Accepting request 637406 from security:netfilter

- Add upstream patch to mark more strings as translatable which is
  required by firewall UI when creating rich rules (bsc#1096542)
  * 0001-Fix-translating-labels-392.patch

- Add upstream patch to fix rich rules that use ipset (bsc#1104990)
  * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch

- Update to 0.6.2. Some of the changes are:
  * update translations
  * nftables: fix log-denied with values other than "all" or "off"
  * fw_ipset: raise FirewallError if backend command fails
  * ipset: only use "-exist" on restore
  * fw_ipset: fix duplicate add of ipset entries
  * *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821)
  * ipXtables: increase wait lock to 10s
  * nftables: fix rich rules ports/protocols/source ports not considering ct state
  * ports: allow querying a single added by range
  * fw_zone: do not change rich rule errors into warnings
  * fw_zone: fix services with multiple destination IP versions (bsc#1105899)
  * fw_zone: consider destination for protocols
  * firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319)
  * fw: If direct rules fail to apply add a "Direct" label to error msg
  * fw: if startup fails on reload, reapply non-perm config that survives reload
  * nftables: fix rich rule audit log
  * ebtables: replace RETURN policy with explicit RETURN at end of chain
  * direct backends: allow build_chain() to build multiple rules
  * fw: if failure occurs during startup set state to FAILED
  * fw: on restart set policy from same function
  * ebtables: drop support for broute table
- Remove upstream patches

OBS-URL: https://build.opensuse.org/request/show/637406
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=37
Dominique Leuenberger 2018-10-01 07:06:07 +00:00 committed by Git OBS Bridge
commit b4d329838c
10 changed files with 128 additions and 395 deletions


@ -0,0 +1,35 @@
From 15fb48d04e576edb828abf321ae1e765822a4ee3 Mon Sep 17 00:00:00 2001
From: MeggyCal <MeggyCal@users.noreply.github.com>
Date: Thu, 20 Sep 2018 15:37:17 +0200
Subject: [PATCH] Fix translating labels (#392)
Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active.
Fixes: #344
(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f)
---
src/firewall-config.glade | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/firewall-config.glade b/src/firewall-config.glade
index 22bed58a..75c229b4 100644
--- a/src/firewall-config.glade
+++ b/src/firewall-config.glade
@@ -10135,10 +10135,10 @@
<property name="halign">start</property>
<property name="valign">start</property>
<items>
- <item>accept</item>
- <item>reject</item>
- <item>drop</item>
- <item>mark</item>
+ <item translatable="yes">accept</item>
+ <item translatable="yes">reject</item>
+ <item translatable="yes">drop</item>
+ <item translatable="yes">mark</item>
</items>
<signal name="changed" handler="on_richRuleDialog_changed" swapped="no"/>
</object>
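
Review bot: Marking the four `<item>` entries translatable changes the text this combo box shows and returns in non-English locales, and these strings (accept, reject, drop, mark) are also the rich rule action keywords. If `on_richRuleDialog_changed` or the code that builds the rule reads the active text, it will see the translated label instead of the keyword. Give each item a stable id, for example `<item translatable="yes" id="accept">accept</item>`, and have the dialog read the active id rather than the displayed text.
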
--
2.19.0


@ -1,47 +0,0 @@
From e9eede7766610d5b632087783761f93334bdd47e Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 29 Aug 2018 10:19:11 -0400
Subject: [PATCH 1/4] fw_zone: consider destination for protocols
destinations were ignore if protocols were specified. This fixes that.
(cherry picked from commit 8d863e8a1c78cb93cb4823cd1824776dba1d9d34)
---
src/firewall/core/fw_zone.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 7c7653fe..155b8b7f 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1640,7 +1640,7 @@ class FirewallZone(object):
if enable and type(rule.action) == Rich_Mark:
zone_transaction.add_chain("mangle", "PREROUTING")
rules = backend.build_zone_protocol_rules(
- enable, zone, proto, rule)
+ enable, zone, proto, destination, rule)
zone_transaction.add_rules(backend, rules)
# create rules
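
Review bot: The removed call `enable, zone, proto, rule` put `rule` in the fourth positional slot, the same slot the new call fills with `destination`, and the diffstat shows no backend file changed, so the original defect was an argument binding to the wrong parameter. Pass the last two arguments by keyword at all three call sites in this patch so that a future signature change fails loudly instead of silently binding the wrong object.
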
@@ -1677,7 +1677,7 @@ class FirewallZone(object):
zone_transaction.add_chain("mangle", "PREROUTING")
rules = backend.build_zone_protocol_rules(
- enable, zone, protocol, rule)
+ enable, zone, protocol, None, rule)
zone_transaction.add_rules(backend, rules)
# MASQUERADE
@@ -1852,7 +1852,8 @@ class FirewallZone(object):
zone_transaction.add_rules(backend, rules)
for protocol in svc.protocols:
- rules = backend.build_zone_protocol_rules(enable, zone, protocol)
+ rules = backend.build_zone_protocol_rules(
+ enable, zone, protocol, destination)
zone_transaction.add_rules(backend, rules)
for (port,proto) in svc.source_ports:
--
2.18.0


@ -1,74 +0,0 @@
From 0a5827471610fdbb19a053f7f46c114d4fbdf2a0 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 29 Aug 2018 16:10:20 -0400
Subject: [PATCH] nftables: fix rich rules ports/protocols/source ports not
considering ct state
They were accepting the packets, but were not matching on "ct state new"
as they should have been. In most (all?) cases, this should not have had
a noticeable affect because the existing connections were accepted long
before the _allow rules are hit.
(cherry picked from commit 0dd56eba38a2e0075281fb5a7180ecb9851359e1)
---
src/firewall/core/nftables.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 1ac8b3a8..20296292 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -812,6 +812,7 @@ class nftables(object):
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rule_fragment += [proto, "dport", "%s" % portStr(port, "-")]
+ rule_fragment += ["ct", "state", "new"]
rules = []
if rich_rule:
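
Review bot: `ct state new` is now appended to `rule_fragment` before the `if rich_rule:` branch, so if that branch reuses the fragment the match also applies to rich rules whose action is reject, drop or mark, not only to accept. Confirm that this is intended. The same line is added in three functions in this patch, so a small shared helper would keep them in sync.
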
@@ -821,7 +822,7 @@ class nftables(object):
else:
rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
"%s_%s_allow" % (table, target)] +
- rule_fragment + ["ct", "state", "new", "accept"])
+ rule_fragment + ["accept"])
return rules
@@ -844,6 +845,7 @@ class nftables(object):
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rule_fragment = ["meta", "l4proto", protocol]
+ rule_fragment += ["ct", "state", "new"]
rules = []
if rich_rule:
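
Review bot: In this function the context line `rule_fragment = ["meta", "l4proto", protocol]` assigns rather than appends, so the destination and source fragments added on the two lines above it are discarded before the new `ct state new` match is appended. Unless that is intended, change it to `rule_fragment += ["meta", "l4proto", protocol]` so protocol rich rules keep their source and destination matches.
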
@@ -853,7 +855,7 @@ class nftables(object):
else:
rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
"filter_%s_allow" % (target)] +
- rule_fragment + ["ct", "state", "new", "accept"])
+ rule_fragment + ["accept"])
return rules
@@ -876,6 +878,7 @@ class nftables(object):
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rule_fragment += [proto, "sport", "%s" % portStr(port, "-")]
+ rule_fragment += ["ct", "state", "new"]
rules = []
if rich_rule:
@@ -885,7 +888,7 @@ class nftables(object):
else:
rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
"%s_%s_allow" % (table, target)] +
- rule_fragment + ["ct", "state", "new", "accept"])
+ rule_fragment + ["accept"])
return rules
--
2.18.0


@ -0,0 +1,41 @@
From fa0bce3d45563e28b8beea1cb0ee325f4a82ebf9 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 21 Sep 2018 15:55:50 -0400
Subject: [PATCH] fw_zone: expose _ipset_match_flags()
Rename __ipset_match_flags() to _ipset_match_flags() so it may be used
outside the class. With the iptables backend this fixes rich rules that
match a source using an ipset.
Fixes: #374
---
src/firewall/core/fw_zone.py | 2 +-
src/firewall/core/ipXtables.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 2d794393..ca90f7fb 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1519,7 +1519,7 @@ def _ipset_family(self, name):
def __ipset_type(self, name):
return self._fw.ipset.get_type(name)
- def __ipset_match_flags(self, name, flag):
+ def _ipset_match_flags(self, name, flag):
return ",".join([flag] * self._fw.ipset.get_dimension(name))
def _check_ipset_applied(self, name):
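
Review bot: The context line just above still defines `__ipset_type` with two leading underscores, so it is name-mangled in the same way `__ipset_match_flags` was and cannot be reached as `zone.__ipset_type` from another module. Check whether any backend calls it and, if so, rename it in the same patch.
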
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 66af2a26..02a518d2 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -852,7 +852,7 @@ def _rich_rule_source_fragment(self, rich_source):
rule_fragment += [ "-m", "set" ]
if rich_source.invert:
rule_fragment.append("!")
- flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
+ flags = self._fw.zone._ipset_match_flags(rich_source.ipset, "src")
rule_fragment += [ "--match-set", rich_source.ipset, flags ]
return rule_fragment
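
Review bot: `self._fw.zone._ipset_match_flags(...)` now resolves, but the backend is calling a method whose single leading underscore still marks it as internal to the zone object. Since it is used across modules, give it a public name, and add a regression test for a rich rule with an ipset source on the iptables backend; the diffstat shows only the two source files changed.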


@ -1,216 +0,0 @@
From d9f46f02dd90bc6630f6e5462e67bc5341bdcade Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 29 Aug 2018 10:10:18 -0400
Subject: [PATCH 2/4] fw_zone: fix services with multiple destination IP
versions
Only one of the IP versions was being added to the backend. Make sure we
consider both.
Fixes: #366
Fixes: 929b1d2ab988 ("fw_zone: push service rule generation into backends")
Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
(cherry picked from commit 4aa13cc1377143e59a7f89bbbd9c4b01a9b8896a)
---
src/firewall/core/fw_zone.py | 170 +++++++++++++++++------------------
1 file changed, 82 insertions(+), 88 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 155b8b7f..75ea6018 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1572,84 +1572,82 @@ class FirewallZone(object):
if type(rule.element) == Rich_Service:
svc = self._fw.service.get_service(rule.element.name)
- destination = rule.destination if rule.destination else None
+ destinations = [rule.destination] if rule.destination else [None]
+
if len(svc.destination) > 0:
+ if rule.destination:
+ # we can not use two destinations at the same time
+ raise FirewallError(errors.INVALID_RULE,
+ "Destination conflict with service.")
+ destinations = []
for ipv in ipvs:
- if ipv in svc.destination:
- if not backend.is_ipv_supported(ipv):
- # destination is set, only use if it contains ipv
- raise FirewallError(errors.INVALID_RULE,
- "Service %s is not usable with %s" %
- (rule.element.name, backend.name))
- elif svc.destination[ipv] != "" and rule.destination:
- # we can not use two destinations at the same time
- raise FirewallError(errors.INVALID_RULE,
- "Destination conflict with service.")
- destination = svc.destination[ipv]
-
- if enable:
- zone_transaction.add_chain("filter", "INPUT")
- if self._fw.nf_conntrack_helper_setting == 0:
- zone_transaction.add_chain("raw", "PREROUTING")
+ if ipv in svc.destination and backend.is_ipv_supported(ipv):
+ destinations.append(svc.destination[ipv])
- if type(rule.action) == Rich_Accept:
- # only load modules for accept action
- helpers = self.get_helpers_for_service_modules(svc.modules,
- enable)
-
- modules = [ ]
- for helper in helpers:
- module = helper.module
+ for destination in destinations:
+ if enable:
+ zone_transaction.add_chain("filter", "INPUT")
if self._fw.nf_conntrack_helper_setting == 0:
- if helper.name not in \
- self._fw.nf_conntrack_helpers[module]:
- raise FirewallError(
- errors.INVALID_HELPER,
- "'%s' not available in kernel" % module)
- nat_module = module.replace("conntrack", "nat")
- if nat_module in self._fw.nf_nat_helpers:
- modules.append(nat_module)
- if helper.family != "" and not backend.is_ipv_supported(helper.family):
- # no support for family ipv, continue
- continue
- if len(helper.ports) < 1:
- modules.append(module)
- else:
- for (port,proto) in helper.ports:
- rules = backend.build_zone_helper_ports_rules(
- enable, zone, proto, port,
- destination, helper.name)
- zone_transaction.add_rules(backend, rules)
- else:
- if helper.module not in modules:
- modules.append(helper.module)
- nat_module = helper.module.replace("conntrack", "nat")
+ zone_transaction.add_chain("raw", "PREROUTING")
+
+ if type(rule.action) == Rich_Accept:
+ # only load modules for accept action
+ helpers = self.get_helpers_for_service_modules(svc.modules,
+ enable)
+
+ modules = [ ]
+ for helper in helpers:
+ module = helper.module
+ if self._fw.nf_conntrack_helper_setting == 0:
+ if helper.name not in \
+ self._fw.nf_conntrack_helpers[module]:
+ raise FirewallError(
+ errors.INVALID_HELPER,
+ "'%s' not available in kernel" % module)
+ nat_module = module.replace("conntrack", "nat")
if nat_module in self._fw.nf_nat_helpers:
modules.append(nat_module)
- zone_transaction.add_modules(modules)
-
- # create rules
- for (port,proto) in svc.ports:
- if enable and type(rule.action) == Rich_Mark:
- zone_transaction.add_chain("mangle", "PREROUTING")
- rules = backend.build_zone_ports_rules(
- enable, zone, proto, port, destination, rule)
- zone_transaction.add_rules(backend, rules)
-
- for proto in svc.protocols:
- if enable and type(rule.action) == Rich_Mark:
- zone_transaction.add_chain("mangle", "PREROUTING")
- rules = backend.build_zone_protocol_rules(
- enable, zone, proto, destination, rule)
- zone_transaction.add_rules(backend, rules)
-
- # create rules
- for (port,proto) in svc.source_ports:
- if enable and type(rule.action) == Rich_Mark:
- zone_transaction.add_chain("mangle", "PREROUTING")
- rules = backend.build_zone_source_ports_rules(
- enable, zone, proto, port, destination, rule)
- zone_transaction.add_rules(backend, rules)
+ if helper.family != "" and not backend.is_ipv_supported(helper.family):
+ # no support for family ipv, continue
+ continue
+ if len(helper.ports) < 1:
+ modules.append(module)
+ else:
+ for (port,proto) in helper.ports:
+ rules = backend.build_zone_helper_ports_rules(
+ enable, zone, proto, port,
+ destination, helper.name)
+ zone_transaction.add_rules(backend, rules)
+ else:
+ if helper.module not in modules:
+ modules.append(helper.module)
+ nat_module = helper.module.replace("conntrack", "nat")
+ if nat_module in self._fw.nf_nat_helpers:
+ modules.append(nat_module)
+ zone_transaction.add_modules(modules)
+
+ # create rules
+ for (port,proto) in svc.ports:
+ if enable and type(rule.action) == Rich_Mark:
+ zone_transaction.add_chain("mangle", "PREROUTING")
+ rules = backend.build_zone_ports_rules(
+ enable, zone, proto, port, destination, rule)
+ zone_transaction.add_rules(backend, rules)
+
+ for proto in svc.protocols:
+ if enable and type(rule.action) == Rich_Mark:
+ zone_transaction.add_chain("mangle", "PREROUTING")
+ rules = backend.build_zone_protocol_rules(
+ enable, zone, proto, destination, rule)
+ zone_transaction.add_rules(backend, rules)
+
+ # create rules
+ for (port,proto) in svc.source_ports:
+ if enable and type(rule.action) == Rich_Mark:
+ zone_transaction.add_chain("mangle", "PREROUTING")
+ rules = backend.build_zone_source_ports_rules(
+ enable, zone, proto, port, destination, rule)
+ zone_transaction.add_rules(backend, rules)
# PORT
elif type(rule.element) == Rich_Port:
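
Review bot: In the new `for ipv in ipvs` loop, an IP version the backend does not support is skipped silently, where the removed code raised `FirewallError(errors.INVALID_RULE, "Service %s is not usable with %s" ...)`. If no entry of `svc.destination` passes the test, `destinations` stays empty and the `for destination in destinations` loop generates no rules and reports nothing. Raise or log when the list ends up empty. The conflict check also changed: it now rejects any `rule.destination` as soon as `svc.destination` is non-empty, without the old `svc.destination[ipv] != ""` condition; state in the commit message whether that stricter behaviour is intended.
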
@@ -1805,24 +1803,20 @@ class FirewallZone(object):
zone_transaction.add_modules(modules)
zone_transaction.add_chain("filter", "INPUT")
- for backend in self._fw.enabled_backends():
- if not backend.zones_supported:
- continue
- skip_backend = False
-
- destination = None
+ # build a list of (backend, destination). The destination may be ipv4,
+ # ipv6 or None
+ #
+ backends_ipv = []
+ for ipv in ["ipv4", "ipv6"]:
+ backend = self._fw.get_backend_by_ipv(ipv)
if len(svc.destination) > 0:
- for ipv in ["ipv4", "ipv6"]:
- if ipv in svc.destination:
- if not backend.is_ipv_supported(ipv):
- # destination is set, only use if it contains ipv
- skip_backend = True
- break
- destination = svc.destination[ipv]
-
- if skip_backend:
- continue
+ if ipv in svc.destination:
+ backends_ipv.append((backend, svc.destination[ipv]))
+ else:
+ if (backend, None) not in backends_ipv:
+ backends_ipv.append((backend, None))
+ for (backend,destination) in backends_ipv:
if self._fw.nf_conntrack_helper_setting == 0:
for helper in helpers:
module = helper.module
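
Review bot: The removed loop skipped backends with `if not backend.zones_supported: continue`, and the replacement takes whatever `self._fw.get_backend_by_ipv(ipv)` returns with no such check. Either keep the `zones_supported` test when filling `backends_ipv` or add a comment explaining why it can no longer be false at this point.
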
--
2.18.0


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9fd94f4a5803ec6d1bf4a15f3b90d46fdf0ffa1b5187ff80a470460e3a1a8538
size 2269294

firewalld-0.6.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:76ef7ed41caf67204dc80e1f2640176a481c72cadc30488492b22e45b3757c54
size 2273831


@ -1,44 +0,0 @@
From a24ab61eabe24656b457273f54133fa99087f2f6 Mon Sep 17 00:00:00 2001
From: Farenjihn <farenjihn@gmail.com>
Date: Fri, 17 Aug 2018 11:58:55 +0200
Subject: [PATCH] firewall/core/fw_nm: nm_get_zone_of_connection should return
None or empty string instead of False
(cherry picked from commit 5a59a90f449a8bf836e62e2d9ad486301b1aa2bb)
---
src/firewall/core/fw_nm.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
index 97113d95..37282a1a 100644
--- a/src/firewall/core/fw_nm.py
+++ b/src/firewall/core/fw_nm.py
@@ -75,21 +75,21 @@ def nm_get_zone_of_connection(connection):
con = nm_get_client().get_connection_by_uuid(connection)
if con is None:
- return False
+ return None
setting_con = con.get_setting_connection()
if setting_con is None:
- return False
+ return None
try:
if con.get_flags() & (NM.SettingsConnectionFlags.NM_GENERATED
| NM.SettingsConnectionFlags.NM_VOLATILE):
- return False
+ return ""
except AttributeError:
# Prior to NetworkManager 1.12, we can only guess
# that a connection was generated/volatile.
if con.get_unsaved():
- return False
+ return ""
zone = setting_con.get_zone()
if zone is None:
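
Review bot: After this change the function returns `None` on the two lookup failures and `""` for generated, volatile or unsaved connections, but nothing in the hunk says what a caller should do with each value. Add a docstring to `nm_get_zone_of_connection` stating what `None` and `""` mean, and make sure callers test `is None` rather than truthiness, since both values are falsy.
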
--
2.18.0


@ -1,3 +1,47 @@
-------------------------------------------------------------------
Mon Sep 24 09:05:52 UTC 2018 - Markos Chandras <mchandras@suse.de>
- Add upstream patch to mark more strings as translatable which is
required by firewall UI when creating rich rules (bsc#1096542)
* 0001-Fix-translating-labels-392.patch
-------------------------------------------------------------------
Fri Sep 21 17:13:32 UTC 2018 - Luiz Angelo Daros de Luca <luizluca@gmail.com>
- Add upstream patch to fix rich rules that uses ipset (bsc#1104990)
* 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
-------------------------------------------------------------------
Thu Sep 20 07:27:33 UTC 2018 - Markos Chandras <mchandras@suse.de>
- Update to 0.6.2. Some of the changes are:
* update translations
* nftables: fix log-denied with values other than "all" or "off"
* fw_ipset: raise FirewallError if backend command fails
* ipset: only use "-exist" on restore
* fw_ipset: fix duplicate add of ipset entries
* *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821)
* ipXtables: increase wait lock to 10s
* nftables: fix rich rules ports/protocols/source ports not considering ct state
* ports: allow querying a single added by range
* fw_zone: do not change rich rule errors into warnings
* fw_zone: fix services with multiple destination IP versions (bsc#1105899)
* fw_zone: consider destination for protocols
* firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319)
* fw: If direct rules fail to apply add a "Direct" label to error msg
* fw: if startup fails on reload, reapply non-perm config that survives reload
* nftables: fix rich rule audit log
* ebtables: replace RETURN policy with explicit RETURN at end of chain
* direct backends: allow build_chain() to build multiple rules
* fw: if failure occurs during startup set state to FAILED
* fw: on restart set policy from same function
* ebtables: drop support for broute table
- Remove upstream patches
* 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
* 0001-fw_zone-consider-destination-for-protocols.patch
* 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch
* firewalld-fix-firewalld-config-crash.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Sep 17 14:28:19 UTC 2018 - Markos Chandras <mchandras@suse.de> Mon Sep 17 14:28:19 UTC 2018 - Markos Chandras <mchandras@suse.de>
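
Review bot: The changelog entry names the ipset patch `00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch` (five digits), while the spec file in this commit lists `Patch1: 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch`. Correct the changelog line so it matches the file name the spec actually applies.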


@ -21,7 +21,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: firewalld Name: firewalld
Version: 0.6.1 Version: 0.6.2
Release: 0 Release: 0
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPL-2.0-or-later License: GPL-2.0-or-later
@ -30,14 +30,10 @@ Url: http://www.firewalld.org
Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761) # PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
# PATCH-FIX-UPSTREAM firewalld-fix-firewalld-config-crash.patch luc14n0@linuxmail.org -- fix firewall-config crash when nm_get_zone_of_connection returns "False" # PATCH-FIX-UPSTREAM: 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch (bsc#1104990)
Patch1: firewalld-fix-firewalld-config-crash.patch Patch1: 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
# PATCH-FIX-UPSTREAM 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch (bsc#1105821) # PATCH-FIX-UPSTREAM: 0001-Fix-translating-labels-392.patch (bsc#1096542)
Patch2: 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch Patch2: 0001-Fix-translating-labels-392.patch
# PATCH-FIX-UPSTRΕΑΜ 0001-fw_zone-consider-destination-for-protocols.patch
Patch3: 0001-fw_zone-consider-destination-for-protocols.patch
# PATCH-FIX-UPSTREAM 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch (bsc#1108651)
Patch4: 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
@ -123,8 +119,6 @@ firewalld.
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%patch4 -p1
# bsc#1078223 # bsc#1078223
rm config/services/high-availability.xml rm config/services/high-availability.xml