import UBI firewalld-0.9.11-10.el8_10

.firewalld.metadata

@@ -1 +1 @@
-69d687526f2d2483470e5175b246f462fd84ee0b SOURCES/firewalld-0.9.3.tar.gz
+e5b8b96e901d81ea8e806f44306acbf73487f3ad SOURCES/firewalld-0.9.11.tar.gz

.gitignore

@@ -1 +1 @@
-SOURCES/firewalld-0.9.3.tar.gz
+SOURCES/firewalld-0.9.11.tar.gz

SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch

@@ -1,7 +1,7 @@
-From 87ecae78c07da6db1faa18504b06345ab3ba51a0 Mon Sep 17 00:00:00 2001
+From feb06c3d50c737183c08fd05592d5c9209f4b966 Mon Sep 17 00:00:00 2001
 From: Eric Garver <e@erig.me>
 Date: Mon, 9 Jul 2018 11:29:33 -0400
-Subject: [PATCH 01/22] RHEL only: Add cockpit by default to some zones
+Subject: [PATCH 01/10] RHEL only: Add cockpit by default to some zones
 
 Fixes: #1581578
 ---
@@ -53,13 +53,13 @@ index 6ea5550a40bd..9609ee6f65c2 100644
 +  <service name="cockpit"/>
  </zone>
 diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 582fdcc19314..6b1263b178dc 100644
+index 72db26d5ce0c..2f8183966760 100644
 --- a/src/tests/functions.at
 +++ b/src/tests/functions.at
-@@ -105,6 +105,13 @@ m4_define([FWD_START_TEST], [
+@@ -112,6 +112,13 @@ m4_define([FWD_START_TEST], [
+     fi
  
      m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
-         AT_KEYWORDS(offline)
 +        dnl cockpit is added by default downstream, but upstream tests don't expect
 +        dnl it. Simply remove it at the start of every test.
 +        dnl
@@ -68,9 +68,9 @@ index 582fdcc19314..6b1263b178dc 100644
 +        FWD_OFFLINE_CHECK([--zone public --remove-service-from-zone cockpit], 0, [ignore])
 +        FWD_OFFLINE_CHECK([--zone work --remove-service-from-zone cockpit], 0, [ignore])
      ], [
-         m4_define_default([FIREWALL_BACKEND], [nftables])
- 
-@@ -226,6 +233,18 @@ m4_define([FWD_START_TEST], [
+         dnl don't unload modules or bother cleaning up, the namespace will be deleted
+         AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
+@@ -229,6 +236,18 @@ m4_define([FWD_START_TEST], [
          ])
  
          FWD_START_FIREWALLD
@@ -90,5 +90,5 @@ index 582fdcc19314..6b1263b178dc 100644
  ])
  
 -- 
-2.27.0
+2.39.1
 

SOURCES/0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch

@@ -1,7 +1,7 @@
-From bccc66877af7baa95e70c4314e3016ac78c4bbc7 Mon Sep 17 00:00:00 2001
+From 6b88f757186f0b6479c2a334c0c0362a2ba05570 Mon Sep 17 00:00:00 2001
 From: Eric Garver <eric@garver.life>
 Date: Tue, 4 Feb 2020 09:12:17 -0500
-Subject: [PATCH 02/22] RHEL only: default to AllowZoneDrifting=yes
+Subject: [PATCH 02/10] RHEL only: default to AllowZoneDrifting=yes
 
 ---
  config/firewalld.conf              | 4 ++--
@@ -12,10 +12,10 @@ Subject: [PATCH 02/22] RHEL only: default to AllowZoneDrifting=yes
  5 files changed, 10 insertions(+), 5 deletions(-)
 
 diff --git a/config/firewalld.conf b/config/firewalld.conf
-index 532f0452212e..f791b2358ab8 100644
+index 99d573dcf06f..a0556c0bbf5b 100644
 --- a/config/firewalld.conf
 +++ b/config/firewalld.conf
-@@ -71,5 +71,5 @@ RFC3964_IPv4=yes
+@@ -73,5 +73,5 @@ RFC3964_IPv4=yes
  # Note: If "yes" packets will only drift from source based zones to interface
  # based zones (including the default zone). Packets never drift from interface
  # based zones to other interfaces based zones (including the default zone).
@@ -24,10 +24,10 @@ index 532f0452212e..f791b2358ab8 100644
 +# Possible values; "yes", "no". Defaults to "yes".
 +AllowZoneDrifting=yes
 diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
-index fcfbfd2b68c1..c21ef87813bc 100644
+index 8155c547a216..0a6e8f2fdebf 100644
 --- a/doc/xml/firewalld.conf.xml
 +++ b/doc/xml/firewalld.conf.xml
-@@ -197,7 +197,7 @@
+@@ -206,7 +206,7 @@
                  to interface based zones (including the default zone). Packets
                  never drift from interface based zones to other interfaces
                  based zones (including the default zone).
@@ -37,7 +37,7 @@ index fcfbfd2b68c1..c21ef87813bc 100644
              </listitem>
          </varlistentry>
 diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
-index b75067e12c51..d68c775ee5bf 100644
+index da442f3f41b9..1c33ad5ee918 100644
 --- a/doc/xml/firewalld.dbus.xml
 +++ b/doc/xml/firewalld.dbus.xml
 @@ -2787,7 +2787,7 @@
@@ -60,10 +60,10 @@ index e875e849dec1..0dec7913f694 100644
 -FALLBACK_ALLOW_ZONE_DRIFTING = False
 +FALLBACK_ALLOW_ZONE_DRIFTING = True
 diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 6b1263b178dc..7ac28d514233 100644
+index 2f8183966760..a2989c6345da 100644
 --- a/src/tests/functions.at
 +++ b/src/tests/functions.at
-@@ -123,6 +123,11 @@ m4_define([FWD_START_TEST], [
+@@ -126,6 +126,11 @@ m4_define([FWD_START_TEST], [
          dnl set the appropriate backend
          AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
  
@@ -76,5 +76,5 @@ index 6b1263b178dc..7ac28d514233 100644
          dnl kernels.
          m4_if(nftables, FIREWALL_BACKEND, [
 -- 
-2.27.0
+2.39.1
 

SOURCES/0003-v1.0.0-feat-service-add-galera-service-Fixes-rhbz169.patch

@@ -1,7 +1,8 @@
-From 78f004c3cbe01107aadd26771c07e479507f2d62 Mon Sep 17 00:00:00 2001
+From 17a69c4dd7feff3c6101b5541497b8304447ed40 Mon Sep 17 00:00:00 2001
 From: Vrinda Punj <vpunj@redhat.com>
 Date: Tue, 1 Dec 2020 11:58:19 -0500
-Subject: [PATCH 03/22] feat(service): add galera service Fixes: rhbz1696260
+Subject: [PATCH 03/10] v1.0.0: feat(service): add galera service Fixes:
+ rhbz1696260
 
 (cherry picked from commit 11632147677464cb7121d17526ead242e68be041)
 ---
@@ -51,5 +52,5 @@ index 666eb677855b..249cff8d0d2f 100644
  config/services/ganglia-master.xml
  config/services/git.xml
 -- 
-2.27.0
+2.39.1
 

SOURCES/0004-fix-dbus-conf-setting-deprecated-properties-should-b.patch

@@ -1,85 +0,0 @@
-From 9c26e2d1eb45c5afc0e6430d2736aeefe9f07cf1 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Mon, 25 Jan 2021 11:29:48 -0500
-Subject: [PATCH 04/22] fix(dbus): conf: setting deprecated properties should
- be ignored
-
-They weren't being written to the config file, but the runtime dbus
-values were being changed.
-
-(cherry picked from commit 9001e0cfc18fdcf8526d774fad396414d223c70a)
-(cherry picked from commit e8451a455461b5cf177ea8a9aaab7a5e5100991b)
----
- src/firewall/server/config.py    | 23 +++++------------------
- src/tests/dbus/firewalld.conf.at |  4 ++--
- 2 files changed, 7 insertions(+), 20 deletions(-)
-
-diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
-index 1f832a459915..031ef5d1afaa 100644
---- a/src/firewall/server/config.py
-+++ b/src/firewall/server/config.py
-@@ -706,22 +706,11 @@ class FirewallDConfig(slip.dbus.service.Object):
-         self.accessCheck(sender)
- 
-         if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
--            if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
-+            if property_name in [ "CleanupOnExit", "Lockdown",
-                                   "IPv6_rpfilter", "IndividualCalls",
--                                  "LogDenied", "AutomaticHelpers",
-+                                  "LogDenied",
-                                   "FirewallBackend", "FlushAllOnReload",
-                                   "RFC3964_IPv4", "AllowZoneDrifting" ]:
--                if property_name == "MinimalMark":
--                    try:
--                        int(new_value)
--                    except ValueError:
--                        raise FirewallError(errors.INVALID_MARK, new_value)
--                try:
--                    new_value = str(new_value)
--                except:
--                    raise FirewallError(errors.INVALID_VALUE,
--                                        "'%s' for %s" % \
--                                        (new_value, property_name))
-                 if property_name in [ "CleanupOnExit", "Lockdown",
-                                       "IPv6_rpfilter", "IndividualCalls" ]:
-                     if new_value.lower() not in [ "yes", "no",
-@@ -734,11 +723,6 @@ class FirewallDConfig(slip.dbus.service.Object):
-                         raise FirewallError(errors.INVALID_VALUE,
-                                             "'%s' for %s" % \
-                                             (new_value, property_name))
--                if property_name == "AutomaticHelpers":
--                    if new_value not in config.AUTOMATIC_HELPERS_VALUES:
--                        raise FirewallError(errors.INVALID_VALUE,
--                                            "'%s' for %s" % \
--                                            (new_value, property_name))
-                 if property_name == "FirewallBackend":
-                     if new_value not in config.FIREWALL_BACKEND_VALUES:
-                         raise FirewallError(errors.INVALID_VALUE,
-@@ -764,6 +748,9 @@ class FirewallDConfig(slip.dbus.service.Object):
-                 self.config.get_firewalld_conf().write()
-                 self.PropertiesChanged(interface_name,
-                                        { property_name: new_value }, [ ])
-+            elif property_name in ["MinimalMark", "AutomaticHelpers"]:
-+                # deprecated fields. Ignore setting them.
-+                pass
-             else:
-                 raise dbus.exceptions.DBusException(
-                     "org.freedesktop.DBus.Error.InvalidArgs: "
-diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
-index cc15318c78dc..9fc5502a8d0b 100644
---- a/src/tests/dbus/firewalld.conf.at
-+++ b/src/tests/dbus/firewalld.conf.at
-@@ -37,8 +37,8 @@ $3
- ])
- 
- dnl Test individual Set/Get
--_helper([MinimalMark], [int32:1234], [variant int32 1234])
--_helper([AutomaticHelpers], [string:"no"], [variant string "no"])
-+_helper([MinimalMark], [int32:1234], [variant int32 100])
-+_helper([AutomaticHelpers], [string:"yes"], [variant string "no"])
- _helper([Lockdown], [string:"yes"], [variant string "yes"])
- _helper([LogDenied], [string:"all"], [variant string "all"])
- _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
--- 
-2.27.0
-

SOURCES/0004-v1.0.0-fix-ipset-normalize-entries-in-CIDR-notation.patch

@@ -1,7 +1,7 @@
-From e399840e91c766531923c017ffa00bbc01e7bbe6 Mon Sep 17 00:00:00 2001
+From 430dee713b69a32e5c5bf6b1f68a605564fe93ef Mon Sep 17 00:00:00 2001
 From: Eric Garver <eric@garver.life>
 Date: Fri, 12 Feb 2021 14:23:21 -0500
-Subject: [PATCH 35/36] fix(ipset): normalize entries in CIDR notation
+Subject: [PATCH 04/10] v1.0.0: fix(ipset): normalize entries in CIDR notation
 
 This will convert things like 10.0.1.0/22 to 10.0.0.0/22. Fix up test
 cases in which the error code changed due to this.
@@ -62,7 +62,7 @@ index 51bf09c8fad6..aa6bd7cd282b 100644
  
  # ipset config
 diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
-index 6ebda2d56213..e5348949413c 100644
+index e90082407562..57e0e6cb51db 100644
 --- a/src/firewall/core/fw_ipset.py
 +++ b/src/firewall/core/fw_ipset.py
 @@ -24,7 +24,8 @@
@@ -83,7 +83,7 @@ index 6ebda2d56213..e5348949413c 100644
  
          IPSet.check_entry(entry, obj.options, obj.type)
          if entry in obj.entries:
-@@ -208,6 +210,7 @@ class FirewallIPSet(object):
+@@ -207,6 +209,7 @@ class FirewallIPSet(object):
  
      def remove_entry(self, name, entry):
          obj = self.get_ipset(name, applied=True)
@@ -91,7 +91,7 @@ index 6ebda2d56213..e5348949413c 100644
  
          # no entry check for removal
          if entry not in obj.entries:
-@@ -226,6 +229,7 @@ class FirewallIPSet(object):
+@@ -224,6 +227,7 @@ class FirewallIPSet(object):
  
      def query_entry(self, name, entry):
          obj = self.get_ipset(name, applied=True)
@@ -99,7 +99,7 @@ index 6ebda2d56213..e5348949413c 100644
          if "timeout" in obj.options and obj.options["timeout"] != "0":
              # no entries visible for ipsets with timeout
              raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
-@@ -239,6 +243,11 @@ class FirewallIPSet(object):
+@@ -237,6 +241,11 @@ class FirewallIPSet(object):
      def set_entries(self, name, entries):
          obj = self.get_ipset(name, applied=True)
  
@@ -238,5 +238,5 @@ index ede2c45b88c1..a716539a8acf 100644
 +              -e '/Kernel support protocol versions/d'dnl
 +              -e '/WARNING: ALREADY_ENABLED:/d'])
 -- 
-2.27.0
+2.39.1
 

SOURCES/0005-test-nftables-normalize-reject-statement-output.patch

@@ -1,29 +0,0 @@
-From 41aee42de0f55e45b55f94a66d31731697e5fc73 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Wed, 3 Feb 2021 14:37:44 -0500
-Subject: [PATCH 05/22] test(nftables): normalize reject statement output
-
-The output became more verbose in nftables commit 7ca3368cd757 ("reject:
-Unify inet, netdev and bridge delinearization").
-
-(cherry picked from commit 00835e746cf48c73e386d3ad24af7e8fcf3c73ed)
-(cherry picked from commit a47186bda1a308a34b5e114a634ae6450d17205b)
----
- src/tests/functions.at | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 7ac28d514233..4c8a4603f287 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -419,6 +419,7 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
-         -e '/type.*hook.*priority.*policy.*/d'dnl
-         dnl tranform ct state { established,related } to ct state established,related
-         -e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl
-+        -e 's/reject with icmp[[x6]]\? type port-unreachable/reject/' dnl
- ])
- 
- m4_define([NFT_LIST_RULES_ALWAYS], [
--- 
-2.27.0
-

SOURCES/0005-v1.0.0-fix-ipset-disallow-overlapping-entries.patch

@@ -1,7 +1,7 @@
-From 3d7ec2dabb164cbc2dce5aa8aa37ae156ebad275 Mon Sep 17 00:00:00 2001
+From bba9a6860dd358791d0be3f075718d7cf8dca261 Mon Sep 17 00:00:00 2001
 From: Eric Garver <eric@garver.life>
 Date: Tue, 23 Feb 2021 09:18:33 -0500
-Subject: [PATCH 36/36] fix(ipset): disallow overlapping entries
+Subject: [PATCH 05/10] v1.0.0: fix(ipset): disallow overlapping entries
 
 These are already being blocked by the ipset backend, but we should
 catch them higher up to avoid differences in the backends.
@@ -45,7 +45,7 @@ index aa6bd7cd282b..3715ffd29316 100644
          else:
              raise FirewallError(errors.ALREADY_ENABLED, entry)
 diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
-index e5348949413c..a285fd4a4aab 100644
+index 57e0e6cb51db..711c86a062be 100644
 --- a/src/firewall/core/fw_ipset.py
 +++ b/src/firewall/core/fw_ipset.py
 @@ -25,7 +25,7 @@ __all__ = [ "FirewallIPSet" ]
@@ -65,7 +65,7 @@ index e5348949413c..a285fd4a4aab 100644
  
          try:
              for backend in self.backends():
-@@ -245,6 +246,7 @@ class FirewallIPSet(object):
+@@ -243,6 +244,7 @@ class FirewallIPSet(object):
  
          _entries = set()
          for _entry in entries:
@@ -153,5 +153,5 @@ index b5165d94b220..fd08afd3b57c 100644
 -FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d'])
 +FWD_END_TEST([-e '/ERROR: INVALID_ENTRY:/d'])
 -- 
-2.27.0
+2.39.1
 

SOURCES/0006-test-nftables-fix-normalization-of-reject-statement-.patch

@@ -1,29 +0,0 @@
-From f29791c69afc760c2356c9d72d4c1d7333e7b814 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Wed, 3 Feb 2021 17:02:42 -0500
-Subject: [PATCH 06/22] test(nftables): fix normalization of reject statement
- output for icmpv6
-
-Fixes: 00835e746cf4 ("test(nftables): normalize reject statement output")
-(cherry picked from commit 3a3b4676ccb7b40cf304b773456dec2662783425)
-(cherry picked from commit 3bfef89745cfb2c4d90d721c377a409de9c60611)
----
- src/tests/functions.at | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 4c8a4603f287..562bc6105a8f 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -419,7 +419,7 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
-         -e '/type.*hook.*priority.*policy.*/d'dnl
-         dnl tranform ct state { established,related } to ct state established,related
-         -e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl
--        -e 's/reject with icmp[[x6]]\? type port-unreachable/reject/' dnl
-+        -e 's/reject with icmp\(x\|v6\)\? type port-unreachable/reject/' dnl
- ])
- 
- m4_define([NFT_LIST_RULES_ALWAYS], [
--- 
-2.27.0
-

SOURCES/0006-v1.0.0-feat-config-add-CleanupModulesOnExit-configur.patch

@@ -0,0 +1,302 @@
+From 4779d5bf08ff1c24777df4b88b4af2e8e5918f84 Mon Sep 17 00:00:00 2001
+From: Paul Laufer <50234787+refual@users.noreply.github.com>
+Date: Fri, 27 Nov 2020 12:23:11 +0100
+Subject: [PATCH 06/10] v1.0.0: feat(config): add CleanupModulesOnExit
+ configuration option
+
+Fixes: rhbz 1520532
+Fixes: #533
+Closes: #721
+(cherry picked from commit 152a51537a7840afd0879ab4b60178bef4ec16a2)
+---
+ config/firewalld.conf                  |  9 +++++++-
+ doc/xml/firewalld.conf.xml             | 11 ++++++++++
+ doc/xml/firewalld.dbus.xml             |  9 ++++++++
+ src/firewall/config/__init__.py.in     |  1 +
+ src/firewall/core/fw.py                | 29 +++++++++++++++++++-------
+ src/firewall/core/io/firewalld_conf.py | 19 +++++++++++++----
+ src/firewall/server/config.py          | 23 +++++++++++++-------
+ src/tests/dbus/firewalld.conf.at       |  2 ++
+ 8 files changed, 82 insertions(+), 21 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index a0556c0bbf5b..3abbc9c998c1 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -7,10 +7,17 @@ DefaultZone=public
+ 
+ # Clean up on exit
+ # If set to no or false the firewall configuration will not get cleaned up
+-# on exit or stop of firewalld
++# on exit or stop of firewalld.
+ # Default: yes
+ CleanupOnExit=yes
+ 
++# Clean up kernel modules on exit
++# If set to yes or true the firewall related kernel modules will be
++# unloaded on exit or stop of firewalld. This might attempt to unload
++# modules not originally loaded by firewalld.
++# Default: no
++CleanupModulesOnExit=no
++
+ # Lockdown
+ # If set to enabled, firewall changes with the D-Bus interface will be limited
+ # to applications that are listed in the lockdown whitelist.
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index 0a6e8f2fdebf..3ae531bcd94a 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -88,6 +88,17 @@
+ 	</listitem>
+       </varlistentry>
+ 
++      <varlistentry>
++        <term><option>CleanupModulesOnExit</option></term>
++        <listitem>
++          <para>
++            Setting this option to yes or true unloads all firewall-related
++            kernel modules when firewalld is stopped. The default value is no
++            or false.
++          </para>
++        </listitem>
++      </varlistentry>
++
+       <varlistentry>
+ 	<term><option>CleanupOnExit</option></term>
+         <listitem>
+diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
+index 1c33ad5ee918..cc4593e1883f 100644
+--- a/doc/xml/firewalld.dbus.xml
++++ b/doc/xml/firewalld.dbus.xml
+@@ -2798,6 +2798,15 @@
+               </para>
+             </listitem>
+           </varlistentry>
++          <varlistentry id="FirewallD1.config.Properties.CleanupModulesOnExit">
++            <term>CleanupModulesOnExit - s - (rw)</term>
++            <listitem>
++              <para>
++                Setting this option to yes or true unloads all firewall-related
++                kernel modules when firewalld is stopped.
++              </para>
++            </listitem>
++          </varlistentry>
+           <varlistentry id="FirewallD1.config.Properties.CleanupOnExit">
+             <term>CleanupOnExit - s - (rw)</term>
+             <listitem>
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 0dec7913f694..5d6d769fbf15 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -125,6 +125,7 @@ FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
+ FALLBACK_ZONE = "public"
+ FALLBACK_MINIMAL_MARK = 100
+ FALLBACK_CLEANUP_ON_EXIT = True
++FALLBACK_CLEANUP_MODULES_ON_EXIT = False
+ FALLBACK_LOCKDOWN = False
+ FALLBACK_IPV6_RPFILTER = True
+ FALLBACK_INDIVIDUAL_CALLS = False
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 3eb54e37ab5c..4171697bdb94 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -105,12 +105,13 @@ class Firewall(object):
+         self.__init_vars()
+ 
+     def __repr__(self):
+-        return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \
++        return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \
+             (self.__class__, self.ip4tables_enabled, self.ip6tables_enabled,
+              self.ebtables_enabled, self._state, self._panic,
+              self._default_zone, self._module_refcount, self._marks,
+-             self.cleanup_on_exit, self.ipv6_rpfilter_enabled,
+-             self.ipset_enabled, self._individual_calls, self._log_denied)
++             self.cleanup_on_exit, self.cleanup_modules_on_exit,
++             self.ipv6_rpfilter_enabled, self.ipset_enabled,
++             self._individual_calls, self._log_denied)
+ 
+     def __init_vars(self):
+         self._state = "INIT"
+@@ -120,6 +121,7 @@ class Firewall(object):
+         self._marks = [ ]
+         # fallback settings will be overloaded by firewalld.conf
+         self.cleanup_on_exit = config.FALLBACK_CLEANUP_ON_EXIT
++        self.cleanup_modules_on_exit = config.FALLBACK_CLEANUP_MODULES_ON_EXIT
+         self.ipv6_rpfilter_enabled = config.FALLBACK_IPV6_RPFILTER
+         self._individual_calls = config.FALLBACK_INDIVIDUAL_CALLS
+         self._log_denied = config.FALLBACK_LOG_DENIED
+@@ -232,6 +234,13 @@ class Firewall(object):
+                 log.debug1("CleanupOnExit is set to '%s'",
+                            self.cleanup_on_exit)
+ 
++            if self._firewalld_conf.get("CleanupModulesOnExit"):
++                value = self._firewalld_conf.get("CleanupModulesOnExit")
++                if value is not None and value.lower() in [ "yes", "true" ]:
++                    self.cleanup_modules_on_exit = True
++                log.debug1("CleanupModulesOnExit is set to '%s'",
++                           self.cleanup_modules_on_exit)
++
+             if self._firewalld_conf.get("Lockdown"):
+                 value = self._firewalld_conf.get("Lockdown")
+                 if value is not None and value.lower() in [ "yes", "true" ]:
+@@ -667,11 +676,15 @@ class Firewall(object):
+         self.__init_vars()
+ 
+     def stop(self):
+-        if self.cleanup_on_exit and not self._offline:
+-            self.flush()
+-            self.ipset.flush()
+-            self.set_policy("ACCEPT")
+-            self.modules_backend.unload_firewall_modules()
++        if not self._offline:
++            if self.cleanup_on_exit:
++                self.flush()
++                self.ipset.flush()
++                self.set_policy("ACCEPT")
++
++            if self.cleanup_modules_on_exit:
++                log.debug1('Unloading firewall kernel modules')
++                self.modules_backend.unload_firewall_modules()
+ 
+         self.cleanup()
+ 
+diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
+index 7c7092120676..70258400ef06 100644
+--- a/src/firewall/core/io/firewalld_conf.py
++++ b/src/firewall/core/io/firewalld_conf.py
+@@ -28,10 +28,11 @@ from firewall import config
+ from firewall.core.logger import log
+ from firewall.functions import b2u, u2b, PY2
+ 
+-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
+-               "IPv6_rpfilter", "IndividualCalls", "LogDenied",
+-               "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload",
+-               "RFC3964_IPv4", "AllowZoneDrifting" ]
++valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit",
++               "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
++               "IndividualCalls", "LogDenied", "AutomaticHelpers",
++               "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
++               "AllowZoneDrifting" ]
+ 
+ class firewalld_conf(object):
+     def __init__(self, filename):
+@@ -75,6 +76,7 @@ class firewalld_conf(object):
+             self.set("DefaultZone", config.FALLBACK_ZONE)
+             self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK))
+             self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no")
++            self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no")
+             self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no")
+             self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no")
+             self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
+@@ -135,6 +137,15 @@ class firewalld_conf(object):
+                             config.FALLBACK_CLEANUP_ON_EXIT)
+             self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no")
+ 
++        # check module cleanup on exit
++        value = self.get("CleanupModulesOnExit")
++        if not value or value.lower() not in [ "no", "false", "yes", "true" ]:
++            if value is not None:
++                log.warning("CleanupModulesOnExit '%s' is not valid, using default "
++                            "value %s", value if value else '',
++                            config.FALLBACK_CLEANUP_MODULES_ON_EXIT)
++            self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no")
++
+         # check lockdown
+         value = self.get("Lockdown")
+         if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
+diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
+index 031ef5d1afaa..8815920c6893 100644
+--- a/src/firewall/server/config.py
++++ b/src/firewall/server/config.py
+@@ -100,6 +100,7 @@ class FirewallDConfig(slip.dbus.service.Object):
+         dbus_introspection_prepare_properties(self,
+                                               config.dbus.DBUS_INTERFACE_CONFIG,
+                                               { "CleanupOnExit": "readwrite",
++                                                "CleanupModulesOnExit": "readwrite",
+                                                 "IPv6_rpfilter": "readwrite",
+                                                 "Lockdown": "readwrite",
+                                                 "MinimalMark": "readwrite",
+@@ -554,9 +555,9 @@ class FirewallDConfig(slip.dbus.service.Object):
+     @dbus_handle_exceptions
+     def _get_property(self, prop):
+         if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
+-                         "Lockdown", "IPv6_rpfilter", "IndividualCalls",
+-                         "LogDenied", "AutomaticHelpers", "FirewallBackend",
+-                         "FlushAllOnReload", "RFC3964_IPv4",
++                         "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
++                         "IndividualCalls", "LogDenied", "AutomaticHelpers",
++                         "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
+                          "AllowZoneDrifting" ]:
+             raise dbus.exceptions.DBusException(
+                 "org.freedesktop.DBus.Error.InvalidArgs: "
+@@ -578,6 +579,10 @@ class FirewallDConfig(slip.dbus.service.Object):
+             if value is None:
+                 value = "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no"
+             return dbus.String(value)
++        elif prop == "CleanupModulesOnExit":
++            if value is None:
++                value = "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no"
++            return dbus.String(value)
+         elif prop == "Lockdown":
+             if value is None:
+                 value = "yes" if config.FALLBACK_LOCKDOWN else "no"
+@@ -623,6 +628,8 @@ class FirewallDConfig(slip.dbus.service.Object):
+             return dbus.Int32(self._get_property(prop))
+         elif prop == "CleanupOnExit":
+             return dbus.String(self._get_property(prop))
++        elif prop == "CleanupModulesOnExit":
++            return dbus.String(self._get_property(prop))
+         elif prop == "Lockdown":
+             return dbus.String(self._get_property(prop))
+         elif prop == "IPv6_rpfilter":
+@@ -679,9 +686,9 @@ class FirewallDConfig(slip.dbus.service.Object):
+         ret = { }
+         if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
+             for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
+-                       "Lockdown", "IPv6_rpfilter", "IndividualCalls",
+-                       "LogDenied", "AutomaticHelpers", "FirewallBackend",
+-                       "FlushAllOnReload", "RFC3964_IPv4",
++                       "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
++                       "IndividualCalls", "LogDenied", "AutomaticHelpers",
++                       "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
+                        "AllowZoneDrifting" ]:
+                 ret[x] = self._get_property(x)
+         elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
+@@ -706,12 +713,12 @@ class FirewallDConfig(slip.dbus.service.Object):
+         self.accessCheck(sender)
+ 
+         if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
+-            if property_name in [ "CleanupOnExit", "Lockdown",
++            if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit",
+                                   "IPv6_rpfilter", "IndividualCalls",
+                                   "LogDenied",
+                                   "FirewallBackend", "FlushAllOnReload",
+                                   "RFC3964_IPv4", "AllowZoneDrifting" ]:
+-                if property_name in [ "CleanupOnExit", "Lockdown",
++                if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit",
+                                       "IPv6_rpfilter", "IndividualCalls" ]:
+                     if new_value.lower() not in [ "yes", "no",
+                                                   "true", "false" ]:
+diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
+index 9fc5502a8d0b..9a04a3bd491c 100644
+--- a/src/tests/dbus/firewalld.conf.at
++++ b/src/tests/dbus/firewalld.conf.at
+@@ -17,6 +17,7 @@ dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
+ DBUS_GETALL([config], [config], 0, [dnl
+ string "AllowZoneDrifting" : variant string "no"
+ string "AutomaticHelpers" : variant string "no"
++string "CleanupModulesOnExit" : variant string "no"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+ string "FirewallBackend" : variant string "nftables"
+@@ -45,6 +46,7 @@ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
+ _helper([IndividualCalls], [string:"yes"], [variant string "yes"])
+ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
+ _helper([FlushAllOnReload], [string:"no"], [variant string "no"])
++_helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"])
+ _helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
+ _helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
+ _helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
+-- 
+2.39.1
+

SOURCES/0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch

@@ -0,0 +1,95 @@
+From 82b49bd47d0073f2c2bc4bd296c1a52e4d4d3732 Mon Sep 17 00:00:00 2001
+From: Eric Garver <egarver@redhat.com>
+Date: Mon, 20 Dec 2021 13:56:55 -0500
+Subject: [PATCH 07/10] RHEL only: default to CleanupModulesOnExit=yes
+
+Resolves: rhbz1980206
+---
+ config/firewalld.conf              | 4 ++--
+ doc/xml/firewalld.conf.xml         | 4 ++--
+ src/firewall/config/__init__.py.in | 2 +-
+ src/firewall/core/fw.py            | 2 ++
+ src/tests/dbus/firewalld.conf.at   | 4 ++--
+ 5 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index 3abbc9c998c1..c387f87c28be 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -15,8 +15,8 @@ CleanupOnExit=yes
+ # If set to yes or true the firewall related kernel modules will be
+ # unloaded on exit or stop of firewalld. This might attempt to unload
+ # modules not originally loaded by firewalld.
+-# Default: no
+-CleanupModulesOnExit=no
++# Default: yes
++CleanupModulesOnExit=yes
+ 
+ # Lockdown
+ # If set to enabled, firewall changes with the D-Bus interface will be limited
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index 3ae531bcd94a..c94073dbf84f 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -93,8 +93,8 @@
+         <listitem>
+           <para>
+             Setting this option to yes or true unloads all firewall-related
+-            kernel modules when firewalld is stopped. The default value is no
+-            or false.
++            kernel modules when firewalld is stopped. The default value is yes
++            or true.
+           </para>
+         </listitem>
+       </varlistentry>
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 5d6d769fbf15..285e2f034b6b 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -125,7 +125,7 @@ FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
+ FALLBACK_ZONE = "public"
+ FALLBACK_MINIMAL_MARK = 100
+ FALLBACK_CLEANUP_ON_EXIT = True
+-FALLBACK_CLEANUP_MODULES_ON_EXIT = False
++FALLBACK_CLEANUP_MODULES_ON_EXIT = True
+ FALLBACK_LOCKDOWN = False
+ FALLBACK_IPV6_RPFILTER = True
+ FALLBACK_INDIVIDUAL_CALLS = False
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 4171697bdb94..5cef18b5f889 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -238,6 +238,8 @@ class Firewall(object):
+                 value = self._firewalld_conf.get("CleanupModulesOnExit")
+                 if value is not None and value.lower() in [ "yes", "true" ]:
+                     self.cleanup_modules_on_exit = True
++                if value is not None and value.lower() in [ "no", "false" ]:
++                    self.cleanup_modules_on_exit = False
+                 log.debug1("CleanupModulesOnExit is set to '%s'",
+                            self.cleanup_modules_on_exit)
+ 
+diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
+index 9a04a3bd491c..68832bca33bc 100644
+--- a/src/tests/dbus/firewalld.conf.at
++++ b/src/tests/dbus/firewalld.conf.at
+@@ -17,7 +17,7 @@ dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
+ DBUS_GETALL([config], [config], 0, [dnl
+ string "AllowZoneDrifting" : variant string "no"
+ string "AutomaticHelpers" : variant string "no"
+-string "CleanupModulesOnExit" : variant string "no"
++string "CleanupModulesOnExit" : variant string "yes"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+ string "FirewallBackend" : variant string "nftables"
+@@ -46,7 +46,7 @@ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
+ _helper([IndividualCalls], [string:"yes"], [variant string "yes"])
+ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
+ _helper([FlushAllOnReload], [string:"no"], [variant string "no"])
+-_helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"])
++_helper([CleanupModulesOnExit], [string:"no"], [variant string "no"])
+ _helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
+ _helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
+ _helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
+-- 
+2.39.1
+

SOURCES/0007-test-functions-increase-debug-level.patch

@@ -1,27 +0,0 @@
-From 9f1e32fd5dea726904ba3fc9373269d15b70dd7d Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Fri, 5 Feb 2021 12:34:01 -0500
-Subject: [PATCH 07/22] test(functions): increase debug level
-
-(cherry picked from commit 39b7ad4a5568bb65cc46db4b70eb133e8625974f)
-(cherry picked from commit f78cc99a67a4b4ef3660703fd2e43db00634b6ca)
----
- src/tests/functions.at | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 562bc6105a8f..631beee6e2d8 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -11,7 +11,7 @@ m4_define([FWD_STOP_FIREWALLD], [
- m4_define([FWD_START_FIREWALLD], [
-     FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --system-config ./"
-     dnl if testsuite ran with debug flag, add debug output
--    ${at_debug_p} && FIREWALLD_ARGS="--debug=3 ${FIREWALLD_ARGS}"
-+    ${at_debug_p} && FIREWALLD_ARGS="--debug=10 ${FIREWALLD_ARGS}"
-     if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
-         FIREWALLD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
-     fi
--- 
-2.27.0
-

SOURCES/0008-test-functions-format-xml-output-with-xmllint.patch

@@ -1,27 +0,0 @@
-From a9e05358d0070d4326be0df882f4d480822f4f06 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Fri, 5 Feb 2021 14:50:03 -0500
-Subject: [PATCH 08/22] test(functions): format xml output with xmllint
-
-(cherry picked from commit 53684e4b3b458b91fe7a71e7c3f8aa3363e5d108)
-(cherry picked from commit c509b9a4c0749087e462bbb62a9808a43a74b3d9)
----
- src/tests/functions.at | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 631beee6e2d8..8632f49e442f 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -471,7 +471,7 @@ m4_define([DBUS_INTROSPECT], [
-     NS_CHECK([PIPESTATUS0([gdbus introspect --xml --system --dest=org.fedoraproject.FirewallD1 dnl
-                            m4_ifblank([$1], [--object-path /org/fedoraproject/FirewallD1],
-                                             [--object-path /org/fedoraproject/FirewallD1/$1])], dnl
--                          [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) xmllint --c14n - | TRIM_WHITESPACE])],
-+                          [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) xmllint --format - | xmllint --c14n - | TRIM_WHITESPACE])],
-              [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
- ])
- 
--- 
-2.27.0
-

SOURCES/0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch

@@ -0,0 +1,141 @@
+From ae057df0222e6e1dd1556436fad93b669da8f653 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 30 Nov 2021 14:54:20 -0500
+Subject: [PATCH 08/10] v1.1.0: fix(ipset): reduce cost of entry overlap
+ detection
+
+This increases peak memory usage to reduce the duration it takes to
+apply the set entries. Building the list of IPv4Network objects up front
+means we don't have to build them multiple times inside the for loop.
+
+Fixes: #881
+(cherry picked from commit 7f5b736378c0133f46470c42e0c1fb3b95087de5)
+---
+ src/firewall/client.py              | 10 ++++------
+ src/firewall/core/fw_ipset.py       |  9 +++------
+ src/firewall/core/ipset.py          | 27 ++++++++++++++++++++++-----
+ src/firewall/server/config_ipset.py | 10 ++++------
+ 4 files changed, 33 insertions(+), 23 deletions(-)
+
+diff --git a/src/firewall/client.py b/src/firewall/client.py
+index 3715ffd29316..fdc88ac7946b 100644
+--- a/src/firewall/client.py
++++ b/src/firewall/client.py
+@@ -34,7 +34,8 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAU
+ from firewall.dbus_utils import dbus_to_python
+ from firewall.functions import b2u
+ from firewall.core.rich import Rich_Rule
+-from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing
++from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing, \
++                                check_for_overlapping_entries
+ from firewall import errors
+ from firewall.errors import FirewallError
+ 
+@@ -1617,11 +1618,8 @@ class FirewallClientIPSetSettings(object):
+         if "timeout" in self.settings[4] and \
+            self.settings[4]["timeout"] != "0":
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT)
+-        _entries = set()
+-        for _entry in dbus_to_python(entries, list):
+-            check_entry_overlaps_existing(_entry, _entries)
+-            _entries.add(normalize_ipset_entry(_entry))
+-        self.settings[5] = list(_entries)
++        check_for_overlapping_entries(entries)
++        self.settings[5] = entries
+     @handle_exceptions
+     def addEntry(self, entry):
+         if "timeout" in self.settings[4] and \
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index 711c86a062be..d4bf99eaadcc 100644
+--- a/src/firewall/core/fw_ipset.py
++++ b/src/firewall/core/fw_ipset.py
+@@ -25,7 +25,8 @@ __all__ = [ "FirewallIPSet" ]
+ 
+ from firewall.core.logger import log
+ from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \
+-                                normalize_ipset_entry, check_entry_overlaps_existing
++                                normalize_ipset_entry, check_entry_overlaps_existing, \
++                                check_for_overlapping_entries
+ from firewall.core.io.ipset import IPSet
+ from firewall import errors
+ from firewall.errors import FirewallError
+@@ -242,11 +243,7 @@ class FirewallIPSet(object):
+     def set_entries(self, name, entries):
+         obj = self.get_ipset(name, applied=True)
+ 
+-        _entries = set()
+-        for _entry in entries:
+-            check_entry_overlaps_existing(_entry, _entries)
+-            _entries.add(normalize_ipset_entry(_entry))
+-        entries = list(_entries)
++        check_for_overlapping_entries(entries)
+ 
+         for entry in entries:
+             IPSet.check_entry(entry, obj.options, obj.type)
+diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
+index d6defa395241..66ea4335536d 100644
+--- a/src/firewall/core/ipset.py
++++ b/src/firewall/core/ipset.py
+@@ -309,9 +309,26 @@ def check_entry_overlaps_existing(entry, entries):
+     if len(entry.split(",")) > 1:
+         return
+ 
++    try:
++        entry_network = ipaddress.ip_network(entry, strict=False)
++    except ValueError:
++        # could not parse the new IP address, maybe a MAC
++        return
++
+     for itr in entries:
+-        try:
+-            if ipaddress.ip_network(itr, strict=False).overlaps(ipaddress.ip_network(entry, strict=False)):
+-                raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(itr, entry))
+-        except ValueError:
+-            pass
++        if entry_network.overlaps(ipaddress.ip_network(itr, strict=False)):
++            raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(entry, itr))
++
++def check_for_overlapping_entries(entries):
++    """ Check if any entry overlaps any entry in the list of entries """
++    try:
++        entries = [ipaddress.ip_network(x, strict=False) for x in entries]
++    except ValueError:
++        # at least one entry can not be parsed
++        return
++
++    while entries:
++        entry = entries.pop()
++        for itr in entries:
++            if entry.overlaps(itr):
++                raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr))
+diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py
+index f33c2a02926f..499ffcb9227a 100644
+--- a/src/firewall/server/config_ipset.py
++++ b/src/firewall/server/config_ipset.py
+@@ -34,7 +34,8 @@ from firewall.dbus_utils import dbus_to_python, \
+     dbus_introspection_add_properties
+ from firewall.core.io.ipset import IPSet
+ from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry, \
+-                                check_entry_overlaps_existing
++                                check_entry_overlaps_existing, \
++                                check_for_overlapping_entries
+ from firewall.core.logger import log
+ from firewall.server.decorators import handle_exceptions, \
+     dbus_handle_exceptions, dbus_service_method
+@@ -407,11 +408,8 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
+                          in_signature='as')
+     @dbus_handle_exceptions
+     def setEntries(self, entries, sender=None):
+-        _entries = set()
+-        for _entry in dbus_to_python(entries, list):
+-            check_entry_overlaps_existing(_entry, _entries)
+-            _entries.add(normalize_ipset_entry(_entry))
+-        entries = list(_entries)
++        entries = dbus_to_python(entries, list)
++        check_for_overlapping_entries(entries)
+         log.debug1("%s.setEntries('[%s]')", self._log_prefix,
+                    ",".join(entries))
+         self.parent.accessCheck(sender)
+-- 
+2.39.1
+

SOURCES/0009-docs-firewall-cmd-reload-does-not-affect-direct-rule.patch

@@ -1,43 +0,0 @@
-From 3f5c45753a172bd1c713b318cd530c667a7f41b1 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Wed, 23 Dec 2020 09:22:30 -0500
-Subject: [PATCH 09/22] docs(firewall-cmd): reload does not affect direct rules
- if FlushAllOnReload=no
-
-(cherry picked from commit b682ba874ef879797d681fb018ce3c7b9c57efdb)
-(cherry picked from commit ab4ce6fb13607dba4f8a0e771455ad34d3adb77a)
----
- doc/xml/firewall-cmd.xml.in | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
-index 3369c2d3f942..691117f3dbff 100644
---- a/doc/xml/firewall-cmd.xml.in
-+++ b/doc/xml/firewall-cmd.xml.in
-@@ -133,9 +133,9 @@
- 	      if they have not been also in permanent configuration.
- 	    </para>
- 	    <para>
--	      Note: Runtime changes applied via the direct interface are not
-+	      Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not
- 	      affected and will therefore stay in place until firewalld daemon
--	      is restarted completely.
-+	      is restarted completely. For FlushAllOnReload, see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- 	    </para>
- 	  </listitem>
- 	</varlistentry>
-@@ -147,9 +147,9 @@
- 	      Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules.
- 	    </para>
- 	    <para>
--	      Note: Runtime changes applied via the direct interface are not
-+	      Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not
- 	      affected and will therefore stay in place until firewalld daemon
--	      is restarted completely.
-+	      is restarted completely. For FlushAllOnReload, see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- 	    </para>
- 	  </listitem>
- 	</varlistentry>
--- 
-2.27.0
-

SOURCES/0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch

@@ -0,0 +1,56 @@
+From 885d308c1457e9ea0d839d852dd98a1c134b448c Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 30 Nov 2021 14:50:17 -0500
+Subject: [PATCH 09/10] v1.1.0: test(ipset): huge set of entries benchmark
+
+Coverage: #881
+(cherry picked from commit 114936c71ab1b12a5598d06805b7e9e13f7ee190)
+---
+ src/tests/regression/gh881.at      | 25 +++++++++++++++++++++++++
+ src/tests/regression/regression.at |  1 +
+ 2 files changed, 26 insertions(+)
+ create mode 100644 src/tests/regression/gh881.at
+
+diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at
+new file mode 100644
+index 000000000000..c7326805b555
+--- /dev/null
++++ b/src/tests/regression/gh881.at
+@@ -0,0 +1,25 @@
++FWD_START_TEST([ipset entry overlap detect perf])
++AT_KEYWORDS(ipset gh881)
++
++dnl build a large ipset
++dnl
++AT_DATA([./deny_cidr], [])
++NS_CHECK([sh -c '
++for I in $(seq 10); do
++  for J in $(seq 250); do
++    echo "10.${I}.${J}.0/24" >> ./deny_cidr
++  done
++done
++'])
++
++dnl verify non-overlapping does not error
++dnl
++FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore])
++NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
++
++dnl verify overlap detection actually detects an overlap
++dnl
++NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr])
++NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++FWD_END_TEST()
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 104f784cbe93..143298d3235f 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -50,3 +50,4 @@ m4_include([regression/gh874.at])
+ m4_include([regression/service_includes_for_builtin.at])
+ m4_include([regression/rhbz2181406.at])
+ m4_include([regression/ipset_scale.at])
++m4_include([regression/gh881.at])
+-- 
+2.39.1
+

SOURCES/0010-docs-dbus-fix-copy-paste-error-for-FlushAllOnReload.patch

@@ -1,27 +0,0 @@
-From 1e633c4f475e5cc43aca2d2f381abac85718ae22 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Wed, 23 Dec 2020 09:54:57 -0500
-Subject: [PATCH 10/22] docs(dbus): fix copy/paste error for FlushAllOnReload
-
-(cherry picked from commit 63b1f5cfa73071153f732947dcf9ea3064d64970)
-(cherry picked from commit e74da4714ca9a64d8891f8fc340a0cab0087d609)
----
- doc/xml/firewalld.dbus.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
-index d68c775ee5bf..57560e93da67 100644
---- a/doc/xml/firewalld.dbus.xml
-+++ b/doc/xml/firewalld.dbus.xml
-@@ -2825,7 +2825,7 @@
-             </listitem>
-           </varlistentry>
-           <varlistentry id="FirewallD1.config.Properties.FlushAllOnReload">
--            <term>FirewallBackend - s - (rw)</term>
-+            <term>FlushAllOnReload - s - (rw)</term>
-             <listitem>
-               <para>
-                 Flush all runtime rules on a reload. Valid options are; yes, no.
--- 
-2.27.0
-

SOURCES/0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch

@@ -0,0 +1,150 @@
+From d8d6d313acd50aa1c87c42fb7a7334b01c516227 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 25 Jan 2022 09:29:32 -0500
+Subject: [PATCH 10/10] v1.1.0: fix(ipset): further reduce cost of entry
+ overlap detection
+
+This makes the complexity linear by sorting the networks ahead of time.
+
+Fixes: #881
+Fixes: rhbz2043289
+(cherry picked from commit 36c170db265265e838a089858be4b20dbbd582eb)
+---
+ src/firewall/core/ipset.py    | 59 ++++++++++++++++++++++++++++++++---
+ src/tests/regression/gh881.at | 42 ++++++++++++++++++++++---
+ 2 files changed, 92 insertions(+), 9 deletions(-)
+
+diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
+index 66ea4335536d..b160d8345669 100644
+--- a/src/firewall/core/ipset.py
++++ b/src/firewall/core/ipset.py
+@@ -327,8 +327,57 @@ def check_for_overlapping_entries(entries):
+         # at least one entry can not be parsed
+         return
+ 
+-    while entries:
+-        entry = entries.pop()
+-        for itr in entries:
+-            if entry.overlaps(itr):
+-                raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr))
++    # We can take advantage of some facts of IPv4Network/IPv6Network and
++    # how Python sorts the networks to quickly detect overlaps.
++    #
++    # Facts:
++    #
++    #   1. IPv{4,6}Network are normalized to remove host bits, e.g.
++    #     10.1.1.0/16 will become 10.1.0.0/16.
++    #
++    #   2. IPv{4,6}Network objects are sorted by:
++    #     a. IP address (network bits)
++    #   then
++    #     b. netmask (significant bits count)
++    #
++    # Because of the above we have these properties:
++    #
++    #   1. big networks (netA) are sorted before smaller networks (netB)
++    #      that overlap the big network (netA)
++    #     - e.g. 10.1.128.0/17 (netA) sorts before 10.1.129.0/24 (netB)
++    #   2. same value addresses (network bits) are grouped together even
++    #      if the number of network bits vary. e.g. /16 vs /24
++    #     - recall that address are normalized to remove host bits
++    #     - e.g. 10.1.128.0/17 (netA) sorts before 10.1.128.0/24 (netC)
++    #   3. non-overlapping networks (netD, netE) are always sorted before or
++    #      after networks that overlap (netB, netC) the current one (netA)
++    #     - e.g. 10.1.128.0/17 (netA) sorts before 10.2.128.0/16 (netD)
++    #     - e.g. 10.1.128.0/17 (netA) sorts after 9.1.128.0/17 (netE)
++    #     - e.g. 9.1.128.0/17 (netE) sorts before 10.1.129.0/24 (netB)
++    #
++    # With this we know the sorted list looks like:
++    #
++    #   list: [ netE, netA, netB, netC, netD ]
++    #
++    #   netE = non-overlapping network
++    #   netA = big network
++    #   netB = smaller network that overlaps netA (subnet)
++    #   netC = smaller network that overlaps netA (subnet)
++    #   netD = non-overlapping network
++    #
++    #   If networks netB and netC exist in the list, they overlap and are
++    #   adjacent to netA.
++    #
++    # Checking for overlaps on a sorted list is thus:
++    #
++    #   1. compare adjacent elements in the list for overlaps
++    #
++    # Recall that we only need to detect a single overlap. We do not need to
++    # detect them all.
++    #
++    entries.sort()
++    prev_network = entries.pop(0)
++    for current_network in entries:
++        if prev_network.overlaps(current_network):
++            raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(prev_network, current_network))
++        prev_network = current_network
+diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at
+index c7326805b555..a5cf7e4eb912 100644
+--- a/src/tests/regression/gh881.at
++++ b/src/tests/regression/gh881.at
+@@ -5,21 +5,55 @@ dnl build a large ipset
+ dnl
+ AT_DATA([./deny_cidr], [])
+ NS_CHECK([sh -c '
+-for I in $(seq 10); do
++for I in $(seq 250); do
+   for J in $(seq 250); do
+     echo "10.${I}.${J}.0/24" >> ./deny_cidr
+   done
+ done
+ '])
++NS_CHECK([echo "10.254.0.0/16" >> ./deny_cidr])
+ 
+ dnl verify non-overlapping does not error
+ dnl
+ FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore])
+-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
++
++dnl still no overlap
++dnl
++AT_DATA([./deny_cidr], [
++9.0.0.0/8
++11.1.0.0/16
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
+ 
+ dnl verify overlap detection actually detects an overlap
+ dnl
+-NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr])
+-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++AT_DATA([./deny_cidr], [
++10.1.0.0/16
++10.2.0.0/16
++10.250.0.0/16
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++AT_DATA([./deny_cidr], [
++10.253.0.0/16
++10.253.128.0/17
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++AT_DATA([./deny_cidr], [
++10.1.1.1/32
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++AT_DATA([./deny_cidr], [
++10.0.0.0/8
++10.0.0.0/25
++])
++NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
++
++dnl empty file, no additions, but previous ones will remain
++AT_DATA([./deny_cidr], [])
++FWD_CHECK([--permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
+ 
+ FWD_END_TEST()
+-- 
+2.39.1
+

SOURCES/0011-docs-dbus-fix-copy-paste-error-for-RFC3964_IPv4.patch

@@ -1,27 +0,0 @@
-From c22d8092863d323eb795cf6f9a27bb70a0743fd0 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Wed, 23 Dec 2020 09:55:22 -0500
-Subject: [PATCH 11/22] docs(dbus): fix copy/paste error for RFC3964_IPv4
-
-(cherry picked from commit b530915ec8e8f035d363d9dedf226bb20259d0e4)
-(cherry picked from commit 35f4ca803cd8042b4541ca0e9f8b2449c3a7c1b4)
----
- doc/xml/firewalld.dbus.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
-index 57560e93da67..d17cb8b6c1ec 100644
---- a/doc/xml/firewalld.dbus.xml
-+++ b/doc/xml/firewalld.dbus.xml
-@@ -2867,7 +2867,7 @@
-             </listitem>
-           </varlistentry>
-           <varlistentry id="FirewallD1.config.Properties.RFC3964_IPv4">
--            <term>FirewallBackend - s - (rw)</term>
-+            <term>RFC3964_IPv4 - s - (rw)</term>
-             <listitem>
-               <para>
-                 As per RFC 3964, filter IPv6 traffic with 6to4 destination
--- 
-2.27.0
-

SOURCES/0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch

@@ -0,0 +1,32 @@
+From e9e1edef3af8bd1a6b7c27fdd2d580e2f1571440 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?= <rigault.francois@gmail.com>
+Date: Sun, 28 Aug 2022 10:25:33 +0200
+Subject: [PATCH 11/17] v1.1.0: fix(ipset): exception on overlap checking empty
+ set
+
+In the case of --remove-entries-from-file, check_for_overlapping_entries
+can be called with no entry in input, which fails with an exception.
+
+Fixes: rhbz2121985
+(cherry picked from commit 1ea554e6263ed21aa9ae6e5f0abb629d53b4a7bc)
+---
+ src/firewall/core/ipset.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
+index b160d8345669..d8e0a1ab1e56 100644
+--- a/src/firewall/core/ipset.py
++++ b/src/firewall/core/ipset.py
+@@ -327,6 +327,9 @@ def check_for_overlapping_entries(entries):
+         # at least one entry can not be parsed
+         return
+ 
++    if len(entries) == 0:
++        return
++
+     # We can take advantage of some facts of IPv4Network/IPv6Network and
+     # how Python sorts the networks to quickly detect overlaps.
+     #
+-- 
+2.39.3
+

SOURCES/0012-test-dbus-direct-add-coverage-for-signatures.patch

@@ -1,379 +0,0 @@
-From e0bc051a52bccdbd17ada7ab974b1c32d25ac7c1 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Mon, 8 Feb 2021 14:53:38 -0500
-Subject: [PATCH 12/22] test(dbus): direct: add coverage for signatures
-
-(cherry picked from commit 4673e0e55353c3f0243035f47d7c2832db9928e4)
-(cherry picked from commit 1b1b27ec0c19046ef041d465e44c81ad0f675fc9)
----
- src/tests/dbus/dbus.at   |   1 +
- src/tests/dbus/direct.at | 348 +++++++++++++++++++++++++++++++++++++++
- 2 files changed, 349 insertions(+)
- create mode 100644 src/tests/dbus/direct.at
-
-diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
-index 5f7b6cbdc108..a9707f825041 100644
---- a/src/tests/dbus/dbus.at
-+++ b/src/tests/dbus/dbus.at
-@@ -9,3 +9,4 @@ m4_include([dbus/policy_permanent_signatures.at])
- m4_include([dbus/policy_runtime_signatures.at])
- m4_include([dbus/policy_permanent_functional.at])
- m4_include([dbus/policy_runtime_functional.at])
-+m4_include([dbus/direct.at])
-diff --git a/src/tests/dbus/direct.at b/src/tests/dbus/direct.at
-new file mode 100644
-index 000000000000..fe92db6bb510
---- /dev/null
-+++ b/src/tests/dbus/direct.at
-@@ -0,0 +1,348 @@
-+FWD_START_TEST([dbus api - direct signatures])
-+AT_KEYWORDS(dbus direct)
-+
-+dnl ###############################
-+dnl ########## runtime ############
-+dnl ###############################
-+
-+DBUS_INTROSPECT([], [[//method[@name="addChain"]]], 0, [dnl
-+    <method name="addChain">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="addPassthrough"]]], 0, [dnl
-+    <method name="addPassthrough">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="addRule"]]], 0, [dnl
-+    <method name="addRule">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="in" name="priority" type="i"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="getAllChains"]]], 0, [dnl
-+    <method name="getAllChains">
-+        <arg direction="out" type="a(sss)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="getAllPassthroughs"]]], 0, [dnl
-+    <method name="getAllPassthroughs">
-+        <arg direction="out" type="a(sas)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="getAllRules"]]], 0, [dnl
-+    <method name="getAllRules">
-+        <arg direction="out" type="a(sssias)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="getChains"]]], 0, [dnl
-+    <method name="getChains">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="out" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="getPassthroughs"]]], 0, [dnl
-+    <method name="getPassthroughs">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="out" type="aas"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="getRules"]]], 0, [dnl
-+    <method name="getRules">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="out" type="a(ias)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="passthrough"]]], 0, [dnl
-+    <method name="passthrough">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+        <arg direction="out" type="s"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="queryChain"]]], 0, [dnl
-+    <method name="queryChain">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="out" type="b"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="queryPassthrough"]]], 0, [dnl
-+    <method name="queryPassthrough">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+        <arg direction="out" type="b"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="queryRule"]]], 0, [dnl
-+    <method name="queryRule">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="in" name="priority" type="i"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+        <arg direction="out" type="b"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="removeAllPassthroughs"]]], 0, [dnl
-+    <method name="removeAllPassthroughs">
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="removeChain"]]], 0, [dnl
-+    <method name="removeChain">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="removePassthrough"]]], 0, [dnl
-+    <method name="removePassthrough">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="removeRule"]]], 0, [dnl
-+    <method name="removeRule">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="in" name="priority" type="i"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//method[@name="removeRules"]]], 0, [dnl
-+    <method name="removeRules">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([], [[//signal[@name="ChainAdded"]]], 0, [dnl
-+    <signal name="ChainAdded">
-+        <arg name="ipv" type="s"></arg>
-+        <arg name="table" type="s"></arg>
-+        <arg name="chain" type="s"></arg>
-+    </signal>  
-+])
-+
-+DBUS_INTROSPECT([], [[//signal[@name="ChainRemoved"]]], 0, [dnl
-+    <signal name="ChainRemoved">
-+        <arg name="ipv" type="s"></arg>
-+        <arg name="table" type="s"></arg>
-+        <arg name="chain" type="s"></arg>
-+    </signal>
-+])
-+
-+DBUS_INTROSPECT([], [[//signal[@name="PassthroughAdded"]]], 0, [dnl
-+    <signal name="PassthroughAdded">
-+        <arg name="ipv" type="s"></arg>
-+        <arg name="args" type="as"></arg>
-+    </signal>
-+])
-+
-+DBUS_INTROSPECT([], [[//signal[@name="PassthroughRemoved"]]], 0, [dnl
-+    <signal name="PassthroughRemoved">
-+        <arg name="ipv" type="s"></arg>
-+        <arg name="args" type="as"></arg>
-+    </signal>
-+])
-+
-+DBUS_INTROSPECT([], [[//signal[@name="RuleAdded"]]], 0, [dnl
-+    <signal name="RuleAdded">
-+        <arg name="ipv" type="s"></arg>
-+        <arg name="table" type="s"></arg>
-+        <arg name="chain" type="s"></arg>
-+        <arg name="priority" type="i"></arg>
-+        <arg name="args" type="as"></arg>
-+    </signal>
-+])
-+
-+DBUS_INTROSPECT([], [[//signal[@name="RuleRemoved"]]], 0, [dnl
-+    <signal name="RuleRemoved">
-+        <arg name="ipv" type="s"></arg>
-+        <arg name="table" type="s"></arg>
-+        <arg name="chain" type="s"></arg>
-+        <arg name="priority" type="i"></arg>
-+        <arg name="args" type="as"></arg>
-+    </signal>
-+])
-+
-+dnl ###############################
-+dnl ######### permanent ###########
-+dnl ###############################
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getSettings"]]], 0, [dnl
-+    <method name="getSettings">
-+        <arg direction="out" type="(a(sss)a(sssias)a(sas))"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="update"]]], 0, [dnl
-+    <method name="update">
-+        <arg direction="in" name="settings" type="(a(sss)a(sssias)a(sas))"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addChain"]]], 0, [dnl
-+    <method name="addChain">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addPassthrough"]]], 0, [dnl
-+    <method name="addPassthrough">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addRule"]]], 0, [dnl
-+    <method name="addRule">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="in" name="priority" type="i"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllChains"]]], 0, [dnl
-+    <method name="getAllChains">
-+        <arg direction="out" type="a(sss)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllPassthroughs"]]], 0, [dnl
-+    <method name="getAllPassthroughs">
-+        <arg direction="out" type="a(sas)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllRules"]]], 0, [dnl
-+    <method name="getAllRules">
-+        <arg direction="out" type="a(sssias)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getChains"]]], 0, [dnl
-+    <method name="getChains">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="out" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getPassthroughs"]]], 0, [dnl
-+    <method name="getPassthroughs">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="out" type="aas"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getRules"]]], 0, [dnl
-+    <method name="getRules">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="out" type="a(ias)"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryChain"]]], 0, [dnl
-+    <method name="queryChain">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="out" type="b"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryPassthrough"]]], 0, [dnl
-+    <method name="queryPassthrough">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+        <arg direction="out" type="b"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryRule"]]], 0, [dnl
-+    <method name="queryRule">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="in" name="priority" type="i"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+        <arg direction="out" type="b"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeChain"]]], 0, [dnl
-+    <method name="removeChain">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removePassthrough"]]], 0, [dnl
-+    <method name="removePassthrough">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeRule"]]], 0, [dnl
-+    <method name="removeRule">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+        <arg direction="in" name="priority" type="i"></arg>
-+        <arg direction="in" name="args" type="as"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeRules"]]], 0, [dnl
-+    <method name="removeRules">
-+        <arg direction="in" name="ipv" type="s"></arg>
-+        <arg direction="in" name="table" type="s"></arg>
-+        <arg direction="in" name="chain" type="s"></arg>
-+    </method>
-+])
-+
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//signal[@name="Updated"]]], 0, [dnl
-+    <signal name="Updated">
-+    </signal>
-+])
-+
-+FWD_END_TEST
--- 
-2.27.0
-

SOURCES/0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch

@@ -0,0 +1,48 @@
+From a7b4212df4e1aa05d8dcb8fd4cf5e353a84d3481 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 29 Aug 2022 08:37:50 -0400
+Subject: [PATCH 12/17] v1.1.0: test(ipset): verify --remove-entries-from-file
+
+Specifically if it results in an empty set.
+
+Coverage: rhbz2121985
+(cherry picked from commit edea40189e10d3f7777e69746592fb5e2e0e36ea)
+---
+ src/tests/regression/gh1011.at     | 15 +++++++++++++++
+ src/tests/regression/regression.at |  1 +
+ 2 files changed, 16 insertions(+)
+ create mode 100644 src/tests/regression/gh1011.at
+
+diff --git a/src/tests/regression/gh1011.at b/src/tests/regression/gh1011.at
+new file mode 100644
+index 000000000000..037ab70648eb
+--- /dev/null
++++ b/src/tests/regression/gh1011.at
+@@ -0,0 +1,15 @@
++FWD_START_TEST([remove entries results in empty])
++AT_KEYWORDS(ipset gh1011 rhbz2121985)
++
++FWD_CHECK([--permanent --new-ipset foobar --type hash:net], 0, [ignore])
++AT_DATA([./empty], [dnl
++10.10.10.0/24
++])
++FWD_CHECK([--permanent --ipset foobar --add-entry 10.10.10.0/24], 0, [ignore])
++FWD_CHECK([--permanent --ipset foobar --remove-entries-from-file ./empty], 0, [ignore])
++
++FWD_RELOAD()
++FWD_CHECK([--ipset foobar --add-entry 10.10.10.0/24], 0, [ignore])
++FWD_CHECK([--ipset foobar --remove-entries-from-file ./empty], 0, [ignore])
++
++FWD_END_TEST()
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 143298d3235f..889c66dd175d 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -51,3 +51,4 @@ m4_include([regression/service_includes_for_builtin.at])
+ m4_include([regression/rhbz2181406.at])
+ m4_include([regression/ipset_scale.at])
+ m4_include([regression/gh881.at])
++m4_include([regression/gh1011.at])
+-- 
+2.39.3
+

SOURCES/0013-test-dbus-policy-scope-introspection-checks-to-inter.patch

@@ -1,119 +0,0 @@
-From 25e0354c7a582df802a54d1dd5bd22462e50f5b3 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Tue, 9 Feb 2021 12:19:53 -0500
-Subject: [PATCH 13/22] test(dbus): policy: scope introspection checks to
- interface
-
-(cherry picked from commit 76c7ef5140de4e578e7409113c26e6c223b8ed60)
-(cherry picked from commit 2236a03c212ac9abb173a5d5a5ba68a4f75e7989)
----
- src/tests/dbus/policy_permanent_signatures.at | 18 +++++++++---------
- src/tests/dbus/policy_runtime_signatures.at   |  8 ++++----
- 2 files changed, 13 insertions(+), 13 deletions(-)
-
-diff --git a/src/tests/dbus/policy_permanent_signatures.at b/src/tests/dbus/policy_permanent_signatures.at
-index d9dc38179840..7363b7715947 100644
---- a/src/tests/dbus/policy_permanent_signatures.at
-+++ b/src/tests/dbus/policy_permanent_signatures.at
-@@ -5,23 +5,23 @@ dnl ####################
- dnl Global APIs
- dnl ####################
- 
--DBUS_INTROSPECT([config], [[//method[@name="listPolicies"]]], 0, [dnl
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="listPolicies"]]], 0, [dnl
-     <method name="listPolicies">
-         <arg direction="out" type="ao"></arg>
-     </method>
- ])
--DBUS_INTROSPECT([config], [[//method[@name="getPolicyNames"]]], 0, [dnl
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getPolicyNames"]]], 0, [dnl
-     <method name="getPolicyNames">
-         <arg direction="out" type="as"></arg>
-     </method>
- ])
--DBUS_INTROSPECT([config], [[//method[@name="getPolicyByName"]]], 0, [dnl
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getPolicyByName"]]], 0, [dnl
-     <method name="getPolicyByName">
-         <arg direction="in" name="policy" type="s"></arg>
-         <arg direction="out" type="o"></arg>
-     </method>
- ])
--DBUS_INTROSPECT([config], [[//method[@name="addPolicy"]]], 0, [dnl
-+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="addPolicy"]]], 0, [dnl
-     <method name="addPolicy">
-         <arg direction="in" name="policy" type="s"></arg>
-         <arg direction="in" name="settings" type="a{sv}"></arg>
-@@ -37,30 +37,30 @@ DBUS_CHECK([config], [config.getPolicyByName], ["allow-host-ipv6"], 0, [stdout])
- DBUS_POLICY_OBJ=[$(sed -e "s/.*config\/policy\/\([^']\+\)['].*/\1/" ./stdout)]
- export DBUS_POLICY_OBJ
- 
--DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="getSettings"]]], 0, [dnl
-     <method name="getSettings">
-         <arg direction="out" type="a{sv}"></arg>
-     </method>
- ])
- 
--DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="update"]]], 0, [dnl
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="update"]]], 0, [dnl
-     <method name="update">
-         <arg direction="in" name="settings" type="a{sv}"></arg>
-     </method>
- ])
- 
--DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="remove"]]], 0, [dnl
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="remove"]]], 0, [dnl
-     <method name="remove">
-     </method>
- ])
- 
--DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="rename"]]], 0, [dnl
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="rename"]]], 0, [dnl
-     <method name="rename">
-         <arg direction="in" name="name" type="s"></arg>
-     </method>
- ])
- 
--DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="loadDefaults"]]], 0, [dnl
-     <method name="loadDefaults">
-     </method>
- ])
-diff --git a/src/tests/dbus/policy_runtime_signatures.at b/src/tests/dbus/policy_runtime_signatures.at
-index 2f0c5e75496b..c651ae981adf 100644
---- a/src/tests/dbus/policy_runtime_signatures.at
-+++ b/src/tests/dbus/policy_runtime_signatures.at
-@@ -3,13 +3,13 @@ AT_KEYWORDS(dbus policy)
- 
- dnl Settings
- dnl
--DBUS_INTROSPECT([], [[//method[@name="getPolicySettings"]]], 0, [dnl
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicySettings"]]], 0, [dnl
-     <method name="getPolicySettings">
-         <arg direction="in" name="policy" type="s"></arg>
-         <arg direction="out" type="a{sv}"></arg>
-     </method>
- ])
--DBUS_INTROSPECT([], [[//method[@name="setPolicySettings"]]], 0, [dnl
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="setPolicySettings"]]], 0, [dnl
-     <method name="setPolicySettings">
-         <arg direction="in" name="policy" type="s"></arg>
-         <arg direction="in" name="settings" type="a{sv}"></arg>
-@@ -17,12 +17,12 @@ DBUS_INTROSPECT([], [[//method[@name="setPolicySettings"]]], 0, [dnl
- ])
- 
- dnl Fetching Policies
--DBUS_INTROSPECT([], [[//method[@name="getPolicies"]]], 0, [dnl
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicies"]]], 0, [dnl
-     <method name="getPolicies">
-         <arg direction="out" type="as"></arg>
-     </method>
- ])
--DBUS_INTROSPECT([], [[//method[@name="getActivePolicies"]]], 0, [dnl
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getActivePolicies"]]], 0, [dnl
-     <method name="getActivePolicies">
-         <arg direction="out" type="a{sa{sas}}"></arg>
-     </method>
--- 
-2.27.0
-

SOURCES/0013-v1.2.0-fix-ipset-fix-configuring-IP-range-for-ipsets.patch

@@ -0,0 +1,138 @@
+From 90412a5fae831dcb1a8c9d9f4a798efabcc46567 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Tue, 11 Jul 2023 15:26:56 +0200
+Subject: [PATCH 13/17] v1.2.0: fix(ipset): fix configuring IP range for ipsets
+ with nftables
+
+Setting an IP range with nftables did not work:
+
+    firewall-cmd --permanent --delete-ipset=testipset || :
+    firewall-cmd --permanent --delete-zone=testzone || :
+
+    ENTRY=1.1.1.1-1.1.1.10
+
+    firewall-cmd --permanent --new-ipset=testipset --type=hash:ip
+    firewall-cmd --permanent --ipset=testipset --add-entry="$ENTRY"
+    firewall-cmd --permanent --info-ipset=testipset
+    firewall-cmd --permanent --new-zone=testzone
+    firewall-cmd --permanent --zone=testzone --add-rich-rule='rule family="ipv4" source ipset="testipset" service name="ssh" accept'
+
+    firewall-cmd --reload &
+
+This would generate the following JSON request:
+
+    {
+      "add": {
+        "element": {
+          "family": "inet",
+          "table": "firewalld",
+          "name": "testipset",
+          "elem": [
+            "1.1.1.1-1.1.1.10"
+          ]
+        }
+      }
+    }
+
+libnftables will try to resolve "1.1.1.1-1.1.1.10" via getaddrinfo().  Calling
+getaddrinfo() to resolve names is bound to fail, and it blocks the process for
+a very long time. libnftables should not block the calling process ([1]).
+
+We need to generate the correct JSON request, which is
+
+    {
+      "add": {
+        "element": {
+          "family": "inet",
+          "table": "firewalld",
+          "name": "testipset",
+          "elem": [
+            {
+              "range": [
+                "1.1.1.1",
+                "1.1.1.10"
+              ]
+            }
+          ]
+        }
+      }
+    }
+
+This is an ugly fix, because the parsing of ipset entries is duplicated
+and inconsistent.  A better solution for that shall follow.
+
+[1] https://marc.info/?l=netfilter-devel&m=168901121103612
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2028748
+
+Fixes: 1582c5dd736a ('feat: nftables: convert to libnftables JSON interface')
+(cherry picked from commit 4db89e316f2d60f3cf856a7025a96a61e40b1e5a)
+---
+ src/firewall/core/nftables.py | 27 +++++++++++++++------------
+ src/tests/cli/firewall-cmd.at |  4 ++--
+ 2 files changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 19a649aaaa71..2764bcf93645 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1850,19 +1850,22 @@ class nftables(object):
+                     fragment.append({"range": [port_str[:index], port_str[index+1:]]})
+ 
+             elif type_format[i] in ["ip", "net"]:
+-                try:
+-                    index = entry_tokens[i].index("/")
+-                except ValueError:
+-                    addr = entry_tokens[i]
+-                    if "family" in obj.options and obj.options["family"] == "inet6":
+-                        addr = normalizeIP6(addr)
+-                    fragment.append(addr)
++                if '-' in entry_tokens[i]:
++                    fragment.append({"range": entry_tokens[i].split('-') })
+                 else:
+-                    addr = entry_tokens[i][:index]
+-                    if "family" in obj.options and obj.options["family"] == "inet6":
+-                        addr = normalizeIP6(addr)
+-                    fragment.append({"prefix": {"addr": addr,
+-                                                "len": int(entry_tokens[i][index+1:])}})
++                    try:
++                        index = entry_tokens[i].index("/")
++                    except ValueError:
++                        addr = entry_tokens[i]
++                        if "family" in obj.options and obj.options["family"] == "inet6":
++                            addr = normalizeIP6(addr)
++                        fragment.append(addr)
++                    else:
++                        addr = entry_tokens[i][:index]
++                        if "family" in obj.options and obj.options["family"] == "inet6":
++                            addr = normalizeIP6(addr)
++                        fragment.append({"prefix": {"addr": addr,
++                                                    "len": int(entry_tokens[i][index+1:])}})
+             else:
+                 fragment.append(entry_tokens[i])
+         return [{"concat": fragment}] if len(type_format) > 1 else fragment
+diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
+index 47bdd81f5194..c4ab3108d37c 100644
+--- a/src/tests/cli/firewall-cmd.at
++++ b/src/tests/cli/firewall-cmd.at
+@@ -908,7 +908,7 @@ FWD_START_TEST([ipset])
+ 
+     dnl multi dimensional sets
+     FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
+-    FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,1234], 0, ignore)
++    FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10-10.10.10.12,1234], 0, ignore)
+     FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,2000-2100], 0, ignore)
+     FWD_RELOAD
+     NFT_LIST_SET([foobar], 0, [dnl
+@@ -916,7 +916,7 @@ FWD_START_TEST([ipset])
+             set foobar {
+                 type ipv4_addr . inet_proto . inet_service
+                 flags interval
+-                elements = { 10.10.10.10 . tcp . 1234,
++                elements = { 10.10.10.10-10.10.10.12 . tcp . 1234,
+                              10.10.10.10 . tcp . 2000-2100 }
+             }
+         }
+-- 
+2.39.3
+

SOURCES/0014-v1.2.0-chore-nftables-add-delete-table-helper.patch

@@ -0,0 +1,45 @@
+From 08f76e2aa6d7ca35cfb626f20ace1f9036cda3a0 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 14 Aug 2023 09:13:29 -0400
+Subject: [PATCH 14/17] v1.2.0: chore(nftables): add delete table helper
+
+This is to workaround an nftables issue where using the "delete" verb on
+a table that does not exist will throw ENOENT. We can't use the newer
+"destroy" verb because it's too new to rely upon.
+
+A simple hack is to always add the table before deleting it. The "add"
+is ignored if the table already exists.
+
+(cherry picked from commit 8be561d26931832f000526cc41293700faa6c877)
+---
+ src/firewall/core/nftables.py | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 2764bcf93645..1959bdce73be 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -396,6 +396,20 @@ class nftables(object):
+         # Tables always exist in nftables
+         return [table] if table else IPTABLES_TO_NFT_HOOK.keys()
+ 
++    def _build_delete_table_rules(self, table):
++        # To avoid nftables returning ENOENT we always add the table before
++        # deleting to guarantee it will exist.
++        #
++        # In the future, this add+delete should be replaced with "destroy", but
++        # that verb is too new to rely upon.
++        rules = []
++        for family in ["inet", "ip", "ip6"]:
++            rules.append({"add": {"table": {"family": family,
++                                            "name": table}}})
++            rules.append({"delete": {"table": {"family": family,
++                                               "name": table}}})
++        return rules
++
+     def build_flush_rules(self):
+         # Policy is stashed in a separate table that we're _not_ going to
+         # flush. As such, we retain the policy rule handles and ref counts.
+-- 
+2.39.3
+

SOURCES/0015-test-dbus-policy-introspect-signals.patch

@@ -1,69 +0,0 @@
-From a97286a71ea39200fdbd6ad876a3b597f9ece6a7 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Tue, 9 Feb 2021 12:20:27 -0500
-Subject: [PATCH 15/22] test(dbus): policy: introspect signals
-
-(cherry picked from commit 4ef37228e9bb1f564597b4cd654c2092cef0cca8)
-(cherry picked from commit 9aac1417b2d10a4793756b4bdfa10047a2240ecd)
----
- src/tests/dbus/policy_permanent_signatures.at | 15 +++++++++++++++
- src/tests/dbus/policy_runtime_signatures.at   |  6 ++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/src/tests/dbus/policy_permanent_signatures.at b/src/tests/dbus/policy_permanent_signatures.at
-index 7363b7715947..9ad36fa131e7 100644
---- a/src/tests/dbus/policy_permanent_signatures.at
-+++ b/src/tests/dbus/policy_permanent_signatures.at
-@@ -48,17 +48,32 @@ DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fed
-         <arg direction="in" name="settings" type="a{sv}"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Updated"]]], 0, [dnl
-+    <signal name="Updated">
-+        <arg name="name" type="s"></arg>
-+    </signal>
-+])
- 
- DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="remove"]]], 0, [dnl
-     <method name="remove">
-     </method>
- ])
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Removed"]]], 0, [dnl
-+    <signal name="Removed">
-+        <arg name="name" type="s"></arg>
-+    </signal>
-+])
- 
- DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="rename"]]], 0, [dnl
-     <method name="rename">
-         <arg direction="in" name="name" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Renamed"]]], 0, [dnl
-+    <signal name="Renamed">
-+        <arg name="name" type="s"></arg>
-+    </signal>
-+])
- 
- DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="loadDefaults"]]], 0, [dnl
-     <method name="loadDefaults">
-diff --git a/src/tests/dbus/policy_runtime_signatures.at b/src/tests/dbus/policy_runtime_signatures.at
-index c651ae981adf..e299329e4f4f 100644
---- a/src/tests/dbus/policy_runtime_signatures.at
-+++ b/src/tests/dbus/policy_runtime_signatures.at
-@@ -15,6 +15,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//
-         <arg direction="in" name="settings" type="a{sv}"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//signal[@name="PolicyUpdated"]]], 0, [dnl
-+    <signal name="PolicyUpdated">
-+        <arg name="policy" type="s"></arg>
-+        <arg name="settings" type="a{sv}"></arg>
-+    </signal>
-+])
- 
- dnl Fetching Policies
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicies"]]], 0, [dnl
--- 
-2.27.0
-

SOURCES/0015-v1.2.0-fix-nftables-always-flush-main-table-on-start.patch

@@ -0,0 +1,38 @@
+From 0704ea3fef79cc1532f913ac1598e297016e1905 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 10 Aug 2023 08:43:03 -0400
+Subject: [PATCH 15/17] v1.2.0: fix(nftables): always flush main table on start
+
+On start created_tables will not contain the main "firewalld" table so a
+flush command is not issued. We should always attempt to flush. If
+CleanupOnExit=no, then not flushing causes duplicate rules on restart.
+
+Fixes: rhbz2222044
+(cherry picked from commit 6a155ea7195f2c720625e2452afa41544b4b4227)
+---
+ src/firewall/core/nftables.py | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 1959bdce73be..e3e06d75f663 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -427,13 +427,11 @@ class nftables(object):
+         self.policy_priority_counts = {}
+         self.zone_source_index_cache = {}
+ 
+-        rules = []
+         for family in ["inet", "ip", "ip6"]:
+             if TABLE_NAME in self.created_tables[family]:
+-                rules.append({"delete": {"table": {"family": family,
+-                                                   "name": TABLE_NAME}}})
+                 self.created_tables[family].remove(TABLE_NAME)
+-        return rules
++
++        return self._build_delete_table_rules(TABLE_NAME)
+ 
+     def _build_set_policy_rules_ct_rules(self, enable):
+         add_del = { True: "add", False: "delete" }[enable]
+-- 
+2.39.3
+

SOURCES/0016-test-dbus-zone-introspect-signals.patch

@@ -1,369 +0,0 @@
-From c15f2c1b94faf21eb39e4d1c525d205cb1b71dbc Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Tue, 9 Feb 2021 14:31:53 -0500
-Subject: [PATCH 16/22] test(dbus): zone: introspect signals
-
-(cherry picked from commit 04548b4c3be23288ccaeee74f7b1fda5e9d5e047)
-(cherry picked from commit 2f9a05fbaf5882ca91cf4e4141aec27b6f58855c)
----
- src/tests/dbus/zone_permanent_signatures.at |  15 ++
- src/tests/dbus/zone_runtime_signatures.at   | 152 ++++++++++++++++++++
- 2 files changed, 167 insertions(+)
-
-diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at
-index 31b27925495a..2db55c5b3936 100644
---- a/src/tests/dbus/zone_permanent_signatures.at
-+++ b/src/tests/dbus/zone_permanent_signatures.at
-@@ -64,6 +64,11 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.
-         <arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Updated"]]], 0, [dnl
-+    <signal name="Updated">
-+        <arg name="name" type="s"></arg>
-+    </signal>
-+])
- 
- DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="loadDefaults"]]], 0, [dnl
-     <method name="loadDefaults">
-@@ -74,12 +79,22 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.
-     <method name="remove">
-     </method>
- ])
-+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Removed"]]], 0, [dnl
-+    <signal name="Removed">
-+        <arg name="name" type="s"></arg>
-+    </signal>
-+])
- 
- DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="rename"]]], 0, [dnl
-     <method name="rename">
-         <arg direction="in" name="name" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Renamed"]]], 0, [dnl
-+    <signal name="Renamed">
-+        <arg name="name" type="s"></arg>
-+    </signal>
-+])
- 
- dnl Version
- dnl
-diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at
-index 29571a48ec5f..68aec78153ae 100644
---- a/src/tests/dbus/zone_runtime_signatures.at
-+++ b/src/tests/dbus/zone_runtime_signatures.at
-@@ -69,6 +69,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="InterfaceAdded"]]], 0, [dnl
-+    <signal name="InterfaceAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="interface" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZone"]]], 0, [dnl
-     <method name="changeZone">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -76,6 +82,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ZoneChanged"]]], 0, [dnl
-+    <signal name="ZoneChanged">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="interface" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfInterface"]]], 0, [dnl
-     <method name="changeZoneOfInterface">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -90,6 +102,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="InterfaceRemoved"]]], 0, [dnl
-+    <signal name="InterfaceRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="interface" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryInterface"]]], 0, [dnl
-     <method name="queryInterface">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -112,6 +130,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourceAdded"]]], 0, [dnl
-+    <signal name="SourceAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="source" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfSource"]]], 0, [dnl
-     <method name="changeZoneOfSource">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -126,6 +150,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourceRemoved"]]], 0, [dnl
-+    <signal name="SourceRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="source" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySource"]]], 0, [dnl
-     <method name="querySource">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -149,6 +179,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ServiceAdded"]]], 0, [dnl
-+    <signal name="ServiceAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="service" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeService"]]], 0, [dnl
-     <method name="removeService">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -156,6 +193,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ServiceRemoved"]]], 0, [dnl
-+    <signal name="ServiceRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="service" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryService"]]], 0, [dnl
-     <method name="queryService">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -179,6 +222,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ProtocolAdded"]]], 0, [dnl
-+    <signal name="ProtocolAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeProtocol"]]], 0, [dnl
-     <method name="removeProtocol">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -186,6 +236,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ProtocolRemoved"]]], 0, [dnl
-+    <signal name="ProtocolRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryProtocol"]]], 0, [dnl
-     <method name="queryProtocol">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -210,6 +266,14 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="PortAdded"]]], 0, [dnl
-+    <signal name="PortAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="port" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removePort"]]], 0, [dnl
-     <method name="removePort">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -218,6 +282,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="PortRemoved"]]], 0, [dnl
-+    <signal name="PortRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="port" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryPort"]]], 0, [dnl
-     <method name="queryPort">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -245,6 +316,14 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourcePortAdded"]]], 0, [dnl
-+    <signal name="SourcePortAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="port" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeSourcePort"]]], 0, [dnl
-     <method name="removeSourcePort">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -253,6 +332,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourcePortRemoved"]]], 0, [dnl
-+    <signal name="SourcePortRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="port" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySourcePort"]]], 0, [dnl
-     <method name="querySourcePort">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -282,6 +368,16 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ForwardPortAdded"]]], 0, [dnl
-+    <signal name="ForwardPortAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="port" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+        <arg name="toport" type="s"></arg>
-+        <arg name="toaddr" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeForwardPort"]]], 0, [dnl
-     <method name="removeForwardPort">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -292,6 +388,15 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ForwardPortRemoved"]]], 0, [dnl
-+    <signal name="ForwardPortRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="port" type="s"></arg>
-+        <arg name="protocol" type="s"></arg>
-+        <arg name="toport" type="s"></arg>
-+        <arg name="toaddr" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryForwardPort"]]], 0, [dnl
-     <method name="queryForwardPort">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -319,12 +424,23 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="MasqueradeAdded"]]], 0, [dnl
-+    <signal name="MasqueradeAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeMasquerade"]]], 0, [dnl
-     <method name="removeMasquerade">
-         <arg direction="in" name="zone" type="s"></arg>
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="MasqueradeRemoved"]]], 0, [dnl
-+    <signal name="MasqueradeRemoved">
-+        <arg name="zone" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryMasquerade"]]], 0, [dnl
-     <method name="queryMasquerade">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -341,6 +457,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockAdded"]]], 0, [dnl
-+    <signal name="IcmpBlockAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="icmp" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlock"]]], 0, [dnl
-     <method name="removeIcmpBlock">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -348,6 +471,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockRemoved"]]], 0, [dnl
-+    <signal name="IcmpBlockRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="icmp" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlock"]]], 0, [dnl
-     <method name="queryIcmpBlock">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -369,12 +498,22 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockInversionAdded"]]], 0, [dnl
-+    <signal name="IcmpBlockInversionAdded">
-+        <arg name="zone" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
-     <method name="removeIcmpBlockInversion">
-         <arg direction="in" name="zone" type="s"></arg>
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockInversionRemoved"]]], 0, [dnl
-+    <signal name="IcmpBlockInversionRemoved">
-+        <arg name="zone" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
-     <method name="queryIcmpBlockInversion">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -391,6 +530,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="RichRuleAdded"]]], 0, [dnl
-+    <signal name="RichRuleAdded">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="rule" type="s"></arg>
-+        <arg name="timeout" type="i"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeRichRule"]]], 0, [dnl
-     <method name="removeRichRule">
-         <arg direction="in" name="zone" type="s"></arg>
-@@ -398,6 +544,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
-         <arg direction="out" type="s"></arg>
-     </method>
- ])
-+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="RichRuleRemoved"]]], 0, [dnl
-+    <signal name="RichRuleRemoved">
-+        <arg name="zone" type="s"></arg>
-+        <arg name="rule" type="s"></arg>
-+    </signal>
-+])
- DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryRichRule"]]], 0, [dnl
-     <method name="queryRichRule">
-         <arg direction="in" name="zone" type="s"></arg>
--- 
-2.27.0
-

SOURCES/0016-v1.2.0-test-CleanUpOnExit-verify-restart-does-not-du.patch

@@ -0,0 +1,82 @@
+From 8c79246dbc5b8945c22b313ad51be698f2b61316 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Wed, 9 Aug 2023 14:39:08 -0400
+Subject: [PATCH 16/17] v1.2.0: test(CleanUpOnExit): verify restart does not
+ duplicate rules
+
+Coverage: rhbz2222044
+(cherry picked from commit c66e752a00c05a5afa58904850d244f50528059e)
+---
+ src/tests/regression/regression.at  |  1 +
+ src/tests/regression/rhbz2222044.at | 50 +++++++++++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+ create mode 100644 src/tests/regression/rhbz2222044.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 889c66dd175d..bc9aeb1a8624 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -52,3 +52,4 @@ m4_include([regression/rhbz2181406.at])
+ m4_include([regression/ipset_scale.at])
+ m4_include([regression/gh881.at])
+ m4_include([regression/gh1011.at])
++m4_include([regression/rhbz2222044.at])
+diff --git a/src/tests/regression/rhbz2222044.at b/src/tests/regression/rhbz2222044.at
+new file mode 100644
+index 000000000000..9f3b1615b2f9
+--- /dev/null
++++ b/src/tests/regression/rhbz2222044.at
+@@ -0,0 +1,50 @@
++FWD_START_TEST([duplicate rules after restart])
++AT_KEYWORDS(rhbz2222044)
++AT_SKIP_IF([! NS_CMD([command -v wc >/dev/null 2>&1])])
++
++dnl rules have not changed so rule count should not change
++m4_define([check_rule_count], [
++m4_if(nftables, FIREWALL_BACKEND, [
++NS_CHECK([nft list table inet firewalld | wc -l], 0, [dnl
++237
++])
++NS_CHECK([nft list table ip firewalld | wc -l], 0, [dnl
++105
++])
++NS_CHECK([nft list table ip6 firewalld | wc -l], 0, [dnl
++105
++])
++], [ dnl iptables
++NS_CHECK([iptables-save | wc -l], 0, [dnl
++256
++])
++])])
++
++dnl --------------------------
++dnl --------------------------
++
++AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=yes/' ./firewalld.conf])
++FWD_RELOAD()
++
++check_rule_count()
++FWD_RESTART()
++check_rule_count()
++
++check_rule_count()
++FWD_RELOAD()
++check_rule_count()
++
++dnl Now do it again, but with CleanupOnExit=no
++AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
++FWD_RELOAD()
++
++check_rule_count()
++FWD_RESTART()
++check_rule_count()
++
++check_rule_count()
++FWD_RELOAD()
++check_rule_count()
++
++m4_undefine([check_rule_count])
++FWD_END_TEST()
+-- 
+2.39.3
+

SOURCES/0017-fix-dbus-properties-IPv4-and-IPv6-should-be-true-if-.patch

@@ -1,35 +0,0 @@
-From 633f2335b9305514b36b50455063070c4888be61 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Wed, 10 Feb 2021 16:35:12 -0500
-Subject: [PATCH 17/22] fix(dbus): properties: IPv4 and IPv6 should be true if
- using nftables
-
-(cherry picked from commit 85feb6cf091d4e03c1175770a7cacb9d994f1126)
-(cherry picked from commit 94cc358fe90f4926e588f568edec9fd4efe49370)
----
- src/firewall/server/firewalld.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
-index 895e9635d1aa..f74e6e6ae6ff 100644
---- a/src/firewall/server/firewalld.py
-+++ b/src/firewall/server/firewalld.py
-@@ -158,13 +158,13 @@ class FirewallD(slip.dbus.service.Object):
-             return dbus.String(self.fw.get_state())
- 
-         elif prop == "IPv4":
--            return dbus.Boolean(self.fw.ip4tables_enabled)
-+            return dbus.Boolean(self.fw.is_ipv_enabled("ipv4"))
- 
-         elif prop == "IPv4ICMPTypes":
-             return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
- 
-         elif prop == "IPv6":
--            return dbus.Boolean(self.fw.ip6tables_enabled)
-+            return dbus.Boolean(self.fw.is_ipv_enabled("ipv6"))
- 
-         elif prop == "IPv6_rpfilter":
-             return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
--- 
-2.27.0
-

SOURCES/0017-v1.2.0-chore-nftables-policy-use-delete-table-helper.patch

@@ -0,0 +1,32 @@
+From 2ca79f8ebbadcf39f9b378b7fd296fcef13a4c54 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 14 Aug 2023 09:21:17 -0400
+Subject: [PATCH 17/17] v1.2.0: chore(nftables): policy: use delete table
+ helper
+
+Use the new table delete helper when deleting the policy table.
+
+(cherry picked from commit a291a5d2f03711c2c6b0079128626204229ad79e)
+---
+ src/firewall/core/nftables.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index e3e06d75f663..2a13b2678a94 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -489,9 +489,9 @@ class nftables(object):
+                 if policy_key in self.rule_to_handle:
+                     rules.append(rule)
+ 
++            rules += self._build_delete_table_rules(TABLE_NAME_POLICY)
++
+             if TABLE_NAME_POLICY in self.created_tables["inet"]:
+-                rules.append({"delete": {"table": {"family": "inet",
+-                                                   "name": TABLE_NAME_POLICY}}})
+                 self.created_tables["inet"].remove(TABLE_NAME_POLICY)
+         else:
+             FirewallError(UNKNOWN_ERROR, "not implemented")
+-- 
+2.39.3
+

SOURCES/0018-test-ipset-add-missing-CHECK_IPSET.patch

@@ -1,52 +0,0 @@
-From 04b9b7138e4af55f56a82f0b3727b0e70de3a5a0 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Thu, 11 Feb 2021 15:10:04 -0500
-Subject: [PATCH 18/22] test(ipset): add missing CHECK_IPSET
-
-(cherry picked from commit 61a2f56e889f5a370e28bf98f8dcf2e864a01283)
-(cherry picked from commit 95f18c89e22271ec437377f8fed753997f5828aa)
----
- src/tests/regression/gh567.at       |  1 +
- src/tests/regression/rhbz1779835.at | 10 +++++++++-
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/regression/gh567.at b/src/tests/regression/gh567.at
-index 03c3bde4a0fe..7faa9a5b0291 100644
---- a/src/tests/regression/gh567.at
-+++ b/src/tests/regression/gh567.at
-@@ -1,5 +1,6 @@
- FWD_START_TEST([rich rule source w/ mark action])
- AT_KEYWORDS(gh567 rich ipset)
-+CHECK_IPSET
- 
- FWD_CHECK([-q --permanent --new-ipset=Teste --type=hash:net])
- FWD_CHECK([-q --permanent --add-rich-rule "rule family=ipv4 source ipset=Teste mark set=2"])
-diff --git a/src/tests/regression/rhbz1779835.at b/src/tests/regression/rhbz1779835.at
-index 8de5c0353b6e..1c6738bce468 100644
---- a/src/tests/regression/rhbz1779835.at
-+++ b/src/tests/regression/rhbz1779835.at
-@@ -1,5 +1,6 @@
- FWD_START_TEST([ipv6 address with brackets])
--AT_KEYWORDS(rhbz1779835 ipset zone forward_port rich)
-+AT_KEYWORDS(rhbz1779835 ipset)
-+CHECK_IPSET
- 
- IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
- 
-@@ -10,6 +11,13 @@ FWD_CHECK([-q --permanent --new-ipset=foobar2 --type=hash:net --family=inet6])
- FWD_CHECK([[-q --permanent --ipset foobar2 --add-entry='[1234::]/64']])
- FWD_RELOAD
- 
-+FWD_END_TEST
-+
-+FWD_START_TEST([ipv6 address with brackets])
-+AT_KEYWORDS(rhbz1779835 zone forward_port rich)
-+
-+IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
-+
- dnl zone source
- FWD_CHECK([[-q --zone internal --add-source='[::1234]']])
- FWD_CHECK([[-q --zone internal --add-source='[1234::]/64']])
--- 
-2.27.0
-

SOURCES/0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch

@@ -0,0 +1,242 @@
+From 0715e07a68d50d33797a724d24157a96afee3de6 Mon Sep 17 00:00:00 2001
+From: Derek Dai <daiderek@gmail.com>
+Date: Tue, 10 Nov 2020 20:37:36 +0800
+Subject: [PATCH 18/26] v1.0.0: feat(rich): support using ipset in destination
+
+Fixes: #706
+Closes: #711
+(cherry picked from commit 286d00031f431f3c3d0f94028975a409e78be8c8)
+---
+ doc/xml/firewalld.richlanguage.xml |  2 +-
+ src/firewall/core/io/policy.py     | 21 ++++++++++----
+ src/firewall/core/io/zone.py       |  4 +--
+ src/firewall/core/ipXtables.py     | 25 +++++++++++------
+ src/firewall/core/nftables.py      |  7 ++++-
+ src/firewall/core/rich.py          | 44 ++++++++++++++++++++++--------
+ 6 files changed, 74 insertions(+), 29 deletions(-)
+
+diff --git a/doc/xml/firewalld.richlanguage.xml b/doc/xml/firewalld.richlanguage.xml
+index e336bfd0b464..19bd038fc1fd 100644
+--- a/doc/xml/firewalld.richlanguage.xml
++++ b/doc/xml/firewalld.richlanguage.xml
+@@ -129,7 +129,7 @@ source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"
+       <title>Destination</title>
+       <para>
+ 	<programlisting>
+-destination [not] address="address[/mask]"
++destination [not] address="address[/mask]"|ipset="ipset"
+ 	</programlisting>
+ 	With the destination address the target can be limited to the destination address. The destination address is using the same syntax as the source address.
+       </para>
+diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
+index c543aa1b42a6..3b951545e975 100644
+--- a/src/firewall/core/io/policy.py
++++ b/src/firewall/core/io/policy.py
+@@ -186,11 +186,18 @@ def common_startElement(obj, name, attrs):
+                         str(obj._rule))
+             return True
+         invert = False
++        address = None
++        if "address" in attrs:
++            address = attrs["address"]
++        ipset = None
++        if "ipset" in attrs:
++            ipset = attrs["ipset"]
+         if "invert" in attrs and \
+                 attrs["invert"].lower() in [ "yes", "true" ]:
+             invert = True
+-        obj._rule.destination = rich.Rich_Destination(attrs["address"],
+-                                                       invert)
++        obj._rule.destination = rich.Rich_Destination(address,
++                                                      ipset,
++                                                      invert)
+ 
+     elif name in [ "accept", "reject", "drop", "mark" ]:
+         if not obj._rule:
+@@ -447,7 +454,11 @@ def common_writer(obj, handler):
+ 
+         # destination
+         if rule.destination:
+-            attrs = { "address": rule.destination.addr }
++            attrs = { }
++            if rule.destination.addr:
++                attrs["address"] = rule.destination.addr
++            if rule.destination.ipset:
++                attrs["ipset"] = rule.destination.ipset
+             if rule.destination.invert:
+                 attrs["invert"] = "True"
+             handler.ignorableWhitespace("    ")
+@@ -607,7 +618,7 @@ class Policy(IO_Object):
+         "forward-port": [ "port", "protocol" ],
+         "rule": None,
+         "source": None,
+-        "destination": [ "address" ],
++        "destination": None,
+         "protocol": [ "value" ],
+         "source-port": [ "port", "protocol" ],
+         "log":  None,
+@@ -625,7 +636,7 @@ class Policy(IO_Object):
+         "forward-port": [ "to-port", "to-addr" ],
+         "rule": [ "family", "priority" ],
+         "source": [ "address", "mac", "invert", "family", "ipset" ],
+-        "destination": [ "invert" ],
++        "destination": [ "address", "invert", "ipset" ],
+         "log": [ "prefix", "level" ],
+         "reject": [ "type" ],
+         }
+diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
+index 4291ec9cba00..0c419ee0f2bd 100644
+--- a/src/firewall/core/io/zone.py
++++ b/src/firewall/core/io/zone.py
+@@ -73,7 +73,7 @@ class Zone(IO_Object):
+         "interface": [ "name" ],
+         "rule": None,
+         "source": None,
+-        "destination": [ "address" ],
++        "destination": None,
+         "protocol": [ "value" ],
+         "source-port": [ "port", "protocol" ],
+         "log":  None,
+@@ -91,7 +91,7 @@ class Zone(IO_Object):
+         "forward-port": [ "to-port", "to-addr" ],
+         "rule": [ "family", "priority" ],
+         "source": [ "address", "mac", "invert", "family", "ipset" ],
+-        "destination": [ "invert" ],
++        "destination": [ "address", "invert", "ipset" ],
+         "log": [ "prefix", "level" ],
+         "reject": [ "type" ],
+         }
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index cf6c6e03e7ad..401377104ce1 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -1093,15 +1093,22 @@ class ip4tables(object):
+             return []
+ 
+         rule_fragment = []
+-        if rich_dest.invert:
+-            rule_fragment.append("!")
+-        if check_single_address("ipv6", rich_dest.addr):
+-            rule_fragment += [ "-d", normalizeIP6(rich_dest.addr) ]
+-        elif check_address("ipv6", rich_dest.addr):
+-            addr_split = rich_dest.addr.split("/")
+-            rule_fragment += [ "-d", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
+-        else:
+-            rule_fragment += [ "-d", rich_dest.addr ]
++        if rich_dest.addr:
++            if rich_dest.invert:
++                rule_fragment.append("!")
++            if check_single_address("ipv6", rich_dest.addr):
++                rule_fragment += [ "-d", normalizeIP6(rich_dest.addr) ]
++            elif check_address("ipv6", rich_dest.addr):
++                addr_split = rich_dest.addr.split("/")
++                rule_fragment += [ "-d", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
++            else:
++                rule_fragment += [ "-d", rich_dest.addr ]
++        elif rich_dest.ipset:
++            rule_fragment += [ "-m", "set" ]
++            if rich_dest.invert:
++                rule_fragment.append("!")
++            flags = self._fw.zone._ipset_match_flags(rich_dest.ipset, "dst")
++            rule_fragment += [ "--match-set", rich_dest.ipset, flags ]
+ 
+         return rule_fragment
+ 
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 2a13b2678a94..d238451ebd5d 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1253,7 +1253,12 @@ class nftables(object):
+     def _rich_rule_destination_fragment(self, rich_dest):
+         if not rich_dest:
+             return {}
+-        return self._rule_addr_fragment("daddr", rich_dest.addr, invert=rich_dest.invert)
++        if rich_dest.addr:
++            address = rich_dest.addr
++        elif rich_dest.ipset:
++            address = "ipset:" + rich_dest.ipset
++
++        return self._rule_addr_fragment("daddr", address, invert=rich_dest.invert)
+ 
+     def _rich_rule_source_fragment(self, rich_source):
+         if not rich_source:
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 03bc194c2b28..6a03eeca5d8a 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -63,13 +63,27 @@ class Rich_Source(object):
+                                 "no address, mac and ipset")
+ 
+ class Rich_Destination(object):
+-    def __init__(self, addr, invert=False):
++    def __init__(self, addr, ipset, invert=False):
+         self.addr = addr
++        if self.addr == "":
++            self.addr = None
++        self.ipset = ipset
++        if self.ipset == "":
++            self.ipset = None
+         self.invert = invert
++        if self.addr is None and self.ipset is None:
++            raise FirewallError(errors.INVALID_RULE,
++                                "no address and ipset")
+ 
+     def __str__(self):
+-        return 'destination %saddress="%s"' % ("not " if self.invert else "",
+-                                               self.addr)
++        ret = 'destination%s ' % (" NOT" if self.invert else "")
++        if self.addr is not None:
++            return ret + 'address="%s"' % self.addr
++        elif self.ipset is not None:
++            return ret + 'ipset="%s"' % self.ipset
++        else:
++            raise FirewallError(errors.INVALID_RULE,
++                                "no address and ipset")
+ 
+ class Rich_Service(object):
+     def __init__(self, name):
+@@ -404,12 +418,12 @@ class Rich_Rule(object):
+                     attrs.clear()
+                     index = index -1 # return token to input
+             elif in_element == 'destination':
+-                if attr_name in ['address', 'invert']:
++                if attr_name in ['address', 'ipset', 'invert']:
+                     attrs[attr_name] = attr_value
+                 elif element in ['not', 'NOT']:
+                     attrs['invert'] = True
+                 else:
+-                    self.destination = Rich_Destination(attrs.get('address'), attrs.get('invert'))
++                    self.destination = Rich_Destination(attrs.get('address'), attrs.get('ipset'), attrs.get('invert', False))
+                     in_elements.pop() # destination
+                     attrs.clear()
+                     index = index -1 # return token to input
+@@ -587,12 +601,20 @@ class Rich_Rule(object):
+ 
+         # destination
+         if self.destination is not None:
+-            if self.family is None:
+-                raise FirewallError(errors.INVALID_FAMILY)
+-            if self.destination.addr is None or \
+-                    not functions.check_address(self.family,
+-                                                self.destination.addr):
+-                raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))
++            if self.destination.addr is not None:
++                if self.family is None:
++                    raise FirewallError(errors.INVALID_FAMILY)
++                if self.destination.ipset is not None:
++                    raise FirewallError(errors.INVALID_DESTINATION, "address and ipset")
++                if not functions.check_address(self.family, self.destination.addr):
++                    raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))
++
++            elif self.destination.ipset is not None:
++                if not check_ipset_name(self.destination.ipset):
++                    raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset))
++
++            else:
++                raise FirewallError(errors.INVALID_RULE, "invalid destination")
+ 
+         # service
+         if type(self.element) == Rich_Service:
+-- 
+2.43.0
+

SOURCES/0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch

@@ -1,48 +0,0 @@
-From 0ada4672b42c426de1ffc7f3ae2416629225369f Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Mon, 15 Feb 2021 09:53:02 -0500
-Subject: [PATCH 19/22] fix(fw): when checking tables make sure to check the
- actual backend
-
-Calling get_backend_by_ipv() will return nftables if we're using
-nftables backend, but we really need to check if iptables, et al. are
-available.
-
-(cherry picked from commit 48d97fb40929afbc1b0bc82759ad75b1937f6e3f)
-(cherry picked from commit fba59a99735ec46d787141350564137abfec0c87)
----
- src/firewall/core/fw.py | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
-index 15284a4929e9..3eb54e37ab5c 100644
---- a/src/firewall/core/fw.py
-+++ b/src/firewall/core/fw.py
-@@ -131,18 +131,18 @@ class Firewall(object):
-     def _check_tables(self):
-         # check if iptables, ip6tables and ebtables are usable, else disable
-         if self.ip4tables_enabled and \
--           "filter" not in self.get_backend_by_ipv("ipv4").get_available_tables():
--            log.warning("iptables not usable, disabling IPv4 firewall.")
-+           "filter" not in self.ip4tables_backend.get_available_tables():
-+            log.info1("iptables is not usable.")
-             self.ip4tables_enabled = False
- 
-         if self.ip6tables_enabled and \
--           "filter" not in self.get_backend_by_ipv("ipv6").get_available_tables():
--            log.warning("ip6tables not usable, disabling IPv6 firewall.")
-+           "filter" not in self.ip6tables_backend.get_available_tables():
-+            log.info1("ip6tables is not usable.")
-             self.ip6tables_enabled = False
- 
-         if self.ebtables_enabled and \
--           "filter" not in self.get_backend_by_ipv("eb").get_available_tables():
--            log.warning("ebtables not usable, disabling ethernet bridge firewall.")
-+           "filter" not in self.ebtables_backend.get_available_tables():
-+            log.info1("ebtables is not usable.")
-             self.ebtables_enabled = False
- 
-         # is there at least support for ipv4 or ipv6
--- 
-2.27.0
-

SOURCES/0019-v1.0.0-test-rich-destination-ipset.patch

@@ -0,0 +1,60 @@
+From cf8a55d1fe769a9e4632fbccf5ae4738ab661421 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 12 Nov 2020 17:11:58 -0500
+Subject: [PATCH 19/26] v1.0.0: test(rich): destination ipset
+
+(cherry picked from commit f274bfd0f7bc0e466c42b732e03002e11e99ed88)
+---
+ src/tests/features/features.at               |  1 +
+ src/tests/features/rich_destination_ipset.at | 30 ++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 src/tests/features/rich_destination_ipset.at
+
+diff --git a/src/tests/features/features.at b/src/tests/features/features.at
+index 2340853aeca7..381bf6dba0e4 100644
+--- a/src/tests/features/features.at
++++ b/src/tests/features/features.at
+@@ -13,3 +13,4 @@ m4_include([features/rich_rules.at])
+ m4_include([features/icmp_blocks.at])
+ m4_include([features/rpfilter.at])
+ m4_include([features/zone_combine.at])
++m4_include([features/rich_destination_ipset.at])
+diff --git a/src/tests/features/rich_destination_ipset.at b/src/tests/features/rich_destination_ipset.at
+new file mode 100644
+index 000000000000..c07809141851
+--- /dev/null
++++ b/src/tests/features/rich_destination_ipset.at
+@@ -0,0 +1,30 @@
++FWD_START_TEST([rich destination ipset])
++AT_KEYWORDS(rich ipset)
++
++FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, [ignore])
++FWD_RELOAD
++
++FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
++FWD_CHECK([            --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
++NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
++    table inet firewalld {
++        chain filter_IN_public_allow {
++            tcp dport 22 ct state new,untracked accept
++            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
++            ip daddr @foobar accept
++        }
++    }
++])
++IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
++    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst
++])
++
++dnl negative tests
++FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
++FWD_CHECK([            --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
++FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
++FWD_CHECK([            --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
++
++FWD_END_TEST([-e '/ERROR: INVALID_RULE: bad attribute/d'dnl
++              -e '/ERROR: INVALID_DESTINATION: address and ipset/d'])
+-- 
+2.43.0
+

SOURCES/0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch

@@ -1,118 +0,0 @@
-From 12b83f9c9381e60496a63082343512e62b03de5f Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Mon, 22 Feb 2021 15:11:21 -0500
-Subject: [PATCH 20/22] fix(ipset): nftables: use interval flag for "ip" types
-
-This is to be compatible with ipset. ipset allows adding to a non-mask
-type, e.g. "ip", by using a mask. ipset translates this into many
-entries. Support it in nftables simply by using intervals.
-
-(cherry picked from commit faaf3ac649a347f0bccae800fd0e4daeebbd1539)
-(cherry picked from commit c9d1c88e91c84561af0dbfb5999f722a3b6bb397)
----
- src/firewall/core/nftables.py       | 2 +-
- src/tests/cli/firewall-cmd.at       | 1 +
- src/tests/regression/gh330.at       | 6 ++++++
- src/tests/regression/rhbz1734765.at | 2 ++
- 4 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index ff077aded340..e6907421e111 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -1767,7 +1767,7 @@ class nftables(object):
- 
-         # Some types need the interval flag
-         for t in type.split(":")[1].split(","):
--            if t in ["net", "port"]:
-+            if t in ["ip", "net", "port"]:
-                 set_dict["flags"] = ["interval"]
-                 break
- 
-diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
-index 67af8a19c072..450737776a9f 100644
---- a/src/tests/cli/firewall-cmd.at
-+++ b/src/tests/cli/firewall-cmd.at
-@@ -974,6 +974,7 @@ FWD_START_TEST([ipset])
-         table inet firewalld {
-             set foobar {
-                 type ipv4_addr . mark
-+                flags interval
-                 elements = { 10.10.10.10 . 0x00000100,
-                              20.20.20.20 . 0x00000200 }
-             }
-diff --git a/src/tests/regression/gh330.at b/src/tests/regression/gh330.at
-index fd8d2f8d2dd8..0564501aa18d 100644
---- a/src/tests/regression/gh330.at
-+++ b/src/tests/regression/gh330.at
-@@ -17,6 +17,7 @@ NFT_LIST_SET([foobar], 0, [dnl
-     table inet firewalld {
-         set foobar {
-             type ipv4_addr
-+            flags interval
-             elements = { 1.2.3.4 }
-         }
-     }
-@@ -43,6 +44,7 @@ NFT_LIST_SET([foobar], 0, [dnl
-     table inet firewalld {
-         set foobar {
-             type ipv4_addr
-+            flags interval
-             elements = { 1.2.3.4, 10.10.10.10 }
-         }
-     }
-@@ -60,6 +62,7 @@ NFT_LIST_SET([foobar], 0, [dnl
-     table inet firewalld {
-         set foobar {
-             type ipv4_addr
-+            flags interval
-             elements = { 1.2.3.4, 10.10.10.10 }
-         }
-     }
-@@ -80,6 +83,7 @@ NFT_LIST_SET([foobar], 0, [dnl
-     table inet firewalld {
-         set foobar {
-             type ipv4_addr
-+            flags interval
-             elements = { 1.2.3.4, 4.3.2.1,
-                          10.10.10.10 }
-         }
-@@ -104,6 +108,7 @@ NFT_LIST_SET([foobar], 0, [dnl
-     table inet firewalld {
-         set foobar {
-             type ipv4_addr
-+            flags interval
-             elements = { 1.2.3.4, 4.3.2.1,
-                          6.6.6.6, 10.10.10.10 }
-         }
-@@ -129,6 +134,7 @@ NFT_LIST_SET([foobar], 0, [dnl
-     table inet firewalld {
-         set foobar {
-             type ipv4_addr
-+            flags interval
-             elements = { 1.2.3.4 }
-         }
-     }
-diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
-index b9f6aa5d49a1..b5023a058a55 100644
---- a/src/tests/regression/rhbz1734765.at
-+++ b/src/tests/regression/rhbz1734765.at
-@@ -47,6 +47,7 @@ NFT_LIST_SET([ipsetv4], 0, [dnl
-     table inet firewalld {
-         set ipsetv4 {
-             type ipv4_addr
-+            flags interval
-             elements = { 192.0.2.12 }
-         }
-     }
-@@ -55,6 +56,7 @@ NFT_LIST_SET([ipsetv6], 0, [dnl
-     table inet firewalld {
-         set ipsetv6 {
-             type ipv6_addr
-+            flags interval
-             elements = { ::2 }
-         }
-     }
--- 
-2.27.0
-

SOURCES/0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch

@@ -0,0 +1,63 @@
+From 63100ca625942e6be2c68422e7a48bc68f8d01c5 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 13 Nov 2020 13:32:22 -0500
+Subject: [PATCH 20/26] v1.0.0: test(rich): destination ipset: verify policy
+ support
+
+(cherry picked from commit fdd120572cd45a6ea2515bc906b89482de6560ea)
+---
+ src/tests/features/rich_destination_ipset.at | 23 ++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/tests/features/rich_destination_ipset.at b/src/tests/features/rich_destination_ipset.at
+index c07809141851..3286755d2252 100644
+--- a/src/tests/features/rich_destination_ipset.at
++++ b/src/tests/features/rich_destination_ipset.at
+@@ -1,9 +1,14 @@
+ FWD_START_TEST([rich destination ipset])
+ AT_KEYWORDS(rich ipset)
+ 
++FWD_CHECK([--permanent --new-policy=mypolicy], 0, [ignore])
++FWD_CHECK([--permanent --policy=mypolicy --add-ingress-zone ANY], 0, [ignore])
++FWD_CHECK([--permanent --policy=mypolicy --add-egress-zone HOST], 0, [ignore])
++
+ FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, [ignore])
+ FWD_RELOAD
+ 
++dnl zone
+ FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
+ FWD_CHECK([            --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
+ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+@@ -20,11 +25,29 @@ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+     ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst
+ ])
+ 
++dnl policy
++FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
++FWD_CHECK([            --policy mypolicy --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
++NFT_LIST_RULES([inet], [filter_IN_policy_mypolicy_allow], 0, [dnl
++    table inet firewalld {
++        chain filter_IN_policy_mypolicy_allow {
++            ip daddr @foobar accept
++        }
++    }
++])
++IPTABLES_LIST_RULES([filter], [IN_mypolicy_allow], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst
++])
++
+ dnl negative tests
+ FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
+ FWD_CHECK([            --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
+ FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
+ FWD_CHECK([            --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
++FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
++FWD_CHECK([            --policy mypolicy --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
++FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
++FWD_CHECK([            --policy mypolicy --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
+ 
+ FWD_END_TEST([-e '/ERROR: INVALID_RULE: bad attribute/d'dnl
+               -e '/ERROR: INVALID_DESTINATION: address and ipset/d'])
+-- 
+2.43.0
+

SOURCES/0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch

@@ -1,54 +0,0 @@
-From 8adac165dc93d28802c645a3626a3bcf29503ace Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Mon, 15 Feb 2021 11:29:07 -0500
-Subject: [PATCH 21/22] test(ipset): verify ipset netmask allowed for hash:ip
-
-(cherry picked from commit b7718f0dfa9ce7247911ef49c62e3ef2e4208343)
-(cherry picked from commit 1fd50036a51b6147f9e77d61d7e63c8a8e564756)
----
- src/tests/regression/ipset_netmask_allowed.at | 23 +++++++++++++++++++
- src/tests/regression/regression.at            |  1 +
- 2 files changed, 24 insertions(+)
- create mode 100644 src/tests/regression/ipset_netmask_allowed.at
-
-diff --git a/src/tests/regression/ipset_netmask_allowed.at b/src/tests/regression/ipset_netmask_allowed.at
-new file mode 100644
-index 000000000000..b5165d94b220
---- /dev/null
-+++ b/src/tests/regression/ipset_netmask_allowed.at
-@@ -0,0 +1,23 @@
-+FWD_START_TEST([ipset netmask allowed type hash:ip])
-+AT_KEYWORDS(ipset reload)
-+
-+FWD_CHECK([--permanent --new-ipset foobar --type hash:ip], 0, [ignore])
-+FWD_RELOAD
-+
-+dnl ipset allows specifying a mask for hash:ip, but it will translate it into
-+dnl an add for the whole range. i.e. 1.2.3.4/24  --> 1.2.3.[0.255] (256
-+dnl entries).
-+dnl
-+dnl In nftables, we allow this by using actual intervals.
-+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
-+FWD_CHECK([            --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
-+
-+dnl check the edge case
-+FWD_CHECK([--permanent --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
-+FWD_CHECK([            --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
-+
-+dnl overlaps should be denied by ipset
-+FWD_CHECK([            --ipset foobar --add-entry 1.2.3.0/22], 13, [ignore], [ignore])
-+FWD_CHECK([            --ipset foobar --add-entry 1.2.3.0/30], 13, [ignore], [ignore])
-+
-+FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d'])
-diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
-index a90fc37d51c6..a49bb3b756e7 100644
---- a/src/tests/regression/regression.at
-+++ b/src/tests/regression/regression.at
-@@ -38,3 +38,4 @@ m4_include([regression/rhbz1855140.at])
- m4_include([regression/rhbz1871298.at])
- m4_include([regression/rhbz1596304.at])
- m4_include([regression/gh703.at])
-+m4_include([regression/ipset_netmask_allowed.at])
--- 
-2.27.0
-

SOURCES/0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch

@@ -0,0 +1,131 @@
+From b18ab581731a302ddba0428b685360d315293e73 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Wed, 29 Nov 2023 17:02:07 +0100
+Subject: [PATCH 21/26] v2.1.0: feat(icmp): add ICMPv6 Multicast Listener
+ Discovery (MLD) types
+
+Note that ip6tables does not support these ICMPv6 types. Currently,
+the name of the ICMP types in firewalld must correspond to the names
+in iptables. As ip6tables doesn't support it, it does not. If ip6tables
+adds support for "mld-listener-query", but calls it differently, we have
+a problem. Nothing that can be done about that.
+
+`man nft` also lists an alias "mld-listener-reduction" (for
+"mld-listener-done", type 132). That alias is not supported. Use the
+name as from RFC 4890.
+
+(cherry picked from commit dd88bbf812e0a50766b69c2bf12470ecf9d2466a)
+---
+ config/Makefile.am                        | 4 ++++
+ config/icmptypes/mld-listener-done.xml    | 7 +++++++
+ config/icmptypes/mld-listener-query.xml   | 7 +++++++
+ config/icmptypes/mld-listener-report.xml  | 7 +++++++
+ config/icmptypes/mld2-listener-report.xml | 7 +++++++
+ po/POTFILES.in                            | 4 ++++
+ src/firewall/core/nftables.py             | 4 ++++
+ 7 files changed, 40 insertions(+)
+ create mode 100644 config/icmptypes/mld-listener-done.xml
+ create mode 100644 config/icmptypes/mld-listener-query.xml
+ create mode 100644 config/icmptypes/mld-listener-report.xml
+ create mode 100644 config/icmptypes/mld2-listener-report.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index f844a5a00e2f..a11c6abae583 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -83,6 +83,10 @@ CONFIG_FILES = \
+ 	icmptypes/host-unknown.xml \
+ 	icmptypes/host-unreachable.xml \
+ 	icmptypes/ip-header-bad.xml \
++	icmptypes/mld-listener-done.xml \
++	icmptypes/mld-listener-query.xml \
++	icmptypes/mld-listener-report.xml \
++	icmptypes/mld2-listener-report.xml \
+ 	icmptypes/neighbour-advertisement.xml \
+ 	icmptypes/neighbour-solicitation.xml \
+ 	icmptypes/network-prohibited.xml \
+diff --git a/config/icmptypes/mld-listener-done.xml b/config/icmptypes/mld-listener-done.xml
+new file mode 100644
+index 000000000000..09b8bbba5b90
+--- /dev/null
++++ b/config/icmptypes/mld-listener-done.xml
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="utf-8"?>
++<icmptype>
++  <short>MLD Listener Done</short>
++  <description>ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Done (type 132) (RFC 4890 section 4.4.1). Also known as mld-listener-reduction to nft.</description>
++  <destination ipv4="no"/>
++  <destination ipv6="yes"/>
++</icmptype>
+diff --git a/config/icmptypes/mld-listener-query.xml b/config/icmptypes/mld-listener-query.xml
+new file mode 100644
+index 000000000000..418685578d1d
+--- /dev/null
++++ b/config/icmptypes/mld-listener-query.xml
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="utf-8"?>
++<icmptype>
++  <short>MLD Listener Query</short>
++  <description>ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Query (type 130) (RFC 4890 section 4.4.1).</description>
++  <destination ipv4="no"/>
++  <destination ipv6="yes"/>
++</icmptype>
+diff --git a/config/icmptypes/mld-listener-report.xml b/config/icmptypes/mld-listener-report.xml
+new file mode 100644
+index 000000000000..98fb4161b298
+--- /dev/null
++++ b/config/icmptypes/mld-listener-report.xml
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="utf-8"?>
++<icmptype>
++  <short>MLD Listener Report</short>
++  <description>ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Report (type 131) (RFC 4890 section 4.4.1).</description>
++  <destination ipv4="no"/>
++  <destination ipv6="yes"/>
++</icmptype>
+diff --git a/config/icmptypes/mld2-listener-report.xml b/config/icmptypes/mld2-listener-report.xml
+new file mode 100644
+index 000000000000..faee68c95b20
+--- /dev/null
++++ b/config/icmptypes/mld2-listener-report.xml
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="utf-8"?>
++<icmptype>
++  <short>MLDv2 Multicast Listener Report</short>
++  <description>ICMPv6 Link-Local Multicast Listener Discovery (MDLv2) of type Multicast Listener Report (type 143) (RFC 4890 section 4.4.1).</description>
++  <destination ipv4="no"/>
++  <destination ipv6="yes"/>
++</icmptype>
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 249cff8d0d2f..3bb71fd3d332 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -15,6 +15,10 @@ config/icmptypes/host-redirect.xml
+ config/icmptypes/host-unknown.xml
+ config/icmptypes/host-unreachable.xml
+ config/icmptypes/ip-header-bad.xml
++config/icmptypes/mld-listener-done.xml
++config/icmptypes/mld-listener-query.xml
++config/icmptypes/mld-listener-report.xml
++config/icmptypes/mld2-listener-report.xml
+ config/icmptypes/neighbour-advertisement.xml
+ config/icmptypes/neighbour-solicitation.xml
+ config/icmptypes/network-prohibited.xml
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index d238451ebd5d..67fb6457e86c 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -140,6 +140,10 @@ ICMP_TYPES_FRAGMENTS = {
+         "echo-reply":                   _icmp_types_fragments("icmpv6", "echo-reply"),
+         "echo-request":                 _icmp_types_fragments("icmpv6", "echo-request"),
+         "failed-policy":                _icmp_types_fragments("icmpv6", "destination-unreachable", 5),
++        "mld-listener-done":            _icmp_types_fragments("icmpv6", "mld-listener-done"),
++        "mld-listener-query":           _icmp_types_fragments("icmpv6", "mld-listener-query"),
++        "mld-listener-report":          _icmp_types_fragments("icmpv6", "mld-listener-report"),
++        "mld2-listener-report":         _icmp_types_fragments("icmpv6", "mld2-listener-report"),
+         "neighbour-advertisement":      _icmp_types_fragments("icmpv6", "nd-neighbor-advert"),
+         "neighbour-solicitation":       _icmp_types_fragments("icmpv6", "nd-neighbor-solicit"),
+         "no-route":                     _icmp_types_fragments("icmpv6", "destination-unreachable", 0),
+-- 
+2.43.0
+

SOURCES/0022-test-offline-always-allow-ipset-tests.patch

@@ -1,34 +0,0 @@
-From be0b7cac7e80d51cc976085f9575b0feb3f1fbe7 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Fri, 19 Feb 2021 10:27:18 -0500
-Subject: [PATCH 22/22] test(offline): always allow ipset tests
-
-(cherry picked from commit 50c713a8b82be5a3499a15f825cdceb373fe3698)
-(cherry picked from commit f17e1937597455257a29ae848ea51c5e089c1077)
----
- src/tests/functions.at | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 8632f49e442f..54afcf14585a 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -519,6 +519,7 @@ m4_define([DBUS_SET], [
- ])
- 
- m4_define([CHECK_IPSET], [
-+    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
-     m4_if(nftables, FIREWALL_BACKEND, [
-         dnl If our nft binary has buggy flush set, then skip the test
-         NS_CHECK([nft add table inet firewalld_check_ipset])
-@@ -537,6 +538,7 @@ m4_define([CHECK_IPSET], [
- 
-         NS_CHECK([nft delete table inet firewalld_check_ipset])
-     ])
-+    ])
- ])
- 
- m4_define([CHECK_IPSET_HASH_MAC], [
--- 
-2.27.0
-

SOURCES/0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch

@@ -0,0 +1,82 @@
+From 5266735bf4827178ddd9a12edc37b1b0a93e0d3a Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Tue, 12 Dec 2023 14:58:07 +0100
+Subject: [PATCH 22/26] v2.1.0: fix(rich): validate service name of rich rule
+
+Previously, validation of valid service names was not done.
+That meant:
+
+  $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
+  success
+  $ firewall-cmd --reload
+  Error: INVALID_SERVICE: listen
+
+which left firewalld in a bad state.
+
+Now:
+
+  $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
+  Error: INVALID_SERVICE: Zone 'public': 'listen' not among existing services
+
+https://issues.redhat.com/browse/RHEL-5790
+(cherry picked from commit fbcdddd3e38c31a7b8325bf02764b84344c216b0)
+---
+ src/firewall/core/io/policy.py   | 11 +++++++++++
+ src/tests/features/rich_rules.at |  8 +++++++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
+index 3b951545e975..514a20251ef4 100644
+--- a/src/firewall/core/io/policy.py
++++ b/src/firewall/core/io/policy.py
+@@ -304,6 +304,8 @@ def common_endElement(obj, name):
+         obj._limit_ok = None
+ 
+ def common_check_config(obj, config, item, all_config):
++    obj_type = "Policy" if isinstance(obj, Policy) else "Zone"
++
+     if item == "services" and obj.fw_config:
+         existing_services = obj.fw_config.get_services()
+         for service in config:
+@@ -360,6 +362,15 @@ def common_check_config(obj, config, item, all_config):
+                         raise FirewallError(errors.INVALID_ICMPTYPE,
+                                             "rich rule family '%s' conflicts with icmp type '%s'" % \
+                                             (obj_rich.family, obj_rich.element.name))
++            elif obj.fw_config and isinstance(obj_rich.element, rich.Rich_Service):
++                existing_services = obj.fw_config.get_services()
++                if obj_rich.element.name not in existing_services:
++                    raise FirewallError(
++                        errors.INVALID_SERVICE,
++                        "{} '{}': '{}' not among existing services".format(
++                            obj_type, obj.name, obj_rich.element.name
++                        ),
++                    )
+ 
+ def common_writer(obj, handler):
+     # short
+diff --git a/src/tests/features/rich_rules.at b/src/tests/features/rich_rules.at
+index bb5e4b72a516..de98bf0ce268 100644
+--- a/src/tests/features/rich_rules.at
++++ b/src/tests/features/rich_rules.at
+@@ -46,6 +46,11 @@ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priorit
+ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0  source address=10.10.10.13 drop'], 0, ignore)
+ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.10.10.14 accept'], 0, ignore)
+ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=1  source address=10.10.10.15 accept'], 0, ignore)
++
++dnl Invalid service name is rejected.
++FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore)
++FWD_CHECK([--policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore)
++
+ FWD_RELOAD
+ NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl
+     table inet firewalld {
+@@ -289,4 +294,5 @@ IP6TABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl
+     ACCEPT all ::/0 ::/0
+ ])
+ 
+-FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d'])
++FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d' dnl
++              -e "/ERROR: INVALID_SERVICE: Policy 'foobar': 'bogusservice' not among existing services/d"])
+-- 
+2.43.0
+

SOURCES/0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch

@@ -1,167 +0,0 @@
-From 44dff592c200f81d74b64ba1c729ec8ec3b8612e Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Tue, 13 Apr 2021 14:35:31 -0400
-Subject: [PATCH 23/30] fix(direct): rule order with multiple address with
- -s/-d
-
-Fixes: rhbz 1940928
-Fixes: rhbz 1949552
-(cherry picked from commit 2be50d366b9ba073e5f86edcd0b412ff48c3fed1)
-(cherry picked from commit a545183d6916169cd16648707b9f876ea0833955)
----
- src/firewall/core/fw_direct.py | 53 +++++++++++++++++++++++++++++-----
- src/firewall/core/ipXtables.py | 32 --------------------
- 2 files changed, 46 insertions(+), 39 deletions(-)
-
-diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
-index e53a72e3326a..76aeda9f19cb 100644
---- a/src/firewall/core/fw_direct.py
-+++ b/src/firewall/core/fw_direct.py
-@@ -298,7 +298,7 @@ class FirewallDirect(object):
-                 r.append((ipv, table, chain, priority, list(args)))
-         return r
- 
--    def _register_rule(self, rule_id, chain_id, priority, enable):
-+    def _register_rule(self, rule_id, chain_id, priority, enable, count):
-         if enable:
-             if chain_id not in self._rules:
-                 self._rules[chain_id] = LastUpdatedOrderedDict()
-@@ -307,14 +307,14 @@ class FirewallDirect(object):
-                 self._rule_priority_positions[chain_id] = { }
- 
-             if priority in self._rule_priority_positions[chain_id]:
--                self._rule_priority_positions[chain_id][priority] += 1
-+                self._rule_priority_positions[chain_id][priority] += count
-             else:
--                self._rule_priority_positions[chain_id][priority] = 1
-+                self._rule_priority_positions[chain_id][priority] = count
-         else:
-             del self._rules[chain_id][rule_id]
-             if len(self._rules[chain_id]) == 0:
-                 del self._rules[chain_id]
--            self._rule_priority_positions[chain_id][priority] -= 1
-+            self._rule_priority_positions[chain_id][priority] -= count
- 
-     # DIRECT PASSTHROUGH (untracked)
- 
-@@ -376,6 +376,34 @@ class FirewallDirect(object):
-                 r.append(list(args))
-         return r
- 
-+    def split_value(self, rules, opts):
-+        """Split values combined with commas for options in opts"""
-+
-+        out_rules = [ ]
-+        for rule in rules:
-+            processed = False
-+            for opt in opts:
-+                try:
-+                    i = rule.index(opt)
-+                except ValueError:
-+                    pass
-+                else:
-+                    if len(rule) > i and "," in rule[i+1]:
-+                        # For all items in the comma separated list in index
-+                        # i of the rule, a new rule is created with a single
-+                        # item from this list
-+                        processed = True
-+                        items = rule[i+1].split(",")
-+                        for item in items:
-+                            _rule = rule[:]
-+                            _rule[i+1] = item
-+                            out_rules.append(_rule)
-+            if not processed:
-+                out_rules.append(rule)
-+
-+        return out_rules
-+
-+
-     def _rule(self, enable, ipv, table, chain, priority, args, transaction):
-         self._check_ipv_table(ipv, table)
-         # Do not create zone chains if we're using nftables. Only allow direct
-@@ -458,6 +486,7 @@ class FirewallDirect(object):
-         # has index 1.
- 
-         index = 1
-+        count = 0
-         if chain_id in self._rule_priority_positions:
-             positions = sorted(self._rule_priority_positions[chain_id].keys())
-             j = 0
-@@ -465,11 +494,21 @@ class FirewallDirect(object):
-                 index += self._rule_priority_positions[chain_id][positions[j]]
-                 j += 1
- 
--        transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, args))
-+        # split the direct rule in some cases as iptables-restore can't handle
-+        # compound args.
-+        #
-+        args_list = [list(args)]
-+        args_list = self.split_value(args_list, [ "-s", "--source" ])
-+        args_list = self.split_value(args_list, [ "-d", "--destination" ])
-+
-+        for _args in args_list:
-+            transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, tuple(_args)))
-+            index += 1
-+            count += 1
- 
--        self._register_rule(rule_id, chain_id, priority, enable)
-+        self._register_rule(rule_id, chain_id, priority, enable, count)
-         transaction.add_fail(self._register_rule,
--                             rule_id, chain_id, priority, not enable)
-+                             rule_id, chain_id, priority, not enable, count)
- 
-     def _chain(self, add, ipv, table, chain, transaction):
-         self._check_ipv_table(ipv, table)
-diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
-index 968b75867849..818ce3f153d0 100644
---- a/src/firewall/core/ipXtables.py
-+++ b/src/firewall/core/ipXtables.py
-@@ -200,36 +200,6 @@ class ip4tables(object):
-                                                      " ".join(_args), ret))
-         return ret
- 
--    def split_value(self, rules, opts=None):
--        """Split values combined with commas for options in opts"""
--
--        if opts is None:
--            return rules
--
--        out_rules = [ ]
--        for rule in rules:
--            processed = False
--            for opt in opts:
--                try:
--                    i = rule.index(opt)
--                except ValueError:
--                    pass
--                else:
--                    if len(rule) > i and "," in rule[i+1]:
--                        # For all items in the comma separated list in index
--                        # i of the rule, a new rule is created with a single
--                        # item from this list
--                        processed = True
--                        items = rule[i+1].split(",")
--                        for item in items:
--                            _rule = rule[:]
--                            _rule[i+1] = item
--                            out_rules.append(_rule)
--            if not processed:
--                out_rules.append(rule)
--
--        return out_rules
--
-     def _rule_replace(self, rule, pattern, replacement):
-         try:
-             i = rule.index(pattern)
-@@ -472,8 +442,6 @@ class ip4tables(object):
- 
-         for table in table_rules:
-             rules = table_rules[table]
--            rules = self.split_value(rules, [ "-s", "--source" ])
--            rules = self.split_value(rules, [ "-d", "--destination" ])
- 
-             temp_file.write("*%s\n" % table)
-             for rule in rules:
--- 
-2.27.0
-

SOURCES/0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch

@@ -0,0 +1,27 @@
+From 39e8946ba75fc3ce36c3ff72e3af1fb2ae0d95ec Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 5 Feb 2024 13:24:25 +0100
+Subject: [PATCH 23/26] v2.2.0: fix(rich): fix range check for large rule limit
+
+Fixes: 555ae1307a3e ('New rich language usable in zones')
+(cherry picked from commit e790c64ebb5760e8d8f8afd1b978baab891d5933)
+---
+ src/firewall/core/rich.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 6a03eeca5d8a..b150a0dca402 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -264,7 +264,7 @@ class Rich_Limit(object):
+         elif duration == "d":
+             mult = 24*60*60
+ 
+-        if 10000 * mult / rate == 0:
++        if 10000 * mult // rate == 0:
+             raise FirewallError(errors.INVALID_LIMIT,
+                                 "%s too fast" % self.value)
+ 
+-- 
+2.43.0
+

SOURCES/0024-test-direct-verify-rule-order-with-multiple-address-.patch

@@ -1,86 +0,0 @@
-From ed0b0a7f967f33729e4ec7472b4229f0317fd92d Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Fri, 9 Apr 2021 13:34:31 -0400
-Subject: [PATCH 24/30] test(direct): verify rule order with multiple address
- with -s/-d
-
-Coverage: rhbz 1940928
-Coverage: rhbz 1949552
-(cherry picked from commit 80c30dacc066af4d6d71d298b5e47625ecee5bdf)
-(cherry picked from commit c1262441db90108eb8044053ae1b93f66f0c2839)
----
- src/tests/regression/regression.at  |  1 +
- src/tests/regression/rhbz1940928.at | 52 +++++++++++++++++++++++++++++
- 2 files changed, 53 insertions(+)
- create mode 100644 src/tests/regression/rhbz1940928.at
-
-diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
-index a49bb3b756e7..8156ee608189 100644
---- a/src/tests/regression/regression.at
-+++ b/src/tests/regression/regression.at
-@@ -39,3 +39,4 @@ m4_include([regression/rhbz1871298.at])
- m4_include([regression/rhbz1596304.at])
- m4_include([regression/gh703.at])
- m4_include([regression/ipset_netmask_allowed.at])
-+m4_include([regression/rhbz1940928.at])
-diff --git a/src/tests/regression/rhbz1940928.at b/src/tests/regression/rhbz1940928.at
-new file mode 100644
-index 000000000000..0a4367080b5e
---- /dev/null
-+++ b/src/tests/regression/rhbz1940928.at
-@@ -0,0 +1,52 @@
-+FWD_START_TEST([direct -s/-d multiple addresses])
-+AT_KEYWORDS(direct rhbz1940928 rhbz1949552)
-+CHECK_IPTABLES
-+
-+dnl test triggers a limitation in iptables-restore
-+dnl
-+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=no/' ./firewalld.conf])
-+FWD_RELOAD
-+
-+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
-+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
-+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
-+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
-+
-+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
-+		ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
-+		ACCEPT     tcp  --  0.0.0.0/0            10.0.0.0/8
-+		ACCEPT     tcp  --  0.0.0.0/0            172.16.0.0/16
-+		ACCEPT     tcp  --  0.0.0.0/0            192.168.0.0/24
-+		ACCEPT     udp  --  0.0.0.0/0            10.0.0.0/8
-+		ACCEPT     udp  --  0.0.0.0/0            172.16.0.0/16
-+		ACCEPT     udp  --  0.0.0.0/0            192.168.0.0/24
-+		DROP       all  --  0.0.0.0/0            0.0.0.0/0
-+])
-+
-+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
-+
-+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
-+		ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
-+		ACCEPT     sctp --  0.0.0.0/0            10.0.0.0/8
-+		ACCEPT     sctp --  0.0.0.0/0            172.16.0.0/16
-+		ACCEPT     sctp --  0.0.0.0/0            192.168.0.0/24
-+		ACCEPT     tcp  --  0.0.0.0/0            10.0.0.0/8
-+		ACCEPT     tcp  --  0.0.0.0/0            172.16.0.0/16
-+		ACCEPT     tcp  --  0.0.0.0/0            192.168.0.0/24
-+		ACCEPT     udp  --  0.0.0.0/0            10.0.0.0/8
-+		ACCEPT     udp  --  0.0.0.0/0            172.16.0.0/16
-+		ACCEPT     udp  --  0.0.0.0/0            192.168.0.0/24
-+		DROP       all  --  0.0.0.0/0            0.0.0.0/0
-+])
-+
-+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
-+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
-+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
-+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
-+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
-+
-+
-+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
-+])
-+
-+FWD_END_TEST
--- 
-2.27.0
-

SOURCES/0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch

@@ -0,0 +1,63 @@
+From 028529e33ed45507bcb1f3eb2722de3344eea091 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 5 Feb 2024 13:09:02 +0100
+Subject: [PATCH 24/26] v2.2.0: improvement(policy): extract helper function
+ for writing limit rule element
+
+Soon the Rich_Limit will also get a burst attribute. Then _handler_add_rich_limit()
+will become more complicated. We wouldn't want to duplicated that code.
+
+(cherry picked from commit f662606891569f09553c73023a2f70086d137512)
+---
+ src/firewall/core/io/policy.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
+index 514a20251ef4..66535e0d0368 100644
+--- a/src/firewall/core/io/policy.py
++++ b/src/firewall/core/io/policy.py
+@@ -372,6 +372,11 @@ def common_check_config(obj, config, item, all_config):
+                         ),
+                     )
+ 
++
++def _handler_add_rich_limit(handler, limit):
++    handler.simpleElement("limit", {"value": limit.value})
++
++
+ def common_writer(obj, handler):
+     # short
+     if obj.short and obj.short != "":
+@@ -533,8 +538,7 @@ def common_writer(obj, handler):
+                 handler.ignorableWhitespace("    ")
+                 handler.startElement("log", attrs)
+                 handler.ignorableWhitespace("\n      ")
+-                handler.simpleElement("limit",
+-                                      { "value": rule.log.limit.value })
++                _handler_add_rich_limit(handler, rule.log.limit)
+                 handler.ignorableWhitespace("\n    ")
+                 handler.endElement("log")
+             else:
+@@ -549,8 +553,7 @@ def common_writer(obj, handler):
+                 handler.ignorableWhitespace("    ")
+                 handler.startElement("audit", { })
+                 handler.ignorableWhitespace("\n      ")
+-                handler.simpleElement("limit",
+-                                      { "value": rule.audit.limit.value })
++                _handler_add_rich_limit(handler, rule.audit.limit)
+                 handler.ignorableWhitespace("\n    ")
+                 handler.endElement("audit")
+             else:
+@@ -579,8 +582,7 @@ def common_writer(obj, handler):
+                 handler.ignorableWhitespace("    ")
+                 handler.startElement(action, attrs)
+                 handler.ignorableWhitespace("\n      ")
+-                handler.simpleElement("limit",
+-                                      { "value": rule.action.limit.value })
++                _handler_add_rich_limit(handler, rule.action.limit)
+                 handler.ignorableWhitespace("\n    ")
+                 handler.endElement(action)
+             else:
+-- 
+2.43.0
+

SOURCES/0025-fix-ipset-fix-hash-net-net-functionality.patch

@@ -1,31 +0,0 @@
-From 44442eace5a5a4330fb40d47cd9fb3c561d38c56 Mon Sep 17 00:00:00 2001
-From: Fabrizio D'Angelo <fdangelo@redhat.com>
-Date: Mon, 12 Apr 2021 13:56:00 -0400
-Subject: [PATCH 25/30] fix(ipset): fix hash:net,net functionality
-
-Fixes: rhbz 1936896
-
-Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
-(cherry picked from commit 36f3d50d729d3329ce99653d8227e3f52a02a43f)
-(cherry picked from commit 3ea4779dc4a957f9c0eb795ab0b00e67d653b772)
----
- src/firewall/core/nftables.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index e6907421e111..e3ae988bbdab 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -1742,8 +1742,8 @@ class nftables(object):
-             "hash:ip,mark" : [ipv_addr[ipv], "mark"],
- 
-             "hash:net" : ipv_addr[ipv],
-+            "hash:net,net" : [ipv_addr[ipv], ipv_addr[ipv]],
-             "hash:net,port" : [ipv_addr[ipv], "inet_proto", "inet_service"],
--            "hash:net,port,ip" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]],
-             "hash:net,port,net" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]],
-             "hash:net,iface" : [ipv_addr[ipv], "ifname"],
- 
--- 
-2.27.0
-

SOURCES/0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch

@@ -0,0 +1,189 @@
+From 2844fedea7b0c65d864f9960b513150c4468adb2 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Wed, 13 Dec 2023 19:42:37 +0100
+Subject: [PATCH 25/26] v2.2.0: improvement(rich): add Rich_Limit.value_parse()
+ and normalize value
+
+Instead of duplicating the parsing, add a Rich_Limit.value_parse()
+function that can be used to "understand" the value string.
+
+Note that already previously, Rich_Limit.__init__() would normalize the
+value (e.g. modify "/minute" to "/m"). Go one step further with this.
+Now parse and stringify the value, so that it is normalized. Invalid
+values are left unnormalized, and Rich_Limit.__init__() still does not
+fail the operation (like before). For that we have check().
+
+This normalization matters. For example, the parser is (rightfully)
+graceful and will accept 'limit value="1 /m"'. If we add two rules
+that are identical, except for the white space, we want that the
+normalize string is identical. That's useful, because the normalized
+string of a rule is used as identity for the rule.
+
+(cherry picked from commit 8d2f9502db98b349cabf76bb9c0a303fe6e3512a)
+---
+ src/firewall-config.in        |  6 +--
+ src/firewall/core/nftables.py |  9 ++---
+ src/firewall/core/rich.py     | 76 ++++++++++++++++++++++-------------
+ 3 files changed, 53 insertions(+), 38 deletions(-)
+
+diff --git a/src/firewall-config.in b/src/firewall-config.in
+index f91e945ca7de..e4fbb029ac6d 100755
+--- a/src/firewall-config.in
++++ b/src/firewall-config.in
+@@ -3245,7 +3245,7 @@ class FirewallConfig(object):
+ 
+                 if old_obj.action.limit:
+                     self.richRuleDialogActionLimitCheck.set_active(True)
+-                    (rate, duration) = old_obj.action.limit.value.split("/")
++                    (rate, duration) = old_obj.action.limit.value_parse()
+                     self.richRuleDialogActionLimitRateEntry.set_text(rate)
+                     combobox_select_text( \
+                         self.richRuleDialogActionLimitDurationCombobox,
+@@ -3288,7 +3288,7 @@ class FirewallConfig(object):
+                                      loglevel[log_level])
+                 if old_obj.log.limit:
+                     self.richRuleDialogLogLimitCheck.set_active(True)
+-                    (rate, duration) = old_obj.log.limit.value.split("/")
++                    (rate, duration) = old_obj.log.limit.value_parse()
+                     self.richRuleDialogLogLimitRateEntry.set_text(rate)
+                     combobox_select_text( \
+                         self.richRuleDialogLogLimitDurationCombobox,
+@@ -3299,7 +3299,7 @@ class FirewallConfig(object):
+                 self.richRuleDialogAuditCheck.set_active(True)
+                 if old_obj.audit.limit:
+                     self.richRuleDialogAuditLimitCheck.set_active(True)
+-                    (rate, duration) = old_obj.audit.limit.value.split("/")
++                    (rate, duration) = old_obj.audit.limit.value_parse()
+                     self.richRuleDialogAuditLimitRateEntry.set_text(rate)
+                     combobox_select_text( \
+                         self.richRuleDialogAuditLimitDurationCombobox,
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 67fb6457e86c..f24095ce729c 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1071,13 +1071,10 @@ class nftables(object):
+             "d" : "day",
+         }
+ 
+-        try:
+-            i = limit.value.index("/")
+-        except ValueError:
+-            raise FirewallError(INVALID_RULE, "Expected '/' in limit")
++        rate, duration = limit.value_parse()
+ 
+-        return {"limit": {"rate": int(limit.value[0:i]),
+-                          "per": rich_to_nft[limit.value[i+1]]}}
++        return {"limit": {"rate": rate,
++                          "per": rich_to_nft[duration]}}
+ 
+     def _rich_rule_chain_suffix(self, rich_rule):
+         if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]:
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index b150a0dca402..a77f2b4aa495 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -230,54 +230,72 @@ class Rich_Mark(object):
+                 # value is uint32
+                 raise FirewallError(errors.INVALID_MARK, x)
+ 
++DURATION_TO_MULT = {
++    "s": 1,
++    "m": 60,
++    "h": 60 * 60,
++    "d": 24 * 60 * 60,
++}
++
+ class Rich_Limit(object):
+     def __init__(self, value):
+         self.value = value
+-        if "/" in self.value:
+-            splits = self.value.split("/")
+-            if len(splits) == 2 and \
+-               splits[1] in [ "second", "minute", "hour", "day" ]:
+-                self.value = "%s/%s" % (splits[0], splits[1][:1])
+ 
+     def check(self):
++        self.value_parse()
++
++    @property
++    def value(self):
++        return self._value
++
++    @value.setter
++    def value(self, value):
++        if value is None:
++            self._value = None
++            return
++        try:
++            rate, duration = self._value_parse(value)
++        except FirewallError:
++            # The value is invalid. We cannot normalize it.
++            v = value
++        else:
++            v = f"{rate}/{duration}"
++        if getattr(self, "_value", None) != v:
++            self._value = v
++
++    @staticmethod
++    def _value_parse(value):
+         splits = None
+-        if "/" in self.value:
+-            splits = self.value.split("/")
++        if "/" in value:
++            splits = value.split("/")
+         if not splits or len(splits) != 2:
+-            raise FirewallError(errors.INVALID_LIMIT, self.value)
++            raise FirewallError(errors.INVALID_LIMIT, value)
+         (rate, duration) = splits
+         try:
+             rate = int(rate)
+         except:
+-            raise FirewallError(errors.INVALID_LIMIT, self.value)
++            raise FirewallError(errors.INVALID_LIMIT, value)
+ 
+-        if rate < 1 or duration not in [ "s", "m", "h", "d" ]:
+-            raise FirewallError(errors.INVALID_LIMIT, self.value)
++        if duration in ["second", "minute", "hour", "day"]:
++            duration = duration[:1]
+ 
+-        mult = 1
+-        if duration == "s":
+-            mult = 1
+-        elif duration == "m":
+-            mult = 60
+-        elif duration == "h":
+-            mult = 60*60
+-        elif duration == "d":
+-            mult = 24*60*60
++        if rate < 1 or duration not in ["s", "m", "h", "d"]:
++            raise FirewallError(errors.INVALID_LIMIT, value)
+ 
+-        if 10000 * mult // rate == 0:
+-            raise FirewallError(errors.INVALID_LIMIT,
+-                                "%s too fast" % self.value)
++        if 10000 * DURATION_TO_MULT[duration] // rate == 0:
++            raise FirewallError(errors.INVALID_LIMIT, "%s too fast" % (value,))
+ 
+         if rate == 1 and duration == "d":
+             # iptables (v1.4.21) doesn't accept 1/d
+-            raise FirewallError(errors.INVALID_LIMIT,
+-                                "%s too slow" % self.value)
++            raise FirewallError(errors.INVALID_LIMIT, "%s too slow" % (value,))
+ 
+-    def __str__(self):
+-        return 'limit value="%s"' % (self.value)
++        return rate, duration
+ 
+-    def command(self):
+-        return ''
++    def value_parse(self):
++        return self._value_parse(self._value)
++
++    def __str__(self):
++        return f'limit value="{self._value}"'
+ 
+ class Rich_Rule(object):
+     priority_min = -32768
+-- 
+2.43.0
+

SOURCES/0026-test-ipset-add-test-to-verify-hash-net-net.patch

@@ -1,64 +0,0 @@
-From 6d19a0bdb26f0eeb08dfdd9957c184e90db8766e Mon Sep 17 00:00:00 2001
-From: Fabrizio D'Angelo <fdangelo@redhat.com>
-Date: Mon, 12 Apr 2021 14:05:36 -0400
-Subject: [PATCH 26/30] test(ipset): add test to verify hash:net,net
-
-Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
-(cherry picked from commit f3bd1297f656217031957eee7cfb4b3ee5ef42f2)
-(cherry picked from commit 690ad9abf26f8ec3486704553d891d7d2ce11a80)
----
- src/tests/regression/regression.at  |  1 +
- src/tests/regression/rhbz1936896.at | 32 +++++++++++++++++++++++++++++
- 2 files changed, 33 insertions(+)
- create mode 100644 src/tests/regression/rhbz1936896.at
-
-diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
-index 8156ee608189..2a5ad9ef995a 100644
---- a/src/tests/regression/regression.at
-+++ b/src/tests/regression/regression.at
-@@ -40,3 +40,4 @@ m4_include([regression/rhbz1596304.at])
- m4_include([regression/gh703.at])
- m4_include([regression/ipset_netmask_allowed.at])
- m4_include([regression/rhbz1940928.at])
-+m4_include([regression/rhbz1936896.at])
-diff --git a/src/tests/regression/rhbz1936896.at b/src/tests/regression/rhbz1936896.at
-new file mode 100644
-index 000000000000..911db0bc448d
---- /dev/null
-+++ b/src/tests/regression/rhbz1936896.at
-@@ -0,0 +1,32 @@
-+FWD_START_TEST([ipset type hash:net,net])
-+AT_KEYWORDS(rhbz1936896)
-+CHECK_IPSET
-+
-+FWD_CHECK([-q --permanent --new-ipset testset --type hash:net,net])
-+FWD_CHECK([--permanent --ipset=testset --add-entry=192.168.0.0/24,10.0.1.0/24], 0, ignore)
-+FWD_RELOAD
-+FWD_CHECK([--permanent --info-ipset=testset | TRIM_WHITESPACE], 0, [m4_strip([dnl
-+    testset
-+    type: hash:net,net
-+    options:
-+    entries: 192.168.0.0/24,10.0.1.0/24
-+])])
-+
-+IPSET_LIST_SET([testset], 0, [dnl
-+    Name: testset
-+    Type: hash:net,net
-+    Members:
-+    192.168.0.0/24,10.0.1.0/24
-+])
-+
-+NFT_LIST_SET([testset], 0, [dnl
-+    table inet firewalld {
-+        set testset {
-+            type ipv4_addr . ipv4_addr
-+            flags interval
-+            elements = { 192.168.0.0/24 . 10.0.1.0/24 }
-+        }
-+    }
-+])
-+
-+FWD_END_TEST
--- 
-2.27.0
-

SOURCES/0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch

@@ -0,0 +1,238 @@
+From 45ebffc5521db62064f365f4a9100b4ab40dce90 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Wed, 13 Dec 2023 20:35:51 +0100
+Subject: [PATCH 26/26] v2.2.0: improvement(rich): support "burst" attribute to
+ limit in rich rules
+
+For iptables, this is `-m limit --limit rate/suffix --limit-burst burst`.
+
+For nftables, this is `limit rate [over] packet_number / TIME_UNIT [burst packet_number packets]`
+
+Not implemented in `src/firewall-config.in`.
+
+https://issues.redhat.com/browse/RHEL-9316
+(cherry picked from commit 58dfdcafabaaad639bfcf389ebbd6b2c242965a4)
+---
+ src/firewall/core/io/policy.py |  9 +++--
+ src/firewall/core/io/zone.py   |  1 +
+ src/firewall/core/ipXtables.py |  9 +++--
+ src/firewall/core/nftables.py  | 12 +++++--
+ src/firewall/core/rich.py      | 63 ++++++++++++++++++++++++++++++----
+ src/tests/cli/firewall-cmd.at  |  4 +--
+ 6 files changed, 82 insertions(+), 16 deletions(-)
+
+diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
+index 66535e0d0368..c732324c441b 100644
+--- a/src/firewall/core/io/policy.py
++++ b/src/firewall/core/io/policy.py
+@@ -278,7 +278,7 @@ def common_startElement(obj, name, attrs):
+             obj._rule_error = True
+             return True
+         value = attrs["value"]
+-        obj._limit_ok.limit = rich.Rich_Limit(value)
++        obj._limit_ok.limit = rich.Rich_Limit(value, attrs.get("burst"))
+     else:
+         return False
+ 
+@@ -374,7 +374,11 @@ def common_check_config(obj, config, item, all_config):
+ 
+ 
+ def _handler_add_rich_limit(handler, limit):
+-    handler.simpleElement("limit", {"value": limit.value})
++    d = {"value": limit.value}
++    burst = limit.burst
++    if burst is not None:
++        d["burst"] = burst
++    handler.simpleElement("limit", d)
+ 
+ 
+ def common_writer(obj, handler):
+@@ -652,6 +656,7 @@ class Policy(IO_Object):
+         "destination": [ "address", "invert", "ipset" ],
+         "log": [ "prefix", "level" ],
+         "reject": [ "type" ],
++        "limit": ["burst"],
+         }
+ 
+     def __init__(self):
+diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
+index 0c419ee0f2bd..753036e4fb55 100644
+--- a/src/firewall/core/io/zone.py
++++ b/src/firewall/core/io/zone.py
+@@ -94,6 +94,7 @@ class Zone(IO_Object):
+         "destination": [ "address", "invert", "ipset" ],
+         "log": [ "prefix", "level" ],
+         "reject": [ "type" ],
++        "limit": ["burst"],
+         }
+ 
+     @staticmethod
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 401377104ce1..0f9a1518380e 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -967,9 +967,12 @@ class ip4tables(object):
+         return rules
+ 
+     def _rule_limit(self, limit):
+-        if limit:
+-            return [ "-m", "limit", "--limit", limit.value ]
+-        return []
++        if not limit:
++            return []
++        s = ["-m", "limit", "--limit", limit.value]
++        if limit.burst is not None:
++            s += ["--limit-burst", limit.burst]
++        return s
+ 
+     def _rich_rule_chain_suffix(self, rich_rule):
+         if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]:
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index f24095ce729c..834176c09cbc 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1073,8 +1073,16 @@ class nftables(object):
+ 
+         rate, duration = limit.value_parse()
+ 
+-        return {"limit": {"rate": rate,
+-                          "per": rich_to_nft[duration]}}
++        d = {
++            "rate": rate,
++            "per": rich_to_nft[duration],
++        }
++
++        burst = limit.burst_parse()
++        if burst is not None:
++            d["burst"] = burst
++
++        return {"limit": d}
+ 
+     def _rich_rule_chain_suffix(self, rich_rule):
+         if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]:
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index a77f2b4aa495..c561709af0e2 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -238,11 +238,13 @@ DURATION_TO_MULT = {
+ }
+ 
+ class Rich_Limit(object):
+-    def __init__(self, value):
++    def __init__(self, value, burst=None):
+         self.value = value
++        self.burst = burst
+ 
+     def check(self):
+         self.value_parse()
++        self.burst_parse()
+ 
+     @property
+     def value(self):
+@@ -263,6 +265,24 @@ class Rich_Limit(object):
+         if getattr(self, "_value", None) != v:
+             self._value = v
+ 
++    @property
++    def burst(self):
++        return self._burst
++
++    @burst.setter
++    def burst(self, burst):
++        if burst is None:
++            self._burst = None
++            return
++        try:
++            b = self._burst_parse(burst)
++        except FirewallError:
++            b = burst
++        else:
++            b = str(burst)
++        if getattr(self, "_burst", None) != b:
++            self._burst = b
++
+     @staticmethod
+     def _value_parse(value):
+         splits = None
+@@ -294,8 +314,28 @@ class Rich_Limit(object):
+     def value_parse(self):
+         return self._value_parse(self._value)
+ 
++    @staticmethod
++    def _burst_parse(burst):
++        if burst is None:
++            return None
++        try:
++            b = int(burst)
++        except:
++            raise FirewallError(errors.INVALID_LIMIT, burst)
++
++        if b < 1 or b > 10_000_000:
++            raise FirewallError(errors.INVALID_LIMIT, burst)
++
++        return b
++
++    def burst_parse(self):
++        return self._burst_parse(self._burst)
++
+     def __str__(self):
+-        return f'limit value="{self._value}"'
++        s = f'limit value="{self._value}"'
++        if self._burst is not None:
++            s += f" burst={self._burst}"
++        return s
+ 
+ class Rich_Rule(object):
+     priority_min = -32768
+@@ -368,7 +408,7 @@ class Rich_Rule(object):
+                                      'invert', 'value',
+                                      'port', 'protocol', 'to-port', 'to-addr',
+                                      'name', 'prefix', 'level', 'type',
+-                                     'set']:
++                                     'set', 'burst']:
+                     raise FirewallError(errors.INVALID_RULE, "bad attribute '%s'" % attr_name)
+             else:             # element
+                 if element in ['rule', 'source', 'destination', 'protocol',
+@@ -554,11 +594,20 @@ class Rich_Rule(object):
+                     attrs.clear()
+                     index = index -1 # return token to input
+             elif in_element == 'limit':
+-                if attr_name == 'value':
+-                    attrs['limit'] = Rich_Limit(attr_value)
+-                    in_elements.pop() # limit
++                if attr_name in ["value", "burst"]:
++                    attrs[f"limit.{attr_name}"] = attr_value
+                 else:
+-                    raise FirewallError(errors.INVALID_RULE, "invalid 'limit' element")
++                    if "limit.value" not in attrs:
++                        raise FirewallError(
++                            errors.INVALID_RULE, "invalid 'limit' element"
++                        )
++                    attrs["limit"] = Rich_Limit(
++                        attrs["limit.value"], attrs.get("limit.burst")
++                    )
++                    attrs.pop("limit.value", None)
++                    attrs.pop("limit.burst", None)
++                    in_elements.pop()  # limit
++                    index = index - 1  # return token to input
+ 
+             index = index + 1
+ 
+diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
+index c4ab3108d37c..6c69f0ccebd4 100644
+--- a/src/tests/cli/firewall-cmd.at
++++ b/src/tests/cli/firewall-cmd.at
+@@ -1356,8 +1356,8 @@ FWD_START_TEST([rich rules good])
+     rich_rule_test([rule protocol value="ah" reject])
+     rich_rule_test([rule protocol value="esp" accept])
+     rich_rule_test([rule protocol value="sctp" log])
+-    rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" accept])
+-    rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" drop])
++    rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" burst=5 accept])
++    rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" burst=5 drop])
+     IF_HOST_SUPPORTS_IPV6_RULES([
+     rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns -- " level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m"])
+     rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011: " level="info" limit value="4/m" drop])
+-- 
+2.43.0
+

SOURCES/0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch

@@ -1,45 +0,0 @@
-From 1cbe39d4260c633da4b7110d6e2e7722b8454af4 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Tue, 27 Apr 2021 08:56:13 -0400
-Subject: [PATCH 27/30] fix(nm): reload: only consider NM connections with a
- real interface
-
-Where real interface means linux interface capable of having an IP
-address and does not exceed IFNAMSIZ.
-
-Fixes: rhbz 1928860
-(cherry picked from commit f18f1cc96503fbc5d42f30ecdc6f0da4c56aac4d)
-(cherry picked from commit 7e9c4a5072ee3fd1aaf4162ef6ef1bf84b8a82eb)
----
- src/firewall/core/fw_nm.py | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
-index 37282a1a7711..0e38dd47e927 100644
---- a/src/firewall/core/fw_nm.py
-+++ b/src/firewall/core/fw_nm.py
-@@ -141,7 +141,9 @@ def nm_get_connections(connections, connections_name):
- 
-         connections_name[uuid] = name
-         for dev in devices:
--            connections[dev.get_iface()] = uuid
-+            ip_iface = dev.get_ip_iface()
-+            if ip_iface:
-+                connections[ip_iface] = uuid
- 
- def nm_get_interfaces():
-     """Get active interfaces from NM
-@@ -169,7 +171,9 @@ def nm_get_interfaces():
-                 continue
- 
-         for dev in active_con.get_devices():
--            active_interfaces.append(dev.get_iface())
-+            ip_iface = dev.get_ip_iface()
-+            if ip_iface:
-+                active_interfaces.append(ip_iface)
- 
-     return active_interfaces
- 
--- 
-2.27.0
-

SOURCES/0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch

@@ -0,0 +1,38 @@
+From 3a56ea30acb41358742a94f088f12bd4f1ba1f80 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 31 Jan 2023 09:24:56 -0500
+Subject: [PATCH 27/30] v2.0.0: test(atlocal): pass EBTABLES to testsuite
+
+(cherry picked from commit a5adb26a5eebdaa6e978c580d4fb73f7aa06802f)
+---
+ src/tests/atlocal.in   | 1 +
+ src/tests/functions.at | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/atlocal.in b/src/tests/atlocal.in
+index 8c5493ac38df..595a96f0f5c9 100644
+--- a/src/tests/atlocal.in
++++ b/src/tests/atlocal.in
+@@ -1,5 +1,6 @@
+ export PYTHON="@PYTHON@"
+ 
++export EBTABLES="@EBTABLES@"
+ export IPTABLES="@IPTABLES@"
+ export IPTABLES_RESTORE="@IPTABLES_RESTORE@"
+ export IP6TABLES="@IP6TABLES@"
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index a2989c6345da..35e3271ce68d 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -368,7 +368,7 @@ m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl
+ m4_define([EBTABLES_LIST_RULES], [
+     dnl ebtables commit 5f508b76a0ce change list output for inversion.
+     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
+-        NS_CHECK([PIPESTATUS0([ebtables --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
++        NS_CHECK([PIPESTATUS0([$EBTABLES --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
+                  [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
+     ])
+ ])
+-- 
+2.43.0
+

SOURCES/0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch

@@ -1,81 +0,0 @@
-From 1a2c50e5cf165a5392764ff435b7183a6d6610a7 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Tue, 27 Apr 2021 09:06:22 -0400
-Subject: [PATCH 28/30] test(nm): reload: only consider NM connections with a
- real interface
-
-Coverage: rhbz 1928860
-(cherry picked from commit 7566d3dc5664955064b14314b3d3ef20bcebd6e4)
-(cherry picked from commit e936e005898e18caa628b5b61d7589c2bbc461cb)
----
- src/tests/Makefile.am                   |  4 ++--
- src/tests/integration/networkmanager.at |  1 +
- src/tests/integration/rhbz1928860.at    | 26 +++++++++++++++++++++++++
- 3 files changed, 29 insertions(+), 2 deletions(-)
- create mode 100644 src/tests/integration/rhbz1928860.at
-
-diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
-index b7556b30ecc8..e936454faf6a 100644
---- a/src/tests/Makefile.am
-+++ b/src/tests/Makefile.am
-@@ -71,7 +71,7 @@ check-container-fedora-rawhide-image: check-container-%-image:
- 	                 iptables iptables-nft libtool libxml2 libxslt make nftables \
- 	                 python3-nftables python3-slip-dbus python3-gobject-base \
- 	                 diffutils procps-ng iproute which dbus-daemon \
--	                 NetworkManager" && \
-+	                 NetworkManager NetworkManager-ovs" && \
- 	echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \
- 	echo "COPY . /tmp/firewalld"; \
- 	} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
-@@ -86,7 +86,7 @@ check-container-centos8-stream-image: check-container-%-image:
- 	                 iptables iptables-ebtables nftables libtool libxml2 \
- 	                 libxslt make nftables python3-nftables python3-slip-dbus \
- 	                 python3-gobject-base diffutils procps-ng iproute which dbus-daemon \
--	                 NetworkManager" && \
-+	                 NetworkManager NetworkManager-ovs" && \
- 	echo "COPY . /tmp/firewalld"; \
- 	} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
- 
-diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at
-index 08cf6d28451a..0b20adce0462 100644
---- a/src/tests/integration/networkmanager.at
-+++ b/src/tests/integration/networkmanager.at
-@@ -1,2 +1,3 @@
- AT_BANNER([NetworkManager (FIREWALL_BACKEND)])
- m4_include([integration/rhbz1773809.at])
-+m4_include([integration/rhbz1928860.at])
-diff --git a/src/tests/integration/rhbz1928860.at b/src/tests/integration/rhbz1928860.at
-new file mode 100644
-index 000000000000..8ef2a1dcbd01
---- /dev/null
-+++ b/src/tests/integration/rhbz1928860.at
-@@ -0,0 +1,26 @@
-+FWD_START_TEST([reload don't consider non IP capable interfaces])
-+AT_KEYWORDS(reload rhbz1928860)
-+
-+START_NETWORKMANAGER
-+
-+dnl OVS bridge and port
-+NMCLI_CHECK([connection add type ovs-bridge conn.interface ovs-br con-name ovs-br], 0, [ignore])
-+NMCLI_CHECK([connection add type ovs-port conn.interface ovs-interface-port master ovs-br con-name ovs-interface-port], 0, [ignore])
-+echo NS_CMD([nmcli connection delete ovs-br]) >> ./cleanup
-+echo NS_CMD([nmcli connection delete ovs-interface-port]) >> ./cleanup
-+
-+dnl Up them
-+NMCLI_CHECK([connection up ovs-br], 0, [ignore])
-+NMCLI_CHECK([connection up ovs-interface-port], 0, [ignore])
-+
-+dnl Omit the actual linux interface because it requires the OVS daemon to be
-+dnl running. The bug is reproducible without it.
-+dnl 
-+dnl NMCLI_CHECK([connection add type ovs-interface slave-type ovs-port conn.interface ovs-br master ovs-interface-port con-name ovs-interface ipv4.method disabled ipv6.method disabled], 0, [ignore])
-+dnl echo NS_CMD([nmcli connection delete ovs-interface]) >> ./cleanup
-+dnl NMCLI_CHECK([connection up ovs-interface], 0, [ignore])
-+
-+dnl just need to verify reload
-+FWD_RELOAD
-+
-+FWD_END_TEST
--- 
-2.27.0
-

SOURCES/0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch

@@ -0,0 +1,34 @@
+From f61b27ffc91da3d5e634a2d90edd164ac4102086 Mon Sep 17 00:00:00 2001
+From: Eric Garver <egarver@redhat.com>
+Date: Wed, 26 Jun 2024 11:13:00 -0400
+Subject: [PATCH 28/30] v2.0.0: chore(direct): add has_runtime_configuration()
+
+This is originally from cdd015475e83 ("fix(ipset): defer native ipset
+creation if nftables").
+---
+ src/firewall/core/fw_direct.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
+index 76aeda9f19cb..a35ebce1f276 100644
+--- a/src/firewall/core/fw_direct.py
++++ b/src/firewall/core/fw_direct.py
+@@ -64,9 +64,14 @@ class FirewallDirect(object):
+     def set_permanent_config(self, obj):
+         self._obj = obj
+ 
+-    def has_configuration(self):
++    def has_runtime_configuration(self):
+         if len(self._chains) + len(self._rules) + len(self._passthroughs) > 0:
+             return True
++        return False
++
++    def has_configuration(self):
++        if self.has_runtime_configuration():
++            return True
+         if len(self._obj.get_all_chains()) + \
+            len(self._obj.get_all_rules()) + \
+            len(self._obj.get_all_passthroughs()) > 0:
+-- 
+2.43.0
+

SOURCES/0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch

@@ -1,36 +0,0 @@
-From 6e97c635d2bfe9ef73f72aa165443cfcefc6c82c Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Mon, 17 May 2021 15:43:13 -0400
-Subject: [PATCH 29/30] docs(conf): note that IPv6_rpfilter has a performance
- penalty
-
-Fixes: rhbz 1871860
-(cherry picked from commit aad59154e16f669bf85e9894e7e0e19061d370d4)
-(cherry picked from commit 5391c26d3e730f283d1f00f7ac1869aeb2251837)
----
- doc/xml/firewalld.conf.xml | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
-index c21ef87813bc..0bf4c2d4d011 100644
---- a/doc/xml/firewalld.conf.xml
-+++ b/doc/xml/firewalld.conf.xml
-@@ -114,6 +114,15 @@
- 	    If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.
-             For IPv4 the rp_filter is controlled using sysctl.
- 	  </para>
-+      <para>
-+        <emphasis role="bold">Note</emphasis>: This feature has a performance
-+        impact. In most cases the impact is not enough to cause a noticeable
-+        difference. It requires route lookups and its execution occurs before
-+        the established connections fast path. As such it can have a
-+        significant performance impact if there is a lot of traffic. It's
-+        enabled by default for security, but can be disabled if performance is
-+        a concern.
-+      </para>
- 	</listitem>
-       </varlistentry>
- 
--- 
-2.27.0
-

SOURCES/0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch

@@ -0,0 +1,117 @@
+From 17c70eba7ddfd8a8687b16102cf5ee988e33993f Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 30 Jan 2023 16:42:50 -0500
+Subject: [PATCH 29/30] v2.0.0: feat(direct): avoid iptables flush if using
+ nftables backend
+
+If FirewallBackend=nftables and there are no direct rules; then we can
+avoid flushing iptables at startup and shutdown. This means other
+applications can control iptables while firewalld only touches nftables.
+
+Fixes: #863
+(cherry picked from commit b7faa74db15e2d1ebd9fdfcdc7579874d3a2fa87)
+---
+ src/firewall/core/fw.py        | 31 +++++++++++++++++++++++++++----
+ src/firewall/core/fw_direct.py |  9 +++++++++
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 5cef18b5f889..a2ad39bd9f5f 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -425,7 +425,8 @@ class Firewall(object):
+         transaction = FirewallTransaction(self)
+ 
+         # flush rules
+-        self.flush(use_transaction=transaction)
++        if not reload:
++            self.flush(use_transaction=transaction)
+ 
+         # If modules need to be unloaded in complete reload or if there are
+         # ipsets to get applied, limit the transaction to flush.
+@@ -836,7 +837,26 @@ class Firewall(object):
+         if use_transaction is None:
+             transaction.execute(True)
+ 
+-    # flush and policy
++    def may_skip_flush_direct_backends(self):
++        if self.nftables_enabled and not self.direct.has_runtime_configuration():
++            return True
++
++        return False
++
++    def flush_direct_backends(self, use_transaction=None):
++        if use_transaction is None:
++            transaction = FirewallTransaction(self)
++        else:
++            transaction = use_transaction
++
++        for backend in self.all_backends():
++            if backend in self.enabled_backends():
++                continue
++            rules = backend.build_flush_rules()
++            transaction.add_rules(backend, rules)
++
++        if use_transaction is None:
++            transaction.execute(True)
+ 
+     def flush(self, use_transaction=None):
+         if use_transaction is None:
+@@ -846,7 +866,10 @@ class Firewall(object):
+ 
+         log.debug1("Flushing rule set")
+ 
+-        for backend in self.all_backends():
++        if not self.may_skip_flush_direct_backends():
++            self.flush_direct_backends(use_transaction=transaction)
++
++        for backend in self.enabled_backends():
+             rules = backend.build_flush_rules()
+             transaction.add_rules(backend, rules)
+ 
+@@ -1002,7 +1025,7 @@ class Firewall(object):
+         if not _panic:
+             self.set_policy("DROP")
+ 
+-        # stop
++        self.flush()
+         self.cleanup()
+ 
+         start_exception = None
+diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
+index a35ebce1f276..5d4cc6a6918e 100644
+--- a/src/firewall/core/fw_direct.py
++++ b/src/firewall/core/fw_direct.py
+@@ -219,6 +219,9 @@ class FirewallDirect(object):
+         else:
+             transaction = use_transaction
+ 
++        if self._fw.may_skip_flush_direct_backends():
++            transaction.add_pre(self._fw.flush_direct_backends)
++
+         #TODO: policy="ACCEPT"
+         self._chain(True, ipv, table, chain, transaction)
+ 
+@@ -265,6 +268,9 @@ class FirewallDirect(object):
+         else:
+             transaction = use_transaction
+ 
++        if self._fw.may_skip_flush_direct_backends():
++            transaction.add_pre(self._fw.flush_direct_backends)
++
+         self._rule(True, ipv, table, chain, priority, args, transaction)
+ 
+         if use_transaction is None:
+@@ -347,6 +353,9 @@ class FirewallDirect(object):
+         else:
+             transaction = use_transaction
+ 
++        if self._fw.may_skip_flush_direct_backends():
++            transaction.add_pre(self._fw.flush_direct_backends)
++
+         self._passthrough(True, ipv, list(args), transaction)
+ 
+         if use_transaction is None:
+-- 
+2.43.0
+

SOURCES/0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch

@@ -1,28 +0,0 @@
-From 60e4181ca9ac8dbd1acb6baf85b42b0666aa56b7 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Wed, 19 May 2021 12:52:52 -0400
-Subject: [PATCH 30/30] improvement(conf): note that IPv6_rpfilter has a
- performance penalty
-
-(cherry picked from commit cf8e0df944322f1ad283946c64bf7f933c25340d)
-(cherry picked from commit 1a8bb7e5dcee3bcd691219104427daf39ead1f82)
----
- config/firewalld.conf | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/config/firewalld.conf b/config/firewalld.conf
-index f791b2358ab8..a0556c0bbf5b 100644
---- a/config/firewalld.conf
-+++ b/config/firewalld.conf
-@@ -23,6 +23,8 @@ Lockdown=no
- # packet would be sent via the same interface that the packet arrived on, the 
- # packet will match and be accepted, otherwise dropped.
- # The rp_filter for IPv4 is controlled using sysctl.
-+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
-+# for details.
- # Default: yes
- IPv6_rpfilter=yes
- 
--- 
-2.27.0
-

SOURCES/0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch

@@ -0,0 +1,175 @@
+From 2e34d7361f8a7528f5e5d86f794bc87c94f8214e Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 30 Jan 2023 14:43:18 -0500
+Subject: [PATCH 30/30] v2.0.0: test(direct): avoid iptables flush if using
+ nftables backend
+
+Coverage: #863
+(cherry picked from commit dcd0dd3674ea8ef757a1b41f6b53717a45e821aa)
+---
+ src/tests/features/features.at                |   1 +
+ .../features/iptables_no_flush_on_shutdown.at | 143 ++++++++++++++++++
+ 2 files changed, 144 insertions(+)
+ create mode 100644 src/tests/features/iptables_no_flush_on_shutdown.at
+
+diff --git a/src/tests/features/features.at b/src/tests/features/features.at
+index 381bf6dba0e4..cfe8e88b46a9 100644
+--- a/src/tests/features/features.at
++++ b/src/tests/features/features.at
+@@ -14,3 +14,4 @@ m4_include([features/icmp_blocks.at])
+ m4_include([features/rpfilter.at])
+ m4_include([features/zone_combine.at])
+ m4_include([features/rich_destination_ipset.at])
++m4_include([features/iptables_no_flush_on_shutdown.at])
+diff --git a/src/tests/features/iptables_no_flush_on_shutdown.at b/src/tests/features/iptables_no_flush_on_shutdown.at
+new file mode 100644
+index 000000000000..a3bb1395791d
+--- /dev/null
++++ b/src/tests/features/iptables_no_flush_on_shutdown.at
+@@ -0,0 +1,143 @@
++m4_if(nftables, FIREWALL_BACKEND, [
++
++dnl If FirewallBackend=nftables, and there are no --direct rules, then we can
++dnl avoid flushing iptables on shutdown. We can also avoid a flush on startup
++dnl if there are no permanent direct rules. But we will have to flush on the
++dnl first direct rule added.
++FWD_START_TEST([avoid iptables flush if using nftables])
++AT_KEYWORDS(direct gh863)
++
++dnl no flush on reload if no direct rules
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++FWD_RELOAD()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++
++dnl no flush on restart (or stop) if no direct rules
++FWD_RESTART()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++
++dnl the first runtime direct rule should trigger an iptables flush
++FWD_CHECK([--direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++FWD_RELOAD()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
++])
++
++dnl permanent direct rules should trigger a flush at start
++FWD_CHECK([--permanent --direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++FWD_RELOAD()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
++])
++
++FWD_CHECK([--permanent --direct --remove-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
++FWD_RELOAD()
++
++dnl adding a chain should trigger a flush
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++FWD_CHECK([--direct --add-chain ipv4 filter firewalld_foobar], 0, [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++FWD_RELOAD()
++
++dnl adding a chain should trigger a flush
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++FWD_CHECK([--direct --add-passthrough ipv4 -t filter -I INPUT -j ACCEPT], 0, [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++
++FWD_END_TEST()
++
++])
+-- 
+2.43.0
+

SOURCES/0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch

@@ -1,28 +0,0 @@
-From 8d8ec4530dea1a74254c6cc14ece4fa14f7f94fe Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Thu, 3 Jun 2021 12:00:06 -0400
-Subject: [PATCH 31/36] test(functions): FWD_GREP_LOG: allow checking error
- code
-
-(cherry picked from commit 748bcaee9a1d1151cf0e4bc9229f7b46774332ae)
-(cherry picked from commit 69c6a91ca507bdf0e18784ce06d3d872a1c2e5ab)
----
- src/tests/functions.at | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 54afcf14585a..4b298644d7e4 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -328,7 +328,7 @@ m4_define([FWD_CHECK], [
- ])
- 
- m4_define([FWD_GREP_LOG], [
--    AT_CHECK([grep "$1" ./firewalld.log], 0, [ignore], [ignore])
-+    AT_CHECK([grep "$1" ./firewalld.log], $2, [ignore], [ignore])
- ])
- 
- m4_define([TRIM], [[sed -e 's/^[ \t]*//' -e 's/[ \t]*$//']])
--- 
-2.27.0
-

SOURCES/0031-v2.2.0-fix-service-update-highest-port-number-for-ce.patch

@@ -0,0 +1,29 @@
+From 4c95c843cd21f618677fe4d047b187facb00d027 Mon Sep 17 00:00:00 2001
+From: Pierre Riteau <pierre@stackhpc.com>
+Date: Mon, 22 Apr 2024 11:50:25 +0200
+Subject: [PATCH] v2.2.0: fix(service): update highest port number for ceph
+
+The highest port number used by Ceph was updated in
+https://github.com/ceph/ceph/pull/42210.
+
+Fixes https://github.com/firewalld/firewalld/issues/1329
+
+(cherry picked from commit f514a3ea4b59a0be11467d1b68a992329b6dc8dd)
+---
+ config/services/ceph.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/services/ceph.xml b/config/services/ceph.xml
+index efed53691afd..eb6a3f2d1e3d 100644
+--- a/config/services/ceph.xml
++++ b/config/services/ceph.xml
+@@ -2,5 +2,5 @@
+ <service>
+   <short>ceph</short>
+   <description>Ceph is a distributed object store and file system. Enable this option to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).</description>
+-  <port protocol="tcp" port="6800-7300"/>
++  <port protocol="tcp" port="6800-7568"/>
+ </service>
+-- 
+2.43.0
+

SOURCES/0032-test-functions-improve-checking-firewalld.log-for-er.patch

@@ -1,41 +0,0 @@
-From fd61eebac7618b1f9051497904d4392ac9b6f53b Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Thu, 3 Jun 2021 12:12:03 -0400
-Subject: [PATCH 32/36] test(functions): improve checking firewalld.log for
- errors
-
-Don't delete the errors/warnings from the log. Use sed/grep in a pipe
-instead.
-
-(cherry picked from commit 23dc028083dbdbd291f022ab60bad0462e23d48e)
-(cherry picked from commit 1bafb54763926f49f930038fb6ecd9ab3e05c796)
----
- src/tests/functions.at | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 4b298644d7e4..03795bc3c132 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -255,14 +255,11 @@ m4_define([FWD_START_TEST], [
- 
- m4_define([FWD_END_TEST], [
-     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
--        IF_HOST_SUPPORTS_IP6TABLES([], [
--            sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
--        ])
-         if test x"$1" != x"ignore"; then
--            if test -n "$1"; then
--                sed -i $1 ./firewalld.log
--            fi
--            AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]])
-+            AT_FAIL_IF([cat ./firewalld.log | dnl
-+                       sed "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" | dnl
-+                       m4_ifnblank([$1], [sed $1 |]) dnl
-+                       [grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)']])
-         fi
-         m4_undefine([CURRENT_DBUS_ADDRESS])
-         m4_undefine([CURRENT_TEST_NS])
--- 
-2.27.0
-

SOURCES/0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch

@@ -1,46 +0,0 @@
-From a79321b79b0543cff0c99702c1ab9eeaab8bfe06 Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Thu, 3 Jun 2021 11:42:58 -0400
-Subject: [PATCH 33/36] fix(policy): warn instead of error for overlapping
- ports
-
-Fixes: rhbz 1914935
-(cherry picked from commit b71e532bc21fb6a06345b5ecfeb60683c7a194e9)
-(cherry picked from commit 66ca4b0fd9588d60d31998ad792f04962053aaab)
----
- src/firewall/core/fw_policy.py | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/src/firewall/core/fw_policy.py b/src/firewall/core/fw_policy.py
-index 3f5dab808ff0..79a52d8d97c0 100644
---- a/src/firewall/core/fw_policy.py
-+++ b/src/firewall/core/fw_policy.py
-@@ -98,11 +98,23 @@ class FirewallPolicy(object):
-         for args in obj.services:
-             self.add_service(policy, args)
-         for args in obj.ports:
--            self.add_port(policy, *args)
-+            try:
-+                self.add_port(policy, *args)
-+            except FirewallError as error:
-+                if error.code in [errors.ALREADY_ENABLED]:
-+                    log.warning(error)
-+                else:
-+                    raise error
-         for args in obj.protocols:
-             self.add_protocol(policy, args)
-         for args in obj.source_ports:
--            self.add_source_port(policy, *args)
-+            try:
-+                self.add_source_port(policy, *args)
-+            except FirewallError as error:
-+                if error.code in [errors.ALREADY_ENABLED]:
-+                    log.warning(error)
-+                else:
-+                    raise error
-         for args in obj.rules:
-             self.add_rule(policy, args)
-         if obj.masquerade:
--- 
-2.27.0
-

SOURCES/0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch

@@ -1,99 +0,0 @@
-From 7c1e62b4933f2b110dcedc411b4381c00abe799f Mon Sep 17 00:00:00 2001
-From: Eric Garver <eric@garver.life>
-Date: Thu, 3 Jun 2021 11:27:11 -0400
-Subject: [PATCH 34/36] test(zone): verify overlapping ports don't halt zone
- loading
-
-We can warn about the overlapping ports, but don't completely error out.
-
-Coverage: rhbz 1914935
-(cherry picked from commit 012a87a343673c7699f48fa6af973c890be08671)
-(cherry picked from commit 50e4c979283eee83bf0c707184cd0ca9bf112e85)
----
- src/tests/regression/regression.at  |  1 +
- src/tests/regression/rhbz1914935.at | 64 +++++++++++++++++++++++++++++
- 2 files changed, 65 insertions(+)
- create mode 100644 src/tests/regression/rhbz1914935.at
-
-diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
-index 2a5ad9ef995a..aadd948a459f 100644
---- a/src/tests/regression/regression.at
-+++ b/src/tests/regression/regression.at
-@@ -41,3 +41,4 @@ m4_include([regression/gh703.at])
- m4_include([regression/ipset_netmask_allowed.at])
- m4_include([regression/rhbz1940928.at])
- m4_include([regression/rhbz1936896.at])
-+m4_include([regression/rhbz1914935.at])
-diff --git a/src/tests/regression/rhbz1914935.at b/src/tests/regression/rhbz1914935.at
-new file mode 100644
-index 000000000000..5b110ea4cf4d
---- /dev/null
-+++ b/src/tests/regression/rhbz1914935.at
-@@ -0,0 +1,64 @@
-+FWD_START_TEST([zone overlapping ports])
-+AT_KEYWORDS(zone port rhbz1914935)
-+
-+AT_CHECK([mkdir -p ./zones])
-+
-+AT_DATA([./zones/foobar.xml], [dnl
-+<?xml version="1.0" encoding="utf-8"?>
-+<zone>
-+<port port="1024-65535" protocol="tcp" />
-+<port port="1234" protocol="tcp" />
-+<port port="2000-3000" protocol="tcp" />
-+</zone>
-+])
-+FWD_RELOAD
-+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
-+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
-+FWD_CHECK([--zone foobar --list-ports], 0, [dnl
-+1024-65535/tcp
-+])
-+
-+AT_DATA([./zones/foobar.xml], [dnl
-+<?xml version="1.0" encoding="utf-8"?>
-+<zone>
-+<source-port port="1024-65535" protocol="tcp" />
-+<source-port port="1234" protocol="tcp" />
-+<source-port port="2000-3000" protocol="tcp" />
-+</zone>
-+])
-+FWD_RELOAD
-+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
-+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
-+FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
-+1024-65535/tcp
-+])
-+
-+dnl this one partially overlaps so it should not throw a warning.
-+AT_DATA([./zones/foobar.xml], [dnl
-+<?xml version="1.0" encoding="utf-8"?>
-+<zone>
-+<port port="1024-2000" protocol="tcp" />
-+<port port="1500-2500" protocol="tcp" />
-+</zone>
-+])
-+FWD_RELOAD
-+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
-+FWD_CHECK([--zone foobar --list-ports], 0, [dnl
-+1024-2500/tcp
-+])
-+
-+dnl this one partially overlaps so it should not throw a warning.
-+AT_DATA([./zones/foobar.xml], [dnl
-+<?xml version="1.0" encoding="utf-8"?>
-+<zone>
-+<source-port port="1024-2000" protocol="tcp" />
-+<source-port port="1500-2500" protocol="tcp" />
-+</zone>
-+])
-+FWD_RELOAD
-+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
-+FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
-+1024-2500/tcp
-+])
-+
-+FWD_END_TEST([-e '/WARNING: ALREADY_ENABLED:/d'])
--- 
-2.27.0
-

SPECS/firewalld.spec

@@ -1,46 +1,41 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 0.9.3
-Release: 7%{?dist}
+Version: 0.9.11
+Release: 10%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
-Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
-Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
-Patch3: v1.0.0-0003-feat-service-add-galera-service.patch
-Patch4: 0004-fix-dbus-conf-setting-deprecated-properties-should-b.patch
-Patch5: 0005-test-nftables-normalize-reject-statement-output.patch
-Patch6: 0006-test-nftables-fix-normalization-of-reject-statement-.patch
-Patch7: 0007-test-functions-increase-debug-level.patch
-Patch8: 0008-test-functions-format-xml-output-with-xmllint.patch
-Patch9: 0009-docs-firewall-cmd-reload-does-not-affect-direct-rule.patch
-Patch10: 0010-docs-dbus-fix-copy-paste-error-for-FlushAllOnReload.patch
-Patch11: 0011-docs-dbus-fix-copy-paste-error-for-RFC3964_IPv4.patch
-Patch12: 0012-test-dbus-direct-add-coverage-for-signatures.patch
-Patch13: 0013-test-dbus-policy-scope-introspection-checks-to-inter.patch
-Patch14: 0014-test-dbus-zone-scope-introspection-checks-to-interfa.patch
-Patch15: 0015-test-dbus-policy-introspect-signals.patch
-Patch16: 0016-test-dbus-zone-introspect-signals.patch
-Patch17: 0017-fix-dbus-properties-IPv4-and-IPv6-should-be-true-if-.patch
-Patch18: 0018-test-ipset-add-missing-CHECK_IPSET.patch
-Patch19: 0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch
-Patch20: 0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch
-Patch21: 0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch
-Patch22: 0022-test-offline-always-allow-ipset-tests.patch
-Patch23: 0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch
-Patch24: 0024-test-direct-verify-rule-order-with-multiple-address-.patch
-Patch25: 0025-fix-ipset-fix-hash-net-net-functionality.patch
-Patch26: 0026-test-ipset-add-test-to-verify-hash-net-net.patch
-Patch27: 0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch
-Patch28: 0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch
-Patch29: 0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch
-Patch30: 0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch
-Patch31: 0031-test-functions-FWD_GREP_LOG-allow-checking-error-cod.patch
-Patch32: 0032-test-functions-improve-checking-firewalld.log-for-er.patch
-Patch33: 0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch
-Patch34: 0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch
-Patch35: v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch
-Patch36: v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch
+Patch1:  0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
+Patch2:  0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
+Patch3:  0003-v1.0.0-feat-service-add-galera-service-Fixes-rhbz169.patch
+Patch4:  0004-v1.0.0-fix-ipset-normalize-entries-in-CIDR-notation.patch
+Patch5:  0005-v1.0.0-fix-ipset-disallow-overlapping-entries.patch
+Patch6:  0006-v1.0.0-feat-config-add-CleanupModulesOnExit-configur.patch
+Patch7:  0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch
+Patch8:  0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch
+Patch9:  0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch
+Patch10: 0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch
+Patch11: 0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch
+Patch12: 0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch
+Patch13: 0013-v1.2.0-fix-ipset-fix-configuring-IP-range-for-ipsets.patch
+Patch14: 0014-v1.2.0-chore-nftables-add-delete-table-helper.patch
+Patch15: 0015-v1.2.0-fix-nftables-always-flush-main-table-on-start.patch
+Patch16: 0016-v1.2.0-test-CleanUpOnExit-verify-restart-does-not-du.patch
+Patch17: 0017-v1.2.0-chore-nftables-policy-use-delete-table-helper.patch
+Patch18: 0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch
+Patch19: 0019-v1.0.0-test-rich-destination-ipset.patch
+Patch20: 0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch
+Patch21: 0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch
+Patch22: 0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch
+Patch23: 0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch
+Patch24: 0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch
+Patch25: 0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch
+Patch26: 0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch
+Patch27: 0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
+Patch28: 0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch
+Patch29: 0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
+Patch30: 0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch
+Patch31: 0031-v2.2.0-fix-service-update-highest-port-number-for-ce.patch
 
 BuildArch: noarch
 BuildRequires: autoconf
@@ -242,6 +237,55 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Tue Feb 04 2025 Eric Garver <egarver@redhat.com> - 0.9.11-10
+- fix(service): update highest port number for ceph
+
+* Fri Aug 02 2024 Eric Garver <egarver@redhat.com> - 0.9.11-9
+- feat(direct): avoid iptables flush if using nftables backend
+
+* Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-8
+- feat(rich): support "burst" attribute to limit in rich rules
+
+* Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-7
+- fix(rich): validate service name of rich rule
+
+* Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-6
+- feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types
+
+* Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-5
+- feat(rich): support using ipset in destination
+
+* Fri Nov 03 2023 Eric Garver <egarver@redhat.com> - 0.9.11-4
+- fix(nftables): always flush main table on start
+
+* Fri Nov 03 2023 Eric Garver <egarver@redhat.com> - 0.9.11-3
+- fix(ipset): fix configuring IP range for ipsets with nftables
+
+* Fri Nov 03 2023 Eric Garver <egarver@redhat.com> - 0.9.11-2
+- fix(ipset): exception on overlap checking empty set
+
+* Tue Apr 18 2023 Eric Garver <egarver@redhat.com> - 0.9.11-1
+- rebase to v0.9.11
+
+* Thu Feb 03 2022 Eric Garver <egarver@redhat.com> - 0.9.3-13
+- change default CleanupModulesOnExit=yes
+
+* Mon Dec 20 2021 Eric Garver <egarver@redhat.com> - 0.9.3-12
+- feat(config): add CleanupModulesOnExit configuration option
+- change default CleanupModulesOnExit=yes
+
+* Tue Nov 16 2021 Eric Garver <egarver@redhat.com> - 0.9.3-11
+- fix(zone): detect same source/interface in zones
+
+* Tue Nov 16 2021 Eric Garver <egarver@redhat.com> - 0.9.3-10
+- fix(nftables): rich: source address with netmask
+
+* Tue Nov 16 2021 Eric Garver <egarver@redhat.com> - 0.9.3-9
+- fix(nftables): do not log icmp block if inversion
+
+* Tue Nov 16 2021 Eric Garver <egarver@redhat.com> - 0.9.3-8
+- docs(firewall-*cmd): client conntrack helpers must use a policy
+
 * Tue Jul 13 2021 Eric Garver <egarver@redhat.com> - 0.9.3-7
 - fix(ipset): disallow overlapping entries