From 7c611c49f74d71f6a24e3d87176c5abe129ce176 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Fri, 31 Aug 2018 10:57:15 -0400
Subject: [PATCH] default to iptables backend
Resolves: rhbz 1623868
---
 ...patch-to-default-to-iptables-backend.patch | 116 ++++++++++++++++++
 firewalld.spec | 6 +-
 2 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 0001-fedora-patch-to-default-to-iptables-backend.patch
diff --git a/0001-fedora-patch-to-default-to-iptables-backend.patch b/0001-fedora-patch-to-default-to-iptables-backend.patch
new file mode 100644
index 0000000..d33324d
--- /dev/null
+++ b/0001-fedora-patch-to-default-to-iptables-backend.patch
@@ -0,0 +1,116 @@
+From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 30 Aug 2018 16:34:19 -0400
+Subject: [PATCH] fedora patch to default to iptables backend
+
+---
+ config/firewalld.conf | 7 -------
+ src/firewall/config/__init__.py.in | 2 +-
+ src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
+ src/tests/dbus/firewalld.conf.at | 2 +-
+ src/tests/functions.at | 4 ++--
+ 5 files changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index b53c0aa50c53..63df409bf567 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -55,10 +55,3 @@ LogDenied=off
+ # will be used. Possible values are: yes, no and system.
+ # Default: system
+ AutomaticHelpers=system
+-
+-# FirewallBackend
+-# Selects the firewall backend implementation.
+-# Choices are:
+-# - nftables (default)
+-# - iptables (iptables, ip6tables, ebtables and ipset)
+-FirewallBackend=nftables
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 955be32077e1..cff7c3fe9025 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
+ FALLBACK_INDIVIDUAL_CALLS = False
+ FALLBACK_LOG_DENIED = "off"
+ FALLBACK_AUTOMATIC_HELPERS = "system"
+-FALLBACK_FIREWALL_BACKEND = "nftables"
++FALLBACK_FIREWALL_BACKEND = "iptables"
+diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
+index 4d57bad693c1..6264f45a1913 100644
+--- a/src/firewall/core/io/firewalld_conf.py
++++ b/src/firewall/core/io/firewalld_conf.py
+@@ -240,6 +240,12 @@ class firewalld_conf(object):
+ if key not in done:
+ if (key in self._config and \
+ self._config[key] != value):
++ # Only write FirewallBackend if it's not the default.
++ # We will change the default in the future.
++ if key == "FirewallBackend" and \
++ self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
++ done.append(key)
++ continue
+ empty = False
+ temp_file.write(u'%s=%s\n' %
+ (key, self._config[key]))
+@@ -247,6 +253,12 @@ class firewalld_conf(object):
+ elif key in self._deleted:
+ modified = True
+ else:
++ # Only write FirewallBackend if it's not the default.
++ # We will change the default in the future.
++ if key == "FirewallBackend" and \
++ value == config.FALLBACK_FIREWALL_BACKEND:
++ done.append(key)
++ continue
+ empty = False
+ temp_file.write(line+u"\n")
+ done.append(key)
+@@ -258,6 +270,11 @@ class firewalld_conf(object):
+ for (key,value) in self._config.items():
+ if key in done:
+ continue
++ # Only write FirewallBackend if it's not the default.
++ # We will change the default in the future.
++ if key == "FirewallBackend" and \
++ value == config.FALLBACK_FIREWALL_BACKEND:
++ continue
+ if not empty:
+ temp_file.write(u"\n")
+ empty = True
+diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
+index 473210de10af..44e649111ffb 100644
+--- a/src/tests/dbus/firewalld.conf.at
++++ b/src/tests/dbus/firewalld.conf.at
+@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl
+ string "AutomaticHelpers" : variant string "system"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+-string "FirewallBackend" : variant string "nftables"
++string "FirewallBackend" : variant string "iptables"
+ m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
+ string "IPv6_rpfilter" : variant string "no"],[dnl
+ string "IPv6_rpfilter" : variant string "yes"])
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 3b79a9f31305..dd7b43d9dac6 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [
+ fi
+
+ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
+- m4_define_default([FIREWALL_BACKEND], [nftables])
++ m4_define_default([FIREWALL_BACKEND], [iptables])
+
+ dnl don't unload modules or bother cleaning up, the namespace will be deleted
+ AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
+
+ dnl set the appropriate backend
+- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
++ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
+
+ dnl fib matching is pretty new in nftables. Don't use rpfilter on older
+ dnl kernels.
+--
+2.18.0
+
diff --git a/firewalld.spec b/firewalld.spec
index a52962e..e4f72fb 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,13 +1,14 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.6.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: FedoraServer.xml
 Source2: FedoraWorkstation.xml
 Patch0: firewalld-0.2.6-MDNS-default.patch
+Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -270,6 +271,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 %changelog
+* Fri Aug 10 2018 Eric Garver - 0.6.1-2
+- default to iptables backend
+
 * Fri Aug 10 2018 Eric Garver - 0.6.1-1
 - rebase package to v0.6.1
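Review bot: The second added block in the nested `src/firewall/core/io/firewalld_conf.py` hunk (`@@ -247,6 +253,12 @@`, the `else:` branch for a line whose file value already matches `self._config`) deletes an explicit `FirewallBackend=iptables` line from firewalld.conf whenever the value equals `config.FALLBACK_FIREWALL_BACKEND`, so a choice the administrator wrote deliberately is silently dropped on the next save. Taken together with the comment `# We will change the default in the future.`, a host that lost its explicit line will switch backends on a later upgrade without any change to its own configuration, which is an unannounced change in how its rules are rendered that a firewall config writer should not cause. I would keep the suppression only on the two paths where firewalld itself emits the value (the block under `self._config[key] != value` and the trailing `for (key,value) in self._config.items()` loop) and let the `else:` branch fall through to `temp_file.write(line+u"\n")` unchanged. The enclosing method of `firewalld_conf` starts and ends outside the hunk, so I cannot see whether `modified` is set on the new `continue` paths; it is worth confirming that dropping a line still marks the file as changed.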