diff --git a/.firewalld.metadata b/.firewalld.metadata
index 23ab0b0..fb7e6de 100644
--- a/.firewalld.metadata
+++ b/.firewalld.metadata
@@ -1 +1 @@
-e558ccbfd8a0e08d9339cf1506d8856d3533ed82 SOURCES/firewalld-0.8.0.tar.gz
+785c4062248b95a85ddc023eba075b66109e254b SOURCES/firewalld-0.8.2.tar.gz
diff --git a/.gitignore b/.gitignore
index 14b4503..2a44183 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/firewalld-0.8.0.tar.gz
+SOURCES/firewalld-0.8.2.tar.gz
diff --git a/SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch b/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
similarity index 64%
rename from SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
rename to SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
index e558b49..cbb36e7 100644
--- a/SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
+++ b/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
@@ -1,7 +1,7 @@
-From aaba32dd922c84662521754952e5a50198dd8625 Mon Sep 17 00:00:00 2001
+From 52d53cc4ab0503ad484330b2121f85094a7903de Mon Sep 17 00:00:00 2001
 From: Eric Garver
 Date: Mon, 9 Jul 2018 11:29:33 -0400
-Subject: [PATCH] Add cockpit by default to some zones
+Subject: [PATCH 1/6] RHEL only: Add cockpit by default to some zones
 Fixes: #1581578
 ---
@@ -9,9 +9,9 @@ Fixes: #1581578
 config/zones/internal.xml | 1 +
 config/zones/public.xml | 1 +
 config/zones/work.xml | 1 +
+ src/tests/cli/firewall-cmd.at | 14 +++++++++++++-
 src/tests/features/helpers_custom.at | 9 +++++++++
 src/tests/features/service_include.at | 2 +-
- src/tests/firewall-cmd.at | 14 +++++++++++++-
 src/tests/regression/gh366.at | 3 +++
 src/tests/regression/gh453.at | 2 ++
 src/tests/regression/rhbz1514043.at | 2 +-
@@ -57,100 +57,11 @@ index 6ea5550a40bd..9609ee6f65c2 100644 + -diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at -index c65f067a06ec..263185c88724 100644 ---- a/src/tests/features/helpers_custom.at -+++ b/src/tests/features/helpers_custom.at -@@ -17,6 +17,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl - chain filter_IN_public_allow { - tcp dport 22 ct state new,untracked accept - ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept -+ tcp dport 9090 ct state new,untracked accept - tcp dport 2121 ct helper set "helper-ftptest-tcp" - tcp dport 2121 ct state new,untracked accept - } -@@ -27,6 +28,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl - ]) - IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED -+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED - ]) - IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl -@@ -35,6 +37,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl - IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl - ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED - ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED -+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED - ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED - ]) - -@@ -51,6 +54,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl - chain filter_IN_public_allow { - tcp dport 22 ct state new,untracked accept - ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept -+ tcp dport 9090 ct state new,untracked accept - tcp dport 2121 ct helper set "helper-ftptest-tcp" - tcp dport 2121 ct state new,untracked accept - } -@@ -61,6 +65,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl - ]) - IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 
ctstate NEW,UNTRACKED -+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED - ]) - IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl -@@ -69,6 +74,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl - IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl - ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED - ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED -+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED - ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED - ]) - -@@ -86,6 +92,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl - chain filter_IN_public_allow { - tcp dport 22 ct state new,untracked accept - ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept -+ tcp dport 9090 ct state new,untracked accept - tcp dport 21 ct helper set "helper-ftp-tcp" - tcp dport 2121 ct helper set "helper-ftptest-tcp" - tcp dport 2121 ct state new,untracked accept -@@ -99,6 +106,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl - ]) - IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED -+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED - ]) -@@ -109,6 +117,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl - IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl - ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED - ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED -+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED - ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED - ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED - ]) -diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at -index 
219d5b42767b..0bf59f63b81b 100644 ---- a/src/tests/features/service_include.at -+++ b/src/tests/features/service_include.at -@@ -117,7 +117,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl - - ]) - FWD_CHECK([--zone=public --list-services], 0, [dnl --dhcpv6-client ssh -+cockpit dhcpv6-client ssh - ]) - FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist]) - FWD_RELOAD -diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at -index 0e0d3938da0a..540bdb8b1065 100644 ---- a/src/tests/firewall-cmd.at -+++ b/src/tests/firewall-cmd.at -@@ -1144,6 +1144,7 @@ FWD_START_TEST([rich rules priority]) +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 806af74221b6..74f480f8730f 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -1285,6 +1285,7 @@ FWD_START_TEST([rich rules priority]) chain filter_IN_public_allow { tcp dport 22 ct state new,untracked accept ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept @@ -158,7 +69,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 tcp dport 1122 ct state new,untracked accept tcp dport 3333 ct state new,untracked accept tcp dport 4444 ct state new,untracked accept -@@ -1159,6 +1160,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1300,6 +1301,7 @@ FWD_START_TEST([rich rules priority]) ]) IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED 
@@ -166,7 +77,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED -@@ -1173,6 +1175,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1314,6 +1316,7 @@ FWD_START_TEST([rich rules priority]) IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED @@ -174,7 +85,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED -@@ -1254,6 +1257,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1395,6 +1398,7 @@ FWD_START_TEST([rich rules priority]) chain filter_IN_public_allow { tcp dport 22 ct state new,untracked accept ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept @@ -182,7 +93,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 } } ]) -@@ -1357,6 +1361,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1498,6 +1502,7 @@ FWD_START_TEST([rich rules priority]) ]) IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED @@ -190,7 +101,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ]) IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl ]) -@@ -1391,6 +1396,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1532,6 +1537,7 @@ FWD_START_TEST([rich rules priority]) IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED 
@@ -198,7 +109,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ]) IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl ]) -@@ -1438,6 +1444,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1579,6 +1585,7 @@ FWD_START_TEST([rich rules priority]) chain filter_IN_public_allow { tcp dport 22 ct state new,untracked accept ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept @@ -206,7 +117,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 icmp type echo-request accept icmpv6 type echo-request accept } -@@ -1478,6 +1485,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1619,6 +1626,7 @@ FWD_START_TEST([rich rules priority]) ]) IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED @@ -214,7 +125,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 ]) IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl -@@ -1500,6 +1508,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1641,6 +1649,7 @@ FWD_START_TEST([rich rules priority]) IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED @@ -222,7 +133,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 ]) IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl -@@ -1556,6 +1565,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1697,6 +1706,7 @@ FWD_START_TEST([rich rules priority]) chain filter_IN_public_allow { tcp dport 22 ct state new,untracked accept ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept @@ -230,7 +141,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 } } ]) -@@ -1593,6 +1603,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1734,6 +1744,7 @@ FWD_START_TEST([rich rules priority]) ]) IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED 
@@ -238,7 +149,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ]) IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ]) -@@ -1613,6 +1624,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1754,6 +1765,7 @@ FWD_START_TEST([rich rules priority]) IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED @@ -246,7 +157,7 @@ index 0e0d3938da0a..540bdb8b1065 100644 ]) IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ]) -@@ -1638,7 +1650,7 @@ FWD_START_TEST([rich rules priority]) +@@ -1779,7 +1791,7 @@ FWD_START_TEST([rich rules priority]) icmp-block-inversion: no interfaces: sources: 
@@ -255,6 +166,95 @@ index 0e0d3938da0a..540bdb8b1065 100644 ports: protocols: masquerade: no +diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at +index 41d0f17b1d9e..bd4b52cfb1d6 100644 +--- a/src/tests/features/helpers_custom.at ++++ b/src/tests/features/helpers_custom.at +@@ -37,6 +37,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept + } +@@ -47,6 +48,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +@@ -55,6 +57,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + +@@ -91,6 +94,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept + } +@@ -101,6 +105,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp 
-- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +@@ -109,6 +114,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + +@@ -126,6 +132,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept +@@ -139,6 +146,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) +@@ -149,6 +157,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) +diff --git a/src/tests/features/service_include.at 
b/src/tests/features/service_include.at +index 7f02701a9419..070f1578fc2b 100644 +--- a/src/tests/features/service_include.at ++++ b/src/tests/features/service_include.at +@@ -120,7 +120,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl + + ]) + FWD_CHECK([--zone=public --list-services], 0, [dnl +-dhcpv6-client ssh ++cockpit dhcpv6-client ssh + ]) + FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist]) + FWD_RELOAD diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at index 1441a6be53bf..51ff504e6a9d 100644 --- a/src/tests/regression/gh366.at @@ -282,25 +282,25 @@ index 1441a6be53bf..51ff504e6a9d 100644 ])]) diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at -index f57a79dcf9a2..6d820fce840a 100644 +index 36a6fce5f22a..61bc90aae673 100644 --- a/src/tests/regression/gh453.at +++ b/src/tests/regression/gh453.at @@ -18,6 +18,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl - chain filter_IN_public_allow { - tcp dport 22 ct state new,untracked accept - ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept -+ tcp dport 9090 ct state new,untracked accept - tcp dport 21 ct helper set "helper-ftp-tcp" - tcp dport 21 ct state new,untracked accept - } + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 ct state new,untracked accept + } 
@@ -42,6 +43,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl - chain filter_IN_public_allow { - tcp dport 22 ct state new,untracked accept - ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept -+ tcp dport 9090 ct state new,untracked accept - tcp dport 21 ct helper set "helper-ftp-tcp" - tcp dport 21 ct state new,untracked accept - tcp dport 5060 ct helper set "helper-sip-tcp" + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 ct state new,untracked accept + tcp dport 5060 ct helper set "helper-sip-tcp" diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at index efc33e09478b..241cf547f7f3 100644 --- a/src/tests/regression/rhbz1514043.at diff --git a/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch b/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..766f11b --- /dev/null +++ b/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch 
@@ -0,0 +1,235 @@ +From 42c3c63410d53f1f1eef8a756202231a7872aafa Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Feb 2020 09:12:17 -0500 +Subject: [PATCH 2/6] RHEL only: default to AllowZoneDrifting=yes + +--- + config/firewalld.conf | 4 ++-- + doc/xml/firewalld.conf.xml | 2 +- + doc/xml/firewalld.dbus.xml | 2 +- + src/firewall/config/__init__.py.in | 2 +- + src/tests/cli/firewall-cmd.at | 8 ++++++++ + src/tests/dbus/firewalld.conf.at | 4 ++-- + src/tests/features/rfc3964_ipv4.at | 4 ++++ + src/tests/functions.at | 1 + + src/tests/regression/rhbz1514043.at | 4 ++++ + src/tests/regression/rhbz1715977.at | 9 +++++++++ + 10 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index 532f0452212e..f791b2358ab8 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -71,5 +71,5 @@ RFC3964_IPv4=yes + # Note: If "yes" packets will only drift from source based zones to interface + # based zones (including the default zone). Packets never drift from interface + # based zones to other interfaces based zones (including the default zone). +-# Possible values; "yes", "no". Defaults to "no". +-AllowZoneDrifting=no ++# Possible values; "yes", "no". Defaults to "yes". ++AllowZoneDrifting=yes +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index fcfbfd2b68c1..c21ef87813bc 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -197,7 +197,7 @@ + to interface based zones (including the default zone). Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". 
+ + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 5d77af976443..77ad77c01675 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2591,7 +2591,7 @@ + to interface based zones (including the default zone). Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". + + + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 481eb8de758d..645c76b66c8d 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no" + FALLBACK_FIREWALL_BACKEND = "nftables" + FALLBACK_FLUSH_ALL_ON_RELOAD = True + FALLBACK_RFC3964_IPV4 = True +-FALLBACK_ALLOW_ZONE_DRIFTING = False ++FALLBACK_ALLOW_ZONE_DRIFTING = True +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 74f480f8730f..c47c14ea1fc2 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -696,6 +696,10 @@ FWD_START_TEST([ipset]) + CHECK_IPSET + CHECK_IPSET_HASH_MAC + ++ dnl Expected test results assume this is set to "no" ++ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++ FWD_RELOAD ++ + FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, ignore) + FWD_CHECK([--reload], 0, ignore) + FWD_CHECK([--ipset=foobar --get-entries], 0, [ +@@ -1197,6 +1201,10 @@ FWD_START_TEST([rich rules priority]) + + CHECK_LOG_AUDIT + ++ dnl Expected test results assume this is set to "no" ++ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++ FWD_RELOAD ++ + dnl Verify generic layout of zone + NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl + table inet firewalld { +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 35aead759a9c..4eefa3286f9f 
100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus) + dnl Verify defaults over dbus. Should be inline with default firewalld.conf. + IF_HOST_SUPPORTS_NFT_FIB([ + DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "no" ++string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100 + string "RFC3964_IPv4" : variant string "yes" + ])], [ + DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "no" ++string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at +index 54f5f756270b..15fef52612cc 100644 +--- a/src/tests/features/rfc3964_ipv4.at ++++ b/src/tests/features/rfc3964_ipv4.at +@@ -1,6 +1,10 @@ + FWD_START_TEST([RFC3964_IPv4]) + AT_KEYWORDS(rfc3964_ipv4) + ++dnl Expected test results assume this is set to "no" ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf]) + AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf]) + FWD_RELOAD +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 5b3ed3ee4a5a..8f5ceba4d3f2 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [ + IF_HOST_SUPPORTS_IP6TABLES([], [ + sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log + ]) ++ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log + if test x"$1" != x"ignore"; then + if test -n "$1"; 
then + sed -i $1 ./firewalld.log +diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at +index 241cf547f7f3..8e4846a078b8 100644 +--- a/src/tests/regression/rhbz1514043.at ++++ b/src/tests/regression/rhbz1514043.at +@@ -1,6 +1,10 @@ + FWD_START_TEST([--set-log-denied does not zero config]) + AT_KEYWORDS(log_denied rhbz1514043) + ++dnl Expected test results assume this is set to "no" ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + FWD_CHECK([-q --set-log-denied=all]) + FWD_CHECK([-q --permanent --zone=public --add-service=samba]) + FWD_RELOAD +diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at +index d548de72b90c..b9886e1a0a2b 100644 +--- a/src/tests/regression/rhbz1715977.at ++++ b/src/tests/regression/rhbz1715977.at +@@ -14,6 +14,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept + } + } +@@ -23,6 +24,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl +@@ -31,6 +33,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 
tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept']) +@@ -44,6 +47,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept + ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept + } +@@ -54,6 +58,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED + ]) +@@ -63,6 +68,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept']) +@@ -76,6 +82,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept + ip daddr 192.168.111.222 ip saddr 
10.10.10.0/24 tcp dport 22 ct state new,untracked accept + ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept +@@ -87,6 +94,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED +@@ -97,6 +105,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore]) +-- +2.23.0 + diff --git a/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch b/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch deleted file mode 100644 index ea33abc..0000000 --- a/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch +++ /dev/null 
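Review bot: Flipping the shipped default to `AllowZoneDrifting=yes` in the config/firewalld.conf hunk relaxes the default firewall behaviour — firewalld itself warns when it is enabled, as the line the functions.at hunk now strips from every test log shows (`WARNING: AllowZoneDrifting is enabled.`) — yet the only comment change is "Defaults to "no"" → "Defaults to "yes"", with no word on why or on the trade-off. The comment should carry both, e.g. `# Note: "yes" is the RHEL default for compatibility with earlier releases; firewalld warns about it because packets matched by a source based zone may still be accepted by the interface based zone, so prefer "no" where source zones are meant to restrict.` The identical `sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf` plus `FWD_RELOAD` pair is pasted into four tests (firewall-cmd.at twice, rfc3964_ipv4.at, rhbz1514043.at); a macro beside FWD_END_TEST in functions.at would keep them in step when the option is eventually removed. The rhbz1715977.at hunks add `tcp dport 9090` / `dpt:9090` expectations that belong to the cockpit change in 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch (whose diffstat at the top of this diff does not list rhbz1715977.at), not to zone drifting, so dropping or reordering this patch would silently break that test; they should move to 0001.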
@@ -1,132 +0,0 @@ -From ff17d85fd863e7be2b4088c92360185aca6693b0 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Thu, 7 Nov 2019 08:21:52 -0500 -Subject: [PATCH] fix: CLI: service: also output helpers for service info - -Fixes: 0c07b704f76d ("feat: CLI: add "helper" support for services") -Fixes: rhbz 1769520 -(cherry picked from commit 6bfffe65f55b727afc37a8c1fb4068f6589bb890) ---- - src/firewall/command.py | 2 ++ - src/tests/features/helpers_custom.at | 42 ++++++++++++++++++++++++++- - src/tests/features/service_include.at | 3 ++ - 3 files changed, 46 insertions(+), 1 deletion(-) - -diff --git a/src/firewall/command.py b/src/firewall/command.py -index 85e58d731a80..c371dc23584c 100644 ---- a/src/firewall/command.py -+++ b/src/firewall/command.py -@@ -449,6 +449,7 @@ class FirewallCommand(object): - destinations = settings.getDestinations() - short_description = settings.getShort() - includes = settings.getIncludes() -+ helpers = settings.getHelpers() - self.print_msg(service) - if self.verbose: - self.print_msg(" summary: " + short_description) -@@ -464,6 +465,7 @@ class FirewallCommand(object): - " ".join(["%s:%s" % (k, v) - for k, v in destinations.items()])) - self.print_msg(" includes: " + " ".join(sorted(includes))) -+ self.print_msg(" helpers: " + " ".join(sorted(helpers))) - - def print_icmptype_info(self, icmptype, settings): - destinations = settings.getDestinations() -diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at -index c65f067a06ec..4c9024d1e2b8 100644 ---- a/src/tests/features/helpers_custom.at -+++ b/src/tests/features/helpers_custom.at -@@ -1,5 +1,5 @@ - FWD_START_TEST([customer helpers]) --AT_KEYWORDS(helpers rhbz1733066 gh514) -+AT_KEYWORDS(helpers rhbz1733066 gh514 rhbz1769520) - - FWD_CHECK([-q --permanent --new-helper="ftptest" --module="nf_conntrack_ftp"]) - FWD_CHECK([-q --permanent --helper=ftptest --add-port="2121/tcp"]) -@@ -8,7 +8,27 @@ FWD_CHECK([-q --permanent --new-service="ftptest"]) - 
FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"]) - FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"]) - FWD_CHECK([-q --permanent --service=ftptest --add-port="2121/tcp"]) -+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl -+ftptest -+ ports: 2121/tcp -+ protocols: -+ source-ports: -+ modules: ftptest -+ destination: -+ includes: -+ helpers: -+])]) - FWD_RELOAD -+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl -+ftptest -+ ports: 2121/tcp -+ protocols: -+ source-ports: -+ modules: ftptest -+ destination: -+ includes: -+ helpers: -+])]) - - FWD_CHECK([-q --add-service=ftptest]) - -@@ -42,7 +62,27 @@ dnl Same thing as above, but with the new "helper" in service. - FWD_CHECK([-q --permanent --service=ftptest --remove-module="ftptest"]) - FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"], 1) - FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftptest"]) -+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl -+ftptest -+ ports: 2121/tcp -+ protocols: -+ source-ports: -+ modules: -+ destination: -+ includes: -+ helpers: ftptest -+])]) - FWD_RELOAD -+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl -+ftptest -+ ports: 2121/tcp -+ protocols: -+ source-ports: -+ modules: -+ destination: -+ includes: -+ helpers: ftptest -+])]) - - FWD_CHECK([-q --add-service=ftptest]) - -diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at -index 219d5b42767b..7f02701a9419 100644 ---- a/src/tests/features/service_include.at -+++ b/src/tests/features/service_include.at -@@ -76,6 +76,7 @@ my-service-with-include - modules: - destination: - includes: mdns recursive-service ssdp -+ helpers: - ])]) - FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl - my-service-with-include -@@ -85,6 +86,7 @@ my-service-with-include - modules: - destination: - 
includes: mdns recursive-service ssdp -+ helpers: - ])]) - - dnl firewall-offline-cmd -@@ -106,6 +108,7 @@ my-service-with-include - modules: - destination: - includes: mdns recursive-service ssdp -+ helpers: - ])]) - - dnl negative test for including service that doesn't exist --- -2.23.0 - diff --git a/SOURCES/0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch b/SOURCES/0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch new file mode 100644 index 0000000..a868380 --- /dev/null +++ b/SOURCES/0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch @@ -0,0 +1,29 @@ +From b2e4f83c8fb011ffe0a8b040fa937f60c842cc25 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 2 Apr 2020 14:42:22 -0400 +Subject: [PATCH 3/6] fix: nftables: ipset: port ranges for non-default + protocols + +Fixes: 2d1b0fe9fe74 ("fix: nftables: allow set intervals with concatenations") +(cherry picked from commit e80f4fccfc771128affdc578ed37842d5d469ca9) +(cherry picked from commit 6a2fd018666ab8c4877291f8f807a9943db74de3) +--- + src/firewall/core/nftables.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index a9d5a45337bd..69ee63b32f8b 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1680,7 +1680,7 @@ class nftables(object): + port_str = entry_tokens[i][index+1:] + + try: +- index = entry_tokens[i].index("-") ++ index = port_str.index("-") + except ValueError: + fragment.append(port_str) + else: +-- +2.23.0 + diff --git a/SOURCES/0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch b/SOURCES/0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch new file mode 100644 index 0000000..f1c73ca --- /dev/null +++ b/SOURCES/0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch 
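Review bot: The one-line fix `index = port_str.index("-")` is right but leaves the reader to work out why the lookup moved off `entry_tokens[i]`: the offset is presumably used to split `port_str` in the `else` branch below the hunk, so it must be relative to `port_str`, not to the full token, which for the non-default protocols the subject names still carries the protocol prefix that `entry_tokens[i][index+1:]` strips. A comment would pin that down: `# offset must be relative to port_str; the full token may still carry a "proto:" prefix`. The enclosing method body and the earlier assignment of `index` lie outside the hunk. The regression test lands separately in 0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch, so anyone applying 0003 alone has no check; acceptable for a cherry-pick, but worth one line in this patch's description.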
@@ -0,0 +1,44 @@
+From c694ab9a3d00f0471bfdf73a1b00d43f60395717 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 2 Apr 2020 14:38:45 -0400
+Subject: [PATCH 4/6] test: ipset: verify port ranges for non-default protocol
+
+(cherry picked from commit c0ad3a0b3340a27c34b33128f756f64acc3a771b)
+(cherry picked from commit a2b8a09b929901e14620aa802fd423f958c56188)
+---
+ src/tests/cli/firewall-cmd.at | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
+index c47c14ea1fc2..ad7b1b32f42c 100644
+--- a/src/tests/cli/firewall-cmd.at
++++ b/src/tests/cli/firewall-cmd.at
+@@ -743,6 +743,7 @@ FWD_START_TEST([ipset])
+ dnl multi dimensional set with non default protocol
+ FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,sctp:1234], 0, ignore)
++ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002], 0, ignore)
+ FWD_RELOAD
+ FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,8080], 0, ignore)
+ FWD_CHECK([--zone internal --add-source=ipset:foobar], 0, ignore)
+@@ -752,6 +753,7 @@ FWD_START_TEST([ipset])
+ type ipv4_addr . inet_proto . inet_service
+ flags interval
+ elements = { 10.10.10.10 . sctp . 1234,
++ 10.10.10.10 . udp . 1000-1002,
+ 20.20.20.20 . tcp . 8080 }
+ }
+ }
+@@ -769,6 +771,9 @@ FWD_START_TEST([ipset])
+ Type: hash:ip,port
+ Members:
+ 10.10.10.10,sctp:1234
++ 10.10.10.10,udp:1000
++ 10.10.10.10,udp:1001
++ 10.10.10.10,udp:1002
+ 20.20.20.20,tcp:8080
+ ])
+ FWD_CHECK([--ipset=foobar --add-entry=1.2.3.4,sctp:8080], 0, ignore)
+-- 
+2.23.0
+
diff --git a/SOURCES/0005-test-log-verify-logging-still-works-after-truncate.patch b/SOURCES/0005-test-log-verify-logging-still-works-after-truncate.patch
new file mode 100644
index 0000000..0227dc6
--- /dev/null
+++ b/SOURCES/0005-test-log-verify-logging-still-works-after-truncate.patch
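Review bot: The expected `Members:` block lists `udp:1000`, `udp:1001` and `udp:1002` as three separate members while the nft dump a few lines above keeps `1000-1002` as a single interval; that asymmetry is not obvious to a reader of the test and deserves a `dnl` line before the expected output, e.g. `dnl a port range is reported as one member per port`. The reason presumably lies in how entries are read back rather than in the set itself, which this hunk does not show, so the comment should describe the observed output rather than the mechanism.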
@@ -0,0 +1,51 @@
+From 85782b1fb964e3b67a0276881bdba4ca9881dec3 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 2 Apr 2020 15:21:58 -0400
+Subject: [PATCH 5/6] test: log: verify logging still works after truncate
+
+The log policy we ship presumes firewalld opens log files in append
+mode. This is because the logrotate policy uses "copytruncate". Lets
+verify that it actually works as expected.
+
+(cherry picked from commit e887c16512abd6a3051b0519ee9af344c9f08827)
+(cherry picked from commit 2ab7f9e793a51c9aebe08fff6226c38159ae2312)
+---
+ src/tests/regression/gh599.at | 16 ++++++++++++++++
+ src/tests/regression/regression.at | 1 +
+ 2 files changed, 17 insertions(+)
+ create mode 100644 src/tests/regression/gh599.at
+
+diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
+new file mode 100644
+index 000000000000..472f228ba2a9
+--- /dev/null
++++ b/src/tests/regression/gh599.at
+@@ -0,0 +1,16 @@
++FWD_START_TEST([writing to log after copytruncate])
++AT_KEYWORDS(gh599)
++
++AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
++AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
++
++dnl Verify we continue to write to the log file after it's truncated. That is,
++dnl simulate logrotate's copytruncate.
++NS_CHECK([truncate -s 0 ./firewalld.log])
++
++dnl generate some logs, anything will do since we have debug enabled.
++FWD_CHECK([--list-all], 0, [ignore], [ignore])
++
++NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
++
++FWD_END_TEST
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 8042c3a27f89..2528ddd3fede 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -27,3 +27,4 @@ m4_include([regression/gh509.at])
+ m4_include([regression/gh567.at])
+ m4_include([regression/rhbz1779835.at])
+ m4_include([regression/gh330.at])
++m4_include([regression/gh599.at])
+-- 
+2.23.0
+
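Review bot: The `wc -c > 0` check in the new gh599.at cannot tell an append-mode write from a stale file offset: if the daemon's log descriptor were not opened with O_APPEND, its first write after `truncate -s 0` lands at the old offset, the kernel pads the gap with a hole, and the file is again larger than zero, so the test passes in exactly the failure case the commit message says it wants to catch. A check that the file contains no NUL padding would actually pin append mode, e.g. `NS_CHECK([sh -c 'test "$(tr -d "\000" < ./firewalld.log | wc -c)" -eq "$(wc -c < ./firewalld.log)"'])` kept alongside the size check, or an assertion that the first line of the log is the message generated after the truncate. Whether a stale-offset write produces a hole here depends on the log having been non-empty before the truncate, which the daemon's startup logging presumably guarantees but the test does not assert. The same line is reworked by 0006 and 0009 later in this commit, so the stronger check belongs in the 0009 (`expr`) version.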
diff --git a/SOURCES/0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch b/SOURCES/0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch
new file mode 100644
index 0000000..4edca71
--- /dev/null
+++ b/SOURCES/0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch
@@ -0,0 +1,32 @@
+From 01dd132e2004e6d40c6c2200f6105ca49594041a Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 6 Apr 2020 15:34:57 -0400
+Subject: [PATCH 6/6] fix: test/regression/gh599: fix if not using debug output
+
+Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
+(cherry picked from commit f7e3c60263e144a04ee175d5f7bb3fa4636a97a4)
+(cherry picked from commit e78548b1fd6e87500d7df3ade5373285ca525f03)
+---
+ src/tests/regression/gh599.at | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
+index 472f228ba2a9..337e18018baf 100644
+--- a/src/tests/regression/gh599.at
++++ b/src/tests/regression/gh599.at
+@@ -8,9 +8,9 @@ dnl Verify we continue to write to the log file after it's truncated. That is,
+ dnl simulate logrotate's copytruncate.
+ NS_CHECK([truncate -s 0 ./firewalld.log])
+ 
+-dnl generate some logs, anything will do since we have debug enabled.
+-FWD_CHECK([--list-all], 0, [ignore], [ignore])
++dnl generate some logs
++FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
+ 
+ NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
+ 
+-FWD_END_TEST
++FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
+-- 
+2.23.0
+
diff --git a/SOURCES/0007-test-dbus-zone-verify-permanent-config-API-signature.patch b/SOURCES/0007-test-dbus-zone-verify-permanent-config-API-signature.patch
new file mode 100644
index 0000000..3521956
--- /dev/null
+++ b/SOURCES/0007-test-dbus-zone-verify-permanent-config-API-signature.patch
@@ -0,0 +1,496 @@ +From 5a912cc04a75e018631745647a524cce8569505b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 8 Apr 2020 13:38:06 -0400 +Subject: [PATCH 07/10] test: dbus: zone: verify permanent config API + signatures + +(cherry picked from commit f6a6837cb49d5a9ca4ea08964fb62bb9f7f420ac) +(cherry picked from commit 7cc77369cd68ff1860b151fc649d237f1feb84ba) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_permanent_signatures.at | 464 ++++++++++++++++++++ + 2 files changed, 465 insertions(+) + create mode 100644 src/tests/dbus/zone_permanent_signatures.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index 46fec2ff4024..ffef478f5449 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -1,3 +1,4 @@ + AT_BANNER([dbus]) + m4_include([dbus/firewalld.conf.at]) + m4_include([dbus/service.at]) ++m4_include([dbus/zone_permanent_signatures.at]) +diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at +new file mode 100644 +index 000000000000..15319552c15f +--- /dev/null ++++ b/src/tests/dbus/zone_permanent_signatures.at +@@ -0,0 +1,464 @@ ++FWD_START_TEST([dbus api - zone permanent signatures]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_INTROSPECT([config], [[//method[@name="listZones"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="getZoneNames"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="getZoneByName"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="addZone"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++dnl zone relation to interface/sources ++DBUS_INTROSPECT([config], [[//method[@name="getZoneOfInterface"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config], [[//method[@name="getZoneOfSource"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++ ++dnl #################### ++dnl Zone object APIs ++dnl #################### ++ ++dnl Get a 
reference to the public zone. We'll use it to introspect APIs. ++DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout]) ++DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)] ++export DBUS_PUBLIC_ZONE_OBJ ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="update"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="remove"]]], 0, [dnl ++ ++ ++]) ++ ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="rename"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Version ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getVersion"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setVersion"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Short ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getShort"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setShort"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Description ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getDescription"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setDescription"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Target ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getTarget"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setTarget"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Interfaces ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getInterfaces"]]], 0, [dnl ++ ++ ++ ++]) 
++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setInterfaces"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addInterface"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeInterface"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryInterface"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Sources ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSources"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSources"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSource"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSource"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySource"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Services ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getServices"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setServices"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addService"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeService"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryService"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Ports ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addPort"]]], 0, [dnl 
++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removePort"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++dnl Source Ports ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSourcePorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSourcePorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++dnl Protocol ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getProtocols"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setProtocols"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addProtocol"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeProtocol"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryProtocol"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Forward Ports ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getForwardPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setForwardPorts"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ 
++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++dnl Masquerade ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getMasquerade"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setMasquerade"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addMasquerade"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeMasquerade"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryMasquerade"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl ICMP Block ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlocks"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlocks"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlock"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlock"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl ICMP Block Inversion ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl ++ ++ 
++ ++]) ++ ++dnl Rich Rules ++dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getRichRules"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setRichRules"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addRichRule"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeRichRule"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryRichRule"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++FWD_END_TEST +-- +2.25.2 + diff --git a/SOURCES/0008-test-dbus-zone-verify-runtime-config-API-signatures.patch b/SOURCES/0008-test-dbus-zone-verify-runtime-config-API-signatures.patch new file mode 100644 index 0000000..311740b --- /dev/null +++ b/SOURCES/0008-test-dbus-zone-verify-runtime-config-API-signatures.patch 
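Review bot: `sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/"` in the new zone_permanent_signatures.at depends on `\+`, a GNU extension to POSIX basic regular expressions; since this same series (0009) goes to the trouble of replacing a dash-incompatible `let`, the POSIX spelling `\([^']\{1,\}\)` would keep the test portable to non-GNU sed at no cost. The expected `<arg>` lines inside every DBUS_INTROSPECT block are not legible in this view of the patch, so the signatures themselves could not be checked here.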
@@ -0,0 +1,446 @@ +From 3122491686014a2cdd83d3506334055fd18c80e0 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 8 Apr 2020 14:16:48 -0400 +Subject: [PATCH 08/10] test: dbus: zone: verify runtime config API signatures + +(cherry picked from commit fca39ea7edbd57283bc15fdd88fbfd4b1943f977) +(cherry picked from commit d17a68d680b631954fdb5031a3c0627a68f77049) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_runtime_signatures.at | 415 ++++++++++++++++++++++ + 2 files changed, 416 insertions(+) + create mode 100644 src/tests/dbus/zone_runtime_signatures.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index ffef478f5449..377244460e7a 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -2,3 +2,4 @@ AT_BANNER([dbus]) + m4_include([dbus/firewalld.conf.at]) + m4_include([dbus/service.at]) + m4_include([dbus/zone_permanent_signatures.at]) ++m4_include([dbus/zone_runtime_signatures.at]) +diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at +new file mode 100644 +index 000000000000..53fdbea03180 +--- /dev/null ++++ b/src/tests/dbus/zone_runtime_signatures.at +@@ -0,0 +1,415 @@ ++FWD_START_TEST([dbus api - zone runtime signatures]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_INTROSPECT([], [[//method[@name="getZoneSettings"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Default Zone ++DBUS_INTROSPECT([], [[//method[@name="getDefaultZone"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="setDefaultZone"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Fetching Zones ++DBUS_INTROSPECT([], [[//method[@name="getZones"]]], 0, [dnl ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getActiveZones"]]], 0, [dnl ++ ++ ++ ++]) ++ ++dnl Interface/Source ++DBUS_INTROSPECT([], [[//method[@name="getZoneOfInterface"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getZoneOfSource"]]], 0, [dnl ++ ++ ++ ++ 
++]) ++ ++dnl #################### ++dnl Zone APIs ++dnl #################### ++ ++DBUS_INTROSPECT([], [[//method[@name="isImmutable"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Interfaces ++DBUS_INTROSPECT([], [[//method[@name="addInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="changeZone"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="changeZoneOfInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryInterface"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getInterfaces"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Sources ++DBUS_INTROSPECT([], [[//method[@name="addSource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="changeZoneOfSource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeSource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="querySource"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getSources"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Services ++DBUS_INTROSPECT([], [[//method[@name="addService"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeService"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryService"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getServices"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Protocols ++DBUS_INTROSPECT([], [[//method[@name="addProtocol"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeProtocol"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryProtocol"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getProtocols"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Ports ++DBUS_INTROSPECT([], [[//method[@name="addPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) 
++DBUS_INTROSPECT([], [[//method[@name="removePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getPorts"]]], 0, [dnl ++ ++ ++ dnl NOTE: The signature is "aas", but getPorts() actually returns ++ dnl "a(ss)". Apparently python-dbus coerces to "aas". ++ ++ ++]) ++ ++dnl Source Ports ++DBUS_INTROSPECT([], [[//method[@name="addSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeSourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="querySourcePort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getSourcePorts"]]], 0, [dnl ++ ++ ++ dnl NOTE: The signature is "aas", but getPorts() actually returns ++ dnl "a(ss)". Apparently python-dbus coerces to "aas". ++ ++ ++]) ++ ++dnl Forward Ports ++DBUS_INTROSPECT([], [[//method[@name="addForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryForwardPort"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getForwardPorts"]]], 0, [dnl ++ ++ ++ dnl NOTE: The signature is "aas", but getPorts() actually returns ++ dnl "a(ssss)". Apparently python-dbus coerces to "aas". 
++ ++ ++]) ++ ++dnl Masquerade ++DBUS_INTROSPECT([], [[//method[@name="addMasquerade"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeMasquerade"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryMasquerade"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl ICMP Block ++DBUS_INTROSPECT([], [[//method[@name="addIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlock"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getIcmpBlocks"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl ICMP Block Inversion ++DBUS_INTROSPECT([], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++dnl Rich Rules ++DBUS_INTROSPECT([], [[//method[@name="addRichRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="removeRichRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="queryRichRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++DBUS_INTROSPECT([], [[//method[@name="getRichRules"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++FWD_END_TEST +-- +2.25.2 + diff --git a/SOURCES/0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch b/SOURCES/0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch new file mode 100644 index 0000000..27a9477 --- /dev/null +++ b/SOURCES/0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch 
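Review bot: The `dnl NOTE` comments under `getSourcePorts` and `getForwardPorts` in the new zone_runtime_signatures.at still read `getPorts() actually returns`, copied verbatim from the getPorts block, so they name the wrong method; they should say `dnl NOTE: The signature is "aas", but getSourcePorts() actually returns` and `dnl NOTE: The signature is "aas", but getForwardPorts() actually returns` respectively. The `"a(ssss)"` under getForwardPorts was already adjusted, so only the method name is stale in each copy.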
@@ -0,0 +1,38 @@
+From ac3d706eb4bfead921c7e739e5e95a186bf35438 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 8 Apr 2020 17:05:39 -0400
+Subject: [PATCH 09/10] fix: test/regression/gh599: use expr to be more
+ portable
+
+dash was failing due to not having "let". So lets use "expr" instead.
+
+Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
+(cherry picked from commit eba44b2ebeedccbac0329a56c86c5d8f26c30f9f)
+(cherry picked from commit cdd7c9d60624a443a0a07c29081d0ef68a384beb)
+---
+ src/tests/regression/gh599.at | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
+index 337e18018baf..b0a230733c85 100644
+--- a/src/tests/regression/gh599.at
++++ b/src/tests/regression/gh599.at
+@@ -3,6 +3,7 @@ AT_KEYWORDS(gh599)
+ 
+ AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
+ AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
++AT_SKIP_IF([! NS_CMD([which expr >/dev/null 2>&1])])
+ 
+ dnl Verify we continue to write to the log file after it's truncated. That is,
+ dnl simulate logrotate's copytruncate.
+@@ -11,6 +12,6 @@ NS_CHECK([truncate -s 0 ./firewalld.log])
+ dnl generate some logs
+ FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
+ 
+-NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
++NS_CHECK([expr $(cat ./firewalld.log | wc -c) ">" 0], 0, [ignore], [ignore])
+ 
+ FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
+-- 
+2.25.2
+
diff --git a/SOURCES/0010-fix-systemd-Conflict-with-nftables.service.patch b/SOURCES/0010-fix-systemd-Conflict-with-nftables.service.patch
new file mode 100644
index 0000000..5d3ece4
--- /dev/null
+++ b/SOURCES/0010-fix-systemd-Conflict-with-nftables.service.patch
@@ -0,0 +1,27 @@
+From 10f7c0956e7c7054da9e6187aa525c23f65a8dfc Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 14 Apr 2020 07:40:48 -0400
+Subject: [PATCH 10/10] fix(systemd): Conflict with nftables.service
+
+(cherry picked from commit 7b6aff3a51a955399c782f48137405d0fa94e966)
+(cherry picked from commit fc00563ef029cb4c12c652725bfd3a3b5122d136)
+---
+ config/firewalld.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/firewalld.service.in b/config/firewalld.service.in
+index b757a08f28dc..afbe0ac5def7 100644
+--- a/config/firewalld.service.in
++++ b/config/firewalld.service.in
+@@ -4,7 +4,7 @@ Before=network-pre.target
+ Wants=network-pre.target
+ After=dbus.service
+ After=polkit.service
+-Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
++Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
+ Documentation=man:firewalld(1)
+ 
+ [Service]
+-- 
+2.25.2
+
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index de64085..716222c 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
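Review bot: `Conflicts=` carries no ordering, so when firewalld.service and nftables.service end up in the same transaction nothing guarantees that nftables.service has finished stopping before firewalld starts loading its ruleset; if the distribution's nftables.service flushes the ruleset on stop, as it commonly does, that flush can land after firewalld's rules and leave the host unfiltered until the next reload. Adding `After=nftables.service` beside the existing `After=` lines closes that window, because systemd orders a stop job before a start job whenever any ordering dependency exists between the two units. The pre-existing iptables/ip6tables/ebtables/ipset entries on the same line have the same property, which this hunk does not change.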
@@ -1,12 +1,20 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 0.8.0
-Release: 2%{?dist}
+Version: 0.8.2
+Release: 1%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
-Patch1: RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
-Patch2: 0002-fix-CLI-service-also-output-helpers-for-service-info.patch
+Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
+Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
+Patch3: 0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch
+Patch4: 0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch
+Patch5: 0005-test-log-verify-logging-still-works-after-truncate.patch
+Patch6: 0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch
+Patch7: 0007-test-dbus-zone-verify-permanent-config-API-signature.patch
+Patch8: 0008-test-dbus-zone-verify-runtime-config-API-signatures.patch
+Patch9: 0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch
+Patch10: 0010-fix-systemd-Conflict-with-nftables.service.patch
 BuildArch: noarch
 BuildRequires: autoconf
@@ -150,6 +158,7 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewalld*.1*
 %{_mandir}/man5/firewall*.5*
 %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
+%{_sysconfdir}/logrotate.d/firewalld
 %files -n python3-firewall
 %attr(0755,root,root) %dir %{python3_sitelib}/firewall
@@ -204,6 +213,15 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*
 %changelog
+* Mon Apr 06 2020 Eric Garver - 0.8.2-1
+- rebase to v0.8.2
+
+* Thu Feb 27 2020 Eric Garver - 0.8.0-4
+- doc: direct: add CAVEATS section
+
+* Mon Feb 03 2020 Eric Garver - 0.8.0-3
+- restore zone drifting as a feature
+
 * Tue Nov 12 2019 Eric Garver - 0.8.0-2
 - fix: CLI: service: also output helpers for service info
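Review bot: `%{_sysconfdir}/logrotate.d/firewalld` is added to `%files` as a plain file, although a logrotate policy under /etc is exactly the kind of file administrators tune (rotation period, `copytruncate`); listing it as `%config(noreplace) %{_sysconfdir}/logrotate.d/firewalld` keeps local edits across upgrades instead of silently overwriting them. The new `Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch` is referenced here but its addition is not visible in this part of the diff, so its presence in SOURCES should be confirmed against the rest of the commit. The last changelog hunk appears to continue past the end of this view.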