From 698a906f329aba4044084ebf45551a8a8c154aff Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Tue, 21 Feb 2017 02:29:24 +0100
Subject: [PATCH] - Fixed ipset overloading, dropped applied check in get_ipset (issue#206)
---
 ...d-0.4.4.3-get_ipset_no_applied_check.patch | 91 +++++++++++++++++++
 firewalld.spec | 7 +-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 firewalld-0.4.4.3-get_ipset_no_applied_check.patch
diff --git a/firewalld-0.4.4.3-get_ipset_no_applied_check.patch b/firewalld-0.4.4.3-get_ipset_no_applied_check.patch
new file mode 100644
index 0000000..149f9f4
--- /dev/null
+++ b/firewalld-0.4.4.3-get_ipset_no_applied_check.patch
@@ -0,0 +1,91 @@
+commit 7e7be5658c2b1a8aa130480ad8e1a7314c83bba9
+Author: Thomas Woerner
+Date: Wed Feb 15 11:11:40 2017 +0100
+
+ firewall.core.fw_ipset: get_ipset may not ckeck if set is applied by default
+
+ This breaks the ipset overloading from /etc/firewalld/ipsets.
+ Fixes: #206
+
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index bbbc8eb..952d122 100644
+--- a/src/firewall/core/fw_ipset.py
++++ b/src/firewall/core/fw_ipset.py
+@@ -55,10 +55,11 @@ class FirewallIPSet(object):
+ def has_ipsets(self):
+ return len(self._ipsets) > 0
+
+- def get_ipset(self, name):
++ def get_ipset(self, name, applied=False):
+ self.check_ipset(name)
+ obj = self._ipsets[name]
+- self.check_applied_obj(obj)
++ if applied:
++ self.check_applied_obj(obj)
+ return obj
+
+ def _error2warning(self, f, name, *args):
+@@ -141,11 +142,11 @@ class FirewallIPSet(object):
+ # TYPE
+
+ def get_type(self, name):
+- return self.get_ipset(name).type
++ return self.get_ipset(name, applied=True).type
+
+ # DIMENSION
+ def get_dimension(self, name):
+- return len(self.get_ipset(name).type.split(","))
++ return len(self.get_ipset(name, applied=True).type.split(","))
+
+ # APPLIED
+
+@@ -164,7 +165,7 @@ class FirewallIPSet(object):
+ # OPTIONS
+
+ def get_family(self, name):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "family" in obj.options:
+ if obj.options["family"] == "inet6":
+ return "ipv6"
+@@ -179,7 +180,7 @@ class FirewallIPSet(object):
+ pass
+
+ def add_entry(self, name, entry):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -201,7 +202,7 @@ class FirewallIPSet(object):
+ obj.entries.append(entry)
+
+ def remove_entry(self, name, entry):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -222,7 +223,7 @@ class FirewallIPSet(object):
+ obj.entries.remove(entry)
+
+ def query_entry(self, name, entry):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -230,11 +231,11 @@ class FirewallIPSet(object):
+ return entry in obj.entries
+
+ def get_entries(self, name):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ return obj.entries
+
+ def set_entries(self, name, entries):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
diff --git a/firewalld.spec b/firewalld.spec
index f3d0acc..06856d9 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -8,7 +8,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.4.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2
@@ -19,6 +19,7 @@ Source2: FedoraWorkstation.xml
 %if 0%{?fedora}
 Patch0: firewalld-0.2.6-MDNS-default.patch
 %endif
+Patch1: firewalld-0.4.4.3-get_ipset_no_applied_check.patch
 BuildArch: noarch
 BuildRequires: desktop-file-utils
 BuildRequires: gettext
@@ -154,6 +155,7 @@ firewalld.
 %if 0%{?fedora}
 %patch0 -p1
 %endif
+%patch1 -p1 -b .get_ipset_no_applied_check
 %if 0%{?with_python3}
 rm -rf %{py3dir}
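Review bot: Flipping the default of `get_ipset` to `applied=False` turns the applied check into an opt-in, so any caller outside this patch that relied on `get_ipset(name)` raising for a not-yet-applied set now silently receives the configuration object; the eight call sites that had to be touched here show how easy it is to miss one. The safer shape is to keep the check on by default and let only the overloading path opt out: `def get_ipset(self, name, applied=True):`, with the loader that needs the unchecked lookup (not in this hunk) calling `self.get_ipset(name, applied=False)`, which also leaves get_type, get_dimension, get_family and the entry methods unchanged. Whichever default is kept, the parameter deserves a docstring such as `"""Return the ipset object for name; with applied=True also require that it has been applied (check_applied_obj)."""` so the two modes are explicit. If the file still targets Python 2 a keyword-only `*` separator is unavailable, but callers should keep passing `applied` by keyword as done here. The FirewallIPSet class begins and ends outside the hunk.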
@@ -412,6 +414,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 %changelog
+* Tue Feb 21 2017 Thomas Woerner - 0.4.4.3-2
+- Fixed ipset overloading, dropped applied check in get_ipset (issue#206)
+
 * Fri Feb 10 2017 Thomas Woerner - 0.4.4.3-1
 - Rebase to firewalld-0.4.4.3
 http://www.firewalld.org/2017/02/firewalld-0-4-4-3-release