Commit Graph

46 Commits

Author SHA1 Message Date
Thomas Woerner
a81efa3c56 - Fixed translations with python3
- Fixed exception for failed NM import, new doc string
- Make ipsets visible per default in firewall-config
- Install new fw_nm module
- Do not fail if log file could not be opened
- Fixed broken fr translation
2016-04-20 19:13:31 +02:00
Thomas Woerner
59f898339e New firewalld version 0.4.1
- Enhancements of ipset handling
  - No cleanup of ipsets using timeouts while reloading
  - Only destroy conflicting ipsets
  - Only use ipset types supported by the system
  - Add and remove several ipset entries in one call using a file
- Reduce time frame where builtin chains are on policy DROP while reloading
- Include descriptions in --info-X calls
- Command line interface support to get and alter descriptions of zones,
  services, ipsets and icmptypes with permanent option
- Properly watch changes in combined zones
- Fix logging in rich rule forward rules
- Transformed direct.passthrough errors into warnings
- Rework of import structures
- Reduced calls to get ids for port and protocol names (RHBZ#1305434)
- Build and installation fixes by Markos Chandras
- Provide D-Bus properties in introspection data
- Fix for flaws found by landscape.io
- Fix for repeated SUGHUP
- New NetworkManager module to get and set zones of connections, used in
  firewall-applet and firewall-config
- configure: Autodetect backend tools ({ip,ip6,eb}tables{,-restore}, ipset)
- Code cleanups
- Bug fixes
2016-04-19 17:22:50 +02:00
Thomas Woerner
b2398523d9 New version 0.4.0
- Speed ups
  - ipset support
  - MAC address support
  - Log of denied packets
  - Mark action in rich rules
  - Enhanced alteration of config files with command line tools
  - Use of zone chains in direct interface
  - firewall-applet enhancement
  - New services: ceph-mon, ceph, docker-registry, imap, pop3, pulseaudio,
    smtps, snmptrap, snmp, syslog-tls and syslog
  - Several bug fixes
  - Code optimizations
2016-02-01 17:53:28 +01:00
Thomas Woerner
a852a77a23 - reunification of the firewalld spec files for all Fedora releases
- fix dependencies for -applet and -config: use_python3 is the proper switch
  not with_python3 (RHBZ#1232493)

* New upstream version 0.3.14.2:

- firewalld.spec:
  - fixed requirements for -applet and -config
- man pages:
  - adapted firewall-applet man page to new version
- firewall-applet:
  - Only honour active connections for zone changes
  - Change QSettings path and file names
- firewall-config:
  - Only honour active connections for zone changes in the “Change Zones of Connections” menu
- Translations:
  - updated translations
  - marked translations for “Connections” for review
2015-06-17 11:54:16 +02:00
Thomas Woerner
5daf27c45b use 0.3.14.1 2015-06-13 00:02:20 +02:00
Jiri Popelka
959b2db1fd 0.3.13 2014-12-04 19:13:21 +01:00
Jiri Popelka
e89b2b2ecd 0.3.12 2014-10-14 18:20:55 +02:00
Jiri Popelka
0b65a30f38 0.3.11 2014-08-20 18:53:02 +02:00
Jiri Popelka
c27a83cb8e 0.3.10 2014-05-29 10:34:57 +02:00
Jiri Popelka
cabfc2d180 0.3.9.3
- Fixed persistent port forwarding (RHBZ#1056154)
- Stop default zone rules being applied to all zones (RHBZ#1057875)
- Enforce trust, block and drop zones in the filter table only (RHBZ#1055190)
- Allow RAs prior to applying IPv6_rpfilter (RHBZ#1058505)
2014-02-05 17:52:17 +01:00
Jiri Popelka
660f9abf4a fix regression introduced in 0.3.9 (RHBZ#1053932) 2014-01-17 07:03:33 +01:00
Jiri Popelka
3c3e49e817 0.3.9.1 2014-01-16 16:11:10 +01:00
Jiri Popelka
ad89fb7fd0 0.3.9 2014-01-13 17:22:51 +01:00
Jiri Popelka
15e74e15b5 0.3.8 - memleaks fixed, python3 support 2013-11-05 16:06:55 +01:00
Jiri Popelka
71ed8131bf 0.3.7 2013-10-17 17:30:19 +02:00
Jiri Popelka
f9bb7ae3b6 0.3.6.2
firewall-offline-cmd: --forward-port 'toaddr' is optional (RHBZ#1014958)
firewall-cmd: fix variable name (RHBZ#1015011)
2013-10-04 17:38:32 +02:00
Jiri Popelka
8606b62ae8 0.3.6.1: removed superfluous po files 2013-10-03 11:06:47 +02:00
Jiri Popelka
87ffdf6d8d 0.3.6 2013-10-02 16:41:08 +02:00
Jiri Popelka
606593b832 0.3.5 2013-09-30 14:05:37 +02:00
Thomas Woerner
264441a52b Uploaded source archive 2013-07-30 20:18:11 +02:00
Thomas Woerner
09913dec88 New version 0.3.3
- new service files
- relicensed logger.py under GPLv2+
- firewall-config: sometimes we don't want to use client's exception handler
- When removing Service/IcmpType remove it from zones too (RHBZ#958401)
- firewall-config: work-around masquerade_check_cb() being called more times
- Zone(IO): add interfaces/sources to D-Bus signature
- Added missing UNKNOWN_SOURCE error code
- fw_zone.check_source: Raise INVALID_FAMILY if family is invalid
- New changeZoneOfInterface method, marked changeZone as deprecated
- Fixed firewall-cmd man page entry for --panic-on
- firewall-applet: Fixed possible problems of unescaped strings used for markup
- New support to bind zones to source addresses and ranges (D-BUS, cmd, applet
- Cleanup of unused variables in FirewallD.start
- New firewall/fw_types.py with LastUpdatedOrderedDict
- direct.chains, direct.rules: Using LastUpdatedOrderedDict
- Support splitted zone files
- New reader and writer for stored direct chains and rules
- LockdownWhitelist: fix write(), add get_commands/uids/users/contexts()
- fix service_writer() and icmptype_writer() to put newline at end of file
- firewall-cmd: fix --list-sources
- No need to specify whether source address family is IPv4 or IPv6
- add getZoneOfSource() to D-Bus interface
- Add tests and bash-completion for the new "source" operations
- Convert all input args in D-Bus methods
- setDefaultZone() was calling accessCheck() *after* the action
- New uniqify() function to remove duplicates from list whilst preserving order
- Zone.combine() merge also services and ports
- config/applet: silence DBusException during start when FirewallD is not running (RHBZ#966518)
- firewall-applet: more fixes to make the address sources family agnostic
- Better defaults for lockdown white list
- Use auth_admin_keep for allow_any and allow_inactive also
- New D-Bus API for lockdown policies
- Use IPv4, IPv6 and BRIDGE for FirewallD properties
- Use rich rule action as audit type
- Prototype of string-only D-Bus interface for rich language
- Fixed wrongly merged source family check in firewall/core/io/zone.py
- handle_cmr: report errors, cleanup modules in error case only, mark handling
- Use audit type from rule action, fixed rule output
- Fixed lockdown whitelist D-Bus handling method names
- New rich rule handling in runtime D-Bus interface
- Added interface, source and rich rule handling (runtime and permanent)
- Fixed dbus_obj in FirewallClientConfigPolicies, added queryLockdown
- Write changes in setLockdownWhitelist
- Fixed typo in policies log message in method calls
- firewall-cmd: Added rich rule, lockdown and lockdown whitelist handling
- Don't check access in query/getLockdownWhitelist*()
- firewall-cmd: Also output masquerade flag in --list-all
- firewall-cmd: argparse is able to convert argument to desired type itself
- firewall-cmd_test.sh: tests for permanent interfaces/sources and lockdown whitelist
- Makefile.am: add missing files
- firewall-cmd_test.sh: tests for rich rules
- Added lockdown, source, interface and rich rule docs to firewall-cmd
- Do not masquerade lo if masquerade is enabled in the default zone (RHBZ#904098)
- Use <rule> in metavar for firewall-cmd parser
2013-06-06 18:16:48 +02:00
Jiri Popelka
153e91a20e removed unintentional en_US.po from tarball 2013-05-10 12:15:41 +02:00
Jiri Popelka
621401bf15 0.3.2
- Fix signal handling for SIGTERM
- Additional service files (RHBZ#914859)
- Updated po files
- s/persistent/permanent/ (Trac Ticket #7)
- Better behaviour when running without valid DISPLAY (RHBZ#955414)
- client.handle_exceptions(): do not loop forever
- Set Zone.defaults in zone_reader (RHBZ#951747)
- client: do not pass the dbus exception name to handler
- IO_Object_XMLGenerator: make it work with Python 2.7.4 (RHBZ#951741)
- firewall-cmd: do not use deprecated BaseException.message
- client.py: fix handle_exceptions() (RHBZ#951314)
- firewall-config: check zone/service/icmptype name (RHBZ#947820)
- Allow 3121/tcp (pacemaker_remote) in cluster-suite service. (RHBZ#885257)
- firewall-applet: fix default zone hangling in 'shields-up' (RHBZ#947230)
- FirewallError.get_code(): check for unknown error
2013-04-30 18:24:00 +02:00
Jiri Popelka
c802b43c04 0.3.1
- Use explicit file lists for make dist
- New rich rule validation check code
- New global check_port and check_address functions
- Allow source white and black listing with the rich rule
- Fix error handling in case of unsupported family in rich rule
- Enable ip_forwarding in masquerade and forward-port
- New functions to read and write simple files using filename and content
- Add --enable-sysconfig to install Fedora-specific sysconfig config file.
- Add chains for security table (RHBZ#927015)
- firewalld.spec: no need to specify --with-systemd-unitdir
- firewalld.service: remove syslog.target and dbus.target
- firewalld.service: replace hard-coded paths
- Move bash-completion to new location.
2013-03-28 15:32:35 +01:00
Thomas Woerner
7b258f3cda New version 0.3.0
- Added rich language support
- Added lockdown feature
- Allow to bind interfaces and sources to zones permanently
- Enabled IPv6 NAT support
  masquerading and port/packet forwarding for IPv6 only with rich language
- Handle polkit errors in client class and firewall-config
- Added priority description for --direct --add-rule in firewall-cmd man page
- Add XML Schemas for zones/services/icmptypes XMLs
- Don't keep file descriptors open when forking
- Introduce --nopid option for firewalld
- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782)
- Update cluster-suite service (RHBZ#885257)
- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912)
- Fix interaction problem of changed event of gtk combobox with polkit-kde
  by processing all remaining events (RHBZ#915892)
- Stop default zone rules being applied to all zones (RHBZ#912782)
- Firewall.start(): don't call set_default_zone()
- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages
- firewalld-cmd: make --state verbose (RHBZ#886484)
- improve firewalld --help (RHBZ#910492)
- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834)
- Continue loading zone in case of wrong service/port etc. (RHBZ#909466)
- Check also services and icmptypes in Zone() (RHBZ#909466)
- Increase the maximum length of the port forwarding fields from 5 to 11 in
  firewall-config
- firewall-cmd: add usage to fail message
- firewall-cmd: redefine usage to point to man page
- firewall-cmd: fix visible problems with arg. parsing
- Use argparse module for parsing command line options and arguments
- firewall-cmd.1: better clarify where to find ACTIONs
- firewall-cmd Bash completion
- firewall-cmd.1: comment --zone=<zone> usage and move some options
- Use zone's target only in %s_ZONES chains
- default zone in firewalld.conf was set to public with every restart (#902845)
- man page cleanup
- code cleanup
2013-03-20 18:04:20 +01:00
Thomas Woerner
d9e0d917c2 updated source 2013-01-14 16:39:18 +01:00
Thomas Woerner
d801abc3f0 Added missing files for new build env 2013-01-14 15:45:21 +01:00
Thomas Woerner
2c00316c83 New version 0.2.12:
- firewall-cmd: use -V instead of -v for version info (RHBZ#886477)
- firewall-cmd: don't check reload()'s return value (RHBZ#886461)
- actually install firewalld.zones.5
- firewall-config: treat exceptions when adding new zone/service/icmp
  (RHBZ#886602)
- firewalld.spec: Fixed requirements of firewall-config to use gtk2 and
  pygobject3
- Fail gracefully when running in non X environment.(RHBZ#886551)
- offline-cmd: fail gracefully when no s-c-f config
- fix duplicated iptables rules (RHBZ#886515)
- detect errors and duplicates in config file (RHBZ#886581)
- firewall-config: don't make 'Edit Service' and 'Edit ICMP Type' insensitive
- firewalld.spec: fixed requirements, require pygobject3-base
- frewall-applet: Unused code cleanup
- firewall-applet: several usability fixes and enhancements
  (RHBZ#886531) (RHBZ#886534)
- firewall/server/server.py: fixed KeyboardInterrupt message (RHBZ#886558)
- Moved fallback zone and minimal_mark to firewall.config.__init__
- Do not raise ZONE_ALREADY_SET in change_zone if old zone is set again
  (RHBZ#886432)
- Make default zone default for all unset connections/interfaces
  (RHBZ#888288) (RHBZ#882736)
- firewall-config: Use Gtk.MessageType.WARNING for warning dialog
- firewall-config: Handle unknown services and icmptypes in persistent mode
- firewall-config: Do not load settings more than once
- firewall-config: UI cleanup and fixes (RHBZ#888242)
- firewall-cmd: created alias --change-zone for --change-interface
- firewall-cmd man page updates (RHBZ#806511)
- Merged branch 'build-cleanups'
- dropped call to autogen.sh in build stage, not needed anymore due to
  'build-cleanups' merge
2013-01-14 15:29:15 +01:00
Thomas Woerner
144b73b24a New version 0.2.11
- Fixed more _xmlplus (PyXML) incompatibilities to python xml
- Several man page updates
- Fixed error in addForwardPort, removeForwardPort and queryForwardPort
- firewall-cmd: use already existing queryForwardPort()
- Update firewall.cmd man page, use man page as firewall-cmd usage (rhbz#876394)
- firewall-config: Do not force to show labels in the main toolbar
- firewall-config: Dropped "Change default zone" from toolbar
- firewall-config: Added menu entry to change zones of connections
- firewall-applet: Zones can be changed now using nm-connection-editor
  (rhbz#876661)
- translation updates: cs, hu, ja
2012-12-11 21:34:31 +01:00
Thomas Woerner
802d9266c0 New version 0.2.10
- tests/firewalld_config.py: tests for config.service and config.icmptype
- FirewallClientConfigServiceSettings(): destinations are dict not list
- service/zone/icmptype: do not write deprecated name attribute
- New service ntp
- firewall-config: Fixed name of about dialog
- configure.in: Fixed getting of error codes
- Added coding to all pyhton files
- Fixed copyright years
- Beautified file headers
- Force use of pygobject3 in python-slip (RHBZ#874378)
- Log: firewall.server.config_icmptype, firewall.server.config_service and
  firewall.server.config_zone: Prepend full path
- Allow ":" in interface names for interface aliases
- Add name argument to Updated and Renamed signal
- Disable IPv4, IPv6 and EB tables if missing - for IPv4/IPv6 only environments
- firewall-config.glade file cleanup
- firewall-config: loadDefaults() can throw exception
- Use toolbars for Add/Edit/Remove/LoadDefaults buttons for zones, services
  and icmp types
- New vnc-server service, opens ports for displays :0 to :3 (RHBZ#877035)
- firewall-cmd: Fix typo in help output, allow default zone usage for
  permanenent options
- Translation updates: cs, fr, ja, pt_BR and zh_CN
2012-11-20 16:35:51 +01:00
Thomas Woerner
a6b084ef3e New version 0.2.9
- firewall-config: some UI usability changes
- firewall-cmd: New option --list-all-zones, output of --list-all changed,
  more option combination checks
- firewall-applet: Replaced NMClient by direct DBUS calls to fix python core
  dumps in case of connection activates/deactivates
- Use fallback 'C' locale if current locale isn't supported (RHBZ#860278)
- Add interfaces to zones again after reload
- firewall-cmd: use FirewallClient().connected value
- firewall-cmd: --remove-interface was not working due to a typo
- Do not use restorecon for new and backup files
- Fixed use of properties REJECT and DROP
- firewalld_test.py: check interfaces after reload
- Translation updates
- Renamed firewall-convert-scfw-config to firewall-offline-cmd, used by
  anaconda for firewall configuration (e.g. kickstart)
- Fix python shebang to use -Es at installation time for bin_SCRIPTS and
  sbin_SCRIPTS and at all times in gtk3_chooserbutton.py
- tests/firewalld_config.py: update test_zones() test case
- Config interface: improve renaming of zones/services/icmp_types
- Move emiting of Added signals closer to source.
- FirewallClient(): config:ServiceAdded signal was wrongly mapped
- Add argument 'name' to Removed signal
- firewall-config: Add callbacks for config:[service|icmp]-[added|removed]
- firewall-config: catch INVALID_X error when removing zone/service/icmp_type
- firewall-config: remove unused code
- Revert "Neutralize _xmlplus instead of conforming it"
- firewall-applet: some UI usability changes
- firewall-cmd: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
2012-10-17 17:16:19 +02:00
Thomas Woerner
7fa1b0edb2 New version 0.2.8:
- Do not apply old settings to zones after reload
- FirewallClient: Added callback structure for firewalld signals
- New firewall-config with full zone, service and icmptype support
- Added Shields Up/Down configuration dialog to firewall-applet
- Name attribute of main tag deprecated for zones, services and icmptypes,
  will be ignored if present
- Fixed wrong references in firewalld man page
- Unregister DBus interfaces after sending out the Removed signal
- Use proper DBus signature in addIcmpType, addService and addZone
- New builtin property for config interfaces
- New test case for Config interface
- spec: use new systemd-rpm macros (rhbz#850110)
- More config file verifications
- Lots of smaller fixes and enhancements
2012-09-07 17:44:38 +02:00
Thomas Woerner
a7e552c674 - Update of firewall-config
- Some bug fixes
2012-08-13 13:38:11 +02:00
Thomas Woerner
ecdf399bdc New version 0.2.6
- New D-BUS interface for persistent configuration
- Aded support for persistent zone configuration in firewall-cmd
- New Shields Up feature in firewall-applet
- New requirements for python-decorator and pygobject3
- New firewall-config sub-package
- New firewall-convert-scfw-config config script
2012-08-07 13:25:11 +02:00
Thomas Woerner
14ea6c41ba - Add man pages to spec 2012-04-20 21:26:55 +02:00
Thomas Woerner
dae3b70b2f New version 0.2.5
- Fixed traceback in firewall-cmd for failed or canceled authorization,
  return proper error codes, new error codes NOT_RUNNING and NOT_AUTHORIZED
- Enhanced firewalld service file (RHBZ#806868) and (RHBZ#811240)
- Fixed duplicates in zone after reload, enabled timed settings after reload
- Removed conntrack --ctstate INVALID check from default ruleset, because it
  results in ICMP problems (RHBZ#806017).
- Update interfaces in default zone after reload (rhbz#804814)
- New man pages for firewalld(1), firewalld.conf(5), firewalld.icmptype(5),
  firewalld.service(5) and firewalld.zone(5), updated firewall-cmd man page
  (RHBZ#811257)
- Fixed firewall-cmd help output
- Fixed missing icon for firewall-applet (RHBZ#808759)
- Added root user check for firewalld (RHBZ#767654)
- Fixed requirements of firewall-applet sub package (RHBZ#808746)
- Update interfaces in default zone after changing of default zone (RHBZ#804814)
- Start firewalld before NetworkManager (RHBZ#811240)
- Add Type=dbus and BusName to service file (RHBZ#811240)
2012-04-20 21:16:48 +02:00
Thomas Woerner
7fffbdc6e7 - forgot to upload sources 2012-03-16 16:40:37 +01:00
Thomas Woerner
8c3ae5b467 - firewall-cmd: several changes and fixes
- code cleanup
- fixed icmp protocol used for ipv6 (rhbz#801182)
- added and fixed some comments
- properly restore zone settings, timeout is always set, check for 0
- some FirewallError exceptions were actually not raised
- do not REJECT in each zone
- removeInterface() don't require zone
- new tests in firewall-test script
- dbus_to_python() was ignoring certain values
- added functions for the direct interface: chains, rules, passthrough
- fixed inconsistent data after reload
- some fixes for the direct interface: priority positions are bound to ipv,
  table and chain
- added support for direct interface in firewall-cmd:
- added isImmutable(zone) to zone D-Bus interface
- renamed policy file
- enhancements for error messages, enables output for direct.passthrough
- added allow_any to firewald policies, using at leas auth_admin for policies
- replaced ENABLE_FAILED, DISABLE_FAILED, ADD_FAILED and REMOVE_FAILED by
  COMMAND_FAILED, resorted error codes
- new firewalld configuration setting CleanupOnExit
- enabled polkit again, found a fix for property problem with slip.dbus.service
- added dhcpv6-client to 'public' (the default) and to 'internal' zones.
- fixed missing settings form zone config files in
  "firewall-cmd --list=all --zone=<zone>" call
- added list functions for services and icmptypes, added --list=services and
  --list=icmptypes to firewall-cmd
2012-03-15 22:36:11 +01:00
Thomas Woerner
2b8e74fdfd new version 0.2.2
- enabled dhcpv6-client service for zones home and work
- new dhcpv6-client service
- firewall-cmd: query mode returns reversed values
- new zone.changeZone(zone, interface)
- moved zones, services and icmptypes to /usr/lib/firewalld, can be overloaded
  by files in /etc/firewalld (no overload of immutable zones block, drop,
  trusted)
- reset MinimalMark in firewalld.cnf to default value
- fixed service destination (addresses not used)
- fix xmlplus to be compatible with the python xml sax parser and python 3
  by adding __contains__ to xml.sax.xmlreader.AttributesImpl
- use icon and glib related post, postun and posttrans scriptes for firewall
- firewall-cmd: fix typo in state
- firewall-cmd: fix usage()
- firewall-cmd: fix interface action description in usage()
- client.py: fix definition of queryInterface()
- client.py: fix typo in getInterfaces()
- firewalld.service: do not fork
- firewall-cmd: fix bug in --list=port and --port action help message
- firewall-cmd: fix bug in --list=service
2012-03-06 13:56:05 +01:00
Thomas Woerner
50e8c24f76 - added missing firewall.dbus_utils 2012-02-21 13:37:40 +01:00
Thomas Woerner
1f080390bb - added glib2-devel to build requires, needed for gsettings.m4
- added --with-system-unitdir arg to fix installaiton of system file
- added glib-compile-schemas calls for postun and posttrans
- fixed EXTRA_DIST file lists
2012-02-07 12:05:54 +01:00
Thomas Woerner
9871af494f - added missing build requires for glib2 (glib-compile-schemas) 2012-02-07 00:41:29 +01:00
Thomas Woerner
b734914bda - version 0.2.0 with new FirewallD1 D-BUS interface
- supports zones with a default zone
- new direct interface as a replacement of the partial virt interface with
  additional passthrough functionality
- dropped custom rules, use direct interface instead
- dropped trusted interface funcionality, use trusted zone instead
- using zone, service and icmptype configuration files
- not using any system-config-firewall parts anymore
2012-02-07 00:32:16 +01:00
Thomas Woerner
066a5d2fef - new version 0.1.3
- restore all firewall features for reload: panic and virt rules and chains
- string fixes for firewall-cmd man page (by Jiri Popelka)
- fixed firewall-cmd port list (by Jiri Popelka)
- added firewall dbus client connect check to firewall-cmd (by Jiri Popelka)
- translation updates: de, es, gu, it, ja, kn, ml, nl, or, pa, pl, ru, ta,
                       uk, zh_CN
2011-02-15 18:54:04 +01:00
Thomas Woerner
73638b8ffb Initial import (#665395) 2011-01-07 16:38:25 +01:00
Fedora Release Engineering
41db2d6177 Initial setup of the repo 2011-01-06 14:44:01 +00:00