Accepting request 637102 from home:luizluca:branches:security:netfilter

- Add upstream patch to fix rich rules that uses ipset (bsc#1104990) * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch OBS-URL: https://build.opensuse.org/request/show/637102 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=86
2018-09-24 08:57:12 +00:00 · 2018-09-24 08:57:12 +00:00 · cbd861eb95
commit cbd861eb95
parent 97ab3032bb
3 changed files with 50 additions and 0 deletions
--- a/0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
+++ b/0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
@ -0,0 +1,41 @@
+From fa0bce3d45563e28b8beea1cb0ee325f4a82ebf9 Mon Sep 17 00:00:00 2001
+From: Eric Garver <e@erig.me>
+Date: Fri, 21 Sep 2018 15:55:50 -0400
+Subject: [PATCH] fw_zone: expose _ipset_match_flags()
+
+Rename __ipset_match_flags() to _ipset_match_flags() so it may be used
+outside the class. With the iptables backend this fixes rich rules that
+match a source using an ipset.
+
+Fixes: #374
+---
+ src/firewall/core/fw_zone.py   | 2 +-
+ src/firewall/core/ipXtables.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 2d794393..ca90f7fb 100644
+--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
+@@ -1519,7 +1519,7 @@ def _ipset_family(self, name):
+     def __ipset_type(self, name):
+         return self._fw.ipset.get_type(name)
+ 
+-    def __ipset_match_flags(self, name, flag):
+    def _ipset_match_flags(self, name, flag):
+         return ",".join([flag] * self._fw.ipset.get_dimension(name))
+ 
+     def _check_ipset_applied(self, name):
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 66af2a26..02a518d2 100644
+--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
+@@ -852,7 +852,7 @@ def _rich_rule_source_fragment(self, rich_source):
+             rule_fragment += [ "-m", "set" ]
+             if rich_source.invert:
+                 rule_fragment.append("!")
+-            flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
+            flags = self._fw.zone._ipset_match_flags(rich_source.ipset, "src")
+             rule_fragment += [ "--match-set", rich_source.ipset, flags ]
+ 
+         return rule_fragment
--- a/firewalld.changes
+++ b/firewalld.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Sep 21 17:13:32 UTC 2018 - Luiz Angelo Daros de Luca <luizluca@gmail.com>
+
+- Add upstream patch to fix rich rules that uses ipset (bsc#1104990)
+  * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
+
 -------------------------------------------------------------------
 Thu Sep 20 07:27:33 UTC 2018 - Markos Chandras <mchandras@suse.de>

--- a/firewalld.spec
+++ b/firewalld.spec
@ -30,6 +30,8 @@ Url:            http://www.firewalld.org
 Source:         https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
 Patch0:         0001-firewall-backend-Switch-default-backend-to-iptables.patch
+# PATCH-FIX-UPSTREAM: 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch (bsc#1104990) 
+Patch1:		0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  desktop-file-utils
@ -113,6 +115,7 @@ firewalld.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1

 # bsc#1078223
 rm config/services/high-availability.xml