Another fix for RHBZ#912782

firewalld-0.2.12-bz912782_2.patch

@@ -0,0 +1,72 @@
+From 41a1a4c69448991bb89b22081b29bffe47bfcca1 Mon Sep 17 00:00:00 2001
+From: Jiri Popelka <jpopelka@redhat.com>
+Date: Wed, 6 Mar 2013 17:21:00 +0100
+Subject: [PATCH] FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains
+ (RHBZ#912782)
+
+We need to separate top-level FORWARD_ZONES chain
+into these two chains to be able to correctly match
+rules for input and output interface, see
+https://bugzilla.redhat.com/show_bug.cgi?id=912782#c11
+---
+ src/firewall/core/base.py      |  4 ++--
+ src/firewall/core/fw_zone.py   |  2 +-
+ src/firewall/core/ipXtables.py | 10 ++++++----
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/firewall/core/base.py b/src/firewall/core/base.py
+index b89870d..1dcf30b 100644
+--- a/src/firewall/core/base.py
++++ b/src/firewall/core/base.py
+@@ -44,8 +44,8 @@ INTERFACE_ZONE_SRC = {
+     "PREROUTING": "PREROUTING",
+     "POSTROUTING": "POSTROUTING",
+     "INPUT": "INPUT",
+-    "FORWARD_IN": "FORWARD",
+-    "FORWARD_OUT": "FORWARD",
++    "FORWARD_IN": "FORWARD_IN",
++    "FORWARD_OUT": "FORWARD_OUT",
+     "OUTPUT": "OUTPUT",
+ }
+ 
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 2b0ac8b..c72055e 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -264,7 +264,7 @@ class FirewallZone:
+                     target = self._zones[zone].target.format(
+                         chain=SHORTCUTS[chain], zone=zone)
+                     if target in [ "REJECT", "%%REJECT%%" ] and \
+-                            src_chain not in [ "INPUT", "FORWARD", "OUTPUT" ]:
++                            src_chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
+                         # REJECT is only valid in the INPUT, FORWARD and
+                         # OUTPUT chains, and user-defined chains which are 
+                         # only called from those chains
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index d172151..311f9e4 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -83,14 +83,16 @@ DEFAULT_RULES["filter"] = [
+     "-I INPUT 6 -j %%REJECT%%",
+ 
+     "-N FORWARD_direct",
+-    "-N FORWARD_ZONES",
++    "-N FORWARD_IN_ZONES",
++    "-N FORWARD_OUT_ZONES",
+ 
+     "-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+     "-I FORWARD 2 -i lo -j ACCEPT",
+     "-I FORWARD 3 -j FORWARD_direct",
+-    "-I FORWARD 4 -j FORWARD_ZONES",
+-    "-I FORWARD 5 -p %%ICMP%% -j ACCEPT",
+-    "-I FORWARD 6 -j %%REJECT%%",
++    "-I FORWARD 4 -j FORWARD_IN_ZONES",
++    "-I FORWARD 5 -j FORWARD_OUT_ZONES",
++    "-I FORWARD 6 -p %%ICMP%% -j ACCEPT",
++    "-I FORWARD 7 -j %%REJECT%%",
+ 
+     "-N OUTPUT_direct",
+ 
+-- 
+1.8.1.4
+

firewalld.spec

@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-BUS interface providing a dynamic firewall
 Name: firewalld
 Version: 0.2.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 URL: http://fedorahosted.org/firewalld
 License: GPLv2+
 ExclusiveOS: Linux
@@ -14,6 +14,7 @@ Patch0: firewalld-0.2.6-MDNS-default.patch
 Patch1: firewalld-0.2.12-conf.patch
 Patch2: firewalld-0.2.12-gtk.patch
 Patch3: firewalld-0.2.12-bz912782.patch
+Patch4: firewalld-0.2.12-bz912782_2.patch
 BuildRequires: desktop-file-utils
 BuildRequires: gettext
 BuildRequires: intltool
@@ -82,6 +83,7 @@ firewalld.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 %configure --with-systemd-unitdir=%{_unitdir}
@@ -198,6 +200,9 @@ fi
 %{_datadir}/icons/hicolor/*/apps/firewall-config*.*
 
 %changelog
+* Thu Mar 07 2013 Jiri Popelka <jpopelka@redhat.com> - 0.2.12-4
+- Another fix for RHBZ#912782
+
 * Wed Feb 20 2013 Jiri Popelka <jpopelka@redhat.com> - 0.2.12-3
 - Stop default zone rules being applied to all zones (RHBZ#912782)