Accepting request 827072 from home:dirkmueller:branches:security:netfilter

- update to 0.8.3: * nftables: convert to libnftables JSON interface * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”. * allow custom helpers using standard helper modules (rhbz 1733066) * testsuite is now shipped in the dist tarball * Typo in firewall-config(1) * Fix typo in TFTP service description * doc: README: add note about language translations * fix: rich: source/dest only matching with mark action * feat: AllowZoneDrifting config option * feat: nftables: support AllowZoneDrifting=yes * feat: ipXtables: support AllowZoneDrifting=yes * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting * fix: add logrotate policy * doc: direct: add CAVEATS section * fix: checkIP6: strip leading/trailing square brackets * fix: nftables: remove square brackets from IPv6 addresses * fix: ipXtables: remove square brackets from IPv6 addresses * fix: nftables: ipset types using “port” * fix: nftables: zone dispatch with multidimensional ipsets * fix: ipset: destroy runtime sets on reload/stop * fix: port: support querying sub ranges * fix: source_port: support querying sub ranges * doc: specify accepted characters for object names * fix: doc: address copy/paste mistakes in short/description * fix: configure: atlocal: quote variable values * fix: nftables: allow set intervals with concatenations * doc: clarify –set-target values “default” vs “reject” * fix: update dynamic DCE RPC ports in freeipa-trust service * fix: nftables: ipset: port ranges for non-default protocols OBS-URL: https://build.opensuse.org/request/show/827072 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=103
2020-08-17 07:45:59 +00:00
parent 20a544565d
commit d6d990908d
8 changed files with 68 additions and 43 deletions
--- a/0001-firewall-backend-Switch-default-backend-to-iptables.patch
+++ b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
@@ -1,7 +1,8 @@
-diff -burNE firewalld-0.7.4_orig/config/firewalld.conf firewalld-0.7.4/config/firewalld.conf
--- firewalld-0.7.4_orig/config/firewalld.conf	2020-04-03 09:45:04.363964087 +0200
-+++ firewalld-0.7.4/config/firewalld.conf	2020-04-03 09:45:21.495215479 +0200
-@@ -53,9 +53,9 @@
+Index: firewalld-0.8.3/config/firewalld.conf
+===================================================================
+--- firewalld-0.8.3.orig/config/firewalld.conf
+++ firewalld-0.8.3/config/firewalld.conf
+@@ -43,9 +43,9 @@ LogDenied=off
 # FirewallBackend
 # Selects the firewall backend implementation.
 # Choices are:
@@ -14,9 +15,10 @@ diff -burNE firewalld-0.7.4_orig/config/firewalld.conf firewalld-0.7.4/config/fi
 
 # FlushAllOnReload
 # Flush all runtime rules on a reload. In previous releases some runtime
-diff -burNE firewalld-0.7.4_orig/doc/xml/firewalld.conf.xml firewalld-0.7.4/doc/xml/firewalld.conf.xml
--- firewalld-0.7.4_orig/doc/xml/firewalld.conf.xml	2020-04-03 09:45:05.071933150 +0200
-+++ firewalld-0.7.4/doc/xml/firewalld.conf.xml	2020-04-03 09:45:21.499215305 +0200
+Index: firewalld-0.8.3/doc/xml/firewalld.conf.xml
+===================================================================
+--- firewalld-0.8.3.orig/doc/xml/firewalld.conf.xml
+++ firewalld-0.8.3/doc/xml/firewalld.conf.xml
@@ -149,8 +149,8 @@
             <listitem>
                 <para>
@@ -28,13 +30,14 @@ diff -burNE firewalld-0.7.4_orig/doc/xml/firewalld.conf.xml firewalld-0.7.4/doc/
                 firewalld primitives. The only exception is direct and
                 passthrough rules which always use the traditional iptables,
                 ip6tables, and ebtables backends.
-diff -burNE firewalld-0.7.4_orig/src/firewall/config/__init__.py.in firewalld-0.7.4/src/firewall/config/__init__.py.in
--- firewalld-0.7.4_orig/src/firewall/config/__init__.py.in	2020-04-03 09:45:05.367920215 +0200
-+++ firewalld-0.7.4/src/firewall/config/__init__.py.in	2020-04-03 09:45:21.503215130 +0200
-@@ -128,7 +128,7 @@
+Index: firewalld-0.8.3/src/firewall/config/__init__.py.in
+===================================================================
+--- firewalld-0.8.3.orig/src/firewall/config/__init__.py.in
+++ firewalld-0.8.3/src/firewall/config/__init__.py.in
+@@ -127,7 +127,7 @@ FALLBACK_IPV6_RPFILTER = True
 FALLBACK_INDIVIDUAL_CALLS = False
 FALLBACK_LOG_DENIED = "off"
- FALLBACK_AUTOMATIC_HELPERS = "system"
+ FALLBACK_AUTOMATIC_HELPERS = "no"
 -FALLBACK_FIREWALL_BACKEND = "nftables"
 +FALLBACK_FIREWALL_BACKEND = "iptables"
 FALLBACK_FLUSH_ALL_ON_RELOAD = True
--- a/17
+++ b/17
@@ -1,17 +0,0 @@
-<services>
-  <service mode="disabled" name="obs_scm">
-    <param name="url">https://github.com/firewalld/firewalld</param>
-    <param name="scm">git</param>
-    <param name="filename">firewalld</param>
-    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="versionrewrite-pattern">v(.*)</param>
-    <param name="revision">v0.7.5</param>
-    <param name="changesgenerate">enable</param>
-  </service>
-  <service mode="buildtime" name="tar" />
-  <service mode="buildtime" name="recompress">
-    <param name="file">*.tar</param>
-    <param name="compression">xz</param>
-  </service>
-  <service mode="disabled" name="set_version" />
-</services>
--- a/4
+++ b/4
@@ -1,4 +0,0 @@
-<servicedata>
-<service name="tar_scm">
-                <param name="url">https://github.com/firewalld/firewalld</param>
-              <param name="changesrevision">7c900054e5293c4c569e3da5def7700045290753</param></service></servicedata>
--- a/firewalld-0.7.5.obscpio
+++ b/firewalld-0.7.5.obscpio
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c6c7b2fdc002b90a30f6d085fdfbbd9068e7c0bb5d2fd9ccc24583c5c256926e
-size 7351309
--- a/firewalld-0.8.3.tar.gz
+++ b/firewalld-0.8.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ecb16d82c2825ccfb8f109e543c0492cf6ea8c43e2d0f59901bddcead037dc6
+size 1772443
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Sun Aug 16 17:09:43 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 0.8.3:
+  * nftables: convert to libnftables JSON interface
+  * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”.
+  * allow custom helpers using standard helper modules (rhbz 1733066)
+  * testsuite is now shipped in the dist tarball
+  * Typo in firewall-config(1)
+  * Fix typo in TFTP service description
+  * doc: README: add note about language translations
+  * fix: rich: source/dest only matching with mark action
+  * feat: AllowZoneDrifting config option
+  * feat: nftables: support AllowZoneDrifting=yes
+  * feat: ipXtables: support AllowZoneDrifting=yes
+  * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting
+  * fix: add logrotate policy
+  * doc: direct: add CAVEATS section
+  * fix: checkIP6: strip leading/trailing square brackets
+  * fix: nftables: remove square brackets from IPv6 addresses
+  * fix: ipXtables: remove square brackets from IPv6 addresses
+  * fix: nftables: ipset types using “port”
+  * fix: nftables: zone dispatch with multidimensional ipsets
+  * fix: ipset: destroy runtime sets on reload/stop
+  * fix: port: support querying sub ranges
+  * fix: source_port: support querying sub ranges
+  * doc: specify accepted characters for object names
+  * fix: doc: address copy/paste mistakes in short/description
+  * fix: configure: atlocal: quote variable values
+  * fix: nftables: allow set intervals with concatenations
+  * doc: clarify –set-target values “default” vs “reject”
+  * fix: update dynamic DCE RPC ports in freeipa-trust service
+  * fix: nftables: ipset: port ranges for non-default protocols
+  * fix(systemd): Conflict with nftables.service
+  * fix(direct): rule in a zone chain
+  * fix(client): addService needs to reduce tuple size
+  * fix(doc): dbus: signatures for zone tuple based APIs
+  * fix(config): bool values in dict based import/export
+  * fix(dbus): service: don’t cleanup config for old set APIs
+  * fix(ipset): flush the set if IndividiualCalls=yes
+  * fix(firewall-offline-cmd): remove instances of “[P]” in help text
+  * fix(rich): source mac with nftables backend
+  * docs: replace occurrences of the term blacklist with denylist
+  * fix: core: rich: Catch ValueError on non-numeric priority values
+  * docs(README): add libxslt for doc generation
+  * fix(cli): add –zone is an invalid option with –direct
+  * fix(cli): add ipset type hash:mac is incompatible with the family parameter
+
 -------------------------------------------------------------------
 Wed Aug 12 13:48:37 UTC 2020 - mrostecki@suse.com

--- a/firewalld.obsinfo
+++ b/firewalld.obsinfo
@@ -1,5 +0,0 @@
-name: firewalld
-version: 0.7.5
-mtime: 1593546094
-commit: 7c900054e5293c4c569e3da5def7700045290753
-
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -21,13 +21,13 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           firewalld
-Version:        0.7.5
+Version:        0.8.3
 Release:        0
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 Url:            http://www.firewalld.org
-Source:         %{name}-%{version}.tar.xz
+Source:         https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
 Patch0:         0001-firewall-backend-Switch-default-backend-to-iptables.patch

 BuildRequires:  autoconf