Commit Graph

163 Commits

Author SHA256 Message Date
Michał Rostecki
c5f0c6eb45 Accepting request 770094 from home:iznogood:branches:security:netfilter
- No longer recommend -lang: supplements are in use.

OBS-URL: https://build.opensuse.org/request/show/770094
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=99
2020-03-05 12:07:19 +00:00
Dominique Leuenberger
2b73c2f15c Accepting request 751072 from security:netfilter
without shift to nft

OBS-URL: https://build.opensuse.org/request/show/751072
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=44
2019-11-26 15:50:13 +00:00
Michał Rostecki
8a30f7c14c Accepting request 751070 from home:mrostecki:branches:security:netfilter
- Replace incorrect usage of %_libexecdir with %_prefix/lib
- rebased the original patch from revision 19
- Added a patch to make iptables the default again on openSUSE
- Update to version 0.7.2:
This is a bug fix only release.
  * fix: direct: removeRules() was mistakenly removing all rules
  * fix: guarantee zone source dispatch is sorted by zone name
  * fix: nftables: fix zone dispatch using ipset sources in nat chains
  * doc: add --default-config and --system-config
  * fix: --add-masquerade should only affect ipv4
  * fix: nftables: --forward-ports should only affect IPv4
  * fix: direct: removeRules() not removing all rules in chain
  * dbus: service: fix service includes individual APIs
  * fix: allow custom helpers using standard helper modules
  * fix: service: usage of helpers with '-' in name
  * fix: Revert "ebtables: drop support for broute table"
  * fix: ebtables: don't use tables that aren't available
  * fix: fw: initialize _rfc3964_ipv4
- Update to version 0.7.1:
  * Rich Rule Priorities
  * Service Definition Includes - Service definitions can now
    include lines like: <include service="https"/> which will
    include all the ports, etc from the https service.
  * RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in
    firewalld.conf is available. It does filtering based on RFC3964
    in regards to IPv4 addresses. This functionality was
    traditionally in network-scripts.
  * FlushAllOnReload - A new option FlushAllOnReload in
    firewalld.conf is available. Older release retained some
    settings (direct rules, interface to zone assignments) during a
    --reload. With the introduction of this configuration option
    that is no longer the case. Old behavior can be restored by
    setting FlushAllOnReload=no.
  * 15 new service definitions
  * fix: firewall-offline-cmd: service: use dict based APIs
  * fix: client: service: use dict based dbus APIs
  * test: dbus: coverage for new service APIs
  * fix: dbus: new dict based APIs for services
  * test: dbus: service API coverage
  * test: functions: add macro DBUS_INTROSPECT
  * test: functions: add CHOMP macro for shell output
  * fix: tests/functions: use gdbus instead of dbus-send
  * fix: dbus: add missing APIs for service includes
- Remove patch for using iptables instead of nftables - we should
  finally switch to nftables and fix its issues properly if they
  occur again:
  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Remove patch which was released upstream:
  * 0002-Add-FlushAllOnReload-config-option.patch
- Update to version 0.6.4:
  * chore: update translations
  * treewide: fix over indentation (flake8 E117)
  * test: travis: add another test matrix for omitting ip6tables
  * chore: travis: split test matrix by keywords
  * chore: tests: add AT_KEYWORDS for firewall-offline-cmd
  * improvement: tests: Use AT_KEYWORDS for backends
  * fix: tests: guard occurrences of IPv6
  * fix: tests/functions: ignore warnings about missing ip6tables
  * test: add macro IF_IPV6_SUPPORTED
- Move RPM macros to %_rpmmacrodir.
- Revert last change: the macros DO reference firewall-cmd, but as
  they are expanded during build time of the package, not at
  runtime, the point in time is wrong to require firewalld. The
  consumer of the macro is responsible to ask for the right
  commands to be present at runtime of the scripts
  (boo#1125775#c9).
- Add dependency between firewall-macros and firewalld.
  (boo#1125775)
- Fix --with-ifcfgdir configure parameter. (boo#1124212)
- Add upstream patch to make --reload/--complete-reload forget the
  runtime configuration and always load the permanent one
  (bsc#1121277)
  * 0002-Add-FlushAllOnReload-config-option.patch
- Update to 0.6.3. Some of the changes are:
  * update translations
  * nftables: fix reject statement in "block" zone
  * shell-completion: bash: don't check firewalld state
  * firewalld: fix --runtime-to-permanent if NM not in use.
  * firewall-cmd: sort --list-protocols output
  * firewall-cmd: sort --list-services output
  * command: sort services/protocols in --list-all output
  * services: add audit
  * nftables: fix rich rule log/audit being added to wrong chain
  * nftables: fix destination checks not allowing masks
  * firewall/core/io/*.py: Let SAX handle the encoding of XML files (gh#firewalld/firewalld#395)(bsc#1083361)
  * fw_zone: expose _ipset_match_flags()
  * tests/firewall-cmd: exercise multiple interfaces and zones
  * fw_transaction: On clear zone transaction, must clear fw and other zones
  * Fix translating labels (gh#firewalld/firewalld#392)
- Remove patches which have made it upstream:
  * 0001-Fix-translating-labels-392.patch
  * 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
- Add upstream patch to mark more strings as translatable which is
  required by firewall UI when creating rich rules (bsc#1096542)
  * 0001-Fix-translating-labels-392.patch
- Add upstream patch to fix rich rules that uses ipset (bsc#1104990)
  * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
- Update to 0.6.2. Some of the changes are:
  * update translations
  * nftables: fix log-denied with values other than "all" or "off"
  * fw_ipset: raise FirewallError if backend command fails
  * ipset: only use "-exist" on restore
  * fw_ipset: fix duplicate add of ipset entries
  * *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821)
  * ipXtables: increase wait lock to 10s
  * nftables: fix rich rules ports/protocols/source ports not considering ct state
  * ports: allow querying a single added by range
  * fw_zone: do not change rich rule errors into warnings
  * fw_zone: fix services with multiple destination IP versions (bsc#1105899)
  * fw_zone: consider destination for protocols
  * firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319)
  * fw: If direct rules fail to apply add a "Direct" label to error msg
  * fw: if startup fails on reload, reapply non-perm config that survives reload
  * nftables: fix rich rule audit log
  * ebtables: replace RETURN policy with explicit RETURN at end of chain
  * direct backends: allow build_chain() to build multiple rules
  * fw: if failure occurs during startup set state to FAILED
  * fw: on restart set policy from same function
  * ebtables: drop support for broute table
- Remove upstream patches
  * 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
  * 0001-fw_zone-consider-destination-for-protocols.patch
  * 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch
  * firewalld-fix-firewalld-config-crash.patch
- Add upstream patch to fix Neighbor Discovery filtering for IPv6 (bsc#1105821)
  * 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
- Add upstream patch to fix building rules for multiple IP families (bsc#1105899)
  * 0001-fw_zone-consider-destination-for-protocols.patch
  * 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch
- Add firewalld-fix-firewalld-config-crash.patch: set
  nm_get_zone_of_connection to return 'None' instead of 'False' for
  automatically generated connections to avoid firewall-config
  crashes. Patch provided by upstream (boo#1106319,
  gh#firewalld/firewalld#370).
- Also switch firewall backend fallback to 'iptables' (bsc#1102761)
  This ensures that existing configuration files will keep working
  even if FirewallBackend option is missing.
  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Update to 0.6.1. Some of the changes are:
  * Correct source/destination in rich rule masquerade
  * Only modify ifcfg files for permanent configuration changes
  * Fix a backtrace when calling common_reverse_rule()
  * man firewalld.conf: Show nftables is the default FirewallBackend
  * firewall-config: fix some untranslated strings that caused a UI
    bug causing rich rules to not be modify-able (bsc#1096542)
  * fw_direct: avoid log for untracked passthrough queries
  * fixed many issues if iptables is actually iptables-nft
  * Use preferred location for AppData files
  * ipXtables: fix ICMP block inversion with set-log-denied
  * fixes ICMP block inversion with set-log-denied with
    IndividualCalls=yes
  * nftables: fix set-log-denied if target is not ACCEPT
  * fw_direct: strip _direct chain suffix if using nftables
  * NetworkManager integration bugfixes.
- Switch back to 'iptables' backend as default (bsc#1102761)
- Update to 0.6.0. Some of the changes are:
  * update translations
  * firewall-config: Add ipv6-icmp to the protocol dropdown box (#348, bsc#1099698)
  * core: logger: Remove world-readable bit from logfile (#349, bsc#1098986)
  * IPv6 rpfilter: explicitly allow neighbor solicitation
  * nftables backend (default)
  * Added loads of new services
  * firewall-cmd: add --check-config option
  * firewall-offline-cmd: add --check-config option
  * firewallctl: completely remove all code and references
  * dbus: expose FirewallBackend
  * dbus: fix erroneous fallback for AutomaticHelpers
- Remove patches which have made it upstream
  * firewalld-add-additional-services.patch
- spec-cleaner fixes
- Update to 0.5.3 (bsc#1093120)
  * tests/regression: add test for ipset with timeout
  * ipset: allow adding entries to ipsets with timeout
  * translations: update
  * helpers: load helper module explicitly if no port given
  * helpers: nf_conntrack_proto-* helpers needs name cropped
  * config/Makefile: correct name of proto-gre helper
  * tests/regression: test helper nf_conntrack_proto_gre (#263)
  * functions: get_nf_nat_helpers() should look in other directories too
  * functions: Allow nf_conntrack_proto_* helpers
  * services: Add GRE
  * helpers: Add proto-gre
  * tests/regression: add test to verify ICMP block in forward chain
  * ipXtables: fix ICMP block not being present in FORWARD chain
- Translations update (bsc#1081623).
- Backport upstream patches to add additional services (bsc#1082033)
  * firewalld-add-additional-services.patch
- Update to 0.5.2
  * fix rule deduplication causing accidental removal of rules
  * log failure to parse direct rules xml as an error
  * firewall-config: Break infinite loop when firewalld is not running
  * fix set-log-denied not taking effect
  * po: update translations
- Remove high-availability service. SUSE HA uses the cluster service
  provided by the yast2-cluster package (bsc#1078223)
- Update to 0.5.1
  * ipXtables: fix iptables-restore wait option detection
  * python3: use "foo in dict" not dict.has_key(foo)
  * Fix potential python3 keys() incompatibility in watcher
  * Fixed python3 compatibility
  * ebtables: fix missing default value to set_rule()
  * fw_zone: fix invalid reference to __icmp_block_inversion
  * zones: Correct and defer check_name for combined zones
- Update to 0.5.0
  * firewallctl: mark deprecated (gh#firewalld/firewalld##261)
  * Add nmea-0183 service
  * Add sycthing-gui service
  * Add syncthing service
  * Adding FirewallD jenkins service (gh#firewalld/firewalld#256)
  * services/high-availability: Add port 9929
  * Fix and improve firewalld-sysctls.conf
  * firewalld: also reload dbus config interface for global options
  * Add MongoDB service definition
  * src: firewall: Add support for SUSE ifcfg scripts
  * Add UPnP client service
  * firewalld: Allow specifying log file location
  * firewalld/firewall-offline-cmd: Allow setting system config directories
- Drop obsolete patch
  * 0001-suse-ifcfg-files.patch
- Drop tests installation
- Introduce new python3-firewall and firewall-macros subpackages.
  The first one contains the firewalld python3 bindings and the second
  one contains the RPM macros for firewalld.
- Replace dbus-1-python requires with dbus-1-python3: since
  firewalld was migrated to python3, we also have to require the
  python3 dependencies (boo#1070310).
- Add missing python3-gobject-Gdk dependency (boo#1069952)
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)
- Make sure to use python3 everywhere (boo#1068778)
- Add combined upstream patch to support SUSE ifcfg network files.
  * 0001-suse-ifcfg-files.patch (gh#firewalld/firewalld#262, fate#323460)
- Update to version 0.4.4.6
  * firewall.core.fw_config: Fix check for icmp builtin name
  * config.services: docker-swarm: fix incorrect attribute
  * xmlschema/service.xsd: Fix protocol looking for name instead of value
  * Add docker swarm service (gh#firewalld/firewalld#230)
  * Adding FirewallD redis service (gh#firewalld/firewalld#248)
  * Adding firewalld zabbix server and agent services (gh#firewalld/firewalld#221)
  * firewall-offline-cmd: Don't require root for help output
  * doc: firewall-cmd: Document --query-* options return codes
  * firewall-cmd: Use colors only if output is a TTY
  * core: Log unsupported ICMP types as informational only
  * add bgp service to predefined services edit to config/Makefile.am
  * Add git service
  * Add kprop service
  * minidlna definitions (gh#firewalld/firewalld#236)
  * SpiderOak ONE listens on port 21327 and 21328
  * autogen.sh: Allow skipping configure via NOCONFIGURE env var
  * Add missing ports to RH-Satellite-6 service
  * Reload nf_conntrack sysctls after the module is loaded
  * Add NFSv3 service.
  * config/Makefile.am: Add murmur service (a95eed1)
  * add new service IRC
  * firewall.core.prog: Simplify runProg output: Combine stderr and stdout
  * firewall.core.fw: Fix possible dict size change in for loop
  * firewall.core.fw: Use new firewalld git repo in firewalld organization
  * config/firewall-config.appdata.xml.in: Use new firewalld git repo in firewalld organization
  * firewall.core.fw_zone: Rich-rule ICMP type: Error only for conflicting family
  * firewall.core.rich: Add checks for Rich_Source validation
  * Handle also IPv6 with the zone masquerade flag
  * Add IPv6 support for forward-ports in zones
  * firewall.command: Enable parse_forward_port to work with IPv6 adresses
  * firewall.core.fw_zone: Fix IPv6 address in rich rule forward ports
  * add Murmur (Mumble server) service
- spec file fixes to avoid rpmlint warnings about duplicate files.
 
- Switch to python3
- Run spec cleaner
- Move autogen to build section
- Add systemd requirements
- Update to version 0.4.4.5
  * firewall-offline-cmd: Fix --remove-service-from-zone option (rh#1438127)
  * Support sctp and dccp in ports, source-ports, forward-ports, helpers and rich rules
  * firewall-cmd: Fix --{set,get}-{short,description} for zone
  * firewall.core.ipXtables: Use new wait option for restore commands if available
  * Adding ovirt-vmconsole service file
  * Adding oVirt storage-console service.
  * Adding ctdb service file.
  * Adding service file for nrpe.
  * Rename extension for policy choices (server and desktop) to .policy.choice (rh#1449754)
  * D-Bus interfaces: Fix GetAll for interfaces without properties (rh#1452017)
  * firewall.core.fw_config: Fix wrong variable use in repr output
  * firewall.core.fw_icmptype: Add missing import for copy
  * firewall.core.fw_test: Fix wrong format string in repr
  * firewall.core.io.zone: Fix getattr use on super(Zone)
  * firewall.functions: New function get_nf_nat_helpers
  * firewall.core.fw: Get NAT helpers and store them internally.
  * firewall.core.fw_zone: Load NAT helpers with conntrack helpers
  * firewalld.dbus: Add missing properties nf_conntrach_helper_setting and nf_conntrack_helpers
  * firewall.server.firewalld: New property for NAT helpers supported by the kernel
- Update to version 0.4.4.4
  * Drop references to fedorahosted.org from spec file and Makefile.am
  * firewall-config: Show invalid ipset type in the ipset dialog in the bad label
  * firewall.core.fw: Show icmptypes and ipsets with type errors in permanent env
  * firewall.server.firewalld: Provide information about the supported icmp types
  * firewall.core.fw_icmptype: Add ICMP type only if the type is supported
  * firewall.core.fw: New attributes ip{4,6}tables_supported_icmp_types
  * firewall.core.ipXtables: New method supported_icmp_types
  * firewall-config: Deactivate edit buttons if there are no items
  * firewall.core.io.zone: Fix permanent rich rules using icmp-type (rh#1434594)
  * firewall.core.fw_ipset: get_ipset may not ckeck if set is applied by default
  * firewall.core.fw_transaction: Use LastUpdatedOrderedDict for zone transactions
- Remove upstream patch:
  * 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch 
- Update to version 0.4.4.3
  * New service freeipa-trust (rh#1411650)
  * Complete icmp types for IPv4 and IPv6
  * New h323 helper container
  * Support helper container: h323
  * firewall.server.decorators: ALREADY_ errors should be logged as warnings
  * firewall.command: ALREADY_SET should also result in zero exit code
  * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd
  * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface
  * New checks for ipset entry validation
  * Use ipset dimension for match
  * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list
  * New firewall.core.icmp providing names and types for icmp and icmpv6 values
  * firewall.core.fw_ipset: New methods to get ipset dimension and applied state
  * firewall.errors: New error NOT_APPLIED
  * firewall-cmd man page: Add missing --get-ipset-types
  * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345)
  * firewall.core.prog: Fix addition of the error output in runProg
  * Speed up ipset handling, (re)loading and import from file
  * Support --family option for --new-ipset
  * Handle FirewallError for query sequences in command line tools
  * Fail to alter entries of ipsets with timeout
  * Extended tests for ipset options
  * Return empty list for ipsets using timeouts
  * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186)
  * firewalld.conf man page: New section about AutomaticHelpers
  * firewall-offline-cmd man page: Added -v and -q options, fixed section ids
  * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface
  * firewall.core.fw_zone: Limit masquerading forward rule to new connections
  * firewall-config: Update active zones on reloaded signal
  * firewall-applet: Update active zones and tooltip on reloaded signal
  * firewall.core.fw_zone: Fix missing chain for helper in rich rules using service (rh#1416578)
  * Support icmp-type usage in rich rules (rh#1409544)
  * firewall[-offline]-cmd: Fix --{set,get}-{short,description} for ipset and helper (rh#1416325)
  * firewall.core.ipset: Solve ipset creation issues with -exist and more flag tests
  * Speed up start and restart for ipsets with lots of entries (rh#1416817)
  * Speed up of ipset alteration by adding and removing entries using a file (rh#1416817)
  * Code cleanup and minor bug fixes
  * firewall.core.prog: Fix addition of the error output in runProg
  * New services mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync
  * Translation updates
- Add upstream patch to fix ipset overloading from /etc/firewalld/ipsets (gh#t-woerner/firewalld#206)
  * 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch 
- Update to version 0.4.4.2
  * firewalld.spec: Added helpers and ipsets paths to firewalld-filesystem
  * firewall.core.fw_nm: create NMClient lazily
  * Do not use hard-coded path for modinfo, use autofoo to detect it
  * firewall.core.io.ifcfg: Dropped invalid option warning with bad format string
  * firewall.core.io.ifcfg: Properly handle quoted ifcfg values
  * firewall.core.fw_zone: Do not reset ZONE with ifdown
  * Updated translations from zanata
  * firewall-config: Extra grid at bottom to visualize firewalld settings
- Update to version 0.4.4.1
 * Translation updates form zanata
 * firewallctl: New support for helpers
 * firewallctl: Use sys.excepthook to force exception_handler usage always
 * firewall-config: Use proper source check in sourceDialog
- Update to version 0.4.4
  * firewall-applet: Use PyQt5
  * firewall-config: New nf_conntrack_select dialog, use nf_conntrack_helpers
    D-Bus property
  * New helpers Q.931 and RAS from nf_conntrack_h323
  * firewall.core.fw_zone: Add zone bingings for PREROUTING in the raw table
  * firewall.core.ipXtables: Add PREROUTING default rules for zones in raw
    table
  * New helper configuration files for amanda, ftp, irc, netbios-ns, pptp,
    sane, sip, snmp and tftp
  * firewall-cmd: Fixed --{get,set}-{description,short} for permanent zones
  * firewall.command: Do not use error code 254 for {ALREADY,NOT}_ENABLED
    sequences
  * Misc bug fixes.
  * For the complete list of changes please see:
    https://github.com/t-woerner/firewalld/releases/tag/v0.4.4
- Relax permissions for default installation files. The files in
  /usr/lib/firewalld are the default ones as shipped by the package and
  there is nothing secret in them.
- Update to version 0.4.3.3
  * Fixes CVE-2016-5410 (bsc#992772)
  * Standard error is now used for errors and warnings
  * Several fixes for use in change roots
  * Systemd service file changes
  * Fixed translations in firewall-config
  * Command line clients
  * Fixes infinite event handling loop in firewall-{config,applet} (bsc#992082)
- Update to version 0.4.3.2
  * Fix regression with unavailable optional commands
  * All missing backend messages should be warnings
  * Individual calls for missing restore commands
  * Only one authenticate call for add and remove options and also
    sequences
  * New service RH-Satellite-6
- Update to version 0.4.3.1
  * firewall.command: Fix python3 DBusException message not interable error
  * src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while installing
  * firewallctl: Do not trace back on list command without further arguments
  * firewallctl (man1): Added remaining sections zone, service, ..
  * firewallctl: Added runtime-to-permanent, interface and source parser, IndividualCalls setting
  * firewall.server.config: Allow to set IndividualCalls property in config interface
  * Fix missing icmp rules for some zones
  * runProg: Fix issue with running programs
  * firewall-offline-cmd: Fix issues with missing system-config-firewall
  * firewall.core.ipXtables: Split up source and dest addresses for transaction
  * firewall.server.config: Log error in case of loading malformed files in watcher
  * Install and package the firewallctl man page
  * Translation updates
- Update to version 0.4.3
  * New firewallctl utility (rh#1147959)
  * doc.xml.seealso: Show firewalld.dbus in See Also sections
  * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (rh#1339251)
  * {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
  * firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
  * firewall-cmd: Dropped duplicate setType call in --new-ipset
  * radius service: Support also tcp ports (RBZ#1219717)
  * xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset sources
  * config.xmlschema.service.xsd: Fix service destination conflicts (rh#1296573)
  * firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
  * firewall.command: Only print summary and description in print_X_info with verbose
  * firewall.command: print_msg should be able to print empty lines
  * firewall-config: No processing of runtime passthroughs signals in permanent
  * Landspace.io fixes and pylint calm downs
  * firewall.core.io.zone: Add zone_reader and zone_writer to all, pylint fixes
  * firewall-config: Fixed titles of command and context dialogs, also entry lenths
  * firewall-config: pylint calm downs
  * firewall.core.fw_zone: Fix use of MAC source in rich rules without ipv limit
  * firewall-config: Use self.active_zoens in conf_zone_added_cb
  * firewall.command: New parse_port, extended parse methods with more checks
  * firewall.command: Fixed parse_port to use the separator in the split call
  * firewall.command: New [de]activate_exception_handler, raise error in parse_X
  * services ha: Allow corosync-qnetd port
  * firewall-applet: Support for kde5-nm-connection-editor
  * tests/firewall-offline-cmd_test.sh: New tests for service and icmptype modifications
  * firewall-offline-cmd: Use FirewallCommand for simplification and sequence options
  * tests/firewall-cmd_test.sh: New tests for service and icmptype modifications
  * firewall-cmd: Fixed set, remove and query destination options for services
  * firewall.core.io.service: Source ports have not been checked in _check_config
  * firewall.core.fw_zone: Method check_source_port is not used, removed
  * firewall.core.base: Added default to ZONE_TARGETS
  * firewall.client: Allow to remove ipv:address pair for service destinations
  * tests/firewall-offline-cmd_test.sh: There is no timeout option in permanent
  * firewall-cmd: Landscape.io fixes, pylint calm downs
  * firewall-cmd: Use FirewallCommand for simplification and sequence options
  * firewall.command: New FirewallCommand for command line client simplification
  * New services: kshell, rsh, ganglia-master, ganglia-client
  * firewalld: Cleanup of unused imports, do not translate some deamon messages
  * firewalld: With fd close interation in runProg, it is not needed here anymore
  * firewall.core.prog: Add fd close iteration to runProg
  * firewall.core.fw_nm: Hide NM typelib import, new nm_get_dbus_interface function
  * firewalld.spec: Require NetworkManager-libnm instead of NetworkManager-glib
  * firewall-config: New add/remove ipset entries from file, remove all entries
  * firewall-applet: Fix tooltip after applet start with connection to firewalld
  * firewall-config: Select new zone, service or icmptype if the view was empty
  * firewalld.spec: Added build requires for iptables, ebtables and ipset
  * Adding nf_conntrack_sip module to the service SIP
  * firewall: core: fw_ifcfg: Quickly return if ifcfg directory does not exist
  * Drop unneeded python shebangs
  * Translation updates
- Remove obsolete patches:
  * 0001-src-firewall-core-Drop-unneeded-python-shebangs.patch
  * 0002-firewall-core-fw_ifcfg-Quickly-return-if-ifcfg-direc.patch
  * 0003-firewall.core.fw_nm-Hide-NM-typelib-import-new-nm_ge.patch
- Add missing %{?_smp_mflags} during install. This will speed up
  the installation phase as well as expose build system's problems
  due to higher level of parallelism.
- Run make during %build to ensure missing documentation is generated.
- spec file cleanups.
- Add upstream patch to prevent unconditional dependencies to the
  NetworkManager typelib (gh#t-woerner/firewalld#119)
  * 0003-firewall.core.fw_nm-Hide-NM-typelib-import-new-nm_ge.patch
- Update to version 0.4.2
  * New module to search for and change ifcfg files for interfaces
    not under control of NM
  * firewall_config: Enhanced messages in status bar
  * firewall-config: New message window as overlay if not connected
  * firewall-config: Fix sentivity of option, view menus and main
    paned if not connected
  * firewall-applet: Quit on SIGINT (Ctrl-C), reduced D-Bus calls,
    some cleanup
  * firewall-[offline]cmd: Show target in zone information
  * D-Bus: Completed masquerade methods in FirewallClientZoneSettings
  * Fixed log-denied rules for icmp-blocks
  * Keep sorting of interfaces, services, icmp-blocks and other
    settings in zones
  * Fixed runtime-to-permanent not to save interfaces under control
    of NM
  * New icmp-block-inversion flag in the zones
  * ICMP type filtering in the zones
  * New services: sip, sips, managesieve
  * rich rules: Allow destination action (rh#1163428)
  * firewall-offline-cmd: New option -q/--quiet
  * firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
  * firewall-[offline-]cmd: Fix option for setting the destination
    address
  * firewall-config: Fixed resizing behaviour
  * New transaction model for speed ups in start, restart, stop and
    other actions
  * firewall-cmd: New options --load{zone,service,ipset,icmptype}-defaults
  * Fixed memory leak in dbus_introspection_add_properties
  * Landscape.io fixes, pylint calm downs
  * New D-Bus getXnames methods to speed up firewall-config and firewall-cmd
  * ebtables-restore: No support for COMMIT command
  * Source port support in services, zones and rich rules
  * firewall-offline-cmd: Added --{add,remove}-entries-from-file for ipsets
  * firewall-config: New active bindings side bar for simple binding changes
  * Reworked NetworkManager module
  * Proper default zone handling for NM connections
  * Try to set zone binding with NM if interface is under control of NM
  * Code cleanup and bug fixes
  * Include test suite in the release and install in /usr/share/firewalld/tests
  * New Travis-CI configuration file
  * Fixed more broken frensh translations
  * Translation updates
- Add upstream patches
  * 0001-src-firewall-core-Drop-unneeded-python-shebangs.patch: Removes
    unneeded python shebangs
  * 0002-firewall-core-fw_ifcfg-Quickly-return-if-ifcfg-direc.patch: Do
    not try to access the network-scripts ifcfg directory.
- Drop rejected patch
  * drop-standard-output-error-systemd.patch
- Minor spec file clean-up
- Avoid runtime dependency on systemd, the macros can all deal with
  its absence.
- Suggest the susefirewall2-to-firewalld package which could assist
  in migrating the SuSEFirewall2 iptables rules to FirewallD.
- Update to version 0.4.1.2
  * Install fw_nm module
  * firewalld: Do not fail if log file could not be opened
  * Make ipsets visible per default in firewall-config
  * Fixed translations with python3
  [changes in 0.4.1.1]
  * Fix for broken frensh translation
  [changes in 0.4.1]
  * Enhancements of ipset handling
  * No cleanup of ipsets using timeouts while reloading
  * Only destroy conflicting ipsets
  * Only use ipset types supported by the system
  * Add and remove several ipset entries in one call using a file
  * Reduce time frame where builtin chains are on policy DROP while reloading
  * Include descriptions in --info-X calls
  * Command line interface support to get and alter descriptions of zones,
  * services, ipsets and icmptypes with permanent option
  * Properly watch changes in combined zones
  * Fix logging in rich rule forward rules
  * Transformed direct.passthrough errors into warnings
  * Rework of import structures
  * Reduced calls to get ids for port and protocol names (rh#1305434)
  * Build and installation fixes by Markos Chandras
  * Provide D-Bus properties in introspection data
  * Fix for flaws found by landscape.io
  * Fix for repeated SUGHUP
  * New NetworkManager module to get and set zones of connections, used in
    firewall-applet and firewall-config
  * configure: Autodetect backend tools ({ip,ip6,eb}tables{,-restore}, ipset)
  * Code cleanups
  * Bug fixes
- Fix drop-standard-output-error-systemd.patch tagging
- Add libxslt-tools build dependency
- Do not recommend a specific version for the lang subpackage
- Move translations to a new subpackage
- Set DISABLE_RESTART_ON_UPDATE to 'yes' instead of '1'. The macros in
  /etc/rpm/macros.systemd only check for the 'yes' value so fix it to
  properly prevent the firewalld service from being restarted during
  updates.
- Drop typelib(NetworkManager), NetworkManager-glib, gtk3
  and libnotify dependencies (see OBS SR#360792)
- firewall-config needs typelib(NetworkManager) to run
- Initial commit. Version 0.4.0
  * drop-standard-output-error-systemd.patch (gh#t-woerner/firewalld/pull/67)

OBS-URL: https://build.opensuse.org/request/show/751070
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=98
2019-11-26 15:41:10 +00:00
Dominique Leuenberger
c5b0e57ccf Accepting request 750645 from security:netfilter
- Replace incorrect usage of %_libexecdir with %_prefix/lib

- rebased the original patch from revision 19
- apply patch only on openSUSE < TW, and SLES.

- Added a patch to make iptables the default again on openSUSE

- Update to version 0.7.2:
This is a bug fix only release.
  * fix: direct: removeRules() was mistakenly removing all rules
  * fix: guarantee zone source dispatch is sorted by zone name
  * fix: nftables: fix zone dispatch using ipset sources in nat chains
  * doc: add --default-config and --system-config
  * fix: --add-masquerade should only affect ipv4
  * fix: nftables: --forward-ports should only affect IPv4
  * fix: direct: removeRules() not removing all rules in chain
  * dbus: service: fix service includes individual APIs
  * fix: allow custom helpers using standard helper modules
  * fix: service: usage of helpers with '-' in name
  * fix: Revert "ebtables: drop support for broute table"
  * fix: ebtables: don't use tables that aren't available
  * fix: fw: initialize _rfc3964_ipv4

- Update to version 0.7.1:
  * Rich Rule Priorities
  * Service Definition Includes - Service definitions can now
    include lines like: <include service="https"/> which will
    include all the ports, etc from the https service.
  * RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in
    firewalld.conf is available. It does filtering based on RFC3964

OBS-URL: https://build.opensuse.org/request/show/750645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=43
2019-11-25 10:24:22 +00:00
Michał Rostecki
7706a4507e Accepting request 750617 from home:Pharaoh_Atem:libexecdir
- Replace incorrect usage of %_libexecdir with %_prefix/lib

OBS-URL: https://build.opensuse.org/request/show/750617
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=97
2019-11-24 22:19:32 +00:00
Michał Rostecki
1bd6d8a100 Accepting request 736856 from home:lemmy04:branches:security:netfilter
- rebased the original patch from revision 19
- apply patch only on openSUSE < TW, and SLES.
- Added a patch to make iptables the default again on openSUSE
- Update to version 0.7.2:
This is a bug fix only release.
  * fix: direct: removeRules() was mistakenly removing all rules
  * fix: guarantee zone source dispatch is sorted by zone name
  * fix: nftables: fix zone dispatch using ipset sources in nat chains
  * doc: add --default-config and --system-config
  * fix: --add-masquerade should only affect ipv4
  * fix: nftables: --forward-ports should only affect IPv4
  * fix: direct: removeRules() not removing all rules in chain
  * dbus: service: fix service includes individual APIs
  * fix: allow custom helpers using standard helper modules
  * fix: service: usage of helpers with '-' in name
  * fix: Revert "ebtables: drop support for broute table"
  * fix: ebtables: don't use tables that aren't available
  * fix: fw: initialize _rfc3964_ipv4

OBS-URL: https://build.opensuse.org/request/show/736856
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=96
2019-10-10 13:08:15 +00:00
Michał Rostecki
32c597a355 Accepting request 729405 from home:mrostecki:branches:security:netfilter
- Update to version 0.7.1:
  * Rich Rule Priorities
  * Service Definition Includes - Service definitions can now
    include lines like: <include service="https"/> which will
    include all the ports, etc from the https service.
  * RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in
    firewalld.conf is available. It does filtering based on RFC3964
    in regards to IPv4 addresses. This functionality was
    traditionally in network-scripts.
  * FlushAllOnReload - A new option FlushAllOnReload in
    firewalld.conf is available. Older release retained some
    settings (direct rules, interface to zone assignments) during a
    --reload. With the introduction of this configuration option
    that is no longer the case. Old behavior can be restored by
    setting FlushAllOnReload=no.
  * 15 new service definitions
  * fix: firewall-offline-cmd: service: use dict based APIs
  * fix: client: service: use dict based dbus APIs
  * test: dbus: coverage for new service APIs
  * fix: dbus: new dict based APIs for services
  * test: dbus: service API coverage
  * test: functions: add macro DBUS_INTROSPECT
  * test: functions: add CHOMP macro for shell output
  * fix: tests/functions: use gdbus instead of dbus-send
  * fix: dbus: add missing APIs for service includes
- Remove patch for using iptables instead of nftables - we should
  finally switch to nftables and fix its issues properly if they
  occur again:
  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Remove patch which was released upstream:
  * 0002-Add-FlushAllOnReload-config-option.patch

OBS-URL: https://build.opensuse.org/request/show/729405
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=95
2019-09-09 10:44:18 +00:00
Michał Rostecki
0c8cbe2651 Accepting request 709239 from home:mrostecki:branches:security:netfilter
- Update to version 0.6.4:
  * chore: update translations
  * treewide: fix over indentation (flake8 E117)
  * test: travis: add another test matrix for omitting ip6tables
  * chore: travis: split test matrix by keywords
  * chore: tests: add AT_KEYWORDS for firewall-offline-cmd
  * improvement: tests: Use AT_KEYWORDS for backends
  * fix: tests: guard occurrences of IPv6
  * fix: tests/functions: ignore warnings about missing ip6tables
  * test: add macro IF_IPV6_SUPPORTED

OBS-URL: https://build.opensuse.org/request/show/709239
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=94
2019-06-11 17:53:06 +00:00
Dominique Leuenberger
cbc0e9a753 Accepting request 701566 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/701566
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=42
2019-05-10 07:10:07 +00:00
Michał Rostecki
f00f72b181 Accepting request 701536 from home:dimstar:Factory
Move RPM macros to %_rpmmacrodir.

OBS-URL: https://build.opensuse.org/request/show/701536
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=93
2019-05-08 12:16:10 +00:00
Dominique Leuenberger
e0d3097e8d Accepting request 689407 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/689407
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=41
2019-04-03 07:23:27 +00:00
Michał Rostecki
c28af1e985 Accepting request 689383 from home:dimstar:Factory
- Revert last change: the macros DO reference firewall-cmd, but as
  they are expanded during build time of the package, not at
  runtime, the point in time is wrong to require firewalld. The
  consumer of the macro is responsible to ask for the right
  commands to be present at runtime of the scripts
  (boo#1125775#c9).

OBS-URL: https://build.opensuse.org/request/show/689383
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=92
2019-03-28 15:58:02 +00:00
Dominique Leuenberger
0a841bccd3 Accepting request 678933 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/678933
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=40
2019-03-26 21:28:43 +00:00
Michał Rostecki
2f13ee734f Accepting request 678932 from home:mrostecki:branches:security:netfilter
- Add dependency between firewall-macros and firewalld.
  (boo#1125775)
- Fix --with-ifcfgdir configure parameter. (boo#1124212)

OBS-URL: https://build.opensuse.org/request/show/678932
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=91
2019-02-25 14:39:31 +00:00
Dominique Leuenberger
9734089aa4 Accepting request 664332 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/664332
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=39
2019-01-15 08:13:07 +00:00
Michał Rostecki
c8de569e4f Accepting request 664331 from home:mrostecki
- Add upstream patch to make --reload/--complete-reload forget the
  runtime configuration and always load the permanent one
  (bsc#1121277)
  * 0002-Add-FlushAllOnReload-config-option.patch

OBS-URL: https://build.opensuse.org/request/show/664331
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=90
2019-01-10 10:57:59 +00:00
Dominique Leuenberger
08bb420344 Accepting request 642057 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/642057
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=38
2018-10-18 13:30:16 +00:00
Markos Chandras
1ac089ef0e Accepting request 642050 from home:markoschandras:network
- Update to 0.6.3. Some of the changes are:
  * update translations
  * nftables: fix reject statement in "block" zone
  * shell-completion: bash: don't check firewalld state
  * firewalld: fix --runtime-to-permanent if NM not in use.
  * firewall-cmd: sort --list-protocols output
  * firewall-cmd: sort --list-services output
  * command: sort services/protocols in --list-all output
  * services: add audit
  * nftables: fix rich rule log/audit being added to wrong chain
  * nftables: fix destination checks not allowing masks
  * firewall/core/io/*.py: Let SAX handle the encoding of XML files (gh#firewalld/firewalld#395)(bsc#1083361)
  * fw_zone: expose _ipset_match_flags()
  * tests/firewall-cmd: exercise multiple interfaces and zones
  * fw_transaction: On clear zone transaction, must clear fw and other zones
  * Fix translating labels (gh#firewalld/firewalld#392)
- Remove patches which have made it upstream:
  * 0001-Fix-translating-labels-392.patch
  * 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch

OBS-URL: https://build.opensuse.org/request/show/642050
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=89
2018-10-15 13:09:17 +00:00
Dominique Leuenberger
b4d329838c Accepting request 637406 from security:netfilter
- Add upstream patch to mark more strings as translatable which is
  required by firewall UI when creating rich rules (bsc#1096542)
  * 0001-Fix-translating-labels-392.patch

- Add upstream patch to fix rich rules that uses ipset (bsc#1104990)
  * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch

- Update to 0.6.2. Some of the changes are:
  * update translations
  * nftables: fix log-denied with values other than "all" or "off"
  * fw_ipset: raise FirewallError if backend command fails
  * ipset: only use "-exist" on restore
  * fw_ipset: fix duplicate add of ipset entries
  * *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821)
  * ipXtables: increase wait lock to 10s
  * nftables: fix rich rules ports/protocols/source ports not considering ct state
  * ports: allow querying a single added by range
  * fw_zone: do not change rich rule errors into warnings
  * fw_zone: fix services with multiple destination IP versions (bsc#1105899)
  * fw_zone: consider destination for protocols
  * firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319)
  * fw: If direct rules fail to apply add a "Direct" label to error msg
  * fw: if startup fails on reload, reapply non-perm config that survives reload
  * nftables: fix rich rule audit log
  * ebtables: replace RETURN policy with explicit RETURN at end of chain
  * direct backends: allow build_chain() to build multiple rules
  * fw: if failure occurs during startup set state to FAILED
  * fw: on restart set policy from same function
  * ebtables: drop support for broute table
- Remove upstream patches

OBS-URL: https://build.opensuse.org/request/show/637406
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=37
2018-10-01 07:06:07 +00:00
Markos Chandras
db69522c97 * 0001-Fix-translating-labels-392.patch
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=88
2018-09-24 09:31:12 +00:00
Markos Chandras
539819b800 - Add upstream patch to mark more strings as translatable which is
required by firewall UI when creating rich rules (bsc#1096542)

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=87
2018-09-24 09:17:44 +00:00
Markos Chandras
cbd861eb95 Accepting request 637102 from home:luizluca:branches:security:netfilter
- Add upstream patch to fix rich rules that uses ipset (bsc#1104990)
  * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch

OBS-URL: https://build.opensuse.org/request/show/637102
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=86
2018-09-24 08:57:12 +00:00
Yuchen Lin
eed982fa1b Accepting request 636196 from security:netfilter
- Add upstream patch to fix Neighbor Discovery filtering for IPv6 (bsc#1105821)
  * 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
- Add upstream patch to fix building rules for multiple IP families (bsc#1105899)
  * 0001-fw_zone-consider-destination-for-protocols.patch
  * 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch

OBS-URL: https://build.opensuse.org/request/show/636196
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=36
2018-09-20 09:38:38 +00:00
Markos Chandras
97ab3032bb Accepting request 636832 from home:markoschandras:network
- Update to 0.6.2. Some of the changes are:
  * update translations
  * nftables: fix log-denied with values other than "all" or "off"
  * fw_ipset: raise FirewallError if backend command fails
  * ipset: only use "-exist" on restore
  * fw_ipset: fix duplicate add of ipset entries
  * *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821)
  * ipXtables: increase wait lock to 10s
  * nftables: fix rich rules ports/protocols/source ports not considering ct state
  * ports: allow querying a single added by range
  * fw_zone: do not change rich rule errors into warnings
  * fw_zone: fix services with multiple destination IP versions (bsc#1105899)
  * fw_zone: consider destination for protocols
  * firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319)
  * fw: If direct rules fail to apply add a "Direct" label to error msg
  * fw: if startup fails on reload, reapply non-perm config that survives reload
  * nftables: fix rich rule audit log
  * ebtables: replace RETURN policy with explicit RETURN at end of chain
  * direct backends: allow build_chain() to build multiple rules
  * fw: if failure occurs during startup set state to FAILED
  * fw: on restart set policy from same function
  * ebtables: drop support for broute table
- Remove upstream patches
  * 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
  * 0001-fw_zone-consider-destination-for-protocols.patch
  * 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch
  * firewalld-fix-firewalld-config-crash.patch

OBS-URL: https://build.opensuse.org/request/show/636832
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=85
2018-09-20 09:09:53 +00:00
Markos Chandras
a003a586b1 * 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
- Add upstream patch to fix building rules for multiple IP families (bsc#1105899)

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=84
2018-09-17 14:47:40 +00:00
Markos Chandras
d9178e1022 Accepting request 636192 from home:markoschandras:network
- Add upstream patch to fix Neighbor Discovery filtering for IPv6 (bsc#1105821)
  * 0001-nftables-fx-rich-rules-ports-protocols-source-ports.patch
- Add upstream patch to fix building rules for multiple IP families (bsc#1108651)
  * 0001-fw_zone-consider-destination-for-protocols.patch
  * 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch

OBS-URL: https://build.opensuse.org/request/show/636192
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=83
2018-09-17 14:33:10 +00:00
Yuchen Lin
c8fc60e4fb Accepting request 633723 from security:netfilter
- Add firewalld-fix-firewalld-config-crash.patch: set
  nm_get_zone_of_connection to return 'None' instead of 'False' for
  automatically generated connections to avoid firewall-config
  crashes. Patch provided by upstream (boo#1106319,
  gh#firewalld/firewalld#370).

OBS-URL: https://build.opensuse.org/request/show/633723
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=35
2018-09-13 10:09:22 +00:00
Markos Chandras
f10082c5b3 - Also switch firewall backend fallback to 'iptables' (bsc#1102761)
This ensures that existing configuration files will keep working
  even if FirewallBackend option is missing.
  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=82
2018-09-06 11:19:07 +00:00
Markos Chandras
5b572a40ef Restore package to Factory version
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=81
2018-09-04 07:50:48 +00:00
Markos Chandras
4870327e98 Accepting request 632901 from home:luc14n0:branches:security:netfilter
add firewalld-fix-firewalld-config-crash.patch to fix firewall-config crash

OBS-URL: https://build.opensuse.org/request/show/632901
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=80
2018-09-04 07:28:09 +00:00
Dominique Leuenberger
d868c707b2 Accepting request 631960 from security:netfilter
- Restore nftables as default backend (bsc#1102761). nftables and
  iptables can co-exist but the 'nat' table had a bug which was fixed
  in kernel-4.18.
- Update to 0.6.1. Some of the changes are:
  * Correct source/destination in rich rule masquerade
  * Only modify ifcfg files for permanent configuration changes
  * Fix a backtrace when calling common_reverse_rule()
  * man firewalld.conf: Show nftables is the default FirewallBackend
  * firewall-config: fix some untranslated strings that caused a UI
    bug causing rich rules to not be modify-able (bsc#1096542)
  * fw_direct: avoid log for untracked passthrough queries
  * fixed many issues if iptables is actually iptables-nft
  * Use preferred location for AppData files
  * ipXtables: fix ICMP block inversion with set-log-denied
  * fixes ICMP block inversion with set-log-denied with
    IndividualCalls=yes
  * nftables: fix set-log-denied if target is not ACCEPT
  * fw_direct: strip _direct chain suffix if using nftables
  * NetworkManager integration bugfixes.
- Switch back to 'iptables' backend as default (bsc#1102761)
- Update to 0.6.0. Some of the changes are:
  * update translations
  * firewall-config: Add ipv6-icmp to the protocol dropdown box (#348, bsc#1099698)
  * core: logger: Remove world-readable bit from logfile (#349, bsc#1098986)
  * IPv6 rpfilter: explicitly allow neighbor solicitation
  * nftables backend (default)
  * Added loads of new services
  * firewall-cmd: add --check-config option
  * firewall-offline-cmd: add --check-config option
  * firewallctl: completely remove all code and references
  * dbus: expose FirewallBackend
  * dbus: fix erroneous fallback for AutomaticHelpers
- Remove patches which have made it upstream
  * firewalld-add-additional-services.patch
- spec-cleaner fixes
- Update to 0.5.3 (bsc#1093120)
  * tests/regression: add test for ipset with timeout
  * ipset: allow adding entries to ipsets with timeout
  * translations: update
  * helpers: load helper module explicitly if no port given
  * helpers: nf_conntrack_proto-* helpers needs name cropped
  * config/Makefile: correct name of proto-gre helper
  * tests/regression: test helper nf_conntrack_proto_gre (#263)
  * functions: get_nf_nat_helpers() should look in other directories too
  * functions: Allow nf_conntrack_proto_* helpers
  * services: Add GRE
  * helpers: Add proto-gre
  * tests/regression: add test to verify ICMP block in forward chain
  * ipXtables: fix ICMP block not being present in FORWARD chain
- Translations update (bsc#1081623).
- Backport upstream patches to add additional services (bsc#1082033)
  * firewalld-add-additional-services.patch
- Update to 0.5.2
  * fix rule deduplication causing accidental removal of rules
  * log failure to parse direct rules xml as an error
  * firewall-config: Break infinite loop when firewalld is not running
  * fix set-log-denied not taking effect
  * po: update translations
- Remove high-availability service. SUSE HA uses the cluster service
  provided by the yast2-cluster package (bsc#1078223)
- Update to 0.5.1
  * ipXtables: fix iptables-restore wait option detection
  * python3: use "foo in dict" not dict.has_key(foo)
  * Fix potential python3 keys() incompatibility in watcher
  * Fixed python3 compatibility
  * ebtables: fix missing default value to set_rule()
  * fw_zone: fix invalid reference to __icmp_block_inversion
  * zones: Correct and defer check_name for combined zones
- Update to 0.5.0
  * firewallctl: mark deprecated (gh#firewalld/firewalld##261)
  * Add nmea-0183 service
  * Add sycthing-gui service
  * Add syncthing service
  * Adding FirewallD jenkins service (gh#firewalld/firewalld#256)
  * services/high-availability: Add port 9929
  * Fix and improve firewalld-sysctls.conf
  * firewalld: also reload dbus config interface for global options
  * Add MongoDB service definition
  * src: firewall: Add support for SUSE ifcfg scripts
  * Add UPnP client service
  * firewalld: Allow specifying log file location
  * firewalld/firewall-offline-cmd: Allow setting system config directories
- Drop obsolete patch
  * 0001-suse-ifcfg-files.patch
- Drop tests installation
- Introduce new python3-firewall and firewall-macros subpackages.
  The first one contains the firewalld python3 bindings and the second
  one contains the RPM macros for firewalld.
- Replace dbus-1-python requires with dbus-1-python3: since
  firewalld was migrated to python3, we also have to require the
  python3 dependencies (boo#1070310).
- Add missing python3-gobject-Gdk dependency (boo#1069952)
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (boo#1069468)
- Make sure to use python3 everywhere (boo#1068778)
- Add combined upstream patch to support SUSE ifcfg network files.
  * 0001-suse-ifcfg-files.patch (gh#firewalld/firewalld#262, fate#323460)
- Update to version 0.4.4.6
  * firewall.core.fw_config: Fix check for icmp builtin name
  * config.services: docker-swarm: fix incorrect attribute
  * xmlschema/service.xsd: Fix protocol looking for name instead of value
  * Add docker swarm service (gh#firewalld/firewalld#230)
  * Adding FirewallD redis service (gh#firewalld/firewalld#248)
  * Adding firewalld zabbix server and agent services (gh#firewalld/firewalld#221)
  * firewall-offline-cmd: Don't require root for help output
  * doc: firewall-cmd: Document --query-* options return codes
  * firewall-cmd: Use colors only if output is a TTY
  * core: Log unsupported ICMP types as informational only
  * add bgp service to predefined services edit to config/Makefile.am
  * Add git service
  * Add kprop service
  * minidlna definitions (gh#firewalld/firewalld#236)
  * SpiderOak ONE listens on port 21327 and 21328
  * autogen.sh: Allow skipping configure via NOCONFIGURE env var
  * Add missing ports to RH-Satellite-6 service
  * Reload nf_conntrack sysctls after the module is loaded
  * Add NFSv3 service.
  * config/Makefile.am: Add murmur service (a95eed1)
  * add new service IRC
  * firewall.core.prog: Simplify runProg output: Combine stderr and stdout
  * firewall.core.fw: Fix possible dict size change in for loop
  * firewall.core.fw: Use new firewalld git repo in firewalld organization
  * config/firewall-config.appdata.xml.in: Use new firewalld git repo in firewalld organization
  * firewall.core.fw_zone: Rich-rule ICMP type: Error only for conflicting family
  * firewall.core.rich: Add checks for Rich_Source validation
  * Handle also IPv6 with the zone masquerade flag
  * Add IPv6 support for forward-ports in zones
  * firewall.command: Enable parse_forward_port to work with IPv6 adresses
  * firewall.core.fw_zone: Fix IPv6 address in rich rule forward ports
  * add Murmur (Mumble server) service
- spec file fixes to avoid rpmlint warnings about duplicate files.
 
- Switch to python3
- Run spec cleaner
- Move autogen to build section
- Add systemd requirements
- Update to version 0.4.4.5
  * firewall-offline-cmd: Fix --remove-service-from-zone option (rh#1438127)
  * Support sctp and dccp in ports, source-ports, forward-ports, helpers and rich rules
  * firewall-cmd: Fix --{set,get}-{short,description} for zone
  * firewall.core.ipXtables: Use new wait option for restore commands if available
  * Adding ovirt-vmconsole service file
  * Adding oVirt storage-console service.
  * Adding ctdb service file.
  * Adding service file for nrpe.
  * Rename extension for policy choices (server and desktop) to .policy.choice (rh#1449754)
  * D-Bus interfaces: Fix GetAll for interfaces without properties (rh#1452017)
  * firewall.core.fw_config: Fix wrong variable use in repr output
  * firewall.core.fw_icmptype: Add missing import for copy
  * firewall.core.fw_test: Fix wrong format string in repr
  * firewall.core.io.zone: Fix getattr use on super(Zone)
  * firewall.functions: New function get_nf_nat_helpers
  * firewall.core.fw: Get NAT helpers and store them internally.
  * firewall.core.fw_zone: Load NAT helpers with conntrack helpers
  * firewalld.dbus: Add missing properties nf_conntrach_helper_setting and nf_conntrack_helpers
  * firewall.server.firewalld: New property for NAT helpers supported by the kernel
- Update to version 0.4.4.4
  * Drop references to fedorahosted.org from spec file and Makefile.am
  * firewall-config: Show invalid ipset type in the ipset dialog in the bad label
  * firewall.core.fw: Show icmptypes and ipsets with type errors in permanent env
  * firewall.server.firewalld: Provide information about the supported icmp types
  * firewall.core.fw_icmptype: Add ICMP type only if the type is supported
  * firewall.core.fw: New attributes ip{4,6}tables_supported_icmp_types
  * firewall.core.ipXtables: New method supported_icmp_types
  * firewall-config: Deactivate edit buttons if there are no items
  * firewall.core.io.zone: Fix permanent rich rules using icmp-type (rh#1434594)
  * firewall.core.fw_ipset: get_ipset may not ckeck if set is applied by default
  * firewall.core.fw_transaction: Use LastUpdatedOrderedDict for zone transactions
- Remove upstream patch:
  * 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch 
- Update to version 0.4.4.3
  * New service freeipa-trust (rh#1411650)
  * Complete icmp types for IPv4 and IPv6
  * New h323 helper container
  * Support helper container: h323
  * firewall.server.decorators: ALREADY_ errors should be logged as warnings
  * firewall.command: ALREADY_SET should also result in zero exit code
  * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd
  * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface
  * New checks for ipset entry validation
  * Use ipset dimension for match
  * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list
  * New firewall.core.icmp providing names and types for icmp and icmpv6 values
  * firewall.core.fw_ipset: New methods to get ipset dimension and applied state
  * firewall.errors: New error NOT_APPLIED
  * firewall-cmd man page: Add missing --get-ipset-types
  * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345)
  * firewall.core.prog: Fix addition of the error output in runProg
  * Speed up ipset handling, (re)loading and import from file
  * Support --family option for --new-ipset
  * Handle FirewallError for query sequences in command line tools
  * Fail to alter entries of ipsets with timeout
  * Extended tests for ipset options
  * Return empty list for ipsets using timeouts
  * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186)
  * firewalld.conf man page: New section about AutomaticHelpers
  * firewall-offline-cmd man page: Added -v and -q options, fixed section ids
  * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface
  * firewall.core.fw_zone: Limit masquerading forward rule to new connections
  * firewall-config: Update active zones on reloaded signal
  * firewall-applet: Update active zones and tooltip on reloaded signal
  * firewall.core.fw_zone: Fix missing chain for helper in rich rules using service (rh#1416578)
  * Support icmp-type usage in rich rules (rh#1409544)
  * firewall[-offline]-cmd: Fix --{set,get}-{short,description} for ipset and helper (rh#1416325)
  * firewall.core.ipset: Solve ipset creation issues with -exist and more flag tests
  * Speed up start and restart for ipsets with lots of entries (rh#1416817)
  * Speed up of ipset alteration by adding and removing entries using a file (rh#1416817)
  * Code cleanup and minor bug fixes
  * firewall.core.prog: Fix addition of the error output in runProg
  * New services mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync
  * Translation updates
- Add upstream patch to fix ipset overloading from /etc/firewalld/ipsets (gh#t-woerner/firewalld#206)
  * 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch 
- Update to version 0.4.4.2
  * firewalld.spec: Added helpers and ipsets paths to firewalld-filesystem
  * firewall.core.fw_nm: create NMClient lazily
  * Do not use hard-coded path for modinfo, use autofoo to detect it
  * firewall.core.io.ifcfg: Dropped invalid option warning with bad format string
  * firewall.core.io.ifcfg: Properly handle quoted ifcfg values
  * firewall.core.fw_zone: Do not reset ZONE with ifdown
  * Updated translations from zanata
  * firewall-config: Extra grid at bottom to visualize firewalld settings
- Update to version 0.4.4.1
 * Translation updates form zanata
 * firewallctl: New support for helpers
 * firewallctl: Use sys.excepthook to force exception_handler usage always
 * firewall-config: Use proper source check in sourceDialog
- Update to version 0.4.4
  * firewall-applet: Use PyQt5
  * firewall-config: New nf_conntrack_select dialog, use nf_conntrack_helpers
    D-Bus property
  * New helpers Q.931 and RAS from nf_conntrack_h323
  * firewall.core.fw_zone: Add zone bingings for PREROUTING in the raw table
  * firewall.core.ipXtables: Add PREROUTING default rules for zones in raw
    table
  * New helper configuration files for amanda, ftp, irc, netbios-ns, pptp,
    sane, sip, snmp and tftp
  * firewall-cmd: Fixed --{get,set}-{description,short} for permanent zones
  * firewall.command: Do not use error code 254 for {ALREADY,NOT}_ENABLED
    sequences
  * Misc bug fixes.
  * For the complete list of changes please see:
    https://github.com/t-woerner/firewalld/releases/tag/v0.4.4
- Relax permissions for default installation files. The files in
  /usr/lib/firewalld are the default ones as shipped by the package and
  there is nothing secret in them.
- Update to version 0.4.3.3
  * Fixes CVE-2016-5410 (bsc#992772)
  * Standard error is now used for errors and warnings
  * Several fixes for use in change roots
  * Systemd service file changes
  * Fixed translations in firewall-config
  * Command line clients
  * Fixes infinite event handling loop in firewall-{config,applet} (bsc#992082)
- Update to version 0.4.3.2
  * Fix regression with unavailable optional commands
  * All missing backend messages should be warnings
  * Individual calls for missing restore commands
  * Only one authenticate call for add and remove options and also
    sequences
  * New service RH-Satellite-6
- Update to version 0.4.3.1
  * firewall.command: Fix python3 DBusException message not interable error
  * src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while installing
  * firewallctl: Do not trace back on list command without further arguments
  * firewallctl (man1): Added remaining sections zone, service, ..
  * firewallctl: Added runtime-to-permanent, interface and source parser, IndividualCalls setting
  * firewall.server.config: Allow to set IndividualCalls property in config interface
  * Fix missing icmp rules for some zones
  * runProg: Fix issue with running programs
  * firewall-offline-cmd: Fix issues with missing system-config-firewall
  * firewall.core.ipXtables: Split up source and dest addresses for transaction
  * firewall.server.config: Log error in case of loading malformed files in watcher
  * Install and package the firewallctl man page
  * Translation updates
- Update to version 0.4.3
  * New firewallctl utility (rh#1147959)
  * doc.xml.seealso: Show firewalld.dbus in See Also sections
  * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (rh#1339251)
  * {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
  * firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
  * firewall-cmd: Dropped duplicate setType call in --new-ipset
  * radius service: Support also tcp ports (RBZ#1219717)
  * xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset sources
  * config.xmlschema.service.xsd: Fix service destination conflicts (rh#1296573)
  * firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
  * firewall.command: Only print summary and description in print_X_info with verbose
  * firewall.command: print_msg should be able to print empty lines
  * firewall-config: No processing of runtime passthroughs signals in permanent
  * Landspace.io fixes and pylint calm downs
  * firewall.core.io.zone: Add zone_reader and zone_writer to all, pylint fixes
  * firewall-config: Fixed titles of command and context dialogs, also entry lenths
  * firewall-config: pylint calm downs
  * firewall.core.fw_zone: Fix use of MAC source in rich rules without ipv limit
  * firewall-config: Use self.active_zoens in conf_zone_added_cb
  * firewall.command: New parse_port, extended parse methods with more checks
  * firewall.command: Fixed parse_port to use the separator in the split call
  * firewall.command: New [de]activate_exception_handler, raise error in parse_X
  * services ha: Allow corosync-qnetd port
  * firewall-applet: Support for kde5-nm-connection-editor
  * tests/firewall-offline-cmd_test.sh: New tests for service and icmptype modifications
  * firewall-offline-cmd: Use FirewallCommand for simplification and sequence options
  * tests/firewall-cmd_test.sh: New tests for service and icmptype modifications
  * firewall-cmd: Fixed set, remove and query destination options for services
  * firewall.core.io.service: Source ports have not been checked in _check_config
  * firewall.core.fw_zone: Method check_source_port is not used, removed
  * firewall.core.base: Added default to ZONE_TARGETS
  * firewall.client: Allow to remove ipv:address pair for service destinations
  * tests/firewall-offline-cmd_test.sh: There is no timeout option in permanent
  * firewall-cmd: Landscape.io fixes, pylint calm downs
  * firewall-cmd: Use FirewallCommand for simplification and sequence options
  * firewall.command: New FirewallCommand for command line client simplification
  * New services: kshell, rsh, ganglia-master, ganglia-client
  * firewalld: Cleanup of unused imports, do not translate some deamon messages
  * firewalld: With fd close interation in runProg, it is not needed here anymore
  * firewall.core.prog: Add fd close iteration to runProg
  * firewall.core.fw_nm: Hide NM typelib import, new nm_get_dbus_interface function
  * firewalld.spec: Require NetworkManager-libnm instead of NetworkManager-glib
  * firewall-config: New add/remove ipset entries from file, remove all entries
  * firewall-applet: Fix tooltip after applet start with connection to firewalld
  * firewall-config: Select new zone, service or icmptype if the view was empty
  * firewalld.spec: Added build requires for iptables, ebtables and ipset
  * Adding nf_conntrack_sip module to the service SIP
  * firewall: core: fw_ifcfg: Quickly return if ifcfg directory does not exist
  * Drop unneeded python shebangs
  * Translation updates
- Remove obsolete patches:
  * 0001-src-firewall-core-Drop-unneeded-python-shebangs.patch
  * 0002-firewall-core-fw_ifcfg-Quickly-return-if-ifcfg-direc.patch
  * 0003-firewall.core.fw_nm-Hide-NM-typelib-import-new-nm_ge.patch
- Add missing %{?_smp_mflags} during install. This will speed up
  the installation phase as well as expose build system's problems
  due to higher level of parallelism.
- Run make during %build to ensure missing documentation is generated.
- spec file cleanups.
- Add upstream patch to prevent unconditional dependencies to the
  NetworkManager typelib (gh#t-woerner/firewalld#119)
  * 0003-firewall.core.fw_nm-Hide-NM-typelib-import-new-nm_ge.patch
- Update to version 0.4.2
  * New module to search for and change ifcfg files for interfaces
    not under control of NM
  * firewall_config: Enhanced messages in status bar
  * firewall-config: New message window as overlay if not connected
  * firewall-config: Fix sentivity of option, view menus and main
    paned if not connected
  * firewall-applet: Quit on SIGINT (Ctrl-C), reduced D-Bus calls,
    some cleanup
  * firewall-[offline]cmd: Show target in zone information
  * D-Bus: Completed masquerade methods in FirewallClientZoneSettings
  * Fixed log-denied rules for icmp-blocks
  * Keep sorting of interfaces, services, icmp-blocks and other
    settings in zones
  * Fixed runtime-to-permanent not to save interfaces under control
    of NM
  * New icmp-block-inversion flag in the zones
  * ICMP type filtering in the zones
  * New services: sip, sips, managesieve
  * rich rules: Allow destination action (rh#1163428)
  * firewall-offline-cmd: New option -q/--quiet
  * firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
  * firewall-[offline-]cmd: Fix option for setting the destination
    address
  * firewall-config: Fixed resizing behaviour
  * New transaction model for speed ups in start, restart, stop and
    other actions
  * firewall-cmd: New options --load{zone,service,ipset,icmptype}-defaults
  * Fixed memory leak in dbus_introspection_add_properties
  * Landscape.io fixes, pylint calm downs
  * New D-Bus getXnames methods to speed up firewall-config and firewall-cmd
  * ebtables-restore: No support for COMMIT command
  * Source port support in services, zones and rich rules
  * firewall-offline-cmd: Added --{add,remove}-entries-from-file for ipsets
  * firewall-config: New active bindings side bar for simple binding changes
  * Reworked NetworkManager module
  * Proper default zone handling for NM connections
  * Try to set zone binding with NM if interface is under control of NM
  * Code cleanup and bug fixes
  * Include test suite in the release and install in /usr/share/firewalld/tests
  * New Travis-CI configuration file
  * Fixed more broken frensh translations
  * Translation updates
- Add upstream patches
  * 0001-src-firewall-core-Drop-unneeded-python-shebangs.patch: Removes
    unneeded python shebangs
  * 0002-firewall-core-fw_ifcfg-Quickly-return-if-ifcfg-direc.patch: Do
    not try to access the network-scripts ifcfg directory.
- Drop rejected patch
  * drop-standard-output-error-systemd.patch
- Minor spec file clean-up
- Avoid runtime dependency on systemd, the macros can all deal with
  its absence.
- Suggest the susefirewall2-to-firewalld package which could assist
  in migrating the SuSEFirewall2 iptables rules to FirewallD.
- Update to version 0.4.1.2
  * Install fw_nm module
  * firewalld: Do not fail if log file could not be opened
  * Make ipsets visible per default in firewall-config
  * Fixed translations with python3
  [changes in 0.4.1.1]
  * Fix for broken frensh translation
  [changes in 0.4.1]
  * Enhancements of ipset handling
  * No cleanup of ipsets using timeouts while reloading
  * Only destroy conflicting ipsets
  * Only use ipset types supported by the system
  * Add and remove several ipset entries in one call using a file
  * Reduce time frame where builtin chains are on policy DROP while reloading
  * Include descriptions in --info-X calls
  * Command line interface support to get and alter descriptions of zones,
  * services, ipsets and icmptypes with permanent option
  * Properly watch changes in combined zones
  * Fix logging in rich rule forward rules
  * Transformed direct.passthrough errors into warnings
  * Rework of import structures
  * Reduced calls to get ids for port and protocol names (rh#1305434)
  * Build and installation fixes by Markos Chandras
  * Provide D-Bus properties in introspection data
  * Fix for flaws found by landscape.io
  * Fix for repeated SUGHUP
  * New NetworkManager module to get and set zones of connections, used in
    firewall-applet and firewall-config
  * configure: Autodetect backend tools ({ip,ip6,eb}tables{,-restore}, ipset)
  * Code cleanups
  * Bug fixes
- Fix drop-standard-output-error-systemd.patch tagging
- Add libxslt-tools build dependency
- Do not recommend a specific version for the lang subpackage
- Move translations to a new subpackage
- Set DISABLE_RESTART_ON_UPDATE to 'yes' instead of '1'. The macros in
  /etc/rpm/macros.systemd only check for the 'yes' value so fix it to
  properly prevent the firewalld service from being restarted during
  updates.
- Drop typelib(NetworkManager), NetworkManager-glib, gtk3
  and libnotify dependencies (see OBS SR#360792)
- firewall-config needs typelib(NetworkManager) to run
- Initial commit. Version 0.4.0
  * drop-standard-output-error-systemd.patch (gh#t-woerner/firewalld/pull/67)

OBS-URL: https://build.opensuse.org/request/show/631960
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=34
2018-08-28 11:36:09 +00:00
Dominique Leuenberger
4380877127 Accepting request 629404 from security:netfilter
- Restore nftables as default backend (bsc#1102761). nftables and
  iptables can co-exist but the 'nat' table had a bug which was fixed
  in kernel-4.18.

- Update to 0.6.1. Some of the changes are:
  * Correct source/destination in rich rule masquerade
  * Only modify ifcfg files for permanent configuration changes
  * Fix a backtrace when calling common_reverse_rule()
  * man firewalld.conf: Show nftables is the default FirewallBackend
  * firewall-config: fix some untranslated strings that caused a UI
    bug causing rich rules to not be modify-able (bsc#1096542)
  * fw_direct: avoid log for untracked passthrough queries
  * fixed many issues if iptables is actually iptables-nft
  * Use preferred location for AppData files
  * ipXtables: fix ICMP block inversion with set-log-denied
  * fixes ICMP block inversion with set-log-denied with
    IndividualCalls=yes
  * nftables: fix set-log-denied if target is not ACCEPT
  * fw_direct: strip _direct chain suffix if using nftables
  * NetworkManager integration bugfixes.

OBS-URL: https://build.opensuse.org/request/show/629404
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=33
2018-08-17 21:59:50 +00:00
Markos Chandras
5d1fc7f1ee OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=79 2018-08-15 13:36:55 +00:00
Markos Chandras
d850d0365e - Restore nftables as default backend (bsc#1102761). nftables and
iptables can co-exist but the 'nat' table had a bug which was fixed
  in kernel-4.18.

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=78
2018-08-15 13:33:29 +00:00
Markos Chandras
fb97f07a3e * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=77
2018-08-13 19:34:27 +00:00
Markos Chandras
664b2c231f Accepting request 629064 from home:markoschandras:network
- Also switch firewall backend fallback to 'iptables' (bsc#1102761)
  This ensures that existing configuration files will keep working
  even if FirewallBackend option is missing.

OBS-URL: https://build.opensuse.org/request/show/629064
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=76
2018-08-13 19:17:18 +00:00
Markos Chandras
cce6b88f5c Accepting request 628528 from home:markoschandras:network
- Update to 0.6.1. Some of the changes are:
  * Correct source/destination in rich rule masquerade
  * Only modify ifcfg files for permanent configuration changes
  * Fix a backtrace when calling common_reverse_rule()
  * man firewalld.conf: Show nftables is the default FirewallBackend
  * firewall-config: fix some untranslated strings that caused a UI
    bug causing rich rules to not be modify-able (bsc#1096542)
  * fw_direct: avoid log for untracked passthrough queries
  * fixed many issues if iptables is actually iptables-nft
  * Use preferred location for AppData files
  * ipXtables: fix ICMP block inversion with set-log-denied
  * fixes ICMP block inversion with set-log-denied with
    IndividualCalls=yes
  * nftables: fix set-log-denied if target is not ACCEPT
  * fw_direct: strip _direct chain suffix if using nftables
  * NetworkManager integration bugfixes.

OBS-URL: https://build.opensuse.org/request/show/628528
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=75
2018-08-10 06:32:49 +00:00
Dominique Leuenberger
24c2b201fe Accepting request 627580 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/627580
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=32
2018-08-08 12:44:12 +00:00
Markos Chandras
691dc5060e Accepting request 627579 from home:markoschandras:network
- Switch back to 'iptables' backend as default (bsc#1102761)

OBS-URL: https://build.opensuse.org/request/show/627579
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=74
2018-08-06 06:19:33 +00:00
Dominique Leuenberger
eb69777ca4 Revert to previous version - boo#1102761
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=31
2018-07-26 14:46:57 +00:00
Dominique Leuenberger
8fe073a6d2 Accepting request 622082 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/622082
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=30
2018-07-25 14:03:15 +00:00
Markos Chandras
ab9552e518 Accepting request 621850 from home:markoschandras:network
- Update to 0.6.0. Some of the changes are:
  * update translations
  * firewall-config: Add ipv6-icmp to the protocol dropdown box (#348, bsc#1099698)
  * core: logger: Remove world-readable bit from logfile (#349, bsc#1098986)
  * IPv6 rpfilter: explicitly allow neighbor solicitation
  * nftables backend (default)
  * Added loads of new services
  * firewall-cmd: add --check-config option
  * firewall-offline-cmd: add --check-config option
  * firewallctl: completely remove all code and references
  * dbus: expose FirewallBackend
  * dbus: fix erroneous fallback for AutomaticHelpers
- Remove patches which have made it upstream
  * firewalld-add-additional-services.patch
- spec-cleaner fixes

OBS-URL: https://build.opensuse.org/request/show/621850
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=71
2018-07-11 12:45:55 +00:00
Dominique Leuenberger
77aafaaf70 Accepting request 609017 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/609017
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=29
2018-05-23 14:04:58 +00:00
Dominique Leuenberger
d9d9f1843e Accepting request 607015 from security:netfilter
- Update to 0.5.3 (bsc#1093120)
  * tests/regression: add test for ipset with timeout
  * ipset: allow adding entries to ipsets with timeout
  * translations: update
  * helpers: load helper module explicitly if no port given
  * helpers: nf_conntrack_proto-* helpers needs name cropped
  * config/Makefile: correct name of proto-gre helper
  * tests/regression: test helper nf_conntrack_proto_gre (#263)
  * functions: get_nf_nat_helpers() should look in other directories too
  * functions: Allow nf_conntrack_proto_* helpers
  * services: Add GRE
  * helpers: Add proto-gre
  * tests/regression: add test to verify ICMP block in forward chain
  * ipXtables: fix ICMP block not being present in FORWARD chain

OBS-URL: https://build.opensuse.org/request/show/607015
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=28
2018-05-16 09:25:05 +00:00
Markos Chandras
5ef5c9c4cf Accepting request 597838 from home:sbrabec:branches:security:netfilter
- Translations update (bsc#1081623).

OBS-URL: https://build.opensuse.org/request/show/597838
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=69
2018-05-16 07:45:38 +00:00
Markos Chandras
f9dbf587ff - Update to 0.5.3 (bsc#1093120)
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=68
2018-05-14 11:13:07 +00:00
Markos Chandras
dc232b734e Accepting request 606954 from home:markoschandras:network
- Update to 0.5.3
  * tests/regression: add test for ipset with timeout
  * ipset: allow adding entries to ipsets with timeout
  * translations: update
  * helpers: load helper module explicitly if no port given
  * helpers: nf_conntrack_proto-* helpers needs name cropped
  * config/Makefile: correct name of proto-gre helper
  * tests/regression: test helper nf_conntrack_proto_gre (#263)
  * functions: get_nf_nat_helpers() should look in other directories too
  * functions: Allow nf_conntrack_proto_* helpers
  * services: Add GRE
  * helpers: Add proto-gre
  * tests/regression: add test to verify ICMP block in forward chain
  * ipXtables: fix ICMP block not being present in FORWARD chain

OBS-URL: https://build.opensuse.org/request/show/606954
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=67
2018-05-14 10:58:16 +00:00
Dominique Leuenberger
f3aea17fc8 Accepting request 596927 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/596927
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=27
2018-04-22 12:30:22 +00:00
Markos Chandras
e0d9ea19ff Accepting request 595607 from home:markoschandras:network
- Backport upstream patches to add additional services (bsc#1082033)
  * firewalld-add-additional-services.patch

OBS-URL: https://build.opensuse.org/request/show/595607
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=65
2018-04-16 08:13:42 +00:00
Dominique Leuenberger
fee5a9320f Accepting request 586673 from security:netfilter
OBS-URL: https://build.opensuse.org/request/show/586673
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=26
2018-03-19 22:30:50 +00:00