Accepting request 847325 from home:mrostecki:branches:security:netfilter

- Remove the patch which enforces usage of iptables instead of nftables: * 0001-firewall-backend-Switch-default-backend-to-iptables.patch - Add firewalld zone for the docker0 interface. This is the workaround for lack of nftables support in docker. Without that additional zone, containers have no Internet connectivity. (rhbz#1817022) - Update to 0.9.1: * Bugfixes: * docs(firewall-cmd): clarify lockdown whitelist command paths * fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active * fix(policy): zone interface/source changes should affect all using zone OBS-URL: https://build.opensuse.org/request/show/847325 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=107
2020-11-09 17:48:32 +00:00 · 2020-11-09 17:48:32 +00:00 · e87c42cb75
commit e87c42cb75
parent 0dea11c5eb
6 changed files with 32 additions and 51 deletions
--- a/0001-firewall-backend-Switch-default-backend-to-iptables.patch
+++ b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
@ -1,45 +0,0 @@
-Index: firewalld-0.8.3/config/firewalld.conf
-===================================================================
--- firewalld-0.8.3.orig/config/firewalld.conf
-+++ firewalld-0.8.3/config/firewalld.conf
-@@ -43,9 +43,9 @@ LogDenied=off
- # FirewallBackend
- # Selects the firewall backend implementation.
- # Choices are:
-#	- nftables (default)
-#	- iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
-+#	- nftables
-+#	- iptables (iptables, ip6tables, ebtables and ipset) (default)
-+FirewallBackend=iptables
- 
- # FlushAllOnReload
- # Flush all runtime rules on a reload. In previous releases some runtime
-Index: firewalld-0.8.3/doc/xml/firewalld.conf.xml
-===================================================================
--- firewalld-0.8.3.orig/doc/xml/firewalld.conf.xml
-+++ firewalld-0.8.3/doc/xml/firewalld.conf.xml
-@@ -149,8 +149,8 @@
-             <listitem>
-                 <para>
-                 Selects the firewall backend implementation. Possible values
-                are; <replaceable>nftables</replaceable> (default), or
-                <replaceable>iptables</replaceable>. This applies to all
-+                are; <replaceable>nftables</replaceable>, or
-+                <replaceable>iptables</replaceable> (default). This applies to all
-                 firewalld primitives. The only exception is direct and
-                 passthrough rules which always use the traditional iptables,
-                 ip6tables, and ebtables backends.
-Index: firewalld-0.8.3/src/firewall/config/__init__.py.in
-===================================================================
--- firewalld-0.8.3.orig/src/firewall/config/__init__.py.in
-+++ firewalld-0.8.3/src/firewall/config/__init__.py.in
-@@ -127,7 +127,7 @@ FALLBACK_IPV6_RPFILTER = True
- FALLBACK_INDIVIDUAL_CALLS = False
- FALLBACK_LOG_DENIED = "off"
- FALLBACK_AUTOMATIC_HELPERS = "no"
-FALLBACK_FIREWALL_BACKEND = "nftables"
-+FALLBACK_FIREWALL_BACKEND = "iptables"
- FALLBACK_FLUSH_ALL_ON_RELOAD = True
- FALLBACK_RFC3964_IPV4 = True
- FALLBACK_ALLOW_ZONE_DRIFTING = False
--- a/docker-zone.xml
+++ b/docker-zone.xml
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>docker</short>
+  <description>All network connections are accepted.</description>
+  <interface name="docker0"/>
+</zone>
--- a/firewalld-0.9.0.tar.gz
+++ b/firewalld-0.9.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7cfbf8a33f726151e60c07486af0921fa05cbbab097adf90ec1caef37b49d9a0
-size 2007954
--- a/firewalld-0.9.1.tar.gz
+++ b/firewalld-0.9.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7e3db6ed84919dd10add39cc7a28d97b5a9e27a53aeb73abf8af01ef082b74f9
+size 2007880
--- a/firewalld.changes
+++ b/firewalld.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Nov  9 09:15:55 UTC 2020 - Michał Rostecki <mrostecki@suse.com>
+
+- Remove the patch which enforces usage of iptables instead of
+  nftables:
+  * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
+- Add firewalld zone for the docker0 interface. This is the
+  workaround for lack of nftables support in docker. Without that
+  additional zone, containers have no Internet connectivity.
+  (rhbz#1817022)
+- Update to 0.9.1:
+  * Bugfixes:
+    * docs(firewall-cmd): clarify lockdown whitelist command paths
+    * fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
+    * fix(policy): zone interface/source changes should affect all using zone
+
 -------------------------------------------------------------------
 Fri Sep 11 18:05:42 UTC 2020 - Franck Bui <fbui@suse.com>

--- a/firewalld.spec
+++ b/firewalld.spec
@ -21,14 +21,14 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           firewalld
-Version:        0.9.0
+Version:        0.9.1
 Release:        0
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 Url:            http://www.firewalld.org
-Source:         https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
-Patch0:         0001-firewall-backend-Switch-default-backend-to-iptables.patch
+Source0:        https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
+Source1:        docker-zone.xml

 BuildRequires:  autoconf
 BuildRequires:  automake
@ -151,6 +151,10 @@ rm %{buildroot}%{_sysconfdir}/sysconfig/firewalld

 ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcfirewalld

+# add firewalld zone (rhbz#1817022)
+install -dp %{buildroot}%{_prefix}/lib/firewalld/zones
+install -p -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/zones/docker.xml
+
 %fdupes %{buildroot}%{python3_sitelib}

 %find_lang %{name} --all-name