diff --git a/SOURCES/0025-v2.3.0-test-functions-fix-iptables-normalization-for.patch b/SOURCES/0025-v2.3.0-test-functions-fix-iptables-normalization-for.patch new file mode 100644 index 0000000..03fbba1 --- /dev/null +++ b/SOURCES/0025-v2.3.0-test-functions-fix-iptables-normalization-for.patch @@ -0,0 +1,38 @@ +From 1557b7bd45499c738d17a97dbb1713a59faddc1f Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 1 Jul 2024 15:07:27 -0400 +Subject: [PATCH 25/31] v2.3.0: test(functions): fix iptables normalization for + opt field + +The sed expression didn't consume multiple spaces. All of the +normalization nuances are stacking. :( + +@@ -3,5 +3,5 @@ + IN_public_deny 0 -- ::/0 ::/0 + IN_public_allow 0 -- ::/0 ::/0 + IN_public_post 0 -- ::/0 ::/0 +-ACCEPT 58 -- ::/0 ::/0 ++ACCEPT 58 -- -- ::/0 ::/0 + +Fixes: 9a11ab13c109 ("test(functions): ip6tables: normalize opt field output") +(cherry picked from commit e3f44a77be2f64be1beb7441314c37a9d773c063) +--- + src/tests/functions.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index d1c89ed5b982..8b07908c667c 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -423,7 +423,7 @@ m4_define([IPXTABLES_LIST_RULES_NORMALIZE], [dnl + dnl commit 6e41c2d8747b ("iptables: xshared: Output '--' in the opt field + dnl in ipv6's fake mode") added "--" to the output of ip6tables. This regex + dnl adds the "--" for older ip6tables versions. +- -e ['s/^\([-a-zA-Z0-9_]\+\)[ ]\([^ ]*\)[ ][-]\?[-]\?[ ]\?/\1 \2 -- /g'] dnl ++ -e ['s/^\([-a-zA-Z0-9_]\+\)[ ]\+\([^ ]*\)[ ]\+[-]\?[-]\?[ ]\?/\1 \2 -- /g'] dnl + ]) + + m4_define([IPTABLES_LIST_RULES_NORMALIZE], [dnl +-- +2.48.1 + diff --git a/SOURCES/0026-v2.4.0-test-add-scale-keyword-to-scale-tests.patch b/SOURCES/0026-v2.4.0-test-add-scale-keyword-to-scale-tests.patch new file mode 100644 index 0000000..685361e --- /dev/null +++ b/SOURCES/0026-v2.4.0-test-add-scale-keyword-to-scale-tests.patch 
@@ -0,0 +1,46 @@ +From 3a306425ecdc2b6024449404cfffaa1b11234e24 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 21 Nov 2024 09:21:51 -0500 +Subject: [PATCH 26/31] v2.4.0: test: add scale keyword to scale tests + +This allows skipping scale tests or running them separately. + +e.g. skip + + # make check TESTSUITEFLAGS="-j6 -k !scale" + +e.g. run scale tests separately and serially + + # make check TESTSUITEFLAGS="-k scale" + +(cherry picked from commit 106d3df926296163ed8a2aa7f924b4eb55b7b24f) +--- + src/tests/regression/ipset_scale.at | 2 +- + src/tests/regression/rhbz1871298.at | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tests/regression/ipset_scale.at b/src/tests/regression/ipset_scale.at +index 2ceef1a56816..0aef986434f0 100644 +--- a/src/tests/regression/ipset_scale.at ++++ b/src/tests/regression/ipset_scale.at +@@ -1,5 +1,5 @@ + FWD_START_TEST([ipset scale]) +-AT_KEYWORDS(ipset gh738) ++AT_KEYWORDS(ipset gh738 scale) + + dnl Create a huge ipset + AT_CHECK([touch ./entries], 0, [ignore]) +diff --git a/src/tests/regression/rhbz1871298.at b/src/tests/regression/rhbz1871298.at +index 3a40e2a5ae13..e9fcfe69cf88 100644 +--- a/src/tests/regression/rhbz1871298.at ++++ b/src/tests/regression/rhbz1871298.at +@@ -1,5 +1,5 @@ + FWD_START_TEST([rich rule parsing bottleneck]) +-AT_KEYWORDS(rich offline rhbz1871298) ++AT_KEYWORDS(rich offline rhbz1871298 scale) + + AT_SKIP_IF([! NS_CMD([which timeout >/dev/null 2>&1])]) + +-- +2.48.1 + diff --git a/SOURCES/0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch b/SOURCES/0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch new file mode 100644 index 0000000..d3a2fb5 --- /dev/null +++ b/SOURCES/0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch 
@@ -0,0 +1,39 @@ +From b5ed698e4393089a55f0e81d6b687c27affaca1a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Mar 2025 12:04:44 -0500 +Subject: [PATCH 27/31] v2.4.0: fix(systemd): verify firewalld is responsive to + dbus + +`systemctl start firewalld` will return as soon as firewalld claims the +well-known bus name. However, this is too early. Signal handlers, etc. +may not have been setup. To verify firewalld has completed its startup +and entered the GLib mainloop use ExecStartPost to check that it's +responsive to dbus calls. The ExecStartPost will block until its gets a +response or times out (dbus default is 20s). On the firewalld side, the +dbus call is buffered until the GLib mainloop handles it. + +This fixes a race where a `systemctl reload` immediately after a start +could hit a timing window during which the signal handlers have not yet +been setup, thus killing firewalld. + +Fixes: RHEL-77738 +(cherry picked from commit 4ddfe5672e3a51e1c081b410144155553f256e91) +--- + config/firewalld.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/config/firewalld.service.in b/config/firewalld.service.in +index b757a08f28dc..1c6b8f4d78dc 100644 +--- a/config/firewalld.service.in ++++ b/config/firewalld.service.in +@@ -10,6 +10,7 @@ Documentation=man:firewalld(1) + [Service] + EnvironmentFile=-/etc/sysconfig/firewalld + ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS ++ExecStartPost=@bindir@/firewall-cmd --state + ExecReload=/bin/kill -HUP $MAINPID + # supress to log debug and error output also to /var/log/messages + StandardOutput=null +-- +2.48.1 + diff --git a/SOURCES/0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch b/SOURCES/0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch new file mode 100644 index 0000000..2ba724f --- /dev/null +++ b/SOURCES/0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch 
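Review bot: The added `ExecStartPost=@bindir@/firewall-cmd --state` line in config/firewalld.service.in has no comment saying that it gates unit start-up, so the reason for it lives only in the commit message. As far as systemd's documented behaviour goes, any non-zero exit from an ExecStartPost command (including the D-Bus timeout the message mentions) marks the start as failed and stops the service, which for a firewall daemon means filtering may not be in place afterwards. I would put a comment directly above the line, for example `# block "start" until the daemon answers on D-Bus; a non-zero exit here fails the unit`. Patch 0032 later on this page accepts exit code 251 only, so the timeout and not-running paths still fail the start.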
@@ -0,0 +1,25 @@ +From b61048559be0995beee05a5d61958a13f7bf1bb5 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Mar 2025 12:10:46 -0500 +Subject: [PATCH 28/31] v2.4.0: fix(systemd): remove unnecessary comment + +(cherry picked from commit ad6f103e1d656d263116ef0178c08792e32aac84) +--- + config/firewalld.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/config/firewalld.service.in b/config/firewalld.service.in +index 1c6b8f4d78dc..cd7f772b8581 100644 +--- a/config/firewalld.service.in ++++ b/config/firewalld.service.in +@@ -12,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/firewalld + ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS + ExecStartPost=@bindir@/firewall-cmd --state + ExecReload=/bin/kill -HUP $MAINPID +-# supress to log debug and error output also to /var/log/messages + StandardOutput=null + StandardError=null + Type=dbus +-- +2.48.1 + diff --git a/SOURCES/0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch b/SOURCES/0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch new file mode 100644 index 0000000..5dc44c6 --- /dev/null +++ b/SOURCES/0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch 
@@ -0,0 +1,74 @@ +From 6ce8e4cf508d45e5b0d05192eb06dc0768dbbb56 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 7 May 2025 11:31:03 -0400 +Subject: [PATCH 29/31] v2.4.0: test(nftables): table owner: use grep instead + of head + +Using `head -n 2` will cause head to terminate early while the prior +commands in the pipeline still have output. This will trigger SIGPIPE +and in some cases causes messages on stderr. Use grep to consume all the +output. + +Fixes: #1403 +Fixes: e7728b843c2e ("test(nftables): table ownership") + +--->8--- + +./nftables_table_owner.at:1: env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}" ip netns exec fwd-test-${at_group_normalized} nft list table inet firewalld | sed -e 's/^[ \t]*//' -e 's/[ \t]*$//' | sed -e '/^[ \t]*$/d' | sed -e 's/[ \t]\+/ /g' | { printf "%s" "$(cat /dev/stdin)"; echo; } | head -n 2 +--- /dev/null 2025-05-06 18:20:20.014443085 +0000 ++++ /home/runner/work/firewalld/firewalld/src/tests/testsuite.dir/at-groups/228/stderr 2025-05-06 18:31:38.431177759 +0000 +@@ -0,0 +1,2 @@ ++/home/runner/work/firewalld/firewalld/src/tests/testsuite.dir/at-groups/228/test-source: line 409: printf: write error: Broken pipe ++/home/runner/work/firewalld/firewalld/src/tests/testsuite.dir/at-groups/228/test-source: line 409: echo: write error: Broken pipe +228. 
nftables_table_owner.at:1: FAILED (nftables_table_owner.at: + +(cherry picked from commit 31e2584c5ada874639cbd80174c3fd745e392852) +--- + src/tests/features/nftables_table_owner.at | 21 +++++---------------- + 1 file changed, 5 insertions(+), 16 deletions(-) + +diff --git a/src/tests/features/nftables_table_owner.at b/src/tests/features/nftables_table_owner.at +index abc946da0ad7..dd9c3deed2ba 100644 +--- a/src/tests/features/nftables_table_owner.at ++++ b/src/tests/features/nftables_table_owner.at +@@ -7,32 +7,21 @@ FWD_RELOAD() + + AT_SKIP_IF([grep "Configuration has NftablesTableOwner=True, but it's not supported by nftables." ./firewalld.log]) + +-NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl +- table inet firewalld { # progname firewalld +- flags owner,persist +-])]) ++dnl Make sure it's initially working ++dnl ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "flags owner,persist"], 0, [ignore]) + + dnl Test the transitions from On to Off + dnl +- + AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=no/' ./firewalld.conf]) + FWD_RELOAD() +- +-NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl +- table inet firewalld { +- chain mangle_PREROUTING { +-])]) ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "flags owner,persist"], 1) + + dnl Test the transitions from Off to On + dnl +- + AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=yes/' ./firewalld.conf]) + FWD_RELOAD() +- +-NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl +- table inet firewalld { # progname firewalld +- flags owner,persist +-])]) ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "flags owner,persist"], 0, [ignore]) + + FWD_END_TEST() + ]) +-- +2.48.1 + 
diff --git a/SOURCES/0030-v2.4.0-chore-ipset-remove-set_supported_types.patch b/SOURCES/0030-v2.4.0-chore-ipset-remove-set_supported_types.patch new file mode 100644 index 0000000..7c50815 --- /dev/null +++ b/SOURCES/0030-v2.4.0-chore-ipset-remove-set_supported_types.patch 
@@ -0,0 +1,63 @@ +From c1ef9701fa5d33f2116a67f7e20c3c4f525c57f1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 2 May 2025 16:33:14 -0400 +Subject: [PATCH 30/31] v2.4.0: chore(ipset): remove set_supported_types() + +"ipset --help" doesn't actual guarantee that the types are supported in +the kernel. As such, this probe is useless. + +(cherry picked from commit 1e401a7d22d4d00be90330e171929c78ddd9b55b) +--- + src/firewall/core/fw.py | 3 --- + src/firewall/core/ipset.py | 21 --------------------- + 2 files changed, 24 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 557b6e527dbd..92574bc7e650 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -228,9 +228,6 @@ class Firewall(object): + self.ipset_supported_types = [ ] + # ipset is not usable + self.ipset_enabled = False +- else: +- # ipset is usable, get all supported types +- self.ipset_supported_types = self.ipset_backend.set_supported_types() + + self.ip4tables_backend.fill_exists() + if not self.ip4tables_backend.restore_command_exists: +diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py +index d8e0a1ab1e56..a7f0ce17a61b 100644 +--- a/src/firewall/core/ipset.py ++++ b/src/firewall/core/ipset.py +@@ -93,27 +93,6 @@ class ipset(object): + raise FirewallError(errors.INVALID_NAME, + "ipset name '%s' is not valid" % name) + +- def set_supported_types(self): +- """Return types that are supported by the ipset command and kernel""" +- ret = [ ] +- output = "" +- try: +- output = self.__run(["--help"]) +- except ValueError as ex: +- log.debug1("ipset error: %s" % ex) +- lines = output.splitlines() +- +- in_types = False +- for line in lines: +- #print(line) +- if in_types: +- splits = line.strip().split(None, 2) +- if splits[0] not in ret and splits[0] in IPSET_TYPES: +- ret.append(splits[0]) +- if line.startswith("Supported set types:"): +- in_types = True +- return ret +- + def check_type(self, type_name): + """Check ipset type""" + if 
len(type_name) > IPSET_MAXNAMELEN or type_name not in IPSET_TYPES: +-- +2.48.1 + diff --git a/SOURCES/0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch b/SOURCES/0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch new file mode 100644 index 0000000..63e22f6 --- /dev/null +++ b/SOURCES/0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch @@ -0,0 +1,41 @@ +From 6b9c44e3fcc861342cb6624d35eac9d192ce1a2a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 2 May 2025 16:37:27 -0400 +Subject: [PATCH 31/31] v2.4.0: fix(fw): start: remove ipset probe + +This probe is causing kernel modules to be loaded even if the ipset +backend will not be used due to "omit native ipsets". Since the backend +and iptables are deprecated lets just remove the probe and let it fail +at runtime. + +Fixes: RHEL-36234 +(cherry picked from commit ac20628701509165feaacab679c0699db2c7b8b8) +--- + src/firewall/core/fw.py | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 92574bc7e650..877ad028d4e2 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -218,17 +218,6 @@ class Firewall(object): + raise FirewallError(errors.UNKNOWN_ERROR, "No IPv4 and IPv6 firewall.") + + def _start_probe_backends(self): +- try: +- self.ipset_backend.set_list() +- except ValueError: +- if self.nftables_enabled: +- log.info1("ipset not usable, disabling ipset usage in firewall. Other set backends (nftables) remain usable.") +- else: +- log.warning("ipset not usable, disabling ipset usage in firewall.") +- self.ipset_supported_types = [ ] +- # ipset is not usable +- self.ipset_enabled = False +- + self.ip4tables_backend.fill_exists() + if not self.ip4tables_backend.restore_command_exists: + if self.ip4tables_backend.command_exists: +-- +2.48.1 + 
diff --git a/SOURCES/0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch b/SOURCES/0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch new file mode 100644 index 0000000..9126b2f --- /dev/null +++ b/SOURCES/0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch @@ -0,0 +1,31 @@ +From 257dce8a7769d0b4268973065dfe0a77455d1ce6 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 2 Jun 2025 11:27:10 -0400 +Subject: [PATCH] v2.4.0: fix(systemd): allow start code 251 (RUNNING_BUT_FAILED) + +Do not fail to start the service if `firewall-cmd --state` returns this +error code. The daemon is started, but in a recovery mode due to invalid +configuration. + +Fixes: 4ddfe5672e3a ("fix(systemd): verify firewalld is responsive to dbus") +(cherry picked from commit d52815e198f05378a3f34633adfedd29165cc64e) +--- + config/firewalld.service.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/config/firewalld.service.in b/config/firewalld.service.in +index cd7f772b8581..bd8690fd87a6 100644 +--- a/config/firewalld.service.in ++++ b/config/firewalld.service.in +@@ -11,6 +11,8 @@ Documentation=man:firewalld(1) + EnvironmentFile=-/etc/sysconfig/firewalld + ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS + ExecStartPost=@bindir@/firewall-cmd --state ++# don't fail ExecStartPost on RUNNING_BUT_FAILED ++SuccessExitStatus=251 + ExecReload=/bin/kill -HUP $MAINPID + StandardOutput=null + StandardError=null +-- +2.47.1 + diff --git a/SOURCES/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch b/SOURCES/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch new file mode 100644 index 0000000..69f65f6 --- /dev/null +++ b/SOURCES/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch 
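Review bot: `SuccessExitStatus=251` is a unit-wide setting, while the comment added above it describes it as applying to ExecStartPost only. As systemd documents it, the same list is used to judge the exit status of the main `ExecStart` process, so a firewalld daemon that itself exits with 251 would also be recorded as a clean exit. The unit now reports a successful start while the daemon is in recovery mode after invalid configuration, and with `StandardOutput=null` and `StandardError=null` in the same section the state printed by `firewall-cmd --state` is presumably discarded. The intended policy may therefore not be loaded with nothing visible at the unit level. I would widen the comment to say so, for example `# 251 = RUNNING_BUT_FAILED: daemon is up in recovery mode after invalid configuration; unit still reports active, check "firewall-cmd --state"`. Monitoring should then poll that state or the firewalld log rather than rely on the unit status.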
@@ -0,0 +1,42 @@ +From b3c8cbff1bd9867150f804a8f7f67098de515d6b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 3 Jun 2025 16:36:10 -0400 +Subject: [PATCH 33/34] v2.4.0: fix(policy): rich: verify ipset exists + +Fixes: RHEL-67103 +Fixes: RHEL-67331 +(cherry picked from commit bd9b7fe87f337aff29142034282e7156cb678b41) +--- + src/firewall/core/io/policy.py | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py +index f9a1114d7969..de636631d28c 100644 +--- a/src/firewall/core/io/policy.py ++++ b/src/firewall/core/io/policy.py +@@ -479,6 +479,22 @@ def common_check_config(obj, config, item, all_config, all_io_objects): + obj_type, obj.name, obj_rich.element.name + ), + ) ++ elif obj_rich.source and obj_rich.source.ipset: ++ if obj_rich.source.ipset not in all_io_objects["ipsets"]: ++ raise FirewallError( ++ errors.INVALID_IPSET, ++ "{} '{}': '{}' not among existing ipsets".format( ++ obj_type, obj.name, obj_rich.source.ipset ++ ), ++ ) ++ elif obj_rich.destination and obj_rich.destination.ipset: ++ if obj_rich.destination.ipset not in all_io_objects["ipsets"]: ++ raise FirewallError( ++ errors.INVALID_IPSET, ++ "{} '{}': '{}' not among existing ipsets".format( ++ obj_type, obj.name, obj_rich.destination.ipset ++ ), ++ ) + + def common_writer(obj, handler): + # short +-- +2.47.1 + diff --git a/SOURCES/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch b/SOURCES/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch new file mode 100644 index 0000000..153358c --- /dev/null +++ b/SOURCES/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch 
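Review bot: The destination check in common_check_config is an `elif` of the source check, so a rich rule carrying both a source ipset and a destination ipset only has its source ipset validated; a nonexistent destination ipset still passes. Both new branches also hang off an `if`/`elif` chain that starts outside this hunk. Judging by the preceding `obj_rich.element.name` error it looks like the element checks, in which case a rule with a matching element would skip the ipset validation entirely; that needs confirming against the full function. Making the two tests independent statements after that chain closes both gaps: `if obj_rich.source and obj_rich.source.ipset:` and `if obj_rich.destination and obj_rich.destination.ipset:`. The regression test added in 0034 (RHEL-67103.at) only exercises source-only and destination-only rules without an element, so it would not catch either case. A rule such as `source ipset=thisexists destination ipset=doesnotexist` expecting 135 would be a useful addition.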
@@ -0,0 +1,66 @@ +From 7d2e41d3bcbf23765efc01e55d73dda6c0bced78 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 3 Jun 2025 16:20:11 -0400 +Subject: [PATCH 34/34] v2.4.0: test: rich: rule reference invalid ipset + +Coverage: RHEL-67103 +Coverage: RHEL-67331 +(cherry picked from commit d99076a59692af306e4dd6c909351a69e80b082a) +--- + src/tests/regression/RHEL-67103.at | 34 ++++++++++++++++++++++++++++++ + src/tests/regression/regression.at | 1 + + 2 files changed, 35 insertions(+) + create mode 100644 src/tests/regression/RHEL-67103.at + +diff --git a/src/tests/regression/RHEL-67103.at b/src/tests/regression/RHEL-67103.at +new file mode 100644 +index 000000000000..0cca717246bf +--- /dev/null ++++ b/src/tests/regression/RHEL-67103.at +@@ -0,0 +1,34 @@ ++FWD_START_TEST([rich rule invalid ipset]) ++AT_KEYWORDS(rich ipset RHEL-67103 RHEL-67331) ++ ++dnl valid ipset ++FWD_CHECK([--permanent --new-ipset thisexists --type=hash:net], 0, [ignore]) ++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 source ipset=thisexists accept"], 0, [ignore]) ++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 destination ipset=thisexists accept"], 0, [ignore]) ++FWD_RELOAD() ++ ++dnl invalid ipset ++FWD_CHECK([ --add-rich-rule="rule family=ipv4 source ipset=doesnotexist accept"], 135, [ignore], [ignore]) ++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 source ipset=doesnotexist accept"], 135, [ignore], [ignore]) ++FWD_CHECK([ --add-rich-rule="rule family=ipv4 destination ipset=doesnotexist accept"], 135, [ignore], [ignore]) ++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 destination ipset=doesnotexist accept"], 135, [ignore], [ignore]) ++ ++dnl verify checks for manually added XML ++AT_DATA([./zones/broken.xml], [m4_strip([dnl ++ ++ ++ broken ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++])]) ++FWD_RELOAD(135, [ignore], [ignore]) ++ ++FWD_END_TEST([-e '/ERROR: INVALID_IPSET/d']) +diff --git a/src/tests/regression/regression.at 
b/src/tests/regression/regression.at +index e85641932b58..ea1357a91d44 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -57,3 +57,4 @@ m4_include([regression/ipset_scale.at]) + m4_include([regression/gh1129.at]) + m4_include([regression/gh1146.at]) + m4_include([regression/rhbz2222044.at]) ++m4_include([regression/RHEL-67103.at]) +-- +2.47.1 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index 54d28aa..649cc18 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec @@ -1,7 +1,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 1.3.4 -Release: 9%{?dist} +Release: 15%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2 @@ -29,6 +29,16 @@ Patch21: 0021-v2.2.0-test-nftables-table-ownership.patch Patch22: 0022-v2.2.0-chore-service-remove-Conflicts-with-nftables.patch Patch23: 0023-v2.2.0-fix-service-update-highest-port-number-for-ce.patch Patch24: 0024-v2.2.0-feat-service-x-rootd-file-server.patch +Patch25: 0025-v2.3.0-test-functions-fix-iptables-normalization-for.patch +Patch26: 0026-v2.4.0-test-add-scale-keyword-to-scale-tests.patch +Patch27: 0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch +Patch28: 0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch +Patch29: 0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch +Patch30: 0030-v2.4.0-chore-ipset-remove-set_supported_types.patch +Patch31: 0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch +Patch32: 0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch +Patch33: 0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch +Patch34: 0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch BuildArch: noarch BuildRequires: autoconf BuildRequires: automake 
@@ -252,6 +262,24 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite %{_mandir}/man1/firewall-config*.1* %changelog +* Tue Jun 17 2025 Eric Garver - 1.3.4-15 +- fix(policy): rich: verify ipset exists + +* Mon Jun 02 2025 Eric Garver - 1.3.4-14 +- fix(systemd): allow start code 251 (RUNNING_BUT_FAILED) + +* Mon May 19 2025 Eric Garver - 1.3.4-13 +- fix(fw): start: remove ipset probe + +* Mon May 19 2025 Eric Garver - 1.3.4-12 +- fix(systemd): verify firewalld is responsive to dbus + +* Mon May 19 2025 Eric Garver - 1.3.4-11 +- test: add scale keyword to scale tests + +* Mon May 19 2025 Eric Garver - 1.3.4-10 +- test(functions): fix iptables normalization for opt field + * Wed Nov 06 2024 Eric Garver - 1.3.4-9 - feat(service): (x)rootd file server