New version 0.3.0

- Added rich language support
- Added lockdown feature
- Allow to bind interfaces and sources to zones permanently
- Enabled IPv6 NAT support
  masquerading and port/packet forwarding for IPv6 only with rich language
- Handle polkit errors in client class and firewall-config
- Added priority description for --direct --add-rule in firewall-cmd man page
- Add XML Schemas for zones/services/icmptypes XMLs
- Don't keep file descriptors open when forking
- Introduce --nopid option for firewalld
- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782)
- Update cluster-suite service (RHBZ#885257)
- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912)
- Fix interaction problem of changed event of gtk combobox with polkit-kde
  by processing all remaining events (RHBZ#915892)
- Stop default zone rules being applied to all zones (RHBZ#912782)
- Firewall.start(): don't call set_default_zone()
- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages
- firewalld-cmd: make --state verbose (RHBZ#886484)
- improve firewalld --help (RHBZ#910492)
- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834)
- Continue loading zone in case of wrong service/port etc. (RHBZ#909466)
- Check also services and icmptypes in Zone() (RHBZ#909466)
- Increase the maximum length of the port forwarding fields from 5 to 11 in
  firewall-config
- firewall-cmd: add usage to fail message
- firewall-cmd: redefine usage to point to man page
- firewall-cmd: fix visible problems with arg. parsing
- Use argparse module for parsing command line options and arguments
- firewall-cmd.1: better clarify where to find ACTIONs
- firewall-cmd Bash completion
- firewall-cmd.1: comment --zone=<zone> usage and move some options
- Use zone's target only in %s_ZONES chains
- default zone in firewalld.conf was set to public with every restart (#902845)
- man page cleanup
- code cleanup
Thomas Woerner 2013-03-20 18:04:20 +01:00
parent 241828c972
commit 7b258f3cda
7 changed files with 45 additions and 168 deletions

.gitignore

@ -13,3 +13,4 @@
/firewalld-0.2.10.tar.bz2
/firewalld-0.2.11.tar.bz2
/firewalld-0.2.12.tar.bz2
/firewalld-0.3.0.tar.bz2
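Review bot: the three 0.2.1x tarball entries kept as context above are stale once `sources` and the spec move to 0.3.0; pruning them in the same commit keeps the ignore list in step with what the package actually fetches, and avoids a slowly growing list of dead entries.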

firewalld-0.2.12-bz912782.patch

@ -1,32 +0,0 @@
From 3253df596ab6f5e43d22dff3049600fc0de9c41b Mon Sep 17 00:00:00 2001
From: Jiri Popelka <jpopelka@redhat.com>
Date: Wed, 20 Feb 2013 14:58:40 +0100
Subject: [PATCH 1/2] Stop default zone rules being applied to all zones
(RHBZ#912782)
See https://bugzilla.redhat.com/show_bug.cgi?id=912782
for description.
Patch from Quentin Armitage
---
src/firewall/core/fw_zone.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 6d874e5..0fd0267 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -272,8 +272,9 @@ class FirewallZone:
if target == "DROP" and table == "nat":
# DROP is not supported in nat table
continue
+ action = "-g" if "_ZONE_" in target else "-j"
rule = [ "%s_ZONES" % src_chain, "-t", table,
- opt, interface, "-j", target ]
+ opt, interface, action, target ]
if enable and not append:
rule.insert(1, "1")
rules.append((ipv, rule))
--
1.8.1.2
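Review bot: dropping this downstream patch is only safe because the 0.3.0 changelog in the spec below lists "Stop default zone rules being applied to all zones (RHBZ#912782)"; the fix is the `action = "-g" if "_ZONE_" in target else "-j"` line, which dispatches into a per-zone chain with goto instead of jump so that, when the zone chain returns, control goes back to the caller of `%s_ZONES` rather than continuing down `%s_ZONES` into the default zone's rules. Note that the substring test `"_ZONE_" in target` also matches any zone whose name happens to contain that string; when confirming the upstream 0.3.0 tree carries this fix, check whether it kept the same test or a structured one.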

firewalld-0.2.12-bz912782_2.patch

@ -1,72 +0,0 @@
From 41a1a4c69448991bb89b22081b29bffe47bfcca1 Mon Sep 17 00:00:00 2001
From: Jiri Popelka <jpopelka@redhat.com>
Date: Wed, 6 Mar 2013 17:21:00 +0100
Subject: [PATCH] FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains
(RHBZ#912782)
We need to separate top-level FORWARD_ZONES chain
into these two chains to be able to correctly match
rules for input and output interface, see
https://bugzilla.redhat.com/show_bug.cgi?id=912782#c11
---
src/firewall/core/base.py | 4 ++--
src/firewall/core/fw_zone.py | 2 +-
src/firewall/core/ipXtables.py | 10 ++++++----
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/firewall/core/base.py b/src/firewall/core/base.py
index b89870d..1dcf30b 100644
--- a/src/firewall/core/base.py
+++ b/src/firewall/core/base.py
@@ -44,8 +44,8 @@ INTERFACE_ZONE_SRC = {
"PREROUTING": "PREROUTING",
"POSTROUTING": "POSTROUTING",
"INPUT": "INPUT",
- "FORWARD_IN": "FORWARD",
- "FORWARD_OUT": "FORWARD",
+ "FORWARD_IN": "FORWARD_IN",
+ "FORWARD_OUT": "FORWARD_OUT",
"OUTPUT": "OUTPUT",
}
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 2b0ac8b..c72055e 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -264,7 +264,7 @@ class FirewallZone:
target = self._zones[zone].target.format(
chain=SHORTCUTS[chain], zone=zone)
if target in [ "REJECT", "%%REJECT%%" ] and \
- src_chain not in [ "INPUT", "FORWARD", "OUTPUT" ]:
+ src_chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
# REJECT is only valid in the INPUT, FORWARD and
# OUTPUT chains, and user-defined chains which are
# only called from those chains
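Review bot: the comment kept as context here ("REJECT is only valid in the INPUT, FORWARD and OUTPUT chains") is now stale, since the list it describes was extended to `"INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"`; the check is still correct, because the ipXtables hunk below jumps to FORWARD_IN_ZONES and FORWARD_OUT_ZONES from FORWARD, so REJECT remains reachable only from the filter table's built-in chains, but the comment should name the two new chains.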
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index d172151..311f9e4 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -83,14 +83,16 @@ DEFAULT_RULES["filter"] = [
"-I INPUT 6 -j %%REJECT%%",
"-N FORWARD_direct",
- "-N FORWARD_ZONES",
+ "-N FORWARD_IN_ZONES",
+ "-N FORWARD_OUT_ZONES",
"-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
"-I FORWARD 2 -i lo -j ACCEPT",
"-I FORWARD 3 -j FORWARD_direct",
- "-I FORWARD 4 -j FORWARD_ZONES",
- "-I FORWARD 5 -p %%ICMP%% -j ACCEPT",
- "-I FORWARD 6 -j %%REJECT%%",
+ "-I FORWARD 4 -j FORWARD_IN_ZONES",
+ "-I FORWARD 5 -j FORWARD_OUT_ZONES",
+ "-I FORWARD 6 -p %%ICMP%% -j ACCEPT",
+ "-I FORWARD 7 -j %%REJECT%%",
"-N OUTPUT_direct",
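Review bot: the renumbering is consistent (zone chains at 4 and 5, ICMP accept shifted to 6, the %%REJECT%% catch-all to 7), but the evaluation order introduced here deserves a sentence in the man page: FORWARD_IN_ZONES runs before FORWARD_OUT_ZONES, so the zone bound to the ingress interface is consulted first, and if its target is ACCEPT (a terminating target) the egress interface's zone rules are never reached for that packet. Administrators who expect a restrictive zone on the outbound interface to filter forwarded traffic need to know that the inbound zone decides first.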
--
1.8.1.4

firewalld-0.2.12-conf.patch

@ -1,26 +0,0 @@
From 0a9017067bd04a1370faa461ceede31316f1caaa Mon Sep 17 00:00:00 2001
From: Jiri Popelka <jpopelka@redhat.com>
Date: Tue, 22 Jan 2013 16:27:56 +0100
Subject: [PATCH 4/5] default zone in firewalld.conf was set to public with
every restart (#902845)
---
src/firewall/core/io/firewalld_conf.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 159df99..911f8bf 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -37,7 +37,7 @@ class firewalld_conf:
self._deleted = [ ]
def get(self, key):
- self._config.get(key.strip())
+ return self._config.get(key.strip())
def set(self, key, value):
_key = key.strip()
--
1.8.1
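Review bot: dropping this patch is covered by the changelog bullet "default zone in firewalld.conf was set to public with every restart (#902845)", so 0.3.0 carries the fix; the bug was simply that `get()` computed `self._config.get(key.strip())` and discarded it, returning None for every key, which is why the stored DefaultZone was never read back. A getter that silently returns None is exactly the kind of regression a one-line unit test on `firewalld_conf.get()` would catch; worth asking upstream to add one.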

firewalld-0.2.12-gtk.patch

@ -1,26 +0,0 @@
From 964bd061f00c9e90935430ba3036b228800cd5ed Mon Sep 17 00:00:00 2001
From: Jiri Popelka <jpopelka@redhat.com>
Date: Wed, 16 Jan 2013 14:17:10 +0100
Subject: [PATCH 2/5] firewall-config: fix typo gtk -> Gtk
Fixes: RHBZ#895812
---
src/firewall-config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall-config b/src/firewall-config
index b783268..1f0b5dc 100755
--- a/src/firewall-config
+++ b/src/firewall-config
@@ -839,7 +839,7 @@ class FirewallConfig(object):
if default_zone in zones:
selection.select_path(zones.index(default_zone))
else:
- selection.set_mode(gtk.SelectionMode.NONE)
+ selection.set_mode(Gtk.SelectionMode.NONE)
self.defaultZoneDialog.set_position(Gtk.WindowPosition.CENTER_ON_PARENT)
self.defaultZoneDialog.set_transient_for(self.mainWindow)
--
1.8.1
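Review bot: neither the commit message nor the 0.3.0 changelog entry in the spec mentions RHBZ#895812 or the `gtk` to `Gtk` fix, so before Patch2 is dropped the 0.3.0 tarball should be checked for `Gtk.SelectionMode.NONE` in firewall-config's default-zone dialog. If upstream still has the lowercase `gtk`, the `else` branch (default zone not present in the zone list) raises NameError and the dialog cannot be opened, which is a user-visible regression on a fresh install.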

firewalld.spec

@ -1,7 +1,7 @@
Summary: A firewall daemon with D-BUS interface providing a dynamic firewall
Name: firewalld
Version: 0.2.12
Release: 5%{?dist}
Version: 0.3.0
Release: 1%{?dist}
URL: http://fedorahosted.org/firewalld
License: GPLv2+
ExclusiveOS: Linux
@ -11,10 +11,6 @@ Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2
%if 0%{?fedora} > 17
Patch0: firewalld-0.2.6-MDNS-default.patch
%endif
Patch1: firewalld-0.2.12-conf.patch
Patch2: firewalld-0.2.12-gtk.patch
Patch3: firewalld-0.2.12-bz912782.patch
Patch4: firewalld-0.2.12-bz912782_2.patch
BuildRequires: desktop-file-utils
BuildRequires: gettext
BuildRequires: intltool
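Review bot: Patch0 (firewalld-0.2.6-MDNS-default.patch) is the one downstream patch that survives this major version bump, and nothing on the page shows it being refreshed; confirm it still applies against the 0.3.0 source, since the zone XML files it targets are among the areas this release touches and a failed %patch0 will abort the build in %prep. The removal of Patch1 through Patch4 here is matched by the %prep hunk below, so that side is consistent.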
@ -80,11 +76,6 @@ firewalld.
%patch0 -p1
%endif
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
%configure --with-systemd-unitdir=%{_unitdir}
@ -152,6 +143,8 @@ fi
%{_sbindir}/firewalld
%{_bindir}/firewall-cmd
%{_bindir}/firewall-offline-cmd
%dir %{_sysconfdir}/bash_completion.d
%{_sysconfdir}/bash_completion.d/firewall-cmd-bash-completion.sh
%defattr(0640,root,root)
%attr(0750,root,root) %dir %{_prefix}/lib/firewalld
%attr(0750,root,root) %dir %{_prefix}/lib/firewalld/icmptypes
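Review bot: the new bash completion entries are placed before the `%defattr(0640,root,root)` line, which is the right spot: the script keeps the earlier default mode and stays readable by unprivileged shells. Had they been appended after that line, the root-only 0640 mode would make bash silently skip the completion file for ordinary users. The `%dir %{_sysconfdir}/bash_completion.d` line means this package co-owns the directory with whatever else ships completions there; rpm tolerates that as long as the modes agree.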
@ -162,6 +155,7 @@ fi
%{_prefix}/lib/firewalld/zones/*.xml
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld
%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
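Review bot: lockdown-whitelist.xml lands under the 0640 root-only `%defattr` block, which is appropriate for the file that backs the lockdown feature named in the commit message, since it controls who may alter the firewall configuration while lockdown is on. Marking it `%config(noreplace)` is also right for an administrator-edited file, but it means a whitelist shipped with a later upstream release will arrive as a `.rpmnew` file rather than replacing a locally modified one; the changelog should say so the first time the packaged default changes.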
@ -200,6 +194,44 @@ fi
%{_datadir}/icons/hicolor/*/apps/firewall-config*.*
%changelog
* Wed Mar 20 2013 Thomas Woerner <twoerner@redhat.com> 0.3.0-1
- Added rich language support
- Added lockdown feature
- Allow to bind interfaces and sources to zones permanently
- Enabled IPv6 NAT support
masquerading and port/packet forwarding for IPv6 only with rich language
- Handle polkit errors in client class and firewall-config
- Added priority description for --direct --add-rule in firewall-cmd man page
- Add XML Schemas for zones/services/icmptypes XMLs
- Don't keep file descriptors open when forking
- Introduce --nopid option for firewalld
- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782)
- Update cluster-suite service (RHBZ#885257)
- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912)
- Fix interaction problem of changed event of gtk combobox with polkit-kde
by processing all remaining events (RHBZ#915892)
- Stop default zone rules being applied to all zones (RHBZ#912782)
- Firewall.start(): don't call set_default_zone()
- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages
- firewalld-cmd: make --state verbose (RHBZ#886484)
- improve firewalld --help (RHBZ#910492)
- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834)
- Continue loading zone in case of wrong service/port etc. (RHBZ#909466)
- Check also services and icmptypes in Zone() (RHBZ#909466)
- Increase the maximum length of the port forwarding fields from 5 to 11 in
firewall-config
- firewall-cmd: add usage to fail message
- firewall-cmd: redefine usage to point to man page
- firewall-cmd: fix visible problems with arg. parsing
- Use argparse module for parsing command line options and arguments
- firewall-cmd.1: better clarify where to find ACTIONs
- firewall-cmd Bash completion
- firewall-cmd.1: comment --zone=<zone> usage and move some options
- Use zone's target only in %s_ZONES chains
- default zone in firewalld.conf was set to public with every restart (#902845)
- man page cleanup
- code cleanup
* Thu Mar 07 2013 Jiri Popelka <jpopelka@redhat.com> - 0.2.12-5
- Another fix for RHBZ#912782
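Review bot: the 0.3.0-1 entry reproduces the upstream release notes but does not record the packaging change this commit actually makes, namely that the four downstream patches (firewalld-0.2.12-conf.patch, -gtk.patch, -bz912782.patch, -bz912782_2.patch) are dropped as merged upstream; add one bullet saying so, so that anyone bisecting a regression knows where those fixes went. The bullet "firewalld-cmd: make --state verbose" also carries a typo for firewall-cmd inherited from upstream.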

sources

@ -1 +1 @@
49abe07b77efade4bbaacfb80da9990c firewalld-0.2.12.tar.bz2
a6c52df72fd5dcaa8b26dd89edc5e3a9 firewalld-0.3.0.tar.bz2
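Review bot: the md5 recorded in `sources` only detects a corrupted download; it does not authenticate the tarball, and md5 is not collision resistant. The 0.3.0 archive should be checked against whatever upstream publishes for the release (checksum or signature on the firewalld release page) before this line is trusted as the reference for future builds.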