From d25120bb6f6285221fc8550aa79779ccb91dd925 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 15 2019 14:37:37 +0000
Subject: import firewalld-0.6.3-2.el7_7.2
---
diff --git a/SOURCES/0040-fix-Revert-ebtables-drop-support-for-broute-table.patch b/SOURCES/0040-fix-Revert-ebtables-drop-support-for-broute-table.patch
new file mode 100644
index 0000000..134e742
--- /dev/null
+++ b/SOURCES/0040-fix-Revert-ebtables-drop-support-for-broute-table.patch
@@ -0,0 +1,56 @@
+From e490ca17f5a61ef8c28ada20fec922acc300640e Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 20 Sep 2019 08:39:05 -0400
+Subject: [PATCH 40/41] fix: Revert "ebtables: drop support for broute table"
+
+This reverts commit 0e78dea21ffb03ea2e51df6158471b9cbd6652c9.
+
+Apparently there _are_ users of this table. Let's revert this change and
+be a little smarter about not attempting to use the table if it's not
+available (ebtables-nft). We'll still fail if the user has direct rules
+for this table, but at least the default ruleset will work.
+
+(cherry picked from commit ca34c9e051807d62371d5e980210f11859cab360)
+(cherry picked from commit b80835f5af8ad5c4c39cc8b78ec5314963926a8f)
+---
+ src/firewall-config.in | 4 ++++
+ src/firewall/core/ebtables.py | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/firewall-config.in b/src/firewall-config.in
+index c19541b0ce82..91ce89ab72a0 100755
+--- a/src/firewall-config.in
++++ b/src/firewall-config.in
+@@ -7653,6 +7653,8 @@ class FirewallConfig(object):
+ self.directChainDialogTableCombobox.append_text("mangle")
+ self.directChainDialogTableCombobox.append_text("raw")
+ self.directChainDialogTableCombobox.append_text("security")
++ else:
++ self.directChainDialogTableCombobox.append_text("broute")
+
+ combobox_select_text(self.directChainDialogTableCombobox, old_table)
+
+@@ -7807,6 +7809,8 @@ class FirewallConfig(object):
+ self.directRuleDialogTableCombobox.append_text("mangle")
+ self.directRuleDialogTableCombobox.append_text("raw")
+ self.directRuleDialogTableCombobox.append_text("security")
++ else:
++ self.directRuleDialogTableCombobox.append_text("broute")
+
+ combobox_select_text(self.directRuleDialogTableCombobox, old_table)
+
+diff --git a/src/firewall/core/ebtables.py b/src/firewall/core/ebtables.py
+index df4c31743cd7..65688571ce31 100644
+--- a/src/firewall/core/ebtables.py
++++ b/src/firewall/core/ebtables.py
+@@ -31,6 +31,7 @@ from firewall.errors import FirewallError, INVALID_IPV
+ import string
+
+ BUILT_IN_CHAINS = {
++ "broute": [ "BROUTING" ],
+ "nat": [ "PREROUTING", "POSTROUTING", "OUTPUT" ],
+ "filter": [ "INPUT", "OUTPUT", "FORWARD" ],
+ }
+--
+2.20.1
+
diff --git a/SOURCES/0041-fix-ebtables-don-t-use-tables-that-aren-t-available.patch b/SOURCES/0041-fix-ebtables-don-t-use-tables-that-aren-t-available.patch
new file mode 100644
index 0000000..d87fe91
--- /dev/null
+++ b/SOURCES/0041-fix-ebtables-don-t-use-tables-that-aren-t-available.patch
@@ -0,0 +1,36 @@
+From 6a5d8aa720479781b122f999e4a4180c84c39be5 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 20 Sep 2019 08:47:22 -0400
+Subject: [PATCH 41/41] fix: ebtables: don't use tables that aren't available
+
+(cherry picked from commit 53fa559352156ae4c33613e2e45eb5355e1e86b9)
+(cherry picked from commit 3b7dd4993f18c9090f3c307fd40919cc8b2616bc)
+---
+ src/firewall/core/ebtables.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/firewall/core/ebtables.py b/src/firewall/core/ebtables.py
+index 65688571ce31..b17e43dadf20 100644
+--- a/src/firewall/core/ebtables.py
++++ b/src/firewall/core/ebtables.py
+@@ -229,6 +229,8 @@ class ebtables(object):
+ def build_flush_rules(self):
+ rules = []
+ for table in BUILT_IN_CHAINS.keys():
++ if table not in self.get_available_tables():
++ continue
+ # Flush firewall rules: -F
+ # Delete firewall chains: -X
+ # Set counter to zero: -Z
+@@ -239,6 +241,8 @@ class ebtables(object):
+ def build_set_policy_rules(self, policy):
+ rules = []
+ for table in BUILT_IN_CHAINS.keys():
++ if table not in self.get_available_tables():
++ continue
+ for chain in BUILT_IN_CHAINS[table]:
+ rules.append(["-t", table, "-P", chain, policy])
+ return rules
+--
+2.20.1
+
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index 1655a1e..e50f56e 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
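Review bot: The new `else:` branches in both direct-dialog hunks of patch 0040 (chain dialog at 7653, rule dialog at 7807) offer "broute" whenever the preceding `if` does not match, without regard to whether the running ebtables backend has that table. The description itself says direct rules for broute still fail on ebtables-nft, so the GUI can steer a user into a configuration the daemon will then fail to apply. If gating the entry on backend availability is not practical from the GUI, a comment above each `append_text("broute")` would at least record the limitation, e.g. `# broute is unavailable with ebtables-nft; direct rules for it fail there`. The `if` that each `else` pairs with starts outside the hunk, so its condition should be confirmed to leave only the eb case.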
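Review bot: In patch 0041, `build_flush_rules` and `build_set_policy_rules` skip a table silently when it is missing from `self.get_available_tables()`. If that probe ever under-reports (its implementation is outside the hunk), stale rules stay unflushed and the default policy is never set for that table, with nothing logged to show it. A debug log line on the `continue` path would make the skip visible. The lookup also runs once per loop iteration; hoisting it, `available = self.get_available_tables()` before the loop and `if table not in available:` inside, gives one consistent view per call. The body of `build_flush_rules` continues past the end of its hunk.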
@@ -8,7 +8,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 0.6.3 -Release: 2%{?dist}.1 +Release: 2%{?dist}.2 URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -51,6 +51,8 @@ Patch36: 0036-fix-tests-functions-ignore-warnings-about-missing-ip.patch Patch37: 0037-fix-tests-guard-occurrences-of-IPv6.patch Patch38: 0038-fix-tests-update-package.m4-if-makefile-changed.patch Patch39: 0039-fix-tests-functions-define-HOST_SUPPORTS_IP6TABLES-v.patch +Patch40: 0040-fix-Revert-ebtables-drop-support-for-broute-table.patch +Patch41: 0041-fix-ebtables-don-t-use-tables-that-aren-t-available.patch BuildArch: noarch BuildRequires: desktop-file-utils @@ -351,6 +353,9 @@ fi %{_mandir}/man1/firewall-config*.1* %changelog +* Mon Sep 30 2019 Eric Garver - 0.6.3-2.el7_7.2 +- fix: Revert "ebtables: drop support for broute table" + * Wed Aug 21 2019 Eric Garver - 0.6.3-2.el7_7.1 - backport fix to allow disabling IPv6