Accepting request 1137493 from home:msaquib:branches:security:netfilter

- update to 2.1.0:
  * eat(service): add DNS over QUIC (DoQ) Service (5130430)
  * feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types (dd88bbf)
  * feat(fw): add ReloadPolicy option in firewalld.conf (0019371)
  * feat(service): add submission service (tcp 587) (d6a9561)
  * feat(service): Add alvr (3a92358)
  * feat(service): add vrrp (d62fc8d)
  [* Renamed patch 0002-Disable-FlushAllOnReload-option.patch to
     0001-Disable-FlushAllOnReload-option.patch
  [* Renamed patch firewalld-runstatedir.patch to 0002-firewalld-runstatedir.patch]

OBS-URL: https://build.opensuse.org/request/show/1137493
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=158

0001-Disable-FlushAllOnReload-option.patch

@@ -1,57 +1,68 @@
-From b1145d3efc58220f58a4e67189c4ff4a8bd789ce Mon Sep 17 00:00:00 2001
+From 98c87acce02c1963644455933ce7c2d40015d295 Mon Sep 17 00:00:00 2001
-From: Michal Rostecki <mrostecki@opensuse.org>
+From: Mohd Saquib <mohd.saquib@suse.com>
-Date: Mon, 25 Jan 2021 12:58:00 +0100
+Date: Mon, 8 Jan 2024 12:34:35 +0530
-Subject: [PATCH] Disable FlushAllOnReload option
+Subject: [PATCH] Disable FlushAllOnReload option by default
 
 Disabling the FlushAllOnReload option restores the old behavior where
 --reload does not retain interface to zone assignmnets and direct rules.
 We want to keep that behavior in openSUSE and SLE
 
 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
+Signed-off-by: Mohd Saquib <mohd.saquib@suse.com>
+
 ---
- config/firewalld.conf              | 4 ++--
+ config/firewalld.conf              | 8 ++++----
- doc/xml/firewalld.conf.xml         | 2 +-
+ doc/xml/firewalld.conf.xml         | 4 ++--
  src/firewall/config/__init__.py.in | 2 +-
- 3 files changed, 4 insertions(+), 4 deletions(-)
+ 3 files changed, 7 insertions(+), 7 deletions(-)
 
 diff --git a/config/firewalld.conf b/config/firewalld.conf
-index 7c9305e..43663b3 100644
+index 2d1a0cb..af42478 100644
 --- a/config/firewalld.conf
 +++ b/config/firewalld.conf
-@@ -63,8 +63,8 @@ FirewallBackend=nftables
+@@ -61,10 +61,10 @@ FirewallBackend=nftables
+ # FlushAllOnReload
+ # Flush all runtime rules on a reload. In previous releases some runtime
  # configuration was retained during a reload, namely; interface to zone
- # assignment, and direct rules. This was confusing to users. To get the old
+-# assignment, and direct rules. This was confusing to users. To get the old
- # behavior set this to "no".
+-# behavior set this to "no".
 -# Default: yes
 -FlushAllOnReload=yes
++# assignment, and direct rules. This was confusing to users. To override this
++# behavior set this to "yes".
 +# Default: no
 +FlushAllOnReload=no
  
- # RFC3964_IPv4
+ # ReloadPolicy
- # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+ # Policy during reload. By default all traffic except for established
 diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
-index 1b74f70..a45c8df 100644
+index 6bb8069..e226113 100644
 --- a/doc/xml/firewalld.conf.xml
 +++ b/doc/xml/firewalld.conf.xml
-@@ -190,7 +190,7 @@
+@@ -179,8 +179,8 @@
+                 Flush all runtime rules on a reload. In previous releases some
                  runtime configuration was retained during a reload, namely;
                  interface to zone assignment, and direct rules. This was
-                 confusing to users. To get the old behavior set this to "no".
+-                confusing to users. To get the old behavior set this to "no".
 -                Defaults to "yes".
++                confusing to users. To override this behavior set this to "yes".
 +                Defaults to "no".
                  </para>
              </listitem>
          </varlistentry>
 diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
-index 468daf5..5ec116c 100644
+index 12b694e..2c7be57 100644
 --- a/src/firewall/config/__init__.py.in
 +++ b/src/firewall/config/__init__.py.in
-@@ -132,7 +132,7 @@ FALLBACK_INDIVIDUAL_CALLS = False
+@@ -124,7 +124,7 @@ FALLBACK_INDIVIDUAL_CALLS = False
  FALLBACK_LOG_DENIED = "off"
  FALLBACK_AUTOMATIC_HELPERS = "no"
  FALLBACK_FIREWALL_BACKEND = "nftables"
 -FALLBACK_FLUSH_ALL_ON_RELOAD = True
 +FALLBACK_FLUSH_ALL_ON_RELOAD = False
+ FALLBACK_RELOAD_POLICY = "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP"
  FALLBACK_RFC3964_IPV4 = True
  FALLBACK_ALLOW_ZONE_DRIFTING = False
- FALLBACK_NFTABLES_FLOWTABLE = "off"
+-- 
+2.35.3
+

0002-firewalld-runstatedir.patch

@@ -0,0 +1,25 @@
+From 0b9644ab645d69877f3bef50ede50cb30972e2e1 Mon Sep 17 00:00:00 2001
+From: Mohd Saquib <mohd.saquib@suse.com>
+Date: Mon, 8 Jan 2024 12:57:34 +0530
+Subject: [PATCH] Change firewalld pid from /var/run to /run
+
+---
+ src/firewall/config/__init__.py.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 12b694e..3914c90 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -87,7 +87,7 @@ FIREWALLD_LOGFILE = "/var/log/firewalld"
+ 
+ FIREWALLD_LOGTARGET = "@DEFAULT_LOG_TARGET@"
+ 
+-FIREWALLD_PIDFILE = "/var/run/firewalld.pid"
++FIREWALLD_PIDFILE = "/run/firewalld.pid"
+ 
+ FIREWALLD_TEMPDIR = "/run/firewalld"
+ 
+-- 
+2.35.3
+

firewalld-2.0.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cb1999d4de42955c2d0b7cd95ae8f300a0bbad1c7063d034659405cdad4da8e6
-size 1276527

firewalld-2.1.0.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:22e3c700c2e4867796e9c22cf929cba4b2c143c8884240cfb9f3ef731366ff71
+size 1310431

firewalld-runstatedir.patch

@@ -1,13 +0,0 @@
-diff --git a/__init__.py.in b/__init__.py.in.new
-index d982384..6452e6d 100644
---- a/src/firewall/config/__init__.py.in
-+++ b/src/firewall/config/__init__.py.in
-@@ -95,7 +95,7 @@ FIREWALLD_LOGFILE = '/var/log/firewalld'
- 
- FIREWALLD_LOGTARGET = '@DEFAULT_LOG_TARGET@'
- 
--FIREWALLD_PIDFILE = "/var/run/firewalld.pid"
-+FIREWALLD_PIDFILE = "/run/firewalld.pid"
- 
- FIREWALLD_TEMPDIR = '/run/firewalld'
- 

firewalld.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Jan  8 07:30:21 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>
+
+- update to 2.1.0:
+  * eat(service): add DNS over QUIC (DoQ) Service (5130430)
+  * feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types (dd88bbf)
+  * feat(fw): add ReloadPolicy option in firewalld.conf (0019371)
+  * feat(service): add submission service (tcp 587) (d6a9561)
+  * feat(service): Add alvr (3a92358)
+  * feat(service): add vrrp (d62fc8d)
+  [* Renamed patch 0002-Disable-FlushAllOnReload-option.patch to
+     0001-Disable-FlushAllOnReload-option.patch
+  [* Renamed patch firewalld-runstatedir.patch to 0002-firewalld-runstatedir.patch]
+
 -------------------------------------------------------------------
 Wed Nov 29 07:10:44 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
 

firewalld.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package firewalld
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 %global modprobe_d_files firewalld-sysctls.conf
 
 Name:           firewalld
-Version:        2.0.2
+Version:        2.1.0
 Release:        0
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 License:        GPL-2.0-or-later
@@ -35,8 +35,8 @@ Group:          Productivity/Networking/Security
 URL:            https://www.firewalld.org
 Source0:        https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
 Source1:        docker-zone.xml
-Patch0:         0002-Disable-FlushAllOnReload-option.patch
+Patch0:         0001-Disable-FlushAllOnReload-option.patch
-Patch1:         firewalld-runstatedir.patch
+Patch1:         0002-firewalld-runstatedir.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  desktop-file-utils
@@ -285,12 +285,15 @@ fi
 %dir %{_prefix}/lib/firewalld/zones
 %dir %{_prefix}/lib/firewalld/helpers
 %dir %{_prefix}/lib/firewalld/policies
+%dir %{_prefix}/lib/firewalld/xmlschema
 %{_prefix}/lib/firewalld/icmptypes/*.xml
 %{_prefix}/lib/firewalld/ipsets/README.md
 %{_prefix}/lib/firewalld/services/*.xml
 %{_prefix}/lib/firewalld/zones/*.xml
 %{_prefix}/lib/firewalld/helpers/*.xml
 %{_prefix}/lib/firewalld/policies/*.xml
+%{_prefix}/lib/firewalld/xmlschema/check.sh
+%{_prefix}/lib/firewalld/xmlschema/*.xsd
 %{_datadir}/polkit-1
 %dir %{_datadir}/dbus-1
 %dir %{_datadir}/dbus-1/system.d