diff --git a/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch b/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch
new file mode 100644
index 0000000..4c1e8c1
--- /dev/null
+++ b/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch
@@ -0,0 +1,29 @@
+From 2a1a55209a95c5463e07cc3eb048d128ab7593ed Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 10 Aug 2020 09:29:05 -0400
+Subject: [PATCH 48/62] test(regression/rhbz1541077): use FWD_OFFLINE_CHECK
+ macro
+
+Fixes: 6e279ef6517a ("test(regression/rhbz1541077): correctly use macros")
+Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter")
+(cherry picked from commit fae16b550ed8b384ee24691e6442b7cbd6b776aa)
+(cherry picked from commit 3efe0f30d4499763aacc573dc634b52ceb11a017)
+---
+ src/tests/regression/rhbz1541077.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
+index 692ca8ecc892..73ad4b49cb3d 100644
+--- a/src/tests/regression/rhbz1541077.at
++++ b/src/tests/regression/rhbz1541077.at
+@@ -4,6 +4,6 @@ AT_KEYWORDS(ipset rhbz1541077)
+ FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+ FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+
+-AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
++FWD_OFFLINE_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+
+ FWD_END_TEST
+--
+2.28.0
+
diff --git a/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch b/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch
new file mode 100644
index 0000000..41f7cb1
--- /dev/null
+++ b/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch
@@ -0,0 +1,30 @@
+From 5326d7a86d6e7413dee343b795a352d8b4e6ab0d Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 10 Aug 2020 09:33:22 -0400
+Subject: [PATCH 49/62] test(regression/rhbz1855140.at): avoid IPv6 tests if
+ IPv6 not available
+
+Fixes: 87ec14dddd74 ("test(rich): icmptypes with one family")
+(cherry picked from commit a47819d346fbd0f4d4d382a6a795c76c7f443a3b)
+(cherry picked from commit 1b4fea7277c26026ecbe09f79928c794489424b9)
+---
+ src/tests/regression/rhbz1855140.at | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
+index 8059e29fe71a..cea943e0bf24 100644
+--- a/src/tests/regression/rhbz1855140.at
++++ b/src/tests/regression/rhbz1855140.at
+@@ -2,7 +2,9 @@ FWD_START_TEST([rich rule icmptypes with one family])
+ AT_KEYWORDS(rich icmp rhbz1855140)
+
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
++IF_HOST_SUPPORTS_IPV6_RULES([
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
++])
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+ FWD_RELOAD
+ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+--
+2.28.0
+
diff --git a/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch b/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch
new file mode 100644
index 0000000..f0d495e
--- /dev/null
+++ b/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch
@@ -0,0 +1,53 @@
+From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 27 Aug 2020 15:30:45 -0400
+Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm
+ config
+
+Otherwise we may get runtime errors because the running kernel doesn't
+support the ict. Use the permanent ict definition so we allow the case
+where ip6tables is missing or not available. Explicit usage of an ict
+not supported by the kernel will still fail to apply at runtime
+(iptables complains), but if ip6tables is missing we don't attempt to
+apply the ipv6 rules thus avoiding the issue.
+
+(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2)
+(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7)
+---
+ src/firewall/core/fw_zone.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index b9fe1f6aae97..9d8bcf620251 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1526,7 +1526,7 @@ class FirewallZone(object):
+ if rule.family:
+ ipvs = [ rule.family ]
+ elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
+- ict = self._fw.icmptype.get_icmptype(rule.element.name)
++ ict = self._fw.config.get_icmptype(rule.element.name)
+ if ict.destination:
+ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
+
+@@ -1698,7 +1698,7 @@ class FirewallZone(object):
+ # ICMP BLOCK and ICMP TYPE
+ elif type(rule.element) == Rich_IcmpBlock or \
+ type(rule.element) == Rich_IcmpType:
+- ict = self._fw.icmptype.get_icmptype(rule.element.name)
++ ict = self._fw.config.get_icmptype(rule.element.name)
+
+ if type(rule.element) == Rich_IcmpBlock and \
+ rule.action and type(rule.action) == Rich_Accept:
+@@ -1862,7 +1862,7 @@ class FirewallZone(object):
+ transaction.add_rules(backend, rules)
+
+ def _icmp_block(self, enable, zone, icmp, transaction):
+- ict = self._fw.icmptype.get_icmptype(icmp)
++ ict = self._fw.config.get_icmptype(icmp)
+
+ if enable:
+ transaction.add_chain(zone, "filter", "INPUT")
+--
+2.28.0
+
diff --git a/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch b/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch
new file mode 100644
index 0000000..8d686b1
--- /dev/null
+++ b/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch
@@ -0,0 +1,50 @@
+From 0b69b4e464f02ea6fec50522b587a93092040b4d Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 27 Aug 2020 15:59:13 -0400
+Subject: [PATCH 51/62] fix(rich): clamp the IP families to those actually
+ enabled
+
+One scenario is if IPv6 is not available, but we specify an icmp-type
+that is ipv6 only, then we'll still attempt to call the IPv6 backend. We
+should not do that.
+
+(cherry picked from commit 4fcb27bdcf8be30d91d490ba2c0286af1cf299de)
+(cherry picked from commit b8b0aeaaf853546f6990e8f635d7ea79233bbc79)
+---
+ src/firewall/core/fw_zone.py | 5 ++++-
+ src/tests/regression/rhbz1855140.at | 2 --
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 9d8bcf620251..bd026222dce5 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1542,7 +1542,10 @@ class FirewallZone(object):
+ ipvs = [ source_ipv ]
+
+ if not ipvs:
+- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
++ ipvs = ["ipv4", "ipv6"]
++
++ # clamp ipvs to those that are actually enabled.
++ ipvs = [ipv for ipv in ipvs if self._fw.is_ipv_enabled(ipv)]
+
+ # add an element to object to allow backends to know what ipvs this applies to
+ rule.ipvs = ipvs
+diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
+index cea943e0bf24..8059e29fe71a 100644
+--- a/src/tests/regression/rhbz1855140.at
++++ b/src/tests/regression/rhbz1855140.at
+@@ -2,9 +2,7 @@ FWD_START_TEST([rich rule icmptypes with one family])
+ AT_KEYWORDS(rich icmp rhbz1855140)
+
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+-IF_HOST_SUPPORTS_IPV6_RULES([
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+-])
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+ FWD_RELOAD
+ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+--
+2.28.0
+
diff --git a/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch b/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch
new file mode 100644
index 0000000..e60c327
--- /dev/null
+++ b/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch
@@ -0,0 +1,62 @@
+From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 11:44:33 -0400
+Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families
+ don't conflict
+
+Fixes: rhbz 1855140
+(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8)
+(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7)
+---
+ src/firewall/core/fw_zone.py | 6 ++++++
+ src/firewall/core/io/zone.py | 17 ++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index bd026222dce5..129306b6f969 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1703,6 +1703,12 @@ class FirewallZone(object):
+ type(rule.element) == Rich_IcmpType:
+ ict = self._fw.config.get_icmptype(rule.element.name)
+
++ if rule.family and ict.destination and \
++ rule.family not in ict.destination:
++ raise FirewallError(errors.INVALID_ICMPTYPE,
++ "rich rule family '%s' conflicts with icmp type '%s'" % \
++ (rule.family, rule.element.name))
++
+ if type(rule.element) == Rich_IcmpBlock and \
+ rule.action and type(rule.action) == Rich_Accept:
+ # icmp block might have reject or drop action, but not accept
+diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
+index 68b2a7c9567c..529b92c25b62 100644
+--- a/src/firewall/core/io/zone.py
++++ b/src/firewall/core/io/zone.py
+@@ -232,7 +232,22 @@ class Zone(IO_Object):
+ raise FirewallError(errors.INVALID_ADDR, source)
+ elif item == "rules_str":
+ for rule in config:
+- rich.Rich_Rule(rule_str=rule)
++ obj_rich = rich.Rich_Rule(rule_str=rule)
++ if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or
++ isinstance(obj_rich.element, rich.Rich_IcmpType)):
++ existing_icmptypes = self.fw_config.get_icmptypes()
++ if obj_rich.element.name not in existing_icmptypes:
++ raise FirewallError(errors.INVALID_ICMPTYPE,
++ "'%s' not among existing icmp types" % \
++ obj_rich.element.name)
++
++ elif obj_rich.family:
++ ict = self.fw_config.get_icmptype(obj_rich.element.name)
++ if ict.destination and obj_rich.family not in ict.destination:
++ raise FirewallError(errors.INVALID_ICMPTYPE,
++ "rich rule family '%s' conflicts with icmp type '%s'" % \
++ (obj_rich.family, obj_rich.element.name))
++
+
+ def check_name(self, name):
+ super(Zone, self).check_name(name)
+--
+2.28.0
+
diff --git a/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch b/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch
new file mode 100644
index 0000000..e743640
--- /dev/null
+++ b/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch
@@ -0,0 +1,48 @@
+From 08cb6f0c7abca95fa898020bb9f3ba3f4bfbf148 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 13:15:34 -0400
+Subject: [PATCH 53/62] fix(nftables): packet marks with masks
+
+(cherry picked from commit e296b926ae5dc4cbc277b6dd755d045e73ed4411)
+(cherry picked from commit 371efe757f2bde20b4301a78ed3c48ec1d31bf5e)
+---
+ src/firewall/core/fw_zone.py | 2 ++
+ src/firewall/core/nftables.py | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 129306b6f969..6eaed4232405 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1719,6 +1719,8 @@ class FirewallZone(object):
+ if enable:
+ transaction.add_chain(zone, table, "INPUT")
+ transaction.add_chain(zone, table, "FORWARD_IN")
++ if enable and type(rule.action) == Rich_Mark:
++ transaction.add_chain(zone, "mangle", "PREROUTING")
+
+ rules = backend.build_zone_icmp_block_rules(enable, zone, ict, rule)
+ transaction.add_rules(backend, rules)
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 0198200b2372..76668a60468f 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1043,8 +1043,13 @@ class nftables(object):
+ zone=zone)
+ table = "mangle"
+ chain = "%s_%s_%s" % (table, target, chain_suffix)
+- rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
+- "value": rich_rule.action.set}}
++ value = rich_rule.action.set.split("/")
++ if len(value) > 1:
++ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
++ "value": {"^": [{"&": [{"meta": {"key": "mark"}}, value[1]]}, value[0]]}}}
++ else:
++ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
++ "value": value[0]}}
+ else:
+ raise FirewallError(INVALID_RULE,
+ "Unknown action %s" % type(rich_rule.action))
+--
+2.28.0
+
diff --git a/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch b/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch
new file mode 100644
index 0000000..e155098
--- /dev/null
+++ b/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch
@@ -0,0 +1,27 @@
+From 603ca9c2dd16f212a8b2fb43a9e9599fe3dd3abf Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 14:22:18 -0400
+Subject: [PATCH 54/62] fix(nftables): icmp types with code == 0
+
+(cherry picked from commit 098e35168d6a15516cc76189a70df8db56bd1b13)
+(cherry picked from commit 8dcfaa607329cd4c2bdaa3b101371a30a04ef858)
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 76668a60468f..daa7ace085a2 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -82,7 +82,7 @@ def _icmp_types_fragments(protocol, type, code=None):
+ fragments = [{"match": {"left": {"payload": {"protocol": protocol, "field": "type"}},
+ "op": "==",
+ "right": type}}]
+- if code:
++ if code is not None:
+ fragments.append({"match": {"left": {"payload": {"protocol": protocol, "field": "code"}},
+ "op": "==",
+ "right": code}})
+--
+2.28.0
+
diff --git a/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch b/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
new file mode 100644
index 0000000..fbfab5b
--- /dev/null
+++ b/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
@@ -0,0 +1,35 @@
+From d4f35b11f2edb1cf680ed2081a14b599ef3f3b63 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 31 Aug 2020 15:38:34 -0400
+Subject: [PATCH 55/62] fix(ipXtables): rich: avoid duplicate rules for
+ icmp-type w/ mark action
+
+This is a stable only fix. It does not occur on master.
+
+(cherry picked from commit 9b7ba2fcedace408aae498fea1c973a988370808)
+---
+ src/firewall/core/ipXtables.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index b1d6c202fda7..c4535f2e5818 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -1240,8 +1240,13 @@ class ip4tables(object):
+ proto = [ "-p", "ipv6-icmp" ]
+ match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]
+
++ if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark):
++ chains = ["PREROUTING"]
++ else:
++ chains = ["INPUT", "FORWARD_IN"]
++
+ rules = []
+- for chain in ["INPUT", "FORWARD_IN"]:
++ for chain in chains:
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
+ zone=zone)
+ if self._fw.zone.query_icmp_block_inversion(zone):
+--
+2.28.0
+
diff --git a/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch b/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch
new file mode 100644
index 0000000..19d348c
--- /dev/null
+++ b/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch
@@ -0,0 +1,66 @@
+From 08cc79942e820d9ce86c5c0bd0249ec4335955ce Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 10:48:35 -0400
+Subject: [PATCH 56/62] test(regression/rhbz1855140): add negative tests
+
+(cherry picked from commit b50032185422f5538a8a6211cfa43cfaa2d67ec4)
+(cherry picked from commit 264375df35124b5920b9d3e690944aaad1e4790c)
+---
+ src/tests/regression/rhbz1855140.at | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
+index 8059e29fe71a..fbb33a419c56 100644
+--- a/src/tests/regression/rhbz1855140.at
++++ b/src/tests/regression/rhbz1855140.at
+@@ -4,7 +4,15 @@ AT_KEYWORDS(rich icmp rhbz1855140)
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
++FWD_CHECK([--permanent --zone public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'], 0, ignore)
+ FWD_RELOAD
++NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl
++ table inet firewalld {
++ chain mangle_PRE_public_allow {
++ icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
++ }
++ }
++])
+ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_allow {
+@@ -18,12 +26,17 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ }
+ }
+ ])
++IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
++])
+ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
+ ])
++IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
++ MARK icmpv6 ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86
++])
+ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+@@ -32,4 +45,12 @@ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
+ ])
+
+-FWD_END_TEST
++dnl verify bad icmptypes are rejected
++FWD_CHECK([--permanent --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
++FWD_CHECK([ --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
++FWD_CHECK([--permanent --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
++IF_HOST_SUPPORTS_IPV6_RULES([
++FWD_CHECK([ --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
++])
++
++FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d'])
+--
+2.28.0
+
diff --git a/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch b/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch
new file mode 100644
index 0000000..8f73132
--- /dev/null
+++ b/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch
@@ -0,0 +1,80 @@
+From 0f94133731fa497b04744fa4a37cfa5fd5e45fab Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Wed, 26 Aug 2020 11:38:36 -0400
+Subject: [PATCH 57/62] fix(policy): cache rule_str for rich rules
+
+There are various areas that we use list comprehensions to convert
+Rich_Rule to rule_str. This isn't cheap. Let's just cache the rule_str
+and avoid the cost.
+
+Fixes: rhbz 1871298
+(cherry picked from commit 5402724221a3dddc9c139663d28ababed4057cc6)
+(cherry picked from commit 763b07972fd80e7b2f28b29efe812b92f6dff1d1)
+---
+ src/firewall/core/io/zone.py | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
+index 529b92c25b62..ec81762be100 100644
+--- a/src/firewall/core/io/zone.py
++++ b/src/firewall/core/io/zone.py
+@@ -120,6 +120,7 @@ class Zone(IO_Object):
+ self.sources = [ ]
+ self.fw_config = None # to be able to check services and a icmp_blocks
+ self.rules = [ ]
++ self.rules_str = [ ]
+ self.icmp_block_inversion = False
+ self.combined = False
+ self.applied = False
+@@ -141,6 +142,7 @@ class Zone(IO_Object):
+ del self.sources[:]
+ self.fw_config = None # to be able to check services and a icmp_blocks
+ del self.rules[:]
++ del self.rules_str[:]
+ self.icmp_block_inversion = False
+ self.combined = False
+ self.applied = False
+@@ -163,17 +165,13 @@ class Zone(IO_Object):
+ self.interfaces = [u2b_if_py2(i) for i in self.interfaces]
+ self.sources = [u2b_if_py2(s) for s in self.sources]
+ self.rules = [u2b_if_py2(s) for s in self.rules]
+-
+- def __getattr__(self, name):
+- if name == "rules_str":
+- rules_str = [str(rule) for rule in self.rules]
+- return rules_str
+- else:
+- return getattr(super(Zone, self), name)
++ self.rules_str = [u2b_if_py2(s) for s in self.rules_str]
+
+ def __setattr__(self, name, value):
+ if name == "rules_str":
+ self.rules = [rich.Rich_Rule(rule_str=s) for s in value]
++ # must convert back to string to get the canonical string.
++ super(Zone, self).__setattr__(name, [str(s) for s in self.rules])
+ else:
+ super(Zone, self).__setattr__(name, value)
+
+@@ -307,6 +305,7 @@ class Zone(IO_Object):
+ self.source_ports.append(port)
+ for rule in zone.rules:
+ self.rules.append(rule)
++ self.rules_str.append(str(rule))
+ if zone.icmp_block_inversion:
+ self.icmp_block_inversion = True
+
+@@ -687,9 +686,9 @@ class zone_ContentHandler(IO_Object_ContentHandler):
+ except Exception as e:
+ log.warning("%s: %s", e, str(self._rule))
+ else:
+- if str(self._rule) not in \
+- [ str(x) for x in self.item.rules ]:
++ if str(self._rule) not in self.item.rules_str:
+ self.item.rules.append(self._rule)
++ self.item.rules_str.append(str(self._rule))
+ else:
+ log.warning("Rule '%s' already set, ignoring.",
+ str(self._rule))
+--
+2.28.0
+
diff --git a/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch b/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch
new file mode 100644
index 0000000..38e6d81
--- /dev/null
+++ b/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch
@@ -0,0 +1,55 @@
+From ed42b8048e97040802da727f77cad4a1bb5ff42b Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Wed, 26 Aug 2020 14:28:45 -0400
+Subject: [PATCH 58/62] test(zone): rich rule parsing bottleneck
+
+Coverage for rhbz 1871298.
+Verify we can parse a large amount of rich rules in a reasonable time.
+
+This test took 3m before the fix and now takes 18s after the fix.
+Considering it "failed" after 45s should give us plenty of headroom.
+
+(cherry picked from commit ece30971412eedb9032b0d87233ca21ef9154830)
+(cherry picked from commit b21f071851ffec6d3a382b6e60eb88dcda7df467)
+---
+ src/tests/regression/regression.at | 1 +
+ src/tests/regression/rhbz1871298.at | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1871298.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index d7b4d56239d1..65540840f50e 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -34,3 +34,4 @@ m4_include([regression/rhbz1689429.at])
+ m4_include([regression/rhbz1483921.at])
+ m4_include([regression/rhbz1541077.at])
+ m4_include([regression/rhbz1855140.at])
++m4_include([regression/rhbz1871298.at])
+diff --git a/src/tests/regression/rhbz1871298.at b/src/tests/regression/rhbz1871298.at
+new file mode 100644
+index 000000000000..0689399d85ec
+--- /dev/null
++++ b/src/tests/regression/rhbz1871298.at
+@@ -0,0 +1,18 @@
++FWD_START_TEST([rich rule parsing bottleneck])
++AT_KEYWORDS(rich offline rhbz1871298)
++
++AT_SKIP_IF([! NS_CMD([which timeout >/dev/null 2>&1])])
++
++NS_CHECK([mkdir -p ./zones])
++NS_CHECK([echo '<?xml version="1.0" encoding="utf-8"?>' > ./zones/foobar.xml])
++NS_CHECK([echo "<zone>" >> ./zones/foobar.xml])
++NS_CHECK([echo "<short>foobar</short>" >> ./zones/foobar.xml])
++NS_CHECK([sh -c 'for I in $(seq 10000); do echo "<rule family=\"ipv4\"><port protocol=\"tcp\" port=\"$I\" /><accept/></rule>" >> ./zones/foobar.xml; done'])
++NS_CHECK([echo "</zone>" >> ./zones/foobar.xml])
++
++if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
++ FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
++fi
++NS_CHECK([timeout 45 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config], 0, [ignore])
++
++FWD_END_TEST
+--
+2.28.0
+
diff --git a/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch b/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch
new file mode 100644
index 0000000..8a0d031
--- /dev/null
+++ b/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch
@@ -0,0 +1,158 @@
+From 244d1bfe190f2cc32c10d0fecaf81536761ecc09 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 1 Sep 2020 13:16:23 -0400
+Subject: [PATCH 59/62] fix(icmptype): nftables: runtimeToPermanent if
+ ip6tables not available
+
+We were not filling the runtime ipv6 icmptypes list if the active
+backend was nftables and ip6tables wasn't available. This caused "ipv6"
+to be dropped from the supported ipvs/destinations for the icmptype.
+This also caused runtimeToPermanent to fail because the runtime
+icmptypes definition dropped "ipv6" causing runtimeToPermanent to copy
+the runtime icmptype to permanent because they were different... this
+caused sanity checks on the permanent configuration to fail.
+
+(cherry picked from commit c92d43dcdf5622e82e28454652acd6a981b015f9)
+(cherry picked from commit 6f23f727be818f356625e39682fb226a81925647)
+---
+ src/firewall/core/fw.py | 24 ++++++++++++++----------
+ src/firewall/core/fw_icmptype.py | 8 ++++----
+ src/firewall/core/ipXtables.py | 2 +-
+ src/firewall/core/nftables.py | 6 +++---
+ src/firewall/server/firewalld.py | 4 ++--
+ 5 files changed, 24 insertions(+), 20 deletions(-)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index c767f416f3d2..1df916efb10f 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -76,10 +76,10 @@ class Firewall(object):
+ else:
+ self.ip4tables_backend = ipXtables.ip4tables(self)
+ self.ip4tables_enabled = True
+- self.ip4tables_supported_icmp_types = [ ]
++ self.ipv4_supported_icmp_types = [ ]
+ self.ip6tables_backend = ipXtables.ip6tables(self)
+ self.ip6tables_enabled = True
+- self.ip6tables_supported_icmp_types = [ ]
++ self.ipv6_supported_icmp_types = [ ]
+ self.ebtables_backend = ebtables.ebtables()
+ self.ebtables_enabled = True
+ self.ipset_backend = ipset.ipset()
+@@ -172,11 +172,13 @@ class Firewall(object):
+ log.warning("iptables-restore and iptables are missing, "
+ "disabling IPv4 firewall.")
+ self.ip4tables_enabled = False
+- if self.ip4tables_enabled:
+- self.ip4tables_supported_icmp_types = \
+- self.ip4tables_backend.supported_icmp_types()
++ if self.nftables_enabled:
++ self.ipv4_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv4")
+ else:
+- self.ip4tables_supported_icmp_types = [ ]
++ if self.ip4tables_enabled:
++ self.ipv4_supported_icmp_types = self.ip4tables_backend.supported_icmp_types()
++ else:
++ self.ipv4_supported_icmp_types = [ ]
+ self.ip6tables_backend.fill_exists()
+ if not self.ip6tables_backend.restore_command_exists:
+ if self.ip6tables_backend.command_exists:
+@@ -186,11 +188,13 @@ class Firewall(object):
+ log.warning("ip6tables-restore and ip6tables are missing, "
+ "disabling IPv6 firewall.")
+ self.ip6tables_enabled = False
+- if self.ip6tables_enabled:
+- self.ip6tables_supported_icmp_types = \
+- self.ip6tables_backend.supported_icmp_types()
++ if self.nftables_enabled:
++ self.ipv6_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv6")
+ else:
+- self.ip6tables_supported_icmp_types = [ ]
++ if self.ip6tables_enabled:
++ self.ipv6_supported_icmp_types = self.ip6tables_backend.supported_icmp_types()
++ else:
++ self.ipv6_supported_icmp_types = [ ]
+ self.ebtables_backend.fill_exists()
+ if not self.ebtables_backend.restore_command_exists:
+ if self.ebtables_backend.command_exists:
+diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py
+index afe9f91d6bf6..a565bb6d8733 100644
+--- a/src/firewall/core/fw_icmptype.py
++++ b/src/firewall/core/fw_icmptype.py
+@@ -57,13 +57,13 @@ class FirewallIcmpType(object):
+ ipvs = orig_ipvs[:]
+ for ipv in orig_ipvs:
+ if ipv == "ipv4":
+- if not self._fw.ip4tables_enabled:
++ if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled:
+ continue
+- supported_icmps = self._fw.ip4tables_supported_icmp_types
++ supported_icmps = self._fw.ipv4_supported_icmp_types
+ elif ipv == "ipv6":
+- if not self._fw.ip6tables_enabled:
++ if not self._fw.ip6tables_enabled and not self._fw.nftables_enabled:
+ continue
+- supported_icmps = self._fw.ip6tables_supported_icmp_types
++ supported_icmps = self._fw.ipv6_supported_icmp_types
+ else:
+ supported_icmps = [ ]
+ if obj.name.lower() not in supported_icmps:
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index c4535f2e5818..450e427c08b5 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -612,7 +612,7 @@ class ip4tables(object):
+ rules.append(["-t", table, "-P", chain, _policy])
+ return rules
+
+- def supported_icmp_types(self):
++ def supported_icmp_types(self, ipv=None):
+ """Return ICMP types that are supported by the iptables/ip6tables command and kernel"""
+ ret = [ ]
+ output = ""
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index daa7ace085a2..0a73c2c2669d 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -480,13 +480,13 @@ class nftables(object):
+
+ return rules
+
+- def supported_icmp_types(self):
++ def supported_icmp_types(self, ipv=None):
+ # nftables supports any icmp_type via arbitrary type/code matching.
+ # We just need a translation for it in ICMP_TYPES_FRAGMENTS.
+ supported = set()
+
+- for ipv in ICMP_TYPES_FRAGMENTS.keys():
+- supported.update(ICMP_TYPES_FRAGMENTS[ipv].keys())
++ for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys():
++ supported.update(ICMP_TYPES_FRAGMENTS[_ipv].keys())
+
+ return list(supported)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 10b085d48660..949f577053cc 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -162,7 +162,7 @@ class FirewallD(slip.dbus.service.Object):
+ return dbus.Boolean(self.fw.ip4tables_enabled)
+
+ elif prop == "IPv4ICMPTypes":
+- return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s")
++ return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
+
+ elif prop == "IPv6":
+ return dbus.Boolean(self.fw.ip6tables_enabled)
+@@ -171,7 +171,7 @@ class FirewallD(slip.dbus.service.Object):
+ return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
+
+ elif prop == "IPv6ICMPTypes":
+- return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s")
++ return dbus.Array(self.fw.ipv6_supported_icmp_types, "s")
+
+ elif prop == "BRIDGE":
+ return dbus.Boolean(self.fw.ebtables_enabled)
+--
+2.28.0
+
diff --git a/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch b/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch
new file mode 100644
index 0000000..27f1bea
--- /dev/null
+++ b/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch
@@ -0,0 +1,29 @@
+From 8a520d8343ab1567f0f3df39e4fc45dbaf9c6f77 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 24 Sep 2020 15:24:41 -0400
+Subject: [PATCH 60/62] docs(firewall-cmd): clarify lockdown whitelist command
+ paths
+
+Reported-by: D. Hugh Redelmeier <hugh@mimosa.com>
+(cherry picked from commit a7b12b8eb87dd3bd2bb342cf5d74bf089cf3b9a6)
+(cherry picked from commit 7e9b1a02cc7aa12f9c499b2acad584dbabf9a518)
+---
+ doc/xml/firewall-cmd.xml.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
+index 8bc389acae6c..702c549ab9d9 100644
+--- a/doc/xml/firewall-cmd.xml.in
++++ b/doc/xml/firewall-cmd.xml.in
+@@ -2104,7 +2104,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
+ If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.
+ </para>
+ <para>
+- Commands for user root and others is not always the same. Example: As root <command>/bin/firewall-cmd</command> is used, as a normal user <command>/usr/bin/firewall-cmd</command> is be used on Fedora.
++ Command paths for users are not always the same and depends on the users PATH. Some distributions symlink <command>/bin</command> to <command>/usr/bin</command> in which case it depends on the order they appear in the PATH environment variable.
+ </para>
+ <para>
+ The context is the security (SELinux) context of a running application or service. To get the context of a running application use <command>ps -e --context</command>.
+--
+2.28.0
+
diff --git a/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch b/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch
new file mode 100644
index 0000000..7e71c90
--- /dev/null
+++ b/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch
@@ -0,0 +1,39 @@
+From b82e2cf588916624c5f45c10e7c929f24ff84e9a Mon Sep 17 00:00:00 2001
+From: Donald Yandt <10255876+TorontoMedia@users.noreply.github.com>
+Date: Sun, 27 Sep 2020 20:19:35 -0400
+Subject: [PATCH 61/62] docs(dbus): fix invalid method names
+
+Replace invalid method names for both 'queryEntry' and 'queryIPSet'.
+
+Fixes: #693
+(cherry picked from commit 6fc82d2d34b436a1f1921b36930169c965f3ff4b)
+(cherry picked from commit 24fb2b2424107cd88e331b8f8edae0dc1671c504)
+---
+ doc/xml/firewalld.dbus.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
+index 1625b9d50576..3bf4f53b108d 100644
+--- a/doc/xml/firewalld.dbus.xml
++++ b/doc/xml/firewalld.dbus.xml
+@@ -579,7 +579,7 @@
+ </listitem>
+ </varlistentry>
+ <varlistentry id="FirewallD1.ipset.Methods.queryEntry">
+- <term><methodname>queryService</methodname>(s: ipset, s: entry) → b</term>
++ <term><methodname>queryEntry</methodname>(s: ipset, s: entry) → b</term>
+ <listitem>
+ <para>
+ Return whether <replaceable>entry</replaceable> has been added to <replaceable>ipset</replaceable>.
+@@ -591,7 +591,7 @@
+ </listitem>
+ </varlistentry>
+ <varlistentry id="FirewallD1.ipset.Methods.queryIPSet">
+- <term><methodname>queryService</methodname>(s: ipset) → b</term>
++ <term><methodname>queryIPSet</methodname>(s: ipset) → b</term>
+ <listitem>
+ <para>
+ Return whether <replaceable>ipset</replaceable> is defined in runtime configuration.
+--
+2.28.0
+
diff --git a/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch b/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch
new file mode 100644
index 0000000..cf91047
--- /dev/null
+++ b/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch
@@ -0,0 +1,27 @@
+From cd158a2880734c5da329e9a5c9c075ba5bceced6 Mon Sep 17 00:00:00 2001
+From: diegoe <diegoe@gnome.org>
+Date: Wed, 21 Oct 2020 21:19:52 -0500
+Subject: [PATCH 62/62] docs(firewall-cmd): small description grammar fix
+
+(cherry picked from commit 9ae97bb2b65fbafa0ed5c0bfd9ebd5945bc6bea9)
+(cherry picked from commit 9b4664fca4d3551dbb758a53b212a5aab043ccd9)
+---
+ doc/xml/firewall-cmd.xml.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
+index 702c549ab9d9..1789f513d8ee 100644
+--- a/doc/xml/firewall-cmd.xml.in
++++ b/doc/xml/firewall-cmd.xml.in
+@@ -56,7 +56,7 @@
+ <title>Description</title>
+
+ <para>
+- firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.
++ firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations.
+ </para>
+
+ <para>
+--
+2.28.0
+
diff --git a/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch b/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch
new file mode 100644
index 0000000..2e00d5b
--- /dev/null
+++ b/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch
@@ -0,0 +1,107 @@
+From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Fri, 13 Nov 2020 10:40:51 -0500
+Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich
+ rules
+
+Fixes: rhbz 1596304
+Fixes: #480
+
+(cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f)
+(cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663)
+---
+ src/firewall/core/rich.py | 2 ++
+ src/firewall/functions.py | 9 ++++++++-
+ src/tests/regression/regression.at | 1 +
+ src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++
+ 4 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 src/tests/regression/rhbz1596304.at
+
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 86c0c998a478..03bc194c2b28 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -307,6 +307,8 @@ class Rich_Rule(object):
+ if not rule_str:
+ raise FirewallError(errors.INVALID_RULE, 'empty rule')
+
++ rule_str = functions.stripNonPrintableCharacters(rule_str)
++
+ self.priority = 0
+ self.family = None
+ self.source = None
+diff --git a/src/firewall/functions.py b/src/firewall/functions.py
+index 6af220619f17..d20b702e047e 100644
+--- a/src/firewall/functions.py
++++ b/src/firewall/functions.py
+@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
+ "check_single_address", "check_mac", "uniqify", "ppid_of_pid",
+ "max_zone_name_len", "checkUser", "checkUid", "checkCommand",
+ "checkContext", "joinArgs", "splitArgs",
+- "b2u", "u2b", "u2b_if_py2" ]
++ "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"]
+
+ import socket
+ import os
+@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
+
+ PY2 = sys.version < '3'
+
++NOPRINT_TRANS_TABLE = {
++ i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
++}
++
+ def getPortID(port):
+ """ Check and Get port id from port string or port id using socket.getservbyname
+
+@@ -226,6 +230,9 @@ def checkIPnMask(ip):
+ return False
+ return True
+
++def stripNonPrintableCharacters(rule_str):
++ return rule_str.translate(NOPRINT_TRANS_TABLE)
++
+ def checkIP6nMask(ip):
+ if "/" in ip:
+ addr = ip[:ip.index("/")]
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 65540840f50e..c1e8620ee700 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
+ m4_include([regression/rhbz1541077.at])
+ m4_include([regression/rhbz1855140.at])
+ m4_include([regression/rhbz1871298.at])
++m4_include([regression/rhbz1596304.at])
+diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
+new file mode 100644
+index 000000000000..98a33934e271
+--- /dev/null
++++ b/src/tests/regression/rhbz1596304.at
+@@ -0,0 +1,23 @@
++FWD_START_TEST([rich rules strip non-printable characters])
++AT_KEYWORDS(rich rhbz1596304)
++
++dnl source address contains a tab character
++FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22 " port port=80 protocol=tcp accept'],0,ignore)
++FWD_RELOAD
++FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
++ public
++ target: default
++ icmp-block-inversion: no
++ interfaces:
++ sources:
++ services: cockpit dhcpv6-client ssh
++ ports:
++ protocols:
++ masquerade: no
++ forward-ports:
++ source-ports:
++ icmp-blocks:
++ rich rules:
++ rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
++ ])])
++FWD_END_TEST
+--
+2.28.0
+
diff --git a/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch b/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
new file mode 100644
index 0000000..793cc5e
--- /dev/null
+++ b/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
@@ -0,0 +1,38 @@
+From ff6e65737413d54b6f6964f72827a92fdbecc182 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 8 Jan 2021 13:38:15 -0500
+Subject: [PATCH 68/68] fix(rich): limit table to strip non-printables to C0
+ and C1
+
+Generating the table was taking an unreasonable amount of memory.
+Stripping C0 and C1 should cover most scenarios while limiting memory
+usage.
+
+Fixes: ac5960856991 ("fix(rich): non-printable characters removed from rich rules")
+(cherry picked from commit 015704b44f81d535a868fe28368f977cefd28638)
+(cherry picked from commit 629a53ef027146f8e4e486c40c8bde04cda830d3)
+---
+ src/firewall/functions.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/functions.py b/src/firewall/functions.py
+index d20b702e047e..1ea9f4309234 100644
+--- a/src/firewall/functions.py
++++ b/src/firewall/functions.py
+@@ -43,7 +43,12 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
+ PY2 = sys.version < '3'
+
+ NOPRINT_TRANS_TABLE = {
+- i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
++ # Limit to C0 and C1 code points. Building entries for all unicode code
++ # points requires too much memory.
++ # C0 = [0, 31]
++ # C1 = [127, 159]
++ #
++ i: None for i in range(0, 160) if not (i > 31 and i < 127)
+ }
+
+ def getPortID(port):
+--
+2.27.0
+
diff --git a/SOURCES/0067-fix-zone-add-source-with-mac-address.patch b/SOURCES/0067-fix-zone-add-source-with-mac-address.patch
new file mode 100644
index 0000000..b3762c1
--- /dev/null
+++ b/SOURCES/0067-fix-zone-add-source-with-mac-address.patch
@@ -0,0 +1,93 @@
+From 2871abfceceba37c6ba38aa0ef25e23a059294ec Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Wed, 18 Nov 2020 13:14:44 -0500
+Subject: [PATCH 67/68] fix(zone): add source with mac address
+
+nftables supports matching the destination MAC, but iptables does not.
+As such, lift the restriction from nftables. For iptables, gracefully
+ignore the scenarios in which we attempt to match destination MAC.
+
+Fixes: #703
+Fixes: df4aefcbe7b7 ("improvement(ipXtables): add utility function match sources")
+Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
+
+Co-authored-by: Eric Garver <eric@garver.life>
+(cherry picked from commit 20151fbb5c5104e3d4dbc4ea938b9a68bdbcf225)
+(cherry picked from commit 79bb113a2a108ce1c69dc7bc7af60297b8ec2ad0)
+---
+ src/firewall/core/ipXtables.py | 4 ++++
+ src/firewall/core/nftables.py | 2 --
+ src/tests/regression/gh703.at | 23 +++++++++++++++++++++++
+ src/tests/regression/regression.at | 1 +
+ 4 files changed, 28 insertions(+), 2 deletions(-)
+ create mode 100644 src/tests/regression/gh703.at
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 450e427c08b5..b28146edd060 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -814,6 +814,10 @@ class ip4tables(object):
+ else:
+ zone_dispatch_chain = "%s_ZONES" % (chain)
+
++ # iptables can not match destination MAC
++ if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]:
++ return []
++
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
+ action = "-g"
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 0a73c2c2669d..a0a899dd3eef 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1067,8 +1067,6 @@ class nftables(object):
+ return self._set_match_fragment(address[len("ipset:"):], True if "daddr" == addr_field else False, invert)
+ else:
+ if check_mac(address):
+- if addr_field == "daddr":
+- raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
+ family = "ether"
+ elif check_single_address("ipv4", address):
+ family = "ip"
+diff --git a/src/tests/regression/gh703.at b/src/tests/regression/gh703.at
+new file mode 100644
+index 000000000000..af724a7713a7
+--- /dev/null
++++ b/src/tests/regression/gh703.at
+@@ -0,0 +1,23 @@
++FWD_START_TEST([add source with mac address])
++AT_KEYWORDS(gh703)
++
++FWD_CHECK([--zone=home --add-source=34:7e:5c:3a:4c:32], 0, [ignore])
++
++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++ table ip firewalld {
++ chain nat_POSTROUTING_ZONES_SOURCE {
++ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
++ }
++ }
++])
++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++ table ip6 firewalld {
++ chain nat_POSTROUTING_ZONES_SOURCE {
++ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
++ }
++ }
++])
++
++dnl NOTE: iptables does _not_ support matching mac destination.
++
++FWD_END_TEST
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index c1e8620ee700..7597a458076c 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -36,3 +36,4 @@ m4_include([regression/rhbz1541077.at])
+ m4_include([regression/rhbz1855140.at])
+ m4_include([regression/rhbz1871298.at])
+ m4_include([regression/rhbz1596304.at])
++m4_include([regression/gh703.at])
+--
+2.27.0
+
diff --git a/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch b/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch
new file mode 100644
index 0000000..b0d7f92
--- /dev/null
+++ b/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch
@@ -0,0 +1,52 @@
+From 4aa1e421dae3ece1de075ef538f709d6388f8811 Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Wed, 10 Jun 2020 16:14:43 -0400
+Subject: [PATCH 63/64] feat(service): add collectd service Fixes: rhbz 1837368
+
+(cherry picked from commit 8b974e75d9100b17568a55c4962dfe09d34f03dc)
+---
+ config/Makefile.am | 1 +
+ config/services/collectd.xml | 6 ++++++
+ po/POTFILES.in | 1 +
+ 3 files changed, 8 insertions(+)
+ create mode 100644 config/services/collectd.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 702592e6a685..5f44678841f3 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -134,6 +134,7 @@ CONFIG_FILES = \
+ services/ceph.xml \
+ services/cfengine.xml \
+ services/cockpit.xml \
++ services/collectd.xml \
+ services/condor-collector.xml \
+ services/ctdb.xml \
+ services/dhcpv6-client.xml \
+diff --git a/config/services/collectd.xml b/config/services/collectd.xml
+new file mode 100644
+index 000000000000..fb2483e0e716
+--- /dev/null
++++ b/config/services/collectd.xml
+@@ -0,0 +1,6 @@
++<?xml version="1.0" encoding="utf-8"?>
++<service>
++ <short>Collectd</short>
++ <description>Collectd is a monitoring system that allows metrics to be sent over the network. This rule allows incoming collectd traffic from remote boxes.</description>
++ <port protocol="udp" port="25826"/>
++</service>
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 918f6f0986ae..92323b03fc17 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -67,6 +67,7 @@ config/services/ceph.xml
+ config/services/cfengine.xml
+ config/services/cockpit.xml
+ config/services/condor-collector.xml
++config/services/collectd.xml
+ config/services/ctdb.xml
+ config/services/dhcpv6-client.xml
+ config/services/dhcpv6.xml
+--
+2.28.0
+
diff --git a/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch b/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
new file mode 100644
index 0000000..85482a5
--- /dev/null
+++ b/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
@@ -0,0 +1,54 @@
+From 7edc99c9aca9c1416a05c117ab65598dc3095c35 Mon Sep 17 00:00:00 2001
+From: Kenneth D'souza <kdsouza@redhat.com>
+Date: Tue, 16 Jun 2020 01:14:52 +0530
+Subject: [PATCH 64/64] feat(service): Add rpc-rquotad.service
+
+Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
+(cherry picked from commit 35e58d6fca6fbf44c34629dc058f3f1f727e7783)
+---
+ config/Makefile.am | 1 +
+ config/services/rquotad.xml | 7 +++++++
+ po/POTFILES.in | 1 +
+ 3 files changed, 9 insertions(+)
+ create mode 100644 config/services/rquotad.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 5f44678841f3..178c2358b117 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -233,6 +233,7 @@ CONFIG_FILES = \
+ services/redis.xml \
+ services/RH-Satellite-6.xml \
+ services/rpc-bind.xml \
++ services/rquotad.xml \
+ services/rsh.xml \
+ services/rsyncd.xml \
+ services/rtsp.xml \
+diff --git a/config/services/rquotad.xml b/config/services/rquotad.xml
+new file mode 100644
+index 000000000000..adcd233ebd4d
+--- /dev/null
++++ b/config/services/rquotad.xml
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="utf-8"?>
++<service>
++ <short>rquotad</short>
++ <description>Remote Quota Server Daemon</description>
++ <port protocol="tcp" port="875"/>
++ <port protocol="udp" port="875"/>
++</service>
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 92323b03fc17..8552b8eca4ab 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -166,6 +166,7 @@ config/services/redis-sentinel.xml
+ config/services/redis.xml
+ config/services/RH-Satellite-6.xml
+ config/services/rpc-bind.xml
++config/services/rquotad.xml
+ config/services/rsh.xml
+ config/services/rsyncd.xml
+ config/services/rtsp.xml
+--
+2.28.0
+
diff --git a/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch b/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch
new file mode 100644
index 0000000..0fa86fe
--- /dev/null
+++ b/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch
@@ -0,0 +1,55 @@
+From 8d0823923302da39bb1f28e55b907db29b03f664 Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Tue, 1 Dec 2020 11:58:19 -0500
+Subject: [PATCH 66/66] feat(service): add galera service Fixes: rhbz1696260
+
+(cherry picked from commit 11632147677464cb7121d17526ead242e68be041)
+---
+ config/Makefile.am | 1 +
+ config/services/galera.xml | 9 +++++++++
+ po/POTFILES.in | 1 +
+ 3 files changed, 11 insertions(+)
+ create mode 100644 config/services/galera.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 178c2358b117..4b849bd54e32 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -156,6 +156,7 @@ CONFIG_FILES = \
+ services/freeipa-replication.xml \
+ services/freeipa-trust.xml \
+ services/ftp.xml \
++ services/galera.xml \
+ services/ganglia-client.xml \
+ services/ganglia-master.xml \
+ services/git.xml \
+diff --git a/config/services/galera.xml b/config/services/galera.xml
+new file mode 100644
+index 000000000000..2305713fbcab
+--- /dev/null
++++ b/config/services/galera.xml
+@@ -0,0 +1,9 @@
++<?xml version="1.0" encoding="utf-8"?>
++<service>
++ <short>Galera</short>
++ <description>MariaDB-Galera Database Server</description>
++ <port protocol="tcp" port="3306"/>
++ <port protocol="tcp" port="4567"/>
++ <port protocol="tcp" port="4568"/>
++ <port protocol="tcp" port="4444"/>
++</service>
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 8552b8eca4ab..27003c5ce1ef 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -88,6 +88,7 @@ config/services/freeipa-ldap.xml
+ config/services/freeipa-replication.xml
+ config/services/freeipa-trust.xml
+ config/services/ftp.xml
++config/services/galera.xml
+ config/services/ganglia-client.xml
+ config/services/ganglia-master.xml
+ config/services/git.xml
+--
+2.28.0
+
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index 7cf2529..5dbf1cc 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -1,7 +1,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.8.2
-Release: 2%{?dist}
+Release: 6%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@@ -52,6 +52,27 @@ Patch44: 0044-test-regression-rhbz1483921-correctly-use-macros.patch
Patch45: 0045-test-regression-rhbz1541077-correctly-use-macros.patch
Patch46: 0046-fix-rich-use-correct-error-code-for-invalid-priority.patch
Patch47: 0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch
+Patch48: 0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch
+Patch49: 0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch
+Patch50: 0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch
+Patch51: 0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch
+Patch52: 0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch
+Patch53: 0053-fix-nftables-packet-marks-with-masks.patch
+Patch54: 0054-fix-nftables-icmp-types-with-code-0.patch
+Patch55: 0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
+Patch56: 0056-test-regression-rhbz1855140-add-negative-tests.patch
+Patch57: 0057-fix-policy-cache-rule_str-for-rich-rules.patch
+Patch58: 0058-test-zone-rich-rule-parsing-bottleneck.patch
+Patch59: 0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch
+Patch60: 0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch
+Patch61: 0061-docs-dbus-fix-invalid-method-names.patch
+Patch62: 0062-docs-firewall-cmd-small-description-grammar-fix.patch
+Patch63: v0.9.0-0063-feat-service-add-collectd-service.patch
+Patch64: v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
+Patch65: 0065-fix-rich-non-printable-characters-removed-from-rich-.patch
+Patch66: 0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
+Patch67: 0067-fix-zone-add-source-with-mac-address.patch
+Patch68: v1.0.0-0068-feat-service-add-galera-service.patch
BuildArch: noarch
BuildRequires: autoconf
@@ -250,6 +271,24 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1*
%changelog
+* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-6
+- feat(service): add galera service
+
+* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-5
+- fix(zone): add source with mac address
+
+* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-4
+- fix(rich): non-printable characters removed from rich
+
+* Mon Oct 26 2020 Eric Garver <egarver@redhat.com> - 0.8.2-3
+- fix(nftables): packet marks with masks
+- fix(nftables): icmp types with code == 0
+- fix(rich icmptype): verify rule and icmptype families
+- fix(zone): cache rule_str for rich rules
+- improvement(service): IPsec: Update description and add TCP port 4500
+- feat(service): add collectd service
+- feat(service): Add rpc-rquotad.service
+
* Tue Aug 04 2020 Eric Garver <egarver@redhat.com> - 0.8.2-2
- fix(cli): add ipset type hash:mac is incompatible with the family parameter
- fix(cli): add --zone is an invalid option with --direct