From e10a797ab8e19f8d6669a319be3faf96ef66d5f3 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Jul 01 2020 20:31:38 +0000
Subject: rebase to v0.7.5
---
diff --git a/.gitignore b/.gitignore
index bec8254..0eb2201 100644
--- a/.gitignore
+++ b/.gitignore
@@ -58,3 +58,4 @@
 /firewalld-0.7.2.tar.gz
 /firewalld-0.7.3.tar.gz
 /firewalld-0.7.4.tar.gz
+/firewalld-0.7.5.tar.gz
diff --git a/0001-fedora-patch-to-default-to-iptables-backend.patch b/0001-fedora-patch-to-default-to-iptables-backend.patch
deleted file mode 100644
index b19c707..0000000
--- a/0001-fedora-patch-to-default-to-iptables-backend.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 90e72ff95ccc8a0b91d0c450962b1f688b0213c4 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Thu, 30 Jan 2020 09:27:56 -0500
-Subject: [PATCH 1/3] fedora patch to default to iptables backend
-
----
- config/firewalld.conf | 7 -------
- src/firewall/config/__init__.py.in | 2 +-
- src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
- src/tests/dbus/firewalld.conf.at | 4 ++--
- src/tests/functions.at | 4 ++--
- 5 files changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/config/firewalld.conf b/config/firewalld.conf
-index ebf8021226b7..634a226be96d 100644
---- a/config/firewalld.conf
-+++ b/config/firewalld.conf
-@@ -50,13 +50,6 @@ LogDenied=off
- # Default: system
- AutomaticHelpers=system
-
--# FirewallBackend
--# Selects the firewall backend implementation.
--# Choices are:
--# - nftables (default)
--# - iptables (iptables, ip6tables, ebtables and ipset)
--FirewallBackend=nftables
--
- # FlushAllOnReload
- # Flush all runtime rules on a reload. In previous releases some runtime
- # configuration was retained during a reload, namely; interface to zone
-diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
-index 785b9778be15..cb458a102a17 100644
---- a/src/firewall/config/__init__.py.in
-+++ b/src/firewall/config/__init__.py.in
-@@ -128,7 +128,7 @@ FALLBACK_IPV6_RPFILTER = True
- FALLBACK_INDIVIDUAL_CALLS = False
- FALLBACK_LOG_DENIED = "off"
- FALLBACK_AUTOMATIC_HELPERS = "system"
--FALLBACK_FIREWALL_BACKEND = "nftables"
-+FALLBACK_FIREWALL_BACKEND = "iptables"
- FALLBACK_FLUSH_ALL_ON_RELOAD = True
- FALLBACK_RFC3964_IPV4 = True
- FALLBACK_ALLOW_ZONE_DRIFTING = False
-diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
-index aec62e3a753c..a2cc9b139c7f 100644
---- a/src/firewall/core/io/firewalld_conf.py
-+++ b/src/firewall/core/io/firewalld_conf.py
-@@ -268,6 +268,12 @@ class firewalld_conf(object):
- if key not in done:
- if (key in self._config and \
- self._config[key] != value):
-+ # Only write FirewallBackend if it's not the default.
-+ # We will change the default in the future.
-+ if key == "FirewallBackend" and \
-+ self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
-+ done.append(key)
-+ continue
- empty = False
- temp_file.write(u'%s=%s\n' %
- (key, self._config[key]))
-@@ -275,6 +281,12 @@ class firewalld_conf(object):
- elif key in self._deleted:
- modified = True
- else:
-+ # Only write FirewallBackend if it's not the default.
-+ # We will change the default in the future.
-+ if key == "FirewallBackend" and \
-+ value == config.FALLBACK_FIREWALL_BACKEND:
-+ done.append(key)
-+ continue
- empty = False
- temp_file.write(line+u"\n")
- done.append(key)
-@@ -288,6 +300,11 @@ class firewalld_conf(object):
- continue
- if key in ["MinimalMark"]: # omit deprecated from new config
- continue
-+ # Only write FirewallBackend if it's not the default.
-+ # We will change the default in the future.
-+ if key == "FirewallBackend" and \
-+ value == config.FALLBACK_FIREWALL_BACKEND:
-+ continue
- if not empty:
- temp_file.write(u"\n")
- empty = True
-diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
-index fc79f9f02373..fdc18a43c764 100644
---- a/src/tests/dbus/firewalld.conf.at
-+++ b/src/tests/dbus/firewalld.conf.at
-@@ -8,7 +8,7 @@ string "AllowZoneDrifting" : variant string "no"
- string "AutomaticHelpers" : variant string "system"
- string "CleanupOnExit" : variant string "no"
- string "DefaultZone" : variant string "public"
--string "FirewallBackend" : variant string "nftables"
-+string "FirewallBackend" : variant string "iptables"
- string "FlushAllOnReload" : variant string "yes"
- string "IPv6_rpfilter" : variant string "yes"
- string "IndividualCalls" : variant string "no"
-@@ -22,7 +22,7 @@ string "AllowZoneDrifting" : variant string "no"
- string "AutomaticHelpers" : variant string "system"
- string "CleanupOnExit" : variant string "no"
- string "DefaultZone" : variant string "public"
--string "FirewallBackend" : variant string "nftables"
-+string "FirewallBackend" : variant string "iptables"
- string "FlushAllOnReload" : variant string "yes"
- string "IPv6_rpfilter" : variant string "no"
- string "IndividualCalls" : variant string "no"
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index b0e75d359124..199e958058cd 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [
- m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
- AT_KEYWORDS(offline)
- ], [
-- m4_define_default([FIREWALL_BACKEND], [nftables])
-+ m4_define_default([FIREWALL_BACKEND], [iptables])
-
- AT_KEYWORDS(FIREWALL_BACKEND)
-
-@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [
- AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
-
- dnl set the appropriate backend
-- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
-+ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
-
- dnl fib matching is pretty new in nftables. Don't use rpfilter on older
- dnl kernels.
---
-2.23.0
-
diff --git a/0002-test-ipset-verify-port-ranges-for-non-default-protoc.patch b/0002-test-ipset-verify-port-ranges-for-non-default-protoc.patch
deleted file mode 100644
index a056c72..0000000
--- a/0002-test-ipset-verify-port-ranges-for-non-default-protoc.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 7ce45c08af2b867f771b7cab1609f99ae6217054 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Thu, 2 Apr 2020 14:38:45 -0400
-Subject: [PATCH 2/3] test: ipset: verify port ranges for non-default protocol
-
-(cherry picked from commit c0ad3a0b3340a27c34b33128f756f64acc3a771b)
----
- src/tests/cli/firewall-cmd.at | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
-index eb99687fd1d5..10b8a67074b5 100644
---- a/src/tests/cli/firewall-cmd.at
-+++ b/src/tests/cli/firewall-cmd.at
-@@ -729,6 +729,7 @@ FWD_START_TEST([ipset])
- dnl multi dimensional set with non default protocol
- FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
- FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,sctp:1234], 0, ignore)
-+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002], 0, ignore)
- FWD_RELOAD
- FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,8080], 0, ignore)
- FWD_CHECK([--zone internal --add-source=ipset:foobar], 0, ignore)
-@@ -738,6 +739,7 @@ FWD_START_TEST([ipset])
- type ipv4_addr . inet_proto . inet_service
- flags interval
- elements = { 10.10.10.10 . sctp . 1234,
-+ 10.10.10.10 . udp . 1000-1002,
- 20.20.20.20 . tcp . 8080 }
- }
- }
-@@ -755,6 +757,9 @@ FWD_START_TEST([ipset])
- Type: hash:ip,port
- Members:
- 10.10.10.10,sctp:1234
-+ 10.10.10.10,udp:1000
-+ 10.10.10.10,udp:1001
-+ 10.10.10.10,udp:1002
- 20.20.20.20,tcp:8080
- ])
- FWD_CHECK([--ipset=foobar --add-entry=1.2.3.4,sctp:8080], 0, ignore)
---
-2.23.0
-
diff --git a/0003-test-log-verify-logging-still-works-after-truncate.patch b/0003-test-log-verify-logging-still-works-after-truncate.patch
deleted file mode 100644
index df959ce..0000000
--- a/0003-test-log-verify-logging-still-works-after-truncate.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8064932a8d0c8f2c5131c4a398eaa2dd20564177 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Thu, 2 Apr 2020 15:21:58 -0400
-Subject: [PATCH 3/3] test: log: verify logging still works after truncate
-
-The log policy we ship presumes firewalld opens log files in append
-mode. This is because the logrotate policy uses "copytruncate". Lets
-verify that it actually works as expected.
-
-(cherry picked from commit e887c16512abd6a3051b0519ee9af344c9f08827)
----
- src/tests/regression/gh599.at | 16 ++++++++++++++++
- src/tests/regression/regression.at | 1 +
- 2 files changed, 17 insertions(+)
- create mode 100644 src/tests/regression/gh599.at
-
-diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
-new file mode 100644
-index 000000000000..472f228ba2a9
---- /dev/null
-+++ b/src/tests/regression/gh599.at
-@@ -0,0 +1,16 @@
-+FWD_START_TEST([writing to log after copytruncate])
-+AT_KEYWORDS(gh599)
-+
-+AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
-+AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
-+
-+dnl Verify we continue to write to the log file after it's truncated. That is,
-+dnl simulate logrotate's copytruncate.
-+NS_CHECK([truncate -s 0 ./firewalld.log])
-+
-+dnl generate some logs, anything will do since we have debug enabled.
-+FWD_CHECK([--list-all], 0, [ignore], [ignore])
-+
-+NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
-+
-+FWD_END_TEST
-diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
-index 8042c3a27f89..2528ddd3fede 100644
---- a/src/tests/regression/regression.at
-+++ b/src/tests/regression/regression.at
-@@ -27,3 +27,4 @@ m4_include([regression/gh509.at])
- m4_include([regression/gh567.at])
- m4_include([regression/rhbz1779835.at])
- m4_include([regression/gh330.at])
-+m4_include([regression/gh599.at])
---
-2.23.0
-
diff --git a/firewalld.spec b/firewalld.spec
index fc8b498..2d269b4 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,16 +1,13 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 0.7.4
-Release: 2%{?dist}
+Version: 0.7.5
+Release: 1%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
 Source1: FedoraServer.xml
 Source2: FedoraWorkstation.xml
 Patch0: firewalld-0.2.6-MDNS-default.patch
-Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
-Patch2: 0002-test-ipset-verify-port-ranges-for-non-default-protoc.patch
-Patch3: 0003-test-log-verify-logging-still-works-after-truncate.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -277,6 +274,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Wed Jul 01 2020 Eric Garver - 0.7.5-1
+- rebase package to v0.7.5
+
 * Wed May 13 2020 Eric Garver - 0.7.4-2
 - use python interpreter flags from rpm macros
 
diff --git a/sources b/sources
index 305513d..efebd0e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (firewalld-0.7.4.tar.gz) = 78dd6daaee898add7094a4bf863547013d71c819d8e784e1cbc6cb4b64f8a17ccd898f50094c537b0115975aebf1e82c835c1d3cc803ef4a258c95659774a992
+SHA512 (firewalld-0.7.5.tar.gz) = baea59fc1b274b5dafe0b1cfa1b58f008a3acb7a548cbc13d84604592aea21ba39f72cfca0a81e5d14959bb1873187702b8f0e5d4fb69d30d6515586213dc65f
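Review bot: Dropping `Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch` in the first firewalld.spec hunk changes the package's default firewall backend, and the new changelog entry `- rebase package to v0.7.5` does not say so. Patch2 and Patch3 are marked as cherry-picks of upstream commits in their own headers, so a rebase plausibly carries them, but Patch1 is a downstream-only change that set `FALLBACK_FIREWALL_BACKEND = "iptables"` and deliberately kept a default-valued `FirewallBackend` out of firewalld.conf. Unless the 0.7.5 tarball carries an equivalent (not visible here), hosts with no explicit `FirewallBackend=` line would presumably fall back to nftables after the update, which changes how the ruleset is installed next to any rules managed directly with iptables. Either keep a rebased Patch1 or record the switch, e.g. `- drop downstream iptables default, FirewallBackend now follows upstream`.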