From d850d0365eae963cdb648cc7cd1785136cf3a6bc26db8ec2988176bb6538774d Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Wed, 15 Aug 2018 13:33:29 +0000
Subject: [PATCH 1/5] - Restore nftables as default backend (bsc#1102761). nftables and iptables can co-exist but the 'nat' table had a bug which was fixed in kernel-4.18.

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=78
---
 ...d-Switch-default-backend-to-iptables.patch | 59 -------------------
 firewalld.changes | 9 ++-
 firewalld.spec | 4 --
 3 files changed, 4 insertions(+), 68 deletions(-)
 delete mode 100644 0001-firewall-backend-Switch-default-backend-to-iptables.patch

diff --git a/0001-firewall-backend-Switch-default-backend-to-iptables.patch b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
deleted file mode 100644
index de11a7f..0000000
--- a/0001-firewall-backend-Switch-default-backend-to-iptables.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From dbbf60a4bb0c7edc83cd8bae2177d96842ad9034 Mon Sep 17 00:00:00 2001
-From: Markos Chandras
-Date: Mon, 13 Aug 2018 22:31:04 +0300
-Subject: [PATCH] firewall: backend: Switch default backend to 'iptables'
-
-Switch default backend to 'iptables'. Some packages (eg docker)
-are not able to work well with nftables right now, so lets stick
-with iptables as default backend.
-
-Link: https://bugzilla.suse.com/show_bug.cgi?id=1102761
-Signed-off-by: Markos Chandras
----
- config/firewalld.conf | 6 +++---
- doc/xml/firewalld.conf.xml | 4 ++--
- src/firewall/config/__init__.py.in | 2 +-
- 3 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/config/firewalld.conf b/config/firewalld.conf
-index b53c0aa5..e6afde19 100644
---- a/config/firewalld.conf
-+++ b/config/firewalld.conf
-@@ -59,6 +59,6 @@ AutomaticHelpers=system
- # FirewallBackend
- # Selects the firewall backend implementation.
- # Choices are:
--# - nftables (default)
--# - iptables (iptables, ip6tables, ebtables and ipset)
--FirewallBackend=nftables
-+# - nftables
-+# - iptables (default)
-+FirewallBackend=iptables
-diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
-index df4b9521..fee0d3ca 100644
---- a/doc/xml/firewalld.conf.xml
-+++ b/doc/xml/firewalld.conf.xml
-@@ -149,8 +149,8 @@
- 
- 
- Selects the firewall backend implementation. Possible values
-- are; nftables (default), or
-- iptables. This applies to all
-+ are; nftables, or
-+ iptables (default). This applies to all
- firewalld primitives. The only exception is direct and
- passthrough rules which always use the traditional iptables,
- ip6tables, and ebtables backends.
-diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
-index 955be320..cff7c3fe 100644
---- a/src/firewall/config/__init__.py.in
-+++ b/src/firewall/config/__init__.py.in
-@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
- FALLBACK_INDIVIDUAL_CALLS = False
- FALLBACK_LOG_DENIED = "off"
- FALLBACK_AUTOMATIC_HELPERS = "system"
--FALLBACK_FIREWALL_BACKEND = "nftables"
-+FALLBACK_FIREWALL_BACKEND = "iptables"
--- 
-2.16.4
-
diff --git a/firewalld.changes b/firewalld.changes
index 9a2c69a..37ddab1 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,10 +1,9 @@
 -------------------------------------------------------------------
-Mon Aug 13 19:08:39 UTC 2018 - mchandras@suse.de
+Mon Aug 15 13:08:39 UTC 2018 - mchandras@suse.de
 
-- Also switch firewall backend fallback to 'iptables' (bsc#1102761)
- This ensures that existing configuration files will keep working
- even if FirewallBackend option is missing.
- * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
+- Restore nftables as default backend (bsc#1102761). nftables and
+ iptables can co-exist but the 'nat' table had a bug which was fixed
+ in kernel-4.18.
 
 -------------------------------------------------------------------
 Fri Aug 10 06:23:35 UTC 2018 - mchandras@suse.de
diff --git a/firewalld.spec b/firewalld.spec
index be38768..dcd98bd 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -28,8 +28,6 @@ License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
 Url: http://www.firewalld.org
 Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
-Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: desktop-file-utils
@@ -112,8 +110,6 @@ firewalld.
 
 %prep
 %setup -q
-# bsc#1102761 - switch to iptables as default
-%patch0 -p1
 # bsc#1078223
 rm config/services/high-availability.xml
 
From 5d1fc7f1eeb19cf30747131418e0a845d07dbb9e86bf2401ca92b881af31e64c Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Wed, 15 Aug 2018 13:36:55 +0000
Subject: [PATCH 2/5] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=79
---
 firewalld.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/firewalld.changes b/firewalld.changes
index 37ddab1..662df96 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Mon Aug 15 13:08:39 UTC 2018 - mchandras@suse.de
+Wed Aug 15 13:08:39 UTC 2018 - mchandras@suse.de
 
 - Restore nftables as default backend (bsc#1102761). nftables and
 iptables can co-exist but the 'nat' table had a bug which was fixed
From 4870327e986c1d9a239876b70636a0dd7d4925e5b715ef73e96f191ca4d68552 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Tue, 4 Sep 2018 07:28:09 +0000
Subject: [PATCH 3/5] Accepting request 632901 from home:luc14n0:branches:security:netfilter

add firewalld-fix-firewalld-config-crash.patch to fix firewall-config crash

OBS-URL: https://build.opensuse.org/request/show/632901
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=80
---
 firewalld-fix-firewalld-config-crash.patch | 44 ++++++++++++++++++++++
 firewalld.changes | 9 +++++
 firewalld.spec | 3 ++
 3 files changed, 56 insertions(+)
 create mode 100644 firewalld-fix-firewalld-config-crash.patch

diff --git a/firewalld-fix-firewalld-config-crash.patch b/firewalld-fix-firewalld-config-crash.patch
new file mode 100644
index 0000000..837eca5
--- /dev/null
+++ b/firewalld-fix-firewalld-config-crash.patch
@@ -0,0 +1,44 @@
+From a24ab61eabe24656b457273f54133fa99087f2f6 Mon Sep 17 00:00:00 2001
+From: Farenjihn
+Date: Fri, 17 Aug 2018 11:58:55 +0200
+Subject: [PATCH] firewall/core/fw_nm: nm_get_zone_of_connection should return
+ None or empty string instead of False
+
+(cherry picked from commit 5a59a90f449a8bf836e62e2d9ad486301b1aa2bb)
+---
+ src/firewall/core/fw_nm.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
+index 97113d95..37282a1a 100644
+--- a/src/firewall/core/fw_nm.py
++++ b/src/firewall/core/fw_nm.py
+@@ -75,21 +75,21 @@ def nm_get_zone_of_connection(connection):
+ 
+ con = nm_get_client().get_connection_by_uuid(connection)
+ if con is None:
+- return False
++ return None
+ 
+ setting_con = con.get_setting_connection()
+ if setting_con is None:
+- return False
++ return None
+ 
+ try:
+ if con.get_flags() & (NM.SettingsConnectionFlags.NM_GENERATED
+ | NM.SettingsConnectionFlags.NM_VOLATILE):
+- return False
++ return ""
+ except AttributeError:
+ # Prior to NetworkManager 1.12, we can only guess
+ # that a connection was generated/volatile.
+ if con.get_unsaved():
+- return False
++ return ""
+ 
+ zone = setting_con.get_zone()
+ if zone is None:
+-- 
+2.18.0
+
diff --git a/firewalld.changes b/firewalld.changes
index 662df96..52edd0c 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sun Sep 2 03:50:37 UTC 2018 - luc14n0@linuxmail.org
+
+- Add firewalld-fix-firewalld-config-crash.patch: set
+ nm_get_zone_of_connection to return 'None' instead of 'False' for
+ automatically generated connections to avoid firewall-config
+ crashes. Patch provided by upstream (boo#1106319,
+ gh#firewalld/firewalld#370).
+
 -------------------------------------------------------------------
 Wed Aug 15 13:08:39 UTC 2018 - mchandras@suse.de
 
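Review bot: The new return contract of nm_get_zone_of_connection is not written down anywhere in the hunk: a connection that cannot be found, or that has no connection setting, now yields `None`, while an NM-generated or volatile connection yields `""`, so any caller that tests `zone is None` now sees those two cases as different, whereas a caller using `if not zone` behaves as before. The patch subject says the None/"" split is intended, but the function's signature and docstring are above the hunk and the patch does not touch them, so the next person rebasing this package-local patch has to reconstruct the contract from the subject line. A docstring sentence such as `Return None when the connection or its connection setting is unknown, "" when the connection is NM-generated/volatile, otherwise the zone read from the setting.` would make that explicit. The body continues past the hunk (the `zone is None` branch is cut off), so what is returned for a connection with no zone set cannot be judged from here.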
diff --git a/firewalld.spec b/firewalld.spec
index dcd98bd..637ea60 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -28,6 +28,8 @@ License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
 Url: http://www.firewalld.org
 Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM firewalld-fix-firewalld-config-crash.patch luc14n0@linuxmail.org -- fix firewall-config crash when nm_get_zone_of_connection returns "False"
+Patch0: firewalld-fix-firewalld-config-crash.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: desktop-file-utils
@@ -110,6 +112,7 @@ firewalld.
 
 %prep
 %setup -q
+%patch0 -p1
 # bsc#1078223
 rm config/services/high-availability.xml
 
From 5b572a40ef2f34d6dbf7215f84c348305644597f93bd8a5bb5eab77bc4f1121d Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Tue, 4 Sep 2018 07:50:48 +0000
Subject: [PATCH 4/5] Restore package to Factory version

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=81
---
 ...d-Switch-default-backend-to-iptables.patch | 59 +++++++++++++++++++
 firewalld.changes | 7 ---
 firewalld.spec | 5 +-
 3 files changed, 63 insertions(+), 8 deletions(-)
 create mode 100644 0001-firewall-backend-Switch-default-backend-to-iptables.patch

diff --git a/0001-firewall-backend-Switch-default-backend-to-iptables.patch b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
new file mode 100644
index 0000000..de11a7f
--- /dev/null
+++ b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
@@ -0,0 +1,59 @@
+From dbbf60a4bb0c7edc83cd8bae2177d96842ad9034 Mon Sep 17 00:00:00 2001
+From: Markos Chandras
+Date: Mon, 13 Aug 2018 22:31:04 +0300
+Subject: [PATCH] firewall: backend: Switch default backend to 'iptables'
+
+Switch default backend to 'iptables'. Some packages (eg docker)
+are not able to work well with nftables right now, so lets stick
+with iptables as default backend.
+
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1102761
+Signed-off-by: Markos Chandras
+---
+ config/firewalld.conf | 6 +++---
+ doc/xml/firewalld.conf.xml | 4 ++--
+ src/firewall/config/__init__.py.in | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index b53c0aa5..e6afde19 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -59,6 +59,6 @@ AutomaticHelpers=system
+ # FirewallBackend
+ # Selects the firewall backend implementation.
+ # Choices are:
+-# - nftables (default)
+-# - iptables (iptables, ip6tables, ebtables and ipset)
+-FirewallBackend=nftables
++# - nftables
++# - iptables (default)
++FirewallBackend=iptables
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index df4b9521..fee0d3ca 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -149,8 +149,8 @@
+ 
+ 
+ Selects the firewall backend implementation. Possible values
+- are; nftables (default), or
+- iptables. This applies to all
++ are; nftables, or
++ iptables (default). This applies to all
+ firewalld primitives. The only exception is direct and
+ passthrough rules which always use the traditional iptables,
+ ip6tables, and ebtables backends.
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 955be320..cff7c3fe 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
+ FALLBACK_INDIVIDUAL_CALLS = False
+ FALLBACK_LOG_DENIED = "off"
+ FALLBACK_AUTOMATIC_HELPERS = "system"
+-FALLBACK_FIREWALL_BACKEND = "nftables"
++FALLBACK_FIREWALL_BACKEND = "iptables"
+-- 
+2.16.4
+
diff --git a/firewalld.changes b/firewalld.changes
index 52edd0c..783e4f0 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -7,13 +7,6 @@ Sun Sep 2 03:50:37 UTC 2018 - luc14n0@linuxmail.org
 crashes. Patch provided by upstream (boo#1106319,
 gh#firewalld/firewalld#370).
 
--------------------------------------------------------------------
-Wed Aug 15 13:08:39 UTC 2018 - mchandras@suse.de
-
-- Restore nftables as default backend (bsc#1102761). nftables and
- iptables can co-exist but the 'nat' table had a bug which was fixed
- in kernel-4.18.
-
 -------------------------------------------------------------------
 Fri Aug 10 06:23:35 UTC 2018 - mchandras@suse.de
 
diff --git a/firewalld.spec b/firewalld.spec
index 637ea60..a053d4b 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -28,8 +28,10 @@ License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
 Url: http://www.firewalld.org
 Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
+Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
 # PATCH-FIX-UPSTREAM firewalld-fix-firewalld-config-crash.patch luc14n0@linuxmail.org -- fix firewall-config crash when nm_get_zone_of_connection returns "False"
-Patch0: firewalld-fix-firewalld-config-crash.patch
+Patch1: firewalld-fix-firewalld-config-crash.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: desktop-file-utils
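Review bot: The two patch comment lines in the spec hunk are written in different shapes: the re-added `# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)` gives only a bug number, while the neighbouring `# PATCH-FIX-UPSTREAM firewalld-fix-firewalld-config-crash.patch luc14n0@linuxmail.org -- fix firewall-config crash ...` line names a contact and says what the patch does. The SUSE patch is the one that overrides upstream's nftables default, and the reason for that (the docker incompatibility described inside the patch file, tracked as bsc#1102761) is otherwise visible only to someone who opens the patch, since this commit's message just says "Restore package to Factory version". Writing it in the same form, e.g. `# PATCH-FIX-SUSE 0001-firewall-backend-Switch-default-backend-to-iptables.patch mchandras@suse.de -- keep iptables as default FirewallBackend (bsc#1102761)`, keeps that rationale next to the Patch0 line for whoever later decides whether the override can be dropped. The Patch0/Patch1 renumbering itself looks safe, as the two patches touch disjoint files.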
@@ -113,6 +115,7 @@ firewalld.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 # bsc#1078223
 rm config/services/high-availability.xml
 
From f10082c5b390f9cac467c57fa2f6ecb6d73e4c6a341a16d244006fdf854fb76d Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Thu, 6 Sep 2018 11:19:07 +0000
Subject: [PATCH 5/5] - Also switch firewall backend fallback to 'iptables' (bsc#1102761) This ensures that existing configuration files will keep working even if FirewallBackend option is missing. * 0001-firewall-backend-Switch-default-backend-to-iptables.patch

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=82
---
 firewalld.changes | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/firewalld.changes b/firewalld.changes
index 783e4f0..93ed5e1 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -7,6 +7,14 @@ Sun Sep 2 03:50:37 UTC 2018 - luc14n0@linuxmail.org
 crashes. Patch provided by upstream (boo#1106319,
 gh#firewalld/firewalld#370).
 
+-------------------------------------------------------------------
+Mon Aug 13 19:08:39 UTC 2018 - mchandras@suse.de
+
+- Also switch firewall backend fallback to 'iptables' (bsc#1102761)
+ This ensures that existing configuration files will keep working
+ even if FirewallBackend option is missing.
+ * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
+
 -------------------------------------------------------------------
 Fri Aug 10 06:23:35 UTC 2018 - mchandras@suse.de