Commit Graph

85 Commits

Author SHA1 Message Date
Thomas Woerner
b2398523d9 New version 0.4.0
- Speed ups
  - ipset support
  - MAC address support
  - Log of denied packets
  - Mark action in rich rules
  - Enhanced alteration of config files with command line tools
  - Use of zone chains in direct interface
  - firewall-applet enhancement
  - New services: ceph-mon, ceph, docker-registry, imap, pop3, pulseaudio,
    smtps, snmptrap, snmp, syslog-tls and syslog
  - Several bug fixes
  - Code optimizations
2016-02-01 17:53:28 +01:00
Peter Robinson
01f44ea547 - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 2015-11-10 14:19:55 +00:00
Adam Williamson
edff2d5149 bump versions on old config package obsoletes (f21 is on 0.3.14)
The versions being too low meant that on upgrade from F21 to
F22 or F23 you didn't get the obsolete kicking in as it should.
2015-07-22 14:50:09 -07:00
Thomas Woerner
6daecaddcb - Require python3-gobject-base for fedora >= 23 and rhel >= 8 (RHBZ#1242076)
- Fix rhel defines: No python3 for rhel-7
2015-07-13 15:35:33 +02:00
Thomas Woerner
400c17b1f3 - Fixed 'pid_file' referenced before assignment (RHBZ#1233232) 2015-06-18 17:54:59 +02:00
Thomas Woerner
a852a77a23 - reunification of the firewalld spec files for all Fedora releases
- fix dependencies for -applet and -config: use_python3 is the proper switch
  not with_python3 (RHBZ#1232493)

* New upstream version 0.3.14.2:

- firewalld.spec:
  - fixed requirements for -applet and -config
- man pages:
  - adapted firewall-applet man page to new version
- firewall-applet:
  - Only honour active connections for zone changes
  - Change QSettings path and file names
- firewall-config:
  - Only honour active connections for zone changes in the “Change Zones of Connections” menu
- Translations:
  - updated translations
  - marked translations for “Connections” for review
2015-06-17 11:54:16 +02:00
Dennis Gilmore
3467da0208 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-17 06:22:13 +00:00
Stephen Gallagher
bc01174b62 Make sure we always create the polkit policy
There were cases (like Cloud Edition) where we would not create
the polkit policy if firewalld.conf already existed.
2015-06-16 15:09:50 -04:00
Thomas Woerner
95cd8262fa * 0.3.14.1-1
- firewall-applet
  - do not use isSystemTrayAvailable check to fix KDE5 startup
  - dropped gtk applet remain: org.fedoraproject.FirewallApplet.gschema.xml

* 0.3.14-1
- renamed python2-firewall to python-firewall
- fixed requirements for GUI parts with Python3
- dropped upstream merged python3 patch
- firewalld:
  - print real zone names in error messages
  - iptables 1.4.21 does not accept limits of 1/day, minimum is 2/day now
  - rate limit fix for rich rules
  - fix readdition of removed permanent direct settings
  - adaption of the polkit domains to use PK_ACTION_DIRECT_INFO
  - fixed two minor Python3 issues in firewall.core.io.direct
  - fixed use of fallback configuration values
  - fixed use without firewalld.conf
  - firewalld main restructureization
  - IPv6_rpfilter now also available as a property on D-Bus in the config interface
  - fixed wait option use for ipXtables
  - added --concurrent support for ebtables
  - richLanguage: allow masquerading with destination
  - richLanguage: limit masquerading forward rule to new connections
  - ipXtables: No dns lookups in available_tables and _detect_wait_option
  - full ebtables support: start, stop, reload, panic mode, direct chains and rules
  - fix for reload with direct rules
  - fix or flaws found by landscape.io
  - pid file handling fixes in case of pid file removal
  - fix for client issue in case of a dbus NoReply error
- configuration
  - new services: dropbox-lansync, ptp
  - new icmptypes: timestamp-request, timestamp-reply
- man pages:
  - firewalld.zones(5): fixed typos
  - firewalld.conf(5): Fixed wrong reference to firewalld.lockdown-whitelist page
- firewall-applet:
  - new version using Qt4 fixing several issues with the Gtk version
- spec file:
  - enabled Python3 support: new backends python-firewall and python3-firewall
  - some cleanup
- git:
  - migrated to github
- translations:
  - migrated to zanata
- build environment:
  - no need for autoconf-2.69, 2.68 is sufficient
2015-06-12 23:58:58 +02:00
Stephen Gallagher
d651ec2e2c Use VARIANT_ID for decisions instead of VARIANT 2015-05-07 10:41:16 -04:00
Stephen Gallagher
07c43f280d Update per-product config specification to latest version
See: https://fedoraproject.org/w/index.php?title=User:Sgallagh/Per-Product_Configuration_Packaging_Draft&oldid=410792
2015-04-23 13:25:57 -04:00
Stephen Gallagher
88e1545c03 Remove unneeded backslash escape 2015-04-16 15:45:22 -04:00
Stephen Gallagher
8aec79859f Switch to using $VARIANT directly from /etc/os-release 2015-04-16 15:37:25 -04:00
Stephen Gallagher
82cf3d8869 Fix bugs with posttrans
- Remove nonexistent fedora-cloud.conf symlink
2015-03-13 21:35:17 -04:00
Stephen Gallagher
4c9547c601 Remove per-edition config files
- Decide on default configuration based on /etc/os-release
2015-03-13 13:48:57 -04:00
Jiri Popelka
e24f6cfcb4 use python3 bindings on fedora >=23
https://lists.fedoraproject.org/pipermail/devel/2015-February/208208.html
2015-02-23 14:44:14 +01:00
Thomas Woerner
75272d6aaa Enable Python3 support in spec file
- enable python2 and python3 bindings for fedora >= 20 and rhel >= 7
- use python3 bindings on fedora >= 22 and rhel >= 8 for firewalld,
  firewall-config and firewall-applet
2015-01-28 14:16:48 +01:00
Jiri Popelka
f70602740c Merge branch 'f20' into f21 2014-12-04 19:22:47 +01:00
Jiri Popelka
959b2db1fd 0.3.13 2014-12-04 19:13:21 +01:00
Jiri Popelka
68cca00bb6 Merge branch 'f20' into f21 2014-10-14 18:21:58 +02:00
Jiri Popelka
e89b2b2ecd 0.3.12 2014-10-14 18:20:55 +02:00
Jiri Popelka
9ad9772159 Merge branch 'f20' into f21 2014-08-27 10:40:58 +02:00
Jiri Popelka
1c3b179dfb Quiet systemctl if cups-browsed.service is not installed 2014-08-27 10:40:20 +02:00
Orion Poplawski
e4cb880aa3 Quiet systemctl if cups-browsed.service is not installed 2014-08-27 10:37:27 +02:00
Orion Poplawski
1e43ccc8ce Quiet systemctl if cups-browsed.service is not installed 2014-08-26 09:59:32 -06:00
Jiri Popelka
c1a852fecb Merge branch 'f20' into f21 2014-08-25 12:15:24 +02:00
Jiri Popelka
b42d00a678 add few Requires to spec (RHBZ#1133167) 2014-08-25 12:14:12 +02:00
Jiri Popelka
8b10fa9e19 Merge branch 'f20' into f21 2014-08-20 19:07:00 +02:00
Jiri Popelka
0b65a30f38 0.3.11 2014-08-20 18:53:02 +02:00
Thomas Woerner
92eb709782 - Bump release 2014-07-22 10:34:12 +02:00
Thomas Woerner
fd6e3ebbd5 - Fixed wrong default zone names for server and workstation (RHBZ#1120296) 2014-07-22 10:31:34 +02:00
Thomas Woerner
3bcc74d626 - renamed fedora specific zones to FedoraServer and FedoraWorkstation for
zone name limitations (length and allowed chars)
2014-07-08 13:39:14 +02:00
Thomas Woerner
3f62620b7f - Added Fedora server zone with cockpit enabled (RHBZ#1110711)
- Added Fedora workstation zone(RHBZ#1113775)
2014-07-07 19:16:42 +02:00
Thomas Woerner
7ab6dab432 - New support for Fedora per-product configuration settings for Fedora.next
https://fedoraproject.org/wiki/Per-Product_Configuration_Packaging_Draft
2014-07-07 18:47:24 +02:00
Dennis Gilmore
f51ba2801b - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 07:10:38 -05:00
Jiri Popelka
c27a83cb8e 0.3.10 2014-05-29 10:34:57 +02:00
Jiri Popelka
cabfc2d180 0.3.9.3
- Fixed persistent port forwarding (RHBZ#1056154)
- Stop default zone rules being applied to all zones (RHBZ#1057875)
- Enforce trust, block and drop zones in the filter table only (RHBZ#1055190)
- Allow RAs prior to applying IPv6_rpfilter (RHBZ#1058505)
2014-02-05 17:52:17 +01:00
Jiri Popelka
660f9abf4a fix regression introduced in 0.3.9 (RHBZ#1053932) 2014-01-17 07:03:33 +01:00
Jiri Popelka
3c3e49e817 0.3.9.1 2014-01-16 16:11:10 +01:00
Jiri Popelka
ad89fb7fd0 0.3.9 2014-01-13 17:22:51 +01:00
Jiri Popelka
15e74e15b5 0.3.8 - memleaks fixed, python3 support 2013-11-05 16:06:55 +01:00
Jiri Popelka
71ed8131bf 0.3.7 2013-10-17 17:30:19 +02:00
Jiri Popelka
f9bb7ae3b6 0.3.6.2
firewall-offline-cmd: --forward-port 'toaddr' is optional (RHBZ#1014958)
firewall-cmd: fix variable name (RHBZ#1015011)
2013-10-04 17:38:32 +02:00
Jiri Popelka
8606b62ae8 0.3.6.1: removed superfluous po files 2013-10-03 11:06:47 +02:00
Jiri Popelka
87ffdf6d8d 0.3.6 2013-10-02 16:41:08 +02:00
Jiri Popelka
606593b832 0.3.5 2013-09-30 14:05:37 +02:00
Thomas Woerner
e7b59ed68a New version 0.3.4
- several rich rule check enhancements and fixes
- firewall-cmd: direct options - check ipv4|ipv6|eb (RHBZ#970505)
- firewall-cmd(1): improve description of direct options (RHBZ#970509)
- several firewall-applet enhancements and fixes
- New README
- several doc and man page fixes
- Service definitions for PCP daemons (RHBZ#972262)
- bash-completion: add lockdown and rich language options
- firewall-cmd: add --permanent --list-all[-zones]
- firewall-cmd: new -q/--quiet option
- firewall-cmd: warn when default zone not active (RHBZ#971843)
- firewall-cmd: check priority in --add-rule (RHBZ#914955)
- add dhcpv6 (for server) service (RHBZ#917866)
- firewall-cmd: add --permanent --get-zone-of-interface/source --change-interface/source
- firewall-cmd: print result (yes/no) of all --query-* commands
- move permanent-getZoneOf{Interface|Source} from firewall-cmd to server
- Check Interfaces/sources when updating permanent zone settings.
- FirewallDConfig: getZoneOfInterface/Source can actually return more zones
- Fixed toaddr check in forward port to only allow single address, no range
- firewall-cmd: various output improvements
- fw_zone: use check_single_address from firewall.functions
- getZoneOfInterface/Source does not need to throw exception
- firewall.functions: Use socket.inet_pton in checkIP, fixed checkIP*nMask
- firewall.core.io.service: Properly check port/proto and destination address
- Install applet desktop file into /etc/xdg/autostart
- Fixed option problem with rich rule destinations (RHBZ#979804)
- Better exception creation in dbus_handle_exceptions() decorator (RHBZ#979790)
- Updated firewall-offline-cmd
- Use priority in add, remove, query and list of direct rules (RHBZ#979509)
- New documentation (man pages are created from docbook sources)
- firewall/core/io/direct.py: use prirority for rule methods, new get_all_ methods
- direct: pass priority also to client.py and firewall-cmd
- applet: New blink and blink-count settings
- firewall.functions: New function ppid_of_pid
- applet: Check for gnome3 and fix it, use new settings, new size-changed cb
- firewall-offline-cmd: Fix use of systemctl in chroot
- firewall-config: use string.ascii_letters instead of string.letters
- dbus_to_python(): handle non-ascii chars in dbus.String.
- Modernize old syntax constructions.
- dict.keys() in Python 3 returns a "view" instead of list
- Use gettext.install() to install _() in builtins namespace.
- Allow non-ascii chars in 'short' and 'description'
- README: More information for "Working With The Source Repository"
- Build environment fixes
- firewalld.spec: Added missing checks for rhel > 6 for pygobject3-base
- firewall-applet: New setting show-inactive
- Don't stop on reload when lockdown already enabled (RHBZ#987403)
- firewall-cmd: --lockdown-on/off did not touch firewalld.conf
- FirewallApplet.gschema.xml: Dropped unused sender-info setting
- doc/firewall-applet.xml: Added information about gsettings
- several debug and log message fixes
- Add chain for sources so they can be checked before interfaces (RHBZ#903222)
- Add dhcp and proxy-dhcp services (RHBZ#986947)
- io/Zone(): don't error on deprecated family attr of source elem
- Limit length of zone file name (to 12 chars) due to Netfilter internals.
- It was not possible to overload a zone with defined source(s).
- DEFAULT_ZONE_TARGET: {chain}_ZONE_{zone} -> {chain}_{zone}
- New runtime get<X>Settings for services and icmptypes, fixed policies callbacks
- functions: New functions checkUser, checkUid and checkCommand
- src/firewall/client: Fixed lockdown-whitelist-updated signal handling
- firewall-cmd(1): move firewalld.richlanguage(5) reference in --*-rich-rule
- Rich rule service: Only add modules for accept action
- firewall/core/rich: Several fixes and enhanced checks
- Fixed reload of direct rules
- firewall/client: New functions to set and get the exception handler
- firewall-config: New and enhanced UI to handle lockdown and rich rules
- zone's immutable attribute is redundant
- Do not allow to set settings in config for immutable zones.
- Ignore deprecated 'immutable' attribute in zone files.
- Eviscerate 'immutable' completely.
- FirewallDirect.query_rule(): fix it
- permanent direct: activate firewall.core.io.direct:Direct reader
- core/io/*: simplify getting of character data
- FirewallDirect.set_config(): allow reloading
2013-07-30 20:09:59 +02:00
Thomas Woerner
158ba25727 - Fixed rich rule check for use in D-Bus 2013-06-07 13:06:32 +02:00
Thomas Woerner
09913dec88 New version 0.3.3
- new service files
- relicensed logger.py under GPLv2+
- firewall-config: sometimes we don't want to use client's exception handler
- When removing Service/IcmpType remove it from zones too (RHBZ#958401)
- firewall-config: work-around masquerade_check_cb() being called more times
- Zone(IO): add interfaces/sources to D-Bus signature
- Added missing UNKNOWN_SOURCE error code
- fw_zone.check_source: Raise INVALID_FAMILY if family is invalid
- New changeZoneOfInterface method, marked changeZone as deprecated
- Fixed firewall-cmd man page entry for --panic-on
- firewall-applet: Fixed possible problems of unescaped strings used for markup
- New support to bind zones to source addresses and ranges (D-BUS, cmd, applet
- Cleanup of unused variables in FirewallD.start
- New firewall/fw_types.py with LastUpdatedOrderedDict
- direct.chains, direct.rules: Using LastUpdatedOrderedDict
- Support splitted zone files
- New reader and writer for stored direct chains and rules
- LockdownWhitelist: fix write(), add get_commands/uids/users/contexts()
- fix service_writer() and icmptype_writer() to put newline at end of file
- firewall-cmd: fix --list-sources
- No need to specify whether source address family is IPv4 or IPv6
- add getZoneOfSource() to D-Bus interface
- Add tests and bash-completion for the new "source" operations
- Convert all input args in D-Bus methods
- setDefaultZone() was calling accessCheck() *after* the action
- New uniqify() function to remove duplicates from list whilst preserving order
- Zone.combine() merge also services and ports
- config/applet: silence DBusException during start when FirewallD is not running (RHBZ#966518)
- firewall-applet: more fixes to make the address sources family agnostic
- Better defaults for lockdown white list
- Use auth_admin_keep for allow_any and allow_inactive also
- New D-Bus API for lockdown policies
- Use IPv4, IPv6 and BRIDGE for FirewallD properties
- Use rich rule action as audit type
- Prototype of string-only D-Bus interface for rich language
- Fixed wrongly merged source family check in firewall/core/io/zone.py
- handle_cmr: report errors, cleanup modules in error case only, mark handling
- Use audit type from rule action, fixed rule output
- Fixed lockdown whitelist D-Bus handling method names
- New rich rule handling in runtime D-Bus interface
- Added interface, source and rich rule handling (runtime and permanent)
- Fixed dbus_obj in FirewallClientConfigPolicies, added queryLockdown
- Write changes in setLockdownWhitelist
- Fixed typo in policies log message in method calls
- firewall-cmd: Added rich rule, lockdown and lockdown whitelist handling
- Don't check access in query/getLockdownWhitelist*()
- firewall-cmd: Also output masquerade flag in --list-all
- firewall-cmd: argparse is able to convert argument to desired type itself
- firewall-cmd_test.sh: tests for permanent interfaces/sources and lockdown whitelist
- Makefile.am: add missing files
- firewall-cmd_test.sh: tests for rich rules
- Added lockdown, source, interface and rich rule docs to firewall-cmd
- Do not masquerade lo if masquerade is enabled in the default zone (RHBZ#904098)
- Use <rule> in metavar for firewall-cmd parser
2013-06-06 18:16:48 +02:00
Jiri Popelka
153e91a20e removed unintentional en_US.po from tarball 2013-05-10 12:15:41 +02:00