firewalld/0001-firewall-backend-Switch-default-backend-to-iptables.patch

Index: firewalld-0.8.3/config/firewalld.conf
===================================================================
--- firewalld-0.8.3.orig/config/firewalld.conf
+++ firewalld-0.8.3/config/firewalld.conf
@@ -43,9 +43,9 @@ LogDenied=off
 # FirewallBackend
 # Selects the firewall backend implementation.
 # Choices are:
-#	- nftables (default)
-#	- iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
+#	- nftables
+#	- iptables (iptables, ip6tables, ebtables and ipset) (default)
+FirewallBackend=iptables
 
 # FlushAllOnReload
 # Flush all runtime rules on a reload. In previous releases some runtime
Index: firewalld-0.8.3/doc/xml/firewalld.conf.xml
===================================================================
--- firewalld-0.8.3.orig/doc/xml/firewalld.conf.xml
+++ firewalld-0.8.3/doc/xml/firewalld.conf.xml
@@ -149,8 +149,8 @@
             <listitem>
                 <para>
                 Selects the firewall backend implementation. Possible values
-                are; <replaceable>nftables</replaceable> (default), or
-                <replaceable>iptables</replaceable>. This applies to all
+                are; <replaceable>nftables</replaceable>, or
+                <replaceable>iptables</replaceable> (default). This applies to all
                 firewalld primitives. The only exception is direct and
                 passthrough rules which always use the traditional iptables,
                 ip6tables, and ebtables backends.
Index: firewalld-0.8.3/src/firewall/config/__init__.py.in
===================================================================
--- firewalld-0.8.3.orig/src/firewall/config/__init__.py.in
+++ firewalld-0.8.3/src/firewall/config/__init__.py.in
@@ -127,7 +127,7 @@ FALLBACK_IPV6_RPFILTER = True
 FALLBACK_INDIVIDUAL_CALLS = False
 FALLBACK_LOG_DENIED = "off"
 FALLBACK_AUTOMATIC_HELPERS = "no"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
 FALLBACK_FLUSH_ALL_ON_RELOAD = True
 FALLBACK_RFC3964_IPV4 = True
 FALLBACK_ALLOW_ZONE_DRIFTING = False
Accepting request 827072 from home:dirkmueller:branches:security:netfilter - update to 0.8.3: * nftables: convert to libnftables JSON interface * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”. * allow custom helpers using standard helper modules (rhbz 1733066) * testsuite is now shipped in the dist tarball * Typo in firewall-config(1) * Fix typo in TFTP service description * doc: README: add note about language translations * fix: rich: source/dest only matching with mark action * feat: AllowZoneDrifting config option * feat: nftables: support AllowZoneDrifting=yes * feat: ipXtables: support AllowZoneDrifting=yes * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting * fix: add logrotate policy * doc: direct: add CAVEATS section * fix: checkIP6: strip leading/trailing square brackets * fix: nftables: remove square brackets from IPv6 addresses * fix: ipXtables: remove square brackets from IPv6 addresses * fix: nftables: ipset types using “port” * fix: nftables: zone dispatch with multidimensional ipsets * fix: ipset: destroy runtime sets on reload/stop * fix: port: support querying sub ranges * fix: source_port: support querying sub ranges * doc: specify accepted characters for object names * fix: doc: address copy/paste mistakes in short/description * fix: configure: atlocal: quote variable values * fix: nftables: allow set intervals with concatenations * doc: clarify –set-target values “default” vs “reject” * fix: update dynamic DCE RPC ports in freeipa-trust service * fix: nftables: ipset: port ranges for non-default protocols OBS-URL: https://build.opensuse.org/request/show/827072 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=103 2020-08-17 09:45:59 +02:00			`Index: firewalld-0.8.3/config/firewalld.conf`
			`===================================================================`
			`--- firewalld-0.8.3.orig/config/firewalld.conf`
			`+++ firewalld-0.8.3/config/firewalld.conf`
			`@@ -43,9 +43,9 @@ LogDenied=off`
Accepting request 736856 from home:lemmy04:branches:security:netfilter - rebased the original patch from revision 19 - apply patch only on openSUSE < TW, and SLES. - Added a patch to make iptables the default again on openSUSE - Update to version 0.7.2: This is a bug fix only release. * fix: direct: removeRules() was mistakenly removing all rules * fix: guarantee zone source dispatch is sorted by zone name * fix: nftables: fix zone dispatch using ipset sources in nat chains * doc: add --default-config and --system-config * fix: --add-masquerade should only affect ipv4 * fix: nftables: --forward-ports should only affect IPv4 * fix: direct: removeRules() not removing all rules in chain * dbus: service: fix service includes individual APIs * fix: allow custom helpers using standard helper modules * fix: service: usage of helpers with '-' in name * fix: Revert "ebtables: drop support for broute table" * fix: ebtables: don't use tables that aren't available * fix: fw: initialize _rfc3964_ipv4 OBS-URL: https://build.opensuse.org/request/show/736856 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=96 2019-10-10 15:08:15 +02:00			`# FirewallBackend`
			`# Selects the firewall backend implementation.`
			`# Choices are:`
			`-# - nftables (default)`
			`-# - iptables (iptables, ip6tables, ebtables and ipset)`
			`-FirewallBackend=nftables`
			`+# - nftables`
			`+# - iptables (iptables, ip6tables, ebtables and ipset) (default)`
			`+FirewallBackend=iptables`

			`# FlushAllOnReload`
			`# Flush all runtime rules on a reload. In previous releases some runtime`
Accepting request 827072 from home:dirkmueller:branches:security:netfilter - update to 0.8.3: * nftables: convert to libnftables JSON interface * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”. * allow custom helpers using standard helper modules (rhbz 1733066) * testsuite is now shipped in the dist tarball * Typo in firewall-config(1) * Fix typo in TFTP service description * doc: README: add note about language translations * fix: rich: source/dest only matching with mark action * feat: AllowZoneDrifting config option * feat: nftables: support AllowZoneDrifting=yes * feat: ipXtables: support AllowZoneDrifting=yes * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting * fix: add logrotate policy * doc: direct: add CAVEATS section * fix: checkIP6: strip leading/trailing square brackets * fix: nftables: remove square brackets from IPv6 addresses * fix: ipXtables: remove square brackets from IPv6 addresses * fix: nftables: ipset types using “port” * fix: nftables: zone dispatch with multidimensional ipsets * fix: ipset: destroy runtime sets on reload/stop * fix: port: support querying sub ranges * fix: source_port: support querying sub ranges * doc: specify accepted characters for object names * fix: doc: address copy/paste mistakes in short/description * fix: configure: atlocal: quote variable values * fix: nftables: allow set intervals with concatenations * doc: clarify –set-target values “default” vs “reject” * fix: update dynamic DCE RPC ports in freeipa-trust service * fix: nftables: ipset: port ranges for non-default protocols OBS-URL: https://build.opensuse.org/request/show/827072 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=103 2020-08-17 09:45:59 +02:00			`Index: firewalld-0.8.3/doc/xml/firewalld.conf.xml`
			`===================================================================`
			`--- firewalld-0.8.3.orig/doc/xml/firewalld.conf.xml`
			`+++ firewalld-0.8.3/doc/xml/firewalld.conf.xml`
Accepting request 736856 from home:lemmy04:branches:security:netfilter - rebased the original patch from revision 19 - apply patch only on openSUSE < TW, and SLES. - Added a patch to make iptables the default again on openSUSE - Update to version 0.7.2: This is a bug fix only release. * fix: direct: removeRules() was mistakenly removing all rules * fix: guarantee zone source dispatch is sorted by zone name * fix: nftables: fix zone dispatch using ipset sources in nat chains * doc: add --default-config and --system-config * fix: --add-masquerade should only affect ipv4 * fix: nftables: --forward-ports should only affect IPv4 * fix: direct: removeRules() not removing all rules in chain * dbus: service: fix service includes individual APIs * fix: allow custom helpers using standard helper modules * fix: service: usage of helpers with '-' in name * fix: Revert "ebtables: drop support for broute table" * fix: ebtables: don't use tables that aren't available * fix: fw: initialize _rfc3964_ipv4 OBS-URL: https://build.opensuse.org/request/show/736856 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=96 2019-10-10 15:08:15 +02:00			`@@ -149,8 +149,8 @@`
			`<listitem>`
			`<para>`
			`Selects the firewall backend implementation. Possible values`
			`- are; <replaceable>nftables</replaceable> (default), or`
			`- <replaceable>iptables</replaceable>. This applies to all`
			`+ are; <replaceable>nftables</replaceable>, or`
			`+ <replaceable>iptables</replaceable> (default). This applies to all`
			`firewalld primitives. The only exception is direct and`
			`passthrough rules which always use the traditional iptables,`
			`ip6tables, and ebtables backends.`
Accepting request 827072 from home:dirkmueller:branches:security:netfilter - update to 0.8.3: * nftables: convert to libnftables JSON interface * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”. * allow custom helpers using standard helper modules (rhbz 1733066) * testsuite is now shipped in the dist tarball * Typo in firewall-config(1) * Fix typo in TFTP service description * doc: README: add note about language translations * fix: rich: source/dest only matching with mark action * feat: AllowZoneDrifting config option * feat: nftables: support AllowZoneDrifting=yes * feat: ipXtables: support AllowZoneDrifting=yes * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting * fix: add logrotate policy * doc: direct: add CAVEATS section * fix: checkIP6: strip leading/trailing square brackets * fix: nftables: remove square brackets from IPv6 addresses * fix: ipXtables: remove square brackets from IPv6 addresses * fix: nftables: ipset types using “port” * fix: nftables: zone dispatch with multidimensional ipsets * fix: ipset: destroy runtime sets on reload/stop * fix: port: support querying sub ranges * fix: source_port: support querying sub ranges * doc: specify accepted characters for object names * fix: doc: address copy/paste mistakes in short/description * fix: configure: atlocal: quote variable values * fix: nftables: allow set intervals with concatenations * doc: clarify –set-target values “default” vs “reject” * fix: update dynamic DCE RPC ports in freeipa-trust service * fix: nftables: ipset: port ranges for non-default protocols OBS-URL: https://build.opensuse.org/request/show/827072 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=103 2020-08-17 09:45:59 +02:00			`Index: firewalld-0.8.3/src/firewall/config/__init__.py.in`
			`===================================================================`
			`--- firewalld-0.8.3.orig/src/firewall/config/__init__.py.in`
			`+++ firewalld-0.8.3/src/firewall/config/__init__.py.in`
			`@@ -127,7 +127,7 @@ FALLBACK_IPV6_RPFILTER = True`
Accepting request 736856 from home:lemmy04:branches:security:netfilter - rebased the original patch from revision 19 - apply patch only on openSUSE < TW, and SLES. - Added a patch to make iptables the default again on openSUSE - Update to version 0.7.2: This is a bug fix only release. * fix: direct: removeRules() was mistakenly removing all rules * fix: guarantee zone source dispatch is sorted by zone name * fix: nftables: fix zone dispatch using ipset sources in nat chains * doc: add --default-config and --system-config * fix: --add-masquerade should only affect ipv4 * fix: nftables: --forward-ports should only affect IPv4 * fix: direct: removeRules() not removing all rules in chain * dbus: service: fix service includes individual APIs * fix: allow custom helpers using standard helper modules * fix: service: usage of helpers with '-' in name * fix: Revert "ebtables: drop support for broute table" * fix: ebtables: don't use tables that aren't available * fix: fw: initialize _rfc3964_ipv4 OBS-URL: https://build.opensuse.org/request/show/736856 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=96 2019-10-10 15:08:15 +02:00			`FALLBACK_INDIVIDUAL_CALLS = False`
			`FALLBACK_LOG_DENIED = "off"`
Accepting request 827072 from home:dirkmueller:branches:security:netfilter - update to 0.8.3: * nftables: convert to libnftables JSON interface * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”. * allow custom helpers using standard helper modules (rhbz 1733066) * testsuite is now shipped in the dist tarball * Typo in firewall-config(1) * Fix typo in TFTP service description * doc: README: add note about language translations * fix: rich: source/dest only matching with mark action * feat: AllowZoneDrifting config option * feat: nftables: support AllowZoneDrifting=yes * feat: ipXtables: support AllowZoneDrifting=yes * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting * fix: add logrotate policy * doc: direct: add CAVEATS section * fix: checkIP6: strip leading/trailing square brackets * fix: nftables: remove square brackets from IPv6 addresses * fix: ipXtables: remove square brackets from IPv6 addresses * fix: nftables: ipset types using “port” * fix: nftables: zone dispatch with multidimensional ipsets * fix: ipset: destroy runtime sets on reload/stop * fix: port: support querying sub ranges * fix: source_port: support querying sub ranges * doc: specify accepted characters for object names * fix: doc: address copy/paste mistakes in short/description * fix: configure: atlocal: quote variable values * fix: nftables: allow set intervals with concatenations * doc: clarify –set-target values “default” vs “reject” * fix: update dynamic DCE RPC ports in freeipa-trust service * fix: nftables: ipset: port ranges for non-default protocols OBS-URL: https://build.opensuse.org/request/show/827072 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=103 2020-08-17 09:45:59 +02:00			`FALLBACK_AUTOMATIC_HELPERS = "no"`
Accepting request 736856 from home:lemmy04:branches:security:netfilter - rebased the original patch from revision 19 - apply patch only on openSUSE < TW, and SLES. - Added a patch to make iptables the default again on openSUSE - Update to version 0.7.2: This is a bug fix only release. * fix: direct: removeRules() was mistakenly removing all rules * fix: guarantee zone source dispatch is sorted by zone name * fix: nftables: fix zone dispatch using ipset sources in nat chains * doc: add --default-config and --system-config * fix: --add-masquerade should only affect ipv4 * fix: nftables: --forward-ports should only affect IPv4 * fix: direct: removeRules() not removing all rules in chain * dbus: service: fix service includes individual APIs * fix: allow custom helpers using standard helper modules * fix: service: usage of helpers with '-' in name * fix: Revert "ebtables: drop support for broute table" * fix: ebtables: don't use tables that aren't available * fix: fw: initialize _rfc3964_ipv4 OBS-URL: https://build.opensuse.org/request/show/736856 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=96 2019-10-10 15:08:15 +02:00			`-FALLBACK_FIREWALL_BACKEND = "nftables"`
			`+FALLBACK_FIREWALL_BACKEND = "iptables"`
			`FALLBACK_FLUSH_ALL_ON_RELOAD = True`
			`FALLBACK_RFC3964_IPV4 = True`
Accepting request 791189 from home:lemmy04:branches:security:netfilter - Update to 0.7.4 This is a bug fix only release. However, it does reintroduce the zone drifting bug as a feature. See #258 and #441. This behavior is disabled by default. * improvement: build: add an option to disable building documentation * Typo in firewall-config(1) * Fix typo in TFTP service description * doc: README: add note about language translations * fix: rich: source/dest only matching with mark action * feat: AllowZoneDrifting config option * feat: nftables: support AllowZoneDrifting=yes * feat: ipXtables: support AllowZoneDrifting=yes * fix: firewall-offline-cmd: Don't print warning about AllowZoneDrifting * fix: add logrotate policy * fix: tests: regenerate testsuite if .../{cli,python}/.at changes doc: direct: add CAVEATS section * fix: checkIP6: strip leading/trailing square brackets * fix: nftables: remove square brackets from IPv6 addresses * fix: ipXtables: remove square brackets from IPv6 addresses * fix: nftables: zone dispatch with multidimensional ipsets * fix: ipset: destroy runtime sets on reload/stop * fix: port: support querying sub ranges * fix: source_port: support querying sub ranges * doc: specify accepted characters for object names * fix: doc: address copy/paste mistakes in short/description * fix: configure: atlocal: quote variable values * fix: nftables: allow set intervals with concatenations * doc: clarify --set-target values "default" vs "reject" OBS-URL: https://build.opensuse.org/request/show/791189 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=101 2020-04-03 14:30:54 +02:00			`FALLBACK_ALLOW_ZONE_DRIFTING = False`