rpm/firewalld
SHA256
1
0
Fork 0
forked from pool/firewalld
Code Pull Requests Activity

Accepting request 542569 from security:netfilter

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/542569
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=21
This commit is contained in:
Dominique Leuenberger 2017-11-19 10:11:22 +00:00 committed by Git OBS Bridge
commit 592980755a
5 changed files with 227 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
0001-suse-ifcfg-files.patch Normal file
View File

@ -0,0 +1,168 @@
Combined patch for https://github.com/firewalld/firewalld/pull/262
- https://github.com/firewalld/firewalld/commit/593d3158e9147b230f6b2307dabe6b6d294a539f
- https://github.com/firewalld/firewalld/commit/399cf02ffef846281a67421b2c1d1cf818af8f61
- https://github.com/firewalld/firewalld/commit/278938d754b2ede993992987cc6c2418c82b85a0
diff --git a/configure.ac b/configure.ac
index 776e627b..7cd11758 100644
--- a/configure.ac
+++ b/configure.ac
@@ -67,6 +67,11 @@ AC_ARG_WITH([bashcompletiondir],
[BASHCOMPLETIONDIR=$withval], [BASHCOMPLETIONDIR="${datadir}/bash-completion/completions"])
AC_SUBST(BASHCOMPLETIONDIR)
+AC_ARG_WITH([ifcfgdir],
+ AS_HELP_STRING([--with-ifcfgdir=DIR], [The ifcfg configuration directory]),
+ [IFCFGDIR=$withval], [IFCFGDIR="/etc/sysconfig/network-scripts"])
+AC_SUBST(IFCFGDIR)
+
# Extend PATH to include /sbin etc in case we are building as non-root
FW_TOOLS_PATH="$PATH:/usr/local/sbin:/sbin:/usr/sbin"
diff --git a/doc/xml/Makefile.am b/doc/xml/Makefile.am
index db649b61..6df3b8c4 100644
--- a/doc/xml/Makefile.am
+++ b/doc/xml/Makefile.am
@@ -2,7 +2,8 @@ XSLTPROC = xsltproc
EXTRA_DIST = $(HTMLS:../html/%.html=%.xml) \
authors.xml notes.xml seealso.xml errorcodes.xml \
- transform-man.xsl.in transform-html.xsl.in
+ transform-man.xsl.in transform-html.xsl.in \
+ firewalld.xml.in firewall-cmd.xml.in firewallctl.xml.in
man_MANS = $(man1_MANS) $(man5_MANS)
HTMLS = $(man1_MANS:../man/man1/%.1=../html/%.html) $(man5_MANS:../man/man5/%.5=../html/%.html)
@@ -29,7 +30,8 @@ man5_MANS = \
../man/man5/firewalld.zones.5
CLEAN_FILES = *~ errorcodes.xml
-DISTCLEANFILES = $(man_MANS) $(HTMLS) transform-*.xsl
+DISTCLEANFILES = $(man_MANS) $(HTMLS) transform-*.xsl \
+ firewalld.xml firewall-cmd.xml firewallctl.xml
#SGML_CATALOG_FILES
#XSLTPROC_FLAGS = --catalogs --nonet --xinclude
@@ -44,9 +46,9 @@ all: $(man_MANS) $(HTMLS)
clean:
-test -z "$(CLEAN_FILES)" || rm -f $(CLEAN_FILES)
-../man/man1/firewall-cmd.1: errorcodes.xml
+../man/man1/firewall-cmd.1: errorcodes.xml firewall-cmd.xml
-../html/firewall-cmd.html: errorcodes.xml
+../html/firewall-cmd.html: errorcodes.xml firewall-cmd.xml
../man/man1/%.1: %.xml authors.xml notes.xml seealso.xml transform-man.xsl
$(XSLTPROC) -o $@ $(XSLTPROC_MAN_FLAGS) $<
@@ -67,9 +69,16 @@ errorcodes.xml: ../../src/firewall/errors.py
edit = sed \
-e 's|\@PREFIX\@|$(prefix)|' \
-e 's|\@SYSCONFDIR\@|$(sysconfdir)|' \
- -e 's|\@PACKAGE_STRING\@|$(PACKAGE_STRING)|'
+ -e 's|\@PACKAGE_STRING\@|$(PACKAGE_STRING)|' \
+ -e 's|\@IFCFGDIR\@|$(IFCFGDIR)|'
transform-man.xsl: transform-man.xsl.in
$(edit) $< >$@
transform-html.xsl: transform-html.xsl.in
$(edit) $< >$@
+firewall-cmd.xml: firewall-cmd.xml.in
+ $(edit) $< >$@
+firewalld.xml: firewalld.xml.in
+ $(edit) $< >$@
+firewallctl.xml: firewallctl.xml.in
+ $(edit) $< >$@
diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml.in
similarity index 99%
rename from doc/xml/firewall-cmd.xml
rename to doc/xml/firewall-cmd.xml.in
index 0b54b0be..80b1fbe1 100644
--- a/doc/xml/firewall-cmd.xml
+++ b/doc/xml/firewall-cmd.xml.in
@@ -910,7 +910,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
</para>
<para>
As a end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to <option>ZONE=</option> option from ifcfg-<replaceable>interface</replaceable> file) if <replaceable>NM_CONTROLLED=no</replaceable> is not set.
- You should do it only if there's no /etc/sysconfig/network-scripts/ifcfg-<replaceable>interface</replaceable> file.
+ You should do it only if there's no @IFCFGDIR@/ifcfg-<replaceable>interface</replaceable> file.
If there is such file and you add interface to zone with this <option>--add-interface</option> option, make sure the zone is the same in both cases, otherwise the behaviour would be undefined.
Please also have a look at the <citerefentry><refentrytitle>firewalld</refentrytitle><manvolnum>1</manvolnum></citerefentry> man page in the <replaceable>Concepts</replaceable> section.
For permanent association of interface with a zone, see also 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
diff --git a/doc/xml/firewallctl.xml b/doc/xml/firewallctl.xml.in
similarity index 99%
rename from doc/xml/firewallctl.xml
rename to doc/xml/firewallctl.xml.in
index 30be89f0..1c6d2f22 100644
--- a/doc/xml/firewallctl.xml
+++ b/doc/xml/firewallctl.xml.in
@@ -601,7 +601,7 @@
</para>
<para>
As a end user you don't need to create or change zone bindings of interfaces in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to <option>ZONE=</option> option from ifcfg-<replaceable>interface</replaceable> file) if <replaceable>NM_CONTROLLED=no</replaceable> is not set.
- You should do it only if there's no /etc/sysconfig/network-scripts/ifcfg-<replaceable>interface</replaceable> file.
+ You should do it only if there's no @IFCFGDIR@/ifcfg-<replaceable>interface</replaceable> file.
If there is such file and you add interface to zone with this <option>--add-interface</option> option, make sure the zone is the same in both cases, otherwise the behaviour would be undefined.
Please also have a look at the <citerefentry><refentrytitle>firewalld</refentrytitle><manvolnum>1</manvolnum></citerefentry> man page in the <replaceable>Concepts</replaceable> section.
For permanent association of interface with a zone, see also 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
diff --git a/doc/xml/firewalld.xml b/doc/xml/firewalld.xml.in
similarity index 98%
rename from doc/xml/firewalld.xml
rename to doc/xml/firewalld.xml.in
index f14c3034..de802059 100644
--- a/doc/xml/firewalld.xml
+++ b/doc/xml/firewalld.xml.in
@@ -130,7 +130,7 @@
</para>
<para>
You can add these interfaces to a zone with <command>firewall-cmd [--permanent] --zone=<replaceable>zone</replaceable> --add-interface=<replaceable>interface</replaceable></command>.
- If there is a /etc/sysconfig/network-scripts/ifcfg-<replaceable>interface</replaceable> file, firewalld tries to change the ZONE=<replaceable>zone</replaceable> setting in this file.
+ If there is a @IFCFGDIR@/ifcfg-<replaceable>interface</replaceable> file, firewalld tries to change the ZONE=<replaceable>zone</replaceable> setting in this file.
</para>
<para>
If firewalld gets reloaded, it will restore the interface bindings that were in place before reloading to keep interface bindings stable in the case of NetworkManager uncontrolled interfaces.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index a389c8bf..9262f075 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -88,7 +88,7 @@ FIREWALLD_DIRECT = ETC_FIREWALLD + '/direct.xml'
LOCKDOWN_WHITELIST = ETC_FIREWALLD + '/lockdown-whitelist.xml'
SYSCONFIGDIR = '/etc/sysconfig'
-IFCFGDIR = SYSCONFIGDIR + '/network-scripts'
+IFCFGDIR = "@IFCFGDIR@"
SYSCTL_CONFIG = '/etc/sysctl.conf'
diff --git a/src/firewall/core/fw_ifcfg.py b/src/firewall/core/fw_ifcfg.py
index 0b049a64..b645ef37 100644
--- a/src/firewall/core/fw_ifcfg.py
+++ b/src/firewall/core/fw_ifcfg.py
@@ -36,13 +36,6 @@ def search_ifcfg_of_interface(interface):
if not os.path.exists(config.IFCFGDIR):
return None
- filename = "%s/ifcfg-%s" % (config.IFCFGDIR, interface)
- if os.path.exists(filename):
- ifcfg_file = ifcfg(filename)
- ifcfg_file.read()
- if ifcfg_file.get("DEVICE") == interface:
- return ifcfg_file
-
for filename in sorted(os.listdir(config.IFCFGDIR)):
if not filename.startswith("ifcfg-"):
continue
@@ -57,6 +50,13 @@ def search_ifcfg_of_interface(interface):
if ifcfg_file.get("DEVICE") == interface:
return ifcfg_file
+ # Wasn't found above, so assume filename matches the device we want
+ filename = "%s/ifcfg-%s" % (config.IFCFGDIR, interface)
+ if os.path.exists(filename):
+ ifcfg_file = ifcfg(filename)
+ ifcfg_file.read()
+ return ifcfg_file
+
return None
def ifcfg_set_zone_of_interface(zone, interface):

3
firewalld-0.4.4.5.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:89419316e829a2cb086142acc4b1aeba45f20ecddf0ca236db5faf8ec8d12601
size 1143500

3
firewalld-0.4.4.6.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a7bf9dd341f3f4c261fa8a8e217160ec815e9dbf32edc25aed44719a2273e94e
size 1153574

44
firewalld.changes
View File

@ -1,3 +1,47 @@
-------------------------------------------------------------------
Thu Nov 16 08:41:27 UTC 2017 - mchandras@suse.de
- Add combined upstream patch to support SUSE ifcfg network files.
* 0001-suse-ifcfg-files.patch (gh#firewalld/firewalld#262, fate#323460)
-------------------------------------------------------------------
Wed Nov 15 12:36:09 UTC 2017 - mchandras@suse.de
- Update to version 0.4.4.6
* firewall.core.fw_config: Fix check for icmp builtin name
* config.services: docker-swarm: fix incorrect attribute
* xmlschema/service.xsd: Fix protocol looking for name instead of value
* Add docker swarm service (gh#firewalld/firewalld#230)
* Adding FirewallD redis service (gh#firewalld/firewalld#248)
* Adding firewalld zabbix server and agent services (gh#firewalld/firewalld#221)
* firewall-offline-cmd: Don't require root for help output
* doc: firewall-cmd: Document --query-* options return codes
* firewall-cmd: Use colors only if output is a TTY
* core: Log unsupported ICMP types as informational only
* add bgp service to predefined services edit to config/Makefile.am
* Add git service
* Add kprop service
* minidlna definitions (gh#firewalld/firewalld#236)
* SpiderOak ONE listens on port 21327 and 21328
* autogen.sh: Allow skipping configure via NOCONFIGURE env var
* Add missing ports to RH-Satellite-6 service
* Reload nf_conntrack sysctls after the module is loaded
* Add NFSv3 service.
* config/Makefile.am: Add murmur service (a95eed1)
* add new service IRC
* firewall.core.prog: Simplify runProg output: Combine stderr and stdout
* firewall.core.fw: Fix possible dict size change in for loop
* firewall.core.fw: Use new firewalld git repo in firewalld organization
* config/firewall-config.appdata.xml.in: Use new firewalld git repo in firewalld organization
* firewall.core.fw_zone: Rich-rule ICMP type: Error only for conflicting family
* firewall.core.rich: Add checks for Rich_Source validation
* Handle also IPv6 with the zone masquerade flag
* Add IPv6 support for forward-ports in zones
* firewall.command: Enable parse_forward_port to work with IPv6 adresses
* firewall.core.fw_zone: Fix IPv6 address in rich rule forward ports
* add Murmur (Mumble server) service
- spec file fixes to avoid rpmlint warnings about duplicate files.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Nov 8 17:25:40 UTC 2017 - mpluskal@suse.com Wed Nov 8 17:25:40 UTC 2017 - mpluskal@suse.com

25
firewalld.spec
View File

@ -17,13 +17,16 @@
Name: firewalld Name: firewalld
Version: 0.4.4.5 Version: 0.4.4.6
Release: 0 Release: 0
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPL-2.0+ License: GPL-2.0+
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Url: http://www.firewalld.org Url: http://www.firewalld.org
Source: https://github.com/t-woerner/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# PATCH-FIX-UPSTREAM: 0001-suse-ifcfg-files.patch. Combined patch to support ifcfg files on SUSE based on
# https://github.com/firewalld/firewalld/pull/262
Patch: 0001-suse-ifcfg-files.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
@ -32,12 +35,12 @@ BuildRequires: docbook-xsl-stylesheets
# even though it is probably unlikely for paths to change in the future # even though it is probably unlikely for paths to change in the future
BuildRequires: ebtables BuildRequires: ebtables
BuildRequires: gettext BuildRequires: gettext
BuildRequires: ipset
BuildRequires: iptables
BuildRequires: glib2-devel BuildRequires: glib2-devel
BuildRequires: gobject-introspection BuildRequires: gobject-introspection
BuildRequires: hicolor-icon-theme BuildRequires: hicolor-icon-theme
BuildRequires: intltool BuildRequires: intltool
BuildRequires: ipset
BuildRequires: iptables
BuildRequires: libxslt-tools BuildRequires: libxslt-tools
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
@ -87,13 +90,15 @@ firewalld.
%prep %prep
%setup -q %setup -q
%patch -p1
%build %build
export PYTHON="python3" export PYTHON="python3"
./autogen.sh ./autogen.sh
%configure \ %configure \
--enable-sysconfig \ --enable-sysconfig \
--enable-rpmmacros --enable-rpmmacros \
--with-ifcfgdir="/etc/sysconfig/network"
# Normally documentation is shipped but this will ensure that missing # Normally documentation is shipped but this will ensure that missing
# files will be generated. # files will be generated.
@ -184,6 +189,8 @@ fi
%config %{_sysconfdir}/rpm/macros.firewalld %config %{_sysconfdir}/rpm/macros.firewalld
%dir %{_sysconfdir}/dbus-1 %dir %{_sysconfdir}/dbus-1
%dir %{_sysconfdir}/dbus-1/system.d %dir %{_sysconfdir}/dbus-1/system.d
%dir %{_sysconfdir}/modprobe.d
%config(noreplace) %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%dir %{_datadir}/firewalld/tests %dir %{_datadir}/firewalld/tests
%attr(0750,root,root) %{_datadir}/firewalld/tests/*.sh %attr(0750,root,root) %{_datadir}/firewalld/tests/*.sh
%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
@ -198,16 +205,8 @@ fi
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
%attr(0755,root,root) %dir %{python3_sitelib}/firewall %attr(0755,root,root) %dir %{python3_sitelib}/firewall
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server
%{_datadir}/firewalld/__pycache__ %{_datadir}/firewalld/__pycache__
%{python3_sitelib}/firewall/* %{python3_sitelib}/firewall/*
%{python3_sitelib}/firewall/config/*
%{python3_sitelib}/firewall/core/*
%{python3_sitelib}/firewall/core/io/*
%{python3_sitelib}/firewall/server/*
%{_mandir}/man1/firewall*cmd*.1* %{_mandir}/man1/firewall*cmd*.1*
%{_mandir}/man1/firewalld*.1* %{_mandir}/man1/firewalld*.1*
%{_mandir}/man1/firewallctl*.1* %{_mandir}/man1/firewallctl*.1*