From cce6b88f5c7e7b465f5859fc8d7e335e0c1da9b4ad763c76978a0d80fcf5466e Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Fri, 10 Aug 2018 06:32:49 +0000
Subject: [PATCH 1/3] Accepting request 628528 from home:markoschandras:network

- Update to 0.6.1. Some of the changes are:
* Correct source/destination in rich rule masquerade
* Only modify ifcfg files for permanent configuration changes
* Fix a backtrace when calling common_reverse_rule()
* man firewalld.conf: Show nftables is the default FirewallBackend
* firewall-config: fix some untranslated strings that caused a UI bug causing rich rules to not be modify-able (bsc#1096542)
* fw_direct: avoid log for untracked passthrough queries
* fixed many issues if iptables is actually iptables-nft
* Use preferred location for AppData files
* ipXtables: fix ICMP block inversion with set-log-denied
* fixes ICMP block inversion with set-log-denied with IndividualCalls=yes
* nftables: fix set-log-denied if target is not ACCEPT
* fw_direct: strip _direct chain suffix if using nftables
* NetworkManager integration bugfixes.

OBS-URL: https://build.opensuse.org/request/show/628528
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=75
---
 firewalld-0.6.0.tar.gz | 3 ---
 firewalld-0.6.1.tar.gz | 3 +++
 firewalld.changes | 20 ++++++++++++++++++++
 firewalld.spec | 6 +++---
 4 files changed, 26 insertions(+), 6 deletions(-)
 delete mode 100644 firewalld-0.6.0.tar.gz
 create mode 100644 firewalld-0.6.1.tar.gz

diff --git a/firewalld-0.6.0.tar.gz b/firewalld-0.6.0.tar.gz
deleted file mode 100644
index 4ef3871..0000000
--- a/firewalld-0.6.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7aaa73dc95857079aa276e29d7d628d0faa7d50f29f5a0b6bae458ee7a5829a2
-size 2266131
diff --git a/firewalld-0.6.1.tar.gz b/firewalld-0.6.1.tar.gz
new file mode 100644
index 0000000..6779b36
--- /dev/null
+++ b/firewalld-0.6.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9fd94f4a5803ec6d1bf4a15f3b90d46fdf0ffa1b5187ff80a470460e3a1a8538
+size 2269294
diff --git a/firewalld.changes b/firewalld.changes
index 1e3e5ac..1369fa2 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Fri Aug 10 06:23:35 UTC 2018 - mchandras@suse.de
+
+- Update to 0.6.1. Some of the changes are:
+ * Correct source/destination in rich rule masquerade
+ * Only modify ifcfg files for permanent configuration changes
+ * Fix a backtrace when calling common_reverse_rule()
+ * man firewalld.conf: Show nftables is the default FirewallBackend
+ * firewall-config: fix some untranslated strings that caused a UI
+ bug causing rich rules to not be modify-able (bsc#1096542)
+ * fw_direct: avoid log for untracked passthrough queries
+ * fixed many issues if iptables is actually iptables-nft
+ * Use preferred location for AppData files
+ * ipXtables: fix ICMP block inversion with set-log-denied
+ * fixes ICMP block inversion with set-log-denied with
+ IndividualCalls=yes
+ * nftables: fix set-log-denied if target is not ACCEPT
+ * fw_direct: strip _direct chain suffix if using nftables
+ * NetworkManager integration bugfixes.
+
 -------------------------------------------------------------------
 Mon Aug 6 06:14:07 UTC 2018 - mchandras@suse.de
 
diff --git a/firewalld.spec b/firewalld.spec
index 35149f6..10f3271 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -21,7 +21,7 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: firewalld
-Version: 0.6.0
+Version: 0.6.1
 Release: 0
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPL-2.0-or-later
@@ -285,8 +285,8 @@ fi
 %attr(0755,root,root) %{_datadir}/firewalld/gtk3_chooserbutton.py*
 %attr(0755,root,root) %{_datadir}/firewalld/gtk3_niceexpander.py*
 %{_datadir}/applications/firewall-config.desktop
-%dir %{_datadir}/appdata
-%{_datadir}/appdata/firewall-config.appdata.xml
+%dir %{_datadir}/metainfo
+%{_datadir}/metainfo/firewall-config.appdata.xml
 %{_datadir}/icons/hicolor/*/apps/firewall-config*.*
 %{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml
 %{_mandir}/man1/firewall-config*.1%{?ext_man}
From 664b2c231f90d963c723901b66e6368714bebcf7e6697ffe441de60068146f61 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Mon, 13 Aug 2018 19:17:18 +0000
Subject: [PATCH 2/3] Accepting request 629064 from home:markoschandras:network

- Also switch firewall backend fallback to 'iptables' (bsc#1102761) This ensures that existing configuration files will keep working even if FirewallBackend option is missing.

OBS-URL: https://build.opensuse.org/request/show/629064
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=76
---
 firewalld.changes | 7 +++++++
 firewalld.spec | 1 +
 2 files changed, 8 insertions(+)

diff --git a/firewalld.changes b/firewalld.changes
index 1369fa2..ec208aa 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 13 19:08:39 UTC 2018 - mchandras@suse.de
+
+- Also switch firewall backend fallback to 'iptables' (bsc#1102761)
+ This ensures that existing configuration files will keep working
+ even if FirewallBackend option is missing.
+
 -------------------------------------------------------------------
 Fri Aug 10 06:23:35 UTC 2018 - mchandras@suse.de
 
diff --git a/firewalld.spec b/firewalld.spec
index 10f3271..04f8320 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -116,6 +116,7 @@ rm config/services/high-availability.xml
 
 # bsc#1102761 - switch to iptables as default
 sed -i "/^FirewallBackend/s/=.*/=iptables/" config/firewalld.conf
+sed -i '/^FALLBACK_FIREWALL_BACKEND/s/=.*/= "iptables"/' src/firewall/config/__init__.py.in
 
 %build
 export PYTHON="%{_bindir}/python3"
From fb97f07a3eb84e15738fa7a096c1e701d4ae7f12e4649a024cb2c2bd042cebd8 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Mon, 13 Aug 2018 19:34:27 +0000
Subject: [PATCH 3/3] * 0001-firewall-backend-Switch-default-backend-to-iptables.patch

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=77
---
 ...d-Switch-default-backend-to-iptables.patch | 59 +++++++++++++++++++
 firewalld.changes | 1 +
 firewalld.spec | 8 +--
 3 files changed, 64 insertions(+), 4 deletions(-)
 create mode 100644 0001-firewall-backend-Switch-default-backend-to-iptables.patch

diff --git a/0001-firewall-backend-Switch-default-backend-to-iptables.patch b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
new file mode 100644
index 0000000..de11a7f
--- /dev/null
+++ b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
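Review bot: The `sed` added in the `@@ -116,6 +116,7 @@` hunk of firewalld.spec exits successfully even when no line matches `^FALLBACK_FIREWALL_BACKEND`, so a later upstream rename or reformat of that assignment would silently ship the nftables fallback again. The same holds for the existing `FirewallBackend` sed on the line above it. Because the purpose of the change is that configurations without the option keep using iptables, the result is worth verifying in %prep, e.g. `grep -q '^FALLBACK_FIREWALL_BACKEND = "iptables"' src/firewall/config/__init__.py.in`, which should abort the build if the substitution did not take effect. The %prep section begins above this hunk.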
@@ -0,0 +1,59 @@
+From dbbf60a4bb0c7edc83cd8bae2177d96842ad9034 Mon Sep 17 00:00:00 2001
+From: Markos Chandras
+Date: Mon, 13 Aug 2018 22:31:04 +0300
+Subject: [PATCH] firewall: backend: Switch default backend to 'iptables'
+
+Switch default backend to 'iptables'. Some packages (eg docker)
+are not able to work well with nftables right now, so lets stick
+with iptables as default backend.
+
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1102761
+Signed-off-by: Markos Chandras
+---
+ config/firewalld.conf | 6 +++---
+ doc/xml/firewalld.conf.xml | 4 ++--
+ src/firewall/config/__init__.py.in | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index b53c0aa5..e6afde19 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -59,6 +59,6 @@ AutomaticHelpers=system
+ # FirewallBackend
+ # Selects the firewall backend implementation.
+ # Choices are:
+-# - nftables (default)
+-# - iptables (iptables, ip6tables, ebtables and ipset)
+-FirewallBackend=nftables
++# - nftables
++# - iptables (default)
++FirewallBackend=iptables
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index df4b9521..fee0d3ca 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -149,8 +149,8 @@
+
+
+ Selects the firewall backend implementation. Possible values
+- are; nftables (default), or
+- iptables. This applies to all
++ are; nftables, or
++ iptables (default). This applies to all
+ firewalld primitives. The only exception is direct and
+ passthrough rules which always use the traditional iptables,
+ ip6tables, and ebtables backends.
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 955be320..cff7c3fe 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
+ FALLBACK_INDIVIDUAL_CALLS = False
+ FALLBACK_LOG_DENIED = "off"
+ FALLBACK_AUTOMATIC_HELPERS = "system"
+-FALLBACK_FIREWALL_BACKEND = "nftables"
++FALLBACK_FIREWALL_BACKEND = "iptables"
+--
+2.16.4
+
diff --git a/firewalld.changes b/firewalld.changes
index ec208aa..9a2c69a 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -4,6 +4,7 @@ Mon Aug 13 19:08:39 UTC 2018 - mchandras@suse.de
 - Also switch firewall backend fallback to 'iptables' (bsc#1102761)
 This ensures that existing configuration files will keep working
 even if FirewallBackend option is missing.
+ * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
 
 -------------------------------------------------------------------
 Fri Aug 10 06:23:35 UTC 2018 - mchandras@suse.de
diff --git a/firewalld.spec b/firewalld.spec
index 04f8320..be38768 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -28,6 +28,8 @@ License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
 Url: http://www.firewalld.org
 Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
+Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: desktop-file-utils
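Review bot: In the new 0001-firewall-backend-Switch-default-backend-to-iptables.patch, the `config/firewalld.conf` hunk drops the explanation of what the iptables backend covers. The old comment read `# - iptables (iptables, ip6tables, ebtables and ipset)` and the new one is only `# - iptables (default)`. An administrator choosing a backend from this comment no longer sees that this choice also drives ip6tables, ebtables and ipset. I would keep that detail next to the default marker, e.g. `# - iptables (default; iptables, ip6tables, ebtables and ipset)`.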
@@ -110,14 +112,12 @@ firewalld. %prep %setup -q +# bsc#1102761 - switch to iptables as default +%patch0 -p1 # bsc#1078223 rm config/services/high-availability.xml -# bsc#1102761 - switch to iptables as default -sed -i "/^FirewallBackend/s/=.*/=iptables/" config/firewalld.conf -sed -i '/^FALLBACK_FIREWALL_BACKEND/s/=.*/= "iptables"/' src/firewall/config/__init__.py.in - %build export PYTHON="%{_bindir}/python3" ./autogen.sh