diff --git a/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch b/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch
new file mode 100644
index 0000000..b796d31
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch
@@ -0,0 +1,542 @@ +From bc6ba9d59f8070b0e76f127f16ef1cd99da90ffc Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Fri, 19 May 2017 15:35:54 +0200 +Subject: [PATCH 5/6] D-Bus interfaces: Fix GetAll for interfaces without + properties (RHBZ#1452017) + +Also: Make D-Bus error messages consistent in all interfaces. +(cherry picked from commit fb44764d1275958401e2e69161d997bfb6e02899) +--- + src/firewall/server/config.py | 115 +++++++++++++++++++-------------- + src/firewall/server/config_helper.py | 15 ++--- + src/firewall/server/config_icmptype.py | 15 ++--- + src/firewall/server/config_ipset.py | 15 ++--- + src/firewall/server/config_service.py | 15 ++--- + src/firewall/server/config_zone.py | 15 ++--- + src/firewall/server/firewalld.py | 71 ++++++++++++++------ + 7 files changed, 152 insertions(+), 109 deletions(-) + +diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py +index 55bfffbebe76..33f72027d048 100644 +--- a/src/firewall/server/config.py ++++ b/src/firewall/server/config.py +@@ -486,8 +486,8 @@ class FirewallDConfig(slip.dbus.service.Object): + "Lockdown", "IPv6_rpfilter", "IndividualCalls", + "LogDenied", "AutomaticHelpers" ]: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % prop) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % prop) + + value = self.config.get_firewalld_conf().get(prop) + +@@ -546,8 +546,8 @@ class FirewallDConfig(slip.dbus.service.Object): + return dbus.String(self._get_property(prop)) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % prop) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % prop) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -558,10 +558,17 @@ class FirewallDConfig(slip.dbus.service.Object): + 
property_name = dbus_to_python(property_name, str) + log.debug1("config.Get('%s', '%s')", interface_name, property_name) + +- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG: ++ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: ++ return self._get_dbus_property(property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, ++ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_dbus_property(property_name) + +@@ -572,16 +579,20 @@ class FirewallDConfig(slip.dbus.service.Object): + interface_name = dbus_to_python(interface_name, str) + log.debug1("config.GetAll('%s')", interface_name) + +- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG: ++ ret = { } ++ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: ++ for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", ++ "Lockdown", "IPv6_rpfilter", "IndividualCalls", ++ "LogDenied", "AutomaticHelpers" ]: ++ ret[x] = self._get_property(x) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, ++ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: ++ pass ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + +- ret = { } +- for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", +- "IPv6_rpfilter", "IndividualCalls", "LogDenied", +- "AutomaticHelpers" ]: +- ret[x] = self._get_property(x) + return dbus.Dictionary(ret, signature="sv") + + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) +@@ -595,49 +606,55 @@ class 
FirewallDConfig(slip.dbus.service.Object): + property_name, new_value) + self.accessCheck(sender) + +- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG: +- raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) +- +- if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", +- "IPv6_rpfilter", "IndividualCalls", "LogDenied", +- "AutomaticHelpers" ]: +- if property_name == "MinimalMark": ++ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: ++ if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", ++ "IPv6_rpfilter", "IndividualCalls", ++ "LogDenied", "AutomaticHelpers" ]: ++ if property_name == "MinimalMark": ++ try: ++ int(new_value) ++ except ValueError: ++ raise FirewallError(errors.INVALID_MARK, new_value) + try: +- int(new_value) +- except ValueError: +- raise FirewallError(errors.INVALID_MARK, new_value) +- try: +- new_value = str(new_value) +- except: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ ++ new_value = str(new_value) ++ except: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ ++ (new_value, property_name)) ++ if property_name in [ "CleanupOnExit", "Lockdown", ++ "IPv6_rpfilter", "IndividualCalls" ]: ++ if new_value.lower() not in [ "yes", "no", ++ "true", "false" ]: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ + (new_value, property_name)) +- if property_name in [ "CleanupOnExit", "Lockdown", +- "IPv6_rpfilter", "IndividualCalls" ]: +- if new_value.lower() not in [ "yes", "no", "true", "false" ]: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ ++ if property_name == "LogDenied": ++ if new_value not in config.LOG_DENIED_VALUES: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ + (new_value, property_name)) +- if property_name == "LogDenied": +- if new_value not in config.LOG_DENIED_VALUES: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % 
\ ++ if property_name == "AutomaticHelpers": ++ if new_value not in config.AUTOMATIC_HELPERS_VALUES: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ + (new_value, property_name)) +- if property_name == "AutomaticHelpers": +- if new_value not in config.AUTOMATIC_HELPERS_VALUES: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ +- (new_value, property_name)) +- self.config.get_firewalld_conf().set(property_name, new_value) +- self.config.get_firewalld_conf().write() +- self.PropertiesChanged(interface_name, +- { property_name: new_value }, [ ]) +- elif property_name in [ "DefaultZone" ]: ++ self.config.get_firewalld_conf().set(property_name, new_value) ++ self.config.get_firewalld_conf().write() ++ self.PropertiesChanged(interface_name, ++ { property_name: new_value }, [ ]) ++ else: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, ++ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.PropertyReadOnly: " +- "Property '%s' is read-only" % property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' does not exist" % property_name) ++ "org.freedesktop.DBus.Error.UnknownInterface: " ++ "Interface '%s' does not exist" % interface_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_helper.py b/src/firewall/server/config_helper.py +index e3683e9b7788..23e30e04ba26 100644 +--- a/src/firewall/server/config_helper.py ++++ b/src/firewall/server/config_helper.py +@@ -92,9 +92,8 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + 
return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -109,7 +108,7 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -123,7 +122,7 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -144,11 +143,11 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_icmptype.py 
b/src/firewall/server/config_icmptype.py +index 9f571ae98128..e1724550d740 100644 +--- a/src/firewall/server/config_icmptype.py ++++ b/src/firewall/server/config_icmptype.py +@@ -92,9 +92,8 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -109,7 +108,7 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -123,7 +122,7 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -144,11 +143,11 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ 
"Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py +index a1613c6933ab..8c647bc29ab9 100644 +--- a/src/firewall/server/config_ipset.py ++++ b/src/firewall/server/config_ipset.py +@@ -93,9 +93,8 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -110,7 +109,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -124,7 +123,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -145,11 +144,11 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) 
+ + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_service.py b/src/firewall/server/config_service.py +index 6745e253f88a..47530d319bdb 100644 +--- a/src/firewall/server/config_service.py ++++ b/src/firewall/server/config_service.py +@@ -92,9 +92,8 @@ class FirewallDConfigService(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -109,7 +108,7 @@ class FirewallDConfigService(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -123,7 +122,7 @@ class FirewallDConfigService(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -144,11 +143,11 @@ class FirewallDConfigService(slip.dbus.service.Object): + if interface_name != 
config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_zone.py b/src/firewall/server/config_zone.py +index 42ec963549d8..f98f700bec59 100644 +--- a/src/firewall/server/config_zone.py ++++ b/src/firewall/server/config_zone.py +@@ -94,9 +94,8 @@ class FirewallDConfigZone(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -111,7 +110,7 @@ class FirewallDConfigZone(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -125,7 +124,7 @@ class FirewallDConfigZone(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % 
interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -146,11 +145,11 @@ class FirewallDConfigZone(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 2f1f8234ab9c..8c4bd4f0c66a 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -184,8 +184,8 @@ class FirewallD(slip.dbus.service.Object): + + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % prop) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % prop) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -196,12 +196,19 @@ class FirewallD(slip.dbus.service.Object): + property_name = dbus_to_python(property_name, str) + log.debug1("Get('%s', '%s')", interface_name, property_name) + +- if interface_name != config.dbus.DBUS_INTERFACE: ++ if interface_name == config.dbus.DBUS_INTERFACE: ++ return self._get_property(property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, ++ config.dbus.DBUS_INTERFACE_DIRECT, ++ config.dbus.DBUS_INTERFACE_POLICIES, ++ config.dbus.DBUS_INTERFACE_IPSET ]: ++ raise dbus.exceptions.DBusException( ++ 
"org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) +- +- return self._get_property(property_name) ++ "Interface '%s' does not exist" % interface_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s', + out_signature='a{sv}') +@@ -210,17 +217,24 @@ class FirewallD(slip.dbus.service.Object): + interface_name = dbus_to_python(interface_name, str) + log.debug1("GetAll('%s')", interface_name) + +- if interface_name != config.dbus.DBUS_INTERFACE: ++ ret = { } ++ if interface_name == config.dbus.DBUS_INTERFACE: ++ for x in [ "version", "interface_version", "state", ++ "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", ++ "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", ++ "nf_conntrack_helpers", "IPv4ICMPTypes", ++ "IPv6ICMPTypes" ]: ++ ret[x] = self._get_property(x) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, ++ config.dbus.DBUS_INTERFACE_DIRECT, ++ config.dbus.DBUS_INTERFACE_POLICIES, ++ config.dbus.DBUS_INTERFACE_IPSET ]: ++ pass ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + +- ret = { } +- for x in [ "version", "interface_version", "state", +- "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", +- "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", +- "nf_conntrack_helpers", "IPv4ICMPTypes", "IPv6ICMPTypes" ]: +- ret[x] = self._get_property(x) + return dbus.Dictionary(ret, signature="sv") + + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) +@@ -234,14 +248,31 @@ class FirewallD(slip.dbus.service.Object): + new_value) + self.accessCheck(sender) + +- if interface_name != config.dbus.DBUS_INTERFACE: ++ if interface_name == config.dbus.DBUS_INTERFACE: ++ if property_name in [ 
"version", "interface_version", "state", ++ "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", ++ "IPSet", "IPSetTypes", ++ "nf_conntrack_helper_setting", ++ "nf_conntrack_helpers", "IPv4ICMPTypes", ++ "IPv6ICMPTypes" ]: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) ++ else: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, ++ config.dbus.DBUS_INTERFACE_DIRECT, ++ config.dbus.DBUS_INTERFACE_POLICIES, ++ config.dbus.DBUS_INTERFACE_IPSET ]: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) +- +- raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "Interface '%s' does not exist" % interface_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch new file mode 100644 index 0000000..cbffa21 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch 
@@ -0,0 +1,50 @@
+From f80a02d760b1810bb5a3021aabb78ed20f5e629d Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Mon, 22 May 2017 17:56:41 +0200
+Subject: [PATCH 2/6] firewall.core.fw: Get NAT helpers and store them
+ internally.
+
+The NAT helpers are stored internally to be able to use them in zones with the
+conntrack helpers.
+
+This is needed for RHBZ#1452681
+
+(cherry picked from commit f0109e044e5601fba20d42db24c25e8e8cf804a0)
+---
+ src/firewall/core/fw.py | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 8dbe59b6e3b5..4db856c4e17d 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -114,6 +114,7 @@ class Firewall(object):
+ self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS
+ self.nf_conntrack_helper_setting = 0
+ self.nf_conntrack_helpers = { }
++ self.nf_nat_helpers = { }
+
+ def individual_calls(self):
+ return self._individual_calls
+@@ -203,8 +204,18 @@ class Firewall(object):
+ log.debug1(" %s: %s", key, ", ".join(values))
+ else:
+ log.debug1("No conntrack helpers supported by the kernel.")
++
++ self.nf_nat_helpers = functions.get_nf_nat_helpers()
++ if len(self.nf_nat_helpers) > 0:
++ log.debug1("NAT helpers supported by the kernel:")
++ for key,values in self.nf_nat_helpers.items():
++ log.debug1(" %s: %s", key, ", ".join(values))
++ else:
++ log.debug1("No NAT helpers supported by the kernel.")
++
+ else:
+ self.nf_conntrack_helpers = { }
++ self.nf_nat_helpers = { }
+ log.warning("modinfo command is missing, not able to detect conntrack helpers.")
+
+ def _start(self, reload=False, complete_reload=False):
+--
+2.12.0
+
diff --git a/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch
new file mode 100644
index 0000000..9635f55
--- /dev/null
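Review bot: The `else:` branch in fw.py hunk `@@ -203,8 +204,18 @@` now also resets `self.nf_nat_helpers`, but its warning still reads `"modinfo command is missing, not able to detect conntrack helpers."`; reword it to `"modinfo command is missing, not able to detect conntrack and NAT helpers."` so the log says what is actually skipped. The new attribute in hunk `@@ -114,6 +114,7 @@` is undocumented; a comment such as `# { module: [helper, ...] } of NAT helper modules, filled from functions.get_nf_nat_helpers()` next to `self.nf_nat_helpers = { }` would record the shape that the rest of the series relies on. Both enclosing methods start outside their hunks.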
+++ b/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch 
@@ -0,0 +1,58 @@
+From 3bcaadbc99a10634d5a7552d7398436ef836f428 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Mon, 22 May 2017 17:59:10 +0200
+Subject: [PATCH 3/6] firewall.core.fw_zone: Load NAT helpers with conntrack
+ helpers
+
+If a conntrack helper is used, then the NAT helper will automatically be loaded
+also if there is a matching NAT helper.
+
+Fixes: RHBZ#1452681
+(cherry picked from commit af59d816c92e0391d118949542eb19bcf8b74580)
+---
+ src/firewall/core/fw_zone.py | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 2c99b0cbce8a..3089d12edd1b 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1155,9 +1155,15 @@ class FirewallZone(object):
+ _rule += [ "-j", "CT", "--helper", helper.name ]
+ self.__rule_source(rule.source, _rule)
+ zone_transaction.add_rule(ipv, _rule)
++ nat_module = module.replace("conntrack", "nat")
++ if nat_module in self._fw.nf_nat_helpers:
++ modules.append(nat_module)
+ else:
+ if helper.module not in modules:
+ modules.append(helper.module)
++ nat_module = helper.module.replace("conntrack", "nat")
++ if nat_module in self._fw.nf_nat_helpers:
++ modules.append(nat_module)
+ zone_transaction.add_modules(modules)
+
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
+@@ -1624,6 +1630,9 @@ class FirewallZone(object):
+ modules = [ ]
+ for helper in helpers:
+ modules.append(helper.module)
++ nat_module = helper.module.replace("conntrack", "nat")
++ if nat_module in self._fw.nf_nat_helpers:
++ modules.append(nat_module)
+ zone_transaction.add_modules(modules)
+ zone_transaction.add_chain("filter", "INPUT")
+
+@@ -1641,6 +1650,9 @@ class FirewallZone(object):
+ raise FirewallError(
+ errors.INVALID_HELPER,
+ "'%s' is not available in kernel" % module)
++ nat_module = helper.module.replace("conntrack", "nat")
++ if nat_module in self._fw.nf_nat_helpers:
++ zone_transaction.add_module(nat_module)
+ if helper.family != "" and helper.family != ipv:
+ # no support for family ipv, continue
+ continue
+--
+2.12.0
+
diff --git a/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch
new file mode 100644
index 0000000..327e32d
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch
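Review bot: In fw_zone.py hunk `@@ -1155,9 +1155,15 @@` the new `modules.append(nat_module)` is unguarded, while the adjacent `else:` branch checks `if helper.module not in modules` before appending, so one NAT module can land in `modules` once per rule or helper that maps to it; the same unguarded append appears in the second added block and in hunk `@@ -1624,6 +1630,9 @@`. Use `if nat_module in self._fw.nf_nat_helpers and nat_module not in modules:` in all three places. The `.replace("conntrack", "nat")` derivation relies on the kernel's module naming convention and deserves a comment where it first appears, e.g. `# nf_conntrack_<proto> pairs with nf_nat_<proto>; load it only if the kernel ships it`. The first block derives the name from `module` whereas the others use `helper.module`; whether those hold the same value is not visible in the hunk. All three enclosing methods start outside their hunks.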
@@ -0,0 +1,60 @@
+From 5a864808c03b703fd9073133fd185347703177c7 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Mon, 22 May 2017 17:50:40 +0200
+Subject: [PATCH 1/6] firewall.functions: New function get_nf_nat_helpers
+
+This function returns a dict { module: [helper, ..], .. } similar to
+get_nf_conntrack_helpers but for NAT helpers only. NAT helpers are not part
+of the dict that is returned by get_nf_conntrack_helpers as it only lists
+connection tracking helpers.
+
+This is needed for RHBZ#1452681
+
+(cherry picked from commit 577668e9b788e9982e90f331d934aaa8d79cae56)
+---
+ src/firewall/functions.py | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/functions.py b/src/firewall/functions.py
+index 71d39a540754..07e65ab7c7f8 100644
+--- a/src/firewall/functions.py
++++ b/src/firewall/functions.py
+@@ -25,7 +25,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
+ "firewalld_is_active", "tempFile", "readfile", "writefile",
+ "enable_ip_forwarding", "get_nf_conntrack_helper_setting",
+ "set_nf_conntrack_helper_setting", "get_nf_conntrack_helpers",
+- "check_port", "check_address",
++ "get_nf_nat_helpers", "check_port", "check_address",
+ "check_single_address", "check_mac", "uniqify", "ppid_of_pid",
+ "max_zone_name_len", "checkUser", "checkUid", "checkCommand",
+ "checkContext", "joinArgs", "splitArgs",
+@@ -351,6 +351,26 @@ def get_nf_conntrack_helpers():
+ helpers.setdefault(module, [ ]).append(helper)
+ return helpers
+
++def get_nf_nat_helpers():
++ kver = os.uname()[2]
++ path = "/lib/modules/%s/kernel/net/netfilter/" % kver
++ helpers = { }
++ if os.path.isdir(path):
++ for filename in sorted(os.listdir(path)):
++ if not filename.startswith("nf_nat_"):
++ continue
++ module = filename.split(".")[0]
++ (status, ret) = runProg(COMMANDS["modinfo"], [ module, ])
++ if status != 0:
++ continue
++ alias = None
++ for line in ret.split("\n"):
++ if line.startswith("description:") and "NAT helper" in line:
++ helper = module.replace("nf_nat_", "")
++ helper = helper.replace("_", "-")
++ helpers.setdefault(module, [ ]).append(helper)
++ return helpers
++
+ def get_nf_conntrack_helper_setting():
+ try:
+ return int(readfile("/proc/sys/net/netfilter/nf_conntrack_helper")[0])
+--
+2.12.0
+
diff --git a/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch
new file mode 100644
index 0000000..950b2b2
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch
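Review bot: `alias = None` in `get_nf_nat_helpers` (functions.py hunk `@@ -351,6 +351,26 @@`) is assigned and never read anywhere in the function, presumably carried over from the `get_nf_conntrack_helpers` it mirrors; drop the line. The function has no docstring; add one such as `"""Return { module: [helper, ...] } for the nf_nat_* modules whose modinfo description contains "NAT helper"."""` so the return shape described in the commit message lives with the code. `runProg` and `COMMANDS` are referenced but not defined in this hunk, so they are taken to be the module's existing helpers, and `runProg` is called with an argument list rather than a shell string, which is the right shape for a module name taken from a directory listing.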
@@ -0,0 +1,72 @@ +From acc3cfe586947cd2d98d4b8b4303cca127ffc396 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 22 May 2017 18:07:03 +0200 +Subject: [PATCH 6/6] firewall.server.firewalld: New property for NAT helpers + supported by the kernel + +The property nf_nat_helpers provides a dict with the nat helpers in a similar +way as nf_conntrack_helpers. + +New description for the property nf_nat_helpers in firewalld.dbus man page. + +Related: RHBZ#1452681 +(cherry picked from commit 34558ad775afd9476c4ec5373b9bc9ee03a195af) +--- + doc/xml/firewalld.dbus.xml | 4 ++++ + src/firewall/server/firewalld.py | 11 +++++++---- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 52b5b3b0f955..92fe5c843dfc 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -467,6 +467,10 @@ + nf_conntrack_helpers - a{sas} - (ro) + The list of conntrack helpers supported by the kernel. + ++ ++ nf_nat_helpers - a{sas} - (ro) ++ The list of nat helpers supported by the kernel. ++ + + interface_version - s - (ro) + firewalld D-Bus interface version string. 
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 8c4bd4f0c66a..9c5d463de793 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -182,6 +182,9 @@ class FirewallD(slip.dbus.service.Object): + elif prop == "nf_conntrack_helpers": + return dbus.Dictionary(self.fw.nf_conntrack_helpers, "sas") + ++ elif prop == "nf_nat_helpers": ++ return dbus.Dictionary(self.fw.nf_nat_helpers, "sas") ++ + else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " +@@ -222,8 +225,8 @@ class FirewallD(slip.dbus.service.Object): + for x in [ "version", "interface_version", "state", + "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", + "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", +- "nf_conntrack_helpers", "IPv4ICMPTypes", +- "IPv6ICMPTypes" ]: ++ "nf_conntrack_helpers", "nf_nat_helpers", ++ "IPv4ICMPTypes", "IPv6ICMPTypes" ]: + ret[x] = self._get_property(x) + elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, + config.dbus.DBUS_INTERFACE_DIRECT, +@@ -253,8 +256,8 @@ class FirewallD(slip.dbus.service.Object): + "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", + "IPSet", "IPSetTypes", + "nf_conntrack_helper_setting", +- "nf_conntrack_helpers", "IPv4ICMPTypes", +- "IPv6ICMPTypes" ]: ++ "nf_conntrack_helpers", "nf_nat_helpers", ++ "IPv4ICMPTypes", "IPv6ICMPTypes" ]: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.PropertyReadOnly: " + "Property '%s' is read-only" % property_name) +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch new file mode 100644 index 0000000..5659c40 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch 
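Review bot: The read-only property list for the main interface is spelled out twice, once in GetAll (`@@ -222`) and once in Set (`@@ -253`), and this change has to edit both literals in lockstep to add `nf_nat_helpers`; hoisting them into one class-level tuple (e.g. `_RO_PROPERTIES = ("version", "interface_version", "state", ..., "nf_nat_helpers", "IPv4ICMPTypes", "IPv6ICMPTypes")`) and iterating it in both places removes the chance that the next property lands in one list but not the other. The new `_get_property` branch returns `self.fw.nf_nat_helpers`, which is presumably provided by another patch in this series and is not visible here; a short comment naming that dependency would help anyone reading this patch on its own.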
@@ -0,0 +1,35 @@ +From 930e9fae6babcffc6b74823d45d3bbf394e05cc9 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 22 May 2017 18:05:38 +0200 +Subject: [PATCH 4/6] firewalld.dbus: Add missing properties + nf_conntrach_helper_setting and nf_conntrack_helpers + +(cherry picked from commit 89a186db02dd3776dce4105d1266b4863b3b4e8b) +--- + doc/xml/firewalld.dbus.xml | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index de18ab2d514a..52b5b3b0f955 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -459,7 +459,15 @@ + IPv6ICMPTypes - as - (ro) + The list of supported IPv6 ICMP types. + +- ++ ++ nf_conntrach_helper_setting - b - (ro) ++ Kernel nf_conntrack_helper setting. ++ ++ ++ nf_conntrack_helpers - a{sas} - (ro) ++ The list of conntrack helpers supported by the kernel. ++ ++ + interface_version - s - (ro) + firewalld D-Bus interface version string. + +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch b/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch new file mode 100644 index 0000000..b761380 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch 
@@ -0,0 +1,44 @@ +From 4b8a12785c96c33a77eb59fdd1c088d25978f7d8 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 26 Jul 2017 10:10:19 -0400 +Subject: [PATCH] Add NFSv3 service. + +This is distinct from the NFS service (v4) because it also opens up UDP +ports. + +Fixes: RHBZ#1462088 +(cherry picked from commit a127d697177b78b7f9b766deb978efd95590a2ac) +--- + config/Makefile.am | 1 + + config/services/nfs3.xml | 7 +++++++ + 2 files changed, 8 insertions(+) + create mode 100644 config/services/nfs3.xml + +diff --git a/config/Makefile.am b/config/Makefile.am +index bdc5651c154c..1035c9f940a9 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -173,6 +173,7 @@ CONFIG_FILES = \ + services/ms-wbt.xml \ + services/mysql.xml \ + services/nfs.xml \ ++ services/nfs3.xml \ + services/nrpe.xml \ + services/ntp.xml \ + services/openvpn.xml \ +diff --git a/config/services/nfs3.xml b/config/services/nfs3.xml +new file mode 100644 +index 000000000000..4075d48211bd +--- /dev/null ++++ b/config/services/nfs3.xml +@@ -0,0 +1,7 @@ ++ ++ ++ NFS3 ++ The NFS3 protocol is used to share files. You will need to have the NFS tools installed and properly configure your NFS server for this option to be useful. ++ ++ ++ +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch b/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch new file mode 100644 index 0000000..2fd2eeb --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch 
@@ -0,0 +1,35 @@ +From 34b616a67585d42060ec6be376deb3dd3eb25353 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 6 Sep 2017 10:58:27 -0400 +Subject: [PATCH] Add missing ports to RH-Satellite-6 service + +Fixes: RHBZ#1422149 +--- + config/services/RH-Satellite-6.xml | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/config/services/RH-Satellite-6.xml b/config/services/RH-Satellite-6.xml +index 5462a6e673bb..76f4d97954db 100644 +--- a/config/services/RH-Satellite-6.xml ++++ b/config/services/RH-Satellite-6.xml +@@ -2,11 +2,16 @@ + + Red Hat Satellite 6 + Red Hat Satellite 6 is a systems management server that can be used to configure new systems, subscribe to updates, and maintain installations in distributed environments. ++ ++ ++ + + ++ + + +- ++ + ++ + + +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch b/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch new file mode 100644 index 0000000..241ebf3 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch 
@@ -0,0 +1,126 @@ +From c41e34a5a8fbda2731aa724e65dcc93aa9ab7b64 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 3 Aug 2017 15:06:57 -0400 +Subject: [PATCH] Reload nf_conntrack sysctls after the module is loaded + +Add a modprobe config file that will cause specified sysctls to be +reloaded after a given module is loaded. This is needed because sysctls +will go away and reappear when modules are unloaded which happens on a +firewalld restart. e.g. nf_conntrack_max. + +Fixes: RHBZ#1462977 +(cherry picked from commit 65434db736fa68a25e1ab417f6c330c03c5eafde) +--- + config/Makefile.am | 22 ++++++++++++++++++++-- + config/firewalld-sysctls.conf.in | 1 + + configure.ac | 1 + + firewalld.spec | 1 + + 4 files changed, 23 insertions(+), 2 deletions(-) + create mode 100644 config/firewalld-sysctls.conf.in + +diff --git a/config/Makefile.am b/config/Makefile.am +index 1035c9f940a9..a66ae05d8122 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -42,6 +42,7 @@ BUILT_SOURCES = \ + $(applet_desktop_DATA) \ + $(polkit1_action_DATA) \ + $(gsettings_SCHEMAS) \ ++ firewalld-sysctls.conf \ + firewalld.service + + @INTLTOOL_DESKTOP_RULE@ +@@ -51,7 +52,7 @@ BUILT_SOURCES = \ + + all: $(desktop_DATA) $(appdata_DATA) $(applet_desktop_DATA) $(polkit1_action_DATA) $(gsettings_SCHEMAS) + +-CLEANFILES = *~ *\# .\#* firewalld.service ++CLEANFILES = *~ *\# .\#* firewalld.service firewalld-sysctls.conf + + DISTCLEANFILES = \ + $(desktop_DATA) \ +@@ -246,6 +247,7 @@ EXTRA_DIST = \ + $(CONFIG_FILES) \ + $(dist_xmlschema_DATA) \ + firewalld.init \ ++ firewalld-sysctls.conf.in \ + firewalld.service.in \ + firewalld.sysconfig \ + macros.firewalld +@@ -253,6 +255,9 @@ EXTRA_DIST = \ + INSTALL_TARGETS = install-config + UNINSTALL_TARGETS = uninstall-config + ++INSTALL_TARGETS += install-modprobe.d ++UNINSTALL_TARGETS += uninstall-modprobe.d ++ + if USE_SYSTEMD + INSTALL_TARGETS += install-service + UNINSTALL_TARGETS += uninstall-service +@@ -275,11 +280,16 @@ edit = sed \ + -e 
's|@bindir[@]|$(bindir)|g' \ + -e 's|@sbindir[@]|$(sbindir)|g' \ + -e 's|@sysconfdir[@]|$(sysconfdir)|g' \ +- -e 's|@localstatedir[@]|$(localstatedir)|g' ++ -e 's|@localstatedir[@]|$(localstatedir)|g' \ ++ -e 's|@MODPROBE[@]|$(MODPROBE)|g' \ ++ -e 's|@SYSCTL[@]|$(SYSCTL)|g' + + firewalld.service: firewalld.service.in + $(edit) $< >$@ + ++firewalld-sysctls.conf: firewalld-sysctls.conf.in ++ $(edit) $< >$@ ++ + install-sysconfig: + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/sysconfig + $(INSTALL_DATA) $(srcdir)/firewalld.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/firewalld +@@ -312,6 +322,14 @@ uninstall-service: uninstall-sysconfig + rm -f $(DESTDIR)$(SYSTEMD_UNITDIR)/firewalld.service + rmdir $(DESTDIR)$(SYSTEMD_UNITDIR) || : + ++install-modprobe.d: ++ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/modprobe.d ++ $(INSTALL_DATA) firewalld-sysctls.conf $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf ++ ++uninstall-modprobe.d: ++ rm -f $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf ++ rmdir $(DESTDIR)$(sysconfdir)/modprobe.d || : ++ + install-config: + $(MKDIR_P) $(DESTDIR)$(sconfdir) + $(MKDIR_P) $(DESTDIR)$(sconfdir)/icmptypes +diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in +new file mode 100644 +index 000000000000..976027743e8f +--- /dev/null ++++ b/config/firewalld-sysctls.conf.in +@@ -0,0 +1 @@ ++install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system +diff --git a/configure.ac b/configure.ac +index e3525703819d..776e627b0fa0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -33,6 +33,7 @@ AC_PATH_PROG([KILL], [kill], [/usr/bin/kill]) + AC_PATH_PROG([MODINFO], [modinfo], [/sbin/modinfo]) + AC_PATH_PROG([MODPROBE], [modprobe], [/sbin/modprobe]) + AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod]) ++AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl]) + + GLIB_GSETTINGS + +diff --git a/firewalld.spec b/firewalld.spec +index 7f16f38d2932..476f9668d44f 100644 +--- 
a/firewalld.spec ++++ b/firewalld.spec +@@ -240,6 +240,7 @@ fi + %{_mandir}/man1/firewallctl*.1* + %{_mandir}/man1/firewalld*.1* + %{_mandir}/man5/firewall*.5* ++%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf + + %files -n python-firewall + %attr(0755,root,root) %dir %{python2_sitelib}/firewall +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch b/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch new file mode 100644 index 0000000..a681b93 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch 
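Review bot: `%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf` is added to `%files` as a plain entry, so a locally edited copy under /etc is overwritten on every upgrade; mark it `%config %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf` (rpm then preserves a modified copy as `.rpmsave`), which matters here because the 0.4.4.7 patch later in this series rewrites the file's content. The same unmarked line is added in the SPECS/firewalld.spec `%files` hunk. The `install nf_conntrack` hook in `firewalld-sysctls.conf.in` runs a shell pipeline from modprobe on every load of the module; a leading comment in the .in file stating why (`# re-apply nf_conntrack sysctls that are lost when the module is unloaded on firewalld restart`) would save the next reader a trip to the bug tracker.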
@@ -0,0 +1,46 @@ +From a6f0c40b24ad977d7e32e4fd9cf87b57381f5e83 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 12 Sep 2017 01:13:55 +0200 +Subject: [PATCH 2/5] core: Log unsupported ICMP types as informational only + +iptables-1.4 lacks support for a number of ICMPv6 types. Since this is +not a problem per se, avoid unnecessarily alerting the user with two +warning messages for each of them. Instead, make these informational +messages only so the default configuration does not emit them. + +Fixes: RHBZ#1479951 +Signed-off-by: Phil Sutter +--- + src/firewall/core/fw.py | 2 +- + src/firewall/core/fw_icmptype.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index bc6ffe2dbc238..0dda11d49116a 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -502,7 +502,7 @@ class Firewall(object): + try: + self.icmptype.add_icmptype(obj) + except FirewallError as error: +- log.warning("%s: %s, ignoring for run-time." % \ ++ log.info1("%s: %s, ignoring for run-time." % \ + (obj.name, str(error))) + # add a deep copy to the configuration interface + self.config.add_icmptype(copy.deepcopy(obj)) +diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py +index 5bf1c7fe512c6..afe9f91d6bf6e 100644 +--- a/src/firewall/core/fw_icmptype.py ++++ b/src/firewall/core/fw_icmptype.py +@@ -67,7 +67,7 @@ class FirewallIcmpType(object): + else: + supported_icmps = [ ] + if obj.name.lower() not in supported_icmps: +- log.warning("ICMP type '%s' is not supported by the kernel for %s." % (obj.name, ipv)) ++ log.info1("ICMP type '%s' is not supported by the kernel for %s." % (obj.name, ipv)) + ipvs.remove(ipv) + if len(ipvs) != len(orig_ipvs): + if len(ipvs) < 1: +-- +2.13.1 + 
diff --git a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch new file mode 100644 index 0000000..98856f0 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch @@ -0,0 +1,33 @@ +From 136d2309988f7c379f6439363b53c14404738d7a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 14 Sep 2017 11:43:41 +0200 +Subject: [PATCH 4/5] doc: firewall-cmd: Document --query-* options return + codes + +The "EXIT CODES" section didn't cover the fact that all --query-* +options return 1 if no error occurred but the query itself was not +successful. + +Fixes: RHBZ#1372716 +Signed-off-by: Phil Sutter +--- + doc/xml/firewall-cmd.xml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml +index bdb5767634aaa..0b54b0be999c8 100644 +--- a/doc/xml/firewall-cmd.xml ++++ b/doc/xml/firewall-cmd.xml +@@ -2281,6 +2281,9 @@ firewall-cmd --permanent --add-port=443/tcp + + + ++ ++ Note that return codes of --query-* options are special: Successful queries return 0, unsuccessful ones return 1 unless an error occurred in which case the table above applies. ++ + + + &seealso; +-- +2.13.1 + diff --git a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch new file mode 100644 index 0000000..a777411 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch 
@@ -0,0 +1,45 @@ +From 2243b7f14921a1d8b24c8090d531451e7ab9e0dd Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Mon, 11 Sep 2017 18:47:21 +0200 +Subject: [PATCH 1/5] doc: firewall-cmd: Document quirk in --reload option + +Contrary to what one might assume, --reload and --complete-reload leave +changes done via the direct interface in place. + +Fixes: RHBZ#1452137 +Signed-off-by: Phil Sutter +--- + doc/xml/firewall-cmd.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml +index bf4e7a0c21a9c..bdb5767634aaa 100644 +--- a/doc/xml/firewall-cmd.xml ++++ b/doc/xml/firewall-cmd.xml +@@ -132,6 +132,11 @@ + i.e. all runtime only changes done until reload are lost with reload + if they have not been also in permanent configuration. + ++ ++ Note: Runtime changes applied via the direct interface are not ++ affected and will therefore stay in place until firewalld daemon ++ is restarted completely. ++ + + + +@@ -141,6 +146,11 @@ + + Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules. + ++ ++ Note: Runtime changes applied via the direct interface are not ++ affected and will therefore stay in place until firewalld daemon ++ is restarted completely. ++ + + + +-- +2.13.1 + diff --git a/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch b/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch new file mode 100644 index 0000000..9765e2f --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch 
@@ -0,0 +1,51 @@ +From 68834a49d9d55bffdc4febeaf23a892011399a63 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 13 Sep 2017 22:03:31 +0200 +Subject: [PATCH 3/5] firewall-cmd: Use colors only if output is a TTY + +Use isatty() method to check whether output is a TTY or not (e.g. +redirected to a file or pipe) before enclosing error messages in TTY +color escape strings. + +While here, simplify things a bit by making print_and_exit() call +print_warning() internally, also adjust commented out code for colored +non-error messages. + +Fixes: RHBZ#1368544 +Signed-off-by: Phil Sutter +--- + src/firewall/command.py | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/firewall/command.py b/src/firewall/command.py +index 2dc1c509ae556..50bd4bd0f4103 100644 +--- a/src/firewall/command.py ++++ b/src/firewall/command.py +@@ -64,17 +64,19 @@ class FirewallCommand(object): + def print_warning(self, msg=None): + FAIL = '\033[91m' + END = '\033[00m' +- self.print_error_msg(FAIL + msg + END) ++ if sys.stderr.isatty(): ++ msg = FAIL + msg + END ++ self.print_error_msg(msg) + + def print_and_exit(self, msg=None, exit_code=0): + #OK = '\033[92m' +- FAIL = '\033[91m' +- END = '\033[00m' ++ #END = '\033[00m' + if exit_code > 1: +- self.print_error_msg(FAIL + msg + END) ++ self.print_warning(msg) + else: ++ #if sys.stdout.isatty(): ++ # msg = OK + msg + END + self.print_msg(msg) +- #self.print_msg(OK + msg + END) + sys.exit(exit_code) + + def fail(self, msg=None): +-- +2.13.1 + diff --git a/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch b/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch new file mode 100644 index 0000000..46ba775 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch 
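Review bot: `print_warning` still declares `msg=None` but the new line `msg = FAIL + msg + END` concatenates it unconditionally, so calling it with the default raises TypeError instead of printing anything; either drop the default or guard with `if msg is not None and sys.stderr.isatty():`. The TTY test is made on `sys.stderr` while the actual destination is `print_error_msg`, defined outside the hunk — fine if that writes to stderr, worth a one-line comment otherwise. `print_and_exit` now carries three commented-out lines (`#OK`, `#END`, `#if sys.stdout.isatty()`); either implement the success colouring or delete them rather than leaving dead code behind.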
@@ -0,0 +1,60 @@ +From 75f06cb4139f6f00dfe952eac84ff31d3db014cb Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 14 Sep 2017 12:05:09 +0200 +Subject: [PATCH 5/5] firewall-offline-cmd: Don't require root for help output + +Allow unprivileged users to retrieve help output. + +Fixes: RHBZ#1445214 +Signed-off-by: Phil Sutter +--- + src/firewall-offline-cmd | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd +index 1b4550830b7bb..fccfb7251c4f5 100755 +--- a/src/firewall-offline-cmd ++++ b/src/firewall-offline-cmd +@@ -43,9 +43,10 @@ from firewall.core.io.helper import helper_reader + from firewall.command import FirewallCommand + + # check for root user +-if os.getuid() != 0: +- sys.stderr.write("You need to be root to run %s.\n" % sys.argv[0]) +- sys.exit(-1) ++def assert_root(): ++ if os.getuid() != 0: ++ sys.stderr.write("You need to be root to run %s.\n" % sys.argv[0]) ++ sys.exit(-1) + + SYSTEM_CONFIG_FIREWALL = config.SYSCONFIGDIR + '/system-config-firewall' + +@@ -775,6 +776,8 @@ if len(sys.argv) > 1 and \ + if a.help: + __usage() + sys.exit(0) ++ else: ++ assert_root() + if a.quiet: + # it makes no sense to use --quiet with these options + a.quiet = False +@@ -809,6 +812,7 @@ elif len(sys.argv) > 1: + args = aux_args[:i+1] # all but not + args.append(joinArgs(aux_args[i+1:])) # add as one arg + else: ++ assert_root() + # migrate configuration from SYSTEM_CONFIG_FIREWALL + args = read_sysconfig_args() + if not args: +@@ -1020,6 +1024,8 @@ if a.help: + __usage() + sys.exit(0) + ++assert_root() ++ + zone = a.zone + fw = Firewall_test() + fw.start() +-- +2.13.1 + diff --git a/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch b/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch new file mode 100644 index 0000000..d1b695c --- /dev/null +++ b/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch 
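Review bot: The root requirement now depends on every code path reaching one of the three `assert_root()` calls, where before it was unconditional at import; the calls cover the non-help branch of the first option form, the sysconfig-migration `else:` and the main flow just before `Firewall_test()`, but any future early path added between argument parsing and those calls will run without the check. A docstring on the helper such as `"""Exit unless running as root; only help output is allowed for other users."""` makes that intent explicit for the next editor. `sys.exit(-1)` exits with status 255; that predates this change, but `sys.exit(1)` is the conventional failure status if the function is being rewritten anyway.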
@@ -0,0 +1,47 @@ +From 8a8d61822d37639e1d952befc4528c32a3240dc5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 28 Nov 2017 20:56:38 +0100 +Subject: [PATCH] Fix and improve firewalld-sysctls.conf + +The output generated by the call to sysctl apparently messed up kernel +module auto-loading via iptables. To reproduce: + +| # iptables -F INPUT +| # rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack +| # iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes +| iptables: No chain/target/match by that name. + +This is solved by silencing sysctl with '--quiet' parameter. + +Another (potential) issue is that module parameters passed to modprobe +when manually loading nf_conntrack: + +| # modprobe --ignore-install nf_conntrack nf_conntrack_helper=1 +| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper +| Y +| # rmmod nf_conntrack +| # modprobe nf_conntrack nf_conntrack_helper=1 +| * Applying /usr/lib/sysctl.d/00-system.conf ... +| * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ... +| * Applying /usr/lib/sysctl.d/50-default.conf ... +| * Applying /etc/sysctl.d/99-sysctl.conf ... +| * Applying /etc/sysctl.conf ... +| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper +| N + +This is fixed by adding $CMDLINE_OPTS as last parameter to the modprobe +call as described in modprobe.conf(5). +--- + config/firewalld-sysctls.conf.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in +index 976027743e8f..945193f13c75 100644 +--- a/config/firewalld-sysctls.conf.in ++++ b/config/firewalld-sysctls.conf.in +@@ -1 +1 @@ +-install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system ++install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack $CMDLINE_OPTS && @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system +-- +2.12.0 + 
diff --git a/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch b/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch new file mode 100644 index 0000000..689b7a6 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch 
@@ -0,0 +1,71 @@ +From 8ec42cd1041ba342c9f87f51b62f80be278f682b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 21 Nov 2017 16:04:23 -0500 +Subject: [PATCH] firewalld: also reload dbus config interface for global + options + +These options require the firewall to be reloaded, but it was not also +reloading the dbus config interface. The interface objects would end up +pointing to stale cleanup()'d config objects (via firewall.core.fw +reload()). Therefore we also need to reload/refresh the config +interface. + +Fixes: rhbz 1514043 +--- + src/firewall/core/fw.py | 6 ------ + src/firewall/server/firewalld.py | 8 ++++++++ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 0dda11d49116..2a119b1dc4d4 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -1142,9 +1142,6 @@ class Firewall(object): + self._log_denied = value + self._firewalld_conf.set("LogDenied", value) + self._firewalld_conf.write() +- +- # now reload the firewall +- self.reload() + else: + raise FirewallError(errors.ALREADY_SET, value) + +@@ -1163,9 +1160,6 @@ class Firewall(object): + self._automatic_helpers = value + self._firewalld_conf.set("AutomaticHelpers", value) + self._firewalld_conf.write() +- +- # now reload the firewall +- self.reload() + else: + raise FirewallError(errors.ALREADY_SET, value) + +diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 9c5d463de793..fc7422f12261 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -939,6 +939,10 @@ class FirewallD(slip.dbus.service.Object): + self.accessCheck(sender) + self.fw.set_log_denied(value) + self.LogDeniedChanged(value) ++ # must reload the firewall as well ++ self.fw.reload() ++ self.config.reload() ++ self.Reloaded() + + @dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s') + @dbus_handle_exceptions +@@ -969,6 +973,10 @@ class 
FirewallD(slip.dbus.service.Object): + self.accessCheck(sender) + self.fw.set_automatic_helpers(value) + self.AutomaticHelpersChanged(value) ++ # must reload the firewall as well ++ self.fw.reload() ++ self.config.reload() ++ self.Reloaded() + + @dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s') + @dbus_handle_exceptions +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch b/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch new file mode 100644 index 0000000..947ba42 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch @@ -0,0 +1,28 @@ +From b20345ad5db13cf9a8ca8f5cb036ef526ab6693b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 12 Dec 2017 13:57:55 -0500 +Subject: [PATCH] services/high-availability: Add port 9929 + +TCP/UDP 9929 is used by boothd and should be opened for +high-availability. + +Resolves: RHBZ 1486143 +--- + config/services/high-availability.xml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/config/services/high-availability.xml b/config/services/high-availability.xml +index 002dd0e4a9d0..b6d14b793250 100644 +--- a/config/services/high-availability.xml ++++ b/config/services/high-availability.xml +@@ -7,5 +7,7 @@ + + + ++ ++ + + +-- +2.12.0 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index 77dc5b1..233b307 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec @@ -8,7 +8,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 0.4.4.4 -Release: 6%{?dist} +Release: 14%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/t-woerner/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz 
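Review bot: Removing `self.reload()` from `Firewall.set_log_denied` and `set_automatic_helpers` means any caller of those setters other than the two D-Bus methods shown (other callers, if any, are outside the hunk) now writes firewalld.conf without reloading, so the persisted setting and the running ruleset can diverge; if such callers exist they need the same reload, or the reload belongs in one shared place. The four added lines (`self.fw.reload()`, `self.config.reload()`, `self.Reloaded()` and the comment) are duplicated verbatim in `setLogDenied` and `setAutomaticHelpers`; if the class's existing reload D-Bus method performs the same sequence, calling it — or a private `_reload()` helper — keeps the behavior in one spot. `LogDeniedChanged`/`AutomaticHelpersChanged` are emitted before the reload runs, so a listener reacting to them may observe the old ruleset until the following `Reloaded` signal; a comment stating that ordering is intentional would help.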
@@ -23,6 +23,23 @@ Patch8: firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch Patch9: firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch Patch10: firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch Patch11: firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch +Patch12: firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch +Patch13: firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch +Patch14: firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch +Patch15: firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch +Patch16: firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch +Patch17: firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch +Patch18: firewalld-0.4.4.6-Add-NFSv3-service.patch +Patch19: firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch +Patch20: firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch +Patch21: firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch +Patch22: firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch +Patch23: firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch +Patch24: firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch +Patch25: firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch +Patch26: firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch +Patch27: firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch +Patch28: firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch BuildArch: noarch BuildRequires: desktop-file-utils 
@@ -145,6 +162,25 @@ firewalld. %patch9 -p1 -b .policy-choice_rhbz#1449754 %patch10 -p1 -b .translation-update-ja_rhbz#1382652 %patch11 -p1 -b .ipv6_icmptype_only_rich_rule_fix_rhbz#1459921 +%patch12 -p1 -b .functions-New-function-get_nf_nat_helpers-rhbz#1452681 +%patch13 -p1 -b .core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681 +%patch14 -p1 -b .core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681 +%patch15 -p1 -b .dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681 +%patch16 -p1 -b .D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017 +%patch17 -p1 -b .server.firewalld-New-property-for-NAT-helpe-rhbz#1452681 +# Do not create backup files with -b .Add-NFSv3-service_rhbz#1462088 for patch18 +%patch18 -p1 +%patch19 -p1 -b .Reload-nf_conntrack-sysctls-after-the-module-rhbz#1462977 +# Do not create backup files with -b .Add-missing-ports-to-RH-Satellite-6-service for patch20 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 -b .Fix-and-improve-firewalld-sysctls.conf +%patch27 -p1 -b .firewalld-also-reload-dbus-config-interface-for-glob +%patch28 -p1 ./autogen.sh %if 0%{?with_python3} @@ -270,6 +306,7 @@ fi %{_mandir}/man1/firewall*cmd*.1* %{_mandir}/man1/firewalld*.1* %{_mandir}/man5/firewall*.5* +%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf %files -n python-firewall %attr(0755,root,root) %dir %{python2_sitelib}/firewall 
@@ -339,6 +376,42 @@ fi %{_mandir}/man1/firewall-config*.1* %changelog +* Tue Dec 12 2017 Eric Garver - 0.4.4.4-14 +- services/high-availability: Add port 9929 (RHBZ#1486143) + +* Wed Dec 06 2017 Eric Garver - 0.4.4.4-13 +- firewalld: also reload dbus config interface for global options + (RHBZ#1514043) + +* Wed Dec 06 2017 Eric Garver - 0.4.4.4-12 +- Fix and improve firewalld-sysctls.conf (RHBZ#1516881) + +* Mon Sep 18 2017 Phil Sutter - 0.4.4.4-11 +- core: Log unsupported ICMP types as informational only (RHBZ#1479951) +- doc: firewall-cmd: Document --query-* options return codes (RHBZ#1372716) +- doc: firewall-cmd: Document quirk in --reload option (RHBZ#1452137) +- firewall-cmd: Use colors only if output is a TTY (RHBZ#1368544) +- firewall-offline-cmd: Don't require root for help output (RHBZ#1445214) + +* Wed Sep 06 2017 Eric Garver - 0.4.4.4-10 +- Add missing ports to RH-Satellite-6 service (RHBZ#1422149) + +* Fri Aug 18 2017 Eric Garver - 0.4.4.4-9 +- Reload nf_conntrack sysctls after the module is loaded (RHBZ#1462977) + +* Sun Aug 13 2017 Eric Garver - 0.4.4.4-8 +- Add NFSv3 service (a127d697177b) (RHBZ#1462088) + +* Thu Aug 10 2017 Eric Garver - 0.4.4.4-7 +- firewall.functions: New function get_nf_nat_helpers (RHBZ#1452681) +- firewall.core.fw: Get NAT helpers and store them internally. (RHBZ#1452681) +- firewall.core.fw_zone: Load NAT helpers with conntrack helpers (RHBZ#1452681) +- firewalld.dbus: Add missing properties nf_conntrach_helper_setting and + nf_conntrack_helpers (RHBZ#1452681) +- D-Bus interfaces: Fix GetAll for interfaces without properties (RHBZ#1452017) +- firewall.server.firewalld: New property for NAT helpers supported by the + kernel (RHBZ#1452681) + * Mon Jun 12 2017 Thomas Woerner - 0.4.4.4-6 - IPv6 ICMP type only rich-rule fix (cf50bd0) (RHBZ#1459921)