pool/firewalld
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 750645 from security:netfilter

Browse Source 
- Replace incorrect usage of %_libexecdir with %_prefix/lib

- rebased the original patch from revision 19
- apply patch only on openSUSE < TW, and SLES.

- Added a patch to make iptables the default again on openSUSE

- Update to version 0.7.2:
This is a bug fix only release.
  * fix: direct: removeRules() was mistakenly removing all rules
  * fix: guarantee zone source dispatch is sorted by zone name
  * fix: nftables: fix zone dispatch using ipset sources in nat chains
  * doc: add --default-config and --system-config
  * fix: --add-masquerade should only affect ipv4
  * fix: nftables: --forward-ports should only affect IPv4
  * fix: direct: removeRules() not removing all rules in chain
  * dbus: service: fix service includes individual APIs
  * fix: allow custom helpers using standard helper modules
  * fix: service: usage of helpers with '-' in name
  * fix: Revert "ebtables: drop support for broute table"
  * fix: ebtables: don't use tables that aren't available
  * fix: fw: initialize _rfc3964_ipv4

- Update to version 0.7.1:
  * Rich Rule Priorities
  * Service Definition Includes - Service definitions can now
    include lines like: <include service="https"/> which will
    include all the ports, etc from the https service.
  * RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in
    firewalld.conf is available. It does filtering based on RFC3964

OBS-URL: https://build.opensuse.org/request/show/750645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=43
This commit is contained in:
Dominique Leuenberger 2019-11-25 10:24:22 +00:00 committed by Git OBS Bridge
commit c5b0e57ccf
9 changed files with 160 additions and 487 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
0001-firewall-backend-Switch-default-backend-to-iptables.patch
View File

@ -1,25 +1,7 @@
From dbbf60a4bb0c7edc83cd8bae2177d96842ad9034 Mon Sep 17 00:00:00 2001
From: Markos Chandras <mchandras@suse.de>
Date: Mon, 13 Aug 2018 22:31:04 +0300
Subject: [PATCH] firewall: backend: Switch default backend to 'iptables'
Switch default backend to 'iptables'. Some packages (eg docker)
are not able to work well with nftables right now, so lets stick
with iptables as default backend.
Link: https://bugzilla.suse.com/show_bug.cgi?id=1102761
Signed-off-by: Markos Chandras <mchandras@suse.de>
---
config/firewalld.conf | 6 +++---
doc/xml/firewalld.conf.xml | 4 ++--
src/firewall/config/__init__.py.in | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa5..e6afde19 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -59,6 +59,6 @@ AutomaticHelpers=system
diff -burNE firewalld-0.7.2_orig/config/firewalld.conf firewalld-0.7.2/config/firewalld.conf
--- firewalld-0.7.2_orig/config/firewalld.conf 2019-10-10 14:29:04.022394133 +0200
+++ firewalld-0.7.2/config/firewalld.conf 2019-10-10 14:30:12.102256167 +0200
@@ -53,9 +53,9 @@
# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
@ -27,12 +9,14 @@ index b53c0aa5..e6afde19 100644
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
+# - nftables
+# - iptables (default)
+# - iptables (iptables, ip6tables, ebtables and ipset) (default)
+FirewallBackend=iptables
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index df4b9521..fee0d3ca 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
diff -burNE firewalld-0.7.2_orig/doc/xml/firewalld.conf.xml firewalld-0.7.2/doc/xml/firewalld.conf.xml
--- firewalld-0.7.2_orig/doc/xml/firewalld.conf.xml 2019-10-10 14:29:04.026394125 +0200
+++ firewalld-0.7.2/doc/xml/firewalld.conf.xml 2019-10-10 14:29:19.766362228 +0200
@@ -149,8 +149,8 @@
<listitem>
<para>
@ -44,16 +28,14 @@ index df4b9521..fee0d3ca 100644
firewalld primitives. The only exception is direct and
passthrough rules which always use the traditional iptables,
ip6tables, and ebtables backends.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be320..cff7c3fe 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
diff -burNE firewalld-0.7.2_orig/src/firewall/config/__init__.py.in firewalld-0.7.2/src/firewall/config/__init__.py.in
--- firewalld-0.7.2_orig/src/firewall/config/__init__.py.in 2019-10-10 14:29:04.030394117 +0200
+++ firewalld-0.7.2/src/firewall/config/__init__.py.in 2019-10-10 14:31:06.522145883 +0200
@@ -129,6 +129,6 @@
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
--
2.16.4
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True

427
0002-Add-FlushAllOnReload-config-option.patch
View File

@ -1,427 +0,0 @@
From 9103e069cb2983dd814d99de04ca1f9a9d37117f Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 16 Oct 2018 10:02:38 -0400
Subject: [PATCH] Add "FlushAllOnReload" config option
Default value is "yes".
Even on --reload some runtime configuration was being retained. This was
a surprise to many users. Lets default to flushing all the runtime
configuration and also introduce a config option to go back the old
behavior of retaining; interface to zone assignments, and direct rules.
This also adjusts a few test cases that depend on the old
FlushAllOnReload=no behavior.
Fixes: suze bz #1109153
Fixes: #409
Closes: #408
---
config/firewalld.conf | 8 +++
doc/xml/firewalld.conf.xml | 13 ++++
doc/xml/firewalld.dbus.xml | 8 +++
src/firewall/config/__init__.py.in | 1 +
src/firewall/core/fw.py | 99 +++++++++++++++-----------
src/firewall/core/io/firewalld_conf.py | 11 ++-
src/firewall/server/config.py | 20 +++++-
src/tests/dbus/firewalld.conf.at | 2 +
src/tests/python/firewalld_direct.py | 6 ++
src/tests/python/firewalld_test.py | 9 ++-
src/tests/regression/rhbz1498923.at | 4 ++
11 files changed, 133 insertions(+), 48 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index e6afde19..bc6a8860 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -62,3 +62,11 @@ AutomaticHelpers=system
# - nftables
# - iptables (default)
FirewallBackend=iptables
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+FlushAllOnReload=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index fee0d3ca..f9e02b08 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -158,6 +158,19 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>FlushAllOnReload</option></term>
+ <listitem>
+ <para>
+ Flush all runtime rules on a reload. In previous releases some
+ runtime configuration was retained during a reload, namely;
+ interface to zone assignment, and direct rules. This was
+ confusing to users. To get the old behavior set this to "no".
+ Defaults to "yes".
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 8352f96c..132200f3 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2592,6 +2592,14 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry id="FirewallD1.config.Properties.FlushAllOnReload">
+ <term>FirewallBackend - s - (rw)</term>
+ <listitem>
+ <para>
+ Flush all runtime rules on a reload. Valid options are; yes, no.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry id="FirewallD1.config.Properties.IPv6_rpfilter">
<term><parameter>IPv6_rpfilter</parameter> - s - (rw)</term>
<listitem><para>Indicates whether the reverse path filter test on a packet for IPv6 is enabled. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.</para></listitem>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index cff7c3fe..e9595e4c 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -130,3 +130,4 @@ FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
FALLBACK_FIREWALL_BACKEND = "iptables"
+FALLBACK_FLUSH_ALL_ON_RELOAD = True
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 9be13a5c..7e6255f7 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -113,6 +113,7 @@ class Firewall(object):
self._log_denied = config.FALLBACK_LOG_DENIED
self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS
self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND
+ self._flush_all_on_reload = config.FALLBACK_FLUSH_ALL_ON_RELOAD
self.nf_conntrack_helper_setting = 0
self.nf_conntrack_helpers = { }
self.nf_nat_helpers = { }
@@ -298,6 +299,15 @@ class Firewall(object):
log.debug1("FirewallBackend is set to '%s'",
self._firewall_backend)
+ if self._firewalld_conf.get("FlushAllOnReload"):
+ value = self._firewalld_conf.get("FlushAllOnReload")
+ if value.lower() in [ "no", "false" ]:
+ self._flush_all_on_reload = False
+ else:
+ self._flush_all_on_reload = True
+ log.debug1("FlushAllOnReload is set to '%s'",
+ self._flush_all_on_reload)
+
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
self._select_firewall_backend(self._firewall_backend)
@@ -963,13 +973,17 @@ class Firewall(object):
def reload(self, stop=False):
_panic = self._panic
- # save zone interfaces
- _zone_interfaces = { }
- for zone in self.zone.get_zones():
- _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"]
- # save direct config
- _direct_config = self.direct.get_runtime_config()
- _old_dz = self.get_default_zone()
+ # must stash this. The value may change after _start()
+ flush_all = self._flush_all_on_reload
+
+ if not flush_all:
+ # save zone interfaces
+ _zone_interfaces = { }
+ for zone in self.zone.get_zones():
+ _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"]
+ # save direct config
+ _direct_config = self.direct.get_runtime_config()
+ _old_dz = self.get_default_zone()
# stop
self.cleanup()
@@ -984,41 +998,42 @@ class Firewall(object):
# etc. We'll re-raise it at the end.
start_exception = e
- # handle interfaces in the default zone and move them to the new
- # default zone if it changed
- _new_dz = self.get_default_zone()
- if _new_dz != _old_dz:
- # if_new_dz has been introduced with the reload, we need to add it
- # https://github.com/firewalld/firewalld/issues/53
- if _new_dz not in _zone_interfaces:
- _zone_interfaces[_new_dz] = { }
- # default zone changed. Move interfaces from old default zone to
- # the new one.
- for iface, settings in list(_zone_interfaces[_old_dz].items()):
- if settings["__default__"]:
- # move only those that were added to default zone
- # (not those that were added to specific zone same as
- # default)
- _zone_interfaces[_new_dz][iface] = \
- _zone_interfaces[_old_dz][iface]
- del _zone_interfaces[_old_dz][iface]
-
- # add interfaces to zones again
- for zone in self.zone.get_zones():
- if zone in _zone_interfaces:
- self.zone.set_settings(zone, { "interfaces":
- _zone_interfaces[zone] })
- del _zone_interfaces[zone]
- else:
- log.info1("New zone '%s'.", zone)
- if len(_zone_interfaces) > 0:
- for zone in list(_zone_interfaces.keys()):
- log.info1("Lost zone '%s', zone interfaces dropped.", zone)
- del _zone_interfaces[zone]
- del _zone_interfaces
-
- # restore direct config
- self.direct.set_config(_direct_config)
+ if not flush_all:
+ # handle interfaces in the default zone and move them to the new
+ # default zone if it changed
+ _new_dz = self.get_default_zone()
+ if _new_dz != _old_dz:
+ # if_new_dz has been introduced with the reload, we need to add it
+ # https://github.com/firewalld/firewalld/issues/53
+ if _new_dz not in _zone_interfaces:
+ _zone_interfaces[_new_dz] = { }
+ # default zone changed. Move interfaces from old default zone to
+ # the new one.
+ for iface, settings in list(_zone_interfaces[_old_dz].items()):
+ if settings["__default__"]:
+ # move only those that were added to default zone
+ # (not those that were added to specific zone same as
+ # default)
+ _zone_interfaces[_new_dz][iface] = \
+ _zone_interfaces[_old_dz][iface]
+ del _zone_interfaces[_old_dz][iface]
+
+ # add interfaces to zones again
+ for zone in self.zone.get_zones():
+ if zone in _zone_interfaces:
+ self.zone.set_settings(zone, { "interfaces":
+ _zone_interfaces[zone] })
+ del _zone_interfaces[zone]
+ else:
+ log.info1("New zone '%s'.", zone)
+ if len(_zone_interfaces) > 0:
+ for zone in list(_zone_interfaces.keys()):
+ log.info1("Lost zone '%s', zone interfaces dropped.", zone)
+ del _zone_interfaces[zone]
+ del _zone_interfaces
+
+ # restore direct config
+ self.direct.set_config(_direct_config)
# enable panic mode again if it has been enabled before or set policy
# to ACCEPT
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad6..953a6d26 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -30,7 +30,7 @@ from firewall.functions import b2u, u2b, PY2
valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls", "LogDenied",
- "AutomaticHelpers", "FirewallBackend" ]
+ "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -80,6 +80,7 @@ class firewalld_conf(object):
self.set("LogDenied", config.FALLBACK_LOG_DENIED)
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
+ self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no")
raise
for line in f:
@@ -183,6 +184,14 @@ class firewalld_conf(object):
config.FALLBACK_FIREWALL_BACKEND)
self.set("FirewallBackend", str(config.FALLBACK_FIREWALL_BACKEND))
+ value = self.get("FlushAllOnReload")
+ if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
+ if value is not None:
+ log.warning("FlushAllOnReload '%s' is not valid, using default "
+ "value %s", value if value else '',
+ config.FALLBACK_FLUSH_ALL_ON_RELOAD)
+ self.set("FlushAllOnReload", str(config.FALLBACK_FLUSH_ALL_ON_RELOAD))
+
# save to self.filename if there are key/value changes
def write(self):
if len(self._config) < 1:
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index dfc562b5..ba04107f 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -106,6 +106,7 @@ class FirewallDConfig(slip.dbus.service.Object):
"LogDenied": "readwrite",
"AutomaticHelpers": "readwrite",
"FirewallBackend": "readwrite",
+ "FlushAllOnReload": "readwrite",
})
@handle_exceptions
@@ -485,7 +486,8 @@ class FirewallDConfig(slip.dbus.service.Object):
def _get_property(self, prop):
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers", "FirewallBackend",
+ "FlushAllOnReload" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
"Property '%s' does not exist" % prop)
@@ -530,6 +532,10 @@ class FirewallDConfig(slip.dbus.service.Object):
if value is None:
value = config.FALLBACK_FIREWALL_BACKEND
return dbus.String(value)
+ elif prop == "FlushAllOnReload":
+ if value is None:
+ value = "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no"
+ return dbus.String(value)
@dbus_handle_exceptions
def _get_dbus_property(self, prop):
@@ -551,6 +557,8 @@ class FirewallDConfig(slip.dbus.service.Object):
return dbus.String(self._get_property(prop))
elif prop == "FirewallBackend":
return dbus.String(self._get_property(prop))
+ elif prop == "FlushAllOnReload":
+ return dbus.String(self._get_property(prop))
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
@@ -590,7 +598,8 @@ class FirewallDConfig(slip.dbus.service.Object):
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers", "FirewallBackend",
+ "FlushAllOnReload" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
@@ -617,7 +626,7 @@ class FirewallDConfig(slip.dbus.service.Object):
if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers",
- "FirewallBackend" ]:
+ "FirewallBackend", "FlushAllOnReload" ]:
if property_name == "MinimalMark":
try:
int(new_value)
@@ -651,6 +660,11 @@ class FirewallDConfig(slip.dbus.service.Object):
raise FirewallError(errors.INVALID_VALUE,
"'%s' for %s" % \
(new_value, property_name))
+ if property_name == "FlushAllOnReload":
+ if new_value.lower() not in ["yes", "true", "no", "false"]:
+ raise FirewallError(errors.INVALID_VALUE,
+ "'%s' for %s" % \
+ (new_value, property_name))
self.config.get_firewalld_conf().set(property_name, new_value)
self.config.get_firewalld_conf().write()
self.PropertiesChanged(interface_name,
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de..72c61bdc 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -6,6 +6,7 @@ string "AutomaticHelpers" : variant string "system"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
+string "FlushAllOnReload" : variant string "yes"
m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
string "IPv6_rpfilter" : variant string "no"],[dnl
string "IPv6_rpfilter" : variant string "yes"])
@@ -30,6 +31,7 @@ _helper([LogDenied], [string:"all"], [variant string "all"])
_helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
_helper([IndividualCalls], [string:"yes"], [variant string "yes"])
_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
+_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
dnl Note: DefaultZone is RO
m4_undefine([_helper])
diff --git a/src/tests/python/firewalld_direct.py b/src/tests/python/firewalld_direct.py
index 4cb84349..28da523d 100755
--- a/src/tests/python/firewalld_direct.py
+++ b/src/tests/python/firewalld_direct.py
@@ -36,10 +36,16 @@ class TestFirewallDInterfaceDirect(unittest.TestCase):
bus = dbus.SystemBus()
dbus_obj = bus.get_object(config.dbus.DBUS_INTERFACE,
config.dbus.DBUS_PATH)
+ dbus_obj_config = bus.get_object(config.dbus.DBUS_INTERFACE,
+ config.dbus.DBUS_PATH_CONFIG)
self.fw = dbus.Interface(dbus_obj,
dbus_interface=config.dbus.DBUS_INTERFACE)
self.fw_direct = dbus.Interface(
dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_DIRECT)
+ self.config_properties = dbus.Interface(dbus_obj_config,
+ dbus_interface='org.freedesktop.DBus.Properties')
+ self.config_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG, "FlushAllOnReload", "no")
+ self.fw.reload()
# always have "direct_foo1" available
self.fw_direct.addChain("ipv4", "filter", "direct_foo1")
diff --git a/src/tests/python/firewalld_test.py b/src/tests/python/firewalld_test.py
index 62c567fc..0d8b4c78 100755
--- a/src/tests/python/firewalld_test.py
+++ b/src/tests/python/firewalld_test.py
@@ -28,8 +28,8 @@ import sys
import time
import unittest
-from firewall.config.dbus import DBUS_PATH, DBUS_INTERFACE, \
- DBUS_INTERFACE_ZONE
+from firewall.config.dbus import DBUS_PATH, DBUS_PATH_CONFIG, DBUS_INTERFACE, \
+ DBUS_INTERFACE_ZONE, DBUS_INTERFACE_CONFIG
from firewall.dbus_utils import dbus_to_python
from pprint import pprint
@@ -43,9 +43,14 @@ class TestFirewallD(unittest.TestCase):
unittest.TestCase.setUp(self)
bus = dbus.SystemBus()
dbus_obj = bus.get_object(DBUS_INTERFACE, DBUS_PATH)
+ dbus_obj_config = bus.get_object(DBUS_INTERFACE, DBUS_PATH_CONFIG)
self.fw = dbus.Interface(dbus_obj, dbus_interface=DBUS_INTERFACE)
self.fw_zone = dbus.Interface(dbus_obj,
dbus_interface=DBUS_INTERFACE_ZONE)
+ self.config_properties = dbus.Interface(dbus_obj_config,
+ dbus_interface='org.freedesktop.DBus.Properties')
+ self.config_properties.Set(DBUS_INTERFACE_CONFIG, "FlushAllOnReload", "no")
+ self.fw.reload()
def test_get_setDefaultZone(self):
old_zone = dbus_to_python(self.fw.getDefaultZone())
diff --git a/src/tests/regression/rhbz1498923.at b/src/tests/regression/rhbz1498923.at
index 9b686781..ed1022fb 100644
--- a/src/tests/regression/rhbz1498923.at
+++ b/src/tests/regression/rhbz1498923.at
@@ -1,4 +1,8 @@
FWD_START_TEST([invalid direct rule causes reload error])
+dnl Below we test retention of some items applicable to FlushAllOnReload=no
+AT_CHECK([sed -i 's/^FlushAllOnReload.*/FlushAllOnReload=no/' ./firewalld.conf])
+FWD_RELOAD
+
FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT])
FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 1 --a-bogus-flag])
--
2.20.1

17
_service Normal file
View File

@ -0,0 +1,17 @@
<services>
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/firewalld/firewalld</param>
<param name="scm">git</param>
<param name="filename">firewalld</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="revision">v0.7.2</param>
<param name="changesgenerate">enable</param>
</service>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">xz</param>
</service>
<service mode="disabled" name="set_version" />
</services>

4
_servicedata Normal file
View File

@ -0,0 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/firewalld/firewalld</param>
<param name="changesrevision">06de1841cfe41cc8c3c3f7c073aabc1f9f5d0ad0</param></service></servicedata>

3
firewalld-0.6.3.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:039ad56ea6d6553aadf33243ea5b39802d73519e46a89c80c648b2bd1ec78aeb
size 2294470

3
firewalld-0.7.2.obscpio Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2804c025b0c9de766c6b270251dae977290069b84667c8a32dddfea9b1ecd9a
size 7193613

86
firewalld.changes
View File

@ -1,3 +1,89 @@
-------------------------------------------------------------------
Sun Nov 24 17:36:31 UTC 2019 - Neal Gompa <ngompa13@gmail.com>
- Replace incorrect usage of %_libexecdir with %_prefix/lib
-------------------------------------------------------------------
Thu Oct 10 12:40:49 UTC 2019 - Mathias Homann <Mathias.Homann@opensuse.org>
- rebased the original patch from revision 19
- apply patch only on openSUSE < TW, and SLES.
-------------------------------------------------------------------
Fri Oct 4 09:44:37 UTC 2019 - Mathias Homann <Mathias.Homann@opensuse.org>
- Added a patch to make iptables the default again on openSUSE
-------------------------------------------------------------------
Fri Oct 4 09:10:54 UTC 2019 - Mathias Homann <Mathias.Homann@opensuse.org>
- Update to version 0.7.2:
This is a bug fix only release.
* fix: direct: removeRules() was mistakenly removing all rules
* fix: guarantee zone source dispatch is sorted by zone name
* fix: nftables: fix zone dispatch using ipset sources in nat chains
* doc: add --default-config and --system-config
* fix: --add-masquerade should only affect ipv4
* fix: nftables: --forward-ports should only affect IPv4
* fix: direct: removeRules() not removing all rules in chain
* dbus: service: fix service includes individual APIs
* fix: allow custom helpers using standard helper modules
* fix: service: usage of helpers with '-' in name
* fix: Revert "ebtables: drop support for broute table"
* fix: ebtables: don't use tables that aren't available
* fix: fw: initialize _rfc3964_ipv4
-------------------------------------------------------------------
Mon Sep 09 09:59:00 UTC 2019 - mrostecki@opensuse.org
- Update to version 0.7.1:
* Rich Rule Priorities
* Service Definition Includes - Service definitions can now
include lines like: <include service="https"/> which will
include all the ports, etc from the https service.
* RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in
firewalld.conf is available. It does filtering based on RFC3964
in regards to IPv4 addresses. This functionality was
traditionally in network-scripts.
* FlushAllOnReload - A new option FlushAllOnReload in
firewalld.conf is available. Older release retained some
settings (direct rules, interface to zone assignments) during a
--reload. With the introduction of this configuration option
that is no longer the case. Old behavior can be restored by
setting FlushAllOnReload=no.
* 15 new service definitions
* fix: firewall-offline-cmd: service: use dict based APIs
* fix: client: service: use dict based dbus APIs
* test: dbus: coverage for new service APIs
* fix: dbus: new dict based APIs for services
* test: dbus: service API coverage
* test: functions: add macro DBUS_INTROSPECT
* test: functions: add CHOMP macro for shell output
* fix: tests/functions: use gdbus instead of dbus-send
* fix: dbus: add missing APIs for service includes
- Remove patch for using iptables instead of nftables - we should
finally switch to nftables and fix its issues properly if they
occur again:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Remove patch which was released upstream:
* 0002-Add-FlushAllOnReload-config-option.patch
-------------------------------------------------------------------
Tue Jun 11 16:27:57 UTC 2019 - mrostecki@opensuse.org
- Update to version 0.6.4:
* chore: update translations
* treewide: fix over indentation (flake8 E117)
* test: travis: add another test matrix for omitting ip6tables
* chore: travis: split test matrix by keywords
* chore: tests: add AT_KEYWORDS for firewall-offline-cmd
* improvement: tests: Use AT_KEYWORDS for backends
* fix: tests: guard occurrences of IPv6
* fix: tests/functions: ignore warnings about missing ip6tables
* test: add macro IF_IPV6_SUPPORTED
-------------------------------------------------------------------
Wed May 8 09:39:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>

5
firewalld.obsinfo Normal file
View File

@ -0,0 +1,5 @@
name: firewalld
version: 0.7.2
mtime: 1569950644
commit: 06de1841cfe41cc8c3c3f7c073aabc1f9f5d0ad0

50
firewalld.spec
View File

@ -21,17 +21,15 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: firewalld
Version: 0.6.3
Version: 0.7.2
Release: 0
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
Url: http://www.firewalld.org
Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
# PATCH-FIX-SUSE: 0002-Add-FlushAllOnReload-config-option.patch (bsc#1121277)
Patch1: 0002-Add-FlushAllOnReload-config-option.patch
Source: %{name}-%{version}.tar.xz
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: desktop-file-utils
@ -114,12 +112,18 @@ firewalld.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
# bsc#1078223
rm config/services/high-availability.xml
#
# Patch added: opensuse still uses iptables by default,
# so let's make this the default for anything << Tumbleweed
#
%if 0%{?sle_version} > 0 && 0%{?suse_version} < 1550
%patch0 -p1
%endif
%build
export PYTHON="%{_bindir}/python3"
./autogen.sh
@ -213,20 +217,22 @@ fi
%{_bindir}/firewall-offline-cmd
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/firewall-cmd
%dir %{_libexecdir}/firewalld
%dir %{_libexecdir}/firewalld/icmptypes
%dir %{_libexecdir}/firewalld/ipsets
%dir %{_libexecdir}/firewalld/services
%dir %{_libexecdir}/firewalld/zones
%dir %{_libexecdir}/firewalld/helpers
%{_libexecdir}/firewalld/icmptypes/*.xml
%{_libexecdir}/firewalld/ipsets/README
%{_libexecdir}/firewalld/services/*.xml
%{_libexecdir}/firewalld/zones/*.xml
%{_libexecdir}/firewalld/helpers/*.xml
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_firewalld
%dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/icmptypes
%dir %{_prefix}/lib/firewalld/ipsets
%dir %{_prefix}/lib/firewalld/services
%dir %{_prefix}/lib/firewalld/zones
%dir %{_prefix}/lib/firewalld/helpers
%{_prefix}/lib/firewalld/icmptypes/*.xml
%{_prefix}/lib/firewalld/ipsets/README
%{_prefix}/lib/firewalld/services/*.xml
%{_prefix}/lib/firewalld/zones/*.xml
%{_prefix}/lib/firewalld/helpers/*.xml
%{_datadir}/polkit-1
%dir %{_sysconfdir}/dbus-1
%dir %{_sysconfdir}/dbus-1/system.d
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/system.d
%dir %{_sysconfdir}/modprobe.d
%config(noreplace) %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
@ -239,7 +245,7 @@ fi
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
%{_unitdir}/firewalld.service
%{_fillupdir}/sysconfig.%{name}
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
%{_datadir}/dbus-1/system.d/FirewallD.conf
%{_mandir}/man1/firewall*cmd*.1%{?ext_man}
%{_mandir}/man1/firewalld*.1%{?ext_man}
%{_mandir}/man5/firewall*.5%{?ext_man}