From d2da4cedb0b9b5e7bdc344a1b20a8d7adc2e8d6c1e0abc8db14ed99d42f0fcb4 Mon Sep 17 00:00:00 2001
From: Mohd Saquib
Date: Mon, 8 Jan 2024 08:29:12 +0000
Subject: [PATCH] Accepting request 1137493 from home:msaquib:branches:security:netfilter

- update to 2.1.0:
 * eat(service): add DNS over QUIC (DoQ) Service (5130430)
 * feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types (dd88bbf)
 * feat(fw): add ReloadPolicy option in firewalld.conf (0019371)
 * feat(service): add submission service (tcp 587) (d6a9561)
 * feat(service): Add alvr (3a92358)
 * feat(service): add vrrp (d62fc8d)
 [* Renamed patch 0002-Disable-FlushAllOnReload-option.patch to 0001-Disable-FlushAllOnReload-option.patch
 [* Renamed patch firewalld-runstatedir.patch to 0002-firewalld-runstatedir.patch]

OBS-URL: https://build.opensuse.org/request/show/1137493
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=158
---
 ...0001-Disable-FlushAllOnReload-option.patch | 49 ++++++++++++-------
 0002-firewalld-runstatedir.patch | 25 ++++++++++
 firewalld-2.0.2.tar.bz2 | 3 --
 firewalld-2.1.0.tar.bz2 | 3 ++
 firewalld-runstatedir.patch | 13 -----
 firewalld.changes | 14 ++++++
 firewalld.spec | 11 +++--
 7 files changed, 79 insertions(+), 39 deletions(-)
 rename 0002-Disable-FlushAllOnReload-option.patch => 0001-Disable-FlushAllOnReload-option.patch (52%)
 create mode 100644 0002-firewalld-runstatedir.patch
 delete mode 100644 firewalld-2.0.2.tar.bz2
 create mode 100644 firewalld-2.1.0.tar.bz2
 delete mode 100644 firewalld-runstatedir.patch

diff --git a/0002-Disable-FlushAllOnReload-option.patch b/0001-Disable-FlushAllOnReload-option.patch
similarity index 52%
rename from 0002-Disable-FlushAllOnReload-option.patch
rename to 0001-Disable-FlushAllOnReload-option.patch
index 631513f..ff09413 100644
--- a/0002-Disable-FlushAllOnReload-option.patch
+++ b/0001-Disable-FlushAllOnReload-option.patch
@@ -1,57 +1,68 @@ -From b1145d3efc58220f58a4e67189c4ff4a8bd789ce Mon Sep 17 00:00:00 2001 -From: Michal Rostecki -Date: Mon, 25 Jan 2021 12:58:00 +0100 -Subject: [PATCH] Disable FlushAllOnReload option +From 98c87acce02c1963644455933ce7c2d40015d295 Mon Sep 17 00:00:00 2001 +From: Mohd Saquib +Date: Mon, 8 Jan 2024 12:34:35 +0530 +Subject: [PATCH] Disable FlushAllOnReload option by default Disabling the FlushAllOnReload option restores the old behavior where --reload does not retain interface to zone assignmnets and direct rules. We want to keep that behavior in openSUSE and SLE Signed-off-by: Michal Rostecki +Signed-off-by: Mohd Saquib + --- - config/firewalld.conf | 4 ++-- - doc/xml/firewalld.conf.xml | 2 +- + config/firewalld.conf | 8 ++++---- + doc/xml/firewalld.conf.xml | 4 ++-- src/firewall/config/__init__.py.in | 2 +- - 3 files changed, 4 insertions(+), 4 deletions(-) + 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/firewalld.conf b/config/firewalld.conf -index 7c9305e..43663b3 100644 +index 2d1a0cb..af42478 100644 --- a/config/firewalld.conf +++ b/config/firewalld.conf -@@ -63,8 +63,8 @@ FirewallBackend=nftables +@@ -61,10 +61,10 @@ FirewallBackend=nftables + # FlushAllOnReload + # Flush all runtime rules on a reload. In previous releases some runtime # configuration was retained during a reload, namely; interface to zone - # assignment, and direct rules. This was confusing to users. To get the old - # behavior set this to "no". +-# assignment, and direct rules. This was confusing to users. To get the old +-# behavior set this to "no". -# Default: yes -FlushAllOnReload=yes ++# assignment, and direct rules. This was confusing to users. To override this ++# behavior set this to "yes". +# Default: no +FlushAllOnReload=no - # RFC3964_IPv4 - # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that + # ReloadPolicy + # Policy during reload. By default all traffic except for established 
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml -index 1b74f70..a45c8df 100644 +index 6bb8069..e226113 100644 --- a/doc/xml/firewalld.conf.xml +++ b/doc/xml/firewalld.conf.xml -@@ -190,7 +190,7 @@ +@@ -179,8 +179,8 @@ + Flush all runtime rules on a reload. In previous releases some runtime configuration was retained during a reload, namely; interface to zone assignment, and direct rules. This was - confusing to users. To get the old behavior set this to "no". +- confusing to users. To get the old behavior set this to "no". - Defaults to "yes". ++ confusing to users. To override this behavior set this to "yes". + Defaults to "no". diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in -index 468daf5..5ec116c 100644 +index 12b694e..2c7be57 100644 --- a/src/firewall/config/__init__.py.in +++ b/src/firewall/config/__init__.py.in -@@ -132,7 +132,7 @@ FALLBACK_INDIVIDUAL_CALLS = False +@@ -124,7 +124,7 @@ FALLBACK_INDIVIDUAL_CALLS = False FALLBACK_LOG_DENIED = "off" FALLBACK_AUTOMATIC_HELPERS = "no" FALLBACK_FIREWALL_BACKEND = "nftables" -FALLBACK_FLUSH_ALL_ON_RELOAD = True +FALLBACK_FLUSH_ALL_ON_RELOAD = False + FALLBACK_RELOAD_POLICY = "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP" FALLBACK_RFC3964_IPV4 = True FALLBACK_ALLOW_ZONE_DRIFTING = False - FALLBACK_NFTABLES_FLOWTABLE = "off" +-- +2.35.3 + diff --git a/0002-firewalld-runstatedir.patch b/0002-firewalld-runstatedir.patch new file mode 100644 index 0000000..aa85849 --- /dev/null +++ b/0002-firewalld-runstatedir.patch 
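Review bot: The refreshed config comment in the firewalld.conf hunk, `+# assignment, and direct rules. This was confusing to users. To override this` / `+# behavior set this to "yes".`, keeps upstream's sentence arguing against retention while the patch makes retention the default, so the shipped config explains the rationale for the opposite setting. Consider rewording those two lines in the patch to something like `# assignment, and direct rules. openSUSE/SLE keep that behavior by default; set` / `# this to "yes" to flush everything on reload.`, and keep the matching sentence in the doc/xml/firewalld.conf.xml hunk of this section in step. It is also worth stating plainly in the comment that with "no" the runtime-only direct rules and interface-to-zone assignments named in the preceding context lines survive `--reload`, since that is exactly the surprise the upstream wording warns about.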
@@ -0,0 +1,25 @@
+From 0b9644ab645d69877f3bef50ede50cb30972e2e1 Mon Sep 17 00:00:00 2001
+From: Mohd Saquib
+Date: Mon, 8 Jan 2024 12:57:34 +0530
+Subject: [PATCH] Change firewalld pid from /var/run to /run
+
+---
+ src/firewall/config/__init__.py.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 12b694e..3914c90 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -87,7 +87,7 @@ FIREWALLD_LOGFILE = "/var/log/firewalld"
+ 
+ FIREWALLD_LOGTARGET = "@DEFAULT_LOG_TARGET@"
+ 
+-FIREWALLD_PIDFILE = "/var/run/firewalld.pid"
++FIREWALLD_PIDFILE = "/run/firewalld.pid"
+ 
+ FIREWALLD_TEMPDIR = "/run/firewalld"
+ 
+--
+2.35.3
+
diff --git a/firewalld-2.0.2.tar.bz2 b/firewalld-2.0.2.tar.bz2
deleted file mode 100644
index f72eb40..0000000
--- a/firewalld-2.0.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cb1999d4de42955c2d0b7cd95ae8f300a0bbad1c7063d034659405cdad4da8e6
-size 1276527
diff --git a/firewalld-2.1.0.tar.bz2 b/firewalld-2.1.0.tar.bz2
new file mode 100644
index 0000000..804f16d
--- /dev/null
+++ b/firewalld-2.1.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:22e3c700c2e4867796e9c22cf929cba4b2c143c8884240cfb9f3ef731366ff71
+size 1310431
diff --git a/firewalld-runstatedir.patch b/firewalld-runstatedir.patch
deleted file mode 100644
index 2295cba..0000000
--- a/firewalld-runstatedir.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/__init__.py.in b/__init__.py.in.new
-index d982384..6452e6d 100644
---- a/src/firewall/config/__init__.py.in
-+++ b/src/firewall/config/__init__.py.in
-@@ -95,7 +95,7 @@ FIREWALLD_LOGFILE = '/var/log/firewalld'
- 
- FIREWALLD_LOGTARGET = '@DEFAULT_LOG_TARGET@'
- 
--FIREWALLD_PIDFILE = "/var/run/firewalld.pid"
-+FIREWALLD_PIDFILE = "/run/firewalld.pid"
- 
- FIREWALLD_TEMPDIR = '/run/firewalld'
- 
diff --git a/firewalld.changes b/firewalld.changes
index dfa9f68..a685c9b 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Jan 8 07:30:21 UTC 2024 - Mohd Saquib
+
+- update to 2.1.0:
+ * eat(service): add DNS over QUIC (DoQ) Service (5130430)
+ * feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types (dd88bbf)
+ * feat(fw): add ReloadPolicy option in firewalld.conf (0019371)
+ * feat(service): add submission service (tcp 587) (d6a9561)
+ * feat(service): Add alvr (3a92358)
+ * feat(service): add vrrp (d62fc8d)
+ [* Renamed patch 0002-Disable-FlushAllOnReload-option.patch to
+ 0001-Disable-FlushAllOnReload-option.patch
+ [* Renamed patch firewalld-runstatedir.patch to 0002-firewalld-runstatedir.patch]
+
 -------------------------------------------------------------------
 Wed Nov 29 07:10:44 UTC 2023 - Mohd Saquib
 
diff --git a/firewalld.spec b/firewalld.spec
index 98e8469..c4cf08b 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package firewalld
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 %global modprobe_d_files firewalld-sysctls.conf
 
 Name: firewalld
-Version: 2.0.2
+Version: 2.1.0
 Release: 0
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPL-2.0-or-later
@@ -35,8 +35,8 @@ Group: Productivity/Networking/Security
 URL: https://www.firewalld.org
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
 Source1: docker-zone.xml
-Patch0: 0002-Disable-FlushAllOnReload-option.patch
-Patch1: firewalld-runstatedir.patch
+Patch0: 0001-Disable-FlushAllOnReload-option.patch
+Patch1: 0002-firewalld-runstatedir.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: desktop-file-utils
@@ -285,12 +285,15 @@ fi
 %dir %{_prefix}/lib/firewalld/zones
 %dir %{_prefix}/lib/firewalld/helpers
 %dir %{_prefix}/lib/firewalld/policies
+%dir %{_prefix}/lib/firewalld/xmlschema
 %{_prefix}/lib/firewalld/icmptypes/*.xml
 %{_prefix}/lib/firewalld/ipsets/README.md
 %{_prefix}/lib/firewalld/services/*.xml
 %{_prefix}/lib/firewalld/zones/*.xml
 %{_prefix}/lib/firewalld/helpers/*.xml
 %{_prefix}/lib/firewalld/policies/*.xml
+%{_prefix}/lib/firewalld/xmlschema/check.sh
+%{_prefix}/lib/firewalld/xmlschema/*.xsd
 %{_datadir}/polkit-1
 %dir %{_datadir}/dbus-1
 %dir %{_datadir}/dbus-1/system.d
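Review bot: The bump to `+Version: 2.1.0` changes which upstream tarball Source0 fetches, yet the only thing pinning its content is the git-lfs sha256 oid in the new firewalld-2.1.0.tar.bz2 pointer; nothing visible in the spec verifies the download against an upstream signature. If upstream publishes a detached signature for the release tarball, adding it as a further `Source:` next to Source0 together with a `%{name}.keyring` source would let the build service's source checks verify provenance on each update instead of trusting whoever fetched the file. In the %files hunk at line 285, `%{_prefix}/lib/firewalld/xmlschema/check.sh` looks like a schema-validation helper script rather than runtime data; confirm it is meant to ship in the main package with the mode rpmlint expects, or drop it from %files if it is only used by the test suite.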