Accepting request 622082 from security:netfilter

OBS-URL: https://build.opensuse.org/request/show/622082 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=30
2018-07-25 14:03:15 +00:00 · 2018-07-25 14:03:15 +00:00 · 8fe073a6d2
commit 8fe073a6d2
parent 77aafaaf70 ab9552e518
6 changed files with 37 additions and 338 deletions
--- a/firewalld-0.5.3.tar.gz
+++ b/firewalld-0.5.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ba105de0b6dc75d208cc675718a140973e2eab2f60aa285068b0438331639ebc
-size 1161718
--- a/firewalld-0.6.0.tar.gz
+++ b/firewalld-0.6.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7aaa73dc95857079aa276e29d7d628d0faa7d50f29f5a0b6bae458ee7a5829a2
+size 2266131
--- a/firewalld-add-additional-services.patch
+++ b/firewalld-add-additional-services.patch
@ -1,308 +0,0 @@
-[mchandras]: Backport patch for additional firewalld services which
-don't exist in stable-0.5 branch. This can be removed when
-https://github.com/firewalld/firewalld/pull/313 is accepted
-
-diff --git a/config/Makefile.am b/config/Makefile.am
-index c202d8fe..9c402329 100644
--- a/config/Makefile.am
-+++ b/config/Makefile.am
-@@ -122,6 +122,9 @@ CONFIG_FILES = \
- 	ipsets/README \
- 	services/amanda-client.xml \
- 	services/amanda-k5-client.xml \
-+	services/amqp.xml \
-+	services/amqps.xml \
-+	services/apcupsd.xml \
- 	services/bacula-client.xml \
- 	services/bacula.xml \
- 	services/bgp.xml \
-@@ -137,11 +140,15 @@ CONFIG_FILES = \
- 	services/dhcpv6-client.xml \
- 	services/dhcpv6.xml \
- 	services/dhcp.xml \
-+	services/distcc.xml \
- 	services/dns.xml \
- 	services/docker-registry.xml \
- 	services/docker-swarm.xml \
- 	services/dropbox-lansync.xml \
- 	services/elasticsearch.xml \
-+	services/etcd-client.xml \
-+	services/etcd-server.xml \
-+	services/finger.xml \
- 	services/freeipa-ldaps.xml \
- 	services/freeipa-ldap.xml \
- 	services/freeipa-replication.xml \
-@@ -179,6 +186,8 @@ CONFIG_FILES = \
- 	services/mongodb.xml \
- 	services/mosh.xml \
- 	services/mountd.xml \
-+	services/mqtt.xml \
-+	services/mqtt-tls.xml \
- 	services/mssql.xml \
- 	services/ms-wbt.xml \
- 	services/murmur.xml \
-@@ -188,6 +197,7 @@ CONFIG_FILES = \
- 	services/nmea-0183.xml \
- 	services/nrpe.xml \
- 	services/ntp.xml \
-+	services/nut.xml \
- 	services/openvpn.xml \
- 	services/ovirt-imageio.xml \
- 	services/ovirt-storageconsole.xml \
-@@ -211,11 +221,13 @@ CONFIG_FILES = \
- 	services/rpc-bind.xml \
- 	services/rsh.xml \
- 	services/rsyncd.xml \
-+	services/salt-master.xml \
- 	services/samba-client.xml \
- 	services/samba.xml \
- 	services/sane.xml \
- 	services/sips.xml \
- 	services/sip.xml \
-+	services/slp.xml \
- 	services/smtp-submission.xml \
- 	services/smtps.xml \
- 	services/smtp.xml \
-@@ -224,6 +236,8 @@ CONFIG_FILES = \
- 	services/spideroak-lansync.xml \
- 	services/squid.xml \
- 	services/ssh.xml \
-+	services/svdrp.xml \
-+	services/svn.xml \
- 	services/syncthing.xml \
- 	services/syncthing-gui.xml \
- 	services/synergy.xml \
-@@ -238,7 +252,11 @@ CONFIG_FILES = \
- 	services/upnp-client.xml \
- 	services/vdsm.xml \
- 	services/vnc-server.xml \
-+	services/wbem-http.xml \
- 	services/wbem-https.xml \
-+	services/wsman.xml \
-+	services/wsmans.xml \
-+	services/xdmcp.xml \
- 	services/xmpp-bosh.xml \
- 	services/xmpp-client.xml \
- 	services/xmpp-local.xml \
-diff --git a/config/services/amqp.xml b/config/services/amqp.xml
-new file mode 100644
-index 00000000..b9501d9e
--- /dev/null
-+++ b/config/services/amqp.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>amqp</short>
-+  <description>The Advanced Message Queuing Protocol (AMQP) is an open standard application layer protocol for message-oriented middleware.</description>
-+  <port protocol="tcp" port="5672"/>
-+</service>
-diff --git a/config/services/amqps.xml b/config/services/amqps.xml
-new file mode 100644
-index 00000000..02bdae52
--- /dev/null
-+++ b/config/services/amqps.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>amqps</short>
-+  <description>The Advanced Message Queuing Protocol (AMQP) over SSL is an open standard application layer protocol for message-oriented middleware.</description>
-+  <port protocol="tcp" port="5671"/>
-+</service>
-diff --git a/config/services/apcupsd.xml b/config/services/apcupsd.xml
-new file mode 100644
-index 00000000..fac9955c
--- /dev/null
-+++ b/config/services/apcupsd.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>apcupsd</short>
-+  <description>The American Power Conversion (APC) uninterruptible power supply (UPS) daemon protocol allows to monitor and control APC UPS devices.</description>
-+  <port port="3551" protocol="tcp"/>
-+</service>
-diff --git a/config/services/distcc.xml b/config/services/distcc.xml
-new file mode 100644
-index 00000000..f7b52ec8
--- /dev/null
-+++ b/config/services/distcc.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>distcc</short>
-+  <description>Distcc is a protocol used for distributed compilation.</description>
-+  <port port="3632" protocol="tcp"/>
-+</service>
-diff --git a/config/services/etcd-client.xml b/config/services/etcd-client.xml
-new file mode 100644
-index 00000000..f0fb22af
--- /dev/null
-+++ b/config/services/etcd-client.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>etcd Client</short>
-+  <description>etcd implements a distributed key value store that provides a reliably way to store data across a cluster of machines. This is the client side port.</description>
-+  <port port="2379" protocol="tcp"/>
-+</service>
-diff --git a/config/services/etcd-server.xml b/config/services/etcd-server.xml
-new file mode 100644
-index 00000000..11688818
--- /dev/null
-+++ b/config/services/etcd-server.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>etcd Server</short>
-+  <description>etcd implements a distributed key value store that provides a reliably way to store data across a cluster of machines. This is the server side port.</description>
-+  <port port="2380" protocol="tcp"/>
-+</service>
-diff --git a/config/services/finger.xml b/config/services/finger.xml
-new file mode 100644
-index 00000000..f42895f6
--- /dev/null
-+++ b/config/services/finger.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>finger</short>
-+  <description>Finger is a protocol for obtaining information about users on remote hosts.</description>
-+  <port port="79" protocol="tcp"/>
-+</service>
-diff --git a/config/services/mqtt-tls.xml b/config/services/mqtt-tls.xml
-new file mode 100644
-index 00000000..403455ae
--- /dev/null
-+++ b/config/services/mqtt-tls.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>mqtt-tls</short>
-+  <description>The Message Queuing Telemetry Transport (MQTT) is a machine-to-machine connectivity protocol. This variant of the protocol uses TLS encryption.</description>
-+  <port port="8883" protocol="tcp"/>
-+</service>
-diff --git a/config/services/mqtt.xml b/config/services/mqtt.xml
-new file mode 100644
-index 00000000..ad262cbf
--- /dev/null
-+++ b/config/services/mqtt.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>mqtt</short>
-+  <description>The Message Queuing Telemetry Transport (MQTT) is a machine-to-machine connectivity protocol. This variant of the protocol is unencrypted.</description>
-+  <port port="1883" protocol="tcp"/>
-+</service>
-diff --git a/config/services/nut.xml b/config/services/nut.xml
-new file mode 100644
-index 00000000..6e66d735
--- /dev/null
-+++ b/config/services/nut.xml
-@@ -0,0 +1,7 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>NUT</short>
-+  <description>Network UPS Tools (NUT) is a protocol that allows to monitor and control power devices like uninterruptible power supplies.</description>
-+  <port port="3493" protocol="tcp"/>
-+  <!-- <port port="3493" protocol="udp"/> according to upstream never really worked over UDP -->
-+</service>
-diff --git a/config/services/salt-master.xml b/config/services/salt-master.xml
-new file mode 100644
-index 00000000..799420e3
--- /dev/null
-+++ b/config/services/salt-master.xml
-@@ -0,0 +1,7 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>Salt Master</short>
-+  <description>Salt is a protocol used for infrastructure management via a dynamic communication bus. These ports are required on the salt master node.</description>
-+  <port port="4505" protocol="tcp"/>
-+  <port port="4506" protocol="tcp"/>
-+</service>
-diff --git a/config/services/slp.xml b/config/services/slp.xml
-new file mode 100644
-index 00000000..da60c651
--- /dev/null
-+++ b/config/services/slp.xml
-@@ -0,0 +1,7 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>SLP</short>
-+  <description>The Service Location Protocol (SLP) is used for discovering services in a local network without prior configuration.</description>
-+  <port port="427" protocol="tcp"/>
-+  <port port="427" protocol="udp"/>
-+</service>
-diff --git a/config/services/svdrp.xml b/config/services/svdrp.xml
-new file mode 100644
-index 00000000..4462ebb0
--- /dev/null
-+++ b/config/services/svdrp.xml
-@@ -0,0 +1,7 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>SVDRP</short>
-+  <description>The Simple Video Disk Recorder Protocol (SVDRP) allows to control video disk recorder functionality.</description>
-+  <port port="6419" protocol="tcp"/>
-+  <port port="6419" protocol="udp"/>
-+</service>
-diff --git a/config/services/svn.xml b/config/services/svn.xml
-new file mode 100644
-index 00000000..bdc6bf94
--- /dev/null
-+++ b/config/services/svn.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>Subversion</short>
-+  <description>The custom, unencrypted protocol used the Subversion Version Control System.</description>
-+  <port port="3690" protocol="tcp"/>
-+</service>
-diff --git a/config/services/wbem-http.xml b/config/services/wbem-http.xml
-new file mode 100644
-index 00000000..4283854e
--- /dev/null
-+++ b/config/services/wbem-http.xml
-@@ -0,0 +1,7 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>wbem-http</short>
-+  <description>Web-Based Enterprise Management (WBEM) is a set of systems management technologies developed to unify the management of distributed computing environments. This is the unencrypted protocol variant.</description>
-+  <port protocol="tcp" port="5988"/>
-+</service>
-+
-diff --git a/config/services/wsman.xml b/config/services/wsman.xml
-new file mode 100644
-index 00000000..fcb55570
--- /dev/null
-+++ b/config/services/wsman.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>wsman</short>
-+  <description>Web Services for Management (WSMAN) is a protocol for managing PCs, servers, devices, Web services and other applications. This variant of the protocol is unencrypted</description>
-+  <port port="5985" protocol="tcp"/>
-+</service>
-diff --git a/config/services/wsmans.xml b/config/services/wsmans.xml
-new file mode 100644
-index 00000000..8f2971b7
--- /dev/null
-+++ b/config/services/wsmans.xml
-@@ -0,0 +1,6 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>wsmans</short>
-+  <description>Web Services for Management (WSMAN) is a protocol for managing PCs, servers, devices, Web services and other applications. This variant of the protocol uses TLS encryption.</description>
-+  <port port="5986" protocol="tcp"/>
-+</service>
-diff --git a/config/services/xdmcp.xml b/config/services/xdmcp.xml
-new file mode 100644
-index 00000000..5610e053
--- /dev/null
-+++ b/config/services/xdmcp.xml
-@@ -0,0 +1,7 @@
-+<?xml version="1.0" encoding="utf-8"?>
-+<service>
-+  <short>XDMCP</short>
-+  <description>The X Display Manager Control Protocol (XDMCP) allows to remotely log in to an X desktop environment from any X Window System compatible client.</description>
-+  <port port="177" protocol="tcp"/>
-+  <port port="177" protocol="udp"/>
-+</service>
--- a/firewalld-po-20180417.tar.xz
+++ b/firewalld-po-20180417.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fe6191a0848e8729c668467c15ecb689451c13bfac3ecce07b44c5ac51868ee1
-size 106232
--- a/firewalld.changes
+++ b/firewalld.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri Jul  6 15:07:31 UTC 2018 - mchandras@suse.de
+
+- Update to 0.6.0. Some of the changes are:
+  * update translations
+  * firewall-config: Add ipv6-icmp to the protocol dropdown box (#348, bsc#1099698)
+  * core: logger: Remove world-readable bit from logfile (#349, bsc#1098986)
+  * IPv6 rpfilter: explicitly allow neighbor solicitation
+  * nftables backend (default)
+  * Added loads of new services
+  * firewall-cmd: add --check-config option
+  * firewall-offline-cmd: add --check-config option
+  * firewallctl: completely remove all code and references
+  * dbus: expose FirewallBackend
+  * dbus: fix erroneous fallback for AutomaticHelpers
+- Remove patches which have made it upstream
+  * firewalld-add-additional-services.patch
+- spec-cleaner fixes
+
 -------------------------------------------------------------------
 Mon May 14 08:41:27 UTC 2018 - mchandras@suse.de

--- a/firewalld.spec
+++ b/firewalld.spec
@ -18,28 +18,24 @@

 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
-  %define _fillupdir /var/adm/fillup-templates
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
-
 Name:           firewalld
-Version:        0.5.3
+Version:        0.6.0
 Release:        0
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 Url:            http://www.firewalld.org
 Source:         https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1:        firewalld-po-20180417.tar.xz
-# PATCH-FIX-SUSE: firewalld-add-additional-services.patch - https://github.com/firewalld/firewalld/pull/313
-Patch0:         firewalld-add-additional-services.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  desktop-file-utils
 BuildRequires:  docbook-xsl-stylesheets
-BuildRequires:  fdupes
 # Adding tools to BuildRequires as well so they can be autodetected
 # even though it is probably unlikely for paths to change in the future
 BuildRequires:  ebtables
+BuildRequires:  fdupes
 BuildRequires:  gettext
 BuildRequires:  glib2-devel
 BuildRequires:  gobject-introspection
@ -48,11 +44,13 @@ BuildRequires:  intltool
 BuildRequires:  ipset
 BuildRequires:  iptables
 BuildRequires:  libxslt-tools
+BuildRequires:  nftables
 BuildRequires:  python3-devel
 BuildRequires:  systemd-rpm-macros
 Requires:       ebtables
 Requires:       ipset
 Requires:       iptables
+Requires:       nftables
 Requires:       python3-firewall = %{version}
 Requires:       sysconfig
 Requires(post): %fillup_prereq
@ -111,21 +109,18 @@ firewalld.
 %lang_package

 %prep
-%setup -q -a1
-%patch0 -p1
+%setup -q

 # bsc#1078223
 rm config/services/high-availability.xml

 %build
-export PYTHON="python3"
-sed -i "s|/usr/bin/python -Es|/usr/bin/python3 -Es|g" fix_python_shebang.sh
-sed -i "s|python|python3|g" config/lockdown-whitelist.xml
+export PYTHON="%{_bindir}/python3"
 ./autogen.sh
 %configure \
  --enable-sysconfig \
  --enable-rpmmacros \
-  --with-ifcfgdir="/etc/sysconfig/network"
+  --with-ifcfgdir="%{_sysconfdir}/network"

 # Normally documentation is shipped but this will ensure that missing
 # files will be generated.
@ -208,12 +203,12 @@ fi
 %{_bindir}/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :

 %files
-%doc COPYING README
+%doc README
+%license COPYING
 %{_sbindir}/firewalld
 %{_sbindir}/rcfirewalld
 %{_bindir}/firewall-cmd
 %{_bindir}/firewall-offline-cmd
-%{_bindir}/firewallctl
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/firewall-cmd
 %dir %{_libexecdir}/firewalld
@ -222,14 +217,11 @@ fi
 %dir %{_libexecdir}/firewalld/services
 %dir %{_libexecdir}/firewalld/zones
 %dir %{_libexecdir}/firewalld/helpers
-%dir %{_libexecdir}/firewalld/xmlschema
 %{_libexecdir}/firewalld/icmptypes/*.xml
 %{_libexecdir}/firewalld/ipsets/README
 %{_libexecdir}/firewalld/services/*.xml
 %{_libexecdir}/firewalld/zones/*.xml
 %{_libexecdir}/firewalld/helpers/*.xml
-%{_libexecdir}/firewalld/xmlschema/check.sh
-%{_libexecdir}/firewalld/xmlschema/*.xsd
 %{_datadir}/polkit-1
 %dir %{_sysconfdir}/dbus-1
 %dir %{_sysconfdir}/dbus-1/system.d
@ -246,10 +238,9 @@ fi
 %{_unitdir}/firewalld.service
 %{_fillupdir}/sysconfig.%{name}
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
-%{_mandir}/man1/firewall*cmd*.1*
-%{_mandir}/man1/firewalld*.1*
-%{_mandir}/man1/firewallctl*.1*
-%{_mandir}/man5/firewall*.5*
+%{_mandir}/man1/firewall*cmd*.1%{?ext_man}
+%{_mandir}/man1/firewalld*.1%{?ext_man}
+%{_mandir}/man5/firewall*.5%{?ext_man}

 %files -n python3-firewall
 %attr(0755,root,root) %dir %{python3_sitelib}/firewall
@ -282,7 +273,7 @@ fi
 %config(noreplace) %{_sysconfdir}/firewall/applet.conf
 %{_sysconfdir}/xdg/autostart/firewall-applet.desktop
 %{_datadir}/icons/hicolor/*/apps/firewall-applet*.*
-%{_mandir}/man1/firewall-applet*.1*
+%{_mandir}/man1/firewall-applet*.1%{?ext_man}

 %files -n firewall-config
 %dir %{_datadir}/firewalld
@ -295,7 +286,7 @@ fi
 %{_datadir}/appdata/firewall-config.appdata.xml
 %{_datadir}/icons/hicolor/*/apps/firewall-config*.*
 %{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml
-%{_mandir}/man1/firewall-config*.1*
+%{_mandir}/man1/firewall-config*.1%{?ext_man}

 %files lang -f %{name}.lang