From 4bdddef2331ca00b1851734a5b0ff9389d02d3c0 Mon Sep 17 00:00:00 2001
From: xinghe
Date: Thu, 1 Sep 2022 20:21:42 +0800
Subject: [PATCH] fix Community bugs
(cherry picked from commit ba447285bdddb3688f2e3f28e17b9db47da7f82a)
---
 ...k-config-use-the-dictionary-variants.patch | 50 +++++++++++++++
 ...ck-config-fails-if-direct.xml-exists.patch | 38 ++++++++++++
 ...mptype-don-t-alter-ipvs-in-io_object.patch | 61 +++++++++++++++++++
 ...dding-includes-to-a-built-in-service.patch | 47 ++++++++++++++
 ...ned-forward-must-not-default-to-True.patch | 29 +++++++++
 firewalld.spec | 18 +++++-
 6 files changed, 242 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-check-config-use-the-dictionary-variants.patch
 create mode 100644 backport-fix-functions-check-config-fails-if-direct.xml-exists.patch
 create mode 100644 backport-fix-fw_icmptype-don-t-alter-ipvs-in-io_object.patch
 create mode 100644 backport-fix-service-adding-includes-to-a-built-in-service.patch
 create mode 100644 backport-fix-zone-combined-forward-must-not-default-to-True.patch
diff --git a/backport-fix-check-config-use-the-dictionary-variants.patch b/backport-fix-check-config-use-the-dictionary-variants.patch
new file mode 100644
index 0000000..d279a89
--- /dev/null
+++ b/backport-fix-check-config-use-the-dictionary-variants.patch
@@ -0,0 +1,50 @@
+From c6da3bb7d14820802811f24cb6f8fb5d6bf77afd Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 19 Jan 2022 15:23:15 -0500
+Subject: [PATCH] fix(check-config): use the dictionary variants
+
+It was possible for newer config fields of an io_object to not be
+checked. That is, the fields covered by check_config(), i.e. the fields
+covered by the tuple based dbus APIs.
+
+Conflict: NA
+Reference: https://github.com/firewalld/firewalld/commit/c6da3bb7d14820802811f24cb6f8fb5d6bf77afd
+
+(cherry picked from commit 3b466b8bf092256dcbd1b541df4924d154ca7386)
+---
+ src/firewall/core/io/functions.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py
+index 35a7eaf8..c357223a 100644
+--- a/src/firewall/core/io/functions.py
++++ b/src/firewall/core/io/functions.py
+@@ -73,7 +73,7 @@ def check_config(fw):
+ obj = readers[reader]["reader"](file, _dir)
+ if reader in ["zone", "policy"]:
+ obj.fw_config = fw_config
+- obj.check_config(obj.export_config())
++ obj.check_config_dict(obj.export_config_dict())
+ readers[reader]["add"](obj)
+ except FirewallError as error:
+ raise FirewallError(error.code, "'%s': %s" % (file, error.msg))
+@@ -83,7 +83,7 @@ def check_config(fw):
+ try:
+ obj = Direct(config.FIREWALLD_DIRECT)
+ obj.read()
+- obj.check_config(obj.export_config())
++ obj.check_config_dict(obj.export_config_dict())
+ except FirewallError as error:
+ raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_DIRECT, error.msg))
+ except Exception as msg:
+@@ -92,7 +92,7 @@ def check_config(fw):
+ try:
+ obj = LockdownWhitelist(config.LOCKDOWN_WHITELIST)
+ obj.read()
+- obj.check_config(obj.export_config())
++ obj.check_config_dict(obj.export_config_dict())
+ except FirewallError as error:
+ raise FirewallError(error.code, "'%s': %s" % (config.LOCKDOWN_WHITELIST, error.msg))
+ except Exception as msg:
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-fix-functions-check-config-fails-if-direct.xml-exists.patch b/backport-fix-functions-check-config-fails-if-direct.xml-exists.patch
new file mode 100644
index 0000000..cd8fc21
--- /dev/null
+++ b/backport-fix-functions-check-config-fails-if-direct.xml-exists.patch
@@ -0,0 +1,38 @@
+From 1439a47f55ae7d226639237948fb1fab49aa81b4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 23 Mar 2022 14:55:00 -0400
+Subject: [PATCH] fix(functions): --check-config fails if direct.xml exists
+
+Conflict: NA
+Reference: https://github.com/firewalld/firewalld/commit/1439a47f55ae7d226639237948fb1fab49aa81b4
+
+Fixes: 3b466b8bf092 ("fix(check-config): use the dictionary variants")
+(cherry picked from commit cf9ffb678134dc498c4b08444e17792e340d04a9)
+---
+ src/firewall/core/io/functions.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py
+index c357223a..63e3407d 100644
+--- a/src/firewall/core/io/functions.py
++++ b/src/firewall/core/io/functions.py
+@@ -83,7 +83,7 @@ def check_config(fw):
+ try:
+ obj = Direct(config.FIREWALLD_DIRECT)
+ obj.read()
+- obj.check_config_dict(obj.export_config_dict())
++ obj.check_config(obj.export_config())
+ except FirewallError as error:
+ raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_DIRECT, error.msg))
+ except Exception as msg:
+@@ -92,7 +92,7 @@ def check_config(fw):
+ try:
+ obj = LockdownWhitelist(config.LOCKDOWN_WHITELIST)
+ obj.read()
+- obj.check_config_dict(obj.export_config_dict())
++ obj.check_config(obj.export_config())
+ except FirewallError as error:
+ raise FirewallError(error.code, "'%s': %s" % (config.LOCKDOWN_WHITELIST, error.msg))
+ except Exception as msg:
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-fix-fw_icmptype-don-t-alter-ipvs-in-io_object.patch b/backport-fix-fw_icmptype-don-t-alter-ipvs-in-io_object.patch
new file mode 100644
index 0000000..3d52413
--- /dev/null
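Review bot: After this backport, Direct and LockdownWhitelist are validated with the tuple-based `obj.check_config(obj.export_config())` again, so the coverage gap the preceding backport's description calls out (fields only covered by the dict-based check) still applies to direct.xml and lockdown-whitelist.xml; presumably those two io_objects simply have no dict-based variant, but that is not visible here. A one-line addition to this patch's header block, e.g. `Direct and LockdownWhitelist keep the tuple-based check; only zone/policy/service readers use the dict variants`, would save the next maintainer from re-deriving why two of the three hunks of the previous patch are undone. The enclosing `check_config(fw)` starts before both inner hunks.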
+++ b/backport-fix-fw_icmptype-don-t-alter-ipvs-in-io_object.patch 
@@ -0,0 +1,61 @@
+From d276135878615f36c9b0128bd0bb91570b1064f3 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 11 Apr 2022 14:56:08 -0400
+Subject: [PATCH] fix(fw_icmptype): don't alter ipvs in io_object
+
+We should never modify the runtime icmptype object. This caused sanity
+failures on --runtime-to-permanent because the runtime icmptype
+pretended to be ipv4 only, but our configuration (policy
+allow-host-ipv6) used it inside an IPv6 only rich rule.
+
+For users that disable IPv6 then this probably triggered an accidental
+copy of the stock icmptype to a user icmptype, but with the ipv6 family
+dropped.
+
+Conflict: NA
+Reference: https://github.com/firewalld/firewalld/commit/d276135878615f36c9b0128bd0bb91570b1064f3
+(cherry picked from commit 9a9c9041a365fc8e12a3edf342de784cc5419a72)
+---
+ src/firewall/core/fw_icmptype.py | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py
+index a565bb6d..5b75d314 100644
+--- a/src/firewall/core/fw_icmptype.py
++++ b/src/firewall/core/fw_icmptype.py
+@@ -21,7 +21,6 @@
+ 
+ __all__ = [ "FirewallIcmpType" ]
+ 
+-import copy
+ from firewall.core.logger import log
+ from firewall import errors
+ from firewall.errors import FirewallError
+@@ -54,7 +53,6 @@ class FirewallIcmpType(object):
+ orig_ipvs = obj.destination
+ if len(orig_ipvs) == 0:
+ orig_ipvs = [ "ipv4", "ipv6" ]
+- ipvs = orig_ipvs[:]
+ for ipv in orig_ipvs:
+ if ipv == "ipv4":
+ if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled:
+@@ -68,16 +66,7 @@ class FirewallIcmpType(object):
+ supported_icmps = [ ]
+ if obj.name.lower() not in supported_icmps:
+ log.info1("ICMP type '%s' is not supported by the kernel for %s."
% (obj.name, ipv))
+- ipvs.remove(ipv)
+- if len(ipvs) != len(orig_ipvs):
+- if len(ipvs) < 1:
+- raise FirewallError(errors.INVALID_ICMPTYPE,
+- "No supported ICMP type.")
+- new_obj = copy.deepcopy(obj)
+- new_obj.destination = ipvs
+- self._icmptypes[obj.name] = new_obj
+- else:
+- self._icmptypes[obj.name] = obj
++ self._icmptypes[obj.name] = obj
+ 
+ def remove_icmptype(self, icmptype):
+ self.check_icmptype(icmptype)
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-fix-service-adding-includes-to-a-built-in-service.patch b/backport-fix-service-adding-includes-to-a-built-in-service.patch
new file mode 100644
index 0000000..a545d95
--- /dev/null
+++ b/backport-fix-service-adding-includes-to-a-built-in-service.patch
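Review bot: With `ipvs.remove(ipv)` and the `if len(ipvs) < 1:` guard removed, an ICMP type that no enabled family supports is now stored in `self._icmptypes[obj.name]` unchanged and the only trace is the `log.info1(...)` call; the former `FirewallError(errors.INVALID_ICMPTYPE, "No supported ICMP type.")` path is gone. That matches the referenced upstream commit, but this backport's description only explains the runtime-object mutation, so a sentence stating that the unsupported-type error is intentionally dropped (and which later check, if any, rejects such a type — not visible in this hunk) would help whoever triages a report of an ICMP block that silently does nothing on a family. The enclosing method starts before the `@@ -54,7 +53,6 @@` inner hunk and is not shown in full.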
@@ -0,0 +1,47 @@
+From 598ecacee6438d7a9004162f1f1c7734b985cda3 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 1 Feb 2022 15:16:58 -0500
+Subject: [PATCH] fix(service): adding includes to a built in service
+
+Conflict: NA
+Reference: https://github.com/firewalld/firewalld/commit/598ecacee6438d7a9004162f1f1c7734b985cda3
+
+Fixes: bcdc1e2bf1e7 ("fix: dbus: add missing APIs for service includes")
+(cherry picked from commit 72ef57a1d700055a0fc2de29c63a22dbb69328e3)
+---
+ src/firewall/server/config_service.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/server/config_service.py b/src/firewall/server/config_service.py
+index dae3a4c6..3dcf63fe 100644
+--- a/src/firewall/server/config_service.py
++++ b/src/firewall/server/config_service.py
+@@ -685,7 +685,7 @@ class FirewallDConfigService(DbusServiceObject):
+ log.debug1("%s.setIncludes('%s')", self._log_prefix, includes)
+ self.parent.accessCheck(sender)
+ settings = {"includes": includes[:]}
+- self.config.set_service_config_dict(self.obj, settings)
++ self.obj = self.config.set_service_config_dict(self.obj, settings)
+ self.Updated(self.obj.name)
+ 
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+@@ -697,7 +697,7 @@ class FirewallDConfigService(DbusServiceObject):
+ self.parent.accessCheck(sender)
+ settings = self.config.get_service_config_dict(self.obj)
+ settings.setdefault("includes", []).append(include)
+- self.config.set_service_config_dict(self.obj, settings)
++ self.obj = self.config.set_service_config_dict(self.obj, settings)
+ self.Updated(self.obj.name)
+ 
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+@@ -709,7 +709,7 @@ class FirewallDConfigService(DbusServiceObject):
+ self.parent.accessCheck(sender)
+ settings = self.config.get_service_config_dict(self.obj)
+ settings["includes"].remove(include)
+- self.config.set_service_config_dict(self.obj, settings)
++ self.obj = self.config.set_service_config_dict(self.obj,
settings)
+ self.Updated(self.obj.name)
+ 
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-fix-zone-combined-forward-must-not-default-to-True.patch b/backport-fix-zone-combined-forward-must-not-default-to-True.patch
new file mode 100644
index 0000000..2df9626
--- /dev/null
+++ b/backport-fix-zone-combined-forward-must-not-default-to-True.patch
@@ -0,0 +1,29 @@
+From cbe2802ebc62d8a04ceca2329014e835f1536423 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 14 Apr 2022 10:14:30 -0400
+Subject: [PATCH] fix(zone): combined: forward must not default to True
+
+Since we're reading on-disk config, assume forward = False as is done in
+zone_reader().
+
+Conflict: NA
+Reference: https://github.com/firewalld/firewalld/commit/cbe2802ebc62d8a04ceca2329014e835f1536423
+(cherry picked from commit 386a7327736160cb6a2d642325a26043b622a475)
+---
+ src/firewall/core/fw.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 4d0ada35..547167c6 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -519,6 +519,7 @@ class Firewall(object):
+ combined_zone.check_name(combined_zone.name)
+ combined_zone.path = path
+ combined_zone.default = False
++ combined_zone.forward = False # see note in zone_reader()
+ else:
+ combine = False
+ 
+--
+2.23.0
\ No newline at end of file
diff --git a/firewalld.spec b/firewalld.spec
index 7604808..b79ae6f 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,6 +1,6 @@
 Name: firewalld
 Version: 1.0.2
-Release: 3
+Release: 4
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPLv2+
 URL: http://www.firewalld.org
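Review bot: `combined_zone.forward = False # see note in zone_reader()` sets a security-relevant default (whether traffic is forwarded between interfaces of the combined zone) but the comment only points elsewhere, so a reader auditing fw.py has to chase zone_reader() to learn why True is wrong here. The backport's own description already gives the reason; carrying it in the comment, e.g. `# on-disk zones default to forward=False (as zone_reader() does); must not stay True`, would make the line self-explanatory. The `if`/`else` that assigns `combine` starts before the inner hunk. The service-includes patch in this same physical line raises no issue of its own.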
@@ -10,6 +10,12 @@ Patch0: firewalld-0.2.6-MDNS-default.patch
 Patch1: repair-test-cases.patch
 Patch2: add-Restart-on-failure-on-firewalld.service.patch
+Patch3: backport-fix-zone-combined-forward-must-not-default-to-True.patch
+Patch4: backport-fix-fw_icmptype-don-t-alter-ipvs-in-io_object.patch
+Patch5: backport-fix-check-config-use-the-dictionary-variants.patch
+Patch6: backport-fix-functions-check-config-fails-if-direct.xml-exists.patch
+Patch7: backport-fix-service-adding-includes-to-a-built-in-service.patch
+
 BuildArch: noarch
 BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl
 BuildRequires: libxslt iptables ebtables ipset python3-devel
@@ -230,6 +236,16 @@ fi
 %{_datadir}/firewalld/testsuite/python/firewalld_test.py
 %changelog
+* Thu Sep 01 2022 xinghe - 1.0.2-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix zone combined forward must not default to True
+ fix fw icmptype don't alter ipvs in io_object
+ fix check config use the dictionary variants
+ fix functions check config fails if direct.xml exists
+ fix service adding includes
+
 * Thu Jun 30 2022 gaihuiying - 1.0.2-3
 - Type:bugfix
 - ID:NA
--
Gitee
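Review bot: Patch3 through Patch7 are declared here, but %prep is outside this hunk, so whether the new numbers are actually applied (an `%autosetup -p1`, or explicit `%patchN -p1` lines that would need extending) cannot be confirmed from the diff; verify that before build. The order of Patch5 and Patch6 is load-bearing: the second patch's inner `index c357223a..63e3407d` expects the first's postimage `35a7eaf8..c357223a`, so Patch6 must stay after Patch5 as it is now, while Patch3 and Patch4 touch other files and are order-independent. The %changelog hunk in this line needs nothing further.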