From bbae99e926d4c5762f615e8ac5383739b9e75c44 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Mon, 1 Jul 2024 10:54:49 -0400 Subject: [PATCH] feat(nftables): table ownership Resolves: RHEL-17002 --- ...tions-start-firewalld-with-file-logg.patch | 31 ++ ...v2.2.0-feat-nftables-table-ownership.patch | 417 ++++++++++++++++++ ...v2.2.0-test-nftables-table-ownership.patch | 69 +++ ...rvice-remove-Conflicts-with-nftables.patch | 29 ++ firewalld.spec | 9 +- 5 files changed, 554 insertions(+), 1 deletion(-) create mode 100644 0019-v2.2.0-test-functions-start-firewalld-with-file-logg.patch create mode 100644 0020-v2.2.0-feat-nftables-table-ownership.patch create mode 100644 0021-v2.2.0-test-nftables-table-ownership.patch create mode 100644 0022-v2.2.0-chore-service-remove-Conflicts-with-nftables.patch diff --git a/0019-v2.2.0-test-functions-start-firewalld-with-file-logg.patch b/0019-v2.2.0-test-functions-start-firewalld-with-file-logg.patch new file mode 100644 index 0000000..750810c --- /dev/null +++ b/0019-v2.2.0-test-functions-start-firewalld-with-file-logg.patch @@ -0,0 +1,31 @@ +From e031ce8e41d2fc23735be91f7070127f8812b490 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 21 Jun 2024 16:17:44 -0400 +Subject: [PATCH 19/22] v2.2.0: test(functions): start firewalld with file + logging + +This is a test environment. Trying to log to syslog does not make sense. +The default, mixed, sends to both file and syslog, but with different +log level settings. + +(cherry picked from commit 5e0c28d5f7f71a216485169610d8c72a3a3518d1) +--- + src/tests/functions.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index b2372dd4075b..d1c89ed5b982 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -9,7 +9,7 @@ m4_define([FWD_STOP_FIREWALLD], [ + ]) + + m4_define([FWD_START_FIREWALLD], [ +- FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --system-config ./" ++ FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --log-target file --system-config ./" + dnl if testsuite ran with debug flag, add debug output + ${at_debug_p} && FIREWALLD_ARGS="--debug=9 ${FIREWALLD_ARGS}" + if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then +-- +2.43.5 + diff --git a/0020-v2.2.0-feat-nftables-table-ownership.patch b/0020-v2.2.0-feat-nftables-table-ownership.patch new file mode 100644 index 0000000..0d116fe --- /dev/null +++ b/0020-v2.2.0-feat-nftables-table-ownership.patch @@ -0,0 +1,417 @@ +From ce75ad2920f457d5b2ce578ead5d8c64f0daa490 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 21 Jun 2024 17:38:29 -0400 +Subject: [PATCH 20/22] v2.2.0: feat(nftables): table ownership + +This allows using the nftables table flags "owner" and "persist". When +these are in use ONLY firewalld will be able to change the firewalld +table/rules. All other processes will be blocked. This enhances +firewalld robustness by guaranteeing that firewalld's rules can not be +modified without it's knowledge, e.g. by other entities. + +This also allows firewalld and nftables services to coexist. An "nft +flush ruleset" will NOT flush the "firewalld" table. + +Fixes: RHEL-17002 +(cherry picked from commit becd083fc2905921651af73cb15ce8c9aba9203b) +--- + config/firewalld.conf | 8 +++ + doc/xml/firewalld.conf.xml | 13 ++++ + doc/xml/firewalld.dbus.xml | 11 ++++ + src/firewall/config/__init__.py.in | 1 + + src/firewall/core/fw.py | 22 +++++++ + src/firewall/core/io/firewalld_conf.py | 6 +- + src/firewall/core/nftables.py | 83 ++++++++++++++++++++++---- + src/firewall/server/config.py | 16 +++-- + src/tests/dbus/firewalld.conf.at | 2 + + src/tests/regression/rhbz2222044.at | 5 ++ + 10 files changed, 150 insertions(+), 17 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index cf95af3eea8e..28345a13d54e 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -93,3 +93,11 @@ ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP + # internet. + # Defaults to "yes". + RFC3964_IPv4=yes ++ ++# NftablesTableOwner ++# If set to yes, the generated nftables rule set will be owned exclusively by ++# firewalld. This prevents other entities from mistakenly (or maliciously) ++# modifying firewalld's rule set. If you intentionally modify firewalld's ++# rules, then you will have to set this to "no". ++# Defaults to "yes". ++NftablesTableOwner=yes +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index 4b9bfdad15be..cf7134c04012 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -247,6 +247,19 @@ + + + ++ ++ ++ ++ ++ If set to yes, the generated nftables rule set will be owned exclusively by ++ firewalld. This prevents other entities from mistakenly (or maliciously) ++ modifying firewalld's rule set. If you intentionally modify firewalld's ++ rules, then you will have to set this to "no". ++ Defaults to "yes". ++ ++ ++ ++ + + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index f04cf5ae757b..00d7e8fbe5b1 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2905,6 +2905,17 @@ + + + ++ ++ NftablesTableOwner - s - (rw) ++ ++ ++ If set to yes, the generated nftables rule set will be owned exclusively by ++ firewalld. This prevents other entities from mistakenly (or maliciously) ++ modifying firewalld's rule set. If you intentionally modify firewalld's ++ rules, then you will have to set this to "no". ++ ++ ++ + + + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 2eda337e8180..16291fcf795a 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -138,3 +138,4 @@ FALLBACK_FLUSH_ALL_ON_RELOAD = True + FALLBACK_RELOAD_POLICY = "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP" + FALLBACK_RFC3964_IPV4 = True + FALLBACK_ALLOW_ZONE_DRIFTING = False ++FALLBACK_NFTABLES_TABLE_OWNER = True +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index f91ff53fc37a..557b6e527dbd 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -119,6 +119,7 @@ class Firewall(object): + self._flush_all_on_reload = config.FALLBACK_FLUSH_ALL_ON_RELOAD + self._rfc3964_ipv4 = config.FALLBACK_RFC3964_IPV4 + self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING ++ self._nftables_table_owner = config.FALLBACK_NFTABLES_TABLE_OWNER + + if self._offline: + self.ip4tables_enabled = False +@@ -290,6 +291,17 @@ class Firewall(object): + log.debug1("ebtables-restore is not supporting the --noflush " + "option, will therefore not be used") + ++ self.nftables_backend.probe_support() ++ ++ if ( ++ self._nftables_table_owner ++ and not self.nftables_backend.supports_table_owner ++ ): ++ log.info1( ++ "Configuration has NftablesTableOwner=True, but it's " ++ "not supported by nftables. Table ownership will be disabled." ++ ) ++ + def _start_load_firewalld_conf(self): + # load firewalld config + log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF) +@@ -378,6 +390,16 @@ class Firewall(object): + log.debug1("RFC3964_IPv4 is set to '%s'", + self._rfc3964_ipv4) + ++ if self._firewalld_conf.get("NftablesTableOwner"): ++ value = self._firewalld_conf.get("NftablesTableOwner") ++ if value.lower() in ["no", "false"]: ++ self._nftables_table_owner = False ++ else: ++ self._nftables_table_owner = True ++ log.debug1( ++ "NftablesTableOwner is set to '%s'", self._nftables_table_owner ++ ) ++ + self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) + + def _start_load_lockdown_whitelist(self): +diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py +index 20072e26cfcd..d5b47666c0f0 100644 +--- a/src/firewall/core/io/firewalld_conf.py ++++ b/src/firewall/core/io/firewalld_conf.py +@@ -32,7 +32,7 @@ valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", + "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", + "IndividualCalls", "LogDenied", "AutomaticHelpers", + "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", +- "AllowZoneDrifting", "ReloadPolicy" ] ++ "AllowZoneDrifting", "ReloadPolicy", "NftablesTableOwner" ] + + class firewalld_conf(object): + def __init__(self, filename): +@@ -81,6 +81,10 @@ class firewalld_conf(object): + self.set("ReloadPolicy", config.FALLBACK_RELOAD_POLICY) + self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no") + self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no") ++ self.set( ++ "NftablesTableOwner", ++ "yes" if config.FALLBACK_NFTABLES_TABLE_OWNER else "no", ++ ) + + def sanity_check(self): + if self.get("FirewallBackend") == "iptables" and self.get("IPv6_rpfilter") in ( +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 5a49b34e3a4f..8115bcb9d7f4 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -36,6 +36,7 @@ from nftables.nftables import Nftables + + TABLE_NAME = "firewalld" + TABLE_NAME_POLICY = TABLE_NAME + "_" + "policy_drop" ++TABLE_NAME_PROBE = TABLE_NAME + "_" + "probe" + POLICY_CHAIN_PREFIX = "policy_" + + # Map iptables (table, chain) to hooks and priorities. +@@ -169,6 +170,7 @@ class nftables(object): + def __init__(self, fw): + self._fw = fw + self.restore_command_exists = True ++ self.supports_table_owner = False + self.available_tables = [] + self.rule_to_handle = {} + self.rule_ref_count = {} +@@ -180,6 +182,57 @@ class nftables(object): + self.nftables.set_echo_output(True) + self.nftables.set_handle_output(True) + ++ def _probe_support_table_owner(self): ++ try: ++ rules = { ++ "nftables": [ ++ {"metainfo": {"json_schema_version": 1}}, ++ { ++ "add": { ++ "table": { ++ "family": "inet", ++ "name": TABLE_NAME_PROBE, ++ "flags": ["owner", "persist"], ++ } ++ } ++ }, ++ ] ++ } ++ ++ rc, output, _ = self.nftables.json_cmd(rules) ++ if rc: ++ raise ValueError("nftables probe table owner failed") ++ ++ # old nftables versions would ignore table flags in JSON, so we ++ # must parse back and verify the flags are set. ++ rules = { ++ "nftables": [ ++ {"metainfo": {"json_schema_version": 1}}, ++ {"list": {"table": {"family": "inet", "name": TABLE_NAME_PROBE}}}, ++ ] ++ } ++ self.nftables.set_echo_output(False) ++ rc, output, _ = self.nftables.json_cmd(rules) ++ self.nftables.set_echo_output(True) ++ flags = output["nftables"][1]["table"]["flags"] ++ ++ self.set_rule( ++ {"delete": {"table": {"family": "inet", "name": TABLE_NAME_PROBE}}}, ++ self._fw.get_log_denied(), ++ ) ++ ++ if "owner" not in flags or "persist" not in flags: ++ raise ValueError("nftables probe table owner failed") ++ ++ log.debug2("nftables: probe_support(): owner flag is supported.") ++ self.supports_table_owner = True ++ except: ++ log.debug2("nftables: probe_support(): owner flag is NOT supported.") ++ self.supports_table_owner = False ++ ++ def probe_support(self): ++ self._probe_support_table_owner() ++ + def _run_replace_zone_source(self, rule, zone_source_index_cache): + for verb in ["add", "insert", "delete"]: + if verb in rule: +@@ -401,16 +454,27 @@ class nftables(object): + # Tables always exist in nftables + return [table] if table else IPTABLES_TO_NFT_HOOK.keys() + ++ def _build_add_table_rules(self, table): ++ rule = {"add": {"table": {"family": "inet", "name": table}}} ++ ++ if ( ++ table == TABLE_NAME ++ and self._fw._nftables_table_owner ++ and self.supports_table_owner ++ ): ++ rule["add"]["table"]["flags"] = ["owner", "persist"] ++ ++ return [rule] ++ + def _build_delete_table_rules(self, table): + # To avoid nftables returning ENOENT we always add the table before + # deleting to guarantee it will exist. + # + # In the future, this add+delete should be replaced with "destroy", but + # that verb is too new to rely upon. +- return [{"add": {"table": {"family": "inet", +- "name": table}}}, +- {"delete": {"table": {"family": "inet", +- "name": table}}}] ++ return self._build_add_table_rules(table) + [ ++ {"delete": {"table": {"family": "inet", "name": table}}}, ++ ] + + def build_flush_rules(self): + self.rule_to_handle = {} +@@ -437,8 +501,7 @@ class nftables(object): + # a higher priority than our base chains is sufficient. + rules = [] + if policy == "PANIC": +- rules.append({"add": {"table": {"family": "inet", +- "name": TABLE_NAME_POLICY}}}) ++ rules.extend(self._build_add_table_rules(TABLE_NAME_POLICY)) + + # Use "raw" priority for panic mode. This occurs before + # conntrack, mangle, nat, etc +@@ -451,8 +514,7 @@ class nftables(object): + "prio": -300 + NFT_HOOK_OFFSET - 1, + "policy": "drop"}}}) + elif policy == "DROP": +- rules.append({"add": {"table": {"family": "inet", +- "name": TABLE_NAME_POLICY}}}) ++ rules.extend(self._build_add_table_rules(TABLE_NAME_POLICY)) + + # To drop everything except existing connections we use + # "filter" because it occurs _after_ conntrack. +@@ -511,10 +573,7 @@ class nftables(object): + return list(supported) + + def build_default_tables(self): +- default_tables = [] +- default_tables.append({"add": {"table": {"family": "inet", +- "name": TABLE_NAME}}}) +- return default_tables ++ return self._build_add_table_rules(TABLE_NAME) + + def build_default_rules(self, log_denied="off"): + default_rules = [] +diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py +index b805e497bb05..c07a1e6a2503 100644 +--- a/src/firewall/server/config.py ++++ b/src/firewall/server/config.py +@@ -110,6 +110,7 @@ class FirewallDConfig(DbusServiceObject): + "FlushAllOnReload": "readwrite", + "RFC3964_IPv4": "readwrite", + "AllowZoneDrifting": "readwrite", ++ "NftablesTableOwner": "readwrite", + } + ) + +@@ -565,7 +566,7 @@ class FirewallDConfig(DbusServiceObject): + "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", + "IndividualCalls", "LogDenied", "AutomaticHelpers", + "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", +- "AllowZoneDrifting", "IPv6_rpfilter2" ]: ++ "AllowZoneDrifting", "IPv6_rpfilter2", "NftablesTableOwner" ]: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " + "Property '%s' does not exist" % prop) +@@ -631,6 +632,10 @@ class FirewallDConfig(DbusServiceObject): + if value is None: + value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no" + return dbus.String(value) ++ elif prop == "NftablesTableOwner": ++ if value is None: ++ value = "yes" if config.FALLBACK_NFTABLES_TABLE_OWNER else "no" ++ return dbus.String(value) + + @dbus_handle_exceptions + def _get_dbus_property(self, prop): +@@ -662,6 +667,8 @@ class FirewallDConfig(DbusServiceObject): + return dbus.String(self._get_property(prop)) + elif prop == "AllowZoneDrifting": + return dbus.String(self._get_property(prop)) ++ elif prop == "NftablesTableOwner": ++ return dbus.String(self._get_property(prop)) + else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " +@@ -701,7 +708,7 @@ class FirewallDConfig(DbusServiceObject): + "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", + "IndividualCalls", "LogDenied", "AutomaticHelpers", + "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", +- "AllowZoneDrifting", "IPv6_rpfilter2" ]: ++ "AllowZoneDrifting", "IPv6_rpfilter2", "NftablesTableOwner" ]: + ret[x] = self._get_property(x) + elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, + config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: +@@ -730,11 +737,12 @@ class FirewallDConfig(DbusServiceObject): + "IPv6_rpfilter", "IndividualCalls", + "LogDenied", + "FirewallBackend", "FlushAllOnReload", +- "RFC3964_IPv4", "IPv6_rpfilter2"]: ++ "RFC3964_IPv4", "IPv6_rpfilter2", ++ "NftablesTableOwner" ]: + if property_name in [ "CleanupOnExit", "CleanupModulesOnExit", + "Lockdown", "IPv6_rpfilter", + "IndividualCalls", "FlushAllOnReload", +- "RFC3964_IPv4"]: ++ "RFC3964_IPv4", "NftablesTableOwner" ]: + if new_value.lower() not in [ "yes", "no", + "true", "false" ]: + raise FirewallError(errors.INVALID_VALUE, +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 61c220f3e59c..2ead41baa00a 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -30,6 +30,7 @@ string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALL + string "Lockdown" : variant string "no" + string "LogDenied" : variant string "off" + string "MinimalMark" : variant int32 100 ++string "NftablesTableOwner" : variant string "yes" + string "RFC3964_IPv4" : variant string "yes" + ]) + +@@ -54,6 +55,7 @@ _helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"]) + _helper([CleanupOnExit], [string:"no"], [variant string "no"]) + _helper([RFC3964_IPv4], [string:"no"], [variant string "no"]) + _helper([AllowZoneDrifting], [string:"yes"], [variant string "no"]) ++_helper([NftablesTableOwner], [string:"no"], [variant string "no"]) + dnl Note: DefaultZone is RO + m4_undefine([_helper]) + +diff --git a/src/tests/regression/rhbz2222044.at b/src/tests/regression/rhbz2222044.at +index 7e3454509188..2d0333865076 100644 +--- a/src/tests/regression/rhbz2222044.at ++++ b/src/tests/regression/rhbz2222044.at +@@ -2,6 +2,11 @@ FWD_START_TEST([duplicate rules after restart]) + AT_KEYWORDS(rhbz2222044) + AT_SKIP_IF([! NS_CMD([command -v wc >/dev/null 2>&1])]) + ++dnl Disable for this test because CI do not support table owner. It's very new ++dnl in nftables. ++AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=no/' ./firewalld.conf]) ++FWD_RELOAD() ++ + dnl rules have not changed so rule count should not change + m4_define([check_rule_count], [ + m4_if(nftables, FIREWALL_BACKEND, [ +-- +2.43.5 + diff --git a/0021-v2.2.0-test-nftables-table-ownership.patch b/0021-v2.2.0-test-nftables-table-ownership.patch new file mode 100644 index 0000000..2c90e8b --- /dev/null +++ b/0021-v2.2.0-test-nftables-table-ownership.patch @@ -0,0 +1,69 @@ +From bf91ea35e7faf66484bdae7d0b3260c4717ee39a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 18 Jun 2024 16:20:06 -0400 +Subject: [PATCH 21/22] v2.2.0: test(nftables): table ownership + +Coverage: RHEL-17002 +(cherry picked from commit e7728b843c2ec3a61dbe436575c977e2ad9c8674) +--- + src/tests/features/features.at | 1 + + src/tests/features/nftables_table_owner.at | 38 ++++++++++++++++++++++ + 2 files changed, 39 insertions(+) + create mode 100644 src/tests/features/nftables_table_owner.at + +diff --git a/src/tests/features/features.at b/src/tests/features/features.at +index 065cb2872e88..83ad9d122189 100644 +--- a/src/tests/features/features.at ++++ b/src/tests/features/features.at +@@ -21,3 +21,4 @@ m4_include([features/ipset.at]) + m4_include([features/reset_defaults.at]) + m4_include([features/iptables_no_flush_on_shutdown.at]) + m4_include([features/reloadpolicy.at]) ++m4_include([features/nftables_table_owner.at]) +diff --git a/src/tests/features/nftables_table_owner.at b/src/tests/features/nftables_table_owner.at +new file mode 100644 +index 000000000000..abc946da0ad7 +--- /dev/null ++++ b/src/tests/features/nftables_table_owner.at +@@ -0,0 +1,38 @@ ++m4_if(nftables, FIREWALL_BACKEND, [ ++FWD_START_TEST([nftables table owner]) ++AT_KEYWORDS(RHEL-17002) ++ ++AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=yes/' ./firewalld.conf]) ++FWD_RELOAD() ++ ++AT_SKIP_IF([grep "Configuration has NftablesTableOwner=True, but it's not supported by nftables." ./firewalld.log]) ++ ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl ++ table inet firewalld { # progname firewalld ++ flags owner,persist ++])]) ++ ++dnl Test the transitions from On to Off ++dnl ++ ++AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=no/' ./firewalld.conf]) ++FWD_RELOAD() ++ ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl ++ table inet firewalld { ++ chain mangle_PREROUTING { ++])]) ++ ++dnl Test the transitions from Off to On ++dnl ++ ++AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=yes/' ./firewalld.conf]) ++FWD_RELOAD() ++ ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl ++ table inet firewalld { # progname firewalld ++ flags owner,persist ++])]) ++ ++FWD_END_TEST() ++]) +-- +2.43.5 + diff --git a/0022-v2.2.0-chore-service-remove-Conflicts-with-nftables.patch b/0022-v2.2.0-chore-service-remove-Conflicts-with-nftables.patch new file mode 100644 index 0000000..f416968 --- /dev/null +++ b/0022-v2.2.0-chore-service-remove-Conflicts-with-nftables.patch @@ -0,0 +1,29 @@ +From 8d87974a34c055e0daee3a83f11c539fc98fd6bf Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 26 Jun 2024 15:31:38 -0400 +Subject: [PATCH 22/22] v2.2.0: chore(service): remove Conflicts with nftables + +Now that firewalld uses the table owner flag it can coexist with the +nftables service. + +(cherry picked from commit 9c6cb982981ad0aee5b85773823614ca7fd69073) +--- + config/firewalld.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/firewalld.service.in b/config/firewalld.service.in +index afbe0ac5def7..b757a08f28dc 100644 +--- a/config/firewalld.service.in ++++ b/config/firewalld.service.in +@@ -4,7 +4,7 @@ Before=network-pre.target + Wants=network-pre.target + After=dbus.service + After=polkit.service +-Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service ++Conflicts=iptables.service ip6tables.service ebtables.service ipset.service + Documentation=man:firewalld(1) + + [Service] +-- +2.43.5 + diff --git a/firewalld.spec b/firewalld.spec index 753f62f..f211caf 100644 --- a/firewalld.spec +++ b/firewalld.spec @@ -1,7 +1,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 1.3.4 -Release: 6%{?dist} +Release: 7%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2 @@ -23,6 +23,10 @@ Patch15: 0015-v2.2.0-chore-IPv6_rpfilter-prepare-for-new-config-va.patch Patch16: 0016-v2.2.0-feat-IPv6_rpfilter-support-loose-rpfilter.patch Patch17: 0017-v2.2.0-feat-IPv6_rpfilter-support-loose-forward-rpfi.patch Patch18: 0018-v2.2.0-feat-IPv6_rpfilter-support-strict-forward-rpf.patch +Patch19: 0019-v2.2.0-test-functions-start-firewalld-with-file-logg.patch +Patch20: 0020-v2.2.0-feat-nftables-table-ownership.patch +Patch21: 0021-v2.2.0-test-nftables-table-ownership.patch +Patch22: 0022-v2.2.0-chore-service-remove-Conflicts-with-nftables.patch BuildArch: noarch BuildRequires: autoconf BuildRequires: automake @@ -246,6 +250,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite %{_mandir}/man1/firewall-config*.1* %changelog +* Mon Jul 01 2024 Eric Garver - 1.3.4-7 +- feat(nftables): table ownership + * Mon Jul 01 2024 Eric Garver - 1.3.4-6 - feat(IPv6_rpfilter): support loose rpfilter - feat(IPv6_rpfilter): support loose-forward rpfilter