Accepting request 866985 from security:netfilter

- Update to 0.9.3 (jsc#SLE-17336):
  nftables (jsc#SLE-16300):
  (rhbz#1817022, jsc#SLE-16300) (forwarded request 866984 from mrostecki)

OBS-URL: https://build.opensuse.org/request/show/866985
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=55
Dominique Leuenberger 2021-02-01 12:25:19 +00:00 committed by Git OBS Bridge
commit 9d471d09b3
5 changed files with 84 additions and 7 deletions

@ -0,0 +1,59 @@
From b1145d3efc58220f58a4e67189c4ff4a8bd789ce Mon Sep 17 00:00:00 2001
From: Michal Rostecki <mrostecki@opensuse.org>
Date: Mon, 25 Jan 2021 12:58:00 +0100
Subject: [PATCH] Disable FlushAllOnReload option
Disabling the FlushAllOnReload option restores the old behavior where
--reload does not retain interface to zone assignmnets and direct rules.
We want to keep that behavior in openSUSE and SLE
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f0452..e789f2a7 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -52,8 +52,8 @@ FirewallBackend=nftables
# configuration was retained during a reload, namely; interface to zone
# assignment, and direct rules. This was confusing to users. To get the old
# behavior set this to "no".
-# Default: yes
-FlushAllOnReload=yes
+# Default: no
+FlushAllOnReload=no
# RFC3964_IPv4
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index fcfbfd2b..8415ba3e 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -166,7 +166,7 @@
runtime configuration was retained during a reload, namely;
interface to zone assignment, and direct rules. This was
confusing to users. To get the old behavior set this to "no".
- Defaults to "yes".
+ Defaults to "no".
</para>
</listitem>
</varlistentry>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index e875e849..df6f449b 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -131,6 +131,6 @@ FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
-FALLBACK_FLUSH_ALL_ON_RELOAD = True
+FALLBACK_FLUSH_ALL_ON_RELOAD = False
FALLBACK_RFC3964_IPV4 = True
FALLBACK_ALLOW_ZONE_DRIFTING = False
--
2.30.0
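Review bot: the patch description at the top of this file states the opposite of what the change does. The config comment kept in this same hunk says the old behaviour was that interface-to-zone assignments and direct rules were retained across a reload and that setting the option to "no" restores that, so with FlushAllOnReload=no a --reload keeps them; "where --reload does not retain interface to zone assignmnets and direct rules" should read "where --reload retains interface to zone assignments and direct rules" (and "assignmnets" is a typo). The explanatory sentence left in config/firewalld.conf and doc/xml/firewalld.conf.xml, 'To get the old behavior set this to "no"', no longer makes sense once "no" is the default; suggest rewording it to say that upstream defaults to "yes" and that this build defaults to "no", so operators understand that runtime-only direct rules and interface assignments now survive --reload and a reload no longer brings the runtime state back to the permanent configuration.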

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7e3db6ed84919dd10add39cc7a28d97b5a9e27a53aeb73abf8af01ef082b74f9
size 2007880

firewalld-0.9.3.tar.gz Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5998894db976d77996ca0a6b700a2f4125b9f283465fb255da9bddfb1640cb27
size 1993006
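Review bot: the only integrity value recorded for the new firewalld-0.9.3.tar.gz is its git-lfs oid, while Source0 in the spec fetches the archive from the GitHub release URL; the request should state how the tarball was checked against upstream (published release checksum or signature) so this sha256 is tied to an upstream-published value rather than to whatever was downloaded at packaging time.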

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Tue Jan 26 16:33:10 UTC 2021 - Michał Rostecki <mrostecki@suse.com>
- Disable FlushAllOnReload option to not retain interface to zone
assignments and direct rules when using --reload option.
* 0002-Disable-FlushAllOnReload-option.patch
-------------------------------------------------------------------
Mon Jan 25 11:29:37 UTC 2021 - Michał Rostecki <mrostecki@suse.com>
- Update to 0.9.3 (jsc#SLE-17336):
* docs(dbus): fix invalid method names
* fix(forward): iptables: ipset used as zone source
* fix(rich): non-printable characters removed from rich rules
* docs(firewall-cmd): small description grammar fix
* fix(rich): limit table to strip non-printables to C0 and C1
* fix(zone): add source with mac address
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jan 14 09:52:26 UTC 2021 - Robert Frohl <rfrohl@suse.com> Thu Jan 14 09:52:26 UTC 2021 - Robert Frohl <rfrohl@suse.com>
@ -7,12 +25,12 @@ Thu Jan 14 09:52:26 UTC 2021 - Robert Frohl <rfrohl@suse.com>
Mon Nov 9 09:15:55 UTC 2020 - Michał Rostecki <mrostecki@suse.com> Mon Nov 9 09:15:55 UTC 2020 - Michał Rostecki <mrostecki@suse.com>
- Remove the patch which enforces usage of iptables instead of - Remove the patch which enforces usage of iptables instead of
nftables: nftables (jsc#SLE-16300):
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the - Add firewalld zone for the docker0 interface. This is the
workaround for lack of nftables support in docker. Without that workaround for lack of nftables support in docker. Without that
additional zone, containers have no Internet connectivity. additional zone, containers have no Internet connectivity.
(rhbz#1817022) (rhbz#1817022, jsc#SLE-16300)
- Update to 0.9.1: - Update to 0.9.1:
* Bugfixes: * Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths * docs(firewall-cmd): clarify lockdown whitelist command paths
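Review bot: the Jan 26 entry describes the effect backwards: FlushAllOnReload=no makes --reload retain interface-to-zone assignments and direct rules, but the entry says "to not retain"; reword it to match the config comment in 0002-Disable-FlushAllOnReload-option.patch. The entry should also carry the jsc#/rhbz# reference that motivated diverging from upstream's default, as the neighbouring entries do, so the deviation can be traced later.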

@ -21,7 +21,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: firewalld Name: firewalld
Version: 0.9.1 Version: 0.9.3
Release: 0 Release: 0
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPL-2.0-or-later License: GPL-2.0-or-later
@ -29,7 +29,7 @@ Group: Productivity/Networking/Security
Url: http://www.firewalld.org Url: http://www.firewalld.org
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
Source1: docker-zone.xml Source1: docker-zone.xml
Patch0: 0002-Disable-FlushAllOnReload-option.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
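Review bot: Patch0 is declared here but no %prep change is visible in this diff; confirm the spec's %prep already applies numbered patches (for example %autosetup -p1 or an explicit %patch0 -p1), otherwise the patch is listed but never applied and the shipped FlushAllOnReload default stays at upstream's "yes". Minor: the Url: line still points at http://www.firewalld.org; prefer the https form.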