From dcf3c6db0375bd2f041674259423fe92d7a0dc74 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Thu, 26 Oct 2023 09:09:07 -0400 Subject: [PATCH] rebase to v1.3.4 Resolves: RHEL-14485 Resolves: RHEL-5975 Resolves: RHEL-5802 Resolves: RHEL-427 --- .gitignore | 1 + ...Add-cockpit-by-default-to-some-zones.patch | 16 +++++----- ...t-atlocal-pass-EBTABLES-to-testsuite.patch | 8 ++--- ...ct-avoid-iptables-flush-if-using-nft.patch | 21 ++++++------ ...ct-avoid-iptables-flush-if-using-nft.patch | 32 +++++++++---------- firewalld.spec | 7 ++-- sources | 2 +- 7 files changed, 45 insertions(+), 42 deletions(-) diff --git a/.gitignore b/.gitignore index 87a11aa..5144411 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,4 @@ /firewalld-1.1.1.tar.gz /firewalld-1.2.1.tar.gz /firewalld-1.2.5.tar.gz +/firewalld-1.3.4.tar.bz2 diff --git a/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch b/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch index cc703c8..3a97961 100644 --- a/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch +++ b/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch @@ -1,4 +1,4 @@ -From f3fa74bb2710b0089db4026443ae67c4cabae1e1 Mon Sep 17 00:00:00 2001 +From f113f17734cfb964bd2b72f233c48e650e205cb9 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Tue, 25 May 2021 13:31:41 -0400 Subject: [PATCH 1/4] RHEL only: Add cockpit by default to some zones @@ -58,19 +58,19 @@ index f1a14a9b4682..27b54a7783c4 100644 diff --git a/src/tests/features/startup_failsafe.at b/src/tests/features/startup_failsafe.at -index d251d354abfb..5178f40cec46 100644 +index 3cdf7c3c307a..b9401d460114 100644 --- a/src/tests/features/startup_failsafe.at +++ b/src/tests/features/startup_failsafe.at 
@@ -20,6 +20,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl chain filter_IN_public_allow { - tcp dport 22 ct state new,untracked accept - ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept -+ tcp dport 9090 ct state new,untracked accept - tcp dport 443 ct state new,untracked accept + tcp dport 22 accept + ip6 daddr fe80::/64 udp dport 546 accept ++ tcp dport 9090 accept + tcp dport 443 accept } } diff --git a/src/tests/functions.at b/src/tests/functions.at -index aea87c1cb4fc..4ef61a3147a4 100644 +index 244d24686c86..ad3462c6715f 100644 --- a/src/tests/functions.at +++ b/src/tests/functions.at @@ -128,6 +128,14 @@ m4_define([FWD_START_TEST], [ @@ -108,5 +108,5 @@ index aea87c1cb4fc..4ef61a3147a4 100644 ]) -- -2.39.1 +2.39.3 diff --git a/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch b/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch index 17f84f8..0cb67f2 100644 --- a/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch +++ b/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch @@ -1,4 +1,4 @@ -From c1aadce88b0adc4e116254a80f3a7f4634958e01 Mon Sep 17 00:00:00 2001 +From 0598abdbc3dd1816e9cc19186de9e95c6485519d Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Tue, 31 Jan 2023 09:24:56 -0500 Subject: [PATCH 2/4] v1.4.0: test(atlocal): pass EBTABLES to testsuite @@ -21,7 +21,7 @@ index 8c5493ac38df..595a96f0f5c9 100644 export IPTABLES_RESTORE="@IPTABLES_RESTORE@" export IP6TABLES="@IP6TABLES@" diff --git a/src/tests/functions.at b/src/tests/functions.at -index 4ef61a3147a4..50fb6bfb4541 100644 +index ad3462c6715f..f454ca980046 100644 --- a/src/tests/functions.at +++ b/src/tests/functions.at @@ -104,6 +104,7 @@ m4_define([FWD_START_TEST], [ 
@@ -32,7 +32,7 @@ index 4ef61a3147a4..50fb6bfb4541 100644 test -z "$IPTABLES" && export IPTABLES="iptables" test -z "$IPTABLES_RESTORE" && export IPTABLES_RESTORE="iptables-restore" test -z "$IP6TABLES" && export IP6TABLES="ip6tables" -@@ -395,7 +396,7 @@ m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl +@@ -398,7 +399,7 @@ m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl m4_define([EBTABLES_LIST_RULES], [ dnl ebtables commit 5f508b76a0ce change list output for inversion. m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ @@ -42,5 +42,5 @@ index 4ef61a3147a4..50fb6bfb4541 100644 ]) ]) -- -2.39.1 +2.39.3 diff --git a/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch b/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch index 2b428d1..d142b2d 100644 --- a/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch +++ b/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch @@ -1,4 +1,4 @@ -From fbe4244b3663c3b96c174f6ed8d3d222cc1adcf8 Mon Sep 17 00:00:00 2001 +From 35a4e98cfee37b2883a58ac586f0bdb34810293b Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Mon, 30 Jan 2023 16:42:50 -0500 Subject: [PATCH 3/4] v1.4.0: feat(direct): avoid iptables flush if using @@ -11,15 +11,15 @@ applications can control iptables while firewalld only touches nftables. Fixes: #863 (cherry picked from commit b7faa74db15e2d1ebd9fdfcdc7579874d3a2fa87) --- - src/firewall/core/fw.py | 31 +++++++++++++++++++++++++++---- + src/firewall/core/fw.py | 30 ++++++++++++++++++++++++++---- src/firewall/core/fw_direct.py | 9 +++++++++ - 2 files changed, 36 insertions(+), 4 deletions(-) + 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py -index 3e1bab575769..6710900839f8 100644 +index e9db1c6fede0..f1bc124b9443 100644 --- a/src/firewall/core/fw.py 
+++ b/src/firewall/core/fw.py -@@ -469,7 +469,8 @@ class Firewall(object): +@@ -473,7 +473,8 @@ class Firewall(object): def _start_apply_objects(self, reload=False, complete_reload=False): transaction = FirewallTransaction(self) @@ -29,7 +29,7 @@ index 3e1bab575769..6710900839f8 100644 # If modules need to be unloaded in complete reload or if there are # ipsets to get applied, limit the transaction to flush. -@@ -939,7 +940,26 @@ class Firewall(object): +@@ -943,7 +944,26 @@ class Firewall(object): if use_transaction is None: transaction.execute(True) @@ -57,7 +57,7 @@ index 3e1bab575769..6710900839f8 100644 def flush(self, use_transaction=None): if use_transaction is None: -@@ -949,7 +969,10 @@ class Firewall(object): +@@ -953,7 +973,10 @@ class Firewall(object): log.debug1("Flushing rule set") @@ -69,15 +69,14 @@ index 3e1bab575769..6710900839f8 100644 rules = backend.build_flush_rules() transaction.add_rules(backend, rules) -@@ -1109,7 +1132,7 @@ class Firewall(object): +@@ -1114,7 +1137,6 @@ class Firewall(object): if not _panic: self.set_policy("DROP") - # stop -+ self.flush() + self.flush() self.cleanup() - start_exception = None diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py index 508cfa54f7fa..a4cd8a77e773 100644 --- a/src/firewall/core/fw_direct.py @@ -113,5 +112,5 @@ index 508cfa54f7fa..a4cd8a77e773 100644 transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend]) -- -2.39.1 +2.39.3 diff --git a/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch b/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch index 07ebcd6..11c6b1d 100644 --- a/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch +++ b/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch @@ -1,4 +1,4 @@ -From 5f092d3665463b764b957ef219010e0640babde7 Mon Sep 17 00:00:00 2001 +From 6069c94b5033fc82d8f35f2068a61374559d22de Mon Sep 17 00:00:00 2001 
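Review bot: The rebased hunk at `@@ -1114,7 +1137,6 @@ class Firewall(object):` in 0003 now only removes the `# stop` comment, because `        self.flush()` has moved from the added side to context; that indicates v1.3.4 already calls `flush()` on the stop path and the hunk no longer changes behaviour. If that reading is right, the hunk could be dropped from the backport (the patch diffstat already counts it as 30 lines for fw.py) so the next rebase has one fewer conflict point, provided the remaining `_start_apply_objects` and `flush()` changes still apply on their own. The enclosing method starts and ends outside the hunk.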
From: Eric Garver Date: Mon, 30 Jan 2023 14:43:18 -0500 Subject: [PATCH 4/4] v1.4.0: test(direct): avoid iptables flush if using @@ -13,17 +13,17 @@ Coverage: #863 create mode 100644 src/tests/features/iptables_no_flush_on_shutdown.at diff --git a/src/tests/features/features.at b/src/tests/features/features.at -index 96b098de6e82..59725eb9fdf4 100644 +index 78fe78c483ad..f59baea1cd70 100644 --- a/src/tests/features/features.at +++ b/src/tests/features/features.at -@@ -18,3 +18,4 @@ m4_include([features/rpfilter.at]) - m4_include([features/zone_combine.at]) +@@ -19,3 +19,4 @@ m4_include([features/zone_combine.at]) m4_include([features/startup_failsafe.at]) m4_include([features/ipset.at]) + m4_include([features/reset_defaults.at]) +m4_include([features/iptables_no_flush_on_shutdown.at]) diff --git a/src/tests/features/iptables_no_flush_on_shutdown.at b/src/tests/features/iptables_no_flush_on_shutdown.at new file mode 100644 -index 000000000000..753a8251f732 +index 000000000000..fbd7c793375c --- /dev/null +++ b/src/tests/features/iptables_no_flush_on_shutdown.at @@ -0,0 +1,144 @@ @@ -47,20 +47,20 @@ index 000000000000..753a8251f732 +NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite]) +NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) +IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 +]) +IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all ::/0 ::/0 ++ ACCEPT 0 -- ::/0 ::/0 +]) +EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl + -j ACCEPT +]) +FWD_RELOAD() +IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 +]) +IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all ::/0 ::/0 ++ ACCEPT 0 -- ::/0 ::/0 +]) +EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl + -j ACCEPT 
@@ -69,10 +69,10 @@ index 000000000000..753a8251f732 +dnl no flush on restart (or stop) if no direct rules +FWD_RESTART() +IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 +]) +IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all ::/0 ::/0 ++ ACCEPT 0 -- ::/0 ::/0 +]) +EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl + -j ACCEPT @@ -84,7 +84,7 @@ index 000000000000..753a8251f732 +IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) +EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) +IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl -+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 +]) +NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite]) +NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT]) @@ -95,10 +95,10 @@ index 000000000000..753a8251f732 +NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite]) +NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) +IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 +]) +IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl -+ ACCEPT all ::/0 ::/0 ++ ACCEPT 0 -- ::/0 ::/0 +]) +EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl + -j ACCEPT @@ -127,7 +127,7 @@ index 000000000000..753a8251f732 +FWD_RELOAD() +IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) +IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl -+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 +]) +IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) +IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl @@ -172,5 +172,5 @@ index 000000000000..753a8251f732 + +]) -- -2.39.1 +2.39.3 
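Review bot: The rebased expectations in 0004, such as `+ ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0` and `+ ACCEPT 0 -- ::/0 ::/0`, hard-code one rendering of the iptables listing; the old side expected `ACCEPT all` and no `--` column for ip6tables, so the test's outcome now depends on the exact iptables build in the buildroot, presumably the one that prints the protocol column as `0`. A one-line `dnl` comment at the top of the new test stating which iptables output format these literals correspond to would make the next rebase failure self-explanatory, and the same note applies to the matching hunks at `@@ -84,7 +84,7 @@`, `@@ -95,10 +95,10 @@` and `@@ -127,7 +127,7 @@`. The surrounding test body starts and ends outside the hunk.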
diff --git a/firewalld.spec b/firewalld.spec index af09694..b2b2a55 100644 --- a/firewalld.spec +++ b/firewalld.spec @@ -1,10 +1,10 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld -Version: 1.2.5 +Version: 1.3.4 Release: 1%{?dist} URL: http://www.firewalld.org License: GPLv2+ -Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz +Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2 Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch Patch2: 0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch Patch3: 0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch @@ -230,6 +230,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite %{_mandir}/man1/firewall-config*.1* %changelog +* Thu Oct 26 2023 Eric Garver - 1.3.4-1 +- package rebase to v1.3.4 + * Mon Apr 24 2023 Eric Garver - 1.2.5-1 - package rebase to v1.2.5 - feat(direct): avoid iptables flush if using nftables backend diff --git a/sources b/sources index 3d3f7a7..c52d27e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (firewalld-1.2.5.tar.gz) = 77ab650f63b00facd41c9d2c0e25cb84cac4b35c23695f4a8c6c803a30d6c884a1d5fb8def4ef99926ca1213c39c04cfa4e5a8a76767f49ee49bd7824a709962 +SHA512 (firewalld-1.3.4.tar.bz2) = 01e97fc0fc8f926ef5a6257bafeabda1e74fd4068e047d8a46f730bcc636f5d0f43fb4bbb6d0a2bdf9319184b4420a5b792a82dbc05026ea0bf5218ee1eaa79d
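Review bot: `Source0` now points at the `.tar.bz2` release asset, and the only integrity check visible in this rebase is the new `SHA512 (firewalld-1.3.4.tar.bz2) = ...` line in `sources`, which pins whatever was downloaded at import time rather than anything upstream attests to. If upstream publishes a detached signature for the release tarball, adding it as a second Source and running `%{gpgverify}` in `%prep` would tie the rebase to the upstream signing key; no such verification appears in the visible spec hunks, so this may simply be out of scope for this repo. The `%prep` section is outside the hunk, so whether a verification step already exists there cannot be confirmed from this diff.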