From eaa47e8f0f62c1811f398d55017b1e17a904018c Mon Sep 17 00:00:00 2001 
From: James Antill Date: Thu, 26 May 2022 07:06:35 -0400 Subject: [PATCH] Auto sync2gitlab import of firewalld-0.9.3-13.el8.src.rpm --- .gitignore | 1 + ...Add-cockpit-by-default-to-some-zones.patch | 94 + ...nly-default-to-AllowZoneDrifting-yes.patch | 80 + ...tting-deprecated-properties-should-b.patch | 85 + ...es-normalize-reject-statement-output.patch | 29 + ...x-normalization-of-reject-statement-.patch | 29 + ...-test-functions-increase-debug-level.patch | 27 + ...tions-format-xml-output-with-xmllint.patch | 27 + ...d-reload-does-not-affect-direct-rule.patch | 43 + ...opy-paste-error-for-FlushAllOnReload.patch | 27 + ...ix-copy-paste-error-for-RFC3964_IPv4.patch | 27 + ...s-direct-add-coverage-for-signatures.patch | 379 ++++ ...-scope-introspection-checks-to-inter.patch | 119 ++ ...cope-introspection-checks-to-interfa.patch | 1017 ++++++++++ ...-test-dbus-policy-introspect-signals.patch | 69 + 0016-test-dbus-zone-introspect-signals.patch | 369 ++++ ...ies-IPv4-and-IPv6-should-be-true-if-.patch | 35 + 0018-test-ipset-add-missing-CHECK_IPSET.patch | 52 + ...king-tables-make-sure-to-check-the-a.patch | 48 + ...ables-use-interval-flag-for-ip-types.patch | 118 ++ ...fy-ipset-netmask-allowed-for-hash-ip.patch | 54 + ...est-offline-always-allow-ipset-tests.patch | 34 + ...order-with-multiple-address-with-s-d.patch | 167 ++ ...fy-rule-order-with-multiple-address-.patch | 86 + ...ipset-fix-hash-net-net-functionality.patch | 31 + ...pset-add-test-to-verify-hash-net-net.patch | 64 + ...ly-consider-NM-connections-with-a-re.patch | 45 + ...nly-consider-NM-connections-with-a-r.patch | 81 + ...hat-IPv6_rpfilter-has-a-performance-.patch | 36 + ...-note-that-IPv6_rpfilter-has-a-perfo.patch | 28 + ...WD_GREP_LOG-allow-checking-error-cod.patch | 28 + ...mprove-checking-firewalld.log-for-er.patch | 41 + ...instead-of-error-for-overlapping-por.patch | 46 + ...-overlapping-ports-don-t-halt-zone-l.patch | 99 + ...d-client-conntrack-helpers-must-use-.patch | 74 + 
...s-do-not-log-icmp-block-if-inversion.patch | 29 + ...-don-t-log-blocked-if-ICMP-inversion.patch | 135 ++ ...les-rich-source-address-with-netmask.patch | 38 + ...est-rich-source-address-with-netmask.patch | 56 + 0042-test-zone-source-with-netmask.patch | 26 + ...onfig-zone-on-rename-remove-then-add.patch | 43 + ...ns-check_config-against-on-disk-conf.patch | 98 + ...etect-same-source-interface-in-zones.patch | 46 + ...etect-same-source-interface-in-zones.patch | 88 + ...CleanupModulesOnExit-configuration-o.patch | 302 +++ ...-default-to-CleanupModulesOnExit-yes.patch | 95 + EMPTY | 1 - firewalld.spec | 1721 +++++++++++++++++ sources | 1 + ...0003-feat-service-add-galera-service.patch | 55 + ...t-normalize-entries-in-CIDR-notation.patch | 242 +++ ...x-ipset-disallow-overlapping-entries.patch | 157 ++ ...duce-cost-of-entry-overlap-detection.patch | 140 ++ ...-ipset-huge-set-of-entries-benchmark.patch | 56 + ...r-reduce-cost-of-entry-overlap-detec.patch | 150 ++ 55 files changed, 7067 insertions(+), 1 deletion(-) create mode 100644 .gitignore create mode 100644 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch create mode 100644 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch create mode 100644 0004-fix-dbus-conf-setting-deprecated-properties-should-b.patch create mode 100644 0005-test-nftables-normalize-reject-statement-output.patch create mode 100644 0006-test-nftables-fix-normalization-of-reject-statement-.patch create mode 100644 0007-test-functions-increase-debug-level.patch create mode 100644 0008-test-functions-format-xml-output-with-xmllint.patch create mode 100644 0009-docs-firewall-cmd-reload-does-not-affect-direct-rule.patch create mode 100644 0010-docs-dbus-fix-copy-paste-error-for-FlushAllOnReload.patch create mode 100644 0011-docs-dbus-fix-copy-paste-error-for-RFC3964_IPv4.patch create mode 100644 0012-test-dbus-direct-add-coverage-for-signatures.patch create mode 100644 0013-test-dbus-policy-scope-introspection-checks-to-inter.patch 
create mode 100644 0014-test-dbus-zone-scope-introspection-checks-to-interfa.patch create mode 100644 0015-test-dbus-policy-introspect-signals.patch create mode 100644 0016-test-dbus-zone-introspect-signals.patch create mode 100644 0017-fix-dbus-properties-IPv4-and-IPv6-should-be-true-if-.patch create mode 100644 0018-test-ipset-add-missing-CHECK_IPSET.patch create mode 100644 0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch create mode 100644 0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch create mode 100644 0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch create mode 100644 0022-test-offline-always-allow-ipset-tests.patch create mode 100644 0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch create mode 100644 0024-test-direct-verify-rule-order-with-multiple-address-.patch create mode 100644 0025-fix-ipset-fix-hash-net-net-functionality.patch create mode 100644 0026-test-ipset-add-test-to-verify-hash-net-net.patch create mode 100644 0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch create mode 100644 0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch create mode 100644 0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch create mode 100644 0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch create mode 100644 0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch create mode 100644 0032-test-functions-improve-checking-firewalld.log-for-er.patch create mode 100644 0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch create mode 100644 0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch create mode 100644 0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch create mode 100644 0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch create mode 100644 0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch create mode 100644 0040-fix-nftables-rich-source-address-with-netmask.patch create mode 100644 
0041-test-rich-source-address-with-netmask.patch
create mode 100644 0042-test-zone-source-with-netmask.patch
create mode 100644 0043-fix-fw_config-zone-on-rename-remove-then-add.patch
create mode 100644 0044-fix-io-functions-check_config-against-on-disk-conf.patch
create mode 100644 0045-fix-zone-detect-same-source-interface-in-zones.patch
create mode 100644 0046-test-zone-detect-same-source-interface-in-zones.patch
create mode 100644 0047-feat-config-add-CleanupModulesOnExit-configuration-o.patch
create mode 100644 0048-RHEL-only-default-to-CleanupModulesOnExit-yes.patch
delete mode 100644 EMPTY
create mode 100644 firewalld.spec
create mode 100644 sources
create mode 100644 v1.0.0-0003-feat-service-add-galera-service.patch
create mode 100644 v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch
create mode 100644 v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch
create mode 100644 v1.0.0-0049-fix-ipset-reduce-cost-of-entry-overlap-detection.patch
create mode 100644 v1.0.0-0050-test-ipset-huge-set-of-entries-benchmark.patch
create mode 100644 v1.0.0-0051-fix-ipset-further-reduce-cost-of-entry-overlap-detec.patch
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bdc7c12
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/firewalld-0.9.3.tar.gz
diff --git a/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch b/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
new file mode 100644
index 0000000..4903181
--- /dev/null
+++ b/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
@@ -0,0 +1,94 @@ +From 87ecae78c07da6db1faa18504b06345ab3ba51a0 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 9 Jul 2018 11:29:33 -0400 +Subject: [PATCH 01/22] RHEL only: Add cockpit by default to some zones + +Fixes: #1581578 +--- + config/zones/home.xml | 1 + + config/zones/internal.xml | 1 + + config/zones/public.xml | 1 + + config/zones/work.xml | 1 + + src/tests/functions.at | 19 +++++++++++++++++++ + 5 files changed, 23 insertions(+) + +diff --git a/config/zones/home.xml b/config/zones/home.xml +index 42b29b2f2d50..8aa8afa0e8aa 100644 +--- a/config/zones/home.xml ++++ b/config/zones/home.xml +@@ -6,4 +6,5 @@ + + + ++ + +diff --git a/config/zones/internal.xml b/config/zones/internal.xml +index e646b48c94e8..40cb7e14424b 100644 +--- a/config/zones/internal.xml ++++ b/config/zones/internal.xml +@@ -6,4 +6,5 @@ + + + ++ + +diff --git a/config/zones/public.xml b/config/zones/public.xml +index 49795d8c9068..617e131a4895 100644 +--- a/config/zones/public.xml ++++ b/config/zones/public.xml +@@ -4,4 +4,5 @@ + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + ++ + +diff --git a/config/zones/work.xml b/config/zones/work.xml +index 6ea5550a40bd..9609ee6f65c2 100644 +--- a/config/zones/work.xml ++++ b/config/zones/work.xml +@@ -4,4 +4,5 @@ + For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + ++ + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 582fdcc19314..6b1263b178dc 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -105,6 +105,13 @@ m4_define([FWD_START_TEST], [ + + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [ + AT_KEYWORDS(offline) ++ dnl cockpit is added by default downstream, but upstream tests don't expect ++ dnl it. Simply remove it at the start of every test. 
++ dnl ++ FWD_OFFLINE_CHECK([--zone home --remove-service-from-zone cockpit], 0, [ignore]) ++ FWD_OFFLINE_CHECK([--zone internal --remove-service-from-zone cockpit], 0, [ignore]) ++ FWD_OFFLINE_CHECK([--zone public --remove-service-from-zone cockpit], 0, [ignore]) ++ FWD_OFFLINE_CHECK([--zone work --remove-service-from-zone cockpit], 0, [ignore]) + ], [ + m4_define_default([FIREWALL_BACKEND], [nftables]) + +@@ -226,6 +233,18 @@ m4_define([FWD_START_TEST], [ + ]) + + FWD_START_FIREWALLD ++ ++ dnl cockpit is added by default downstream, but upstream tests don't expect ++ dnl it. Simply remove it at the start of every test. ++ dnl ++ FWD_CHECK([--permanent --zone home --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone home --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([--permanent --zone internal --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone internal --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([--permanent --zone public --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone public --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([--permanent --zone work --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone work --remove-service cockpit], 0, [ignore]) + ]) + ]) + +-- +2.27.0 + diff --git a/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch b/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..9cf03b7 --- /dev/null +++ b/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch 
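Review bot: The four `++` lines added under `config/zones/home.xml`, `internal.xml`, `public.xml` and `work.xml` carry no element text in this rendering, so what is actually inserted into each zone can only be inferred from the subject line and should be confirmed against the real patch file before it is applied, particularly for `public`, whose description in the same hunk still promises that "Only selected incoming connections are accepted". The test-harness half of the hunk removes cockpit from all four zones at the start of every test (`FWD_OFFLINE_CHECK` and the permanent/runtime `FWD_CHECK` pairs), which keeps upstream expectations intact but also means no test asserts that the downstream default is present at all; one positive check such as `FWD_CHECK([--permanent --zone public --query-service cockpit], 0, [ignore])` run before the removals would cover the behaviour this patch exists to add. A short XML comment next to the new element, e.g. `<!-- RHEL only: cockpit enabled by default, see #1581578 -->`, would also let someone diffing the zone files against upstream see why they differ.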
@@ -0,0 +1,80 @@ +From bccc66877af7baa95e70c4314e3016ac78c4bbc7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Feb 2020 09:12:17 -0500 +Subject: [PATCH 02/22] RHEL only: default to AllowZoneDrifting=yes + +--- + config/firewalld.conf | 4 ++-- + doc/xml/firewalld.conf.xml | 2 +- + doc/xml/firewalld.dbus.xml | 2 +- + src/firewall/config/__init__.py.in | 2 +- + src/tests/functions.at | 5 +++++ + 5 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index 532f0452212e..f791b2358ab8 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -71,5 +71,5 @@ RFC3964_IPv4=yes + # Note: If "yes" packets will only drift from source based zones to interface + # based zones (including the default zone). Packets never drift from interface + # based zones to other interfaces based zones (including the default zone). +-# Possible values; "yes", "no". Defaults to "no". +-AllowZoneDrifting=no ++# Possible values; "yes", "no". Defaults to "yes". ++AllowZoneDrifting=yes +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index fcfbfd2b68c1..c21ef87813bc 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -197,7 +197,7 @@ + to interface based zones (including the default zone). Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". + + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index b75067e12c51..d68c775ee5bf 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2787,7 +2787,7 @@ + to interface based zones (including the default zone). Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". 
+ + + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index e875e849dec1..0dec7913f694 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -133,4 +133,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no" + FALLBACK_FIREWALL_BACKEND = "nftables" + FALLBACK_FLUSH_ALL_ON_RELOAD = True + FALLBACK_RFC3964_IPV4 = True +-FALLBACK_ALLOW_ZONE_DRIFTING = False ++FALLBACK_ALLOW_ZONE_DRIFTING = True +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 6b1263b178dc..7ac28d514233 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -123,6 +123,11 @@ m4_define([FWD_START_TEST], [ + dnl set the appropriate backend + AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf]) + ++ dnl Expected test results assume this is set to "no", but downstream ++ dnl RHEL overrides it to "yes". Override it back to "no" so we don't ++ dnl have to fix up all the tests when bringing them from upstream. ++ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++ + dnl fib matching is pretty new in nftables. Don't use rpfilter on older + dnl kernels. + m4_if(nftables, FIREWALL_BACKEND, [ +-- +2.27.0 + diff --git a/0004-fix-dbus-conf-setting-deprecated-properties-should-b.patch b/0004-fix-dbus-conf-setting-deprecated-properties-should-b.patch new file mode 100644 index 0000000..1e1ae7c --- /dev/null +++ b/0004-fix-dbus-conf-setting-deprecated-properties-should-b.patch 
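Review bot: The reworded comment in `config/firewalld.conf` and the two XML docs now read `Defaults to "yes"` with no indication that this is a downstream default, so an administrator who compares the shipped file with upstream documentation (which the removed lines show defaulting to "no") cannot tell which behaviour their package has; the conf comment itself states that "yes" lets packets drift from source based zones to interface based zones, i.e. it is the more permissive of the two settings, which makes the provenance worth stating. Suggested wording for the conf line: `# Possible values; "yes", "no". Defaults to "yes" (RHEL default; upstream defaults to "no").`, with a matching sentence in `firewalld.conf.xml` and `firewalld.dbus.xml`. As in the cockpit patch, the `functions.at` hunk overrides the value back to `no` for every test, so nothing exercises the shipped `FALLBACK_ALLOW_ZONE_DRIFTING = True` path; a single test that reads the installed `firewalld.conf` and expects `AllowZoneDrifting=yes` would close that gap.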
@@ -0,0 +1,85 @@ +From 9c26e2d1eb45c5afc0e6430d2736aeefe9f07cf1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 25 Jan 2021 11:29:48 -0500 +Subject: [PATCH 04/22] fix(dbus): conf: setting deprecated properties should + be ignored + +They weren't being written to the config file, but the runtime dbus +values were being changed. + +(cherry picked from commit 9001e0cfc18fdcf8526d774fad396414d223c70a) +(cherry picked from commit e8451a455461b5cf177ea8a9aaab7a5e5100991b) +--- + src/firewall/server/config.py | 23 +++++------------------ + src/tests/dbus/firewalld.conf.at | 4 ++-- + 2 files changed, 7 insertions(+), 20 deletions(-) + +diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py +index 1f832a459915..031ef5d1afaa 100644 +--- a/src/firewall/server/config.py ++++ b/src/firewall/server/config.py +@@ -706,22 +706,11 @@ class FirewallDConfig(slip.dbus.service.Object): + self.accessCheck(sender) + + if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: +- if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", ++ if property_name in [ "CleanupOnExit", "Lockdown", + "IPv6_rpfilter", "IndividualCalls", +- "LogDenied", "AutomaticHelpers", ++ "LogDenied", + "FirewallBackend", "FlushAllOnReload", + "RFC3964_IPv4", "AllowZoneDrifting" ]: +- if property_name == "MinimalMark": +- try: +- int(new_value) +- except ValueError: +- raise FirewallError(errors.INVALID_MARK, new_value) +- try: +- new_value = str(new_value) +- except: +- raise FirewallError(errors.INVALID_VALUE, +- "'%s' for %s" % \ +- (new_value, property_name)) + if property_name in [ "CleanupOnExit", "Lockdown", + "IPv6_rpfilter", "IndividualCalls" ]: + if new_value.lower() not in [ "yes", "no", +@@ -734,11 +723,6 @@ class FirewallDConfig(slip.dbus.service.Object): + raise FirewallError(errors.INVALID_VALUE, + "'%s' for %s" % \ + (new_value, property_name)) +- if property_name == "AutomaticHelpers": +- if new_value not in config.AUTOMATIC_HELPERS_VALUES: +- raise 
FirewallError(errors.INVALID_VALUE, +- "'%s' for %s" % \ +- (new_value, property_name)) + if property_name == "FirewallBackend": + if new_value not in config.FIREWALL_BACKEND_VALUES: + raise FirewallError(errors.INVALID_VALUE, +@@ -764,6 +748,9 @@ class FirewallDConfig(slip.dbus.service.Object): + self.config.get_firewalld_conf().write() + self.PropertiesChanged(interface_name, + { property_name: new_value }, [ ]) ++ elif property_name in ["MinimalMark", "AutomaticHelpers"]: ++ # deprecated fields. Ignore setting them. ++ pass + else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index cc15318c78dc..9fc5502a8d0b 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -37,8 +37,8 @@ $3 + ]) + + dnl Test individual Set/Get +-_helper([MinimalMark], [int32:1234], [variant int32 1234]) +-_helper([AutomaticHelpers], [string:"no"], [variant string "no"]) ++_helper([MinimalMark], [int32:1234], [variant int32 100]) ++_helper([AutomaticHelpers], [string:"yes"], [variant string "no"]) + _helper([Lockdown], [string:"yes"], [variant string "yes"]) + _helper([LogDenied], [string:"all"], [variant string "all"]) + _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"]) +-- +2.27.0 + diff --git a/0005-test-nftables-normalize-reject-statement-output.patch b/0005-test-nftables-normalize-reject-statement-output.patch new file mode 100644 index 0000000..25a6e7c --- /dev/null +++ b/0005-test-nftables-normalize-reject-statement-output.patch 
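Review bot: The new `elif property_name in ["MinimalMark", "AutomaticHelpers"]: pass` branch makes a D-Bus `Set` on these properties return success while leaving the value untouched and emitting no `PropertiesChanged`, which the updated test documents (`string:"yes"` in, `variant string "no"` back out); a client that sets `AutomaticHelpers=yes` therefore gets no signal that its request was dropped. Dropping the write is the right outcome for deprecated fields, but the silent path deserves a diagnostic so the discrepancy can be traced from the daemon log, e.g. replacing `pass` with `log.warning("Ignoring deprecated property '%s'", property_name)` if `log` from `firewall.core.logger` is imported in this module as it is elsewhere in the server. Failing that, the comment should state the contract explicitly: `# deprecated fields. Ignore setting them: Set succeeds, the stored value is unchanged and no PropertiesChanged is emitted.` The enclosing property handler of `FirewallDConfig` starts and ends outside the hunk.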
@@ -0,0 +1,29 @@ +From 41aee42de0f55e45b55f94a66d31731697e5fc73 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 3 Feb 2021 14:37:44 -0500 +Subject: [PATCH 05/22] test(nftables): normalize reject statement output + +The output became more verbose in nftables commit 7ca3368cd757 ("reject: +Unify inet, netdev and bridge delinearization"). + +(cherry picked from commit 00835e746cf48c73e386d3ad24af7e8fcf3c73ed) +(cherry picked from commit a47186bda1a308a34b5e114a634ae6450d17205b) +--- + src/tests/functions.at | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 7ac28d514233..4c8a4603f287 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -419,6 +419,7 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl + -e '/type.*hook.*priority.*policy.*/d'dnl + dnl tranform ct state { established,related } to ct state established,related + -e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl ++ -e 's/reject with icmp[[x6]]\? type port-unreachable/reject/' dnl + ]) + + m4_define([NFT_LIST_RULES_ALWAYS], [ +-- +2.27.0 + diff --git a/0006-test-nftables-fix-normalization-of-reject-statement-.patch b/0006-test-nftables-fix-normalization-of-reject-statement-.patch new file mode 100644 index 0000000..6fdb76f --- /dev/null +++ b/0006-test-nftables-fix-normalization-of-reject-statement-.patch 
@@ -0,0 +1,29 @@ +From f29791c69afc760c2356c9d72d4c1d7333e7b814 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 3 Feb 2021 17:02:42 -0500 +Subject: [PATCH 06/22] test(nftables): fix normalization of reject statement + output for icmpv6 + +Fixes: 00835e746cf4 ("test(nftables): normalize reject statement output") +(cherry picked from commit 3a3b4676ccb7b40cf304b773456dec2662783425) +(cherry picked from commit 3bfef89745cfb2c4d90d721c377a409de9c60611) +--- + src/tests/functions.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 4c8a4603f287..562bc6105a8f 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -419,7 +419,7 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl + -e '/type.*hook.*priority.*policy.*/d'dnl + dnl tranform ct state { established,related } to ct state established,related + -e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl +- -e 's/reject with icmp[[x6]]\? type port-unreachable/reject/' dnl ++ -e 's/reject with icmp\(x\|v6\)\? type port-unreachable/reject/' dnl + ]) + + m4_define([NFT_LIST_RULES_ALWAYS], [ +-- +2.27.0 + diff --git a/0007-test-functions-increase-debug-level.patch b/0007-test-functions-increase-debug-level.patch new file mode 100644 index 0000000..5bc8a57 --- /dev/null +++ b/0007-test-functions-increase-debug-level.patch 
@@ -0,0 +1,27 @@
+From 9f1e32fd5dea726904ba3fc9373269d15b70dd7d Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 5 Feb 2021 12:34:01 -0500
+Subject: [PATCH 07/22] test(functions): increase debug level
+
+(cherry picked from commit 39b7ad4a5568bb65cc46db4b70eb133e8625974f)
+(cherry picked from commit f78cc99a67a4b4ef3660703fd2e43db00634b6ca)
+---
+ src/tests/functions.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 562bc6105a8f..631beee6e2d8 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -11,7 +11,7 @@ m4_define([FWD_STOP_FIREWALLD], [
+ m4_define([FWD_START_FIREWALLD], [
+ FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --system-config ./"
+ dnl if testsuite ran with debug flag, add debug output
+- ${at_debug_p} && FIREWALLD_ARGS="--debug=3 ${FIREWALLD_ARGS}"
++ ${at_debug_p} && FIREWALLD_ARGS="--debug=10 ${FIREWALLD_ARGS}"
+ if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
+ FIREWALLD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
+ fi
+--
+2.27.0
+
diff --git a/0008-test-functions-format-xml-output-with-xmllint.patch b/0008-test-functions-format-xml-output-with-xmllint.patch
new file mode 100644
index 0000000..43fb4dd
--- /dev/null
+++ b/0008-test-functions-format-xml-output-with-xmllint.patch
@@ -0,0 +1,27 @@ +From a9e05358d0070d4326be0df882f4d480822f4f06 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 5 Feb 2021 14:50:03 -0500 +Subject: [PATCH 08/22] test(functions): format xml output with xmllint + +(cherry picked from commit 53684e4b3b458b91fe7a71e7c3f8aa3363e5d108) +(cherry picked from commit c509b9a4c0749087e462bbb62a9808a43a74b3d9) +--- + src/tests/functions.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 631beee6e2d8..8632f49e442f 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -471,7 +471,7 @@ m4_define([DBUS_INTROSPECT], [ + NS_CHECK([PIPESTATUS0([gdbus introspect --xml --system --dest=org.fedoraproject.FirewallD1 dnl + m4_ifblank([$1], [--object-path /org/fedoraproject/FirewallD1], + [--object-path /org/fedoraproject/FirewallD1/$1])], dnl +- [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) xmllint --c14n - | TRIM_WHITESPACE])], ++ [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) xmllint --format - | xmllint --c14n - | TRIM_WHITESPACE])], + [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7]) + ]) + +-- +2.27.0 + diff --git a/0009-docs-firewall-cmd-reload-does-not-affect-direct-rule.patch b/0009-docs-firewall-cmd-reload-does-not-affect-direct-rule.patch new file mode 100644 index 0000000..c940cda --- /dev/null +++ b/0009-docs-firewall-cmd-reload-does-not-affect-direct-rule.patch 
@@ -0,0 +1,43 @@ +From 3f5c45753a172bd1c713b318cd530c667a7f41b1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 23 Dec 2020 09:22:30 -0500 +Subject: [PATCH 09/22] docs(firewall-cmd): reload does not affect direct rules + if FlushAllOnReload=no + +(cherry picked from commit b682ba874ef879797d681fb018ce3c7b9c57efdb) +(cherry picked from commit ab4ce6fb13607dba4f8a0e771455ad34d3adb77a) +--- + doc/xml/firewall-cmd.xml.in | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 3369c2d3f942..691117f3dbff 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -133,9 +133,9 @@ + if they have not been also in permanent configuration. + + +- Note: Runtime changes applied via the direct interface are not ++ Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not + affected and will therefore stay in place until firewalld daemon +- is restarted completely. ++ is restarted completely. For FlushAllOnReload, see firewalld.conf5. + + + +@@ -147,9 +147,9 @@ + Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules. + + +- Note: Runtime changes applied via the direct interface are not ++ Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not + affected and will therefore stay in place until firewalld daemon +- is restarted completely. ++ is restarted completely. For FlushAllOnReload, see firewalld.conf5. + + + +-- +2.27.0 + diff --git a/0010-docs-dbus-fix-copy-paste-error-for-FlushAllOnReload.patch b/0010-docs-dbus-fix-copy-paste-error-for-FlushAllOnReload.patch new file mode 100644 index 0000000..7f6bc53 --- /dev/null 
+++ b/0010-docs-dbus-fix-copy-paste-error-for-FlushAllOnReload.patch @@ -0,0 +1,27 @@ +From 1e633c4f475e5cc43aca2d2f381abac85718ae22 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 23 Dec 2020 09:54:57 -0500 +Subject: [PATCH 10/22] docs(dbus): fix copy/paste error for FlushAllOnReload + +(cherry picked from commit 63b1f5cfa73071153f732947dcf9ea3064d64970) +(cherry picked from commit e74da4714ca9a64d8891f8fc340a0cab0087d609) +--- + doc/xml/firewalld.dbus.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index d68c775ee5bf..57560e93da67 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2825,7 +2825,7 @@ + + + +- FirewallBackend - s - (rw) ++ FlushAllOnReload - s - (rw) + + + Flush all runtime rules on a reload. Valid options are; yes, no. +-- +2.27.0 + diff --git a/0011-docs-dbus-fix-copy-paste-error-for-RFC3964_IPv4.patch b/0011-docs-dbus-fix-copy-paste-error-for-RFC3964_IPv4.patch new file mode 100644 index 0000000..91eb70f --- /dev/null +++ b/0011-docs-dbus-fix-copy-paste-error-for-RFC3964_IPv4.patch @@ -0,0 +1,27 @@ +From c22d8092863d323eb795cf6f9a27bb70a0743fd0 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 23 Dec 2020 09:55:22 -0500 +Subject: [PATCH 11/22] docs(dbus): fix copy/paste error for RFC3964_IPv4 + +(cherry picked from commit b530915ec8e8f035d363d9dedf226bb20259d0e4) +(cherry picked from commit 35f4ca803cd8042b4541ca0e9f8b2449c3a7c1b4) +--- + doc/xml/firewalld.dbus.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 57560e93da67..d17cb8b6c1ec 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2867,7 +2867,7 @@ + + + +- FirewallBackend - s - (rw) ++ RFC3964_IPv4 - s - (rw) + + + As per RFC 3964, filter IPv6 traffic with 6to4 destination +-- +2.27.0 + 
diff --git a/0012-test-dbus-direct-add-coverage-for-signatures.patch b/0012-test-dbus-direct-add-coverage-for-signatures.patch new file mode 100644 index 0000000..d7bbd87 --- /dev/null +++ b/0012-test-dbus-direct-add-coverage-for-signatures.patch 
@@ -0,0 +1,379 @@ +From e0bc051a52bccdbd17ada7ab974b1c32d25ac7c1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 8 Feb 2021 14:53:38 -0500 +Subject: [PATCH 12/22] test(dbus): direct: add coverage for signatures + +(cherry picked from commit 4673e0e55353c3f0243035f47d7c2832db9928e4) +(cherry picked from commit 1b1b27ec0c19046ef041d465e44c81ad0f675fc9) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/direct.at | 348 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 349 insertions(+) + create mode 100644 src/tests/dbus/direct.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index 5f7b6cbdc108..a9707f825041 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -9,3 +9,4 @@ m4_include([dbus/policy_permanent_signatures.at]) + m4_include([dbus/policy_runtime_signatures.at]) + m4_include([dbus/policy_permanent_functional.at]) + m4_include([dbus/policy_runtime_functional.at]) ++m4_include([dbus/direct.at]) +diff --git a/src/tests/dbus/direct.at b/src/tests/dbus/direct.at +new file mode 100644 +index 000000000000..fe92db6bb510 +--- /dev/null ++++ b/src/tests/dbus/direct.at +@@ -0,0 +1,348 @@ ++FWD_START_TEST([dbus api - direct signatures]) ++AT_KEYWORDS(dbus direct) ++ ++dnl ############################### ++dnl ########## runtime ############ ++dnl ############################### ++ ++DBUS_INTROSPECT([], [[//method[@name="addChain"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="addPassthrough"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="addRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="getAllChains"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="getAllPassthroughs"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="getAllRules"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="getChains"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], 
[[//method[@name="getPassthroughs"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="getRules"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="passthrough"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="queryChain"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="queryPassthrough"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="queryRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="removeAllPassthroughs"]]], 0, [dnl ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="removeChain"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="removePassthrough"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="removeRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//method[@name="removeRules"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//signal[@name="ChainAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//signal[@name="ChainRemoved"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//signal[@name="PassthroughAdded"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//signal[@name="PassthroughRemoved"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//signal[@name="RuleAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([], [[//signal[@name="RuleRemoved"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++dnl ############################### ++dnl ######### permanent ########### ++dnl ############################### ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getSettings"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="update"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], 
[[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addChain"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addPassthrough"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllChains"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllPassthroughs"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllRules"]]], 0, [dnl ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getChains"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getPassthroughs"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getRules"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryChain"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryPassthrough"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeChain"]]], 0, [dnl ++ ++ 
++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removePassthrough"]]], 0, [dnl ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeRule"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeRules"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) ++ ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//signal[@name="Updated"]]], 0, [dnl ++ ++ ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/0013-test-dbus-policy-scope-introspection-checks-to-inter.patch b/0013-test-dbus-policy-scope-introspection-checks-to-inter.patch new file mode 100644 index 0000000..5ad6ad5 --- /dev/null +++ b/0013-test-dbus-policy-scope-introspection-checks-to-inter.patch 
@@ -0,0 +1,119 @@ +From 25e0354c7a582df802a54d1dd5bd22462e50f5b3 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 9 Feb 2021 12:19:53 -0500 +Subject: [PATCH 13/22] test(dbus): policy: scope introspection checks to + interface + +(cherry picked from commit 76c7ef5140de4e578e7409113c26e6c223b8ed60) +(cherry picked from commit 2236a03c212ac9abb173a5d5a5ba68a4f75e7989) +--- + src/tests/dbus/policy_permanent_signatures.at | 18 +++++++++--------- + src/tests/dbus/policy_runtime_signatures.at | 8 ++++---- + 2 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/src/tests/dbus/policy_permanent_signatures.at b/src/tests/dbus/policy_permanent_signatures.at +index d9dc38179840..7363b7715947 100644 +--- a/src/tests/dbus/policy_permanent_signatures.at ++++ b/src/tests/dbus/policy_permanent_signatures.at +@@ -5,23 +5,23 @@ dnl #################### + dnl Global APIs + dnl #################### + +-DBUS_INTROSPECT([config], [[//method[@name="listPolicies"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="listPolicies"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config], [[//method[@name="getPolicyNames"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getPolicyNames"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config], [[//method[@name="getPolicyByName"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getPolicyByName"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([config], [[//method[@name="addPolicy"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="addPolicy"]]], 0, [dnl + + + +@@ -37,30 +37,30 @@ DBUS_CHECK([config], [config.getPolicyByName], ["allow-host-ipv6"], 0, [stdout]) + DBUS_POLICY_OBJ=[$(sed -e "s/.*config\/policy\/\([^']\+\)['].*/\1/" ./stdout)] + export DBUS_POLICY_OBJ + 
+-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="getSettings"]]], 0, [dnl + + + + ]) + +-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="update"]]], 0, [dnl ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="update"]]], 0, [dnl + + + + ]) + +-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="remove"]]], 0, [dnl ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="remove"]]], 0, [dnl + + + ]) + +-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="rename"]]], 0, [dnl ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="rename"]]], 0, [dnl + + + + ]) + +-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="loadDefaults"]]], 0, [dnl + + + ]) +diff --git a/src/tests/dbus/policy_runtime_signatures.at b/src/tests/dbus/policy_runtime_signatures.at +index 2f0c5e75496b..c651ae981adf 100644 +--- a/src/tests/dbus/policy_runtime_signatures.at ++++ b/src/tests/dbus/policy_runtime_signatures.at +@@ -3,13 +3,13 @@ AT_KEYWORDS(dbus policy) + + dnl Settings + dnl +-DBUS_INTROSPECT([], [[//method[@name="getPolicySettings"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicySettings"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="setPolicySettings"]]], 0, [dnl ++DBUS_INTROSPECT([], 
[[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="setPolicySettings"]]], 0, [dnl + + + +@@ -17,12 +17,12 @@ DBUS_INTROSPECT([], [[//method[@name="setPolicySettings"]]], 0, [dnl + ]) + + dnl Fetching Policies +-DBUS_INTROSPECT([], [[//method[@name="getPolicies"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicies"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getActivePolicies"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getActivePolicies"]]], 0, [dnl + + + +-- +2.27.0 + diff --git a/0014-test-dbus-zone-scope-introspection-checks-to-interfa.patch b/0014-test-dbus-zone-scope-introspection-checks-to-interfa.patch new file mode 100644 index 0000000..f1ecd83 --- /dev/null +++ b/0014-test-dbus-zone-scope-introspection-checks-to-interfa.patch 
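Review bot: The scoped XPath expressions added throughout policy_permanent_signatures.at and policy_runtime_signatures.at still use the descendant axis after the interface predicate (`//interface[@name="…"]//method[@name="…"]`), so a same-named method under any node nested beneath that interface would still satisfy the check; in D-Bus introspection XML `method` is a direct child of `interface`, so `/method[@name="…"]` would pin each signature more tightly. Nothing in either file records why the lookups are now interface-scoped, and a future edit could easily fall back to the bare `//method` form; a one-line `dnl` comment at the top of each file, e.g. `dnl Method names such as getSettings/update/remove/rename recur across the FirewallD1.config.* interfaces, so every lookup is scoped to its interface`, would preserve the intent. The enclosing test bodies (`FWD_START_TEST` … `FWD_END_TEST`) extend outside the inner hunks, so only the changed `DBUS_INTROSPECT` calls are visible here.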
@@ -0,0 +1,1017 @@ +From 8a2baab5205793c5e1ad14ec5a49c16c9fab310a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 9 Feb 2021 13:29:02 -0500 +Subject: [PATCH 14/22] test(dbus): zone: scope introspection checks to + interface + +(cherry picked from commit ed6a3cc4f64eb4e778c1a7d336d36dc1ab4f6556) +(cherry picked from commit c2194e87337ebf71d52fffb3761ae4f7bb916e9a) +--- + src/tests/dbus/zone_permanent_signatures.at | 154 ++++++++++---------- + src/tests/dbus/zone_runtime_signatures.at | 110 +++++++------- + 2 files changed, 132 insertions(+), 132 deletions(-) + +diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at +index bea47aab16ac..31b27925495a 100644 +--- a/src/tests/dbus/zone_permanent_signatures.at ++++ b/src/tests/dbus/zone_permanent_signatures.at +@@ -5,23 +5,23 @@ dnl #################### + dnl Global APIs + dnl #################### + +-DBUS_INTROSPECT([config], [[//method[@name="listZones"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="listZones"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config], [[//method[@name="getZoneNames"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getZoneNames"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config], [[//method[@name="getZoneByName"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getZoneByName"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([config], [[//method[@name="addZone"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="addZone"]]], 0, [dnl + + + +@@ -30,13 +30,13 @@ DBUS_INTROSPECT([config], [[//method[@name="addZone"]]], 0, [dnl + ]) + + dnl zone relation to interface/sources +-DBUS_INTROSPECT([config], [[//method[@name="getZoneOfInterface"]]], 0, [dnl ++DBUS_INTROSPECT([config], 
[[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getZoneOfInterface"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([config], [[//method[@name="getZoneOfSource"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getZoneOfSource"]]], 0, [dnl + + + +@@ -53,29 +53,29 @@ DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout]) + DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)] + export DBUS_PUBLIC_ZONE_OBJ + +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getSettings"]]], 0, [dnl + + + + ]) + +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="update"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="update"]]], 0, [dnl + + + + ]) + +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="loadDefaults"]]], 0, [dnl + + + ]) + +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="remove"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="remove"]]], 0, [dnl + + + ]) + +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="rename"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="rename"]]], 0, [dnl + + + +@@ -83,12 +83,12 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="rename" + + dnl Version + dnl 
+-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getVersion"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getVersion"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setVersion"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setVersion"]]], 0, [dnl + + + +@@ -96,12 +96,12 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setVers + + dnl Short + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getShort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getShort"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setShort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setShort"]]], 0, [dnl + + + +@@ -109,12 +109,12 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setShor + + dnl Description + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getDescription"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getDescription"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setDescription"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setDescription"]]], 0, [dnl + + + +@@ -122,12 +122,12 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setDesc + + dnl Target + dnl 
+-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getTarget"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getTarget"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setTarget"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setTarget"]]], 0, [dnl + + + +@@ -135,27 +135,27 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setTarg + + dnl Interfaces + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getInterfaces"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getInterfaces"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setInterfaces"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setInterfaces"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addInterface"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addInterface"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeInterface"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeInterface"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryInterface"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], 
[[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryInterface"]]], 0, [dnl + + + +@@ -164,27 +164,27 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIn + + dnl Sources + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSources"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getSources"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSources"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setSources"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSource"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addSource"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSource"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeSource"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySource"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="querySource"]]], 0, [dnl + + + +@@ -193,27 +193,27 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySo + + dnl Services + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getServices"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getServices"]]], 0, [dnl + + + + ]) 
+-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setServices"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setServices"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addService"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addService"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeService"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeService"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryService"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryService"]]], 0, [dnl + + + +@@ -222,29 +222,29 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySe + + dnl Ports + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getPorts"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getPorts"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setPorts"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setPorts"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addPort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addPort"]]], 0, [dnl + + 
+ + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removePort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removePort"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryPort"]]], 0, [dnl + + + +@@ -254,29 +254,29 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPo + + dnl Source Ports + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSourcePorts"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getSourcePorts"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSourcePorts"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setSourcePorts"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSourcePort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addSourcePort"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSourcePort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeSourcePort"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySourcePort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], 
[[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="querySourcePort"]]], 0, [dnl + + + +@@ -286,27 +286,27 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySo + + dnl Protocol + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getProtocols"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getProtocols"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setProtocols"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setProtocols"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addProtocol"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addProtocol"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeProtocol"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeProtocol"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryProtocol"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryProtocol"]]], 0, [dnl + + + +@@ -315,17 +315,17 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPr + + dnl Forward Ports + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getForwardPorts"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], 
[[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getForwardPorts"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setForwardPorts"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setForwardPorts"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addForwardPort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addForwardPort"]]], 0, [dnl + + + +@@ -333,7 +333,7 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addForw + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeForwardPort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeForwardPort"]]], 0, [dnl + + + +@@ -341,7 +341,7 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeF + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryForwardPort"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryForwardPort"]]], 0, [dnl + + + +@@ -353,25 +353,25 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryFo + + dnl Masquerade + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getMasquerade"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getMasquerade"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setMasquerade"]]], 0, [dnl 
++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setMasquerade"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addMasquerade"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addMasquerade"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeMasquerade"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeMasquerade"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryMasquerade"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryMasquerade"]]], 0, [dnl + + + +@@ -379,27 +379,27 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryMa + + dnl ICMP Block + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlocks"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getIcmpBlocks"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlocks"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setIcmpBlocks"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlock"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addIcmpBlock"]]], 0, [dnl + + + + ]) 
+-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlock"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeIcmpBlock"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlock"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryIcmpBlock"]]], 0, [dnl + + + +@@ -408,25 +408,25 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIc + + dnl ICMP Block Inversion + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlockInversion"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getIcmpBlockInversion"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlockInversion"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setIcmpBlockInversion"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addIcmpBlockInversion"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeIcmpBlockInversion"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl 
++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryIcmpBlockInversion"]]], 0, [dnl + + + +@@ -434,27 +434,27 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIc + + dnl Rich Rules + dnl +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getRichRules"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getRichRules"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setRichRules"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="setRichRules"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addRichRule"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="addRichRule"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeRichRule"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="removeRichRule"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryRichRule"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="queryRichRule"]]], 0, [dnl + + + +@@ -465,7 +465,7 @@ dnl ################### + dnl new dict based APIs + dnl ################### + +-DBUS_INTROSPECT([config], [[//method[@name="addZone2"]]], 0, [dnl ++DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="addZone2"]]], 0, [dnl + + + +@@ -473,13 +473,13 @@ 
DBUS_INTROSPECT([config], [[//method[@name="addZone2"]]], 0, [dnl + + ]) + +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSettings2"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="getSettings2"]]], 0, [dnl + + + + ]) + +-DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="update2"]]], 0, [dnl ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="update2"]]], 0, [dnl + + + +diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at +index 0b9b030a6612..29571a48ec5f 100644 +--- a/src/tests/dbus/zone_runtime_signatures.at ++++ b/src/tests/dbus/zone_runtime_signatures.at +@@ -5,7 +5,7 @@ dnl #################### + dnl Global APIs + dnl #################### + +-DBUS_INTROSPECT([], [[//method[@name="getZoneSettings"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1"]//method[@name="getZoneSettings"]]], 0, [dnl + + + +@@ -13,37 +13,37 @@ DBUS_INTROSPECT([], [[//method[@name="getZoneSettings"]]], 0, [dnl + ]) + + dnl Default Zone +-DBUS_INTROSPECT([], [[//method[@name="getDefaultZone"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1"]//method[@name="getDefaultZone"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="setDefaultZone"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1"]//method[@name="setDefaultZone"]]], 0, [dnl + + + + ]) + + dnl Fetching Zones +-DBUS_INTROSPECT([], [[//method[@name="getZones"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getZones"]]], 0, [dnl + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getActiveZones"]]], 0, [dnl ++DBUS_INTROSPECT([], 
[[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getActiveZones"]]], 0, [dnl + + + + ]) + + dnl Interface/Source +-DBUS_INTROSPECT([], [[//method[@name="getZoneOfInterface"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getZoneOfInterface"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getZoneOfSource"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getZoneOfSource"]]], 0, [dnl + + + +@@ -54,7 +54,7 @@ dnl #################### + dnl Zone APIs + dnl #################### + +-DBUS_INTROSPECT([], [[//method[@name="isImmutable"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="isImmutable"]]], 0, [dnl + + + +@@ -62,42 +62,42 @@ DBUS_INTROSPECT([], [[//method[@name="isImmutable"]]], 0, [dnl + ]) + + dnl Interfaces +-DBUS_INTROSPECT([], [[//method[@name="addInterface"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addInterface"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="changeZone"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZone"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="changeZoneOfInterface"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfInterface"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeInterface"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeInterface"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryInterface"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryInterface"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], 
[[//method[@name="getInterfaces"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getInterfaces"]]], 0, [dnl + + + +@@ -105,35 +105,35 @@ DBUS_INTROSPECT([], [[//method[@name="getInterfaces"]]], 0, [dnl + ]) + + dnl Sources +-DBUS_INTROSPECT([], [[//method[@name="addSource"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addSource"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="changeZoneOfSource"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfSource"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeSource"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeSource"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="querySource"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySource"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getSources"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getSources"]]], 0, [dnl + + + +@@ -141,7 +141,7 @@ DBUS_INTROSPECT([], [[//method[@name="getSources"]]], 0, [dnl + ]) + + dnl Services +-DBUS_INTROSPECT([], [[//method[@name="addService"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addService"]]], 0, [dnl + + + +@@ -149,21 +149,21 @@ DBUS_INTROSPECT([], [[//method[@name="addService"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeService"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeService"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryService"]]], 0, [dnl ++DBUS_INTROSPECT([], 
[[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryService"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getServices"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getServices"]]], 0, [dnl + + + +@@ -171,7 +171,7 @@ DBUS_INTROSPECT([], [[//method[@name="getServices"]]], 0, [dnl + ]) + + dnl Protocols +-DBUS_INTROSPECT([], [[//method[@name="addProtocol"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addProtocol"]]], 0, [dnl + + + +@@ -179,21 +179,21 @@ DBUS_INTROSPECT([], [[//method[@name="addProtocol"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeProtocol"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeProtocol"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryProtocol"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryProtocol"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getProtocols"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getProtocols"]]], 0, [dnl + + + +@@ -201,7 +201,7 @@ DBUS_INTROSPECT([], [[//method[@name="getProtocols"]]], 0, [dnl + ]) + + dnl Ports +-DBUS_INTROSPECT([], [[//method[@name="addPort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addPort"]]], 0, [dnl + + + +@@ -210,7 +210,7 @@ DBUS_INTROSPECT([], [[//method[@name="addPort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removePort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removePort"]]], 0, [dnl + + + +@@ -218,7 +218,7 @@ DBUS_INTROSPECT([], [[//method[@name="removePort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], 
[[//method[@name="queryPort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryPort"]]], 0, [dnl + + + +@@ -226,7 +226,7 @@ DBUS_INTROSPECT([], [[//method[@name="queryPort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getPorts"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getPorts"]]], 0, [dnl + + + dnl NOTE: The signature is "aas", but getPorts() actually returns +@@ -236,7 +236,7 @@ DBUS_INTROSPECT([], [[//method[@name="getPorts"]]], 0, [dnl + ]) + + dnl Source Ports +-DBUS_INTROSPECT([], [[//method[@name="addSourcePort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addSourcePort"]]], 0, [dnl + + + +@@ -245,7 +245,7 @@ DBUS_INTROSPECT([], [[//method[@name="addSourcePort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeSourcePort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeSourcePort"]]], 0, [dnl + + + +@@ -253,7 +253,7 @@ DBUS_INTROSPECT([], [[//method[@name="removeSourcePort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="querySourcePort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySourcePort"]]], 0, [dnl + + + +@@ -261,7 +261,7 @@ DBUS_INTROSPECT([], [[//method[@name="querySourcePort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getSourcePorts"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getSourcePorts"]]], 0, [dnl + + + dnl NOTE: The signature is "aas", but getPorts() actually returns +@@ -271,7 +271,7 @@ DBUS_INTROSPECT([], [[//method[@name="getSourcePorts"]]], 0, [dnl + ]) + + dnl Forward Ports +-DBUS_INTROSPECT([], [[//method[@name="addForwardPort"]]], 0, [dnl ++DBUS_INTROSPECT([], 
[[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addForwardPort"]]], 0, [dnl + + + +@@ -282,7 +282,7 @@ DBUS_INTROSPECT([], [[//method[@name="addForwardPort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeForwardPort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeForwardPort"]]], 0, [dnl + + + +@@ -292,7 +292,7 @@ DBUS_INTROSPECT([], [[//method[@name="removeForwardPort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryForwardPort"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryForwardPort"]]], 0, [dnl + + + +@@ -302,7 +302,7 @@ DBUS_INTROSPECT([], [[//method[@name="queryForwardPort"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getForwardPorts"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getForwardPorts"]]], 0, [dnl + + + dnl NOTE: The signature is "aas", but getPorts() actually returns +@@ -312,20 +312,20 @@ DBUS_INTROSPECT([], [[//method[@name="getForwardPorts"]]], 0, [dnl + ]) + + dnl Masquerade +-DBUS_INTROSPECT([], [[//method[@name="addMasquerade"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addMasquerade"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeMasquerade"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeMasquerade"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryMasquerade"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryMasquerade"]]], 0, [dnl + + + +@@ -333,7 +333,7 @@ DBUS_INTROSPECT([], [[//method[@name="queryMasquerade"]]], 0, [dnl + ]) + + dnl ICMP Block +-DBUS_INTROSPECT([], [[//method[@name="addIcmpBlock"]]], 0, [dnl ++DBUS_INTROSPECT([], 
[[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addIcmpBlock"]]], 0, [dnl + + + +@@ -341,21 +341,21 @@ DBUS_INTROSPECT([], [[//method[@name="addIcmpBlock"]]], 0, [dnl + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlock"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlock"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlock"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlock"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getIcmpBlocks"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getIcmpBlocks"]]], 0, [dnl + + + +@@ -363,19 +363,19 @@ DBUS_INTROSPECT([], [[//method[@name="getIcmpBlocks"]]], 0, [dnl + ]) + + dnl ICMP Block Inversion +-DBUS_INTROSPECT([], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addIcmpBlockInversion"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlockInversion"]]], 0, [dnl + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlockInversion"]]], 0, [dnl + + + +@@ -383,7 +383,7 @@ DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl + ]) + + dnl Rich Rules +-DBUS_INTROSPECT([], [[//method[@name="addRichRule"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="addRichRule"]]], 0, [dnl + + + +@@ -391,21 +391,21 @@ DBUS_INTROSPECT([], [[//method[@name="addRichRule"]]], 0, [dnl + + + ]) 
+-DBUS_INTROSPECT([], [[//method[@name="removeRichRule"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeRichRule"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="queryRichRule"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryRichRule"]]], 0, [dnl + + + + + + ]) +-DBUS_INTROSPECT([], [[//method[@name="getRichRules"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getRichRules"]]], 0, [dnl + + + +@@ -416,14 +416,14 @@ dnl ################### + dnl new dict based APIs + dnl ################### + +-DBUS_INTROSPECT([], [[//method[@name="getZoneSettings2"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="getZoneSettings2"]]], 0, [dnl + + + + + ]) + +-DBUS_INTROSPECT([], [[//method[@name="setZoneSettings2"]]], 0, [dnl ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="setZoneSettings2"]]], 0, [dnl + + + +-- +2.27.0 + diff --git a/0015-test-dbus-policy-introspect-signals.patch b/0015-test-dbus-policy-introspect-signals.patch new file mode 100644 index 0000000..5775905 --- /dev/null +++ b/0015-test-dbus-policy-introspect-signals.patch 
@@ -0,0 +1,69 @@ +From a97286a71ea39200fdbd6ad876a3b597f9ece6a7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 9 Feb 2021 12:20:27 -0500 +Subject: [PATCH 15/22] test(dbus): policy: introspect signals + +(cherry picked from commit 4ef37228e9bb1f564597b4cd654c2092cef0cca8) +(cherry picked from commit 9aac1417b2d10a4793756b4bdfa10047a2240ecd) +--- + src/tests/dbus/policy_permanent_signatures.at | 15 +++++++++++++++ + src/tests/dbus/policy_runtime_signatures.at | 6 ++++++ + 2 files changed, 21 insertions(+) + +diff --git a/src/tests/dbus/policy_permanent_signatures.at b/src/tests/dbus/policy_permanent_signatures.at +index 7363b7715947..9ad36fa131e7 100644 +--- a/src/tests/dbus/policy_permanent_signatures.at ++++ b/src/tests/dbus/policy_permanent_signatures.at +@@ -48,17 +48,32 @@ DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fed + + + ]) ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Updated"]]], 0, [dnl ++ ++ ++ ++]) + + DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="remove"]]], 0, [dnl + + + ]) ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Removed"]]], 0, [dnl ++ ++ ++ ++]) + + DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="rename"]]], 0, [dnl + + + + ]) ++DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Renamed"]]], 0, [dnl ++ ++ ++ ++]) + + DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="loadDefaults"]]], 0, [dnl + +diff --git a/src/tests/dbus/policy_runtime_signatures.at b/src/tests/dbus/policy_runtime_signatures.at 
+index c651ae981adf..e299329e4f4f 100644 +--- a/src/tests/dbus/policy_runtime_signatures.at ++++ b/src/tests/dbus/policy_runtime_signatures.at +@@ -15,6 +15,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]// + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//signal[@name="PolicyUpdated"]]], 0, [dnl ++ ++ ++ ++ ++]) + + dnl Fetching Policies + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicies"]]], 0, [dnl +-- +2.27.0 + diff --git a/0016-test-dbus-zone-introspect-signals.patch b/0016-test-dbus-zone-introspect-signals.patch new file mode 100644 index 0000000..9261907 --- /dev/null +++ b/0016-test-dbus-zone-introspect-signals.patch 
@@ -0,0 +1,369 @@ +From c15f2c1b94faf21eb39e4d1c525d205cb1b71dbc Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 9 Feb 2021 14:31:53 -0500 +Subject: [PATCH 16/22] test(dbus): zone: introspect signals + +(cherry picked from commit 04548b4c3be23288ccaeee74f7b1fda5e9d5e047) +(cherry picked from commit 2f9a05fbaf5882ca91cf4e4141aec27b6f58855c) +--- + src/tests/dbus/zone_permanent_signatures.at | 15 ++ + src/tests/dbus/zone_runtime_signatures.at | 152 ++++++++++++++++++++ + 2 files changed, 167 insertions(+) + +diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at +index 31b27925495a..2db55c5b3936 100644 +--- a/src/tests/dbus/zone_permanent_signatures.at ++++ b/src/tests/dbus/zone_permanent_signatures.at +@@ -64,6 +64,11 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org. + + + ]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Updated"]]], 0, [dnl ++ ++ ++ ++]) + + DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="loadDefaults"]]], 0, [dnl + +@@ -74,12 +79,22 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org. 
+ + + ]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Removed"]]], 0, [dnl ++ ++ ++ ++]) + + DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="rename"]]], 0, [dnl + + + + ]) ++DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Renamed"]]], 0, [dnl ++ ++ ++ ++]) + + dnl Version + dnl +diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at +index 29571a48ec5f..68aec78153ae 100644 +--- a/src/tests/dbus/zone_runtime_signatures.at ++++ b/src/tests/dbus/zone_runtime_signatures.at +@@ -69,6 +69,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="InterfaceAdded"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZone"]]], 0, [dnl + + +@@ -76,6 +82,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ZoneChanged"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfInterface"]]], 0, [dnl + + +@@ -90,6 +102,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="InterfaceRemoved"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryInterface"]]], 0, [dnl + + +@@ -112,6 +130,12 @@ DBUS_INTROSPECT([], 
[[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourceAdded"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfSource"]]], 0, [dnl + + +@@ -126,6 +150,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourceRemoved"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySource"]]], 0, [dnl + + +@@ -149,6 +179,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ServiceAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeService"]]], 0, [dnl + + +@@ -156,6 +193,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ServiceRemoved"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryService"]]], 0, [dnl + + +@@ -179,6 +222,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ProtocolAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeProtocol"]]], 0, [dnl + + +@@ -186,6 +236,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], 
[[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ProtocolRemoved"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryProtocol"]]], 0, [dnl + + +@@ -210,6 +266,14 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="PortAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removePort"]]], 0, [dnl + + +@@ -218,6 +282,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="PortRemoved"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryPort"]]], 0, [dnl + + +@@ -245,6 +316,14 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourcePortAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeSourcePort"]]], 0, [dnl + + +@@ -253,6 +332,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourcePortRemoved"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySourcePort"]]], 0, [dnl + + +@@ -282,6 +368,16 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ForwardPortAdded"]]], 0, [dnl ++ 
++ ++ ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeForwardPort"]]], 0, [dnl + + +@@ -292,6 +388,15 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ForwardPortRemoved"]]], 0, [dnl ++ ++ ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryForwardPort"]]], 0, [dnl + + +@@ -319,12 +424,23 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="MasqueradeAdded"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeMasquerade"]]], 0, [dnl + + + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="MasqueradeRemoved"]]], 0, [dnl ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryMasquerade"]]], 0, [dnl + + +@@ -341,6 +457,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlock"]]], 0, [dnl + + +@@ -348,6 +471,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockRemoved"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlock"]]], 0, [dnl + + +@@ -369,12 +498,22 @@ 
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockInversionAdded"]]], 0, [dnl ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlockInversion"]]], 0, [dnl + + + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockInversionRemoved"]]], 0, [dnl ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlockInversion"]]], 0, [dnl + + +@@ -391,6 +530,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="RichRuleAdded"]]], 0, [dnl ++ ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeRichRule"]]], 0, [dnl + + +@@ -398,6 +544,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me + + + ]) ++DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="RichRuleRemoved"]]], 0, [dnl ++ ++ ++ ++ ++]) + DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryRichRule"]]], 0, [dnl + + +-- +2.27.0 + diff --git a/0017-fix-dbus-properties-IPv4-and-IPv6-should-be-true-if-.patch b/0017-fix-dbus-properties-IPv4-and-IPv6-should-be-true-if-.patch new file mode 100644 index 0000000..380bf9d --- /dev/null +++ b/0017-fix-dbus-properties-IPv4-and-IPv6-should-be-true-if-.patch 
@@ -0,0 +1,35 @@
+From 633f2335b9305514b36b50455063070c4888be61 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 10 Feb 2021 16:35:12 -0500
+Subject: [PATCH 17/22] fix(dbus): properties: IPv4 and IPv6 should be true if
+ using nftables
+
+(cherry picked from commit 85feb6cf091d4e03c1175770a7cacb9d994f1126)
+(cherry picked from commit 94cc358fe90f4926e588f568edec9fd4efe49370)
+---
+ src/firewall/server/firewalld.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 895e9635d1aa..f74e6e6ae6ff 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -158,13 +158,13 @@ class FirewallD(slip.dbus.service.Object):
+ return dbus.String(self.fw.get_state())
+
+ elif prop == "IPv4":
+- return dbus.Boolean(self.fw.ip4tables_enabled)
++ return dbus.Boolean(self.fw.is_ipv_enabled("ipv4"))
+
+ elif prop == "IPv4ICMPTypes":
+ return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
+
+ elif prop == "IPv6":
+- return dbus.Boolean(self.fw.ip6tables_enabled)
++ return dbus.Boolean(self.fw.is_ipv_enabled("ipv6"))
+
+ elif prop == "IPv6_rpfilter":
+ return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
+--
+2.27.0
+
diff --git a/0018-test-ipset-add-missing-CHECK_IPSET.patch b/0018-test-ipset-add-missing-CHECK_IPSET.patch
new file mode 100644
index 0000000..696128a
--- /dev/null
+++ b/0018-test-ipset-add-missing-CHECK_IPSET.patch
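Review bot: The D-Bus `IPv4` and `IPv6` properties now report `self.fw.is_ipv_enabled(...)` instead of whether the iptables/ip6tables backends are usable, which is a visible contract change for clients that read these properties, and the hunk leaves that meaning undocumented. A comment above each branch, e.g. `# True when the active backend (nftables or iptables) handles this family, not merely when the iptables binaries are usable`, would record the new semantics for the next reader. The enclosing property getter starts outside the hunk, so its docstring (if any) may also need the same update.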
@@ -0,0 +1,52 @@
+From 04b9b7138e4af55f56a82f0b3727b0e70de3a5a0 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 11 Feb 2021 15:10:04 -0500
+Subject: [PATCH 18/22] test(ipset): add missing CHECK_IPSET
+
+(cherry picked from commit 61a2f56e889f5a370e28bf98f8dcf2e864a01283)
+(cherry picked from commit 95f18c89e22271ec437377f8fed753997f5828aa)
+---
+ src/tests/regression/gh567.at | 1 +
+ src/tests/regression/rhbz1779835.at | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/gh567.at b/src/tests/regression/gh567.at
+index 03c3bde4a0fe..7faa9a5b0291 100644
+--- a/src/tests/regression/gh567.at
++++ b/src/tests/regression/gh567.at
+@@ -1,5 +1,6 @@
+ FWD_START_TEST([rich rule source w/ mark action])
+ AT_KEYWORDS(gh567 rich ipset)
++CHECK_IPSET
+
+ FWD_CHECK([-q --permanent --new-ipset=Teste --type=hash:net])
+ FWD_CHECK([-q --permanent --add-rich-rule "rule family=ipv4 source ipset=Teste mark set=2"])
+diff --git a/src/tests/regression/rhbz1779835.at b/src/tests/regression/rhbz1779835.at
+index 8de5c0353b6e..1c6738bce468 100644
+--- a/src/tests/regression/rhbz1779835.at
++++ b/src/tests/regression/rhbz1779835.at
+@@ -1,5 +1,6 @@
+ FWD_START_TEST([ipv6 address with brackets])
+-AT_KEYWORDS(rhbz1779835 ipset zone forward_port rich)
++AT_KEYWORDS(rhbz1779835 ipset)
++CHECK_IPSET
+
+ IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
+
+@@ -10,6 +11,13 @@ FWD_CHECK([-q --permanent --new-ipset=foobar2 --type=hash:net --family=inet6])
+ FWD_CHECK([[-q --permanent --ipset foobar2 --add-entry='[1234::]/64']])
+ FWD_RELOAD
+
++FWD_END_TEST
++
++FWD_START_TEST([ipv6 address with brackets])
++AT_KEYWORDS(rhbz1779835 zone forward_port rich)
++
++IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
++
+ dnl zone source
+ FWD_CHECK([[-q --zone internal --add-source='[::1234]']])
+ FWD_CHECK([[-q --zone internal --add-source='[1234::]/64']])
+--
+2.27.0
+
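Review bot: The new `FWD_START_TEST([ipv6 address with brackets])` in rhbz1779835.at reuses the title of the test it was split from, so the two cases are indistinguishable in the Autotest summary and log, and a failure in one cannot be told apart from a failure in the other. Give the split-off half a distinct title, e.g. `FWD_START_TEST([ipv6 address with brackets (zone/forward_port/rich)])`, keeping the keyword set as added. The `CHECK_IPSET` guard on the first half is the right fix for the skip; the second half correctly omits it since it no longer touches ipsets.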
diff --git a/0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch b/0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch
new file mode 100644
index 0000000..ec343aa
--- /dev/null
+++ b/0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch
@@ -0,0 +1,48 @@
+From 0ada4672b42c426de1ffc7f3ae2416629225369f Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 15 Feb 2021 09:53:02 -0500
+Subject: [PATCH 19/22] fix(fw): when checking tables make sure to check the
+ actual backend
+
+Calling get_backend_by_ipv() will return nftables if we're using
+nftables backend, but we really need to check if iptables, et al. are
+available.
+
+(cherry picked from commit 48d97fb40929afbc1b0bc82759ad75b1937f6e3f)
+(cherry picked from commit fba59a99735ec46d787141350564137abfec0c87)
+---
+ src/firewall/core/fw.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 15284a4929e9..3eb54e37ab5c 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -131,18 +131,18 @@ class Firewall(object):
+ def _check_tables(self):
+ # check if iptables, ip6tables and ebtables are usable, else disable
+ if self.ip4tables_enabled and \
+- "filter" not in self.get_backend_by_ipv("ipv4").get_available_tables():
+- log.warning("iptables not usable, disabling IPv4 firewall.")
++ "filter" not in self.ip4tables_backend.get_available_tables():
++ log.info1("iptables is not usable.")
+ self.ip4tables_enabled = False
+
+ if self.ip6tables_enabled and \
+- "filter" not in self.get_backend_by_ipv("ipv6").get_available_tables():
+- log.warning("ip6tables not usable, disabling IPv6 firewall.")
++ "filter" not in self.ip6tables_backend.get_available_tables():
++ log.info1("ip6tables is not usable.")
+ self.ip6tables_enabled = False
+
+ if self.ebtables_enabled and \
+- "filter" not in self.get_backend_by_ipv("eb").get_available_tables():
+- log.warning("ebtables not usable, disabling ethernet bridge firewall.")
++ "filter" not in self.ebtables_backend.get_available_tables():
++ log.info1("ebtables is not usable.")
+ self.ebtables_enabled = False
+
+ # is there at least support for ipv4 or ipv6
+--
+2.27.0
+
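Review bot: Downgrading all three messages in `_check_tables` from `log.warning` to `log.info1` hides a condition that still matters when the iptables backend is the one actually in use: on such a host an unusable iptables/ip6tables now silently disables that address family at the default log level, and an operator checking the journal for why traffic is unfiltered gets no warning. The quieter level is presumably justified only for the nftables-backend case described in the commit message, so it would be safer to keep `log.warning` when nftables is not the active backend (the attribute that records the selected backend is not visible in this hunk, so the exact condition needs confirming against the rest of the class). A short comment on the `log.info1` lines explaining that the lowered level is intentional for nftables hosts would also help; the method's tail (the ipv4/ipv6 support check) continues outside the hunk.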
diff --git a/0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch b/0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch
new file mode 100644
index 0000000..5cded79
--- /dev/null
+++ b/0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch
@@ -0,0 +1,118 @@ +From 12b83f9c9381e60496a63082343512e62b03de5f Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 22 Feb 2021 15:11:21 -0500 +Subject: [PATCH 20/22] fix(ipset): nftables: use interval flag for "ip" types + +This is to be compatible with ipset. ipset allows adding to a non-mask +type, e.g. "ip", by using a mask. ipset translates this into many +entries. Support it in nftables simply by using intervals. + +(cherry picked from commit faaf3ac649a347f0bccae800fd0e4daeebbd1539) +(cherry picked from commit c9d1c88e91c84561af0dbfb5999f722a3b6bb397) +--- + src/firewall/core/nftables.py | 2 +- + src/tests/cli/firewall-cmd.at | 1 + + src/tests/regression/gh330.at | 6 ++++++ + src/tests/regression/rhbz1734765.at | 2 ++ + 4 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index ff077aded340..e6907421e111 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1767,7 +1767,7 @@ class nftables(object): + + # Some types need the interval flag + for t in type.split(":")[1].split(","): +- if t in ["net", "port"]: ++ if t in ["ip", "net", "port"]: + set_dict["flags"] = ["interval"] + break + +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 67af8a19c072..450737776a9f 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -974,6 +974,7 @@ FWD_START_TEST([ipset]) + table inet firewalld { + set foobar { + type ipv4_addr . mark ++ flags interval + elements = { 10.10.10.10 . 0x00000100, + 20.20.20.20 . 
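Review bot: Adding `"ip"` to `if t in ["ip", "net", "port"]:` turns every set that contains an address element into an interval set, including concatenated types such as `ipv4_addr . mark` (the firewall-cmd.at expectation further down gains `flags interval` for exactly that set). As far as I recall, interval flags on concatenated set types are a comparatively recent nftables/kernel capability that firewalld did not require before this change, so the minimum nft/kernel version this backend claims to support should be confirmed before shipping. A why-comment at the branch would also help: `# "ip" needs interval too: ipset accepts a mask on hash:ip (e.g. 1.2.3.0/24) and expands it; nftables expresses that as a range, which also implies overlap checking on add.` The enclosing set-creation function starts before the hunk.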
0x00000200 } + } +diff --git a/src/tests/regression/gh330.at b/src/tests/regression/gh330.at +index fd8d2f8d2dd8..0564501aa18d 100644 +--- a/src/tests/regression/gh330.at ++++ b/src/tests/regression/gh330.at +@@ -17,6 +17,7 @@ NFT_LIST_SET([foobar], 0, [dnl + table inet firewalld { + set foobar { + type ipv4_addr ++ flags interval + elements = { 1.2.3.4 } + } + } +@@ -43,6 +44,7 @@ NFT_LIST_SET([foobar], 0, [dnl + table inet firewalld { + set foobar { + type ipv4_addr ++ flags interval + elements = { 1.2.3.4, 10.10.10.10 } + } + } +@@ -60,6 +62,7 @@ NFT_LIST_SET([foobar], 0, [dnl + table inet firewalld { + set foobar { + type ipv4_addr ++ flags interval + elements = { 1.2.3.4, 10.10.10.10 } + } + } +@@ -80,6 +83,7 @@ NFT_LIST_SET([foobar], 0, [dnl + table inet firewalld { + set foobar { + type ipv4_addr ++ flags interval + elements = { 1.2.3.4, 4.3.2.1, + 10.10.10.10 } + } +@@ -104,6 +108,7 @@ NFT_LIST_SET([foobar], 0, [dnl + table inet firewalld { + set foobar { + type ipv4_addr ++ flags interval + elements = { 1.2.3.4, 4.3.2.1, + 6.6.6.6, 10.10.10.10 } + } +@@ -129,6 +134,7 @@ NFT_LIST_SET([foobar], 0, [dnl + table inet firewalld { + set foobar { + type ipv4_addr ++ flags interval + elements = { 1.2.3.4 } + } + } +diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at +index b9f6aa5d49a1..b5023a058a55 100644 +--- a/src/tests/regression/rhbz1734765.at ++++ b/src/tests/regression/rhbz1734765.at +@@ -47,6 +47,7 @@ NFT_LIST_SET([ipsetv4], 0, [dnl + table inet firewalld { + set ipsetv4 { + type ipv4_addr ++ flags interval + elements = { 192.0.2.12 } + } + } +@@ -55,6 +56,7 @@ NFT_LIST_SET([ipsetv6], 0, [dnl + table inet firewalld { + set ipsetv6 { + type ipv6_addr ++ flags interval + elements = { ::2 } + } + } +-- +2.27.0 + diff --git a/0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch b/0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch new file mode 100644 index 0000000..cbace62 --- /dev/null 
+++ b/0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch 
@@ -0,0 +1,54 @@ +From 8adac165dc93d28802c645a3626a3bcf29503ace Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 15 Feb 2021 11:29:07 -0500 +Subject: [PATCH 21/22] test(ipset): verify ipset netmask allowed for hash:ip + +(cherry picked from commit b7718f0dfa9ce7247911ef49c62e3ef2e4208343) +(cherry picked from commit 1fd50036a51b6147f9e77d61d7e63c8a8e564756) +--- + src/tests/regression/ipset_netmask_allowed.at | 23 +++++++++++++++++++ + src/tests/regression/regression.at | 1 + + 2 files changed, 24 insertions(+) + create mode 100644 src/tests/regression/ipset_netmask_allowed.at + +diff --git a/src/tests/regression/ipset_netmask_allowed.at b/src/tests/regression/ipset_netmask_allowed.at +new file mode 100644 +index 000000000000..b5165d94b220 +--- /dev/null ++++ b/src/tests/regression/ipset_netmask_allowed.at +@@ -0,0 +1,23 @@ ++FWD_START_TEST([ipset netmask allowed type hash:ip]) ++AT_KEYWORDS(ipset reload) ++ ++FWD_CHECK([--permanent --new-ipset foobar --type hash:ip], 0, [ignore]) ++FWD_RELOAD ++ ++dnl ipset allows specifying a mask for hash:ip, but it will translate it into ++dnl an add for the whole range. i.e. 1.2.3.4/24 --> 1.2.3.[0.255] (256 ++dnl entries). ++dnl ++dnl In nftables, we allow this by using actual intervals. 
++FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore]) ++FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore]) ++ ++dnl check the edge case ++FWD_CHECK([--permanent --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore]) ++FWD_CHECK([ --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore]) ++ ++dnl overlaps should be denied by ipset ++FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/22], 13, [ignore], [ignore]) ++FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/30], 13, [ignore], [ignore]) ++ ++FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d']) +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index a90fc37d51c6..a49bb3b756e7 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -38,3 +38,4 @@ m4_include([regression/rhbz1855140.at]) + m4_include([regression/rhbz1871298.at]) + m4_include([regression/rhbz1596304.at]) + m4_include([regression/gh703.at]) ++m4_include([regression/ipset_netmask_allowed.at]) +-- +2.27.0 + diff --git a/0022-test-offline-always-allow-ipset-tests.patch b/0022-test-offline-always-allow-ipset-tests.patch new file mode 100644 index 0000000..0077def --- /dev/null +++ b/0022-test-offline-always-allow-ipset-tests.patch 
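Review bot: `FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d'])` at the end of ipset_netmask_allowed.at strips every COMMAND_FAILED error from firewalld.log, not just the two overlap rejections the test provokes on purpose, so an unrelated backend failure while adding `1.2.3.0/24` or `4.3.2.1/32` would go unnoticed. Assuming the logged error text includes the offending entry, a narrower filter such as `FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*1\.2\.3\.0\/\(22\|30\)/d'])` keeps the end-of-test log check meaningful. The exit-code-13 assertions only cover the runtime path; an overlapping `--permanent --add-entry` is not exercised, which may be deliberate but is worth a `dnl` note.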
@@ -0,0 +1,34 @@ +From be0b7cac7e80d51cc976085f9575b0feb3f1fbe7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 19 Feb 2021 10:27:18 -0500 +Subject: [PATCH 22/22] test(offline): always allow ipset tests + +(cherry picked from commit 50c713a8b82be5a3499a15f825cdceb373fe3698) +(cherry picked from commit f17e1937597455257a29ae848ea51c5e089c1077) +--- + src/tests/functions.at | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 8632f49e442f..54afcf14585a 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -519,6 +519,7 @@ m4_define([DBUS_SET], [ + ]) + + m4_define([CHECK_IPSET], [ ++ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ + m4_if(nftables, FIREWALL_BACKEND, [ + dnl If our nft binary has buggy flush set, then skip the test + NS_CHECK([nft add table inet firewalld_check_ipset]) +@@ -537,6 +538,7 @@ m4_define([CHECK_IPSET], [ + + NS_CHECK([nft delete table inet firewalld_check_ipset]) + ]) ++ ]) + ]) + + m4_define([CHECK_IPSET_HASH_MAC], [ +-- +2.27.0 + diff --git a/0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch b/0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch new file mode 100644 index 0000000..52b94ea --- /dev/null +++ b/0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch 
@@ -0,0 +1,167 @@ +From 44dff592c200f81d74b64ba1c729ec8ec3b8612e Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 13 Apr 2021 14:35:31 -0400 +Subject: [PATCH 23/30] fix(direct): rule order with multiple address with + -s/-d + +Fixes: rhbz 1940928 +Fixes: rhbz 1949552 +(cherry picked from commit 2be50d366b9ba073e5f86edcd0b412ff48c3fed1) +(cherry picked from commit a545183d6916169cd16648707b9f876ea0833955) +--- + src/firewall/core/fw_direct.py | 53 +++++++++++++++++++++++++++++----- + src/firewall/core/ipXtables.py | 32 -------------------- + 2 files changed, 46 insertions(+), 39 deletions(-) + +diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py +index e53a72e3326a..76aeda9f19cb 100644 +--- a/src/firewall/core/fw_direct.py ++++ b/src/firewall/core/fw_direct.py +@@ -298,7 +298,7 @@ class FirewallDirect(object): + r.append((ipv, table, chain, priority, list(args))) + return r + +- def _register_rule(self, rule_id, chain_id, priority, enable): ++ def _register_rule(self, rule_id, chain_id, priority, enable, count): + if enable: + if chain_id not in self._rules: + self._rules[chain_id] = LastUpdatedOrderedDict() +@@ -307,14 +307,14 @@ class FirewallDirect(object): + self._rule_priority_positions[chain_id] = { } + + if priority in self._rule_priority_positions[chain_id]: +- self._rule_priority_positions[chain_id][priority] += 1 ++ self._rule_priority_positions[chain_id][priority] += count + else: +- self._rule_priority_positions[chain_id][priority] = 1 ++ self._rule_priority_positions[chain_id][priority] = count + else: + del self._rules[chain_id][rule_id] + if len(self._rules[chain_id]) == 0: + del self._rules[chain_id] +- self._rule_priority_positions[chain_id][priority] -= 1 ++ self._rule_priority_positions[chain_id][priority] -= count + + # DIRECT PASSTHROUGH (untracked) + +@@ -376,6 +376,34 @@ class FirewallDirect(object): + r.append(list(args)) + return r + ++ def split_value(self, rules, opts): ++ """Split values combined with 
commas for options in opts""" ++ ++ out_rules = [ ] ++ for rule in rules: ++ processed = False ++ for opt in opts: ++ try: ++ i = rule.index(opt) ++ except ValueError: ++ pass ++ else: ++ if len(rule) > i and "," in rule[i+1]: ++ # For all items in the comma separated list in index ++ # i of the rule, a new rule is created with a single ++ # item from this list ++ processed = True ++ items = rule[i+1].split(",") ++ for item in items: ++ _rule = rule[:] ++ _rule[i+1] = item ++ out_rules.append(_rule) ++ if not processed: ++ out_rules.append(rule) ++ ++ return out_rules ++ ++ + def _rule(self, enable, ipv, table, chain, priority, args, transaction): + self._check_ipv_table(ipv, table) + # Do not create zone chains if we're using nftables. Only allow direct +@@ -458,6 +486,7 @@ class FirewallDirect(object): + # has index 1. + + index = 1 ++ count = 0 + if chain_id in self._rule_priority_positions: + positions = sorted(self._rule_priority_positions[chain_id].keys()) + j = 0 +@@ -465,11 +494,21 @@ class FirewallDirect(object): + index += self._rule_priority_positions[chain_id][positions[j]] + j += 1 + +- transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, args)) ++ # split the direct rule in some cases as iptables-restore can't handle ++ # compound args. 
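Review bot: The bounds guard in the new `split_value`, `if len(rule) > i and "," in rule[i+1]:`, is off by one: `rule.index(opt)` already guarantees `i < len(rule)`, so the guard is always true and a rule whose last token is `-s`/`-d` with no value raises IndexError from `rule[i+1]` instead of being passed through to the backend's own argument validation; since direct rule args arrive from the D-Bus client, that presumably surfaces as an unhandled exception rather than a FirewallError. Use `if len(rule) > i + 1 and "," in rule[i+1]:`. `rule.index(opt)` also finds only the first occurrence, so a second `-s` in the same rule is not split — inherited from the ipXtables version removed below, but worth a comment now that the helper runs for every backend, e.g. `# Only the first -s/-d occurrence is split; iptables-restore rejects comma lists in these args.` The method is new in this hunk and fully visible.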
++ # ++ args_list = [list(args)] ++ args_list = self.split_value(args_list, [ "-s", "--source" ]) ++ args_list = self.split_value(args_list, [ "-d", "--destination" ]) ++ ++ for _args in args_list: ++ transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, tuple(_args))) ++ index += 1 ++ count += 1 + +- self._register_rule(rule_id, chain_id, priority, enable) ++ self._register_rule(rule_id, chain_id, priority, enable, count) + transaction.add_fail(self._register_rule, +- rule_id, chain_id, priority, not enable) ++ rule_id, chain_id, priority, not enable, count) + + def _chain(self, add, ipv, table, chain, transaction): + self._check_ipv_table(ipv, table) +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index 968b75867849..818ce3f153d0 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -200,36 +200,6 @@ class ip4tables(object): + " ".join(_args), ret)) + return ret + +- def split_value(self, rules, opts=None): +- """Split values combined with commas for options in opts""" +- +- if opts is None: +- return rules +- +- out_rules = [ ] +- for rule in rules: +- processed = False +- for opt in opts: +- try: +- i = rule.index(opt) +- except ValueError: +- pass +- else: +- if len(rule) > i and "," in rule[i+1]: +- # For all items in the comma separated list in index +- # i of the rule, a new rule is created with a single +- # item from this list +- processed = True +- items = rule[i+1].split(",") +- for item in items: +- _rule = rule[:] +- _rule[i+1] = item +- out_rules.append(_rule) +- if not processed: +- out_rules.append(rule) +- +- return out_rules +- + def _rule_replace(self, rule, pattern, replacement): + try: + i = rule.index(pattern) +@@ -472,8 +442,6 @@ class ip4tables(object): + + for table in table_rules: + rules = table_rules[table] +- rules = self.split_value(rules, [ "-s", "--source" ]) +- rules = self.split_value(rules, [ "-d", "--destination" ]) + + 
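Review bot: In the `for _args in args_list:` loop the positional `index` is incremented for every split rule on the remove path (`enable` False) as well as the add path, and `count` is then recorded through `_register_rule`. That is correct for insertion, but if `backend.build_rule` uses the index for deletion too, deleting at N shifts the former N+1 rule down and the incremented index would skip every other split rule; `build_rule` is not in the hunk, so please confirm the delete path ignores the index, and either way a comment such as `# index only matters for insertion; split rules are contiguous so each insert lands after the previous one` would spare the next reader the same question. The comment above the split says iptables-restore cannot handle compound args, yet the split now runs regardless of which backend `backend` is — harmless for nftables rules as far as I can see, but the comment should say so. `_rule` begins before the hunk and ends after it.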
temp_file.write("*%s\n" % table) + for rule in rules: +-- +2.27.0 + diff --git a/0024-test-direct-verify-rule-order-with-multiple-address-.patch b/0024-test-direct-verify-rule-order-with-multiple-address-.patch new file mode 100644 index 0000000..a86b378 --- /dev/null +++ b/0024-test-direct-verify-rule-order-with-multiple-address-.patch 
@@ -0,0 +1,86 @@ +From ed0b0a7f967f33729e4ec7472b4229f0317fd92d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 9 Apr 2021 13:34:31 -0400 +Subject: [PATCH 24/30] test(direct): verify rule order with multiple address + with -s/-d + +Coverage: rhbz 1940928 +Coverage: rhbz 1949552 +(cherry picked from commit 80c30dacc066af4d6d71d298b5e47625ecee5bdf) +(cherry picked from commit c1262441db90108eb8044053ae1b93f66f0c2839) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1940928.at | 52 +++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 src/tests/regression/rhbz1940928.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index a49bb3b756e7..8156ee608189 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -39,3 +39,4 @@ m4_include([regression/rhbz1871298.at]) + m4_include([regression/rhbz1596304.at]) + m4_include([regression/gh703.at]) + m4_include([regression/ipset_netmask_allowed.at]) ++m4_include([regression/rhbz1940928.at]) +diff --git a/src/tests/regression/rhbz1940928.at b/src/tests/regression/rhbz1940928.at +new file mode 100644 +index 000000000000..0a4367080b5e +--- /dev/null ++++ b/src/tests/regression/rhbz1940928.at +@@ -0,0 +1,52 @@ ++FWD_START_TEST([direct -s/-d multiple addresses]) ++AT_KEYWORDS(direct rhbz1940928 rhbz1949552) ++CHECK_IPTABLES ++ ++dnl test triggers a limitation in iptables-restore ++dnl ++AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=no/' ./firewalld.conf]) ++FWD_RELOAD ++ ++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore]) ++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore]) ++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore]) 
++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore]) ++ ++IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ++ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8 ++ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16 ++ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24 ++ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8 ++ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16 ++ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24 ++ DROP all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++ ++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore]) ++ ++IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ++ ACCEPT sctp -- 0.0.0.0/0 10.0.0.0/8 ++ ACCEPT sctp -- 0.0.0.0/0 172.16.0.0/16 ++ ACCEPT sctp -- 0.0.0.0/0 192.168.0.0/24 ++ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8 ++ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16 ++ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24 ++ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8 ++ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16 ++ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24 ++ DROP all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++ ++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore]) ++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore]) ++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore]) ++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore]) ++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore]) ++ ++ ++IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, 
FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/0025-fix-ipset-fix-hash-net-net-functionality.patch b/0025-fix-ipset-fix-hash-net-net-functionality.patch new file mode 100644 index 0000000..2ad0bc0 --- /dev/null +++ b/0025-fix-ipset-fix-hash-net-net-functionality.patch @@ -0,0 +1,31 @@ +From 44442eace5a5a4330fb40d47cd9fb3c561d38c56 Mon Sep 17 00:00:00 2001 +From: Fabrizio D'Angelo +Date: Mon, 12 Apr 2021 13:56:00 -0400 +Subject: [PATCH 25/30] fix(ipset): fix hash:net,net functionality + +Fixes: rhbz 1936896 + +Signed-off-by: Fabrizio D'Angelo +(cherry picked from commit 36f3d50d729d3329ce99653d8227e3f52a02a43f) +(cherry picked from commit 3ea4779dc4a957f9c0eb795ab0b00e67d653b772) +--- + src/firewall/core/nftables.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index e6907421e111..e3ae988bbdab 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1742,8 +1742,8 @@ class nftables(object): + "hash:ip,mark" : [ipv_addr[ipv], "mark"], + + "hash:net" : ipv_addr[ipv], ++ "hash:net,net" : [ipv_addr[ipv], ipv_addr[ipv]], + "hash:net,port" : [ipv_addr[ipv], "inet_proto", "inet_service"], +- "hash:net,port,ip" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]], + "hash:net,port,net" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]], + "hash:net,iface" : [ipv_addr[ipv], "ifname"], + +-- +2.27.0 + diff --git a/0026-test-ipset-add-test-to-verify-hash-net-net.patch b/0026-test-ipset-add-test-to-verify-hash-net-net.patch new file mode 100644 index 0000000..40c8dd7 --- /dev/null +++ b/0026-test-ipset-add-test-to-verify-hash-net-net.patch 
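Review bot: The test title and keywords promise coverage of `-s/-d` with multiple addresses, but every rule added uses `-d` only; nothing exercises the `-s`/`--source` pass of `split_value` or a rule carrying both options at once, which produces a cross product of split rules. One extra rule such as `FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -s 10.0.0.0/8,172.16.0.0/16 -d 192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])` with the matching two-line expectation in `IPTABLES_LIST_RULES_ALWAYS` would cover the ordering bug from the other direction. The `sed -i 's/^IndividualCalls.*/IndividualCalls=no/'` at the top also pins the test to the restore path; the `IndividualCalls=yes` path is not covered here.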
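Review bot: Besides adding `"hash:net,net"`, the hunk removes the `"hash:net,port,ip"` entry from the type map, which neither the subject nor the commit message mentions. If that string is still accepted elsewhere (for instance in the ipset type allow-list behind `--new-ipset --type`), a set of that type would now fail with a KeyError at nft set creation instead of a clean error; please either note the removal in the message or confirm the name is rejected earlier. A comment on the mapping, `# keep in sync with the ipset types accepted by the config/CLI layer`, would make that coupling explicit. The dict literal starts before the hunk.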
@@ -0,0 +1,64 @@ +From 6d19a0bdb26f0eeb08dfdd9957c184e90db8766e Mon Sep 17 00:00:00 2001 +From: Fabrizio D'Angelo +Date: Mon, 12 Apr 2021 14:05:36 -0400 +Subject: [PATCH 26/30] test(ipset): add test to verify hash:net,net + +Signed-off-by: Fabrizio D'Angelo +(cherry picked from commit f3bd1297f656217031957eee7cfb4b3ee5ef42f2) +(cherry picked from commit 690ad9abf26f8ec3486704553d891d7d2ce11a80) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1936896.at | 32 +++++++++++++++++++++++++++++ + 2 files changed, 33 insertions(+) + create mode 100644 src/tests/regression/rhbz1936896.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 8156ee608189..2a5ad9ef995a 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -40,3 +40,4 @@ m4_include([regression/rhbz1596304.at]) + m4_include([regression/gh703.at]) + m4_include([regression/ipset_netmask_allowed.at]) + m4_include([regression/rhbz1940928.at]) ++m4_include([regression/rhbz1936896.at]) +diff --git a/src/tests/regression/rhbz1936896.at b/src/tests/regression/rhbz1936896.at +new file mode 100644 +index 000000000000..911db0bc448d +--- /dev/null ++++ b/src/tests/regression/rhbz1936896.at +@@ -0,0 +1,32 @@ ++FWD_START_TEST([ipset type hash:net,net]) ++AT_KEYWORDS(rhbz1936896) ++CHECK_IPSET ++ ++FWD_CHECK([-q --permanent --new-ipset testset --type hash:net,net]) ++FWD_CHECK([--permanent --ipset=testset --add-entry=192.168.0.0/24,10.0.1.0/24], 0, ignore) ++FWD_RELOAD ++FWD_CHECK([--permanent --info-ipset=testset | TRIM_WHITESPACE], 0, [m4_strip([dnl ++ testset ++ type: hash:net,net ++ options: ++ entries: 192.168.0.0/24,10.0.1.0/24 ++])]) ++ ++IPSET_LIST_SET([testset], 0, [dnl ++ Name: testset ++ Type: hash:net,net ++ Members: ++ 192.168.0.0/24,10.0.1.0/24 ++]) ++ ++NFT_LIST_SET([testset], 0, [dnl ++ table inet firewalld { ++ set testset { ++ type ipv4_addr . 
ipv4_addr ++ flags interval ++ elements = { 192.168.0.0/24 . 10.0.1.0/24 } ++ } ++ } ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch b/0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch new file mode 100644 index 0000000..dd50e1b --- /dev/null +++ b/0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch @@ -0,0 +1,45 @@ +From 1cbe39d4260c633da4b7110d6e2e7722b8454af4 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 27 Apr 2021 08:56:13 -0400 +Subject: [PATCH 27/30] fix(nm): reload: only consider NM connections with a + real interface + +Where real interface means linux interface capable of having an IP +address and does not exceed IFNAMSIZ. + +Fixes: rhbz 1928860 +(cherry picked from commit f18f1cc96503fbc5d42f30ecdc6f0da4c56aac4d) +(cherry picked from commit 7e9c4a5072ee3fd1aaf4162ef6ef1bf84b8a82eb) +--- + src/firewall/core/fw_nm.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py +index 37282a1a7711..0e38dd47e927 100644 +--- a/src/firewall/core/fw_nm.py ++++ b/src/firewall/core/fw_nm.py +@@ -141,7 +141,9 @@ def nm_get_connections(connections, connections_name): + + connections_name[uuid] = name + for dev in devices: +- connections[dev.get_iface()] = uuid ++ ip_iface = dev.get_ip_iface() ++ if ip_iface: ++ connections[ip_iface] = uuid + + def nm_get_interfaces(): + """Get active interfaces from NM +@@ -169,7 +171,9 @@ def nm_get_interfaces(): + continue + + for dev in active_con.get_devices(): +- active_interfaces.append(dev.get_iface()) ++ ip_iface = dev.get_ip_iface() ++ if ip_iface: ++ active_interfaces.append(ip_iface) + + return active_interfaces + +-- +2.27.0 + diff --git a/0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch b/0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch new file mode 100644 index 0000000..205968a --- /dev/null 
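Review bot: The new `ip_iface = dev.get_ip_iface()` / `if ip_iface:` guard in both `nm_get_connections` and `nm_get_interfaces` relies on NetworkManager reporting an empty ip-iface for devices that cannot carry an address; the commit message's second criterion, "does not exceed IFNAMSIZ", is not checked anywhere in the hunk and is presumably a property of NM's ip-iface rather than something this code enforces. A why-comment would help the next reader, e.g. `# Use the IP-capable interface name (empty for e.g. OVS bridge/port devices); get_iface() may presumably return an NM-only name with no kernel interface behind it.` If the IFNAMSIZ guarantee is meant to be enforced here rather than trusted from NM, it needs an explicit length check.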
+++ b/0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch 
@@ -0,0 +1,81 @@ +From 1a2c50e5cf165a5392764ff435b7183a6d6610a7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 27 Apr 2021 09:06:22 -0400 +Subject: [PATCH 28/30] test(nm): reload: only consider NM connections with a + real interface + +Coverage: rhbz 1928860 +(cherry picked from commit 7566d3dc5664955064b14314b3d3ef20bcebd6e4) +(cherry picked from commit e936e005898e18caa628b5b61d7589c2bbc461cb) +--- + src/tests/Makefile.am | 4 ++-- + src/tests/integration/networkmanager.at | 1 + + src/tests/integration/rhbz1928860.at | 26 +++++++++++++++++++++++++ + 3 files changed, 29 insertions(+), 2 deletions(-) + create mode 100644 src/tests/integration/rhbz1928860.at + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index b7556b30ecc8..e936454faf6a 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -71,7 +71,7 @@ check-container-fedora-rawhide-image: check-container-%-image: + iptables iptables-nft libtool libxml2 libxslt make nftables \ + python3-nftables python3-slip-dbus python3-gobject-base \ + diffutils procps-ng iproute which dbus-daemon \ +- NetworkManager" && \ ++ NetworkManager NetworkManager-ovs" && \ + echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \ + echo "COPY . /tmp/firewalld"; \ + } | $(PODMAN) build -t firewalld-testsuite-$* -f - . ) +@@ -86,7 +86,7 @@ check-container-centos8-stream-image: check-container-%-image: + iptables iptables-ebtables nftables libtool libxml2 \ + libxslt make nftables python3-nftables python3-slip-dbus \ + python3-gobject-base diffutils procps-ng iproute which dbus-daemon \ +- NetworkManager" && \ ++ NetworkManager NetworkManager-ovs" && \ + echo "COPY . /tmp/firewalld"; \ + } | $(PODMAN) build -t firewalld-testsuite-$* -f - . 
) + +diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at +index 08cf6d28451a..0b20adce0462 100644 +--- a/src/tests/integration/networkmanager.at ++++ b/src/tests/integration/networkmanager.at +@@ -1,2 +1,3 @@ + AT_BANNER([NetworkManager (FIREWALL_BACKEND)]) + m4_include([integration/rhbz1773809.at]) ++m4_include([integration/rhbz1928860.at]) +diff --git a/src/tests/integration/rhbz1928860.at b/src/tests/integration/rhbz1928860.at +new file mode 100644 +index 000000000000..8ef2a1dcbd01 +--- /dev/null ++++ b/src/tests/integration/rhbz1928860.at +@@ -0,0 +1,26 @@ ++FWD_START_TEST([reload don't consider non IP capable interfaces]) ++AT_KEYWORDS(reload rhbz1928860) ++ ++START_NETWORKMANAGER ++ ++dnl OVS bridge and port ++NMCLI_CHECK([connection add type ovs-bridge conn.interface ovs-br con-name ovs-br], 0, [ignore]) ++NMCLI_CHECK([connection add type ovs-port conn.interface ovs-interface-port master ovs-br con-name ovs-interface-port], 0, [ignore]) ++echo NS_CMD([nmcli connection delete ovs-br]) >> ./cleanup ++echo NS_CMD([nmcli connection delete ovs-interface-port]) >> ./cleanup ++ ++dnl Up them ++NMCLI_CHECK([connection up ovs-br], 0, [ignore]) ++NMCLI_CHECK([connection up ovs-interface-port], 0, [ignore]) ++ ++dnl Omit the actual linux interface because it requires the OVS daemon to be ++dnl running. The bug is reproducible without it. ++dnl ++dnl NMCLI_CHECK([connection add type ovs-interface slave-type ovs-port conn.interface ovs-br master ovs-interface-port con-name ovs-interface ipv4.method disabled ipv6.method disabled], 0, [ignore]) ++dnl echo NS_CMD([nmcli connection delete ovs-interface]) >> ./cleanup ++dnl NMCLI_CHECK([connection up ovs-interface], 0, [ignore]) ++ ++dnl just need to verify reload ++FWD_RELOAD ++ ++FWD_END_TEST +-- +2.27.0 + 
diff --git a/0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch b/0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch new file mode 100644 index 0000000..faa8d8e --- /dev/null +++ b/0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch @@ -0,0 +1,36 @@ +From 6e97c635d2bfe9ef73f72aa165443cfcefc6c82c Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 17 May 2021 15:43:13 -0400 +Subject: [PATCH 29/30] docs(conf): note that IPv6_rpfilter has a performance + penalty + +Fixes: rhbz 1871860 +(cherry picked from commit aad59154e16f669bf85e9894e7e0e19061d370d4) +(cherry picked from commit 5391c26d3e730f283d1f00f7ac1869aeb2251837) +--- + doc/xml/firewalld.conf.xml | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index c21ef87813bc..0bf4c2d4d011 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -114,6 +114,15 @@ + If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped. + For IPv4 the rp_filter is controlled using sysctl. + ++ ++ Note: This feature has a performance ++ impact. In most cases the impact is not enough to cause a noticeable ++ difference. It requires route lookups and its execution occurs before ++ the established connections fast path. As such it can have a ++ significant performance impact if there is a lot of traffic. It's ++ enabled by default for security, but can be disabled if performance is ++ a concern. ++ + + + +-- +2.27.0 + diff --git a/0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch b/0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch new file mode 100644 index 0000000..0dcb24d --- /dev/null +++ b/0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch 
@@ -0,0 +1,28 @@ +From 60e4181ca9ac8dbd1acb6baf85b42b0666aa56b7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 19 May 2021 12:52:52 -0400 +Subject: [PATCH 30/30] improvement(conf): note that IPv6_rpfilter has a + performance penalty + +(cherry picked from commit cf8e0df944322f1ad283946c64bf7f933c25340d) +(cherry picked from commit 1a8bb7e5dcee3bcd691219104427daf39ead1f82) +--- + config/firewalld.conf | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index f791b2358ab8..a0556c0bbf5b 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -23,6 +23,8 @@ Lockdown=no + # packet would be sent via the same interface that the packet arrived on, the + # packet will match and be accepted, otherwise dropped. + # The rp_filter for IPv4 is controlled using sysctl. ++# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5) ++# for details. + # Default: yes + IPv6_rpfilter=yes + +-- +2.27.0 + diff --git a/0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch b/0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch new file mode 100644 index 0000000..787f4a4 --- /dev/null +++ b/0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch 
@@ -0,0 +1,28 @@ +From 8d8ec4530dea1a74254c6cc14ece4fa14f7f94fe Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 3 Jun 2021 12:00:06 -0400 +Subject: [PATCH 31/36] test(functions): FWD_GREP_LOG: allow checking error + code + +(cherry picked from commit 748bcaee9a1d1151cf0e4bc9229f7b46774332ae) +(cherry picked from commit 69c6a91ca507bdf0e18784ce06d3d872a1c2e5ab) +--- + src/tests/functions.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 54afcf14585a..4b298644d7e4 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -328,7 +328,7 @@ m4_define([FWD_CHECK], [ + ]) + + m4_define([FWD_GREP_LOG], [ +- AT_CHECK([grep "$1" ./firewalld.log], 0, [ignore], [ignore]) ++ AT_CHECK([grep "$1" ./firewalld.log], $2, [ignore], [ignore]) + ]) + + m4_define([TRIM], [[sed -e 's/^[ \t]*//' -e 's/[ \t]*$//']]) +-- +2.27.0 + diff --git a/0032-test-functions-improve-checking-firewalld.log-for-er.patch b/0032-test-functions-improve-checking-firewalld.log-for-er.patch new file mode 100644 index 0000000..c68de27 --- /dev/null +++ b/0032-test-functions-improve-checking-firewalld.log-for-er.patch 
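Review bot: `AT_CHECK([grep "$1" ./firewalld.log], $2, [ignore], [ignore])` now passes `$2` straight through as the expected status, so the existing single-argument callers (e.g. `FWD_GREP_LOG([WARNING: ...])` later in this series) depend on autotest treating an empty status as 0. That appears to hold, but it is an implicit default; `m4_default([$2], [0])` in that position states the intent and keeps the macro self-documenting. The macro is fully visible in the hunk.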
@@ -0,0 +1,41 @@ +From fd61eebac7618b1f9051497904d4392ac9b6f53b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 3 Jun 2021 12:12:03 -0400 +Subject: [PATCH 32/36] test(functions): improve checking firewalld.log for + errors + +Don't delete the errors/warnings from the log. Use sed/grep in a pipe +instead. + +(cherry picked from commit 23dc028083dbdbd291f022ab60bad0462e23d48e) +(cherry picked from commit 1bafb54763926f49f930038fb6ecd9ab3e05c796) +--- + src/tests/functions.at | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 4b298644d7e4..03795bc3c132 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -255,14 +255,11 @@ m4_define([FWD_START_TEST], [ + + m4_define([FWD_END_TEST], [ + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ +- IF_HOST_SUPPORTS_IP6TABLES([], [ +- sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log +- ]) + if test x"$1" != x"ignore"; then +- if test -n "$1"; then +- sed -i $1 ./firewalld.log +- fi +- AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]]) ++ AT_FAIL_IF([cat ./firewalld.log | dnl ++ sed "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" | dnl ++ m4_ifnblank([$1], [sed $1 |]) dnl ++ [grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)']]) + fi + m4_undefine([CURRENT_DBUS_ADDRESS]) + m4_undefine([CURRENT_TEST_NS]) +-- +2.27.0 + diff --git a/0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch b/0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch new file mode 100644 index 0000000..341cdf1 --- /dev/null +++ b/0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch 
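Review bot: The retained filter `sed "/WARNING: ip6tables not usable, disabling IPv6 firewall/d"` in the rebuilt `AT_FAIL_IF` pipeline matches a message that fw.py no longer logs once patch 0019 in this series lands (`_check_tables` now logs `ip6tables is not usable.` at info1), so the sed is dead and the `IF_HOST_SUPPORTS_IP6TABLES` gate it replaces was arguably the more honest condition. Either drop the sed or update it to the new text so it keeps documenting which host-dependent warning is tolerated. Minor: `cat ./firewalld.log | sed ...` can be `sed ... ./firewalld.log`. The `FWD_END_TEST` definition continues past the hunk.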
@@ -0,0 +1,46 @@
+From a79321b79b0543cff0c99702c1ab9eeaab8bfe06 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 3 Jun 2021 11:42:58 -0400
+Subject: [PATCH 33/36] fix(policy): warn instead of error for overlapping
+ ports
+
+Fixes: rhbz 1914935
+(cherry picked from commit b71e532bc21fb6a06345b5ecfeb60683c7a194e9)
+(cherry picked from commit 66ca4b0fd9588d60d31998ad792f04962053aaab)
+---
+ src/firewall/core/fw_policy.py | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_policy.py b/src/firewall/core/fw_policy.py
+index 3f5dab808ff0..79a52d8d97c0 100644
+--- a/src/firewall/core/fw_policy.py
++++ b/src/firewall/core/fw_policy.py
+@@ -98,11 +98,23 @@ class FirewallPolicy(object):
+ for args in obj.services:
+ self.add_service(policy, args)
+ for args in obj.ports:
+- self.add_port(policy, *args)
++ try:
++ self.add_port(policy, *args)
++ except FirewallError as error:
++ if error.code in [errors.ALREADY_ENABLED]:
++ log.warning(error)
++ else:
++ raise error
+ for args in obj.protocols:
+ self.add_protocol(policy, args)
+ for args in obj.source_ports:
+- self.add_source_port(policy, *args)
++ try:
++ self.add_source_port(policy, *args)
++ except FirewallError as error:
++ if error.code in [errors.ALREADY_ENABLED]:
++ log.warning(error)
++ else:
++ raise error
+ for args in obj.rules:
+ self.add_rule(policy, args)
+ if obj.masquerade:
+--
+2.27.0
+
diff --git a/0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch b/0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch
new file mode 100644
index 0000000..83c1d99
--- /dev/null
+++ b/0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch
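Review bot: The two seven-line try/except blocks around `add_port` and `add_source_port` are identical copies, and both use `raise error` inside the handler, which on Python 2 re-raises with a truncated traceback where a bare `raise` would keep the original one. A small private helper removes the duplication and makes the one deliberate downgrade (ALREADY_ENABLED becomes a warning so that an overlapping port does not abort loading of the whole zone/policy) visible in a single place; `error.code in [errors.ALREADY_ENABLED]` is just `error.code == errors.ALREADY_ENABLED`. The hunk does not show the imports of fw_policy.py, so confirm `FirewallError`, `errors` and `log` are already in scope there. The enclosing method begins outside the hunk.
```python
    def _add_or_warn_if_already_enabled(self, add_fn, policy, args):
        """Call add_fn(policy, *args); downgrade ALREADY_ENABLED to a warning so an overlapping
        port/source-port entry does not abort loading the rest of the object."""
        try:
            add_fn(policy, *args)
        except FirewallError as error:
            if error.code != errors.ALREADY_ENABLED:
                raise
            log.warning(error)

    # … unchanged: start of the apply loop (services) …
            for args in obj.ports:
                self._add_or_warn_if_already_enabled(self.add_port, policy, args)
    # … unchanged: protocols …
            for args in obj.source_ports:
                self._add_or_warn_if_already_enabled(self.add_source_port, policy, args)
    # … unchanged: rules, masquerade …
```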
@@ -0,0 +1,99 @@
+From 7c1e62b4933f2b110dcedc411b4381c00abe799f Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 3 Jun 2021 11:27:11 -0400
+Subject: [PATCH 34/36] test(zone): verify overlapping ports don't halt zone
+ loading
+
+We can warn about the overlapping ports, but don't completely error out.
+
+Coverage: rhbz 1914935
+(cherry picked from commit 012a87a343673c7699f48fa6af973c890be08671)
+(cherry picked from commit 50e4c979283eee83bf0c707184cd0ca9bf112e85)
+---
+ src/tests/regression/regression.at | 1 +
+ src/tests/regression/rhbz1914935.at | 64 +++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1914935.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 2a5ad9ef995a..aadd948a459f 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -41,3 +41,4 @@ m4_include([regression/gh703.at])
+ m4_include([regression/ipset_netmask_allowed.at])
+ m4_include([regression/rhbz1940928.at])
+ m4_include([regression/rhbz1936896.at])
++m4_include([regression/rhbz1914935.at])
+diff --git a/src/tests/regression/rhbz1914935.at b/src/tests/regression/rhbz1914935.at
+new file mode 100644
+index 000000000000..5b110ea4cf4d
+--- /dev/null
++++ b/src/tests/regression/rhbz1914935.at
+@@ -0,0 +1,64 @@
++FWD_START_TEST([zone overlapping ports])
++AT_KEYWORDS(zone port rhbz1914935)
++
++AT_CHECK([mkdir -p ./zones])
++
++AT_DATA([./zones/foobar.xml], [dnl
++
++
++
++
++
++
++])
++FWD_RELOAD
++FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
++FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
++FWD_CHECK([--zone foobar --list-ports], 0, [dnl
++1024-65535/tcp
++])
++
++AT_DATA([./zones/foobar.xml], [dnl
++
++
++
++
++
++
++])
++FWD_RELOAD
++FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
++FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
++FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
++1024-65535/tcp
++])
++
++dnl this one partially overlaps so it should not throw a warning.
++AT_DATA([./zones/foobar.xml], [dnl
++
++
++
++
++
++])
++FWD_RELOAD
++FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
++FWD_CHECK([--zone foobar --list-ports], 0, [dnl
++1024-2500/tcp
++])
++
++dnl this one partially overlaps so it should not throw a warning.
++AT_DATA([./zones/foobar.xml], [dnl
++
++
++
++
++
++])
++FWD_RELOAD
++FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
++FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
++1024-2500/tcp
++])
++
++FWD_END_TEST([-e '/WARNING: ALREADY_ENABLED:/d'])
+--
+2.27.0
+
diff --git a/0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch b/0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch
new file mode 100644
index 0000000..6b2607d
--- /dev/null
+++ b/0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch
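Review bot: The two negative checks `FWD_GREP_LOG([... '1500-2500:tcp' ...], 1)` only prove absence because the string differs from the `'1234:tcp'`/`'2000-3000:tcp'` warnings that the earlier reloads in the same test already wrote; if firewalld.log is not truncated between `FWD_RELOAD` calls (it does not appear to be here), a future edit that reuses a port range from an earlier step would turn the negative check into a false failure, or a reordering could hide a real warning. A one-line `dnl` above the partial-overlap cases would make that dependency explicit, e.g. `dnl the log accumulates across reloads: these negative checks rely on the port strings differing from the earlier overlapping ones`. The zone XML fixtures have been stripped in this rendering, so their content could not be reviewed.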
@@ -0,0 +1,74 @@
+From 78060c945be591b4fe8a1b0d3f206585d3948676 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 2 Jul 2021 11:19:18 -0400
+Subject: [PATCH 37/50] docs(firewall-*cmd): client conntrack helpers must use
+ a policy
+
+Fixes: rhbz 1899933
+Fixes: rhbz 1975484
+(cherry picked from commit adb4ccd88e6c1fd460c9c674d89fdf89299c3970)
+(cherry picked from commit 8cd0da7032080ada6b80b7f97faec6a30a8d45f5)
+---
+ doc/xml/firewall-cmd.xml.in | 17 +++++++++++++++++
+ doc/xml/firewall-offline-cmd.xml | 17 +++++++++++++++++
+ 2 files changed, 34 insertions(+)
+
+diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
+index 691117f3dbff..8cd67e388ef5 100644
+--- a/doc/xml/firewall-cmd.xml.in
++++ b/doc/xml/firewall-cmd.xml.in
+@@ -634,6 +634,23 @@
+
+ The option is not combinable with the option.
+
++
++ Note: Some services define connection tracking helpers.
++ Helpers that may operate in client mode (e.g. tftp) must be added to an
++ outbound policy instead of a zone to take effect for clients. Otherwise
++ the helper will not be applied to the outbound traffic. The related
++ traffic, as defined by the connection tracking helper, on the return
++ path (ingress) will be allowed by the stateful firewall rules.
++
++
++ An example of an outbound policy for connection tracking helpers:
++
++# firewall-cmd --permanent --new-policy clientConntrack
++# firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
++# firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
++# firewall-cmd --permanent --policy clientConntrack --add-service tftp
++
++
+
+
+
+diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
+index 92ec55be4623..8e2dd7989956 100644
+--- a/doc/xml/firewall-offline-cmd.xml
++++ b/doc/xml/firewall-offline-cmd.xml
+@@ -722,6 +722,23 @@
+
+ The service is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services.
+
++
++ Note: Some services define connection tracking helpers.
++ Helpers that may operate in client mode (e.g. tftp) must be added to an
++ outbound policy instead of a zone to take effect for clients. Otherwise
++ the helper will not be applied to the outbound traffic. The related
++ traffic, as defined by the connection tracking helper, on the return
++ path (ingress) will be allowed by the stateful firewall rules.
++
++
++ An example of an outbound policy for connection tracking helpers:
++
++# firewall-cmd --new-policy clientConntrack
++# firewall-cmd --policy clientConntrack --add-ingress-zone HOST
++# firewall-cmd --policy clientConntrack --add-egress-zone ANY
++# firewall-cmd --policy clientConntrack --add-service tftp
++
++
+
+
+
+--
+2.27.0
+
diff --git a/0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch b/0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch
new file mode 100644
index 0000000..f6c5b0b
--- /dev/null
+++ b/0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch
@@ -0,0 +1,29 @@
+From de28755c4e14224f6303c864327fffe7d2639268 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 13 Sep 2021 15:45:53 -0400
+Subject: [PATCH 38/50] fix(nftables): do not log icmp block if inversion
+
+Fixes: #696
+Fixes: rhbz1945833
+(cherry picked from commit 50a5ed2d0fa6169c6780488dae931a3b4fce47ab)
+(cherry picked from commit a451b033200b289c6fac823f7dce23c37a38a3d1)
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index e3ae988bbdab..29a9a2492032 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1601,7 +1601,7 @@ class nftables(object):
+ rule.update(self._rich_rule_priority_fragment(rich_rule))
+ rules.append({add_del: {"rule": rule}})
+ else:
+- if self._fw.get_log_denied() != "off" and self._fw.policy.query_icmp_block_inversion(policy):
++ if self._fw.get_log_denied() != "off" and not self._fw.policy.query_icmp_block_inversion(policy):
+ rules.append({add_del: {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": final_chain,
+--
+2.27.0
+
diff --git a/0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch b/0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch
new file mode 100644
index 0000000..bcc8fe3
--- /dev/null
+++ b/0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch
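Review bot: The corrected condition reads as an arbitrary negation unless the reader knows what inversion does, so a why-comment above the `if` would prevent the next person from "fixing" it back: `# with icmp-block-inversion the listed ICMP types are accepted (see the allow-chain rules), so there is no denied packet to log`. This patch only touches nftables.py, yet the companion test in 0039 also asserts that no LOG rule appears under iptables/ip6tables when inversion is enabled; if the iptables backend has an equivalent `get_log_denied` branch it is not changed here, so either it was already correct or that expectation is untested there — worth confirming. The enclosing method starts and ends outside the hunk.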
@@ -0,0 +1,135 @@
+From b2075eb46f1798ba897ca443ea14872b17267d69 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 13 Sep 2021 14:54:42 -0400
+Subject: [PATCH 39/50] test(icmp): don't log blocked if ICMP inversion
+
+Coverage: #696
+Coverage: rhbz1945833
+(cherry picked from commit b7d9a74731f9c5a1a6faf0f2959adcc315d2ca16)
+(cherry picked from commit d45c614967cec6a608c93c1e8531089d7b1150bb)
+---
+ src/tests/regression/gh696.at | 102 +++++++++++++++++++++++++++++
+ src/tests/regression/regression.at | 1 +
+ 2 files changed, 103 insertions(+)
+ create mode 100644 src/tests/regression/gh696.at
+
+diff --git a/src/tests/regression/gh696.at b/src/tests/regression/gh696.at
+new file mode 100644
+index 000000000000..19b8d485a0a5
+--- /dev/null
++++ b/src/tests/regression/gh696.at
+@@ -0,0 +1,102 @@
++FWD_START_TEST([icmp-block-inversion no log blocked])
++AT_KEYWORDS(icmp gh696 rhbz1945833)
++
++FWD_CHECK([--permanent --zone public --remove-icmp-block-inversion], 0, [ignore], [ignore])
++FWD_CHECK([--permanent --zone public --add-icmp-block echo-request], 0, [ignore])
++FWD_RELOAD()
++
++NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
++ table inet firewalld {
++ chain filter_IN_public_deny {
++ icmp type echo-request reject with icmpx type admin-prohibited
++ icmpv6 type echo-request reject with icmpx type admin-prohibited
++ }
++ }
++])
++
++IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
++ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
++])
++IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
++ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
++])
++
++dnl since inversion is disabled we should get logs when the ICMP is blocked.
++FWD_CHECK([--set-log-denied all], 0, [ignore])
++
++NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
++ table inet firewalld {
++ chain filter_IN_public_deny {
++ icmp type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""
++ icmp type echo-request reject with icmpx type admin-prohibited
++ icmpv6 type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""
++ icmpv6 type echo-request reject with icmpx type admin-prohibited
++ }
++ }
++])
++
++IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
++ LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "
++ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
++])
++IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
++ LOG icmpv6 ::/0 ::/0 ipv6-icmptype 128 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "
++ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
++])
++
++dnl ########################################
++dnl ########################################
++dnl Same as above, but with icmp block inversion.
++dnl ########################################
++dnl ########################################
++
++FWD_CHECK([--permanent --zone public --add-icmp-block-inversion], 0, [ignore])
++FWD_CHECK([--set-log-denied off], 0, [ignore])
++
++NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
++ table inet firewalld {
++ chain filter_IN_public_allow {
++ tcp dport 22 ct state new,untracked accept
++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
++ icmp type echo-request accept
++ icmpv6 type echo-request accept
++ }
++ }
++])
++
++IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
++])
++IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
++ ACCEPT icm
pv6 ::/0 ::/0 ipv6-icmptype 128
++])
++
++dnl since inversion is enabled, it should be the same whether set-log-denied is
++dnl enabled or not.
++FWD_CHECK([--set-log-denied all], 0, [ignore])
++
++NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
++ table inet firewalld {
++ chain filter_IN_public_allow {
++ tcp dport 22 ct state new,untracked accept
++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
++ icmp type echo-request accept
++ icmpv6 type echo-request accept
++ }
++ }
++])
++
++IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
++])
++IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
++])
++
++FWD_END_TEST([-d '/WARNING: NOT_ENABLED: icmp-block-inversion/d'])
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index aadd948a459f..ba41a56b29b5 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -42,3 +42,4 @@ m4_include([regression/ipset_netmask_allowed.at])
+ m4_include([regression/rhbz1940928.at])
+ m4_include([regression/rhbz1936896.at])
+ m4_include([regression/rhbz1914935.at])
++m4_include([regression/gh696.at])
+--
+2.27.0
+
diff --git a/0040-fix-nftables-rich-source-address-with-netmask.patch b/0040-fix-nftables-rich-source-address-with-netmask.patch
new file mode 100644
index 0000000..740dcf0
--- /dev/null
+++ b/0040-fix-nftables-rich-source-address-with-netmask.patch
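Review bot: `FWD_END_TEST([-d '/WARNING: NOT_ENABLED: icmp-block-inversion/d'])` passes `-d` where the other tests in this series pass `-e` (compare rhbz1914935.at in 0034); GNU sed has no `-d` short option, so inside the 0032 pipeline `sed -d ...` exits with a usage error. Because `AT_FAIL_IF` observes only grep's status, grep then reads an empty stream, returns 1, and the final ERROR/WARNING scan of firewalld.log passes no matter what the daemon logged — the test's log check is effectively disabled. The fix is the one-character change `FWD_END_TEST([-e '/WARNING: NOT_ENABLED: icmp-block-inversion/d'])`; it is worth re-running the test afterwards, since any other warning emitted during the inversion toggles has been hidden so far.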
@@ -0,0 +1,38 @@
+From 12fd98893d190df9581d04155fa9207d2adb5573 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Sep 2021 14:12:37 -0400
+Subject: [PATCH 40/50] fix(nftables): rich: source address with netmask
+
+Fixes: rhbz1917766
+(cherry picked from commit 3809fef17dc779052a3f050041fe90e3599f35be)
+(cherry picked from commit 32d5eb8d94a2b39a4dda10fec351ad6fbab7d486)
+---
+ src/firewall/core/nftables.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 29a9a2492032..059cd8869dbb 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -22,6 +22,7 @@ from __future__ import absolute_import
+
+ import copy
+ import json
++import ipaddress
+
+ from firewall.core.logger import log
+ from firewall.functions import check_mac, getPortRange, normalizeIP6, \
+@@ -1213,8 +1214,8 @@ class nftables(object):
+ family = "ip"
+ elif check_address("ipv4", address):
+ family = "ip"
+- addr_len = address.split("/")
+- address = {"prefix": {"addr": addr_len[0], "len": int(addr_len[1])}}
++ normalized_address = ipaddress.IPv4Network(address, strict=False)
++ address = {"prefix": {"addr": normalized_address.network_address.compressed, "len": normalized_address.prefixlen}}
+ elif check_single_address("ipv6", address):
+ family = "ip6"
+ address = normalizeIP6(address)
+--
+2.27.0
+
diff --git a/0041-test-rich-source-address-with-netmask.patch b/0041-test-rich-source-address-with-netmask.patch
new file mode 100644
index 0000000..51f4366
--- /dev/null
+++ b/0041-test-rich-source-address-with-netmask.patch
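Review bot: `strict=False` silently masks off host bits, so a rich rule written as `source address="192.168.1.1/255.255.255.0"` (the very form 0042 adds to the CLI test) is emitted as the prefix `192.168.1.0/24` and matches the whole network; before this change `int("255.255.255.0")` raised, so what used to be an error is now a wider match with no log line. That is probably intended for dotted-netmask input, but it deserves a why-comment on the `IPv4Network` line, e.g. `# strict=False: "a.b.c.d/N" and "a.b.c.d/m.m.m.m" both become the containing network prefix; host bits are discarded`, and possibly a `log.warning` when `normalized_address.network_address` differs from the address the user typed. The file still carries `from __future__ import absolute_import`; if Python 2 is a supported interpreter for this branch, `ipaddress` is not in its standard library and would need a packaged backport. The enclosing method starts and ends outside the hunk.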
@@ -0,0 +1,56 @@
+From 0be3d6ba5d6a1cb17c965a5454cc156fbb2ac867 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Sep 2021 13:47:01 -0400
+Subject: [PATCH 41/50] test(rich): source address with netmask
+
+Coverage: rhbz1917766
+(cherry picked from commit 9e9f94061b129e22e8c6fc2f8985d782bfe09689)
+(cherry picked from commit 498c6b221ebbca09401ae5f98498c6a148ae602f)
+---
+ src/tests/regression/regression.at | 1 +
+ src/tests/regression/rhbz1917766.at | 24 ++++++++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1917766.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index ba41a56b29b5..f9d42d6e2765 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -43,3 +43,4 @@ m4_include([regression/rhbz1940928.at])
+ m4_include([regression/rhbz1936896.at])
+ m4_include([regression/rhbz1914935.at])
+ m4_include([regression/gh696.at])
++m4_include([regression/rhbz1917766.at])
+diff --git a/src/tests/regression/rhbz1917766.at b/src/tests/regression/rhbz1917766.at
+new file mode 100644
+index 000000000000..b25d0a2f9740
+--- /dev/null
++++ b/src/tests/regression/rhbz1917766.at
+@@ -0,0 +1,24 @@
++FWD_START_TEST([rich rule source with netmask])
++AT_KEYWORDS(rich rhbz1917766)
++
++dnl Note: IPv6 only supports CIDR notation. It does not support address/netmask
++dnl notation.
++
++FWD_CHECK([ --zone public --add-rich-rule='rule family=ipv4 source address="192.168.1.0/255.255.255.0" accept'], 0, [ignore])
++FWD_CHECK([--permanent --zone public --add-rich-rule='rule family=ipv4 source address="192.168.1.0/255.255.255.0" accept'], 0, [ignore])
++
++AT_DATA([./zones/foobar.xml], [dnl
++
++
++ foobar
++ foobar
++
++
++
++
++
++])
++FWD_RELOAD()
++FWD_CHECK([--zone foobar --add-interface foobar0], 0, [ignore])
++
++FWD_END_TEST()
+--
+2.27.0
+
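Review bot: The test only asserts that the two `--add-rich-rule` calls and the reload exit 0 with output ignored; it never lists the generated rule, so it would still pass if the dotted netmask were translated to the wrong prefix or dropped entirely. An `NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [...])` after the runtime add, expecting a rule along the lines of `ip saddr 192.168.1.0/24 accept` (exact nft rendering to be confirmed against a live run), plus the matching `IPTABLES_LIST_RULES`, would pin the normalisation that 0040 introduces. The zone XML fixture has been stripped in this rendering, so its content could not be reviewed.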
diff --git a/0042-test-zone-source-with-netmask.patch b/0042-test-zone-source-with-netmask.patch
new file mode 100644
index 0000000..b63d66e
--- /dev/null
+++ b/0042-test-zone-source-with-netmask.patch
@@ -0,0 +1,26 @@
+From 8ef0683614704039f1dc7bfe22ace159f9961f15 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Sep 2021 14:38:28 -0400
+Subject: [PATCH 42/50] test(zone): source with netmask
+
+(cherry picked from commit e635bdffa630c827ff0ed2fc2bb201d560631be0)
+(cherry picked from commit 818f39d4c3b029b12e744505cfe35b0b47bed7db)
+---
+ src/tests/cli/firewall-cmd.at | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
+index 450737776a9f..f36f634853fa 100644
+--- a/src/tests/cli/firewall-cmd.at
++++ b/src/tests/cli/firewall-cmd.at
+@@ -214,6 +214,7 @@ sources: $1
+
+ check_zone_source([1.2.3.4])
+ check_zone_source([192.168.1.0/24])
++ check_zone_source([192.168.1.1/255.255.255.0])
+ IF_HOST_SUPPORTS_IPV6_RULES([
+ check_zone_source([3ffe:501:ffff::/64])
+ check_zone_source([dead:beef::babe])
+--
+2.27.0
+
diff --git a/0043-fix-fw_config-zone-on-rename-remove-then-add.patch b/0043-fix-fw_config-zone-on-rename-remove-then-add.patch
new file mode 100644
index 0000000..2c597fd
--- /dev/null
+++ b/0043-fix-fw_config-zone-on-rename-remove-then-add.patch
@@ -0,0 +1,43 @@
+From b2c9302e8a4ad1ab7535a557b2f9c9aa49b49629 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 27 Oct 2021 11:09:39 -0400
+Subject: [PATCH 43/50] fix(fw_config): zone: on rename remove then add
+
+Remove the old object before creating the new one. This avoids issues
+such as conflicting configuration in the objects that check_config() may
+trip over.
+
+(cherry picked from commit 3aec1dfe449d0bcb52884341770e4def0de27f56)
+(cherry picked from commit a58b45d8ee3221309ec0c6f919c266b5cfc6f89a)
+---
+ src/firewall/core/fw_config.py | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/fw_config.py b/src/firewall/core/fw_config.py
+index 148ce1b4e32c..a97d0b23a6ac 100644
+--- a/src/firewall/core/fw_config.py
++++ b/src/firewall/core/fw_config.py
+@@ -984,13 +984,16 @@ class FirewallConfig(object):
+
+ def rename_zone(self, obj, name):
+ self.check_builtin_zone(obj)
+- new_zone = self._copy_zone(obj, name)
++ obj_conf = obj.export_config_dict()
+ self._remove_zone(obj)
++ try:
++ new_zone = self.new_zone_dict(name, obj_conf)
++ except:
++ # re-add original if rename failed
++ self.new_zone_dict(obj.name, obj_conf)
++ raise
+ return new_zone
+
+- def _copy_zone(self, obj, name):
+- return self.new_zone_dict(name, obj.export_config_dict())
+-
+ # policy objects
+
+ def get_policy_objects(self):
+--
+2.27.0
+
diff --git a/0044-fix-io-functions-check_config-against-on-disk-conf.patch b/0044-fix-io-functions-check_config-against-on-disk-conf.patch
new file mode 100644
index 0000000..39bce67
--- /dev/null
+++ b/0044-fix-io-functions-check_config-against-on-disk-conf.patch
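Review bot: The bare `except:` in `rename_zone` also catches `KeyboardInterrupt` and `SystemExit`, and if the compensating `self.new_zone_dict(obj.name, obj_conf)` itself raises, the rollback error replaces the original failure as the exception the caller sees; `except Exception:` plus a comment on the intent is the minimal fix: `except Exception:  # roll back: the old object was already removed above`. The rollback also assumes `obj.name` and `obj_conf` are still valid after `_remove_zone(obj)` — true if `_remove_zone` only drops the object from the config's maps and unlinks its file, but worth confirming since a failed rollback would leave the zone absent from both runtime and disk. `_copy_zone` is deleted; confirm nothing else in fw_config.py (outside this hunk) still calls it.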
@@ -0,0 +1,98 @@
+From 0e28840f5c3362d032f2f805cbbe6fbbaa217437 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 27 Oct 2021 13:58:27 -0400
+Subject: [PATCH 44/50] fix(io/functions): check_config against on disk conf
+
+Before this change the runtime FirewallConfig() instance was used. This
+caused some permanent configuration issues to not be caught due to
+comparing against the runtime instances of all objects.
+
+For example, two zones in permanent configuration may use the same
+interface (which is not valid), but if the runtime configuration does
+not have have these interface assignments then check_config() won't
+catch the issue since it compares against the runtime configuration.
+
+Fix is to build a temporary FirewallConfig() instance for all the
+on-disk/permanent configuration.
+
+(cherry picked from commit 35d4facc8962cd1b66bc245fe03f658d491e1061)
+(cherry picked from commit 55a799e872dc88b1341a6bc38af33e77dfedb72f)
+---
+ src/firewall/core/io/functions.py | 47 ++++++++++++++++++++++---------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py
+index 0c7b1886426c..35a7eaf8dec8 100644
+--- a/src/firewall/core/io/functions.py
++++ b/src/firewall/core/io/functions.py
+@@ -24,6 +24,7 @@ import os
+ from firewall import config
+ from firewall.errors import FirewallError
+
++from firewall.core.fw_config import FirewallConfig
+ from firewall.core.io.zone import zone_reader
+ from firewall.core.io.service import service_reader
+ from firewall.core.io.ipset import ipset_reader
+@@ -34,26 +35,46 @@ from firewall.core.io.direct import Direct
+ from firewall.core.io.lockdown_whitelist import LockdownWhitelist
+ from firewall.core.io.firewalld_conf import firewalld_conf
+
+-def check_config(fw=None):
++def check_config(fw):
++ fw_config = FirewallConfig(fw)
+ readers = {
+- "ipset" : (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]),
+- "helper" : (helper_reader, [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]),
+- "icmptype" : (icmptype_reader, [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]),
+- "service" : (service_reader, [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES]),
+- "zone" : (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]),
+- "policy" : (policy_reader, [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES]),
++ "ipset": {"reader": ipset_reader,
++ "add": fw_config.add_ipset,
++ "dirs": [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS],
++ },
++ "helper": {"reader": helper_reader,
++ "add": fw_config.add_helper,
++ "dirs": [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS],
++ },
++ "icmptype": {"reader": icmptype_reader,
++ "add": fw_config.add_icmptype,
++ "dirs": [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES],
++ },
++ "service": {"reader": service_reader,
++ "add": fw_config.add_service,
++ "dirs": [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES],
++ },
++ "zone": {"reader": zone_reader,
++ "add": fw_config.add_zone,
++ "dirs": [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES],
++ },
++ "policy": {"reader": policy_reader,
++ "add": fw_config.add_policy_object,
++ "dirs": [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES],
++ },
+ }
+ for reader in readers.keys():
+- for dir in readers[reader][1]:
+- if not os.path.isdir(dir):
++ for _dir in readers[reader]["dirs"]:
++ if not os.path.isdir(_dir):
+ continue
+- for file in sorted(os.listdir(dir)):
++ for file in sorted(os.listdir(_dir)):
+ if file.endswith(".xml"):
+ try:
+- obj = readers[reader][0](file, dir)
+- if fw and reader in ["zone", "policy"]:
+- obj.fw_config = fw.config
++ obj = readers[reader]["reader"](file, _dir)
++ if reader in ["zone", "policy"]:
++ obj.fw_config = fw_config
+ obj.check_config(obj.export_config())
++ readers[reader]["add"](obj)
+ except FirewallError as error:
+ raise FirewallError(error.code, "'%s': %s" % (file, error.msg))
+ except Exception as msg:
+--
+2.27.0
+
diff --git a/0045-fix-zone-detect-same-source-interface-in-zones.patch b/0045-fix-zone-detect-same-source-interface-in-zones.patch
new file mode 100644
index 0000000..a5542f3
--- /dev/null
+++ b/0045-fix-zone-detect-same-source-interface-in-zones.patch
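Review bot: Every object from both `config.FIREWALLD_*` and `config.ETC_FIREWALLD_*` is now fed to the same temporary `FirewallConfig` through `readers[reader]["add"](obj)`, so a name present in both trees — the ordinary case of a builtin zone or service customised under /etc — is added twice; this is only correct if `add_zone`, `add_service` and friends route builtin and non-builtin objects into separate maps rather than rejecting the second as a duplicate, which the hunk does not show and should be confirmed (the 0046 test only covers two files in one directory). The signature change from `check_config(fw=None)` to `check_config(fw)` turns any caller that relied on the default into a `TypeError`; if such callers exist, keep the default and construct `FirewallConfig(fw)` only when `fw` is given, or document the new requirement in a docstring such as `"""Validate the on-disk configuration by loading every XML object into a scratch FirewallConfig bound to fw; raises FirewallError naming the offending file."""`. Importing `FirewallConfig` at module level in firewall.core.io.functions may create an import cycle if fw_config imports the io modules — a function-local import avoids it if so. The function's final `except Exception as msg:` handler continues outside the hunk.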
@@ -0,0 +1,46 @@
+From 8311259a6e2a6ac475c3d8c9a2df099469bf8277 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 27 Oct 2021 10:13:59 -0400
+Subject: [PATCH 45/50] fix(zone): detect same source/interface in zones
+
+Fixes: rhbz2014383
+(cherry picked from commit 4b721abb087a529596722a045a63a65af2e0566a)
+(cherry picked from commit 081fcfe7b255b2e0f91c4a3dc55539e4cfd4b7d1)
+---
+ src/firewall/core/io/zone.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
+index 3aea94a13155..4291ec9cba00 100644
+--- a/src/firewall/core/io/zone.py
++++ b/src/firewall/core/io/zone.py
+@@ -193,11 +193,26 @@ class Zone(IO_Object):
+ for interface in config:
+ if not checkInterface(interface):
+ raise FirewallError(errors.INVALID_INTERFACE, interface)
++ if self.fw_config:
++ for zone in self.fw_config.get_zones():
++ if zone == self.name:
++ continue
++ if interface in self.fw_config.get_zone(zone).interfaces:
++ raise FirewallError(errors.INVALID_INTERFACE,
++ "interface '{}' already bound to zone '{}'".format(interface, zone))
+ elif item == "sources":
+ for source in config:
+ if not checkIPnMask(source) and not checkIP6nMask(source) and \
+ not check_mac(source) and not source.startswith("ipset:"):
+ raise FirewallError(errors.INVALID_ADDR, source)
++ if self.fw_config:
++ for zone in self.fw_config.get_zones():
++ if zone == self.name:
++ continue
++ if source in self.fw_config.get_zone(zone).sources:
++ raise FirewallError(errors.INVALID_ADDR,
++ "source '{}' already bound to zone '{}'".format(source, zone))
++
+
+ def check_name(self, name):
+ super(Zone, self).check_name(name)
+--
+2.27.0
+
diff --git a/0046-test-zone-detect-same-source-interface-in-zones.patch b/0046-test-zone-detect-same-source-interface-in-zones.patch
new file mode 100644
index 0000000..3ee2c37
--- /dev/null
+++ b/0046-test-zone-detect-same-source-interface-in-zones.patch
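Review bot: The conflict check compares raw strings (`source in self.fw_config.get_zone(zone).sources`), so two zones binding the same network as `192.168.1.0/24` and `192.168.1.0/255.255.255.0` — both accepted by `checkIPnMask`, and the dotted form is exactly what 0040/0042 in this series add support for — or the same MAC in different letter case, are not detected, while the 0046 test only exercises identical strings. Either normalise before comparing (the `ipaddress` approach 0040 uses for IPv4 would serve for both sides) or record the limitation so nobody relies on it: `# NOTE: literal comparison only; equivalent spellings (CIDR vs dotted mask, MAC case) are not detected`. The interface and source loops are the same seven lines twice and would read better as one private helper taking the attribute name and error code; the extra blank line added before `def check_name` is also stray. The enclosing `_check_config` begins outside the hunk.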
@@ -0,0 +1,88 @@
+From 63754e688baba56c7e625b53d39aa7380a754094 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 25 Oct 2021 09:35:51 -0400
+Subject: [PATCH 46/50] test(zone): detect same source/interface in zones
+
+Coverage: rhbz2014383
+(cherry picked from commit 6f68d295ac5edcdb10c062e2fba7b810ce2db58c)
+(cherry picked from commit a15069d5542c2af391266f2da5f4137766d11a57)
+---
+ src/tests/regression/regression.at | 1 +
+ src/tests/regression/rhbz2014383.at | 56 +++++++++++++++++++++++++++++
+ 2 files changed, 57 insertions(+)
+ create mode 100644 src/tests/regression/rhbz2014383.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index f9d42d6e2765..a20b913fbe59 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -44,3 +44,4 @@ m4_include([regression/rhbz1936896.at])
+ m4_include([regression/rhbz1914935.at])
+ m4_include([regression/gh696.at])
+ m4_include([regression/rhbz1917766.at])
++m4_include([regression/rhbz2014383.at])
+diff --git a/src/tests/regression/rhbz2014383.at b/src/tests/regression/rhbz2014383.at
+new file mode 100644
+index 000000000000..f2ef766dc1b2
+--- /dev/null
++++ b/src/tests/regression/rhbz2014383.at
+@@ -0,0 +1,56 @@
++FWD_START_TEST([same source in two zone xml])
++AT_KEYWORDS(zone rhbz2014383)
++
++AT_CHECK([mkdir -p ./zones])
++
++AT_DATA([./zones/foobar.xml], [dnl
++
++
++ foobar
++ foobar
++
++
++
++
++])
++
++AT_DATA([./zones/foobar2.xml], [dnl
++
++
++ foobar2
++ foobar2
++
++
++
++
++])
++
++FWD_CHECK([--check-config], 105, [ignore], [ignore])
++
++dnl Do the same thing, but with interfaces
++
++AT_DATA([./zones/foobar.xml], [dnl
++
++
++ foobar
++ foobar
++
++
++
++
++])
++
++AT_DATA([./zones/foobar2.xml], [dnl
++
++
++ foobar2
++ foobar2
++
++
++
++
++])
++
++FWD_CHECK([--check-config], 104, [ignore], [ignore])
++
++FWD_END_TEST([ignore])
+--
+2.27.0
+
diff --git a/0047-feat-config-add-CleanupModulesOnExit-configuration-o.patch b/0047-feat-config-add-CleanupModulesOnExit-configuration-o.patch
new file mode 100644
index 0000000..fdccfe5
--- /dev/null
+++ b/0047-feat-config-add-CleanupModulesOnExit-configuration-o.patch
@@ -0,0 +1,302 @@ +From fb11903b8efd287f72e634fb8a4b4ff2034151fe Mon Sep 17 00:00:00 2001 +From: Paul Laufer <50234787+refual@users.noreply.github.com> +Date: Fri, 27 Nov 2020 12:23:11 +0100 +Subject: [PATCH 47/48] feat(config): add CleanupModulesOnExit configuration + option + +Fixes: rhbz 1520532 +Fixes: #533 +Closes: #721 +(cherry picked from commit 152a51537a7840afd0879ab4b60178bef4ec16a2) +--- + config/firewalld.conf | 9 +++++++- + doc/xml/firewalld.conf.xml | 11 ++++++++++ + doc/xml/firewalld.dbus.xml | 9 ++++++++ + src/firewall/config/__init__.py.in | 1 + + src/firewall/core/fw.py | 29 +++++++++++++++++++------- + src/firewall/core/io/firewalld_conf.py | 19 +++++++++++++---- + src/firewall/server/config.py | 23 +++++++++++++------- + src/tests/dbus/firewalld.conf.at | 2 ++ + 8 files changed, 82 insertions(+), 21 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index a0556c0bbf5b..3abbc9c998c1 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -7,10 +7,17 @@ DefaultZone=public + + # Clean up on exit + # If set to no or false the firewall configuration will not get cleaned up +-# on exit or stop of firewalld ++# on exit or stop of firewalld. + # Default: yes + CleanupOnExit=yes + ++# Clean up kernel modules on exit ++# If set to yes or true the firewall related kernel modules will be ++# unloaded on exit or stop of firewalld. This might attempt to unload ++# modules not originally loaded by firewalld. ++# Default: no ++CleanupModulesOnExit=no ++ + # Lockdown + # If set to enabled, firewall changes with the D-Bus interface will be limited + # to applications that are listed in the lockdown whitelist. 
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index 0bf4c2d4d011..dd6ffb214eb3 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -88,6 +88,17 @@ + + + ++ ++ ++ ++ ++ Setting this option to yes or true unloads all firewall-related ++ kernel modules when firewalld is stopped. The default value is no ++ or false. ++ ++ ++ ++ + + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index d17cb8b6c1ec..466220b40b21 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2798,6 +2798,15 @@ + + + ++ ++ CleanupModulesOnExit - s - (rw) ++ ++ ++ Setting this option to yes or true unloads all firewall-related ++ kernel modules when firewalld is stopped. ++ ++ ++ + + CleanupOnExit - s - (rw) + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 0dec7913f694..5d6d769fbf15 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -125,6 +125,7 @@ FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ] + FALLBACK_ZONE = "public" + FALLBACK_MINIMAL_MARK = 100 + FALLBACK_CLEANUP_ON_EXIT = True ++FALLBACK_CLEANUP_MODULES_ON_EXIT = False + FALLBACK_LOCKDOWN = False + FALLBACK_IPV6_RPFILTER = True + FALLBACK_INDIVIDUAL_CALLS = False +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 3eb54e37ab5c..4171697bdb94 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -105,12 +105,13 @@ class Firewall(object): + self.__init_vars() + + def __repr__(self): +- return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \ ++ return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \ + (self.__class__, self.ip4tables_enabled, self.ip6tables_enabled, + self.ebtables_enabled, self._state, self._panic, + self._default_zone, self._module_refcount, self._marks, +- self.cleanup_on_exit, self.ipv6_rpfilter_enabled, +- self.ipset_enabled, self._individual_calls, 
self._log_denied) ++ self.cleanup_on_exit, self.cleanup_modules_on_exit, ++ self.ipv6_rpfilter_enabled, self.ipset_enabled, ++ self._individual_calls, self._log_denied) + + def __init_vars(self): + self._state = "INIT" +@@ -120,6 +121,7 @@ class Firewall(object): + self._marks = [ ] + # fallback settings will be overloaded by firewalld.conf + self.cleanup_on_exit = config.FALLBACK_CLEANUP_ON_EXIT ++ self.cleanup_modules_on_exit = config.FALLBACK_CLEANUP_MODULES_ON_EXIT + self.ipv6_rpfilter_enabled = config.FALLBACK_IPV6_RPFILTER + self._individual_calls = config.FALLBACK_INDIVIDUAL_CALLS + self._log_denied = config.FALLBACK_LOG_DENIED +@@ -232,6 +234,13 @@ class Firewall(object): + log.debug1("CleanupOnExit is set to '%s'", + self.cleanup_on_exit) + ++ if self._firewalld_conf.get("CleanupModulesOnExit"): ++ value = self._firewalld_conf.get("CleanupModulesOnExit") ++ if value is not None and value.lower() in [ "yes", "true" ]: ++ self.cleanup_modules_on_exit = True ++ log.debug1("CleanupModulesOnExit is set to '%s'", ++ self.cleanup_modules_on_exit) ++ + if self._firewalld_conf.get("Lockdown"): + value = self._firewalld_conf.get("Lockdown") + if value is not None and value.lower() in [ "yes", "true" ]: +@@ -667,11 +676,15 @@ class Firewall(object): + self.__init_vars() + + def stop(self): +- if self.cleanup_on_exit and not self._offline: +- self.flush() +- self.ipset.flush() +- self.set_policy("ACCEPT") +- self.modules_backend.unload_firewall_modules() ++ if not self._offline: ++ if self.cleanup_on_exit: ++ self.flush() ++ self.ipset.flush() ++ self.set_policy("ACCEPT") ++ ++ if self.cleanup_modules_on_exit: ++ log.debug1('Unloading firewall kernel modules') ++ self.modules_backend.unload_firewall_modules() + + self.cleanup() + +diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py +index 7c7092120676..70258400ef06 100644 +--- a/src/firewall/core/io/firewalld_conf.py ++++ b/src/firewall/core/io/firewalld_conf.py +@@ -28,10 
+28,11 @@ from firewall import config + from firewall.core.logger import log + from firewall.functions import b2u, u2b, PY2 + +-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", +- "IPv6_rpfilter", "IndividualCalls", "LogDenied", +- "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload", +- "RFC3964_IPv4", "AllowZoneDrifting" ] ++valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", ++ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", ++ "IndividualCalls", "LogDenied", "AutomaticHelpers", ++ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", ++ "AllowZoneDrifting" ] + + class firewalld_conf(object): + def __init__(self, filename): +@@ -75,6 +76,7 @@ class firewalld_conf(object): + self.set("DefaultZone", config.FALLBACK_ZONE) + self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) + self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") ++ self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no") + self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") + self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") + self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") +@@ -135,6 +137,15 @@ class firewalld_conf(object): + config.FALLBACK_CLEANUP_ON_EXIT) + self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") + ++ # check module cleanup on exit ++ value = self.get("CleanupModulesOnExit") ++ if not value or value.lower() not in [ "no", "false", "yes", "true" ]: ++ if value is not None: ++ log.warning("CleanupModulesOnExit '%s' is not valid, using default " ++ "value %s", value if value else '', ++ config.FALLBACK_CLEANUP_MODULES_ON_EXIT) ++ self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no") ++ + # check lockdown + value = self.get("Lockdown") + if not value or value.lower() not in [ "yes", "true", "no", "false" ]: +diff --git 
a/src/firewall/server/config.py b/src/firewall/server/config.py +index 031ef5d1afaa..8815920c6893 100644 +--- a/src/firewall/server/config.py ++++ b/src/firewall/server/config.py +@@ -100,6 +100,7 @@ class FirewallDConfig(slip.dbus.service.Object): + dbus_introspection_prepare_properties(self, + config.dbus.DBUS_INTERFACE_CONFIG, + { "CleanupOnExit": "readwrite", ++ "CleanupModulesOnExit": "readwrite", + "IPv6_rpfilter": "readwrite", + "Lockdown": "readwrite", + "MinimalMark": "readwrite", +@@ -554,9 +555,9 @@ class FirewallDConfig(slip.dbus.service.Object): + @dbus_handle_exceptions + def _get_property(self, prop): + if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit", +- "Lockdown", "IPv6_rpfilter", "IndividualCalls", +- "LogDenied", "AutomaticHelpers", "FirewallBackend", +- "FlushAllOnReload", "RFC3964_IPv4", ++ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", ++ "IndividualCalls", "LogDenied", "AutomaticHelpers", ++ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", + "AllowZoneDrifting" ]: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " +@@ -578,6 +579,10 @@ class FirewallDConfig(slip.dbus.service.Object): + if value is None: + value = "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no" + return dbus.String(value) ++ elif prop == "CleanupModulesOnExit": ++ if value is None: ++ value = "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no" ++ return dbus.String(value) + elif prop == "Lockdown": + if value is None: + value = "yes" if config.FALLBACK_LOCKDOWN else "no" +@@ -623,6 +628,8 @@ class FirewallDConfig(slip.dbus.service.Object): + return dbus.Int32(self._get_property(prop)) + elif prop == "CleanupOnExit": + return dbus.String(self._get_property(prop)) ++ elif prop == "CleanupModulesOnExit": ++ return dbus.String(self._get_property(prop)) + elif prop == "Lockdown": + return dbus.String(self._get_property(prop)) + elif prop == "IPv6_rpfilter": +@@ -679,9 +686,9 @@ class 
FirewallDConfig(slip.dbus.service.Object): + ret = { } + if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: + for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", +- "Lockdown", "IPv6_rpfilter", "IndividualCalls", +- "LogDenied", "AutomaticHelpers", "FirewallBackend", +- "FlushAllOnReload", "RFC3964_IPv4", ++ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter", ++ "IndividualCalls", "LogDenied", "AutomaticHelpers", ++ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4", + "AllowZoneDrifting" ]: + ret[x] = self._get_property(x) + elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, +@@ -706,12 +713,12 @@ class FirewallDConfig(slip.dbus.service.Object): + self.accessCheck(sender) + + if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: +- if property_name in [ "CleanupOnExit", "Lockdown", ++ if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit", + "IPv6_rpfilter", "IndividualCalls", + "LogDenied", + "FirewallBackend", "FlushAllOnReload", + "RFC3964_IPv4", "AllowZoneDrifting" ]: +- if property_name in [ "CleanupOnExit", "Lockdown", ++ if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit", + "IPv6_rpfilter", "IndividualCalls" ]: + if new_value.lower() not in [ "yes", "no", + "true", "false" ]: +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 9fc5502a8d0b..9a04a3bd491c 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -17,6 +17,7 @@ dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
+ DBUS_GETALL([config], [config], 0, [dnl
+ string "AllowZoneDrifting" : variant string "no"
+ string "AutomaticHelpers" : variant string "no"
++string "CleanupModulesOnExit" : variant string "no"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+ string "FirewallBackend" : variant string "nftables"
+@@ -45,6 +46,7 @@ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
+ _helper([IndividualCalls], [string:"yes"], [variant string "yes"])
+ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
+ _helper([FlushAllOnReload], [string:"no"], [variant string "no"])
++_helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"])
+ _helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
+ _helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
+ _helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
+--
+2.31.1
+
diff --git a/0048-RHEL-only-default-to-CleanupModulesOnExit-yes.patch b/0048-RHEL-only-default-to-CleanupModulesOnExit-yes.patch
new file mode 100644
index 0000000..1d05ba3
--- /dev/null
+++ b/0048-RHEL-only-default-to-CleanupModulesOnExit-yes.patch
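Review bot: In the rewritten `Firewall.stop()` the module unload is gated only on `self.cleanup_modules_on_exit`, so with `CleanupOnExit=no` and `CleanupModulesOnExit=yes` `unload_firewall_modules()` now runs while everything `flush()`, `ipset.flush()` and `set_policy("ACCEPT")` would have torn down is still loaded; the old code never did that, because the unload sat inside the `cleanup_on_exit` branch. Whether that combination is safe depends on `modules_backend.unload_firewall_modules()`, which is outside this hunk, so a comment above the second `if`, `# Independent of CleanupOnExit: with CleanupOnExit=no the ruleset is still loaded when the unload is attempted`, would record that the ordering is intended rather than a side effect of the restructuring. Relatedly, the firewalld.conf text added here warns that this "might attempt to unload modules not originally loaded by firewalld", but the firewalld.conf.xml and firewalld.dbus.xml entries added in the same patch omit that caveat, and the man page is where an administrator enabling the option will look. The enclosing `Firewall` class starts outside the hunk.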
@@ -0,0 +1,95 @@
+From 1aef58a8ff6d232cefcc6bd19ea63c0f071bfee3 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 20 Dec 2021 13:56:55 -0500
+Subject: [PATCH 48/48] RHEL only: default to CleanupModulesOnExit=yes
+
+Resolves: rhbz1980206
+---
+ config/firewalld.conf | 4 ++--
+ doc/xml/firewalld.conf.xml | 4 ++--
+ src/firewall/config/__init__.py.in | 2 +-
+ src/firewall/core/fw.py | 2 ++
+ src/tests/dbus/firewalld.conf.at | 4 ++--
+ 5 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index 3abbc9c998c1..c387f87c28be 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -15,8 +15,8 @@ CleanupOnExit=yes
+ # If set to yes or true the firewall related kernel modules will be
+ # unloaded on exit or stop of firewalld. This might attempt to unload
+ # modules not originally loaded by firewalld.
+-# Default: no
+-CleanupModulesOnExit=no
++# Default: yes
++CleanupModulesOnExit=yes
+
+ # Lockdown
+ # If set to enabled, firewall changes with the D-Bus interface will be limited
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index dd6ffb214eb3..12d9f5fc563e 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -93,8 +93,8 @@
+
+
+ Setting this option to yes or true unloads all firewall-related
+- kernel modules when firewalld is stopped. The default value is no
+- or false.
++ kernel modules when firewalld is stopped. The default value is yes
++ or true.
+
+
+
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 5d6d769fbf15..285e2f034b6b 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -125,7 +125,7 @@ FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
+ FALLBACK_ZONE = "public"
+ FALLBACK_MINIMAL_MARK = 100
+ FALLBACK_CLEANUP_ON_EXIT = True
+-FALLBACK_CLEANUP_MODULES_ON_EXIT = False
++FALLBACK_CLEANUP_MODULES_ON_EXIT = True
+ FALLBACK_LOCKDOWN = False
+ FALLBACK_IPV6_RPFILTER = True
+ FALLBACK_INDIVIDUAL_CALLS = False
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 4171697bdb94..5cef18b5f889 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -238,6 +238,8 @@ class Firewall(object):
+ value = self._firewalld_conf.get("CleanupModulesOnExit")
+ if value is not None and value.lower() in [ "yes", "true" ]:
+ self.cleanup_modules_on_exit = True
++ if value is not None and value.lower() in [ "no", "false" ]:
++ self.cleanup_modules_on_exit = False
+ log.debug1("CleanupModulesOnExit is set to '%s'",
+ self.cleanup_modules_on_exit)
+
+diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
+index 9a04a3bd491c..68832bca33bc 100644
+--- a/src/tests/dbus/firewalld.conf.at
++++ b/src/tests/dbus/firewalld.conf.at
+@@ -17,7 +17,7 @@ dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
+ DBUS_GETALL([config], [config], 0, [dnl
+ string "AllowZoneDrifting" : variant string "no"
+ string "AutomaticHelpers" : variant string "no"
+-string "CleanupModulesOnExit" : variant string "no"
++string "CleanupModulesOnExit" : variant string "yes"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+ string "FirewallBackend" : variant string "nftables"
+@@ -46,7 +46,7 @@ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
+ _helper([IndividualCalls], [string:"yes"], [variant string "yes"])
+ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
+ _helper([FlushAllOnReload], [string:"no"], [variant string "no"])
+-_helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"])
++_helper([CleanupModulesOnExit], [string:"no"], [variant string "no"])
+ _helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
+ _helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
+ _helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
+--
+2.31.1
+
diff --git a/EMPTY b/EMPTY
deleted file mode 100644
index 0519ecb..0000000
--- a/EMPTY
+++ /dev/null
@@ -1 +0,0 @@
- 
\ No newline at end of file
diff --git a/firewalld.spec b/firewalld.spec
new file mode 100644
index 0000000..a4ad0e7
--- /dev/null
+++ b/firewalld.spec
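Review bot: The added `if value is not None and value.lower() in [ "no", "false" ]:` in fw.py is a second stand-alone `if` on the same `value` immediately after the yes/true test, so a reader has to confirm the two lists are disjoint to see that only one assignment can fire; `elif value is not None and value.lower() in [ "no", "false" ]:` says the same thing and makes the two outcomes visibly exclusive. The `value is not None` guard is already redundant in both branches because the enclosing `if self._firewalld_conf.get("CleanupModulesOnExit"):` rejects None, though keeping it matches the sibling Lockdown block visible in patch 0047. With the fallback now True this branch is what lets an explicit `CleanupModulesOnExit=no` take effect, so a one-line comment such as `# "no"/"false" must override the RHEL default of True` would keep a future cleanup from dropping it as dead code. The enclosing method starts outside the hunk.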
@@ -0,0 +1,1721 @@ +Summary: A firewall daemon with D-Bus interface providing a dynamic firewall +Name: firewalld +Version: 0.9.3 +Release: 13%{?dist} +URL: http://www.firewalld.org +License: GPLv2+ +Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz +Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch +Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch +Patch3: v1.0.0-0003-feat-service-add-galera-service.patch +Patch4: 0004-fix-dbus-conf-setting-deprecated-properties-should-b.patch +Patch5: 0005-test-nftables-normalize-reject-statement-output.patch +Patch6: 0006-test-nftables-fix-normalization-of-reject-statement-.patch +Patch7: 0007-test-functions-increase-debug-level.patch +Patch8: 0008-test-functions-format-xml-output-with-xmllint.patch +Patch9: 0009-docs-firewall-cmd-reload-does-not-affect-direct-rule.patch +Patch10: 0010-docs-dbus-fix-copy-paste-error-for-FlushAllOnReload.patch +Patch11: 0011-docs-dbus-fix-copy-paste-error-for-RFC3964_IPv4.patch +Patch12: 0012-test-dbus-direct-add-coverage-for-signatures.patch +Patch13: 0013-test-dbus-policy-scope-introspection-checks-to-inter.patch +Patch14: 0014-test-dbus-zone-scope-introspection-checks-to-interfa.patch +Patch15: 0015-test-dbus-policy-introspect-signals.patch +Patch16: 0016-test-dbus-zone-introspect-signals.patch +Patch17: 0017-fix-dbus-properties-IPv4-and-IPv6-should-be-true-if-.patch +Patch18: 0018-test-ipset-add-missing-CHECK_IPSET.patch +Patch19: 0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch +Patch20: 0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch +Patch21: 0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch +Patch22: 0022-test-offline-always-allow-ipset-tests.patch +Patch23: 0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch +Patch24: 0024-test-direct-verify-rule-order-with-multiple-address-.patch +Patch25: 0025-fix-ipset-fix-hash-net-net-functionality.patch +Patch26: 
0026-test-ipset-add-test-to-verify-hash-net-net.patch +Patch27: 0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch +Patch28: 0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch +Patch29: 0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch +Patch30: 0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch +Patch31: 0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch +Patch32: 0032-test-functions-improve-checking-firewalld.log-for-er.patch +Patch33: 0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch +Patch34: 0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch +Patch35: v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch +Patch36: v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch +Patch37: 0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch +Patch38: 0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch +Patch39: 0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch +Patch40: 0040-fix-nftables-rich-source-address-with-netmask.patch +Patch41: 0041-test-rich-source-address-with-netmask.patch +Patch42: 0042-test-zone-source-with-netmask.patch +Patch43: 0043-fix-fw_config-zone-on-rename-remove-then-add.patch +Patch44: 0044-fix-io-functions-check_config-against-on-disk-conf.patch +Patch45: 0045-fix-zone-detect-same-source-interface-in-zones.patch +Patch46: 0046-test-zone-detect-same-source-interface-in-zones.patch +Patch47: 0047-feat-config-add-CleanupModulesOnExit-configuration-o.patch +Patch48: 0048-RHEL-only-default-to-CleanupModulesOnExit-yes.patch +Patch49: v1.0.0-0049-fix-ipset-reduce-cost-of-entry-overlap-detection.patch +Patch50: v1.0.0-0050-test-ipset-huge-set-of-entries-benchmark.patch +Patch51: v1.0.0-0051-fix-ipset-further-reduce-cost-of-entry-overlap-detec.patch + +BuildArch: noarch +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: desktop-file-utils +BuildRequires: gettext +BuildRequires: intltool +# glib2-devel is needed for 
gsettings.m4 +BuildRequires: glib2, glib2-devel +BuildRequires: systemd-units +BuildRequires: docbook-style-xsl +BuildRequires: libxslt +BuildRequires: iptables, ebtables, ipset +BuildRequires: python3-devel +Requires: iptables, ebtables, ipset +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires: firewalld-filesystem = %{version}-%{release} +Requires: python3-firewall = %{version}-%{release} +Conflicts: selinux-policy < 3.14.1-28 +Conflicts: squid < 7:3.5.10-1 +Obsoletes: firewalld-selinux < 0.4.4.2-2 +# bz1581578 +Conflicts: cockpit-ws < 171-2 + +%description +firewalld is a firewall service daemon that provides a dynamic customizable +firewall with a D-Bus interface. + +%package -n python3-firewall +Summary: Python3 bindings for firewalld + +%{?python_provide:%python_provide python3-firewall} + +Obsoletes: python-firewall < 0.5.2-2 +Obsoletes: python2-firewall < 0.5.2-2 +Requires: python3-dbus +Requires: python3-slip-dbus +Requires: python3-decorator +Requires: python3-gobject-base +Requires: python3-nftables + +%description -n python3-firewall +Python3 bindings for firewalld. + +%package -n firewalld-filesystem +Summary: Firewalld directory layout and rpm macros + +%description -n firewalld-filesystem +This package provides directories and rpm macros which +are required by other packages that add firewalld configuration files. + +%package -n firewall-applet +Summary: Firewall panel applet +Requires: %{name} = %{version}-%{release} +Requires: firewall-config = %{version}-%{release} +Requires: hicolor-icon-theme +Requires: python3-qt5-base +Requires: python3-gobject +Requires: libnotify +Requires: NetworkManager-libnm +Requires: dbus-x11 + +%description -n firewall-applet +The firewall panel applet provides a status information of firewalld and also +the firewall settings. 
+ +%package -n firewall-config +Summary: Firewall configuration application +Requires: %{name} = %{version}-%{release} +Requires: hicolor-icon-theme +Requires: gtk3 +Requires: python3-gobject +Requires: NetworkManager-libnm +Requires: dbus-x11 + +%description -n firewall-config +The firewall configuration application provides an configuration interface for +firewalld. + +%prep +%autosetup -p1 +# must autogen since a patch above touched a Makefile.am +./autogen.sh + +%build +%configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}" +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} +desktop-file-install --delete-original \ + --dir %{buildroot}%{_sysconfdir}/xdg/autostart \ + %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +desktop-file-install --delete-original \ + --dir %{buildroot}%{_datadir}/applications \ + %{buildroot}%{_datadir}/applications/firewall-config.desktop + +%find_lang %{name} --all-name + +%post +%systemd_post firewalld.service + +%preun +%systemd_preun firewalld.service + +%postun +%systemd_postun_with_restart firewalld.service + +%files -f %{name}.lang +%doc COPYING README +%{_sbindir}/firewalld +%{_bindir}/firewall-cmd +%{_bindir}/firewall-offline-cmd +%dir %{_datadir}/bash-completion/completions +%{_datadir}/bash-completion/completions/firewall-cmd +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_firewalld +%{_prefix}/lib/firewalld/icmptypes/*.xml +%{_prefix}/lib/firewalld/ipsets/README +%{_prefix}/lib/firewalld/services/*.xml +%{_prefix}/lib/firewalld/policies/*.xml +%{_prefix}/lib/firewalld/zones/*.xml +%{_prefix}/lib/firewalld/helpers/*.xml +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld +%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf +%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes 
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/policies +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones +%defattr(0644,root,root) +%config(noreplace) %{_sysconfdir}/sysconfig/firewalld +%{_unitdir}/firewalld.service +%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy +%{_mandir}/man1/firewall*cmd*.1* +%{_mandir}/man1/firewalld*.1* +%{_mandir}/man5/firewall*.5* +%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf +%{_sysconfdir}/logrotate.d/firewalld + +%files -n python3-firewall +%attr(0755,root,root) %dir %{python3_sitelib}/firewall +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__ +%{python3_sitelib}/firewall/__pycache__/*.py* +%{python3_sitelib}/firewall/*.py* +%{python3_sitelib}/firewall/config/*.py* +%{python3_sitelib}/firewall/config/__pycache__/*.py* +%{python3_sitelib}/firewall/core/*.py* +%{python3_sitelib}/firewall/core/__pycache__/*.py* +%{python3_sitelib}/firewall/core/io/*.py* +%{python3_sitelib}/firewall/core/io/__pycache__/*.py* +%{python3_sitelib}/firewall/server/*.py* +%{python3_sitelib}/firewall/server/__pycache__/*.py* + 
+%files -n firewalld-filesystem +%dir %{_prefix}/lib/firewalld +%dir %{_prefix}/lib/firewalld/helpers +%dir %{_prefix}/lib/firewalld/icmptypes +%dir %{_prefix}/lib/firewalld/ipsets +%dir %{_prefix}/lib/firewalld/services +%dir %{_prefix}/lib/firewalld/policies +%dir %{_prefix}/lib/firewalld/zones +%{_rpmconfigdir}/macros.d/macros.firewalld + +%files -n firewall-applet +%attr(0755,root,root) %dir %{_sysconfdir}/firewall +%{_bindir}/firewall-applet +%defattr(0644,root,root) +%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +%{_sysconfdir}/firewall/applet.conf +%{_datadir}/icons/hicolor/*/apps/firewall-applet*.* +%{_mandir}/man1/firewall-applet*.1* + +%files -n firewall-config +%{_bindir}/firewall-config +%defattr(0644,root,root) +%{_datadir}/firewalld/firewall-config.glade +%{_datadir}/firewalld/gtk3_chooserbutton.py* +%{_datadir}/firewalld/gtk3_niceexpander.py* +%{_datadir}/applications/firewall-config.desktop +%{_datadir}/metainfo/firewall-config.appdata.xml +%{_datadir}/icons/hicolor/*/apps/firewall-config*.* +%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml +%{_mandir}/man1/firewall-config*.1* + +%changelog +* Thu Feb 03 2022 Eric Garver - 0.9.3-13 +- change default CleanupModulesOnExit=yes + +* Mon Dec 20 2021 Eric Garver - 0.9.3-12 +- feat(config): add CleanupModulesOnExit configuration option +- change default CleanupModulesOnExit=yes + +* Tue Nov 16 2021 Eric Garver - 0.9.3-11 +- fix(zone): detect same source/interface in zones + +* Tue Nov 16 2021 Eric Garver - 0.9.3-10 +- fix(nftables): rich: source address with netmask + +* Tue Nov 16 2021 Eric Garver - 0.9.3-9 +- fix(nftables): do not log icmp block if inversion + +* Tue Nov 16 2021 Eric Garver - 0.9.3-8 +- docs(firewall-*cmd): client conntrack helpers must use a policy + +* Tue Jul 13 2021 Eric Garver - 0.9.3-7 +- fix(ipset): disallow overlapping entries + +* Tue Jul 13 2021 Eric Garver - 0.9.3-6 +- fix(policy): warn instead of error for overlapping ports + +* Wed May 19 2021 
Eric Garver - 0.9.3-5 +- docs(conf): note that IPv6_rpfilter has a performance penalty + +* Wed May 19 2021 Eric Garver - 0.9.3-4 +- fix(nm): reload: only consider NM connections with a real interface + +* Wed May 19 2021 Eric Garver - 0.9.3-3 +- fix(ipset): fix hash:net,net functionality + +* Wed May 19 2021 Eric Garver - 0.9.3-2 +- fix(direct): rule order with multiple address with -s/-d + +* Thu Feb 25 2021 Eric Garver - 0.9.3-1 +- rebase to v0.9.3 +- fixes from upstream branch stable-0.9 + +* Fri Jan 29 2021 Eric Garver - 0.8.2-6 +- feat(service): add galera service + +* Fri Jan 29 2021 Eric Garver - 0.8.2-5 +- fix(zone): add source with mac address + +* Fri Jan 29 2021 Eric Garver - 0.8.2-4 +- fix(rich): non-printable characters removed from rich + +* Mon Oct 26 2020 Eric Garver - 0.8.2-3 +- fix(nftables): packet marks with masks +- fix(nftables): icmp types with code == 0 +- fix(rich icmptype): verify rule and icmptype families +- fix(zone): cache rule_str for rich rules +- improvement(service): IPsec: Update description and add TCP port 4500 +- feat(service): add collectd service +- feat(service): Add rpc-rquotad.service + +* Tue Aug 04 2020 Eric Garver - 0.8.2-2 +- fix(cli): add ipset type hash:mac is incompatible with the family parameter +- fix(cli): add --zone is an invalid option with --direct +- fix: update dynamic DCE RPC ports in freeipa-trust service +- fix: core: rich: Catch ValueError on non-numeric priority values +- fix(rich): icmptypes with one family +- fix(direct): rule in a zone chain +- plus additional upstream stable fixes + +* Mon Apr 06 2020 Eric Garver - 0.8.2-1 +- rebase to v0.8.2 + +* Thu Feb 27 2020 Eric Garver - 0.8.0-4 +- doc: direct: add CAVEATS section + +* Mon Feb 03 2020 Eric Garver - 0.8.0-3 +- restore zone drifting as a feature + +* Tue Nov 12 2019 Eric Garver - 0.8.0-2 +- fix: CLI: service: also output helpers for service info + +* Tue Nov 05 2019 Eric Garver - 0.8.0-1 +- rebase to v0.8.0 + +* Tue Aug 13 2019 Eric Garver - 
0.7.0-5 +- bump nftables version requirements + +* Tue Aug 06 2019 Eric Garver - 0.7.0-4 +- backport patches to sort source-based zone dispatch by zone name + +* Tue Jul 23 2019 Eric Garver - 0.7.0-3 +- backport patch to show service includes in service output +- backport patches to fix dbus API break + +* Thu Jun 13 2019 Eric Garver - 0.7.0-2 +- package rebuild + +* Wed Jun 12 2019 Eric Garver - 0.7.0-1 +- rebase to v0.7.0 + +* Sun Jan 13 2019 Eric Garver - 0.6.3-7 +- backport additional patches for RFC3964_IPv4 filter feature + +* Tue Jan 08 2019 Eric Garver - 0.6.3-6 +- backport nftables support for wildcard interfaces +- backport RFC3964_IPv4 filter feature + +* Tue Dec 18 2018 Eric Garver - 0.6.3-5 +- backport fix for lost NM interfaces in default zone during reload + +* Thu Dec 13 2018 Eric Garver - 0.6.3-4 +- backport recent stable fixes +- backport fix for lost NM interfaces during reload +- backport rich rule priorities +- backport fix for set entries not applied +- update translations + +* Tue Oct 16 2018 Eric Garver - 0.6.3-3 +- backport FlushAllOnReload feature + +* Fri Oct 12 2018 Eric Garver - 0.6.3-2 +- use py3_shbang_opts for lockdown-whitelist +- fix cockpit patch causing test failure + +* Thu Oct 11 2018 Eric Garver - 0.6.3-1 +- rebase package to v0.6.3 +- use py3_shbang_opts for interpreter invocations + +* Mon Sep 10 2018 Eric Garver - 0.6.1-5 +- python3-firewalld can get by with python3-gobject-base +- firewall-config can get by with python3-qt5-base + +* Thu Aug 16 2018 Eric Garver - 0.6.1-4 +- backports for new failed state if startup fails +- backports to use explicit RETURN on user defined ebtables chains +- backports to fix nftables AUDIT log support + +* Tue Aug 14 2018 Eric Garver - 0.6.1-3 +- drop support for ebtables broute table + +* Fri Aug 10 2018 Eric Garver - 0.6.1-2 +- add more ports to high-availability service + +* Thu Aug 09 2018 Eric Garver - 0.6.1-1 +- rebase to v0.6.1 +- fix patch adding cockpit by default, fixes testsuite 
+
+* Mon Jul 09 2018 Eric Garver - 0.6.0-2
+- Use correct conflicts version for cockpit-ws
+- Enable cockpit by default in some zones
+
+* Fri Jul 06 2018 Eric Garver - 0.6.0-1
+- rebase to v0.6.0
+
+* Tue May 01 2018 Eric Garver - 0.6.0-0.1.alpha1
+- rebase to v0.6.0-alpha
+
+* Wed Mar 21 2018 Eric Garver - 0.5.2-3
+- remove fedora-isms and clean up spec file
+
+* Wed Mar 21 2018 Eric Garver - 0.5.2-2
+- remove python2-firewall subpackage
+
+* Mon Mar 19 2018 Eric Garver - 0.5.2-1
+- rebase package to v0.5.2
+
+* Fri Feb 09 2018 Igor Gnatenko - 0.5.1-2
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Eric Garver - 0.5.1-1
+- rebase package to v0.5.1
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.4.4.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 05 2018 Igor Gnatenko - 0.4.4.5-5
+- Remove obsolete scriptlets
+
+* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 0.4.4.5-4
+- Python 2 binary package renamed to python2-firewall
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Mon Jul 31 2017 Thomas Woerner - 0.4.4.5-3
+- Fix spec file for next RHEL versions
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.4.4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jun 9 2017 Thomas Woerner - 0.4.4.5-1
+- Rebase to firewalld-0.4.4.5
+ http://www.firewalld.org/2017/06/firewalld-0-4-4-5-release
+ - Fix build from spec
+ - Fix –remove-service-from-zone option (RHBZ#1438127)
+ - Support sctp and dccp in ports, source-ports, forward-ports, helpers and
+ rich rules (RHBZ#1429808)
+ - firewall-cmd: Fix –{set,get}-{short,description} for zone (RHBZ#1445238)
+ - firewall.core.ipXtables: Use new wait option for restore commands if
+ available
+ - New services for oVirt:
+ ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe
+ - Rename extension for policy choices (server and desktop) to .policy.choice
+ (RHBZ#1449754)
+ - D-Bus interfaces: Fix GetAll for interfaces
without properties
+ (RHBZ#1452017)
+ - Load NAT helpers with conntrack helpers (RHBZ#1452681)
+ - Translation updates
+- Additional upstream patches:
+ - Rich-rule source validation (d69b7cb)
+ - IPv6 ICMP type only rich-rule fix (cf50bd0)
+
+* Mon Mar 27 2017 Thomas Woerner - 0.4.4.4-1
+- Rebase to firewalld-0.4.4.4
+ http://www.firewalld.org/2017/03/firewalld-0-4-4-4-release
+- Drop references to fedorahosted.org from spec file and Makefile.am, use
+ archive from github
+- Fix inconsistent ordering of rules in INPUT_ZONE_SOURCE (issue#166)
+- Fix ipset overloading from /etc/firewalld/ipsets
+- Fix permanent rich rules using icmp-type elements (RHBZ#1434594)
+- firewall-config: Deactivate edit, remove, .. buttons if there are no items
+- Check if ICMP types are supported by kernel before trying to use them
+- firewall-config: Show invalid ipset type in the ipset configuration dialog
+ in a special label
+
+* Tue Feb 21 2017 Thomas Woerner - 0.4.4.3-2
+- Fixed ipset overloading, dropped applied check in get_ipset (issue#206)
+
+* Fri Feb 10 2017 Thomas Woerner - 0.4.4.3-1
+- Rebase to firewalld-0.4.4.3
+ http://www.firewalld.org/2017/02/firewalld-0-4-4-3-release
+- Speed up of large file loading
+- Support for more ipset types
+- Speed up of adding or removing entries for ipsets from files
+- Support icmp-type usage in rich rules
+- Support for more icmp types
+- Support for h323 conntrack helper
+- New services
+- Code cleanup and several other bug fixes
+- Translation updates
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.4.4.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Dec 13 2016 Stratakis Charalampos - 0.4.4.2-3
+- Rebuild for Python 3.6
+
+* Mon Dec 5 2016 Thomas Woerner - 0.4.4.2-2
+- Dropping firewalld-selinux package again as the required fix made it into
+ selinux-policy packages for F-23+, updated selinux-policy version conflicts
+
+* Thu Dec 1 2016 Thomas Woerner - 0.4.4.2-1
+- New firewalld-selinux sub package
delivering the SELinux policy module for
+ firewalld (RHBZ#1396765) (RHBZ#1394625) (RHBZ#1394578) (RHBZ#1394573)
+ (RHBZ#1394569)
+- New firewalld release 0.4.4.2:
+ - firewalld.spec: Added helpers and ipsets paths to firewalld-filesystem
+ - firewall.core.fw_nm: create NMClient lazily
+ - Do not use hard-coded path for modinfo, use autofoo to detect it
+ - firewall.core.io.ifcfg: Dropped invalid option warning with bad format
+ string
+ - firewall.core.io.ifcfg: Properly handle quoted ifcfg values
+ - firewall.core.fw_zone: Do not reset ZONE with ifdown
+ - Updated translations from zanata
+ - firewall-config: Extra grid at bottom to visualize firewalld settings
+
+* Wed Nov 9 2016 Thomas Woerner - 0.4.4.1-1
+- firewall-config: Use proper source check in sourceDialog (fixes issue#162)
+- firewallctl: New support for helpers
+- Translation updates
+
+* Fri Oct 28 2016 Thomas Woerner - 0.4.4-1
+- Fix dist-check
+- src/Makefile.am: Install new helper files
+- config/Makefile.am: Install helpers
+- Merged translations
+- Updated translations from zanata
+- firewalld.spec: Adapt requires for PyQt5
+- firewall-applet: Fix fromUTF8 for python2 PyQt5 usage
+- firewall-applet: Use PyQt5
+- firewall-config: New nf_conntrack_select dialog, use nf_conntrack_helpers D-Bus property
+- shell-completion/bash/firewall-cmd: Updates for helpers and also some fixes
+- src/tests/firewall-[offline-]cmd_test.sh: New helper tests, adapted module tests for services
+- doc/xml/seealso.xml: Add firewalld.helper(5) man page
+- doc/xml/seealso.xml: Add firewalld.ipset(5) man page
+- Fixed typo in firewalld.ipset(5) man page
+- Updated firewalld.dbus(5) man page
+- New firewalld.helper(5) man page
+- doc/xml/firewall-offline-cmd.xml: Updated firewall-offline-cmd man page
+- doc/xml/firewall-cmd.xml: Updated firewall-cmd man page
+- firewall-offline-cmd: New support for helpers
+- firewall-cmd: New support for helpers
+- firewall.command: New check_helper_family, check_module and
print_helper_info methods
+- firewall.core.fw_test: Add helpers also to offline backend
+- firewall.server.config: New AutomaticHelpers property (rw)
+- firewall.server.config: Fix an dict size changed error for firewall.conf file changes
+- firewall.server.config: Make LogDenied property readwrite to be consistent
+- Some renames of nf_conntrack_helper* functions and structures, helpers is a dict
+- firewall.core.fw: Properly check helper setting in set_automatic_helpers
+- firewall.errors: Add missing BUILTIN_HELPER error code
+- No extra interface for helpers needed in runtime, dropped DBUS_INTERFACE_HELPER
+- firewall.server.firewalld: Drop unused queryHelper D-Bus method
+- New helpers Q.931 and RAS from nf_conntrack_h323
+- firewall.core.io.helper: Allow dots in helper names, remove underscore
+- firewall.core.io.firewalld_conf: Fixed typo in FALLBACK_AUTOMATIC_HELPERS
+- firewall-[offline-]cmd: Use sys.excepthook to force exception_handler usage always
+- firewall.core.fw_config: new_X methods should also check builtins
+- firewall.client: Set helper family to "" if None
+- firewall.client: Add missing module string to FirewallClientHelperSettings.settings
+- config/firewalld.conf: Add possible values description for AutomaticHelpers
+- helpers/amanda.xml: Fix typo in helper module
+- firewall-config: Added support for helper module setting
+- firewall.client: Added support for helper module setting
+- firewall.server.config_helper: Added support for helper module setting
+- firewall.core.io.service, firewall.server.config_service: Only replace underscore by dash if module start with nf_conntrack_
+- firewall.core.fw_zone: Use helper module instead of a generated name from helper name
+- helpers: Added kernel module
+- firewall.core.io.helper: Add module to helper
+- firewall-cmd: Removed duplicate --get-ipset-types from help output
+- firewall.core.fw_zone: Add zone bingings for PREROUTING in the raw table
+- firewall.core.ipXtables: Add PREROUTING default
rules for zones in raw table
+- firewall-config: New support to handle helpers, new dialogs, new helper tab, ..
+- config/org.fedoraproject.FirewallConfig.gschema.xml.in: New show-helpers setting
+- firewall.client: New helper management for runtime and permanent configuration
+- firewall.server.firewalld: New runtime helper management, new nf_conntrack_helper property
+- firewall.server.config_service: Fix module name handling (no nf_conntrack_ prefix needed)
+- firewall.server.config: New permanent D-Bus helper management
+- New firewall.server.config_helper to provide the permanent D-Bus interface for helpers
+- firewall.core.fw_zone: Use helpers fw.nf_conntrack_helper for services using helpers
+- firewall.core.fw: New helper management, new _automatic_helpers and nf_conntrack_helper settings
+- firewall.core.fw_config: Add support for permanent helper handling
+- firewall.core.io.service: The module does not need to start with nf_conntrack_ anymore
+- firewall.functions: New functions to get and set nf_conntrack_helper kernel setting
+- firewall.core.io.firewalld_conf: New support for AutomaticHelpers setting
+- firewall.config.dbus: New D-Bus definitions for helpers, new DBUS_INTERFACE_REVISION 12
+- New firewall.core.fw_helper providing FirewallHelper backend
+- New firewall.core.helper with HELPER_MAXNAMELEN definition
+- config/firewalld.conf: New AutomaticHelpers setting with description
+- firewall.config.__init__.py.in: New helpers variables
+- firewalld.spec: Add new helpers directory
+- config/Makefile.am: Install new helpers
+- New helper configuration files for amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp and tftp
+- firewall.core.io.helper: New IO handler for netfilter helpers
+- firewall.errors: New INVALID_HELPER error code
+- firewall.core.io.ifcfg: Use .bak for save files
+- firewall-config: Set internal log_denied setting after changing
+- firewall.server.config: Copy props before removing items
+- doc/xml/firewalld.ipset: Replaced
icmptype name remains with ipset
+- firewall.core.fw_zone: Fix LOG rule placement for LogDenied
+- firewall.command: Use "source-ports" in print_zone_info
+- firewall.core.logger: Use syslog.openlog() and syslog.closelog()
+- firewall-[offline-]cmd man pages: Document --path-{zone,icmptype,ipset,service}
+- firewall-cmd: Enable --path-{zone,icmptype,service} options again
+- firewall.core.{ipXtables,ebtables}: Copy rule before extracting items in set_rules
+- firewall.core.fw: Do not abort transaction on failed ipv6_rpfilter rules
+- config/Makefile.am: Added cfengine, condor-collector and smtp-submission services
+- Makefile.am: New dist-check used in the archive target
+- src/Makefile.am: Reordered nobase_dist_python_DATA to be sorted
+- config/Makefile.am: New CONFIG_FILES variable to contain the config files
+- Merge pull request #150 from hspaans/master
+- Merge pull request #146 from canvon/bugfix/spelling
+- Merge pull request #145 from jcpunk/condor
+- Command line tools man pages: New section about sequence options and exit codes
+- Creating service file for SMTP-Submission.
+- Creating service file for CFEngine.
+- Fix typo in documentation: iptables mangle table
+- Only use sort on lists of main items, but not for item properties
+- firewall.core.io.io_object: import_config should not change ordering of lists
+- firewall.core.fw_transaction: Load helper modules in FirewallZoneTransaction
+- firewall.command: Fail with NOT_AUTHORIZED if authorization fails (RHBZ#1368549)
+- firewall.command: Fix sequence exit code with at least one succeeded item
+- Add condor collector service
+- firewall-cmd: Fixed --{get,set}-{description,short} for permanent zones
+- firewall.command: Do not use error code 254 for {ALREADY,NOT}_ENABLED sequences
+
+* Tue Aug 16 2016 Thomas Woerner - 0.4.3.3-1
+- Fix CVE-2016-5410: Firewall configuration can be modified by any logged in
+ user
+- firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO
+- Update AppData configuration file.
+- tests/firewalld_rich.py: Use new import structure and FirewallClient classes
+- tests/firewalld_direct.py: Use new import structure
+- tests: firewalld_direct: Fix assert to check for True instead of False
+- tests: firewalld_config: Fix expected value when querying the zone target
+- tests: firewalld_config: Use real nf_conntrack modules
+- firewalld.spec: Added comment about make call for %%build
+- firewall-config: Use also width_request and height_request with default size
+- Updated firewall-config screenshot
+- firewall-cmd: Fixed typo in help output (RHBZ#1367171)
+- test-suite: Ignore stderr to get default zone also for missing firewalld.conf
+- firewall.core.logger: Warnings should be printed to stderr per default
+- firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails
+- firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be aquired
+- firewall.client: Generate new DBUS_ERROR if SystemBus can not be aquired
+- test-suite: Do not fail on ALREADY_ENABLED --add-destination tests
+- firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
+-
doc/xml/firewalld.dbus.xml: Removed undefined reference
+- doc/xml/transform-html.xsl.in: Fixed references in the document
+- doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para
+- doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page
+- firewall: core: fw_nm: Instantiate the NM client only once
+- firewall/core/io/*.py: Do not traceback on a general sax parsing issue
+- firewall-offline-cmd: Fix --{add,remove}-entries-from-file
+- firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file
+- firewall.core.prog: Do not output stderr, but return it in the error case
+- firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171)
+- config/firewall.service.in: use KillMode=mixed
+- config/firewalld.service.in: use network-pre.target
+- firewall-config: Add missing gettext.textdomain call to fix translations
+- Add UDP to transmission-client.xml service
+- tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings
+- firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls
+- firewall.client: Fix NOT_ENABLED errors in icmptype destination calls
+- firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination
+ calls
+- firewall.command: Add the removed FirewallError handling to the action
+ (a17ce50)
+- firewall.command: Do not use query methods for sequences and also single
+ options
+- Add missing information about MAC and ipset sources to man pages and help
+ output
+- firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages
+- firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr}
+- firewallctl: Fix traceback if not connected to firewalld
+- firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked
+- firewall.command: Convert errors to string for Python3
+- firewall.command: Get proper firewall error code from D-BusExceptions
+- firewall-cmd: Fixed traceback without args
+- Add missing service files to
Makefile.am
+- shell-completion: Add shell completion support for
+ --{get,set}--{description,short}
+- Updated RHEL-7 selinux-policy and squid conflict
+
+* Tue Jul 19 2016 Fedora Release Engineering - 0.4.3.2-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Mon Jul 4 2016 Thomas Woerner - 0.4.3.2-1
+- Fix regression with unavailable optional commands
+- All missing backend messages should be warnings
+- Individual calls for missing restore commands
+- Only one authenticate call for add and remove options and also sequences
+- New service RH-Satellite-6
+- Fixed selinux-policy conflict version for RHEL-7
+
+* Wed Jun 29 2016 Thomas Woerner - 0.4.3.1-2
+- Fixed selinux-policy conflict version for Fedora 24
+
+* Tue Jun 28 2016 Thomas Woerner - 0.4.3.1-1
+- New firewalld release 0.4.3.1
+- firewall.command: Fix python3 DBusException message not interable error
+- src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while installing
+- firewallctl: Do not trace back on list command without further arguments
+- firewallctl (man1): Added remaining sections zone, service, ..
+- firewallctl: Added runtime-to-permanent, interface and source parser,
+ IndividualCalls setting
+- firewall.server.config: Allow to set IndividualCalls property in config
+ interface
+- Fix missing icmp rules for some zones
+- runProg: Fix issue with running programs
+- firewall-offline-cmd: Fix issues with missing system-config-firewall
+- firewall.core.ipXtables: Split up source and dest addresses for transaction
+- firewall.server.config: Log error in case of loading malformed files in
+ watcher
+- Install and package the firewallctl man page
+- New firewallctl utility (RHBZ#1147959)
+- doc.xml.seealso: Show firewalld.dbus in See Also sections
+- firewall.core.fw_config: Create backup on zone, service, ipset and icmptype
+ removal (RHBZ#1339251)
+- {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
+- firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
+- firewall-cmd: Dropped duplicate setType call in --new-ipset
+- radius service: Support also tcp ports (RBZ#1219717)
+- xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset
+ sources
+- config.xmlschema.service.xsd: Fix service destination conflicts
+ (RHBZ#1296573)
+- firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
+- firewall.command: Only print summary and description in print_X_info with
+ verbose
+- firewall.command: print_msg should be able to print empty lines
+- firewall-config: No processing of runtime passthroughs signals in permanent
+- Landspace.io fixes and pylint calm downs
+- firewall.core.io.zone: Add zone_reader and zone_writer to __all__, pylint
+ fixes
+- firewall-config: Fixed titles of command and context dialogs, also entry
+ lenths
+- firewall-config: pylint calm downs
+- firewall.core.fw_zone: Fix use of MAC source in rich rules without ipv limit
+- firewall-config: Use self.active_zoens in conf_zone_added_cb
+- firewall.command: New parse_port, extended parse methods with more checks
+-
firewall.command: Fixed parse_port to use the separator in the split call
+- firewall.command: New [de]activate_exception_handler, raise error in parse_X
+- services ha: Allow corosync-qnetd port
+- firewall-applet: Support for kde5-nm-connection-editor
+- tests/firewall-offline-cmd_test.sh: New tests for service and icmptype
+ modifications
+- firewall-offline-cmd: Use FirewallCommand for simplification and sequence
+ options
+- tests/firewall-cmd_test.sh: New tests for service and icmptype modifications
+- firewall-cmd: Fixed set, remove and query destination options for services
+- firewall.core.io.service: Source ports have not been checked in _check_config
+- firewall.core.fw_zone: Method check_source_port is not used, removed
+- firewall.core.base: Added default to ZONE_TARGETS
+- firewall.client: Allow to remove ipv:address pair for service destinations
+- tests/firewall-offline-cmd_test.sh: There is no timeout option in permanent
+- firewall-cmd: Landscape.io fixes, pylint calm downs
+- firewall-cmd: Use FirewallCommand for simplification and sequence options
+- firewall.command: New FirewallCommand for command line client simplification
+- New services: kshell, rsh, ganglia-master, ganglia-client
+- firewalld: Cleanup of unused imports, do not translate some deamon messages
+- firewalld: With fd close interation in runProg, it is not needed here anymore
+- firewall.core.prog: Add fd close iteration to runProg
+- firewall.core.fw_nm: Hide NM typelib import, new nm_get_dbus_interface
+ function
+- firewalld.spec: Require NetworkManager-libnm instead of NetworkManager-glib
+- firewall-config: New add/remove ipset entries from file, remove all entries
+- firewall-applet: Fix tooltip after applet start with connection to firewalld
+- firewall-config: Select new zone, service or icmptype if the view was empty
+- firewalld.spec: Added build requires for iptables, ebtables and ipset
+- Adding nf_conntrack_sip module to the service SIP
+- firewall: core: fw_ifcfg:
Quickly return if ifcfg directory does not exist
+- Drop unneeded python shebangs
+- Translation updates
+
+* Mon May 30 2016 Thomas Woerner - 0.4.2-1
+- New module to search for and change ifcfg files for interfaces not under
+ control of NM
+- firewall_config: Enhanced messages in status bar
+- firewall-config: New message window as overlay if not connected
+- firewall-config: Fix sentivity of option, view menus and main paned if not
+ connected
+- firewall-applet: Quit on SIGINT (Ctrl-C), reduced D-Bus calls, some cleanup
+- firewall-[offline]cmd: Show target in zone information
+- D-Bus: Completed masquerade methods in FirewallClientZoneSettings
+- Fixed log-denied rules for icmp-blocks
+- Keep sorting of interfaces, services, icmp-blocks and other settings in zones
+- Fixed runtime-to-permanent not to save interfaces under control of NM
+- New icmp-block-inversion flag in the zones
+- ICMP type filtering in the zones
+- New services: sip, sips, managesieve
+- rich rules: Allow destination action (RHBZ#1163428)
+- firewall-offline-cmd: New option -q/--quiet
+- firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
+- firewall-[offline-]cmd: Fix option for setting the destination address
+- firewall-config: Fixed resizing behaviour
+- New transaction model for speed ups in start, restart, stop and other actions
+- firewall-cmd: New options --load{zone,service,ipset,icmptype}-defaults
+- Fixed memory leak in dbus_introspection_add_properties
+- Landscape.io fixes, pylint calm downs
+- New D-Bus getXnames methods to speed up firewall-config and firewall-cmd
+- ebtables-restore: No support for COMMIT command
+- Source port support in services, zones and rich rules
+- firewall-offline-cmd: Added --{add,remove}-entries-from-file for ipsets
+- firewall-config: New active bindings side bar for simple binding changes
+- Reworked NetworkManager module
+- Proper default zone handling for NM connections
+- Try to set zone binding with NM if interface is
under control of NM
+- Code cleanup and bug fixes
+- Include test suite in the release and install in /usr/share/firewalld/tests
+- New Travis-CI configuration file
+- Fixed more broken frensh translations
+- Translation updates
+
+* Mon May 9 2016 Thomas Woerner - 0.4.1.2-2
+- Fixed ebtables-restore does not support the COMMIT command issue
+
+* Wed Apr 20 2016 Thomas Woerner - 0.4.1.2-1
+- Fixed translations with python3
+- Fixed exception for failed NM import, new doc string
+- Make ipsets visible per default in firewall-config
+- Install new fw_nm module
+- Do not fail if log file could not be opened
+- Fixed broken fr translation
+
+* Tue Apr 19 2016 Thomas Woerner - 0.4.1-1
+- Enhancements of ipset handling
+ - No cleanup of ipsets using timeouts while reloading
+ - Only destroy conflicting ipsets
+ - Only use ipset types supported by the system
+ - Add and remove several ipset entries in one call using a file
+- Reduce time frame where builtin chains are on policy DROP while reloading
+- Include descriptions in --info-X calls
+- Command line interface support to get and alter descriptions of zones,
+ services, ipsets and icmptypes with permanent option
+- Properly watch changes in combined zones
+- Fix logging in rich rule forward rules
+- Transformed direct.passthrough errors into warnings
+- Rework of import structures
+- Reduced calls to get ids for port and protocol names (RHBZ#1305434)
+- Build and installation fixes by Markos Chandras
+- Provide D-Bus properties in introspection data
+- Fix for flaws found by landscape.io
+- Fix for repeated SUGHUP
+- New NetworkManager module to get and set zones of connections, used in
+ firewall-applet and firewall-config
+- configure: Autodetect backend tools ({ip,ip6,eb}tables{,-restore}, ipset)
+- Code cleanups
+- Bug fixes
+
+* Mon Feb 22 2016 Jiri Popelka - 0.4.0-4
+- Revert one commit to temporary work-around RHBZ#1309754
+
+* Mon Feb 08 2016 Jiri Popelka - 0.4.0-3
+- Make sure tempdir is created even in
offline mode. (RHBZ#1305175)
+
+* Wed Feb 03 2016 Fedora Release Engineering - 0.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Feb 1 2016 Thomas Woerner - 0.4.0-1
+- Version 0.4.0
+ - Speed ups
+ - ipset support
+ - MAC address support
+ - Log of denied packets
+ - Mark action in rich rules
+ - Enhanced alteration of config files with command line tools
+ - Use of zone chains in direct interface
+ - firewall-applet enhancement
+ - New services: ceph-mon, ceph, docker-registry, imap, pop3, pulseaudio,
+ smtps, snmptrap, snmp, syslog-tls and syslog
+ - Several bug fixes
+ - Code optimizations
+
+* Tue Nov 10 2015 Fedora Release Engineering - 0.3.14.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Wed Jul 22 2015 Adam Williamson - 0.3.14.2-4
+- bump versions on old config package obsoletes (f21 is on 0.3.14 now)
+
+* Mon Jul 13 2015 Thomas Woerner - 0.3.14.2-3
+- Require python3-gobject-base for fedora >= 23 and rhel >= 8 (RHBZ#1242076)
+- Fix rhel defines: No python3 for rhel-7
+
+* Thu Jun 18 2015 Thomas Woerner - 0.3.14.2-2
+- Fixed 'pid_file' referenced before assignment (RHBZ#1233232)
+
+* Wed Jun 17 2015 Thomas Woerner - 0.3.14.2-1
+- reunification of the firewalld spec files for all Fedora releases
+- fix dependencies for -applet and -config: use_python3 is the proper switch
+ not with_python3 (RHBZ#1232493)
+- firewalld.spec:
+ - fixed requirements for -applet and -config
+- man pages:
+ - adapted firewall-applet man page to new version
+- firewall-applet:
+ - Only honour active connections for zone changes
+ - Change QSettings path and file names
+- firewall-config:
+ - Only honour active connections for zone changes in the “Change Zones of Connections” menu
+- Translations:
+ - updated translations
+ - marked translations for “Connections” for review
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.3.14.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 16
2015 Stephen Gallagher 0.3.14.1-2
+- Fix issue with missing polkit policy when installing firewalld on
+ Cloud Edition.
+
+* Fri Jun 12 2015 Thomas Woerner - 0.3.14.1-1
+- firewall-applet
+ - do not use isSystemTrayAvailable check to fix KDE5 startup
+ - dropped gtk applet remain: org.fedoraproject.FirewallApplet.gschema.xml
+
+* Fri Jun 12 2015 Thomas Woerner - 0.3.14-1
+- renamed python2-firewall to python-firewall
+- fixed requirements for GUI parts with Python3
+- dropped upstream merged python3 patch
+- firewalld:
+ - print real zone names in error messages
+ - iptables 1.4.21 does not accept limits of 1/day, minimum is 2/day now
+ - rate limit fix for rich rules
+ - fix readdition of removed permanent direct settings
+ - adaption of the polkit domains to use PK_ACTION_DIRECT_INFO
+ - fixed two minor Python3 issues in firewall.core.io.direct
+ - fixed use of fallback configuration values
+ - fixed use without firewalld.conf
+ - firewalld main restructureization
+ - IPv6_rpfilter now also available as a property on D-Bus in the config interface
+ - fixed wait option use for ipXtables
+ - added --concurrent support for ebtables
+ - richLanguage: allow masquerading with destination
+ - richLanguage: limit masquerading forward rule to new connections
+ - ipXtables: No dns lookups in available_tables and _detect_wait_option
+ - full ebtables support: start, stop, reload, panic mode, direct chains and rules
+ - fix for reload with direct rules
+ - fix or flaws found by landscape.io
+ - pid file handling fixes in case of pid file removal
+ - fix for client issue in case of a dbus NoReply error
+- configuration
+ - new services: dropbox-lansync, ptp
+ - new icmptypes: timestamp-request, timestamp-reply
+- man pages:
+ - firewalld.zones(5): fixed typos
+ - firewalld.conf(5): Fixed wrong reference to firewalld.lockdown-whitelist page
+- firewall-applet:
+ - new version using Qt4 fixing several issues with the Gtk version
+- spec file:
+ - enabled Python3 support: new
backends python-firewall and python3-firewall
+ - some cleanup
+- git:
+ - migrated to github
+- translations:
+ - migrated to zanata
+- build environment:
+ - no need for autoconf-2.69, 2.68 is sufficient
+
+* Thu May 07 2015 Stephen Gallagher 0.3.13-7
+- Use VARIANT_ID instead of VARIANT for making decisions
+
+* Thu Apr 16 2015 Stephen Gallagher 0.3.13-6
+- Switch to using $VARIANT directly from /etc/os-release
+
+* Fri Mar 13 2015 Stephen Gallagher 0.3.13-5
+- Fix bugs with posttrans
+- Remove nonexistent fedora-cloud.conf symlink
+
+* Fri Mar 13 2015 Stephen Gallagher 0.3.13-4
+- Remove per-edition config files
+- Decide on default configuration based on /etc/os-release
+
+* Mon Feb 23 2015 Jiri Popelka - 0.3.13-3
+- use python3 bindings on fedora >=23
+
+* Wed Jan 28 2015 Thomas Woerner - 0.3.13-2
+- enable python2 and python3 bindings for fedora >= 20 and rhel >= 7
+- use python3 bindings on fedora >= 22 and rhel >= 8 for firewalld,
+ firewall-config and firewall-applet
+
+* Thu Dec 04 2014 Jiri Popelka - 0.3.13-1
+- firewalld:
+ - ipXtables: use -w or -w2 if supported (RHBZ#1161745, RHBZ#1151067)
+ - DROP INVALID packets (RHBZ#1169837)
+ - don't use ipv6header for protocol matching. (RHBZ#1065565)
+ - removeAllPassthroughs(): remove passthroughs in reverse order (RHBZ#1167100)
+ - fix config.service.removeDestination() (RHBZ#1164584)
+- firewall-config:
+ - portProtoDialog: other protocol excludes port number/range
+ - better fix for updating zoneStore also in update_active_zones()
+ - fix typo in menu
+- configuration:
+ - new services: tinc, vdsm, mosh, iscsi-target, rsyncd
+ - ship and install XML Schema files.
(#8)
+- man pages:
+ - firewalld.dbus, firewalld.direct, firewalld, firewall-cmd
+- spec file:
+ - filesystem subpackage
+ - make dirs&files in /usr/lib/ world-readable (RHBZ#915988)
+
+* Tue Oct 14 2014 Jiri Popelka - 0.3.12-1
+- firewalld:
+ - new runtimeToPermanent and tracked passsthrough support
+ - make permanent D-Bus interfaces more fine grained like the runtime versions (RHBZ#1127706)
+ - richLanguage: allow using destination with forward-port
+ - Rich_Rule.check(): action can't be used with icmp-block/forward-port/masquerade
+ - fixed Python specific D-Bus exception (RHBZ#1132441)
+- firewall-cmd:
+ - new --runtime-to-permanent to create permanent from runtime configuration
+ - use new D-Bus methods for permanent changes
+ - show target REJECT instead of %%REJECT%% (RHBZ#1058794)
+ - --direct: make fail messages consistent (RHBZ#1141835)
+- firewall-config:
+ - richRuleDialog - OK button tooltip indicates problem
+ - use new D-Bus methods for permanent changes
+ - show target REJECT instead of %%REJECT%% (RHBZ#1058794)
+ - update "Change Zones of Connections" menu on default zone change (RHBZ#11120212)
+ - fixed rename of zones, services and icmptypes to not create new entry (RBHZ#1131064)
+- configuration:
+ - new service for Squid HTTP proxy server
+ - new service for Kerberos admin server
+ - new services for syslog and syslog-tls
+ - new services for SNMP and SNMP traps
+ - add Keywords to .desktop to improve software searchability
+- docs:
+ - updated translations
+ - firewalld.richlanguage: improvements suggested by Rufe Glick
+ - firewalld.dbus: various improvements
+ - firewalld.zone: better description of Limit tag
+ - mention new homepage everywhere
+
+* Wed Aug 27 2014 Jiri Popelka - 0.3.11-3
+- Quiet systemctl if cups-browsed.service is not installed
+
+* Mon Aug 25 2014 Jiri Popelka - 0.3.11-2
+- add few Requires to spec (RHBZ#1133167)
+
+* Wed Aug 20 2014 Jiri Popelka - 0.3.11-1
+- firewalld:
+ - improve error messages
+ - check built-in
chains in direct chain handling functions (RHBZ#1120619)
+ - dbus_to_python() check whether input is of expected type (RHBZ#1122018)
+ - handle negative timeout values (RHBZ#1124476)
+ - warn when Command/Uid/Use/Context already in lockdown whitelist (RHBZ#1126405)
+ - make --lockdown-{on,off} work again (RHBZ#1111573)
+- firewall-cmd:
+ - --timeout now accepts time units (RHBZ#994044)
+- firewall-config:
+ - show active (not default) zones in bold (RHBZ#993655)
+- configuration:
+ - remove ipp-client service from all zones (RHBZ#1105639).
+ - fallbacks for missing values in firewalld.conf
+ - create missing dirs under /etc if needed
+ - add -Es to python command in lockdown-whitelist.xml (RHBZ#1099065)
+- docs:
+ - 'direct' methods concern only chains/rules added via 'direct' (RHBZ#1120619)
+ - --remove-[interface/source] don't need a zone to be specified (RHBZ#1125851)
+ - various fixes in firewalld.zone(5), firewalld.dbus(5), firewalld.direct(5)
+- others:
+ - rpm macros for easier packaging of e.g.
services + +* Tue Jul 22 2014 Thomas Woerner - 0.3.10-5 +- Fixed wrong default zone names for server and workstation (RHBZ#1120296) + +* Tue Jul 8 2014 Thomas Woerner - 0.3.10-4 +- renamed fedora specific zones to FedoraServer and FedoraWorkstation for + zone name limitations (length and allowed chars) + +* Mon Jul 7 2014 Thomas Woerner - 0.3.10-3 +- New support for Fedora per-product configuration settings for Fedora.next + https://fedoraproject.org/wiki/Per-Product_Configuration_Packaging_Draft +- Added Fedora server zone (RHBZ#1110711) +- Added Fedora workstation zone(RHBZ#1113775) + +* Sat Jun 07 2014 Fedora Release Engineering - 0.3.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 28 2014 Jiri Popelka - 0.3.10-1 +- new services: freeipa-*, puppermaster, amanda-k5, synergy, + xmpp-*, tor, privoxy, sane +- do not use at_console in D-Bus policies (RHBZ#1094745) +- apply all rich rules for non-default targets +- AppData file (RHBZ#1094754) +- separate Polkit actions for desktop & server (RHBZ#1091068) +- sanitize missing ip6t_rpfilter (RHBZ#1074427) +- firewall/core/io/*: few improvements (RHBZ#1065738) +- no load failed error for absent direct.xml file +- new DBUS_INTERFACE.getZoneSettings to get all run-time zone settings +- fixed creation and deletion of zones, services and icmptypes over D-Bus signals +- FirewallClientZoneSettings: Set proper default target +- if Python2 then encode strings from sax parser (RHBZ#1059104, RHBZ#1058853) +- firewall-cmd: + - don't colour output of query commands (RHBZ#1097841) + - use "default" instead of {chain}_{zone} (RHBZ#1075675) + - New --get-target and --set-target + - Create and remove permanent zones, services and icmptypes +- firewall-config: + - Adding services and icmptypes resulted in duplicates in UI + - Use left button menu of -applet in Option menu +- firewall-offline-cmd: same functionality as 'firewall-cmd --permanent' +- firewall-applet: ZoneConnectionEditor was missing the 
Default Zone entry +- bash-completion: getting zones/services/icmps is different with/without --permanent +- firewalld.zone(5): removed superfluous slash (RHBZ#1091575) +- updated translations + +* Wed Feb 05 2014 Jiri Popelka - 0.3.9.3-1 +- Fixed persistent port forwarding (RHBZ#1056154) +- Stop default zone rules being applied to all zones (RHBZ#1057875) +- Enforce trust, block and drop zones in the filter table only (RHBZ#1055190) +- Allow RAs prior to applying IPv6_rpfilter (RHBZ#1058505) +- Fix writing of rule.audit in zone_writer() + +* Fri Jan 17 2014 Jiri Popelka - 0.3.9.2-1 +- fix regression introduced in 0.3.9 (RHBZ#1053932) + +* Thu Jan 16 2014 Jiri Popelka - 0.3.9.1-1 +- fix regressions introduced in 0.3.9 (RHBZ#1054068, RHBZ#1054120) + +* Mon Jan 13 2014 Jiri Popelka - 0.3.9-1 +- translation updates +- New IPv6_rpfilter setting to enable source address validation (RHBZ#847707) +- Do not mix original and customized zones in case of target changes, + apply only used zones +- firewall-cmd: fix --*_lockdown_whitelist_uid to work with uid 0 +- Don't show main window maximized. 
(RHBZ#1046811) +- Use rmmod instead of 'modprobe -r' (RHBZ#1031102) +- Deprecate 'enabled' attribute of 'masquerade' element +- firewall-config: new zone was added twice to the list +- firewalld.dbus(5) +- Enable python shebang fix again +- firewall/client: handle_exceptions: Use loop in decorator +- firewall-offline-cmd: Do not mask firewalld service with disabled option +- firewall-config: richRuleDialogActionRejectType Entry -> ComboBox +- Rich_Rule: fix parsing of reject element (RHBZ#1027373) +- Show combined zones in permanent configuration (RHBZ#1002016) +- firewall-cmd(1): document exit code 2 and colored output (RHBZ#1028507) +- firewall-config: fix RHBZ#1028853 + +* Tue Nov 05 2013 Jiri Popelka - 0.3.8-1 +- fix memory leaks +- New option --debug-gc +- Python3 compatibility +- Better non-ascii support +- several firewall-config & firewall-applet fixes +- New --remove-rules commands for firewall-cmd and removeRules methods for D-Bus +- Fixed FirewallDirect.get_rules to return proper list +- Fixed LastUpdatedOrderedDict.keys() +- Enable rich rule usage in trusted zone (RHBZ#994144) +- New error codes: INVALID_CONTEXT, INVALID_COMMAND, INVALID_USER and INVALID_UID + +* Thu Oct 17 2013 Jiri Popelka - 0.3.7-1 +- Don't fail on missing ip[6]tables/ebtables table. 
(RHBZ#967376) +- bash-completion: --permanent --direct options +- firewall/core/fw.py: fix checking for iptables & ip6tables (RHBZ#1017087) +- firewall-cmd: use client's exception_handler instead of catching exceptions ourselves +- FirewallClientZoneSettings: fix {add|remove|query}RichRule() +- Extend amanda-client service with 10080/tcp (RHBZ#1016867) +- Simplify Rich_Rule()_lexer() by using functions.splitArgs() +- Fix encoding problems in exception handling (RHBZ#1015941) + +* Fri Oct 04 2013 Jiri Popelka - 0.3.6.2-1 +- firewall-offline-cmd: --forward-port 'toaddr' is optional (RHBZ#1014958) +- firewall-cmd: fix variable name (RHBZ#1015011) + +* Thu Oct 03 2013 Jiri Popelka - 0.3.6.1-1 +- remove superfluous po files from archive + +* Wed Oct 02 2013 Jiri Popelka - 0.3.6-1 +- firewalld.richlanguage.xml: correct log levels (RHBZ#993740) +- firewall-config: Make sure that all zone settings are updated properly on firewalld restart +- Rich_Limit: Allow long representation for duration (RHBZ#994103 +- firewall-config: Show "Changes applied." after changes (RHBZ#993643) +- Use own connection dialog to change zones for NM connections +- Rename service cluster-suite to high-availability (RHBZ#885257) +- Permanent direct support for firewall-config and firewall-cmd +- Try to avoid file descriptor leaking (RHBZ#951900) +- New functions to split and join args properly (honoring quotes) +- firewall-cmd(1): 2 simple examples +- Better IPv6 NAT checking. +- Ship firewalld.direct(5). 
+ +* Mon Sep 30 2013 Jiri Popelka - 0.3.5-1 +- Only use one PK action for configuration (RHBZ#994729) +- firewall-cmd: indicate non-zero exit code with red color +- rich-rule: enable to have log without prefix & log_level & limit +- log-level warn/err -> warning/error (RHBZ#1009436) +- Use policy DROP while reloading, do not reset policy in restart twice +- Add _direct chains to all table and chain combinations +- documentation improvements +- New firewalld.direct(5) man page docbook source +- tests/firewall-cmd_test.sh: make rich language tests work +- Rich_Rule._import_from_string(): improve error messages (RHBZ#994150) +- direct.passthrough wasn't always matching out_signature (RHBZ#967800) +- firewall-config: twist ICMP Type IP address family logic. +- firewall-config: port-forwarding/masquerading dialog (RHBZ#993658) +- firewall-offline-cmd: New --remove-service= option (BZ#969106) +- firewall-config: Options->Lockdown was not changing permanent. +- firewall-config: edit line on doubleclick (RHBZ#993572) +- firewall-config: System Default Zone -> Default Zone (RHBZ#993811) +- New direct D-Bus interface, persistent direct rule handling, enabled passthough +- src/firewall-cmd: Fixed help output to use more visual parameters +- src/firewall-cmd: New usage output, no redirection to man page anymore +- src/firewall/core/rich.py: Fixed forwad port destinations +- src/firewall-offline-cmd: Early enable/disable handling now with mask/unmask +- doc/xml/firewalld.zone.xml: Added more information about masquerade use +- Prefix to log message is optional (RHBZ#998079) +- firewall-cmd: fix --permanent --change-interface (RHBZ#997974) +- Sort zones/interfaces/service/icmptypes on output. 
+- wbem-https service (RHBZ#996668) +- applet&config: add support for KDE NetworkManager connection editor +- firewall/core/fw_config.py: New method update_lockdown_whitelist +- Added missing file watcher for lockdown whitelist in config D-Bus interface +- firewall/core/watcher: New add_watch_file for lockdown-whitelist and direct +- Make use of IPv6 NAT conditional, based on kernel number (RHBZ#967376) + +* Tue Jul 30 2013 Thomas Woerner 0.3.4-1 +- several rich rule check enhancements and fixes +- firewall-cmd: direct options - check ipv4|ipv6|eb (RHBZ#970505) +- firewall-cmd(1): improve description of direct options (RHBZ#970509) +- several firewall-applet enhancements and fixes +- New README +- several doc and man page fixes +- Service definitions for PCP daemons (RHBZ#972262) +- bash-completion: add lockdown and rich language options +- firewall-cmd: add --permanent --list-all[-zones] +- firewall-cmd: new -q/--quiet option +- firewall-cmd: warn when default zone not active (RHBZ#971843) +- firewall-cmd: check priority in --add-rule (RHBZ#914955) +- add dhcpv6 (for server) service (RHBZ#917866) +- firewall-cmd: add --permanent --get-zone-of-interface/source --change-interface/source +- firewall-cmd: print result (yes/no) of all --query-* commands +- move permanent-getZoneOf{Interface|Source} from firewall-cmd to server +- Check Interfaces/sources when updating permanent zone settings. 
+- FirewallDConfig: getZoneOfInterface/Source can actually return more zones +- Fixed toaddr check in forward port to only allow single address, no range +- firewall-cmd: various output improvements +- fw_zone: use check_single_address from firewall.functions +- getZoneOfInterface/Source does not need to throw exception +- firewall.functions: Use socket.inet_pton in checkIP, fixed checkIP*nMask +- firewall.core.io.service: Properly check port/proto and destination address +- Install applet desktop file into /etc/xdg/autostart +- Fixed option problem with rich rule destinations (RHBZ#979804) +- Better exception creation in dbus_handle_exceptions() decorator (RHBZ#979790) +- Updated firewall-offline-cmd +- Use priority in add, remove, query and list of direct rules (RHBZ#979509) +- New documentation (man pages are created from docbook sources) +- firewall/core/io/direct.py: use prirority for rule methods, new get_all_ methods +- direct: pass priority also to client.py and firewall-cmd +- applet: New blink and blink-count settings +- firewall.functions: New function ppid_of_pid +- applet: Check for gnome3 and fix it, use new settings, new size-changed cb +- firewall-offline-cmd: Fix use of systemctl in chroot +- firewall-config: use string.ascii_letters instead of string.letters +- dbus_to_python(): handle non-ascii chars in dbus.String. +- Modernize old syntax constructions. +- dict.keys() in Python 3 returns a "view" instead of list +- Use gettext.install() to install _() in builtins namespace. 
+- Allow non-ascii chars in 'short' and 'description' +- README: More information for "Working With The Source Repository" +- Build environment fixes +- firewalld.spec: Added missing checks for rhel > 6 for pygobject3-base +- firewall-applet: New setting show-inactive +- Don't stop on reload when lockdown already enabled (RHBZ#987403) +- firewall-cmd: --lockdown-on/off did not touch firewalld.conf +- FirewallApplet.gschema.xml: Dropped unused sender-info setting +- doc/firewall-applet.xml: Added information about gsettings +- several debug and log message fixes +- Add chain for sources so they can be checked before interfaces (RHBZ#903222) +- Add dhcp and proxy-dhcp services (RHBZ#986947) +- io/Zone(): don't error on deprecated family attr of source elem +- Limit length of zone file name (to 12 chars) due to Netfilter internals. +- It was not possible to overload a zone with defined source(s). +- DEFAULT_ZONE_TARGET: {chain}_ZONE_{zone} -> {chain}_{zone} +- New runtime getSettings for services and icmptypes, fixed policies callbacks +- functions: New functions checkUser, checkUid and checkCommand +- src/firewall/client: Fixed lockdown-whitelist-updated signal handling +- firewall-cmd(1): move firewalld.richlanguage(5) reference in --*-rich-rule +- Rich rule service: Only add modules for accept action +- firewall/core/rich: Several fixes and enhanced checks +- Fixed reload of direct rules +- firewall/client: New functions to set and get the exception handler +- firewall-config: New and enhanced UI to handle lockdown and rich rules +- zone's immutable attribute is redundant +- Do not allow to set settings in config for immutable zones. +- Ignore deprecated 'immutable' attribute in zone files. +- Eviscerate 'immutable' completely. 
+- FirewallDirect.query_rule(): fix it +- permanent direct: activate firewall.core.io.direct:Direct reader +- core/io/*: simplify getting of character data +- FirewallDirect.set_config(): allow reloading + +* Thu Jun 20 2013 Jiri Popelka +- Remove migrating to a systemd unit file from a SysV initscript +- Remove pointless "ExclusiveOS" tag + +* Fri Jun 7 2013 Thomas Woerner 0.3.3-2 +- Fixed rich rule check for use in D-Bus + +* Thu Jun 6 2013 Thomas Woerner 0.3.3-1 +- new service files +- relicensed logger.py under GPLv2+ +- firewall-config: sometimes we don't want to use client's exception handler +- When removing Service/IcmpType remove it from zones too (RHBZ#958401) +- firewall-config: work-around masquerade_check_cb() being called more times +- Zone(IO): add interfaces/sources to D-Bus signature +- Added missing UNKNOWN_SOURCE error code +- fw_zone.check_source: Raise INVALID_FAMILY if family is invalid +- New changeZoneOfInterface method, marked changeZone as deprecated +- Fixed firewall-cmd man page entry for --panic-on +- firewall-applet: Fixed possible problems of unescaped strings used for markup +- New support to bind zones to source addresses and ranges (D-BUS, cmd, applet +- Cleanup of unused variables in FirewallD.start +- New firewall/fw_types.py with LastUpdatedOrderedDict +- direct.chains, direct.rules: Using LastUpdatedOrderedDict +- Support splitted zone files +- New reader and writer for stored direct chains and rules +- LockdownWhitelist: fix write(), add get_commands/uids/users/contexts() +- fix service_writer() and icmptype_writer() to put newline at end of file +- firewall-cmd: fix --list-sources +- No need to specify whether source address family is IPv4 or IPv6 +- add getZoneOfSource() to D-Bus interface +- Add tests and bash-completion for the new "source" operations +- Convert all input args in D-Bus methods +- setDefaultZone() was calling accessCheck() *after* the action +- New uniqify() function to remove duplicates from list whilst 
preserving order +- Zone.combine() merge also services and ports +- config/applet: silence DBusException during start when FirewallD is not running (RHBZ#966518) +- firewall-applet: more fixes to make the address sources family agnostic +- Better defaults for lockdown white list +- Use auth_admin_keep for allow_any and allow_inactive also +- New D-Bus API for lockdown policies +- Use IPv4, IPv6 and BRIDGE for FirewallD properties +- Use rich rule action as audit type +- Prototype of string-only D-Bus interface for rich language +- Fixed wrongly merged source family check in firewall/core/io/zone.py +- handle_cmr: report errors, cleanup modules in error case only, mark handling +- Use audit type from rule action, fixed rule output +- Fixed lockdown whitelist D-Bus handling method names +- New rich rule handling in runtime D-Bus interface +- Added interface, source and rich rule handling (runtime and permanent) +- Fixed dbus_obj in FirewallClientConfigPolicies, added queryLockdown +- Write changes in setLockdownWhitelist +- Fixed typo in policies log message in method calls +- firewall-cmd: Added rich rule, lockdown and lockdown whitelist handling +- Don't check access in query/getLockdownWhitelist*() +- firewall-cmd: Also output masquerade flag in --list-all +- firewall-cmd: argparse is able to convert argument to desired type itself +- firewall-cmd_test.sh: tests for permanent interfaces/sources and lockdown whitelist +- Makefile.am: add missing files +- firewall-cmd_test.sh: tests for rich rules +- Added lockdown, source, interface and rich rule docs to firewall-cmd +- Do not masquerade lo if masquerade is enabled in the default zone (RHBZ#904098) +- Use in metavar for firewall-cmd parser + +* Fri May 10 2013 Jiri Popelka - 0.3.2-2 +- removed unintentional en_US.po from tarball + +* Tue Apr 30 2013 Jiri Popelka - 0.3.2-1 +- Fix signal handling for SIGTERM +- Additional service files (RHBZ#914859) +- Updated po files +- s/persistent/permanent/ (Trac Ticket #7) +- 
Better behaviour when running without valid DISPLAY (RHBZ#955414) +- client.handle_exceptions(): do not loop forever +- Set Zone.defaults in zone_reader (RHBZ#951747) +- client: do not pass the dbus exception name to handler +- IO_Object_XMLGenerator: make it work with Python 2.7.4 (RHBZ#951741) +- firewall-cmd: do not use deprecated BaseException.message +- client.py: fix handle_exceptions() (RHBZ#951314) +- firewall-config: check zone/service/icmptype name (RHBZ#947820) +- Allow 3121/tcp (pacemaker_remote) in cluster-suite service. (RHBZ#885257) +- firewall-applet: fix default zone hangling in 'shields-up' (RHBZ#947230) +- FirewallError.get_code(): check for unknown error + +* Wed Apr 17 2013 Jiri Popelka - 0.3.1-2 +- Make permanenent changes work with Python 2.7.4 (RHBZ#951741) + +* Thu Mar 28 2013 Thomas Woerner 0.3.1-1 +- Use explicit file lists for make dist +- New rich rule validation check code +- New global check_port and check_address functions +- Allow source white and black listing with the rich rule +- Fix error handling in case of unsupported family in rich rule +- Enable ip_forwarding in masquerade and forward-port +- New functions to read and write simple files using filename and content +- Add --enable-sysconfig to install Fedora-specific sysconfig config file. +- Add chains for security table (RHBZ#927015) +- firewalld.spec: no need to specify --with-systemd-unitdir +- firewalld.service: remove syslog.target and dbus.target +- firewalld.service: replace hard-coded paths +- Move bash-completion to new location. 
+- Revert "Added configure for new build env" +- Revert "Added Makefile.in files" +- Revert "Added po/Makefile.in.in" +- Revert "Added po/LINGUAS" +- Revert "Added aclocal.m4" +- Amend zone XML Schema + +* Wed Mar 20 2013 Thomas Woerner 0.3.0-1 +- Added rich language support +- Added lockdown feature +- Allow to bind interfaces and sources to zones permanently +- Enabled IPv6 NAT support + masquerading and port/packet forwarding for IPv6 only with rich language +- Handle polkit errors in client class and firewall-config +- Added priority description for --direct --add-rule in firewall-cmd man page +- Add XML Schemas for zones/services/icmptypes XMLs +- Don't keep file descriptors open when forking +- Introduce --nopid option for firewalld +- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782) +- Update cluster-suite service (RHBZ#885257) +- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912) +- Fix interaction problem of changed event of gtk combobox with polkit-kde + by processing all remaining events (RHBZ#915892) +- Stop default zone rules being applied to all zones (RHBZ#912782) +- Firewall.start(): don't call set_default_zone() +- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages +- firewalld-cmd: make --state verbose (RHBZ#886484) +- improve firewalld --help (RHBZ#910492) +- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834) +- Continue loading zone in case of wrong service/port etc. (RHBZ#909466) +- Check also services and icmptypes in Zone() (RHBZ#909466) +- Increase the maximum length of the port forwarding fields from 5 to 11 in + firewall-config +- firewall-cmd: add usage to fail message +- firewall-cmd: redefine usage to point to man page +- firewall-cmd: fix visible problems with arg. 
parsing +- Use argparse module for parsing command line options and arguments +- firewall-cmd.1: better clarify where to find ACTIONs +- firewall-cmd Bash completion +- firewall-cmd.1: comment --zone= usage and move some options +- Use zone's target only in %%s_ZONES chains +- default zone in firewalld.conf was set to public with every restart (#902845) +- man page cleanup +- code cleanup + +* Thu Mar 07 2013 Jiri Popelka - 0.2.12-5 +- Another fix for RHBZ#912782 + +* Wed Feb 20 2013 Jiri Popelka - 0.2.12-4 +- Stop default zone rules being applied to all zones (RHBZ#912782) + +* Wed Feb 13 2013 Fedora Release Engineering - 0.2.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Jan 22 2013 Jiri Popelka - 0.2.12-2 +- Default zone in firewalld.conf was reseted with every restart (RHBZ#902845) +- Add icon cache related scriptlets for firewall-config (RHBZ#902680) +- Fix typo in firewall-config (RHBZ#895812) +- Fix few mistakes in firewall-cmd(1) man page + +* Mon Jan 14 2013 Thomas Woerner 0.2.12-1 +- firewall-cmd: use -V instead of -v for version info (RHBZ#886477) +- firewall-cmd: don't check reload()'s return value (RHBZ#886461) +- actually install firewalld.zones.5 +- firewall-config: treat exceptions when adding new zone/service/icmp + (RHBZ#886602) +- firewalld.spec: Fixed requirements of firewall-config to use gtk2 and + pygobject3 +- Fail gracefully when running in non X environment.(RHBZ#886551) +- offline-cmd: fail gracefully when no s-c-f config +- fix duplicated iptables rules (RHBZ#886515) +- detect errors and duplicates in config file (RHBZ#886581) +- firewall-config: don't make 'Edit Service' and 'Edit ICMP Type' insensitive +- firewalld.spec: fixed requirements, require pygobject3-base +- frewall-applet: Unused code cleanup +- firewall-applet: several usability fixes and enhancements + (RHBZ#886531) (RHBZ#886534) +- firewall/server/server.py: fixed KeyboardInterrupt message (RHBZ#886558) +- Moved fallback zone and 
minimal_mark to firewall.config.__init__ +- Do not raise ZONE_ALREADY_SET in change_zone if old zone is set again + (RHBZ#886432) +- Make default zone default for all unset connections/interfaces + (RHBZ#888288) (RHBZ#882736) +- firewall-config: Use Gtk.MessageType.WARNING for warning dialog +- firewall-config: Handle unknown services and icmptypes in persistent mode +- firewall-config: Do not load settings more than once +- firewall-config: UI cleanup and fixes (RHBZ#888242) +- firewall-cmd: created alias --change-zone for --change-interface +- firewall-cmd man page updates (RHBZ#806511) +- Merged branch 'build-cleanups' +- dropped call to autogen.sh in build stage, not needed anymore due to + 'build-cleanups' merge + +* Thu Dec 13 2012 Thomas Woerner 0.2.11-2 +- require pygobject3-base instead of pygobject3 (no cairo needed) (RHBZ#874378) +- fixed dependencies of firewall-config to use gtk3 with pygobject3-base and + not pygtk2 + +* Tue Dec 11 2012 Thomas Woerner 0.2.11-1 +- Fixed more _xmlplus (PyXML) incompatibilities to python xml +- Several man page updates +- Fixed error in addForwardPort, removeForwardPort and queryForwardPort +- firewall-cmd: use already existing queryForwardPort() +- Update firewall.cmd man page, use man page as firewall-cmd usage (rhbz#876394) +- firewall-config: Do not force to show labels in the main toolbar +- firewall-config: Dropped "Change default zone" from toolbar +- firewall-config: Added menu entry to change zones of connections +- firewall-applet: Zones can be changed now using nm-connection-editor + (rhbz#876661) +- translation updates: cs, hu, ja + +* Tue Nov 20 2012 Thomas Woerner 0.2.10-1 +- tests/firewalld_config.py: tests for config.service and config.icmptype +- FirewallClientConfigServiceSettings(): destinations are dict not list +- service/zone/icmptype: do not write deprecated name attribute +- New service ntp +- firewall-config: Fixed name of about dialog +- configure.in: Fixed getting of error codes +- Added coding 
to all pyhton files +- Fixed copyright years +- Beautified file headers +- Force use of pygobject3 in python-slip (RHBZ#874378) +- Log: firewall.server.config_icmptype, firewall.server.config_service and + firewall.server.config_zone: Prepend full path +- Allow ":" in interface names for interface aliases +- Add name argument to Updated and Renamed signal +- Disable IPv4, IPv6 and EB tables if missing - for IPv4/IPv6 only environments +- firewall-config.glade file cleanup +- firewall-config: loadDefaults() can throw exception +- Use toolbars for Add/Edit/Remove/LoadDefaults buttons for zones, services + and icmp types +- New vnc-server service, opens ports for displays :0 to :3 (RHBZ#877035) +- firewall-cmd: Fix typo in help output, allow default zone usage for + permanenent options +- Translation updates: cs, fr, ja, pt_BR and zh_CN + +* Wed Oct 17 2012 Thomas Woerner 0.2.9-1 +- firewall-config: some UI usability changes +- firewall-cmd: New option --list-all-zones, output of --list-all changed, + more option combination checks +- firewall-applet: Replaced NMClient by direct DBUS calls to fix python core + dumps in case of connection activates/deactivates +- Use fallback 'C' locale if current locale isn't supported (RHBZ#860278) +- Add interfaces to zones again after reload +- firewall-cmd: use FirewallClient().connected value +- firewall-cmd: --remove-interface was not working due to a typo +- Do not use restorecon for new and backup files +- Fixed use of properties REJECT and DROP +- firewalld_test.py: check interfaces after reload +- Translation updates +- Renamed firewall-convert-scfw-config to firewall-offline-cmd, used by + anaconda for firewall configuration (e.g. 
kickstart) +- Fix python shebang to use -Es at installation time for bin_SCRIPTS and + sbin_SCRIPTS and at all times in gtk3_chooserbutton.py +- tests/firewalld_config.py: update test_zones() test case +- Config interface: improve renaming of zones/services/icmp_types +- Move emiting of Added signals closer to source. +- FirewallClient(): config:ServiceAdded signal was wrongly mapped +- Add argument 'name' to Removed signal +- firewall-config: Add callbacks for config:[service|icmp]-[added|removed] +- firewall-config: catch INVALID_X error when removing zone/service/icmp_type +- firewall-config: remove unused code +- Revert "Neutralize _xmlplus instead of conforming it" +- firewall-applet: some UI usability changes +- firewall-cmd: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings + +* Fri Sep 7 2012 Thomas Woerner 0.2.8-1 +- Do not apply old settings to zones after reload +- FirewallClient: Added callback structure for firewalld signals +- New firewall-config with full zone, service and icmptype support +- Added Shields Up/Down configuration dialog to firewall-applet +- Name attribute of main tag deprecated for zones, services and icmptypes, + will be ignored if present +- Fixed wrong references in firewalld man page +- Unregister DBus interfaces after sending out the Removed signal +- Use proper DBus signature in addIcmpType, addService and addZone +- New builtin property for config interfaces +- New test case for Config interface +- spec: use new systemd-rpm macros (rhbz#850110) +- More config file verifications +- Lots of smaller fixes and enhancements + +* Tue Aug 21 2012 Jiri Popelka 0.2.7-2 +- use new systemd-rpm macros (rhbz#850110) + +* Mon Aug 13 2012 Thomas Woerner 0.2.7-1 +- Update of firewall-config +- Some bug fixes + +* Tue Aug 7 2012 Thomas Woerner 0.2.6-1 +- New D-BUS interface for persistent configuration +- Aded support for persistent zone configuration in firewall-cmd +- New Shields Up feature in firewall-applet +- New requirements for 
python-decorator and pygobject3 +- New firewall-config sub-package +- New firewall-convert-scfw-config config script + +* Fri Apr 20 2012 Thomas Woerner 0.2.5-1 +- Fixed traceback in firewall-cmd for failed or canceled authorization, + return proper error codes, new error codes NOT_RUNNING and NOT_AUTHORIZED +- Enhanced firewalld service file (RHBZ#806868) and (RHBZ#811240) +- Fixed duplicates in zone after reload, enabled timed settings after reload +- Removed conntrack --ctstate INVALID check from default ruleset, because it + results in ICMP problems (RHBZ#806017). +- Update interfaces in default zone after reload (rhbz#804814) +- New man pages for firewalld(1), firewalld.conf(5), firewalld.icmptype(5), + firewalld.service(5) and firewalld.zone(5), updated firewall-cmd man page + (RHBZ#811257) +- Fixed firewall-cmd help output +- Fixed missing icon for firewall-applet (RHBZ#808759) +- Added root user check for firewalld (RHBZ#767654) +- Fixed requirements of firewall-applet sub package (RHBZ#808746) +- Update interfaces in default zone after changing of default zone (RHBZ#804814) +- Start firewalld before NetworkManager (RHBZ#811240) +- Add Type=dbus and BusName to service file (RHBZ#811240) + +* Fri Mar 16 2012 Thomas Woerner 0.2.4-1 +- fixed firewalld.conf save exception if no temporary file can be written to + /etc/firewalld/ + +* Thu Mar 15 2012 Thomas Woerner 0.2.3-1 +- firewall-cmd: several changes and fixes +- code cleanup +- fixed icmp protocol used for ipv6 (rhbz#801182) +- added and fixed some comments +- properly restore zone settings, timeout is always set, check for 0 +- some FirewallError exceptions were actually not raised +- do not REJECT in each zone +- removeInterface() don't require zone +- new tests in firewall-test script +- dbus_to_python() was ignoring certain values +- added functions for the direct interface: chains, rules, passthrough +- fixed inconsistent data after reload +- some fixes for the direct interface: priority positions are 
bound to ipv, + table and chain +- added support for direct interface in firewall-cmd: +- added isImmutable(zone) to zone D-Bus interface +- renamed policy file +- enhancements for error messages, enables output for direct.passthrough +- added allow_any to firewald policies, using at leas auth_admin for policies +- replaced ENABLE_FAILED, DISABLE_FAILED, ADD_FAILED and REMOVE_FAILED by + COMMAND_FAILED, resorted error codes +- new firewalld configuration setting CleanupOnExit +- enabled polkit again, found a fix for property problem with slip.dbus.service +- added dhcpv6-client to 'public' (the default) and to 'internal' zones. +- fixed missing settings form zone config files in + "firewall-cmd --list=all --zone=" call +- added list functions for services and icmptypes, added --list=services and + --list=icmptypes to firewall-cmd + +* Tue Mar 6 2012 Thomas Woerner 0.2.2-1 +- enabled dhcpv6-client service for zones home and work +- new dhcpv6-client service +- firewall-cmd: query mode returns reversed values +- new zone.changeZone(zone, interface) +- moved zones, services and icmptypes to /usr/lib/firewalld, can be overloaded + by files in /etc/firewalld (no overload of immutable zones block, drop, + trusted) +- reset MinimalMark in firewalld.cnf to default value +- fixed service destination (addresses not used) +- fix xmlplus to be compatible with the python xml sax parser and python 3 + by adding __contains__ to xml.sax.xmlreader.AttributesImpl +- use icon and glib related post, postun and posttrans scriptes for firewall +- firewall-cmd: fix typo in state +- firewall-cmd: fix usage() +- firewall-cmd: fix interface action description in usage() +- client.py: fix definition of queryInterface() +- client.py: fix typo in getInterfaces() +- firewalld.service: do not fork +- firewall-cmd: fix bug in --list=port and --port action help message +- firewall-cmd: fix bug in --list=service + +* Mon Mar 5 2012 Thomas Woerner +- moved zones, services and icmptypes to 
/usr/lib/firewalld, can be overloaded + by files in /etc/firewalld (no overload of immutable zones block, drop, + trusted) + +* Tue Feb 21 2012 Thomas Woerner 0.2.1-1 +- added missing firewall.dbus_utils + +* Tue Feb 7 2012 Thomas Woerner 0.2.0-2 +- added glib2-devel to build requires, needed for gsettings.m4 +- added --with-system-unitdir arg to fix installaiton of system file +- added glib-compile-schemas calls for postun and posttrans +- added EXTRA_DIST file lists + +* Mon Feb 6 2012 Thomas Woerner 0.2.0-1 +- version 0.2.0 with new FirewallD1 D-BUS interface +- supports zones with a default zone +- new direct interface as a replacement of the partial virt interface with + additional passthrough functionality +- dropped custom rules, use direct interface instead +- dropped trusted interface funcionality, use trusted zone instead +- using zone, service and icmptype configuration files +- not using any system-config-firewall parts anymore + +* Mon Feb 14 2011 Thomas Woerner 0.1.3-1 +- new version 0.1.3 +- restore all firewall features for reload: panic and virt rules and chains +- string fixes for firewall-cmd man page (by Jiri Popelka) +- fixed firewall-cmd port list (by Jiri Popelka) +- added firewall dbus client connect check to firewall-cmd (by Jiri Popelka) +- translation updates: de, es, gu, it, ja, kn, ml, nl, or, pa, pl, ru, ta, + uk, zh_CN + +* Mon Jan 3 2011 Thomas Woerner 0.1.2-1 +- fixed package according to package review (rhbz#665395): + - non executable scripts: dropped shebang + - using newer GPL license file + - made /etc/dbus-1/system.d/FirewallD.conf config(noreplace) + - added requires(post) and (pre) for chkconfig + +* Mon Jan 3 2011 Thomas Woerner 0.1.1-1 +- new version 0.1.1 +- fixed source path in POTFILES* +- added missing firewall_config.py.in +- added misssing space for spec_ver line +- using firewall_config.VARLOGFILE +- added date to logging output +- also log fatal and error logs to stderr and firewall_config.VARLOGFILE +- make log 
message for active_firewalld fatal
+
+* Mon Dec 20 2010 Thomas Woerner 0.1-1
+- initial package (proof of concept implementation)
diff --git a/sources b/sources
new file mode 100644
index 0000000..40cbb9c
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (firewalld-0.9.3.tar.gz) = 9be24a2186179a347cb4c29137423e4a4dcf5faf8fad28bc5258383d6415b1c5fad049dcb20312f6c80181a6a3cf72ecb9b6bcaee1b2a82399674aedc9d568bb
diff --git a/v1.0.0-0003-feat-service-add-galera-service.patch b/v1.0.0-0003-feat-service-add-galera-service.patch
new file mode 100644
index 0000000..3878c19
--- /dev/null
+++ b/v1.0.0-0003-feat-service-add-galera-service.patch
@@ -0,0 +1,55 @@
+From 78f004c3cbe01107aadd26771c07e479507f2d62 Mon Sep 17 00:00:00 2001
+From: Vrinda Punj
+Date: Tue, 1 Dec 2020 11:58:19 -0500
+Subject: [PATCH 03/22] feat(service): add galera service Fixes: rhbz1696260
+
+(cherry picked from commit 11632147677464cb7121d17526ead242e68be041)
+---
+ config/Makefile.am | 1 +
+ config/services/galera.xml | 9 +++++++++
+ po/POTFILES.in | 1 +
+ 3 files changed, 11 insertions(+)
+ create mode 100644 config/services/galera.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index fef3b55dc527..f844a5a00e2f 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -159,6 +159,7 @@ CONFIG_FILES = \
+ services/freeipa-replication.xml \
+ services/freeipa-trust.xml \
+ services/ftp.xml \
++ services/galera.xml \
+ services/ganglia-client.xml \
+ services/ganglia-master.xml \
+ services/git.xml \
+diff --git a/config/services/galera.xml b/config/services/galera.xml
+new file mode 100644
+index 000000000000..2305713fbcab
+--- /dev/null
++++ b/config/services/galera.xml
+@@ -0,0 +1,9 @@
++
++
++ Galera
++ MariaDB-Galera Database Server
++
++
++
++
++
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 666eb677855b..249cff8d0d2f 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -91,6 +91,7 @@ config/services/freeipa-ldap.xml
+ config/services/freeipa-replication.xml
+ config/services/freeipa-trust.xml
+ config/services/ftp.xml
++config/services/galera.xml
+ config/services/ganglia-client.xml
+ config/services/ganglia-master.xml
+ config/services/git.xml
+--
+2.27.0
+
diff --git a/v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch b/v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch
new file mode 100644
index 0000000..3257fac
--- /dev/null
+++ b/v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch
@@ -0,0 +1,242 @@ +From e399840e91c766531923c017ffa00bbc01e7bbe6 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 12 Feb 2021 14:23:21 -0500 +Subject: [PATCH 35/36] fix(ipset): normalize entries in CIDR notation + +This will convert things like 10.0.1.0/22 to 10.0.0.0/22. Fix up test +cases in which the error code changed due to this. + +(cherry picked from commit e4dc44fcfd214b27c718eb4d99d3b137495b9626) +--- + src/firewall/client.py | 9 ++++++++- + src/firewall/core/fw_ipset.py | 11 ++++++++++- + src/firewall/core/ipset.py | 13 +++++++++++++ + src/firewall/server/config_ipset.py | 10 ++++++++-- + src/tests/regression/rhbz1601610.at | 19 +++++++++++++------ + 5 files changed, 52 insertions(+), 10 deletions(-) + +diff --git a/src/firewall/client.py b/src/firewall/client.py +index 51bf09c8fad6..aa6bd7cd282b 100644 +--- a/src/firewall/client.py ++++ b/src/firewall/client.py +@@ -34,6 +34,7 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU + from firewall.dbus_utils import dbus_to_python + from firewall.functions import b2u + from firewall.core.rich import Rich_Rule ++from firewall.core.ipset import normalize_ipset_entry + from firewall import errors + from firewall.errors import FirewallError + +@@ -1616,12 +1617,16 @@ class FirewallClientIPSetSettings(object): + if "timeout" in self.settings[4] and \ + self.settings[4]["timeout"] != "0": + raise FirewallError(errors.IPSET_WITH_TIMEOUT) +- self.settings[5] = entries ++ _entries = set() ++ for _entry in dbus_to_python(entries, list): ++ _entries.add(normalize_ipset_entry(_entry)) ++ self.settings[5] = list(_entries) + @handle_exceptions + def addEntry(self, entry): + if "timeout" in self.settings[4] and \ + self.settings[4]["timeout"] != "0": + raise FirewallError(errors.IPSET_WITH_TIMEOUT) ++ entry = normalize_ipset_entry(entry) + if entry not in self.settings[5]: + self.settings[5].append(entry) + else: +@@ -1631,6 +1636,7 @@ class FirewallClientIPSetSettings(object): + if 
"timeout" in self.settings[4] and \ + self.settings[4]["timeout"] != "0": + raise FirewallError(errors.IPSET_WITH_TIMEOUT) ++ entry = normalize_ipset_entry(entry) + if entry in self.settings[5]: + self.settings[5].remove(entry) + else: +@@ -1640,6 +1646,7 @@ class FirewallClientIPSetSettings(object): + if "timeout" in self.settings[4] and \ + self.settings[4]["timeout"] != "0": + raise FirewallError(errors.IPSET_WITH_TIMEOUT) ++ entry = normalize_ipset_entry(entry) + return entry in self.settings[5] + + # ipset config +diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py +index 6ebda2d56213..e5348949413c 100644 +--- a/src/firewall/core/fw_ipset.py ++++ b/src/firewall/core/fw_ipset.py +@@ -24,7 +24,8 @@ + __all__ = [ "FirewallIPSet" ] + + from firewall.core.logger import log +-from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts ++from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \ ++ normalize_ipset_entry + from firewall.core.io.ipset import IPSet + from firewall import errors + from firewall.errors import FirewallError +@@ -189,6 +190,7 @@ class FirewallIPSet(object): + + def add_entry(self, name, entry): + obj = self.get_ipset(name, applied=True) ++ entry = normalize_ipset_entry(entry) + + IPSet.check_entry(entry, obj.options, obj.type) + if entry in obj.entries: +@@ -208,6 +210,7 @@ class FirewallIPSet(object): + + def remove_entry(self, name, entry): + obj = self.get_ipset(name, applied=True) ++ entry = normalize_ipset_entry(entry) + + # no entry check for removal + if entry not in obj.entries: +@@ -226,6 +229,7 @@ class FirewallIPSet(object): + + def query_entry(self, name, entry): + obj = self.get_ipset(name, applied=True) ++ entry = normalize_ipset_entry(entry) + if "timeout" in obj.options and obj.options["timeout"] != "0": + # no entries visible for ipsets with timeout + raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) +@@ -239,6 +243,11 @@ class FirewallIPSet(object): + 
def set_entries(self, name, entries): + obj = self.get_ipset(name, applied=True) + ++ _entries = set() ++ for _entry in entries: ++ _entries.add(normalize_ipset_entry(_entry)) ++ entries = list(_entries) ++ + for entry in entries: + IPSet.check_entry(entry, obj.options, obj.type) + if "timeout" not in obj.options or obj.options["timeout"] == "0": +diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py +index 0d632143ce13..5bb21856f648 100644 +--- a/src/firewall/core/ipset.py ++++ b/src/firewall/core/ipset.py +@@ -24,6 +24,7 @@ + __all__ = [ "ipset", "check_ipset_name", "remove_default_create_options" ] + + import os.path ++import ipaddress + + from firewall import errors + from firewall.errors import FirewallError +@@ -289,3 +290,15 @@ def remove_default_create_options(options): + IPSET_DEFAULT_CREATE_OPTIONS[opt] == _options[opt]: + del _options[opt] + return _options ++ ++def normalize_ipset_entry(entry): ++ """ Normalize IP addresses in entry """ ++ _entry = [] ++ for _part in entry.split(","): ++ try: ++ _part.index("/") ++ _entry.append(str(ipaddress.ip_network(_part, strict=False))) ++ except ValueError: ++ _entry.append(_part) ++ ++ return ",".join(_entry) +diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py +index 8c647bc29ab9..18ef5783de62 100644 +--- a/src/firewall/server/config_ipset.py ++++ b/src/firewall/server/config_ipset.py +@@ -33,7 +33,7 @@ from firewall.dbus_utils import dbus_to_python, \ + dbus_introspection_prepare_properties, \ + dbus_introspection_add_properties + from firewall.core.io.ipset import IPSet +-from firewall.core.ipset import IPSET_TYPES ++from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry + from firewall.core.logger import log + from firewall.server.decorators import handle_exceptions, \ + dbus_handle_exceptions, dbus_service_method +@@ -406,7 +406,10 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + in_signature='as') + @dbus_handle_exceptions + def 
setEntries(self, entries, sender=None): +- entries = dbus_to_python(entries, list) ++ _entries = set() ++ for _entry in dbus_to_python(entries, list): ++ _entries.add(normalize_ipset_entry(_entry)) ++ entries = list(_entries) + log.debug1("%s.setEntries('[%s]')", self._log_prefix, + ",".join(entries)) + self.parent.accessCheck(sender) +@@ -421,6 +424,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + @dbus_handle_exceptions + def addEntry(self, entry, sender=None): + entry = dbus_to_python(entry, str) ++ entry = normalize_ipset_entry(entry) + log.debug1("%s.addEntry('%s')", self._log_prefix, entry) + self.parent.accessCheck(sender) + settings = list(self.getSettings()) +@@ -436,6 +440,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + @dbus_handle_exceptions + def removeEntry(self, entry, sender=None): + entry = dbus_to_python(entry, str) ++ entry = normalize_ipset_entry(entry) + log.debug1("%s.removeEntry('%s')", self._log_prefix, entry) + self.parent.accessCheck(sender) + settings = list(self.getSettings()) +@@ -451,6 +456,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + @dbus_handle_exceptions + def queryEntry(self, entry, sender=None): # pylint: disable=W0613 + entry = dbus_to_python(entry, str) ++ entry = normalize_ipset_entry(entry) + log.debug1("%s.queryEntry('%s')", self._log_prefix, entry) + settings = list(self.getSettings()) + if "timeout" in settings[4] and settings[4]["timeout"] != "0": +diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at +index ede2c45b88c1..a716539a8acf 100644 +--- a/src/tests/regression/rhbz1601610.at ++++ b/src/tests/regression/rhbz1601610.at +@@ -6,11 +6,14 @@ CHECK_IPSET + FWD_CHECK([-q --new-ipset=foobar --permanent --type=hash:net]) + FWD_RELOAD + +-FWD_CHECK([-q --ipset=foobar --add-entry=10.1.1.0/22]) +-FWD_CHECK([-q --ipset=foobar --add-entry=10.1.2.0/22], 13, ignore, ignore) +-FWD_CHECK([-q --ipset=foobar --add-entry=10.2.0.0/22]) ++FWD_CHECK([--ipset=foobar 
--add-entry=10.1.1.0/22], 0, [ignore]) ++FWD_CHECK([--ipset=foobar --query-entry 10.1.2.0/22], 0, [ignore]) ++FWD_CHECK([--ipset=foobar --add-entry=10.1.2.0/22], 0, [ignore], [dnl ++Warning: ALREADY_ENABLED: '10.1.0.0/22' already is in 'foobar' ++]) ++FWD_CHECK([--ipset=foobar --add-entry=10.2.0.0/22], 0, [ignore]) + FWD_CHECK([--ipset=foobar --get-entries], 0, [dnl +-10.1.1.0/22 ++10.1.0.0/22 + 10.2.0.0/22 + ]) + NFT_LIST_SET([foobar], 0, [dnl +@@ -31,6 +34,9 @@ Members: + ]) + + FWD_CHECK([-q --ipset=foobar --remove-entry=10.1.1.0/22]) ++FWD_CHECK([--ipset=foobar --query-entry 10.1.1.0/22], 1, [ignore]) ++FWD_CHECK([--ipset=foobar --query-entry 10.1.2.0/22], 1, [ignore]) ++FWD_CHECK([--ipset=foobar --query-entry 10.2.0.0/22], 0, [ignore]) + FWD_CHECK([--ipset=foobar --get-entries], 0, [dnl + 10.2.0.0/22 + ]) +@@ -52,7 +58,7 @@ Members: + + FWD_CHECK([-q --permanent --ipset=foobar --add-entry=10.1.1.0/22]) + FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [dnl +-10.1.1.0/22 ++10.1.0.0/22 + ]) + FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22]) + FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [ +@@ -101,4 +107,5 @@ Members: + + FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl + -e '/ERROR: COMMAND_FAILED:.*element.*exists/d'dnl +- -e '/Kernel support protocol versions/d']) ++ -e '/Kernel support protocol versions/d'dnl ++ -e '/WARNING: ALREADY_ENABLED:/d']) +-- +2.27.0 + diff --git a/v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch b/v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch new file mode 100644 index 0000000..78681bb --- /dev/null +++ b/v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch 
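Review bot: In `normalize_ipset_entry` the presence test `_part.index("/")` and the `ipaddress.ip_network()` parse share a single `except ValueError`, so a part that does contain a slash but fails to parse (a malformed prefix) is silently kept verbatim and is indistinguishable from a part with no slash at all. Prefer `if "/" in _part:` with the try/except wrapped around the `ip_network()` call alone, which makes the fallback explicit; the `IPSet.check_entry()` call that follows the normalization in `add_entry`/`set_entries` appears to remain the validation gate for such parts, so behaviour would not change. Separately, `__all__` in src/firewall/core/ipset.py (visible as context, `[ "ipset", "check_ipset_name", "remove_default_create_options" ]`) is not extended with the new public `normalize_ipset_entry`; the same applies to `check_entry_overlaps_existing` in the 0036 patch and `check_for_overlapping_entries` in the 0049 patch. That only affects star imports, but it leaves the module's declared API out of step with the functions other modules now import from it.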
@@ -0,0 +1,157 @@ +From 3d7ec2dabb164cbc2dce5aa8aa37ae156ebad275 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 23 Feb 2021 09:18:33 -0500 +Subject: [PATCH 36/36] fix(ipset): disallow overlapping entries + +These are already being blocked by the ipset backend, but we should +catch them higher up to avoid differences in the backends. + +(cherry picked from commit 5b4e8918715a1d2e4abf77ed4eb3252486a19109) +--- + src/firewall/client.py | 4 +++- + src/firewall/core/fw_ipset.py | 4 +++- + src/firewall/core/ipset.py | 13 +++++++++++++ + src/firewall/server/config_ipset.py | 5 ++++- + src/tests/regression/ipset_netmask_allowed.at | 14 ++++++++------ + 5 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/src/firewall/client.py b/src/firewall/client.py +index aa6bd7cd282b..3715ffd29316 100644 +--- a/src/firewall/client.py ++++ b/src/firewall/client.py +@@ -34,7 +34,7 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU + from firewall.dbus_utils import dbus_to_python + from firewall.functions import b2u + from firewall.core.rich import Rich_Rule +-from firewall.core.ipset import normalize_ipset_entry ++from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing + from firewall import errors + from firewall.errors import FirewallError + +@@ -1619,6 +1619,7 @@ class FirewallClientIPSetSettings(object): + raise FirewallError(errors.IPSET_WITH_TIMEOUT) + _entries = set() + for _entry in dbus_to_python(entries, list): ++ check_entry_overlaps_existing(_entry, _entries) + _entries.add(normalize_ipset_entry(_entry)) + self.settings[5] = list(_entries) + @handle_exceptions +@@ -1628,6 +1629,7 @@ class FirewallClientIPSetSettings(object): + raise FirewallError(errors.IPSET_WITH_TIMEOUT) + entry = normalize_ipset_entry(entry) + if entry not in self.settings[5]: ++ check_entry_overlaps_existing(entry, self.settings[5]) + self.settings[5].append(entry) + else: + raise FirewallError(errors.ALREADY_ENABLED, 
entry) +diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py +index e5348949413c..a285fd4a4aab 100644 +--- a/src/firewall/core/fw_ipset.py ++++ b/src/firewall/core/fw_ipset.py +@@ -25,7 +25,7 @@ __all__ = [ "FirewallIPSet" ] + + from firewall.core.logger import log + from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \ +- normalize_ipset_entry ++ normalize_ipset_entry, check_entry_overlaps_existing + from firewall.core.io.ipset import IPSet + from firewall import errors + from firewall.errors import FirewallError +@@ -196,6 +196,7 @@ class FirewallIPSet(object): + if entry in obj.entries: + raise FirewallError(errors.ALREADY_ENABLED, + "'%s' already is in '%s'" % (entry, name)) ++ check_entry_overlaps_existing(entry, obj.entries) + + try: + for backend in self.backends(): +@@ -245,6 +246,7 @@ class FirewallIPSet(object): + + _entries = set() + for _entry in entries: ++ check_entry_overlaps_existing(_entry, _entries) + _entries.add(normalize_ipset_entry(_entry)) + entries = list(_entries) + +diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py +index 5bb21856f648..d6defa395241 100644 +--- a/src/firewall/core/ipset.py ++++ b/src/firewall/core/ipset.py +@@ -302,3 +302,16 @@ def normalize_ipset_entry(entry): + _entry.append(_part) + + return ",".join(_entry) ++ ++def check_entry_overlaps_existing(entry, entries): ++ """ Check if entry overlaps any entry in the list of entries """ ++ # Only check simple types ++ if len(entry.split(",")) > 1: ++ return ++ ++ for itr in entries: ++ try: ++ if ipaddress.ip_network(itr, strict=False).overlaps(ipaddress.ip_network(entry, strict=False)): ++ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(itr, entry)) ++ except ValueError: ++ pass +diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py +index 18ef5783de62..f33c2a02926f 100644 +--- a/src/firewall/server/config_ipset.py ++++ 
b/src/firewall/server/config_ipset.py +@@ -33,7 +33,8 @@ from firewall.dbus_utils import dbus_to_python, \ + dbus_introspection_prepare_properties, \ + dbus_introspection_add_properties + from firewall.core.io.ipset import IPSet +-from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry ++from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry, \ ++ check_entry_overlaps_existing + from firewall.core.logger import log + from firewall.server.decorators import handle_exceptions, \ + dbus_handle_exceptions, dbus_service_method +@@ -408,6 +409,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + def setEntries(self, entries, sender=None): + _entries = set() + for _entry in dbus_to_python(entries, list): ++ check_entry_overlaps_existing(_entry, _entries) + _entries.add(normalize_ipset_entry(_entry)) + entries = list(_entries) + log.debug1("%s.setEntries('[%s]')", self._log_prefix, +@@ -432,6 +434,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + raise FirewallError(errors.IPSET_WITH_TIMEOUT) + if entry in settings[5]: + raise FirewallError(errors.ALREADY_ENABLED, entry) ++ check_entry_overlaps_existing(entry, settings[5]) + settings[5].append(entry) + self.update(settings) + +diff --git a/src/tests/regression/ipset_netmask_allowed.at b/src/tests/regression/ipset_netmask_allowed.at +index b5165d94b220..fd08afd3b57c 100644 +--- a/src/tests/regression/ipset_netmask_allowed.at ++++ b/src/tests/regression/ipset_netmask_allowed.at +@@ -9,15 +9,17 @@ dnl an add for the whole range. i.e. 1.2.3.4/24 --> 1.2.3.[0.255] (256 + dnl entries). + dnl + dnl In nftables, we allow this by using actual intervals. 
+-FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore]) +-FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore]) ++FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.4/24], 0, [ignore]) ++FWD_CHECK([ --ipset foobar --add-entry 1.2.3.4/24], 0, [ignore]) + + dnl check the edge case + FWD_CHECK([--permanent --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore]) + FWD_CHECK([ --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore]) + +-dnl overlaps should be denied by ipset +-FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/22], 13, [ignore], [ignore]) +-FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/30], 13, [ignore], [ignore]) ++dnl overlaps should be denied ++FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/22], 136, [ignore], [ignore]) ++FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/22], 136, [ignore], [ignore]) ++FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.4/30], 136, [ignore], [ignore]) ++FWD_CHECK([ --ipset foobar --add-entry 1.2.3.4/30], 136, [ignore], [ignore]) + +-FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d']) ++FWD_END_TEST([-e '/ERROR: INVALID_ENTRY:/d']) +-- +2.27.0 + diff --git a/v1.0.0-0049-fix-ipset-reduce-cost-of-entry-overlap-detection.patch b/v1.0.0-0049-fix-ipset-reduce-cost-of-entry-overlap-detection.patch new file mode 100644 index 0000000..ebebd8b --- /dev/null +++ b/v1.0.0-0049-fix-ipset-reduce-cost-of-entry-overlap-detection.patch 
@@ -0,0 +1,140 @@
+From 34967402eda57d051b239c1551ecc0259881e7d4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 30 Nov 2021 14:54:20 -0500
+Subject: [PATCH 49/51] fix(ipset): reduce cost of entry overlap detection
+
+This increases peak memory usage to reduce the duration it takes to
+apply the set entries. Building the list of IPv4Network objects up front
+means we don't have to build them multiple times inside the for loop.
+
+Fixes: #881
+(cherry picked from commit 7f5b736378c0133f46470c42e0c1fb3b95087de5)
+---
+ src/firewall/client.py | 10 ++++------
+ src/firewall/core/fw_ipset.py | 9 +++------
+ src/firewall/core/ipset.py | 27 ++++++++++++++++++++++-----
+ src/firewall/server/config_ipset.py | 10 ++++------
+ 4 files changed, 33 insertions(+), 23 deletions(-)
+
+diff --git a/src/firewall/client.py b/src/firewall/client.py
+index 3715ffd29316..fdc88ac7946b 100644
+--- a/src/firewall/client.py
++++ b/src/firewall/client.py
+@@ -34,7 +34,8 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU
+ from firewall.dbus_utils import dbus_to_python
+ from firewall.functions import b2u
+ from firewall.core.rich import Rich_Rule
+-from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing
++from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing, \
++ check_for_overlapping_entries
+ from firewall import errors
+ from firewall.errors import FirewallError
+
+@@ -1617,11 +1618,8 @@ class FirewallClientIPSetSettings(object):
+ if "timeout" in self.settings[4] and \
+ self.settings[4]["timeout"] != "0":
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+- _entries = set()
+- for _entry in dbus_to_python(entries, list):
+- check_entry_overlaps_existing(_entry, _entries)
+- _entries.add(normalize_ipset_entry(_entry))
+- self.settings[5] = list(_entries)
++ check_for_overlapping_entries(entries)
++ self.settings[5] = entries
+ @handle_exceptions
+ def addEntry(self, entry):
+ if "timeout" in self.settings[4] and \
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index a285fd4a4aab..d7878c01921e 100644
+--- a/src/firewall/core/fw_ipset.py
++++ b/src/firewall/core/fw_ipset.py
+@@ -25,7 +25,8 @@ __all__ = [ "FirewallIPSet" ]
+
+ from firewall.core.logger import log
+ from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \
+- normalize_ipset_entry, check_entry_overlaps_existing
++ normalize_ipset_entry, check_entry_overlaps_existing, \
++ check_for_overlapping_entries
+ from firewall.core.io.ipset import IPSet
+ from firewall import errors
+ from firewall.errors import FirewallError
+@@ -244,11 +245,7 @@ class FirewallIPSet(object):
+ def set_entries(self, name, entries):
+ obj = self.get_ipset(name, applied=True)
+
+- _entries = set()
+- for _entry in entries:
+- check_entry_overlaps_existing(_entry, _entries)
+- _entries.add(normalize_ipset_entry(_entry))
+- entries = list(_entries)
++ check_for_overlapping_entries(entries)
+
+ for entry in entries:
+ IPSet.check_entry(entry, obj.options, obj.type)
+diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
+index d6defa395241..66ea4335536d 100644
+--- a/src/firewall/core/ipset.py
++++ b/src/firewall/core/ipset.py
+@@ -309,9 +309,26 @@ def check_entry_overlaps_existing(entry, entries):
+ if len(entry.split(",")) > 1:
+ return
+
++ try:
++ entry_network = ipaddress.ip_network(entry, strict=False)
++ except ValueError:
++ # could not parse the new IP address, maybe a MAC
++ return
++
+ for itr in entries:
+- try:
+- if ipaddress.ip_network(itr, strict=False).overlaps(ipaddress.ip_network(entry, strict=False)):
+- raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(itr, entry))
+- except ValueError:
+- pass
++ if entry_network.overlaps(ipaddress.ip_network(itr, strict=False)):
++ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(entry, itr))
++
++def check_for_overlapping_entries(entries):
++ """ Check if any entry overlaps any entry in the list of entries """
++ try:
++ entries = [ipaddress.ip_network(x, strict=False) for x in entries]
++ except ValueError:
++ # at least one entry can not be parsed
++ return
++
++ while entries:
++ entry = entries.pop()
++ for itr in entries:
++ if entry.overlaps(itr):
++ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr))
+diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py
+index f33c2a02926f..499ffcb9227a 100644
+--- a/src/firewall/server/config_ipset.py
++++ b/src/firewall/server/config_ipset.py
+@@ -34,7 +34,8 @@ from firewall.dbus_utils import dbus_to_python, \
+ dbus_introspection_add_properties
+ from firewall.core.io.ipset import IPSet
+ from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry, \
+- check_entry_overlaps_existing
++ check_entry_overlaps_existing, \
++ check_for_overlapping_entries
+ from firewall.core.logger import log
+ from firewall.server.decorators import handle_exceptions, \
+ dbus_handle_exceptions, dbus_service_method
+@@ -407,11 +408,8 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+ in_signature='as')
+ @dbus_handle_exceptions
+ def setEntries(self, entries, sender=None):
+- _entries = set()
+- for _entry in dbus_to_python(entries, list):
+- check_entry_overlaps_existing(_entry, _entries)
+- _entries.add(normalize_ipset_entry(_entry))
+- entries = list(_entries)
++ entries = dbus_to_python(entries, list)
++ check_for_overlapping_entries(entries)
+ log.debug1("%s.setEntries('[%s]')", self._log_prefix,
+ ",".join(entries))
+ self.parent.accessCheck(sender)
+--
+2.31.1
+
diff --git a/v1.0.0-0050-test-ipset-huge-set-of-entries-benchmark.patch b/v1.0.0-0050-test-ipset-huge-set-of-entries-benchmark.patch
new file mode 100644
index 0000000..32e8a22
--- /dev/null
+++ b/v1.0.0-0050-test-ipset-huge-set-of-entries-benchmark.patch
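Review bot: The rewritten `set_entries` in fw_ipset.py and `setEntries` in client.py and config_ipset.py drop the per-entry `normalize_ipset_entry()` call and the set-based de-duplication that the 0035 patch added, so a bulk update now stores `10.0.1.0/22` as typed while `add_entry`/`addEntry` still normalize to `10.0.0.0/22`, and two spellings of one network can coexist in `settings[5]`. In `check_for_overlapping_entries` a single element that `ipaddress.ip_network()` rejects aborts the whole check (`except ValueError: return`), so one MAC, range or compound entry switches overlap detection off for every CIDR in the same list, whereas `check_entry_overlaps_existing` skips only the entry it cannot parse; this reading is from the visible branches, and the early return is presumably meant for compound-type sets. Restoring normalization is one line ahead of the check, `entries = [normalize_ipset_entry(x) for x in entries]`, and parsing each element on its own (keeping the ones that parse) would retain detection for the parsable entries. The 0051 patch further down this page reworks the loop but keeps the same early return.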
@@ -0,0 +1,56 @@
+From 344753267f6b40d029a3b690cce74720a355cb4d Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 30 Nov 2021 14:50:17 -0500
+Subject: [PATCH 50/51] test(ipset): huge set of entries benchmark
+
+Coverage: #881
+(cherry picked from commit 114936c71ab1b12a5598d06805b7e9e13f7ee190)
+---
+ src/tests/regression/gh881.at | 25 +++++++++++++++++++++++++
+ src/tests/regression/regression.at | 1 +
+ 2 files changed, 26 insertions(+)
+ create mode 100644 src/tests/regression/gh881.at
+
+diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at
+new file mode 100644
+index 000000000000..c7326805b555
+--- /dev/null
++++ b/src/tests/regression/gh881.at
+@@ -0,0 +1,25 @@
++FWD_START_TEST([ipset entry overlap detect perf])
++AT_KEYWORDS(ipset gh881)
++
++dnl build a large ipset
++dnl
++AT_DATA([./deny_cidr], [])
++NS_CHECK([sh -c '
++for I in $(seq 10); do
++ for J in $(seq 250); do
++ echo "10.${I}.${J}.0/24" >> ./deny_cidr
++ done
++done
++'])
++
++dnl verify non-overlapping does not error
++dnl
++FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore])
++NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
++
++dnl verify overlap detection actually detects an overlap
++dnl
++NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr])
++NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++FWD_END_TEST()
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index a20b913fbe59..4045563d0b91 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -45,3 +45,4 @@ m4_include([regression/rhbz1914935.at])
+ m4_include([regression/gh696.at])
+ m4_include([regression/rhbz1917766.at])
+ m4_include([regression/rhbz2014383.at])
++m4_include([regression/gh881.at])
+--
+2.31.1
+
diff --git a/v1.0.0-0051-fix-ipset-further-reduce-cost-of-entry-overlap-detec.patch b/v1.0.0-0051-fix-ipset-further-reduce-cost-of-entry-overlap-detec.patch
new file mode 100644
index 0000000..7d1e8a1
--- /dev/null
+++ b/v1.0.0-0051-fix-ipset-further-reduce-cost-of-entry-overlap-detec.patch
@@ -0,0 +1,150 @@
+From 33b10b9112f2f51df049315438204efec7a5434c Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 25 Jan 2022 09:29:32 -0500
+Subject: [PATCH 51/51] fix(ipset): further reduce cost of entry overlap
+ detection
+
+This makes the complexity linear by sorting the networks ahead of time.
+
+Fixes: #881
+Fixes: rhbz2043289
+(cherry picked from commit 36c170db265265e838a089858be4b20dbbd582eb)
+---
+ src/firewall/core/ipset.py | 59 ++++++++++++++++++++++++++++++++---
+ src/tests/regression/gh881.at | 42 ++++++++++++++++++++++---
+ 2 files changed, 92 insertions(+), 9 deletions(-)
+
+diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
+index 66ea4335536d..b160d8345669 100644
+--- a/src/firewall/core/ipset.py
++++ b/src/firewall/core/ipset.py
+@@ -327,8 +327,57 @@ def check_for_overlapping_entries(entries):
+ # at least one entry can not be parsed
+ return
+
+- while entries:
+- entry = entries.pop()
+- for itr in entries:
+- if entry.overlaps(itr):
+- raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr))
++ # We can take advantage of some facts of IPv4Network/IPv6Network and
++ # how Python sorts the networks to quickly detect overlaps.
++ #
++ # Facts:
++ #
++ # 1. IPv{4,6}Network are normalized to remove host bits, e.g.
++ # 10.1.1.0/16 will become 10.1.0.0/16.
++ #
++ # 2. IPv{4,6}Network objects are sorted by:
++ # a. IP address (network bits)
++ # then
++ # b. netmask (significant bits count)
++ #
++ # Because of the above we have these properties:
++ #
++ # 1. big networks (netA) are sorted before smaller networks (netB)
++ # that overlap the big network (netA)
++ # - e.g. 10.1.128.0/17 (netA) sorts before 10.1.129.0/24 (netB)
++ # 2. same value addresses (network bits) are grouped together even
++ # if the number of network bits vary. e.g. /16 vs /24
++ # - recall that address are normalized to remove host bits
++ # - e.g. 10.1.128.0/17 (netA) sorts before 10.1.128.0/24 (netC)
++ # 3. non-overlapping networks (netD, netE) are always sorted before or
++ # after networks that overlap (netB, netC) the current one (netA)
++ # - e.g. 10.1.128.0/17 (netA) sorts before 10.2.128.0/16 (netD)
++ # - e.g. 10.1.128.0/17 (netA) sorts after 9.1.128.0/17 (netE)
++ # - e.g. 9.1.128.0/17 (netE) sorts before 10.1.129.0/24 (netB)
++ #
++ # With this we know the sorted list looks like:
++ #
++ # list: [ netE, netA, netB, netC, netD ]
++ #
++ # netE = non-overlapping network
++ # netA = big network
++ # netB = smaller network that overlaps netA (subnet)
++ # netC = smaller network that overlaps netA (subnet)
++ # netD = non-overlapping network
++ #
++ # If networks netB and netC exist in the list, they overlap and are
++ # adjacent to netA.
++ #
++ # Checking for overlaps on a sorted list is thus:
++ #
++ # 1. compare adjacent elements in the list for overlaps
++ #
++ # Recall that we only need to detect a single overlap. We do not need to
++ # detect them all.
++ #
++ entries.sort()
++ prev_network = entries.pop(0)
++ for current_network in entries:
++ if prev_network.overlaps(current_network):
++ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(prev_network, current_network))
++ prev_network = current_network
+diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at
+index c7326805b555..a5cf7e4eb912 100644
+--- a/src/tests/regression/gh881.at
++++ b/src/tests/regression/gh881.at
+@@ -5,21 +5,55 @@ dnl build a large ipset
+ dnl
+ AT_DATA([./deny_cidr], [])
+ NS_CHECK([sh -c '
+-for I in $(seq 10); do
++for I in $(seq 250); do
+ for J in $(seq 250); do
+ echo "10.${I}.${J}.0/24" >> ./deny_cidr
+ done
+ done
+ '])
++NS_CHECK([echo "10.254.0.0/16" >> ./deny_cidr])
+
+ dnl verify non-overlapping does not error
+ dnl
+ FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore])
+-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
++
++dnl still no overlap
++dnl
++AT_DATA([./deny_cidr], [
++9.0.0.0/8
++11.1.0.0/16
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
+
+ dnl verify overlap detection actually detects an overlap
+ dnl
+-NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr])
+-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++AT_DATA([./deny_cidr], [
++10.1.0.0/16
++10.2.0.0/16
++10.250.0.0/16
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++AT_DATA([./deny_cidr], [
++10.253.0.0/16
++10.253.128.0/17
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++AT_DATA([./deny_cidr], [
++10.1.1.1/32
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++AT_DATA([./deny_cidr], [
++10.0.0.0/8
++10.0.0.0/25
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++dnl empty file, no additions, but previous ones will remain
++AT_DATA([./deny_cidr], [])
++FWD_CHECK([--permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
+
+ FWD_END_TEST()
+--
+2.31.1
+
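Review bot: `entries.pop(0)` in `check_for_overlapping_entries` raises IndexError when the parsed list is empty, because nothing after the list comprehension guards the empty case; any caller passing `[]` to `set_entries`/`setEntries` reaches it, and the new empty-file regression case does not cover this since, per its own comment, the previous entries are re-sent. `entries.sort()` is also new here: the stdlib `ipaddress` classes refuse to order an IPv4Network against an IPv6Network and raise TypeError, and in `set_entries` this check runs before the per-entry `IPSet.check_entry()` (call order visible in the 0049 hunk), so a mixed-family list would presumably surface as an unhandled TypeError rather than the INVALID_ENTRY that validation would report. Both are cheap to guard at the point where the sorted section begins; the version below returns on an empty list and lets a TypeError from the sort defer to the existing validation.
```python
    # … unchanged: docstring, ip_network() parsing, explanatory comment …
    if not entries:
        return
    try:
        entries.sort()
    except TypeError:
        # mixed IPv4/IPv6 entries cannot be ordered; leave the family
        # mismatch to IPSet.check_entry()
        return
    prev_network = entries.pop(0)
    # … unchanged: adjacent-pair overlap loop …
```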