From d79f3b30242e75fba4177c9eeeea707cd43746c7 Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Thu, 7 Mar 2013 10:52:21 +0100
Subject: [PATCH] Another fix for RHBZ#912782

---
 firewalld-0.2.12-bz912782_2.patch | 72 +++++++++++++++++++++++++++++++
 firewalld.spec | 7 ++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 firewalld-0.2.12-bz912782_2.patch

diff --git a/firewalld-0.2.12-bz912782_2.patch b/firewalld-0.2.12-bz912782_2.patch
new file mode 100644
index 0000000..076a78a
--- /dev/null
+++ b/firewalld-0.2.12-bz912782_2.patch
@@ -0,0 +1,72 @@
+From 41a1a4c69448991bb89b22081b29bffe47bfcca1 Mon Sep 17 00:00:00 2001
+From: Jiri Popelka
+Date: Wed, 6 Mar 2013 17:21:00 +0100
+Subject: [PATCH] FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains
+ (RHBZ#912782)
+
+We need to separate top-level FORWARD_ZONES chain
+into these two chains to be able to correctly match
+rules for input and output interface, see
+https://bugzilla.redhat.com/show_bug.cgi?id=912782#c11
+---
+ src/firewall/core/base.py | 4 ++--
+ src/firewall/core/fw_zone.py | 2 +-
+ src/firewall/core/ipXtables.py | 10 ++++++----
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/firewall/core/base.py b/src/firewall/core/base.py
+index b89870d..1dcf30b 100644
+--- a/src/firewall/core/base.py
++++ b/src/firewall/core/base.py
+@@ -44,8 +44,8 @@ INTERFACE_ZONE_SRC = {
+ "PREROUTING": "PREROUTING",
+ "POSTROUTING": "POSTROUTING",
+ "INPUT": "INPUT",
+- "FORWARD_IN": "FORWARD",
+- "FORWARD_OUT": "FORWARD",
++ "FORWARD_IN": "FORWARD_IN",
++ "FORWARD_OUT": "FORWARD_OUT",
+ "OUTPUT": "OUTPUT",
+ }
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 2b0ac8b..c72055e 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -264,7 +264,7 @@ class FirewallZone:
+ target = self._zones[zone].target.format(
+ chain=SHORTCUTS[chain], zone=zone)
+ if target in [ "REJECT", "%%REJECT%%" ] and \
+- src_chain not in [ "INPUT", "FORWARD", "OUTPUT" ]:
++ src_chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
+ # REJECT is only valid in the INPUT, FORWARD and
+ # OUTPUT chains, and user-defined chains which are
+ # only called from those chains
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index d172151..311f9e4 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -83,14 +83,16 @@ DEFAULT_RULES["filter"] = [
+ "-I INPUT 6 -j %%REJECT%%",
+
+ "-N FORWARD_direct",
+- "-N FORWARD_ZONES",
++ "-N FORWARD_IN_ZONES",
++ "-N FORWARD_OUT_ZONES",
+
+ "-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+ "-I FORWARD 2 -i lo -j ACCEPT",
+ "-I FORWARD 3 -j FORWARD_direct",
+- "-I FORWARD 4 -j FORWARD_ZONES",
+- "-I FORWARD 5 -p %%ICMP%% -j ACCEPT",
+- "-I FORWARD 6 -j %%REJECT%%",
++ "-I FORWARD 4 -j FORWARD_IN_ZONES",
++ "-I FORWARD 5 -j FORWARD_OUT_ZONES",
++ "-I FORWARD 6 -p %%ICMP%% -j ACCEPT",
++ "-I FORWARD 7 -j %%REJECT%%",
+
+ "-N OUTPUT_direct",
+
+--
+1.8.1.4
+
diff --git a/firewalld.spec b/firewalld.spec
index 4c3b00b..4b6bff5 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-BUS interface providing a dynamic firewall
 Name: firewalld
 Version: 0.2.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 URL: http://fedorahosted.org/firewalld
 License: GPLv2+
 ExclusiveOS: Linux
@@ -14,6 +14,7 @@ Patch0: firewalld-0.2.6-MDNS-default.patch
 Patch1: firewalld-0.2.12-conf.patch
 Patch2: firewalld-0.2.12-gtk.patch
 Patch3: firewalld-0.2.12-bz912782.patch
+Patch4: firewalld-0.2.12-bz912782_2.patch
 BuildRequires: desktop-file-utils
 BuildRequires: gettext
 BuildRequires: intltool
@@ -82,6 +83,7 @@ firewalld.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 %configure --with-systemd-unitdir=%{_unitdir}
@@ -198,6 +200,9 @@ fi
 %{_datadir}/icons/hicolor/*/apps/firewall-config*.*
 
 %changelog
+* Thu Mar 07 2013 Jiri Popelka - 0.2.12-4
+- Another fix for RHBZ#912782
+
 * Wed Feb 20 2013 Jiri Popelka - 0.2.12-3
 - Stop default zone rules being applied to all zones (RHBZ#912782)
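Review bot: The new FORWARD ordering in ipXtables.py makes the input-interface zone decisive for forwarded traffic: `-I FORWARD 4 -j FORWARD_IN_ZONES` runs before `-I FORWARD 5 -j FORWARD_OUT_ZONES`, so whenever the in-zone chain ends in a terminal target (ACCEPT, or the REJECT that the fw_zone.py whitelist now explicitly permits for FORWARD_IN) the output-interface zone's rules are never consulted for that packet, and only packets the in-zone chain returns from reach FORWARD_OUT_ZONES. Whether the per-zone chains return or terminate is not visible in this hunk, so if that precedence is intended it should be recorded next to the two rules, e.g. `# in-zone (-i) rules are evaluated first; out-zone (-o) rules only see packets the in-zone chain did not terminate`, and if it is not intended a policy that wants the more restrictive zone to win needs the out-zone evaluated before any ACCEPT. The unchanged comment in fw_zone.py, `# REJECT is only valid in the INPUT, FORWARD and OUTPUT chains`, should also say that FORWARD_IN and FORWARD_OUT are logical names for chains reached only from FORWARD, since the whitelist now carries names that are not netfilter chains and the INTERFACE_ZONE_SRC values no longer name a real chain either. The INTERFACE_ZONE_SRC dict, the FirewallZone method and the DEFAULT_RULES["filter"] list all start or end outside this hunk.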