From b978befb8e7e1a284b4df6e7d9742b4ff80d1459 Mon Sep 17 00:00:00 2001 
From: eabdullin Date: Wed, 14 May 2025 15:42:40 +0000 Subject: [PATCH] import UBI firewalld-2.3.0-2.el10 --- .firewalld.metadata | 1 - .gitignore | 2 +- ...Add-cockpit-by-default-to-some-zones.patch | 66 +- ...nly-default-to-AllowZoneDrifting-yes.patch | 80 - ...ice-add-galera-service-Fixes-rhbz169.patch | 56 - ...t-normalize-entries-in-CIDR-notation.patch | 242 --- ...x-ipset-disallow-overlapping-entries.patch | 157 -- ...ig-add-CleanupModulesOnExit-configur.patch | 302 --- ...-default-to-CleanupModulesOnExit-yes.patch | 95 - ...-reduce-cost-of-entry-overlap-detect.patch | 141 -- ...-ipset-huge-set-of-entries-benchmark.patch | 56 - ...-further-reduce-cost-of-entry-overla.patch | 150 -- ...-exception-on-overlap-checking-empty.patch | 32 - ...pset-verify-remove-entries-from-file.patch | 48 - ...-fix-configuring-IP-range-for-ipsets.patch | 138 -- ...ore-nftables-add-delete-table-helper.patch | 45 - ...les-always-flush-main-table-on-start.patch | 38 - ...nUpOnExit-verify-restart-does-not-du.patch | 82 - ...ables-policy-use-delete-table-helper.patch | 32 - ...h-support-using-ipset-in-destination.patch | 242 --- ...9-v1.0.0-test-rich-destination-ipset.patch | 60 - ...-destination-ipset-verify-policy-sup.patch | 63 - ...-add-ICMPv6-Multicast-Listener-Disco.patch | 131 -- ...h-validate-service-name-of-rich-rule.patch | 82 - ...fix-range-check-for-large-rule-limit.patch | 27 - ...nt-policy-extract-helper-function-fo.patch | 63 - ...nt-rich-add-Rich_Limit.value_parse-a.patch | 189 -- ...nt-rich-support-burst-attribute-to-l.patch | 238 --- ...t-atlocal-pass-EBTABLES-to-testsuite.patch | 38 - ...direct-add-has_runtime_configuration.patch | 34 - ...ct-avoid-iptables-flush-if-using-nft.patch | 117 -- ...ct-avoid-iptables-flush-if-using-nft.patch | 175 -- ...ce-update-highest-port-number-for-ce.patch | 29 - SPECS/firewalld.spec | 1731 ----------------- firewalld.spec | 285 +++ sources | 1 + 36 files changed, 329 insertions(+), 4939 deletions(-) delete mode 100644 
.firewalld.metadata rename SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch => 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch (64%) delete mode 100644 SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch delete mode 100644 SOURCES/0003-v1.0.0-feat-service-add-galera-service-Fixes-rhbz169.patch delete mode 100644 SOURCES/0004-v1.0.0-fix-ipset-normalize-entries-in-CIDR-notation.patch delete mode 100644 SOURCES/0005-v1.0.0-fix-ipset-disallow-overlapping-entries.patch delete mode 100644 SOURCES/0006-v1.0.0-feat-config-add-CleanupModulesOnExit-configur.patch delete mode 100644 SOURCES/0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch delete mode 100644 SOURCES/0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch delete mode 100644 SOURCES/0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch delete mode 100644 SOURCES/0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch delete mode 100644 SOURCES/0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch delete mode 100644 SOURCES/0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch delete mode 100644 SOURCES/0013-v1.2.0-fix-ipset-fix-configuring-IP-range-for-ipsets.patch delete mode 100644 SOURCES/0014-v1.2.0-chore-nftables-add-delete-table-helper.patch delete mode 100644 SOURCES/0015-v1.2.0-fix-nftables-always-flush-main-table-on-start.patch delete mode 100644 SOURCES/0016-v1.2.0-test-CleanUpOnExit-verify-restart-does-not-du.patch delete mode 100644 SOURCES/0017-v1.2.0-chore-nftables-policy-use-delete-table-helper.patch delete mode 100644 SOURCES/0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch delete mode 100644 SOURCES/0019-v1.0.0-test-rich-destination-ipset.patch delete mode 100644 SOURCES/0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch delete mode 100644 SOURCES/0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch delete mode 100644 
SOURCES/0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch
delete mode 100644 SOURCES/0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch
delete mode 100644 SOURCES/0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch
delete mode 100644 SOURCES/0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch
delete mode 100644 SOURCES/0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch
delete mode 100644 SOURCES/0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
delete mode 100644 SOURCES/0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch
delete mode 100644 SOURCES/0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
delete mode 100644 SOURCES/0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch
delete mode 100644 SOURCES/0031-v2.2.0-fix-service-update-highest-port-number-for-ce.patch
delete mode 100644 SPECS/firewalld.spec
create mode 100644 firewalld.spec
create mode 100644 sources
diff --git a/.firewalld.metadata b/.firewalld.metadata
deleted file mode 100644
index 8dea652..0000000
--- a/.firewalld.metadata
+++ /dev/null
@@ -1 +0,0 @@
-e5b8b96e901d81ea8e806f44306acbf73487f3ad SOURCES/firewalld-0.9.11.tar.gz
diff --git a/.gitignore b/.gitignore
index 5af1705..bfaaa37 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/firewalld-0.9.11.tar.gz
+firewalld-2.3.0.tar.bz2
diff --git a/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch b/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
similarity index 64%
rename from SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
rename to 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
index d4722c2..3a97961 100644
--- a/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
+++ b/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
@@ -1,65 +1,83 @@ -From feb06c3d50c737183c08fd05592d5c9209f4b966 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Mon, 9 Jul 2018 11:29:33 -0400 -Subject: [PATCH 01/10] RHEL only: Add cockpit by default to some zones +From f113f17734cfb964bd2b72f233c48e650e205cb9 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 25 May 2021 13:31:41 -0400 +Subject: [PATCH 1/4] RHEL only: Add cockpit by default to some zones Fixes: #1581578 --- - config/zones/home.xml | 1 + - config/zones/internal.xml | 1 + - config/zones/public.xml | 1 + - config/zones/work.xml | 1 + - src/tests/functions.at | 19 +++++++++++++++++++ - 5 files changed, 23 insertions(+) + config/zones/home.xml | 1 + + config/zones/internal.xml | 1 + + config/zones/public.xml | 1 + + config/zones/work.xml | 1 + + src/tests/features/startup_failsafe.at | 1 + + src/tests/functions.at | 20 ++++++++++++++++++++ + 6 files changed, 25 insertions(+) diff --git a/config/zones/home.xml b/config/zones/home.xml -index 42b29b2f2d50..8aa8afa0e8aa 100644 +index d73c9bdb16b6..33064688367e 100644 --- a/config/zones/home.xml +++ b/config/zones/home.xml -@@ -6,4 +6,5 @@ +@@ -6,5 +6,6 @@ + + diff --git a/config/zones/internal.xml b/config/zones/internal.xml -index e646b48c94e8..40cb7e14424b 100644 +index 053c18ccda8b..852b16ad94dd 100644 --- a/config/zones/internal.xml +++ b/config/zones/internal.xml -@@ -6,4 +6,5 @@ +@@ -6,5 +6,6 @@ + + diff --git a/config/zones/public.xml b/config/zones/public.xml -index 49795d8c9068..617e131a4895 100644 +index 49fc4c20af52..62bc751de448 100644 --- a/config/zones/public.xml +++ b/config/zones/public.xml -@@ -4,4 +4,5 @@ +@@ -4,5 +4,6 @@ For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + diff --git a/config/zones/work.xml b/config/zones/work.xml -index 6ea5550a40bd..9609ee6f65c2 100644 +index f1a14a9b4682..27b54a7783c4 100644 --- a/config/zones/work.xml 
+++ b/config/zones/work.xml -@@ -4,4 +4,5 @@ +@@ -4,5 +4,6 @@ For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + +diff --git a/src/tests/features/startup_failsafe.at b/src/tests/features/startup_failsafe.at +index 3cdf7c3c307a..b9401d460114 100644 +--- a/src/tests/features/startup_failsafe.at ++++ b/src/tests/features/startup_failsafe.at +@@ -20,6 +20,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 accept + ip6 daddr fe80::/64 udp dport 546 accept ++ tcp dport 9090 accept + tcp dport 443 accept + } + } diff --git a/src/tests/functions.at b/src/tests/functions.at -index 72db26d5ce0c..2f8183966760 100644 +index 244d24686c86..ad3462c6715f 100644 --- a/src/tests/functions.at +++ b/src/tests/functions.at -@@ -112,6 +112,13 @@ m4_define([FWD_START_TEST], [ +@@ -128,6 +128,14 @@ m4_define([FWD_START_TEST], [ fi m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [ ++ AT_KEYWORDS(offline) + dnl cockpit is added by default downstream, but upstream tests don't expect + dnl it. Simply remove it at the start of every test. + dnl @@ -68,9 +86,9 @@ index 72db26d5ce0c..2f8183966760 100644 + FWD_OFFLINE_CHECK([--zone public --remove-service-from-zone cockpit], 0, [ignore]) + FWD_OFFLINE_CHECK([--zone work --remove-service-from-zone cockpit], 0, [ignore]) ], [ - dnl don't unload modules or bother cleaning up, the namespace will be deleted - AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf]) -@@ -229,6 +236,18 @@ m4_define([FWD_START_TEST], [ + dnl set the appropriate backend + AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf]) +@@ -259,6 +267,18 @@ m4_define([FWD_START_TEST], [ ]) FWD_START_FIREWALLD @@ -90,5 +108,5 @@ index 72db26d5ce0c..2f8183966760 100644 ]) -- -2.39.1 +2.39.3 
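Review bot: The rebased 0001 patch still opens the cockpit web console (tcp/9090) in the `public` zone by default, and the new side makes this explicit in the failsafe expectation `+ tcp dport 9090 accept` inside `filter_IN_public_allow`, yet the patch header only says `Fixes: #1581578` with no rationale. The same zone description the hunk carries as context ("You do not trust the other computers on networks to not harm your computer") argues against exposing an admin interface there, so the commit text of the inner patch should state why the downstream default accepts 9090 on untrusted networks and that hosts not running cockpit should drop it with `firewall-cmd --permanent --zone=public --remove-service=cockpit`. The zone XML lines themselves did not survive extraction here (only `+ +` remains), so the 9090 claim is inferred from the test hunk; please confirm against the real zone files. The `+ AT_KEYWORDS(offline)` insertion in functions.at is unrelated to the cockpit change and is not mentioned in the subject, so a one-line note in the patch description would help the next rebase. The enclosing outer hunk continues past this line into the functions.at context.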
diff --git a/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch b/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
deleted file mode 100644
index 49125ba..0000000
--- a/SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -From 6b88f757186f0b6479c2a334c0c0362a2ba05570 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 4 Feb 2020 09:12:17 -0500 -Subject: [PATCH 02/10] RHEL only: default to AllowZoneDrifting=yes - ---- - config/firewalld.conf | 4 ++-- - doc/xml/firewalld.conf.xml | 2 +- - doc/xml/firewalld.dbus.xml | 2 +- - src/firewall/config/__init__.py.in | 2 +- - src/tests/functions.at | 5 +++++ - 5 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/config/firewalld.conf b/config/firewalld.conf -index 99d573dcf06f..a0556c0bbf5b 100644 ---- a/config/firewalld.conf -+++ b/config/firewalld.conf -@@ -73,5 +73,5 @@ RFC3964_IPv4=yes - # Note: If "yes" packets will only drift from source based zones to interface - # based zones (including the default zone). Packets never drift from interface - # based zones to other interfaces based zones (including the default zone). --# Possible values; "yes", "no". Defaults to "no". --AllowZoneDrifting=no -+# Possible values; "yes", "no". Defaults to "yes". -+AllowZoneDrifting=yes -diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml -index 8155c547a216..0a6e8f2fdebf 100644 ---- a/doc/xml/firewalld.conf.xml -+++ b/doc/xml/firewalld.conf.xml -@@ -206,7 +206,7 @@ - to interface based zones (including the default zone). Packets - never drift from interface based zones to other interfaces - based zones (including the default zone). -- Valid values; "yes", "no". Defaults to "no". -+ Valid values; "yes", "no". Defaults to "yes". - - - -diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml -index da442f3f41b9..1c33ad5ee918 100644 ---- a/doc/xml/firewalld.dbus.xml -+++ b/doc/xml/firewalld.dbus.xml -@@ -2787,7 +2787,7 @@ - to interface based zones (including the default zone). Packets - never drift from interface based zones to other interfaces - based zones (including the default zone). -- Valid values; "yes", "no". Defaults to "no". -+ Valid values; "yes", "no". Defaults to "yes". 
- - - -diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in -index e875e849dec1..0dec7913f694 100644 ---- a/src/firewall/config/__init__.py.in -+++ b/src/firewall/config/__init__.py.in -@@ -133,4 +133,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no" - FALLBACK_FIREWALL_BACKEND = "nftables" - FALLBACK_FLUSH_ALL_ON_RELOAD = True - FALLBACK_RFC3964_IPV4 = True --FALLBACK_ALLOW_ZONE_DRIFTING = False -+FALLBACK_ALLOW_ZONE_DRIFTING = True -diff --git a/src/tests/functions.at b/src/tests/functions.at -index 2f8183966760..a2989c6345da 100644 ---- a/src/tests/functions.at -+++ b/src/tests/functions.at -@@ -126,6 +126,11 @@ m4_define([FWD_START_TEST], [ - dnl set the appropriate backend - AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf]) - -+ dnl Expected test results assume this is set to "no", but downstream -+ dnl RHEL overrides it to "yes". Override it back to "no" so we don't -+ dnl have to fix up all the tests when bringing them from upstream. -+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) -+ - dnl fib matching is pretty new in nftables. Don't use rpfilter on older - dnl kernels. - m4_if(nftables, FIREWALL_BACKEND, [ --- -2.39.1 - diff --git a/SOURCES/0003-v1.0.0-feat-service-add-galera-service-Fixes-rhbz169.patch b/SOURCES/0003-v1.0.0-feat-service-add-galera-service-Fixes-rhbz169.patch deleted file mode 100644 index ee1db9e..0000000 --- a/SOURCES/0003-v1.0.0-feat-service-add-galera-service-Fixes-rhbz169.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 17a69c4dd7feff3c6101b5541497b8304447ed40 Mon Sep 17 00:00:00 2001 -From: Vrinda Punj -Date: Tue, 1 Dec 2020 11:58:19 -0500 -Subject: [PATCH 03/10] v1.0.0: feat(service): add galera service Fixes: - rhbz1696260 - -(cherry picked from commit 11632147677464cb7121d17526ead242e68be041) ---- - config/Makefile.am | 1 + - config/services/galera.xml | 9 +++++++++ - po/POTFILES.in | 1 + - 3 files changed, 11 insertions(+) - create mode 100644 config/services/galera.xml - -diff --git a/config/Makefile.am b/config/Makefile.am -index fef3b55dc527..f844a5a00e2f 100644 ---- a/config/Makefile.am -+++ b/config/Makefile.am -@@ -159,6 +159,7 @@ CONFIG_FILES = \ - services/freeipa-replication.xml \ - services/freeipa-trust.xml \ - services/ftp.xml \ -+ services/galera.xml \ - services/ganglia-client.xml \ - services/ganglia-master.xml \ - services/git.xml \ -diff --git a/config/services/galera.xml b/config/services/galera.xml -new file mode 100644 -index 000000000000..2305713fbcab ---- /dev/null -+++ b/config/services/galera.xml -@@ -0,0 +1,9 @@ -+ -+ -+ Galera -+ MariaDB-Galera Database Server -+ -+ -+ -+ -+ -diff --git a/po/POTFILES.in b/po/POTFILES.in -index 666eb677855b..249cff8d0d2f 100644 ---- a/po/POTFILES.in -+++ b/po/POTFILES.in -@@ -91,6 +91,7 @@ config/services/freeipa-ldap.xml - config/services/freeipa-replication.xml - config/services/freeipa-trust.xml - config/services/ftp.xml -+config/services/galera.xml - config/services/ganglia-client.xml - config/services/ganglia-master.xml - config/services/git.xml --- -2.39.1 - diff --git a/SOURCES/0004-v1.0.0-fix-ipset-normalize-entries-in-CIDR-notation.patch b/SOURCES/0004-v1.0.0-fix-ipset-normalize-entries-in-CIDR-notation.patch deleted file mode 100644 index 335d5fa..0000000 --- a/SOURCES/0004-v1.0.0-fix-ipset-normalize-entries-in-CIDR-notation.patch +++ /dev/null 
@@ -1,242 +0,0 @@ -From 430dee713b69a32e5c5bf6b1f68a605564fe93ef Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Fri, 12 Feb 2021 14:23:21 -0500 -Subject: [PATCH 04/10] v1.0.0: fix(ipset): normalize entries in CIDR notation - -This will convert things like 10.0.1.0/22 to 10.0.0.0/22. Fix up test -cases in which the error code changed due to this. - -(cherry picked from commit e4dc44fcfd214b27c718eb4d99d3b137495b9626) ---- - src/firewall/client.py | 9 ++++++++- - src/firewall/core/fw_ipset.py | 11 ++++++++++- - src/firewall/core/ipset.py | 13 +++++++++++++ - src/firewall/server/config_ipset.py | 10 ++++++++-- - src/tests/regression/rhbz1601610.at | 19 +++++++++++++------ - 5 files changed, 52 insertions(+), 10 deletions(-) - -diff --git a/src/firewall/client.py b/src/firewall/client.py -index 51bf09c8fad6..aa6bd7cd282b 100644 ---- a/src/firewall/client.py -+++ b/src/firewall/client.py -@@ -34,6 +34,7 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU - from firewall.dbus_utils import dbus_to_python - from firewall.functions import b2u - from firewall.core.rich import Rich_Rule -+from firewall.core.ipset import normalize_ipset_entry - from firewall import errors - from firewall.errors import FirewallError - -@@ -1616,12 +1617,16 @@ class FirewallClientIPSetSettings(object): - if "timeout" in self.settings[4] and \ - self.settings[4]["timeout"] != "0": - raise FirewallError(errors.IPSET_WITH_TIMEOUT) -- self.settings[5] = entries -+ _entries = set() -+ for _entry in dbus_to_python(entries, list): -+ _entries.add(normalize_ipset_entry(_entry)) -+ self.settings[5] = list(_entries) - @handle_exceptions - def addEntry(self, entry): - if "timeout" in self.settings[4] and \ - self.settings[4]["timeout"] != "0": - raise FirewallError(errors.IPSET_WITH_TIMEOUT) -+ entry = normalize_ipset_entry(entry) - if entry not in self.settings[5]: - self.settings[5].append(entry) - else: -@@ -1631,6 +1636,7 @@ class FirewallClientIPSetSettings(object): 
- if "timeout" in self.settings[4] and \ - self.settings[4]["timeout"] != "0": - raise FirewallError(errors.IPSET_WITH_TIMEOUT) -+ entry = normalize_ipset_entry(entry) - if entry in self.settings[5]: - self.settings[5].remove(entry) - else: -@@ -1640,6 +1646,7 @@ class FirewallClientIPSetSettings(object): - if "timeout" in self.settings[4] and \ - self.settings[4]["timeout"] != "0": - raise FirewallError(errors.IPSET_WITH_TIMEOUT) -+ entry = normalize_ipset_entry(entry) - return entry in self.settings[5] - - # ipset config -diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py -index e90082407562..57e0e6cb51db 100644 ---- a/src/firewall/core/fw_ipset.py -+++ b/src/firewall/core/fw_ipset.py -@@ -24,7 +24,8 @@ - __all__ = [ "FirewallIPSet" ] - - from firewall.core.logger import log --from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts -+from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \ -+ normalize_ipset_entry - from firewall.core.io.ipset import IPSet - from firewall import errors - from firewall.errors import FirewallError -@@ -189,6 +190,7 @@ class FirewallIPSet(object): - - def add_entry(self, name, entry): - obj = self.get_ipset(name, applied=True) -+ entry = normalize_ipset_entry(entry) - - IPSet.check_entry(entry, obj.options, obj.type) - if entry in obj.entries: -@@ -207,6 +209,7 @@ class FirewallIPSet(object): - - def remove_entry(self, name, entry): - obj = self.get_ipset(name, applied=True) -+ entry = normalize_ipset_entry(entry) - - # no entry check for removal - if entry not in obj.entries: -@@ -224,6 +227,7 @@ class FirewallIPSet(object): - - def query_entry(self, name, entry): - obj = self.get_ipset(name, applied=True) -+ entry = normalize_ipset_entry(entry) - if "timeout" in obj.options and obj.options["timeout"] != "0": - # no entries visible for ipsets with timeout - raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) -@@ -237,6 +241,11 @@ class FirewallIPSet(object): 
- def set_entries(self, name, entries): - obj = self.get_ipset(name, applied=True) - -+ _entries = set() -+ for _entry in entries: -+ _entries.add(normalize_ipset_entry(_entry)) -+ entries = list(_entries) -+ - for entry in entries: - IPSet.check_entry(entry, obj.options, obj.type) - if "timeout" not in obj.options or obj.options["timeout"] == "0": -diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py -index 0d632143ce13..5bb21856f648 100644 ---- a/src/firewall/core/ipset.py -+++ b/src/firewall/core/ipset.py -@@ -24,6 +24,7 @@ - __all__ = [ "ipset", "check_ipset_name", "remove_default_create_options" ] - - import os.path -+import ipaddress - - from firewall import errors - from firewall.errors import FirewallError -@@ -289,3 +290,15 @@ def remove_default_create_options(options): - IPSET_DEFAULT_CREATE_OPTIONS[opt] == _options[opt]: - del _options[opt] - return _options -+ -+def normalize_ipset_entry(entry): -+ """ Normalize IP addresses in entry """ -+ _entry = [] -+ for _part in entry.split(","): -+ try: -+ _part.index("/") -+ _entry.append(str(ipaddress.ip_network(_part, strict=False))) -+ except ValueError: -+ _entry.append(_part) -+ -+ return ",".join(_entry) -diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py -index 8c647bc29ab9..18ef5783de62 100644 ---- a/src/firewall/server/config_ipset.py -+++ b/src/firewall/server/config_ipset.py -@@ -33,7 +33,7 @@ from firewall.dbus_utils import dbus_to_python, \ - dbus_introspection_prepare_properties, \ - dbus_introspection_add_properties - from firewall.core.io.ipset import IPSet --from firewall.core.ipset import IPSET_TYPES -+from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry - from firewall.core.logger import log - from firewall.server.decorators import handle_exceptions, \ - dbus_handle_exceptions, dbus_service_method -@@ -406,7 +406,10 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): - in_signature='as') - @dbus_handle_exceptions - def 
setEntries(self, entries, sender=None): -- entries = dbus_to_python(entries, list) -+ _entries = set() -+ for _entry in dbus_to_python(entries, list): -+ _entries.add(normalize_ipset_entry(_entry)) -+ entries = list(_entries) - log.debug1("%s.setEntries('[%s]')", self._log_prefix, - ",".join(entries)) - self.parent.accessCheck(sender) -@@ -421,6 +424,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): - @dbus_handle_exceptions - def addEntry(self, entry, sender=None): - entry = dbus_to_python(entry, str) -+ entry = normalize_ipset_entry(entry) - log.debug1("%s.addEntry('%s')", self._log_prefix, entry) - self.parent.accessCheck(sender) - settings = list(self.getSettings()) -@@ -436,6 +440,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): - @dbus_handle_exceptions - def removeEntry(self, entry, sender=None): - entry = dbus_to_python(entry, str) -+ entry = normalize_ipset_entry(entry) - log.debug1("%s.removeEntry('%s')", self._log_prefix, entry) - self.parent.accessCheck(sender) - settings = list(self.getSettings()) -@@ -451,6 +456,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): - @dbus_handle_exceptions - def queryEntry(self, entry, sender=None): # pylint: disable=W0613 - entry = dbus_to_python(entry, str) -+ entry = normalize_ipset_entry(entry) - log.debug1("%s.queryEntry('%s')", self._log_prefix, entry) - settings = list(self.getSettings()) - if "timeout" in settings[4] and settings[4]["timeout"] != "0": -diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at -index ede2c45b88c1..a716539a8acf 100644 ---- a/src/tests/regression/rhbz1601610.at -+++ b/src/tests/regression/rhbz1601610.at -@@ -6,11 +6,14 @@ CHECK_IPSET - FWD_CHECK([-q --new-ipset=foobar --permanent --type=hash:net]) - FWD_RELOAD - --FWD_CHECK([-q --ipset=foobar --add-entry=10.1.1.0/22]) --FWD_CHECK([-q --ipset=foobar --add-entry=10.1.2.0/22], 13, ignore, ignore) --FWD_CHECK([-q --ipset=foobar --add-entry=10.2.0.0/22]) -+FWD_CHECK([--ipset=foobar 
--add-entry=10.1.1.0/22], 0, [ignore]) -+FWD_CHECK([--ipset=foobar --query-entry 10.1.2.0/22], 0, [ignore]) -+FWD_CHECK([--ipset=foobar --add-entry=10.1.2.0/22], 0, [ignore], [dnl -+Warning: ALREADY_ENABLED: '10.1.0.0/22' already is in 'foobar' -+]) -+FWD_CHECK([--ipset=foobar --add-entry=10.2.0.0/22], 0, [ignore]) - FWD_CHECK([--ipset=foobar --get-entries], 0, [dnl --10.1.1.0/22 -+10.1.0.0/22 - 10.2.0.0/22 - ]) - NFT_LIST_SET([foobar], 0, [dnl -@@ -31,6 +34,9 @@ Members: - ]) - - FWD_CHECK([-q --ipset=foobar --remove-entry=10.1.1.0/22]) -+FWD_CHECK([--ipset=foobar --query-entry 10.1.1.0/22], 1, [ignore]) -+FWD_CHECK([--ipset=foobar --query-entry 10.1.2.0/22], 1, [ignore]) -+FWD_CHECK([--ipset=foobar --query-entry 10.2.0.0/22], 0, [ignore]) - FWD_CHECK([--ipset=foobar --get-entries], 0, [dnl - 10.2.0.0/22 - ]) -@@ -52,7 +58,7 @@ Members: - - FWD_CHECK([-q --permanent --ipset=foobar --add-entry=10.1.1.0/22]) - FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [dnl --10.1.1.0/22 -+10.1.0.0/22 - ]) - FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22]) - FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [ -@@ -101,4 +107,5 @@ Members: - - FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl - -e '/ERROR: COMMAND_FAILED:.*element.*exists/d'dnl -- -e '/Kernel support protocol versions/d']) -+ -e '/Kernel support protocol versions/d'dnl -+ -e '/WARNING: ALREADY_ENABLED:/d']) --- -2.39.1 - diff --git a/SOURCES/0005-v1.0.0-fix-ipset-disallow-overlapping-entries.patch b/SOURCES/0005-v1.0.0-fix-ipset-disallow-overlapping-entries.patch deleted file mode 100644 index 473840f..0000000 --- a/SOURCES/0005-v1.0.0-fix-ipset-disallow-overlapping-entries.patch +++ /dev/null 
@@ -1,157 +0,0 @@ -From bba9a6860dd358791d0be3f075718d7cf8dca261 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 23 Feb 2021 09:18:33 -0500 -Subject: [PATCH 05/10] v1.0.0: fix(ipset): disallow overlapping entries - -These are already being blocked by the ipset backend, but we should -catch them higher up to avoid differences in the backends. - -(cherry picked from commit 5b4e8918715a1d2e4abf77ed4eb3252486a19109) ---- - src/firewall/client.py | 4 +++- - src/firewall/core/fw_ipset.py | 4 +++- - src/firewall/core/ipset.py | 13 +++++++++++++ - src/firewall/server/config_ipset.py | 5 ++++- - src/tests/regression/ipset_netmask_allowed.at | 14 ++++++++------ - 5 files changed, 31 insertions(+), 9 deletions(-) - -diff --git a/src/firewall/client.py b/src/firewall/client.py -index aa6bd7cd282b..3715ffd29316 100644 ---- a/src/firewall/client.py -+++ b/src/firewall/client.py -@@ -34,7 +34,7 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU - from firewall.dbus_utils import dbus_to_python - from firewall.functions import b2u - from firewall.core.rich import Rich_Rule --from firewall.core.ipset import normalize_ipset_entry -+from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing - from firewall import errors - from firewall.errors import FirewallError - -@@ -1619,6 +1619,7 @@ class FirewallClientIPSetSettings(object): - raise FirewallError(errors.IPSET_WITH_TIMEOUT) - _entries = set() - for _entry in dbus_to_python(entries, list): -+ check_entry_overlaps_existing(_entry, _entries) - _entries.add(normalize_ipset_entry(_entry)) - self.settings[5] = list(_entries) - @handle_exceptions -@@ -1628,6 +1629,7 @@ class FirewallClientIPSetSettings(object): - raise FirewallError(errors.IPSET_WITH_TIMEOUT) - entry = normalize_ipset_entry(entry) - if entry not in self.settings[5]: -+ check_entry_overlaps_existing(entry, self.settings[5]) - self.settings[5].append(entry) - else: - raise 
FirewallError(errors.ALREADY_ENABLED, entry) -diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py -index 57e0e6cb51db..711c86a062be 100644 ---- a/src/firewall/core/fw_ipset.py -+++ b/src/firewall/core/fw_ipset.py -@@ -25,7 +25,7 @@ __all__ = [ "FirewallIPSet" ] - - from firewall.core.logger import log - from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \ -- normalize_ipset_entry -+ normalize_ipset_entry, check_entry_overlaps_existing - from firewall.core.io.ipset import IPSet - from firewall import errors - from firewall.errors import FirewallError -@@ -196,6 +196,7 @@ class FirewallIPSet(object): - if entry in obj.entries: - raise FirewallError(errors.ALREADY_ENABLED, - "'%s' already is in '%s'" % (entry, name)) -+ check_entry_overlaps_existing(entry, obj.entries) - - try: - for backend in self.backends(): -@@ -243,6 +244,7 @@ class FirewallIPSet(object): - - _entries = set() - for _entry in entries: -+ check_entry_overlaps_existing(_entry, _entries) - _entries.add(normalize_ipset_entry(_entry)) - entries = list(_entries) - -diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py -index 5bb21856f648..d6defa395241 100644 ---- a/src/firewall/core/ipset.py -+++ b/src/firewall/core/ipset.py -@@ -302,3 +302,16 @@ def normalize_ipset_entry(entry): - _entry.append(_part) - - return ",".join(_entry) -+ -+def check_entry_overlaps_existing(entry, entries): -+ """ Check if entry overlaps any entry in the list of entries """ -+ # Only check simple types -+ if len(entry.split(",")) > 1: -+ return -+ -+ for itr in entries: -+ try: -+ if ipaddress.ip_network(itr, strict=False).overlaps(ipaddress.ip_network(entry, strict=False)): -+ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(itr, entry)) -+ except ValueError: -+ pass -diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py -index 18ef5783de62..f33c2a02926f 100644 ---- 
a/src/firewall/server/config_ipset.py -+++ b/src/firewall/server/config_ipset.py -@@ -33,7 +33,8 @@ from firewall.dbus_utils import dbus_to_python, \ - dbus_introspection_prepare_properties, \ - dbus_introspection_add_properties - from firewall.core.io.ipset import IPSet --from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry -+from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry, \ -+ check_entry_overlaps_existing - from firewall.core.logger import log - from firewall.server.decorators import handle_exceptions, \ - dbus_handle_exceptions, dbus_service_method -@@ -408,6 +409,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): - def setEntries(self, entries, sender=None): - _entries = set() - for _entry in dbus_to_python(entries, list): -+ check_entry_overlaps_existing(_entry, _entries) - _entries.add(normalize_ipset_entry(_entry)) - entries = list(_entries) - log.debug1("%s.setEntries('[%s]')", self._log_prefix, -@@ -432,6 +434,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): - raise FirewallError(errors.IPSET_WITH_TIMEOUT) - if entry in settings[5]: - raise FirewallError(errors.ALREADY_ENABLED, entry) -+ check_entry_overlaps_existing(entry, settings[5]) - settings[5].append(entry) - self.update(settings) - -diff --git a/src/tests/regression/ipset_netmask_allowed.at b/src/tests/regression/ipset_netmask_allowed.at -index b5165d94b220..fd08afd3b57c 100644 ---- a/src/tests/regression/ipset_netmask_allowed.at -+++ b/src/tests/regression/ipset_netmask_allowed.at -@@ -9,15 +9,17 @@ dnl an add for the whole range. i.e. 1.2.3.4/24 --> 1.2.3.[0.255] (256 - dnl entries). - dnl - dnl In nftables, we allow this by using actual intervals. 
--FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore]) --FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore]) -+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.4/24], 0, [ignore]) -+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.4/24], 0, [ignore]) - - dnl check the edge case - FWD_CHECK([--permanent --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore]) - FWD_CHECK([ --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore]) - --dnl overlaps should be denied by ipset --FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/22], 13, [ignore], [ignore]) --FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/30], 13, [ignore], [ignore]) -+dnl overlaps should be denied -+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/22], 136, [ignore], [ignore]) -+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/22], 136, [ignore], [ignore]) -+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.4/30], 136, [ignore], [ignore]) -+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.4/30], 136, [ignore], [ignore]) - --FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d']) -+FWD_END_TEST([-e '/ERROR: INVALID_ENTRY:/d']) --- -2.39.1 - diff --git a/SOURCES/0006-v1.0.0-feat-config-add-CleanupModulesOnExit-configur.patch b/SOURCES/0006-v1.0.0-feat-config-add-CleanupModulesOnExit-configur.patch deleted file mode 100644 index f779d0c..0000000 --- a/SOURCES/0006-v1.0.0-feat-config-add-CleanupModulesOnExit-configur.patch +++ /dev/null 
@@ -1,302 +0,0 @@ -From 4779d5bf08ff1c24777df4b88b4af2e8e5918f84 Mon Sep 17 00:00:00 2001 -From: Paul Laufer <50234787+refual@users.noreply.github.com> -Date: Fri, 27 Nov 2020 12:23:11 +0100 -Subject: [PATCH 06/10] v1.0.0: feat(config): add CleanupModulesOnExit - configuration option - -Fixes: rhbz 1520532 -Fixes: #533 -Closes: #721 -(cherry picked from commit 152a51537a7840afd0879ab4b60178bef4ec16a2) ---- - config/firewalld.conf | 9 +++++++- - doc/xml/firewalld.conf.xml | 11 ++++++++++ - doc/xml/firewalld.dbus.xml | 9 ++++++++ - src/firewall/config/__init__.py.in | 1 + - src/firewall/core/fw.py | 29 +++++++++++++++++++------- - src/firewall/core/io/firewalld_conf.py | 19 +++++++++++++---- - src/firewall/server/config.py | 23 +++++++++++++------- - src/tests/dbus/firewalld.conf.at | 2 ++ - 8 files changed, 82 insertions(+), 21 deletions(-) - -diff --git a/config/firewalld.conf b/config/firewalld.conf -index a0556c0bbf5b..3abbc9c998c1 100644 ---- a/config/firewalld.conf -+++ b/config/firewalld.conf -@@ -7,10 +7,17 @@ DefaultZone=public - - # Clean up on exit - # If set to no or false the firewall configuration will not get cleaned up --# on exit or stop of firewalld -+# on exit or stop of firewalld. - # Default: yes - CleanupOnExit=yes - -+# Clean up kernel modules on exit -+# If set to yes or true the firewall related kernel modules will be -+# unloaded on exit or stop of firewalld. This might attempt to unload -+# modules not originally loaded by firewalld. -+# Default: no -+CleanupModulesOnExit=no -+ - # Lockdown - # If set to enabled, firewall changes with the D-Bus interface will be limited - # to applications that are listed in the lockdown whitelist. 
-diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml -index 0a6e8f2fdebf..3ae531bcd94a 100644 ---- a/doc/xml/firewalld.conf.xml -+++ b/doc/xml/firewalld.conf.xml -@@ -88,6 +88,17 @@ - - - -+ -+ -+ -+ -+ Setting this option to yes or true unloads all firewall-related -+ kernel modules when firewalld is stopped. The default value is no -+ or false. -+ -+ -+ -+ - - - -diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml -index 1c33ad5ee918..cc4593e1883f 100644 ---- a/doc/xml/firewalld.dbus.xml -+++ b/doc/xml/firewalld.dbus.xml -@@ -2798,6 +2798,15 @@ - - - -+ -+ CleanupModulesOnExit - s - (rw) -+ -+ -+ Setting this option to yes or true unloads all firewall-related -+ kernel modules when firewalld is stopped. -+ -+ -+ - - CleanupOnExit - s - (rw) - -diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in -index 0dec7913f694..5d6d769fbf15 100644 ---- a/src/firewall/config/__init__.py.in -+++ b/src/firewall/config/__init__.py.in -@@ -125,6 +125,7 @@ FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ] - FALLBACK_ZONE = "public" - FALLBACK_MINIMAL_MARK = 100 - FALLBACK_CLEANUP_ON_EXIT = True -+FALLBACK_CLEANUP_MODULES_ON_EXIT = False - FALLBACK_LOCKDOWN = False - FALLBACK_IPV6_RPFILTER = True - FALLBACK_INDIVIDUAL_CALLS = False -diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py -index 3eb54e37ab5c..4171697bdb94 100644 ---- a/src/firewall/core/fw.py -+++ b/src/firewall/core/fw.py -@@ -105,12 +105,13 @@ class Firewall(object): - self.__init_vars() - - def __repr__(self): -- return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \ -+ return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \ - (self.__class__, self.ip4tables_enabled, self.ip6tables_enabled, - self.ebtables_enabled, self._state, self._panic, - self._default_zone, self._module_refcount, self._marks, -- self.cleanup_on_exit, self.ipv6_rpfilter_enabled, -- self.ipset_enabled, self._individual_calls, 
self._log_denied) -+ self.cleanup_on_exit, self.cleanup_modules_on_exit, -+ self.ipv6_rpfilter_enabled, self.ipset_enabled, -+ self._individual_calls, self._log_denied) - - def __init_vars(self): - self._state = "INIT" -@@ -120,6 +121,7 @@ class Firewall(object): - self._marks = [ ] - # fallback settings will be overloaded by firewalld.conf - self.cleanup_on_exit = config.FALLBACK_CLEANUP_ON_EXIT -+ self.cleanup_modules_on_exit = config.FALLBACK_CLEANUP_MODULES_ON_EXIT - self.ipv6_rpfilter_enabled = config.FALLBACK_IPV6_RPFILTER - self._individual_calls = config.FALLBACK_INDIVIDUAL_CALLS - self._log_denied = config.FALLBACK_LOG_DENIED -@@ -232,6 +234,13 @@ class Firewall(object): - log.debug1("CleanupOnExit is set to '%s'", - self.cleanup_on_exit) - -+ if self._firewalld_conf.get("CleanupModulesOnExit"): -+ value = self._firewalld_conf.get("CleanupModulesOnExit") -+ if value is not None and value.lower() in [ "yes", "true" ]: -+ self.cleanup_modules_on_exit = True -+ log.debug1("CleanupModulesOnExit is set to '%s'", -+ self.cleanup_modules_on_exit) -+ - if self._firewalld_conf.get("Lockdown"): - value = self._firewalld_conf.get("Lockdown") - if value is not None and value.lower() in [ "yes", "true" ]: -@@ -667,11 +676,15 @@ class Firewall(object): - self.__init_vars() - - def stop(self): -- if self.cleanup_on_exit and not self._offline: -- self.flush() -- self.ipset.flush() -- self.set_policy("ACCEPT") -- self.modules_backend.unload_firewall_modules() -+ if not self._offline: -+ if self.cleanup_on_exit: -+ self.flush() -+ self.ipset.flush() -+ self.set_policy("ACCEPT") -+ -+ if self.cleanup_modules_on_exit: -+ log.debug1('Unloading firewall kernel modules') -+ self.modules_backend.unload_firewall_modules() - - self.cleanup() - -diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py -index 7c7092120676..70258400ef06 100644 ---- a/src/firewall/core/io/firewalld_conf.py -+++ b/src/firewall/core/io/firewalld_conf.py -@@ -28,10 
+28,11 @@ from firewall import config - from firewall.core.logger import log - from firewall.functions import b2u, u2b, PY2 - --valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", -- "IPv6_rpfilter", "IndividualCalls", "LogDenied", -- "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload", -- "RFC3964_IPv4", "AllowZoneDrifting" ] -+valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", -+ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", -+ "IndividualCalls", "LogDenied", "AutomaticHelpers", -+ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", -+ "AllowZoneDrifting" ] - - class firewalld_conf(object): - def __init__(self, filename): -@@ -75,6 +76,7 @@ class firewalld_conf(object): - self.set("DefaultZone", config.FALLBACK_ZONE) - self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) - self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") -+ self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no") - self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") - self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") - self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") -@@ -135,6 +137,15 @@ class firewalld_conf(object): - config.FALLBACK_CLEANUP_ON_EXIT) - self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") - -+ # check module cleanup on exit -+ value = self.get("CleanupModulesOnExit") -+ if not value or value.lower() not in [ "no", "false", "yes", "true" ]: -+ if value is not None: -+ log.warning("CleanupModulesOnExit '%s' is not valid, using default " -+ "value %s", value if value else '', -+ config.FALLBACK_CLEANUP_MODULES_ON_EXIT) -+ self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no") -+ - # check lockdown - value = self.get("Lockdown") - if not value or value.lower() not in [ "yes", "true", "no", "false" ]: -diff --git 
a/src/firewall/server/config.py b/src/firewall/server/config.py -index 031ef5d1afaa..8815920c6893 100644 ---- a/src/firewall/server/config.py -+++ b/src/firewall/server/config.py -@@ -100,6 +100,7 @@ class FirewallDConfig(slip.dbus.service.Object): - dbus_introspection_prepare_properties(self, - config.dbus.DBUS_INTERFACE_CONFIG, - { "CleanupOnExit": "readwrite", -+ "CleanupModulesOnExit": "readwrite", - "IPv6_rpfilter": "readwrite", - "Lockdown": "readwrite", - "MinimalMark": "readwrite", -@@ -554,9 +555,9 @@ class FirewallDConfig(slip.dbus.service.Object): - @dbus_handle_exceptions - def _get_property(self, prop): - if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit", -- "Lockdown", "IPv6_rpfilter", "IndividualCalls", -- "LogDenied", "AutomaticHelpers", "FirewallBackend", -- "FlushAllOnReload", "RFC3964_IPv4", -+ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", -+ "IndividualCalls", "LogDenied", "AutomaticHelpers", -+ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", - "AllowZoneDrifting" ]: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.InvalidArgs: " -@@ -578,6 +579,10 @@ class FirewallDConfig(slip.dbus.service.Object): - if value is None: - value = "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no" - return dbus.String(value) -+ elif prop == "CleanupModulesOnExit": -+ if value is None: -+ value = "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no" -+ return dbus.String(value) - elif prop == "Lockdown": - if value is None: - value = "yes" if config.FALLBACK_LOCKDOWN else "no" -@@ -623,6 +628,8 @@ class FirewallDConfig(slip.dbus.service.Object): - return dbus.Int32(self._get_property(prop)) - elif prop == "CleanupOnExit": - return dbus.String(self._get_property(prop)) -+ elif prop == "CleanupModulesOnExit": -+ return dbus.String(self._get_property(prop)) - elif prop == "Lockdown": - return dbus.String(self._get_property(prop)) - elif prop == "IPv6_rpfilter": -@@ -679,9 +686,9 @@ class 
FirewallDConfig(slip.dbus.service.Object): - ret = { } - if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: - for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", -- "Lockdown", "IPv6_rpfilter", "IndividualCalls", -- "LogDenied", "AutomaticHelpers", "FirewallBackend", -- "FlushAllOnReload", "RFC3964_IPv4", -+ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", -+ "IndividualCalls", "LogDenied", "AutomaticHelpers", -+ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", - "AllowZoneDrifting" ]: - ret[x] = self._get_property(x) - elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, -@@ -706,12 +713,12 @@ class FirewallDConfig(slip.dbus.service.Object): - self.accessCheck(sender) - - if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: -- if property_name in [ "CleanupOnExit", "Lockdown", -+ if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit", - "IPv6_rpfilter", "IndividualCalls", - "LogDenied", - "FirewallBackend", "FlushAllOnReload", - "RFC3964_IPv4", "AllowZoneDrifting" ]: -- if property_name in [ "CleanupOnExit", "Lockdown", -+ if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit", - "IPv6_rpfilter", "IndividualCalls" ]: - if new_value.lower() not in [ "yes", "no", - "true", "false" ]: -diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at -index 9fc5502a8d0b..9a04a3bd491c 100644 ---- a/src/tests/dbus/firewalld.conf.at -+++ b/src/tests/dbus/firewalld.conf.at -@@ -17,6 +17,7 @@ dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
- DBUS_GETALL([config], [config], 0, [dnl - string "AllowZoneDrifting" : variant string "no" - string "AutomaticHelpers" : variant string "no" -+string "CleanupModulesOnExit" : variant string "no" - string "CleanupOnExit" : variant string "no" - string "DefaultZone" : variant string "public" - string "FirewallBackend" : variant string "nftables" -@@ -45,6 +46,7 @@ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"]) - _helper([IndividualCalls], [string:"yes"], [variant string "yes"]) - _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"]) - _helper([FlushAllOnReload], [string:"no"], [variant string "no"]) -+_helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"]) - _helper([CleanupOnExit], [string:"yes"], [variant string "yes"]) - _helper([RFC3964_IPv4], [string:"no"], [variant string "no"]) - _helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"]) --- -2.39.1 - diff --git a/SOURCES/0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch b/SOURCES/0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch deleted file mode 100644 index b806d77..0000000 --- a/SOURCES/0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 82b49bd47d0073f2c2bc4bd296c1a52e4d4d3732 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Mon, 20 Dec 2021 13:56:55 -0500 -Subject: [PATCH 07/10] RHEL only: default to CleanupModulesOnExit=yes - -Resolves: rhbz1980206 ---- - config/firewalld.conf | 4 ++-- - doc/xml/firewalld.conf.xml | 4 ++-- - src/firewall/config/__init__.py.in | 2 +- - src/firewall/core/fw.py | 2 ++ - src/tests/dbus/firewalld.conf.at | 4 ++-- - 5 files changed, 9 insertions(+), 7 deletions(-) - -diff --git a/config/firewalld.conf b/config/firewalld.conf -index 3abbc9c998c1..c387f87c28be 100644 ---- a/config/firewalld.conf -+++ b/config/firewalld.conf -@@ -15,8 +15,8 @@ CleanupOnExit=yes - # If set to yes or true the firewall related kernel modules will be - # unloaded on exit or stop of firewalld. This might attempt to unload - # modules not originally loaded by firewalld. --# Default: no --CleanupModulesOnExit=no -+# Default: yes -+CleanupModulesOnExit=yes - - # Lockdown - # If set to enabled, firewall changes with the D-Bus interface will be limited -diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml -index 3ae531bcd94a..c94073dbf84f 100644 ---- a/doc/xml/firewalld.conf.xml -+++ b/doc/xml/firewalld.conf.xml -@@ -93,8 +93,8 @@ - - - Setting this option to yes or true unloads all firewall-related -- kernel modules when firewalld is stopped. The default value is no -- or false. -+ kernel modules when firewalld is stopped. The default value is yes -+ or true. 
- - - -diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in -index 5d6d769fbf15..285e2f034b6b 100644 ---- a/src/firewall/config/__init__.py.in -+++ b/src/firewall/config/__init__.py.in -@@ -125,7 +125,7 @@ FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ] - FALLBACK_ZONE = "public" - FALLBACK_MINIMAL_MARK = 100 - FALLBACK_CLEANUP_ON_EXIT = True --FALLBACK_CLEANUP_MODULES_ON_EXIT = False -+FALLBACK_CLEANUP_MODULES_ON_EXIT = True - FALLBACK_LOCKDOWN = False - FALLBACK_IPV6_RPFILTER = True - FALLBACK_INDIVIDUAL_CALLS = False -diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py -index 4171697bdb94..5cef18b5f889 100644 ---- a/src/firewall/core/fw.py -+++ b/src/firewall/core/fw.py -@@ -238,6 +238,8 @@ class Firewall(object): - value = self._firewalld_conf.get("CleanupModulesOnExit") - if value is not None and value.lower() in [ "yes", "true" ]: - self.cleanup_modules_on_exit = True -+ if value is not None and value.lower() in [ "no", "false" ]: -+ self.cleanup_modules_on_exit = False - log.debug1("CleanupModulesOnExit is set to '%s'", - self.cleanup_modules_on_exit) - -diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at -index 9a04a3bd491c..68832bca33bc 100644 ---- a/src/tests/dbus/firewalld.conf.at -+++ b/src/tests/dbus/firewalld.conf.at -@@ -17,7 +17,7 @@ dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
- DBUS_GETALL([config], [config], 0, [dnl - string "AllowZoneDrifting" : variant string "no" - string "AutomaticHelpers" : variant string "no" --string "CleanupModulesOnExit" : variant string "no" -+string "CleanupModulesOnExit" : variant string "yes" - string "CleanupOnExit" : variant string "no" - string "DefaultZone" : variant string "public" - string "FirewallBackend" : variant string "nftables" -@@ -46,7 +46,7 @@ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"]) - _helper([IndividualCalls], [string:"yes"], [variant string "yes"]) - _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"]) - _helper([FlushAllOnReload], [string:"no"], [variant string "no"]) --_helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"]) -+_helper([CleanupModulesOnExit], [string:"no"], [variant string "no"]) - _helper([CleanupOnExit], [string:"yes"], [variant string "yes"]) - _helper([RFC3964_IPv4], [string:"no"], [variant string "no"]) - _helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"]) --- -2.39.1 - diff --git a/SOURCES/0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch b/SOURCES/0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch deleted file mode 100644 index 8e04062..0000000 --- a/SOURCES/0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -From ae057df0222e6e1dd1556436fad93b669da8f653 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 30 Nov 2021 14:54:20 -0500 -Subject: [PATCH 08/10] v1.1.0: fix(ipset): reduce cost of entry overlap - detection - -This increases peak memory usage to reduce the duration it takes to -apply the set entries. Building the list of IPv4Network objects up front -means we don't have to build them multiple times inside the for loop. - -Fixes: #881 -(cherry picked from commit 7f5b736378c0133f46470c42e0c1fb3b95087de5) ---- - src/firewall/client.py | 10 ++++------ - src/firewall/core/fw_ipset.py | 9 +++------ - src/firewall/core/ipset.py | 27 ++++++++++++++++++++++----- - src/firewall/server/config_ipset.py | 10 ++++------ - 4 files changed, 33 insertions(+), 23 deletions(-) - -diff --git a/src/firewall/client.py b/src/firewall/client.py -index 3715ffd29316..fdc88ac7946b 100644 ---- a/src/firewall/client.py -+++ b/src/firewall/client.py -@@ -34,7 +34,8 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU - from firewall.dbus_utils import dbus_to_python - from firewall.functions import b2u - from firewall.core.rich import Rich_Rule --from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing -+from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing, \ -+ check_for_overlapping_entries - from firewall import errors - from firewall.errors import FirewallError - -@@ -1617,11 +1618,8 @@ class FirewallClientIPSetSettings(object): - if "timeout" in self.settings[4] and \ - self.settings[4]["timeout"] != "0": - raise FirewallError(errors.IPSET_WITH_TIMEOUT) -- _entries = set() -- for _entry in dbus_to_python(entries, list): -- check_entry_overlaps_existing(_entry, _entries) -- _entries.add(normalize_ipset_entry(_entry)) -- self.settings[5] = list(_entries) -+ check_for_overlapping_entries(entries) -+ self.settings[5] = entries - @handle_exceptions - def addEntry(self, entry): - if 
"timeout" in self.settings[4] and \ -diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py -index 711c86a062be..d4bf99eaadcc 100644 ---- a/src/firewall/core/fw_ipset.py -+++ b/src/firewall/core/fw_ipset.py -@@ -25,7 +25,8 @@ __all__ = [ "FirewallIPSet" ] - - from firewall.core.logger import log - from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \ -- normalize_ipset_entry, check_entry_overlaps_existing -+ normalize_ipset_entry, check_entry_overlaps_existing, \ -+ check_for_overlapping_entries - from firewall.core.io.ipset import IPSet - from firewall import errors - from firewall.errors import FirewallError -@@ -242,11 +243,7 @@ class FirewallIPSet(object): - def set_entries(self, name, entries): - obj = self.get_ipset(name, applied=True) - -- _entries = set() -- for _entry in entries: -- check_entry_overlaps_existing(_entry, _entries) -- _entries.add(normalize_ipset_entry(_entry)) -- entries = list(_entries) -+ check_for_overlapping_entries(entries) - - for entry in entries: - IPSet.check_entry(entry, obj.options, obj.type) -diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py -index d6defa395241..66ea4335536d 100644 ---- a/src/firewall/core/ipset.py -+++ b/src/firewall/core/ipset.py -@@ -309,9 +309,26 @@ def check_entry_overlaps_existing(entry, entries): - if len(entry.split(",")) > 1: - return - -+ try: -+ entry_network = ipaddress.ip_network(entry, strict=False) -+ except ValueError: -+ # could not parse the new IP address, maybe a MAC -+ return -+ - for itr in entries: -- try: -- if ipaddress.ip_network(itr, strict=False).overlaps(ipaddress.ip_network(entry, strict=False)): -- raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(itr, entry)) -- except ValueError: -- pass -+ if entry_network.overlaps(ipaddress.ip_network(itr, strict=False)): -+ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(entry, itr)) 
-+ -+def check_for_overlapping_entries(entries): -+ """ Check if any entry overlaps any entry in the list of entries """ -+ try: -+ entries = [ipaddress.ip_network(x, strict=False) for x in entries] -+ except ValueError: -+ # at least one entry can not be parsed -+ return -+ -+ while entries: -+ entry = entries.pop() -+ for itr in entries: -+ if entry.overlaps(itr): -+ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr)) -diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py -index f33c2a02926f..499ffcb9227a 100644 ---- a/src/firewall/server/config_ipset.py -+++ b/src/firewall/server/config_ipset.py -@@ -34,7 +34,8 @@ from firewall.dbus_utils import dbus_to_python, \ - dbus_introspection_add_properties - from firewall.core.io.ipset import IPSet - from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry, \ -- check_entry_overlaps_existing -+ check_entry_overlaps_existing, \ -+ check_for_overlapping_entries - from firewall.core.logger import log - from firewall.server.decorators import handle_exceptions, \ - dbus_handle_exceptions, dbus_service_method -@@ -407,11 +408,8 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): - in_signature='as') - @dbus_handle_exceptions - def setEntries(self, entries, sender=None): -- _entries = set() -- for _entry in dbus_to_python(entries, list): -- check_entry_overlaps_existing(_entry, _entries) -- _entries.add(normalize_ipset_entry(_entry)) -- entries = list(_entries) -+ entries = dbus_to_python(entries, list) -+ check_for_overlapping_entries(entries) - log.debug1("%s.setEntries('[%s]')", self._log_prefix, - ",".join(entries)) - self.parent.accessCheck(sender) --- -2.39.1 - diff --git a/SOURCES/0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch b/SOURCES/0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch deleted file mode 100644 index f151ea5..0000000 
--- a/SOURCES/0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 885d308c1457e9ea0d839d852dd98a1c134b448c Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 30 Nov 2021 14:50:17 -0500 -Subject: [PATCH 09/10] v1.1.0: test(ipset): huge set of entries benchmark - -Coverage: #881 -(cherry picked from commit 114936c71ab1b12a5598d06805b7e9e13f7ee190) ---- - src/tests/regression/gh881.at | 25 +++++++++++++++++++++++++ - src/tests/regression/regression.at | 1 + - 2 files changed, 26 insertions(+) - create mode 100644 src/tests/regression/gh881.at - -diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at -new file mode 100644 -index 000000000000..c7326805b555 ---- /dev/null -+++ b/src/tests/regression/gh881.at -@@ -0,0 +1,25 @@ -+FWD_START_TEST([ipset entry overlap detect perf]) -+AT_KEYWORDS(ipset gh881) -+ -+dnl build a large ipset -+dnl -+AT_DATA([./deny_cidr], []) -+NS_CHECK([sh -c ' -+for I in $(seq 10); do -+ for J in $(seq 250); do -+ echo "10.${I}.${J}.0/24" >> ./deny_cidr -+ done -+done -+']) -+ -+dnl verify non-overlapping does not error -+dnl -+FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore]) -+NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore]) -+ -+dnl verify overlap detection actually detects an overlap -+dnl -+NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr]) -+NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore]) -+ -+FWD_END_TEST() -diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at -index 104f784cbe93..143298d3235f 100644 ---- a/src/tests/regression/regression.at -+++ b/src/tests/regression/regression.at -@@ -50,3 +50,4 @@ m4_include([regression/gh874.at]) - m4_include([regression/service_includes_for_builtin.at]) - m4_include([regression/rhbz2181406.at]) - m4_include([regression/ipset_scale.at]) 
-+m4_include([regression/gh881.at]) --- -2.39.1 - diff --git a/SOURCES/0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch b/SOURCES/0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch deleted file mode 100644 index 748d7b9..0000000 --- a/SOURCES/0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -From d8d6d313acd50aa1c87c42fb7a7334b01c516227 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 25 Jan 2022 09:29:32 -0500 -Subject: [PATCH 10/10] v1.1.0: fix(ipset): further reduce cost of entry - overlap detection - -This makes the complexity linear by sorting the networks ahead of time. - -Fixes: #881 -Fixes: rhbz2043289 -(cherry picked from commit 36c170db265265e838a089858be4b20dbbd582eb) ---- - src/firewall/core/ipset.py | 59 ++++++++++++++++++++++++++++++++--- - src/tests/regression/gh881.at | 42 ++++++++++++++++++++++--- - 2 files changed, 92 insertions(+), 9 deletions(-) - -diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py -index 66ea4335536d..b160d8345669 100644 ---- a/src/firewall/core/ipset.py -+++ b/src/firewall/core/ipset.py -@@ -327,8 +327,57 @@ def check_for_overlapping_entries(entries): - # at least one entry can not be parsed - return - -- while entries: -- entry = entries.pop() -- for itr in entries: -- if entry.overlaps(itr): -- raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr)) -+ # We can take advantage of some facts of IPv4Network/IPv6Network and -+ # how Python sorts the networks to quickly detect overlaps. -+ # -+ # Facts: -+ # -+ # 1. IPv{4,6}Network are normalized to remove host bits, e.g. -+ # 10.1.1.0/16 will become 10.1.0.0/16. -+ # -+ # 2. IPv{4,6}Network objects are sorted by: -+ # a. IP address (network bits) -+ # then -+ # b. netmask (significant bits count) -+ # -+ # Because of the above we have these properties: -+ # -+ # 1. big networks (netA) are sorted before smaller networks (netB) -+ # that overlap the big network (netA) -+ # - e.g. 10.1.128.0/17 (netA) sorts before 10.1.129.0/24 (netB) -+ # 2. same value addresses (network bits) are grouped together even -+ # if the number of network bits vary. e.g. /16 vs /24 -+ # - recall that address are normalized to remove host bits -+ # - e.g. 
10.1.128.0/17 (netA) sorts before 10.1.128.0/24 (netC) -+ # 3. non-overlapping networks (netD, netE) are always sorted before or -+ # after networks that overlap (netB, netC) the current one (netA) -+ # - e.g. 10.1.128.0/17 (netA) sorts before 10.2.128.0/16 (netD) -+ # - e.g. 10.1.128.0/17 (netA) sorts after 9.1.128.0/17 (netE) -+ # - e.g. 9.1.128.0/17 (netE) sorts before 10.1.129.0/24 (netB) -+ # -+ # With this we know the sorted list looks like: -+ # -+ # list: [ netE, netA, netB, netC, netD ] -+ # -+ # netE = non-overlapping network -+ # netA = big network -+ # netB = smaller network that overlaps netA (subnet) -+ # netC = smaller network that overlaps netA (subnet) -+ # netD = non-overlapping network -+ # -+ # If networks netB and netC exist in the list, they overlap and are -+ # adjacent to netA. -+ # -+ # Checking for overlaps on a sorted list is thus: -+ # -+ # 1. compare adjacent elements in the list for overlaps -+ # -+ # Recall that we only need to detect a single overlap. We do not need to -+ # detect them all. 
-+ # -+ entries.sort() -+ prev_network = entries.pop(0) -+ for current_network in entries: -+ if prev_network.overlaps(current_network): -+ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(prev_network, current_network)) -+ prev_network = current_network -diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at -index c7326805b555..a5cf7e4eb912 100644 ---- a/src/tests/regression/gh881.at -+++ b/src/tests/regression/gh881.at -@@ -5,21 +5,55 @@ dnl build a large ipset - dnl - AT_DATA([./deny_cidr], []) - NS_CHECK([sh -c ' --for I in $(seq 10); do -+for I in $(seq 250); do - for J in $(seq 250); do - echo "10.${I}.${J}.0/24" >> ./deny_cidr - done - done - ']) -+NS_CHECK([echo "10.254.0.0/16" >> ./deny_cidr]) - - dnl verify non-overlapping does not error - dnl - FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore]) --NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore]) -+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore]) -+ -+dnl still no overlap -+dnl -+AT_DATA([./deny_cidr], [ -+9.0.0.0/8 -+11.1.0.0/16 -+]) -+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore]) - - dnl verify overlap detection actually detects an overlap - dnl --NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr]) --NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore]) -+AT_DATA([./deny_cidr], [ -+10.1.0.0/16 -+10.2.0.0/16 -+10.250.0.0/16 -+]) -+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore]) -+ -+AT_DATA([./deny_cidr], [ -+10.253.0.0/16 -+10.253.128.0/17 -+]) -+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set 
--add-entries-from-file=./deny_cidr], 136, [ignore], [ignore]) -+ -+AT_DATA([./deny_cidr], [ -+10.1.1.1/32 -+]) -+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore]) -+ -+AT_DATA([./deny_cidr], [ -+10.0.0.0/8 -+10.0.0.0/25 -+]) -+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore]) -+ -+dnl empty file, no additions, but previous ones will remain -+AT_DATA([./deny_cidr], []) -+FWD_CHECK([--permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore]) - - FWD_END_TEST() --- -2.39.1 - diff --git a/SOURCES/0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch b/SOURCES/0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch deleted file mode 100644 index 3cee2c5..0000000 --- a/SOURCES/0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From e9e1edef3af8bd1a6b7c27fdd2d580e2f1571440 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?= -Date: Sun, 28 Aug 2022 10:25:33 +0200 -Subject: [PATCH 11/17] v1.1.0: fix(ipset): exception on overlap checking empty - set - -In the case of --remove-entries-from-file, check_for_overlapping_entries -can be called with no entry in input, which fails with an exception. - -Fixes: rhbz2121985 -(cherry picked from commit 1ea554e6263ed21aa9ae6e5f0abb629d53b4a7bc) ---- - src/firewall/core/ipset.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py -index b160d8345669..d8e0a1ab1e56 100644 ---- a/src/firewall/core/ipset.py -+++ b/src/firewall/core/ipset.py -@@ -327,6 +327,9 @@ def check_for_overlapping_entries(entries): - # at least one entry can not be parsed - return - -+ if len(entries) == 0: -+ return -+ - # We can take advantage of some facts of IPv4Network/IPv6Network and - # how Python sorts the networks to quickly detect overlaps. - # --- -2.39.3 - diff --git a/SOURCES/0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch b/SOURCES/0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch deleted file mode 100644 index 9d3122c..0000000 --- a/SOURCES/0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From a7b4212df4e1aa05d8dcb8fd4cf5e353a84d3481 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Mon, 29 Aug 2022 08:37:50 -0400
-Subject: [PATCH 12/17] v1.1.0: test(ipset): verify --remove-entries-from-file
-
-Specifically if it results in an empty set.
-
-Coverage: rhbz2121985
-(cherry picked from commit edea40189e10d3f7777e69746592fb5e2e0e36ea)
----
- src/tests/regression/gh1011.at | 15 +++++++++++++++
- src/tests/regression/regression.at | 1 +
- 2 files changed, 16 insertions(+)
- create mode 100644 src/tests/regression/gh1011.at
-
-diff --git a/src/tests/regression/gh1011.at b/src/tests/regression/gh1011.at
-new file mode 100644
-index 000000000000..037ab70648eb
---- /dev/null
-+++ b/src/tests/regression/gh1011.at
-@@ -0,0 +1,15 @@
-+FWD_START_TEST([remove entries results in empty])
-+AT_KEYWORDS(ipset gh1011 rhbz2121985)
-+
-+FWD_CHECK([--permanent --new-ipset foobar --type hash:net], 0, [ignore])
-+AT_DATA([./empty], [dnl
-+10.10.10.0/24
-+])
-+FWD_CHECK([--permanent --ipset foobar --add-entry 10.10.10.0/24], 0, [ignore])
-+FWD_CHECK([--permanent --ipset foobar --remove-entries-from-file ./empty], 0, [ignore])
-+
-+FWD_RELOAD()
-+FWD_CHECK([--ipset foobar --add-entry 10.10.10.0/24], 0, [ignore])
-+FWD_CHECK([--ipset foobar --remove-entries-from-file ./empty], 0, [ignore])
-+
-+FWD_END_TEST()
-diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
-index 143298d3235f..889c66dd175d 100644
---- a/src/tests/regression/regression.at
-+++ b/src/tests/regression/regression.at
-@@ -51,3 +51,4 @@ m4_include([regression/service_includes_for_builtin.at])
- m4_include([regression/rhbz2181406.at])
- m4_include([regression/ipset_scale.at])
- m4_include([regression/gh881.at])
-+m4_include([regression/gh1011.at])
---
-2.39.3
-
diff --git a/SOURCES/0013-v1.2.0-fix-ipset-fix-configuring-IP-range-for-ipsets.patch b/SOURCES/0013-v1.2.0-fix-ipset-fix-configuring-IP-range-for-ipsets.patch
deleted file mode 100644
index 4de35a1..0000000
--- a/SOURCES/0013-v1.2.0-fix-ipset-fix-configuring-IP-range-for-ipsets.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 90412a5fae831dcb1a8c9d9f4a798efabcc46567 Mon Sep 17 00:00:00 2001
-From: Thomas Haller
-Date: Tue, 11 Jul 2023 15:26:56 +0200
-Subject: [PATCH 13/17] v1.2.0: fix(ipset): fix configuring IP range for ipsets
- with nftables
-
-Setting an IP range with nftables did not work:
-
- firewall-cmd --permanent --delete-ipset=testipset || :
- firewall-cmd --permanent --delete-zone=testzone || :
-
- ENTRY=1.1.1.1-1.1.1.10
-
- firewall-cmd --permanent --new-ipset=testipset --type=hash:ip
- firewall-cmd --permanent --ipset=testipset --add-entry="$ENTRY"
- firewall-cmd --permanent --info-ipset=testipset
- firewall-cmd --permanent --new-zone=testzone
- firewall-cmd --permanent --zone=testzone --add-rich-rule='rule family="ipv4" source ipset="testipset" service name="ssh" accept'
-
- firewall-cmd --reload &
-
-This would generate the following JSON request:
-
- {
- "add": {
- "element": {
- "family": "inet",
- "table": "firewalld",
- "name": "testipset",
- "elem": [
- "1.1.1.1-1.1.1.10"
- ]
- }
- }
- }
-
-libnftables will try to resolve "1.1.1.1-1.1.1.10" via getaddrinfo(). Calling
-getaddrinfo() to resolve names is bound to fail, and it blocks the process for
-a very long time. libnftables should not block the calling process ([1]).
-
-We need to generate the correct JSON request, which is
-
- {
- "add": {
- "element": {
- "family": "inet",
- "table": "firewalld",
- "name": "testipset",
- "elem": [
- {
- "range": [
- "1.1.1.1",
- "1.1.1.10"
- ]
- }
- ]
- }
- }
- }
-
-This is an ugly fix, because the parsing of ipset entries is duplicated
-and inconsistent. A better solution for that shall follow.
-
-[1] https://marc.info/?l=netfilter-devel&m=168901121103612
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2028748
-
-Fixes: 1582c5dd736a ('feat: nftables: convert to libnftables JSON interface')
-(cherry picked from commit 4db89e316f2d60f3cf856a7025a96a61e40b1e5a)
----
- src/firewall/core/nftables.py | 27 +++++++++++++++------------
- src/tests/cli/firewall-cmd.at | 4 ++--
- 2 files changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 19a649aaaa71..2764bcf93645 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -1850,19 +1850,22 @@ class nftables(object):
- fragment.append({"range": [port_str[:index], port_str[index+1:]]})
-
- elif type_format[i] in ["ip", "net"]:
-- try:
-- index = entry_tokens[i].index("/")
-- except ValueError:
-- addr = entry_tokens[i]
-- if "family" in obj.options and obj.options["family"] == "inet6":
-- addr = normalizeIP6(addr)
-- fragment.append(addr)
-+ if '-' in entry_tokens[i]:
-+ fragment.append({"range": entry_tokens[i].split('-') })
- else:
-- addr = entry_tokens[i][:index]
-- if "family" in obj.options and obj.options["family"] == "inet6":
-- addr = normalizeIP6(addr)
-- fragment.append({"prefix": {"addr": addr,
-- "len": int(entry_tokens[i][index+1:])}})
-+ try:
-+ index = entry_tokens[i].index("/")
-+ except ValueError:
-+ addr = entry_tokens[i]
-+ if "family" in obj.options and obj.options["family"] == "inet6":
-+ addr = normalizeIP6(addr)
-+ fragment.append(addr)
-+ else:
-+ addr = entry_tokens[i][:index]
-+ if "family" in obj.options and obj.options["family"] == "inet6":
-+ addr = normalizeIP6(addr)
-+ fragment.append({"prefix": {"addr": addr,
-+ "len": int(entry_tokens[i][index+1:])}})
- else:
- fragment.append(entry_tokens[i])
- return [{"concat": fragment}] if len(type_format) > 1 else fragment
-diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
-index 47bdd81f5194..c4ab3108d37c 100644
----
a/src/tests/cli/firewall-cmd.at
-+++ b/src/tests/cli/firewall-cmd.at
-@@ -908,7 +908,7 @@ FWD_START_TEST([ipset])
-
- dnl multi dimensional sets
- FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
-- FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,1234], 0, ignore)
-+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10-10.10.10.12,1234], 0, ignore)
- FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,2000-2100], 0, ignore)
- FWD_RELOAD
- NFT_LIST_SET([foobar], 0, [dnl
-@@ -916,7 +916,7 @@ FWD_START_TEST([ipset])
- set foobar {
- type ipv4_addr . inet_proto . inet_service
- flags interval
-- elements = { 10.10.10.10 . tcp . 1234,
-+ elements = { 10.10.10.10-10.10.10.12 . tcp . 1234,
- 10.10.10.10 . tcp . 2000-2100 }
- }
- }
---
-2.39.3
-
diff --git a/SOURCES/0014-v1.2.0-chore-nftables-add-delete-table-helper.patch b/SOURCES/0014-v1.2.0-chore-nftables-add-delete-table-helper.patch
deleted file mode 100644
index 5f34719..0000000
--- a/SOURCES/0014-v1.2.0-chore-nftables-add-delete-table-helper.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 08f76e2aa6d7ca35cfb626f20ace1f9036cda3a0 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Mon, 14 Aug 2023 09:13:29 -0400
-Subject: [PATCH 14/17] v1.2.0: chore(nftables): add delete table helper
-
-This is to workaround an nftables issue where using the "delete" verb on
-a table that does not exist will throw ENOENT. We can't use the newer
-"destroy" verb because it's too new to rely upon.
-
-A simple hack is to always add the table before deleting it. The "add"
-is ignored if the table already exists.
-
-(cherry picked from commit 8be561d26931832f000526cc41293700faa6c877)
----
- src/firewall/core/nftables.py | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 2764bcf93645..1959bdce73be 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -396,6 +396,20 @@ class nftables(object):
- # Tables always exist in nftables
- return [table] if table else IPTABLES_TO_NFT_HOOK.keys()
-
-+ def _build_delete_table_rules(self, table):
-+ # To avoid nftables returning ENOENT we always add the table before
-+ # deleting to guarantee it will exist.
-+ #
-+ # In the future, this add+delete should be replaced with "destroy", but
-+ # that verb is too new to rely upon.
-+ rules = []
-+ for family in ["inet", "ip", "ip6"]:
-+ rules.append({"add": {"table": {"family": family,
-+ "name": table}}})
-+ rules.append({"delete": {"table": {"family": family,
-+ "name": table}}})
-+ return rules
-+
- def build_flush_rules(self):
- # Policy is stashed in a separate table that we're _not_ going to
- # flush. As such, we retain the policy rule handles and ref counts.
---
-2.39.3
-
diff --git a/SOURCES/0015-v1.2.0-fix-nftables-always-flush-main-table-on-start.patch b/SOURCES/0015-v1.2.0-fix-nftables-always-flush-main-table-on-start.patch
deleted file mode 100644
index 9ac7b6f..0000000
--- a/SOURCES/0015-v1.2.0-fix-nftables-always-flush-main-table-on-start.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0704ea3fef79cc1532f913ac1598e297016e1905 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Thu, 10 Aug 2023 08:43:03 -0400
-Subject: [PATCH 15/17] v1.2.0: fix(nftables): always flush main table on start
-
-On start created_tables will not contain the main "firewalld" table so a
-flush command is not issued. We should always attempt to flush. If
-CleanupOnExit=no, then not flushing causes duplicate rules on restart.
-
-Fixes: rhbz2222044
-(cherry picked from commit 6a155ea7195f2c720625e2452afa41544b4b4227)
----
- src/firewall/core/nftables.py | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 1959bdce73be..e3e06d75f663 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -427,13 +427,11 @@ class nftables(object):
- self.policy_priority_counts = {}
- self.zone_source_index_cache = {}
-
-- rules = []
- for family in ["inet", "ip", "ip6"]:
- if TABLE_NAME in self.created_tables[family]:
-- rules.append({"delete": {"table": {"family": family,
-- "name": TABLE_NAME}}})
- self.created_tables[family].remove(TABLE_NAME)
-- return rules
-+
-+ return self._build_delete_table_rules(TABLE_NAME)
-
- def _build_set_policy_rules_ct_rules(self, enable):
- add_del = { True: "add", False: "delete" }[enable]
---
-2.39.3
-
diff --git a/SOURCES/0016-v1.2.0-test-CleanUpOnExit-verify-restart-does-not-du.patch b/SOURCES/0016-v1.2.0-test-CleanUpOnExit-verify-restart-does-not-du.patch
deleted file mode 100644
index 5c18204..0000000
--- a/SOURCES/0016-v1.2.0-test-CleanUpOnExit-verify-restart-does-not-du.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 8c79246dbc5b8945c22b313ad51be698f2b61316 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Wed, 9 Aug 2023 14:39:08 -0400
-Subject: [PATCH 16/17] v1.2.0: test(CleanUpOnExit): verify restart does not
- duplicate rules
-
-Coverage: rhbz2222044
-(cherry picked from commit c66e752a00c05a5afa58904850d244f50528059e)
----
- src/tests/regression/regression.at | 1 +
- src/tests/regression/rhbz2222044.at | 50 +++++++++++++++++++++++++++++
- 2 files changed, 51 insertions(+)
- create mode 100644 src/tests/regression/rhbz2222044.at
-
-diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
-index 889c66dd175d..bc9aeb1a8624 100644
---- a/src/tests/regression/regression.at
-+++ b/src/tests/regression/regression.at
-@@ -52,3 +52,4 @@ m4_include([regression/rhbz2181406.at])
- m4_include([regression/ipset_scale.at])
- m4_include([regression/gh881.at])
- m4_include([regression/gh1011.at])
-+m4_include([regression/rhbz2222044.at])
-diff --git a/src/tests/regression/rhbz2222044.at b/src/tests/regression/rhbz2222044.at
-new file mode 100644
-index 000000000000..9f3b1615b2f9
---- /dev/null
-+++ b/src/tests/regression/rhbz2222044.at
-@@ -0,0 +1,50 @@
-+FWD_START_TEST([duplicate rules after restart])
-+AT_KEYWORDS(rhbz2222044)
-+AT_SKIP_IF([!
NS_CMD([command -v wc >/dev/null 2>&1])]) -+ -+dnl rules have not changed so rule count should not change -+m4_define([check_rule_count], [ -+m4_if(nftables, FIREWALL_BACKEND, [ -+NS_CHECK([nft list table inet firewalld | wc -l], 0, [dnl -+237 -+]) -+NS_CHECK([nft list table ip firewalld | wc -l], 0, [dnl -+105 -+]) -+NS_CHECK([nft list table ip6 firewalld | wc -l], 0, [dnl -+105 -+]) -+], [ dnl iptables -+NS_CHECK([iptables-save | wc -l], 0, [dnl -+256 -+]) -+])]) -+ -+dnl -------------------------- -+dnl -------------------------- -+ -+AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=yes/' ./firewalld.conf]) -+FWD_RELOAD() -+ -+check_rule_count() -+FWD_RESTART() -+check_rule_count() -+ -+check_rule_count() -+FWD_RELOAD() -+check_rule_count() -+ -+dnl Now do it again, but with CleanupOnExit=no -+AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf]) -+FWD_RELOAD() -+ -+check_rule_count() -+FWD_RESTART() -+check_rule_count() -+ -+check_rule_count() -+FWD_RELOAD() -+check_rule_count() -+ -+m4_undefine([check_rule_count]) -+FWD_END_TEST() --- -2.39.3 - diff --git a/SOURCES/0017-v1.2.0-chore-nftables-policy-use-delete-table-helper.patch b/SOURCES/0017-v1.2.0-chore-nftables-policy-use-delete-table-helper.patch deleted file mode 100644 index 8bb305d..0000000 --- a/SOURCES/0017-v1.2.0-chore-nftables-policy-use-delete-table-helper.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 2ca79f8ebbadcf39f9b378b7fd296fcef13a4c54 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Mon, 14 Aug 2023 09:21:17 -0400
-Subject: [PATCH 17/17] v1.2.0: chore(nftables): policy: use delete table
- helper
-
-Use the new table delete helper when deleting the policy table.
-
-(cherry picked from commit a291a5d2f03711c2c6b0079128626204229ad79e)
----
- src/firewall/core/nftables.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index e3e06d75f663..2a13b2678a94 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -489,9 +489,9 @@ class nftables(object):
- if policy_key in self.rule_to_handle:
- rules.append(rule)
-
-+ rules += self._build_delete_table_rules(TABLE_NAME_POLICY)
-+
- if TABLE_NAME_POLICY in self.created_tables["inet"]:
-- rules.append({"delete": {"table": {"family": "inet",
-- "name": TABLE_NAME_POLICY}}})
- self.created_tables["inet"].remove(TABLE_NAME_POLICY)
- else:
- FirewallError(UNKNOWN_ERROR, "not implemented")
---
-2.39.3
-
diff --git a/SOURCES/0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch b/SOURCES/0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch
deleted file mode 100644
index 3d5e0a1..0000000
--- a/SOURCES/0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch
+++ /dev/null
@@ -1,242 +0,0 @@ -From 0715e07a68d50d33797a724d24157a96afee3de6 Mon Sep 17 00:00:00 2001 -From: Derek Dai -Date: Tue, 10 Nov 2020 20:37:36 +0800 -Subject: [PATCH 18/26] v1.0.0: feat(rich): support using ipset in destination - -Fixes: #706 -Closes: #711 -(cherry picked from commit 286d00031f431f3c3d0f94028975a409e78be8c8) ---- - doc/xml/firewalld.richlanguage.xml | 2 +- - src/firewall/core/io/policy.py | 21 ++++++++++---- - src/firewall/core/io/zone.py | 4 +-- - src/firewall/core/ipXtables.py | 25 +++++++++++------ - src/firewall/core/nftables.py | 7 ++++- - src/firewall/core/rich.py | 44 ++++++++++++++++++++++-------- - 6 files changed, 74 insertions(+), 29 deletions(-) - -diff --git a/doc/xml/firewalld.richlanguage.xml b/doc/xml/firewalld.richlanguage.xml -index e336bfd0b464..19bd038fc1fd 100644 ---- a/doc/xml/firewalld.richlanguage.xml -+++ b/doc/xml/firewalld.richlanguage.xml -@@ -129,7 +129,7 @@ source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset" - Destination - - --destination [not] address="address[/mask]" -+destination [not] address="address[/mask]"|ipset="ipset" - - With the destination address the target can be limited to the destination address. The destination address is using the same syntax as the source address. 
- -diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py -index c543aa1b42a6..3b951545e975 100644 ---- a/src/firewall/core/io/policy.py -+++ b/src/firewall/core/io/policy.py -@@ -186,11 +186,18 @@ def common_startElement(obj, name, attrs): - str(obj._rule)) - return True - invert = False -+ address = None -+ if "address" in attrs: -+ address = attrs["address"] -+ ipset = None -+ if "ipset" in attrs: -+ ipset = attrs["ipset"] - if "invert" in attrs and \ - attrs["invert"].lower() in [ "yes", "true" ]: - invert = True -- obj._rule.destination = rich.Rich_Destination(attrs["address"], -- invert) -+ obj._rule.destination = rich.Rich_Destination(address, -+ ipset, -+ invert) - - elif name in [ "accept", "reject", "drop", "mark" ]: - if not obj._rule: -@@ -447,7 +454,11 @@ def common_writer(obj, handler): - - # destination - if rule.destination: -- attrs = { "address": rule.destination.addr } -+ attrs = { } -+ if rule.destination.addr: -+ attrs["address"] = rule.destination.addr -+ if rule.destination.ipset: -+ attrs["ipset"] = rule.destination.ipset - if rule.destination.invert: - attrs["invert"] = "True" - handler.ignorableWhitespace(" ") -@@ -607,7 +618,7 @@ class Policy(IO_Object): - "forward-port": [ "port", "protocol" ], - "rule": None, - "source": None, -- "destination": [ "address" ], -+ "destination": None, - "protocol": [ "value" ], - "source-port": [ "port", "protocol" ], - "log": None, -@@ -625,7 +636,7 @@ class Policy(IO_Object): - "forward-port": [ "to-port", "to-addr" ], - "rule": [ "family", "priority" ], - "source": [ "address", "mac", "invert", "family", "ipset" ], -- "destination": [ "invert" ], -+ "destination": [ "address", "invert", "ipset" ], - "log": [ "prefix", "level" ], - "reject": [ "type" ], - } -diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py -index 4291ec9cba00..0c419ee0f2bd 100644 ---- a/src/firewall/core/io/zone.py -+++ b/src/firewall/core/io/zone.py -@@ -73,7 +73,7 @@ class Zone(IO_Object): 
- "interface": [ "name" ], - "rule": None, - "source": None, -- "destination": [ "address" ], -+ "destination": None, - "protocol": [ "value" ], - "source-port": [ "port", "protocol" ], - "log": None, -@@ -91,7 +91,7 @@ class Zone(IO_Object): - "forward-port": [ "to-port", "to-addr" ], - "rule": [ "family", "priority" ], - "source": [ "address", "mac", "invert", "family", "ipset" ], -- "destination": [ "invert" ], -+ "destination": [ "address", "invert", "ipset" ], - "log": [ "prefix", "level" ], - "reject": [ "type" ], - } -diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py -index cf6c6e03e7ad..401377104ce1 100644 ---- a/src/firewall/core/ipXtables.py -+++ b/src/firewall/core/ipXtables.py -@@ -1093,15 +1093,22 @@ class ip4tables(object): - return [] - - rule_fragment = [] -- if rich_dest.invert: -- rule_fragment.append("!") -- if check_single_address("ipv6", rich_dest.addr): -- rule_fragment += [ "-d", normalizeIP6(rich_dest.addr) ] -- elif check_address("ipv6", rich_dest.addr): -- addr_split = rich_dest.addr.split("/") -- rule_fragment += [ "-d", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ] -- else: -- rule_fragment += [ "-d", rich_dest.addr ] -+ if rich_dest.addr: -+ if rich_dest.invert: -+ rule_fragment.append("!") -+ if check_single_address("ipv6", rich_dest.addr): -+ rule_fragment += [ "-d", normalizeIP6(rich_dest.addr) ] -+ elif check_address("ipv6", rich_dest.addr): -+ addr_split = rich_dest.addr.split("/") -+ rule_fragment += [ "-d", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ] -+ else: -+ rule_fragment += [ "-d", rich_dest.addr ] -+ elif rich_dest.ipset: -+ rule_fragment += [ "-m", "set" ] -+ if rich_dest.invert: -+ rule_fragment.append("!") -+ flags = self._fw.zone._ipset_match_flags(rich_dest.ipset, "dst") -+ rule_fragment += [ "--match-set", rich_dest.ipset, flags ] - - return rule_fragment - -diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py -index 2a13b2678a94..d238451ebd5d 100644 ---- 
a/src/firewall/core/nftables.py -+++ b/src/firewall/core/nftables.py -@@ -1253,7 +1253,12 @@ class nftables(object): - def _rich_rule_destination_fragment(self, rich_dest): - if not rich_dest: - return {} -- return self._rule_addr_fragment("daddr", rich_dest.addr, invert=rich_dest.invert) -+ if rich_dest.addr: -+ address = rich_dest.addr -+ elif rich_dest.ipset: -+ address = "ipset:" + rich_dest.ipset -+ -+ return self._rule_addr_fragment("daddr", address, invert=rich_dest.invert) - - def _rich_rule_source_fragment(self, rich_source): - if not rich_source: -diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py -index 03bc194c2b28..6a03eeca5d8a 100644 ---- a/src/firewall/core/rich.py -+++ b/src/firewall/core/rich.py -@@ -63,13 +63,27 @@ class Rich_Source(object): - "no address, mac and ipset") - - class Rich_Destination(object): -- def __init__(self, addr, invert=False): -+ def __init__(self, addr, ipset, invert=False): - self.addr = addr -+ if self.addr == "": -+ self.addr = None -+ self.ipset = ipset -+ if self.ipset == "": -+ self.ipset = None - self.invert = invert -+ if self.addr is None and self.ipset is None: -+ raise FirewallError(errors.INVALID_RULE, -+ "no address and ipset") - - def __str__(self): -- return 'destination %saddress="%s"' % ("not " if self.invert else "", -- self.addr) -+ ret = 'destination%s ' % (" NOT" if self.invert else "") -+ if self.addr is not None: -+ return ret + 'address="%s"' % self.addr -+ elif self.ipset is not None: -+ return ret + 'ipset="%s"' % self.ipset -+ else: -+ raise FirewallError(errors.INVALID_RULE, -+ "no address and ipset") - - class Rich_Service(object): - def __init__(self, name): -@@ -404,12 +418,12 @@ class Rich_Rule(object): - attrs.clear() - index = index -1 # return token to input - elif in_element == 'destination': -- if attr_name in ['address', 'invert']: -+ if attr_name in ['address', 'ipset', 'invert']: - attrs[attr_name] = attr_value - elif element in ['not', 'NOT']: - attrs['invert'] = True 
- else: -- self.destination = Rich_Destination(attrs.get('address'), attrs.get('invert')) -+ self.destination = Rich_Destination(attrs.get('address'), attrs.get('ipset'), attrs.get('invert', False)) - in_elements.pop() # destination - attrs.clear() - index = index -1 # return token to input -@@ -587,12 +601,20 @@ class Rich_Rule(object): - - # destination - if self.destination is not None: -- if self.family is None: -- raise FirewallError(errors.INVALID_FAMILY) -- if self.destination.addr is None or \ -- not functions.check_address(self.family, -- self.destination.addr): -- raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr)) -+ if self.destination.addr is not None: -+ if self.family is None: -+ raise FirewallError(errors.INVALID_FAMILY) -+ if self.destination.ipset is not None: -+ raise FirewallError(errors.INVALID_DESTINATION, "address and ipset") -+ if not functions.check_address(self.family, self.destination.addr): -+ raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr)) -+ -+ elif self.destination.ipset is not None: -+ if not check_ipset_name(self.destination.ipset): -+ raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset)) -+ -+ else: -+ raise FirewallError(errors.INVALID_RULE, "invalid destination") - - # service - if type(self.element) == Rich_Service: --- -2.43.0 - diff --git a/SOURCES/0019-v1.0.0-test-rich-destination-ipset.patch b/SOURCES/0019-v1.0.0-test-rich-destination-ipset.patch deleted file mode 100644 index cc7e28c..0000000 --- a/SOURCES/0019-v1.0.0-test-rich-destination-ipset.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From cf8a55d1fe769a9e4632fbccf5ae4738ab661421 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Thu, 12 Nov 2020 17:11:58 -0500 -Subject: [PATCH 19/26] v1.0.0: test(rich): destination ipset - -(cherry picked from commit f274bfd0f7bc0e466c42b732e03002e11e99ed88) ---- - src/tests/features/features.at | 1 + - src/tests/features/rich_destination_ipset.at | 30 ++++++++++++++++++++ - 2 files changed, 31 insertions(+) - create mode 100644 src/tests/features/rich_destination_ipset.at - -diff --git a/src/tests/features/features.at b/src/tests/features/features.at -index 2340853aeca7..381bf6dba0e4 100644 ---- a/src/tests/features/features.at -+++ b/src/tests/features/features.at -@@ -13,3 +13,4 @@ m4_include([features/rich_rules.at]) - m4_include([features/icmp_blocks.at]) - m4_include([features/rpfilter.at]) - m4_include([features/zone_combine.at]) -+m4_include([features/rich_destination_ipset.at]) -diff --git a/src/tests/features/rich_destination_ipset.at b/src/tests/features/rich_destination_ipset.at -new file mode 100644 -index 000000000000..c07809141851 ---- /dev/null -+++ b/src/tests/features/rich_destination_ipset.at -@@ -0,0 +1,30 @@ -+FWD_START_TEST([rich destination ipset]) -+AT_KEYWORDS(rich ipset) -+ -+FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, [ignore]) -+FWD_RELOAD -+ -+FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore]) -+FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore]) -+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl -+ table inet firewalld { -+ chain filter_IN_public_allow { -+ tcp dport 22 ct state new,untracked accept -+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept -+ ip daddr @foobar accept -+ } -+ } -+]) -+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl -+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED -+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst -+]) 
-+ -+dnl negative tests -+FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore]) -+FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore]) -+FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore]) -+FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore]) -+ -+FWD_END_TEST([-e '/ERROR: INVALID_RULE: bad attribute/d'dnl -+ -e '/ERROR: INVALID_DESTINATION: address and ipset/d']) --- -2.43.0 - diff --git a/SOURCES/0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch b/SOURCES/0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch deleted file mode 100644 index 5472393..0000000 --- a/SOURCES/0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 63100ca625942e6be2c68422e7a48bc68f8d01c5 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Fri, 13 Nov 2020 13:32:22 -0500 -Subject: [PATCH 20/26] v1.0.0: test(rich): destination ipset: verify policy - support - -(cherry picked from commit fdd120572cd45a6ea2515bc906b89482de6560ea) ---- - src/tests/features/rich_destination_ipset.at | 23 ++++++++++++++++++++ - 1 file changed, 23 insertions(+) - -diff --git a/src/tests/features/rich_destination_ipset.at b/src/tests/features/rich_destination_ipset.at -index c07809141851..3286755d2252 100644 ---- a/src/tests/features/rich_destination_ipset.at -+++ b/src/tests/features/rich_destination_ipset.at -@@ -1,9 +1,14 @@ - FWD_START_TEST([rich destination ipset]) - AT_KEYWORDS(rich ipset) - -+FWD_CHECK([--permanent --new-policy=mypolicy], 0, [ignore]) -+FWD_CHECK([--permanent --policy=mypolicy --add-ingress-zone ANY], 0, [ignore]) -+FWD_CHECK([--permanent --policy=mypolicy --add-egress-zone HOST], 0, [ignore]) -+ - FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, [ignore]) - FWD_RELOAD - -+dnl zone - FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore]) - FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore]) - NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl -@@ -20,11 +25,29 @@ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl - ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst - ]) - -+dnl policy -+FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore]) -+FWD_CHECK([ --policy mypolicy --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore]) -+NFT_LIST_RULES([inet], [filter_IN_policy_mypolicy_allow], 0, [dnl -+ table inet firewalld { -+ chain filter_IN_policy_mypolicy_allow { -+ ip daddr @foobar accept -+ } -+ } -+]) -+IPTABLES_LIST_RULES([filter], [IN_mypolicy_allow], 0, [dnl -+ ACCEPT all 
-- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst -+]) -+ - dnl negative tests - FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore]) - FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore]) - FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore]) - FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore]) -+FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore]) -+FWD_CHECK([ --policy mypolicy --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore]) -+FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore]) -+FWD_CHECK([ --policy mypolicy --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore]) - - FWD_END_TEST([-e '/ERROR: INVALID_RULE: bad attribute/d'dnl - -e '/ERROR: INVALID_DESTINATION: address and ipset/d']) --- -2.43.0 - diff --git a/SOURCES/0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch b/SOURCES/0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch deleted file mode 100644 index 4c829b1..0000000 --- a/SOURCES/0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From b18ab581731a302ddba0428b685360d315293e73 Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Wed, 29 Nov 2023 17:02:07 +0100 -Subject: [PATCH 21/26] v2.1.0: feat(icmp): add ICMPv6 Multicast Listener - Discovery (MLD) types - -Note that ip6tables does not support these ICMPv6 types. Currently, -the name of the ICMP types in firewalld must correspond to the names -in iptables. As ip6tables doesn't support it, it does not. If ip6tables -adds support for "mld-listener-query", but calls it differently, we have -a problem. Nothing that can be done about that. - -`man nft` also lists an alias "mld-listener-reduction" (for -"mld-listener-done", type 132). That alias is not supported. Use the -name as from RFC 4890. - -(cherry picked from commit dd88bbf812e0a50766b69c2bf12470ecf9d2466a) ---- - config/Makefile.am | 4 ++++ - config/icmptypes/mld-listener-done.xml | 7 +++++++ - config/icmptypes/mld-listener-query.xml | 7 +++++++ - config/icmptypes/mld-listener-report.xml | 7 +++++++ - config/icmptypes/mld2-listener-report.xml | 7 +++++++ - po/POTFILES.in | 4 ++++ - src/firewall/core/nftables.py | 4 ++++ - 7 files changed, 40 insertions(+) - create mode 100644 config/icmptypes/mld-listener-done.xml - create mode 100644 config/icmptypes/mld-listener-query.xml - create mode 100644 config/icmptypes/mld-listener-report.xml - create mode 100644 config/icmptypes/mld2-listener-report.xml - -diff --git a/config/Makefile.am b/config/Makefile.am -index f844a5a00e2f..a11c6abae583 100644 ---- a/config/Makefile.am -+++ b/config/Makefile.am -@@ -83,6 +83,10 @@ CONFIG_FILES = \ - icmptypes/host-unknown.xml \ - icmptypes/host-unreachable.xml \ - icmptypes/ip-header-bad.xml \ -+ icmptypes/mld-listener-done.xml \ -+ icmptypes/mld-listener-query.xml \ -+ icmptypes/mld-listener-report.xml \ -+ icmptypes/mld2-listener-report.xml \ - icmptypes/neighbour-advertisement.xml \ - icmptypes/neighbour-solicitation.xml \ - icmptypes/network-prohibited.xml \ -diff --git 
a/config/icmptypes/mld-listener-done.xml b/config/icmptypes/mld-listener-done.xml -new file mode 100644 -index 000000000000..09b8bbba5b90 ---- /dev/null -+++ b/config/icmptypes/mld-listener-done.xml -@@ -0,0 +1,7 @@ -+ -+ -+ MLD Listener Done -+ ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Done (type 132) (RFC 4890 section 4.4.1). Also known as mld-listener-reduction to nft. -+ -+ -+ -diff --git a/config/icmptypes/mld-listener-query.xml b/config/icmptypes/mld-listener-query.xml -new file mode 100644 -index 000000000000..418685578d1d ---- /dev/null -+++ b/config/icmptypes/mld-listener-query.xml -@@ -0,0 +1,7 @@ -+ -+ -+ MLD Listener Query -+ ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Query (type 130) (RFC 4890 section 4.4.1). -+ -+ -+ -diff --git a/config/icmptypes/mld-listener-report.xml b/config/icmptypes/mld-listener-report.xml -new file mode 100644 -index 000000000000..98fb4161b298 ---- /dev/null -+++ b/config/icmptypes/mld-listener-report.xml -@@ -0,0 +1,7 @@ -+ -+ -+ MLD Listener Report -+ ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Report (type 131) (RFC 4890 section 4.4.1). -+ -+ -+ -diff --git a/config/icmptypes/mld2-listener-report.xml b/config/icmptypes/mld2-listener-report.xml -new file mode 100644 -index 000000000000..faee68c95b20 ---- /dev/null -+++ b/config/icmptypes/mld2-listener-report.xml -@@ -0,0 +1,7 @@ -+ -+ -+ MLDv2 Multicast Listener Report -+ ICMPv6 Link-Local Multicast Listener Discovery (MDLv2) of type Multicast Listener Report (type 143) (RFC 4890 section 4.4.1). 
-+ -+ -+ -diff --git a/po/POTFILES.in b/po/POTFILES.in -index 249cff8d0d2f..3bb71fd3d332 100644 ---- a/po/POTFILES.in -+++ b/po/POTFILES.in -@@ -15,6 +15,10 @@ config/icmptypes/host-redirect.xml - config/icmptypes/host-unknown.xml - config/icmptypes/host-unreachable.xml - config/icmptypes/ip-header-bad.xml -+config/icmptypes/mld-listener-done.xml -+config/icmptypes/mld-listener-query.xml -+config/icmptypes/mld-listener-report.xml -+config/icmptypes/mld2-listener-report.xml - config/icmptypes/neighbour-advertisement.xml - config/icmptypes/neighbour-solicitation.xml - config/icmptypes/network-prohibited.xml -diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py -index d238451ebd5d..67fb6457e86c 100644 ---- a/src/firewall/core/nftables.py -+++ b/src/firewall/core/nftables.py -@@ -140,6 +140,10 @@ ICMP_TYPES_FRAGMENTS = { - "echo-reply": _icmp_types_fragments("icmpv6", "echo-reply"), - "echo-request": _icmp_types_fragments("icmpv6", "echo-request"), - "failed-policy": _icmp_types_fragments("icmpv6", "destination-unreachable", 5), -+ "mld-listener-done": _icmp_types_fragments("icmpv6", "mld-listener-done"), -+ "mld-listener-query": _icmp_types_fragments("icmpv6", "mld-listener-query"), -+ "mld-listener-report": _icmp_types_fragments("icmpv6", "mld-listener-report"), -+ "mld2-listener-report": _icmp_types_fragments("icmpv6", "mld2-listener-report"), - "neighbour-advertisement": _icmp_types_fragments("icmpv6", "nd-neighbor-advert"), - "neighbour-solicitation": _icmp_types_fragments("icmpv6", "nd-neighbor-solicit"), - "no-route": _icmp_types_fragments("icmpv6", "destination-unreachable", 0), --- -2.43.0 - diff --git a/SOURCES/0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch b/SOURCES/0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch deleted file mode 100644 index 4b17038..0000000 --- a/SOURCES/0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 5266735bf4827178ddd9a12edc37b1b0a93e0d3a Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Tue, 12 Dec 2023 14:58:07 +0100 -Subject: [PATCH 22/26] v2.1.0: fix(rich): validate service name of rich rule - -Previously, validation of valid service names was not done. -That meant: - - $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent - success - $ firewall-cmd --reload - Error: INVALID_SERVICE: listen - -which left firewalld in a bad state. - -Now: - - $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent - Error: INVALID_SERVICE: Zone 'public': 'listen' not among existing services - -https://issues.redhat.com/browse/RHEL-5790 -(cherry picked from commit fbcdddd3e38c31a7b8325bf02764b84344c216b0) ---- - src/firewall/core/io/policy.py | 11 +++++++++++ - src/tests/features/rich_rules.at | 8 +++++++- - 2 files changed, 18 insertions(+), 1 deletion(-) - -diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py -index 3b951545e975..514a20251ef4 100644 ---- a/src/firewall/core/io/policy.py -+++ b/src/firewall/core/io/policy.py -@@ -304,6 +304,8 @@ def common_endElement(obj, name): - obj._limit_ok = None - - def common_check_config(obj, config, item, all_config): -+ obj_type = "Policy" if isinstance(obj, Policy) else "Zone" -+ - if item == "services" and obj.fw_config: - existing_services = obj.fw_config.get_services() - for service in config: -@@ -360,6 +362,15 @@ def common_check_config(obj, config, item, all_config): - raise FirewallError(errors.INVALID_ICMPTYPE, - "rich rule family '%s' conflicts with icmp type '%s'" % \ - (obj_rich.family, obj_rich.element.name)) -+ elif obj.fw_config and isinstance(obj_rich.element, rich.Rich_Service): -+ existing_services = obj.fw_config.get_services() -+ if obj_rich.element.name not in existing_services: -+ raise 
FirewallError( -+ errors.INVALID_SERVICE, -+ "{} '{}': '{}' not among existing services".format( -+ obj_type, obj.name, obj_rich.element.name -+ ), -+ ) - - def common_writer(obj, handler): - # short -diff --git a/src/tests/features/rich_rules.at b/src/tests/features/rich_rules.at -index bb5e4b72a516..de98bf0ce268 100644 ---- a/src/tests/features/rich_rules.at -+++ b/src/tests/features/rich_rules.at -@@ -46,6 +46,11 @@ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priorit - FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.13 drop'], 0, ignore) - FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.10.10.14 accept'], 0, ignore) - FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=1 source address=10.10.10.15 accept'], 0, ignore) -+ -+dnl Invalid service name is rejected. -+FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore) -+FWD_CHECK([--policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore) -+ - FWD_RELOAD - NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl - table inet firewalld { -@@ -289,4 +294,5 @@ IP6TABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl - ACCEPT all ::/0 ::/0 - ]) - --FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d']) -+FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d' dnl -+ -e "/ERROR: INVALID_SERVICE: Policy 'foobar': 'bogusservice' not among existing services/d"]) --- -2.43.0 - diff --git a/SOURCES/0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch b/SOURCES/0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch deleted file mode 100644 index 523638d..0000000 
--- a/SOURCES/0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 39e8946ba75fc3ce36c3ff72e3af1fb2ae0d95ec Mon Sep 17 00:00:00 2001
-From: Thomas Haller
-Date: Mon, 5 Feb 2024 13:24:25 +0100
-Subject: [PATCH 23/26] v2.2.0: fix(rich): fix range check for large rule limit
-
-Fixes: 555ae1307a3e ('New rich language usable in zones')
-(cherry picked from commit e790c64ebb5760e8d8f8afd1b978baab891d5933)
----
- src/firewall/core/rich.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
-index 6a03eeca5d8a..b150a0dca402 100644
---- a/src/firewall/core/rich.py
-+++ b/src/firewall/core/rich.py
-@@ -264,7 +264,7 @@ class Rich_Limit(object):
- elif duration == "d":
- mult = 24*60*60
-
-- if 10000 * mult / rate == 0:
-+ if 10000 * mult // rate == 0:
- raise FirewallError(errors.INVALID_LIMIT,
- "%s too fast" % self.value)
-
--- 
-2.43.0
-
diff --git a/SOURCES/0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch b/SOURCES/0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch
deleted file mode 100644
index aed7dc7..0000000
--- a/SOURCES/0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 028529e33ed45507bcb1f3eb2722de3344eea091 Mon Sep 17 00:00:00 2001
-From: Thomas Haller
-Date: Mon, 5 Feb 2024 13:09:02 +0100
-Subject: [PATCH 24/26] v2.2.0: improvement(policy): extract helper function
- for writing limit rule element
-
-Soon the Rich_Limit will also get a burst attribute. Then _handler_add_rich_limit()
-will become more complicated. We wouldn't want to duplicated that code.
-
-(cherry picked from commit f662606891569f09553c73023a2f70086d137512)
----
- src/firewall/core/io/policy.py | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
-index 514a20251ef4..66535e0d0368 100644
---- a/src/firewall/core/io/policy.py
-+++ b/src/firewall/core/io/policy.py
-@@ -372,6 +372,11 @@ def common_check_config(obj, config, item, all_config):
- ),
- )
-
-+
-+def _handler_add_rich_limit(handler, limit):
-+ handler.simpleElement("limit", {"value": limit.value})
-+
-+
- def common_writer(obj, handler):
- # short
- if obj.short and obj.short != "":
-@@ -533,8 +538,7 @@ def common_writer(obj, handler):
- handler.ignorableWhitespace(" ")
- handler.startElement("log", attrs)
- handler.ignorableWhitespace("\n ")
-- handler.simpleElement("limit",
-- { "value": rule.log.limit.value })
-+ _handler_add_rich_limit(handler, rule.log.limit)
- handler.ignorableWhitespace("\n ")
- handler.endElement("log")
- else:
-@@ -549,8 +553,7 @@ def common_writer(obj, handler):
- handler.ignorableWhitespace(" ")
- handler.startElement("audit", { })
- handler.ignorableWhitespace("\n ")
-- handler.simpleElement("limit",
-- { "value": rule.audit.limit.value })
-+ _handler_add_rich_limit(handler, rule.audit.limit)
- handler.ignorableWhitespace("\n ")
- handler.endElement("audit")
- else:
-@@ -579,8 +582,7 @@ def common_writer(obj, handler):
- handler.ignorableWhitespace(" ")
- handler.startElement(action, attrs)
- handler.ignorableWhitespace("\n ")
-- handler.simpleElement("limit",
-- { "value": rule.action.limit.value })
-+ _handler_add_rich_limit(handler, rule.action.limit)
- handler.ignorableWhitespace("\n ")
- handler.endElement(action)
- else:
--- 
-2.43.0
-
diff --git a/SOURCES/0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch b/SOURCES/0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch
deleted file mode 100644
index 94ffdc6..0000000
--- a/SOURCES/0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch
+++ /dev/null
@@ -1,189 +0,0 @@ -From 2844fedea7b0c65d864f9960b513150c4468adb2 Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Wed, 13 Dec 2023 19:42:37 +0100 -Subject: [PATCH 25/26] v2.2.0: improvement(rich): add Rich_Limit.value_parse() - and normalize value - -Instead of duplicating the parsing, add a Rich_Limit.value_parse() -function that can be used to "understand" the value string. - -Note that already previously, Rich_Limit.__init__() would normalize the -value (e.g. modify "/minute" to "/m"). Go one step further with this. -Now parse and stringify the value, so that it is normalized. Invalid -values are left unnormalized, and Rich_Limit.__init__() still does not -fail the operation (like before). For that we have check(). - -This normalization matters. For example, the parser is (rightfully) -graceful and will accept 'limit value="1 /m"'. If we add two rules -that are identical, except for the white space, we want that the -normalize string is identical. That's useful, because the normalized -string of a rule is used as identity for the rule. 
- -(cherry picked from commit 8d2f9502db98b349cabf76bb9c0a303fe6e3512a) ---- - src/firewall-config.in | 6 +-- - src/firewall/core/nftables.py | 9 ++--- - src/firewall/core/rich.py | 76 ++++++++++++++++++++++------------- - 3 files changed, 53 insertions(+), 38 deletions(-) - -diff --git a/src/firewall-config.in b/src/firewall-config.in -index f91e945ca7de..e4fbb029ac6d 100755 ---- a/src/firewall-config.in -+++ b/src/firewall-config.in -@@ -3245,7 +3245,7 @@ class FirewallConfig(object): - - if old_obj.action.limit: - self.richRuleDialogActionLimitCheck.set_active(True) -- (rate, duration) = old_obj.action.limit.value.split("/") -+ (rate, duration) = old_obj.action.limit.value_parse() - self.richRuleDialogActionLimitRateEntry.set_text(rate) - combobox_select_text( \ - self.richRuleDialogActionLimitDurationCombobox, -@@ -3288,7 +3288,7 @@ class FirewallConfig(object): - loglevel[log_level]) - if old_obj.log.limit: - self.richRuleDialogLogLimitCheck.set_active(True) -- (rate, duration) = old_obj.log.limit.value.split("/") -+ (rate, duration) = old_obj.log.limit.value_parse() - self.richRuleDialogLogLimitRateEntry.set_text(rate) - combobox_select_text( \ - self.richRuleDialogLogLimitDurationCombobox, -@@ -3299,7 +3299,7 @@ class FirewallConfig(object): - self.richRuleDialogAuditCheck.set_active(True) - if old_obj.audit.limit: - self.richRuleDialogAuditLimitCheck.set_active(True) -- (rate, duration) = old_obj.audit.limit.value.split("/") -+ (rate, duration) = old_obj.audit.limit.value_parse() - self.richRuleDialogAuditLimitRateEntry.set_text(rate) - combobox_select_text( \ - self.richRuleDialogAuditLimitDurationCombobox, -diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py -index 67fb6457e86c..f24095ce729c 100644 ---- a/src/firewall/core/nftables.py -+++ b/src/firewall/core/nftables.py -@@ -1071,13 +1071,10 @@ class nftables(object): - "d" : "day", - } - -- try: -- i = limit.value.index("/") -- except ValueError: -- raise 
FirewallError(INVALID_RULE, "Expected '/' in limit") -+ rate, duration = limit.value_parse() - -- return {"limit": {"rate": int(limit.value[0:i]), -- "per": rich_to_nft[limit.value[i+1]]}} -+ return {"limit": {"rate": rate, -+ "per": rich_to_nft[duration]}} - - def _rich_rule_chain_suffix(self, rich_rule): - if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]: -diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py -index b150a0dca402..a77f2b4aa495 100644 ---- a/src/firewall/core/rich.py -+++ b/src/firewall/core/rich.py -@@ -230,54 +230,72 @@ class Rich_Mark(object): - # value is uint32 - raise FirewallError(errors.INVALID_MARK, x) - -+DURATION_TO_MULT = { -+ "s": 1, -+ "m": 60, -+ "h": 60 * 60, -+ "d": 24 * 60 * 60, -+} -+ - class Rich_Limit(object): - def __init__(self, value): - self.value = value -- if "/" in self.value: -- splits = self.value.split("/") -- if len(splits) == 2 and \ -- splits[1] in [ "second", "minute", "hour", "day" ]: -- self.value = "%s/%s" % (splits[0], splits[1][:1]) - - def check(self): -+ self.value_parse() -+ -+ @property -+ def value(self): -+ return self._value -+ -+ @value.setter -+ def value(self, value): -+ if value is None: -+ self._value = None -+ return -+ try: -+ rate, duration = self._value_parse(value) -+ except FirewallError: -+ # The value is invalid. We cannot normalize it. 
-+ v = value -+ else: -+ v = f"{rate}/{duration}" -+ if getattr(self, "_value", None) != v: -+ self._value = v -+ -+ @staticmethod -+ def _value_parse(value): - splits = None -- if "/" in self.value: -- splits = self.value.split("/") -+ if "/" in value: -+ splits = value.split("/") - if not splits or len(splits) != 2: -- raise FirewallError(errors.INVALID_LIMIT, self.value) -+ raise FirewallError(errors.INVALID_LIMIT, value) - (rate, duration) = splits - try: - rate = int(rate) - except: -- raise FirewallError(errors.INVALID_LIMIT, self.value) -+ raise FirewallError(errors.INVALID_LIMIT, value) - -- if rate < 1 or duration not in [ "s", "m", "h", "d" ]: -- raise FirewallError(errors.INVALID_LIMIT, self.value) -+ if duration in ["second", "minute", "hour", "day"]: -+ duration = duration[:1] - -- mult = 1 -- if duration == "s": -- mult = 1 -- elif duration == "m": -- mult = 60 -- elif duration == "h": -- mult = 60*60 -- elif duration == "d": -- mult = 24*60*60 -+ if rate < 1 or duration not in ["s", "m", "h", "d"]: -+ raise FirewallError(errors.INVALID_LIMIT, value) - -- if 10000 * mult // rate == 0: -- raise FirewallError(errors.INVALID_LIMIT, -- "%s too fast" % self.value) -+ if 10000 * DURATION_TO_MULT[duration] // rate == 0: -+ raise FirewallError(errors.INVALID_LIMIT, "%s too fast" % (value,)) - - if rate == 1 and duration == "d": - # iptables (v1.4.21) doesn't accept 1/d -- raise FirewallError(errors.INVALID_LIMIT, -- "%s too slow" % self.value) -+ raise FirewallError(errors.INVALID_LIMIT, "%s too slow" % (value,)) - -- def __str__(self): -- return 'limit value="%s"' % (self.value) -+ return rate, duration - -- def command(self): -- return '' -+ def value_parse(self): -+ return self._value_parse(self._value) -+ -+ def __str__(self): -+ return f'limit value="{self._value}"' - - class Rich_Rule(object): - priority_min = -32768 --- -2.43.0 - 
diff --git a/SOURCES/0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch b/SOURCES/0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch deleted file mode 100644 index cfe7fa4..0000000 --- a/SOURCES/0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch +++ /dev/null 
@@ -1,238 +0,0 @@ -From 45ebffc5521db62064f365f4a9100b4ab40dce90 Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Wed, 13 Dec 2023 20:35:51 +0100 -Subject: [PATCH 26/26] v2.2.0: improvement(rich): support "burst" attribute to - limit in rich rules - -For iptables, this is `-m limit --limit rate/suffix --limit-burst burst`. - -For nftables, this is `limit rate [over] packet_number / TIME_UNIT [burst packet_number packets]` - -Not implemented in `src/firewall-config.in`. - -https://issues.redhat.com/browse/RHEL-9316 -(cherry picked from commit 58dfdcafabaaad639bfcf389ebbd6b2c242965a4) ---- - src/firewall/core/io/policy.py | 9 +++-- - src/firewall/core/io/zone.py | 1 + - src/firewall/core/ipXtables.py | 9 +++-- - src/firewall/core/nftables.py | 12 +++++-- - src/firewall/core/rich.py | 63 ++++++++++++++++++++++++++++++---- - src/tests/cli/firewall-cmd.at | 4 +-- - 6 files changed, 82 insertions(+), 16 deletions(-) - -diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py -index 66535e0d0368..c732324c441b 100644 ---- a/src/firewall/core/io/policy.py -+++ b/src/firewall/core/io/policy.py -@@ -278,7 +278,7 @@ def common_startElement(obj, name, attrs): - obj._rule_error = True - return True - value = attrs["value"] -- obj._limit_ok.limit = rich.Rich_Limit(value) -+ obj._limit_ok.limit = rich.Rich_Limit(value, attrs.get("burst")) - else: - return False - -@@ -374,7 +374,11 @@ def common_check_config(obj, config, item, all_config): - - - def _handler_add_rich_limit(handler, limit): -- handler.simpleElement("limit", {"value": limit.value}) -+ d = {"value": limit.value} -+ burst = limit.burst -+ if burst is not None: -+ d["burst"] = burst -+ handler.simpleElement("limit", d) - - - def common_writer(obj, handler): -@@ -652,6 +656,7 @@ class Policy(IO_Object): - "destination": [ "address", "invert", "ipset" ], - "log": [ "prefix", "level" ], - "reject": [ "type" ], -+ "limit": ["burst"], - } - - def __init__(self): -diff --git 
a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py -index 0c419ee0f2bd..753036e4fb55 100644 ---- a/src/firewall/core/io/zone.py -+++ b/src/firewall/core/io/zone.py -@@ -94,6 +94,7 @@ class Zone(IO_Object): - "destination": [ "address", "invert", "ipset" ], - "log": [ "prefix", "level" ], - "reject": [ "type" ], -+ "limit": ["burst"], - } - - @staticmethod -diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py -index 401377104ce1..0f9a1518380e 100644 ---- a/src/firewall/core/ipXtables.py -+++ b/src/firewall/core/ipXtables.py -@@ -967,9 +967,12 @@ class ip4tables(object): - return rules - - def _rule_limit(self, limit): -- if limit: -- return [ "-m", "limit", "--limit", limit.value ] -- return [] -+ if not limit: -+ return [] -+ s = ["-m", "limit", "--limit", limit.value] -+ if limit.burst is not None: -+ s += ["--limit-burst", limit.burst] -+ return s - - def _rich_rule_chain_suffix(self, rich_rule): - if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]: -diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py -index f24095ce729c..834176c09cbc 100644 ---- a/src/firewall/core/nftables.py -+++ b/src/firewall/core/nftables.py -@@ -1073,8 +1073,16 @@ class nftables(object): - - rate, duration = limit.value_parse() - -- return {"limit": {"rate": rate, -- "per": rich_to_nft[duration]}} -+ d = { -+ "rate": rate, -+ "per": rich_to_nft[duration], -+ } -+ -+ burst = limit.burst_parse() -+ if burst is not None: -+ d["burst"] = burst -+ -+ return {"limit": d} - - def _rich_rule_chain_suffix(self, rich_rule): - if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]: -diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py -index a77f2b4aa495..c561709af0e2 100644 ---- a/src/firewall/core/rich.py -+++ b/src/firewall/core/rich.py -@@ -238,11 +238,13 @@ DURATION_TO_MULT = { - } - - class Rich_Limit(object): -- def __init__(self, value): -+ def __init__(self, 
value, burst=None): - self.value = value -+ self.burst = burst - - def check(self): - self.value_parse() -+ self.burst_parse() - - @property - def value(self): -@@ -263,6 +265,24 @@ class Rich_Limit(object): - if getattr(self, "_value", None) != v: - self._value = v - -+ @property -+ def burst(self): -+ return self._burst -+ -+ @burst.setter -+ def burst(self, burst): -+ if burst is None: -+ self._burst = None -+ return -+ try: -+ b = self._burst_parse(burst) -+ except FirewallError: -+ b = burst -+ else: -+ b = str(burst) -+ if getattr(self, "_burst", None) != b: -+ self._burst = b -+ - @staticmethod - def _value_parse(value): - splits = None -@@ -294,8 +314,28 @@ class Rich_Limit(object): - def value_parse(self): - return self._value_parse(self._value) - -+ @staticmethod -+ def _burst_parse(burst): -+ if burst is None: -+ return None -+ try: -+ b = int(burst) -+ except: -+ raise FirewallError(errors.INVALID_LIMIT, burst) -+ -+ if b < 1 or b > 10_000_000: -+ raise FirewallError(errors.INVALID_LIMIT, burst) -+ -+ return b -+ -+ def burst_parse(self): -+ return self._burst_parse(self._burst) -+ - def __str__(self): -- return f'limit value="{self._value}"' -+ s = f'limit value="{self._value}"' -+ if self._burst is not None: -+ s += f" burst={self._burst}" -+ return s - - class Rich_Rule(object): - priority_min = -32768 -@@ -368,7 +408,7 @@ class Rich_Rule(object): - 'invert', 'value', - 'port', 'protocol', 'to-port', 'to-addr', - 'name', 'prefix', 'level', 'type', -- 'set']: -+ 'set', 'burst']: - raise FirewallError(errors.INVALID_RULE, "bad attribute '%s'" % attr_name) - else: # element - if element in ['rule', 'source', 'destination', 'protocol', -@@ -554,11 +594,20 @@ class Rich_Rule(object): - attrs.clear() - index = index -1 # return token to input - elif in_element == 'limit': -- if attr_name == 'value': -- attrs['limit'] = Rich_Limit(attr_value) -- in_elements.pop() # limit -+ if attr_name in ["value", "burst"]: -+ attrs[f"limit.{attr_name}"] = attr_value - 
else: -- raise FirewallError(errors.INVALID_RULE, "invalid 'limit' element") -+ if "limit.value" not in attrs: -+ raise FirewallError( -+ errors.INVALID_RULE, "invalid 'limit' element" -+ ) -+ attrs["limit"] = Rich_Limit( -+ attrs["limit.value"], attrs.get("limit.burst") -+ ) -+ attrs.pop("limit.value", None) -+ attrs.pop("limit.burst", None) -+ in_elements.pop() # limit -+ index = index - 1 # return token to input - - index = index + 1 - -diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at -index c4ab3108d37c..6c69f0ccebd4 100644 ---- a/src/tests/cli/firewall-cmd.at -+++ b/src/tests/cli/firewall-cmd.at -@@ -1356,8 +1356,8 @@ FWD_START_TEST([rich rules good]) - rich_rule_test([rule protocol value="ah" reject]) - rich_rule_test([rule protocol value="esp" accept]) - rich_rule_test([rule protocol value="sctp" log]) -- rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" accept]) -- rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" drop]) -+ rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" burst=5 accept]) -+ rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" burst=5 drop]) - IF_HOST_SUPPORTS_IPV6_RULES([ - rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns -- " level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m"]) - rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011: " level="info" limit value="4/m" drop]) --- -2.43.0 - 
diff --git a/SOURCES/0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch b/SOURCES/0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
deleted file mode 100644
index 0b3e06c..0000000
--- a/SOURCES/0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 3a56ea30acb41358742a94f088f12bd4f1ba1f80 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Tue, 31 Jan 2023 09:24:56 -0500
-Subject: [PATCH 27/30] v2.0.0: test(atlocal): pass EBTABLES to testsuite
-
-(cherry picked from commit a5adb26a5eebdaa6e978c580d4fb73f7aa06802f)
----
- src/tests/atlocal.in | 1 +
- src/tests/functions.at | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/atlocal.in b/src/tests/atlocal.in
-index 8c5493ac38df..595a96f0f5c9 100644
---- a/src/tests/atlocal.in
-+++ b/src/tests/atlocal.in
-@@ -1,5 +1,6 @@
- export PYTHON="@PYTHON@"
-
-+export EBTABLES="@EBTABLES@"
- export IPTABLES="@IPTABLES@"
- export IPTABLES_RESTORE="@IPTABLES_RESTORE@"
- export IP6TABLES="@IP6TABLES@"
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index a2989c6345da..35e3271ce68d 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -368,7 +368,7 @@ m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl
- m4_define([EBTABLES_LIST_RULES], [
- dnl ebtables commit 5f508b76a0ce change list output for inversion.
- m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
-- NS_CHECK([PIPESTATUS0([ebtables --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
-+ NS_CHECK([PIPESTATUS0([$EBTABLES --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
- [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
- ])
- ])
--- 
-2.43.0
-
diff --git a/SOURCES/0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch b/SOURCES/0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch
deleted file mode 100644
index ea0a81f..0000000
--- a/SOURCES/0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f61b27ffc91da3d5e634a2d90edd164ac4102086 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Wed, 26 Jun 2024 11:13:00 -0400
-Subject: [PATCH 28/30] v2.0.0: chore(direct): add has_runtime_configuration()
-
-This is originally from cdd015475e83 ("fix(ipset): defer native ipset
-creation if nftables").
----
- src/firewall/core/fw_direct.py | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
-index 76aeda9f19cb..a35ebce1f276 100644
---- a/src/firewall/core/fw_direct.py
-+++ b/src/firewall/core/fw_direct.py
-@@ -64,9 +64,14 @@ class FirewallDirect(object):
- def set_permanent_config(self, obj):
- self._obj = obj
-
-- def has_configuration(self):
-+ def has_runtime_configuration(self):
- if len(self._chains) + len(self._rules) + len(self._passthroughs) > 0:
- return True
-+ return False
-+
-+ def has_configuration(self):
-+ if self.has_runtime_configuration():
-+ return True
- if len(self._obj.get_all_chains()) + \
- len(self._obj.get_all_rules()) + \
- len(self._obj.get_all_passthroughs()) > 0:
--- 
-2.43.0
-
diff --git a/SOURCES/0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch b/SOURCES/0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
deleted file mode 100644
index 3de1dff..0000000
--- a/SOURCES/0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
+++ /dev/null
@@ -1,117 +0,0 @@ -From 17c70eba7ddfd8a8687b16102cf5ee988e33993f Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Mon, 30 Jan 2023 16:42:50 -0500 -Subject: [PATCH 29/30] v2.0.0: feat(direct): avoid iptables flush if using - nftables backend - -If FirewallBackend=nftables and there are no direct rules; then we can -avoid flushing iptables at startup and shutdown. This means other -applications can control iptables while firewalld only touches nftables. - -Fixes: #863 -(cherry picked from commit b7faa74db15e2d1ebd9fdfcdc7579874d3a2fa87) ---- - src/firewall/core/fw.py | 31 +++++++++++++++++++++++++++---- - src/firewall/core/fw_direct.py | 9 +++++++++ - 2 files changed, 36 insertions(+), 4 deletions(-) - -diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py -index 5cef18b5f889..a2ad39bd9f5f 100644 ---- a/src/firewall/core/fw.py -+++ b/src/firewall/core/fw.py -@@ -425,7 +425,8 @@ class Firewall(object): - transaction = FirewallTransaction(self) - - # flush rules -- self.flush(use_transaction=transaction) -+ if not reload: -+ self.flush(use_transaction=transaction) - - # If modules need to be unloaded in complete reload or if there are - # ipsets to get applied, limit the transaction to flush. 
-@@ -836,7 +837,26 @@ class Firewall(object): - if use_transaction is None: - transaction.execute(True) - -- # flush and policy -+ def may_skip_flush_direct_backends(self): -+ if self.nftables_enabled and not self.direct.has_runtime_configuration(): -+ return True -+ -+ return False -+ -+ def flush_direct_backends(self, use_transaction=None): -+ if use_transaction is None: -+ transaction = FirewallTransaction(self) -+ else: -+ transaction = use_transaction -+ -+ for backend in self.all_backends(): -+ if backend in self.enabled_backends(): -+ continue -+ rules = backend.build_flush_rules() -+ transaction.add_rules(backend, rules) -+ -+ if use_transaction is None: -+ transaction.execute(True) - - def flush(self, use_transaction=None): - if use_transaction is None: -@@ -846,7 +866,10 @@ class Firewall(object): - - log.debug1("Flushing rule set") - -- for backend in self.all_backends(): -+ if not self.may_skip_flush_direct_backends(): -+ self.flush_direct_backends(use_transaction=transaction) -+ -+ for backend in self.enabled_backends(): - rules = backend.build_flush_rules() - transaction.add_rules(backend, rules) - -@@ -1002,7 +1025,7 @@ class Firewall(object): - if not _panic: - self.set_policy("DROP") - -- # stop -+ self.flush() - self.cleanup() - - start_exception = None -diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py -index a35ebce1f276..5d4cc6a6918e 100644 ---- a/src/firewall/core/fw_direct.py -+++ b/src/firewall/core/fw_direct.py -@@ -219,6 +219,9 @@ class FirewallDirect(object): - else: - transaction = use_transaction - -+ if self._fw.may_skip_flush_direct_backends(): -+ transaction.add_pre(self._fw.flush_direct_backends) -+ - #TODO: policy="ACCEPT" - self._chain(True, ipv, table, chain, transaction) - -@@ -265,6 +268,9 @@ class FirewallDirect(object): - else: - transaction = use_transaction - -+ if self._fw.may_skip_flush_direct_backends(): -+ transaction.add_pre(self._fw.flush_direct_backends) -+ - self._rule(True, ipv, table, 
chain, priority, args, transaction) - - if use_transaction is None: -@@ -347,6 +353,9 @@ class FirewallDirect(object): - else: - transaction = use_transaction - -+ if self._fw.may_skip_flush_direct_backends(): -+ transaction.add_pre(self._fw.flush_direct_backends) -+ - self._passthrough(True, ipv, list(args), transaction) - - if use_transaction is None: --- -2.43.0 - diff --git a/SOURCES/0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch b/SOURCES/0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch deleted file mode 100644 index 982a882..0000000 --- a/SOURCES/0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch +++ /dev/null 
@@ -1,175 +0,0 @@
-From 2e34d7361f8a7528f5e5d86f794bc87c94f8214e Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Mon, 30 Jan 2023 14:43:18 -0500
-Subject: [PATCH 30/30] v2.0.0: test(direct): avoid iptables flush if using
- nftables backend
-
-Coverage: #863
-(cherry picked from commit dcd0dd3674ea8ef757a1b41f6b53717a45e821aa)
----
- src/tests/features/features.at | 1 +
- .../features/iptables_no_flush_on_shutdown.at | 143 ++++++++++++++++++
- 2 files changed, 144 insertions(+)
- create mode 100644 src/tests/features/iptables_no_flush_on_shutdown.at
-
-diff --git a/src/tests/features/features.at b/src/tests/features/features.at
-index 381bf6dba0e4..cfe8e88b46a9 100644
---- a/src/tests/features/features.at
-+++ b/src/tests/features/features.at
-@@ -14,3 +14,4 @@ m4_include([features/icmp_blocks.at])
- m4_include([features/rpfilter.at])
- m4_include([features/zone_combine.at])
- m4_include([features/rich_destination_ipset.at])
-+m4_include([features/iptables_no_flush_on_shutdown.at])
-diff --git a/src/tests/features/iptables_no_flush_on_shutdown.at b/src/tests/features/iptables_no_flush_on_shutdown.at
-new file mode 100644
-index 000000000000..a3bb1395791d
---- /dev/null
-+++ b/src/tests/features/iptables_no_flush_on_shutdown.at
-@@ -0,0 +1,143 @@
-+m4_if(nftables, FIREWALL_BACKEND, [
-+
-+dnl If FirewallBackend=nftables, and there are no --direct rules, then we can
-+dnl avoid flushing iptables on shutdown. We can also avoid a flush on startup
-+dnl if there are no permanent direct rules. But we will have to flush on the
-+dnl first direct rule added.
-+FWD_START_TEST([avoid iptables flush if using nftables])
-+AT_KEYWORDS(direct gh863)
-+
-+dnl no flush on reload if no direct rules
-+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+IF_HOST_SUPPORTS_IP6TABLES([
-+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+])
-+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
-+])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all ::/0 ::/0
-+])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
-+ -j ACCEPT
-+])
-+FWD_RELOAD()
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
-+])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all ::/0 ::/0
-+])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
-+ -j ACCEPT
-+])
-+
-+dnl no flush on restart (or stop) if no direct rules
-+FWD_RESTART()
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
-+])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all ::/0 ::/0
-+])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
-+ -j ACCEPT
-+])
-+
-+dnl the first runtime direct rule should trigger an iptables flush
-+FWD_CHECK([--direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
-+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
-+])
-+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+IF_HOST_SUPPORTS_IP6TABLES([
-+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+])
-+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
-+])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
-+ ACCEPT all ::/0 ::/0
-+])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
-+ -j ACCEPT
-+])
-+FWD_RELOAD()
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
-+])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
-+])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
-+])
-+
-+dnl permanent direct rules should trigger a flush at start
-+FWD_CHECK([--permanent --direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
-+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+IF_HOST_SUPPORTS_IP6TABLES([
-+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+])
-+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+FWD_RELOAD()
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
-+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
-+])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
-+])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
-+])
-+
-+FWD_CHECK([--permanent --direct --remove-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
-+FWD_RELOAD()
-+
-+dnl adding a chain should trigger a flush
-+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+IF_HOST_SUPPORTS_IP6TABLES([
-+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+])
-+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+FWD_CHECK([--direct --add-chain ipv4 filter firewalld_foobar], 0, [ignore])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+FWD_RELOAD()
-+
-+dnl adding a chain should trigger a flush
-+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+IF_HOST_SUPPORTS_IP6TABLES([
-+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+])
-+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
-+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
-+FWD_CHECK([--direct --add-passthrough ipv4 -t filter -I INPUT -j ACCEPT], 0, [ignore])
-+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
-+
-+FWD_END_TEST()
-+
-+])
---
-2.43.0
-
diff --git a/SOURCES/0031-v2.2.0-fix-service-update-highest-port-number-for-ce.patch b/SOURCES/0031-v2.2.0-fix-service-update-highest-port-number-for-ce.patch
deleted file mode 100644
index 3f63943..0000000
--- a/SOURCES/0031-v2.2.0-fix-service-update-highest-port-number-for-ce.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 4c95c843cd21f618677fe4d047b187facb00d027 Mon Sep 17 00:00:00 2001
-From: Pierre Riteau
-Date: Mon, 22 Apr 2024 11:50:25 +0200
-Subject: [PATCH] v2.2.0: fix(service): update highest port number for ceph
-
-The highest port number used by Ceph was updated in
-https://github.com/ceph/ceph/pull/42210.
-
-Fixes https://github.com/firewalld/firewalld/issues/1329
-
-(cherry picked from commit f514a3ea4b59a0be11467d1b68a992329b6dc8dd)
----
- config/services/ceph.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/services/ceph.xml b/config/services/ceph.xml
-index efed53691afd..eb6a3f2d1e3d 100644
---- a/config/services/ceph.xml
-+++ b/config/services/ceph.xml
-@@ -2,5 +2,5 @@
-
- ceph
- Ceph is a distributed object store and file system. Enable this option to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
--
-+
-
---
-2.43.0
-
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
deleted file mode 100644
index a1d729f..0000000
--- a/SPECS/firewalld.spec
+++ /dev/null
@@ -1,1731 +0,0 @@
-Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
-Name: firewalld
-Version: 0.9.11
-Release: 10%{?dist}
-URL: http://www.firewalld.org
-License: GPLv2+
-Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
-Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
-Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
-Patch3: 0003-v1.0.0-feat-service-add-galera-service-Fixes-rhbz169.patch
-Patch4: 0004-v1.0.0-fix-ipset-normalize-entries-in-CIDR-notation.patch
-Patch5: 0005-v1.0.0-fix-ipset-disallow-overlapping-entries.patch
-Patch6: 0006-v1.0.0-feat-config-add-CleanupModulesOnExit-configur.patch
-Patch7: 0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch
-Patch8: 0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch
-Patch9: 0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch
-Patch10: 0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch
-Patch11: 0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch
-Patch12: 0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch
-Patch13: 0013-v1.2.0-fix-ipset-fix-configuring-IP-range-for-ipsets.patch
-Patch14: 0014-v1.2.0-chore-nftables-add-delete-table-helper.patch
-Patch15: 0015-v1.2.0-fix-nftables-always-flush-main-table-on-start.patch
-Patch16: 0016-v1.2.0-test-CleanUpOnExit-verify-restart-does-not-du.patch
-Patch17: 0017-v1.2.0-chore-nftables-policy-use-delete-table-helper.patch
-Patch18: 0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch
-Patch19: 0019-v1.0.0-test-rich-destination-ipset.patch
-Patch20: 0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch
-Patch21: 0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch
-Patch22: 0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch
-Patch23: 0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch
-Patch24: 0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch
-Patch25: 0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch
-Patch26: 0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch
-Patch27: 0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
-Patch28: 0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch
-Patch29: 0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
-Patch30: 0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch
-Patch31: 0031-v2.2.0-fix-service-update-highest-port-number-for-ce.patch
-
-BuildArch: noarch
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: desktop-file-utils
-BuildRequires: gettext
-BuildRequires: intltool
-# glib2-devel is needed for gsettings.m4
-BuildRequires: glib2, glib2-devel
-BuildRequires: systemd-units
-BuildRequires: docbook-style-xsl
-BuildRequires: libxslt
-BuildRequires: iptables, ebtables, ipset
-BuildRequires: python3-devel
-Requires: iptables, ebtables, ipset
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
-Requires: firewalld-filesystem = %{version}-%{release}
-Requires: python3-firewall = %{version}-%{release}
-Conflicts: selinux-policy < 3.14.1-28
-Conflicts: squid < 7:3.5.10-1
-Obsoletes: firewalld-selinux < 0.4.4.2-2
-# bz1581578
-Conflicts: cockpit-ws < 171-2
-
-%description
-firewalld is a firewall service daemon that provides a dynamic customizable
-firewall with a D-Bus interface.
-
-%package -n python3-firewall
-Summary: Python3 bindings for firewalld
-
-%{?python_provide:%python_provide python3-firewall}
-
-Obsoletes: python-firewall < 0.5.2-2
-Obsoletes: python2-firewall < 0.5.2-2
-Requires: python3-dbus
-Requires: python3-slip-dbus
-Requires: python3-decorator
-Requires: python3-gobject-base
-Requires: python3-nftables
-
-%description -n python3-firewall
-Python3 bindings for firewalld.
-
-%package -n firewalld-filesystem
-Summary: Firewalld directory layout and rpm macros
-
-%description -n firewalld-filesystem
-This package provides directories and rpm macros which
-are required by other packages that add firewalld configuration files.
-
-%package -n firewall-applet
-Summary: Firewall panel applet
-Requires: %{name} = %{version}-%{release}
-Requires: firewall-config = %{version}-%{release}
-Requires: hicolor-icon-theme
-Requires: python3-qt5-base
-Requires: python3-gobject
-Requires: libnotify
-Requires: NetworkManager-libnm
-Requires: dbus-x11
-
-%description -n firewall-applet
-The firewall panel applet provides a status information of firewalld and also
-the firewall settings.
-
-%package -n firewall-config
-Summary: Firewall configuration application
-Requires: %{name} = %{version}-%{release}
-Requires: hicolor-icon-theme
-Requires: gtk3
-Requires: python3-gobject
-Requires: NetworkManager-libnm
-Requires: dbus-x11
-
-%description -n firewall-config
-The firewall configuration application provides an configuration interface for
-firewalld.
-
-%prep
-%autosetup -p1
-# must autogen since a patch above touched a Makefile.am
-./autogen.sh
-
-%build
-%configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}"
-make %{?_smp_mflags}
-
-%install
-make install DESTDIR=%{buildroot}
-desktop-file-install --delete-original \
- --dir %{buildroot}%{_sysconfdir}/xdg/autostart \
- %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
-desktop-file-install --delete-original \
- --dir %{buildroot}%{_datadir}/applications \
- %{buildroot}%{_datadir}/applications/firewall-config.desktop
-
-%find_lang %{name} --all-name
-
-%post
-%systemd_post firewalld.service
-
-%preun
-%systemd_preun firewalld.service
-
-%postun
-%systemd_postun_with_restart firewalld.service
-
-%files -f %{name}.lang
-%doc COPYING README
-%{_sbindir}/firewalld
-%{_bindir}/firewall-cmd
-%{_bindir}/firewall-offline-cmd
-%dir %{_datadir}/bash-completion/completions
-%{_datadir}/bash-completion/completions/firewall-cmd
-%dir %{_datadir}/zsh/site-functions
-%{_datadir}/zsh/site-functions/_firewalld
-%{_prefix}/lib/firewalld/icmptypes/*.xml
-%{_prefix}/lib/firewalld/ipsets/README
-%{_prefix}/lib/firewalld/services/*.xml
-%{_prefix}/lib/firewalld/policies/*.xml
-%{_prefix}/lib/firewalld/zones/*.xml
-%{_prefix}/lib/firewalld/helpers/*.xml
-%attr(0750,root,root) %dir %{_sysconfdir}/firewalld
-%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
-%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
-%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
-%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
-%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets
-%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
-%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/policies
-%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
-%defattr(0644,root,root)
-%config(noreplace) %{_sysconfdir}/sysconfig/firewalld
-%{_unitdir}/firewalld.service
-%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf
-%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
-%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
-%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
-%{_mandir}/man1/firewall*cmd*.1*
-%{_mandir}/man1/firewalld*.1*
-%{_mandir}/man5/firewall*.5*
-%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
-%{_sysconfdir}/logrotate.d/firewalld
-
-%files -n python3-firewall
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server
-%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__
-%{python3_sitelib}/firewall/__pycache__/*.py*
-%{python3_sitelib}/firewall/*.py*
-%{python3_sitelib}/firewall/config/*.py*
-%{python3_sitelib}/firewall/config/__pycache__/*.py*
-%{python3_sitelib}/firewall/core/*.py*
-%{python3_sitelib}/firewall/core/__pycache__/*.py*
-%{python3_sitelib}/firewall/core/io/*.py*
-%{python3_sitelib}/firewall/core/io/__pycache__/*.py*
-%{python3_sitelib}/firewall/server/*.py*
-%{python3_sitelib}/firewall/server/__pycache__/*.py*
-
-%files -n firewalld-filesystem
-%dir %{_prefix}/lib/firewalld
-%dir %{_prefix}/lib/firewalld/helpers
-%dir %{_prefix}/lib/firewalld/icmptypes
-%dir %{_prefix}/lib/firewalld/ipsets
-%dir %{_prefix}/lib/firewalld/services
-%dir %{_prefix}/lib/firewalld/policies
-%dir %{_prefix}/lib/firewalld/zones
-%{_rpmconfigdir}/macros.d/macros.firewalld
-
-%files -n firewall-applet
-%attr(0755,root,root) %dir %{_sysconfdir}/firewall
-%{_bindir}/firewall-applet
-%defattr(0644,root,root)
-%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
-%{_sysconfdir}/firewall/applet.conf
-%{_datadir}/icons/hicolor/*/apps/firewall-applet*.*
-%{_mandir}/man1/firewall-applet*.1*
-
-%files -n firewall-config
-%{_bindir}/firewall-config
-%defattr(0644,root,root)
-%{_datadir}/firewalld/firewall-config.glade
-%{_datadir}/firewalld/gtk3_chooserbutton.py*
-%{_datadir}/firewalld/gtk3_niceexpander.py*
-%{_datadir}/applications/firewall-config.desktop
-%{_datadir}/metainfo/firewall-config.appdata.xml
-%{_datadir}/icons/hicolor/*/apps/firewall-config*.*
-%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml
-%{_mandir}/man1/firewall-config*.1*
-
-%changelog
-* Tue Feb 04 2025 Eric Garver - 0.9.11-10
-- fix(service): update highest port number for ceph
-
-* Fri Aug 02 2024 Eric Garver - 0.9.11-9
-- feat(direct): avoid iptables flush if using nftables backend
-
-* Thu Jun 13 2024 Eric Garver - 0.9.11-8
-- feat(rich): support "burst" attribute to limit in rich rules
-
-* Thu Jun 13 2024 Eric Garver - 0.9.11-7
-- fix(rich): validate service name of rich rule
-
-* Thu Jun 13 2024 Eric Garver - 0.9.11-6
-- feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types
-
-* Thu Jun 13 2024 Eric Garver - 0.9.11-5
-- feat(rich): support using ipset in destination
-
-* Fri Nov 03 2023 Eric Garver - 0.9.11-4
-- fix(nftables): always flush main table on start
-
-* Fri Nov 03 2023 Eric Garver - 0.9.11-3
-- fix(ipset): fix configuring IP range for ipsets with nftables
-
-* Fri Nov 03 2023 Eric Garver - 0.9.11-2
-- fix(ipset): exception on overlap checking empty set
-
-* Tue Apr 18 2023 Eric Garver - 0.9.11-1
-- rebase to v0.9.11
-
-* Thu Feb 03 2022 Eric Garver - 0.9.3-13
-- change default CleanupModulesOnExit=yes
-
-* Mon Dec 20 2021 Eric Garver - 0.9.3-12
-- feat(config): add CleanupModulesOnExit configuration option
-- change default CleanupModulesOnExit=yes
-
-* Tue Nov 16 2021 Eric Garver - 0.9.3-11
-- fix(zone): detect same source/interface in zones
-
-* Tue Nov 16 2021 Eric Garver - 0.9.3-10
-- fix(nftables): rich: source address with netmask
-
-* Tue Nov 16 2021 Eric Garver - 0.9.3-9
-- fix(nftables): do not log icmp block if inversion
-
-* Tue Nov 16 2021 Eric Garver - 0.9.3-8
-- docs(firewall-*cmd): client conntrack helpers must use a policy
-
-* Tue Jul 13 2021 Eric Garver - 0.9.3-7
-- fix(ipset): disallow overlapping entries
-
-* Tue Jul 13 2021 Eric Garver - 0.9.3-6
-- fix(policy): warn instead of error for overlapping ports
-
-* Wed May 19 2021 Eric Garver - 0.9.3-5
-- docs(conf): note that IPv6_rpfilter has a performance penalty
-
-* Wed May 19 2021 Eric Garver - 0.9.3-4
-- fix(nm): reload: only consider NM connections with a real interface
-
-* Wed May 19 2021 Eric Garver - 0.9.3-3
-- fix(ipset): fix hash:net,net functionality
-
-* Wed May 19 2021 Eric Garver - 0.9.3-2
-- fix(direct): rule order with multiple address with -s/-d
-
-* Thu Feb 25 2021 Eric Garver - 0.9.3-1
-- rebase to v0.9.3
-- fixes from upstream branch stable-0.9
-
-* Fri Jan 29 2021 Eric Garver - 0.8.2-6
-- feat(service): add galera service
-
-* Fri Jan 29 2021 Eric Garver - 0.8.2-5
-- fix(zone): add source with mac address
-
-* Fri Jan 29 2021 Eric Garver - 0.8.2-4
-- fix(rich): non-printable characters removed from rich
-
-* Mon Oct 26 2020 Eric Garver - 0.8.2-3
-- fix(nftables): packet marks with masks
-- fix(nftables): icmp types with code == 0
-- fix(rich icmptype): verify rule and icmptype families
-- fix(zone): cache rule_str for rich rules
-- improvement(service): IPsec: Update description and add TCP port 4500
-- feat(service): add collectd service
-- feat(service): Add rpc-rquotad.service
-
-* Tue Aug 04 2020 Eric Garver - 0.8.2-2
-- fix(cli): add ipset type hash:mac is incompatible with the family parameter
-- fix(cli): add --zone is an invalid option with --direct
-- fix: update dynamic DCE RPC ports in freeipa-trust service
-- fix: core: rich: Catch ValueError on non-numeric priority values -- fix(rich): icmptypes with one family -- fix(direct): rule in a zone chain -- plus additional upstream stable fixes - -* Mon Apr 06 2020 Eric Garver - 0.8.2-1 -- rebase to v0.8.2 - -* Thu Feb 27 2020 Eric Garver - 0.8.0-4 -- doc: direct: add CAVEATS section - -* Mon Feb 03 2020 Eric Garver - 0.8.0-3 -- restore zone drifting as a feature - -* Tue Nov 12 2019 Eric Garver - 0.8.0-2 -- fix: CLI: service: also output helpers for service info - -* Tue Nov 05 2019 Eric Garver - 0.8.0-1 -- rebase to v0.8.0 - -* Tue Aug 13 2019 Eric Garver - 0.7.0-5 -- bump nftables version requirements - -* Tue Aug 06 2019 Eric Garver - 0.7.0-4 -- backport patches to sort source-based zone dispatch by zone name - -* Tue Jul 23 2019 Eric Garver - 0.7.0-3 -- backport patch to show service includes in service output -- backport patches to fix dbus API break - -* Thu Jun 13 2019 Eric Garver - 0.7.0-2 -- package rebuild - -* Wed Jun 12 2019 Eric Garver - 0.7.0-1 -- rebase to v0.7.0 - -* Sun Jan 13 2019 Eric Garver - 0.6.3-7 -- backport additional patches for RFC3964_IPv4 filter feature - -* Tue Jan 08 2019 Eric Garver - 0.6.3-6 -- backport nftables support for wildcard interfaces -- backport RFC3964_IPv4 filter feature - -* Tue Dec 18 2018 Eric Garver - 0.6.3-5 -- backport fix for lost NM interfaces in default zone during reload - -* Thu Dec 13 2018 Eric Garver - 0.6.3-4 -- backport recent stable fixes -- backport fix for lost NM interfaces during reload -- backport rich rule priorities -- backport fix for set entries not applied -- update translations - -* Tue Oct 16 2018 Eric Garver - 0.6.3-3 -- backport FlushAllOnReload feature - -* Fri Oct 12 2018 Eric Garver - 0.6.3-2 -- use py3_shbang_opts for lockdown-whitelist -- fix cockpit patch causing test failure - -* Thu Oct 11 2018 Eric Garver - 0.6.3-1 -- rebase package to v0.6.3 -- use py3_shbang_opts for interpreter invocations - -* Mon Sep 10 2018 Eric Garver - 0.6.1-5 -- 
python3-firewalld can get by with python3-gobject-base -- firewall-config can get by with python3-qt5-base - -* Thu Aug 16 2018 Eric Garver - 0.6.1-4 -- backports for new failed state if startup fails -- backports to use explicit RETURN on user defined ebtables chains -- backports to fix nftables AUDIT log support - -* Tue Aug 14 2018 Eric Garver - 0.6.1-3 -- drop support for ebtables broute table - -* Fri Aug 10 2018 Eric Garver - 0.6.1-2 -- add more ports to high-availability service - -* Thu Aug 09 2018 Eric Garver - 0.6.1-1 -- rebase to v0.6.1 -- fix patch adding cockpit by default, fixes testsuite - -* Mon Jul 09 2018 Eric Garver - 0.6.0-2 -- Use correct conflicts version for cockpit-ws -- Enable cockpit by default in some zones - -* Fri Jul 06 2018 Eric Garver - 0.6.0-1 -- rebase to v0.6.0 - -* Tue May 01 2018 Eric Garver - 0.6.0-0.1.alpha1 -- rebase to v0.6.0-alpha - -* Wed Mar 21 2018 Eric Garver - 0.5.2-3 -- remove fedora-isms and clean up spec file - -* Wed Mar 21 2018 Eric Garver - 0.5.2-2 -- remove python2-firewall subpackage - -* Mon Mar 19 2018 Eric Garver - 0.5.2-1 -- rebase package to v0.5.2 - -* Fri Feb 09 2018 Igor Gnatenko - 0.5.1-2 -- Escape macros in %%changelog - -* Wed Feb 07 2018 Eric Garver - 0.5.1-1 -- rebase package to v0.5.1 - -* Wed Feb 07 2018 Fedora Release Engineering - 0.4.4.5-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Fri Jan 05 2018 Igor Gnatenko - 0.4.4.5-5 -- Remove obsolete scriptlets - -* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 0.4.4.5-4 -- Python 2 binary package renamed to python2-firewall - See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 - -* Mon Jul 31 2017 Thomas Woerner - 0.4.4.5-3 -- Fix spec file for next RHEL versions - -* Wed Jul 26 2017 Fedora Release Engineering - 0.4.4.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Jun 9 2017 Thomas Woerner - 0.4.4.5-1 -- Rebase to firewalld-0.4.4.5 - 
http://www.firewalld.org/2017/06/firewalld-0-4-4-5-release - - Fix build from spec - - Fix –remove-service-from-zone option (RHBZ#1438127) - - Support sctp and dccp in ports, source-ports, forward-ports, helpers and - rich rules (RHBZ#1429808) - - firewall-cmd: Fix –{set,get}-{short,description} for zone (RHBZ#1445238) - - firewall.core.ipXtables: Use new wait option for restore commands if - available - - New services for oVirt: - ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe - - Rename extension for policy choices (server and desktop) to .policy.choice - (RHBZ#1449754) - - D-Bus interfaces: Fix GetAll for interfaces without properties - (RHBZ#1452017) - - Load NAT helpers with conntrack helpers (RHBZ#1452681) - - Translation updates -- Additional upstream patches: - - Rich-rule source validation (d69b7cb) - - IPv6 ICMP type only rich-rule fix (cf50bd0) - -* Mon Mar 27 2017 Thomas Woerner - 0.4.4.4-1 -- Rebase to firewalld-0.4.4.4 - http://www.firewalld.org/2017/03/firewalld-0-4-4-4-release -- Drop references to fedorahosted.org from spec file and Makefile.am, use - archive from github -- Fix inconsistent ordering of rules in INPUT_ZONE_SOURCE (issue#166) -- Fix ipset overloading from /etc/firewalld/ipsets -- Fix permanent rich rules using icmp-type elements (RHBZ#1434594) -- firewall-config: Deactivate edit, remove, .. 
buttons if there are no items -- Check if ICMP types are supported by kernel before trying to use them -- firewall-config: Show invalid ipset type in the ipset configuration dialog - in a special label - -* Tue Feb 21 2017 Thomas Woerner - 0.4.4.3-2 -- Fixed ipset overloading, dropped applied check in get_ipset (issue#206) - -* Fri Feb 10 2017 Thomas Woerner - 0.4.4.3-1 -- Rebase to firewalld-0.4.4.3 - http://www.firewalld.org/2017/02/firewalld-0-4-4-3-release -- Speed up of large file loading -- Support for more ipset types -- Speed up of adding or removing entries for ipsets from files -- Support icmp-type usage in rich rules -- Support for more icmp types -- Support for h323 conntrack helper -- New services -- Code cleanup and several other bug fixes -- Translation updates - -* Fri Feb 10 2017 Fedora Release Engineering - 0.4.4.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Tue Dec 13 2016 Stratakis Charalampos - 0.4.4.2-3 -- Rebuild for Python 3.6 - -* Mon Dec 5 2016 Thomas Woerner - 0.4.4.2-2 -- Dropping firewalld-selinux package again as the required fix made it into - selinux-policy packages for F-23+, updated selinux-policy version conflicts - -* Thu Dec 1 2016 Thomas Woerner - 0.4.4.2-1 -- New firewalld-selinux sub package delivering the SELinux policy module for - firewalld (RHBZ#1396765) (RHBZ#1394625) (RHBZ#1394578) (RHBZ#1394573) - (RHBZ#1394569) -- New firewalld release 0.4.4.2: - - firewalld.spec: Added helpers and ipsets paths to firewalld-filesystem - - firewall.core.fw_nm: create NMClient lazily - - Do not use hard-coded path for modinfo, use autofoo to detect it - - firewall.core.io.ifcfg: Dropped invalid option warning with bad format - string - - firewall.core.io.ifcfg: Properly handle quoted ifcfg values - - firewall.core.fw_zone: Do not reset ZONE with ifdown - - Updated translations from zanata - - firewall-config: Extra grid at bottom to visualize firewalld settings - -* Wed Nov 9 2016 Thomas Woerner - 
0.4.4.1-1
-- firewall-config: Use proper source check in sourceDialog (fixes issue#162)
-- firewallctl: New support for helpers
-- Translation updates
-
-* Fri Oct 28 2016 Thomas Woerner - 0.4.4-1
-- Fix dist-check
-- src/Makefile.am: Install new helper files
-- config/Makefile.am: Install helpers
-- Merged translations
-- Updated translations from zanata
-- firewalld.spec: Adapt requires for PyQt5
-- firewall-applet: Fix fromUTF8 for python2 PyQt5 usage
-- firewall-applet: Use PyQt5
-- firewall-config: New nf_conntrack_select dialog, use nf_conntrack_helpers D-Bus property
-- shell-completion/bash/firewall-cmd: Updates for helpers and also some fixes
-- src/tests/firewall-[offline-]cmd_test.sh: New helper tests, adapted module tests for services
-- doc/xml/seealso.xml: Add firewalld.helper(5) man page
-- doc/xml/seealso.xml: Add firewalld.ipset(5) man page
-- Fixed typo in firewalld.ipset(5) man page
-- Updated firewalld.dbus(5) man page
-- New firewalld.helper(5) man page
-- doc/xml/firewall-offline-cmd.xml: Updated firewall-offline-cmd man page
-- doc/xml/firewall-cmd.xml: Updated firewall-cmd man page
-- firewall-offline-cmd: New support for helpers
-- firewall-cmd: New support for helpers
-- firewall.command: New check_helper_family, check_module and print_helper_info methods
-- firewall.core.fw_test: Add helpers also to offline backend
-- firewall.server.config: New AutomaticHelpers property (rw)
-- firewall.server.config: Fix an dict size changed error for firewall.conf file changes
-- firewall.server.config: Make LogDenied property readwrite to be consistent
-- Some renames of nf_conntrack_helper* functions and structures, helpers is a dict
-- firewall.core.fw: Properly check helper setting in set_automatic_helpers
-- firewall.errors: Add missing BUILTIN_HELPER error code
-- No extra interface for helpers needed in runtime, dropped DBUS_INTERFACE_HELPER
-- firewall.server.firewalld: Drop unused queryHelper D-Bus method
-- New helpers Q.931 and RAS from
nf_conntrack_h323
-- firewall.core.io.helper: Allow dots in helper names, remove underscore
-- firewall.core.io.firewalld_conf: Fixed typo in FALLBACK_AUTOMATIC_HELPERS
-- firewall-[offline-]cmd: Use sys.excepthook to force exception_handler usage always
-- firewall.core.fw_config: new_X methods should also check builtins
-- firewall.client: Set helper family to "" if None
-- firewall.client: Add missing module string to FirewallClientHelperSettings.settings
-- config/firewalld.conf: Add possible values description for AutomaticHelpers
-- helpers/amanda.xml: Fix typo in helper module
-- firewall-config: Added support for helper module setting
-- firewall.client: Added support for helper module setting
-- firewall.server.config_helper: Added support for helper module setting
-- firewall.core.io.service, firewall.server.config_service: Only replace underscore by dash if module start with nf_conntrack_
-- firewall.core.fw_zone: Use helper module instead of a generated name from helper name
-- helpers: Added kernel module
-- firewall.core.io.helper: Add module to helper
-- firewall-cmd: Removed duplicate --get-ipset-types from help output
-- firewall.core.fw_zone: Add zone bingings for PREROUTING in the raw table
-- firewall.core.ipXtables: Add PREROUTING default rules for zones in raw table
-- firewall-config: New support to handle helpers, new dialogs, new helper tab, ..
-- config/org.fedoraproject.FirewallConfig.gschema.xml.in: New show-helpers setting
-- firewall.client: New helper management for runtime and permanent configuration
-- firewall.server.firewalld: New runtime helper management, new nf_conntrack_helper property
-- firewall.server.config_service: Fix module name handling (no nf_conntrack_ prefix needed)
-- firewall.server.config: New permanent D-Bus helper management
-- New firewall.server.config_helper to provide the permanent D-Bus interface for helpers
-- firewall.core.fw_zone: Use helpers fw.nf_conntrack_helper for services using helpers
-- firewall.core.fw: New helper management, new _automatic_helpers and nf_conntrack_helper settings
-- firewall.core.fw_config: Add support for permanent helper handling
-- firewall.core.io.service: The module does not need to start with nf_conntrack_ anymore
-- firewall.functions: New functions to get and set nf_conntrack_helper kernel setting
-- firewall.core.io.firewalld_conf: New support for AutomaticHelpers setting
-- firewall.config.dbus: New D-Bus definitions for helpers, new DBUS_INTERFACE_REVISION 12
-- New firewall.core.fw_helper providing FirewallHelper backend
-- New firewall.core.helper with HELPER_MAXNAMELEN definition
-- config/firewalld.conf: New AutomaticHelpers setting with description
-- firewall.config.__init__.py.in: New helpers variables
-- firewalld.spec: Add new helpers directory
-- config/Makefile.am: Install new helpers
-- New helper configuration files for amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp and tftp
-- firewall.core.io.helper: New IO handler for netfilter helpers
-- firewall.errors: New INVALID_HELPER error code
-- firewall.core.io.ifcfg: Use .bak for save files
-- firewall-config: Set internal log_denied setting after changing
-- firewall.server.config: Copy props before removing items
-- doc/xml/firewalld.ipset: Replaced icmptype name remains with ipset
-- firewall.core.fw_zone: Fix LOG rule placement for LogDenied
-- firewall.command:
Use "source-ports" in print_zone_info -- firewall.core.logger: Use syslog.openlog() and syslog.closelog() -- firewall-[offline-]cmd man pages: Document --path-{zone,icmptype,ipset,service} -- firewall-cmd: Enable --path-{zone,icmptype,service} options again -- firewall.core.{ipXtables,ebtables}: Copy rule before extracting items in set_rules -- firewall.core.fw: Do not abort transaction on failed ipv6_rpfilter rules -- config/Makefile.am: Added cfengine, condor-collector and smtp-submission services -- Makefile.am: New dist-check used in the archive target -- src/Makefile.am: Reordered nobase_dist_python_DATA to be sorted -- config/Makefile.am: New CONFIG_FILES variable to contain the config files -- Merge pull request #150 from hspaans/master -- Merge pull request #146 from canvon/bugfix/spelling -- Merge pull request #145 from jcpunk/condor -- Command line tools man pages: New section about sequence options and exit codes -- Creating service file for SMTP-Submission. -- Creating service file for CFEngine. -- Fix typo in documentation: iptables mangle table -- Only use sort on lists of main items, but not for item properties -- firewall.core.io.io_object: import_config should not change ordering of lists -- firewall.core.fw_transaction: Load helper modules in FirewallZoneTransaction -- firewall.command: Fail with NOT_AUTHORIZED if authorization fails (RHBZ#1368549) -- firewall.command: Fix sequence exit code with at least one succeeded item -- Add condor collector service -- firewall-cmd: Fixed --{get,set}-{description,short} for permanent zones -- firewall.command: Do not use error code 254 for {ALREADY,NOT}_ENABLED sequences - -* Tue Aug 16 2016 Thomas Woerner - 0.4.3.3-1 -- Fix CVE-2016-5410: Firewall configuration can be modified by any logged in - user -- firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO -- Update AppData configuration file. 
-- tests/firewalld_rich.py: Use new import structure and FirewallClient classes -- tests/firewalld_direct.py: Use new import structure -- tests: firewalld_direct: Fix assert to check for True instead of False -- tests: firewalld_config: Fix expected value when querying the zone target -- tests: firewalld_config: Use real nf_conntrack modules -- firewalld.spec: Added comment about make call for %%build -- firewall-config: Use also width_request and height_request with default size -- Updated firewall-config screenshot -- firewall-cmd: Fixed typo in help output (RHBZ#1367171) -- test-suite: Ignore stderr to get default zone also for missing firewalld.conf -- firewall.core.logger: Warnings should be printed to stderr per default -- firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails -- firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be aquired -- firewall.client: Generate new DBUS_ERROR if SystemBus can not be aquired -- test-suite: Do not fail on ALREADY_ENABLED --add-destination tests -- firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings -- doc/xml/firewalld.dbus.xml: Removed undefined reference -- doc/xml/transform-html.xsl.in: Fixed references in the document -- doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para -- doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page -- firewall: core: fw_nm: Instantiate the NM client only once -- firewall/core/io/*.py: Do not traceback on a general sax parsing issue -- firewall-offline-cmd: Fix --{add,remove}-entries-from-file -- firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file -- firewall.core.prog: Do not output stderr, but return it in the error case -- firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171) -- config/firewall.service.in: use KillMode=mixed -- config/firewalld.service.in: use network-pre.target -- firewall-config: Add missing gettext.textdomain call to fix translations 
-- Add UDP to transmission-client.xml service -- tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings -- firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls -- firewall.client: Fix NOT_ENABLED errors in icmptype destination calls -- firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination - calls -- firewall.command: Add the removed FirewallError handling to the action - (a17ce50) -- firewall.command: Do not use query methods for sequences and also single - options -- Add missing information about MAC and ipset sources to man pages and help - output -- firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages -- firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr} -- firewallctl: Fix traceback if not connected to firewalld -- firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked -- firewall.command: Convert errors to string for Python3 -- firewall.command: Get proper firewall error code from D-BusExceptions -- firewall-cmd: Fixed traceback without args -- Add missing service files to Makefile.am -- shell-completion: Add shell completion support for - --{get,set}--{description,short} -- Updated RHEL-7 selinux-policy and squid conflict - -* Tue Jul 19 2016 Fedora Release Engineering - 0.4.3.2-2 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Mon Jul 4 2016 Thomas Woerner - 0.4.3.2-1 -- Fix regression with unavailable optional commands -- All missing backend messages should be warnings -- Individual calls for missing restore commands -- Only one authenticate call for add and remove options and also sequences -- New service RH-Satellite-6 -- Fixed selinux-policy conflict version for RHEL-7 - -* Wed Jun 29 2016 Thomas Woerner - 0.4.3.1-2 -- Fixed selinux-policy conflict version for Fedora 24 - -* Tue Jun 28 2016 Thomas Woerner - 0.4.3.1-1 -- New firewalld release 0.4.3.1 -- firewall.command: Fix python3 
DBusException message not interable error -- src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while installing -- firewallctl: Do not trace back on list command without further arguments -- firewallctl (man1): Added remaining sections zone, service, .. -- firewallctl: Added runtime-to-permanent, interface and source parser, - IndividualCalls setting -- firewall.server.config: Allow to set IndividualCalls property in config - interface -- Fix missing icmp rules for some zones -- runProg: Fix issue with running programs -- firewall-offline-cmd: Fix issues with missing system-config-firewall -- firewall.core.ipXtables: Split up source and dest addresses for transaction -- firewall.server.config: Log error in case of loading malformed files in - watcher -- Install and package the firewallctl man page -- New firewallctl utility (RHBZ#1147959) -- doc.xml.seealso: Show firewalld.dbus in See Also sections -- firewall.core.fw_config: Create backup on zone, service, ipset and icmptype - removal (RHBZ#1339251) -- {zone,service,ipset,icmptype}_writer: Do not fail on failed backup -- firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd -- firewall-cmd: Dropped duplicate setType call in --new-ipset -- radius service: Support also tcp ports (RBZ#1219717) -- xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset - sources -- config.xmlschema.service.xsd: Fix service destination conflicts - (RHBZ#1296573) -- firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg -- firewall.command: Only print summary and description in print_X_info with - verbose -- firewall.command: print_msg should be able to print empty lines -- firewall-config: No processing of runtime passthroughs signals in permanent -- Landspace.io fixes and pylint calm downs -- firewall.core.io.zone: Add zone_reader and zone_writer to __all__, pylint - fixes -- firewall-config: Fixed titles of command and context dialogs, also entry - lenths -- 
firewall-config: pylint calm downs -- firewall.core.fw_zone: Fix use of MAC source in rich rules without ipv limit -- firewall-config: Use self.active_zoens in conf_zone_added_cb -- firewall.command: New parse_port, extended parse methods with more checks -- firewall.command: Fixed parse_port to use the separator in the split call -- firewall.command: New [de]activate_exception_handler, raise error in parse_X -- services ha: Allow corosync-qnetd port -- firewall-applet: Support for kde5-nm-connection-editor -- tests/firewall-offline-cmd_test.sh: New tests for service and icmptype - modifications -- firewall-offline-cmd: Use FirewallCommand for simplification and sequence - options -- tests/firewall-cmd_test.sh: New tests for service and icmptype modifications -- firewall-cmd: Fixed set, remove and query destination options for services -- firewall.core.io.service: Source ports have not been checked in _check_config -- firewall.core.fw_zone: Method check_source_port is not used, removed -- firewall.core.base: Added default to ZONE_TARGETS -- firewall.client: Allow to remove ipv:address pair for service destinations -- tests/firewall-offline-cmd_test.sh: There is no timeout option in permanent -- firewall-cmd: Landscape.io fixes, pylint calm downs -- firewall-cmd: Use FirewallCommand for simplification and sequence options -- firewall.command: New FirewallCommand for command line client simplification -- New services: kshell, rsh, ganglia-master, ganglia-client -- firewalld: Cleanup of unused imports, do not translate some deamon messages -- firewalld: With fd close interation in runProg, it is not needed here anymore -- firewall.core.prog: Add fd close iteration to runProg -- firewall.core.fw_nm: Hide NM typelib import, new nm_get_dbus_interface - function -- firewalld.spec: Require NetworkManager-libnm instead of NetworkManager-glib -- firewall-config: New add/remove ipset entries from file, remove all entries -- firewall-applet: Fix tooltip after applet start with 
connection to firewalld -- firewall-config: Select new zone, service or icmptype if the view was empty -- firewalld.spec: Added build requires for iptables, ebtables and ipset -- Adding nf_conntrack_sip module to the service SIP -- firewall: core: fw_ifcfg: Quickly return if ifcfg directory does not exist -- Drop unneeded python shebangs -- Translation updates - -* Mon May 30 2016 Thomas Woerner - 0.4.2-1 -- New module to search for and change ifcfg files for interfaces not under - control of NM -- firewall_config: Enhanced messages in status bar -- firewall-config: New message window as overlay if not connected -- firewall-config: Fix sentivity of option, view menus and main paned if not - connected -- firewall-applet: Quit on SIGINT (Ctrl-C), reduced D-Bus calls, some cleanup -- firewall-[offline]cmd: Show target in zone information -- D-Bus: Completed masquerade methods in FirewallClientZoneSettings -- Fixed log-denied rules for icmp-blocks -- Keep sorting of interfaces, services, icmp-blocks and other settings in zones -- Fixed runtime-to-permanent not to save interfaces under control of NM -- New icmp-block-inversion flag in the zones -- ICMP type filtering in the zones -- New services: sip, sips, managesieve -- rich rules: Allow destination action (RHBZ#1163428) -- firewall-offline-cmd: New option -q/--quiet -- firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file -- firewall-[offline-]cmd: Fix option for setting the destination address -- firewall-config: Fixed resizing behaviour -- New transaction model for speed ups in start, restart, stop and other actions -- firewall-cmd: New options --load{zone,service,ipset,icmptype}-defaults -- Fixed memory leak in dbus_introspection_add_properties -- Landscape.io fixes, pylint calm downs -- New D-Bus getXnames methods to speed up firewall-config and firewall-cmd -- ebtables-restore: No support for COMMIT command -- Source port support in services, zones and rich rules -- firewall-offline-cmd: 
Added --{add,remove}-entries-from-file for ipsets -- firewall-config: New active bindings side bar for simple binding changes -- Reworked NetworkManager module -- Proper default zone handling for NM connections -- Try to set zone binding with NM if interface is under control of NM -- Code cleanup and bug fixes -- Include test suite in the release and install in /usr/share/firewalld/tests -- New Travis-CI configuration file -- Fixed more broken frensh translations -- Translation updates - -* Mon May 9 2016 Thomas Woerner - 0.4.1.2-2 -- Fixed ebtables-restore does not support the COMMIT command issue - -* Wed Apr 20 2016 Thomas Woerner - 0.4.1.2-1 -- Fixed translations with python3 -- Fixed exception for failed NM import, new doc string -- Make ipsets visible per default in firewall-config -- Install new fw_nm module -- Do not fail if log file could not be opened -- Fixed broken fr translation - -* Tue Apr 19 2016 Thomas Woerner - 0.4.1-1 -- Enhancements of ipset handling - - No cleanup of ipsets using timeouts while reloading - - Only destroy conflicting ipsets - - Only use ipset types supported by the system - - Add and remove several ipset entries in one call using a file -- Reduce time frame where builtin chains are on policy DROP while reloading -- Include descriptions in --info-X calls -- Command line interface support to get and alter descriptions of zones, - services, ipsets and icmptypes with permanent option -- Properly watch changes in combined zones -- Fix logging in rich rule forward rules -- Transformed direct.passthrough errors into warnings -- Rework of import structures -- Reduced calls to get ids for port and protocol names (RHBZ#1305434) -- Build and installation fixes by Markos Chandras -- Provide D-Bus properties in introspection data -- Fix for flaws found by landscape.io -- Fix for repeated SUGHUP -- New NetworkManager module to get and set zones of connections, used in - firewall-applet and firewall-config -- configure: Autodetect backend 
tools ({ip,ip6,eb}tables{,-restore}, ipset) -- Code cleanups -- Bug fixes - -* Mon Feb 22 2016 Jiri Popelka - 0.4.0-4 -- Revert one commit to temporary work-around RHBZ#1309754 - -* Mon Feb 08 2016 Jiri Popelka - 0.4.0-3 -- Make sure tempdir is created even in offline mode. (RHBZ#1305175) - -* Wed Feb 03 2016 Fedora Release Engineering - 0.4.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Mon Feb 1 2016 Thomas Woerner - 0.4.0-1 -- Version 0.4.0 - - Speed ups - - ipset support - - MAC address support - - Log of denied packets - - Mark action in rich rules - - Enhanced alteration of config files with command line tools - - Use of zone chains in direct interface - - firewall-applet enhancement - - New services: ceph-mon, ceph, docker-registry, imap, pop3, pulseaudio, - smtps, snmptrap, snmp, syslog-tls and syslog - - Several bug fixes - - Code optimizations - -* Tue Nov 10 2015 Fedora Release Engineering - 0.3.14.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 - -* Wed Jul 22 2015 Adam Williamson - 0.3.14.2-4 -- bump versions on old config package obsoletes (f21 is on 0.3.14 now) - -* Mon Jul 13 2015 Thomas Woerner - 0.3.14.2-3 -- Require python3-gobject-base for fedora >= 23 and rhel >= 8 (RHBZ#1242076) -- Fix rhel defines: No python3 for rhel-7 - -* Thu Jun 18 2015 Thomas Woerner - 0.3.14.2-2 -- Fixed 'pid_file' referenced before assignment (RHBZ#1233232) - -* Wed Jun 17 2015 Thomas Woerner - 0.3.14.2-1 -- reunification of the firewalld spec files for all Fedora releases -- fix dependencies for -applet and -config: use_python3 is the proper switch - not with_python3 (RHBZ#1232493) -- firewalld.spec: - - fixed requirements for -applet and -config -- man pages: - - adapted firewall-applet man page to new version -- firewall-applet: - - Only honour active connections for zone changes - - Change QSettings path and file names -- firewall-config: - - Only honour active connections for zone changes in the “Change Zones of 
Connections” menu -- Translations: - - updated translations - - marked translations for “Connections” for review - -* Wed Jun 17 2015 Fedora Release Engineering - 0.3.14.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Tue Jun 16 2015 Stephen Gallagher 0.3.14.1-2 -- Fix issue with missing polkit policy when installing firewalld on - Cloud Edition. - -* Fri Jun 12 2015 Thomas Woerner - 0.3.14.1-1 -- firewall-applet - - do not use isSystemTrayAvailable check to fix KDE5 startup - - dropped gtk applet remain: org.fedoraproject.FirewallApplet.gschema.xml - -* Fri Jun 12 2015 Thomas Woerner - 0.3.14-1 -- renamed python2-firewall to python-firewall -- fixed requirements for GUI parts with Python3 -- dropped upstream merged python3 patch -- firewalld: - - print real zone names in error messages - - iptables 1.4.21 does not accept limits of 1/day, minimum is 2/day now - - rate limit fix for rich rules - - fix readdition of removed permanent direct settings - - adaption of the polkit domains to use PK_ACTION_DIRECT_INFO - - fixed two minor Python3 issues in firewall.core.io.direct - - fixed use of fallback configuration values - - fixed use without firewalld.conf - - firewalld main restructureization - - IPv6_rpfilter now also available as a property on D-Bus in the config interface - - fixed wait option use for ipXtables - - added --concurrent support for ebtables - - richLanguage: allow masquerading with destination - - richLanguage: limit masquerading forward rule to new connections - - ipXtables: No dns lookups in available_tables and _detect_wait_option - - full ebtables support: start, stop, reload, panic mode, direct chains and rules - - fix for reload with direct rules - - fix or flaws found by landscape.io - - pid file handling fixes in case of pid file removal - - fix for client issue in case of a dbus NoReply error -- configuration - - new services: dropbox-lansync, ptp - - new icmptypes: timestamp-request, timestamp-reply -- man 
pages: - - firewalld.zones(5): fixed typos - - firewalld.conf(5): Fixed wrong reference to firewalld.lockdown-whitelist page -- firewall-applet: - - new version using Qt4 fixing several issues with the Gtk version -- spec file: - - enabled Python3 support: new backends python-firewall and python3-firewall - - some cleanup -- git: - - migrated to github -- translations: - - migrated to zanata -- build environment: - - no need for autoconf-2.69, 2.68 is sufficient - -* Thu May 07 2015 Stephen Gallagher 0.3.13-7 -- Use VARIANT_ID instead of VARIANT for making decisions - -* Thu Apr 16 2015 Stephen Gallagher 0.3.13-6 -- Switch to using $VARIANT directly from /etc/os-release - -* Fri Mar 13 2015 Stephen Gallagher 0.3.13-5 -- Fix bugs with posttrans -- Remove nonexistent fedora-cloud.conf symlink - -* Fri Mar 13 2015 Stephen Gallagher 0.3.13-4 -- Remove per-edition config files -- Decide on default configuration based on /etc/os-release - -* Mon Feb 23 2015 Jiri Popelka - 0.3.13-3 -- use python3 bindings on fedora >=23 - -* Wed Jan 28 2015 Thomas Woerner - 0.3.13-2 -- enable python2 and python3 bindings for fedora >= 20 and rhel >= 7 -- use python3 bindings on fedora >= 22 and rhel >= 8 for firewalld, - firewall-config and firewall-applet - -* Thu Dec 04 2014 Jiri Popelka - 0.3.13-1 -- firewalld: - - ipXtables: use -w or -w2 if supported (RHBZ#1161745, RHBZ#1151067) - - DROP INVALID packets (RHBZ#1169837) - - don't use ipv6header for protocol matching. (RHBZ#1065565) - - removeAllPassthroughs(): remove passthroughs in reverse order (RHBZ#1167100) - - fix config.service.removeDestination() (RHBZ#1164584) -- firewall-config: - - portProtoDialog: other protocol excludes port number/range - - better fix for updating zoneStore also in update_active_zones() - - fix typo in menu -- configuration: - - new services: tinc, vdsm, mosh, iscsi-target, rsyncd - - ship and install XML Schema files. 
(#8) -- man pages: - - firewalld.dbus, firewalld.direct, firewalld, firewall-cmd -- spec file: - - filesystem subpackage - - make dirs&files in /usr/lib/ world-readable (RHBZ#915988) - -* Tue Oct 14 2014 Jiri Popelka - 0.3.12-1 -- firewalld: - - new runtimeToPermanent and tracked passsthrough support - - make permanent D-Bus interfaces more fine grained like the runtime versions (RHBZ#1127706) - - richLanguage: allow using destination with forward-port - - Rich_Rule.check(): action can't be used with icmp-block/forward-port/masquerade - - fixed Python specific D-Bus exception (RHBZ#1132441) -- firewall-cmd: - - new --runtime-to-permanent to create permanent from runtime configuration - - use new D-Bus methods for permanent changes - - show target REJECT instead of %%REJECT%% (RHBZ#1058794) - - --direct: make fail messages consistent (RHBZ#1141835) -- firewall-config: - - richRuleDialog - OK button tooltip indicates problem - - use new D-Bus methods for permanent changes - - show target REJECT instead of %%REJECT%% (RHBZ#1058794) - - update "Change Zones of Connections" menu on default zone change (RHBZ#11120212) - - fixed rename of zones, services and icmptypes to not create new entry (RBHZ#1131064) -- configuration: - - new service for Squid HTTP proxy server - - new service for Kerberos admin server - - new services for syslog and syslog-tls - - new services for SNMP and SNMP traps - - add Keywords to .desktop to improve software searchability -- docs: - - updated translations - - firewalld.richlanguage: improvements suggested by Rufe Glick - - firewalld.dbus: various improvements - - firewalld.zone: better description of Limit tag - - mention new homepage everywhere - -* Wed Aug 27 2014 Jiri Popelka - 0.3.11-3 -- Quiet systemctl if cups-browsed.service is not installed - -* Mon Aug 25 2014 Jiri Popelka - 0.3.11-2 -- add few Requires to spec (RHBZ#1133167) - -* Wed Aug 20 2014 Jiri Popelka - 0.3.11-1 -- firewalld: - - improve error messages - - check built-in 
chains in direct chain handling functions (RHBZ#1120619) - - dbus_to_python() check whether input is of expected type (RHBZ#1122018) - - handle negative timeout values (RHBZ#1124476) - - warn when Command/Uid/Use/Context already in lockdown whitelist (RHBZ#1126405) - - make --lockdown-{on,off} work again (RHBZ#1111573) -- firewall-cmd: - - --timeout now accepts time units (RHBZ#994044) -- firewall-config: - - show active (not default) zones in bold (RHBZ#993655) -- configuration: - - remove ipp-client service from all zones (RHBZ#1105639). - - fallbacks for missing values in firewalld.conf - - create missing dirs under /etc if needed - - add -Es to python command in lockdown-whitelist.xml (RHBZ#1099065) -- docs: - - 'direct' methods concern only chains/rules added via 'direct' (RHBZ#1120619) - - --remove-[interface/source] don't need a zone to be specified (RHBZ#1125851) - - various fixes in firewalld.zone(5), firewalld.dbus(5), firewalld.direct(5) -- others: - - rpm macros for easier packaging of e.g. 
services - -* Tue Jul 22 2014 Thomas Woerner - 0.3.10-5 -- Fixed wrong default zone names for server and workstation (RHBZ#1120296) - -* Tue Jul 8 2014 Thomas Woerner - 0.3.10-4 -- renamed fedora specific zones to FedoraServer and FedoraWorkstation for - zone name limitations (length and allowed chars) - -* Mon Jul 7 2014 Thomas Woerner - 0.3.10-3 -- New support for Fedora per-product configuration settings for Fedora.next - https://fedoraproject.org/wiki/Per-Product_Configuration_Packaging_Draft -- Added Fedora server zone (RHBZ#1110711) -- Added Fedora workstation zone(RHBZ#1113775) - -* Sat Jun 07 2014 Fedora Release Engineering - 0.3.10-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Wed May 28 2014 Jiri Popelka - 0.3.10-1 -- new services: freeipa-*, puppermaster, amanda-k5, synergy, - xmpp-*, tor, privoxy, sane -- do not use at_console in D-Bus policies (RHBZ#1094745) -- apply all rich rules for non-default targets -- AppData file (RHBZ#1094754) -- separate Polkit actions for desktop & server (RHBZ#1091068) -- sanitize missing ip6t_rpfilter (RHBZ#1074427) -- firewall/core/io/*: few improvements (RHBZ#1065738) -- no load failed error for absent direct.xml file -- new DBUS_INTERFACE.getZoneSettings to get all run-time zone settings -- fixed creation and deletion of zones, services and icmptypes over D-Bus signals -- FirewallClientZoneSettings: Set proper default target -- if Python2 then encode strings from sax parser (RHBZ#1059104, RHBZ#1058853) -- firewall-cmd: - - don't colour output of query commands (RHBZ#1097841) - - use "default" instead of {chain}_{zone} (RHBZ#1075675) - - New --get-target and --set-target - - Create and remove permanent zones, services and icmptypes -- firewall-config: - - Adding services and icmptypes resulted in duplicates in UI - - Use left button menu of -applet in Option menu -- firewall-offline-cmd: same functionality as 'firewall-cmd --permanent' -- firewall-applet: ZoneConnectionEditor was missing the 
Default Zone entry -- bash-completion: getting zones/services/icmps is different with/without --permanent -- firewalld.zone(5): removed superfluous slash (RHBZ#1091575) -- updated translations - -* Wed Feb 05 2014 Jiri Popelka - 0.3.9.3-1 -- Fixed persistent port forwarding (RHBZ#1056154) -- Stop default zone rules being applied to all zones (RHBZ#1057875) -- Enforce trust, block and drop zones in the filter table only (RHBZ#1055190) -- Allow RAs prior to applying IPv6_rpfilter (RHBZ#1058505) -- Fix writing of rule.audit in zone_writer() - -* Fri Jan 17 2014 Jiri Popelka - 0.3.9.2-1 -- fix regression introduced in 0.3.9 (RHBZ#1053932) - -* Thu Jan 16 2014 Jiri Popelka - 0.3.9.1-1 -- fix regressions introduced in 0.3.9 (RHBZ#1054068, RHBZ#1054120) - -* Mon Jan 13 2014 Jiri Popelka - 0.3.9-1 -- translation updates -- New IPv6_rpfilter setting to enable source address validation (RHBZ#847707) -- Do not mix original and customized zones in case of target changes, - apply only used zones -- firewall-cmd: fix --*_lockdown_whitelist_uid to work with uid 0 -- Don't show main window maximized. 
(RHBZ#1046811) -- Use rmmod instead of 'modprobe -r' (RHBZ#1031102) -- Deprecate 'enabled' attribute of 'masquerade' element -- firewall-config: new zone was added twice to the list -- firewalld.dbus(5) -- Enable python shebang fix again -- firewall/client: handle_exceptions: Use loop in decorator -- firewall-offline-cmd: Do not mask firewalld service with disabled option -- firewall-config: richRuleDialogActionRejectType Entry -> ComboBox -- Rich_Rule: fix parsing of reject element (RHBZ#1027373) -- Show combined zones in permanent configuration (RHBZ#1002016) -- firewall-cmd(1): document exit code 2 and colored output (RHBZ#1028507) -- firewall-config: fix RHBZ#1028853 - -* Tue Nov 05 2013 Jiri Popelka - 0.3.8-1 -- fix memory leaks -- New option --debug-gc -- Python3 compatibility -- Better non-ascii support -- several firewall-config & firewall-applet fixes -- New --remove-rules commands for firewall-cmd and removeRules methods for D-Bus -- Fixed FirewallDirect.get_rules to return proper list -- Fixed LastUpdatedOrderedDict.keys() -- Enable rich rule usage in trusted zone (RHBZ#994144) -- New error codes: INVALID_CONTEXT, INVALID_COMMAND, INVALID_USER and INVALID_UID - -* Thu Oct 17 2013 Jiri Popelka - 0.3.7-1 -- Don't fail on missing ip[6]tables/ebtables table. 
(RHBZ#967376) -- bash-completion: --permanent --direct options -- firewall/core/fw.py: fix checking for iptables & ip6tables (RHBZ#1017087) -- firewall-cmd: use client's exception_handler instead of catching exceptions ourselves -- FirewallClientZoneSettings: fix {add|remove|query}RichRule() -- Extend amanda-client service with 10080/tcp (RHBZ#1016867) -- Simplify Rich_Rule()_lexer() by using functions.splitArgs() -- Fix encoding problems in exception handling (RHBZ#1015941) - -* Fri Oct 04 2013 Jiri Popelka - 0.3.6.2-1 -- firewall-offline-cmd: --forward-port 'toaddr' is optional (RHBZ#1014958) -- firewall-cmd: fix variable name (RHBZ#1015011) - -* Thu Oct 03 2013 Jiri Popelka - 0.3.6.1-1 -- remove superfluous po files from archive - -* Wed Oct 02 2013 Jiri Popelka - 0.3.6-1 -- firewalld.richlanguage.xml: correct log levels (RHBZ#993740) -- firewall-config: Make sure that all zone settings are updated properly on firewalld restart -- Rich_Limit: Allow long representation for duration (RHBZ#994103 -- firewall-config: Show "Changes applied." after changes (RHBZ#993643) -- Use own connection dialog to change zones for NM connections -- Rename service cluster-suite to high-availability (RHBZ#885257) -- Permanent direct support for firewall-config and firewall-cmd -- Try to avoid file descriptor leaking (RHBZ#951900) -- New functions to split and join args properly (honoring quotes) -- firewall-cmd(1): 2 simple examples -- Better IPv6 NAT checking. -- Ship firewalld.direct(5). 
- -* Mon Sep 30 2013 Jiri Popelka - 0.3.5-1 -- Only use one PK action for configuration (RHBZ#994729) -- firewall-cmd: indicate non-zero exit code with red color -- rich-rule: enable to have log without prefix & log_level & limit -- log-level warn/err -> warning/error (RHBZ#1009436) -- Use policy DROP while reloading, do not reset policy in restart twice -- Add _direct chains to all table and chain combinations -- documentation improvements -- New firewalld.direct(5) man page docbook source -- tests/firewall-cmd_test.sh: make rich language tests work -- Rich_Rule._import_from_string(): improve error messages (RHBZ#994150) -- direct.passthrough wasn't always matching out_signature (RHBZ#967800) -- firewall-config: twist ICMP Type IP address family logic. -- firewall-config: port-forwarding/masquerading dialog (RHBZ#993658) -- firewall-offline-cmd: New --remove-service= option (BZ#969106) -- firewall-config: Options->Lockdown was not changing permanent. -- firewall-config: edit line on doubleclick (RHBZ#993572) -- firewall-config: System Default Zone -> Default Zone (RHBZ#993811) -- New direct D-Bus interface, persistent direct rule handling, enabled passthough -- src/firewall-cmd: Fixed help output to use more visual parameters -- src/firewall-cmd: New usage output, no redirection to man page anymore -- src/firewall/core/rich.py: Fixed forwad port destinations -- src/firewall-offline-cmd: Early enable/disable handling now with mask/unmask -- doc/xml/firewalld.zone.xml: Added more information about masquerade use -- Prefix to log message is optional (RHBZ#998079) -- firewall-cmd: fix --permanent --change-interface (RHBZ#997974) -- Sort zones/interfaces/service/icmptypes on output. 
-- wbem-https service (RHBZ#996668) -- applet&config: add support for KDE NetworkManager connection editor -- firewall/core/fw_config.py: New method update_lockdown_whitelist -- Added missing file watcher for lockdown whitelist in config D-Bus interface -- firewall/core/watcher: New add_watch_file for lockdown-whitelist and direct -- Make use of IPv6 NAT conditional, based on kernel number (RHBZ#967376) - -* Tue Jul 30 2013 Thomas Woerner 0.3.4-1 -- several rich rule check enhancements and fixes -- firewall-cmd: direct options - check ipv4|ipv6|eb (RHBZ#970505) -- firewall-cmd(1): improve description of direct options (RHBZ#970509) -- several firewall-applet enhancements and fixes -- New README -- several doc and man page fixes -- Service definitions for PCP daemons (RHBZ#972262) -- bash-completion: add lockdown and rich language options -- firewall-cmd: add --permanent --list-all[-zones] -- firewall-cmd: new -q/--quiet option -- firewall-cmd: warn when default zone not active (RHBZ#971843) -- firewall-cmd: check priority in --add-rule (RHBZ#914955) -- add dhcpv6 (for server) service (RHBZ#917866) -- firewall-cmd: add --permanent --get-zone-of-interface/source --change-interface/source -- firewall-cmd: print result (yes/no) of all --query-* commands -- move permanent-getZoneOf{Interface|Source} from firewall-cmd to server -- Check Interfaces/sources when updating permanent zone settings. 
-- FirewallDConfig: getZoneOfInterface/Source can actually return more zones -- Fixed toaddr check in forward port to only allow single address, no range -- firewall-cmd: various output improvements -- fw_zone: use check_single_address from firewall.functions -- getZoneOfInterface/Source does not need to throw exception -- firewall.functions: Use socket.inet_pton in checkIP, fixed checkIP*nMask -- firewall.core.io.service: Properly check port/proto and destination address -- Install applet desktop file into /etc/xdg/autostart -- Fixed option problem with rich rule destinations (RHBZ#979804) -- Better exception creation in dbus_handle_exceptions() decorator (RHBZ#979790) -- Updated firewall-offline-cmd -- Use priority in add, remove, query and list of direct rules (RHBZ#979509) -- New documentation (man pages are created from docbook sources) -- firewall/core/io/direct.py: use prirority for rule methods, new get_all_ methods -- direct: pass priority also to client.py and firewall-cmd -- applet: New blink and blink-count settings -- firewall.functions: New function ppid_of_pid -- applet: Check for gnome3 and fix it, use new settings, new size-changed cb -- firewall-offline-cmd: Fix use of systemctl in chroot -- firewall-config: use string.ascii_letters instead of string.letters -- dbus_to_python(): handle non-ascii chars in dbus.String. -- Modernize old syntax constructions. -- dict.keys() in Python 3 returns a "view" instead of list -- Use gettext.install() to install _() in builtins namespace. 
-- Allow non-ascii chars in 'short' and 'description' -- README: More information for "Working With The Source Repository" -- Build environment fixes -- firewalld.spec: Added missing checks for rhel > 6 for pygobject3-base -- firewall-applet: New setting show-inactive -- Don't stop on reload when lockdown already enabled (RHBZ#987403) -- firewall-cmd: --lockdown-on/off did not touch firewalld.conf -- FirewallApplet.gschema.xml: Dropped unused sender-info setting -- doc/firewall-applet.xml: Added information about gsettings -- several debug and log message fixes -- Add chain for sources so they can be checked before interfaces (RHBZ#903222) -- Add dhcp and proxy-dhcp services (RHBZ#986947) -- io/Zone(): don't error on deprecated family attr of source elem -- Limit length of zone file name (to 12 chars) due to Netfilter internals. -- It was not possible to overload a zone with defined source(s). -- DEFAULT_ZONE_TARGET: {chain}_ZONE_{zone} -> {chain}_{zone} -- New runtime getSettings for services and icmptypes, fixed policies callbacks -- functions: New functions checkUser, checkUid and checkCommand -- src/firewall/client: Fixed lockdown-whitelist-updated signal handling -- firewall-cmd(1): move firewalld.richlanguage(5) reference in --*-rich-rule -- Rich rule service: Only add modules for accept action -- firewall/core/rich: Several fixes and enhanced checks -- Fixed reload of direct rules -- firewall/client: New functions to set and get the exception handler -- firewall-config: New and enhanced UI to handle lockdown and rich rules -- zone's immutable attribute is redundant -- Do not allow to set settings in config for immutable zones. -- Ignore deprecated 'immutable' attribute in zone files. -- Eviscerate 'immutable' completely. 
-- FirewallDirect.query_rule(): fix it -- permanent direct: activate firewall.core.io.direct:Direct reader -- core/io/*: simplify getting of character data -- FirewallDirect.set_config(): allow reloading - -* Thu Jun 20 2013 Jiri Popelka -- Remove migrating to a systemd unit file from a SysV initscript -- Remove pointless "ExclusiveOS" tag - -* Fri Jun 7 2013 Thomas Woerner 0.3.3-2 -- Fixed rich rule check for use in D-Bus - -* Thu Jun 6 2013 Thomas Woerner 0.3.3-1 -- new service files -- relicensed logger.py under GPLv2+ -- firewall-config: sometimes we don't want to use client's exception handler -- When removing Service/IcmpType remove it from zones too (RHBZ#958401) -- firewall-config: work-around masquerade_check_cb() being called more times -- Zone(IO): add interfaces/sources to D-Bus signature -- Added missing UNKNOWN_SOURCE error code -- fw_zone.check_source: Raise INVALID_FAMILY if family is invalid -- New changeZoneOfInterface method, marked changeZone as deprecated -- Fixed firewall-cmd man page entry for --panic-on -- firewall-applet: Fixed possible problems of unescaped strings used for markup -- New support to bind zones to source addresses and ranges (D-BUS, cmd, applet -- Cleanup of unused variables in FirewallD.start -- New firewall/fw_types.py with LastUpdatedOrderedDict -- direct.chains, direct.rules: Using LastUpdatedOrderedDict -- Support splitted zone files -- New reader and writer for stored direct chains and rules -- LockdownWhitelist: fix write(), add get_commands/uids/users/contexts() -- fix service_writer() and icmptype_writer() to put newline at end of file -- firewall-cmd: fix --list-sources -- No need to specify whether source address family is IPv4 or IPv6 -- add getZoneOfSource() to D-Bus interface -- Add tests and bash-completion for the new "source" operations -- Convert all input args in D-Bus methods -- setDefaultZone() was calling accessCheck() *after* the action -- New uniqify() function to remove duplicates from list whilst 
preserving order -- Zone.combine() merge also services and ports -- config/applet: silence DBusException during start when FirewallD is not running (RHBZ#966518) -- firewall-applet: more fixes to make the address sources family agnostic -- Better defaults for lockdown white list -- Use auth_admin_keep for allow_any and allow_inactive also -- New D-Bus API for lockdown policies -- Use IPv4, IPv6 and BRIDGE for FirewallD properties -- Use rich rule action as audit type -- Prototype of string-only D-Bus interface for rich language -- Fixed wrongly merged source family check in firewall/core/io/zone.py -- handle_cmr: report errors, cleanup modules in error case only, mark handling -- Use audit type from rule action, fixed rule output -- Fixed lockdown whitelist D-Bus handling method names -- New rich rule handling in runtime D-Bus interface -- Added interface, source and rich rule handling (runtime and permanent) -- Fixed dbus_obj in FirewallClientConfigPolicies, added queryLockdown -- Write changes in setLockdownWhitelist -- Fixed typo in policies log message in method calls -- firewall-cmd: Added rich rule, lockdown and lockdown whitelist handling -- Don't check access in query/getLockdownWhitelist*() -- firewall-cmd: Also output masquerade flag in --list-all -- firewall-cmd: argparse is able to convert argument to desired type itself -- firewall-cmd_test.sh: tests for permanent interfaces/sources and lockdown whitelist -- Makefile.am: add missing files -- firewall-cmd_test.sh: tests for rich rules -- Added lockdown, source, interface and rich rule docs to firewall-cmd -- Do not masquerade lo if masquerade is enabled in the default zone (RHBZ#904098) -- Use in metavar for firewall-cmd parser - -* Fri May 10 2013 Jiri Popelka - 0.3.2-2 -- removed unintentional en_US.po from tarball - -* Tue Apr 30 2013 Jiri Popelka - 0.3.2-1 -- Fix signal handling for SIGTERM -- Additional service files (RHBZ#914859) -- Updated po files -- s/persistent/permanent/ (Trac Ticket #7) -- 
Better behaviour when running without valid DISPLAY (RHBZ#955414) -- client.handle_exceptions(): do not loop forever -- Set Zone.defaults in zone_reader (RHBZ#951747) -- client: do not pass the dbus exception name to handler -- IO_Object_XMLGenerator: make it work with Python 2.7.4 (RHBZ#951741) -- firewall-cmd: do not use deprecated BaseException.message -- client.py: fix handle_exceptions() (RHBZ#951314) -- firewall-config: check zone/service/icmptype name (RHBZ#947820) -- Allow 3121/tcp (pacemaker_remote) in cluster-suite service. (RHBZ#885257) -- firewall-applet: fix default zone hangling in 'shields-up' (RHBZ#947230) -- FirewallError.get_code(): check for unknown error - -* Wed Apr 17 2013 Jiri Popelka - 0.3.1-2 -- Make permanenent changes work with Python 2.7.4 (RHBZ#951741) - -* Thu Mar 28 2013 Thomas Woerner 0.3.1-1 -- Use explicit file lists for make dist -- New rich rule validation check code -- New global check_port and check_address functions -- Allow source white and black listing with the rich rule -- Fix error handling in case of unsupported family in rich rule -- Enable ip_forwarding in masquerade and forward-port -- New functions to read and write simple files using filename and content -- Add --enable-sysconfig to install Fedora-specific sysconfig config file. -- Add chains for security table (RHBZ#927015) -- firewalld.spec: no need to specify --with-systemd-unitdir -- firewalld.service: remove syslog.target and dbus.target -- firewalld.service: replace hard-coded paths -- Move bash-completion to new location. 
-- Revert "Added configure for new build env" -- Revert "Added Makefile.in files" -- Revert "Added po/Makefile.in.in" -- Revert "Added po/LINGUAS" -- Revert "Added aclocal.m4" -- Amend zone XML Schema - -* Wed Mar 20 2013 Thomas Woerner 0.3.0-1 -- Added rich language support -- Added lockdown feature -- Allow to bind interfaces and sources to zones permanently -- Enabled IPv6 NAT support - masquerading and port/packet forwarding for IPv6 only with rich language -- Handle polkit errors in client class and firewall-config -- Added priority description for --direct --add-rule in firewall-cmd man page -- Add XML Schemas for zones/services/icmptypes XMLs -- Don't keep file descriptors open when forking -- Introduce --nopid option for firewalld -- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782) -- Update cluster-suite service (RHBZ#885257) -- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912) -- Fix interaction problem of changed event of gtk combobox with polkit-kde - by processing all remaining events (RHBZ#915892) -- Stop default zone rules being applied to all zones (RHBZ#912782) -- Firewall.start(): don't call set_default_zone() -- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages -- firewalld-cmd: make --state verbose (RHBZ#886484) -- improve firewalld --help (RHBZ#910492) -- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834) -- Continue loading zone in case of wrong service/port etc. (RHBZ#909466) -- Check also services and icmptypes in Zone() (RHBZ#909466) -- Increase the maximum length of the port forwarding fields from 5 to 11 in - firewall-config -- firewall-cmd: add usage to fail message -- firewall-cmd: redefine usage to point to man page -- firewall-cmd: fix visible problems with arg. 
parsing -- Use argparse module for parsing command line options and arguments -- firewall-cmd.1: better clarify where to find ACTIONs -- firewall-cmd Bash completion -- firewall-cmd.1: comment --zone= usage and move some options -- Use zone's target only in %%s_ZONES chains -- default zone in firewalld.conf was set to public with every restart (#902845) -- man page cleanup -- code cleanup - -* Thu Mar 07 2013 Jiri Popelka - 0.2.12-5 -- Another fix for RHBZ#912782 - -* Wed Feb 20 2013 Jiri Popelka - 0.2.12-4 -- Stop default zone rules being applied to all zones (RHBZ#912782) - -* Wed Feb 13 2013 Fedora Release Engineering - 0.2.12-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Tue Jan 22 2013 Jiri Popelka - 0.2.12-2 -- Default zone in firewalld.conf was reseted with every restart (RHBZ#902845) -- Add icon cache related scriptlets for firewall-config (RHBZ#902680) -- Fix typo in firewall-config (RHBZ#895812) -- Fix few mistakes in firewall-cmd(1) man page - -* Mon Jan 14 2013 Thomas Woerner 0.2.12-1 -- firewall-cmd: use -V instead of -v for version info (RHBZ#886477) -- firewall-cmd: don't check reload()'s return value (RHBZ#886461) -- actually install firewalld.zones.5 -- firewall-config: treat exceptions when adding new zone/service/icmp - (RHBZ#886602) -- firewalld.spec: Fixed requirements of firewall-config to use gtk2 and - pygobject3 -- Fail gracefully when running in non X environment.(RHBZ#886551) -- offline-cmd: fail gracefully when no s-c-f config -- fix duplicated iptables rules (RHBZ#886515) -- detect errors and duplicates in config file (RHBZ#886581) -- firewall-config: don't make 'Edit Service' and 'Edit ICMP Type' insensitive -- firewalld.spec: fixed requirements, require pygobject3-base -- frewall-applet: Unused code cleanup -- firewall-applet: several usability fixes and enhancements - (RHBZ#886531) (RHBZ#886534) -- firewall/server/server.py: fixed KeyboardInterrupt message (RHBZ#886558) -- Moved fallback zone and 
minimal_mark to firewall.config.__init__ -- Do not raise ZONE_ALREADY_SET in change_zone if old zone is set again - (RHBZ#886432) -- Make default zone default for all unset connections/interfaces - (RHBZ#888288) (RHBZ#882736) -- firewall-config: Use Gtk.MessageType.WARNING for warning dialog -- firewall-config: Handle unknown services and icmptypes in persistent mode -- firewall-config: Do not load settings more than once -- firewall-config: UI cleanup and fixes (RHBZ#888242) -- firewall-cmd: created alias --change-zone for --change-interface -- firewall-cmd man page updates (RHBZ#806511) -- Merged branch 'build-cleanups' -- dropped call to autogen.sh in build stage, not needed anymore due to - 'build-cleanups' merge - -* Thu Dec 13 2012 Thomas Woerner 0.2.11-2 -- require pygobject3-base instead of pygobject3 (no cairo needed) (RHBZ#874378) -- fixed dependencies of firewall-config to use gtk3 with pygobject3-base and - not pygtk2 - -* Tue Dec 11 2012 Thomas Woerner 0.2.11-1 -- Fixed more _xmlplus (PyXML) incompatibilities to python xml -- Several man page updates -- Fixed error in addForwardPort, removeForwardPort and queryForwardPort -- firewall-cmd: use already existing queryForwardPort() -- Update firewall.cmd man page, use man page as firewall-cmd usage (rhbz#876394) -- firewall-config: Do not force to show labels in the main toolbar -- firewall-config: Dropped "Change default zone" from toolbar -- firewall-config: Added menu entry to change zones of connections -- firewall-applet: Zones can be changed now using nm-connection-editor - (rhbz#876661) -- translation updates: cs, hu, ja - -* Tue Nov 20 2012 Thomas Woerner 0.2.10-1 -- tests/firewalld_config.py: tests for config.service and config.icmptype -- FirewallClientConfigServiceSettings(): destinations are dict not list -- service/zone/icmptype: do not write deprecated name attribute -- New service ntp -- firewall-config: Fixed name of about dialog -- configure.in: Fixed getting of error codes -- Added coding 
to all pyhton files -- Fixed copyright years -- Beautified file headers -- Force use of pygobject3 in python-slip (RHBZ#874378) -- Log: firewall.server.config_icmptype, firewall.server.config_service and - firewall.server.config_zone: Prepend full path -- Allow ":" in interface names for interface aliases -- Add name argument to Updated and Renamed signal -- Disable IPv4, IPv6 and EB tables if missing - for IPv4/IPv6 only environments -- firewall-config.glade file cleanup -- firewall-config: loadDefaults() can throw exception -- Use toolbars for Add/Edit/Remove/LoadDefaults buttons for zones, services - and icmp types -- New vnc-server service, opens ports for displays :0 to :3 (RHBZ#877035) -- firewall-cmd: Fix typo in help output, allow default zone usage for - permanenent options -- Translation updates: cs, fr, ja, pt_BR and zh_CN - -* Wed Oct 17 2012 Thomas Woerner 0.2.9-1 -- firewall-config: some UI usability changes -- firewall-cmd: New option --list-all-zones, output of --list-all changed, - more option combination checks -- firewall-applet: Replaced NMClient by direct DBUS calls to fix python core - dumps in case of connection activates/deactivates -- Use fallback 'C' locale if current locale isn't supported (RHBZ#860278) -- Add interfaces to zones again after reload -- firewall-cmd: use FirewallClient().connected value -- firewall-cmd: --remove-interface was not working due to a typo -- Do not use restorecon for new and backup files -- Fixed use of properties REJECT and DROP -- firewalld_test.py: check interfaces after reload -- Translation updates -- Renamed firewall-convert-scfw-config to firewall-offline-cmd, used by - anaconda for firewall configuration (e.g. 
kickstart) -- Fix python shebang to use -Es at installation time for bin_SCRIPTS and - sbin_SCRIPTS and at all times in gtk3_chooserbutton.py -- tests/firewalld_config.py: update test_zones() test case -- Config interface: improve renaming of zones/services/icmp_types -- Move emiting of Added signals closer to source. -- FirewallClient(): config:ServiceAdded signal was wrongly mapped -- Add argument 'name' to Removed signal -- firewall-config: Add callbacks for config:[service|icmp]-[added|removed] -- firewall-config: catch INVALID_X error when removing zone/service/icmp_type -- firewall-config: remove unused code -- Revert "Neutralize _xmlplus instead of conforming it" -- firewall-applet: some UI usability changes -- firewall-cmd: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings - -* Fri Sep 7 2012 Thomas Woerner 0.2.8-1 -- Do not apply old settings to zones after reload -- FirewallClient: Added callback structure for firewalld signals -- New firewall-config with full zone, service and icmptype support -- Added Shields Up/Down configuration dialog to firewall-applet -- Name attribute of main tag deprecated for zones, services and icmptypes, - will be ignored if present -- Fixed wrong references in firewalld man page -- Unregister DBus interfaces after sending out the Removed signal -- Use proper DBus signature in addIcmpType, addService and addZone -- New builtin property for config interfaces -- New test case for Config interface -- spec: use new systemd-rpm macros (rhbz#850110) -- More config file verifications -- Lots of smaller fixes and enhancements - -* Tue Aug 21 2012 Jiri Popelka 0.2.7-2 -- use new systemd-rpm macros (rhbz#850110) - -* Mon Aug 13 2012 Thomas Woerner 0.2.7-1 -- Update of firewall-config -- Some bug fixes - -* Tue Aug 7 2012 Thomas Woerner 0.2.6-1 -- New D-BUS interface for persistent configuration -- Aded support for persistent zone configuration in firewall-cmd -- New Shields Up feature in firewall-applet -- New requirements for 
python-decorator and pygobject3 -- New firewall-config sub-package -- New firewall-convert-scfw-config config script - -* Fri Apr 20 2012 Thomas Woerner 0.2.5-1 -- Fixed traceback in firewall-cmd for failed or canceled authorization, - return proper error codes, new error codes NOT_RUNNING and NOT_AUTHORIZED -- Enhanced firewalld service file (RHBZ#806868) and (RHBZ#811240) -- Fixed duplicates in zone after reload, enabled timed settings after reload -- Removed conntrack --ctstate INVALID check from default ruleset, because it - results in ICMP problems (RHBZ#806017). -- Update interfaces in default zone after reload (rhbz#804814) -- New man pages for firewalld(1), firewalld.conf(5), firewalld.icmptype(5), - firewalld.service(5) and firewalld.zone(5), updated firewall-cmd man page - (RHBZ#811257) -- Fixed firewall-cmd help output -- Fixed missing icon for firewall-applet (RHBZ#808759) -- Added root user check for firewalld (RHBZ#767654) -- Fixed requirements of firewall-applet sub package (RHBZ#808746) -- Update interfaces in default zone after changing of default zone (RHBZ#804814) -- Start firewalld before NetworkManager (RHBZ#811240) -- Add Type=dbus and BusName to service file (RHBZ#811240) - -* Fri Mar 16 2012 Thomas Woerner 0.2.4-1 -- fixed firewalld.conf save exception if no temporary file can be written to - /etc/firewalld/ - -* Thu Mar 15 2012 Thomas Woerner 0.2.3-1 -- firewall-cmd: several changes and fixes -- code cleanup -- fixed icmp protocol used for ipv6 (rhbz#801182) -- added and fixed some comments -- properly restore zone settings, timeout is always set, check for 0 -- some FirewallError exceptions were actually not raised -- do not REJECT in each zone -- removeInterface() don't require zone -- new tests in firewall-test script -- dbus_to_python() was ignoring certain values -- added functions for the direct interface: chains, rules, passthrough -- fixed inconsistent data after reload -- some fixes for the direct interface: priority positions are 
bound to ipv, - table and chain -- added support for direct interface in firewall-cmd: -- added isImmutable(zone) to zone D-Bus interface -- renamed policy file -- enhancements for error messages, enables output for direct.passthrough -- added allow_any to firewald policies, using at leas auth_admin for policies -- replaced ENABLE_FAILED, DISABLE_FAILED, ADD_FAILED and REMOVE_FAILED by - COMMAND_FAILED, resorted error codes -- new firewalld configuration setting CleanupOnExit -- enabled polkit again, found a fix for property problem with slip.dbus.service -- added dhcpv6-client to 'public' (the default) and to 'internal' zones. -- fixed missing settings form zone config files in - "firewall-cmd --list=all --zone=" call -- added list functions for services and icmptypes, added --list=services and - --list=icmptypes to firewall-cmd - -* Tue Mar 6 2012 Thomas Woerner 0.2.2-1 -- enabled dhcpv6-client service for zones home and work -- new dhcpv6-client service -- firewall-cmd: query mode returns reversed values -- new zone.changeZone(zone, interface) -- moved zones, services and icmptypes to /usr/lib/firewalld, can be overloaded - by files in /etc/firewalld (no overload of immutable zones block, drop, - trusted) -- reset MinimalMark in firewalld.cnf to default value -- fixed service destination (addresses not used) -- fix xmlplus to be compatible with the python xml sax parser and python 3 - by adding __contains__ to xml.sax.xmlreader.AttributesImpl -- use icon and glib related post, postun and posttrans scriptes for firewall -- firewall-cmd: fix typo in state -- firewall-cmd: fix usage() -- firewall-cmd: fix interface action description in usage() -- client.py: fix definition of queryInterface() -- client.py: fix typo in getInterfaces() -- firewalld.service: do not fork -- firewall-cmd: fix bug in --list=port and --port action help message -- firewall-cmd: fix bug in --list=service - -* Mon Mar 5 2012 Thomas Woerner -- moved zones, services and icmptypes to 
/usr/lib/firewalld, can be overloaded - by files in /etc/firewalld (no overload of immutable zones block, drop, - trusted) - -* Tue Feb 21 2012 Thomas Woerner 0.2.1-1 -- added missing firewall.dbus_utils - -* Tue Feb 7 2012 Thomas Woerner 0.2.0-2 -- added glib2-devel to build requires, needed for gsettings.m4 -- added --with-system-unitdir arg to fix installaiton of system file -- added glib-compile-schemas calls for postun and posttrans -- added EXTRA_DIST file lists - -* Mon Feb 6 2012 Thomas Woerner 0.2.0-1 -- version 0.2.0 with new FirewallD1 D-BUS interface -- supports zones with a default zone -- new direct interface as a replacement of the partial virt interface with - additional passthrough functionality -- dropped custom rules, use direct interface instead -- dropped trusted interface funcionality, use trusted zone instead -- using zone, service and icmptype configuration files -- not using any system-config-firewall parts anymore - -* Mon Feb 14 2011 Thomas Woerner 0.1.3-1 -- new version 0.1.3 -- restore all firewall features for reload: panic and virt rules and chains -- string fixes for firewall-cmd man page (by Jiri Popelka) -- fixed firewall-cmd port list (by Jiri Popelka) -- added firewall dbus client connect check to firewall-cmd (by Jiri Popelka) -- translation updates: de, es, gu, it, ja, kn, ml, nl, or, pa, pl, ru, ta, - uk, zh_CN - -* Mon Jan 3 2011 Thomas Woerner 0.1.2-1 -- fixed package according to package review (rhbz#665395): - - non executable scripts: dropped shebang - - using newer GPL license file - - made /etc/dbus-1/system.d/FirewallD.conf config(noreplace) - - added requires(post) and (pre) for chkconfig - -* Mon Jan 3 2011 Thomas Woerner 0.1.1-1 -- new version 0.1.1 -- fixed source path in POTFILES* -- added missing firewall_config.py.in -- added misssing space for spec_ver line -- using firewall_config.VARLOGFILE -- added date to logging output -- also log fatal and error logs to stderr and firewall_config.VARLOGFILE -- make log 
message for active_firewalld fatal
-
-* Mon Dec 20 2010 Thomas Woerner 0.1-1
-- initial package (proof of concept implementation)
diff --git a/firewalld.spec b/firewalld.spec
new file mode 100644
index 0000000..51f05e4
--- /dev/null
+++ b/firewalld.spec
@@ -0,0 +1,285 @@ +Summary: A firewall daemon with D-Bus interface providing a dynamic firewall +Name: firewalld +Version: 2.3.0 +Release: 2%{?dist} +URL: http://www.firewalld.org +License: GPL-2.0-or-later +Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2 +Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch +BuildArch: noarch +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: desktop-file-utils +BuildRequires: gettext +BuildRequires: intltool +# glib2-devel is needed for gsettings.m4 +BuildRequires: glib2, glib2-devel +BuildRequires: systemd-units +BuildRequires: docbook-style-xsl +BuildRequires: libxslt +BuildRequires: iptables, ebtables, ipset +BuildRequires: python3-devel +BuildRequires: make +Recommends: iptables, ebtables, ipset +Suggests: iptables-nft +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires: firewalld-filesystem = %{version}-%{release} +Requires: python3-firewall = %{version}-%{release} +Obsoletes: firewalld-selinux < 0.4.4.2-2 +Conflicts: selinux-policy < 3.14.1-28 +Conflicts: cockpit-ws < 173-2 +Recommends: libcap-ng-python3 + +%description +firewalld is a firewall service daemon that provides a dynamic customizable +firewall with a D-Bus interface. + +%package -n python3-firewall +Summary: Python3 bindings for firewalld + +%{?python_provide:%python_provide python3-firewall} + +Requires: python3-dbus +Requires: python3-gobject-base +Requires: python3-nftables + +%description -n python3-firewall +Python3 bindings for firewalld. + +%package -n firewalld-filesystem +Summary: Firewalld directory layout and rpm macros + +%description -n firewalld-filesystem +This package provides directories and rpm macros which +are required by other packages that add firewalld configuration files. + +%package -n firewalld-test +Summary: Firewalld testsuite + +%description -n firewalld-test +This package provides the firewalld testsuite. 
+ +%package -n firewall-applet +Summary: Firewall panel applet +Requires: %{name} = %{version}-%{release} +Requires: firewall-config = %{version}-%{release} +Requires: python3-firewall = %{version}-%{release} +Requires: hicolor-icon-theme +%if (0%{?fedora} >= 39 || 0%{?rhel} >= 10) +Requires: python3-pyqt6-base +%else +Requires: python3-qt5-base +%endif +Requires: python3-gobject +Requires: libnotify +Requires: NetworkManager-libnm +Requires: dbus-x11 + +%description -n firewall-applet +The firewall panel applet provides a status information of firewalld and also +the firewall settings. + +%package -n firewall-config +Summary: Firewall configuration application +Requires: %{name} = %{version}-%{release} +Requires: python3-firewall = %{version}-%{release} +Requires: hicolor-icon-theme +Requires: gtk3 +Requires: python3-gobject +Requires: NetworkManager-libnm +Requires: dbus-x11 +Recommends: polkit + +%description -n firewall-config +The firewall configuration application provides an configuration interface for +firewalld. 
+ +%prep +%autosetup -p1 + +%build +%configure --enable-sysconfig --enable-rpmmacros \ + --with-systemd-unitdir=%{_unitdir} \ + PYTHON="%{__python3} %{py3_shbang_opts}" +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} +desktop-file-install --delete-original \ + --dir %{buildroot}%{_sysconfdir}/xdg/autostart \ + %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +desktop-file-install --delete-original \ + --dir %{buildroot}%{_datadir}/applications \ + %{buildroot}%{_datadir}/applications/firewall-config.desktop + +install -d -m 755 %{buildroot}%{_prefix}/lib/firewalld/zones/ + +%py_byte_compile %{__python3} %{buildroot}%{_datadir}/firewalld/gtk3_* + +%find_lang %{name} --all-name + +%post +%systemd_post firewalld.service + +%preun +%systemd_preun firewalld.service + +%postun +%systemd_postun_with_restart firewalld.service + +%pretrans -p +-- HACK: Old rpm versions had an untracked (%ghost) symlink for +-- /etc/firewalld/firewalld.conf. RPM won't handle replacing the symlink due to +-- "%config(noreplace)". As such, we remove the symlink here before attempting +-- to install the new version which is a real file. Only replace the symlink if +-- the target matches one of the previous package's expected targets. +-- +-- Unfortunately this must be done in pretrans in order to occur before RPM +-- makes decisions about file replacement. 
+-- +local old_package_symlinks = {"firewalld-standard.conf", "firewalld-server.conf", + "firewalld-workstation.conf"} +local symlink_target = posix.readlink("%{_sysconfdir}/firewalld/firewalld.conf") +for k,v in ipairs(old_package_symlinks) do + if symlink_target == v then + posix.unlink("%{_sysconfdir}/firewalld/firewalld.conf") + break + end +end + +%files -f %{name}.lang +%doc COPYING README.md +%{_sbindir}/firewalld +%{_bindir}/firewall-cmd +%{_bindir}/firewall-offline-cmd +%dir %{_datadir}/bash-completion/completions +%{_datadir}/bash-completion/completions/firewall-cmd +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_firewalld +%{_prefix}/lib/firewalld/icmptypes/*.xml +%{_prefix}/lib/firewalld/ipsets/README.md +%{_prefix}/lib/firewalld/policies/*.xml +%{_prefix}/lib/firewalld/services/*.xml +%{_prefix}/lib/firewalld/zones/*.xml +%{_prefix}/lib/firewalld/helpers/*.xml +%{_prefix}/lib/firewalld/xmlschema/check.sh +%{_prefix}/lib/firewalld/xmlschema/*.xsd +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld +%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/policies +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones +%defattr(0644,root,root) +%config(noreplace) %{_sysconfdir}/sysconfig/firewalld +%{_unitdir}/firewalld.service +%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy +%{_mandir}/man1/firewall*cmd*.1* +%{_mandir}/man1/firewalld*.1* +%{_mandir}/man5/firewall*.5* 
+%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/firewalld
+
+%files -n python3-firewall
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__
+%{python3_sitelib}/firewall/__pycache__/*.py*
+%{python3_sitelib}/firewall/*.py*
+%{python3_sitelib}/firewall/config/*.py*
+%{python3_sitelib}/firewall/config/__pycache__/*.py*
+%{python3_sitelib}/firewall/core/*.py*
+%{python3_sitelib}/firewall/core/__pycache__/*.py*
+%{python3_sitelib}/firewall/core/io/*.py*
+%{python3_sitelib}/firewall/core/io/__pycache__/*.py*
+%{python3_sitelib}/firewall/server/*.py*
+%{python3_sitelib}/firewall/server/__pycache__/*.py*
+
+%files -n firewalld-filesystem
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/helpers
+%dir %{_prefix}/lib/firewalld/icmptypes
+%dir %{_prefix}/lib/firewalld/ipsets
+%dir %{_prefix}/lib/firewalld/policies
+%dir %{_prefix}/lib/firewalld/services
+%dir %{_prefix}/lib/firewalld/zones
+%{_rpmmacrodir}/macros.firewalld
+
+%files -n firewalld-test
+%dir %{_datadir}/firewalld/testsuite
+%{_datadir}/firewalld/testsuite/README.md
+%{_datadir}/firewalld/testsuite/testsuite
+%dir %{_datadir}/firewalld/testsuite/integration
+%{_datadir}/firewalld/testsuite/integration/testsuite
+%dir %{_datadir}/firewalld/testsuite/python
+%{_datadir}/firewalld/testsuite/python/firewalld_config.py
+%{_datadir}/firewalld/testsuite/python/firewalld_direct.py
+%{_datadir}/firewalld/testsuite/python/firewalld_rich.py
+%{_datadir}/firewalld/testsuite/python/firewalld_misc.py
+
+%files -n firewall-applet
+%{_bindir}/firewall-applet
+%defattr(0644,root,root)
+%config(noreplace) %{_sysconfdir}/xdg/autostart/firewall-applet.desktop
+%dir %{_sysconfdir}/firewall
+%config(noreplace) %{_sysconfdir}/firewall/applet.conf
+%{_datadir}/icons/hicolor/*/apps/firewall-applet*.*
+%{_mandir}/man1/firewall-applet*.1*
+
+%files -n firewall-config
+%{_bindir}/firewall-config
+%defattr(0644,root,root)
+%{_datadir}/firewalld/firewall-config.glade
+%pycached %{_datadir}/firewalld/gtk3_chooserbutton.py
+%pycached %{_datadir}/firewalld/gtk3_niceexpander.py
+%{_datadir}/applications/firewall-config.desktop
+%{_datadir}/metainfo/firewall-config.appdata.xml
+%{_datadir}/icons/hicolor/*/apps/firewall-config*.*
+%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml
+%{_mandir}/man1/firewall-config*.1*
+
+%changelog
+* Wed Jan 15 2025 Eric Garver - 2.3.0-2
+- revert RHEL only patch to default StrictForwardPorts=yes
+
+* Tue Nov 05 2024 Eric Garver - 2.3.0-1
+- rebase package to v2.3.0
+
+* Tue Oct 29 2024 Troy Dawson - 2.2.1-2
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Wed Jul 24 2024 Eric Garver - 2.2.1-1
+- rebase package to v2.2.1
+
+* Fri Jul 12 2024 Eric Garver - 2.2.0-2
+- fix firewalld.conf when upgrading from old versions that had a symlink
+
+* Fri Jul 12 2024 Eric Garver - 2.2.0-1
+- rebase package to v2.2.0
+
+* Mon Jun 24 2024 Troy Dawson - 2.1.2-3
+- Bump release for June 2024 mass rebuild
+
+* Wed Apr 17 2024 Eric Garver - 2.1.2-2
+- fix missing policykit symlink
+
+* Tue Apr 16 2024 Eric Garver - 2.1.2-1
+- rebase package to v2.1.2
+
+* Mon Jan 29 2024 Eric Garver - 2.1.1-1
+- rebase package to v2.1.1
diff --git a/sources b/sources
new file mode 100644
index 0000000..35457e3
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (firewalld-2.3.0.tar.bz2) = 9a0fe1098c8bbb63bc4af04f56b7810d3d4e94be4247574daba64fb7a344488053f80426b7422c3a4620a54fee69a4264e1b0d66580757aac29aa65d723007c5