Accepting request 458640 from home:markoschandras:network

- Update to version 0.4.4.3 * New service freeipa-trust (rh#1411650) * Complete icmp types for IPv4 and IPv6 * New h323 helper container * Support helper container: h323 * firewall.server.decorators: ALREADY_ errors should be logged as warnings * firewall.command: ALREADY_SET should also result in zero exit code * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface * New checks for ipset entry validation * Use ipset dimension for match * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list * New firewall.core.icmp providing names and types for icmp and icmpv6 values * firewall.core.fw_ipset: New methods to get ipset dimension and applied state * firewall.errors: New error NOT_APPLIED * firewall-cmd man page: Add missing --get-ipset-types * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345) * firewall.core.prog: Fix addition of the error output in runProg * Speed up ipset handling, (re)loading and import from file * Support --family option for --new-ipset * Handle FirewallError for query sequences in command line tools * Fail to alter entries of ipsets with timeout * Extended tests for ipset options * Return empty list for ipsets using timeouts * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186) * firewalld.conf man page: New section about AutomaticHelpers * firewall-offline-cmd man page: Added -v and -q options, fixed section ids * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface * firewall.core.fw_zone: Limit masquerading forward rule to new connections * firewall-config: Update active zones on reloaded signal OBS-URL: https://build.opensuse.org/request/show/458640 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=38
2017-02-17 09:46:55 +00:00 · 2017-02-17 09:46:55 +00:00 · de5a881f0d
commit de5a881f0d
parent 529e53d9ce
5 changed files with 156 additions and 10 deletions
--- a/0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
+++ b/0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
@ -0,0 +1,97 @@
+From 7e7be5658c2b1a8aa130480ad8e1a7314c83bba9 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Wed, 15 Feb 2017 11:11:40 +0100
+Subject: [PATCH] firewall.core.fw_ipset: get_ipset may not ckeck if set is
+ applied by default
+
+This breaks the ipset overloading from /etc/firewalld/ipsets.
+Fixes: #206
+---
+ src/firewall/core/fw_ipset.py | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index bbbc8eb9..952d1226 100644
+--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
+@@ -55,10 +55,11 @@ class FirewallIPSet(object):
+     def has_ipsets(self):
+         return len(self._ipsets) > 0
+ 
+-    def get_ipset(self, name):
+    def get_ipset(self, name, applied=False):
+         self.check_ipset(name)
+         obj = self._ipsets[name]
+-        self.check_applied_obj(obj)
+        if applied:
+            self.check_applied_obj(obj)
+         return obj
+ 
+     def _error2warning(self, f, name, *args):
+@@ -141,11 +142,11 @@ class FirewallIPSet(object):
+     # TYPE
+ 
+     def get_type(self, name):
+-        return self.get_ipset(name).type
+        return self.get_ipset(name, applied=True).type
+ 
+     # DIMENSION
+     def get_dimension(self, name):
+-        return len(self.get_ipset(name).type.split(","))
+        return len(self.get_ipset(name, applied=True).type.split(","))
+ 
+     # APPLIED
+ 
+@@ -164,7 +165,7 @@ class FirewallIPSet(object):
+     # OPTIONS
+ 
+     def get_family(self, name):
+-        obj = self.get_ipset(name)
+        obj = self.get_ipset(name, applied=True)
+         if "family" in obj.options:
+             if obj.options["family"] == "inet6":
+                 return "ipv6"
+@@ -179,7 +180,7 @@ class FirewallIPSet(object):
+         pass
+ 
+     def add_entry(self, name, entry):
+-        obj = self.get_ipset(name)
+        obj = self.get_ipset(name, applied=True)
+         if "timeout" in obj.options and obj.options["timeout"] != "0":
+             # no entries visible for ipsets with timeout
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -201,7 +202,7 @@ class FirewallIPSet(object):
+                 obj.entries.append(entry)
+ 
+     def remove_entry(self, name, entry):
+-        obj = self.get_ipset(name)
+        obj = self.get_ipset(name, applied=True)
+         if "timeout" in obj.options and obj.options["timeout"] != "0":
+             # no entries visible for ipsets with timeout
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -222,7 +223,7 @@ class FirewallIPSet(object):
+                 obj.entries.remove(entry)
+ 
+     def query_entry(self, name, entry):
+-        obj = self.get_ipset(name)
+        obj = self.get_ipset(name, applied=True)
+         if "timeout" in obj.options and obj.options["timeout"] != "0":
+             # no entries visible for ipsets with timeout
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -230,11 +231,11 @@ class FirewallIPSet(object):
+         return entry in obj.entries
+ 
+     def get_entries(self, name):
+-        obj = self.get_ipset(name)
+        obj = self.get_ipset(name, applied=True)
+         return obj.entries
+ 
+     def set_entries(self, name, entries):
+-        obj = self.get_ipset(name)
+        obj = self.get_ipset(name, applied=True)
+         if "timeout" in obj.options and obj.options["timeout"] != "0":
+             # no entries visible for ipsets with timeout
+             raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+-- 
+2.11.0
+
--- a/firewalld-0.4.4.2.tar.bz2
+++ b/firewalld-0.4.4.2.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:615dcd478d3b8459053811d08970e45e7f44942e2f93e57097e7ce0a5f27ba4a
-size 707213
--- a/firewalld-0.4.4.3.tar.bz2
+++ b/firewalld-0.4.4.3.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4dbd99b0f6a29306dc6c48daba706fe598689e9e077b461c7a592366c6605d07
+size 713876
--- a/firewalld.changes
+++ b/firewalld.changes
@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Mon Feb 13 16:20:27 UTC 2017 - mchandras@suse.de
+
+- Update to version 0.4.4.3
+  * New service freeipa-trust (rh#1411650)
+  * Complete icmp types for IPv4 and IPv6
+  * New h323 helper container
+  * Support helper container: h323
+  * firewall.server.decorators: ALREADY_ errors should be logged as warnings
+  * firewall.command: ALREADY_SET should also result in zero exit code
+  * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd
+  * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface
+  * New checks for ipset entry validation
+  * Use ipset dimension for match
+  * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list
+  * New firewall.core.icmp providing names and types for icmp and icmpv6 values
+  * firewall.core.fw_ipset: New methods to get ipset dimension and applied state
+  * firewall.errors: New error NOT_APPLIED
+  * firewall-cmd man page: Add missing --get-ipset-types
+  * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345)
+  * firewall.core.prog: Fix addition of the error output in runProg
+  * Speed up ipset handling, (re)loading and import from file
+  * Support --family option for --new-ipset
+  * Handle FirewallError for query sequences in command line tools
+  * Fail to alter entries of ipsets with timeout
+  * Extended tests for ipset options
+  * Return empty list for ipsets using timeouts
+  * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186)
+  * firewalld.conf man page: New section about AutomaticHelpers
+  * firewall-offline-cmd man page: Added -v and -q options, fixed section ids
+  * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface
+  * firewall.core.fw_zone: Limit masquerading forward rule to new connections
+  * firewall-config: Update active zones on reloaded signal
+  * firewall-applet: Update active zones and tooltip on reloaded signal
+  * firewall.core.fw_zone: Fix missing chain for helper in rich rules using service (rh#1416578)
+  * Support icmp-type usage in rich rules (rh#1409544)
+  * firewall[-offline]-cmd: Fix --{set,get}-{short,description} for ipset and helper (rh#1416325)
+  * firewall.core.ipset: Solve ipset creation issues with -exist and more flag tests
+  * Speed up start and restart for ipsets with lots of entries (rh#1416817)
+  * Speed up of ipset alteration by adding and removing entries using a file (rh#1416817)
+  * Code cleanup and minor bug fixes
+  * firewall.core.prog: Fix addition of the error output in runProg
+  * New services mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync
+  * Translation updates
+- Add upstream patch to fix ipset overloading from /etc/firewalld/ipsets (gh#t-woerner/firewalld#206)
+
 -------------------------------------------------------------------
 Mon Dec  5 09:41:03 UTC 2016 - mchandras@suse.de

@ -92,15 +138,15 @@ Tue Jun 28 14:59:35 UTC 2016 - mchandras@suse.de
 Wed Jun 22 14:15:29 UTC 2016 - mchandras@suse.de

 - Update to version 0.4.3
-  * New firewallctl utility (RHBZ#1147959)
+  * New firewallctl utility (rh#1147959)
  * doc.xml.seealso: Show firewalld.dbus in See Also sections
-  * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (RHBZ#1339251)
+  * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (rh#1339251)
  * {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
  * firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
  * firewall-cmd: Dropped duplicate setType call in --new-ipset
  * radius service: Support also tcp ports (RBZ#1219717)
  * xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset sources
-  * config.xmlschema.service.xsd: Fix service destination conflicts (RHBZ#1296573)
+  * config.xmlschema.service.xsd: Fix service destination conflicts (rh#1296573)
  * firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
  * firewall.command: Only print summary and description in print_X_info with verbose
  * firewall.command: print_msg should be able to print empty lines
@ -181,7 +227,7 @@ Tue May 31 08:30:44 UTC 2016 - mchandras@suse.de
  * New icmp-block-inversion flag in the zones
  * ICMP type filtering in the zones
  * New services: sip, sips, managesieve
-  * rich rules: Allow destination action (RHBZ#1163428)
+  * rich rules: Allow destination action (rh#1163428)
  * firewall-offline-cmd: New option -q/--quiet
  * firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
  * firewall-[offline-]cmd: Fix option for setting the destination
@ -250,7 +296,7 @@ Thu Apr 21 08:15:19 UTC 2016 - mchandras@suse.de
  * Fix logging in rich rule forward rules
  * Transformed direct.passthrough errors into warnings
  * Rework of import structures
-  * Reduced calls to get ids for port and protocol names (RHBZ#1305434)
+  * Reduced calls to get ids for port and protocol names (rh#1305434)
  * Build and installation fixes by Markos Chandras
  * Provide D-Bus properties in introspection data
  * Fix for flaws found by landscape.io
--- a/firewalld.spec
+++ b/firewalld.spec
@ -1,7 +1,7 @@
 #
 # spec file for package firewalld
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,13 +17,15 @@


 Name:           firewalld
-Version:        0.4.4.2
+Version:        0.4.4.3
 Release:        0
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
 Url:            http://www.firewalld.org
 Source:         https://fedorahosted.org/released/%{name}/%{name}-%{version}.tar.bz2
+# PATCH-FIX-UPSTREAM: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch (gh#t-woerner/firewalld#206)
+Patch:          0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
 BuildRequires:  desktop-file-utils
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  gettext
@ -84,6 +86,7 @@ firewalld.

 %prep
 %setup -q
+%patch -p1

 %build
 %configure --enable-sysconfig --enable-rpmmacros