rebase to v0.6.0

This commit is contained in:
Eric Garver 2018-07-19 17:54:30 -04:00
parent 00cd29af08
commit cb592bb50d
4 changed files with 13 additions and 105 deletions

1
.gitignore vendored
View File

@ -49,3 +49,4 @@
/firewalld-0.5.1.tar.gz /firewalld-0.5.1.tar.gz
/firewalld-0.5.2.tar.gz /firewalld-0.5.2.tar.gz
/firewalld-0.5.3.tar.gz /firewalld-0.5.3.tar.gz
/firewalld-0.6.0.tar.gz

View File

@ -1,48 +0,0 @@
From 0cf02b4c0d4a3b7f55ded6d4d41cf184bc1881e0 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 3 Jul 2018 09:12:28 -0400
Subject: [PATCH] IPv6 rpfilter: explicitly allow neighbor solicitation
Some kernel versions (4.16-4.17) have a bug which causes the rpfilter
extension to not match neighbor solicitation frames. This causes the
IPv6 rpfilter to mistakenly drop them. Lets work around the buggy kernel
versions by explicitly allowing neighbor solicitation.
Fixes: rhbz 1575431
(cherry picked from commit 3d6a5063566319b5df58c6f738f203e88724961e)
---
src/firewall/core/ipXtables.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 437808027155..c2aac90d838c 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -474,16 +474,21 @@ class ip6tables(ip4tables):
def apply_rpfilter_rules(self, transaction, log_denied=False):
transaction.add_rule(self.ipv,
- [ "-I", "PREROUTING", "1", "-t", "raw",
+ [ "-I", "PREROUTING", "1", "-t", "raw",
+ "-p", "ipv6-icmp",
+ "--icmpv6-type=neighbour-solicitation",
+ "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
+ transaction.add_rule(self.ipv,
+ [ "-I", "PREROUTING", "2", "-t", "raw",
"-p", "ipv6-icmp",
"--icmpv6-type=router-advertisement",
"-j", "ACCEPT" ]) # RHBZ#1058505
transaction.add_rule(self.ipv,
- [ "-I", "PREROUTING", "2", "-t", "raw",
+ [ "-I", "PREROUTING", "3", "-t", "raw",
"-m", "rpfilter", "--invert", "-j", "DROP" ])
if log_denied != "off":
transaction.add_rule(self.ipv,
- [ "-I", "PREROUTING", "2", "-t", "raw",
+ [ "-I", "PREROUTING", "3", "-t", "raw",
"-m", "rpfilter", "--invert",
"-j", "LOG",
"--log-prefix", "rpfilter_DROP: " ])
--
2.16.3

View File

@ -1,18 +1,13 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld Name: firewalld
Version: 0.5.3 Version: 0.6.0
Release: 4%{?dist} Release: 1%{?dist}
URL: http://www.firewalld.org URL: http://www.firewalld.org
License: GPLv2+ License: GPLv2+
Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
%if 0%{?fedora}
Source1: FedoraServer.xml Source1: FedoraServer.xml
Source2: FedoraWorkstation.xml Source2: FedoraWorkstation.xml
%endif
%if 0%{?fedora}
Patch0: firewalld-0.2.6-MDNS-default.patch Patch0: firewalld-0.2.6-MDNS-default.patch
Patch1: 0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch
%endif
BuildArch: noarch BuildArch: noarch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -25,33 +20,19 @@ BuildRequires: systemd-units
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: iptables, ebtables, ipset BuildRequires: iptables, ebtables, ipset
BuildRequires: nftables
BuildRequires: python3-devel BuildRequires: python3-devel
Requires: iptables, ebtables, ipset Requires: iptables, ebtables, ipset
Requires: nftables >= 0.9.0
Requires: kernel >= 4.18.0
Requires(post): systemd Requires(post): systemd
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
Requires: firewalld-filesystem = %{version}-%{release} Requires: firewalld-filesystem = %{version}-%{release}
Requires: python3-firewall = %{version}-%{release} Requires: python3-firewall = %{version}-%{release}
%if 0%{?fedora} == 23
Conflicts: selinux-policy < 3.13.1-158.25
%endif
%if 0%{?fedora} == 24
Conflicts: selinux-policy < 3.13.1-191.23
%endif
%if 0%{?fedora} == 25
Conflicts: selinux-policy < 3.13.1-225
%endif
%if 0%{?fedora} > 25
Conflicts: selinux-policy < 3.13.1-227
%endif
%if 0%{?rhel} >= 7
Conflicts: selinux-policy < 3.13.1-89
Conflicts: squid < 7:3.5.10-1
%endif
# Obsolete firewalld-selinux-0.4.4.2-1
Obsoletes: firewalld-selinux < 0.4.4.2-2 Obsoletes: firewalld-selinux < 0.4.4.2-2
Conflicts: selinux-policy < 3.14.1-28
%if 0%{?fedora} > 21
Provides: variant_config(Server) Provides: variant_config(Server)
Provides: variant_config(Workstation) Provides: variant_config(Workstation)
@ -60,7 +41,6 @@ Obsoletes: firewalld-config-standard <= 0.3.15
Obsoletes: firewalld-config-cloud <= 0.3.15 Obsoletes: firewalld-config-cloud <= 0.3.15
Obsoletes: firewalld-config-server <= 0.3.15 Obsoletes: firewalld-config-server <= 0.3.15
Obsoletes: firewalld-config-workstation <= 0.3.15 Obsoletes: firewalld-config-workstation <= 0.3.15
%endif
%description %description
firewalld is a firewall service daemon that provides a dynamic customizable firewalld is a firewall service daemon that provides a dynamic customizable
@ -76,11 +56,7 @@ Obsoletes: python2-firewall < 0.5.2-2
Requires: python3-dbus Requires: python3-dbus
Requires: python3-slip-dbus Requires: python3-slip-dbus
Requires: python3-decorator Requires: python3-decorator
%if (0%{?fedora} >= 23 || 0%{?rhel} >= 8)
Requires: python3-gobject-base Requires: python3-gobject-base
%else
Requires: python3-gobject
%endif
%description -n python3-firewall %description -n python3-firewall
Python3 bindings for firewalld. Python3 bindings for firewalld.
@ -97,11 +73,7 @@ Summary: Firewall panel applet
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
Requires: firewall-config = %{version}-%{release} Requires: firewall-config = %{version}-%{release}
Requires: hicolor-icon-theme Requires: hicolor-icon-theme
%if 0%{?fedora} >= 26
Requires: python3-qt5-base Requires: python3-qt5-base
%else
Requires: python3-qt5
%endif
Requires: python3-gobject Requires: python3-gobject
Requires: libnotify Requires: libnotify
Requires: NetworkManager-libnm Requires: NetworkManager-libnm
@ -127,8 +99,6 @@ firewalld.
%prep %prep
%autosetup -p1 %autosetup -p1
./autogen.sh ./autogen.sh
sed -i -e 's|/usr/bin/python -Es|%{__python3} -Es|' ./fix_python_shebang.sh
sed -i 's|/usr/bin/python|%{__python3}|' ./config/lockdown-whitelist.xml
%build %build
%configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3} %configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3}
@ -145,7 +115,6 @@ desktop-file-install --delete-original \
--dir %{buildroot}%{_datadir}/applications \ --dir %{buildroot}%{_datadir}/applications \
%{buildroot}%{_datadir}/applications/firewall-config.desktop %{buildroot}%{_datadir}/applications/firewall-config.desktop
%if 0%{?fedora} > 20
install -d -m 755 %{buildroot}%{_prefix}/lib/firewalld/zones/ install -d -m 755 %{buildroot}%{_prefix}/lib/firewalld/zones/
install -c -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/zones/FedoraServer.xml install -c -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/zones/FedoraServer.xml
install -c -m 644 %{SOURCE2} %{buildroot}%{_prefix}/lib/firewalld/zones/FedoraWorkstation.xml install -c -m 644 %{SOURCE2} %{buildroot}%{_prefix}/lib/firewalld/zones/FedoraWorkstation.xml
@ -167,7 +136,6 @@ sed -i 's|^DefaultZone=.*|DefaultZone=FedoraWorkstation|g' \
%{buildroot}%{_sysconfdir}/firewalld/firewalld-workstation.conf %{buildroot}%{_sysconfdir}/firewalld/firewalld-workstation.conf
rm -f %{buildroot}%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy rm -f %{buildroot}%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
%endif
%find_lang %{name} --all-name %find_lang %{name} --all-name
@ -180,7 +148,6 @@ rm -f %{buildroot}%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.poli
%postun %postun
%systemd_postun_with_restart firewalld.service %systemd_postun_with_restart firewalld.service
%if 0%{?fedora} > 21
%posttrans %posttrans
# If we don't yet have a symlink or existing file for firewalld.conf, # If we don't yet have a symlink or existing file for firewalld.conf,
# create it. Note: this will intentionally reset the policykit policy # create it. Note: this will intentionally reset the policykit policy
@ -213,14 +180,12 @@ if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; th
ln -sf org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || : ln -sf org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
esac esac
fi fi
%endif
%files -f %{name}.lang %files -f %{name}.lang
%doc COPYING README %doc COPYING README
%{_sbindir}/firewalld %{_sbindir}/firewalld
%{_bindir}/firewall-cmd %{_bindir}/firewall-cmd
%{_bindir}/firewall-offline-cmd %{_bindir}/firewall-offline-cmd
%{_bindir}/firewallctl
%dir %{_datadir}/bash-completion/completions %dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/firewall-cmd %{_datadir}/bash-completion/completions/firewall-cmd
%{_prefix}/lib/firewalld/icmptypes/*.xml %{_prefix}/lib/firewalld/icmptypes/*.xml
@ -228,18 +193,11 @@ fi
%{_prefix}/lib/firewalld/services/*.xml %{_prefix}/lib/firewalld/services/*.xml
%{_prefix}/lib/firewalld/zones/*.xml %{_prefix}/lib/firewalld/zones/*.xml
%{_prefix}/lib/firewalld/helpers/*.xml %{_prefix}/lib/firewalld/helpers/*.xml
%{_prefix}/lib/firewalld/xmlschema/check.sh
%{_prefix}/lib/firewalld/xmlschema/*.xsd
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld %attr(0750,root,root) %dir %{_sysconfdir}/firewalld
%if 0%{?fedora} > 21
%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf %ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
%config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf %config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf
%config(noreplace) %{_sysconfdir}/firewalld/firewalld-server.conf %config(noreplace) %{_sysconfdir}/firewalld/firewalld-server.conf
%config(noreplace) %{_sysconfdir}/firewalld/firewalld-workstation.conf %config(noreplace) %{_sysconfdir}/firewalld/firewalld-workstation.conf
%endif
%if 0%{?rhel} >= 8
%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
%endif
%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml %config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
@ -252,14 +210,8 @@ fi
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
%if 0%{?fedora} > 21
%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy %ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
%endif
%if 0%{?rhel} >= 8
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
%endif
%{_mandir}/man1/firewall*cmd*.1* %{_mandir}/man1/firewall*cmd*.1*
%{_mandir}/man1/firewallctl*.1*
%{_mandir}/man1/firewalld*.1* %{_mandir}/man1/firewalld*.1*
%{_mandir}/man5/firewall*.5* %{_mandir}/man5/firewall*.5*
%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
@ -293,7 +245,6 @@ fi
%dir %{_prefix}/lib/firewalld/ipsets %dir %{_prefix}/lib/firewalld/ipsets
%dir %{_prefix}/lib/firewalld/services %dir %{_prefix}/lib/firewalld/services
%dir %{_prefix}/lib/firewalld/zones %dir %{_prefix}/lib/firewalld/zones
%dir %{_prefix}/lib/firewalld/xmlschema
%{_rpmconfigdir}/macros.d/macros.firewalld %{_rpmconfigdir}/macros.d/macros.firewalld
%files -n firewall-applet %files -n firewall-applet
@ -318,6 +269,10 @@ fi
%{_mandir}/man1/firewall-config*.1* %{_mandir}/man1/firewall-config*.1*
%changelog %changelog
* Thu Jul 19 2018 Eric Garver <egarver@redhat.com> - 0.6.0-1
- rebase package to v0.6.0
- simplify spec file
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.3-4 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

View File

@ -1 +1 @@
SHA512 (firewalld-0.5.3.tar.gz) = be6074f1b02d42635c7f03a32372290365229caef91fda72c3c29cf3d2e4232e1901a79ccd27357e0cb69db9fc22730c957d479eefe0070c690fddabdcd0799d SHA512 (firewalld-0.6.0.tar.gz) = 38f757c9cdfdd3cc2765c94253581f01bad2f9ce279f96add0f4c6517200452ce1e38ed5b08fb2fba34b064cf93de0cdb50e8e10bf42efea0bc34032716dd5b6