From 0c8cbe2651300491a632056fd7232a4f8c6f53d7011d2cb8ff17fa1809867404 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Rostecki?= Date: Tue, 11 Jun 2019 17:53:06 +0000 Subject: [PATCH] Accepting request 709239 from home:mrostecki:branches:security:netfilter - Update to version 0.6.4: * chore: update translations * treewide: fix over indentation (flake8 E117) * test: travis: add another test matrix for omitting ip6tables * chore: travis: split test matrix by keywords * chore: tests: add AT_KEYWORDS for firewall-offline-cmd * improvement: tests: Use AT_KEYWORDS for backends * fix: tests: guard occurrences of IPv6 * fix: tests/functions: ignore warnings about missing ip6tables * test: add macro IF_IPV6_SUPPORTED OBS-URL: https://build.opensuse.org/request/show/709239 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=94 --- ...d-Switch-default-backend-to-iptables.patch | 11 ++--- 0002-Add-FlushAllOnReload-config-option.patch | 40 +++++++++---------- _service | 17 ++++++++ firewalld-0.6.3.tar.gz | 3 -- firewalld-0.6.4.obscpio | 3 ++ firewalld.changes | 14 +++++++ firewalld.obsinfo | 5 +++ firewalld.spec | 4 +- 8 files changed, 65 insertions(+), 32 deletions(-) create mode 100644 _service delete mode 100644 firewalld-0.6.3.tar.gz create mode 100644 firewalld-0.6.4.obscpio create mode 100644 firewalld.obsinfo diff --git a/0001-firewall-backend-Switch-default-backend-to-iptables.patch b/0001-firewall-backend-Switch-default-backend-to-iptables.patch index de11a7f..3fc1258 100644 --- a/0001-firewall-backend-Switch-default-backend-to-iptables.patch +++ b/0001-firewall-backend-Switch-default-backend-to-iptables.patch @@ -1,7 +1,7 @@ -From dbbf60a4bb0c7edc83cd8bae2177d96842ad9034 Mon Sep 17 00:00:00 2001 +From 3456ecc2b0d52a5ed96a44c2013a29893b8f50f6 Mon Sep 17 00:00:00 2001 
From: Markos Chandras Date: Mon, 13 Aug 2018 22:31:04 +0300 -Subject: [PATCH] firewall: backend: Switch default backend to 'iptables' +Subject: [PATCH 1/2] firewall: backend: Switch default backend to 'iptables' Switch default backend to 'iptables'. Some packages (eg docker) are not able to work well with nftables right now, so lets stick @@ -9,6 +9,7 @@ with iptables as default backend. Link: https://bugzilla.suse.com/show_bug.cgi?id=1102761 Signed-off-by: Markos Chandras +Signed-off-by: Michal Rostecki --- config/firewalld.conf | 6 +++--- doc/xml/firewalld.conf.xml | 4 ++-- @@ -16,7 +17,7 @@ Signed-off-by: Markos Chandras 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/firewalld.conf b/config/firewalld.conf -index b53c0aa5..e6afde19 100644 +index b53c0aa5..15ba6252 100644 --- a/config/firewalld.conf +++ b/config/firewalld.conf @@ -59,6 +59,6 @@ AutomaticHelpers=system @@ -27,7 +28,7 @@ index b53c0aa5..e6afde19 100644 -# - iptables (iptables, ip6tables, ebtables and ipset) -FirewallBackend=nftables +# - nftables -+# - iptables (default) ++# - iptables (iptables, ip6tables, ebtables and ipset) (default) +FirewallBackend=iptables diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml index df4b9521..fee0d3ca 100644 @@ -55,5 +56,5 @@ index 955be320..cff7c3fe 100644 -FALLBACK_FIREWALL_BACKEND = "nftables" +FALLBACK_FIREWALL_BACKEND = "iptables" -- -2.16.4 +2.21.0 diff --git a/0002-Add-FlushAllOnReload-config-option.patch b/0002-Add-FlushAllOnReload-config-option.patch index 53a66bc..0abbc7b 100644 --- a/0002-Add-FlushAllOnReload-config-option.patch +++ b/0002-Add-FlushAllOnReload-config-option.patch @@ -1,7 +1,7 @@ -From 9103e069cb2983dd814d99de04ca1f9a9d37117f Mon Sep 17 00:00:00 2001 +From cfb06d41caeea0c65c451b09be8e0aad067f2782 Mon Sep 17 00:00:00 2001 
From: Eric Garver Date: Tue, 16 Oct 2018 10:02:38 -0400 -Subject: [PATCH] Add "FlushAllOnReload" config option +Subject: [PATCH 2/2] Add "FlushAllOnReload" config option Default value is "yes". @@ -13,12 +13,10 @@ behavior of retaining; interface to zone assignments, and direct rules. This also adjusts a few test cases that depend on the old FlushAllOnReload=no behavior. -Fixes: suze bz #1109153 Fixes: #409 -Closes: #408 --- - config/firewalld.conf | 8 +++ - doc/xml/firewalld.conf.xml | 13 ++++ + config/firewalld.conf | 7 ++ + doc/xml/firewalld.conf.xml | 12 ++++ doc/xml/firewalld.dbus.xml | 8 +++ src/firewall/config/__init__.py.in | 1 + src/firewall/core/fw.py | 99 +++++++++++++++----------- @@ -28,29 +26,28 @@ Closes: #408 src/tests/python/firewalld_direct.py | 6 ++ src/tests/python/firewalld_test.py | 9 ++- src/tests/regression/rhbz1498923.at | 4 ++ - 11 files changed, 133 insertions(+), 48 deletions(-) + 11 files changed, 131 insertions(+), 48 deletions(-) diff --git a/config/firewalld.conf b/config/firewalld.conf -index e6afde19..bc6a8860 100644 +index 15ba6252..a718d68a 100644 --- a/config/firewalld.conf +++ b/config/firewalld.conf -@@ -62,3 +62,11 @@ AutomaticHelpers=system +@@ -62,3 +62,10 @@ AutomaticHelpers=system # - nftables - # - iptables (default) + # - iptables (iptables, ip6tables, ebtables and ipset) (default) FirewallBackend=iptables + +# FlushAllOnReload +# Flush all runtime rules on a reload. In previous releases some runtime +# configuration was retained during a reload, namely; interface to zone -+# assignment, and direct rules. This was confusing to users. To get the old -+# behavior set this to "no". ++# assignment, and direct rules. This was confusing to users. +# Default: yes +FlushAllOnReload=yes diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml -index fee0d3ca..f9e02b08 100644 +index fee0d3ca..7f353aed 100644 --- a/doc/xml/firewalld.conf.xml +++ b/doc/xml/firewalld.conf.xml -@@ -158,6 +158,19 @@ +@@ -158,6 +158,18 @@ 
@@ -61,8 +58,7 @@ index fee0d3ca..f9e02b08 100644 + Flush all runtime rules on a reload. In previous releases some + runtime configuration was retained during a reload, namely; + interface to zone assignment, and direct rules. This was -+ confusing to users. To get the old behavior set this to "no". -+ Defaults to "yes". ++ confusing to users. + + + @@ -99,7 +95,7 @@ index cff7c3fe..e9595e4c 100644 FALLBACK_FIREWALL_BACKEND = "iptables" +FALLBACK_FLUSH_ALL_ON_RELOAD = True diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py -index 9be13a5c..7e6255f7 100644 +index f3ef69e9..b8a93ae0 100644 --- a/src/firewall/core/fw.py +++ b/src/firewall/core/fw.py @@ -113,6 +113,7 @@ class Firewall(object): @@ -126,7 +122,7 @@ index 9be13a5c..7e6255f7 100644 self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) self._select_firewall_backend(self._firewall_backend) -@@ -963,13 +973,17 @@ class Firewall(object): +@@ -962,13 +972,17 @@ class Firewall(object): def reload(self, stop=False): _panic = self._panic @@ -149,9 +145,9 @@ index 9be13a5c..7e6255f7 100644 + _direct_config = self.direct.get_runtime_config() + _old_dz = self.get_default_zone() - # stop - self.cleanup() -@@ -984,41 +998,42 @@ class Firewall(object): + self.set_policy("DROP") + +@@ -983,41 +997,42 @@ class Firewall(object): # etc. We'll re-raise it at the end. start_exception = e @@ -423,5 +419,5 @@ index 9b686781..ed1022fb 100644 FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 1 --a-bogus-flag]) -- -2.20.1 +2.21.0 diff --git a/_service b/_service new file mode 100644 index 0000000..e05a316 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/firewalld/firewalld + git + firewalld + @PARENT_TAG@ + v(.*) + v0.6.4 + enable + + + + *.tar + xz + + + diff --git a/firewalld-0.6.3.tar.gz b/firewalld-0.6.3.tar.gz deleted file mode 100644 index 58da301..0000000 --- a/firewalld-0.6.3.tar.gz +++ /dev/null 
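Review bot: In the new `_service` file the source revision appears to be the tag name `v0.6.4` rather than a commit id. The XML element names are lost in this rendering, so that is read from the order of the bare values. A tag can be re-pointed upstream, and a later service run would then fetch different content under the same version with no visible change in this package. Setting the `revision` parameter to the commit already recorded in `firewalld.obsinfo`, `ec8deda2faef87e1565ec3cc42ca99ca595c1031`, keeps the fetched tree fixed and lets a reviewer compare it against upstream.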
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:039ad56ea6d6553aadf33243ea5b39802d73519e46a89c80c648b2bd1ec78aeb -size 2294470 diff --git a/firewalld-0.6.4.obscpio b/firewalld-0.6.4.obscpio new file mode 100644 index 0000000..bb8233a --- /dev/null +++ b/firewalld-0.6.4.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb388be03b6d924cd5318179fb056f92c5b837c44fadcd764ccf9f628f829dee +size 8130061 diff --git a/firewalld.changes b/firewalld.changes index 994f47e..4c20fbf 100644 --- a/firewalld.changes +++ b/firewalld.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Jun 11 16:27:57 UTC 2019 - mrostecki@opensuse.org + +- Update to version 0.6.4: + * chore: update translations + * treewide: fix over indentation (flake8 E117) + * test: travis: add another test matrix for omitting ip6tables + * chore: travis: split test matrix by keywords + * chore: tests: add AT_KEYWORDS for firewall-offline-cmd + * improvement: tests: Use AT_KEYWORDS for backends + * fix: tests: guard occurrences of IPv6 + * fix: tests/functions: ignore warnings about missing ip6tables + * test: add macro IF_IPV6_SUPPORTED + ------------------------------------------------------------------- Wed May 8 09:39:08 UTC 2019 - Dominique Leuenberger diff --git a/firewalld.obsinfo b/firewalld.obsinfo new file mode 100644 index 0000000..fd7928c --- /dev/null +++ b/firewalld.obsinfo @@ -0,0 +1,5 @@ +name: firewalld +version: 0.6.4 +mtime: 1558120853 +commit: ec8deda2faef87e1565ec3cc42ca99ca595c1031 + diff --git a/firewalld.spec b/firewalld.spec index 59dba7a..bcc0cc0 100644 --- a/firewalld.spec +++ b/firewalld.spec 
@@ -21,13 +21,13 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: firewalld
-Version: 0.6.3
+Version: 0.6.4
 Release: 0
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
 Url: http://www.firewalld.org
-Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source: %{name}-%{version}.tar.xz
 # PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
 Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
 # PATCH-FIX-SUSE: 0002-Add-FlushAllOnReload-config-option.patch (bsc#1121277)
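Review bot: The new `Source: %{name}-%{version}.tar.xz` no longer carries the upstream URL, so the spec gives a reader no way to tell where the tarball comes from or to check it against a published release. Its provenance now rests entirely on `_service` and the commit in `firewalld.obsinfo`, and nothing in this hunk says so. A comment directly above the Source line would keep the origin visible, for example `# Tarball is generated by the obs_scm source service from https://github.com/firewalld/firewalld, see _service`. The service name is inferred from the `.obscpio` and `.obsinfo` files added in this commit. The hunk ends before the remaining Patch lines.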