diff --git a/0001-Fix-translating-labels-392.patch b/0001-Fix-translating-labels-392.patch deleted file mode 100644 index 1eb06cc8f0db6433aadc16a8bc94b6e301036b27..0000000000000000000000000000000000000000 --- a/0001-Fix-translating-labels-392.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 5494006021e83f27195dc902c3c9fd024e71dc3b Mon Sep 17 00:00:00 2001 -From: MeggyCal -Date: Thu, 20 Sep 2018 15:37:17 +0200 -Subject: [PATCH] Fix translating labels (#392) - -Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active. - -Fixes: #344 -(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f) ---- - src/firewall-config.glade | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/firewall-config.glade b/src/firewall-config.glade -index 22bed58aafaf..75c229b408fd 100644 ---- a/src/firewall-config.glade -+++ b/src/firewall-config.glade -@@ -10135,10 +10135,10 @@ - start - start - -- accept -- reject -- drop -- mark -+ accept -+ reject -+ drop -+ mark - - - --- -2.18.0 - diff --git a/0001-fedora-patch-to-default-to-iptables-backend.patch b/0001-fedora-patch-to-default-to-iptables-backend.patch index d33324d353b22222446e08697ed212595c8286cb..252ec978192175df743a12b55c0d5cfb5446ef3b 100644 --- a/0001-fedora-patch-to-default-to-iptables-backend.patch +++ b/0001-fedora-patch-to-default-to-iptables-backend.patch @@ -5,42 +5,34 @@ Subject: [PATCH] fedora patch to default to iptables backend --- config/firewalld.conf | 7 ------- - src/firewall/config/__init__.py.in | 2 +- src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++ src/tests/dbus/firewalld.conf.at | 2 +- src/tests/functions.at | 4 ++-- - 5 files changed, 21 insertions(+), 11 deletions(-) + 4 files changed, 20 insertions(+), 10 deletions(-) diff --git a/config/firewalld.conf b/config/firewalld.conf -index b53c0aa50c53..63df409bf567 100644 +index 532f045..0f64a56 100644 --- a/config/firewalld.conf 
+++ b/config/firewalld.conf -@@ -55,10 +55,3 @@ LogDenied=off - # will be used. Possible values are: yes, no and system. - # Default: system - AutomaticHelpers=system -- +@@ -40,13 +40,6 @@ IndividualCalls=no + # Default: off + LogDenied=off + -# FirewallBackend -# Selects the firewall backend implementation. -# Choices are: -# - nftables (default) -# - iptables (iptables, ip6tables, ebtables and ipset) -FirewallBackend=nftables -diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in -index 955be32077e1..cff7c3fe9025 100644 ---- a/src/firewall/config/__init__.py.in -+++ b/src/firewall/config/__init__.py.in -@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True - FALLBACK_INDIVIDUAL_CALLS = False - FALLBACK_LOG_DENIED = "off" - FALLBACK_AUTOMATIC_HELPERS = "system" --FALLBACK_FIREWALL_BACKEND = "nftables" -+FALLBACK_FIREWALL_BACKEND = "iptables" +- + # FlushAllOnReload + # Flush all runtime rules on a reload. In previous releases some runtime + # configuration was retained during a reload, namely; interface to zone diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py -index 4d57bad693c1..6264f45a1913 100644 +index 7c70921..4e83d6e 100644 --- a/src/firewall/core/io/firewalld_conf.py +++ b/src/firewall/core/io/firewalld_conf.py -@@ -240,6 +240,12 @@ class firewalld_conf(object): +@@ -268,6 +268,12 @@ class firewalld_conf(object): if key not in done: if (key in self._config and \ self._config[key] != value): @@ -53,7 +45,7 @@ index 4d57bad693c1..6264f45a1913 100644 empty = False temp_file.write(u'%s=%s\n' % (key, self._config[key])) -@@ -247,6 +253,12 @@ class firewalld_conf(object): +@@ -275,6 +281,12 @@ class firewalld_conf(object): elif key in self._deleted: modified = True else: 
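Review bot: The rebased patch no longer flips the daemon's built-in default — the diffstat drops `src/firewall/config/__init__.py.in` (`4 files changed` instead of 5) and the whole removed block ending in `-+FALLBACK_FIREWALL_BACKEND = "iptables"` is gone from this hunk — yet the patch still deletes `FirewallBackend=nftables` from `config/firewalld.conf` and, in the later `firewalld_conf.py` hunk, still omits `FirewallBackend` from the written config whenever it equals `config.FALLBACK_FIREWALL_BACKEND`. If 0.8.3's fallback is still `nftables` (it was the value this patch used to replace at 0.6.2, so presumably it still is — verify against the tarball), a fresh install ends up defaulting to nftables, the opposite of the patch subject, with no line in the shipped config to say so, and the test expectations changed to `"FirewallBackend" : variant string "iptables"` would fail rather than prove anything. Either re-add the hunk `-FALLBACK_FIREWALL_BACKEND = "nftables"` / `+FALLBACK_FIREWALL_BACKEND = "iptables"` against 0.8.3's `src/firewall/config/__init__.py.in`, or keep an explicit `FirewallBackend=iptables` in `config/firewalld.conf`, and state in the patch description which of the two mechanisms is meant to carry the default.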
@@ -66,7 +58,7 @@ index 4d57bad693c1..6264f45a1913 100644 empty = False temp_file.write(line+u"\n") done.append(key) -@@ -258,6 +270,11 @@ class firewalld_conf(object): +@@ -286,6 +298,11 @@ class firewalld_conf(object): for (key,value) in self._config.items(): if key in done: continue @@ -75,34 +67,36 @@ index 4d57bad693c1..6264f45a1913 100644 + if key == "FirewallBackend" and \ + value == config.FALLBACK_FIREWALL_BACKEND: + continue + if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config + continue if not empty: - temp_file.write(u"\n") - empty = True diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at -index 473210de10af..44e649111ffb 100644 +index cc15318..374312b 100644 --- a/src/tests/dbus/firewalld.conf.at +++ b/src/tests/dbus/firewalld.conf.at -@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl - string "AutomaticHelpers" : variant string "system" +@@ -19,7 +19,7 @@ string "AllowZoneDrifting" : variant string "no" + string "AutomaticHelpers" : variant string "no" string "CleanupOnExit" : variant string "no" string "DefaultZone" : variant string "public" -string "FirewallBackend" : variant string "nftables" +string "FirewallBackend" : variant string "iptables" - m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl - string "IPv6_rpfilter" : variant string "no"],[dnl - string "IPv6_rpfilter" : variant string "yes"]) + string "FlushAllOnReload" : variant string "yes" + string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"]) + string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"]) diff --git a/src/tests/functions.at b/src/tests/functions.at -index 3b79a9f31305..dd7b43d9dac6 100644 +index 582fdcc..5a1aad1 100644 --- a/src/tests/functions.at 
+++ b/src/tests/functions.at -@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [ - fi - - m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ +@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [ + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [ + AT_KEYWORDS(offline) + ], [ - m4_define_default([FIREWALL_BACKEND], [nftables]) + m4_define_default([FIREWALL_BACKEND], [iptables]) - dnl don't unload modules or bother cleaning up, the namespace will be deleted + AT_KEYWORDS(FIREWALL_BACKEND) + +@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [ AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf]) dnl set the appropriate backend @@ -112,5 +106,5 @@ index 3b79a9f31305..dd7b43d9dac6 100644 dnl fib matching is pretty new in nftables. Don't use rpfilter on older dnl kernels. -- -2.18.0 +1.8.3.1 diff --git a/0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch b/0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch deleted file mode 100644 index c0373ef17d026b0b33bc0d1546a9ec3147ad64c0..0000000000000000000000000000000000000000 --- a/0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 2e53fab83ac844c1d2fb2781116ad47b8900ab85 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Fri, 21 Sep 2018 11:02:18 -0400 -Subject: [PATCH 1/2] fw_transaction: On clear zone transaction, must clear fw - and other zones - -Just like FirewallZoneTransaction.execute() that was spawned from a -FirewallTransaction must call FirewallTransaction.exectue() we should -also make sure the same is done for clear(). Otherwise we can end up -with a partially cleared transaction. This gets really hairy if the -FirewallTransaction contains many instances of FirewallZoneTransaction -which is common during startup with non-default configuration. - -Fixes: #374 ---- - src/firewall/core/fw_transaction.py | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py -index f169e4a923dd..ad204c1991cf 100644 ---- a/src/firewall/core/fw_transaction.py -+++ b/src/firewall/core/fw_transaction.py -@@ -231,9 +231,19 @@ class FirewallZoneTransaction(SimpleFirewallTransaction): - self.modules = [ ] # [ module,.. ] - - def clear(self): -- super(FirewallZoneTransaction, self).clear() -- del self.chains[:] -- del self.modules[:] -+ # calling clear on a zone_transaction that was spawned from a -+ # FirewallTransaction needs to clear the fw_transaction and all the -+ # other zones otherwise we end up with a partially cleared transaction. 
-+ if self.fw_transaction: -+ super(FirewallTransaction, self.fw_transaction).clear() -+ for zone in self.fw_transaction.zone_transactions.keys(): -+ super(FirewallZoneTransaction, self.fw_transaction.zone_transactions[zone]).clear() -+ del self.fw_transaction.zone_transactions[zone].chains[:] -+ del self.fw_transaction.zone_transactions[zone].modules[:] -+ else: -+ super(FirewallZoneTransaction, self).clear() -+ del self.chains[:] -+ del self.modules[:] - - def prepare(self, enable, rules=None, modules=None): - log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "...")) --- -2.18.0 - diff --git a/firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch b/firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch deleted file mode 100644 index 0aed67cb93d2361574cc73db9ae4ab65a5ff2e54..0000000000000000000000000000000000000000 --- a/firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 7cdd8027d13677185b301f849d42957e635ffa67 Mon Sep 17 00:00:00 2001 -From: StefanBruens -Date: Tue, 25 Sep 2018 21:56:36 +0200 -Subject: [PATCH 006/127] firewall/core/io/*.py: Let SAX handle the encoding of - XML files (#395) - -SAX is able to determine the encoding of XML files itself if the file -contains a correct "encoding" pseudo attribute, e.g.: - - -For this to work, the file stream has to be opened in binary mode, and -the parser has to read the stream using a SAX InputStream, which -autodetects the encoding. - -Fixes: #303 ---- - src/firewall/core/io/direct.py | 6 ++++-- - src/firewall/core/io/helper.py | 6 ++++-- - src/firewall/core/io/icmptype.py | 6 ++++-- - src/firewall/core/io/ipset.py | 6 ++++-- - src/firewall/core/io/service.py | 6 ++++-- - src/firewall/core/io/zone.py | 6 ++++-- - 6 files changed, 24 insertions(+), 12 deletions(-) - -diff --git a/src/firewall/core/io/direct.py b/src/firewall/core/io/direct.py -index 07e159da..b0c2cb52 100644 ---- a/src/firewall/core/io/direct.py -+++ b/src/firewall/core/io/direct.py -@@ -360,9 +360,11 @@ class Direct(IO_Object): - handler = direct_ContentHandler(self) - parser = sax.make_parser() - parser.setContentHandler(handler) -- with open(self.filename, "r") as f: -+ with open(self.filename, "rb") as f: -+ source = sax.InputSource(None) -+ source.setByteStream(f) - try: -- parser.parse(f) -+ parser.parse(source) - except sax.SAXParseException as msg: - raise FirewallError(errors.INVALID_TYPE, - "Not a valid file: %s" % \ -diff --git a/src/firewall/core/io/helper.py b/src/firewall/core/io/helper.py -index 4a2420dd..a5c81b9f 100644 ---- a/src/firewall/core/io/helper.py -+++ b/src/firewall/core/io/helper.py -@@ -156,9 +156,11 @@ def helper_reader(filename, path): - parser = sax.make_parser() - parser.setContentHandler(handler) - name = "%s/%s" % (path, filename) -- with open(name, "r") as f: -+ with open(name, "rb") as f: -+ source = sax.InputSource(None) -+ source.setByteStream(f) - try: 
-- parser.parse(f) -+ parser.parse(source) - except sax.SAXParseException as msg: - raise FirewallError(errors.INVALID_HELPER, - "not a valid helper file: %s" % \ -diff --git a/src/firewall/core/io/icmptype.py b/src/firewall/core/io/icmptype.py -index 91b48867..32103c59 100644 ---- a/src/firewall/core/io/icmptype.py -+++ b/src/firewall/core/io/icmptype.py -@@ -121,9 +121,11 @@ def icmptype_reader(filename, path): - parser = sax.make_parser() - parser.setContentHandler(handler) - name = "%s/%s" % (path, filename) -- with open(name, "r") as f: -+ with open(name, "rb") as f: -+ source = sax.InputSource(None) -+ source.setByteStream(f) - try: -- parser.parse(f) -+ parser.parse(source) - except sax.SAXParseException as msg: - raise FirewallError(errors.INVALID_ICMPTYPE, - "not a valid icmptype file: %s" % \ -diff --git a/src/firewall/core/io/ipset.py b/src/firewall/core/io/ipset.py -index 0670677b..8cc6a1f9 100644 ---- a/src/firewall/core/io/ipset.py -+++ b/src/firewall/core/io/ipset.py -@@ -390,9 +390,11 @@ def ipset_reader(filename, path): - parser = sax.make_parser() - parser.setContentHandler(handler) - name = "%s/%s" % (path, filename) -- with open(name, "r") as f: -+ with open(name, "rb") as f: -+ source = sax.InputSource(None) -+ source.setByteStream(f) - try: -- parser.parse(f) -+ parser.parse(source) - except sax.SAXParseException as msg: - raise FirewallError(errors.INVALID_IPSET, - "not a valid ipset file: %s" % \ -diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py -index c04d612e..487d5ba3 100644 ---- a/src/firewall/core/io/service.py -+++ b/src/firewall/core/io/service.py -@@ -219,9 +219,11 @@ def service_reader(filename, path): - parser = sax.make_parser() - parser.setContentHandler(handler) - name = "%s/%s" % (path, filename) -- with open(name, "r") as f: -+ with open(name, "rb") as f: -+ source = sax.InputSource(None) -+ source.setByteStream(f) - try: -- parser.parse(f) -+ parser.parse(source) - except sax.SAXParseException as 
msg: - raise FirewallError(errors.INVALID_SERVICE, - "not a valid service file: %s" % \ -diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py -index c048c867..05368e9c 100644 ---- a/src/firewall/core/io/zone.py -+++ b/src/firewall/core/io/zone.py -@@ -696,9 +696,11 @@ def zone_reader(filename, path, no_check_name=False): - parser = sax.make_parser() - parser.setContentHandler(handler) - name = "%s/%s" % (path, filename) -- with open(name, "r") as f: -+ with open(name, "rb") as f: -+ source = sax.InputSource(None) -+ source.setByteStream(f) - try: -- parser.parse(f) -+ parser.parse(source) - except sax.SAXParseException as msg: - raise FirewallError(errors.INVALID_ZONE, - "not a valid zone file: %s" % \ --- -2.19.1 - diff --git a/firewalld-0.6.2.tar.gz b/firewalld-0.6.2.tar.gz deleted file mode 100644 index 7fcfbace68132e473f82cab335c58f469b300883..0000000000000000000000000000000000000000 Binary files a/firewalld-0.6.2.tar.gz and /dev/null differ diff --git a/firewalld-0.8.3.tar.gz b/firewalld-0.8.3.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..10da022f156d915c21cbb41e42e39faff150fa7b Binary files /dev/null and b/firewalld-0.8.3.tar.gz differ diff --git a/firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch b/firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch deleted file mode 100644 index a287851a258f409b26b38eeb7960d675bf68de14..0000000000000000000000000000000000000000 --- a/firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 17adfe4137cfd1c1734ff1b77304f70e163313fa Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 9 Oct 2018 14:55:21 -0400 -Subject: [PATCH 018/127] firewalld: fix --runtime-to-permanent if NM not in - use. - -Due to scope "settings" was not defined. - -Fixes: #404 -Fixes: e7c00a4063ff ("ifcfg: Modify ZONE= on permanent config changes") ---- - src/firewall/server/firewalld.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py -index 6810b68c..bc04f2d0 100644 ---- a/src/firewall/server/firewalld.py -+++ b/src/firewall/server/firewalld.py -@@ -441,8 +441,8 @@ class FirewallD(slip.dbus.service.Object): - nm_bus_name = nm_get_bus_name() - for name in self.fw.zone.get_zones(): - conf = self.getZoneSettings(name) -+ settings = FirewallClientZoneSettings(conf) - if nm_bus_name is not None: -- settings = FirewallClientZoneSettings(conf) - changed = False - for interface in settings.getInterfaces(): - if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name: --- -2.19.1 - diff --git a/firewalld.spec b/firewalld.spec index 17ead6c7b9b1e01778c9fa91e11d7c091f8b8b11..ff54acc3db6353e93b2974545167a7a6a14ae6dc 100644 --- a/firewalld.spec +++ b/firewalld.spec 
@@ -1,42 +1,26 @@
 Name: firewalld
-Version: 0.6.2
-Release: 4
+Version: 0.8.3
+Release: 1
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPLv2+
 URL: http://www.firewalld.org
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 #backport from gnome
-Patch0: firewalld-0.2.6-MDNS-default.patch
+Patch0: firewalld-0.2.6-MDNS-default.patch
 #backport from Eric Garver
-Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
-#Patch2,3 backport from upstream
-Patch2: 0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch
-Patch3: 0001-Fix-translating-labels-392.patch
-
-Patch6000: firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch
-Patch6001: nftables-fix-destination-checks-not-allowing-masks.patch
-Patch6002: firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch
-Patch6003: nftables-fix-reject-statement-in-block-zone.patch
-Patch6004: ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch
-Patch6005: rich-rules-fix-mark-action.patch
-Patch6006: nftables-fix-panic-mode-not-filtering-output-packets.patch
-Patch6007: fw_zone-fix-rich-rule-masquerading.patch
-Patch6008: fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch
-Patch6009: nftables-fix-rich-rule-masquerade.patch
-Patch6010: nftables-fix-ipv6-rich-rule-forward-ports.patch
-Patch6011: ipset-fix-set-apply-if-IndividualCalls-yes.patch
-Patch6012: fix-issue-457.patch
-
-Patch9000: repair-test-cases.patch
+Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
+
+Patch2: repair-test-cases.patch
 BuildArch: noarch
 BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl
-BuildRequires: libxslt iptables ebtables ipset nftables python3-devel
+BuildRequires: libxslt iptables ebtables ipset python3-devel
 Requires: iptables ebtables ipset systemd hicolor-icon-theme python3-gobject NetworkManager-libnm dbus-x11 gtk3
-Requires: nftables
>= 0.9.0 kernel >= 4.18.0 python3-firewall = %{version}-%{release}
+Requires: python3-firewall = %{version}-%{release}
+Suggests: iptables-nft
 Obsoletes: firewalld-selinux < 0.4.4.2-2
 Conflicts: selinux-policy < 3.14.1-28
@@ -163,6 +147,7 @@ fi
 %{_bindir}/firewall-cmd
 %{_bindir}/firewall-offline-cmd
 %{_datadir}/bash-completion/completions/firewall-cmd
+%{_datadir}/zsh/site-functions/_firewalld
 %{_prefix}/lib/firewalld/*
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/
 %config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf
@@ -176,12 +161,12 @@ fi
 %defattr(0644,root,root)
 %config(noreplace) %{_sysconfdir}/sysconfig/firewalld
 %{_unitdir}/firewalld.service
-%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
+%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf
 %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
 %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
 %ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
 %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
-
+%{_sysconfdir}/logrotate.d/firewalld
 %{_rpmconfigdir}/macros.d/macros.firewalld
 #we don't need applet
@@ -211,6 +196,12 @@ fi
 %changelog
+* Wed Apr 29 2020 zhouyihang - 0.8.3-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:update firewalld version to 0.8.3
+
 * Wed Jan 15 2020 zhangrui - 0.6.2-4
 - create firewalld.conf file
diff --git a/fix-issue-457.patch b/fix-issue-457.patch
deleted file mode 100644
index 967163d31785bc0bb0c68de125cc512c5b3baaa4..0000000000000000000000000000000000000000
--- a/fix-issue-457.patch
+++ /dev/null
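Review bot: Dropping `Requires: nftables >= 0.9.0 kernel >= 4.18.0` (and `nftables` from BuildRequires) is only safe if the packaged daemon's effective default backend is iptables, and nothing in this commit pins that: the rebased Patch1 no longer changes `FALLBACK_FIREWALL_BACKEND` and it removes `FirewallBackend=nftables` from the shipped config without adding an explicit `FirewallBackend=iptables`. If 0.8.3's built-in fallback is still nftables (it was at 0.6.2, per the hunk Patch1 used to carry — verify against the tarball), a fresh install would select a backend whose runtime dependency this package no longer guarantees, and a firewalld that fails to start would apply no zone rules at all. `Suggests: iptables-nft` is a weak dependency and does not close that gap. Either keep `Requires: nftables >= 0.9.0` until the default is confirmed, or ship `FirewallBackend=iptables` explicitly in the config file this package installs, so the backend the package requires and the backend the daemon selects agree.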
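Review bot: `%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf` marks a vendor file under /usr/share as locally editable configuration: the D-Bus policy in that file decides which users may call the daemon's methods, and `noreplace` means a later package update carrying a tightened policy would be silently left uninstalled on any host where the on-disk copy differs (rpmlint typically flags `%config` outside /etc for exactly this reason). `%{_datadir}/dbus-1/system.d` is the vendor location and `/etc/dbus-1/system.d` is where local overrides belong, so the move out of `%{_sysconfdir}` is right but the attribute is not; the line should be plain `%{_datadir}/dbus-1/system.d/FirewallD.conf`.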
@@ -1,26 +0,0 @@ -From 7da05eff467244f0da6a4e7c1370dd6c7605e9f4 Mon Sep 17 00:00:00 2001 -From: Daniel Nicolai -Date: Mon, 11 Feb 2019 12:16:31 +0100 -Subject: [PATCH 102/127] fix issue #457 - -I found out I did not set a value for invert when adding the rich rule via firewall-cmd. Then I got the error as mentioned in issue #457 because the invert attribute was given a default value None. I corrected it here so that it gets the default value False. This fixed the issue for me. ---- - src/firewall/core/rich.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py -index 91f53fd9..dacaeb9c 100644 ---- a/src/firewall/core/rich.py -+++ b/src/firewall/core/rich.py -@@ -394,7 +394,7 @@ class Rich_Rule(object): - elif element in ['not', 'NOT']: - attrs['invert'] = True - else: -- self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert')) -+ self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert', False)) - in_elements.pop() # source - attrs.clear() - index = index -1 # return token to input --- -2.19.1 - diff --git a/fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch b/fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch deleted file mode 100644 index 62d742d86b6d2e81bb7143ec386e235467521995..0000000000000000000000000000000000000000 --- a/fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 2210822a2450a7b9ed853593c3d88aca1c43c2fc Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Wed, 5 Dec 2018 16:29:49 -0500 -Subject: [PATCH 048/127] fw_zone: fix IPv6 rich rule forward-port without - toaddr - -Using a rich rule with family=ipv6 and no toaddr specified was silently -not applying any rules. ---- - src/firewall/core/fw_zone.py | 11 ++--------- - 1 file changed, 2 insertions(+), 9 deletions(-) - -diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py -index 816fa503..db90c32b 100644 ---- a/src/firewall/core/fw_zone.py -+++ b/src/firewall/core/fw_zone.py -@@ -1702,17 +1702,10 @@ class FirewallZone(object): - for ipv in ipvs: - if backend.is_ipv_supported(ipv): - self.check_forward_port(ipv, port, protocol, toport, toaddr) -- -- if check_single_address("ipv6", toaddr): -- ipv = "ipv6" -- else: -- ipv = "ipv4" -- -- if not backend.is_ipv_supported(ipv): -- continue -+ if enable: -+ zone_transaction.add_post(enable_ip_forwarding, ipv) - - if enable: -- zone_transaction.add_post(enable_ip_forwarding, ipv) - mark_id = self._fw.new_mark() - - filter_chain = "INPUT" if not toaddr else "FORWARD_IN" --- -2.19.1 - diff --git a/fw_zone-fix-rich-rule-masquerading.patch b/fw_zone-fix-rich-rule-masquerading.patch deleted file mode 100644 index 37dd5e6dcd32e7066e7030162bf572d3ee0c7694..0000000000000000000000000000000000000000 --- a/fw_zone-fix-rich-rule-masquerading.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 14acf26afe09ff9092bebbfc7ffe718b1758c573 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Wed, 5 Dec 2018 13:09:28 -0500 -Subject: [PATCH 047/127] fw_zone: fix rich rule masquerading - -We weren't passing the rich rule to the backend so filtering on -source/destination would not work. ---- - src/firewall/core/fw_zone.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py -index ca90f7fb..816fa503 100644 ---- a/src/firewall/core/fw_zone.py -+++ b/src/firewall/core/fw_zone.py -@@ -1690,7 +1690,7 @@ class FirewallZone(object): - if backend.is_ipv_supported(ipv): - zone_transaction.add_post(enable_ip_forwarding, ipv) - -- rules = backend.build_zone_masquerade_rules(enable, zone) -+ rules = backend.build_zone_masquerade_rules(enable, zone, rule) - zone_transaction.add_rules(backend, rules) - - # FORWARD PORT --- -2.19.1 - diff --git a/ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch b/ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch deleted file mode 100644 index 333eb29183746a13fac5397b4165eb0f96b59a25..0000000000000000000000000000000000000000 --- a/ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 93824072768f989991a11069ac75f1cd3d56ae34 Mon Sep 17 00:00:00 2001 -From: Federico Cuello -Date: Sat, 20 Oct 2018 15:47:28 +0200 -Subject: [PATCH 023/127] ipXtables/nftables: Fix "object has no attribute - '_log_denied'" - -This fixes nftables and ipXtables (when IndividualCalls=yes), -as _log_denied is not an attribute of the class but a param. ---- - src/firewall/core/ipXtables.py | 3 +-- - src/firewall/core/nftables.py | 2 +- - 2 files changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py -index 02a518d2..11aebec6 100644 ---- a/src/firewall/core/ipXtables.py -+++ b/src/firewall/core/ipXtables.py -@@ -492,8 +492,7 @@ class ip4tables(object): - if log_denied == "off": - return "" - if log_denied in [ "unicast", "broadcast", "multicast" ]: -- rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", -- self._log_denied ] -+ rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ] - else: - rule.pop(i) - -diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py -index 3c871069..cd05b2c3 100644 ---- a/src/firewall/core/nftables.py -+++ b/src/firewall/core/nftables.py -@@ -290,7 +290,7 @@ class nftables(object): - if log_denied == "off": - return "" - if log_denied in ["unicast", "broadcast", "multicast"]: -- rule[i:i+1] = ["pkttype", self._log_denied] -+ rule[i:i+1] = ["pkttype", log_denied] - else: - rule.pop(i) - --- -2.19.1 - diff --git a/ipset-fix-set-apply-if-IndividualCalls-yes.patch b/ipset-fix-set-apply-if-IndividualCalls-yes.patch deleted file mode 100644 index 8f8a027b6e573d39b8bae8b583d359ad217923d0..0000000000000000000000000000000000000000 --- a/ipset-fix-set-apply-if-IndividualCalls-yes.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 4157393136bbaff53e812029376b2a0a5113cedb Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 11 Dec 2018 11:32:54 -0500 -Subject: [PATCH 070/127] ipset: fix set apply if IndividualCalls=yes - -Fixes: rhbz 1644834 -Fixes: e6188ec98ff4 ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall") ---- - src/firewall/core/fw_ipset.py | 2 +- - src/tests/regression/rhbz1601610.at | 43 +++++++++++++++++++++++++++++ - 2 files changed, 44 insertions(+), 1 deletion(-) - -diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py -index b06a60d0..54ace39e 100644 ---- a/src/firewall/core/fw_ipset.py -+++ b/src/firewall/core/fw_ipset.py -@@ -125,7 +125,7 @@ class FirewallIPSet(object): - raise FirewallError(errors.COMMAND_FAILED, msg) - else: - obj.applied = True -- if "timeout" not in obj.options or \ -+ if "timeout" in obj.options and \ - obj.options["timeout"] != "0": - # no entries visible for ipsets with timeout - continue -diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at -index 0676bb82..5ba0cee4 100644 ---- a/src/tests/regression/rhbz1601610.at -+++ b/src/tests/regression/rhbz1601610.at -@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22]) - FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [ - ]) - -+dnl rhbz 1644834 -+FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16]) -+FWD_CHECK([-q --runtime-to-permanent]) -+FWD_RELOAD -+m4_if(nftables, FIREWALL_BACKEND, [ -+NFT_LIST_SET([foobar], 0, [dnl -+table inet firewalld { -+set foobar { -+type ipv4_addr -+flags interval -+elements = { 10.1.0.0/16, 10.2.0.0/22 } -+} -+} -+])], [ -+IPSET_LIST_SET([foobar], 0, [dnl -+Name: foobar -+Type: hash:net -+Members: -+10.1.0.0/16 -+10.2.0.0/22 -+])]) -+ -+dnl rhbz 1644834, again with IndividualCalls=yes -+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf]) -+FWD_RELOAD -+m4_if(nftables, FIREWALL_BACKEND, [ 
-+NFT_LIST_SET([foobar], 0, [dnl -+table inet firewalld { -+set foobar { -+type ipv4_addr -+flags interval -+elements = { 10.1.0.0/16, 10.2.0.0/22 } -+} -+} -+])], [ -+IPSET_LIST_SET([foobar], 0, [dnl -+Name: foobar -+Type: hash:net -+Members: -+10.1.0.0/16 -+10.2.0.0/22 -+])]) -+ - FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl - -e '/ERROR: COMMAND_FAILED:.*element.*exists/d']) --- -2.19.1 - diff --git a/nftables-fix-destination-checks-not-allowing-masks.patch b/nftables-fix-destination-checks-not-allowing-masks.patch deleted file mode 100644 index 2841198c85ebffa13a1912954588f736fe93741f..0000000000000000000000000000000000000000 --- a/nftables-fix-destination-checks-not-allowing-masks.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Thu, 27 Sep 2018 08:52:22 -0400 -Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks - -Some destination checks were using check_single_address() which make it -impossible to use a mask. This was discovered in issue #399. ---- - src/firewall/core/nftables.py | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py -index 811f4e71..64191d1f 100644 ---- a/src/firewall/core/nftables.py -+++ b/src/firewall/core/nftables.py -@@ -753,7 +753,7 @@ class nftables(object): - return [] - - rule_fragment = [] -- if check_single_address("ipv4", rich_dest.addr): -+ if check_address("ipv4", rich_dest.addr): - rule_fragment += ["ip"] - else: - rule_fragment += ["ip6"] -@@ -803,7 +803,7 @@ class nftables(object): - if rich_rule: - rule_fragment += self._rich_rule_family_fragment(rich_rule.family) - if destination: -- if check_single_address("ipv4", destination): -+ if check_address("ipv4", destination): - rule_fragment += ["ip"] - else: - rule_fragment += ["ip6"] -@@ -835,7 +835,7 @@ class nftables(object): - if rich_rule: - rule_fragment += self._rich_rule_family_fragment(rich_rule.family) - if destination: -- if check_single_address("ipv4", destination): -+ if check_address("ipv4", destination): - rule_fragment += ["ip"] - else: - rule_fragment += ["ip6"] -@@ -869,7 +869,7 @@ class nftables(object): - if rich_rule: - rule_fragment += self._rich_rule_family_fragment(rich_rule.family) - if destination: -- if check_single_address("ipv4", destination): -+ if check_address("ipv4", destination): - rule_fragment += ["ip"] - else: - rule_fragment += ["ip6"] -@@ -900,7 +900,7 @@ class nftables(object): - rule = [add_del, "rule", "inet", "%s" % TABLE_NAME, - "raw_%s_allow" % (target), proto] - if destination: -- if check_single_address("ipv4", destination): -+ if 
check_address("ipv4", destination): - rule += ["ip"] - else: - rule += ["ip6"] --- -2.19.1 - diff --git a/nftables-fix-ipv6-rich-rule-forward-ports.patch b/nftables-fix-ipv6-rich-rule-forward-ports.patch deleted file mode 100644 index 882242d6db26750d2efdb63426ec0d1060abc6be..0000000000000000000000000000000000000000 --- a/nftables-fix-ipv6-rich-rule-forward-ports.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 628657cdafa7ba3217fb031c748f5a7d32924c90 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Wed, 5 Dec 2018 19:11:06 -0500 -Subject: [PATCH 050/127] nftables: fix ipv6 rich rule forward-ports - -The were mistakenly being added to the ipv4 nat tables as well. - -Fixes: #422 -Fixes: b630abd8e901 ("backend: introduce nftables support") ---- - src/firewall/core/nftables.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py -index 00a02ad1..a1cb2c47 100644 ---- a/src/firewall/core/nftables.py -+++ b/src/firewall/core/nftables.py -@@ -980,7 +980,7 @@ class nftables(object): - or toaddr and check_single_address("ipv6", toaddr)): - rules.extend(self._build_zone_forward_port_nat_rules(enable, zone, - protocol, mark_fragment, toaddr, toport, "ip6")) -- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4" -+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4" - or toaddr and check_single_address("ipv4", toaddr)): - rules.extend(self._build_zone_forward_port_nat_rules(enable, zone, - protocol, mark_fragment, toaddr, toport, "ip")) --- -2.19.1 - diff --git a/nftables-fix-panic-mode-not-filtering-output-packets.patch b/nftables-fix-panic-mode-not-filtering-output-packets.patch deleted file mode 100644 index 2bddc473008eaa92910d23693cd64d3b083a2b42..0000000000000000000000000000000000000000 --- a/nftables-fix-panic-mode-not-filtering-output-packets.patch +++ /dev/null 
@@ -1,73 +0,0 @@
-From 2f5608b4897ff99afbb1c2425a94df035031c1a2 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Mon, 3 Dec 2018 12:40:41 -0500
-Subject: [PATCH 043/127] nftables: fix panic mode not filtering output packets
-
-This simplifies policy in the nftables backend by filtering only on the
-prerouting and output hooks. The others hooks are unnecessary since
-we're using a higher precedence.
-
-Also fixes an issue when re-enabling panic mode multiple times. Due to
-rule de-duplication the policy drop rule was not being re-added.
-
-Fixes: rhbz 1579740
-Fixes: a0f683dfef2c ("nftables: fix policy")
---
- src/firewall/core/nftables.py | 36 +++++++++--------------------------
- 1 file changed, 9 insertions(+), 27 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 69236a96..44cd4f9e 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -314,38 +314,20 @@ class nftables(object):
- # packets while initially starting and for panic mode. As such, using
- # hooks with a higher priority than our base chains is sufficient.
- #
-- table_chains = []
-- for table in list(IPTABLES_TO_NFT_HOOK.keys()):
-- for chain in IPTABLES_TO_NFT_HOOK[table]:
-- table_chains.append((table, chain))
--
- table_name = TABLE_NAME + "_" + "policy_drop"
-
-- def _policy_drop_helper(table, chain, family, rules):
-- _chain = "%s_%s" % (table, chain)
-- _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
-- # add hooks with priority -1, only contain drop rule
-- _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
-- _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
-- (family, table_name, _chain, _hook, _priority)
-- rules.append(splitArgs(_add_chain))
-- rules.append(["add", "rule", family, table_name, _chain, "drop"])
--
- rules = []
- if policy == "DROP":
-- for family in ["inet", "ip", "ip6"]:
-- rules.append(["add", "table", family, table_name])
--
-- for table,chain in table_chains:
-- if table == "nat":
-- # nat requires two families
-- for family in ["ip", "ip6"]:
-- _policy_drop_helper(table, chain, family, rules)
-- else:
-- _policy_drop_helper(table, chain, "inet", rules)
-+ rules.append(["add", "table", "inet", table_name])
-+
-+ # To drop everything we need to use the "raw" priority. These occur
-+ # before conntrack, mangle, nat, etc
-+ for hook in ["prerouting", "output"]:
-+ _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
-+ (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
-+ rules.append(splitArgs(_add_chain))
- elif policy == "ACCEPT":
-- for family in ["inet", "ip", "ip6"]:
-- rules.append(["delete", "table", family, table_name])
-+ rules.append(["delete", "table", "inet", table_name])
- else:
- FirewallError(UNKNOWN_ERROR, "not implemented")
-
---
-2.19.1
-
diff --git a/nftables-fix-reject-statement-in-block-zone.patch b/nftables-fix-reject-statement-in-block-zone.patch
deleted file mode 100644
index ab0ad8ff0376c64d2e4d158500fa80dc6570ecfe..0000000000000000000000000000000000000000
--- a/nftables-fix-reject-statement-in-block-zone.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Thu, 11 Oct 2018 11:58:22 -0400
-Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone
-
-Also add test coverage.
-
-Fixes: #406
---
- src/firewall/core/nftables.py | 3 ++-
- src/tests/firewall-cmd.at | 2 ++
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 8a305539..3c871069 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -619,7 +619,8 @@ class nftables(object):
- target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
- chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
- rules.append(["add", "rule", family, "%s" % TABLE_NAME,
-- "%s_%s" % (table, _zone), target.lower()])
-+ "%s_%s" % (table, _zone),
-+ target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
-
- return rules
-
-diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
-index ef45110c..b7ec3816 100644
---- a/src/tests/firewall-cmd.at
-+++ b/src/tests/firewall-cmd.at
-@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
- FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
- FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
- ])
-+ FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
-+ FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
-
- FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
- FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
---
-2.19.1
-
diff --git a/nftables-fix-rich-rule-masquerade.patch b/nftables-fix-rich-rule-masquerade.patch
deleted file mode 100644
index 960d90d5c2902c3de86b45b5a8beccc9fbf243d0..0000000000000000000000000000000000000000
--- a/nftables-fix-rich-rule-masquerade.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Wed, 5 Dec 2018 17:16:30 -0500
-Subject: [PATCH 049/127] nftables: fix rich rule masquerade
-
---
- src/firewall/core/nftables.py | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 44cd4f9e..00a02ad1 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -900,7 +900,6 @@ class nftables(object):
-
- rule_fragment = []
- if rich_rule:
-- rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
- rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
- rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
-
-@@ -912,10 +911,10 @@ class nftables(object):
- # nat tables needs to use ip/ip6 family
- rules = []
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
-- or rich_rule.source and check_address("ipv6", rich_rule.source)):
-+ or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
- rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
-- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
-- or rich_rule.source and check_address("ipv4", rich_rule.source)):
-+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
-+ or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
- rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
- else:
- rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
---
-2.19.1
-
diff --git a/repair-test-cases.patch b/repair-test-cases.patch
index 321d8eb940a9a95083101ecad751597dcefe84fa..5b23d1c99ac2c9a6f997a92e2513f4f46df9c357 100644
--- a/repair-test-cases.patch
+++ b/repair-test-cases.patch
@@ -1,52 +1,38 @@
-From a43ae627eeb4f99bb15ed737fd58f0ec15d55dea Mon Sep 17 00:00:00 2001
-From: yanghua
-Date: Mon, 6 May 2019 16:28:01 +0800
-Subject: [PATCH] Repair test cases gh366 rhbz1514043 rhbz1601610
+From 9904b48fdce1e28b122d8f64961d2dda81d4c546 Mon Sep 17 00:00:00 2001
+From: sherlock2010 <15151851377@163.com>
+Date: Wed, 29 Jul 2020 17:29:59 +0800
+Subject: [PATCH 3/3] third commit
 ---
- src/tests/functions.at | 2 +-
 src/tests/regression/gh366.at | 1 +
 src/tests/regression/rhbz1514043.at | 2 +-
- 3 files changed, 3 insertions(+), 2 deletions(-)
+ 2 files changed, 2 insertions(+), 1 deletion(-)
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index d1f3429..243724f 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -244,7 +244,7 @@ m4_define([NFT_LIST_RULES], [
- m4_define([IPSET_LIST_SET], [
- NS_CHECK([ipset list $1 | TRIM_WHITESPACE |dnl
- grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
-- awk 'NR <= 4; NR > 4 {print | "sort"}'],
-+ awk 'NR <= 3; NR > 3 {print | "sort"}'],
- [$2], [$3], [$4], [$5], [$6])
- ])
-
 diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
-index dd6963f..46307cf 100644
+index 1441a6b..be33ed7 100644
 --- a/src/tests/regression/gh366.at
 +++ b/src/tests/regression/gh366.at
 @@ -22,6 +22,7 @@ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
 ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
- ])])])
+ ])])
 +FWD_CHECK([-q --zone=public --remove-service=mdns])
 FWD_CHECK([-q --zone=public --add-service=mdns])
 check_firewall_backend_output
 FWD_CHECK([-q --zone=public --remove-service=mdns])
 diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
-index 4831460..077c007 100644
+index efc33e0..694a198 100644
 --- a/src/tests/regression/rhbz1514043.at
 +++ b/src/tests/regression/rhbz1514043.at
-@@ -3,7 +3,7 @@ FWD_CHECK([-q --set-log-denied=all])
+@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all])
 FWD_CHECK([-q --permanent --zone=public --add-service=samba])
 FWD_RELOAD
 FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
--services: ssh dhcpv6-client samba
+-services: dhcpv6-client samba ssh
 +services: ssh mdns dhcpv6-client samba
 ])
+ dnl check that log denied actually took effect
- m4_if(iptables, FIREWALL_BACKEND, [
 --
-2.19.1
+1.8.3.1
diff --git a/rich-rules-fix-mark-action.patch b/rich-rules-fix-mark-action.patch
deleted file mode 100644
index 3c978f741bca668ad947d7895d6f6d816fe9ea57..0000000000000000000000000000000000000000
--- a/rich-rules-fix-mark-action.patch
+++ /dev/null
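Review bot: The regenerated patch header on the new side of this hunk, `+Subject: [PATCH 3/3] third commit`, no longer states what the patch repairs, while the header it replaces named the affected test cases (gh366, rhbz1514043, rhbz1601610); a downstream patch that rewrites expected test output needs that rationale in its own description so the next rebase can tell whether it still applies or has been fixed upstream. The new expected line `+services: ssh mdns dhcpv6-client samba` in rhbz1514043.at, together with the `--remove-service=mdns` inserted before `--add-service=mdns` in gh366.at, appears to assume that mdns is part of the public zone shipped by this build, and that assumption should be spelled out in the patch description as well. A subject along the lines of `Subject: [PATCH] Repair test cases gh366 and rhbz1514043 for a public zone that includes mdns` would carry the intent the old header had.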
@@ -1,65 +0,0 @@
-From 5d36e0f55887c6204e07bd8095ead1ce2d535ddb Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Fri, 2 Nov 2018 14:10:38 -0400
-Subject: [PATCH 025/127] rich rules: fix mark action
-
-They were being placed in the wrong (and nonexistent) chain. Also add
-test coverage for the "mark" action.
-
-Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
-Tested-by: Felix Kaechele
---
- src/firewall/core/ipXtables.py | 4 ++--
- src/firewall/core/nftables.py | 4 ++--
- src/tests/firewall-cmd.at | 1 +
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
-index 11aebec6..b98ba522 100644
---- a/src/firewall/core/ipXtables.py
-+++ b/src/firewall/core/ipXtables.py
-@@ -807,10 +807,10 @@ class ip4tables(object):
- chain = "%s_deny" % target
- rule_action = [ "-j", "DROP" ]
- elif type(rich_rule.action) == Rich_Mark:
-- chain = "%s_allow" % target
-- table = "mangle"
- target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
- zone=zone)
-+ table = "mangle"
-+ chain = "%s_allow" % target
- rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
- else:
- raise FirewallError(INVALID_RULE,
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index cd05b2c3..69236a96 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -723,10 +723,10 @@ class nftables(object):
- chain = "%s_%s_deny" % (table, target)
- rule_action = ["drop"]
- elif type(rich_rule.action) == Rich_Mark:
-- table = "mangle"
-- chain = "%s_%s_allow" % (table, target)
- target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
- zone=zone)
-+ table = "mangle"
-+ chain = "%s_%s_allow" % (table, target)
- rule_action = ["meta", "mark", "set", rich_rule.action.set]
- else:
- raise FirewallError(INVALID_RULE,
-diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
-index b7ec3816..f31c8955 100644
---- a/src/tests/firewall-cmd.at
-+++ b/src/tests/firewall-cmd.at
-@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
- rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
- rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
- rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
-+ rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
- FWD_END_TEST
- FWD_START_TEST([rich rules audit])
- CHECK_LOG_AUDIT
---
-2.19.1
-