diff --git a/backport-fix-nm-release-NM-client-after-a-timeout.patch b/backport-fix-nm-release-NM-client-after-a-timeout.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b4c22a95f0db7a06280d602886344354b7e76f2e
--- /dev/null
+++ b/backport-fix-nm-release-NM-client-after-a-timeout.patch
@@ -0,0 +1,61 @@
+From eb76e2a80a43481da7a54ff784edf1c76651db96 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 22 Nov 2023 12:10:09 -0500
+Subject: [PATCH] fix(nm): release NM client after a timeout
+
+Conflict: NA
+Reference: https://github.com/firewalld/firewalld/commit/eb76e2a80a43481da7a54ff784edf1c76651db96
+
+libnm will accumulate a bunch of data, e.g. routes, that is irrelevant
+to firewalld. To avoid unbound growth in memory we can destroy the
+client and reinitialize it when we query NM.
+
+Fixes: #1232
+---
+ src/firewall/core/fw_nm.py | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
+index 0e38dd4..c1f8e1d 100644
+--- a/src/firewall/core/fw_nm.py
++++ b/src/firewall/core/fw_nm.py
+@@ -39,6 +39,7 @@ else:
+ except (ImportError, ValueError, GLib.Error):
+ _nm_imported = False
+ _nm_client = None
++_nm_client_timeout = None
+
+ from firewall import errors
+ from firewall.errors import FirewallError
+@@ -61,9 +62,28 @@ def nm_get_client():
+ """Returns the NM client object or None if the import of NM failed
+ @return NM.Client instance if import was successful, None otherwise
+ """
++
++ def _release():
++ """
++ Release the client to avoid excess memory usage when libnm pushes
++ irrelevant (to firewalld) updates.
++ """
++ global _nm_client
++ global _nm_client_timeout
++ _nm_client = None
++ _nm_client_timeout = None
++
+ global _nm_client
++ global _nm_client_timeout
++
+ if not _nm_client:
+ _nm_client = NM.Client.new(None)
++ else:
++ # refresh timer
++ GLib.source_remove(_nm_client_timeout)
++
++ _nm_client_timeout = GLib.timeout_add_seconds(5, _release)
++
+ return _nm_client
+
+ def nm_get_zone_of_connection(connection):
+--
+2.33.0
+
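Review bot: The `else` branch in `nm_get_client` calls `GLib.source_remove(_nm_client_timeout)` unconditionally, so the function now relies on an invariant — a non-None `_nm_client` always has a live timeout id — that nothing in the hunk states or checks; should the two globals ever diverge (a test or caller resetting `_nm_client` directly, or `timeout_add_seconds` failing after `NM.Client.new` succeeded), PyGObject would reject `source_remove(None)` and the query path would raise instead of refreshing. A one-line guard, `if _nm_client_timeout is not None:` ahead of the `source_remove` call, keeps the refresh robust at no cost. The 5-second release also changes the contract for callers of this module: the reference can be dropped at any main-loop iteration, so callers should re-request the client per query rather than cache the return value, and the release only happens when a GLib main loop is actually running — that belongs in the docstring, e.g. `Note: the client is released 5 s after the last call (needs a running GLib main loop); do not cache the returned object.` Since this bounds memory growth in a root daemon driven by events a local user can trigger, a short why-comment on the `timeout_add_seconds` line pointing at #1232 would help the next reader; the body of `nm_get_zone_of_connection` continues outside the hunk.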
@@ -1,6 +1,6 @@ Name: firewalld Version: 1.2.6 -Release: 3 +Release: 4 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall License: GPLv2+ URL: http://www.firewalld.org @@ -13,13 +13,14 @@ Patch3: 0001-fix-config-Specify-the-translation-encoding-format-a.patch Patch4: backport-chore-nftables-add-delete-table-helper.patch Patch5: backport-fix-nftables-always-flush-main-table-on-start.patch Patch6: backport-fix-service-update-highest-port-number-for-ceph.patch +Patch7: backport-fix-nm-release-NM-client-after-a-timeout.patch BuildArch: noarch BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl BuildRequires: libxslt iptables ebtables ipset python3-devel -Requires: iptables ebtables ipset systemd +Requires: iptables iptables-nft ipset systemd %if %{?openEuler:1}0 Requires: hicolor-icon-theme python3-gobject NetworkManager-libnm dbus-x11 gtk3 %endif @@ -149,6 +150,7 @@ if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; th esac fi +sed -i "s/CleanupModulesOnExit=no/CleanupModulesOnExit=yes/g" %{_sysconfdir}/firewalld/firewalld.conf %files -f %{name}.lang %doc COPYING README.md @@ -234,6 +236,14 @@ fi %{_datadir}/firewalld/testsuite/python/firewalld_test.py %changelog +* Fri Jul 05 2024 zhouyihang - 1.2.6-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Firewall startup is to set CleanupModuleOnxit=yes to unload related ko when stopping firewalld service + To reduce unnecessary loading of ebtables-related kernel modules + fix(nm): release NM client after a timeout + * Mon Apr 29 2024 baiguo - 1.2.6-3 - Type:requirement - ID:NA