Accepting request 866985 from security:netfilter

- Update to 0.9.3 (jsc#SLE-17336): nftables (jsc#SLE-16300): (rhbz#1817022, jsc#SLE-16300) (forwarded request 866984 from mrostecki) OBS-URL: https://build.opensuse.org/request/show/866985 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=55
2021-02-01 12:25:19 +00:00 · 2021-02-01 12:25:19 +00:00 · 9d471d09b3
commit 9d471d09b3
parent 0a323e9ee8 a50f2805cc
5 changed files with 84 additions and 7 deletions
--- a/0002-Disable-FlushAllOnReload-option.patch
+++ b/0002-Disable-FlushAllOnReload-option.patch
@ -0,0 +1,59 @@
+From b1145d3efc58220f58a4e67189c4ff4a8bd789ce Mon Sep 17 00:00:00 2001
+From: Michal Rostecki <mrostecki@opensuse.org>
+Date: Mon, 25 Jan 2021 12:58:00 +0100
+Subject: [PATCH] Disable FlushAllOnReload option
+
+Disabling the FlushAllOnReload option restores the old behavior where
+--reload does not retain interface to zone assignmnets and direct rules.
+We want to keep that behavior in openSUSE and SLE
+
+Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
+---
+ config/firewalld.conf              | 4 ++--
+ doc/xml/firewalld.conf.xml         | 2 +-
+ src/firewall/config/__init__.py.in | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index 532f0452..e789f2a7 100644
+--- a/config/firewalld.conf
+++ b/config/firewalld.conf
+@@ -52,8 +52,8 @@ FirewallBackend=nftables
+ # configuration was retained during a reload, namely; interface to zone
+ # assignment, and direct rules. This was confusing to users. To get the old
+ # behavior set this to "no".
+-# Default: yes
+-FlushAllOnReload=yes
+# Default: no
+FlushAllOnReload=no
+ 
+ # RFC3964_IPv4
+ # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index fcfbfd2b..8415ba3e 100644
+--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
+@@ -166,7 +166,7 @@
+                 runtime configuration was retained during a reload, namely;
+                 interface to zone assignment, and direct rules. This was
+                 confusing to users. To get the old behavior set this to "no".
+-                Defaults to "yes".
+                Defaults to "no".
+                 </para>
+             </listitem>
+         </varlistentry>
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index e875e849..df6f449b 100644
+--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
+@@ -131,6 +131,6 @@ FALLBACK_INDIVIDUAL_CALLS = False
+ FALLBACK_LOG_DENIED = "off"
+ FALLBACK_AUTOMATIC_HELPERS = "no"
+ FALLBACK_FIREWALL_BACKEND = "nftables"
+-FALLBACK_FLUSH_ALL_ON_RELOAD = True
+FALLBACK_FLUSH_ALL_ON_RELOAD = False
+ FALLBACK_RFC3964_IPV4 = True
+ FALLBACK_ALLOW_ZONE_DRIFTING = False
+-- 
+2.30.0
+
--- a/firewalld-0.9.1.tar.gz
+++ b/firewalld-0.9.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7e3db6ed84919dd10add39cc7a28d97b5a9e27a53aeb73abf8af01ef082b74f9
-size 2007880
--- a/firewalld-0.9.3.tar.gz
+++ b/firewalld-0.9.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5998894db976d77996ca0a6b700a2f4125b9f283465fb255da9bddfb1640cb27
+size 1993006
--- a/firewalld.changes
+++ b/firewalld.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jan 26 16:33:10 UTC 2021 - Michał Rostecki <mrostecki@suse.com>
+
+- Disable FlushAllOnReload option to not retain interface to zone
+  assignments and direct rules when using --reload option.
+  * 0002-Disable-FlushAllOnReload-option.patch
+
+-------------------------------------------------------------------
+Mon Jan 25 11:29:37 UTC 2021 - Michał Rostecki <mrostecki@suse.com>
+
+- Update to 0.9.3 (jsc#SLE-17336):
+  * docs(dbus): fix invalid method names
+  * fix(forward): iptables: ipset used as zone source
+  * fix(rich): non-printable characters removed from rich rules
+  * docs(firewall-cmd): small description grammar fix
+  * fix(rich): limit table to strip non-printables to C0 and C1
+  * fix(zone): add source with mac address
+
 -------------------------------------------------------------------
 Thu Jan 14 09:52:26 UTC 2021 - Robert Frohl <rfrohl@suse.com>

@ -7,12 +25,12 @@ Thu Jan 14 09:52:26 UTC 2021 - Robert Frohl <rfrohl@suse.com>
 Mon Nov  9 09:15:55 UTC 2020 - Michał Rostecki <mrostecki@suse.com>

 - Remove the patch which enforces usage of iptables instead of
-  nftables:
+  nftables (jsc#SLE-16300):
  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
 - Add firewalld zone for the docker0 interface. This is the
  workaround for lack of nftables support in docker. Without that
  additional zone, containers have no Internet connectivity.
-  (rhbz#1817022)
+  (rhbz#1817022, jsc#SLE-16300)
 - Update to 0.9.1:
  * Bugfixes:
    * docs(firewall-cmd): clarify lockdown whitelist command paths
--- a/firewalld.spec
+++ b/firewalld.spec
@ -21,7 +21,7 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           firewalld
-Version:        0.9.1
+Version:        0.9.3
 Release:        0
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 License:        GPL-2.0-or-later
@ -29,7 +29,7 @@ Group:          Productivity/Networking/Security
 Url:            http://www.firewalld.org
 Source0:        https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
 Source1:        docker-zone.xml
-
+Patch0:         0002-Disable-FlushAllOnReload-option.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  desktop-file-utils