revert RHEL only patch to default StrictForwardPorts=yes

Resolves: RHEL-72937
This commit is contained in:
Eric Garver 2025-01-15 11:38:59 -05:00
parent 61999733ad
commit 87f215dc32
2 changed files with 4 additions and 56 deletions


@ -1,54 +0,0 @@
From d1828d7c5b17b5d152acc461123565f3a32d61ce Mon Sep 17 00:00:00 2001
From: Eric Garver <egarver@redhat.com>
Date: Wed, 6 Nov 2024 11:08:14 -0500
Subject: [PATCH] RHEL only: Default to StrictForwardPorts=yes
---
config/firewalld.conf | 4 ++--
src/firewall/config/__init__.py.in | 2 +-
src/tests/functions.at | 4 ++++
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 800b255c77e0..93b85181c2be 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -94,8 +94,8 @@ RFC3964_IPv4=yes
# allowed via firewalld.
# If set to no, then docker (and podman) integrates seamlessly with firewalld.
# Published container ports are implicitly allowed.
-# Defaults to "no".
-StrictForwardPorts=no
+# Defaults to "yes".
+StrictForwardPorts=yes
# NftablesFlowtable
# This may improve forwarded traffic throughput by enabling nftables flowtable.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 4951d37cf80e..478bb7383d41 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -139,4 +139,4 @@ FALLBACK_ALLOW_ZONE_DRIFTING = False
FALLBACK_NFTABLES_FLOWTABLE = "off"
FALLBACK_NFTABLES_COUNTERS = False
FALLBACK_NFTABLES_TABLE_OWNER = True
-FALLBACK_STRICT_FORWARD_PORTS = False
+FALLBACK_STRICT_FORWARD_PORTS = True
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 500756bdacdb..621f2f6f613c 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -141,6 +141,10 @@ m4_define([FWD_START_TEST], [
AT_CHECK([if ! cp /etc/firewalld/firewalld.conf ./firewalld.conf; then exit 77; fi])
fi
+ dnl RHEL downstream changed the default value for this, but upstream tests
+ dnl expect it to be "no".
+ AT_CHECK([sed -i 's/^StrictForwardPorts.*/StrictForwardPorts=no/' ./firewalld.conf])
+
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
AT_KEYWORDS(offline)
dnl cockpit is added by default downstream, but upstream tests don't expect
--
2.45.2
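Review bot: deleting this patch silently weakens the shipped default, and nothing on this page says why. With the patch gone, `StrictForwardPorts=no` and `FALLBACK_STRICT_FORWARD_PORTS = False` are back in effect, so, per the comment in the removed hunk, "Published container ports are implicitly allowed" for docker and podman instead of having to be explicitly allowed via firewalld. The commit message only cites `Resolves: RHEL-72937`; the rationale for relaxing the default (and any guidance for admins who want to keep `StrictForwardPorts=yes`) belongs in the commit message or changelog. Also confirm how an upgrade from 2.3.0-1 treats an existing `/etc/firewalld/firewalld.conf`: if that file is preserved on upgrade, hosts installed from 2.3.0-1 keep `StrictForwardPorts=yes` while fresh installs get `no`, and that split should be called out. Removing the `functions.at` hunk along with the config change is consistent, since the `sed` workaround only existed to undo the downstream default for upstream tests.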


@ -1,12 +1,11 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld Name: firewalld
Version: 2.3.0 Version: 2.3.0
Release: 1%{?dist} Release: 2%{?dist}
URL: http://www.firewalld.org URL: http://www.firewalld.org
License: GPL-2.0-or-later License: GPL-2.0-or-later
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-RHEL-only-Default-to-StrictForwardPorts-yes.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
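Review bot: the `Patch2:` line is dropped and `Release:` is bumped to `2%{?dist}`, which matches the deleted file; if `%prep` applies patches by explicit number rather than `%autosetup`, verify that no `%patch2` reference remains, since that section is not part of this hunk.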
@ -254,6 +253,9 @@ end
%{_mandir}/man1/firewall-config*.1* %{_mandir}/man1/firewall-config*.1*
%changelog %changelog
* Wed Jan 15 2025 Eric Garver <egarver@redhat.com> - 2.3.0-2
- revert RHEL only patch to default StrictForwardPorts=yes
* Tue Nov 05 2024 Eric Garver <egarver@redhat.com> - 2.3.0-1 * Tue Nov 05 2024 Eric Garver <egarver@redhat.com> - 2.3.0-1
- rebase package to v2.3.0 - rebase package to v2.3.0
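Review bot: the new changelog entry should carry the ticket reference and state the effect. The commit message has `Resolves: RHEL-72937`, but the changelog line says only "revert RHEL only patch to default StrictForwardPorts=yes", so anyone reading `rpm -q --changelog firewalld` cannot see why the default changed or that forwarded container ports are now implicitly allowed again. Suggested wording: "- revert RHEL only patch to default StrictForwardPorts=yes (RHEL-72937); default is now StrictForwardPorts=no".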