import firewalld-0.9.3-7.el8

2021-08-09 18:22:10 +00:00 · 2021-08-09 18:22:10 +00:00 · 97943e0640
commit 97943e0640
parent 0d214f019b
7 changed files with 626 additions and 1 deletions
--- a/SOURCES/0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch
+++ b/SOURCES/0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch
@ -0,0 +1,28 @@
+From 8d8ec4530dea1a74254c6cc14ece4fa14f7f94fe Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 3 Jun 2021 12:00:06 -0400
+Subject: [PATCH 31/36] test(functions): FWD_GREP_LOG: allow checking error
+ code
+
+(cherry picked from commit 748bcaee9a1d1151cf0e4bc9229f7b46774332ae)
+(cherry picked from commit 69c6a91ca507bdf0e18784ce06d3d872a1c2e5ab)
+---
+ src/tests/functions.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 54afcf14585a..4b298644d7e4 100644
+--- a/src/tests/functions.at
+++ b/src/tests/functions.at
+@@ -328,7 +328,7 @@ m4_define([FWD_CHECK], [
+ ])
+ 
+ m4_define([FWD_GREP_LOG], [
+-    AT_CHECK([grep "$1" ./firewalld.log], 0, [ignore], [ignore])
+    AT_CHECK([grep "$1" ./firewalld.log], $2, [ignore], [ignore])
+ ])
+ 
+ m4_define([TRIM], [[sed -e 's/^[ \t]*//' -e 's/[ \t]*$//']])
+-- 
+2.27.0
+
--- a/SOURCES/0032-test-functions-improve-checking-firewalld.log-for-er.patch
+++ b/SOURCES/0032-test-functions-improve-checking-firewalld.log-for-er.patch
@ -0,0 +1,41 @@
+From fd61eebac7618b1f9051497904d4392ac9b6f53b Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 3 Jun 2021 12:12:03 -0400
+Subject: [PATCH 32/36] test(functions): improve checking firewalld.log for
+ errors
+
+Don't delete the errors/warnings from the log. Use sed/grep in a pipe
+instead.
+
+(cherry picked from commit 23dc028083dbdbd291f022ab60bad0462e23d48e)
+(cherry picked from commit 1bafb54763926f49f930038fb6ecd9ab3e05c796)
+---
+ src/tests/functions.at | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 4b298644d7e4..03795bc3c132 100644
+--- a/src/tests/functions.at
+++ b/src/tests/functions.at
+@@ -255,14 +255,11 @@ m4_define([FWD_START_TEST], [
+ 
+ m4_define([FWD_END_TEST], [
+     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
+-        IF_HOST_SUPPORTS_IP6TABLES([], [
+-            sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
+-        ])
+         if test x"$1" != x"ignore"; then
+-            if test -n "$1"; then
+-                sed -i $1 ./firewalld.log
+-            fi
+-            AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]])
+            AT_FAIL_IF([cat ./firewalld.log | dnl
+                       sed "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" | dnl
+                       m4_ifnblank([$1], [sed $1 |]) dnl
+                       [grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)']])
+         fi
+         m4_undefine([CURRENT_DBUS_ADDRESS])
+         m4_undefine([CURRENT_TEST_NS])
+-- 
+2.27.0
+
--- a/SOURCES/0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch
+++ b/SOURCES/0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch
@ -0,0 +1,46 @@
+From a79321b79b0543cff0c99702c1ab9eeaab8bfe06 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 3 Jun 2021 11:42:58 -0400
+Subject: [PATCH 33/36] fix(policy): warn instead of error for overlapping
+ ports
+
+Fixes: rhbz 1914935
+(cherry picked from commit b71e532bc21fb6a06345b5ecfeb60683c7a194e9)
+(cherry picked from commit 66ca4b0fd9588d60d31998ad792f04962053aaab)
+---
+ src/firewall/core/fw_policy.py | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_policy.py b/src/firewall/core/fw_policy.py
+index 3f5dab808ff0..79a52d8d97c0 100644
+--- a/src/firewall/core/fw_policy.py
+++ b/src/firewall/core/fw_policy.py
+@@ -98,11 +98,23 @@ class FirewallPolicy(object):
+         for args in obj.services:
+             self.add_service(policy, args)
+         for args in obj.ports:
+-            self.add_port(policy, *args)
+            try:
+                self.add_port(policy, *args)
+            except FirewallError as error:
+                if error.code in [errors.ALREADY_ENABLED]:
+                    log.warning(error)
+                else:
+                    raise error
+         for args in obj.protocols:
+             self.add_protocol(policy, args)
+         for args in obj.source_ports:
+-            self.add_source_port(policy, *args)
+            try:
+                self.add_source_port(policy, *args)
+            except FirewallError as error:
+                if error.code in [errors.ALREADY_ENABLED]:
+                    log.warning(error)
+                else:
+                    raise error
+         for args in obj.rules:
+             self.add_rule(policy, args)
+         if obj.masquerade:
+-- 
+2.27.0
+
--- a/SOURCES/0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch
+++ b/SOURCES/0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch
@ -0,0 +1,99 @@
+From 7c1e62b4933f2b110dcedc411b4381c00abe799f Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 3 Jun 2021 11:27:11 -0400
+Subject: [PATCH 34/36] test(zone): verify overlapping ports don't halt zone
+ loading
+
+We can warn about the overlapping ports, but don't completely error out.
+
+Coverage: rhbz 1914935
+(cherry picked from commit 012a87a343673c7699f48fa6af973c890be08671)
+(cherry picked from commit 50e4c979283eee83bf0c707184cd0ca9bf112e85)
+---
+ src/tests/regression/regression.at  |  1 +
+ src/tests/regression/rhbz1914935.at | 64 +++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1914935.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 2a5ad9ef995a..aadd948a459f 100644
+--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
+@@ -41,3 +41,4 @@ m4_include([regression/gh703.at])
+ m4_include([regression/ipset_netmask_allowed.at])
+ m4_include([regression/rhbz1940928.at])
+ m4_include([regression/rhbz1936896.at])
+m4_include([regression/rhbz1914935.at])
+diff --git a/src/tests/regression/rhbz1914935.at b/src/tests/regression/rhbz1914935.at
+new file mode 100644
+index 000000000000..5b110ea4cf4d
+--- /dev/null
+++ b/src/tests/regression/rhbz1914935.at
+@@ -0,0 +1,64 @@
+FWD_START_TEST([zone overlapping ports])
+AT_KEYWORDS(zone port rhbz1914935)
+
+AT_CHECK([mkdir -p ./zones])
+
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<port port="1024-65535" protocol="tcp" />
+<port port="1234" protocol="tcp" />
+<port port="2000-3000" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
+FWD_CHECK([--zone foobar --list-ports], 0, [dnl
+1024-65535/tcp
+])
+
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<source-port port="1024-65535" protocol="tcp" />
+<source-port port="1234" protocol="tcp" />
+<source-port port="2000-3000" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
+FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
+1024-65535/tcp
+])
+
+dnl this one partially overlaps so it should not throw a warning.
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<port port="1024-2000" protocol="tcp" />
+<port port="1500-2500" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
+FWD_CHECK([--zone foobar --list-ports], 0, [dnl
+1024-2500/tcp
+])
+
+dnl this one partially overlaps so it should not throw a warning.
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<source-port port="1024-2000" protocol="tcp" />
+<source-port port="1500-2500" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
+FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
+1024-2500/tcp
+])
+
+FWD_END_TEST([-e '/WARNING: ALREADY_ENABLED:/d'])
+-- 
+2.27.0
+
--- a/SOURCES/v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch
+++ b/SOURCES/v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch
@ -0,0 +1,242 @@
+From e399840e91c766531923c017ffa00bbc01e7bbe6 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 12 Feb 2021 14:23:21 -0500
+Subject: [PATCH 35/36] fix(ipset): normalize entries in CIDR notation
+
+This will convert things like 10.0.1.0/22 to 10.0.0.0/22. Fix up test
+cases in which the error code changed due to this.
+
+(cherry picked from commit e4dc44fcfd214b27c718eb4d99d3b137495b9626)
+---
+ src/firewall/client.py              |  9 ++++++++-
+ src/firewall/core/fw_ipset.py       | 11 ++++++++++-
+ src/firewall/core/ipset.py          | 13 +++++++++++++
+ src/firewall/server/config_ipset.py | 10 ++++++++--
+ src/tests/regression/rhbz1601610.at | 19 +++++++++++++------
+ 5 files changed, 52 insertions(+), 10 deletions(-)
+
+diff --git a/src/firewall/client.py b/src/firewall/client.py
+index 51bf09c8fad6..aa6bd7cd282b 100644
+--- a/src/firewall/client.py
+++ b/src/firewall/client.py
+@@ -34,6 +34,7 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU
+ from firewall.dbus_utils import dbus_to_python
+ from firewall.functions import b2u
+ from firewall.core.rich import Rich_Rule
+from firewall.core.ipset import normalize_ipset_entry
+ from firewall import errors
+ from firewall.errors import FirewallError
+ 
+@@ -1616,12 +1617,16 @@ class FirewallClientIPSetSettings(object):
+         if "timeout" in self.settings[4] and \
+            self.settings[4]["timeout"] != "0":
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+-        self.settings[5] = entries
+        _entries = set()
+        for _entry in dbus_to_python(entries, list):
+            _entries.add(normalize_ipset_entry(_entry))
+        self.settings[5] = list(_entries)
+     @handle_exceptions
+     def addEntry(self, entry):
+         if "timeout" in self.settings[4] and \
+            self.settings[4]["timeout"] != "0":
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+        entry = normalize_ipset_entry(entry)
+         if entry not in self.settings[5]:
+             self.settings[5].append(entry)
+         else:
+@@ -1631,6 +1636,7 @@ class FirewallClientIPSetSettings(object):
+         if "timeout" in self.settings[4] and \
+            self.settings[4]["timeout"] != "0":
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+        entry = normalize_ipset_entry(entry)
+         if entry in self.settings[5]:
+             self.settings[5].remove(entry)
+         else:
+@@ -1640,6 +1646,7 @@ class FirewallClientIPSetSettings(object):
+         if "timeout" in self.settings[4] and \
+            self.settings[4]["timeout"] != "0":
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+        entry = normalize_ipset_entry(entry)
+         return entry in self.settings[5]
+ 
+ # ipset config
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index 6ebda2d56213..e5348949413c 100644
+--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
+@@ -24,7 +24,8 @@
+ __all__ = [ "FirewallIPSet" ]
+ 
+ from firewall.core.logger import log
+-from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts
+from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \
+                                normalize_ipset_entry
+ from firewall.core.io.ipset import IPSet
+ from firewall import errors
+ from firewall.errors import FirewallError
+@@ -189,6 +190,7 @@ class FirewallIPSet(object):
+ 
+     def add_entry(self, name, entry):
+         obj = self.get_ipset(name, applied=True)
+        entry = normalize_ipset_entry(entry)
+ 
+         IPSet.check_entry(entry, obj.options, obj.type)
+         if entry in obj.entries:
+@@ -208,6 +210,7 @@ class FirewallIPSet(object):
+ 
+     def remove_entry(self, name, entry):
+         obj = self.get_ipset(name, applied=True)
+        entry = normalize_ipset_entry(entry)
+ 
+         # no entry check for removal
+         if entry not in obj.entries:
+@@ -226,6 +229,7 @@ class FirewallIPSet(object):
+ 
+     def query_entry(self, name, entry):
+         obj = self.get_ipset(name, applied=True)
+        entry = normalize_ipset_entry(entry)
+         if "timeout" in obj.options and obj.options["timeout"] != "0":
+             # no entries visible for ipsets with timeout
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -239,6 +243,11 @@ class FirewallIPSet(object):
+     def set_entries(self, name, entries):
+         obj = self.get_ipset(name, applied=True)
+ 
+        _entries = set()
+        for _entry in entries:
+            _entries.add(normalize_ipset_entry(_entry))
+        entries = list(_entries)
+
+         for entry in entries:
+             IPSet.check_entry(entry, obj.options, obj.type)
+         if "timeout" not in obj.options or obj.options["timeout"] == "0":
+diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
+index 0d632143ce13..5bb21856f648 100644
+--- a/src/firewall/core/ipset.py
+++ b/src/firewall/core/ipset.py
+@@ -24,6 +24,7 @@
+ __all__ = [ "ipset", "check_ipset_name", "remove_default_create_options" ]
+ 
+ import os.path
+import ipaddress
+ 
+ from firewall import errors
+ from firewall.errors import FirewallError
+@@ -289,3 +290,15 @@ def remove_default_create_options(options):
+            IPSET_DEFAULT_CREATE_OPTIONS[opt] == _options[opt]:
+             del _options[opt]
+     return _options
+
+def normalize_ipset_entry(entry):
+    """ Normalize IP addresses in entry """
+    _entry = []
+    for _part in entry.split(","):
+        try:
+            _part.index("/")
+            _entry.append(str(ipaddress.ip_network(_part, strict=False)))
+        except ValueError:
+            _entry.append(_part)
+
+    return ",".join(_entry)
+diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py
+index 8c647bc29ab9..18ef5783de62 100644
+--- a/src/firewall/server/config_ipset.py
+++ b/src/firewall/server/config_ipset.py
+@@ -33,7 +33,7 @@ from firewall.dbus_utils import dbus_to_python, \
+     dbus_introspection_prepare_properties, \
+     dbus_introspection_add_properties
+ from firewall.core.io.ipset import IPSet
+-from firewall.core.ipset import IPSET_TYPES
+from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry
+ from firewall.core.logger import log
+ from firewall.server.decorators import handle_exceptions, \
+     dbus_handle_exceptions, dbus_service_method
+@@ -406,7 +406,10 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+                          in_signature='as')
+     @dbus_handle_exceptions
+     def setEntries(self, entries, sender=None):
+-        entries = dbus_to_python(entries, list)
+        _entries = set()
+        for _entry in dbus_to_python(entries, list):
+            _entries.add(normalize_ipset_entry(_entry))
+        entries = list(_entries)
+         log.debug1("%s.setEntries('[%s]')", self._log_prefix,
+                    ",".join(entries))
+         self.parent.accessCheck(sender)
+@@ -421,6 +424,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+     @dbus_handle_exceptions
+     def addEntry(self, entry, sender=None):
+         entry = dbus_to_python(entry, str)
+        entry = normalize_ipset_entry(entry)
+         log.debug1("%s.addEntry('%s')", self._log_prefix, entry)
+         self.parent.accessCheck(sender)
+         settings = list(self.getSettings())
+@@ -436,6 +440,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+     @dbus_handle_exceptions
+     def removeEntry(self, entry, sender=None):
+         entry = dbus_to_python(entry, str)
+        entry = normalize_ipset_entry(entry)
+         log.debug1("%s.removeEntry('%s')", self._log_prefix, entry)
+         self.parent.accessCheck(sender)
+         settings = list(self.getSettings())
+@@ -451,6 +456,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+     @dbus_handle_exceptions
+     def queryEntry(self, entry, sender=None): # pylint: disable=W0613
+         entry = dbus_to_python(entry, str)
+        entry = normalize_ipset_entry(entry)
+         log.debug1("%s.queryEntry('%s')", self._log_prefix, entry)
+         settings = list(self.getSettings())
+         if "timeout" in settings[4] and settings[4]["timeout"] != "0":
+diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at
+index ede2c45b88c1..a716539a8acf 100644
+--- a/src/tests/regression/rhbz1601610.at
+++ b/src/tests/regression/rhbz1601610.at
+@@ -6,11 +6,14 @@ CHECK_IPSET
+ FWD_CHECK([-q --new-ipset=foobar --permanent --type=hash:net])
+ FWD_RELOAD
+ 
+-FWD_CHECK([-q --ipset=foobar --add-entry=10.1.1.0/22])
+-FWD_CHECK([-q --ipset=foobar --add-entry=10.1.2.0/22], 13, ignore, ignore)
+-FWD_CHECK([-q --ipset=foobar --add-entry=10.2.0.0/22])
+FWD_CHECK([--ipset=foobar --add-entry=10.1.1.0/22], 0, [ignore])
+FWD_CHECK([--ipset=foobar --query-entry 10.1.2.0/22], 0, [ignore])
+FWD_CHECK([--ipset=foobar --add-entry=10.1.2.0/22], 0, [ignore], [dnl
+Warning: ALREADY_ENABLED: '10.1.0.0/22' already is in 'foobar'
+])
+FWD_CHECK([--ipset=foobar --add-entry=10.2.0.0/22], 0, [ignore])
+ FWD_CHECK([--ipset=foobar --get-entries], 0, [dnl
+-10.1.1.0/22
+10.1.0.0/22
+ 10.2.0.0/22
+ ])
+ NFT_LIST_SET([foobar], 0, [dnl
+@@ -31,6 +34,9 @@ Members:
+ ])
+ 
+ FWD_CHECK([-q --ipset=foobar --remove-entry=10.1.1.0/22])
+FWD_CHECK([--ipset=foobar --query-entry 10.1.1.0/22], 1, [ignore])
+FWD_CHECK([--ipset=foobar --query-entry 10.1.2.0/22], 1, [ignore])
+FWD_CHECK([--ipset=foobar --query-entry 10.2.0.0/22], 0, [ignore])
+ FWD_CHECK([--ipset=foobar --get-entries], 0, [dnl
+ 10.2.0.0/22
+ ])
+@@ -52,7 +58,7 @@ Members:
+ 
+ FWD_CHECK([-q --permanent --ipset=foobar --add-entry=10.1.1.0/22])
+ FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [dnl
+-10.1.1.0/22
+10.1.0.0/22
+ ])
+ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22])
+ FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [
+@@ -101,4 +107,5 @@ Members:
+ 
+ FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl
+               -e '/ERROR: COMMAND_FAILED:.*element.*exists/d'dnl
+-              -e '/Kernel support protocol versions/d'])
+              -e '/Kernel support protocol versions/d'dnl
+              -e '/WARNING: ALREADY_ENABLED:/d'])
+-- 
+2.27.0
+
--- a/SOURCES/v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch
+++ b/SOURCES/v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch
@ -0,0 +1,157 @@
+From 3d7ec2dabb164cbc2dce5aa8aa37ae156ebad275 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 23 Feb 2021 09:18:33 -0500
+Subject: [PATCH 36/36] fix(ipset): disallow overlapping entries
+
+These are already being blocked by the ipset backend, but we should
+catch them higher up to avoid differences in the backends.
+
+(cherry picked from commit 5b4e8918715a1d2e4abf77ed4eb3252486a19109)
+---
+ src/firewall/client.py                        |  4 +++-
+ src/firewall/core/fw_ipset.py                 |  4 +++-
+ src/firewall/core/ipset.py                    | 13 +++++++++++++
+ src/firewall/server/config_ipset.py           |  5 ++++-
+ src/tests/regression/ipset_netmask_allowed.at | 14 ++++++++------
+ 5 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/src/firewall/client.py b/src/firewall/client.py
+index aa6bd7cd282b..3715ffd29316 100644
+--- a/src/firewall/client.py
+++ b/src/firewall/client.py
+@@ -34,7 +34,7 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU
+ from firewall.dbus_utils import dbus_to_python
+ from firewall.functions import b2u
+ from firewall.core.rich import Rich_Rule
+-from firewall.core.ipset import normalize_ipset_entry
+from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing
+ from firewall import errors
+ from firewall.errors import FirewallError
+ 
+@@ -1619,6 +1619,7 @@ class FirewallClientIPSetSettings(object):
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+         _entries = set()
+         for _entry in dbus_to_python(entries, list):
+            check_entry_overlaps_existing(_entry, _entries)
+             _entries.add(normalize_ipset_entry(_entry))
+         self.settings[5] = list(_entries)
+     @handle_exceptions
+@@ -1628,6 +1629,7 @@ class FirewallClientIPSetSettings(object):
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+         entry = normalize_ipset_entry(entry)
+         if entry not in self.settings[5]:
+            check_entry_overlaps_existing(entry, self.settings[5])
+             self.settings[5].append(entry)
+         else:
+             raise FirewallError(errors.ALREADY_ENABLED, entry)
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index e5348949413c..a285fd4a4aab 100644
+--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
+@@ -25,7 +25,7 @@ __all__ = [ "FirewallIPSet" ]
+ 
+ from firewall.core.logger import log
+ from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \
+-                                normalize_ipset_entry
+                                normalize_ipset_entry, check_entry_overlaps_existing
+ from firewall.core.io.ipset import IPSet
+ from firewall import errors
+ from firewall.errors import FirewallError
+@@ -196,6 +196,7 @@ class FirewallIPSet(object):
+         if entry in obj.entries:
+             raise FirewallError(errors.ALREADY_ENABLED,
+                                 "'%s' already is in '%s'" % (entry, name))
+        check_entry_overlaps_existing(entry, obj.entries)
+ 
+         try:
+             for backend in self.backends():
+@@ -245,6 +246,7 @@ class FirewallIPSet(object):
+ 
+         _entries = set()
+         for _entry in entries:
+            check_entry_overlaps_existing(_entry, _entries)
+             _entries.add(normalize_ipset_entry(_entry))
+         entries = list(_entries)
+ 
+diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
+index 5bb21856f648..d6defa395241 100644
+--- a/src/firewall/core/ipset.py
+++ b/src/firewall/core/ipset.py
+@@ -302,3 +302,16 @@ def normalize_ipset_entry(entry):
+             _entry.append(_part)
+ 
+     return ",".join(_entry)
+
+def check_entry_overlaps_existing(entry, entries):
+    """ Check if entry overlaps any entry in the list of entries """
+    # Only check simple types
+    if len(entry.split(",")) > 1:
+        return
+
+    for itr in entries:
+        try:
+            if ipaddress.ip_network(itr, strict=False).overlaps(ipaddress.ip_network(entry, strict=False)):
+                raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(itr, entry))
+        except ValueError:
+            pass
+diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py
+index 18ef5783de62..f33c2a02926f 100644
+--- a/src/firewall/server/config_ipset.py
+++ b/src/firewall/server/config_ipset.py
+@@ -33,7 +33,8 @@ from firewall.dbus_utils import dbus_to_python, \
+     dbus_introspection_prepare_properties, \
+     dbus_introspection_add_properties
+ from firewall.core.io.ipset import IPSet
+-from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry
+from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry, \
+                                check_entry_overlaps_existing
+ from firewall.core.logger import log
+ from firewall.server.decorators import handle_exceptions, \
+     dbus_handle_exceptions, dbus_service_method
+@@ -408,6 +409,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+     def setEntries(self, entries, sender=None):
+         _entries = set()
+         for _entry in dbus_to_python(entries, list):
+            check_entry_overlaps_existing(_entry, _entries)
+             _entries.add(normalize_ipset_entry(_entry))
+         entries = list(_entries)
+         log.debug1("%s.setEntries('[%s]')", self._log_prefix,
+@@ -432,6 +434,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+         if entry in settings[5]:
+             raise FirewallError(errors.ALREADY_ENABLED, entry)
+        check_entry_overlaps_existing(entry, settings[5])
+         settings[5].append(entry)
+         self.update(settings)
+ 
+diff --git a/src/tests/regression/ipset_netmask_allowed.at b/src/tests/regression/ipset_netmask_allowed.at
+index b5165d94b220..fd08afd3b57c 100644
+--- a/src/tests/regression/ipset_netmask_allowed.at
+++ b/src/tests/regression/ipset_netmask_allowed.at
+@@ -9,15 +9,17 @@ dnl an add for the whole range. i.e. 1.2.3.4/24  --> 1.2.3.[0.255] (256
+ dnl entries).
+ dnl
+ dnl In nftables, we allow this by using actual intervals.
+-FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
+-FWD_CHECK([            --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.4/24], 0, [ignore])
+FWD_CHECK([            --ipset foobar --add-entry 1.2.3.4/24], 0, [ignore])
+ 
+ dnl check the edge case
+ FWD_CHECK([--permanent --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
+ FWD_CHECK([            --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
+ 
+-dnl overlaps should be denied by ipset
+-FWD_CHECK([            --ipset foobar --add-entry 1.2.3.0/22], 13, [ignore], [ignore])
+-FWD_CHECK([            --ipset foobar --add-entry 1.2.3.0/30], 13, [ignore], [ignore])
+dnl overlaps should be denied
+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/22], 136, [ignore], [ignore])
+FWD_CHECK([            --ipset foobar --add-entry 1.2.3.0/22], 136, [ignore], [ignore])
+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.4/30], 136, [ignore], [ignore])
+FWD_CHECK([            --ipset foobar --add-entry 1.2.3.4/30], 136, [ignore], [ignore])
+ 
+-FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d'])
+FWD_END_TEST([-e '/ERROR: INVALID_ENTRY:/d'])
+-- 
+2.27.0
+
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.9.3
-Release: 5%{?dist}
+Release: 7%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@ -35,6 +35,12 @@ Patch27: 0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch
 Patch28: 0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch
 Patch29: 0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch
 Patch30: 0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch
+Patch31: 0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch
+Patch32: 0032-test-functions-improve-checking-firewalld.log-for-er.patch
+Patch33: 0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch
+Patch34: 0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch
+Patch35: v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch
+Patch36: v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch

 BuildArch: noarch
 BuildRequires: autoconf
@ -236,6 +242,12 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*

 %changelog
+* Tue Jul 13 2021 Eric Garver <egarver@redhat.com> - 0.9.3-7
+- fix(ipset): disallow overlapping entries
+
+* Tue Jul 13 2021 Eric Garver <egarver@redhat.com> - 0.9.3-6
+- fix(policy): warn instead of error for overlapping ports
+
 * Wed May 19 2021 Eric Garver <egarver@redhat.com> - 0.9.3-5
 - docs(conf): note that IPv6_rpfilter has a performance penalty