Accepting request 847325 from home:mrostecki:branches:security:netfilter

- Remove the patch which enforces usage of iptables instead of
  nftables:
  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the
  workaround for lack of nftables support in docker. Without that
  additional zone, containers have no Internet connectivity.
  (rhbz#1817022)
- Update to 0.9.1:
  * Bugfixes:
    * docs(firewall-cmd): clarify lockdown whitelist command paths
    * fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
    * fix(policy): zone interface/source changes should affect all using zone

OBS-URL: https://build.opensuse.org/request/show/847325
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=107
Michał Rostecki 2020-11-09 17:48:32 +00:00 committed by Git OBS Bridge
parent 0dea11c5eb
commit e87c42cb75
6 changed files with 32 additions and 51 deletions


@ -1,45 +0,0 @@
Index: firewalld-0.8.3/config/firewalld.conf
===================================================================
--- firewalld-0.8.3.orig/config/firewalld.conf
+++ firewalld-0.8.3/config/firewalld.conf
@@ -43,9 +43,9 @@ LogDenied=off
# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
+# - nftables
+# - iptables (iptables, ip6tables, ebtables and ipset) (default)
+FirewallBackend=iptables
# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
Index: firewalld-0.8.3/doc/xml/firewalld.conf.xml
===================================================================
--- firewalld-0.8.3.orig/doc/xml/firewalld.conf.xml
+++ firewalld-0.8.3/doc/xml/firewalld.conf.xml
@@ -149,8 +149,8 @@
<listitem>
<para>
Selects the firewall backend implementation. Possible values
- are; <replaceable>nftables</replaceable> (default), or
- <replaceable>iptables</replaceable>. This applies to all
+ are; <replaceable>nftables</replaceable>, or
+ <replaceable>iptables</replaceable> (default). This applies to all
firewalld primitives. The only exception is direct and
passthrough rules which always use the traditional iptables,
ip6tables, and ebtables backends.
Index: firewalld-0.8.3/src/firewall/config/__init__.py.in
===================================================================
--- firewalld-0.8.3.orig/src/firewall/config/__init__.py.in
+++ firewalld-0.8.3/src/firewall/config/__init__.py.in
@@ -127,7 +127,7 @@ FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "no"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
FALLBACK_ALLOW_ZONE_DRIFTING = False
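Review bot: dropping this patch flips the shipped default back to nftables in all three places it touched (config/firewalld.conf, the FirewallBackend entry in doc/xml/firewalld.conf.xml, and FALLBACK_FIREWALL_BACKEND in src/firewall/config/__init__.py.in), but only for new installs: a host whose /etc/firewalld/firewalld.conf was written while the patched default was in effect still carries `FirewallBackend=iptables` and keeps using the iptables backend after this update. The changelog entry should say that upgraded systems are not switched automatically and that the setting has to be changed by hand followed by a firewalld restart, otherwise users will assume the docker zone and the nftables default apply to them when they do not.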

docker-zone.xml Normal file

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
<short>docker</short>
<description>All network connections are accepted.</description>
<interface name="docker0"/>
</zone>
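Review bot: target="ACCEPT" is broader than the stated goal of giving containers Internet connectivity; it accepts every packet that arrives on docker0, so any container can reach any service the host is listening on, which is exactly what the description line "All network connections are accepted." says. If forwarding and masquerading for container traffic is all that is needed, a narrower zone would do; at minimum the changelog should name this as a container-to-host exposure rather than only a connectivity workaround. Note also that the zone binds only the interface named docker0; bridges with other names are not covered by it.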


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7cfbf8a33f726151e60c07486af0921fa05cbbab097adf90ec1caef37b49d9a0
size 2007954

firewalld-0.9.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7e3db6ed84919dd10add39cc7a28d97b5a9e27a53aeb73abf8af01ef082b74f9
size 2007880
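Review bot: the only integrity record for the new tarball is the git-lfs oid (sha256:7e3db6ed...), which is the hash of whatever was uploaded, not a check against anything upstream published; the spec in this request lists Source0 and Source1 only, with no detached signature or checksum file. State in the request how firewalld-0.9.1.tar.gz was verified against the upstream release so the 0.9.0 to 0.9.1 bump is auditable, and consider adding the upstream signature and keyring as additional sources if upstream provides them.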


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Mon Nov 9 09:15:55 UTC 2020 - Michał Rostecki <mrostecki@suse.com>
- Remove the patch which enforces usage of iptables instead of
nftables:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the
workaround for lack of nftables support in docker. Without that
additional zone, containers have no Internet connectivity.
(rhbz#1817022)
- Update to 0.9.1:
* Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths
* fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
* fix(policy): zone interface/source changes should affect all using zone
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 11 18:05:42 UTC 2020 - Franck Bui <fbui@suse.com> Fri Sep 11 18:05:42 UTC 2020 - Franck Bui <fbui@suse.com>
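Review bot: the docker zone entry says which problem it works around (rhbz#1817022) but not what the zone permits; since docker-zone.xml sets target="ACCEPT" for docker0, the entry should say that all traffic from docker0 is now accepted, so an administrator reading the changelog sees a change in exposure and not just a connectivity fix.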


@ -21,14 +21,14 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: firewalld Name: firewalld
Version: 0.9.0 Version: 0.9.1
Release: 0 Release: 0
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Url: http://www.firewalld.org Url: http://www.firewalld.org
Source: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch Source1: docker-zone.xml
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
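Review bot: Url: still points at http://www.firewalld.org while Source0 is fetched over https; switch Url to https as well. The rename of Source to Source0 is fine and keeps the numbering consistent with the new Source1 (docker-zone.xml) that replaces the removed Patch0.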
@ -151,6 +151,10 @@ rm %{buildroot}%{_sysconfdir}/sysconfig/firewalld
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcfirewalld ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcfirewalld
# add firewalld zone (rhbz#1817022)
install -dp %{buildroot}%{_prefix}/lib/firewalld/zones
install -p -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/zones/docker.xml
%fdupes %{buildroot}%{python3_sitelib} %fdupes %{buildroot}%{python3_sitelib}
%find_lang %{name} --all-name %find_lang %{name} --all-name
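Review bot: the zone file is installed as %{_prefix}/lib/firewalld/zones/docker.xml, but the %files section is not part of this diff; confirm that path is packaged (for example by a directory entry for %{_prefix}/lib/firewalld), otherwise the build fails on an unpackaged file. Shipping it as a vendor zone under /usr/lib/firewalld/zones rather than /etc/firewalld/zones is the right choice, since an administrator's copy in /etc overrides it, and mode 644 is appropriate for a zone definition.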