rpm/firewalld
SHA256
1
0
Fork 0
forked from pool/firewalld
Code Pull Requests Activity

Accepting request 729405 from home:mrostecki:branches:security:netfilter

Browse Source 
- Update to version 0.7.1:
  * Rich Rule Priorities
  * Service Definition Includes - Service definitions can now
    include lines like: <include service="https"/> which will
    include all the ports, etc from the https service.
  * RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in
    firewalld.conf is available. It does filtering based on RFC3964
    in regards to IPv4 addresses. This functionality was
    traditionally in network-scripts.
  * FlushAllOnReload - A new option FlushAllOnReload in
    firewalld.conf is available. Older release retained some
    settings (direct rules, interface to zone assignments) during a
    --reload. With the introduction of this configuration option
    that is no longer the case. Old behavior can be restored by
    setting FlushAllOnReload=no.
  * 15 new service definitions
  * fix: firewall-offline-cmd: service: use dict based APIs
  * fix: client: service: use dict based dbus APIs
  * test: dbus: coverage for new service APIs
  * fix: dbus: new dict based APIs for services
  * test: dbus: service API coverage
  * test: functions: add macro DBUS_INTROSPECT
  * test: functions: add CHOMP macro for shell output
  * fix: tests/functions: use gdbus instead of dbus-send
  * fix: dbus: add missing APIs for service includes
- Remove patch for using iptables instead of nftables - we should
  finally switch to nftables and fix its issues properly if they
  occur again:
  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Remove patch which was released upstream:
  * 0002-Add-FlushAllOnReload-config-option.patch

OBS-URL: https://build.opensuse.org/request/show/729405
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=95
This commit is contained in:
Michał Rostecki 2019-09-09 10:44:18 +00:00 committed by Git OBS Bridge
parent 0c8cbe2651
commit 32c597a355
9 changed files with 53 additions and 501 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
0001-firewall-backend-Switch-default-backend-to-iptables.patch
View File

@ -1,60 +0,0 @@
From 3456ecc2b0d52a5ed96a44c2013a29893b8f50f6 Mon Sep 17 00:00:00 2001
From: Markos Chandras <mchandras@suse.de>
Date: Mon, 13 Aug 2018 22:31:04 +0300
Subject: [PATCH 1/2] firewall: backend: Switch default backend to 'iptables'
Switch default backend to 'iptables'. Some packages (eg docker)
are not able to work well with nftables right now, so lets stick
with iptables as default backend.
Link: https://bugzilla.suse.com/show_bug.cgi?id=1102761
Signed-off-by: Markos Chandras <mchandras@suse.de>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
---
config/firewalld.conf | 6 +++---
doc/xml/firewalld.conf.xml | 4 ++--
src/firewall/config/__init__.py.in | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa5..15ba6252 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -59,6 +59,6 @@ AutomaticHelpers=system
# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
+# - nftables
+# - iptables (iptables, ip6tables, ebtables and ipset) (default)
+FirewallBackend=iptables
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index df4b9521..fee0d3ca 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -149,8 +149,8 @@
<listitem>
<para>
Selects the firewall backend implementation. Possible values
- are; <replaceable>nftables</replaceable> (default), or
- <replaceable>iptables</replaceable>. This applies to all
+ are; <replaceable>nftables</replaceable>, or
+ <replaceable>iptables</replaceable> (default). This applies to all
firewalld primitives. The only exception is direct and
passthrough rules which always use the traditional iptables,
ip6tables, and ebtables backends.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be320..cff7c3fe 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
--
2.21.0

423
0002-Add-FlushAllOnReload-config-option.patch
View File

@ -1,423 +0,0 @@
From cfb06d41caeea0c65c451b09be8e0aad067f2782 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 16 Oct 2018 10:02:38 -0400
Subject: [PATCH 2/2] Add "FlushAllOnReload" config option
Default value is "yes".
Even on --reload some runtime configuration was being retained. This was
a surprise to many users. Lets default to flushing all the runtime
configuration and also introduce a config option to go back the old
behavior of retaining; interface to zone assignments, and direct rules.
This also adjusts a few test cases that depend on the old
FlushAllOnReload=no behavior.
Fixes: #409
---
config/firewalld.conf | 7 ++
doc/xml/firewalld.conf.xml | 12 ++++
doc/xml/firewalld.dbus.xml | 8 +++
src/firewall/config/__init__.py.in | 1 +
src/firewall/core/fw.py | 99 +++++++++++++++-----------
src/firewall/core/io/firewalld_conf.py | 11 ++-
src/firewall/server/config.py | 20 +++++-
src/tests/dbus/firewalld.conf.at | 2 +
src/tests/python/firewalld_direct.py | 6 ++
src/tests/python/firewalld_test.py | 9 ++-
src/tests/regression/rhbz1498923.at | 4 ++
11 files changed, 131 insertions(+), 48 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 15ba6252..a718d68a 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -62,3 +62,10 @@ AutomaticHelpers=system
# - nftables
# - iptables (iptables, ip6tables, ebtables and ipset) (default)
FirewallBackend=iptables
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users.
+# Default: yes
+FlushAllOnReload=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index fee0d3ca..7f353aed 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -158,6 +158,18 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>FlushAllOnReload</option></term>
+ <listitem>
+ <para>
+ Flush all runtime rules on a reload. In previous releases some
+ runtime configuration was retained during a reload, namely;
+ interface to zone assignment, and direct rules. This was
+ confusing to users.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 8352f96c..132200f3 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2592,6 +2592,14 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry id="FirewallD1.config.Properties.FlushAllOnReload">
+ <term>FirewallBackend - s - (rw)</term>
+ <listitem>
+ <para>
+ Flush all runtime rules on a reload. Valid options are; yes, no.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry id="FirewallD1.config.Properties.IPv6_rpfilter">
<term><parameter>IPv6_rpfilter</parameter> - s - (rw)</term>
<listitem><para>Indicates whether the reverse path filter test on a packet for IPv6 is enabled. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.</para></listitem>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index cff7c3fe..e9595e4c 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -130,3 +130,4 @@ FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
FALLBACK_FIREWALL_BACKEND = "iptables"
+FALLBACK_FLUSH_ALL_ON_RELOAD = True
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index f3ef69e9..b8a93ae0 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -113,6 +113,7 @@ class Firewall(object):
self._log_denied = config.FALLBACK_LOG_DENIED
self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS
self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND
+ self._flush_all_on_reload = config.FALLBACK_FLUSH_ALL_ON_RELOAD
self.nf_conntrack_helper_setting = 0
self.nf_conntrack_helpers = { }
self.nf_nat_helpers = { }
@@ -298,6 +299,15 @@ class Firewall(object):
log.debug1("FirewallBackend is set to '%s'",
self._firewall_backend)
+ if self._firewalld_conf.get("FlushAllOnReload"):
+ value = self._firewalld_conf.get("FlushAllOnReload")
+ if value.lower() in [ "no", "false" ]:
+ self._flush_all_on_reload = False
+ else:
+ self._flush_all_on_reload = True
+ log.debug1("FlushAllOnReload is set to '%s'",
+ self._flush_all_on_reload)
+
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
self._select_firewall_backend(self._firewall_backend)
@@ -962,13 +972,17 @@ class Firewall(object):
def reload(self, stop=False):
_panic = self._panic
- # save zone interfaces
- _zone_interfaces = { }
- for zone in self.zone.get_zones():
- _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"]
- # save direct config
- _direct_config = self.direct.get_runtime_config()
- _old_dz = self.get_default_zone()
+ # must stash this. The value may change after _start()
+ flush_all = self._flush_all_on_reload
+
+ if not flush_all:
+ # save zone interfaces
+ _zone_interfaces = { }
+ for zone in self.zone.get_zones():
+ _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"]
+ # save direct config
+ _direct_config = self.direct.get_runtime_config()
+ _old_dz = self.get_default_zone()
self.set_policy("DROP")
@@ -983,41 +997,42 @@ class Firewall(object):
# etc. We'll re-raise it at the end.
start_exception = e
- # handle interfaces in the default zone and move them to the new
- # default zone if it changed
- _new_dz = self.get_default_zone()
- if _new_dz != _old_dz:
- # if_new_dz has been introduced with the reload, we need to add it
- # https://github.com/firewalld/firewalld/issues/53
- if _new_dz not in _zone_interfaces:
- _zone_interfaces[_new_dz] = { }
- # default zone changed. Move interfaces from old default zone to
- # the new one.
- for iface, settings in list(_zone_interfaces[_old_dz].items()):
- if settings["__default__"]:
- # move only those that were added to default zone
- # (not those that were added to specific zone same as
- # default)
- _zone_interfaces[_new_dz][iface] = \
- _zone_interfaces[_old_dz][iface]
- del _zone_interfaces[_old_dz][iface]
-
- # add interfaces to zones again
- for zone in self.zone.get_zones():
- if zone in _zone_interfaces:
- self.zone.set_settings(zone, { "interfaces":
- _zone_interfaces[zone] })
- del _zone_interfaces[zone]
- else:
- log.info1("New zone '%s'.", zone)
- if len(_zone_interfaces) > 0:
- for zone in list(_zone_interfaces.keys()):
- log.info1("Lost zone '%s', zone interfaces dropped.", zone)
- del _zone_interfaces[zone]
- del _zone_interfaces
-
- # restore direct config
- self.direct.set_config(_direct_config)
+ if not flush_all:
+ # handle interfaces in the default zone and move them to the new
+ # default zone if it changed
+ _new_dz = self.get_default_zone()
+ if _new_dz != _old_dz:
+ # if_new_dz has been introduced with the reload, we need to add it
+ # https://github.com/firewalld/firewalld/issues/53
+ if _new_dz not in _zone_interfaces:
+ _zone_interfaces[_new_dz] = { }
+ # default zone changed. Move interfaces from old default zone to
+ # the new one.
+ for iface, settings in list(_zone_interfaces[_old_dz].items()):
+ if settings["__default__"]:
+ # move only those that were added to default zone
+ # (not those that were added to specific zone same as
+ # default)
+ _zone_interfaces[_new_dz][iface] = \
+ _zone_interfaces[_old_dz][iface]
+ del _zone_interfaces[_old_dz][iface]
+
+ # add interfaces to zones again
+ for zone in self.zone.get_zones():
+ if zone in _zone_interfaces:
+ self.zone.set_settings(zone, { "interfaces":
+ _zone_interfaces[zone] })
+ del _zone_interfaces[zone]
+ else:
+ log.info1("New zone '%s'.", zone)
+ if len(_zone_interfaces) > 0:
+ for zone in list(_zone_interfaces.keys()):
+ log.info1("Lost zone '%s', zone interfaces dropped.", zone)
+ del _zone_interfaces[zone]
+ del _zone_interfaces
+
+ # restore direct config
+ self.direct.set_config(_direct_config)
# enable panic mode again if it has been enabled before or set policy
# to ACCEPT
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad6..953a6d26 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -30,7 +30,7 @@ from firewall.functions import b2u, u2b, PY2
valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls", "LogDenied",
- "AutomaticHelpers", "FirewallBackend" ]
+ "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -80,6 +80,7 @@ class firewalld_conf(object):
self.set("LogDenied", config.FALLBACK_LOG_DENIED)
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
+ self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no")
raise
for line in f:
@@ -183,6 +184,14 @@ class firewalld_conf(object):
config.FALLBACK_FIREWALL_BACKEND)
self.set("FirewallBackend", str(config.FALLBACK_FIREWALL_BACKEND))
+ value = self.get("FlushAllOnReload")
+ if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
+ if value is not None:
+ log.warning("FlushAllOnReload '%s' is not valid, using default "
+ "value %s", value if value else '',
+ config.FALLBACK_FLUSH_ALL_ON_RELOAD)
+ self.set("FlushAllOnReload", str(config.FALLBACK_FLUSH_ALL_ON_RELOAD))
+
# save to self.filename if there are key/value changes
def write(self):
if len(self._config) < 1:
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index dfc562b5..ba04107f 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -106,6 +106,7 @@ class FirewallDConfig(slip.dbus.service.Object):
"LogDenied": "readwrite",
"AutomaticHelpers": "readwrite",
"FirewallBackend": "readwrite",
+ "FlushAllOnReload": "readwrite",
})
@handle_exceptions
@@ -485,7 +486,8 @@ class FirewallDConfig(slip.dbus.service.Object):
def _get_property(self, prop):
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers", "FirewallBackend",
+ "FlushAllOnReload" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
"Property '%s' does not exist" % prop)
@@ -530,6 +532,10 @@ class FirewallDConfig(slip.dbus.service.Object):
if value is None:
value = config.FALLBACK_FIREWALL_BACKEND
return dbus.String(value)
+ elif prop == "FlushAllOnReload":
+ if value is None:
+ value = "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no"
+ return dbus.String(value)
@dbus_handle_exceptions
def _get_dbus_property(self, prop):
@@ -551,6 +557,8 @@ class FirewallDConfig(slip.dbus.service.Object):
return dbus.String(self._get_property(prop))
elif prop == "FirewallBackend":
return dbus.String(self._get_property(prop))
+ elif prop == "FlushAllOnReload":
+ return dbus.String(self._get_property(prop))
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
@@ -590,7 +598,8 @@ class FirewallDConfig(slip.dbus.service.Object):
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers", "FirewallBackend",
+ "FlushAllOnReload" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
@@ -617,7 +626,7 @@ class FirewallDConfig(slip.dbus.service.Object):
if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers",
- "FirewallBackend" ]:
+ "FirewallBackend", "FlushAllOnReload" ]:
if property_name == "MinimalMark":
try:
int(new_value)
@@ -651,6 +660,11 @@ class FirewallDConfig(slip.dbus.service.Object):
raise FirewallError(errors.INVALID_VALUE,
"'%s' for %s" % \
(new_value, property_name))
+ if property_name == "FlushAllOnReload":
+ if new_value.lower() not in ["yes", "true", "no", "false"]:
+ raise FirewallError(errors.INVALID_VALUE,
+ "'%s' for %s" % \
+ (new_value, property_name))
self.config.get_firewalld_conf().set(property_name, new_value)
self.config.get_firewalld_conf().write()
self.PropertiesChanged(interface_name,
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de..72c61bdc 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -6,6 +6,7 @@ string "AutomaticHelpers" : variant string "system"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
+string "FlushAllOnReload" : variant string "yes"
m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
string "IPv6_rpfilter" : variant string "no"],[dnl
string "IPv6_rpfilter" : variant string "yes"])
@@ -30,6 +31,7 @@ _helper([LogDenied], [string:"all"], [variant string "all"])
_helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
_helper([IndividualCalls], [string:"yes"], [variant string "yes"])
_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
+_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
dnl Note: DefaultZone is RO
m4_undefine([_helper])
diff --git a/src/tests/python/firewalld_direct.py b/src/tests/python/firewalld_direct.py
index 4cb84349..28da523d 100755
--- a/src/tests/python/firewalld_direct.py
+++ b/src/tests/python/firewalld_direct.py
@@ -36,10 +36,16 @@ class TestFirewallDInterfaceDirect(unittest.TestCase):
bus = dbus.SystemBus()
dbus_obj = bus.get_object(config.dbus.DBUS_INTERFACE,
config.dbus.DBUS_PATH)
+ dbus_obj_config = bus.get_object(config.dbus.DBUS_INTERFACE,
+ config.dbus.DBUS_PATH_CONFIG)
self.fw = dbus.Interface(dbus_obj,
dbus_interface=config.dbus.DBUS_INTERFACE)
self.fw_direct = dbus.Interface(
dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_DIRECT)
+ self.config_properties = dbus.Interface(dbus_obj_config,
+ dbus_interface='org.freedesktop.DBus.Properties')
+ self.config_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG, "FlushAllOnReload", "no")
+ self.fw.reload()
# always have "direct_foo1" available
self.fw_direct.addChain("ipv4", "filter", "direct_foo1")
diff --git a/src/tests/python/firewalld_test.py b/src/tests/python/firewalld_test.py
index 62c567fc..0d8b4c78 100755
--- a/src/tests/python/firewalld_test.py
+++ b/src/tests/python/firewalld_test.py
@@ -28,8 +28,8 @@ import sys
import time
import unittest
-from firewall.config.dbus import DBUS_PATH, DBUS_INTERFACE, \
- DBUS_INTERFACE_ZONE
+from firewall.config.dbus import DBUS_PATH, DBUS_PATH_CONFIG, DBUS_INTERFACE, \
+ DBUS_INTERFACE_ZONE, DBUS_INTERFACE_CONFIG
from firewall.dbus_utils import dbus_to_python
from pprint import pprint
@@ -43,9 +43,14 @@ class TestFirewallD(unittest.TestCase):
unittest.TestCase.setUp(self)
bus = dbus.SystemBus()
dbus_obj = bus.get_object(DBUS_INTERFACE, DBUS_PATH)
+ dbus_obj_config = bus.get_object(DBUS_INTERFACE, DBUS_PATH_CONFIG)
self.fw = dbus.Interface(dbus_obj, dbus_interface=DBUS_INTERFACE)
self.fw_zone = dbus.Interface(dbus_obj,
dbus_interface=DBUS_INTERFACE_ZONE)
+ self.config_properties = dbus.Interface(dbus_obj_config,
+ dbus_interface='org.freedesktop.DBus.Properties')
+ self.config_properties.Set(DBUS_INTERFACE_CONFIG, "FlushAllOnReload", "no")
+ self.fw.reload()
def test_get_setDefaultZone(self):
old_zone = dbus_to_python(self.fw.getDefaultZone())
diff --git a/src/tests/regression/rhbz1498923.at b/src/tests/regression/rhbz1498923.at
index 9b686781..ed1022fb 100644
--- a/src/tests/regression/rhbz1498923.at
+++ b/src/tests/regression/rhbz1498923.at
@@ -1,4 +1,8 @@
FWD_START_TEST([invalid direct rule causes reload error])
+dnl Below we test retention of some items applicable to FlushAllOnReload=no
+AT_CHECK([sed -i 's/^FlushAllOnReload.*/FlushAllOnReload=no/' ./firewalld.conf])
+FWD_RELOAD
+
FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT])
FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 1 --a-bogus-flag])
--
2.21.0

4
_service
View File

@ -5,7 +5,7 @@
<param name="filename">firewalld</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="revision">v0.6.4</param>
<param name="revision">v0.7.1</param>
<param name="changesgenerate">enable</param>
</service>
<service mode="buildtime" name="tar" />
@ -13,5 +13,5 @@
<param name="file">*.tar</param>
<param name="compression">xz</param>
</service>
<service mode="buildtime" name="set_version" />
<service mode="disabled" name="set_version" />
</services>

4
_servicedata Normal file
View File

@ -0,0 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/firewalld/firewalld</param>
<param name="changesrevision">503cd915c9172903bf2f98466b6e872ba1355f4f</param></service></servicedata>

3
firewalld-0.6.4.obscpio
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:eb388be03b6d924cd5318179fb056f92c5b837c44fadcd764ccf9f628f829dee
size 8130061

3
firewalld-0.7.1.obscpio Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8b39484792f4b8848c90288c3b86b164ae697c2da0c2cb9d50f70f0faff4265f
size 8258061

35
firewalld.changes
View File

@ -1,3 +1,38 @@
-------------------------------------------------------------------
Mon Sep 09 09:59:00 UTC 2019 - mrostecki@opensuse.org
- Update to version 0.7.1:
* Rich Rule Priorities
* Service Definition Includes - Service definitions can now
include lines like: <include service="https"/> which will
include all the ports, etc from the https service.
* RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in
firewalld.conf is available. It does filtering based on RFC3964
in regards to IPv4 addresses. This functionality was
traditionally in network-scripts.
* FlushAllOnReload - A new option FlushAllOnReload in
firewalld.conf is available. Older release retained some
settings (direct rules, interface to zone assignments) during a
--reload. With the introduction of this configuration option
that is no longer the case. Old behavior can be restored by
setting FlushAllOnReload=no.
* 15 new service definitions
* fix: firewall-offline-cmd: service: use dict based APIs
* fix: client: service: use dict based dbus APIs
* test: dbus: coverage for new service APIs
* fix: dbus: new dict based APIs for services
* test: dbus: service API coverage
* test: functions: add macro DBUS_INTROSPECT
* test: functions: add CHOMP macro for shell output
* fix: tests/functions: use gdbus instead of dbus-send
* fix: dbus: add missing APIs for service includes
- Remove patch for using iptables instead of nftables - we should
finally switch to nftables and fix its issues properly if they
occur again:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Remove patch which was released upstream:
* 0002-Add-FlushAllOnReload-config-option.patch
-------------------------------------------------------------------
Tue Jun 11 16:27:57 UTC 2019 - mrostecki@opensuse.org

6
firewalld.obsinfo
View File

@ -1,5 +1,5 @@
name: firewalld
version: 0.6.4
mtime: 1558120853
commit: ec8deda2faef87e1565ec3cc42ca99ca595c1031
version: 0.7.1
mtime: 1563830196
commit: 503cd915c9172903bf2f98466b6e872ba1355f4f

16
firewalld.spec
View File

@ -21,17 +21,13 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: firewalld
Version: 0.6.4
Version: 0.7.1
Release: 0
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
Url: http://www.firewalld.org
Source: %{name}-%{version}.tar.xz
# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
# PATCH-FIX-SUSE: 0002-Add-FlushAllOnReload-config-option.patch (bsc#1121277)
Patch1: 0002-Add-FlushAllOnReload-config-option.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: desktop-file-utils
@ -114,8 +110,6 @@ firewalld.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
# bsc#1078223
rm config/services/high-availability.xml
@ -213,6 +207,8 @@ fi
%{_bindir}/firewall-offline-cmd
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/firewall-cmd
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_firewalld
%dir %{_libexecdir}/firewalld
%dir %{_libexecdir}/firewalld/icmptypes
%dir %{_libexecdir}/firewalld/ipsets
@ -225,8 +221,8 @@ fi
%{_libexecdir}/firewalld/zones/*.xml
%{_libexecdir}/firewalld/helpers/*.xml
%{_datadir}/polkit-1
%dir %{_sysconfdir}/dbus-1
%dir %{_sysconfdir}/dbus-1/system.d
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/system.d
%dir %{_sysconfdir}/modprobe.d
%config(noreplace) %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
@ -239,7 +235,7 @@ fi
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
%{_unitdir}/firewalld.service
%{_fillupdir}/sysconfig.%{name}
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
%{_datadir}/dbus-1/system.d/FirewallD.conf
%{_mandir}/man1/firewall*cmd*.1%{?ext_man}
%{_mandir}/man1/firewalld*.1%{?ext_man}
%{_mandir}/man5/firewall*.5%{?ext_man}