Accepting request 833252 from security:netfilter

- Add python3-nftables as a requirement. (forwarded request 833251 from mrostecki) OBS-URL: https://build.opensuse.org/request/show/833252 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=49
2020-09-21 15:07:15 +00:00 · 2020-09-21 15:07:15 +00:00 · af98866ead
commit af98866ead
parent 1d3f684259 dda7c66e07
8 changed files with 88 additions and 43 deletions
--- a/0001-firewall-backend-Switch-default-backend-to-iptables.patch
+++ b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
@ -1,7 +1,8 @@
-diff -burNE firewalld-0.7.4_orig/config/firewalld.conf firewalld-0.7.4/config/firewalld.conf
--- firewalld-0.7.4_orig/config/firewalld.conf	2020-04-03 09:45:04.363964087 +0200
-+++ firewalld-0.7.4/config/firewalld.conf	2020-04-03 09:45:21.495215479 +0200
-@@ -53,9 +53,9 @@
+Index: firewalld-0.8.3/config/firewalld.conf
+===================================================================
+--- firewalld-0.8.3.orig/config/firewalld.conf
+++ firewalld-0.8.3/config/firewalld.conf
+@@ -43,9 +43,9 @@ LogDenied=off
 # FirewallBackend
 # Selects the firewall backend implementation.
 # Choices are:
@ -14,9 +15,10 @@ diff -burNE firewalld-0.7.4_orig/config/firewalld.conf firewalld-0.7.4/config/fi
 
 # FlushAllOnReload
 # Flush all runtime rules on a reload. In previous releases some runtime
-diff -burNE firewalld-0.7.4_orig/doc/xml/firewalld.conf.xml firewalld-0.7.4/doc/xml/firewalld.conf.xml
--- firewalld-0.7.4_orig/doc/xml/firewalld.conf.xml	2020-04-03 09:45:05.071933150 +0200
-+++ firewalld-0.7.4/doc/xml/firewalld.conf.xml	2020-04-03 09:45:21.499215305 +0200
+Index: firewalld-0.8.3/doc/xml/firewalld.conf.xml
+===================================================================
+--- firewalld-0.8.3.orig/doc/xml/firewalld.conf.xml
+++ firewalld-0.8.3/doc/xml/firewalld.conf.xml
@@ -149,8 +149,8 @@
             <listitem>
                 <para>
@ -28,13 +30,14 @@ diff -burNE firewalld-0.7.4_orig/doc/xml/firewalld.conf.xml firewalld-0.7.4/doc/
                 firewalld primitives. The only exception is direct and
                 passthrough rules which always use the traditional iptables,
                 ip6tables, and ebtables backends.
-diff -burNE firewalld-0.7.4_orig/src/firewall/config/__init__.py.in firewalld-0.7.4/src/firewall/config/__init__.py.in
--- firewalld-0.7.4_orig/src/firewall/config/__init__.py.in	2020-04-03 09:45:05.367920215 +0200
-+++ firewalld-0.7.4/src/firewall/config/__init__.py.in	2020-04-03 09:45:21.503215130 +0200
-@@ -128,7 +128,7 @@
+Index: firewalld-0.8.3/src/firewall/config/__init__.py.in
+===================================================================
+--- firewalld-0.8.3.orig/src/firewall/config/__init__.py.in
+++ firewalld-0.8.3/src/firewall/config/__init__.py.in
+@@ -127,7 +127,7 @@ FALLBACK_IPV6_RPFILTER = True
 FALLBACK_INDIVIDUAL_CALLS = False
 FALLBACK_LOG_DENIED = "off"
- FALLBACK_AUTOMATIC_HELPERS = "system"
+ FALLBACK_AUTOMATIC_HELPERS = "no"
 -FALLBACK_FIREWALL_BACKEND = "nftables"
 +FALLBACK_FIREWALL_BACKEND = "iptables"
 FALLBACK_FLUSH_ALL_ON_RELOAD = True
--- a/17
+++ b/17
@ -1,17 +0,0 @@
-<services>
-  <service mode="disabled" name="obs_scm">
-    <param name="url">https://github.com/firewalld/firewalld</param>
-    <param name="scm">git</param>
-    <param name="filename">firewalld</param>
-    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="versionrewrite-pattern">v(.*)</param>
-    <param name="revision">v0.7.5</param>
-    <param name="changesgenerate">enable</param>
-  </service>
-  <service mode="buildtime" name="tar" />
-  <service mode="buildtime" name="recompress">
-    <param name="file">*.tar</param>
-    <param name="compression">xz</param>
-  </service>
-  <service mode="disabled" name="set_version" />
-</services>
--- a/4
+++ b/4
@ -1,4 +0,0 @@
-<servicedata>
-<service name="tar_scm">
-                <param name="url">https://github.com/firewalld/firewalld</param>
-              <param name="changesrevision">7c900054e5293c4c569e3da5def7700045290753</param></service></servicedata>
--- a/firewalld-0.7.5.obscpio
+++ b/firewalld-0.7.5.obscpio
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c6c7b2fdc002b90a30f6d085fdfbbd9068e7c0bb5d2fd9ccc24583c5c256926e
-size 7351309
--- a/firewalld-0.9.0.tar.gz
+++ b/firewalld-0.9.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7cfbf8a33f726151e60c07486af0921fa05cbbab097adf90ec1caef37b49d9a0
+size 2007954
--- a/firewalld.changes
+++ b/firewalld.changes
@ -1,3 +1,67 @@
+-------------------------------------------------------------------
+Wed Sep  9 14:47:20 UTC 2020 - Michał Rostecki <mrostecki@suse.com>
+
+- Add python3-nftables as a requirement.
+
+-------------------------------------------------------------------
+Fri Sep  4 16:10:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
+
+- update to 0.9.0:
+  * New major features
+    * prevention of Zone Drifting
+    * Intra Zone Forwarding
+    * Policy Objects
+  * For a full list of changes, see
+    https://github.com/firewalld/firewalld/compare/v0.8.0...v0.9.0
+
+-------------------------------------------------------------------
+Sun Aug 16 17:09:43 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 0.8.3:
+  * nftables: convert to libnftables JSON interface
+  * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”.
+  * allow custom helpers using standard helper modules (rhbz 1733066)
+  * testsuite is now shipped in the dist tarball
+  * Typo in firewall-config(1)
+  * Fix typo in TFTP service description
+  * doc: README: add note about language translations
+  * fix: rich: source/dest only matching with mark action
+  * feat: AllowZoneDrifting config option
+  * feat: nftables: support AllowZoneDrifting=yes
+  * feat: ipXtables: support AllowZoneDrifting=yes
+  * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting
+  * fix: add logrotate policy
+  * doc: direct: add CAVEATS section
+  * fix: checkIP6: strip leading/trailing square brackets
+  * fix: nftables: remove square brackets from IPv6 addresses
+  * fix: ipXtables: remove square brackets from IPv6 addresses
+  * fix: nftables: ipset types using “port”
+  * fix: nftables: zone dispatch with multidimensional ipsets
+  * fix: ipset: destroy runtime sets on reload/stop
+  * fix: port: support querying sub ranges
+  * fix: source_port: support querying sub ranges
+  * doc: specify accepted characters for object names
+  * fix: doc: address copy/paste mistakes in short/description
+  * fix: configure: atlocal: quote variable values
+  * fix: nftables: allow set intervals with concatenations
+  * doc: clarify –set-target values “default” vs “reject”
+  * fix: update dynamic DCE RPC ports in freeipa-trust service
+  * fix: nftables: ipset: port ranges for non-default protocols
+  * fix(systemd): Conflict with nftables.service
+  * fix(direct): rule in a zone chain
+  * fix(client): addService needs to reduce tuple size
+  * fix(doc): dbus: signatures for zone tuple based APIs
+  * fix(config): bool values in dict based import/export
+  * fix(dbus): service: don’t cleanup config for old set APIs
+  * fix(ipset): flush the set if IndividiualCalls=yes
+  * fix(firewall-offline-cmd): remove instances of “[P]” in help text
+  * fix(rich): source mac with nftables backend
+  * docs: replace occurrences of the term blacklist with denylist
+  * fix: core: rich: Catch ValueError on non-numeric priority values
+  * docs(README): add libxslt for doc generation
+  * fix(cli): add –zone is an invalid option with –direct
+  * fix(cli): add ipset type hash:mac is incompatible with the family parameter
+
 -------------------------------------------------------------------
 Wed Aug 12 13:48:37 UTC 2020 - mrostecki@suse.com

--- a/firewalld.obsinfo
+++ b/firewalld.obsinfo
@ -1,5 +0,0 @@
-name: firewalld
-version: 0.7.5
-mtime: 1593546094
-commit: 7c900054e5293c4c569e3da5def7700045290753
-
--- a/firewalld.spec
+++ b/firewalld.spec
@ -21,13 +21,13 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           firewalld
-Version:        0.7.5
+Version:        0.9.0
 Release:        0
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 Url:            http://www.firewalld.org
-Source:         %{name}-%{version}.tar.xz
+Source:         https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
 Patch0:         0001-firewall-backend-Switch-default-backend-to-iptables.patch

 BuildRequires:  autoconf
@ -55,6 +55,7 @@ Requires:       iptables
 Requires:       logrotate
 Requires:       nftables
 Requires:       python3-firewall = %{version}
+Requires:       python3-nftables
 Requires:       sysconfig
 Requires(post): %fillup_prereq
 Suggests:       susefirewall2-to-firewalld
@ -217,11 +218,13 @@ fi
 %dir %{_prefix}/lib/firewalld/services
 %dir %{_prefix}/lib/firewalld/zones
 %dir %{_prefix}/lib/firewalld/helpers
+%dir %{_prefix}/lib/firewalld/policies
 %{_prefix}/lib/firewalld/icmptypes/*.xml
 %{_prefix}/lib/firewalld/ipsets/README
 %{_prefix}/lib/firewalld/services/*.xml
 %{_prefix}/lib/firewalld/zones/*.xml
 %{_prefix}/lib/firewalld/helpers/*.xml
+%{_prefix}/lib/firewalld/policies/*.xml
 %{_datadir}/polkit-1
 %dir %{_datadir}/dbus-1
 %dir %{_datadir}/dbus-1/system.d
@ -236,6 +239,7 @@ fi
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/policies
 %{_unitdir}/firewalld.service
 %{_fillupdir}/sysconfig.%{name}
 %{_datadir}/dbus-1/system.d/FirewallD.conf