commit 86bcc4af9e88ae0d12d8065d86c4843ea26f1c32
Author: CentOS Sources
Date: Sat Nov 14 08:08:47 2020 +0000
import firewalld-0.8.2-3.el8
diff --git a/.firewalld.metadata b/.firewalld.metadata
new file mode 100644
index 0000000..fb7e6de
--- /dev/null
+++ b/.firewalld.metadata
@@ -0,0 +1 @@
+785c4062248b95a85ddc023eba075b66109e254b SOURCES/firewalld-0.8.2.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2a44183
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/firewalld-0.8.2.tar.gz
diff --git a/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch b/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
new file mode 100644
index 0000000..cbb36e7
--- /dev/null
+++ b/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
@@ -0,0 +1,319 @@ +From 52d53cc4ab0503ad484330b2121f85094a7903de Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 9 Jul 2018 11:29:33 -0400 +Subject: [PATCH 1/6] RHEL only: Add cockpit by default to some zones + +Fixes: #1581578 +--- + config/zones/home.xml | 1 + + config/zones/internal.xml | 1 + + config/zones/public.xml | 1 + + config/zones/work.xml | 1 + + src/tests/cli/firewall-cmd.at | 14 +++++++++++++- + src/tests/features/helpers_custom.at | 9 +++++++++ + src/tests/features/service_include.at | 2 +- + src/tests/regression/gh366.at | 3 +++ + src/tests/regression/gh453.at | 2 ++ + src/tests/regression/rhbz1514043.at | 2 +- + 10 files changed, 33 insertions(+), 3 deletions(-) + +diff --git a/config/zones/home.xml b/config/zones/home.xml +index 42b29b2f2d50..8aa8afa0e8aa 100644 +--- a/config/zones/home.xml ++++ b/config/zones/home.xml +@@ -6,4 +6,5 @@ + + + ++ + +diff --git a/config/zones/internal.xml b/config/zones/internal.xml +index e646b48c94e8..40cb7e14424b 100644 +--- a/config/zones/internal.xml ++++ b/config/zones/internal.xml +@@ -6,4 +6,5 @@ + + + ++ + +diff --git a/config/zones/public.xml b/config/zones/public.xml +index 49795d8c9068..617e131a4895 100644 +--- a/config/zones/public.xml ++++ b/config/zones/public.xml +@@ -4,4 +4,5 @@ + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + ++ + +diff --git a/config/zones/work.xml b/config/zones/work.xml +index 6ea5550a40bd..9609ee6f65c2 100644 +--- a/config/zones/work.xml ++++ b/config/zones/work.xml +@@ -4,4 +4,5 @@ + For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. 
+ + ++ + +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 806af74221b6..74f480f8730f 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -1285,6 +1285,7 @@ FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 1122 ct state new,untracked accept + tcp dport 3333 ct state new,untracked accept + tcp dport 4444 ct state new,untracked accept +@@ -1300,6 +1301,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED +@@ -1314,6 +1316,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED +@@ -1395,6 +1398,7 @@ FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + } + } + ]) +@@ -1498,6 +1502,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate 
NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl + ]) +@@ -1532,6 +1537,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl + ]) +@@ -1579,6 +1585,7 @@ FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + icmp type echo-request accept + icmpv6 type echo-request accept + } +@@ -1619,6 +1626,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ]) + IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl +@@ -1641,6 +1649,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 + ]) + IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl +@@ -1697,6 +1706,7 @@ FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + } + } + ]) +@@ -1734,6 +1744,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], 
[IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl + ]) +@@ -1754,6 +1765,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl + ]) +@@ -1779,7 +1791,7 @@ FWD_START_TEST([rich rules priority]) + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: cockpit dhcpv6-client ssh + ports: + protocols: + masquerade: no +diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at +index 41d0f17b1d9e..bd4b52cfb1d6 100644 +--- a/src/tests/features/helpers_custom.at ++++ b/src/tests/features/helpers_custom.at +@@ -37,6 +37,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept + } +@@ -47,6 +48,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +@@ -55,6 +57,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 
ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + +@@ -91,6 +94,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept + } +@@ -101,6 +105,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +@@ -109,6 +114,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + +@@ -126,6 +132,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept +@@ -139,6 +146,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ 
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) +@@ -149,6 +157,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) +diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at +index 7f02701a9419..070f1578fc2b 100644 +--- a/src/tests/features/service_include.at ++++ b/src/tests/features/service_include.at +@@ -120,7 +120,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl + + ]) + FWD_CHECK([--zone=public --list-services], 0, [dnl +-dhcpv6-client ssh ++cockpit dhcpv6-client ssh + ]) + FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist]) + FWD_RELOAD +diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at +index 1441a6be53bf..51ff504e6a9d 100644 +--- a/src/tests/regression/gh366.at ++++ b/src/tests/regression/gh366.at +@@ -7,6 +7,7 @@ table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++tcp dport 9090 ct state new,untracked accept + ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept + ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + } +@@ -14,11 +15,13 @@ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate 
NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED + ])]) + +diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at +index 36a6fce5f22a..61bc90aae673 100644 +--- a/src/tests/regression/gh453.at ++++ b/src/tests/regression/gh453.at +@@ -18,6 +18,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 ct state new,untracked accept + } +@@ -42,6 +43,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 ct state new,untracked accept + tcp dport 5060 ct helper set "helper-sip-tcp" +diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at +index efc33e09478b..241cf547f7f3 100644 +--- a/src/tests/regression/rhbz1514043.at ++++ b/src/tests/regression/rhbz1514043.at +@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all]) + FWD_CHECK([-q --permanent --zone=public --add-service=samba]) + FWD_RELOAD + FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl +-services: dhcpv6-client samba ssh ++services: cockpit dhcpv6-client samba ssh + ]) + + dnl check that log denied actually took effect +-- +2.23.0 + 
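Review bot: The new default accepts unsolicited inbound TCP/9090 in the public, work, home and internal zones regardless of whether cockpit is installed or listening, as the updated expectations `tcp dport 9090 ct state new,untracked accept` in filter_IN_public_allow show (the service element added to the zone XML itself is not visible after extraction). Since public is the default zone, every interface not explicitly assigned elsewhere now exposes 9090 out of the box, which widens the default attack surface on hosts that never run cockpit. The commit message only cites a bug number; it should state the rationale and that this default diverges from upstream, and the zone descriptions or release notes should tell admins who do not use cockpit to run `firewall-cmd --permanent --zone=public --remove-service=cockpit` followed by `firewall-cmd --reload`. Whether a listener is actually present on 9090 depends on the cockpit packaging and cannot be judged from this hunk.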
diff --git a/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch b/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..766f11b --- /dev/null +++ b/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch 
@@ -0,0 +1,235 @@ +From 42c3c63410d53f1f1eef8a756202231a7872aafa Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Feb 2020 09:12:17 -0500 +Subject: [PATCH 2/6] RHEL only: default to AllowZoneDrifting=yes + +--- + config/firewalld.conf | 4 ++-- + doc/xml/firewalld.conf.xml | 2 +- + doc/xml/firewalld.dbus.xml | 2 +- + src/firewall/config/__init__.py.in | 2 +- + src/tests/cli/firewall-cmd.at | 8 ++++++++ + src/tests/dbus/firewalld.conf.at | 4 ++-- + src/tests/features/rfc3964_ipv4.at | 4 ++++ + src/tests/functions.at | 1 + + src/tests/regression/rhbz1514043.at | 4 ++++ + src/tests/regression/rhbz1715977.at | 9 +++++++++ + 10 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index 532f0452212e..f791b2358ab8 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -71,5 +71,5 @@ RFC3964_IPv4=yes + # Note: If "yes" packets will only drift from source based zones to interface + # based zones (including the default zone). Packets never drift from interface + # based zones to other interfaces based zones (including the default zone). +-# Possible values; "yes", "no". Defaults to "no". +-AllowZoneDrifting=no ++# Possible values; "yes", "no". Defaults to "yes". ++AllowZoneDrifting=yes +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index fcfbfd2b68c1..c21ef87813bc 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -197,7 +197,7 @@ + to interface based zones (including the default zone). Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". 
+ + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 5d77af976443..77ad77c01675 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2591,7 +2591,7 @@ + to interface based zones (including the default zone). Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". + + + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 481eb8de758d..645c76b66c8d 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no" + FALLBACK_FIREWALL_BACKEND = "nftables" + FALLBACK_FLUSH_ALL_ON_RELOAD = True + FALLBACK_RFC3964_IPV4 = True +-FALLBACK_ALLOW_ZONE_DRIFTING = False ++FALLBACK_ALLOW_ZONE_DRIFTING = True +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 74f480f8730f..c47c14ea1fc2 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -696,6 +696,10 @@ FWD_START_TEST([ipset]) + CHECK_IPSET + CHECK_IPSET_HASH_MAC + ++ dnl Expected test results assume this is set to "no" ++ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++ FWD_RELOAD ++ + FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, ignore) + FWD_CHECK([--reload], 0, ignore) + FWD_CHECK([--ipset=foobar --get-entries], 0, [ +@@ -1197,6 +1201,10 @@ FWD_START_TEST([rich rules priority]) + + CHECK_LOG_AUDIT + ++ dnl Expected test results assume this is set to "no" ++ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++ FWD_RELOAD ++ + dnl Verify generic layout of zone + NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl + table inet firewalld { +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 35aead759a9c..4eefa3286f9f 
100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus) + dnl Verify defaults over dbus. Should be inline with default firewalld.conf. + IF_HOST_SUPPORTS_NFT_FIB([ + DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "no" ++string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100 + string "RFC3964_IPv4" : variant string "yes" + ])], [ + DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "no" ++string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at +index 54f5f756270b..15fef52612cc 100644 +--- a/src/tests/features/rfc3964_ipv4.at ++++ b/src/tests/features/rfc3964_ipv4.at +@@ -1,6 +1,10 @@ + FWD_START_TEST([RFC3964_IPv4]) + AT_KEYWORDS(rfc3964_ipv4) + ++dnl Expected test results assume this is set to "no" ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf]) + AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf]) + FWD_RELOAD +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 5b3ed3ee4a5a..8f5ceba4d3f2 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [ + IF_HOST_SUPPORTS_IP6TABLES([], [ + sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log + ]) ++ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log + if test x"$1" != x"ignore"; then + if test -n "$1"; 
then + sed -i $1 ./firewalld.log +diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at +index 241cf547f7f3..8e4846a078b8 100644 +--- a/src/tests/regression/rhbz1514043.at ++++ b/src/tests/regression/rhbz1514043.at +@@ -1,6 +1,10 @@ + FWD_START_TEST([--set-log-denied does not zero config]) + AT_KEYWORDS(log_denied rhbz1514043) + ++dnl Expected test results assume this is set to "no" ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + FWD_CHECK([-q --set-log-denied=all]) + FWD_CHECK([-q --permanent --zone=public --add-service=samba]) + FWD_RELOAD +diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at +index d548de72b90c..b9886e1a0a2b 100644 +--- a/src/tests/regression/rhbz1715977.at ++++ b/src/tests/regression/rhbz1715977.at +@@ -14,6 +14,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept + } + } +@@ -23,6 +24,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl +@@ -31,6 +33,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 
tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept']) +@@ -44,6 +47,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept + ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept + } +@@ -54,6 +58,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED + ]) +@@ -63,6 +68,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept']) +@@ -76,6 +82,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept + ip daddr 192.168.111.222 ip saddr 
10.10.10.0/24 tcp dport 22 ct state new,untracked accept + ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept +@@ -87,6 +94,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED +@@ -97,6 +105,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore]) +-- +2.23.0 + diff --git a/SOURCES/0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch b/SOURCES/0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch new file mode 100644 index 0000000..a868380 --- /dev/null +++ b/SOURCES/0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch 
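Review bot: Re-enabling AllowZoneDrifting by default weakens source-based zone isolation: by the config comment kept in the hunk, a packet that matches a source-based zone but is not accepted there can drift to an interface-based zone or the default zone and be accepted there, so a restrictive source zone (e.g. one used to deny a subnet) no longer guarantees a block. The hunk also deletes the daemon's `WARNING: AllowZoneDrifting is enabled.` line from the test logs, which is the only signal an admin would otherwise see. The commit message gives no rationale; it should say why pre-0.8 compatibility is preferred for RHEL and that the default differs from upstream, and the firewalld.conf comment should warn rather than only restate the default, e.g. `# WARNING: "yes" keeps the pre-0.8 drifting behaviour, which can let a packet not accepted by a source based zone be accepted by an interface based or the default zone; set "no" for strict zone isolation.` Deployments that rely on source-based zones to deny traffic should set `AllowZoneDrifting=no`.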
@@ -0,0 +1,29 @@ +From b2e4f83c8fb011ffe0a8b040fa937f60c842cc25 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 2 Apr 2020 14:42:22 -0400 +Subject: [PATCH 3/6] fix: nftables: ipset: port ranges for non-default + protocols + +Fixes: 2d1b0fe9fe74 ("fix: nftables: allow set intervals with concatenations") +(cherry picked from commit e80f4fccfc771128affdc578ed37842d5d469ca9) +(cherry picked from commit 6a2fd018666ab8c4877291f8f807a9943db74de3) +--- + src/firewall/core/nftables.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index a9d5a45337bd..69ee63b32f8b 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1680,7 +1680,7 @@ class nftables(object): + port_str = entry_tokens[i][index+1:] + + try: +- index = entry_tokens[i].index("-") ++ index = port_str.index("-") + except ValueError: + fragment.append(port_str) + else: +-- +2.23.0 + diff --git a/SOURCES/0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch b/SOURCES/0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch new file mode 100644 index 0000000..f1c73ca --- /dev/null +++ b/SOURCES/0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch 
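Review bot: The fix is right as far as the hunk shows — the dash offset is now searched within `port_str` instead of the whole `proto:lo-hi` token, so the slice in the `else` branch (outside the hunk) is no longer shifted by the length of the protocol prefix — but the root cause is that `index` is reused for two different offsets, first the protocol separator (visible in `port_str = entry_tokens[i][index+1:]`) and then the range dash. Giving the second its own name, `dash = port_str.index("-")`, and using `dash` in the `else` branch would make the same slip much harder to reintroduce. The enclosing method begins and ends outside the hunk and the `else` branch that consumes the offset is not visible, so its use is inferred from the fix.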
@@ -0,0 +1,44 @@ +From c694ab9a3d00f0471bfdf73a1b00d43f60395717 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 2 Apr 2020 14:38:45 -0400 +Subject: [PATCH 4/6] test: ipset: verify port ranges for non-default protocol + +(cherry picked from commit c0ad3a0b3340a27c34b33128f756f64acc3a771b) +(cherry picked from commit a2b8a09b929901e14620aa802fd423f958c56188) +--- + src/tests/cli/firewall-cmd.at | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index c47c14ea1fc2..ad7b1b32f42c 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -743,6 +743,7 @@ FWD_START_TEST([ipset]) + dnl multi dimensional set with non default protocol + FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore) + FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,sctp:1234], 0, ignore) ++ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002], 0, ignore) + FWD_RELOAD + FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,8080], 0, ignore) + FWD_CHECK([--zone internal --add-source=ipset:foobar], 0, ignore) +@@ -752,6 +753,7 @@ FWD_START_TEST([ipset]) + type ipv4_addr . inet_proto . inet_service + flags interval + elements = { 10.10.10.10 . sctp . 1234, ++ 10.10.10.10 . udp . 1000-1002, + 20.20.20.20 . tcp . 8080 } + } + } +@@ -769,6 +771,9 @@ FWD_START_TEST([ipset]) + Type: hash:ip,port + Members: + 10.10.10.10,sctp:1234 ++ 10.10.10.10,udp:1000 ++ 10.10.10.10,udp:1001 ++ 10.10.10.10,udp:1002 + 20.20.20.20,tcp:8080 + ]) + FWD_CHECK([--ipset=foobar --add-entry=1.2.3.4,sctp:8080], 0, ignore) +-- +2.23.0 + diff --git a/SOURCES/0005-test-log-verify-logging-still-works-after-truncate.patch b/SOURCES/0005-test-log-verify-logging-still-works-after-truncate.patch new file mode 100644 index 0000000..0227dc6 --- /dev/null +++ b/SOURCES/0005-test-log-verify-logging-still-works-after-truncate.patch 
@@ -0,0 +1,51 @@ +From 85782b1fb964e3b67a0276881bdba4ca9881dec3 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 2 Apr 2020 15:21:58 -0400 +Subject: [PATCH 5/6] test: log: verify logging still works after truncate + +The log policy we ship presumes firewalld opens log files in append +mode. This is because the logrotate policy uses "copytruncate". Lets +verify that it actually works as expected. + +(cherry picked from commit e887c16512abd6a3051b0519ee9af344c9f08827) +(cherry picked from commit 2ab7f9e793a51c9aebe08fff6226c38159ae2312) +--- + src/tests/regression/gh599.at | 16 ++++++++++++++++ + src/tests/regression/regression.at | 1 + + 2 files changed, 17 insertions(+) + create mode 100644 src/tests/regression/gh599.at + +diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at +new file mode 100644 +index 000000000000..472f228ba2a9 +--- /dev/null ++++ b/src/tests/regression/gh599.at +@@ -0,0 +1,16 @@ ++FWD_START_TEST([writing to log after copytruncate]) ++AT_KEYWORDS(gh599) ++ ++AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])]) ++AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])]) ++ ++dnl Verify we continue to write to the log file after it's truncated. That is, ++dnl simulate logrotate's copytruncate. ++NS_CHECK([truncate -s 0 ./firewalld.log]) ++ ++dnl generate some logs, anything will do since we have debug enabled. ++FWD_CHECK([--list-all], 0, [ignore], [ignore]) ++ ++NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"']) ++ ++FWD_END_TEST +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 8042c3a27f89..2528ddd3fede 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -27,3 +27,4 @@ m4_include([regression/gh509.at]) + m4_include([regression/gh567.at]) + m4_include([regression/rhbz1779835.at]) + m4_include([regression/gh330.at]) ++m4_include([regression/gh599.at]) +-- +2.23.0 + 
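Review bot: The assertion `NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])` depends on `let`, a bash/ksh builtin that is not POSIX, so on hosts where `sh` is dash or another strict shell the check fails with `let: not found` and the test fails for the wrong reason. A portable form is `NS_CHECK([sh -c 'test "$(wc -c < ./firewalld.log)" -gt 0'])`, which also drops the needless `cat`. The check is also weaker than the commit message implies: a daemon that did not open the log with O_APPEND would resume writing at its old offset after the truncate, leaving a NUL-filled hole, and a byte count greater than zero would still pass; asserting there are no NUL bytes, e.g. `test "$(tr -d '\000' < ./firewalld.log | wc -c)" -eq "$(wc -c < ./firewalld.log)"`, would actually catch that regression.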
diff --git a/SOURCES/0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch b/SOURCES/0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch new file mode 100644 index 0000000..4edca71 --- /dev/null +++ b/SOURCES/0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch @@ -0,0 +1,32 @@ +From 01dd132e2004e6d40c6c2200f6105ca49594041a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 6 Apr 2020 15:34:57 -0400 +Subject: [PATCH 6/6] fix: test/regression/gh599: fix if not using debug output + +Fixes: e887c16512ab ("test: log: verify logging still works after truncate") +(cherry picked from commit f7e3c60263e144a04ee175d5f7bb3fa4636a97a4) +(cherry picked from commit e78548b1fd6e87500d7df3ade5373285ca525f03) +--- + src/tests/regression/gh599.at | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at +index 472f228ba2a9..337e18018baf 100644 +--- a/src/tests/regression/gh599.at ++++ b/src/tests/regression/gh599.at +@@ -8,9 +8,9 @@ dnl Verify we continue to write to the log file after it's truncated. That is, + dnl simulate logrotate's copytruncate. + NS_CHECK([truncate -s 0 ./firewalld.log]) + +-dnl generate some logs, anything will do since we have debug enabled. +-FWD_CHECK([--list-all], 0, [ignore], [ignore]) ++dnl generate some logs ++FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore]) + + NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"']) + +-FWD_END_TEST ++FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d']) +-- +2.23.0 + diff --git a/SOURCES/0007-test-dbus-zone-verify-permanent-config-API-signature.patch b/SOURCES/0007-test-dbus-zone-verify-permanent-config-API-signature.patch new file mode 100644 index 0000000..3521956 --- /dev/null +++ b/SOURCES/0007-test-dbus-zone-verify-permanent-config-API-signature.patch 
@@ -0,0 +1,496 @@ +From 5a912cc04a75e018631745647a524cce8569505b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 8 Apr 2020 13:38:06 -0400 +Subject: [PATCH 07/10] test: dbus: zone: verify permanent config API + signatures + +(cherry picked from commit f6a6837cb49d5a9ca4ea08964fb62bb9f7f420ac) +(cherry picked from commit 7cc77369cd68ff1860b151fc649d237f1feb84ba) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_permanent_signatures.at | 464 ++++++++++++++++++++ + 2 files changed, 465 insertions(+) + create mode 100644 src/tests/dbus/zone_permanent_signatures.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index 46fec2ff4024..ffef478f5449 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -1,3 +1,4 @@ + AT_BANNER([dbus]) + m4_include([dbus/firewalld.conf.at]) + m4_include([dbus/service.at]) ++m4_include([dbus/zone_permanent_signatures.at]) +diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at +new file mode 100644 +index 000000000000..15319552c15f +--- /dev/null ++++ b/src/tests/dbus/zone_permanent_signatures.at +@@ -0,0 +1,464 @@ ++FWD_START_TEST([dbus api - zone permanent signatures]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_INTROSPECT([config], [[//method[@name="listZones"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="getZoneNames"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="getZoneByName"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="addZone"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++dnl zone relation to interface/sources ++DBUS_INTROSPECT([config], [[//method[@name="getZoneOfInterface"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="getZoneOfSource"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++ ++dnl #################### ++dnl Zone object APIs ++dnl #################### ++ ++dnl Get a 
reference to the public zone. We'll use it to introspect APIs. ++DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout]) ++DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)] ++export DBUS_PUBLIC_ZONE_OBJ ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="update"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="remove"]]], 0, [dnl ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="rename"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Version ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getVersion"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setVersion"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Short ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getShort"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setShort"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Description ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getDescription"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setDescription"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Target ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getTarget"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setTarget"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Interfaces ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getInterfaces"]]], 0, [dnl ++ ++ ++ ++]) 
++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setInterfaces"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addInterface"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeInterface"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryInterface"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Sources ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSources"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSources"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSource"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSource"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySource"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Services ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getServices"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setServices"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addService"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeService"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryService"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Ports ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addPort"]]], 0, [dnl 
++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removePort"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++dnl Source Ports ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSourcePorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSourcePorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++dnl Protocol ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getProtocols"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setProtocols"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addProtocol"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeProtocol"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryProtocol"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Forward Ports ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getForwardPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setForwardPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ 
++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++dnl Masquerade ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getMasquerade"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setMasquerade"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addMasquerade"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeMasquerade"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryMasquerade"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl ICMP Block ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlocks"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlocks"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlock"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlock"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl ICMP Block Inversion ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl ++ ++ 
++ ++]) ++ ++dnl Rich Rules ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getRichRules"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setRichRules"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addRichRule"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeRichRule"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryRichRule"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++FWD_END_TEST +-- +2.25.2 + diff --git a/SOURCES/0008-test-dbus-zone-verify-runtime-config-API-signatures.patch b/SOURCES/0008-test-dbus-zone-verify-runtime-config-API-signatures.patch new file mode 100644 index 0000000..311740b --- /dev/null +++ b/SOURCES/0008-test-dbus-zone-verify-runtime-config-API-signatures.patch 
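Review bot: `DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]` relies on `\+`, which is a GNU extension rather than POSIX basic regular expression syntax, and if the substitution does not match, sed prints the line unchanged so the variable silently receives the whole `getZoneByName` output and every later DBUS_INTROSPECT path built from it would presumably fail with an unrelated-looking error. Writing the quantifier as `\{1,\}` and adding a guard such as `NS_CHECK([echo "${DBUS_PUBLIC_ZONE_OBJ}" | grep -q '^[0-9][0-9]*$'])` right after the `export` would make that failure explicit, in the same spirit as the dash-portability fix in 0009. The same extraction, again with `\+`, is repeated for DBUS_FOOBAR_ZONE_OBJ and DBUS_PUBLIC_ZONE_OBJ in 0011 further down, so a shared helper macro in the test library would be the cleaner fix; that hunk runs past the end of this page.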
@@ -0,0 +1,446 @@ +From 3122491686014a2cdd83d3506334055fd18c80e0 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 8 Apr 2020 14:16:48 -0400 +Subject: [PATCH 08/10] test: dbus: zone: verify runtime config API signatures + +(cherry picked from commit fca39ea7edbd57283bc15fdd88fbfd4b1943f977) +(cherry picked from commit d17a68d680b631954fdb5031a3c0627a68f77049) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_runtime_signatures.at | 415 ++++++++++++++++++++++ + 2 files changed, 416 insertions(+) + create mode 100644 src/tests/dbus/zone_runtime_signatures.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index ffef478f5449..377244460e7a 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -2,3 +2,4 @@ AT_BANNER([dbus]) + m4_include([dbus/firewalld.conf.at]) + m4_include([dbus/service.at]) + m4_include([dbus/zone_permanent_signatures.at]) ++m4_include([dbus/zone_runtime_signatures.at]) +diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at +new file mode 100644 +index 000000000000..53fdbea03180 +--- /dev/null ++++ b/src/tests/dbus/zone_runtime_signatures.at +@@ -0,0 +1,415 @@ ++FWD_START_TEST([dbus api - zone runtime signatures]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_INTROSPECT([], [[//method[@name="getZoneSettings"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Default Zone ++DBUS_INTROSPECT([], [[//method[@name="getDefaultZone"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="setDefaultZone"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Fetching Zones ++DBUS_INTROSPECT([], [[//method[@name="getZones"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getActiveZones"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Interface/Source ++DBUS_INTROSPECT([], [[//method[@name="getZoneOfInterface"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getZoneOfSource"]]], 0, [dnl ++ ++ ++ ++ 
++]) ++ ++dnl #################### ++dnl Zone APIs ++dnl #################### ++ ++DBUS_INTROSPECT([], [[//method[@name="isImmutable"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Interfaces ++DBUS_INTROSPECT([], [[//method[@name="addInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="changeZone"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="changeZoneOfInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getInterfaces"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Sources ++DBUS_INTROSPECT([], [[//method[@name="addSource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="changeZoneOfSource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeSource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="querySource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getSources"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Services ++DBUS_INTROSPECT([], [[//method[@name="addService"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeService"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryService"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getServices"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Protocols ++DBUS_INTROSPECT([], [[//method[@name="addProtocol"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeProtocol"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryProtocol"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getProtocols"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Ports ++DBUS_INTROSPECT([], [[//method[@name="addPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) 
++DBUS_INTROSPECT([], [[//method[@name="removePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getPorts"]]], 0, [dnl ++ ++ ++ dnl NOTE: The signature is "aas", but getPorts() actually returns ++ dnl "a(ss)". Apparently python-dbus coerces to "aas". ++ ++ ++]) ++ ++dnl Source Ports ++DBUS_INTROSPECT([], [[//method[@name="addSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="querySourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getSourcePorts"]]], 0, [dnl ++ ++ ++ dnl NOTE: The signature is "aas", but getPorts() actually returns ++ dnl "a(ss)". Apparently python-dbus coerces to "aas". ++ ++ ++]) ++ ++dnl Forward Ports ++DBUS_INTROSPECT([], [[//method[@name="addForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getForwardPorts"]]], 0, [dnl ++ ++ ++ dnl NOTE: The signature is "aas", but getPorts() actually returns ++ dnl "a(ssss)". Apparently python-dbus coerces to "aas". 
++ ++ ++]) ++ ++dnl Masquerade ++DBUS_INTROSPECT([], [[//method[@name="addMasquerade"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeMasquerade"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryMasquerade"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl ICMP Block ++DBUS_INTROSPECT([], [[//method[@name="addIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getIcmpBlocks"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl ICMP Block Inversion ++DBUS_INTROSPECT([], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Rich Rules ++DBUS_INTROSPECT([], [[//method[@name="addRichRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeRichRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryRichRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getRichRules"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++FWD_END_TEST +-- +2.25.2 + diff --git a/SOURCES/0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch b/SOURCES/0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch new file mode 100644 index 0000000..27a9477 --- /dev/null +++ b/SOURCES/0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch 
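Review bot: The `dnl NOTE` comments under getSourcePorts and getForwardPorts were copied from getPorts and still name the wrong method: `dnl NOTE: The signature is "aas", but getPorts() actually returns` appears three times, but only the first sits under getPorts. They should read `dnl NOTE: The signature is "aas", but getSourcePorts() actually returns` with `"a(ss)"` and `dnl NOTE: The signature is "aas", but getForwardPorts() actually returns` with `"a(ssss)"` respectively. Since the test itself records that the introspected signature differs from the type actually returned, the mismatch is worth tracking as a follow-up against the D-Bus interface rather than only in a test comment, because clients that trust introspection would see a different type than the one delivered; whether python-dbus coercion masks this for every caller cannot be judged from this page.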
@@ -0,0 +1,38 @@
+From ac3d706eb4bfead921c7e739e5e95a186bf35438 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 8 Apr 2020 17:05:39 -0400
+Subject: [PATCH 09/10] fix: test/regression/gh599: use expr to be more
+ portable
+
+dash was failing due to not having "let". So lets use "expr" instead.
+
+Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
+(cherry picked from commit eba44b2ebeedccbac0329a56c86c5d8f26c30f9f)
+(cherry picked from commit cdd7c9d60624a443a0a07c29081d0ef68a384beb)
+---
+ src/tests/regression/gh599.at | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
+index 337e18018baf..b0a230733c85 100644
+--- a/src/tests/regression/gh599.at
++++ b/src/tests/regression/gh599.at
+@@ -3,6 +3,7 @@ AT_KEYWORDS(gh599)
+ 
+ AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
+ AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
++AT_SKIP_IF([! NS_CMD([which expr >/dev/null 2>&1])])
+ 
+ dnl Verify we continue to write to the log file after it's truncated. That is,
+ dnl simulate logrotate's copytruncate.
+@@ -11,6 +12,6 @@ NS_CHECK([truncate -s 0 ./firewalld.log])
+ dnl generate some logs
+ FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
+ 
+-NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
++NS_CHECK([expr $(cat ./firewalld.log | wc -c) ">" 0], 0, [ignore], [ignore])
+ 
+ FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
+--
+2.25.2
+
diff --git a/SOURCES/0010-fix-systemd-Conflict-with-nftables.service.patch b/SOURCES/0010-fix-systemd-Conflict-with-nftables.service.patch
new file mode 100644
index 0000000..5d3ece4
--- /dev/null
+++ b/SOURCES/0010-fix-systemd-Conflict-with-nftables.service.patch
@@ -0,0 +1,27 @@
+From 10f7c0956e7c7054da9e6187aa525c23f65a8dfc Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 14 Apr 2020 07:40:48 -0400
+Subject: [PATCH 10/10] fix(systemd): Conflict with nftables.service
+
+(cherry picked from commit 7b6aff3a51a955399c782f48137405d0fa94e966)
+(cherry picked from commit fc00563ef029cb4c12c652725bfd3a3b5122d136)
+---
+ config/firewalld.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/firewalld.service.in b/config/firewalld.service.in
+index b757a08f28dc..afbe0ac5def7 100644
+--- a/config/firewalld.service.in
++++ b/config/firewalld.service.in
+@@ -4,7 +4,7 @@ Before=network-pre.target
+ Wants=network-pre.target
+ After=dbus.service
+ After=polkit.service
+-Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
++Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
+ Documentation=man:firewalld(1)
+ 
+ [Service]
+--
+2.25.2
+
diff --git a/SOURCES/0011-test-dbus-zone-verify-permanent-config-APIs.patch b/SOURCES/0011-test-dbus-zone-verify-permanent-config-APIs.patch
new file mode 100644
index 0000000..ae11b5e
--- /dev/null
+++ b/SOURCES/0011-test-dbus-zone-verify-permanent-config-APIs.patch
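Review bot: `Conflicts=` is symmetric in systemd, so with `nftables.service` added to the list a later `systemctl start nftables` on a host running firewalld stops firewalld and leaves only the ruleset nftables.service loads, a change in failure mode that the patch description (empty apart from the cherry-pick trailers) does not explain. A sentence in the patch body such as `Treat nftables.service like iptables.service and friends: a statically loaded ruleset is presumably not meant to coexist with firewalld's own nftables tables, so the two must not be active at once` would record the rationale for operators reading the unit file. Whether nftables.service declares the reverse conflict, and whether ordering between the two needs a `Before=`/`After=` as well, is not visible on this page.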
@@ -0,0 +1,390 @@ +From 3564be1c8a28ac59e8a7135a1ab2a82d2e8a3c90 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 9 Apr 2020 12:49:02 -0400 +Subject: [PATCH 11/45] test(dbus): zone: verify permanent config APIs + +(cherry picked from commit 64d5bf1b117bc29d09b4f30cbb1c87d8559eeac0) +(cherry picked from commit a972e90b522ba11e0bd65b8d0cd1a55e1d18f9cd) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_permanent_functional.at | 359 ++++++++++++++++++++ + 2 files changed, 360 insertions(+) + create mode 100644 src/tests/dbus/zone_permanent_functional.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index 377244460e7a..31c180dc3d3d 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -3,3 +3,4 @@ m4_include([dbus/firewalld.conf.at]) + m4_include([dbus/service.at]) + m4_include([dbus/zone_permanent_signatures.at]) + m4_include([dbus/zone_runtime_signatures.at]) ++m4_include([dbus/zone_permanent_functional.at]) +diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at +new file mode 100644 +index 000000000000..2261832e00a8 +--- /dev/null ++++ b/src/tests/dbus/zone_permanent_functional.at +@@ -0,0 +1,359 @@ ++FWD_START_TEST([dbus api - zone permanent functional]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_CHECK([config], [config.addZone], ++ ["foobar" dnl name ++ '("1.0", dnl version ++ "foobar", dnl short ++ "foobar zone", dnl description ++ false, dnl bogus/unused ++ "ACCEPT", dnl target ++ @<:@"ssh", "mdns"@:>@, dnl services ++ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl ports ++ @<:@"echo-request"@:>@, dnl ICMP Blocks ++ true, dnl masquerade ++ @<:@("1234", "tcp", "4321", ""), ("1234", "udp", "4321", "10.10.10.10")@:>@, dnl forward ports ++ @<:@"dummy0", "dummy1"@:>@, dnl interfaces ++ @<:@"10.10.10.0/24"@:>@, dnl sources ++ @<:@"rule family=ipv4 source address=10.20.20.20 drop"@:>@, dnl rules_str 
++ @<:@"icmp"@:>@, dnl protocols ++ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl source ports ++ false dnl ICMP block inversion ++ )'dnl ++ ], 0, [stdout]) ++DBUS_FOOBAR_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)] ++export DBUS_FOOBAR_ZONE_OBJ ++ ++dnl Get Zones ++dnl ++DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl ++ [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)] ++]) ++DBUS_CHECK([config], [config.listZones], [], 0, [stdout]) ++NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl ++ sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] |dnl ++ while read LINE; do { echo "${LINE}" | grep ["^[0-9]\+$"] ; } || exit 1; done], 0, [ignore]) ++DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout]) ++NS_CHECK([sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] ./stdout | grep ["^[0-9]\+$"]], 0, [ignore]) ++ ++dnl Interfaces ++FWD_CHECK([-q --permanent --zone public --add-interface dummy2]) ++DBUS_CHECK([config], [config.getZoneOfInterface], ["dummy2"], 0, [dnl ++ ('public',) ++]) ++FWD_CHECK([-q --permanent --zone public --remove-interface dummy2]) ++ ++dnl Sources ++FWD_CHECK([-q --permanent --zone public --add-source 10.20.20.0/24]) ++DBUS_CHECK([config], [config.getZoneOfSource], ["10.20.20.0/24"], 0, [dnl ++ ('public',) ++]) ++FWD_CHECK([-q --permanent --zone public --remove-source 10.20.20.0/24]) ++ ++dnl #################### ++dnl Zone object APIs ++dnl #################### ++ ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl ++ (('1.0', dnl version ++ 'foobar', dnl short ++ 'foobar zone', dnl description ++ false, dnl bogus/unused ++ 'ACCEPT', dnl target ++ @<:@'ssh', 'mdns'@:>@, dnl services ++ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl ports ++ @<:@'echo-request'@:>@, dnl ICMP Blocks ++ true, dnl masquerade ++ @<:@('1234', 'tcp', '4321', ''), ('1234', 'udp', '4321', '10.10.10.10')@:>@, dnl forward ports ++ @<:@'dummy0', 
'dummy1'@:>@, dnl interfaces ++ @<:@'10.10.10.0/24'@:>@, dnl sources ++ @<:@'rule family="ipv4" source address="10.20.20.20" drop'@:>@, dnl rules_str ++ @<:@'icmp'@:>@, dnl protocols ++ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl source ports ++ false),) ++]) ++ ++dnl Verify update works ++dnl ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.update], [dnl ++ '("1.1", dnl version ++ "foobar v2", dnl short ++ "foobar zone updated", dnl description ++ false, dnl bogus/unused ++ "ACCEPT", dnl target ++ @<:@"ssh", "mdns", "samba"@:>@, dnl services ++ @<:@("1234", "tcp"), ("4444", "udp")@:>@, dnl ports ++ @<:@"echo-request", "echo-reply"@:>@, dnl ICMP Blocks ++ false, dnl masquerade ++ @<:@("1234", "tcp", "4321", "")@:>@, dnl forward ports ++ @<:@"dummy0", "dummy1", "dummy2"@:>@, dnl interfaces ++ @<:@"10.10.10.0/24", "10.20.0.0/16"@:>@, dnl sources ++ @<:@"rule family=ipv4 source address=10.20.20.20 reject"@:>@, dnl rules_str ++ @<:@"icmp", "ipv6-icmp"@:>@, dnl protocols ++ @<:@("1234", "tcp"), ("6666", "udp")@:>@, dnl source ports ++ true dnl ICMP block inversion ++ )'dnl ++ ], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl ++ (('1.1', dnl version ++ 'foobar v2', dnl short ++ 'foobar zone updated', dnl description ++ false, dnl bogus/unused ++ 'ACCEPT', dnl target ++ @<:@'ssh', 'mdns', 'samba'@:>@, dnl services ++ @<:@('1234', 'tcp'), ('4444', 'udp')@:>@, dnl ports ++ @<:@'echo-request', 'echo-reply'@:>@, dnl ICMP Blocks ++ false, dnl masquerade ++ @<:@('1234', 'tcp', '4321', '')@:>@, dnl forward ports ++ @<:@'dummy0', 'dummy1', 'dummy2'@:>@, dnl interfaces ++ @<:@'10.10.10.0/24', '10.20.0.0/16'@:>@, dnl sources ++ @<:@'rule family="ipv4" source address="10.20.20.20" reject'@:>@, dnl rules_str ++ @<:@'icmp', 'ipv6-icmp'@:>@, dnl protocols ++ @<:@('1234', 'tcp'), ('6666', 'udp')@:>@, dnl source ports ++ true),) ++]) ++ ++dnl Rename ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], 
[config.zone.rename], ["foobar-renamed"], 0, [ignore]) ++DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 0, [ignore]) ++ ++dnl Remove ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.remove], [], 0, [ignore]) ++DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 1, [ignore], [ignore]) ++ ++dnl Get a reference to the public zone. We'll use for the rest of the tests. ++DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout]) ++DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)] ++export DBUS_PUBLIC_ZONE_OBJ ++ ++dnl loadDefaults ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.loadDefaults], [], 0, [ignore]) ++ ++dnl Version ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl ++ ('',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setVersion], ["1.1"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl ++ ('1.1',) ++]) ++ ++dnl Short ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl ++ ('Public',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setShort], ["Public updated"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl ++ ('Public updated',) ++]) ++ ++dnl Description ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl ++ ('For use in public areas. You do not trust the other computers on networks to not harm your computer. 
Only selected incoming connections are accepted.',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setDescription], ["A shorter description."], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl ++ ('A shorter description.',) ++]) ++ ++dnl Target ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl ++ ('default',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setTarget], ["ACCEPT"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl ++ ('ACCEPT',) ++]) ++ ++dnl Interfaces ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addInterface], ["dummy0"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy0"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy1"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setInterfaces], [['["dummy0", "dummy1"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl ++ [(['dummy0', 'dummy1'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeInterface], ["dummy0"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl ++ [(['dummy1'],)] ++]) ++ ++dnl Sources ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSource], ["10.10.10.0/24"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.10.10.0/24"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.20.20.0/24"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSources], [['["10.10.10.0/24", "10.20.20.0/24"]']], 0, [ignore]) 
++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl ++ [(['10.10.10.0/24', '10.20.20.0/24'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSource], ["10.10.10.0/24"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl ++ [(['10.20.20.0/24'],)] ++]) ++ ++dnl Services ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addService], ["samba"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["samba"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["https"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setServices], [['["samba", "https"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl ++ [(['samba', 'https'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeService], ["samba"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl ++ [(['https'],)] ++]) ++ ++dnl Ports ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addPort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["4321" "udp"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setPorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl ++ [([('1234', 'tcp'), ('4321', 'udp')],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removePort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl 
++ [([('4321', 'udp')],)] ++]) ++ ++dnl Source Ports ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSourcePort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["4321" "udp"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSourcePorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl ++ [([('1234', 'tcp'), ('4321', 'udp')],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSourcePort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl ++ [([('4321', 'udp')],)] ++]) ++ ++dnl Forward Ports ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["1234" "tcp" "1111" ""], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["4321" "udp" "4444" "10.10.10.10"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setForwardPorts], [['[("1234", "tcp", "1111", ""), ("4321", "udp", "4444", "10.10.10.10")]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl ++ [([('1234', 'tcp', '1111', ''), ('4321', 'udp', '4444', '10.10.10.10')],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl ++ [([('4321', 'udp', '4444', '10.10.10.10')],)] ++]) ++ ++dnl Protocols 
++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addProtocol], ["icmp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["icmp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["igmp"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setProtocols], [['["icmp", "igmp"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl ++ [(['icmp', 'igmp'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeProtocol], ["icmp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl ++ [(['igmp'],)] ++]) ++ ++dnl Masquerade ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addMasquerade], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setMasquerade], [true], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl ++ [(true,)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeMasquerade], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl ++ [(false,)] ++]) ++ ++dnl ICMP Block ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlock], ["echo-reply"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-reply"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-request"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], 
[config.zone.setIcmpBlocks], [['["echo-reply", "echo-request"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl ++ [(['echo-reply', 'echo-request'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlock], ["echo-reply"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl ++ [(['echo-request'],)] ++]) ++ ++dnl ICMP Block Inversion ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlockInversion], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setIcmpBlockInversion], [true], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl ++ [(true,)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlockInversion], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl ++ [(false,)] ++]) ++ ++dnl Rich Rules ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.20.20.0/24 drop"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setRichRules], [['["rule family=ipv4 source address=10.10.10.0/24 accept", "rule family=ipv4 source address=10.20.20.0/24 drop"]']], 0, [ignore]) 
++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl ++ [(['rule family="ipv4" source address="10.10.10.0/24" accept', 'rule family="ipv4" source address="10.20.20.0/24" drop'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl ++ [(['rule family="ipv4" source address="10.20.20.0/24" drop'],)] ++]) ++ ++FWD_END_TEST([-e '/ERROR: INVALID_ZONE: foobar-renamed/d']) +-- +2.27.0 + diff --git a/SOURCES/0012-test-dbus-zone-verify-runtime-config-APIs.patch b/SOURCES/0012-test-dbus-zone-verify-runtime-config-APIs.patch new file mode 100644 index 0000000..e242232 --- /dev/null +++ b/SOURCES/0012-test-dbus-zone-verify-runtime-config-APIs.patch 
@@ -0,0 +1,328 @@ +From 069fbf5bda85526cdae9cf684a61c49d6961c065 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 9 Apr 2020 14:03:48 -0400 +Subject: [PATCH 12/45] test(dbus): zone: verify runtime config APIs + +(cherry picked from commit b1e7a3843f7c6dfc31ac3ac38cc938bd8ece7c6c) +(cherry picked from commit 2bc363979f3223ed0b98f027c96d8af7c3d79211) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_runtime_functional.at | 297 ++++++++++++++++++++++ + 2 files changed, 298 insertions(+) + create mode 100644 src/tests/dbus/zone_runtime_functional.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index 31c180dc3d3d..d9f7a2953131 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -4,3 +4,4 @@ m4_include([dbus/service.at]) + m4_include([dbus/zone_permanent_signatures.at]) + m4_include([dbus/zone_runtime_signatures.at]) + m4_include([dbus/zone_permanent_functional.at]) ++m4_include([dbus/zone_runtime_functional.at]) +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +new file mode 100644 +index 000000000000..d0098dfdff65 +--- /dev/null ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -0,0 +1,297 @@ ++FWD_START_TEST([dbus api - zone permanent functional]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_CHECK([], [getZoneSettings], ["public"], 0, [dnl ++ (('', dnl version ++ 'Public', dnl short ++ 'For use in public areas. You do not trust the other computers on networks to not harm your computer. 
Only selected incoming connections are accepted.', dnl description ++ false, dnl bogus/unused ++ 'default', dnl target ++ @<:@'ssh', 'dhcpv6-client', 'cockpit'@:>@, dnl services ++ @a(ss) @<:@@:>@, dnl ports ++ @as @<:@@:>@, dnl ICMP Blocks ++ false, dnl masquerade ++ @a(ssss) @<:@@:>@, dnl forward ports ++ @as @<:@@:>@, dnl interfaces ++ @as @<:@@:>@, dnl sources ++ @as @<:@@:>@, dnl rules_str ++ @as @<:@@:>@, dnl protocols ++ @a(ss) @<:@@:>@, dnl source ports ++ false),) ++]) ++ ++dnl Default Zone ++DBUS_CHECK([], [getDefaultZone], [], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [setDefaultZone], ['drop'], 0, [dnl ++ () ++]) ++DBUS_CHECK([], [getDefaultZone], [], 0, [dnl ++ ('drop',) ++]) ++ ++dnl Fetching Zones ++DBUS_CHECK([], [zone.getZones], [], 0, [dnl ++ [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)] ++]) ++FWD_CHECK([-q --zone public --add-interface dummy0]) ++FWD_CHECK([-q --zone public --add-source 10.1.1.1]) ++DBUS_CHECK([], [zone.getActiveZones], [], 0, [dnl ++ ['public': {'interfaces': ['dummy0'], 'sources': ['10.1.1.1']}] ++]) ++FWD_CHECK([-q --zone public --remove-interface dummy0]) ++FWD_CHECK([-q --zone public --remove-source 10.1.1.1]) ++ ++dnl Interfaces/Sources ++FWD_CHECK([-q --zone public --add-interface dummy1]) ++DBUS_CHECK([], [zone.getZoneOfInterface], ["dummy1"], 0, [dnl ++ ('public',) ++]) ++FWD_CHECK([-q --zone public --remove-interface dummy1]) ++FWD_CHECK([-q --zone drop --add-source 10.10.10.0/24]) ++DBUS_CHECK([], [zone.getZoneOfSource], ["10.10.10.0/24"], 0, [dnl ++ ('drop',) ++]) ++FWD_CHECK([-q --zone drop --remove-source 10.10.10.0/24]) ++ ++dnl #################### ++dnl Zone Individual APIs ++dnl #################### ++ ++dnl isImmutable ++DBUS_CHECK([], [zone.isImmutable], ["public"], 0, [dnl ++ (false,) ++]) ++ ++dnl Interfaces ++DBUS_CHECK([], [zone.addInterface], ["public" "dummy0"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.changeZone], ["drop" "dummy0"], 0, [dnl ++ 
('drop',) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.changeZoneOfInterface], ["public" "dummy0"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([], [zone.addInterface], ["public" "dummy1"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl ++ [(['dummy0', 'dummy1'],)] ++]) ++DBUS_CHECK([], [zone.removeInterface], ["public" "dummy0"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl ++ [(['dummy1'],)] ++]) ++ ++dnl Sources ++DBUS_CHECK([], [zone.addSource], ["public" "10.10.10.0/24"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.changeZoneOfSource], ["drop" "10.10.10.0/24"], 0, [dnl ++ ('drop',) ++]) ++DBUS_CHECK([], [zone.querySource], ["public" "10.10.10.0/24"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([], [zone.querySource], ["drop" "10.10.10.0/24"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.changeZoneOfSource], ["public" "10.10.10.0/24"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.addSource], ["public" "10.20.0.0/16"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl ++ [(['10.10.10.0/24', '10.20.0.0/16'],)] ++]) ++DBUS_CHECK([], [zone.removeSource], ["public" "10.10.10.0/24"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl ++ [(['10.20.0.0/16'],)] ++]) ++ ++dnl Services ++DBUS_CHECK([], [zone.addService], ["public" "samba" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.getServices], ["public"], 0, [dnl ++ [(['ssh', 'dhcpv6-client', 'cockpit', 'samba'],)] ++]) ++DBUS_CHECK([], [zone.removeService], 
["public" "samba"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl ++ (false,) ++]) ++ ++dnl Protocols ++DBUS_CHECK([], [zone.addProtocol], ["public" "icmp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.getProtocols], ["public"], 0, [dnl ++ [(['icmp'],)] ++]) ++DBUS_CHECK([], [zone.removeProtocol], ["public" "icmp"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl ++ (false,) ++]) ++ ++dnl Ports ++DBUS_CHECK([], [zone.addPort], ["public" "1234" "tcp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addPort], ["public" "4321" "udp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getPorts], ["public"], 0, [dnl ++ [([['1234', 'tcp'], ['4321', 'udp']],)] ++]) ++DBUS_CHECK([], [zone.removePort], ["public" "1234" "tcp"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl ++ (false,) ++]) ++ ++dnl Source Ports ++DBUS_CHECK([], [zone.addSourcePort], ["public" "1234" "tcp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addSourcePort], ["public" "4321" "udp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getSourcePorts], ["public"], 0, [dnl ++ [([['1234', 'tcp'], ['4321', 'udp']],)] ++]) ++DBUS_CHECK([], [zone.removeSourcePort], ["public" "1234" "tcp"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl ++ (false,) ++]) ++ ++dnl Forward Ports ++DBUS_CHECK([], [zone.addForwardPort], ["public" "1234" "tcp" "1111" "" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addForwardPort], ["public" "4321" 
"udp" "4444" "10.10.10.10" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getForwardPorts], ["public"], 0, [dnl ++ [([['1234', 'tcp', '1111', ''], ['4321', 'udp', '4444', '10.10.10.10']],)] ++]) ++DBUS_CHECK([], [zone.removeForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl ++ (false,) ++]) ++ ++dnl Masquerade ++DBUS_CHECK([], [zone.addMasquerade], ["public" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.removeMasquerade], ["public"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl ++ (false,) ++]) ++ ++dnl ICMP Block ++DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-reply" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-request" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getIcmpBlocks], ["public"], 0, [dnl ++ [(['echo-reply', 'echo-request'],)] ++]) ++DBUS_CHECK([], [zone.removeIcmpBlock], ["public" "echo-reply"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl ++ (false,) ++]) ++ ++dnl ICMP Block Inversion ++DBUS_CHECK([], [zone.addIcmpBlockInversion], ["public"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.removeIcmpBlockInversion], ["public"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl ++ (false,) ++]) ++ ++dnl Rich Rules ++DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl ++ (true,) ++]) 
++DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl ++ [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)] ++]) ++DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl ++ (false,) ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0013-fix-direct-rule-in-a-zone-chain.patch b/SOURCES/0013-fix-direct-rule-in-a-zone-chain.patch new file mode 100644 index 0000000..bc8d158 --- /dev/null +++ b/SOURCES/0013-fix-direct-rule-in-a-zone-chain.patch 
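Review bot: The expected services in the `getZoneSettings` check (`'ssh', 'dhcpv6-client', 'cockpit'`) and in the later `zone.getServices` check carry a downstream-only default that an upstream cherry-pick would not, and nothing in `zone_runtime_functional.at` marks the deviation, so the next rebase will silently re-conflict on exactly these lines. A `dnl RHEL only: 'cockpit' is in the public zone by default` comment above the first check would make the intent visible to whoever resolves that conflict. The same applies to any other test file in this series whose expected output was edited for the same reason.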
@@ -0,0 +1,45 @@
+From 54b9d3c0aab51a598162ccd58152861730b9cee7 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 29 Apr 2020 08:08:21 -0400
+Subject: [PATCH 13/45] fix(direct): rule in a zone chain
+
+Fixes: rhbz 1829104
+Fixes: 3c439c9008ad ("chore: eliminate FirewallZoneTransaction class")
+(cherry picked from commit f2941a82592b2ac6e9001b0d0f6c321fcb704005)
+(cherry picked from commit f1d8753487e99ed8b3b036df36bedb861db00e65)
+---
+ src/firewall/core/fw_zone.py | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 59c9401c1060..5677effab146 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -188,7 +188,7 @@ class FirewallZone(object):
+ if splits[1] not in self.get_zones():
+ return None
+ if len(splits) == 2 or \
+- (len(splits) == 3 and splits[2] in [ "log", "deny", "allow" ]):
++ (len(splits) == 3 and splits[2] in [ "pre", "log", "deny", "allow", "post" ]):
+ return (splits[1], _chain)
+ return None
+
+@@ -200,14 +200,12 @@ class FirewallZone(object):
+ x = self.zone_from_chain(chain)
+ if x is not None:
+ (_zone, _chain) = x
+-
+ if use_transaction is None:
+ transaction = self.new_transaction()
+ else:
+ transaction = use_transaction
+
+- self.gen_chain_rules(_zone, True, [(table, _chain)],
+- transaction)
++ self.gen_chain_rules(_zone, True, table, _chain, transaction)
+
+ if use_transaction is None:
+ transaction.execute(True)
+--
+2.27.0
+
diff --git a/SOURCES/0014-test-direct-rule-in-a-zone-chain.patch b/SOURCES/0014-test-direct-rule-in-a-zone-chain.patch
new file mode 100644
index 0000000..adceeda
--- /dev/null
+++ b/SOURCES/0014-test-direct-rule-in-a-zone-chain.patch
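Review bot: The suffix list `[ "pre", "log", "deny", "allow", "post" ]` in `zone_from_chain` is a hand-maintained copy of whatever set of per-zone sub-chains the chain generator creates, and the bug this fixes (rhbz 1829104) is precisely the two drifting apart when `pre`/`post` were introduced. Lifting the set to one module-level constant, e.g. `ZONE_CHAIN_SUFFIXES = ("pre", "log", "deny", "allow", "post")`, read by both the generator and this check, would stop the next drift. The `gen_chain_rules(_zone, True, table, _chain, transaction)` call would also benefit from a one-line comment saying why a direct rule forces chain creation — presumably so the rule has an existing chain to land in — since that is not obvious from the name. Both enclosing methods start outside the hunk.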
@@ -0,0 +1,88 @@ +From 162e697cf86947e7ff54a05570146b5b75321e97 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 29 Apr 2020 08:00:35 -0400 +Subject: [PATCH 14/45] test(direct): rule in a zone chain + +Coverage for rhbz 1829104. + +(cherry picked from commit f88617bb205c6891d4f9c1d5231ddf356a3bd59f) +(cherry picked from commit c9f519adea34ec29e262713a543f2b086fb9ffa7) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1829104.at | 55 +++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+) + create mode 100644 src/tests/regression/rhbz1829104.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 2528ddd3fede..c3a5706c6406 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -28,3 +28,4 @@ m4_include([regression/gh567.at]) + m4_include([regression/rhbz1779835.at]) + m4_include([regression/gh330.at]) + m4_include([regression/gh599.at]) ++m4_include([regression/rhbz1829104.at]) +diff --git a/src/tests/regression/rhbz1829104.at b/src/tests/regression/rhbz1829104.at +new file mode 100644 +index 000000000000..45659eb3c3df +--- /dev/null ++++ b/src/tests/regression/rhbz1829104.at +@@ -0,0 +1,55 @@ ++m4_if(iptables, FIREWALL_BACKEND, [ ++FWD_START_TEST([direct rule in zone chain]) ++AT_KEYWORDS(direct rhbz1829104) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_post 0 -s 10.10.10.0/24 ! 
-d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_post 0 -s 10.10.10.0/24 ! 
-d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_post 0 -s 10.10.10.0/24 ! 
-d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_END_TEST ++]) +-- +2.27.0 + diff --git a/SOURCES/0015-fix-client-addService-needs-to-reduce-tuple-size.patch b/SOURCES/0015-fix-client-addService-needs-to-reduce-tuple-size.patch new file mode 100644 index 0000000..3d437f2 --- /dev/null +++ b/SOURCES/0015-fix-client-addService-needs-to-reduce-tuple-size.patch @@ -0,0 +1,36 @@ +From 1eb5d5c57edb6e35895fa4ae4314f652da423d92 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 24 Apr 2020 11:27:10 -0400 +Subject: [PATCH 15/45] fix(client): addService needs to reduce tuple size + +The dbus API only allows 8 elements. Reduce the tuple to the correct +size as it's common for clients to do + + settings = FirewallClientServiceSettings() + [..] + addService(settings.settings) + +(cherry picked from commit e2ab8a6e584e6ba2adb0a5e0a13fbb6d7eb39b0c) +(cherry picked from commit 3eae583907a953b71df16747bbabefd24fbdc3ab) +--- + src/firewall/client.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/client.py b/src/firewall/client.py +index efe5d7db1273..ea27c0186509 100644 +--- a/src/firewall/client.py ++++ b/src/firewall/client.py +@@ -2488,7 +2488,9 @@ class FirewallClientConfig(object): + elif type(settings) is dict: + path = self.fw_config.addService2(name, settings) + else: +- path = self.fw_config.addService(name, tuple(settings)) ++ # tuple based dbus API has 8 elements. Slice what we're given down ++ # to the expected size. ++ path = self.fw_config.addService(name, tuple(settings[:8])) + return FirewallClientConfigService(self.bus, path) + + # icmptype +-- +2.27.0 + diff --git a/SOURCES/0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch b/SOURCES/0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch new file mode 100644 index 0000000..64de7d7 --- /dev/null +++ b/SOURCES/0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch 
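Review bot: Every `FWD_CHECK` in `rhbz1829104.at` asserts only the exit status of `--direct --add-rule`, so the test shows that the zone-chain lookup no longer errors but not that the rule actually lands in the named sub-chain. A `--direct --query-rule` with the same arguments after at least one of the adds, or a listing of one chain, would pin the behaviour the fix is meant to restore. The `m4_if(iptables, FIREWALL_BACKEND, ...)` guard looks right — the `PRE_public`-style chain names presumably exist only with the iptables backend — but a `dnl` line stating that would spare the next reader the inference.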
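Review bot: `tuple(settings[:8])` silently discards any trailing fields a caller placed in a newer-style settings list; the commit message treats this as expected, but a client that populated those fields gets a service written without them and no signal that it happened. If `client.py` has a logger, a warning when `len(settings) > 8`, or a sentence in the `addService` docstring saying that fields beyond the first eight are only honoured through the dict form handled by `addService2`, would make the truncation discoverable. The enclosing method starts outside the hunk.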
@@ -0,0 +1,36 @@ +From c9fccec891a3cd454ad7179ee3871f630b635b47 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 20 Apr 2020 16:45:02 -0400 +Subject: [PATCH 16/45] test(dbus): zone: fix false failure due to list order + +Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs") +(cherry picked from commit 8ca79abf32fd609b10b88482c89ee0c9c9711718) +(cherry picked from commit 86feb18448794b58f2725484083ead9ddc0bc451) +--- + src/tests/dbus/zone_runtime_functional.at | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +index d0098dfdff65..f48d97897cd9 100644 +--- a/src/tests/dbus/zone_runtime_functional.at ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -281,11 +281,14 @@ DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10 + DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl + (true,) + ]) ++DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl ++ [(['rule family="ipv4" source address="10.10.10.10" accept'],)] ++]) + DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl + ('public',) + ]) +-DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl +- [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)] ++DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept"], 0, [dnl ++ (true,) + ]) + DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl + ('public',) +-- +2.27.0 + diff --git a/SOURCES/0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch b/SOURCES/0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch new file mode 100644 index 0000000..d68d668 --- /dev/null 
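Review bot: Replacing the two-rule `zone.getRichRules` assertion with a second `queryRichRule` removes the only check that `getRichRules` returns more than one rule; as far as this hunk shows, the API is now exercised only with a single rule in place. The order-dependent failure could instead be kept as an assertion by checking both rules in a form that tolerates ordering, or by keeping the two-rule check but comparing against the order the daemon actually preserves if that order is deterministic. A short `dnl` note explaining that the list order is not guaranteed would tell the next person why the multi-rule check is absent.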
+++ b/SOURCES/0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch @@ -0,0 +1,26 @@ +From 9bdee2d94d0fadde8c40d7742176089bed602213 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 24 Apr 2020 13:50:10 -0400 +Subject: [PATCH 17/45] test(dbus): zone: fix zone runtime functional test + title + +Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs") +(cherry picked from commit 72191394919d1d69a40e258227dbbc3ee3e0285e) +(cherry picked from commit d0713c7b04ac430adb4855078e91fa62b2c79486) +--- + src/tests/dbus/zone_runtime_functional.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +index f48d97897cd9..bb0798abe7da 100644 +--- a/src/tests/dbus/zone_runtime_functional.at ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -1,4 +1,4 @@ +-FWD_START_TEST([dbus api - zone permanent functional]) ++FWD_START_TEST([dbus api - zone runtime functional]) + AT_KEYWORDS(dbus zone gh586) + + dnl #################### +-- +2.27.0 + diff --git a/SOURCES/0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch b/SOURCES/0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch new file mode 100644 index 0000000..a489d03 --- /dev/null +++ b/SOURCES/0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch 
@@ -0,0 +1,55 @@ +From 6112ab6a515ac5813e8b4027976a6dc651647f07 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 16 Apr 2020 15:40:49 -0400 +Subject: [PATCH 18/45] fix(doc): dbus: signatures for zone tuple based APIs + +Fixes: 26e23b8cd945 ("firewall.core.io.zone: New icmp block inversion flag") +(cherry picked from commit 7fbc6f6204a342f5ae92f10923093d2381c9b0ac) +(cherry picked from commit 13edc3137fc3b9ed36207009621dda437a8f87df) +--- + doc/xml/firewalld.dbus.xml | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 77ad77c01675..1625b9d50576 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -274,7 +274,7 @@ + + + +- getZoneSettings(s: zone) → (sssbsasa(ss)asba(ssss)asasasasa(ss)) ++ getZoneSettings(s: zone) → (sssbsasa(ss)asba(ssss)asasasasa(ss)b) + + + Return runtime settings of given zone. +@@ -2338,7 +2338,7 @@ + + + +- addZone(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) → o ++ addZone(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) → o + + + Add zone with given settings into permanent configuration. +@@ -3810,7 +3810,7 @@ + + + +- getSettings() → (sssbsasa(ss)asba(ssss)asasasasa(ss)) ++ getSettings() → (sssbsasa(ss)asba(ssss)asasasasa(ss)b) + + + Return permanent settings of given zone. +@@ -4309,7 +4309,7 @@ + + + +- update((sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) → Nothing ++ update((sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) → Nothing + + + Update settings of zone to settings. +-- +2.27.0 + diff --git a/SOURCES/0019-fix-config-bool-values-in-dict-based-import-export.patch b/SOURCES/0019-fix-config-bool-values-in-dict-based-import-export.patch new file mode 100644 index 0000000..9fc68d3 --- /dev/null +++ b/SOURCES/0019-fix-config-bool-values-in-dict-based-import-export.patch 
@@ -0,0 +1,29 @@
+From cc9d8ac3501b1dc64d6b48990792a06637d69314 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 17 Apr 2020 14:45:16 -0400
+Subject: [PATCH 19/45] fix(config): bool values in dict based import/export
+
+Always export bool values.
+
+(cherry picked from commit ae4b9b44ed8e9e62f47846f7032c19b559e3d7ad)
+(cherry picked from commit 88016dc40ba2e119fe04e54724fb432404d7e8c1)
+---
+ src/firewall/core/io/service.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
+index cf343fe0ce93..0387b6c798b0 100644
+--- a/src/firewall/core/io/service.py
++++ b/src/firewall/core/io/service.py
+@@ -96,7 +96,7 @@ class Service(IO_Object):
+ conf = {}
+ type_formats = dict([(x[0], x[1]) for x in self.IMPORT_EXPORT_STRUCTURE])
+ for key in type_formats:
+- if getattr(self, key):
++ if getattr(self, key) or isinstance(getattr(self, key), bool):
+ conf[key] = copy.deepcopy(getattr(self, key))
+ return conf
+
+--
+2.27.0
+
diff --git a/SOURCES/0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch b/SOURCES/0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch
new file mode 100644
index 0000000..7d1249c
--- /dev/null
+++ b/SOURCES/0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch
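Review bot: `getattr(self, key)` is now evaluated three times per key across the changed line and the one below it; binding it once, `value = getattr(self, key)` / `if value or isinstance(value, bool):` / `conf[key] = copy.deepcopy(value)`, reads more clearly and avoids repeating the attribute lookup. The fix touches only `Service.export_config`; if the other IO_Object subclasses (zone, ipset, helper, icmptype — not visible here) use the same `if getattr(self, key):` pattern, a False-valued bool field is still silently dropped from their exports, so they are worth checking in the same pass. The enclosing method starts outside the hunk.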
@@ -0,0 +1,39 @@
+From 8d48dfee165ad41ed2d235dc3772c5b588a75521 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 4 May 2020 10:48:10 -0400
+Subject: [PATCH 20/45] fix(dbus): service: don't cleanup config for old set
+ APIs
+
+This avoids them from unknowingly wiping away config that the old APIs
+are unaware of.
+
+Fixes: 335a68c1bba5 ("fix: dbus: fix service API break")
+(cherry picked from commit 11bd8742158b2b3c9b0412a9ca1cb9ada7fd6fd7)
+(cherry picked from commit faa5822d8073336bed29e12b7cc73bedfa4811b7)
+---
+ src/firewall/core/fw_config.py | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_config.py b/src/firewall/core/fw_config.py
+index 8f29f0c416d2..35f623f2c8f1 100644
+--- a/src/firewall/core/fw_config.py
++++ b/src/firewall/core/fw_config.py
+@@ -566,7 +566,6 @@ class FirewallConfig(object):
+
+ if obj.builtin:
+ x = copy.copy(obj)
+- x.cleanup()
+ x.import_config(conf_dict)
+ x.path = config.ETC_FIREWALLD_SERVICES
+ x.builtin = False
+@@ -576,7 +575,6 @@ class FirewallConfig(object):
+ service_writer(x)
+ return x
+ else:
+- obj.cleanup()
+ obj.import_config(conf_dict)
+ service_writer(obj)
+ return obj
+--
+2.27.0
+
diff --git a/SOURCES/0021-test-gh509-only-run-test-for-nftables-backend.patch b/SOURCES/0021-test-gh509-only-run-test-for-nftables-backend.patch
new file mode 100644
index 0000000..8f05bb7
--- /dev/null
+++ b/SOURCES/0021-test-gh509-only-run-test-for-nftables-backend.patch
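Review bot: Removing `x.cleanup()` right after `x = copy.copy(obj)` leaves `x` a shallow copy whose list/dict attributes are still shared with the builtin `obj`; if `import_config` updates those containers in place rather than rebinding them, the in-memory builtin service is modified as a side effect of writing the override, which cleanup() presumably used to prevent by resetting them. Worth confirming that import_config assigns fresh containers, or switching this line to `x = copy.deepcopy(obj)`. In the `else` branch the same question applies to `obj.import_config(conf_dict)`: since it now merges onto existing state, list-valued fields must be replaced rather than appended, otherwise repeated calls through the old set APIs accumulate ports and modules. The enclosing method starts outside the hunk.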
@@ -0,0 +1,33 @@ +From b33d40f277444f0af0f780b68389af4098ab639b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 6 Jan 2020 15:38:28 -0500 +Subject: [PATCH 21/45] test(gh509): only run test for nftables backend + +The test wipes the config and therefore restarts with defaults (e.g. +the nftables backend). Some hosts under test may not have nftables +available so the test will fail. Only use the test if FIREWALL_BACKEND +is nftables. + +(cherry picked from commit 61140a7ed9d6b26cd030d366eb7c9111a3ad45df) +(cherry picked from commit 4d3907862535298e6f8b6bc566bdce10a86647bc) +--- + src/tests/regression/gh509.at | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/regression/gh509.at b/src/tests/regression/gh509.at +index 00cc51c9c51f..1c151066c2bb 100644 +--- a/src/tests/regression/gh509.at ++++ b/src/tests/regression/gh509.at +@@ -1,3 +1,4 @@ ++m4_if(nftables, FIREWALL_BACKEND, [ + FWD_START_TEST([missing firewalld.conf file]) + AT_KEYWORDS(gh509) + +@@ -12,3 +13,4 @@ FWD_RESTART + FWD_END_TEST([-e '/ERROR: Failed to load/d' dnl + -e '/WARNING:.*No such file or directory:.*/d' dnl + -e '/WARNING: Using fallback firewalld configuration settings/d']) ++]) +-- +2.27.0 + diff --git a/SOURCES/0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch b/SOURCES/0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch new file mode 100644 index 0000000..0e7b49b --- /dev/null +++ b/SOURCES/0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch 
@@ -0,0 +1,29 @@ +From ab514ea71dcc69abd910790822d67e2854ad54c7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 12 May 2020 09:12:46 -0400 +Subject: [PATCH 22/45] test(ipv6): skip square bracket address tests if ipv6 + not available + +Fixes: ff9cd7a4c618 ("test: ipset: coverage for ipv6 addresses with brackets") +(cherry picked from commit fc626b34171a71f500fac31b9f2929b009993b98) +(cherry picked from commit bd98ef1f5660dc83c5179d4c6204cf62ba985122) +--- + src/tests/regression/rhbz1779835.at | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/regression/rhbz1779835.at b/src/tests/regression/rhbz1779835.at +index 37d1afc990ab..8de5c0353b6e 100644 +--- a/src/tests/regression/rhbz1779835.at ++++ b/src/tests/regression/rhbz1779835.at +@@ -1,6 +1,8 @@ + FWD_START_TEST([ipv6 address with brackets]) + AT_KEYWORDS(rhbz1779835 ipset zone forward_port rich) + ++IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])]) ++ + dnl ipset + FWD_CHECK([-q --permanent --new-ipset=foobar --type=hash:ip --family=inet6]) + FWD_CHECK([[-q --permanent --ipset foobar --add-entry='[1234::4321]']]) +-- +2.27.0 + diff --git a/SOURCES/0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch b/SOURCES/0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch new file mode 100644 index 0000000..be44967 --- /dev/null +++ b/SOURCES/0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch 
@@ -0,0 +1,34 @@
+From 4a94fcfa0450b653c579118678da409b0f449259 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 12 May 2020 09:34:12 -0400
+Subject: [PATCH 23/45] fix(ipset): flush the set if IndividiualCalls=yes
+
+Make sure we flush the set when creating. Otherwise a pre-existing set
+may have stale entries.
+
+Fixes: 81d784f8c856 ("test: ipset: verify clean up on exit/reload")
+(cherry picked from commit fab381045990f1c994d60c3f7c5813c576e60af1)
+(cherry picked from commit a512e55190210ecba57f0ccfda88d39ac3151d13)
+---
+ src/firewall/core/fw_ipset.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index 68f016ba2222..90b24c6264c0 100644
+--- a/src/firewall/core/fw_ipset.py
++++ b/src/firewall/core/fw_ipset.py
+@@ -117,6 +117,11 @@ class FirewallIPSet(object):
+ # no entries visible for ipsets with timeout
+ continue
+
++ try:
++ backend.set_flush(obj.name)
++ except Exception as msg:
++ raise FirewallError(errors.COMMAND_FAILED, msg)
++
+ for entry in obj.entries:
+ try:
+ backend.set_add(obj.name, entry)
+--
+2.27.0
+
diff --git a/SOURCES/0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch b/SOURCES/0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch
new file mode 100644
index 0000000..4082a98
--- /dev/null
+++ b/SOURCES/0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch
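Review bot: The new `backend.set_flush(obj.name)` is placed after the `continue` for ipsets with a timeout, so a pre-existing set of that kind is never flushed here and keeps whatever stale entries it holds until they time out, which is the situation the commit message says it wants to avoid. If skipping timeout sets is deliberate, a comment on the `continue` line such as `# sets with a timeout are neither flushed nor repopulated here` would make that explicit; otherwise the flush block should move above the timeout check. The `except Exception as msg` / `raise FirewallError(errors.COMMAND_FAILED, msg)` wrapping matches the set_add loop below, so nothing to change there. The enclosing method starts outside the hunk.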
@@ -0,0 +1,64 @@ +From 729936737ae3588d5b79c9f00760a2228586338b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 12 May 2020 08:25:07 -0400 +Subject: [PATCH 24/45] test(dbus): better way to check IPv6_rpfilter expected + value + +(cherry picked from commit 42e349f57a41305354871ca0c0d08fcf800a2fe3) +(cherry picked from commit a79695be7243802b49c5bdb131c231b1ef8a9350) +--- + src/tests/dbus/firewalld.conf.at | 24 +++++++----------------- + 1 file changed, 7 insertions(+), 17 deletions(-) + +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 4eefa3286f9f..1c957957b3da 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -1,8 +1,13 @@ + FWD_START_TEST([firewalld.conf]) + AT_KEYWORDS(dbus) + +-dnl Verify defaults over dbus. Should be inline with default firewalld.conf. + IF_HOST_SUPPORTS_NFT_FIB([ ++ EXPECTED_IPV6_RPFILTER_VALUE=yes ++], [ ++ EXPECTED_IPV6_RPFILTER_VALUE=no ++]) ++ ++dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
+ DBUS_GETALL([config], [config], 0, [dnl + string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" +@@ -10,28 +15,13 @@ string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" + string "FirewallBackend" : variant string "nftables" + string "FlushAllOnReload" : variant string "yes" +-string "IPv6_rpfilter" : variant string "yes" +-string "IndividualCalls" : variant string "no" +-string "Lockdown" : variant string "no" +-string "LogDenied" : variant string "off" +-string "MinimalMark" : variant int32 100 +-string "RFC3964_IPv4" : variant string "yes" +-])], [ +-DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "yes" +-string "AutomaticHelpers" : variant string "no" +-string "CleanupOnExit" : variant string "no" +-string "DefaultZone" : variant string "public" +-string "FirewallBackend" : variant string "nftables" +-string "FlushAllOnReload" : variant string "yes" +-string "IPv6_rpfilter" : variant string "no" ++string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"]) + string "IndividualCalls" : variant string "no" + string "Lockdown" : variant string "no" + string "LogDenied" : variant string "off" + string "MinimalMark" : variant int32 100 + string "RFC3964_IPv4" : variant string "yes" + ]) +-]) + + m4_define([_helper], [ + DBUS_SET([config], [config], [string:"$1" $2], 0, ignore) +-- +2.27.0 + diff --git a/SOURCES/0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch b/SOURCES/0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch new file mode 100644 index 0000000..ed68b54 --- /dev/null +++ b/SOURCES/0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch 
@@ -0,0 +1,47 @@ +From 571c32c466f0516d0543926828ce49b004ce584f Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 11 May 2020 17:19:12 -0400 +Subject: [PATCH 25/45] test(functions): add macro + IF_HOST_SUPPORTS_NFT_RULE_INDEX + +(cherry picked from commit 735eb589b2a18129b2b8a9d4dfe8b9375757619a) +(cherry picked from commit cda25d11a9e333ee5cdd9d7e084e7075cb1550bb) +--- + src/tests/functions.at | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 8f5ceba4d3f2..f83720595d2f 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -598,3 +598,27 @@ m4_define([NMCLI_CHECK], [ + NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])], + [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6]) + ]) ++ ++m4_define([IF_HOST_SUPPORTS_NFT_RULE_INDEX], [ ++ m4_if(nftables, FIREWALL_BACKEND, [ ++ AT_DATA([./nft_rule_index.nft], [ ++ add table inet firewalld_check_rule_index ++ add chain inet firewalld_check_rule_index foobar { type filter hook input priority 0 ; } ++ add rule inet firewalld_check_rule_index foobar tcp dport 1234 accept ++ add rule inet firewalld_check_rule_index foobar accept ++ insert rule inet firewalld_check_rule_index foobar index 1 udp dport 4321 accept ++]) ++ NS_CHECK([nft -f ./nft_rule_index.nft]) ++ ++ if test "$( NS_CMD([nft list chain inet firewalld_check_rule_index foobar | head -n 5 |tail -n 1 | TRIM_WHITESPACE]) )" = "udp dport 4321 accept"; then ++ : ++ $1 ++ else ++ : ++ $2 ++ fi ++ ++ NS_CHECK([rm ./nft_rule_index.nft]) ++ NS_CHECK([nft delete table inet firewalld_check_rule_index]) ++ ], [$1]) ++]) +-- +2.27.0 + diff --git a/SOURCES/0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch b/SOURCES/0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch new file mode 100644 index 0000000..0c648f6 --- /dev/null +++ b/SOURCES/0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch 
@@ -0,0 +1,57 @@ +From 5e35e5d183773984bc69ff035e7f0c69cc99b282 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 11 May 2020 17:22:39 -0400 +Subject: [PATCH 26/45] test(functions): use IndividualCalls if host doesn't + support nft rule index + +(cherry picked from commit 5418d89006665e90f7f742bbdc9a551d9d9a1ca7) +(cherry picked from commit 4224d86814ac6aa80fbc58c2b6f8e53a89adcaba) +--- + src/tests/dbus/firewalld.conf.at | 8 +++++++- + src/tests/functions.at | 4 ++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 1c957957b3da..14d87767a267 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -7,6 +7,12 @@ IF_HOST_SUPPORTS_NFT_FIB([ + EXPECTED_IPV6_RPFILTER_VALUE=no + ]) + ++IF_HOST_SUPPORTS_NFT_RULE_INDEX([ ++ EXPECTED_INDIVIDUAL_CALLS_VALUE=no ++], [ ++ EXPECTED_INDIVIDUAL_CALLS_VALUE=yes ++]) ++ + dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
+ DBUS_GETALL([config], [config], 0, [dnl + string "AllowZoneDrifting" : variant string "yes" +@@ -16,7 +22,7 @@ string "DefaultZone" : variant string "public" + string "FirewallBackend" : variant string "nftables" + string "FlushAllOnReload" : variant string "yes" + string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"]) +-string "IndividualCalls" : variant string "no" ++string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"]) + string "Lockdown" : variant string "no" + string "LogDenied" : variant string "off" + string "MinimalMark" : variant int32 100 +diff --git a/src/tests/functions.at b/src/tests/functions.at +index f83720595d2f..1cde4997f920 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -221,6 +221,10 @@ m4_define([FWD_START_TEST], [ + fi + echo "kill $DBUS_PID" >> ./cleanup_late + ++ IF_HOST_SUPPORTS_NFT_RULE_INDEX([], [ ++ AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf]) ++ ]) ++ + FWD_START_FIREWALLD + ]) + ]) +-- +2.27.0 + diff --git a/SOURCES/0027-test-check-container-add-support-for-centos8-stream.patch b/SOURCES/0027-test-check-container-add-support-for-centos8-stream.patch new file mode 100644 index 0000000..992a86b --- /dev/null +++ b/SOURCES/0027-test-check-container-add-support-for-centos8-stream.patch 
@@ -0,0 +1,57 @@ +From 4c90b4a07d2b3f935f5ea8b4607a77f12b66d855 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 10 Dec 2019 10:34:16 -0500 +Subject: [PATCH 27/45] test(check-container): add support for centos8 stream + +(cherry picked from commit 47be9c516344243750b68d570c69e7a5c4022805) +(cherry picked from commit fdf7eb8c8d7b82e68c6488e4755568fd0a5442a1) +--- + src/tests/Makefile.am | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index 6be678146b99..b7556b30ecc8 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -48,7 +48,7 @@ $(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4 + $(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at + mv $@.tmp $@ + +-CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide ++CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide check-container-centos8-stream + + check-container-debian-sid-image: check-container-%-image: + (cd $(abs_top_srcdir) && { \ +@@ -76,11 +76,28 @@ check-container-fedora-rawhide-image: check-container-%-image: + echo "COPY . /tmp/firewalld"; \ + } | $(PODMAN) build -t firewalld-testsuite-$* -f - . ) + ++check-container-centos8-stream-image: check-container-%-image: ++ (cd $(abs_top_srcdir) && { \ ++ echo "FROM centos:8" && \ ++ echo "RUN dnf -y makecache" && \ ++ echo "RUN dnf -y install centos-release-stream" && \ ++ echo "RUN dnf -y install autoconf automake conntrack-tools desktop-file-utils \ ++ docbook-style-xsl file gettext glib2-devel intltool ipset \ ++ iptables iptables-ebtables nftables libtool libxml2 \ ++ libxslt make nftables python3-nftables python3-slip-dbus \ ++ python3-gobject-base diffutils procps-ng iproute which dbus-daemon \ ++ NetworkManager" && \ ++ echo "COPY . /tmp/firewalld"; \ ++ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . 
) ++ ++check-container-debian-sid: PYTHON=/usr/bin/python3 ++check-container-fedora-rawhide: PYTHON=/usr/bin/python3 ++check-container-centos8-stream: PYTHON=/usr/libexec/platform-python + $(CONTAINER_TARGETS): check-container-%: check-container-%-image + $(PODMAN) run -i --rm --privileged firewalld-testsuite-$* bash -c " \ + cd /tmp/firewalld && \ + ./autogen.sh && \ +- ./configure PYTHON=/usr/bin/python3 && \ ++ ./configure PYTHON=\"${PYTHON}\" && \ + make && \ + { make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" || \ + make -C src/tests check-local TESTSUITEFLAGS=\"--recheck --errexit --verbose\" ; } && \ +-- +2.27.0 + diff --git a/SOURCES/0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch b/SOURCES/0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch new file mode 100644 index 0000000..1ec83d5 --- /dev/null +++ b/SOURCES/0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch 
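Review bot: The new `check-container-centos8-stream-image` target builds from the floating `centos:8` tag, and the image is then run with `--privileged` by the shared `$(CONTAINER_TARGETS)` rule below it, so the test host executes whatever the registry currently serves under that tag; pinning the base by digest (`FROM centos@sha256:...`) would make the test image reproducible, and the same applies to the two existing image targets. The `dnf -y install` package list repeats the fedora-rawhide list almost verbatim and could be factored into a single Make variable shared by both targets. The `--privileged` flag and the unpinned tags of the other images are pre-existing and noted only for context.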
@@ -0,0 +1,33 @@ +From fe902f0be61bb0fe25418e5e13f7aa0131e042db Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 19 May 2020 13:24:25 -0400 +Subject: [PATCH 28/45] fix(firewall-offline-cmd): remove instances of "[P]" in + help text + +All commands are permanent. The "[P]" tag is unnecessary. + +(cherry picked from commit 32f7ea86eaf86705d8f52eeb1195e7549653fdce) +(cherry picked from commit 1a22a093088eb7cc23f3b6c4b4ba6fb3323902aa) +--- + src/firewall-offline-cmd.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in +index 98ca3e81ad7b..c0ad9ec8f64e 100755 +--- a/src/firewall-offline-cmd.in ++++ b/src/firewall-offline-cmd.in +@@ -168,9 +168,9 @@ IPSet Options + --ipset= --get-entries + List entries of an ipset + --ipset= --add-entries-from-file= +- Add a new entries to an ipset [P] ++ Add a new entries to an ipset + --ipset= --remove-entries-from-file= +- Remove entries from an ipset [P] ++ Remove entries from an ipset + + IcmpType Options + --new-icmptype= +-- +2.27.0 + diff --git a/SOURCES/0029-fix-rich-source-mac-with-nftables-backend.patch b/SOURCES/0029-fix-rich-source-mac-with-nftables-backend.patch new file mode 100644 index 0000000..a5d83b6 --- /dev/null +++ b/SOURCES/0029-fix-rich-source-mac-with-nftables-backend.patch 
@@ -0,0 +1,30 @@
+From 53e62b6640c2d52ca6385120e3215b18d4ea70bf Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 8 Jun 2020 14:58:50 -0400
+Subject: [PATCH 29/45] fix(rich): source mac with nftables backend
+
+Fixes: #643
+Fixes: rhbz 1843398
+Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
+(cherry picked from commit e255e7357358b5fe1593225e6bd995850421825a)
+(cherry picked from commit d78607ca4862a7b20551a98387ff285499d73440)
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 69ee63b32f8b..97b1cd9f7f1e 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1064,7 +1064,7 @@ class nftables(object):
+ if addr_field == "daddr":
+ raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
+ family = "ether"
+- if check_single_address("ipv4", address):
++ elif check_single_address("ipv4", address):
+ family = "ip"
+ elif check_address("ipv4", address):
+ family = "ip"
+--
+2.27.0
+
diff --git a/SOURCES/0030-test-rich-source-mac-with-nftables-backend.patch b/SOURCES/0030-test-rich-source-mac-with-nftables-backend.patch
new file mode 100644
index 0000000..cbc1f06
--- /dev/null
+++ b/SOURCES/0030-test-rich-source-mac-with-nftables-backend.patch
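Review bot: The `elif` fix is right, but the context line two above it, `raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))`, appears to pass the format string and its argument as two separate positional arguments instead of formatting them; if FirewallError takes only a code and a message, reaching this branch (a MAC address used with `daddr`) would raise a TypeError instead of the intended INVALID_RULE error. The intended line is presumably `raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()" % self.__class__)`. `_rule_addr_fragment` starts and ends outside the hunk, so the MAC check that guards these lines is not visible here.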
@@ -0,0 +1,42 @@ +From 8058fda3072600ce65851b43cd3422fe0acdecb4 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 8 Jun 2020 14:11:27 -0400 +Subject: [PATCH 30/45] test(rich): source mac with nftables backend + +With the nftables backend firewalld fails to add a rule that matches the +source mac address. + +(cherry picked from commit ef555fa1538b8df414fecaf400653fb0a95322db) +(cherry picked from commit a1fe0b082aec4ea5f175854412cd7ab4eef4e294) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1843398.at | 8 ++++++++ + 2 files changed, 9 insertions(+) + create mode 100644 src/tests/regression/rhbz1843398.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index c3a5706c6406..984d299bfd4e 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -29,3 +29,4 @@ m4_include([regression/rhbz1779835.at]) + m4_include([regression/gh330.at]) + m4_include([regression/gh599.at]) + m4_include([regression/rhbz1829104.at]) ++m4_include([regression/rhbz1843398.at]) +diff --git a/src/tests/regression/rhbz1843398.at b/src/tests/regression/rhbz1843398.at +new file mode 100644 +index 000000000000..4606e8497223 +--- /dev/null ++++ b/src/tests/regression/rhbz1843398.at +@@ -0,0 +1,8 @@ ++FWD_START_TEST([rich rule source mac]) ++AT_KEYWORDS(rich rhbz1843398 gh643) ++ ++FWD_CHECK([--permanent --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore]) ++FWD_CHECK([ --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore]) ++FWD_RELOAD ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0031-docs-README-add-libxslt-for-doc-generation.patch b/SOURCES/0031-docs-README-add-libxslt-for-doc-generation.patch new file mode 100644 index 0000000..32aaf12 --- /dev/null +++ b/SOURCES/0031-docs-README-add-libxslt-for-doc-generation.patch 
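Review bot: The new rhbz1843398 test only asserts that both `--add-rich-rule` calls exit 0 and that `FWD_RELOAD` succeeds; it never looks at what was generated, so a future regression that accepts the rule but emits a wrong or empty match would still pass. Adding a check of the stored rule, e.g. `FWD_CHECK([--list-rich-rules], 0, [dnl` followed by the expected `rule source mac="11:22:33:44:55:66" reject` line, and an nft rule listing check for the `ether saddr` match when the backend is nftables, would pin the behaviour the preceding fix restores. This is a test-only change, so the point is about its strength rather than its correctness.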
@@ -0,0 +1,27 @@ +From 944b49770943ec485212f2ca50d73231b7495d65 Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Wed, 10 Jun 2020 17:55:54 -0400 +Subject: [PATCH 31/45] docs(README): add libxslt for doc generation + +(cherry picked from commit 1e9638b07a9c740a4ab5128708f9a40acc2d4668) +(cherry picked from commit 32c7f4c7eeafa4298ca403f45db8fda49f01ed2e) +--- + README | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/README b/README +index 120543588540..7c00c3094949 100644 +--- a/README ++++ b/README +@@ -58,7 +58,7 @@ For use with Python 2: + To be able to create man pages and documentation from docbook files: + + docbook-style-xsl +- ++ libxslt + + Use the usual autoconf/automake incantation to generate makefiles + +-- +2.27.0 + diff --git a/SOURCES/0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch b/SOURCES/0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch new file mode 100644 index 0000000..3ecd0dc --- /dev/null +++ b/SOURCES/0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch 
@@ -0,0 +1,56 @@ +From d48ffab0a49db8c937bbd62b0b8b755b3dbca4a8 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 23 Jun 2020 13:39:49 -0400 +Subject: [PATCH 32/45] docs: replace occurrences of the term blacklist with + denylist + +(cherry picked from commit af3f7cd074f737c584a42cf1028f18e6fa597204) +(cherry picked from commit 621916b2dbb4cb04da4a0babc3b741202fd709b4) +--- + doc/xml/firewalld.direct.xml | 12 ++++++------ + src/firewall-config.glade | 2 +- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/doc/xml/firewalld.direct.xml b/doc/xml/firewalld.direct.xml +index de7b5973dd7f..d65b66f74513 100644 +--- a/doc/xml/firewalld.direct.xml ++++ b/doc/xml/firewalld.direct.xml +@@ -273,16 +273,16 @@ + Example + + +- Blacklisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table: ++ Denylisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table: + + + <?xml version="1.0" encoding="utf-8"?> + <direct> +- <chain ipv="ipv4" table="raw" chain="blacklist"/> +- <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule> +- <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule> +- <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule> +- <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule> ++ <chain ipv="ipv4" table="raw" chain="denylist"/> ++ <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j denylist</rule> ++ <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j denylist</rule> ++ <rule ipv="ipv4" table="raw" chain="denylist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "denylisted: "</rule> ++ <rule ipv="ipv4" table="raw" chain="denylist" priority="1">-j DROP</rule> + </direct> + + +diff --git 
a/src/firewall-config.glade b/src/firewall-config.glade +index 689433c47eca..6c057f66f401 100644 +--- a/src/firewall-config.glade ++++ b/src/firewall-config.glade +@@ -9761,7 +9761,7 @@ + + False + start +- For host or network white or blacklisting deactivate the element. ++ For host or network allow or denylisting deactivate the element. + True + 0 + 0 +-- +2.27.0 + diff --git a/SOURCES/0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch b/SOURCES/0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch new file mode 100644 index 0000000..b684962 --- /dev/null +++ b/SOURCES/0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch @@ -0,0 +1,31 @@ +From 542e44f2ba257b7f643770c9e2eedcf9a9f87c9c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Jun 2020 11:08:58 +0300 +Subject: [PATCH 33/45] fix: update dynamic DCE RPC ports in freeipa-trust + service + +Samba did change DCE RPC dynamic port range to 49152-65535 with version +4.7. + +Signed-off-by: Alexander Bokovoy +(cherry picked from commit 0753d6e653b804779f7301737809767f0d5cf9af) +(cherry picked from commit 88bbe05e5bdd510cc2544f2fb201186ef2abb8bb) +--- + config/services/freeipa-trust.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/services/freeipa-trust.xml b/config/services/freeipa-trust.xml +index 100cab614abe..315f69cce150 100644 +--- a/config/services/freeipa-trust.xml ++++ b/config/services/freeipa-trust.xml +@@ -9,6 +9,6 @@ + + + +- ++ + + +-- +2.27.0 + diff --git a/SOURCES/0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch b/SOURCES/0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch new file mode 100644 index 0000000..cc97cef --- /dev/null +++ b/SOURCES/0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch 
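Review bot: The changed `<port>` element of freeipa-trust.xml is not visible in this rendering, but per the commit message the service now opens the 49152-65535 dynamic DCE RPC range, i.e. 16384 TCP ports on every zone the service is bound to; that exposure should be stated in the service's `<description>` so administrators can weigh it, e.g. `The dynamic RPC port range 49152-65535 is opened for Samba 4.7 and later.` If trusts with older Samba peers still need the previous range, the description should say that too. The change itself is data-only, so there is nothing else to check in this hunk.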
@@ -0,0 +1,70 @@ +From 4b2fecb2288fdd345f98890f9c801b1e4e2a5474 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 25 Jun 2020 16:42:36 +0200 +Subject: [PATCH 34/45] fix: core: rich: Catch ValueError on non-numeric + priority values + +Be a bit more user-friendly by printing: + +| Error: INVALID_RULE: invalid 'priority' attribute value 'ab'. + +instead of Python's default, which is: + +| Error: invalid literal for int() with base 10: 'ab' + +Fixes: rhbz 1689429 +(cherry picked from commit 3a0e79b1cfe4344d21d30eb47c038252d728cc44) +(cherry picked from commit fa21382cc513cc0dba56ba085782a3e23c863afc) +--- + src/firewall/core/rich.py | 5 ++++- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1689429.at | 12 ++++++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + create mode 100644 src/tests/regression/rhbz1689429.at + +diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py +index dacaeb9c0b70..eb4a2d2d9669 100644 +--- a/src/firewall/core/rich.py ++++ b/src/firewall/core/rich.py +@@ -379,7 +379,10 @@ class Rich_Rule(object): + raise FirewallError(errors.INVALID_RULE, "'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead." % attr_value) + self.family = attr_value + elif attr_name == 'priority': +- self.priority = int(attr_value) ++ try: ++ self.priority = int(attr_value) ++ except ValueError: ++ raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value) + elif attr_name: + if attr_name == 'protocol': + err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'." 
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 984d299bfd4e..1c8f76afa87a 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -30,3 +30,4 @@ m4_include([regression/gh330.at]) + m4_include([regression/gh599.at]) + m4_include([regression/rhbz1829104.at]) + m4_include([regression/rhbz1843398.at]) ++m4_include([regression/rhbz1689429.at]) +diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at +new file mode 100644 +index 000000000000..5701607d660f +--- /dev/null ++++ b/src/tests/regression/rhbz1689429.at +@@ -0,0 +1,12 @@ ++FWD_START_TEST([rich rule invalid priority]) ++AT_KEYWORDS(rich rhbz1689429) ++ ++FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [], ++ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. ++]) ++FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [], ++ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. ++]) ++FWD_RELOAD ++ ++FWD_END_TEST([ignore]) +-- +2.27.0 + diff --git a/SOURCES/0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch b/SOURCES/0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch new file mode 100644 index 0000000..43519c9 --- /dev/null +++ b/SOURCES/0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch 
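Review bot: Catching ValueError gives a clean error, but `int()` is lenient: values such as `' 5'`, `'+5'` or, depending on the Python version, `'1_0'` are accepted and stored as `5`/`10`, so the priority the user wrote no longer matches what the rule re-exports as; if the textual form should be strict, guard with `attr_value.lstrip('-').isdigit()` or a regex before the conversion. Whether the parsed priority is also range-checked is not visible here and is worth confirming separately. The rhbz1689429 test exercises only the error path for both runtime and permanent, which matches the fix. The enclosing method starts and ends outside the hunk.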
@@ -0,0 +1,55 @@ +From 040621b36e72f63482cce6c4e4daefd8b982387c Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Tue, 23 Jun 2020 20:01:17 -0400 +Subject: [PATCH 35/45] fix(cli): add --zone is an invalid option with --direct + +Fixes: rhbz 1483921 +(cherry picked from commit 303f85fc35d230f6e1980996020011dd8c0c2041) +(cherry picked from commit e946d8c8f4717d269b9ca785cf124d83de7b723e) +--- + src/firewall-cmd.in | 3 +++ + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1483921.at | 8 ++++++++ + 3 files changed, 12 insertions(+) + create mode 100644 src/tests/regression/rhbz1483921.at + +diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in +index 317da5eab6e4..014f3884d64b 100755 +--- a/src/firewall-cmd.in ++++ b/src/firewall-cmd.in +@@ -962,6 +962,9 @@ if (a.direct and not options_direct) or (options_direct and not a.direct): + cmd.fail(parser.format_usage() + + "Wrong usage of 'direct' options.") + ++if a.zone and a.direct: ++ cmd.fail(parser.format_usage() + "--zone is an invalid option with --direct") ++ + if a.name and not (a.new_zone_from_file or a.new_service_from_file or \ + a.new_ipset_from_file or a.new_icmptype_from_file or \ + a.new_helper_from_file): +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 1c8f76afa87a..5241a11a830d 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -31,3 +31,4 @@ m4_include([regression/gh599.at]) + m4_include([regression/rhbz1829104.at]) + m4_include([regression/rhbz1843398.at]) + m4_include([regression/rhbz1689429.at]) ++m4_include([regression/rhbz1483921.at]) +diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at +new file mode 100644 +index 000000000000..d3dd60bc8faf +--- /dev/null ++++ b/src/tests/regression/rhbz1483921.at +@@ -0,0 +1,8 @@ ++FWD_START_TEST([direct zone]) ++ AT_KEYWORDS(direct rhbz1483921) ++ ++ FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule 
ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) ++ ++ FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) ++FWD_END_TEST ++ +-- +2.27.0 + diff --git a/SOURCES/0036-test-rhbz1483921-better-test-name.patch b/SOURCES/0036-test-rhbz1483921-better-test-name.patch new file mode 100644 index 0000000..8535140 --- /dev/null +++ b/SOURCES/0036-test-rhbz1483921-better-test-name.patch @@ -0,0 +1,29 @@ +From 23a0df223fdcb52b96aa0c68d5faabc5d645682d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 29 Jun 2020 14:48:00 -0400 +Subject: [PATCH 36/45] test(rhbz1483921): better test name + +Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct") +(cherry picked from commit a844f985f2d160b921ad65c87d91e795ef9a45cb) +(cherry picked from commit 48a97e77452dff84b542006f7e3a64434a993a48) +--- + src/tests/regression/rhbz1483921.at | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at +index d3dd60bc8faf..97939919f9af 100644 +--- a/src/tests/regression/rhbz1483921.at ++++ b/src/tests/regression/rhbz1483921.at +@@ -1,8 +1,7 @@ +-FWD_START_TEST([direct zone]) ++FWD_START_TEST([direct and zone mutually exclusive]) + AT_KEYWORDS(direct rhbz1483921) + + FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) + + FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) + FWD_END_TEST +- +-- +2.27.0 + diff --git a/SOURCES/0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch b/SOURCES/0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch new file mode 100644 index 0000000..b6fb921 --- /dev/null 
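Review bot: The other FWD_CHECK invocations on this page pass only the arguments, e.g. `FWD_CHECK([--permanent --add-rich-rule=...])`, which suggests the macro supplies the `firewall-cmd` prefix itself; if so, the two new checks actually run `firewall-cmd firewall-cmd --zone=public ...` and exit 2 on the stray positional argument, so they would pass even without the new `if a.zone and a.direct:` guard. Dropping the leading `firewall-cmd` from both FWD_CHECK lines makes the test exercise the guard. For consistency with the neighbouring `cmd.fail(...)` messages, the new message could also end with a period: `"--zone is an invalid option with --direct."`.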
+++ b/SOURCES/0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch 
@@ -0,0 +1,71 @@ +From 09b9f5a18dbe01d0d3ab9b0db721eadab5e38b35 Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Mon, 29 Jun 2020 17:34:46 -0400 +Subject: [PATCH 37/45] fix(cli): add ipset type hash:mac is incompatible with + the family parameter Fixes: rhbz1541077 + +(cherry picked from commit dddba7b9c276e9c58f6c2bc554c82252fa084eaf) +(cherry picked from commit 15f5691f0dbffcc1d4c1f42e77e79c6600db0d77) +--- + src/firewall-cmd.in | 3 +++ + src/firewall-offline-cmd.in | 3 +++ + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1541077.at | 9 +++++++++ + 4 files changed, 16 insertions(+) + create mode 100644 src/tests/regression/rhbz1541077.at + +diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in +index 014f3884d64b..b6c2f84f5a9e 100755 +--- a/src/firewall-cmd.in ++++ b/src/firewall-cmd.in +@@ -1074,6 +1074,9 @@ if a.permanent: + if not a.type: + cmd.fail(parser.format_usage() + "No type specified.") + ++ if a.type=='hash:mac' and a.family: ++ cmd.fail(parser.format_usage()+ "--family is not compatible with the hash:mac type") ++ + settings = FirewallClientIPSetSettings() + settings.setType(a.type) + if a.option: +diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in +index c0ad9ec8f64e..98c00548e3e5 100755 +--- a/src/firewall-offline-cmd.in ++++ b/src/firewall-offline-cmd.in +@@ -1577,6 +1577,9 @@ try: + if not a.type: + cmd.fail(parser.format_usage() + "No type specified.") + ++ if a.type=='hash:mac' and a.family: ++ cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type") ++ + settings = FirewallClientIPSetSettings() + settings.setType(a.type) + if a.option: +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 5241a11a830d..5c8aae7e64d3 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -32,3 +32,4 @@ m4_include([regression/rhbz1829104.at]) + m4_include([regression/rhbz1843398.at]) + 
m4_include([regression/rhbz1689429.at]) + m4_include([regression/rhbz1483921.at]) ++m4_include([regression/rhbz1541077.at]) +diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at +new file mode 100644 +index 000000000000..765ab0c6290b +--- /dev/null ++++ b/src/tests/regression/rhbz1541077.at +@@ -0,0 +1,9 @@ ++FWD_START_TEST([hash:mac and family mutually exclusive]) ++ AT_KEYWORDS(ipset rhbz1541077) ++ ++ FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++ ++ FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++ ++ FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch b/SOURCES/0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch new file mode 100644 index 0000000..a3083f7 --- /dev/null +++ b/SOURCES/0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch 
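Review bot: The new `hash:mac`/`--family` guard lives only in the two CLI front-ends; nothing in this hunk adds the same rule to the ipset settings object or the daemon-side ipset validation, so a client that talks to the D-Bus API directly still reaches the backend with that combination unless core validation already rejects it — worth confirming, and if not, the check belongs there rather than in each front-end. The two added lines also differ only in whitespace (`parser.format_usage()+ "--family` in firewall-cmd.in versus `parser.format_usage() + "--family` in firewall-offline-cmd.in), and `a.type=='hash:mac'` would read `a.type == 'hash:mac'` under the PEP 8 style the surrounding lines use. The enclosing `if a.permanent:` / `try:` blocks start and end outside the hunk.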
@@ -0,0 +1,42 @@ +From 15989f86b18c99d79b342e78a2c3bd26c4973868 Mon Sep 17 00:00:00 2001 +From: Vladislav Grigoryev <20725816+vgaetera@users.noreply.github.com> +Date: Tue, 23 Jun 2020 13:34:40 +0300 +Subject: [PATCH 38/45] fix(cli): unify indentation for forward-ports and rich + rules + +Unify indentation for forward-ports and rich rules in the CLI zone listing. +Do not insert redundant newlines when there are no forward-ports or rich rules. + +(cherry picked from commit 41df4088cd98f35adb3ac836143e7be34bb07a21) +(cherry picked from commit 809fc4b61321cd459dde65559af3dfbd73f4ce1e) +--- + src/firewall/command.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/command.py b/src/firewall/command.py +index c371dc23584c..8dee63bdda8f 100644 +--- a/src/firewall/command.py ++++ b/src/firewall/command.py +@@ -428,7 +428,7 @@ class FirewallCommand(object): + for port in ports])) + self.print_msg(" protocols: " + " ".join(sorted(protocols))) + self.print_msg(" masquerade: %s" % ("yes" if masquerade else "no")) +- self.print_msg(" forward-ports: " + ++ self.print_msg(" forward-ports: " + ("\n\t" if forward_ports else "") + + "\n\t".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % \ + (port, proto, toport, toaddr) + for (port, proto, toport, toaddr) in \ +@@ -437,8 +437,8 @@ class FirewallCommand(object): + " ".join(["%s/%s" % (port[0], port[1]) + for port in source_ports])) + self.print_msg(" icmp-blocks: " + " ".join(icmp_blocks)) +- self.print_msg(" rich rules: \n\t" + "\n\t".join( +- sorted(rules, key=rich_rule_sorted_key))) ++ self.print_msg(" rich rules: " + ("\n\t" if rules else "") + ++ "\n\t".join(sorted(rules, key=rich_rule_sorted_key))) + + def print_service_info(self, service, settings): + ports = settings.getPorts() +-- +2.27.0 + 
diff --git a/SOURCES/0039-improvement-service-IPsec-Update-description-and-add.patch b/SOURCES/0039-improvement-service-IPsec-Update-description-and-add.patch new file mode 100644 index 0000000..3db21b8 --- /dev/null +++ b/SOURCES/0039-improvement-service-IPsec-Update-description-and-add.patch 
@@ -0,0 +1,40 @@ +From 13442af85c144da1eff00cf193db118eb9afb498 Mon Sep 17 00:00:00 2001 +From: Paul Wouters +Date: Mon, 6 Jul 2020 20:43:05 -0400 +Subject: [PATCH 39/45] improvement(service): IPsec: Update description and add + TCP port 4500 + +IKE and IPsec over TCP is defined in RFC 8229. It specifically mentions +no ports to allow administrators to configure any port to prevent being +blocked by networks. + +However, most IKE/IPsec blocking seems to come from unwanted accidental +UDP blocks, so any TCP would usually ensures IPsec can still work on +such networks. The default is therefor to pick the same TCP port as IKE +and IPsec over UDP uses, port 4500. + +(cherry picked from commit 8c4fb4f658719cfb58bacae9e6e82c8e82c3465d) +(cherry picked from commit 0e2733a5b052a4a1d5e1f6f34bca1ff3760948f1) +--- + config/services/ipsec.xml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/config/services/ipsec.xml b/config/services/ipsec.xml +index 9e70acb40003..824f1f3e539f 100644 +--- a/config/services/ipsec.xml ++++ b/config/services/ipsec.xml +@@ -1,9 +1,10 @@ + + + IPsec +- Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option. ++ Internet Protocol Security (IPsec) is the standarized IETF VPN architecture defined in RFC 4301. IPsec is negotiated using the IKEv1 (RFC 2409) or IKEv2 (RFC 7296) protocol, which in itself uses encryption and authentication. IPsec provides Internet Protocol (IP) packet encryption and authentication. Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229 to make it easier to traverse NAT. Enabling this service will enable IKE, IPsec and their encapsulation protocols and ports. 
Note that IKE and IPsec can also be configured to use non-default ports, but this is not common practise. + + + + ++ + +-- +2.27.0 + diff --git a/SOURCES/0040-fix-rich-nftables-log-level-warning.patch b/SOURCES/0040-fix-rich-nftables-log-level-warning.patch new file mode 100644 index 0000000..78a8859 --- /dev/null +++ b/SOURCES/0040-fix-rich-nftables-log-level-warning.patch @@ -0,0 +1,30 @@ +From f32a3617acd884f0a1af8e648fe09fa17ac24193 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 21 Jul 2020 15:33:37 -0400 +Subject: [PATCH 40/45] fix(rich): nftables: log level "warning" + +nftables wants the "warn" keyword not "warning". + +(cherry picked from commit f622e65783c4d9f6969701a799d13cb8486d1c0f) +(cherry picked from commit 995cde22cced261c558ecad523befe62eb878d05) +--- + src/firewall/core/nftables.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 97b1cd9f7f1e..85c790b5b51e 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -993,7 +993,8 @@ class nftables(object): + if rich_rule.log.prefix: + log_options["prefix"] = "%s" % rich_rule.log.prefix + if rich_rule.log.level: +- log_options["level"] = "%s" % rich_rule.log.level ++ level = "warn" if "warning" == rich_rule.log.level else rich_rule.log.level ++ log_options["level"] = "%s" % level + + rule = {"family": "inet", + "table": TABLE_NAME, +-- +2.27.0 + diff --git a/SOURCES/0041-fix-rich-icmptypes-with-one-family.patch b/SOURCES/0041-fix-rich-icmptypes-with-one-family.patch new file mode 100644 index 0000000..fd13a1a --- /dev/null +++ b/SOURCES/0041-fix-rich-icmptypes-with-one-family.patch 
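Review bot: The new service description has wording errors that will ship as user-facing text: "standarized" should be "standardized", the parenthesis opened at "TCP (RFC 8229" is never closed, and "practise" should be "practice"; the sentence reads cleanly as "Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229) to make it easier to traverse NAT." The port element this patch adds is not visible in this rendering (the diffstat shows two insertions, one of which should be the TCP/4500 port entry), so its syntax could not be checked here. Because the ipsec service previously opened only UDP and the ESP/AH protocols, every host that already has `ipsec` enabled will expose an additional listening TCP port after this upgrade; that behavioural change deserves a line in the package changelog.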
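Review bot: The new line maps only `warning` to nftables' `warn`; if the rich-rule parser also accepts the syslog spelling `error` (the level iptables understands, listed next to `warning` in the usual level set), the same mismatch remains for it, because nftables spells that level `err`. A small translation table covers both and keeps the special case out of the rule-building code: `NFT_LOG_LEVELS = {"warning": "warn", "error": "err"}` at module level, then `log_options["level"] = NFT_LOG_LEVELS.get(rich_rule.log.level, rich_rule.log.level)` in place of the two added lines. The enclosing method continues outside the hunk.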
@@ -0,0 +1,85 @@ +From 5acbdc31a56f4b680323ba7aa92383da9e9f25fa Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 22 Jul 2020 09:18:42 -0400 +Subject: [PATCH 41/45] fix(rich): icmptypes with one family + +They were mistakenly being added to both families which fails. + +Fixes: rhbz 1855140 +(cherry picked from commit 0112e36c4e225504b15a1feef3d453a757a00b21) +(cherry picked from commit bd61af7db6f92d48a79fb1e84405aef4f522ffbf) +--- + src/firewall/core/fw_zone.py | 26 +++++++++++--------------- + src/firewall/core/nftables.py | 2 +- + 2 files changed, 12 insertions(+), 16 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 5677effab146..b9fe1f6aae97 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1522,14 +1522,17 @@ class FirewallZone(object): + transaction.add_rules(backend, rules) + + def _rule_prepare(self, enable, zone, rule, transaction): +- if rule.family is not None: ++ ipvs = [] ++ if rule.family: + ipvs = [ rule.family ] +- else: +- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] ++ elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)): ++ ict = self._fw.icmptype.get_icmptype(rule.element.name) ++ if ict.destination: ++ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination] + + source_ipv = self._rule_source_ipv(rule.source) +- if source_ipv is not None and source_ipv != "": +- if rule.family is not None: ++ if source_ipv: ++ if rule.family: + # rule family is defined by user, no way to change it + if rule.family != source_ipv: + raise FirewallError(errors.INVALID_RULE, +@@ -1538,6 +1541,9 @@ class FirewallZone(object): + # use the source family as rule family + ipvs = [ source_ipv ] + ++ if not ipvs: ++ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] ++ + # add an element to object to allow backends to know what ipvs this applies to + rule.ipvs = ipvs + +@@ 
-1699,16 +1705,6 @@ class FirewallZone(object): + # icmp block might have reject or drop action, but not accept + raise FirewallError(errors.INVALID_RULE, + "IcmpBlock not usable with accept action") +- if ict.destination: +- for ipv in ipvs: +- if ipv in ict.destination \ +- and not backend.is_ipv_supported(ipv): +- raise FirewallError( +- errors.INVALID_RULE, +- "Icmp%s %s not usable with %s" % \ +- ("Block" if type(rule.element) == \ +- Rich_IcmpBlock else "Type", +- rule.element.name, backend.name)) + + table = "filter" + if enable: +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 85c790b5b51e..0198200b2372 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1383,7 +1383,7 @@ class nftables(object): + return ICMP_TYPES_FRAGMENTS[ipv][icmp_type] + else: + raise FirewallError(INVALID_ICMPTYPE, +- "ICMP type '%s' not supported by %s" % (icmp_type, self.name)) ++ "ICMP type '%s' not supported by %s for %s" % (icmp_type, self.name, ipv)) + + def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None): + table = "filter" +-- +2.27.0 + diff --git a/SOURCES/0042-test-rich-icmptypes-with-one-family.patch b/SOURCES/0042-test-rich-icmptypes-with-one-family.patch new file mode 100644 index 0000000..dce2fb1 --- /dev/null +++ b/SOURCES/0042-test-rich-icmptypes-with-one-family.patch 
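Review bot: The new `elif` in `_rule_prepare` spells the element test as two `isinstance` calls joined with `or`; `isinstance(rule.element, (Rich_IcmpBlock, Rich_IcmpType))` says the same thing in one call, and using the same form in the second hunk (which compares with `type(rule.element) == Rich_IcmpBlock`) would keep the two sites from drifting. With the early family check removed, a mismatch between an icmptype's family and the backend is now reported only by the backend's new `ICMP type ... not supported by ... for ...` error at rule-build time rather than at validation time; that is a behavioural shift the commit message does not state and is worth a sentence there. `_rule_prepare` begins in the first hunk and continues past it.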
@@ -0,0 +1,68 @@ +From 210a2580e405a852b5b64da99e6fead6a0d9e069 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Aug 2020 11:59:04 -0400 +Subject: [PATCH 42/45] test(rich): icmptypes with one family + +Coverage for rhbz 1855140. + +(cherry picked from commit 87ec14dddd742ff5fd8cce04e68c8bf9db8237e9) +(cherry picked from commit d5e74f5c4feb4a6ce060c2ded30f67a0fbe44865) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1855140.at | 35 +++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + create mode 100644 src/tests/regression/rhbz1855140.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 5c8aae7e64d3..d7b4d56239d1 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -33,3 +33,4 @@ m4_include([regression/rhbz1843398.at]) + m4_include([regression/rhbz1689429.at]) + m4_include([regression/rhbz1483921.at]) + m4_include([regression/rhbz1541077.at]) ++m4_include([regression/rhbz1855140.at]) +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +new file mode 100644 +index 000000000000..8059e29fe71a +--- /dev/null ++++ b/src/tests/regression/rhbz1855140.at +@@ -0,0 +1,35 @@ ++FWD_START_TEST([rich rule icmptypes with one family]) ++AT_KEYWORDS(rich icmp rhbz1855140) ++ ++FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) ++FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) ++FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) ++FWD_RELOAD ++NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept ++ 
icmp type echo-request accept ++ icmpv6 type echo-request accept ++ icmpv6 type nd-neighbor-advert accept ++ icmp type timestamp-request accept ++ } ++ } ++]) ++IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 ++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13 ++]) ++IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136 ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch b/SOURCES/0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch new file mode 100644 index 0000000..2767cf2 --- /dev/null +++ b/SOURCES/0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch 
@@ -0,0 +1,59 @@ +From d76d54277bc51398f7aa20b3dce0863e3520810b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 29 Jul 2020 15:18:38 -0400 +Subject: [PATCH 43/45] fix(LastUpdatedOrderedDict): __getitem__(): fetch from + list if int + +If the LastUpdatedOrderedDict contains a boolean key, e.g. + + myLastUpdatedOrderedDict = LastUpdatedOrderedDict() + myLastUpdatedOrderedDic[True] = "true" + +then + + myLastUpdatedOrderedDic[1] + +yields "true". As such, using the LastUpdatedOrderedDict as an iterable +e.g. + + for foo in myLastUpdatedOrderedDict: + ... + +would mean that the for loop tries integer indexes 0 (returns key True), +and then 1 (also returns key True). This caused duplicate walks of a key +True if it was the first key in the LastUpdatedOrderedDict. + +This occurs because + + >>> True == 1 + True + >>> False == 0 + True + +(cherry picked from commit 55754b65be6eaa697382992679e6673346e39f78) +(cherry picked from commit 1561dbc6c2b8f8f7f27b89810a8dda9b869b1923) +--- + src/firewall/fw_types.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/fw_types.py b/src/firewall/fw_types.py +index 07c69c61702f..3d90c1812aec 100644 +--- a/src/firewall/fw_types.py ++++ b/src/firewall/fw_types.py +@@ -54,10 +54,10 @@ class LastUpdatedOrderedDict(object): + self._dict[key] = value + + def __getitem__(self, key): +- if key in self._dict: +- return self._dict[key] +- else: ++ if type(key) == int: + return self._list[key] ++ else: ++ return self._dict[key] + + def __len__(self): + return len(self._list) +-- +2.27.0 + diff --git a/SOURCES/0044-test-regression-rhbz1483921-correctly-use-macros.patch b/SOURCES/0044-test-regression-rhbz1483921-correctly-use-macros.patch new file mode 100644 index 0000000..3d91816 --- /dev/null +++ b/SOURCES/0044-test-regression-rhbz1483921-correctly-use-macros.patch 
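Review bot: Dispatching on `type(key) == int` fixes the `True == 1` collision but makes integer keys unreachable through `__getitem__`: a value stored under an `int` key is now answered by `self._list[key]`, i.e. the key at that position or an `IndexError`, so the container behaves differently for `bool`, `int` and every other key type. If no caller stores integer keys this is acceptable, but the method needs a comment saying so, e.g. `# int keys index _list (sequence protocol for iteration); mapping keys must not be ints`. The underlying cause is that `for` falls back to the sequence protocol; if the class does not already define `__iter__`, adding `def __iter__(self): return iter(self._list)` would let `__getitem__` stay a plain mapping lookup.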
@@ -0,0 +1,35 @@ +From 38eec50b2a48b586b4dcceb03f119be967690c79 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Aug 2020 12:07:24 -0400 +Subject: [PATCH 44/45] test(regression/rhbz1483921): correctly use macros + +"firewall-cmd" is implicit in the macro. Specifying it will result in +CLI parse failure. + +Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct") +(cherry picked from commit 0b8a2554463cfb96e17fbd31b8cbf4f6235e8625) +(cherry picked from commit bf6e1b8c1943166c60b9df25ae424e635ba23253) +--- + src/tests/regression/rhbz1483921.at | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at +index 97939919f9af..4536615318eb 100644 +--- a/src/tests/regression/rhbz1483921.at ++++ b/src/tests/regression/rhbz1483921.at +@@ -1,7 +1,8 @@ + FWD_START_TEST([direct and zone mutually exclusive]) +- AT_KEYWORDS(direct rhbz1483921) ++AT_KEYWORDS(direct rhbz1483921) ++ ++FWD_CHECK([--zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore]) ++ ++FWD_CHECK([--zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore]) + +- FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) +- +- FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) + FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0045-test-regression-rhbz1541077-correctly-use-macros.patch b/SOURCES/0045-test-regression-rhbz1541077-correctly-use-macros.patch new file mode 100644 index 0000000..fdf01ea --- /dev/null +++ b/SOURCES/0045-test-regression-rhbz1541077-correctly-use-macros.patch 
@@ -0,0 +1,37 @@ +From 025b24b137cfe8c9ef7145848764f0051084df71 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Aug 2020 12:11:16 -0400 +Subject: [PATCH 45/45] test(regression/rhbz1541077): correctly use macros + +"firewall-cmd" is implicit in the macro. Specifying it will result in +CLI parse failure. + +Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter") +(cherry picked from commit 6e279ef6517a1ee4e2f9ac60922e8ddac8b096b7) +(cherry picked from commit a9976e7165a5b88eedc30357250add8e690210f1) +--- + src/tests/regression/rhbz1541077.at | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at +index 765ab0c6290b..692ca8ecc892 100644 +--- a/src/tests/regression/rhbz1541077.at ++++ b/src/tests/regression/rhbz1541077.at +@@ -1,9 +1,9 @@ + FWD_START_TEST([hash:mac and family mutually exclusive]) +- AT_KEYWORDS(ipset rhbz1541077) ++AT_KEYWORDS(ipset rhbz1541077) + +- FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) +- +- FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) ++FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) ++ ++AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + +- FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) + FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0046-fix-rich-use-correct-error-code-for-invalid-priority.patch b/SOURCES/0046-fix-rich-use-correct-error-code-for-invalid-priority.patch new file mode 100644 index 0000000..f3ae903 --- /dev/null +++ b/SOURCES/0046-fix-rich-use-correct-error-code-for-invalid-priority.patch 
@@ -0,0 +1,49 @@ +From 32de2767e869970877c19c8919e37de375351bc1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 6 Aug 2020 08:24:02 -0400 +Subject: [PATCH] fix(rich): use correct error code for invalid priority + +Fixes: 3a0e79b1cfe4 ("fix: core: rich: Catch ValueError on non-numeric priority values") +(cherry picked from commit e1562ba92caec988c7cf397b2fa77b8d41592c7e) +(cherry picked from commit 5a4e35317a32422dec4acffc845a6651f65680da) +--- + src/firewall/core/rich.py | 2 +- + src/tests/regression/rhbz1689429.at | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py +index eb4a2d2d9669..86c0c998a478 100644 +--- a/src/firewall/core/rich.py ++++ b/src/firewall/core/rich.py +@@ -382,7 +382,7 @@ class Rich_Rule(object): + try: + self.priority = int(attr_value) + except ValueError: +- raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value) ++ raise FirewallError(errors.INVALID_PRIORITY, "invalid 'priority' attribute value '%s'." % attr_value) + elif attr_name: + if attr_name == 'protocol': + err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'." +diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at +index 5701607d660f..9157c9544ffc 100644 +--- a/src/tests/regression/rhbz1689429.at ++++ b/src/tests/regression/rhbz1689429.at +@@ -1,11 +1,11 @@ + FWD_START_TEST([rich rule invalid priority]) + AT_KEYWORDS(rich rhbz1689429) + +-FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [], +- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. ++FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 139, [], ++ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'. + ]) +-FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [], +- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. 
++FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 139, [], ++ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'. + ]) + FWD_RELOAD + +-- +2.27.0 + diff --git a/SOURCES/0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch b/SOURCES/0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch new file mode 100644 index 0000000..e867f13 --- /dev/null +++ b/SOURCES/0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch 
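Review bot: Changing the raised code from `INVALID_RULE` to `INVALID_PRIORITY` also changes the exit status of `firewall-cmd` for a malformed `priority=` from 122 to 139, as the updated test expectations show; scripts that branch on that exit code will see a different value, so this belongs in the changelog even though the new code is the more accurate one. The `except ValueError` branch is the only priority validation visible in the hunk; if an out-of-range priority is rejected elsewhere in `Rich_Rule`, it should raise the same `INVALID_PRIORITY` code for consistency. The enclosing parser method starts and ends outside the hunk.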
@@ -0,0 +1,55 @@ +From cd284a0cacb0e9c1b75a7651b83848dd51e52ffd Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 7 Aug 2020 07:42:00 -0400 +Subject: [PATCH] test(dbus): zone: add nm-shared to expected output if it + exists + +newer networkmanager ships with this zone. as such, if nm is installed +the expected "get zones" output changes. + +(cherry picked from commit a609c15657e68bacbc05d87cb71f366148cb8ced) +(cherry picked from commit 9f8f9390ef0a1631c07cae37be2ab27f29d0f34d) +--- + src/tests/dbus/zone_permanent_functional.at | 6 +++++- + src/tests/dbus/zone_runtime_functional.at | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at +index 2261832e00a8..75645983dbf7 100644 +--- a/src/tests/dbus/zone_permanent_functional.at ++++ b/src/tests/dbus/zone_permanent_functional.at +@@ -30,8 +30,12 @@ export DBUS_FOOBAR_ZONE_OBJ + + dnl Get Zones + dnl ++if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then ++ NM_SHARED="'nm-shared', " ++ export NM_SHARED ++fi + DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl +- [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)] ++ (@<:@'block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,) + ]) + DBUS_CHECK([config], [config.listZones], [], 0, [stdout]) + NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +index bb0798abe7da..b5799b9b1ca3 100644 +--- a/src/tests/dbus/zone_runtime_functional.at ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -36,8 +36,12 @@ DBUS_CHECK([], [getDefaultZone], [], 0, [dnl + ]) + + dnl Fetching Zones ++if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then ++ NM_SHARED="'nm-shared', " ++ export NM_SHARED ++fi + DBUS_CHECK([], 
[zone.getZones], [], 0, [dnl +- [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)] ++ (@<:@'block', 'dmz', 'drop', 'external', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,) + ]) + FWD_CHECK([-q --zone public --add-interface dummy0]) + FWD_CHECK([-q --zone public --add-source 10.1.1.1]) +-- +2.27.0 + diff --git a/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch b/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch new file mode 100644 index 0000000..4c1e8c1 --- /dev/null +++ b/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch 
@@ -0,0 +1,29 @@ +From 2a1a55209a95c5463e07cc3eb048d128ab7593ed Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 10 Aug 2020 09:29:05 -0400 +Subject: [PATCH 48/62] test(regression/rhbz1541077): use FWD_OFFLINE_CHECK + macro + +Fixes: 6e279ef6517a ("test(regression/rhbz1541077): correctly use macros") +Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter") +(cherry picked from commit fae16b550ed8b384ee24691e6442b7cbd6b776aa) +(cherry picked from commit 3efe0f30d4499763aacc573dc634b52ceb11a017) +--- + src/tests/regression/rhbz1541077.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at +index 692ca8ecc892..73ad4b49cb3d 100644 +--- a/src/tests/regression/rhbz1541077.at ++++ b/src/tests/regression/rhbz1541077.at +@@ -4,6 +4,6 @@ AT_KEYWORDS(ipset rhbz1541077) + FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + +-AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) ++FWD_OFFLINE_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + + FWD_END_TEST +-- +2.28.0 + diff --git a/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch b/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch new file mode 100644 index 0000000..41f7cb1 --- /dev/null +++ b/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch 
@@ -0,0 +1,30 @@ +From 5326d7a86d6e7413dee343b795a352d8b4e6ab0d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 10 Aug 2020 09:33:22 -0400 +Subject: [PATCH 49/62] test(regression/rhbz1855140.at): avoid IPv6 tests if + IPv6 not available + +Fixes: 87ec14dddd74 ("test(rich): icmptypes with one family") +(cherry picked from commit a47819d346fbd0f4d4d382a6a795c76c7f443a3b) +(cherry picked from commit 1b4fea7277c26026ecbe09f79928c794489424b9) +--- + src/tests/regression/rhbz1855140.at | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +index 8059e29fe71a..cea943e0bf24 100644 +--- a/src/tests/regression/rhbz1855140.at ++++ b/src/tests/regression/rhbz1855140.at +@@ -2,7 +2,9 @@ FWD_START_TEST([rich rule icmptypes with one family]) + AT_KEYWORDS(rich icmp rhbz1855140) + + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) ++IF_HOST_SUPPORTS_IPV6_RULES([ + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) ++]) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) + FWD_RELOAD + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +-- +2.28.0 + diff --git a/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch b/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch new file mode 100644 index 0000000..f0d495e --- /dev/null +++ b/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch 
@@ -0,0 +1,53 @@ +From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 27 Aug 2020 15:30:45 -0400 +Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm + config + +Otherwise we may get runtime errors because the running kernel doesn't +support the ict. Use the permanent ict definition so we allow the case +where ip6tables is missing or not available. Explicit usage of an ict +not supported by the kernel will still fail to apply at runtime +(iptables complains), but if ip6tables is missing we don't attempt to +apply the ipv6 rules thus avoiding the issue. + +(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2) +(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7) +--- + src/firewall/core/fw_zone.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index b9fe1f6aae97..9d8bcf620251 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1526,7 +1526,7 @@ class FirewallZone(object): + if rule.family: + ipvs = [ rule.family ] + elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)): +- ict = self._fw.icmptype.get_icmptype(rule.element.name) ++ ict = self._fw.config.get_icmptype(rule.element.name) + if ict.destination: + ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination] + +@@ -1698,7 +1698,7 @@ class FirewallZone(object): + # ICMP BLOCK and ICMP TYPE + elif type(rule.element) == Rich_IcmpBlock or \ + type(rule.element) == Rich_IcmpType: +- ict = self._fw.icmptype.get_icmptype(rule.element.name) ++ ict = self._fw.config.get_icmptype(rule.element.name) + + if type(rule.element) == Rich_IcmpBlock and \ + rule.action and type(rule.action) == Rich_Accept: +@@ -1862,7 +1862,7 @@ class FirewallZone(object): + transaction.add_rules(backend, rules) + + def _icmp_block(self, enable, zone, icmp, 
transaction): +- ict = self._fw.icmptype.get_icmptype(icmp) ++ ict = self._fw.config.get_icmptype(icmp) + + if enable: + transaction.add_chain(zone, "filter", "INPUT") +-- +2.28.0 + diff --git a/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch b/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch new file mode 100644 index 0000000..8d686b1 --- /dev/null +++ b/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch 
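Review bot: All three replaced lines now resolve the icmptype from permanent configuration (`self._fw.config.get_icmptype`) while the zone rule being applied comes from runtime state, so the two can disagree: an icmptype whose file was removed from permanent configuration after startup is still referenced by runtime zones until reload, and the permanent lookup will presumably raise where the runtime one succeeded. If failing in that case is intended, a one-line comment at the first replaced line would spare the next reader the detour, e.g. `# permanent definition: lets an unsupported family (e.g. no ip6tables) be skipped instead of failing at apply time`. Each of the three enclosing methods continues outside its hunk.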
@@ -0,0 +1,50 @@ +From 0b69b4e464f02ea6fec50522b587a93092040b4d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 27 Aug 2020 15:59:13 -0400 +Subject: [PATCH 51/62] fix(rich): clamp the IP families to those actually + enabled + +One scenario is if IPv6 is not available, but we specify an icmp-type +that is ipv6 only, then we'll still attempt to call the IPv6 backend. We +should not do that. + +(cherry picked from commit 4fcb27bdcf8be30d91d490ba2c0286af1cf299de) +(cherry picked from commit b8b0aeaaf853546f6990e8f635d7ea79233bbc79) +--- + src/firewall/core/fw_zone.py | 5 ++++- + src/tests/regression/rhbz1855140.at | 2 -- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 9d8bcf620251..bd026222dce5 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1542,7 +1542,10 @@ class FirewallZone(object): + ipvs = [ source_ipv ] + + if not ipvs: +- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] ++ ipvs = ["ipv4", "ipv6"] ++ ++ # clamp ipvs to those that are actually enabled. 
++ ipvs = [ipv for ipv in ipvs if self._fw.is_ipv_enabled(ipv)] + + # add an element to object to allow backends to know what ipvs this applies to + rule.ipvs = ipvs +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +index cea943e0bf24..8059e29fe71a 100644 +--- a/src/tests/regression/rhbz1855140.at ++++ b/src/tests/regression/rhbz1855140.at +@@ -2,9 +2,7 @@ FWD_START_TEST([rich rule icmptypes with one family]) + AT_KEYWORDS(rich icmp rhbz1855140) + + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) +-IF_HOST_SUPPORTS_IPV6_RULES([ + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) +-]) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) + FWD_RELOAD + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +-- +2.28.0 + diff --git a/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch b/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch new file mode 100644 index 0000000..e60c327 --- /dev/null +++ b/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch 
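Review bot: When `rule.family` was given explicitly and that family is not enabled, the added clamp leaves `ipvs` empty and the rule is accepted as a silent no-op, so an administrator who adds `family=ipv6 ... drop` on a host without IPv6 rule support gets neither the filtering nor a diagnostic. A warning at that point would make the gap visible: `if not ipvs: log.warning("rich rule '%s' matches no enabled IP family", rule)` (assuming the module's `log` from firewall.core.logger is in scope here as in the rest of the core package). The enclosing method continues outside the hunk, so I cannot see whether a later check already rejects an empty `ipvs`.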
@@ -0,0 +1,62 @@ +From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 28 Aug 2020 11:44:33 -0400 +Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families + don't conflict + +Fixes: rhbz 1855140 +(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8) +(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7) +--- + src/firewall/core/fw_zone.py | 6 ++++++ + src/firewall/core/io/zone.py | 17 ++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index bd026222dce5..129306b6f969 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1703,6 +1703,12 @@ class FirewallZone(object): + type(rule.element) == Rich_IcmpType: + ict = self._fw.config.get_icmptype(rule.element.name) + ++ if rule.family and ict.destination and \ ++ rule.family not in ict.destination: ++ raise FirewallError(errors.INVALID_ICMPTYPE, ++ "rich rule family '%s' conflicts with icmp type '%s'" % \ ++ (rule.family, rule.element.name)) ++ + if type(rule.element) == Rich_IcmpBlock and \ + rule.action and type(rule.action) == Rich_Accept: + # icmp block might have reject or drop action, but not accept +diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py +index 68b2a7c9567c..529b92c25b62 100644 +--- a/src/firewall/core/io/zone.py ++++ b/src/firewall/core/io/zone.py +@@ -232,7 +232,22 @@ class Zone(IO_Object): + raise FirewallError(errors.INVALID_ADDR, source) + elif item == "rules_str": + for rule in config: +- rich.Rich_Rule(rule_str=rule) ++ obj_rich = rich.Rich_Rule(rule_str=rule) ++ if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or ++ isinstance(obj_rich.element, rich.Rich_IcmpType)): ++ existing_icmptypes = self.fw_config.get_icmptypes() ++ if obj_rich.element.name not in existing_icmptypes: ++ raise 
FirewallError(errors.INVALID_ICMPTYPE, ++ "'%s' not among existing icmp types" % \ ++ obj_rich.element.name) ++ ++ elif obj_rich.family: ++ ict = self.fw_config.get_icmptype(obj_rich.element.name) ++ if ict.destination and obj_rich.family not in ict.destination: ++ raise FirewallError(errors.INVALID_ICMPTYPE, ++ "rich rule family '%s' conflicts with icmp type '%s'" % \ ++ (obj_rich.family, obj_rich.element.name)) ++ + + def check_name(self, name): + super(Zone, self).check_name(name) +-- +2.28.0 + diff --git a/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch b/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch new file mode 100644 index 0000000..e743640 --- /dev/null +++ b/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch 
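Review bot: The family-versus-destination check and its error string are now written out twice, once in fw_zone.py and once in io/zone.py, and `self.fw_config.get_icmptypes()` is re-fetched for every rule inside the `rules_str` loop. A small helper such as `_check_icmptype_family(fw_config, name, family)` raising the same `FirewallError(errors.INVALID_ICMPTYPE, ...)` would keep the two paths from drifting, and `existing_icmptypes` can be computed once before `for rule in config:`. Note also that the io/zone.py validation is skipped entirely when `self.fw_config` is None; if that is the intended offline behaviour, a one-line comment on the `if self.fw_config and ...` test saying so would help the next reader.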
@@ -0,0 +1,48 @@ +From 08cb6f0c7abca95fa898020bb9f3ba3f4bfbf148 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 28 Aug 2020 13:15:34 -0400 +Subject: [PATCH 53/62] fix(nftables): packet marks with masks + +(cherry picked from commit e296b926ae5dc4cbc277b6dd755d045e73ed4411) +(cherry picked from commit 371efe757f2bde20b4301a78ed3c48ec1d31bf5e) +--- + src/firewall/core/fw_zone.py | 2 ++ + src/firewall/core/nftables.py | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 129306b6f969..6eaed4232405 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1719,6 +1719,8 @@ class FirewallZone(object): + if enable: + transaction.add_chain(zone, table, "INPUT") + transaction.add_chain(zone, table, "FORWARD_IN") ++ if enable and type(rule.action) == Rich_Mark: ++ transaction.add_chain(zone, "mangle", "PREROUTING") + + rules = backend.build_zone_icmp_block_rules(enable, zone, ict, rule) + transaction.add_rules(backend, rules) +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 0198200b2372..76668a60468f 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1043,8 +1043,13 @@ class nftables(object): + zone=zone) + table = "mangle" + chain = "%s_%s_%s" % (table, target, chain_suffix) +- rule_action = {"mangle": {"key": {"meta": {"key": "mark"}}, +- "value": rich_rule.action.set}} ++ value = rich_rule.action.set.split("/") ++ if len(value) > 1: ++ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}}, ++ "value": {"^": [{"&": [{"meta": {"key": "mark"}}, value[1]]}, value[0]]}}} ++ else: ++ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}}, ++ "value": value[0]}} + else: + raise FirewallError(INVALID_RULE, + "Unknown action %s" % type(rich_rule.action)) +-- +2.28.0 + 
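Review bot: The masked form built in nftables.py evaluates to `mark & mask ^ value`, while the ipXtables backend appears to hand the same `value/mask` string to `--set-xmark`, whose semantics are `(mark & ~mask) ^ value`; the two differ whenever a packet already carries mark bits, and with `0x86/0x86` the nft expression also discards every bit outside the mask where the iptables target preserves them. The regression test added later in this series expects `mark & 0x00000086 ^ 0x00000086` for nft and `MARK or 0x86` for ip6tables, which records the mismatch rather than guarding against it. Unless the rich-language documentation defines the mask differently from iptables, the nft expression should use the complement of the mask; how to express that in this JSON builder is not visible in the hunk. At minimum a comment on the `if len(value) > 1:` branch should state which semantics is intended so the two backends can be reconciled deliberately.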
diff --git a/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch b/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch
new file mode 100644
index 0000000..e155098
--- /dev/null
+++ b/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch
@@ -0,0 +1,27 @@
+From 603ca9c2dd16f212a8b2fb43a9e9599fe3dd3abf Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 28 Aug 2020 14:22:18 -0400
+Subject: [PATCH 54/62] fix(nftables): icmp types with code == 0
+
+(cherry picked from commit 098e35168d6a15516cc76189a70df8db56bd1b13)
+(cherry picked from commit 8dcfaa607329cd4c2bdaa3b101371a30a04ef858)
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 76668a60468f..daa7ace085a2 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -82,7 +82,7 @@ def _icmp_types_fragments(protocol, type, code=None):
+ fragments = [{"match": {"left": {"payload": {"protocol": protocol, "field": "type"}},
+ "op": "==",
+ "right": type}}]
+- if code:
++ if code is not None:
+ fragments.append({"match": {"left": {"payload": {"protocol": protocol, "field": "code"}},
+ "op": "==",
+ "right": code}})
+--
+2.28.0
+
diff --git a/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch b/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
new file mode 100644
index 0000000..fbfab5b
--- /dev/null
+++ b/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
@@ -0,0 +1,35 @@
+From d4f35b11f2edb1cf680ed2081a14b599ef3f3b63 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 31 Aug 2020 15:38:34 -0400
+Subject: [PATCH 55/62] fix(ipXtables): rich: avoid duplicate rules for
+ icmp-type w/ mark action
+
+This is a stable only fix. It does not occur on master.
+
+(cherry picked from commit 9b7ba2fcedace408aae498fea1c973a988370808)
+---
+ src/firewall/core/ipXtables.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index b1d6c202fda7..c4535f2e5818 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -1240,8 +1240,13 @@ class ip4tables(object):
+ proto = [ "-p", "ipv6-icmp" ]
+ match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]
+
++ if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark):
++ chains = ["PREROUTING"]
++ else:
++ chains = ["INPUT", "FORWARD_IN"]
++
+ rules = []
+- for chain in ["INPUT", "FORWARD_IN"]:
++ for chain in chains:
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
+ zone=zone)
+ if self._fw.zone.query_icmp_block_inversion(zone):
+--
+2.28.0
+
diff --git a/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch b/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch
new file mode 100644
index 0000000..19d348c
--- /dev/null
+++ b/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch
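Review bot: The reason a mark action is emitted into `PREROUTING` alone is not stated in the hunk; the reader has to know that the fw_zone.py change earlier in this series creates the mangle `PREROUTING` chain for `Rich_Mark` rules, and the subject line is the only place that says the old loop produced duplicates. A comment on the new branch such as `# mark actions live in mangle PREROUTING only; emitting them into filter INPUT/FORWARD_IN as well produced duplicate rules` would capture that. The `rich_rule.action and` test is redundant, since `isinstance(None, Rich_Mark)` is already False. The enclosing method continues outside the hunk.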
@@ -0,0 +1,66 @@ +From 08cc79942e820d9ce86c5c0bd0249ec4335955ce Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 28 Aug 2020 10:48:35 -0400 +Subject: [PATCH 56/62] test(regression/rhbz1855140): add negative tests + +(cherry picked from commit b50032185422f5538a8a6211cfa43cfaa2d67ec4) +(cherry picked from commit 264375df35124b5920b9d3e690944aaad1e4790c) +--- + src/tests/regression/rhbz1855140.at | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +index 8059e29fe71a..fbb33a419c56 100644 +--- a/src/tests/regression/rhbz1855140.at ++++ b/src/tests/regression/rhbz1855140.at +@@ -4,7 +4,15 @@ AT_KEYWORDS(rich icmp rhbz1855140) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) ++FWD_CHECK([--permanent --zone public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'], 0, ignore) + FWD_RELOAD ++NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl ++ table inet firewalld { ++ chain mangle_PRE_public_allow { ++ icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086 ++ } ++ } ++]) + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { +@@ -18,12 +26,17 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + } + } + ]) ++IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl ++]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ACCEPT 
icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13 + ]) ++IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl ++ MARK icmpv6 ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86 ++]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED +@@ -32,4 +45,12 @@ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136 + ]) + +-FWD_END_TEST ++dnl verify bad icmptypes are rejected ++FWD_CHECK([--permanent --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore]) ++FWD_CHECK([ --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore]) ++FWD_CHECK([--permanent --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore]) ++IF_HOST_SUPPORTS_IPV6_RULES([ ++FWD_CHECK([ --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore]) ++]) ++ ++FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d']) +-- +2.28.0 + diff --git a/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch b/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch new file mode 100644 index 0000000..8f73132 --- /dev/null +++ b/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch 
@@ -0,0 +1,80 @@ +From 0f94133731fa497b04744fa4a37cfa5fd5e45fab Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 26 Aug 2020 11:38:36 -0400 +Subject: [PATCH 57/62] fix(policy): cache rule_str for rich rules + +There are various areas that we use list comprehensions to convert +Rich_Rule to rule_str. This isn't cheap. Let's just cache the rule_str +and avoid the cost. + +Fixes: rhbz 1871298 +(cherry picked from commit 5402724221a3dddc9c139663d28ababed4057cc6) +(cherry picked from commit 763b07972fd80e7b2f28b29efe812b92f6dff1d1) +--- + src/firewall/core/io/zone.py | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py +index 529b92c25b62..ec81762be100 100644 +--- a/src/firewall/core/io/zone.py ++++ b/src/firewall/core/io/zone.py +@@ -120,6 +120,7 @@ class Zone(IO_Object): + self.sources = [ ] + self.fw_config = None # to be able to check services and a icmp_blocks + self.rules = [ ] ++ self.rules_str = [ ] + self.icmp_block_inversion = False + self.combined = False + self.applied = False +@@ -141,6 +142,7 @@ class Zone(IO_Object): + del self.sources[:] + self.fw_config = None # to be able to check services and a icmp_blocks + del self.rules[:] ++ del self.rules_str[:] + self.icmp_block_inversion = False + self.combined = False + self.applied = False +@@ -163,17 +165,13 @@ class Zone(IO_Object): + self.interfaces = [u2b_if_py2(i) for i in self.interfaces] + self.sources = [u2b_if_py2(s) for s in self.sources] + self.rules = [u2b_if_py2(s) for s in self.rules] +- +- def __getattr__(self, name): +- if name == "rules_str": +- rules_str = [str(rule) for rule in self.rules] +- return rules_str +- else: +- return getattr(super(Zone, self), name) ++ self.rules_str = [u2b_if_py2(s) for s in self.rules_str] + + def __setattr__(self, name, value): + if name == "rules_str": + self.rules = [rich.Rich_Rule(rule_str=s) for s in value] ++ # must convert back to string to get the 
canonical string. ++ super(Zone, self).__setattr__(name, [str(s) for s in self.rules]) + else: + super(Zone, self).__setattr__(name, value) + +@@ -307,6 +305,7 @@ class Zone(IO_Object): + self.source_ports.append(port) + for rule in zone.rules: + self.rules.append(rule) ++ self.rules_str.append(str(rule)) + if zone.icmp_block_inversion: + self.icmp_block_inversion = True + +@@ -687,9 +686,9 @@ class zone_ContentHandler(IO_Object_ContentHandler): + except Exception as e: + log.warning("%s: %s", e, str(self._rule)) + else: +- if str(self._rule) not in \ +- [ str(x) for x in self.item.rules ]: ++ if str(self._rule) not in self.item.rules_str: + self.item.rules.append(self._rule) ++ self.item.rules_str.append(str(self._rule)) + else: + log.warning("Rule '%s' already set, ignoring.", + str(self._rule)) +-- +2.28.0 + diff --git a/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch b/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch new file mode 100644 index 0000000..38e6d81 --- /dev/null +++ b/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch 
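Review bot: `rules` and `rules_str` are now two parallel lists that every writer must update in lockstep, and the hunk does this by hand in two places (the zone-merge path and the content handler); any other code that appends to `self.rules` directly, which I cannot see from here, would leave `rules_str` stale and the content handler's duplicate check would then miss the rule. A single `add_rule(self, rule)` method on `Zone` that appends to both lists would make the invariant hard to break. The `rules_str` list should also carry a comment that it holds the canonical `str(Rich_Rule)` form so that membership tests compare like with like; the hunk's `# must convert back to string to get the canonical string.` says this for assignment but not for the appends.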
@@ -0,0 +1,55 @@ +From ed42b8048e97040802da727f77cad4a1bb5ff42b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 26 Aug 2020 14:28:45 -0400 +Subject: [PATCH 58/62] test(zone): rich rule parsing bottleneck + +Coverage for rhbz 1871298. +Verify we can parse a large amount of rich rules in a reasonable time. + +This test took 3m before the fix and now takes 18s after the fix. +Considering it "failed" after 45s should give us plenty of headroom. + +(cherry picked from commit ece30971412eedb9032b0d87233ca21ef9154830) +(cherry picked from commit b21f071851ffec6d3a382b6e60eb88dcda7df467) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1871298.at | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 src/tests/regression/rhbz1871298.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index d7b4d56239d1..65540840f50e 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -34,3 +34,4 @@ m4_include([regression/rhbz1689429.at]) + m4_include([regression/rhbz1483921.at]) + m4_include([regression/rhbz1541077.at]) + m4_include([regression/rhbz1855140.at]) ++m4_include([regression/rhbz1871298.at]) +diff --git a/src/tests/regression/rhbz1871298.at b/src/tests/regression/rhbz1871298.at +new file mode 100644 +index 000000000000..0689399d85ec +--- /dev/null ++++ b/src/tests/regression/rhbz1871298.at +@@ -0,0 +1,18 @@ ++FWD_START_TEST([rich rule parsing bottleneck]) ++AT_KEYWORDS(rich offline rhbz1871298) ++ ++AT_SKIP_IF([! 
NS_CMD([which timeout >/dev/null 2>&1])]) ++ ++NS_CHECK([mkdir -p ./zones]) ++NS_CHECK([echo '' > ./zones/foobar.xml]) ++NS_CHECK([echo "" >> ./zones/foobar.xml]) ++NS_CHECK([echo "foobar" >> ./zones/foobar.xml]) ++NS_CHECK([sh -c 'for I in $(seq 10000); do echo "" >> ./zones/foobar.xml; done']) ++NS_CHECK([echo "" >> ./zones/foobar.xml]) ++ ++if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then ++ FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}" ++fi ++NS_CHECK([timeout 45 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config], 0, [ignore]) ++ ++FWD_END_TEST +-- +2.28.0 + diff --git a/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch b/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch new file mode 100644 index 0000000..8a0d031 --- /dev/null +++ b/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch 
@@ -0,0 +1,158 @@ +From 244d1bfe190f2cc32c10d0fecaf81536761ecc09 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 1 Sep 2020 13:16:23 -0400 +Subject: [PATCH 59/62] fix(icmptype): nftables: runtimeToPermanent if + ip6tables not available + +We were not filling the runtime ipv6 icmptypes list if the active +backend was nftables and ip6tables wasn't available. This caused "ipv6" +to be dropped from the supported ipvs/destinations for the icmptype. +This also caused runtimeToPermanent to fail because the runtime +icmptypes definition dropped "ipv6" causing runtimeToPermanent to copy +the runtime icmptype to permanent because they were different... this +caused sanity checks on the permanent configuration to fail. + +(cherry picked from commit c92d43dcdf5622e82e28454652acd6a981b015f9) +(cherry picked from commit 6f23f727be818f356625e39682fb226a81925647) +--- + src/firewall/core/fw.py | 24 ++++++++++++++---------- + src/firewall/core/fw_icmptype.py | 8 ++++---- + src/firewall/core/ipXtables.py | 2 +- + src/firewall/core/nftables.py | 6 +++--- + src/firewall/server/firewalld.py | 4 ++-- + 5 files changed, 24 insertions(+), 20 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index c767f416f3d2..1df916efb10f 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -76,10 +76,10 @@ class Firewall(object): + else: + self.ip4tables_backend = ipXtables.ip4tables(self) + self.ip4tables_enabled = True +- self.ip4tables_supported_icmp_types = [ ] ++ self.ipv4_supported_icmp_types = [ ] + self.ip6tables_backend = ipXtables.ip6tables(self) + self.ip6tables_enabled = True +- self.ip6tables_supported_icmp_types = [ ] ++ self.ipv6_supported_icmp_types = [ ] + self.ebtables_backend = ebtables.ebtables() + self.ebtables_enabled = True + self.ipset_backend = ipset.ipset() +@@ -172,11 +172,13 @@ class Firewall(object): + log.warning("iptables-restore and iptables are missing, " + "disabling IPv4 firewall.") + self.ip4tables_enabled = 
False +- if self.ip4tables_enabled: +- self.ip4tables_supported_icmp_types = \ +- self.ip4tables_backend.supported_icmp_types() ++ if self.nftables_enabled: ++ self.ipv4_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv4") + else: +- self.ip4tables_supported_icmp_types = [ ] ++ if self.ip4tables_enabled: ++ self.ipv4_supported_icmp_types = self.ip4tables_backend.supported_icmp_types() ++ else: ++ self.ipv4_supported_icmp_types = [ ] + self.ip6tables_backend.fill_exists() + if not self.ip6tables_backend.restore_command_exists: + if self.ip6tables_backend.command_exists: +@@ -186,11 +188,13 @@ class Firewall(object): + log.warning("ip6tables-restore and ip6tables are missing, " + "disabling IPv6 firewall.") + self.ip6tables_enabled = False +- if self.ip6tables_enabled: +- self.ip6tables_supported_icmp_types = \ +- self.ip6tables_backend.supported_icmp_types() ++ if self.nftables_enabled: ++ self.ipv6_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv6") + else: +- self.ip6tables_supported_icmp_types = [ ] ++ if self.ip6tables_enabled: ++ self.ipv6_supported_icmp_types = self.ip6tables_backend.supported_icmp_types() ++ else: ++ self.ipv6_supported_icmp_types = [ ] + self.ebtables_backend.fill_exists() + if not self.ebtables_backend.restore_command_exists: + if self.ebtables_backend.command_exists: +diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py +index afe9f91d6bf6..a565bb6d8733 100644 +--- a/src/firewall/core/fw_icmptype.py ++++ b/src/firewall/core/fw_icmptype.py +@@ -57,13 +57,13 @@ class FirewallIcmpType(object): + ipvs = orig_ipvs[:] + for ipv in orig_ipvs: + if ipv == "ipv4": +- if not self._fw.ip4tables_enabled: ++ if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled: + continue +- supported_icmps = self._fw.ip4tables_supported_icmp_types ++ supported_icmps = self._fw.ipv4_supported_icmp_types + elif ipv == "ipv6": +- if not self._fw.ip6tables_enabled: ++ if not 
self._fw.ip6tables_enabled and not self._fw.nftables_enabled: + continue +- supported_icmps = self._fw.ip6tables_supported_icmp_types ++ supported_icmps = self._fw.ipv6_supported_icmp_types + else: + supported_icmps = [ ] + if obj.name.lower() not in supported_icmps: +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index c4535f2e5818..450e427c08b5 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -612,7 +612,7 @@ class ip4tables(object): + rules.append(["-t", table, "-P", chain, _policy]) + return rules + +- def supported_icmp_types(self): ++ def supported_icmp_types(self, ipv=None): + """Return ICMP types that are supported by the iptables/ip6tables command and kernel""" + ret = [ ] + output = "" +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index daa7ace085a2..0a73c2c2669d 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -480,13 +480,13 @@ class nftables(object): + + return rules + +- def supported_icmp_types(self): ++ def supported_icmp_types(self, ipv=None): + # nftables supports any icmp_type via arbitrary type/code matching. + # We just need a translation for it in ICMP_TYPES_FRAGMENTS. 
+ supported = set() + +- for ipv in ICMP_TYPES_FRAGMENTS.keys(): +- supported.update(ICMP_TYPES_FRAGMENTS[ipv].keys()) ++ for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys(): ++ supported.update(ICMP_TYPES_FRAGMENTS[_ipv].keys()) + + return list(supported) + +diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 10b085d48660..949f577053cc 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -162,7 +162,7 @@ class FirewallD(slip.dbus.service.Object): + return dbus.Boolean(self.fw.ip4tables_enabled) + + elif prop == "IPv4ICMPTypes": +- return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s") ++ return dbus.Array(self.fw.ipv4_supported_icmp_types, "s") + + elif prop == "IPv6": + return dbus.Boolean(self.fw.ip6tables_enabled) +@@ -171,7 +171,7 @@ class FirewallD(slip.dbus.service.Object): + return dbus.Boolean(self.fw.ipv6_rpfilter_enabled) + + elif prop == "IPv6ICMPTypes": +- return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s") ++ return dbus.Array(self.fw.ipv6_supported_icmp_types, "s") + + elif prop == "BRIDGE": + return dbus.Boolean(self.fw.ebtables_enabled) +-- +2.28.0 + diff --git a/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch b/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch new file mode 100644 index 0000000..27f1bea --- /dev/null +++ b/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch 
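Review bot: `ip4tables.supported_icmp_types(self, ipv=None)` in ipXtables.py gains an `ipv` parameter that its body never reads; it exists only so the fw.py call sites can use one call shape for both backends, and the existing docstring does not say so. Extend it to `"""Return ICMP types supported by the iptables/ip6tables command and kernel. ``ipv`` is accepted for signature parity with the nftables backend and ignored; the family is fixed by the instance."""`. In nftables.py the new `for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys():` raises KeyError for an unrecognised `ipv` string instead of returning an empty list; an explicit `if ipv and ipv not in ICMP_TYPES_FRAGMENTS: return []` guard, or a comment that callers only pass known families, would make that deliberate. As the existing comment above notes, with nftables the list is what the backend can translate rather than what the kernel accepts, and the D-Bus `IPv4ICMPTypes`/`IPv6ICMPTypes` properties now report that.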
@@ -0,0 +1,29 @@ +From 8a520d8343ab1567f0f3df39e4fc45dbaf9c6f77 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 24 Sep 2020 15:24:41 -0400 +Subject: [PATCH 60/62] docs(firewall-cmd): clarify lockdown whitelist command + paths + +Reported-by: D. Hugh Redelmeier +(cherry picked from commit a7b12b8eb87dd3bd2bb342cf5d74bf089cf3b9a6) +(cherry picked from commit 7e9b1a02cc7aa12f9c499b2acad584dbabf9a518) +--- + doc/xml/firewall-cmd.xml.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 8bc389acae6c..702c549ab9d9 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -2104,7 +2104,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to + If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match. + + +- Commands for user root and others is not always the same. Example: As root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd is be used on Fedora. ++ Command paths for users are not always the same and depends on the users PATH. Some distributions symlink /bin to /usr/bin in which case it depends on the order they appear in the PATH environment variable. + + + The context is the security (SELinux) context of a running application or service. To get the context of a running application use ps -e --context. +-- +2.28.0 + diff --git a/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch b/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch new file mode 100644 index 0000000..7e71c90 --- /dev/null +++ b/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch 
@@ -0,0 +1,39 @@ +From b82e2cf588916624c5f45c10e7c929f24ff84e9a Mon Sep 17 00:00:00 2001 +From: Donald Yandt <10255876+TorontoMedia@users.noreply.github.com> +Date: Sun, 27 Sep 2020 20:19:35 -0400 +Subject: [PATCH 61/62] docs(dbus): fix invalid method names + +Replace invalid method names for both 'queryEntry' and 'queryIPSet'. + +Fixes: #693 +(cherry picked from commit 6fc82d2d34b436a1f1921b36930169c965f3ff4b) +(cherry picked from commit 24fb2b2424107cd88e331b8f8edae0dc1671c504) +--- + doc/xml/firewalld.dbus.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 1625b9d50576..3bf4f53b108d 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -579,7 +579,7 @@ + + + +- queryService(s: ipset, s: entry) → b ++ queryEntry(s: ipset, s: entry) → b + + + Return whether entry has been added to ipset. +@@ -591,7 +591,7 @@ + + + +- queryService(s: ipset) → b ++ queryIPSet(s: ipset) → b + + + Return whether ipset is defined in runtime configuration. +-- +2.28.0 + diff --git a/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch b/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch new file mode 100644 index 0000000..cf91047 --- /dev/null +++ b/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch 
@@ -0,0 +1,27 @@ +From cd158a2880734c5da329e9a5c9c075ba5bceced6 Mon Sep 17 00:00:00 2001 +From: diegoe +Date: Wed, 21 Oct 2020 21:19:52 -0500 +Subject: [PATCH 62/62] docs(firewall-cmd): small description grammar fix + +(cherry picked from commit 9ae97bb2b65fbafa0ed5c0bfd9ebd5945bc6bea9) +(cherry picked from commit 9b4664fca4d3551dbb758a53b212a5aab043ccd9) +--- + doc/xml/firewall-cmd.xml.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 702c549ab9d9..1789f513d8ee 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -56,7 +56,7 @@ + Description + + +- firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration. ++ firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations. + + + +-- +2.28.0 + diff --git a/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch b/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch new file mode 100644 index 0000000..b0d7f92 --- /dev/null +++ b/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch 
@@ -0,0 +1,52 @@ +From 4aa1e421dae3ece1de075ef538f709d6388f8811 Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Wed, 10 Jun 2020 16:14:43 -0400 +Subject: [PATCH 63/64] feat(service): add collectd service Fixes: rhbz 1837368 + +(cherry picked from commit 8b974e75d9100b17568a55c4962dfe09d34f03dc) +--- + config/Makefile.am | 1 + + config/services/collectd.xml | 6 ++++++ + po/POTFILES.in | 1 + + 3 files changed, 8 insertions(+) + create mode 100644 config/services/collectd.xml + +diff --git a/config/Makefile.am b/config/Makefile.am +index 702592e6a685..5f44678841f3 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -134,6 +134,7 @@ CONFIG_FILES = \ + services/ceph.xml \ + services/cfengine.xml \ + services/cockpit.xml \ ++ services/collectd.xml \ + services/condor-collector.xml \ + services/ctdb.xml \ + services/dhcpv6-client.xml \ +diff --git a/config/services/collectd.xml b/config/services/collectd.xml +new file mode 100644 +index 000000000000..fb2483e0e716 +--- /dev/null ++++ b/config/services/collectd.xml +@@ -0,0 +1,6 @@ ++ ++ ++ Collectd ++ Collectd is a monitoring system that allows metrics to be sent over the network. This rule allows incoming collectd traffic from remote boxes. ++ ++ +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 918f6f0986ae..92323b03fc17 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -67,6 +67,7 @@ config/services/ceph.xml + config/services/cfengine.xml + config/services/cockpit.xml + config/services/condor-collector.xml ++config/services/collectd.xml + config/services/ctdb.xml + config/services/dhcpv6-client.xml + config/services/dhcpv6.xml +-- +2.28.0 + diff --git a/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch b/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch new file mode 100644 index 0000000..85482a5 --- /dev/null +++ b/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch 
@@ -0,0 +1,54 @@ +From 7edc99c9aca9c1416a05c117ab65598dc3095c35 Mon Sep 17 00:00:00 2001 +From: Kenneth D'souza +Date: Tue, 16 Jun 2020 01:14:52 +0530 +Subject: [PATCH 64/64] feat(service): Add rpc-rquotad.service + +Signed-off-by: Kenneth D'souza +(cherry picked from commit 35e58d6fca6fbf44c34629dc058f3f1f727e7783) +--- + config/Makefile.am | 1 + + config/services/rquotad.xml | 7 +++++++ + po/POTFILES.in | 1 + + 3 files changed, 9 insertions(+) + create mode 100644 config/services/rquotad.xml + +diff --git a/config/Makefile.am b/config/Makefile.am +index 5f44678841f3..178c2358b117 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -233,6 +233,7 @@ CONFIG_FILES = \ + services/redis.xml \ + services/RH-Satellite-6.xml \ + services/rpc-bind.xml \ ++ services/rquotad.xml \ + services/rsh.xml \ + services/rsyncd.xml \ + services/rtsp.xml \ +diff --git a/config/services/rquotad.xml b/config/services/rquotad.xml +new file mode 100644 +index 000000000000..adcd233ebd4d +--- /dev/null ++++ b/config/services/rquotad.xml +@@ -0,0 +1,7 @@ ++ ++ ++ rquotad ++ Remote Quota Server Daemon ++ ++ ++ +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 92323b03fc17..8552b8eca4ab 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -166,6 +166,7 @@ config/services/redis-sentinel.xml + config/services/redis.xml + config/services/RH-Satellite-6.xml + config/services/rpc-bind.xml ++config/services/rquotad.xml + config/services/rsh.xml + config/services/rsyncd.xml + config/services/rtsp.xml +-- +2.28.0 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec new file mode 100644 index 0000000..2b33ca0 --- /dev/null +++ b/SPECS/firewalld.spec 
@@ -0,0 +1,1681 @@
+Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
+Name: firewalld
+Version: 0.8.2
+Release: 3%{?dist}
+URL: http://www.firewalld.org
+License: GPLv2+
+Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
+Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
+Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
+Patch3: 0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch
+Patch4: 0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch
+Patch5: 0005-test-log-verify-logging-still-works-after-truncate.patch
+Patch6: 0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch
+Patch7: 0007-test-dbus-zone-verify-permanent-config-API-signature.patch
+Patch8: 0008-test-dbus-zone-verify-runtime-config-API-signatures.patch
+Patch9: 0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch
+Patch10: 0010-fix-systemd-Conflict-with-nftables.service.patch
+Patch11: 0011-test-dbus-zone-verify-permanent-config-APIs.patch
+Patch12: 0012-test-dbus-zone-verify-runtime-config-APIs.patch
+Patch13: 0013-fix-direct-rule-in-a-zone-chain.patch
+Patch14: 0014-test-direct-rule-in-a-zone-chain.patch
+Patch15: 0015-fix-client-addService-needs-to-reduce-tuple-size.patch
+Patch16: 0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch
+Patch17: 0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch
+Patch18: 0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch
+Patch19: 0019-fix-config-bool-values-in-dict-based-import-export.patch
+Patch20: 0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch
+Patch21: 0021-test-gh509-only-run-test-for-nftables-backend.patch
+Patch22: 0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch
+Patch23: 0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch
+Patch24: 0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch
+Patch25: 0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch
+Patch26: 0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch
+Patch27: 0027-test-check-container-add-support-for-centos8-stream.patch
+Patch28: 0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch
+Patch29: 0029-fix-rich-source-mac-with-nftables-backend.patch
+Patch30: 0030-test-rich-source-mac-with-nftables-backend.patch
+Patch31: 0031-docs-README-add-libxslt-for-doc-generation.patch
+Patch32: 0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch
+Patch33: 0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch
+Patch34: 0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch
+Patch35: 0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch
+Patch36: 0036-test-rhbz1483921-better-test-name.patch
+Patch37: 0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch
+Patch38: 0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch
+Patch39: 0039-improvement-service-IPsec-Update-description-and-add.patch
+Patch40: 0040-fix-rich-nftables-log-level-warning.patch
+Patch41: 0041-fix-rich-icmptypes-with-one-family.patch
+Patch42: 0042-test-rich-icmptypes-with-one-family.patch
+Patch43: 0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch
+Patch44: 0044-test-regression-rhbz1483921-correctly-use-macros.patch
+Patch45: 0045-test-regression-rhbz1541077-correctly-use-macros.patch
+Patch46: 0046-fix-rich-use-correct-error-code-for-invalid-priority.patch
+Patch47: 0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch
+Patch48: 0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch
+Patch49: 0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch
+Patch50: 0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch
+Patch51: 0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch
+Patch52: 0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch
+Patch53: 0053-fix-nftables-packet-marks-with-masks.patch
+Patch54: 0054-fix-nftables-icmp-types-with-code-0.patch
+Patch55: 0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
+Patch56: 0056-test-regression-rhbz1855140-add-negative-tests.patch
+Patch57: 0057-fix-policy-cache-rule_str-for-rich-rules.patch
+Patch58: 0058-test-zone-rich-rule-parsing-bottleneck.patch
+Patch59: 0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch
+Patch60: 0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch
+Patch61: 0061-docs-dbus-fix-invalid-method-names.patch
+Patch62: 0062-docs-firewall-cmd-small-description-grammar-fix.patch
+Patch63: v0.9.0-0063-feat-service-add-collectd-service.patch
+Patch64: v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
+
+BuildArch: noarch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: desktop-file-utils
+BuildRequires: gettext
+BuildRequires: intltool
+# glib2-devel is needed for gsettings.m4
+BuildRequires: glib2, glib2-devel
+BuildRequires: systemd-units
+BuildRequires: docbook-style-xsl
+BuildRequires: libxslt
+BuildRequires: iptables, ebtables, ipset
+BuildRequires: python3-devel
+Requires: iptables, ebtables, ipset
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires: firewalld-filesystem = %{version}-%{release}
+Requires: python3-firewall = %{version}-%{release}
+Conflicts: selinux-policy < 3.14.1-28
+Conflicts: squid < 7:3.5.10-1
+Obsoletes: firewalld-selinux < 0.4.4.2-2
+# bz1581578
+Conflicts: cockpit-ws < 171-2
+
+%description
+firewalld is a firewall service daemon that provides a dynamic customizable
+firewall with a D-Bus interface.
+
+%package -n python3-firewall
+Summary: Python3 bindings for firewalld
+
+%{?python_provide:%python_provide python3-firewall}
+
+Obsoletes: python-firewall < 0.5.2-2
+Obsoletes: python2-firewall < 0.5.2-2
+Requires: python3-dbus
+Requires: python3-slip-dbus
+Requires: python3-decorator
+Requires: python3-gobject-base
+Requires: python3-nftables
+
+%description -n python3-firewall
+Python3 bindings for firewalld.
+
+%package -n firewalld-filesystem
+Summary: Firewalld directory layout and rpm macros
+
+%description -n firewalld-filesystem
+This package provides directories and rpm macros which
+are required by other packages that add firewalld configuration files.
+
+%package -n firewall-applet
+Summary: Firewall panel applet
+Requires: %{name} = %{version}-%{release}
+Requires: firewall-config = %{version}-%{release}
+Requires: hicolor-icon-theme
+Requires: python3-qt5-base
+Requires: python3-gobject
+Requires: libnotify
+Requires: NetworkManager-libnm
+Requires: dbus-x11
+
+%description -n firewall-applet
+The firewall panel applet provides a status information of firewalld and also
+the firewall settings.
+
+%package -n firewall-config
+Summary: Firewall configuration application
+Requires: %{name} = %{version}-%{release}
+Requires: hicolor-icon-theme
+Requires: gtk3
+Requires: python3-gobject
+Requires: NetworkManager-libnm
+Requires: dbus-x11
+
+%description -n firewall-config
+The firewall configuration application provides an configuration interface for
+firewalld.
+
+%prep
+%autosetup -p1
+# must autogen since a patch above touched a Makefile.am
+./autogen.sh
+
+%build
+%configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}"
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+desktop-file-install --delete-original \
+ --dir %{buildroot}%{_sysconfdir}/xdg/autostart \
+ %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
+desktop-file-install --delete-original \
+ --dir %{buildroot}%{_datadir}/applications \
+ %{buildroot}%{_datadir}/applications/firewall-config.desktop
+
+%find_lang %{name} --all-name
+
+%post
+%systemd_post firewalld.service
+
+%preun
+%systemd_preun firewalld.service
+
+%postun
+%systemd_postun_with_restart firewalld.service
+
+%files -f %{name}.lang
+%doc COPYING README
+%{_sbindir}/firewalld
+%{_bindir}/firewall-cmd
+%{_bindir}/firewall-offline-cmd
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/firewall-cmd
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_firewalld
+%{_prefix}/lib/firewalld/icmptypes/*.xml
+%{_prefix}/lib/firewalld/ipsets/README
+%{_prefix}/lib/firewalld/services/*.xml
+%{_prefix}/lib/firewalld/zones/*.xml
+%{_prefix}/lib/firewalld/helpers/*.xml
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld
+%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
+%defattr(0644,root,root)
+%config(noreplace) %{_sysconfdir}/sysconfig/firewalld
+%{_unitdir}/firewalld.service
+%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+%{_mandir}/man1/firewall*cmd*.1*
+%{_mandir}/man1/firewalld*.1*
+%{_mandir}/man5/firewall*.5*
+%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
+%{_sysconfdir}/logrotate.d/firewalld
+
+%files -n python3-firewall
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__
+%{python3_sitelib}/firewall/__pycache__/*.py*
+%{python3_sitelib}/firewall/*.py*
+%{python3_sitelib}/firewall/config/*.py*
+%{python3_sitelib}/firewall/config/__pycache__/*.py*
+%{python3_sitelib}/firewall/core/*.py*
+%{python3_sitelib}/firewall/core/__pycache__/*.py*
+%{python3_sitelib}/firewall/core/io/*.py*
+%{python3_sitelib}/firewall/core/io/__pycache__/*.py*
+%{python3_sitelib}/firewall/server/*.py*
+%{python3_sitelib}/firewall/server/__pycache__/*.py*
+
+%files -n firewalld-filesystem
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/helpers
+%dir %{_prefix}/lib/firewalld/icmptypes
+%dir %{_prefix}/lib/firewalld/ipsets
+%dir %{_prefix}/lib/firewalld/services
+%dir %{_prefix}/lib/firewalld/zones
+%{_rpmconfigdir}/macros.d/macros.firewalld
+
+%files -n firewall-applet
+%attr(0755,root,root) %dir %{_sysconfdir}/firewall
+%{_bindir}/firewall-applet
+%defattr(0644,root,root) +%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +%{_sysconfdir}/firewall/applet.conf +%{_datadir}/icons/hicolor/*/apps/firewall-applet*.* +%{_mandir}/man1/firewall-applet*.1* + +%files -n firewall-config +%{_bindir}/firewall-config +%defattr(0644,root,root) +%{_datadir}/firewalld/firewall-config.glade +%{_datadir}/firewalld/gtk3_chooserbutton.py* +%{_datadir}/firewalld/gtk3_niceexpander.py* +%{_datadir}/applications/firewall-config.desktop +%{_datadir}/metainfo/firewall-config.appdata.xml +%{_datadir}/icons/hicolor/*/apps/firewall-config*.* +%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml +%{_mandir}/man1/firewall-config*.1* + +%changelog +* Mon Oct 26 2020 Eric Garver - 0.8.2-3 +- fix(nftables): packet marks with masks +- fix(nftables): icmp types with code == 0 +- fix(rich icmptype): verify rule and icmptype families +- fix(zone): cache rule_str for rich rules +- improvement(service): IPsec: Update description and add TCP port 4500 +- feat(service): add collectd service +- feat(service): Add rpc-rquotad.service + +* Tue Aug 04 2020 Eric Garver - 0.8.2-2 +- fix(cli): add ipset type hash:mac is incompatible with the family parameter +- fix(cli): add --zone is an invalid option with --direct +- fix: update dynamic DCE RPC ports in freeipa-trust service +- fix: core: rich: Catch ValueError on non-numeric priority values +- fix(rich): icmptypes with one family +- fix(direct): rule in a zone chain +- plus additional upstream stable fixes + +* Mon Apr 06 2020 Eric Garver - 0.8.2-1 +- rebase to v0.8.2 + +* Thu Feb 27 2020 Eric Garver - 0.8.0-4 +- doc: direct: add CAVEATS section + +* Mon Feb 03 2020 Eric Garver - 0.8.0-3 +- restore zone drifting as a feature + +* Tue Nov 12 2019 Eric Garver - 0.8.0-2 +- fix: CLI: service: also output helpers for service info + +* Tue Nov 05 2019 Eric Garver - 0.8.0-1 +- rebase to v0.8.0 + +* Tue Aug 13 2019 Eric Garver - 0.7.0-5 +- bump nftables version requirements + +* Tue Aug 
06 2019 Eric Garver - 0.7.0-4 +- backport patches to sort source-based zone dispatch by zone name + +* Tue Jul 23 2019 Eric Garver - 0.7.0-3 +- backport patch to show service includes in service output +- backport patches to fix dbus API break + +* Thu Jun 13 2019 Eric Garver - 0.7.0-2 +- package rebuild + +* Wed Jun 12 2019 Eric Garver - 0.7.0-1 +- rebase to v0.7.0 + +* Sun Jan 13 2019 Eric Garver - 0.6.3-7 +- backport additional patches for RFC3964_IPv4 filter feature + +* Tue Jan 08 2019 Eric Garver - 0.6.3-6 +- backport nftables support for wildcard interfaces +- backport RFC3964_IPv4 filter feature + +* Tue Dec 18 2018 Eric Garver - 0.6.3-5 +- backport fix for lost NM interfaces in default zone during reload + +* Thu Dec 13 2018 Eric Garver - 0.6.3-4 +- backport recent stable fixes +- backport fix for lost NM interfaces during reload +- backport rich rule priorities +- backport fix for set entries not applied +- update translations + +* Tue Oct 16 2018 Eric Garver - 0.6.3-3 +- backport FlushAllOnReload feature + +* Fri Oct 12 2018 Eric Garver - 0.6.3-2 +- use py3_shbang_opts for lockdown-whitelist +- fix cockpit patch causing test failure + +* Thu Oct 11 2018 Eric Garver - 0.6.3-1 +- rebase package to v0.6.3 +- use py3_shbang_opts for interpreter invocations + +* Mon Sep 10 2018 Eric Garver - 0.6.1-5 +- python3-firewalld can get by with python3-gobject-base +- firewall-config can get by with python3-qt5-base + +* Thu Aug 16 2018 Eric Garver - 0.6.1-4 +- backports for new failed state if startup fails +- backports to use explicit RETURN on user defined ebtables chains +- backports to fix nftables AUDIT log support + +* Tue Aug 14 2018 Eric Garver - 0.6.1-3 +- drop support for ebtables broute table + +* Fri Aug 10 2018 Eric Garver - 0.6.1-2 +- add more ports to high-availability service + +* Thu Aug 09 2018 Eric Garver - 0.6.1-1 +- rebase to v0.6.1 +- fix patch adding cockpit by default, fixes testsuite + +* Mon Jul 09 2018 Eric Garver - 0.6.0-2 +- Use correct 
conflicts version for cockpit-ws +- Enable cockpit by default in some zones + +* Fri Jul 06 2018 Eric Garver - 0.6.0-1 +- rebase to v0.6.0 + +* Tue May 01 2018 Eric Garver - 0.6.0-0.1.alpha1 +- rebase to v0.6.0-alpha + +* Wed Mar 21 2018 Eric Garver - 0.5.2-3 +- remove fedora-isms and clean up spec file + +* Wed Mar 21 2018 Eric Garver - 0.5.2-2 +- remove python2-firewall subpackage + +* Mon Mar 19 2018 Eric Garver - 0.5.2-1 +- rebase package to v0.5.2 + +* Fri Feb 09 2018 Igor Gnatenko - 0.5.1-2 +- Escape macros in %%changelog + +* Wed Feb 07 2018 Eric Garver - 0.5.1-1 +- rebase package to v0.5.1 + +* Wed Feb 07 2018 Fedora Release Engineering - 0.4.4.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Jan 05 2018 Igor Gnatenko - 0.4.4.5-5 +- Remove obsolete scriptlets + +* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 0.4.4.5-4 +- Python 2 binary package renamed to python2-firewall + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Mon Jul 31 2017 Thomas Woerner - 0.4.4.5-3 +- Fix spec file for next RHEL versions + +* Wed Jul 26 2017 Fedora Release Engineering - 0.4.4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jun 9 2017 Thomas Woerner - 0.4.4.5-1 +- Rebase to firewalld-0.4.4.5 + http://www.firewalld.org/2017/06/firewalld-0-4-4-5-release + - Fix build from spec + - Fix –remove-service-from-zone option (RHBZ#1438127) + - Support sctp and dccp in ports, source-ports, forward-ports, helpers and + rich rules (RHBZ#1429808) + - firewall-cmd: Fix –{set,get}-{short,description} for zone (RHBZ#1445238) + - firewall.core.ipXtables: Use new wait option for restore commands if + available + - New services for oVirt: + ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe + - Rename extension for policy choices (server and desktop) to .policy.choice + (RHBZ#1449754) + - D-Bus interfaces: Fix GetAll for interfaces without properties + (RHBZ#1452017) + - Load NAT helpers 
with conntrack helpers (RHBZ#1452681) + - Translation updates +- Additional upstream patches: + - Rich-rule source validation (d69b7cb) + - IPv6 ICMP type only rich-rule fix (cf50bd0) + +* Mon Mar 27 2017 Thomas Woerner - 0.4.4.4-1 +- Rebase to firewalld-0.4.4.4 + http://www.firewalld.org/2017/03/firewalld-0-4-4-4-release +- Drop references to fedorahosted.org from spec file and Makefile.am, use + archive from github +- Fix inconsistent ordering of rules in INPUT_ZONE_SOURCE (issue#166) +- Fix ipset overloading from /etc/firewalld/ipsets +- Fix permanent rich rules using icmp-type elements (RHBZ#1434594) +- firewall-config: Deactivate edit, remove, .. buttons if there are no items +- Check if ICMP types are supported by kernel before trying to use them +- firewall-config: Show invalid ipset type in the ipset configuration dialog + in a special label + +* Tue Feb 21 2017 Thomas Woerner - 0.4.4.3-2 +- Fixed ipset overloading, dropped applied check in get_ipset (issue#206) + +* Fri Feb 10 2017 Thomas Woerner - 0.4.4.3-1 +- Rebase to firewalld-0.4.4.3 + http://www.firewalld.org/2017/02/firewalld-0-4-4-3-release +- Speed up of large file loading +- Support for more ipset types +- Speed up of adding or removing entries for ipsets from files +- Support icmp-type usage in rich rules +- Support for more icmp types +- Support for h323 conntrack helper +- New services +- Code cleanup and several other bug fixes +- Translation updates + +* Fri Feb 10 2017 Fedora Release Engineering - 0.4.4.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Dec 13 2016 Stratakis Charalampos - 0.4.4.2-3 +- Rebuild for Python 3.6 + +* Mon Dec 5 2016 Thomas Woerner - 0.4.4.2-2 +- Dropping firewalld-selinux package again as the required fix made it into + selinux-policy packages for F-23+, updated selinux-policy version conflicts + +* Thu Dec 1 2016 Thomas Woerner - 0.4.4.2-1 +- New firewalld-selinux sub package delivering the SELinux policy module for + firewalld 
(RHBZ#1396765) (RHBZ#1394625) (RHBZ#1394578) (RHBZ#1394573) + (RHBZ#1394569) +- New firewalld release 0.4.4.2: + - firewalld.spec: Added helpers and ipsets paths to firewalld-filesystem + - firewall.core.fw_nm: create NMClient lazily + - Do not use hard-coded path for modinfo, use autofoo to detect it + - firewall.core.io.ifcfg: Dropped invalid option warning with bad format + string + - firewall.core.io.ifcfg: Properly handle quoted ifcfg values + - firewall.core.fw_zone: Do not reset ZONE with ifdown + - Updated translations from zanata + - firewall-config: Extra grid at bottom to visualize firewalld settings + +* Wed Nov 9 2016 Thomas Woerner - 0.4.4.1-1 +- firewall-config: Use proper source check in sourceDialog (fixes issue#162) +- firewallctl: New support for helpers +- Translation updates + +* Fri Oct 28 2016 Thomas Woerner - 0.4.4-1 +- Fix dist-check +- src/Makefile.am: Install new helper files +- config/Makefile.am: Install helpers +- Merged translations +- Updated translations from zanata +- firewalld.spec: Adapt requires for PyQt5 +- firewall-applet: Fix fromUTF8 for python2 PyQt5 usage +- firewall-applet: Use PyQt5 +- firewall-config: New nf_conntrack_select dialog, use nf_conntrack_helpers D-Bus property +- shell-completion/bash/firewall-cmd: Updates for helpers and also some fixes +- src/tests/firewall-[offline-]cmd_test.sh: New helper tests, adapted module tests for services +- doc/xml/seealso.xml: Add firewalld.helper(5) man page +- doc/xml/seealso.xml: Add firewalld.ipset(5) man page +- Fixed typo in firewalld.ipset(5) man page +- Updated firewalld.dbus(5) man page +- New firewalld.helper(5) man page +- doc/xml/firewall-offline-cmd.xml: Updated firewall-offline-cmd man page +- doc/xml/firewall-cmd.xml: Updated firewall-cmd man page +- firewall-offline-cmd: New support for helpers +- firewall-cmd: New support for helpers +- firewall.command: New check_helper_family, check_module and print_helper_info methods +- firewall.core.fw_test: Add helpers 
also to offline backend +- firewall.server.config: New AutomaticHelpers property (rw) +- firewall.server.config: Fix an dict size changed error for firewall.conf file changes +- firewall.server.config: Make LogDenied property readwrite to be consistent +- Some renames of nf_conntrack_helper* functions and structures, helpers is a dict +- firewall.core.fw: Properly check helper setting in set_automatic_helpers +- firewall.errors: Add missing BUILTIN_HELPER error code +- No extra interface for helpers needed in runtime, dropped DBUS_INTERFACE_HELPER +- firewall.server.firewalld: Drop unused queryHelper D-Bus method +- New helpers Q.931 and RAS from nf_conntrack_h323 +- firewall.core.io.helper: Allow dots in helper names, remove underscore +- firewall.core.io.firewalld_conf: Fixed typo in FALLBACK_AUTOMATIC_HELPERS +- firewall-[offline-]cmd: Use sys.excepthook to force exception_handler usage always +- firewall.core.fw_config: new_X methods should also check builtins +- firewall.client: Set helper family to "" if None +- firewall.client: Add missing module string to FirewallClientHelperSettings.settings +- config/firewalld.conf: Add possible values description for AutomaticHelpers +- helpers/amanda.xml: Fix typo in helper module +- firewall-config: Added support for helper module setting +- firewall.client: Added support for helper module setting +- firewall.server.config_helper: Added support for helper module setting +- firewall.core.io.service, firewall.server.config_service: Only replace underscore by dash if module start with nf_conntrack_ +- firewall.core.fw_zone: Use helper module instead of a generated name from helper name +- helpers: Added kernel module +- firewall.core.io.helper: Add module to helper +- firewall-cmd: Removed duplicate --get-ipset-types from help output +- firewall.core.fw_zone: Add zone bingings for PREROUTING in the raw table +- firewall.core.ipXtables: Add PREROUTING default rules for zones in raw table +- firewall-config: New support to 
handle helpers, new dialogs, new helper tab, .. +- config/org.fedoraproject.FirewallConfig.gschema.xml.in: New show-helpers setting +- firewall.client: New helper management for runtime and permanent configuration +- firewall.server.firewalld: New runtime helper management, new nf_conntrack_helper property +- firewall.server.config_service: Fix module name handling (no nf_conntrack_ prefix needed) +- firewall.server.config: New permanent D-Bus helper management +- New firewall.server.config_helper to provide the permanent D-Bus interface for helpers +- firewall.core.fw_zone: Use helpers fw.nf_conntrack_helper for services using helpers +- firewall.core.fw: New helper management, new _automatic_helpers and nf_conntrack_helper settings +- firewall.core.fw_config: Add support for permanent helper handling +- firewall.core.io.service: The module does not need to start with nf_conntrack_ anymore +- firewall.functions: New functions to get and set nf_conntrack_helper kernel setting +- firewall.core.io.firewalld_conf: New support for AutomaticHelpers setting +- firewall.config.dbus: New D-Bus definitions for helpers, new DBUS_INTERFACE_REVISION 12 +- New firewall.core.fw_helper providing FirewallHelper backend +- New firewall.core.helper with HELPER_MAXNAMELEN definition +- config/firewalld.conf: New AutomaticHelpers setting with description +- firewall.config.__init__.py.in: New helpers variables +- firewalld.spec: Add new helpers directory +- config/Makefile.am: Install new helpers +- New helper configuration files for amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp and tftp +- firewall.core.io.helper: New IO handler for netfilter helpers +- firewall.errors: New INVALID_HELPER error code +- firewall.core.io.ifcfg: Use .bak for save files +- firewall-config: Set internal log_denied setting after changing +- firewall.server.config: Copy props before removing items +- doc/xml/firewalld.ipset: Replaced icmptype name remains with ipset +- firewall.core.fw_zone: Fix LOG 
rule placement for LogDenied +- firewall.command: Use "source-ports" in print_zone_info +- firewall.core.logger: Use syslog.openlog() and syslog.closelog() +- firewall-[offline-]cmd man pages: Document --path-{zone,icmptype,ipset,service} +- firewall-cmd: Enable --path-{zone,icmptype,service} options again +- firewall.core.{ipXtables,ebtables}: Copy rule before extracting items in set_rules +- firewall.core.fw: Do not abort transaction on failed ipv6_rpfilter rules +- config/Makefile.am: Added cfengine, condor-collector and smtp-submission services +- Makefile.am: New dist-check used in the archive target +- src/Makefile.am: Reordered nobase_dist_python_DATA to be sorted +- config/Makefile.am: New CONFIG_FILES variable to contain the config files +- Merge pull request #150 from hspaans/master +- Merge pull request #146 from canvon/bugfix/spelling +- Merge pull request #145 from jcpunk/condor +- Command line tools man pages: New section about sequence options and exit codes +- Creating service file for SMTP-Submission. +- Creating service file for CFEngine. +- Fix typo in documentation: iptables mangle table +- Only use sort on lists of main items, but not for item properties +- firewall.core.io.io_object: import_config should not change ordering of lists +- firewall.core.fw_transaction: Load helper modules in FirewallZoneTransaction +- firewall.command: Fail with NOT_AUTHORIZED if authorization fails (RHBZ#1368549) +- firewall.command: Fix sequence exit code with at least one succeeded item +- Add condor collector service +- firewall-cmd: Fixed --{get,set}-{description,short} for permanent zones +- firewall.command: Do not use error code 254 for {ALREADY,NOT}_ENABLED sequences + +* Tue Aug 16 2016 Thomas Woerner - 0.4.3.3-1 +- Fix CVE-2016-5410: Firewall configuration can be modified by any logged in + user +- firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO +- Update AppData configuration file. 
+- tests/firewalld_rich.py: Use new import structure and FirewallClient classes +- tests/firewalld_direct.py: Use new import structure +- tests: firewalld_direct: Fix assert to check for True instead of False +- tests: firewalld_config: Fix expected value when querying the zone target +- tests: firewalld_config: Use real nf_conntrack modules +- firewalld.spec: Added comment about make call for %%build +- firewall-config: Use also width_request and height_request with default size +- Updated firewall-config screenshot +- firewall-cmd: Fixed typo in help output (RHBZ#1367171) +- test-suite: Ignore stderr to get default zone also for missing firewalld.conf +- firewall.core.logger: Warnings should be printed to stderr per default +- firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails +- firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be aquired +- firewall.client: Generate new DBUS_ERROR if SystemBus can not be aquired +- test-suite: Do not fail on ALREADY_ENABLED --add-destination tests +- firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings +- doc/xml/firewalld.dbus.xml: Removed undefined reference +- doc/xml/transform-html.xsl.in: Fixed references in the document +- doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para +- doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page +- firewall: core: fw_nm: Instantiate the NM client only once +- firewall/core/io/*.py: Do not traceback on a general sax parsing issue +- firewall-offline-cmd: Fix --{add,remove}-entries-from-file +- firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file +- firewall.core.prog: Do not output stderr, but return it in the error case +- firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171) +- config/firewall.service.in: use KillMode=mixed +- config/firewalld.service.in: use network-pre.target +- firewall-config: Add missing gettext.textdomain call to fix translations 
+- Add UDP to transmission-client.xml service +- tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings +- firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls +- firewall.client: Fix NOT_ENABLED errors in icmptype destination calls +- firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination + calls +- firewall.command: Add the removed FirewallError handling to the action + (a17ce50) +- firewall.command: Do not use query methods for sequences and also single + options +- Add missing information about MAC and ipset sources to man pages and help + output +- firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages +- firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr} +- firewallctl: Fix traceback if not connected to firewalld +- firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked +- firewall.command: Convert errors to string for Python3 +- firewall.command: Get proper firewall error code from D-BusExceptions +- firewall-cmd: Fixed traceback without args +- Add missing service files to Makefile.am +- shell-completion: Add shell completion support for + --{get,set}--{description,short} +- Updated RHEL-7 selinux-policy and squid conflict + +* Tue Jul 19 2016 Fedora Release Engineering - 0.4.3.2-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Mon Jul 4 2016 Thomas Woerner - 0.4.3.2-1 +- Fix regression with unavailable optional commands +- All missing backend messages should be warnings +- Individual calls for missing restore commands +- Only one authenticate call for add and remove options and also sequences +- New service RH-Satellite-6 +- Fixed selinux-policy conflict version for RHEL-7 + +* Wed Jun 29 2016 Thomas Woerner - 0.4.3.1-2 +- Fixed selinux-policy conflict version for Fedora 24 + +* Tue Jun 28 2016 Thomas Woerner - 0.4.3.1-1 +- New firewalld release 0.4.3.1 +- firewall.command: Fix python3 
DBusException message not interable error +- src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while installing +- firewallctl: Do not trace back on list command without further arguments +- firewallctl (man1): Added remaining sections zone, service, .. +- firewallctl: Added runtime-to-permanent, interface and source parser, + IndividualCalls setting +- firewall.server.config: Allow to set IndividualCalls property in config + interface +- Fix missing icmp rules for some zones +- runProg: Fix issue with running programs +- firewall-offline-cmd: Fix issues with missing system-config-firewall +- firewall.core.ipXtables: Split up source and dest addresses for transaction +- firewall.server.config: Log error in case of loading malformed files in + watcher +- Install and package the firewallctl man page +- New firewallctl utility (RHBZ#1147959) +- doc.xml.seealso: Show firewalld.dbus in See Also sections +- firewall.core.fw_config: Create backup on zone, service, ipset and icmptype + removal (RHBZ#1339251) +- {zone,service,ipset,icmptype}_writer: Do not fail on failed backup +- firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd +- firewall-cmd: Dropped duplicate setType call in --new-ipset +- radius service: Support also tcp ports (RBZ#1219717) +- xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset + sources +- config.xmlschema.service.xsd: Fix service destination conflicts + (RHBZ#1296573) +- firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg +- firewall.command: Only print summary and description in print_X_info with + verbose +- firewall.command: print_msg should be able to print empty lines +- firewall-config: No processing of runtime passthroughs signals in permanent +- Landspace.io fixes and pylint calm downs +- firewall.core.io.zone: Add zone_reader and zone_writer to __all__, pylint + fixes +- firewall-config: Fixed titles of command and context dialogs, also entry + lenths +- 
firewall-config: pylint calm downs
+- firewall.core.fw_zone: Fix use of MAC source in rich rules without ipv limit
+- firewall-config: Use self.active_zoens in conf_zone_added_cb
+- firewall.command: New parse_port, extended parse methods with more checks
+- firewall.command: Fixed parse_port to use the separator in the split call
+- firewall.command: New [de]activate_exception_handler, raise error in parse_X
+- services ha: Allow corosync-qnetd port
+- firewall-applet: Support for kde5-nm-connection-editor
+- tests/firewall-offline-cmd_test.sh: New tests for service and icmptype
+ modifications
+- firewall-offline-cmd: Use FirewallCommand for simplification and sequence
+ options
+- tests/firewall-cmd_test.sh: New tests for service and icmptype modifications
+- firewall-cmd: Fixed set, remove and query destination options for services
+- firewall.core.io.service: Source ports have not been checked in _check_config
+- firewall.core.fw_zone: Method check_source_port is not used, removed
+- firewall.core.base: Added default to ZONE_TARGETS
+- firewall.client: Allow to remove ipv:address pair for service destinations
+- tests/firewall-offline-cmd_test.sh: There is no timeout option in permanent
+- firewall-cmd: Landscape.io fixes, pylint calm downs
+- firewall-cmd: Use FirewallCommand for simplification and sequence options
+- firewall.command: New FirewallCommand for command line client simplification
+- New services: kshell, rsh, ganglia-master, ganglia-client
+- firewalld: Cleanup of unused imports, do not translate some deamon messages
+- firewalld: With fd close interation in runProg, it is not needed here anymore
+- firewall.core.prog: Add fd close iteration to runProg
+- firewall.core.fw_nm: Hide NM typelib import, new nm_get_dbus_interface
+ function
+- firewalld.spec: Require NetworkManager-libnm instead of NetworkManager-glib
+- firewall-config: New add/remove ipset entries from file, remove all entries
+- firewall-applet: Fix tooltip after applet start with
connection to firewalld
+- firewall-config: Select new zone, service or icmptype if the view was empty
+- firewalld.spec: Added build requires for iptables, ebtables and ipset
+- Adding nf_conntrack_sip module to the service SIP
+- firewall: core: fw_ifcfg: Quickly return if ifcfg directory does not exist
+- Drop unneeded python shebangs
+- Translation updates
+
+* Mon May 30 2016 Thomas Woerner - 0.4.2-1
+- New module to search for and change ifcfg files for interfaces not under
+ control of NM
+- firewall_config: Enhanced messages in status bar
+- firewall-config: New message window as overlay if not connected
+- firewall-config: Fix sentivity of option, view menus and main paned if not
+ connected
+- firewall-applet: Quit on SIGINT (Ctrl-C), reduced D-Bus calls, some cleanup
+- firewall-[offline]cmd: Show target in zone information
+- D-Bus: Completed masquerade methods in FirewallClientZoneSettings
+- Fixed log-denied rules for icmp-blocks
+- Keep sorting of interfaces, services, icmp-blocks and other settings in zones
+- Fixed runtime-to-permanent not to save interfaces under control of NM
+- New icmp-block-inversion flag in the zones
+- ICMP type filtering in the zones
+- New services: sip, sips, managesieve
+- rich rules: Allow destination action (RHBZ#1163428)
+- firewall-offline-cmd: New option -q/--quiet
+- firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
+- firewall-[offline-]cmd: Fix option for setting the destination address
+- firewall-config: Fixed resizing behaviour
+- New transaction model for speed ups in start, restart, stop and other actions
+- firewall-cmd: New options --load{zone,service,ipset,icmptype}-defaults
+- Fixed memory leak in dbus_introspection_add_properties
+- Landscape.io fixes, pylint calm downs
+- New D-Bus getXnames methods to speed up firewall-config and firewall-cmd
+- ebtables-restore: No support for COMMIT command
+- Source port support in services, zones and rich rules
+- firewall-offline-cmd:
Added --{add,remove}-entries-from-file for ipsets
+- firewall-config: New active bindings side bar for simple binding changes
+- Reworked NetworkManager module
+- Proper default zone handling for NM connections
+- Try to set zone binding with NM if interface is under control of NM
+- Code cleanup and bug fixes
+- Include test suite in the release and install in /usr/share/firewalld/tests
+- New Travis-CI configuration file
+- Fixed more broken frensh translations
+- Translation updates
+
+* Mon May 9 2016 Thomas Woerner - 0.4.1.2-2
+- Fixed ebtables-restore does not support the COMMIT command issue
+
+* Wed Apr 20 2016 Thomas Woerner - 0.4.1.2-1
+- Fixed translations with python3
+- Fixed exception for failed NM import, new doc string
+- Make ipsets visible per default in firewall-config
+- Install new fw_nm module
+- Do not fail if log file could not be opened
+- Fixed broken fr translation
+
+* Tue Apr 19 2016 Thomas Woerner - 0.4.1-1
+- Enhancements of ipset handling
+ - No cleanup of ipsets using timeouts while reloading
+ - Only destroy conflicting ipsets
+ - Only use ipset types supported by the system
+ - Add and remove several ipset entries in one call using a file
+- Reduce time frame where builtin chains are on policy DROP while reloading
+- Include descriptions in --info-X calls
+- Command line interface support to get and alter descriptions of zones,
+ services, ipsets and icmptypes with permanent option
+- Properly watch changes in combined zones
+- Fix logging in rich rule forward rules
+- Transformed direct.passthrough errors into warnings
+- Rework of import structures
+- Reduced calls to get ids for port and protocol names (RHBZ#1305434)
+- Build and installation fixes by Markos Chandras
+- Provide D-Bus properties in introspection data
+- Fix for flaws found by landscape.io
+- Fix for repeated SUGHUP
+- New NetworkManager module to get and set zones of connections, used in
+ firewall-applet and firewall-config
+- configure: Autodetect backend
tools ({ip,ip6,eb}tables{,-restore}, ipset)
+- Code cleanups
+- Bug fixes
+
+* Mon Feb 22 2016 Jiri Popelka - 0.4.0-4
+- Revert one commit to temporary work-around RHBZ#1309754
+
+* Mon Feb 08 2016 Jiri Popelka - 0.4.0-3
+- Make sure tempdir is created even in offline mode. (RHBZ#1305175)
+
+* Wed Feb 03 2016 Fedora Release Engineering - 0.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Feb 1 2016 Thomas Woerner - 0.4.0-1
+- Version 0.4.0
+ - Speed ups
+ - ipset support
+ - MAC address support
+ - Log of denied packets
+ - Mark action in rich rules
+ - Enhanced alteration of config files with command line tools
+ - Use of zone chains in direct interface
+ - firewall-applet enhancement
+ - New services: ceph-mon, ceph, docker-registry, imap, pop3, pulseaudio,
+ smtps, snmptrap, snmp, syslog-tls and syslog
+ - Several bug fixes
+ - Code optimizations
+
+* Tue Nov 10 2015 Fedora Release Engineering - 0.3.14.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Wed Jul 22 2015 Adam Williamson - 0.3.14.2-4
+- bump versions on old config package obsoletes (f21 is on 0.3.14 now)
+
+* Mon Jul 13 2015 Thomas Woerner - 0.3.14.2-3
+- Require python3-gobject-base for fedora >= 23 and rhel >= 8 (RHBZ#1242076)
+- Fix rhel defines: No python3 for rhel-7
+
+* Thu Jun 18 2015 Thomas Woerner - 0.3.14.2-2
+- Fixed 'pid_file' referenced before assignment (RHBZ#1233232)
+
+* Wed Jun 17 2015 Thomas Woerner - 0.3.14.2-1
+- reunification of the firewalld spec files for all Fedora releases
+- fix dependencies for -applet and -config: use_python3 is the proper switch
+ not with_python3 (RHBZ#1232493)
+- firewalld.spec:
+ - fixed requirements for -applet and -config
+- man pages:
+ - adapted firewall-applet man page to new version
+- firewall-applet:
+ - Only honour active connections for zone changes
+ - Change QSettings path and file names
+- firewall-config:
+ - Only honour active connections for zone changes in the “Change Zones of
Connections” menu
+- Translations:
+ - updated translations
+ - marked translations for “Connections” for review
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.3.14.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 16 2015 Stephen Gallagher 0.3.14.1-2
+- Fix issue with missing polkit policy when installing firewalld on
+ Cloud Edition.
+
+* Fri Jun 12 2015 Thomas Woerner - 0.3.14.1-1
+- firewall-applet
+ - do not use isSystemTrayAvailable check to fix KDE5 startup
+ - dropped gtk applet remain: org.fedoraproject.FirewallApplet.gschema.xml
+
+* Fri Jun 12 2015 Thomas Woerner - 0.3.14-1
+- renamed python2-firewall to python-firewall
+- fixed requirements for GUI parts with Python3
+- dropped upstream merged python3 patch
+- firewalld:
+ - print real zone names in error messages
+ - iptables 1.4.21 does not accept limits of 1/day, minimum is 2/day now
+ - rate limit fix for rich rules
+ - fix readdition of removed permanent direct settings
+ - adaption of the polkit domains to use PK_ACTION_DIRECT_INFO
+ - fixed two minor Python3 issues in firewall.core.io.direct
+ - fixed use of fallback configuration values
+ - fixed use without firewalld.conf
+ - firewalld main restructureization
+ - IPv6_rpfilter now also available as a property on D-Bus in the config interface
+ - fixed wait option use for ipXtables
+ - added --concurrent support for ebtables
+ - richLanguage: allow masquerading with destination
+ - richLanguage: limit masquerading forward rule to new connections
+ - ipXtables: No dns lookups in available_tables and _detect_wait_option
+ - full ebtables support: start, stop, reload, panic mode, direct chains and rules
+ - fix for reload with direct rules
+ - fix or flaws found by landscape.io
+ - pid file handling fixes in case of pid file removal
+ - fix for client issue in case of a dbus NoReply error
+- configuration
+ - new services: dropbox-lansync, ptp
+ - new icmptypes: timestamp-request, timestamp-reply
+- man
pages:
+ - firewalld.zones(5): fixed typos
+ - firewalld.conf(5): Fixed wrong reference to firewalld.lockdown-whitelist page
+- firewall-applet:
+ - new version using Qt4 fixing several issues with the Gtk version
+- spec file:
+ - enabled Python3 support: new backends python-firewall and python3-firewall
+ - some cleanup
+- git:
+ - migrated to github
+- translations:
+ - migrated to zanata
+- build environment:
+ - no need for autoconf-2.69, 2.68 is sufficient
+
+* Thu May 07 2015 Stephen Gallagher 0.3.13-7
+- Use VARIANT_ID instead of VARIANT for making decisions
+
+* Thu Apr 16 2015 Stephen Gallagher 0.3.13-6
+- Switch to using $VARIANT directly from /etc/os-release
+
+* Fri Mar 13 2015 Stephen Gallagher 0.3.13-5
+- Fix bugs with posttrans
+- Remove nonexistent fedora-cloud.conf symlink
+
+* Fri Mar 13 2015 Stephen Gallagher 0.3.13-4
+- Remove per-edition config files
+- Decide on default configuration based on /etc/os-release
+
+* Mon Feb 23 2015 Jiri Popelka - 0.3.13-3
+- use python3 bindings on fedora >=23
+
+* Wed Jan 28 2015 Thomas Woerner - 0.3.13-2
+- enable python2 and python3 bindings for fedora >= 20 and rhel >= 7
+- use python3 bindings on fedora >= 22 and rhel >= 8 for firewalld,
+ firewall-config and firewall-applet
+
+* Thu Dec 04 2014 Jiri Popelka - 0.3.13-1
+- firewalld:
+ - ipXtables: use -w or -w2 if supported (RHBZ#1161745, RHBZ#1151067)
+ - DROP INVALID packets (RHBZ#1169837)
+ - don't use ipv6header for protocol matching. (RHBZ#1065565)
+ - removeAllPassthroughs(): remove passthroughs in reverse order (RHBZ#1167100)
+ - fix config.service.removeDestination() (RHBZ#1164584)
+- firewall-config:
+ - portProtoDialog: other protocol excludes port number/range
+ - better fix for updating zoneStore also in update_active_zones()
+ - fix typo in menu
+- configuration:
+ - new services: tinc, vdsm, mosh, iscsi-target, rsyncd
+ - ship and install XML Schema files.
(#8)
+- man pages:
+ - firewalld.dbus, firewalld.direct, firewalld, firewall-cmd
+- spec file:
+ - filesystem subpackage
+ - make dirs&files in /usr/lib/ world-readable (RHBZ#915988)
+
+* Tue Oct 14 2014 Jiri Popelka - 0.3.12-1
+- firewalld:
+ - new runtimeToPermanent and tracked passsthrough support
+ - make permanent D-Bus interfaces more fine grained like the runtime versions (RHBZ#1127706)
+ - richLanguage: allow using destination with forward-port
+ - Rich_Rule.check(): action can't be used with icmp-block/forward-port/masquerade
+ - fixed Python specific D-Bus exception (RHBZ#1132441)
+- firewall-cmd:
+ - new --runtime-to-permanent to create permanent from runtime configuration
+ - use new D-Bus methods for permanent changes
+ - show target REJECT instead of %%REJECT%% (RHBZ#1058794)
+ - --direct: make fail messages consistent (RHBZ#1141835)
+- firewall-config:
+ - richRuleDialog - OK button tooltip indicates problem
+ - use new D-Bus methods for permanent changes
+ - show target REJECT instead of %%REJECT%% (RHBZ#1058794)
+ - update "Change Zones of Connections" menu on default zone change (RHBZ#11120212)
+ - fixed rename of zones, services and icmptypes to not create new entry (RBHZ#1131064)
+- configuration:
+ - new service for Squid HTTP proxy server
+ - new service for Kerberos admin server
+ - new services for syslog and syslog-tls
+ - new services for SNMP and SNMP traps
+ - add Keywords to .desktop to improve software searchability
+- docs:
+ - updated translations
+ - firewalld.richlanguage: improvements suggested by Rufe Glick
+ - firewalld.dbus: various improvements
+ - firewalld.zone: better description of Limit tag
+ - mention new homepage everywhere
+
+* Wed Aug 27 2014 Jiri Popelka - 0.3.11-3
+- Quiet systemctl if cups-browsed.service is not installed
+
+* Mon Aug 25 2014 Jiri Popelka - 0.3.11-2
+- add few Requires to spec (RHBZ#1133167)
+
+* Wed Aug 20 2014 Jiri Popelka - 0.3.11-1
+- firewalld:
+ - improve error messages
+ - check built-in
chains in direct chain handling functions (RHBZ#1120619)
+ - dbus_to_python() check whether input is of expected type (RHBZ#1122018)
+ - handle negative timeout values (RHBZ#1124476)
+ - warn when Command/Uid/Use/Context already in lockdown whitelist (RHBZ#1126405)
+ - make --lockdown-{on,off} work again (RHBZ#1111573)
+- firewall-cmd:
+ - --timeout now accepts time units (RHBZ#994044)
+- firewall-config:
+ - show active (not default) zones in bold (RHBZ#993655)
+- configuration:
+ - remove ipp-client service from all zones (RHBZ#1105639).
+ - fallbacks for missing values in firewalld.conf
+ - create missing dirs under /etc if needed
+ - add -Es to python command in lockdown-whitelist.xml (RHBZ#1099065)
+- docs:
+ - 'direct' methods concern only chains/rules added via 'direct' (RHBZ#1120619)
+ - --remove-[interface/source] don't need a zone to be specified (RHBZ#1125851)
+ - various fixes in firewalld.zone(5), firewalld.dbus(5), firewalld.direct(5)
+- others:
+ - rpm macros for easier packaging of e.g.
services
+
+* Tue Jul 22 2014 Thomas Woerner - 0.3.10-5
+- Fixed wrong default zone names for server and workstation (RHBZ#1120296)
+
+* Tue Jul 8 2014 Thomas Woerner - 0.3.10-4
+- renamed fedora specific zones to FedoraServer and FedoraWorkstation for
+ zone name limitations (length and allowed chars)
+
+* Mon Jul 7 2014 Thomas Woerner - 0.3.10-3
+- New support for Fedora per-product configuration settings for Fedora.next
+ https://fedoraproject.org/wiki/Per-Product_Configuration_Packaging_Draft
+- Added Fedora server zone (RHBZ#1110711)
+- Added Fedora workstation zone(RHBZ#1113775)
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.3.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Jiri Popelka - 0.3.10-1
+- new services: freeipa-*, puppermaster, amanda-k5, synergy,
+ xmpp-*, tor, privoxy, sane
+- do not use at_console in D-Bus policies (RHBZ#1094745)
+- apply all rich rules for non-default targets
+- AppData file (RHBZ#1094754)
+- separate Polkit actions for desktop & server (RHBZ#1091068)
+- sanitize missing ip6t_rpfilter (RHBZ#1074427)
+- firewall/core/io/*: few improvements (RHBZ#1065738)
+- no load failed error for absent direct.xml file
+- new DBUS_INTERFACE.getZoneSettings to get all run-time zone settings
+- fixed creation and deletion of zones, services and icmptypes over D-Bus signals
+- FirewallClientZoneSettings: Set proper default target
+- if Python2 then encode strings from sax parser (RHBZ#1059104, RHBZ#1058853)
+- firewall-cmd:
+ - don't colour output of query commands (RHBZ#1097841)
+ - use "default" instead of {chain}_{zone} (RHBZ#1075675)
+ - New --get-target and --set-target
+ - Create and remove permanent zones, services and icmptypes
+- firewall-config:
+ - Adding services and icmptypes resulted in duplicates in UI
+ - Use left button menu of -applet in Option menu
+- firewall-offline-cmd: same functionality as 'firewall-cmd --permanent'
+- firewall-applet: ZoneConnectionEditor was missing the
Default Zone entry
+- bash-completion: getting zones/services/icmps is different with/without --permanent
+- firewalld.zone(5): removed superfluous slash (RHBZ#1091575)
+- updated translations
+
+* Wed Feb 05 2014 Jiri Popelka - 0.3.9.3-1
+- Fixed persistent port forwarding (RHBZ#1056154)
+- Stop default zone rules being applied to all zones (RHBZ#1057875)
+- Enforce trust, block and drop zones in the filter table only (RHBZ#1055190)
+- Allow RAs prior to applying IPv6_rpfilter (RHBZ#1058505)
+- Fix writing of rule.audit in zone_writer()
+
+* Fri Jan 17 2014 Jiri Popelka - 0.3.9.2-1
+- fix regression introduced in 0.3.9 (RHBZ#1053932)
+
+* Thu Jan 16 2014 Jiri Popelka - 0.3.9.1-1
+- fix regressions introduced in 0.3.9 (RHBZ#1054068, RHBZ#1054120)
+
+* Mon Jan 13 2014 Jiri Popelka - 0.3.9-1
+- translation updates
+- New IPv6_rpfilter setting to enable source address validation (RHBZ#847707)
+- Do not mix original and customized zones in case of target changes,
+ apply only used zones
+- firewall-cmd: fix --*_lockdown_whitelist_uid to work with uid 0
+- Don't show main window maximized.
(RHBZ#1046811)
+- Use rmmod instead of 'modprobe -r' (RHBZ#1031102)
+- Deprecate 'enabled' attribute of 'masquerade' element
+- firewall-config: new zone was added twice to the list
+- firewalld.dbus(5)
+- Enable python shebang fix again
+- firewall/client: handle_exceptions: Use loop in decorator
+- firewall-offline-cmd: Do not mask firewalld service with disabled option
+- firewall-config: richRuleDialogActionRejectType Entry -> ComboBox
+- Rich_Rule: fix parsing of reject element (RHBZ#1027373)
+- Show combined zones in permanent configuration (RHBZ#1002016)
+- firewall-cmd(1): document exit code 2 and colored output (RHBZ#1028507)
+- firewall-config: fix RHBZ#1028853
+
+* Tue Nov 05 2013 Jiri Popelka - 0.3.8-1
+- fix memory leaks
+- New option --debug-gc
+- Python3 compatibility
+- Better non-ascii support
+- several firewall-config & firewall-applet fixes
+- New --remove-rules commands for firewall-cmd and removeRules methods for D-Bus
+- Fixed FirewallDirect.get_rules to return proper list
+- Fixed LastUpdatedOrderedDict.keys()
+- Enable rich rule usage in trusted zone (RHBZ#994144)
+- New error codes: INVALID_CONTEXT, INVALID_COMMAND, INVALID_USER and INVALID_UID
+
+* Thu Oct 17 2013 Jiri Popelka - 0.3.7-1
+- Don't fail on missing ip[6]tables/ebtables table.
(RHBZ#967376)
+- bash-completion: --permanent --direct options
+- firewall/core/fw.py: fix checking for iptables & ip6tables (RHBZ#1017087)
+- firewall-cmd: use client's exception_handler instead of catching exceptions ourselves
+- FirewallClientZoneSettings: fix {add|remove|query}RichRule()
+- Extend amanda-client service with 10080/tcp (RHBZ#1016867)
+- Simplify Rich_Rule()_lexer() by using functions.splitArgs()
+- Fix encoding problems in exception handling (RHBZ#1015941)
+
+* Fri Oct 04 2013 Jiri Popelka - 0.3.6.2-1
+- firewall-offline-cmd: --forward-port 'toaddr' is optional (RHBZ#1014958)
+- firewall-cmd: fix variable name (RHBZ#1015011)
+
+* Thu Oct 03 2013 Jiri Popelka - 0.3.6.1-1
+- remove superfluous po files from archive
+
+* Wed Oct 02 2013 Jiri Popelka - 0.3.6-1
+- firewalld.richlanguage.xml: correct log levels (RHBZ#993740)
+- firewall-config: Make sure that all zone settings are updated properly on firewalld restart
+- Rich_Limit: Allow long representation for duration (RHBZ#994103
+- firewall-config: Show "Changes applied." after changes (RHBZ#993643)
+- Use own connection dialog to change zones for NM connections
+- Rename service cluster-suite to high-availability (RHBZ#885257)
+- Permanent direct support for firewall-config and firewall-cmd
+- Try to avoid file descriptor leaking (RHBZ#951900)
+- New functions to split and join args properly (honoring quotes)
+- firewall-cmd(1): 2 simple examples
+- Better IPv6 NAT checking.
+- Ship firewalld.direct(5).
+
+* Mon Sep 30 2013 Jiri Popelka - 0.3.5-1
+- Only use one PK action for configuration (RHBZ#994729)
+- firewall-cmd: indicate non-zero exit code with red color
+- rich-rule: enable to have log without prefix & log_level & limit
+- log-level warn/err -> warning/error (RHBZ#1009436)
+- Use policy DROP while reloading, do not reset policy in restart twice
+- Add _direct chains to all table and chain combinations
+- documentation improvements
+- New firewalld.direct(5) man page docbook source
+- tests/firewall-cmd_test.sh: make rich language tests work
+- Rich_Rule._import_from_string(): improve error messages (RHBZ#994150)
+- direct.passthrough wasn't always matching out_signature (RHBZ#967800)
+- firewall-config: twist ICMP Type IP address family logic.
+- firewall-config: port-forwarding/masquerading dialog (RHBZ#993658)
+- firewall-offline-cmd: New --remove-service= option (BZ#969106)
+- firewall-config: Options->Lockdown was not changing permanent.
+- firewall-config: edit line on doubleclick (RHBZ#993572)
+- firewall-config: System Default Zone -> Default Zone (RHBZ#993811)
+- New direct D-Bus interface, persistent direct rule handling, enabled passthough
+- src/firewall-cmd: Fixed help output to use more visual parameters
+- src/firewall-cmd: New usage output, no redirection to man page anymore
+- src/firewall/core/rich.py: Fixed forwad port destinations
+- src/firewall-offline-cmd: Early enable/disable handling now with mask/unmask
+- doc/xml/firewalld.zone.xml: Added more information about masquerade use
+- Prefix to log message is optional (RHBZ#998079)
+- firewall-cmd: fix --permanent --change-interface (RHBZ#997974)
+- Sort zones/interfaces/service/icmptypes on output.
+- wbem-https service (RHBZ#996668)
+- applet&config: add support for KDE NetworkManager connection editor
+- firewall/core/fw_config.py: New method update_lockdown_whitelist
+- Added missing file watcher for lockdown whitelist in config D-Bus interface
+- firewall/core/watcher: New add_watch_file for lockdown-whitelist and direct
+- Make use of IPv6 NAT conditional, based on kernel number (RHBZ#967376)
+
+* Tue Jul 30 2013 Thomas Woerner 0.3.4-1
+- several rich rule check enhancements and fixes
+- firewall-cmd: direct options - check ipv4|ipv6|eb (RHBZ#970505)
+- firewall-cmd(1): improve description of direct options (RHBZ#970509)
+- several firewall-applet enhancements and fixes
+- New README
+- several doc and man page fixes
+- Service definitions for PCP daemons (RHBZ#972262)
+- bash-completion: add lockdown and rich language options
+- firewall-cmd: add --permanent --list-all[-zones]
+- firewall-cmd: new -q/--quiet option
+- firewall-cmd: warn when default zone not active (RHBZ#971843)
+- firewall-cmd: check priority in --add-rule (RHBZ#914955)
+- add dhcpv6 (for server) service (RHBZ#917866)
+- firewall-cmd: add --permanent --get-zone-of-interface/source --change-interface/source
+- firewall-cmd: print result (yes/no) of all --query-* commands
+- move permanent-getZoneOf{Interface|Source} from firewall-cmd to server
+- Check Interfaces/sources when updating permanent zone settings.
+- FirewallDConfig: getZoneOfInterface/Source can actually return more zones
+- Fixed toaddr check in forward port to only allow single address, no range
+- firewall-cmd: various output improvements
+- fw_zone: use check_single_address from firewall.functions
+- getZoneOfInterface/Source does not need to throw exception
+- firewall.functions: Use socket.inet_pton in checkIP, fixed checkIP*nMask
+- firewall.core.io.service: Properly check port/proto and destination address
+- Install applet desktop file into /etc/xdg/autostart
+- Fixed option problem with rich rule destinations (RHBZ#979804)
+- Better exception creation in dbus_handle_exceptions() decorator (RHBZ#979790)
+- Updated firewall-offline-cmd
+- Use priority in add, remove, query and list of direct rules (RHBZ#979509)
+- New documentation (man pages are created from docbook sources)
+- firewall/core/io/direct.py: use prirority for rule methods, new get_all_ methods
+- direct: pass priority also to client.py and firewall-cmd
+- applet: New blink and blink-count settings
+- firewall.functions: New function ppid_of_pid
+- applet: Check for gnome3 and fix it, use new settings, new size-changed cb
+- firewall-offline-cmd: Fix use of systemctl in chroot
+- firewall-config: use string.ascii_letters instead of string.letters
+- dbus_to_python(): handle non-ascii chars in dbus.String.
+- Modernize old syntax constructions.
+- dict.keys() in Python 3 returns a "view" instead of list
+- Use gettext.install() to install _() in builtins namespace.
+- Allow non-ascii chars in 'short' and 'description'
+- README: More information for "Working With The Source Repository"
+- Build environment fixes
+- firewalld.spec: Added missing checks for rhel > 6 for pygobject3-base
+- firewall-applet: New setting show-inactive
+- Don't stop on reload when lockdown already enabled (RHBZ#987403)
+- firewall-cmd: --lockdown-on/off did not touch firewalld.conf
+- FirewallApplet.gschema.xml: Dropped unused sender-info setting
+- doc/firewall-applet.xml: Added information about gsettings
+- several debug and log message fixes
+- Add chain for sources so they can be checked before interfaces (RHBZ#903222)
+- Add dhcp and proxy-dhcp services (RHBZ#986947)
+- io/Zone(): don't error on deprecated family attr of source elem
+- Limit length of zone file name (to 12 chars) due to Netfilter internals.
+- It was not possible to overload a zone with defined source(s).
+- DEFAULT_ZONE_TARGET: {chain}_ZONE_{zone} -> {chain}_{zone}
+- New runtime getSettings for services and icmptypes, fixed policies callbacks
+- functions: New functions checkUser, checkUid and checkCommand
+- src/firewall/client: Fixed lockdown-whitelist-updated signal handling
+- firewall-cmd(1): move firewalld.richlanguage(5) reference in --*-rich-rule
+- Rich rule service: Only add modules for accept action
+- firewall/core/rich: Several fixes and enhanced checks
+- Fixed reload of direct rules
+- firewall/client: New functions to set and get the exception handler
+- firewall-config: New and enhanced UI to handle lockdown and rich rules
+- zone's immutable attribute is redundant
+- Do not allow to set settings in config for immutable zones.
+- Ignore deprecated 'immutable' attribute in zone files.
+- Eviscerate 'immutable' completely.
+- FirewallDirect.query_rule(): fix it
+- permanent direct: activate firewall.core.io.direct:Direct reader
+- core/io/*: simplify getting of character data
+- FirewallDirect.set_config(): allow reloading
+
+* Thu Jun 20 2013 Jiri Popelka
+- Remove migrating to a systemd unit file from a SysV initscript
+- Remove pointless "ExclusiveOS" tag
+
+* Fri Jun 7 2013 Thomas Woerner 0.3.3-2
+- Fixed rich rule check for use in D-Bus
+
+* Thu Jun 6 2013 Thomas Woerner 0.3.3-1
+- new service files
+- relicensed logger.py under GPLv2+
+- firewall-config: sometimes we don't want to use client's exception handler
+- When removing Service/IcmpType remove it from zones too (RHBZ#958401)
+- firewall-config: work-around masquerade_check_cb() being called more times
+- Zone(IO): add interfaces/sources to D-Bus signature
+- Added missing UNKNOWN_SOURCE error code
+- fw_zone.check_source: Raise INVALID_FAMILY if family is invalid
+- New changeZoneOfInterface method, marked changeZone as deprecated
+- Fixed firewall-cmd man page entry for --panic-on
+- firewall-applet: Fixed possible problems of unescaped strings used for markup
+- New support to bind zones to source addresses and ranges (D-BUS, cmd, applet
+- Cleanup of unused variables in FirewallD.start
+- New firewall/fw_types.py with LastUpdatedOrderedDict
+- direct.chains, direct.rules: Using LastUpdatedOrderedDict
+- Support splitted zone files
+- New reader and writer for stored direct chains and rules
+- LockdownWhitelist: fix write(), add get_commands/uids/users/contexts()
+- fix service_writer() and icmptype_writer() to put newline at end of file
+- firewall-cmd: fix --list-sources
+- No need to specify whether source address family is IPv4 or IPv6
+- add getZoneOfSource() to D-Bus interface
+- Add tests and bash-completion for the new "source" operations
+- Convert all input args in D-Bus methods
+- setDefaultZone() was calling accessCheck() *after* the action
+- New uniqify() function to remove duplicates from list whilst
preserving order
+- Zone.combine() merge also services and ports
+- config/applet: silence DBusException during start when FirewallD is not running (RHBZ#966518)
+- firewall-applet: more fixes to make the address sources family agnostic
+- Better defaults for lockdown white list
+- Use auth_admin_keep for allow_any and allow_inactive also
+- New D-Bus API for lockdown policies
+- Use IPv4, IPv6 and BRIDGE for FirewallD properties
+- Use rich rule action as audit type
+- Prototype of string-only D-Bus interface for rich language
+- Fixed wrongly merged source family check in firewall/core/io/zone.py
+- handle_cmr: report errors, cleanup modules in error case only, mark handling
+- Use audit type from rule action, fixed rule output
+- Fixed lockdown whitelist D-Bus handling method names
+- New rich rule handling in runtime D-Bus interface
+- Added interface, source and rich rule handling (runtime and permanent)
+- Fixed dbus_obj in FirewallClientConfigPolicies, added queryLockdown
+- Write changes in setLockdownWhitelist
+- Fixed typo in policies log message in method calls
+- firewall-cmd: Added rich rule, lockdown and lockdown whitelist handling
+- Don't check access in query/getLockdownWhitelist*()
+- firewall-cmd: Also output masquerade flag in --list-all
+- firewall-cmd: argparse is able to convert argument to desired type itself
+- firewall-cmd_test.sh: tests for permanent interfaces/sources and lockdown whitelist
+- Makefile.am: add missing files
+- firewall-cmd_test.sh: tests for rich rules
+- Added lockdown, source, interface and rich rule docs to firewall-cmd
+- Do not masquerade lo if masquerade is enabled in the default zone (RHBZ#904098)
+- Use in metavar for firewall-cmd parser
+
+* Fri May 10 2013 Jiri Popelka - 0.3.2-2
+- removed unintentional en_US.po from tarball
+
+* Tue Apr 30 2013 Jiri Popelka - 0.3.2-1
+- Fix signal handling for SIGTERM
+- Additional service files (RHBZ#914859)
+- Updated po files
+- s/persistent/permanent/ (Trac Ticket #7)
+-
Better behaviour when running without valid DISPLAY (RHBZ#955414)
+- client.handle_exceptions(): do not loop forever
+- Set Zone.defaults in zone_reader (RHBZ#951747)
+- client: do not pass the dbus exception name to handler
+- IO_Object_XMLGenerator: make it work with Python 2.7.4 (RHBZ#951741)
+- firewall-cmd: do not use deprecated BaseException.message
+- client.py: fix handle_exceptions() (RHBZ#951314)
+- firewall-config: check zone/service/icmptype name (RHBZ#947820)
+- Allow 3121/tcp (pacemaker_remote) in cluster-suite service. (RHBZ#885257)
+- firewall-applet: fix default zone hangling in 'shields-up' (RHBZ#947230)
+- FirewallError.get_code(): check for unknown error
+
+* Wed Apr 17 2013 Jiri Popelka - 0.3.1-2
+- Make permanenent changes work with Python 2.7.4 (RHBZ#951741)
+
+* Thu Mar 28 2013 Thomas Woerner 0.3.1-1
+- Use explicit file lists for make dist
+- New rich rule validation check code
+- New global check_port and check_address functions
+- Allow source white and black listing with the rich rule
+- Fix error handling in case of unsupported family in rich rule
+- Enable ip_forwarding in masquerade and forward-port
+- New functions to read and write simple files using filename and content
+- Add --enable-sysconfig to install Fedora-specific sysconfig config file.
+- Add chains for security table (RHBZ#927015)
+- firewalld.spec: no need to specify --with-systemd-unitdir
+- firewalld.service: remove syslog.target and dbus.target
+- firewalld.service: replace hard-coded paths
+- Move bash-completion to new location.
+- Revert "Added configure for new build env" +- Revert "Added Makefile.in files" +- Revert "Added po/Makefile.in.in" +- Revert "Added po/LINGUAS" +- Revert "Added aclocal.m4" +- Amend zone XML Schema + +* Wed Mar 20 2013 Thomas Woerner 0.3.0-1 +- Added rich language support +- Added lockdown feature +- Allow to bind interfaces and sources to zones permanently +- Enabled IPv6 NAT support + masquerading and port/packet forwarding for IPv6 only with rich language +- Handle polkit errors in client class and firewall-config +- Added priority description for --direct --add-rule in firewall-cmd man page +- Add XML Schemas for zones/services/icmptypes XMLs +- Don't keep file descriptors open when forking +- Introduce --nopid option for firewalld +- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782) +- Update cluster-suite service (RHBZ#885257) +- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912) +- Fix interaction problem of changed event of gtk combobox with polkit-kde + by processing all remaining events (RHBZ#915892) +- Stop default zone rules being applied to all zones (RHBZ#912782) +- Firewall.start(): don't call set_default_zone() +- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages +- firewalld-cmd: make --state verbose (RHBZ#886484) +- improve firewalld --help (RHBZ#910492) +- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834) +- Continue loading zone in case of wrong service/port etc. (RHBZ#909466) +- Check also services and icmptypes in Zone() (RHBZ#909466) +- Increase the maximum length of the port forwarding fields from 5 to 11 in + firewall-config +- firewall-cmd: add usage to fail message +- firewall-cmd: redefine usage to point to man page +- firewall-cmd: fix visible problems with arg. 
parsing
+- Use argparse module for parsing command line options and arguments
+- firewall-cmd.1: better clarify where to find ACTIONs
+- firewall-cmd Bash completion
+- firewall-cmd.1: comment --zone= usage and move some options
+- Use zone's target only in %%s_ZONES chains
+- default zone in firewalld.conf was set to public with every restart (#902845)
+- man page cleanup
+- code cleanup
+
+* Thu Mar 07 2013 Jiri Popelka - 0.2.12-5
+- Another fix for RHBZ#912782
+
+* Wed Feb 20 2013 Jiri Popelka - 0.2.12-4
+- Stop default zone rules being applied to all zones (RHBZ#912782)
+
+* Wed Feb 13 2013 Fedora Release Engineering - 0.2.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 22 2013 Jiri Popelka - 0.2.12-2
+- Default zone in firewalld.conf was reseted with every restart (RHBZ#902845)
+- Add icon cache related scriptlets for firewall-config (RHBZ#902680)
+- Fix typo in firewall-config (RHBZ#895812)
+- Fix few mistakes in firewall-cmd(1) man page
+
+* Mon Jan 14 2013 Thomas Woerner 0.2.12-1
+- firewall-cmd: use -V instead of -v for version info (RHBZ#886477)
+- firewall-cmd: don't check reload()'s return value (RHBZ#886461)
+- actually install firewalld.zones.5
+- firewall-config: treat exceptions when adding new zone/service/icmp
+ (RHBZ#886602)
+- firewalld.spec: Fixed requirements of firewall-config to use gtk2 and
+ pygobject3
+- Fail gracefully when running in non X environment.(RHBZ#886551)
+- offline-cmd: fail gracefully when no s-c-f config
+- fix duplicated iptables rules (RHBZ#886515)
+- detect errors and duplicates in config file (RHBZ#886581)
+- firewall-config: don't make 'Edit Service' and 'Edit ICMP Type' insensitive
+- firewalld.spec: fixed requirements, require pygobject3-base
+- frewall-applet: Unused code cleanup
+- firewall-applet: several usability fixes and enhancements
+ (RHBZ#886531) (RHBZ#886534)
+- firewall/server/server.py: fixed KeyboardInterrupt message (RHBZ#886558)
+- Moved fallback zone and minimal_mark to firewall.config.__init__
+- Do not raise ZONE_ALREADY_SET in change_zone if old zone is set again
+ (RHBZ#886432)
+- Make default zone default for all unset connections/interfaces
+ (RHBZ#888288) (RHBZ#882736)
+- firewall-config: Use Gtk.MessageType.WARNING for warning dialog
+- firewall-config: Handle unknown services and icmptypes in persistent mode
+- firewall-config: Do not load settings more than once
+- firewall-config: UI cleanup and fixes (RHBZ#888242)
+- firewall-cmd: created alias --change-zone for --change-interface
+- firewall-cmd man page updates (RHBZ#806511)
+- Merged branch 'build-cleanups'
+- dropped call to autogen.sh in build stage, not needed anymore due to
+ 'build-cleanups' merge
+
+* Thu Dec 13 2012 Thomas Woerner 0.2.11-2
+- require pygobject3-base instead of pygobject3 (no cairo needed) (RHBZ#874378)
+- fixed dependencies of firewall-config to use gtk3 with pygobject3-base and
+ not pygtk2
+
+* Tue Dec 11 2012 Thomas Woerner 0.2.11-1
+- Fixed more _xmlplus (PyXML) incompatibilities to python xml
+- Several man page updates
+- Fixed error in addForwardPort, removeForwardPort and queryForwardPort
+- firewall-cmd: use already existing queryForwardPort()
+- Update firewall.cmd man page, use man page as firewall-cmd usage (rhbz#876394)
+- firewall-config: Do not force to show labels in the main toolbar
+- firewall-config: Dropped "Change default zone" from toolbar
+- firewall-config: Added menu entry to change zones of connections
+- firewall-applet: Zones can be changed now using nm-connection-editor
+ (rhbz#876661)
+- translation updates: cs, hu, ja
+
+* Tue Nov 20 2012 Thomas Woerner 0.2.10-1
+- tests/firewalld_config.py: tests for config.service and config.icmptype
+- FirewallClientConfigServiceSettings(): destinations are dict not list
+- service/zone/icmptype: do not write deprecated name attribute
+- New service ntp
+- firewall-config: Fixed name of about dialog
+- configure.in: Fixed getting of error codes
+- Added coding to all pyhton files
+- Fixed copyright years
+- Beautified file headers
+- Force use of pygobject3 in python-slip (RHBZ#874378)
+- Log: firewall.server.config_icmptype, firewall.server.config_service and
+ firewall.server.config_zone: Prepend full path
+- Allow ":" in interface names for interface aliases
+- Add name argument to Updated and Renamed signal
+- Disable IPv4, IPv6 and EB tables if missing - for IPv4/IPv6 only environments
+- firewall-config.glade file cleanup
+- firewall-config: loadDefaults() can throw exception
+- Use toolbars for Add/Edit/Remove/LoadDefaults buttons for zones, services
+ and icmp types
+- New vnc-server service, opens ports for displays :0 to :3 (RHBZ#877035)
+- firewall-cmd: Fix typo in help output, allow default zone usage for
+ permanenent options
+- Translation updates: cs, fr, ja, pt_BR and zh_CN
+
+* Wed Oct 17 2012 Thomas Woerner 0.2.9-1
+- firewall-config: some UI usability changes
+- firewall-cmd: New option --list-all-zones, output of --list-all changed,
+ more option combination checks
+- firewall-applet: Replaced NMClient by direct DBUS calls to fix python core
+ dumps in case of connection activates/deactivates
+- Use fallback 'C' locale if current locale isn't supported (RHBZ#860278)
+- Add interfaces to zones again after reload
+- firewall-cmd: use FirewallClient().connected value
+- firewall-cmd: --remove-interface was not working due to a typo
+- Do not use restorecon for new and backup files
+- Fixed use of properties REJECT and DROP
+- firewalld_test.py: check interfaces after reload
+- Translation updates
+- Renamed firewall-convert-scfw-config to firewall-offline-cmd, used by
+ anaconda for firewall configuration (e.g. kickstart)
+- Fix python shebang to use -Es at installation time for bin_SCRIPTS and
+ sbin_SCRIPTS and at all times in gtk3_chooserbutton.py
+- tests/firewalld_config.py: update test_zones() test case
+- Config interface: improve renaming of zones/services/icmp_types
+- Move emiting of Added signals closer to source.
+- FirewallClient(): config:ServiceAdded signal was wrongly mapped
+- Add argument 'name' to Removed signal
+- firewall-config: Add callbacks for config:[service|icmp]-[added|removed]
+- firewall-config: catch INVALID_X error when removing zone/service/icmp_type
+- firewall-config: remove unused code
+- Revert "Neutralize _xmlplus instead of conforming it"
+- firewall-applet: some UI usability changes
+- firewall-cmd: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
+
+* Fri Sep 7 2012 Thomas Woerner 0.2.8-1
+- Do not apply old settings to zones after reload
+- FirewallClient: Added callback structure for firewalld signals
+- New firewall-config with full zone, service and icmptype support
+- Added Shields Up/Down configuration dialog to firewall-applet
+- Name attribute of main tag deprecated for zones, services and icmptypes,
+ will be ignored if present
+- Fixed wrong references in firewalld man page
+- Unregister DBus interfaces after sending out the Removed signal
+- Use proper DBus signature in addIcmpType, addService and addZone
+- New builtin property for config interfaces
+- New test case for Config interface
+- spec: use new systemd-rpm macros (rhbz#850110)
+- More config file verifications
+- Lots of smaller fixes and enhancements
+
+* Tue Aug 21 2012 Jiri Popelka 0.2.7-2
+- use new systemd-rpm macros (rhbz#850110)
+
+* Mon Aug 13 2012 Thomas Woerner 0.2.7-1
+- Update of firewall-config
+- Some bug fixes
+
+* Tue Aug 7 2012 Thomas Woerner 0.2.6-1
+- New D-BUS interface for persistent configuration
+- Aded support for persistent zone configuration in firewall-cmd
+- New Shields Up feature in firewall-applet
+- New requirements for python-decorator and pygobject3
+- New firewall-config sub-package
+- New firewall-convert-scfw-config config script
+
+* Fri Apr 20 2012 Thomas Woerner 0.2.5-1
+- Fixed traceback in firewall-cmd for failed or canceled authorization,
+ return proper error codes, new error codes NOT_RUNNING and NOT_AUTHORIZED
+- Enhanced firewalld service file (RHBZ#806868) and (RHBZ#811240)
+- Fixed duplicates in zone after reload, enabled timed settings after reload
+- Removed conntrack --ctstate INVALID check from default ruleset, because it
+ results in ICMP problems (RHBZ#806017).
+- Update interfaces in default zone after reload (rhbz#804814)
+- New man pages for firewalld(1), firewalld.conf(5), firewalld.icmptype(5),
+ firewalld.service(5) and firewalld.zone(5), updated firewall-cmd man page
+ (RHBZ#811257)
+- Fixed firewall-cmd help output
+- Fixed missing icon for firewall-applet (RHBZ#808759)
+- Added root user check for firewalld (RHBZ#767654)
+- Fixed requirements of firewall-applet sub package (RHBZ#808746)
+- Update interfaces in default zone after changing of default zone (RHBZ#804814)
+- Start firewalld before NetworkManager (RHBZ#811240)
+- Add Type=dbus and BusName to service file (RHBZ#811240)
+
+* Fri Mar 16 2012 Thomas Woerner 0.2.4-1
+- fixed firewalld.conf save exception if no temporary file can be written to
+ /etc/firewalld/
+
+* Thu Mar 15 2012 Thomas Woerner 0.2.3-1
+- firewall-cmd: several changes and fixes
+- code cleanup
+- fixed icmp protocol used for ipv6 (rhbz#801182)
+- added and fixed some comments
+- properly restore zone settings, timeout is always set, check for 0
+- some FirewallError exceptions were actually not raised
+- do not REJECT in each zone
+- removeInterface() don't require zone
+- new tests in firewall-test script
+- dbus_to_python() was ignoring certain values
+- added functions for the direct interface: chains, rules, passthrough
+- fixed inconsistent data after reload
+- some fixes for the direct interface: priority positions are bound to ipv,
+ table and chain
+- added support for direct interface in firewall-cmd:
+- added isImmutable(zone) to zone D-Bus interface
+- renamed policy file
+- enhancements for error messages, enables output for direct.passthrough
+- added allow_any to firewald policies, using at leas auth_admin for policies
+- replaced ENABLE_FAILED, DISABLE_FAILED, ADD_FAILED and REMOVE_FAILED by
+ COMMAND_FAILED, resorted error codes
+- new firewalld configuration setting CleanupOnExit
+- enabled polkit again, found a fix for property problem with slip.dbus.service
+- added dhcpv6-client to 'public' (the default) and to 'internal' zones.
+- fixed missing settings form zone config files in
+ "firewall-cmd --list=all --zone=" call
+- added list functions for services and icmptypes, added --list=services and
+ --list=icmptypes to firewall-cmd
+
+* Tue Mar 6 2012 Thomas Woerner 0.2.2-1
+- enabled dhcpv6-client service for zones home and work
+- new dhcpv6-client service
+- firewall-cmd: query mode returns reversed values
+- new zone.changeZone(zone, interface)
+- moved zones, services and icmptypes to /usr/lib/firewalld, can be overloaded
+ by files in /etc/firewalld (no overload of immutable zones block, drop,
+ trusted)
+- reset MinimalMark in firewalld.cnf to default value
+- fixed service destination (addresses not used)
+- fix xmlplus to be compatible with the python xml sax parser and python 3
+ by adding __contains__ to xml.sax.xmlreader.AttributesImpl
+- use icon and glib related post, postun and posttrans scriptes for firewall
+- firewall-cmd: fix typo in state
+- firewall-cmd: fix usage()
+- firewall-cmd: fix interface action description in usage()
+- client.py: fix definition of queryInterface()
+- client.py: fix typo in getInterfaces()
+- firewalld.service: do not fork
+- firewall-cmd: fix bug in --list=port and --port action help message
+- firewall-cmd: fix bug in --list=service
+
+* Mon Mar 5 2012 Thomas Woerner
+- moved zones, services and icmptypes to /usr/lib/firewalld, can be overloaded
+ by files in /etc/firewalld (no overload of immutable zones block, drop,
+ trusted)
+
+* Tue Feb 21 2012 Thomas Woerner 0.2.1-1
+- added missing firewall.dbus_utils
+
+* Tue Feb 7 2012 Thomas Woerner 0.2.0-2
+- added glib2-devel to build requires, needed for gsettings.m4
+- added --with-system-unitdir arg to fix installaiton of system file
+- added glib-compile-schemas calls for postun and posttrans
+- added EXTRA_DIST file lists
+
+* Mon Feb 6 2012 Thomas Woerner 0.2.0-1
+- version 0.2.0 with new FirewallD1 D-BUS interface
+- supports zones with a default zone
+- new direct interface as a replacement of the partial virt interface with
+ additional passthrough functionality
+- dropped custom rules, use direct interface instead
+- dropped trusted interface funcionality, use trusted zone instead
+- using zone, service and icmptype configuration files
+- not using any system-config-firewall parts anymore
+
+* Mon Feb 14 2011 Thomas Woerner 0.1.3-1
+- new version 0.1.3
+- restore all firewall features for reload: panic and virt rules and chains
+- string fixes for firewall-cmd man page (by Jiri Popelka)
+- fixed firewall-cmd port list (by Jiri Popelka)
+- added firewall dbus client connect check to firewall-cmd (by Jiri Popelka)
+- translation updates: de, es, gu, it, ja, kn, ml, nl, or, pa, pl, ru, ta,
+ uk, zh_CN
+
+* Mon Jan 3 2011 Thomas Woerner 0.1.2-1
+- fixed package according to package review (rhbz#665395):
+ - non executable scripts: dropped shebang
+ - using newer GPL license file
+ - made /etc/dbus-1/system.d/FirewallD.conf config(noreplace)
+ - added requires(post) and (pre) for chkconfig
+
+* Mon Jan 3 2011 Thomas Woerner 0.1.1-1
+- new version 0.1.1
+- fixed source path in POTFILES*
+- added missing firewall_config.py.in
+- added misssing space for spec_ver line
+- using firewall_config.VARLOGFILE
+- added date to logging output
+- also log fatal and error logs to stderr and firewall_config.VARLOGFILE
+- make log message for active_firewalld fatal
+
+* Mon Dec 20 2010 Thomas Woerner 0.1-1
+- initial package (proof of concept implementation)