import firewalld-0.8.2-1.el8

CentOS Sources 2020-07-28 09:02:47 -04:00 committed by Stepan Oksanichenko
parent 473bc21d2d
commit b4b2120af0
14 changed files with 1546 additions and 262 deletions


@ -1 +1 @@
e558ccbfd8a0e08d9339cf1506d8856d3533ed82 SOURCES/firewalld-0.8.0.tar.gz
785c4062248b95a85ddc023eba075b66109e254b SOURCES/firewalld-0.8.2.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/firewalld-0.8.0.tar.gz
SOURCES/firewalld-0.8.2.tar.gz


@ -1,7 +1,7 @@
From aaba32dd922c84662521754952e5a50198dd8625 Mon Sep 17 00:00:00 2001
From 52d53cc4ab0503ad484330b2121f85094a7903de Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 9 Jul 2018 11:29:33 -0400
Subject: [PATCH] Add cockpit by default to some zones
Subject: [PATCH 1/6] RHEL only: Add cockpit by default to some zones
Fixes: #1581578
---
@ -9,9 +9,9 @@ Fixes: #1581578
config/zones/internal.xml | 1 +
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
src/tests/cli/firewall-cmd.at | 14 +++++++++++++-
src/tests/features/helpers_custom.at | 9 +++++++++
src/tests/features/service_include.at | 2 +-
src/tests/firewall-cmd.at | 14 +++++++++++++-
src/tests/regression/gh366.at | 3 +++
src/tests/regression/gh453.at | 2 ++
src/tests/regression/rhbz1514043.at | 2 +-
@ -57,100 +57,11 @@ index 6ea5550a40bd..9609ee6f65c2 100644
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
</zone>
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index c65f067a06ec..263185c88724 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -17,6 +17,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -27,6 +28,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -35,6 +37,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -51,6 +54,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -61,6 +65,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -69,6 +74,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -86,6 +92,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
@@ -99,6 +106,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
@@ -109,6 +117,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 219d5b42767b..0bf59f63b81b 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -117,7 +117,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
])
FWD_CHECK([--zone=public --list-services], 0, [dnl
-dhcpv6-client ssh
+cockpit dhcpv6-client ssh
])
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
FWD_RELOAD
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index 0e0d3938da0a..540bdb8b1065 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -1144,6 +1144,7 @@ FWD_START_TEST([rich rules priority])
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 806af74221b6..74f480f8730f 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1285,6 +1285,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -158,7 +69,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
tcp dport 1122 ct state new,untracked accept
tcp dport 3333 ct state new,untracked accept
tcp dport 4444 ct state new,untracked accept
@@ -1159,6 +1160,7 @@ FWD_START_TEST([rich rules priority])
@@ -1300,6 +1301,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -166,7 +77,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1173,6 +1175,7 @@ FWD_START_TEST([rich rules priority])
@@ -1314,6 +1316,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -174,7 +85,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1254,6 +1257,7 @@ FWD_START_TEST([rich rules priority])
@@ -1395,6 +1398,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -182,7 +93,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
}
}
])
@@ -1357,6 +1361,7 @@ FWD_START_TEST([rich rules priority])
@@ -1498,6 +1502,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -190,7 +101,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1391,6 +1396,7 @@ FWD_START_TEST([rich rules priority])
@@ -1532,6 +1537,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -198,7 +109,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1438,6 +1444,7 @@ FWD_START_TEST([rich rules priority])
@@ -1579,6 +1585,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -206,7 +117,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
icmp type echo-request accept
icmpv6 type echo-request accept
}
@@ -1478,6 +1485,7 @@ FWD_START_TEST([rich rules priority])
@@ -1619,6 +1626,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -214,7 +125,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1500,6 +1508,7 @@ FWD_START_TEST([rich rules priority])
@@ -1641,6 +1649,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -222,7 +133,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1556,6 +1565,7 @@ FWD_START_TEST([rich rules priority])
@@ -1697,6 +1706,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -230,7 +141,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
}
}
])
@@ -1593,6 +1603,7 @@ FWD_START_TEST([rich rules priority])
@@ -1734,6 +1744,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -238,7 +149,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1613,6 +1624,7 @@ FWD_START_TEST([rich rules priority])
@@ -1754,6 +1765,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -246,7 +157,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1638,7 +1650,7 @@ FWD_START_TEST([rich rules priority])
@@ -1779,7 +1791,7 @@ FWD_START_TEST([rich rules priority])
icmp-block-inversion: no
interfaces:
sources:
@ -255,6 +166,95 @@ index 0e0d3938da0a..540bdb8b1065 100644
ports:
protocols:
masquerade: no
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index 41d0f17b1d9e..bd4b52cfb1d6 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -37,6 +37,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -47,6 +48,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -55,6 +57,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -91,6 +94,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -101,6 +105,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -109,6 +114,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -126,6 +132,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
@@ -139,6 +146,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
@@ -149,6 +157,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 7f02701a9419..070f1578fc2b 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -120,7 +120,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
])
FWD_CHECK([--zone=public --list-services], 0, [dnl
-dhcpv6-client ssh
+cockpit dhcpv6-client ssh
])
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
FWD_RELOAD
diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
index 1441a6be53bf..51ff504e6a9d 100644
--- a/src/tests/regression/gh366.at
@ -282,25 +282,25 @@ index 1441a6be53bf..51ff504e6a9d 100644
])])
diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at
index f57a79dcf9a2..6d820fce840a 100644
index 36a6fce5f22a..61bc90aae673 100644
--- a/src/tests/regression/gh453.at
+++ b/src/tests/regression/gh453.at
@@ -18,6 +18,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
}
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
}
@@ -42,6 +43,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
tcp dport 5060 ct helper set "helper-sip-tcp"
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
tcp dport 5060 ct helper set "helper-sip-tcp"
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index efc33e09478b..241cf547f7f3 100644
--- a/src/tests/regression/rhbz1514043.at
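Review bot: The refreshed cockpit patch still documents nothing about the exposure it creates: its message carries only the subject and `Fixes: #1581578`, while the updated expectations for `filter_IN_public_allow` and `IN_public_allow` show TCP 9090 accepted from `0.0.0.0/0` and `::/0` in the public zone, next to SSH. I would add a line to the patch description such as `Downstream default: opens 9090/tcp (cockpit) in the internal, public and work zones; remove with firewall-cmd --permanent --zone=<zone> --remove-service=cockpit`. Only part of the patch is visible on this page, so the list of affected zones should be checked against the full diffstat.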


@ -0,0 +1,235 @@
From 42c3c63410d53f1f1eef8a756202231a7872aafa Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH 2/6] RHEL only: default to AllowZoneDrifting=yes
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
src/tests/cli/firewall-cmd.at | 8 ++++++++
src/tests/dbus/firewalld.conf.at | 4 ++--
src/tests/features/rfc3964_ipv4.at | 4 ++++
src/tests/functions.at | 1 +
src/tests/regression/rhbz1514043.at | 4 ++++
src/tests/regression/rhbz1715977.at | 9 +++++++++
10 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f0452212e..f791b2358ab8 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -71,5 +71,5 @@ RFC3964_IPv4=yes
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "no".
-AllowZoneDrifting=no
+# Possible values; "yes", "no". Defaults to "yes".
+AllowZoneDrifting=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index fcfbfd2b68c1..c21ef87813bc 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -197,7 +197,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para>
</listitem>
</varlistentry>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 5d77af976443..77ad77c01675 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2591,7 +2591,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para></listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 481eb8de758d..645c76b66c8d 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 74f480f8730f..c47c14ea1fc2 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -696,6 +696,10 @@ FWD_START_TEST([ipset])
CHECK_IPSET
CHECK_IPSET_HASH_MAC
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, ignore)
FWD_CHECK([--reload], 0, ignore)
FWD_CHECK([--ipset=foobar --get-entries], 0, [
@@ -1197,6 +1201,10 @@ FWD_START_TEST([rich rules priority])
CHECK_LOG_AUDIT
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
dnl Verify generic layout of zone
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
table inet firewalld {
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 35aead759a9c..4eefa3286f9f 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus)
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
index 54f5f756270b..15fef52612cc 100644
--- a/src/tests/features/rfc3964_ipv4.at
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -1,6 +1,10 @@
FWD_START_TEST([RFC3964_IPv4])
AT_KEYWORDS(rfc3964_ipv4)
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 5b3ed3ee4a5a..8f5ceba4d3f2 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
IF_HOST_SUPPORTS_IP6TABLES([], [
sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
])
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
if test x"$1" != x"ignore"; then
if test -n "$1"; then
sed -i $1 ./firewalld.log
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 241cf547f7f3..8e4846a078b8 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -1,6 +1,10 @@
FWD_START_TEST([--set-log-denied does not zero config])
AT_KEYWORDS(log_denied rhbz1514043)
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index d548de72b90c..b9886e1a0a2b 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -14,6 +14,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
}
}
@@ -23,6 +24,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
@@ -31,6 +33,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
@@ -44,6 +47,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
}
@@ -54,6 +58,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
])
@@ -63,6 +68,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
@@ -76,6 +82,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
@@ -87,6 +94,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
@@ -97,6 +105,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
--
2.23.0
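Review bot: With the shipped default flipped to `AllowZoneDrifting=yes` (and `FALLBACK_ALLOW_ZONE_DRIFTING = True`), the comment in `config/firewalld.conf` describes what drifting does but not that "yes" is the more permissive, downstream-only value; the removed lines show the previous default was "no". I would extend that comment with `# Downstream default is "yes" (upstream: "no"). Set "no" to stop packets drifting from source-based zones into interface-based zones.` The `sed -i "/WARNING: AllowZoneDrifting is enabled./d"` added to `FWD_END_TEST` strips the warning from every test log unconditionally, so a test that is expected to run with "no" but ends up with "yes" would no longer be caught by the log check; consider skipping the deletion in the tests that set "no" explicitly. Separately, the nine `tcp dport 9090` expectations added to `rhbz1715977.at` look like they belong to the cockpit patch (1/6) rather than to this one.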


@ -1,132 +0,0 @@
From ff17d85fd863e7be2b4088c92360185aca6693b0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 7 Nov 2019 08:21:52 -0500
Subject: [PATCH] fix: CLI: service: also output helpers for service info
Fixes: 0c07b704f76d ("feat: CLI: add "helper" support for services")
Fixes: rhbz 1769520
(cherry picked from commit 6bfffe65f55b727afc37a8c1fb4068f6589bb890)
---
src/firewall/command.py | 2 ++
src/tests/features/helpers_custom.at | 42 ++++++++++++++++++++++++++-
src/tests/features/service_include.at | 3 ++
3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/src/firewall/command.py b/src/firewall/command.py
index 85e58d731a80..c371dc23584c 100644
--- a/src/firewall/command.py
+++ b/src/firewall/command.py
@@ -449,6 +449,7 @@ class FirewallCommand(object):
destinations = settings.getDestinations()
short_description = settings.getShort()
includes = settings.getIncludes()
+ helpers = settings.getHelpers()
self.print_msg(service)
if self.verbose:
self.print_msg(" summary: " + short_description)
@@ -464,6 +465,7 @@ class FirewallCommand(object):
" ".join(["%s:%s" % (k, v)
for k, v in destinations.items()]))
self.print_msg(" includes: " + " ".join(sorted(includes)))
+ self.print_msg(" helpers: " + " ".join(sorted(helpers)))
def print_icmptype_info(self, icmptype, settings):
destinations = settings.getDestinations()
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index c65f067a06ec..4c9024d1e2b8 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -1,5 +1,5 @@
FWD_START_TEST([customer helpers])
-AT_KEYWORDS(helpers rhbz1733066 gh514)
+AT_KEYWORDS(helpers rhbz1733066 gh514 rhbz1769520)
FWD_CHECK([-q --permanent --new-helper="ftptest" --module="nf_conntrack_ftp"])
FWD_CHECK([-q --permanent --helper=ftptest --add-port="2121/tcp"])
@@ -8,7 +8,27 @@ FWD_CHECK([-q --permanent --new-service="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-port="2121/tcp"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules: ftptest
+ destination:
+ includes:
+ helpers:
+])])
FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules: ftptest
+ destination:
+ includes:
+ helpers:
+])])
FWD_CHECK([-q --add-service=ftptest])
@@ -42,7 +62,27 @@ dnl Same thing as above, but with the new "helper" in service.
FWD_CHECK([-q --permanent --service=ftptest --remove-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"], 1)
FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftptest"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes:
+ helpers: ftptest
+])])
FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes:
+ helpers: ftptest
+])])
FWD_CHECK([-q --add-service=ftptest])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 219d5b42767b..7f02701a9419 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -76,6 +76,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
my-service-with-include
@@ -85,6 +86,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
dnl firewall-offline-cmd
@@ -106,6 +108,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
dnl negative test for including service that doesn't exist
--
2.23.0


@ -0,0 +1,29 @@
From b2e4f83c8fb011ffe0a8b040fa937f60c842cc25 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 14:42:22 -0400
Subject: [PATCH 3/6] fix: nftables: ipset: port ranges for non-default
protocols
Fixes: 2d1b0fe9fe74 ("fix: nftables: allow set intervals with concatenations")
(cherry picked from commit e80f4fccfc771128affdc578ed37842d5d469ca9)
(cherry picked from commit 6a2fd018666ab8c4877291f8f807a9943db74de3)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index a9d5a45337bd..69ee63b32f8b 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1680,7 +1680,7 @@ class nftables(object):
port_str = entry_tokens[i][index+1:]
try:
- index = entry_tokens[i].index("-")
+ index = port_str.index("-")
except ValueError:
fragment.append(port_str)
else:
--
2.23.0
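Review bot: `index` is used for two different positions in this hunk: first to slice `port_str` out of `entry_tokens[i]`, then for the dash. The bug fixed here came from searching for the dash in one string while the offset is meant for the other. A separate name would make the base string explicit, for example `dash = port_str.index("-")`, with the else branch then slicing `port_str` by `dash`. A short comment such as `# offsets from here on are relative to port_str, not the full entry token` would help too, because a wrong slice can put a different port range into the set than the one that was entered, without any error. The enclosing method starts and ends outside the hunk, so how the else branch uses the offset is inferred.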


@ -0,0 +1,44 @@
From c694ab9a3d00f0471bfdf73a1b00d43f60395717 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 14:38:45 -0400
Subject: [PATCH 4/6] test: ipset: verify port ranges for non-default protocol
(cherry picked from commit c0ad3a0b3340a27c34b33128f756f64acc3a771b)
(cherry picked from commit a2b8a09b929901e14620aa802fd423f958c56188)
---
src/tests/cli/firewall-cmd.at | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index c47c14ea1fc2..ad7b1b32f42c 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -743,6 +743,7 @@ FWD_START_TEST([ipset])
dnl multi dimensional set with non default protocol
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,sctp:1234], 0, ignore)
+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002], 0, ignore)
FWD_RELOAD
FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,8080], 0, ignore)
FWD_CHECK([--zone internal --add-source=ipset:foobar], 0, ignore)
@@ -752,6 +753,7 @@ FWD_START_TEST([ipset])
type ipv4_addr . inet_proto . inet_service
flags interval
elements = { 10.10.10.10 . sctp . 1234,
+ 10.10.10.10 . udp . 1000-1002,
20.20.20.20 . tcp . 8080 }
}
}
@@ -769,6 +771,9 @@ FWD_START_TEST([ipset])
Type: hash:ip,port
Members:
10.10.10.10,sctp:1234
+ 10.10.10.10,udp:1000
+ 10.10.10.10,udp:1001
+ 10.10.10.10,udp:1002
20.20.20.20,tcp:8080
])
FWD_CHECK([--ipset=foobar --add-entry=1.2.3.4,sctp:8080], 0, ignore)
--
2.23.0
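Review bot: The new `udp:1000-1002` entry is only added with `--permanent` before `FWD_RELOAD`. The runtime additions visible in these hunks (`20.20.20.20,8080` and `1.2.3.4,sctp:8080`) are single ports, so a range with a non-default protocol added at runtime is not exercised. If the runtime path builds the set element separately from the reload path, a regression there would go unnoticed. A line such as `FWD_CHECK([--ipset=foobar --add-entry=10.10.10.10,udp:2000-2002], 0, ignore)` after the reload would cover it, with the expected nft and ipset listings extended to match. The test body continues outside the hunks, so later expected output may need the same update.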


@ -0,0 +1,51 @@
From 85782b1fb964e3b67a0276881bdba4ca9881dec3 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 15:21:58 -0400
Subject: [PATCH 5/6] test: log: verify logging still works after truncate
The log policy we ship presumes firewalld opens log files in append
mode. This is because the logrotate policy uses "copytruncate". Lets
verify that it actually works as expected.
(cherry picked from commit e887c16512abd6a3051b0519ee9af344c9f08827)
(cherry picked from commit 2ab7f9e793a51c9aebe08fff6226c38159ae2312)
---
src/tests/regression/gh599.at | 16 ++++++++++++++++
src/tests/regression/regression.at | 1 +
2 files changed, 17 insertions(+)
create mode 100644 src/tests/regression/gh599.at
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
new file mode 100644
index 000000000000..472f228ba2a9
--- /dev/null
+++ b/src/tests/regression/gh599.at
@@ -0,0 +1,16 @@
+FWD_START_TEST([writing to log after copytruncate])
+AT_KEYWORDS(gh599)
+
+AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
+AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
+
+dnl Verify we continue to write to the log file after it's truncated. That is,
+dnl simulate logrotate's copytruncate.
+NS_CHECK([truncate -s 0 ./firewalld.log])
+
+dnl generate some logs, anything will do since we have debug enabled.
+FWD_CHECK([--list-all], 0, [ignore], [ignore])
+
+NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
+
+FWD_END_TEST
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 8042c3a27f89..2528ddd3fede 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -27,3 +27,4 @@ m4_include([regression/gh509.at])
m4_include([regression/gh567.at])
m4_include([regression/rhbz1779835.at])
m4_include([regression/gh330.at])
+m4_include([regression/gh599.at])
--
2.23.0
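Review bot: The final `NS_CHECK` in gh599.at only asserts that `firewalld.log` is non-empty, which does not distinguish append mode from a plain write mode. A descriptor opened without append keeps its old offset after `truncate -s 0`, so the next write leaves a sparse file of leading NUL bytes whose size is still greater than zero, and the check would most likely pass in the very case the test is meant to catch. Checking that the first byte is not NUL would pin the behaviour, for example `NS_CHECK([sh -c 'test "$(head -c 1 ./firewalld.log | tr -d "\000" | wc -c)" -eq 1'])`. Separately, `let` is not a POSIX `sh` builtin, so the current line depends on `sh` being bash. The follow-up patch in this series keeps the same line.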


@ -0,0 +1,32 @@
From 01dd132e2004e6d40c6c2200f6105ca49594041a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 6 Apr 2020 15:34:57 -0400
Subject: [PATCH 6/6] fix: test/regression/gh599: fix if not using debug output
Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
(cherry picked from commit f7e3c60263e144a04ee175d5f7bb3fa4636a97a4)
(cherry picked from commit e78548b1fd6e87500d7df3ade5373285ca525f03)
---
src/tests/regression/gh599.at | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
index 472f228ba2a9..337e18018baf 100644
--- a/src/tests/regression/gh599.at
+++ b/src/tests/regression/gh599.at
@@ -8,9 +8,9 @@ dnl Verify we continue to write to the log file after it's truncated. That is,
dnl simulate logrotate's copytruncate.
NS_CHECK([truncate -s 0 ./firewalld.log])
-dnl generate some logs, anything will do since we have debug enabled.
-FWD_CHECK([--list-all], 0, [ignore], [ignore])
+dnl generate some logs
+FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
-FWD_END_TEST
+FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
--
2.23.0
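Review bot: The expected exit status `101` on the new `FWD_CHECK` line is a bare number, and the shortened comment `dnl generate some logs` no longer explains why a deliberately failing command is used. A comment along the lines of `dnl A rejected request is logged as an ERROR even without debug output; 101 is INVALID_SERVICE.` would record the reasoning. It would also explain the sed expression passed to `FWD_END_TEST`, which appears to exist only to drop that expected error line from the final log check.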


@ -0,0 +1,496 @@
From 5a912cc04a75e018631745647a524cce8569505b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 13:38:06 -0400
Subject: [PATCH 07/10] test: dbus: zone: verify permanent config API
signatures
(cherry picked from commit f6a6837cb49d5a9ca4ea08964fb62bb9f7f420ac)
(cherry picked from commit 7cc77369cd68ff1860b151fc649d237f1feb84ba)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_permanent_signatures.at | 464 ++++++++++++++++++++
2 files changed, 465 insertions(+)
create mode 100644 src/tests/dbus/zone_permanent_signatures.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 46fec2ff4024..ffef478f5449 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -1,3 +1,4 @@
AT_BANNER([dbus])
m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
+m4_include([dbus/zone_permanent_signatures.at])
diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at
new file mode 100644
index 000000000000..15319552c15f
--- /dev/null
+++ b/src/tests/dbus/zone_permanent_signatures.at
@@ -0,0 +1,464 @@
+FWD_START_TEST([dbus api - zone permanent signatures])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_INTROSPECT([config], [[//method[@name="listZones"]]], 0, [dnl
+ <method name="listZones">
+ <arg direction="out" type="ao"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneNames"]]], 0, [dnl
+ <method name="getZoneNames">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneByName"]]], 0, [dnl
+ <method name="getZoneByName">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="o"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="addZone"]]], 0, [dnl
+ <method name="addZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ <arg direction="out" type="o"></arg>
+ </method>
+])
+
+dnl zone relation to interface/sources
+DBUS_INTROSPECT([config], [[//method[@name="getZoneOfInterface"]]], 0, [dnl
+ <method name="getZoneOfInterface">
+ <arg direction="in" name="iface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneOfSource"]]], 0, [dnl
+ <method name="getZoneOfSource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+
+
+dnl ####################
+dnl Zone object APIs
+dnl ####################
+
+dnl Get a reference to the public zone. We'll use it to introspect APIs.
+DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout])
+DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]
+export DBUS_PUBLIC_ZONE_OBJ
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl
+ <method name="getSettings">
+ <arg direction="out" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="update"]]], 0, [dnl
+ <method name="update">
+ <arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl
+ <method name="loadDefaults">
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="remove"]]], 0, [dnl
+ <method name="remove">
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="rename"]]], 0, [dnl
+ <method name="rename">
+ <arg direction="in" name="name" type="s"></arg>
+ </method>
+])
+
+dnl Version
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getVersion"]]], 0, [dnl
+ <method name="getVersion">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setVersion"]]], 0, [dnl
+ <method name="setVersion">
+ <arg direction="in" name="version" type="s"></arg>
+ </method>
+])
+
+dnl Short
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getShort"]]], 0, [dnl
+ <method name="getShort">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setShort"]]], 0, [dnl
+ <method name="setShort">
+ <arg direction="in" name="short" type="s"></arg>
+ </method>
+])
+
+dnl Description
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getDescription"]]], 0, [dnl
+ <method name="getDescription">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setDescription"]]], 0, [dnl
+ <method name="setDescription">
+ <arg direction="in" name="description" type="s"></arg>
+ </method>
+])
+
+dnl Target
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getTarget"]]], 0, [dnl
+ <method name="getTarget">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setTarget"]]], 0, [dnl
+ <method name="setTarget">
+ <arg direction="in" name="target" type="s"></arg>
+ </method>
+])
+
+dnl Interfaces
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getInterfaces"]]], 0, [dnl
+ <method name="getInterfaces">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setInterfaces"]]], 0, [dnl
+ <method name="setInterfaces">
+ <arg direction="in" name="interfaces" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addInterface"]]], 0, [dnl
+ <method name="addInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeInterface"]]], 0, [dnl
+ <method name="removeInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryInterface"]]], 0, [dnl
+ <method name="queryInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Sources
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSources"]]], 0, [dnl
+ <method name="getSources">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSources"]]], 0, [dnl
+ <method name="setSources">
+ <arg direction="in" name="sources" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSource"]]], 0, [dnl
+ <method name="addSource">
+ <arg direction="in" name="source" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSource"]]], 0, [dnl
+ <method name="removeSource">
+ <arg direction="in" name="source" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySource"]]], 0, [dnl
+ <method name="querySource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Services
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getServices"]]], 0, [dnl
+ <method name="getServices">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setServices"]]], 0, [dnl
+ <method name="setServices">
+ <arg direction="in" name="services" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addService"]]], 0, [dnl
+ <method name="addService">
+ <arg direction="in" name="service" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeService"]]], 0, [dnl
+ <method name="removeService">
+ <arg direction="in" name="service" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryService"]]], 0, [dnl
+ <method name="queryService">
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getPorts"]]], 0, [dnl
+ <method name="getPorts">
+ <arg direction="out" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setPorts"]]], 0, [dnl
+ <method name="setPorts">
+ <arg direction="in" name="ports" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addPort"]]], 0, [dnl
+ <method name="addPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removePort"]]], 0, [dnl
+ <method name="removePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPort"]]], 0, [dnl
+ <method name="queryPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Source Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSourcePorts"]]], 0, [dnl
+ <method name="getSourcePorts">
+ <arg direction="out" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSourcePorts"]]], 0, [dnl
+ <method name="setSourcePorts">
+ <arg direction="in" name="ports" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSourcePort"]]], 0, [dnl
+ <method name="addSourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSourcePort"]]], 0, [dnl
+ <method name="removeSourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySourcePort"]]], 0, [dnl
+ <method name="querySourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Protocol
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getProtocols"]]], 0, [dnl
+ <method name="getProtocols">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setProtocols"]]], 0, [dnl
+ <method name="setProtocols">
+ <arg direction="in" name="protocols" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addProtocol"]]], 0, [dnl
+ <method name="addProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeProtocol"]]], 0, [dnl
+ <method name="removeProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryProtocol"]]], 0, [dnl
+ <method name="queryProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Forward Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getForwardPorts"]]], 0, [dnl
+ <method name="getForwardPorts">
+ <arg direction="out" type="a(ssss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setForwardPorts"]]], 0, [dnl
+ <method name="setForwardPorts">
+ <arg direction="in" name="ports" type="a(ssss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addForwardPort"]]], 0, [dnl
+ <method name="addForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeForwardPort"]]], 0, [dnl
+ <method name="removeForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryForwardPort"]]], 0, [dnl
+ <method name="queryForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Masquerade
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getMasquerade"]]], 0, [dnl
+ <method name="getMasquerade">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setMasquerade"]]], 0, [dnl
+ <method name="setMasquerade">
+ <arg direction="in" name="masquerade" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addMasquerade"]]], 0, [dnl
+ <method name="addMasquerade">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeMasquerade"]]], 0, [dnl
+ <method name="removeMasquerade">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryMasquerade"]]], 0, [dnl
+ <method name="queryMasquerade">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlocks"]]], 0, [dnl
+ <method name="getIcmpBlocks">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlocks"]]], 0, [dnl
+ <method name="setIcmpBlocks">
+ <arg direction="in" name="icmptypes" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlock"]]], 0, [dnl
+ <method name="addIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlock"]]], 0, [dnl
+ <method name="removeIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlock"]]], 0, [dnl
+ <method name="queryIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block Inversion
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlockInversion"]]], 0, [dnl
+ <method name="getIcmpBlockInversion">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlockInversion"]]], 0, [dnl
+ <method name="setIcmpBlockInversion">
+ <arg direction="in" name="flag" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl
+ <method name="addIcmpBlockInversion">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
+ <method name="removeIcmpBlockInversion">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
+ <method name="queryIcmpBlockInversion">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Rich Rules
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getRichRules"]]], 0, [dnl
+ <method name="getRichRules">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setRichRules"]]], 0, [dnl
+ <method name="setRichRules">
+ <arg direction="in" name="rules" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addRichRule"]]], 0, [dnl
+ <method name="addRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeRichRule"]]], 0, [dnl
+ <method name="removeRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryRichRule"]]], 0, [dnl
+ <method name="queryRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+FWD_END_TEST
--
2.25.2
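Review bot: The extraction of `DBUS_PUBLIC_ZONE_OBJ` in zone_permanent_signatures.at has no failure path. When the substitution does not match, `sed` prints the input line unchanged, so the variable would hold the raw `getZoneByName` reply and every following `DBUS_INTROSPECT` would fail on a malformed object path instead of at the cause. Running sed with `-n` and a trailing `p` flag on the substitution yields an empty value on no match. A guard such as `AT_CHECK([test -n "${DBUS_PUBLIC_ZONE_OBJ}"])` right after the `export` would then stop the test at the right place. The `\+` in the pattern is also a GNU extension to basic regular expressions, which matters if the suite is ever run with another sed.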


@ -0,0 +1,446 @@
From 3122491686014a2cdd83d3506334055fd18c80e0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 14:16:48 -0400
Subject: [PATCH 08/10] test: dbus: zone: verify runtime config API signatures
(cherry picked from commit fca39ea7edbd57283bc15fdd88fbfd4b1943f977)
(cherry picked from commit d17a68d680b631954fdb5031a3c0627a68f77049)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_runtime_signatures.at | 415 ++++++++++++++++++++++
2 files changed, 416 insertions(+)
create mode 100644 src/tests/dbus/zone_runtime_signatures.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index ffef478f5449..377244460e7a 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -2,3 +2,4 @@ AT_BANNER([dbus])
m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
m4_include([dbus/zone_permanent_signatures.at])
+m4_include([dbus/zone_runtime_signatures.at])
diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at
new file mode 100644
index 000000000000..53fdbea03180
--- /dev/null
+++ b/src/tests/dbus/zone_runtime_signatures.at
@@ -0,0 +1,415 @@
+FWD_START_TEST([dbus api - zone runtime signatures])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_INTROSPECT([], [[//method[@name="getZoneSettings"]]], 0, [dnl
+ <method name="getZoneSettings">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+dnl Default Zone
+DBUS_INTROSPECT([], [[//method[@name="getDefaultZone"]]], 0, [dnl
+ <method name="getDefaultZone">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="setDefaultZone"]]], 0, [dnl
+ <method name="setDefaultZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ </method>
+])
+
+dnl Fetching Zones
+DBUS_INTROSPECT([], [[//method[@name="getZones"]]], 0, [dnl
+ <method name="getZones">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getActiveZones"]]], 0, [dnl
+ <method name="getActiveZones">
+ <arg direction="out" type="a{sa{sas}}"></arg>
+ </method>
+])
+
+dnl Interface/Source
+DBUS_INTROSPECT([], [[//method[@name="getZoneOfInterface"]]], 0, [dnl
+ <method name="getZoneOfInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getZoneOfSource"]]], 0, [dnl
+ <method name="getZoneOfSource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+
+dnl ####################
+dnl Zone APIs
+dnl ####################
+
+DBUS_INTROSPECT([], [[//method[@name="isImmutable"]]], 0, [dnl
+ <method name="isImmutable">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Interfaces
+DBUS_INTROSPECT([], [[//method[@name="addInterface"]]], 0, [dnl
+ <method name="addInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZone"]]], 0, [dnl
+ <method name="changeZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZoneOfInterface"]]], 0, [dnl
+ <method name="changeZoneOfInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeInterface"]]], 0, [dnl
+ <method name="removeInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryInterface"]]], 0, [dnl
+ <method name="queryInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getInterfaces"]]], 0, [dnl
+ <method name="getInterfaces">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Sources
+DBUS_INTROSPECT([], [[//method[@name="addSource"]]], 0, [dnl
+ <method name="addSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZoneOfSource"]]], 0, [dnl
+ <method name="changeZoneOfSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeSource"]]], 0, [dnl
+ <method name="removeSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="querySource"]]], 0, [dnl
+ <method name="querySource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getSources"]]], 0, [dnl
+ <method name="getSources">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Services
+DBUS_INTROSPECT([], [[//method[@name="addService"]]], 0, [dnl
+ <method name="addService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeService"]]], 0, [dnl
+ <method name="removeService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryService"]]], 0, [dnl
+ <method name="queryService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getServices"]]], 0, [dnl
+ <method name="getServices">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Protocols
+DBUS_INTROSPECT([], [[//method[@name="addProtocol"]]], 0, [dnl
+ <method name="addProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeProtocol"]]], 0, [dnl
+ <method name="removeProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryProtocol"]]], 0, [dnl
+ <method name="queryProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getProtocols"]]], 0, [dnl
+ <method name="getProtocols">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Ports
+DBUS_INTROSPECT([], [[//method[@name="addPort"]]], 0, [dnl
+ <method name="addPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removePort"]]], 0, [dnl
+ <method name="removePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryPort"]]], 0, [dnl
+ <method name="queryPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getPorts"]]], 0, [dnl
+ <method name="getPorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Source Ports
+DBUS_INTROSPECT([], [[//method[@name="addSourcePort"]]], 0, [dnl
+ <method name="addSourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeSourcePort"]]], 0, [dnl
+ <method name="removeSourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="querySourcePort"]]], 0, [dnl
+ <method name="querySourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getSourcePorts"]]], 0, [dnl
+ <method name="getSourcePorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Forward Ports
+DBUS_INTROSPECT([], [[//method[@name="addForwardPort"]]], 0, [dnl
+ <method name="addForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeForwardPort"]]], 0, [dnl
+ <method name="removeForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryForwardPort"]]], 0, [dnl
+ <method name="queryForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getForwardPorts"]]], 0, [dnl
+ <method name="getForwardPorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ssss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Masquerade
+DBUS_INTROSPECT([], [[//method[@name="addMasquerade"]]], 0, [dnl
+ <method name="addMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeMasquerade"]]], 0, [dnl
+ <method name="removeMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryMasquerade"]]], 0, [dnl
+ <method name="queryMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block
+DBUS_INTROSPECT([], [[//method[@name="addIcmpBlock"]]], 0, [dnl
+ <method name="addIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlock"]]], 0, [dnl
+ <method name="removeIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlock"]]], 0, [dnl
+ <method name="queryIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getIcmpBlocks"]]], 0, [dnl
+ <method name="getIcmpBlocks">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl ICMP Block Inversion
+DBUS_INTROSPECT([], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl
+ <method name="addIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
+ <method name="removeIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
+ <method name="queryIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Rich Rules
+DBUS_INTROSPECT([], [[//method[@name="addRichRule"]]], 0, [dnl
+ <method name="addRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeRichRule"]]], 0, [dnl
+ <method name="removeRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryRichRule"]]], 0, [dnl
+ <method name="queryRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getRichRules"]]], 0, [dnl
+ <method name="getRichRules">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+FWD_END_TEST
--
2.25.2


@ -0,0 +1,38 @@
From ac3d706eb4bfead921c7e739e5e95a186bf35438 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 17:05:39 -0400
Subject: [PATCH 09/10] fix: test/regression/gh599: use expr to be more
portable
dash was failing due to not having "let". So lets use "expr" instead.
Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
(cherry picked from commit eba44b2ebeedccbac0329a56c86c5d8f26c30f9f)
(cherry picked from commit cdd7c9d60624a443a0a07c29081d0ef68a384beb)
---
src/tests/regression/gh599.at | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
index 337e18018baf..b0a230733c85 100644
--- a/src/tests/regression/gh599.at
+++ b/src/tests/regression/gh599.at
@@ -3,6 +3,7 @@ AT_KEYWORDS(gh599)
AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
+AT_SKIP_IF([! NS_CMD([which expr >/dev/null 2>&1])])
dnl Verify we continue to write to the log file after it's truncated. That is,
dnl simulate logrotate's copytruncate.
@@ -11,6 +12,6 @@ NS_CHECK([truncate -s 0 ./firewalld.log])
dnl generate some logs
FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
-NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
+NS_CHECK([expr $(cat ./firewalld.log | wc -c) ">" 0], 0, [ignore], [ignore])
FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
--
2.25.2
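Review bot: The new assertion `expr $(cat ./firewalld.log | wc -c) ">" 0` only shows that the log is non-empty after the truncate; it does not show that the rejected `--add-service=this_does_not_exist` request was what got recorded. The test exists to prove firewalld keeps logging after a copytruncate-style rotation, so matching the expected entry would be a stronger check, e.g. `NS_CHECK([grep "INVALID_SERVICE: this_does_not_exist" ./firewalld.log], 0, [ignore], [ignore])`. That assumes the error line lands in that file, as the `FWD_END_TEST` filter suggests. The added `AT_SKIP_IF` for `expr` also means a host without it skips the test rather than failing, so this coverage can disappear quietly. The test body starts above the first hunk.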


@ -0,0 +1,27 @@
From 10f7c0956e7c7054da9e6187aa525c23f65a8dfc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 Apr 2020 07:40:48 -0400
Subject: [PATCH 10/10] fix(systemd): Conflict with nftables.service
(cherry picked from commit 7b6aff3a51a955399c782f48137405d0fa94e966)
(cherry picked from commit fc00563ef029cb4c12c652725bfd3a3b5122d136)
---
config/firewalld.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/firewalld.service.in b/config/firewalld.service.in
index b757a08f28dc..afbe0ac5def7 100644
--- a/config/firewalld.service.in
+++ b/config/firewalld.service.in
@@ -4,7 +4,7 @@ Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
-Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
+Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
Documentation=man:firewalld(1)
[Service]
--
2.25.2
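Review bot: Adding `nftables.service` to `Conflicts=` declares no ordering, and systemd documents that `Conflicts=` alone does not guarantee the conflicting unit has finished stopping before this one starts. If the distribution's nftables.service clears the ruleset when it stops (not visible here, worth confirming), a stop running in parallel with firewalld's start could remove rules firewalld has just loaded. Consider pairing the entry with `After=nftables.service`, and adding a one-line comment above the directive such as `# firewalld must be the only service managing the packet filter ruleset`. The `[Unit]` section begins outside the hunk, and the same ordering question applies to the units already listed.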


@ -1,12 +1,20 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.8.0
Release: 2%{?dist}
Version: 0.8.2
Release: 1%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
Patch1: RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-fix-CLI-service-also-output-helpers-for-service-info.patch
Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
Patch3: 0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch
Patch4: 0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch
Patch5: 0005-test-log-verify-logging-still-works-after-truncate.patch
Patch6: 0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch
Patch7: 0007-test-dbus-zone-verify-permanent-config-API-signature.patch
Patch8: 0008-test-dbus-zone-verify-runtime-config-API-signatures.patch
Patch9: 0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch
Patch10: 0010-fix-systemd-Conflict-with-nftables.service.patch
BuildArch: noarch
BuildRequires: autoconf
@ -150,6 +158,7 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewalld*.1*
%{_mandir}/man5/firewall*.5*
%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%{_sysconfdir}/logrotate.d/firewalld
%files -n python3-firewall
%attr(0755,root,root) %dir %{python3_sitelib}/firewall
@ -204,6 +213,15 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1*
%changelog
* Mon Apr 06 2020 Eric Garver <egarver@redhat.com> - 0.8.2-1
- rebase to v0.8.2
* Thu Feb 27 2020 Eric Garver <egarver@redhat.com> - 0.8.0-4
- doc: direct: add CAVEATS section
* Mon Feb 03 2020 Eric Garver <egarver@redhat.com> - 0.8.0-3
- restore zone drifting as a feature
* Tue Nov 12 2019 Eric Garver <egarver@redhat.com> - 0.8.0-2
- fix: CLI: service: also output helpers for service info