Accepting request 458640 from home:markoschandras:network
- Update to version 0.4.4.3 * New service freeipa-trust (rh#1411650) * Complete icmp types for IPv4 and IPv6 * New h323 helper container * Support helper container: h323 * firewall.server.decorators: ALREADY_ errors should be logged as warnings * firewall.command: ALREADY_SET should also result in zero exit code * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface * New checks for ipset entry validation * Use ipset dimension for match * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list * New firewall.core.icmp providing names and types for icmp and icmpv6 values * firewall.core.fw_ipset: New methods to get ipset dimension and applied state * firewall.errors: New error NOT_APPLIED * firewall-cmd man page: Add missing --get-ipset-types * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345) * firewall.core.prog: Fix addition of the error output in runProg * Speed up ipset handling, (re)loading and import from file * Support --family option for --new-ipset * Handle FirewallError for query sequences in command line tools * Fail to alter entries of ipsets with timeout * Extended tests for ipset options * Return empty list for ipsets using timeouts * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186) * firewalld.conf man page: New section about AutomaticHelpers * firewall-offline-cmd man page: Added -v and -q options, fixed section ids * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface * firewall.core.fw_zone: Limit masquerading forward rule to new connections * firewall-config: Update active zones on reloaded signal OBS-URL: https://build.opensuse.org/request/show/458640 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=38
parent
529e53d9ce
commit
de5a881f0d
@ -0,0 +1,97 @@
|
|||||||
|
From 7e7be5658c2b1a8aa130480ad8e1a7314c83bba9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Woerner <twoerner@redhat.com>
|
||||||
|
Date: Wed, 15 Feb 2017 11:11:40 +0100
|
||||||
|
Subject: [PATCH] firewall.core.fw_ipset: get_ipset may not ckeck if set is
|
||||||
|
applied by default
|
||||||
|
|
||||||
|
This breaks the ipset overloading from /etc/firewalld/ipsets.
|
||||||
|
Fixes: #206
|
||||||
|
---
|
||||||
|
src/firewall/core/fw_ipset.py | 21 +++++++++++----------
|
||||||
|
1 file changed, 11 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
|
||||||
|
index bbbc8eb9..952d1226 100644
|
||||||
|
--- a/src/firewall/core/fw_ipset.py
|
||||||
|
+++ b/src/firewall/core/fw_ipset.py
|
||||||
|
@@ -55,10 +55,11 @@ class FirewallIPSet(object):
|
||||||
|
def has_ipsets(self):
|
||||||
|
return len(self._ipsets) > 0
|
||||||
|
|
||||||
|
- def get_ipset(self, name):
|
||||||
|
+ def get_ipset(self, name, applied=False):
|
||||||
|
self.check_ipset(name)
|
||||||
|
obj = self._ipsets[name]
|
||||||
|
- self.check_applied_obj(obj)
|
||||||
|
+ if applied:
|
||||||
|
+ self.check_applied_obj(obj)
|
||||||
|
return obj
|
||||||
|
|
||||||
|
def _error2warning(self, f, name, *args):
|
||||||
|
@@ -141,11 +142,11 @@ class FirewallIPSet(object):
|
||||||
|
# TYPE
|
||||||
|
|
||||||
|
def get_type(self, name):
|
||||||
|
- return self.get_ipset(name).type
|
||||||
|
+ return self.get_ipset(name, applied=True).type
|
||||||
|
|
||||||
|
# DIMENSION
|
||||||
|
def get_dimension(self, name):
|
||||||
|
- return len(self.get_ipset(name).type.split(","))
|
||||||
|
+ return len(self.get_ipset(name, applied=True).type.split(","))
|
||||||
|
|
||||||
|
# APPLIED
|
||||||
|
|
||||||
|
@@ -164,7 +165,7 @@ class FirewallIPSet(object):
|
||||||
|
# OPTIONS
|
||||||
|
|
||||||
|
def get_family(self, name):
|
||||||
|
- obj = self.get_ipset(name)
|
||||||
|
+ obj = self.get_ipset(name, applied=True)
|
||||||
|
if "family" in obj.options:
|
||||||
|
if obj.options["family"] == "inet6":
|
||||||
|
return "ipv6"
|
||||||
|
@@ -179,7 +180,7 @@ class FirewallIPSet(object):
|
||||||
|
pass
|
||||||
|
|
||||||
|
def add_entry(self, name, entry):
|
||||||
|
- obj = self.get_ipset(name)
|
||||||
|
+ obj = self.get_ipset(name, applied=True)
|
||||||
|
if "timeout" in obj.options and obj.options["timeout"] != "0":
|
||||||
|
# no entries visible for ipsets with timeout
|
||||||
|
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
|
||||||
|
@@ -201,7 +202,7 @@ class FirewallIPSet(object):
|
||||||
|
obj.entries.append(entry)
|
||||||
|
|
||||||
|
def remove_entry(self, name, entry):
|
||||||
|
- obj = self.get_ipset(name)
|
||||||
|
+ obj = self.get_ipset(name, applied=True)
|
||||||
|
if "timeout" in obj.options and obj.options["timeout"] != "0":
|
||||||
|
# no entries visible for ipsets with timeout
|
||||||
|
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
|
||||||
|
@@ -222,7 +223,7 @@ class FirewallIPSet(object):
|
||||||
|
obj.entries.remove(entry)
|
||||||
|
|
||||||
|
def query_entry(self, name, entry):
|
||||||
|
- obj = self.get_ipset(name)
|
||||||
|
+ obj = self.get_ipset(name, applied=True)
|
||||||
|
if "timeout" in obj.options and obj.options["timeout"] != "0":
|
||||||
|
# no entries visible for ipsets with timeout
|
||||||
|
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
|
||||||
|
@@ -230,11 +231,11 @@ class FirewallIPSet(object):
|
||||||
|
return entry in obj.entries
|
||||||
|
|
||||||
|
def get_entries(self, name):
|
||||||
|
- obj = self.get_ipset(name)
|
||||||
|
+ obj = self.get_ipset(name, applied=True)
|
||||||
|
return obj.entries
|
||||||
|
|
||||||
|
def set_entries(self, name, entries):
|
||||||
|
- obj = self.get_ipset(name)
|
||||||
|
+ obj = self.get_ipset(name, applied=True)
|
||||||
|
if "timeout" in obj.options and obj.options["timeout"] != "0":
|
||||||
|
# no entries visible for ipsets with timeout
|
||||||
|
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
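Review bot: Making `applied=False` the default in `get_ipset` means every caller not touched by this patch silently loses the `check_applied_obj` call it had before, so the check is now opt-in rather than guaranteed. The eight accessors in this file (`get_type`, `get_dimension`, `get_family`, `add_entry`, `remove_entry`, `query_entry`, `get_entries`, `set_entries`) are updated to pass `applied=True`, but callers in other modules are not visible here and should be audited, since code that builds rules against an ipset presumably needs to know the set is actually applied. I would document the contract on the method, e.g. `"""Return the ipset object for name; with applied=True also run check_applied_obj() on it."""`, so the next caller makes that choice deliberately. The class body and most of the touched method bodies continue outside the hunks shown.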
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:615dcd478d3b8459053811d08970e45e7f44942e2f93e57097e7ce0a5f27ba4a
|
|
||||||
size 707213
|
|
3
firewalld-0.4.4.3.tar.bz2
Normal file
3
firewalld-0.4.4.3.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:4dbd99b0f6a29306dc6c48daba706fe598689e9e077b461c7a592366c6605d07
|
||||||
|
size 713876
|
@ -1,3 +1,49 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Feb 13 16:20:27 UTC 2017 - mchandras@suse.de
|
||||||
|
|
||||||
|
- Update to version 0.4.4.3
|
||||||
|
* New service freeipa-trust (rh#1411650)
|
||||||
|
* Complete icmp types for IPv4 and IPv6
|
||||||
|
* New h323 helper container
|
||||||
|
* Support helper container: h323
|
||||||
|
* firewall.server.decorators: ALREADY_ errors should be logged as warnings
|
||||||
|
* firewall.command: ALREADY_SET should also result in zero exit code
|
||||||
|
* tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd
|
||||||
|
* Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface
|
||||||
|
* New checks for ipset entry validation
|
||||||
|
* Use ipset dimension for match
|
||||||
|
* firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list
|
||||||
|
* New firewall.core.icmp providing names and types for icmp and icmpv6 values
|
||||||
|
* firewall.core.fw_ipset: New methods to get ipset dimension and applied state
|
||||||
|
* firewall.errors: New error NOT_APPLIED
|
||||||
|
* firewall-cmd man page: Add missing --get-ipset-types
|
||||||
|
* firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345)
|
||||||
|
* firewall.core.prog: Fix addition of the error output in runProg
|
||||||
|
* Speed up ipset handling, (re)loading and import from file
|
||||||
|
* Support --family option for --new-ipset
|
||||||
|
* Handle FirewallError for query sequences in command line tools
|
||||||
|
* Fail to alter entries of ipsets with timeout
|
||||||
|
* Extended tests for ipset options
|
||||||
|
* Return empty list for ipsets using timeouts
|
||||||
|
* firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186)
|
||||||
|
* firewalld.conf man page: New section about AutomaticHelpers
|
||||||
|
* firewall-offline-cmd man page: Added -v and -q options, fixed section ids
|
||||||
|
* firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface
|
||||||
|
* firewall.core.fw_zone: Limit masquerading forward rule to new connections
|
||||||
|
* firewall-config: Update active zones on reloaded signal
|
||||||
|
* firewall-applet: Update active zones and tooltip on reloaded signal
|
||||||
|
* firewall.core.fw_zone: Fix missing chain for helper in rich rules using service (rh#1416578)
|
||||||
|
* Support icmp-type usage in rich rules (rh#1409544)
|
||||||
|
* firewall[-offline]-cmd: Fix --{set,get}-{short,description} for ipset and helper (rh#1416325)
|
||||||
|
* firewall.core.ipset: Solve ipset creation issues with -exist and more flag tests
|
||||||
|
* Speed up start and restart for ipsets with lots of entries (rh#1416817)
|
||||||
|
* Speed up of ipset alteration by adding and removing entries using a file (rh#1416817)
|
||||||
|
* Code cleanup and minor bug fixes
|
||||||
|
* firewall.core.prog: Fix addition of the error output in runProg
|
||||||
|
* New services mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync
|
||||||
|
* Translation updates
|
||||||
|
- Add upstream patch to fix ipset overloading from /etc/firewalld/ipsets (gh#t-woerner/firewalld#206)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Dec 5 09:41:03 UTC 2016 - mchandras@suse.de
|
Mon Dec 5 09:41:03 UTC 2016 - mchandras@suse.de
|
||||||
|
|
||||||
@ -92,15 +138,15 @@ Tue Jun 28 14:59:35 UTC 2016 - mchandras@suse.de
|
|||||||
Wed Jun 22 14:15:29 UTC 2016 - mchandras@suse.de
|
Wed Jun 22 14:15:29 UTC 2016 - mchandras@suse.de
|
||||||
|
|
||||||
- Update to version 0.4.3
|
- Update to version 0.4.3
|
||||||
* New firewallctl utility (RHBZ#1147959)
|
* New firewallctl utility (rh#1147959)
|
||||||
* doc.xml.seealso: Show firewalld.dbus in See Also sections
|
* doc.xml.seealso: Show firewalld.dbus in See Also sections
|
||||||
* firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (RHBZ#1339251)
|
* firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (rh#1339251)
|
||||||
* {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
|
* {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
|
||||||
* firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
|
* firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
|
||||||
* firewall-cmd: Dropped duplicate setType call in --new-ipset
|
* firewall-cmd: Dropped duplicate setType call in --new-ipset
|
||||||
* radius service: Support also tcp ports (RBZ#1219717)
|
* radius service: Support also tcp ports (RBZ#1219717)
|
||||||
* xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset sources
|
* xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset sources
|
||||||
* config.xmlschema.service.xsd: Fix service destination conflicts (RHBZ#1296573)
|
* config.xmlschema.service.xsd: Fix service destination conflicts (rh#1296573)
|
||||||
* firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
|
* firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
|
||||||
* firewall.command: Only print summary and description in print_X_info with verbose
|
* firewall.command: Only print summary and description in print_X_info with verbose
|
||||||
* firewall.command: print_msg should be able to print empty lines
|
* firewall.command: print_msg should be able to print empty lines
|
||||||
@ -181,7 +227,7 @@ Tue May 31 08:30:44 UTC 2016 - mchandras@suse.de
|
|||||||
* New icmp-block-inversion flag in the zones
|
* New icmp-block-inversion flag in the zones
|
||||||
* ICMP type filtering in the zones
|
* ICMP type filtering in the zones
|
||||||
* New services: sip, sips, managesieve
|
* New services: sip, sips, managesieve
|
||||||
* rich rules: Allow destination action (RHBZ#1163428)
|
* rich rules: Allow destination action (rh#1163428)
|
||||||
* firewall-offline-cmd: New option -q/--quiet
|
* firewall-offline-cmd: New option -q/--quiet
|
||||||
* firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
|
* firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
|
||||||
* firewall-[offline-]cmd: Fix option for setting the destination
|
* firewall-[offline-]cmd: Fix option for setting the destination
|
||||||
@ -250,7 +296,7 @@ Thu Apr 21 08:15:19 UTC 2016 - mchandras@suse.de
|
|||||||
* Fix logging in rich rule forward rules
|
* Fix logging in rich rule forward rules
|
||||||
* Transformed direct.passthrough errors into warnings
|
* Transformed direct.passthrough errors into warnings
|
||||||
* Rework of import structures
|
* Rework of import structures
|
||||||
* Reduced calls to get ids for port and protocol names (RHBZ#1305434)
|
* Reduced calls to get ids for port and protocol names (rh#1305434)
|
||||||
* Build and installation fixes by Markos Chandras
|
* Build and installation fixes by Markos Chandras
|
||||||
* Provide D-Bus properties in introspection data
|
* Provide D-Bus properties in introspection data
|
||||||
* Fix for flaws found by landscape.io
|
* Fix for flaws found by landscape.io
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package firewalld
|
# spec file for package firewalld
|
||||||
#
|
#
|
||||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -17,13 +17,15 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: firewalld
|
Name: firewalld
|
||||||
Version: 0.4.4.2
|
Version: 0.4.4.3
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
|
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
|
||||||
License: GPL-2.0+
|
License: GPL-2.0+
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Url: http://www.firewalld.org
|
Url: http://www.firewalld.org
|
||||||
Source: https://fedorahosted.org/released/%{name}/%{name}-%{version}.tar.bz2
|
Source: https://fedorahosted.org/released/%{name}/%{name}-%{version}.tar.bz2
|
||||||
|
# PATCH-FIX-UPSTREAM: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch (gh#t-woerner/firewalld#206)
|
||||||
|
Patch: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch
|
||||||
BuildRequires: desktop-file-utils
|
BuildRequires: desktop-file-utils
|
||||||
BuildRequires: docbook-xsl-stylesheets
|
BuildRequires: docbook-xsl-stylesheets
|
||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
@ -84,6 +86,7 @@ firewalld.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --enable-sysconfig --enable-rpmmacros
|
%configure --enable-sysconfig --enable-rpmmacros
|
||||||
|