From de5a881f0d4711e0c80a4090df32da7486e3d88bf56917bd3671cb2de5fc851f Mon Sep 17 00:00:00 2001 
From: Markos Chandras Date: Fri, 17 Feb 2017 09:46:55 +0000 Subject: [PATCH] Accepting request 458640 from home:markoschandras:network - Update to version 0.4.4.3 * New service freeipa-trust (rh#1411650) * Complete icmp types for IPv4 and IPv6 * New h323 helper container * Support helper container: h323 * firewall.server.decorators: ALREADY_ errors should be logged as warnings * firewall.command: ALREADY_SET should also result in zero exit code * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface * New checks for ipset entry validation * Use ipset dimension for match * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list * New firewall.core.icmp providing names and types for icmp and icmpv6 values * firewall.core.fw_ipset: New methods to get ipset dimension and applied state * firewall.errors: New error NOT_APPLIED * firewall-cmd man page: Add missing --get-ipset-types * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345) * firewall.core.prog: Fix addition of the error output in runProg * Speed up ipset handling, (re)loading and import from file * Support --family option for --new-ipset * Handle FirewallError for query sequences in command line tools * Fail to alter entries of ipsets with timeout * Extended tests for ipset options * Return empty list for ipsets using timeouts * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186) * firewalld.conf man page: New section about AutomaticHelpers * firewall-offline-cmd man page: Added -v and -q options, fixed section ids * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface * firewall.core.fw_zone: Limit masquerading forward rule to new connections * firewall-config: Update active zones on reloaded signal OBS-URL: https://build.opensuse.org/request/show/458640 
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=38
---
 ..._ipset-get_ipset-may-not-ckeck-if-se.patch | 97 +++++++++++++++++++
 firewalld-0.4.4.2.tar.bz2 | 3 -
 firewalld-0.4.4.3.tar.bz2 | 3 +
 firewalld.changes | 56 ++++++++++-
 firewalld.spec | 7 +-
 5 files changed, 156 insertions(+), 10 deletions(-)
 create mode 100644 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
 delete mode 100644 firewalld-0.4.4.2.tar.bz2
 create mode 100644 firewalld-0.4.4.3.tar.bz2
diff --git a/0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch b/0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
new file mode 100644
index 0000000..0c892f8
--- /dev/null
+++ b/0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
@@ -0,0 +1,97 @@
+From 7e7be5658c2b1a8aa130480ad8e1a7314c83bba9 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Wed, 15 Feb 2017 11:11:40 +0100
+Subject: [PATCH] firewall.core.fw_ipset: get_ipset may not ckeck if set is
+ applied by default
+
+This breaks the ipset overloading from /etc/firewalld/ipsets.
+Fixes: #206
+---
+ src/firewall/core/fw_ipset.py | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
+index bbbc8eb9..952d1226 100644
+--- a/src/firewall/core/fw_ipset.py
++++ b/src/firewall/core/fw_ipset.py
+@@ -55,10 +55,11 @@ class FirewallIPSet(object):
+ def has_ipsets(self):
+ return len(self._ipsets) > 0
+
+- def get_ipset(self, name):
++ def get_ipset(self, name, applied=False):
+ self.check_ipset(name)
+ obj = self._ipsets[name]
+- self.check_applied_obj(obj)
++ if applied:
++ self.check_applied_obj(obj)
+ return obj
+
+ def _error2warning(self, f, name, *args):
+@@ -141,11 +142,11 @@ class FirewallIPSet(object):
+ # TYPE
+
+ def get_type(self, name):
+- return self.get_ipset(name).type
++ return self.get_ipset(name, applied=True).type
+
+ # DIMENSION
+ def get_dimension(self, name):
+- return len(self.get_ipset(name).type.split(","))
++ return len(self.get_ipset(name, applied=True).type.split(","))
+
+ # APPLIED
+
+@@ -164,7 +165,7 @@ class FirewallIPSet(object):
+ # OPTIONS
+
+ def get_family(self, name):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "family" in obj.options:
+ if obj.options["family"] == "inet6":
+ return "ipv6"
+@@ -179,7 +180,7 @@ class FirewallIPSet(object):
+ pass
+
+ def add_entry(self, name, entry):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -201,7 +202,7 @@ class FirewallIPSet(object):
+
obj.entries.append(entry)
+
+ def remove_entry(self, name, entry):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -222,7 +223,7 @@ class FirewallIPSet(object):
+ obj.entries.remove(entry)
+
+ def query_entry(self, name, entry):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+@@ -230,11 +231,11 @@ class FirewallIPSet(object):
+ return entry in obj.entries
+
+ def get_entries(self, name):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ return obj.entries
+
+ def set_entries(self, name, entries):
+- obj = self.get_ipset(name)
++ obj = self.get_ipset(name, applied=True)
+ if "timeout" in obj.options and obj.options["timeout"] != "0":
+ # no entries visible for ipsets with timeout
+ raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
+--
+2.11.0
+
diff --git a/firewalld-0.4.4.2.tar.bz2 b/firewalld-0.4.4.2.tar.bz2
deleted file mode 100644
index f6d1881..0000000
--- a/firewalld-0.4.4.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:615dcd478d3b8459053811d08970e45e7f44942e2f93e57097e7ce0a5f27ba4a
-size 707213
diff --git a/firewalld-0.4.4.3.tar.bz2 b/firewalld-0.4.4.3.tar.bz2
new file mode 100644
index 0000000..1d96492
--- /dev/null
+++ b/firewalld-0.4.4.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4dbd99b0f6a29306dc6c48daba706fe598689e9e077b461c7a592366c6605d07
+size 713876
diff --git a/firewalld.changes b/firewalld.changes
index c07c779..2ff74d3 100644
--- a/firewalld.changes
+++ b/firewalld.changes
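Review bot: In the first hunk of the embedded patch, changing the default of `get_ipset` to `applied=False` silently drops the `check_applied_obj` guard for every caller that this patch does not update; only the callers inside fw_ipset.py are given `applied=True` here, so any caller in another module that still writes `self.get_ipset(name)` would now receive an unapplied set instead of, presumably, a NOT_APPLIED error. The safer shape is to keep the check on by default, `def get_ipset(self, name, applied=True):`, and pass `applied=False` only at the configuration-loading call site that needs the unapplied object, which also avoids the eight `applied=True` additions in the later hunks. Whether such outside callers exist cannot be seen from this diff, since the hunks cut through the FirewallIPSet class and the loader is in another file; worth checking before accepting the default flip. A short comment on the parameter, `# applied=False: return the object even if the set is not yet applied (used while loading /etc/firewalld/ipsets)`, would document why the option exists.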
@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Mon Feb 13 16:20:27 UTC 2017 - mchandras@suse.de
+
+- Update to version 0.4.4.3
+ * New service freeipa-trust (rh#1411650)
+ * Complete icmp types for IPv4 and IPv6
+ * New h323 helper container
+ * Support helper container: h323
+ * firewall.server.decorators: ALREADY_ errors should be logged as warnings
+ * firewall.command: ALREADY_SET should also result in zero exit code
+ * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd
+ * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface
+ * New checks for ipset entry validation
+ * Use ipset dimension for match
+ * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list
+ * New firewall.core.icmp providing names and types for icmp and icmpv6 values
+ * firewall.core.fw_ipset: New methods to get ipset dimension and applied state
+ * firewall.errors: New error NOT_APPLIED
+ * firewall-cmd man page: Add missing --get-ipset-types
+ * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345)
+ * firewall.core.prog: Fix addition of the error output in runProg
+ * Speed up ipset handling, (re)loading and import from file
+ * Support --family option for --new-ipset
+ * Handle FirewallError for query sequences in command line tools
+ * Fail to alter entries of ipsets with timeout
+ * Extended tests for ipset options
+ * Return empty list for ipsets using timeouts
+ * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186)
+ * firewalld.conf man page: New section about AutomaticHelpers
+ * firewall-offline-cmd man page: Added -v and -q options, fixed section ids
+ * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface
+ * firewall.core.fw_zone: Limit masquerading forward rule to new connections
+ * firewall-config: Update active zones on reloaded signal
+ * firewall-applet: Update active zones and tooltip on reloaded signal
+ * firewall.core.fw_zone: Fix missing chain for helper in rich rules using service (rh#1416578)
+ * Support icmp-type usage in rich rules (rh#1409544)
+ * firewall[-offline]-cmd: Fix --{set,get}-{short,description} for ipset and helper (rh#1416325)
+ * firewall.core.ipset: Solve ipset creation issues with -exist and more flag tests
+ * Speed up start and restart for ipsets with lots of entries (rh#1416817)
+ * Speed up of ipset alteration by adding and removing entries using a file (rh#1416817)
+ * Code cleanup and minor bug fixes
+ * firewall.core.prog: Fix addition of the error output in runProg
+ * New services mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync
+ * Translation updates
+- Add upstream patch to fix ipset overloading from /etc/firewalld/ipsets (gh#t-woerner/firewalld#206)
+
 -------------------------------------------------------------------
 Mon Dec 5 09:41:03 UTC 2016 - mchandras@suse.de
@@ -92,15 +138,15 @@ Tue Jun 28 14:59:35 UTC 2016 - mchandras@suse.de
 Wed Jun 22 14:15:29 UTC 2016 - mchandras@suse.de
 - Update to version 0.4.3
- * New firewallctl utility (RHBZ#1147959)
+ * New firewallctl utility (rh#1147959)
 * doc.xml.seealso: Show firewalld.dbus in See Also sections
- * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (RHBZ#1339251)
+ * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (rh#1339251)
 * {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
 * firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
 * firewall-cmd: Dropped duplicate setType call in --new-ipset
 * radius service: Support also tcp ports (RBZ#1219717)
 * xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset sources
- * config.xmlschema.service.xsd: Fix service destination conflicts (RHBZ#1296573)
+ * config.xmlschema.service.xsd: Fix service destination conflicts (rh#1296573)
 * firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
 * firewall.command: Only print summary and description in print_X_info with verbose
 * firewall.command: print_msg should be able to print empty lines
@@ -181,7 +227,7 @@ Tue May 31 08:30:44 UTC 2016 - mchandras@suse.de
 * New icmp-block-inversion flag in the zones
 * ICMP type filtering in the zones
 * New services: sip, sips, managesieve
- * rich rules: Allow destination action (RHBZ#1163428)
+ * rich rules: Allow destination action (rh#1163428)
 * firewall-offline-cmd: New option -q/--quiet
 * firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
 * firewall-[offline-]cmd: Fix option for setting the destination
@@ -250,7 +296,7 @@ Thu Apr 21 08:15:19 UTC 2016 - mchandras@suse.de
 * Fix logging in rich rule forward rules
 * Transformed direct.passthrough errors into warnings
 * Rework of import structures
- * Reduced calls to get ids for port and protocol names (RHBZ#1305434)
+ * Reduced calls to get ids for port and protocol names (rh#1305434)
 * Build and installation fixes by Markos Chandras
 * Provide D-Bus properties in introspection data
 * Fix for flaws found by landscape.io
diff --git a/firewalld.spec b/firewalld.spec
index af4a291..45502c6 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package firewalld
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,13 +17,15 @@ Name: firewalld
-Version: 0.4.4.2
+Version: 0.4.4.3
 Release: 0
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPL-2.0+
 Group: Productivity/Networking/Security
 Url: http://www.firewalld.org
 Source: https://fedorahosted.org/released/%{name}/%{name}-%{version}.tar.bz2
+# PATCH-FIX-UPSTREAM: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch (gh#t-woerner/firewalld#206)
+Patch: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
 BuildRequires: desktop-file-utils
 BuildRequires: docbook-xsl-stylesheets
 BuildRequires: gettext
@@ -84,6 +86,7 @@ firewalld.
 %prep
 %setup -q
+%patch -p1
 %build
 %configure --enable-sysconfig --enable-rpmmacros
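Review bot: The new `Patch:` tag in the preamble and the bare `%patch -p1` in %prep rely on rpm's implicit numbering, where an unnumbered Patch: is Patch0 and a bare %patch applies Patch0; that works, but it hides which tag the %prep line applies and becomes ambiguous as soon as a second patch is added. Writing the pair explicitly, `Patch0: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch` and `%patch0 -p1`, keeps the tag and its application visibly matched. The PATCH-FIX-UPSTREAM comment with the upstream issue reference is good and should stay next to whichever tag form is used.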