diff --git a/.firewalld.metadata b/.firewalld.metadata
new file mode 100644
index 0000000..23ab0b0
--- /dev/null
+++ b/.firewalld.metadata
@@ -0,0 +1 @@
+e558ccbfd8a0e08d9339cf1506d8856d3533ed82 SOURCES/firewalld-0.8.0.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..14b4503
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/firewalld-0.8.0.tar.gz
diff --git a/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch b/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch
new file mode 100644
index 0000000..ea33abc
--- /dev/null
+++ b/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch
@@ -0,0 +1,132 @@ +From ff17d85fd863e7be2b4088c92360185aca6693b0 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 7 Nov 2019 08:21:52 -0500 +Subject: [PATCH] fix: CLI: service: also output helpers for service info + +Fixes: 0c07b704f76d ("feat: CLI: add "helper" support for services") +Fixes: rhbz 1769520 +(cherry picked from commit 6bfffe65f55b727afc37a8c1fb4068f6589bb890) +--- + src/firewall/command.py | 2 ++ + src/tests/features/helpers_custom.at | 42 ++++++++++++++++++++++++++- + src/tests/features/service_include.at | 3 ++ + 3 files changed, 46 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/command.py b/src/firewall/command.py +index 85e58d731a80..c371dc23584c 100644 +--- a/src/firewall/command.py ++++ b/src/firewall/command.py +@@ -449,6 +449,7 @@ class FirewallCommand(object): + destinations = settings.getDestinations() + short_description = settings.getShort() + includes = settings.getIncludes() ++ helpers = settings.getHelpers() + self.print_msg(service) + if self.verbose: + self.print_msg(" summary: " + short_description) +@@ -464,6 +465,7 @@ class FirewallCommand(object): + " ".join(["%s:%s" % (k, v) + for k, v in destinations.items()])) + self.print_msg(" includes: " + " ".join(sorted(includes))) ++ self.print_msg(" helpers: " + " ".join(sorted(helpers))) + + def print_icmptype_info(self, icmptype, settings): + destinations = settings.getDestinations() +diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at +index c65f067a06ec..4c9024d1e2b8 100644 +--- a/src/tests/features/helpers_custom.at ++++ b/src/tests/features/helpers_custom.at +@@ -1,5 +1,5 @@ + FWD_START_TEST([customer helpers]) +-AT_KEYWORDS(helpers rhbz1733066 gh514) ++AT_KEYWORDS(helpers rhbz1733066 gh514 rhbz1769520) + + FWD_CHECK([-q --permanent --new-helper="ftptest" --module="nf_conntrack_ftp"]) + FWD_CHECK([-q --permanent --helper=ftptest --add-port="2121/tcp"]) +@@ -8,7 +8,27 @@ FWD_CHECK([-q --permanent --new-service="ftptest"]) + 
FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"]) + FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"]) + FWD_CHECK([-q --permanent --service=ftptest --add-port="2121/tcp"]) ++FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl ++ftptest ++ ports: 2121/tcp ++ protocols: ++ source-ports: ++ modules: ftptest ++ destination: ++ includes: ++ helpers: ++])]) + FWD_RELOAD ++FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl ++ftptest ++ ports: 2121/tcp ++ protocols: ++ source-ports: ++ modules: ftptest ++ destination: ++ includes: ++ helpers: ++])]) + + FWD_CHECK([-q --add-service=ftptest]) + +@@ -42,7 +62,27 @@ dnl Same thing as above, but with the new "helper" in service. + FWD_CHECK([-q --permanent --service=ftptest --remove-module="ftptest"]) + FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"], 1) + FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftptest"]) ++FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl ++ftptest ++ ports: 2121/tcp ++ protocols: ++ source-ports: ++ modules: ++ destination: ++ includes: ++ helpers: ftptest ++])]) + FWD_RELOAD ++FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl ++ftptest ++ ports: 2121/tcp ++ protocols: ++ source-ports: ++ modules: ++ destination: ++ includes: ++ helpers: ftptest ++])]) + + FWD_CHECK([-q --add-service=ftptest]) + +diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at +index 219d5b42767b..7f02701a9419 100644 +--- a/src/tests/features/service_include.at ++++ b/src/tests/features/service_include.at +@@ -76,6 +76,7 @@ my-service-with-include + modules: + destination: + includes: mdns recursive-service ssdp ++ helpers: + ])]) + FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl + my-service-with-include +@@ -85,6 +86,7 @@ my-service-with-include + modules: + destination: + 
includes: mdns recursive-service ssdp ++ helpers: + ])]) + + dnl firewall-offline-cmd +@@ -106,6 +108,7 @@ my-service-with-include + modules: + destination: + includes: mdns recursive-service ssdp ++ helpers: + ])]) + + dnl negative test for including service that doesn't exist +-- +2.23.0 + diff --git a/SOURCES/0003-fix-reload-let-NM-interface-assignments-override-per.patch b/SOURCES/0003-fix-reload-let-NM-interface-assignments-override-per.patch new file mode 100644 index 0000000..1adac02 --- /dev/null +++ b/SOURCES/0003-fix-reload-let-NM-interface-assignments-override-per.patch @@ -0,0 +1,32 @@ +From d4866bf76574a436372204583f4194ca01beb265 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 19 Nov 2019 11:34:03 -0500 +Subject: [PATCH 03/37] fix: reload: let NM interface assignments override + permanent config + +Use the change interface call instead of add interface. This lets NM +override the permanent interface assignment. + +Fixes: rhbz 1773809 +(cherry picked from commit a3265daf5b8092878e82fc7840e56bb0b36a43ea) +(cherry picked from commit 48bde3b3343cbdd35af58958467b8e64e10f3821) +--- + src/firewall/core/fw.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 4dc6a4f47aff..050fb9cd976d 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -988,7 +988,7 @@ class Firewall(object): + if nm_bus_name: + for zone in self.zone.get_zones() + [""]: + for interface in nm_get_interfaces_in_zone(zone): +- self.zone.add_interface(zone, interface, sender=nm_bus_name) ++ self.zone.change_zone_of_interface(zone, interface, sender=nm_bus_name) + + self._panic = _panic + if not self._panic: +-- +2.23.0 + diff --git a/SOURCES/0004-fix-dbus-firewall.conf-fix-check-for-AutomaticHelper.patch b/SOURCES/0004-fix-dbus-firewall.conf-fix-check-for-AutomaticHelper.patch new file mode 100644 index 0000000..1997db6 --- /dev/null 
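Review bot: In the fw.py hunk of patch 0003, the new `self.zone.change_zone_of_interface(zone, interface, sender=nm_bus_name)` call lets a zone reported by NetworkManager replace the permanent interface binding on every reload, and nothing visible in the hunk records that this happened. Since the zone decides which rules apply to the interface, an interface an administrator pinned to a restrictive zone can end up in a more permissive one with no trace in the log. I would add a comment on the call, `# NM's zone assignment wins over the permanent config on reload (rhbz 1773809)`, and emit a log line naming the interface and the zone it was moved to at the same place. The enclosing method of `Firewall` starts and ends outside the hunk, so whether the callee already logs the move cannot be confirmed from here.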
+++ b/SOURCES/0004-fix-dbus-firewall.conf-fix-check-for-AutomaticHelper.patch @@ -0,0 +1,31 @@ +From e4d104ed8546e457d223dc1472942427241f0e44 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 2 Dec 2019 08:47:47 -0500 +Subject: [PATCH 04/37] fix: dbus/firewall.conf: fix check for AutomaticHelpers + +If nft fib is not available the test was checking for "system", but it +always yields "no". + +Fixes: 6cd756b15685 ("chore: deprecate AutomaticHelpers") +(cherry picked from commit 58c19a06e9b47bc16cc00d2b7d26d5fce6f91a7a) +(cherry picked from commit 3fbeb0d92fa632ecd7174afccd8e5cb71c9adaa6) +--- + src/tests/dbus/firewalld.conf.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index a26be3213d79..06f6df9bdd70 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -17,7 +17,7 @@ string "MinimalMark" : variant int32 100 + string "RFC3964_IPv4" : variant string "yes" + ])], [ + DBUS_GETALL([config], [config], 0, [dnl +-string "AutomaticHelpers" : variant string "system" ++string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" + string "FirewallBackend" : variant string "nftables" +-- +2.23.0 + diff --git a/SOURCES/0005-fix-test-CHECK_NAT_COEXISTENCE-only-check-for-kernel.patch b/SOURCES/0005-fix-test-CHECK_NAT_COEXISTENCE-only-check-for-kernel.patch new file mode 100644 index 0000000..69af3b5 --- /dev/null +++ b/SOURCES/0005-fix-test-CHECK_NAT_COEXISTENCE-only-check-for-kernel.patch 
@@ -0,0 +1,38 @@ +From f9dc97f5161eea0900b9e99bb29e8a4d5cda3109 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 2 Dec 2019 09:08:00 -0500 +Subject: [PATCH 05/37] fix: test: CHECK_NAT_COEXISTENCE: only check for kernel + version + +Calling modprobe is problematic inside a container. Just check if the +running kernel is >4.18 as this is when NAT coexistence was fixed. + +(cherry picked from commit 2b7d150d4b15b4b3876df0179cd08aaae33f2e38) +(cherry picked from commit fd54fafb9e43f2e0a396b8c502ef81bc738affeb) +--- + src/tests/functions.at | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index fc53f591b1bf..31d1a3c187e4 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -436,13 +436,8 @@ m4_define([CHECK_NAT_COEXISTENCE], [ + m4_if(nftables, FIREWALL_BACKEND, [ + KERNEL_MAJOR=`uname -r | cut -d. -f1` + KERNEL_MINOR=`uname -r | cut -d. -f2` +- if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 16 || test ${KERNEL_MAJOR} -gt 4; then +- dnl Only check >=4.16 kernels. Previous versions did not explicitly +- dnl deny it, but had undefined behavior. +- AT_SKIP_IF([! modprobe iptable_nat]) +- AT_SKIP_IF([! NS_CMD([nft add table ip foobar])]) +- AT_SKIP_IF([! NS_CMD([nft add chain ip foobar foobar_chain { type nat hook postrouting priority 100 \; }])]) +- NS_CHECK([nft delete table ip foobar]) ++ if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 18 || test ${KERNEL_MAJOR} -gt 4; then ++ : + else + AT_SKIP_IF([true]) + fi +-- +2.23.0 + diff --git a/SOURCES/0006-fix-test-direct-passthrough-no-need-to-check-for-dum.patch b/SOURCES/0006-fix-test-direct-passthrough-no-need-to-check-for-dum.patch new file mode 100644 index 0000000..ba5a465 --- /dev/null +++ b/SOURCES/0006-fix-test-direct-passthrough-no-need-to-check-for-dum.patch 
@@ -0,0 +1,28 @@ +From 3268ec28df668efcf8fd8fc3017d0768b0c70fe1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 5 Dec 2019 12:31:06 -0500 +Subject: [PATCH 06/37] fix: test: direct passthrough: no need to check for + dummy module + +(cherry picked from commit 3b9e8565a224937bb6c6b950ae3596abacc14c5d) +(cherry picked from commit 7b2740294a86cca114e8ce3938b5b0ba8f5bd28f) +--- + src/tests/firewall-cmd.at | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at +index 540bdb8b1065..51b367e7a0f0 100644 +--- a/src/tests/firewall-cmd.at ++++ b/src/tests/firewall-cmd.at +@@ -866,8 +866,6 @@ FWD_END_TEST + FWD_START_TEST([direct passthrough]) + AT_KEYWORDS(direct passthrough) + +- AT_CHECK([if ! modprobe dummy; then exit 77; fi]) +- + FWD_CHECK([--direct --passthrough ipv4 --table mangle --append POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill], 0, ignore) + FWD_CHECK([--direct --passthrough ipv4 --table mangle --delete POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill], 0, ignore) + +-- +2.23.0 + diff --git a/SOURCES/0007-fix-test-functions-FWD_END_TEST-improve-grep-for-err.patch b/SOURCES/0007-fix-test-functions-FWD_END_TEST-improve-grep-for-err.patch new file mode 100644 index 0000000..9e58b02 --- /dev/null +++ b/SOURCES/0007-fix-test-functions-FWD_END_TEST-improve-grep-for-err.patch 
@@ -0,0 +1,32 @@ +From 0c254abccf3553192e13f736351926c5fa45df0b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 9 Dec 2019 16:57:13 -0500 +Subject: [PATCH 07/37] fix: test/functions: FWD_END_TEST: improve grep for + errors/warnings + +Match more specifically so we don't accidentally match a debug log that +also has "ERROR:" or "WARNING:" as is common for modprobes. + +(cherry picked from commit 5f67a78a68a4b5117d7be3402fc9dd639f318a60) +(cherry picked from commit ec0e86677372e994151263a3cb0f1124e2df219b) +--- + src/tests/functions.at | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 31d1a3c187e4..1bed8a4f3a6c 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -150,8 +150,7 @@ m4_define([FWD_END_TEST], [ + if test -n "$1"; then + sed -i $1 ./firewalld.log + fi +- AT_FAIL_IF([grep ERROR ./firewalld.log]) +- AT_FAIL_IF([grep WARNING ./firewalld.log]) ++ AT_FAIL_IF([grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]) + fi + m4_undefine([CURRENT_DBUS_ADDRESS]) + m4_undefine([CURRENT_TEST_NS]) +-- +2.23.0 + diff --git a/SOURCES/0008-test-build-add-support-for-running-in-containers.patch b/SOURCES/0008-test-build-add-support-for-running-in-containers.patch new file mode 100644 index 0000000..0af31d4 --- /dev/null +++ b/SOURCES/0008-test-build-add-support-for-running-in-containers.patch 
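Review bot: The pattern that replaces the two greps in FWD_END_TEST only fails a test on ERROR or WARNING lines that begin with a date and a time, so any such line written to firewalld.log without that prefix (if the logger ever emits one) now passes unnoticed where the removed `grep ERROR` and `grep WARNING` caught it. `\+` and `\|` are GNU extensions to basic regular expressions; `grep -E '^[0-9-]*[ ]+[0-9:]*[ ]+(ERROR|WARNING)'` expresses the same match portably. A one-line `dnl` comment giving the expected log line layout next to the check would help keep the anchor in sync with the logger format. The macro body begins outside the hunk.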
@@ -0,0 +1,75 @@ +From d059664e2de82a2e212fe14f3799450ca4ef5a51 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 27 Nov 2019 13:32:42 -0500 +Subject: [PATCH 08/37] test: build: add support for running in containers + +This is just a dummy target at the moment. + +(cherry picked from commit df13ebc5d8df69b0b0b15c6777c8bb906a67bf5b) +(cherry picked from commit 11c36a3c81987f4e34bf87e99d0800401c24561f) +--- + Makefile.am | 3 +++ + README | 7 +++++++ + configure.ac | 1 + + src/tests/Makefile.am | 4 ++++ + 4 files changed, 15 insertions(+) + +diff --git a/Makefile.am b/Makefile.am +index b3dbce1f2b11..c377d6f63792 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -78,6 +78,9 @@ dist-check: + exit 1; \ + fi + ++check-container: ++ $(MAKE) -C src/tests $@ ++ + update-docs: + $(MAKE) -C doc/xml + +diff --git a/README b/README +index 181d50f301e9..9cb2ef4a15b7 100644 +--- a/README ++++ b/README +@@ -102,6 +102,13 @@ Or just the keywords + |awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \ + |tr ' ' '\n' |sort |uniq + ++There is also a check-container target that will run the testsuite inside ++various podman/docker containers. This is useful for coverage of multiple ++distributions. As a bonus, it allows us to run tests that may be destructive to ++the host (container) such as NetworkManager integration tests. 
++ ++ make check-container TESTSUITEFLAGS="-j4" ++ + RPM package + ----------- + +diff --git a/configure.ac b/configure.ac +index 39d6af1f89f1..0758c69d442c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -36,6 +36,7 @@ AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod]) + AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl]) + + AC_CONFIG_TESTDIR([src/tests]) ++AC_PATH_PROGS([PODMAN], [podman docker], [/bin/false]) + + GLIB_GSETTINGS + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index 09bf699b81d0..84c076c847b0 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -41,3 +41,7 @@ AUTOTEST = $(AUTOM4TE) --language=autotest + $(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4 + $(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at + mv $@.tmp $@ ++ ++check-container: ++ ++.PHONY: check-container +-- +2.23.0 + diff --git a/SOURCES/0009-test-check-container-add-support-for-debian-sid.patch b/SOURCES/0009-test-check-container-add-support-for-debian-sid.patch new file mode 100644 index 0000000..9569ca5 --- /dev/null +++ b/SOURCES/0009-test-check-container-add-support-for-debian-sid.patch 
@@ -0,0 +1,43 @@ +From 616ab06147e174ac69b2e1cfff73e4519058676c Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 10 Dec 2019 10:18:00 -0500 +Subject: [PATCH 09/37] test: check-container: add support for debian sid + +(cherry picked from commit be2a4c06c7bc7fcf9efc710ffc459b2a24118457) +(cherry picked from commit f7252214a08c33c81bb613514e24af95dc2ed096) +--- + src/tests/Makefile.am | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index 84c076c847b0..4939fb818459 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -42,6 +42,23 @@ $(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4 + $(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at + mv $@.tmp $@ + +-check-container: ++check-container-debian-sid: ++ (cd $(abs_top_srcdir) && tar -c . ) | \ ++ $(PODMAN) run -i --rm --privileged debian:sid bash -c \ ++ "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \ ++ apt-get update && \ ++ apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \ ++ xsltproc docbook-xsl docbook-xml iptables ipset ebtables \ ++ nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \ ++ python3-dbus python3-gi python3-slip-dbus python3-nftables \ ++ procps && \ ++ apt-get install -y libnftables-dev && \ ++ ./autogen.sh && \ ++ ./configure PYTHON=/usr/bin/python3 && \ ++ make && \ ++ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" " ++ ++check-container: check-container-debian-sid + + .PHONY: check-container ++.PHONY: check-container-debian-sid +-- +2.23.0 + diff --git a/SOURCES/0010-test-check-container-add-support-for-fedora-rawhide.patch b/SOURCES/0010-test-check-container-add-support-for-fedora-rawhide.patch new file mode 100644 index 0000000..ae5278d --- /dev/null +++ b/SOURCES/0010-test-check-container-add-support-for-fedora-rawhide.patch 
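Review bot: The `check-container-debian-sid` recipe runs the full build and test suite in a `--privileged` container started from the floating tag `debian:sid`, which gives the container close to unrestricted access to host devices and kernel interfaces while the image contents change from run to run. If the suite only needs network namespaces and netfilter, a narrower grant such as `--cap-add NET_ADMIN --cap-add SYS_ADMIN` (to be confirmed against what the tests actually require) and an image pinned by digest, `debian@sha256:<digest placeholder>`, would limit what a bad image or a destructive test can reach. `$(TESTSUITEFLAGS)` is also pasted into the double-quoted `bash -c` string, so a value containing a quote changes the command that runs inside the container. The same points apply to `check-container-fedora-rawhide` in patch 0010 and to the lines patch 0016 adds to both recipes.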
@@ -0,0 +1,44 @@ +From c9b56988eeee3da0b987adce79536ae4a4f2b6d0 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 10 Dec 2019 10:15:13 -0500 +Subject: [PATCH 10/37] test: check-container: add support for fedora rawhide + +(cherry picked from commit 8168904f2dd1ecdec17638854e7630f2ccc90860) +(cherry picked from commit 25f35e1c400f68f33773d162d84f9a7af8aa9938) +--- + src/tests/Makefile.am | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index 4939fb818459..cef17b6eba4b 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -58,7 +58,25 @@ check-container-debian-sid: + make && \ + make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" " + ++check-container-fedora-rawhide: ++ (cd $(abs_top_srcdir) && tar -c . ) | \ ++ $(PODMAN) run -i --rm --privileged fedora:rawhide bash -c \ ++ "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \ ++ dnf -y makecache && \ ++ dnf -y install autoconf automake conntrack-tools desktop-file-utils \ ++ docbook-style-xsl file gettext glib2-devel intltool ipset \ ++ iptables iptables-nft libtool libxml2 libxslt make nftables \ ++ python3-nftables python3-slip-dbus python3-gobject-base \ ++ diffutils procps-ng iproute which dbus-daemon && \ ++ alternatives --set ebtables /usr/sbin/ebtables-nft && \ ++ ./autogen.sh && \ ++ ./configure PYTHON=/usr/bin/python3 && \ ++ make && \ ++ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" " ++ + check-container: check-container-debian-sid ++check-container: check-container-fedora-rawhide + + .PHONY: check-container + .PHONY: check-container-debian-sid ++.PHONY: check-container-fedora-rawhide +-- +2.23.0 + diff --git a/SOURCES/0011-fix-test-leave-cleanup-for-tests-cases.patch b/SOURCES/0011-fix-test-leave-cleanup-for-tests-cases.patch new file mode 100644 index 0000000..5365062 --- /dev/null +++ b/SOURCES/0011-fix-test-leave-cleanup-for-tests-cases.patch 
@@ -0,0 +1,45 @@ +From 1fff192d3dcc8dfaf1e9f8ef4a5e427772ce23bc Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 16 Dec 2019 15:47:24 -0500 +Subject: [PATCH 11/37] fix: test: leave "cleanup" for tests cases + +Introduce "cleanup_late" for high level stuff not used by test cases. + +(cherry picked from commit ebe4ee52658bb26d976bd2e7149c3ac1a5be65c7) +(cherry picked from commit 6068bb9ae8fca3f87edc194567909b34ee071276) +--- + src/tests/functions.at | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 1bed8a4f3a6c..46bcd369864f 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -89,12 +89,13 @@ m4_define([FWD_START_TEST], [ + + dnl run cleanup commands on test exit + echo "" > cleanup +- trap ". ./cleanup; kill_firewalld" EXIT ++ echo "" > cleanup_late ++ trap ". ./cleanup; kill_firewalld; . ./cleanup_late" EXIT + + dnl create a namespace and dbus-daemon + m4_define([CURRENT_DBUS_ADDRESS], [unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}]) + m4_define([CURRENT_TEST_NS], [fwd-test-${at_group_normalized}]) +- echo "ip netns delete CURRENT_TEST_NS" >> ./cleanup ++ echo "ip netns delete CURRENT_TEST_NS" >> ./cleanup_late + AT_CHECK([ip netns add CURRENT_TEST_NS]) + AT_DATA([./dbus.conf], [ + > ./cleanup ++ echo "kill $DBUS_PID" >> ./cleanup_late + + FWD_START_FIREWALLD + ]) +-- +2.23.0 + diff --git a/SOURCES/0012-test-functions-new-macros-for-starting-stopping-Netw.patch b/SOURCES/0012-test-functions-new-macros-for-starting-stopping-Netw.patch new file mode 100644 index 0000000..a0c03e5 --- /dev/null +++ b/SOURCES/0012-test-functions-new-macros-for-starting-stopping-Netw.patch 
@@ -0,0 +1,129 @@ +From 8a1ee3a46ca31d36e1b5702971d8f0b6240edc93 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 19 Nov 2019 15:31:28 -0500 +Subject: [PATCH 12/37] test: functions: new macros for starting/stopping + NetworkManager + +(cherry picked from commit fd99d328cf9713445428d4b8c4317377ee494981) +(cherry picked from commit 689c833fc83e2f858792f7f5e979b413421a8e0d) +--- + src/tests/functions.at | 85 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 84 insertions(+), 1 deletion(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 46bcd369864f..f59eef80c348 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -34,6 +34,48 @@ m4_define([FWD_START_FIREWALLD], [ + AT_FAIL_IF([test $up -ne 1]) + ]) + ++m4_define([START_NETWORKMANAGER], [ ++ AT_SKIP_IF([! NS_CMD([which NetworkManager >/dev/null 2>&1])]) ++ AT_SKIP_IF([! NS_CMD([which nmcli >/dev/null 2>&1])]) ++ ++ AT_DATA([./NetworkManager.conf], [dnl ++[[main]] ++plugins= ++ ++[[logging]] ++#level=DEBUG ++#domains=ALL ++]) ++ ++ NM_ARGS="--no-daemon --config ./NetworkManager.conf" ++ NS_CMD([NetworkManager $NM_ARGS &]) ++ if test $? -ne 0; then ++ AT_FAIL_IF([:]) ++ fi ++ echo "$!" 
> networkmanager.pid ++ ++ dnl Give it some time for the dbus interface to come up ++ up=0 ++ for I in 1 2 3 4 5 6 7 8 9 0; do ++ if NS_CMD([nmcli general status >/dev/null 2>&1]); then ++ up=1 ++ break ++ fi ++ sleep 1 ++ done ++ AT_FAIL_IF([test $up -ne 1]) ++]) ++ ++m4_define([STOP_NETWORKMANAGER], [ ++ pid=$(< networkmanager.pid) ++ kill $pid ++ for I in 1 2 3 4 5 6 7 8 9 0; do ++ ps --pid $pid >/dev/null || { pid=0; break; } ++ sleep 1 ++ done ++ test $pid -eq 0 || { kill -9 $pid; sleep 3; } ++]) ++ + m4_define([FWD_RELOAD], [ + FWD_CHECK([-q --reload], [$1], [$2], [$3]) + FWD_CHECK([-q --state], [$4], [$5], [$6]) +@@ -86,11 +128,16 @@ m4_define([FWD_START_TEST], [ + function kill_firewalld() { + FWD_STOP_FIREWALLD + } ++ function kill_networkmanager() { ++ if test -f networkmanager.pid; then ++ STOP_NETWORKMANAGER ++ fi ++ } + + dnl run cleanup commands on test exit + echo "" > cleanup + echo "" > cleanup_late +- trap ". ./cleanup; kill_firewalld; . ./cleanup_late" EXIT ++ trap ". ./cleanup; kill_firewalld; kill_networkmanager; . ./cleanup_late" EXIT + + dnl create a namespace and dbus-daemon + m4_define([CURRENT_DBUS_ADDRESS], [unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}]) +@@ -130,6 +177,42 @@ m4_define([FWD_START_TEST], [ + send_interface="org.freedesktop.DBus.Properties"/> + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + ]) + DBUS_PID=`NS_CMD([dbus-daemon --address="CURRENT_DBUS_ADDRESS" --print-pid --config-file="./dbus.conf"])` +-- +2.23.0 + diff --git a/SOURCES/0013-test-functions-add-macro-NMCLI_CHECK.patch b/SOURCES/0013-test-functions-add-macro-NMCLI_CHECK.patch new file mode 100644 index 0000000..d6b0d71 --- /dev/null +++ b/SOURCES/0013-test-functions-add-macro-NMCLI_CHECK.patch 
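Review bot: In START_NETWORKMANAGER the `if test $? -ne 0` check that follows `NS_CMD([NetworkManager $NM_ARGS &])` does not reflect whether NetworkManager started, because the command is sent to the background and the shell reports status 0 for that; a failed start is only noticed later by the `nmcli general status` polling loop. I would drop the three-line check, or keep the loop as the single start-up gate and say so in a comment such as `dnl start-up failure is detected by the nmcli poll below`. NS_CMD is defined outside this hunk, so its exact expansion is assumed here. The D-Bus policy lines this patch adds to dbus.conf are not readable on this page and were not reviewed.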
@@ -0,0 +1,30 @@ +From 520420aa83eda967cdb8b30527886eed5dcec8fe Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 19 Nov 2019 13:14:45 -0500 +Subject: [PATCH 13/37] test: functions: add macro NMCLI_CHECK + +Useful for NetworkManager integration tests. + +(cherry picked from commit 608f00749967ba71b04c4cbb86f5877382aaee07) +(cherry picked from commit ca41c60bde8897d218e1046fab2549278a3105da) +--- + src/tests/functions.at | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index f59eef80c348..e79557350558 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -586,3 +586,9 @@ m4_define([IF_HOST_SUPPORTS_IPV6_RULES], [ + IF_HOST_SUPPORTS_IP6TABLES([$1], [$2]) + ])]) + ]) ++ ++m4_define([NMCLI_CHECK], [ ++ AT_SKIP_IF([! NS_CMD([nmcli connection show >/dev/null 2>&1])]) ++ NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])], ++ [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6]) ++]) +-- +2.23.0 + diff --git a/SOURCES/0014-test-build-support-integration-tests.patch b/SOURCES/0014-test-build-support-integration-tests.patch new file mode 100644 index 0000000..a5b427e --- /dev/null +++ b/SOURCES/0014-test-build-support-integration-tests.patch 
@@ -0,0 +1,100 @@ +From a49f1e42bc8ac34df7790446e3a421d376c4d216 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 16 Dec 2019 13:11:24 -0500 +Subject: [PATCH 14/37] test: build: support integration tests + +These use the target "check-integration". We use a separate target +because these tests may be destructive to the host. The plan is to run +them from within the "check-container" target. + +(cherry picked from commit ab6c22b8419f5eb333484376ea41d592c809eb2a) +(cherry picked from commit 50c393d5618bf34110b59a3805963444e5f41e3a) +--- + Makefile.am | 4 +++- + src/tests/Makefile.am | 17 ++++++++++++++++- + src/tests/integration/testsuite.at | 11 +++++++++++ + 3 files changed, 30 insertions(+), 2 deletions(-) + create mode 100644 src/tests/integration/testsuite.at + +diff --git a/Makefile.am b/Makefile.am +index c377d6f63792..85da0b5857d2 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -78,9 +78,11 @@ dist-check: + exit 1; \ + fi + +-check-container: ++check-container check-integration installcheck-integration: + $(MAKE) -C src/tests $@ + ++.PHONY: check-container check-integration installcheck-integration ++ + update-docs: + $(MAKE) -C doc/xml + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index cef17b6eba4b..c00c198bf9bb 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -1,12 +1,16 @@ + TESTSUITE = $(srcdir)/testsuite ++TESTSUITE_INTEGRATION = $(srcdir)/integration/testsuite ++ + TESTSUITE_FILES = \ + $(wildcard $(srcdir)/*.at) \ + $(wildcard $(srcdir)/dbus/*.at) \ + $(wildcard $(srcdir)/features/*.at) \ ++ $(wildcard $(srcdir)/integration/*.at) \ + $(wildcard $(srcdir)/regression/*.at) + + EXTRA_DIST = \ + $(TESTSUITE) \ ++ $(TESTSUITE_INTEGRATION) \ + $(TESTSUITE_FILES) \ + $(wildcard $(srcdir)/python/*.py) \ + $(srcdir)/package.m4 \ +@@ -38,7 +42,7 @@ clean-local: + + AUTOM4TE = $(SHELL) $(top_srcdir)/missing --run autom4te + AUTOTEST = $(AUTOM4TE) --language=autotest +-$(TESTSUITE): $(TESTSUITE_FILES) 
$(srcdir)/package.m4 ++$(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4 + $(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at + mv $@.tmp $@ + +@@ -80,3 +84,14 @@ check-container: check-container-fedora-rawhide + .PHONY: check-container + .PHONY: check-container-debian-sid + .PHONY: check-container-fedora-rawhide ++ ++check-integration: atconfig atlocal $(TESTSUITE_INTEGRATION) ++ $(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS) \ ++ AUTOTEST_PATH="src" \ ++ PYTHONPATH="${abs_top_srcdir}/src:${PYTHONPATH}" \ ++ FIREWALLD_DEFAULT_CONFIG="${abs_top_srcdir}/config" ++ ++installcheck-integration: atconfig atlocal $(TESTSUITE_INTEGRATION) ++ $(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS) ++ ++.PHONY: check-integration installcheck-integration +diff --git a/src/tests/integration/testsuite.at b/src/tests/integration/testsuite.at +new file mode 100644 +index 000000000000..bbaf07a191b9 +--- /dev/null ++++ b/src/tests/integration/testsuite.at +@@ -0,0 +1,11 @@ ++AT_INIT ++AT_COLOR_TESTS ++ ++dnl Override m4_include to avoid warning about inclusion ++dnl ++m4_define([m4_include], [m4_builtin([include], [$1])]) ++ ++m4_include([functions.at]) ++ ++m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [ ++]) +-- +2.23.0 + diff --git a/SOURCES/0015-test-integration-NM-zone-overrides-interface-on-relo.patch b/SOURCES/0015-test-integration-NM-zone-overrides-interface-on-relo.patch new file mode 100644 index 0000000..d088771 --- /dev/null +++ b/SOURCES/0015-test-integration-NM-zone-overrides-interface-on-relo.patch 
@@ -0,0 +1,72 @@ +From f8283f747843e50d6d088bc864ae232744a085d5 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 16 Dec 2019 13:33:08 -0500 +Subject: [PATCH 15/37] test: integration: NM zone overrides interface on + reload + +Coverage for rhbz 1773809 + +(cherry picked from commit ea97fb2bde6fb683b1ba2c41882d6d4f63299255) +(cherry picked from commit 04b8394c0a8344d5225b0716e23dc0558d2fc594) +--- + src/tests/integration/networkmanager.at | 2 ++ + src/tests/integration/rhbz1773809.at | 27 +++++++++++++++++++++++++ + src/tests/integration/testsuite.at | 1 + + 3 files changed, 30 insertions(+) + create mode 100644 src/tests/integration/networkmanager.at + create mode 100644 src/tests/integration/rhbz1773809.at + +diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at +new file mode 100644 +index 000000000000..08cf6d28451a +--- /dev/null ++++ b/src/tests/integration/networkmanager.at +@@ -0,0 +1,2 @@ ++AT_BANNER([NetworkManager (FIREWALL_BACKEND)]) ++m4_include([integration/rhbz1773809.at]) +diff --git a/src/tests/integration/rhbz1773809.at b/src/tests/integration/rhbz1773809.at +new file mode 100644 +index 000000000000..e58a4337c716 +--- /dev/null ++++ b/src/tests/integration/rhbz1773809.at +@@ -0,0 +1,27 @@ ++FWD_START_TEST([NM overrides interface on reload]) ++AT_KEYWORDS(zone reload rhbz1773809) ++ ++START_NETWORKMANAGER ++ ++NMCLI_CHECK([connection add type dummy con-name dummy0 ifname dummy0 ip4 10.0.0.2 gw4 10.0.0.1], 0, [ignore]) ++echo NS_CMD([nmcli connection delete dummy0]) >> ./cleanup ++NMCLI_CHECK([connection show dummy0], 0, [ignore]) ++NMCLI_CHECK([connection up dummy0], 0, [ignore]) ++ ++dnl Use firewall-offline-cmd otherwise the request will be forwarded to ++dnl NetworkManager. ++FWD_OFFLINE_CHECK([-q --zone internal --add-interface dummy0]) ++FWD_RELOAD ++ ++dnl firewall-cmd should forward the request to NetworkManager. 
++FWD_CHECK([-q --permanent --zone trusted --change-interface dummy0]) ++NMCLI_CHECK([-f connection.zone connection show dummy0], 0, [dnl ++connection.zone: trusted ++]) ++ ++FWD_RELOAD ++FWD_CHECK([--get-zone-of-interface dummy0], 0, [dnl ++trusted ++]) ++ ++FWD_END_TEST +diff --git a/src/tests/integration/testsuite.at b/src/tests/integration/testsuite.at +index bbaf07a191b9..6c957033bae2 100644 +--- a/src/tests/integration/testsuite.at ++++ b/src/tests/integration/testsuite.at +@@ -8,4 +8,5 @@ m4_define([m4_include], [m4_builtin([include], [$1])]) + m4_include([functions.at]) + + m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [ ++ m4_include([integration/networkmanager.at]) + ]) +-- +2.23.0 + diff --git a/SOURCES/0016-test-check-container-also-run-check-integration.patch b/SOURCES/0016-test-check-container-also-run-check-integration.patch new file mode 100644 index 0000000..c3439be --- /dev/null +++ b/SOURCES/0016-test-check-container-also-run-check-integration.patch 
@@ -0,0 +1,54 @@
+From d411807ff46fa6faf8410d994c2f39520b8fc2dc Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 16 Dec 2019 13:36:12 -0500
+Subject: [PATCH 16/37] test: check-container: also run check-integration
+
+This ties the integration tests into the "check-container" target.
+
+NOTE: We force "-j1" because the integration tests must be run serially.
+(cherry picked from commit c1c8156e267d3680959d9bc8ac092d829bac6719)
+(cherry picked from commit fbfc230ed2c2082d0e55b25e551ebc241f7efdf2)
+---
+ src/tests/Makefile.am | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
+index c00c198bf9bb..bf028c7c5389 100644
+--- a/src/tests/Makefile.am
++++ b/src/tests/Makefile.am
+@@ -55,12 +55,13 @@ check-container-debian-sid:
+ xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
+ nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
+ python3-dbus python3-gi python3-slip-dbus python3-nftables \
+- procps && \
++ procps network-manager gir1.2-nm-1.0 && \
+ apt-get install -y libnftables-dev && \
+ ./autogen.sh && \
+ ./configure PYTHON=/usr/bin/python3 && \
+ make && \
+- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
++ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
++ make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
+
+ check-container-fedora-rawhide:
+ (cd $(abs_top_srcdir) && tar -c . ) | \
+@@ -71,12 +72,14 @@ check-container-fedora-rawhide:
+ docbook-style-xsl file gettext glib2-devel intltool ipset \
+ iptables iptables-nft libtool libxml2 libxslt make nftables \
+ python3-nftables python3-slip-dbus python3-gobject-base \
+- diffutils procps-ng iproute which dbus-daemon && \
++ diffutils procps-ng iproute which dbus-daemon \
++ NetworkManager && \
+ alternatives --set ebtables /usr/sbin/ebtables-nft && \
+ ./autogen.sh && \
+ ./configure PYTHON=/usr/bin/python3 && \
+ make && \
+- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
++ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
++ make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
+
+ check-container: check-container-debian-sid
+ check-container: check-container-fedora-rawhide
+--
+2.23.0
+
diff --git a/SOURCES/0017-doc-README-add-note-about-integration-tests.patch b/SOURCES/0017-doc-README-add-note-about-integration-tests.patch
new file mode 100644
index 0000000..7908321
--- /dev/null
+++ b/SOURCES/0017-doc-README-add-note-about-integration-tests.patch
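Review bot: The forced `-j1` on the two added `check-integration` lines is explained only in the commit message, so the Makefile itself does not say why a caller's `TESTSUITEFLAGS="-j4"` is overridden for this step. A comment above `check-container-debian-sid` and `check-container-fedora-rawhide`, for example `# integration tests must run serially; -j1 is appended last so it overrides any -j passed in TESTSUITEFLAGS`, would keep the flag from being removed as redundant later. That wording assumes the generated testsuite honours the last `-j` it receives, which is worth confirming before relying on it. The identical `check-local`/`check-integration` pair is now duplicated in both recipes and could move into one make variable; both recipes begin outside these hunks, so the container invocation itself is not visible here.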
@@ -0,0 +1,36 @@
+From 4b8338a4635b8485b2890072e89f16e39e30ab29 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 17 Dec 2019 13:04:22 -0500
+Subject: [PATCH 17/37] doc: README: add note about integration tests
+
+(cherry picked from commit 18be66cf7e914b128e954c1e97ce29f542ee5fdd)
+(cherry picked from commit c3a581d1acc713c2f8a74109e00690c649d4204f)
+---
+ README | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/README b/README
+index 9cb2ef4a15b7..287a3021b633 100644
+--- a/README
++++ b/README
+@@ -102,10 +102,15 @@ Or just the keywords
+ |awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
+ |tr ' ' '\n' |sort |uniq
+
++There are integration tests. Currently this includes NetworkManager. These may
++be _destructive_ to the host. Run them in a disposable VM or container.
++
++ make check-integration
++
+ There is also a check-container target that will run the testsuite inside
+ various podman/docker containers. This is useful for coverage of multiple
+-distributions. As a bonus, it allows us to run tests that may be destructive to
+-the host (container) such as NetworkManager integration tests.
++distributions. It also runs tests that may be destructive to the host such as
++integration tests.
+
+ make check-container TESTSUITEFLAGS="-j4"
+
+--
+2.23.0
+
diff --git a/SOURCES/0018-chore-update-translations.patch b/SOURCES/0018-chore-update-translations.patch
new file mode 100644
index 0000000..1faf653
--- /dev/null
+++ b/SOURCES/0018-chore-update-translations.patch
@@ -0,0 +1,684 @@ +From 98b36302a635c70a0b986d7f77a310d13fcca259 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 7 Jan 2020 09:22:42 -0500 +Subject: [PATCH 18/37] chore: update translations + +(cherry picked from commit cfe26b5f4febf0c9c8c4935750702f0257b5a7b7) +--- + po/ar.po | 2 +- + po/as.po | 2 +- + po/bg.po | 2 +- + po/bn_IN.po | 2 +- + po/ca.po | 2 +- + po/cs.po | 2 +- + po/da.po | 2 +- + po/de.po | 2 +- + po/el.po | 2 +- + po/en_GB.po | 2 +- + po/en_US.po | 2 +- + po/es.po | 2 +- + po/et.po | 2 +- + po/eu.po | 2 +- + po/fi.po | 2 +- + po/fr.po | 2 +- + po/gl.po | 2 +- + po/gu.po | 2 +- + po/hi.po | 2 +- + po/hu.po | 2 +- + po/ia.po | 2 +- + po/id.po | 2 +- + po/it.po | 2 +- + po/ja.po | 2 +- + po/ka.po | 2 +- + po/kn.po | 2 +- + po/ko.po | 2 +- + po/lt.po | 2 +- + po/ml.po | 2 +- + po/mr.po | 2 +- + po/nl.po | 2 +- + po/or.po | 2 +- + po/pa.po | 2 +- + po/pl.po | 2 +- + po/pt.po | 2 +- + po/pt_BR.po | 2 +- + po/ru.po | 2 +- + po/sk.po | 2 +- + po/sq.po | 2 +- + po/sr.po | 2 +- + po/sr@latin.po | 2 +- + po/sv.po | 2 +- + po/ta.po | 2 +- + po/te.po | 2 +- + po/tr.po | 2 +- + po/uk.po | 2 +- + po/zh_CN.po | 2 +- + po/zh_TW.po | 2 +- + 48 files changed, 48 insertions(+), 48 deletions(-) + +diff --git a/po/ar.po b/po/ar.po +index 7eaed07251dd..8abfdee73473 100644 +--- a/po/ar.po ++++ b/po/ar.po +@@ -17,7 +17,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:20+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Arabic (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/as.po b/po/as.po +index 8fc9f12fb92a..16999c36c1d8 100644 +--- a/po/as.po ++++ b/po/as.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 
09:22-0500\n" + "PO-Revision-Date: 2016-01-04 12:15+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Assamese (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/bg.po b/po/bg.po +index 4f4a50bac50b..d2df33305874 100644 +--- a/po/bg.po ++++ b/po/bg.po +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:43+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Bulgarian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/bn_IN.po b/po/bn_IN.po +index 3c840080f831..72c8591392de 100644 +--- a/po/bn_IN.po ++++ b/po/bn_IN.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:43+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Bengali (India) (http://www.transifex.com/projects/p/" +diff --git a/po/ca.po b/po/ca.po +index 2802c368224b..d2d8ec80af9c 100644 +--- a/po/ca.po ++++ b/po/ca.po +@@ -19,7 +19,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-08-20 10:43+0000\n" + "Last-Translator: Robert Antoni Buj Gelonch \n" + "Language-Team: Catalan (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/cs.po b/po/cs.po +index 66870f4b7e64..7319d3748f0a 100644 +--- a/po/cs.po ++++ b/po/cs.po +@@ -27,7 +27,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2019-06-14 06:09+0000\n" + "Last-Translator: 
Pavel Borecki \n" + "Language-Team: Czech (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/da.po b/po/da.po +index 98dfb5b4bebb..978936ce8f5d 100644 +--- a/po/da.po ++++ b/po/da.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-09-20 10:43+0000\n" + "Last-Translator: scootergrisen \n" + "Language-Team: Danish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/de.po b/po/de.po +index a27d39c56547..dd610cfed621 100644 +--- a/po/de.po ++++ b/po/de.po +@@ -40,7 +40,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:22+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: German (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/el.po b/po/el.po +index 5227bfc9bf4f..26d4a55dc0ba 100644 +--- a/po/el.po ++++ b/po/el.po +@@ -16,7 +16,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2016-01-04 12:27+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Greek (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/en_GB.po b/po/en_GB.po +index b617e4379dd5..d739c60136bd 100644 +--- a/po/en_GB.po ++++ b/po/en_GB.po +@@ -11,7 +11,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:44+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: English (United Kingdom) 
(http://www.transifex.com/projects/p/" +diff --git a/po/en_US.po b/po/en_US.po +index 8ae2ae5bcd8a..f8e2a767a40e 100644 +--- a/po/en_US.po ++++ b/po/en_US.po +@@ -7,7 +7,7 @@ msgid "" + msgstr "" + "Project-Id-Version: firewalld\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2014-10-15 14:24+0000\n" + "Last-Translator: Jiří Popelka \n" + "Language-Team: English (United States) (http://www.transifex.com/projects/p/" +diff --git a/po/es.po b/po/es.po +index a84b9e05343a..0f228150fd2c 100644 +--- a/po/es.po ++++ b/po/es.po +@@ -31,7 +31,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:22+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Spanish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/et.po b/po/et.po +index 8da6377bdac7..795090f4abde 100644 +--- a/po/et.po ++++ b/po/et.po +@@ -10,7 +10,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2016-01-04 12:21+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Estonian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/eu.po b/po/eu.po +index b8e14e2a1b86..a2fd55d6a404 100644 +--- a/po/eu.po ++++ b/po/eu.po +@@ -10,7 +10,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:43+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Basque (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/fi.po b/po/fi.po +index 
71ad70257f21..752329c32489 100644 +--- a/po/fi.po ++++ b/po/fi.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-08-19 12:28+0000\n" + "Last-Translator: Jiri Grönroos \n" + "Language-Team: Finnish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/fr.po b/po/fr.po +index d807315b5826..283dfa6d4dfc 100644 +--- a/po/fr.po ++++ b/po/fr.po +@@ -34,7 +34,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:23+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: French (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/gl.po b/po/gl.po +index 47f9b6940401..4845df696886 100644 +--- a/po/gl.po ++++ b/po/gl.po +@@ -9,7 +9,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:45+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Galician (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/gu.po b/po/gu.po +index 8698b52527b8..00d073043ae6 100644 +--- a/po/gu.po ++++ b/po/gu.po +@@ -14,7 +14,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:45+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Gujarati (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/hi.po b/po/hi.po +index 24626fd4b2a3..07520b920e9f 100644 +--- a/po/hi.po ++++ b/po/hi.po +@@ -10,7 +10,7 @@ msgid "" + msgstr "" + 
"Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2016-01-04 12:28+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Hindi (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/hu.po b/po/hu.po +index f12170b0247c..8d02f894e92e 100644 +--- a/po/hu.po ++++ b/po/hu.po +@@ -24,7 +24,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:24+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Hungarian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ia.po b/po/ia.po +index d9d26140acd1..59bfc3f3f4b6 100644 +--- a/po/ia.po ++++ b/po/ia.po +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:58+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Interlingua (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/id.po b/po/id.po +index f53a785bdcc1..3304d54878b2 100644 +--- a/po/id.po ++++ b/po/id.po +@@ -3,7 +3,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-05-22 09:00+0000\n" + "Last-Translator: Ferdi Saptanera \n" + "Language-Team: Indonesian\n" +diff --git a/po/it.po b/po/it.po +index 7c2b4c02ed87..6358ba40bd31 100644 +--- a/po/it.po ++++ b/po/it.po +@@ -36,7 +36,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 
2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:24+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Italian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ja.po b/po/ja.po +index 340a68a9dfa5..ea830261b855 100644 +--- a/po/ja.po ++++ b/po/ja.po +@@ -22,7 +22,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:25+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ka.po b/po/ka.po +index ca538252795e..864b3c8058c6 100644 +--- a/po/ka.po ++++ b/po/ka.po +@@ -9,7 +9,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2016-01-04 12:24+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Georgian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/kn.po b/po/kn.po +index a62e59eb5a3e..1826797aa9cd 100644 +--- a/po/kn.po ++++ b/po/kn.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 09:59+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Kannada (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ko.po b/po/ko.po +index c928658f0195..c36161b7163b 100644 +--- a/po/ko.po ++++ b/po/ko.po +@@ -18,7 +18,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:25+0000\n" + "Last-Translator: Copied by 
Zanata \n" + "Language-Team: Korean (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/lt.po b/po/lt.po +index bf3b73972c75..07a03e594ae7 100644 +--- a/po/lt.po ++++ b/po/lt.po +@@ -4,7 +4,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2019-05-13 08:05+0000\n" + "Last-Translator: Moo \n" + "Language-Team: Lithuanian\n" +diff --git a/po/ml.po b/po/ml.po +index c265a921804c..93b6b6b63d05 100644 +--- a/po/ml.po ++++ b/po/ml.po +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 10:00+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Malayalam (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/mr.po b/po/mr.po +index 04c29128fe3d..2b7159fdd370 100644 +--- a/po/mr.po ++++ b/po/mr.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 10:00+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Marathi (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/nl.po b/po/nl.po +index ac384020ad3a..351b9906332a 100644 +--- a/po/nl.po ++++ b/po/nl.po +@@ -17,7 +17,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:26+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Dutch (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/or.po b/po/or.po +index 4b846a9f615d..90ffdcb7ca97 
100644 +--- a/po/or.po ++++ b/po/or.po +@@ -12,7 +12,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2016-01-04 12:33+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Oriya (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/pa.po b/po/pa.po +index 5a52ff6ccca9..3480e4223dce 100644 +--- a/po/pa.po ++++ b/po/pa.po +@@ -22,7 +22,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2017-11-26 02:37+0000\n" + "Last-Translator: A S Alam \n" + "Language-Team: Panjabi (Punjabi) (http://www.transifex.com/projects/p/" +diff --git a/po/pl.po b/po/pl.po +index 843c883dd05d..83703401460b 100644 +--- a/po/pl.po ++++ b/po/pl.po +@@ -17,7 +17,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:26+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Polish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/pt.po b/po/pt.po +index 27d3e7d44abd..7d5e816e2e7e 100644 +--- a/po/pt.po ++++ b/po/pt.po +@@ -12,7 +12,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2019-09-07 12:26+0000\n" + "Last-Translator: Manuela Silva \n" + "Language-Team: Portuguese (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/pt_BR.po b/po/pt_BR.po +index 322fd5f69f3d..c381fa07343f 100644 +--- a/po/pt_BR.po ++++ b/po/pt_BR.po +@@ -34,7 +34,7 @@ msgid "" + msgstr "" + 
"Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:27+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Portuguese (Brazil) (http://www.transifex.com/projects/p/" +diff --git a/po/ru.po b/po/ru.po +index e15835624511..38cede8b55e6 100644 +--- a/po/ru.po ++++ b/po/ru.po +@@ -22,7 +22,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:27+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Russian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/sk.po b/po/sk.po +index 23634d087ae3..4d6e67eb05b2 100644 +--- a/po/sk.po ++++ b/po/sk.po +@@ -14,7 +14,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-08-13 06:16+0000\n" + "Last-Translator: feonsu \n" + "Language-Team: Slovak (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/sq.po b/po/sq.po +index 109b4d6e29c5..91c16e57045d 100644 +--- a/po/sq.po ++++ b/po/sq.po +@@ -4,7 +4,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2017-04-20 11:49+0000\n" + "Last-Translator: Sidorela Uku \n" + "Language-Team: Albanian\n" +diff --git a/po/sr.po b/po/sr.po +index d742901dd676..7c45f703a716 100644 +--- a/po/sr.po ++++ b/po/sr.po +@@ -12,7 +12,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" 
+ "PO-Revision-Date: 2016-01-04 12:42+0000\n" + "Last-Translator: Momcilo Medic \n" + "Language-Team: Serbian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/sr@latin.po b/po/sr@latin.po +index 7045f7510b33..6bde5c3dafb6 100644 +--- a/po/sr@latin.po ++++ b/po/sr@latin.po +@@ -10,7 +10,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 10:03+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Serbian (Latin) (http://www.transifex.com/projects/p/" +diff --git a/po/sv.po b/po/sv.po +index d89a7c261fdd..f7e2ee9c9ec7 100644 +--- a/po/sv.po ++++ b/po/sv.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:28+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Swedish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ta.po b/po/ta.po +index a53847a694fb..3370eb155992 100644 +--- a/po/ta.po ++++ b/po/ta.po +@@ -16,7 +16,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2015-02-26 10:04+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Tamil (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/te.po b/po/te.po +index 542b57c404ad..6365c4adf6e3 100644 +--- a/po/te.po ++++ b/po/te.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2016-01-04 12:44+0000\n" + "Last-Translator: Copied by 
Zanata \n" + "Language-Team: Telugu (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/tr.po b/po/tr.po +index 29d589174412..404c8687de5e 100644 +--- a/po/tr.po ++++ b/po/tr.po +@@ -12,7 +12,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2019-03-08 01:23+0000\n" + "Last-Translator: Serdar Sağlam \n" + "Language-Team: Turkish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/uk.po b/po/uk.po +index 4408f372a319..f237acc315e4 100644 +--- a/po/uk.po ++++ b/po/uk.po +@@ -14,7 +14,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-07-29 04:00+0000\n" + "Last-Translator: Yuri Chornoivan \n" + "Language-Team: Ukrainian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/zh_CN.po b/po/zh_CN.po +index bcb5a75283a4..ee57808023f1 100644 +--- a/po/zh_CN.po ++++ b/po/zh_CN.po +@@ -24,7 +24,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2019-03-10 05:14+0000\n" + "Last-Translator: Pany \n" + "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/" +diff --git a/po/zh_TW.po b/po/zh_TW.po +index 27e8dff208f9..47f1e2c9f55d 100644 +--- a/po/zh_TW.po ++++ b/po/zh_TW.po +@@ -21,7 +21,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2019-11-05 08:47-0500\n" ++"POT-Creation-Date: 2020-01-07 09:22-0500\n" + "PO-Revision-Date: 2018-11-16 08:29+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/" +-- +2.23.0 
+
diff --git a/SOURCES/0019-doc-README-add-note-about-language-translations.patch b/SOURCES/0019-doc-README-add-note-about-language-translations.patch
new file mode 100644
index 0000000..5e72d66
--- /dev/null
+++ b/SOURCES/0019-doc-README-add-note-about-language-translations.patch
@@ -0,0 +1,32 @@
+From 7b2f75ecf57dd3f46da24db640aec63aac3e703d Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 14 Jan 2020 09:15:22 -0500
+Subject: [PATCH 19/37] doc: README: add note about language translations
+
+(cherry picked from commit 1b829ebb1d79e674b191d7f201787688b8a1d609)
+(cherry picked from commit 86b4a2643882e1d70c92859bfdfca24d768102f9)
+---
+ README | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/README b/README
+index 287a3021b633..120543588540 100644
+--- a/README
++++ b/README
+@@ -17,6 +17,13 @@ To check out the source repository, you can use:
+
+ This will create a local copy of the repository.
+
++Language Translations
++---------------------
++Firewalld uses GNU gettext for localization support. Translations can be done
++using Fedora's Weblate instance [1]. Translations are periodically merged into
++the main firewalld repository.
++
++[1] https://translate.stg.fedoraproject.org/projects/firewalld/
+
+ Working With The Source Repository
+ ----------------------------------
+--
+2.23.0
+
diff --git a/SOURCES/0020-fix-rich-source-dest-only-matching-with-mark-action.patch b/SOURCES/0020-fix-rich-source-dest-only-matching-with-mark-action.patch
new file mode 100644
index 0000000..68e105a
--- /dev/null
+++ b/SOURCES/0020-fix-rich-source-dest-only-matching-with-mark-action.patch
@@ -0,0 +1,31 @@
+From b15d3998fc9cbc6fbaa5f54596cf6ae4af80c6b4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Jan 2020 10:41:29 -0500
+Subject: [PATCH 20/37] fix: rich: source/dest only matching with mark action
+
+We need to make sure the pre-requisite chains exist before generating
+the rule for the mark action.
+
+Fixes: #567
+(cherry picked from commit 4997385a269b2128281f346ba6e049a41767d165)
+(cherry picked from commit 16c70554005a2a8dc7947c94f0fcc7cc401de3d0)
+---
+ src/firewall/core/fw_zone.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index cbb80f09e02f..5cda560a30e1 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1720,6 +1720,8 @@ class FirewallZone(object):
+ elif rule.element is None:
+ if enable:
+ transaction.add_chain(zone, "filter", "INPUT")
++ if enable and type(rule.action) == Rich_Mark:
++ transaction.add_chain(zone, "mangle", "PREROUTING")
+
+ rules = backend.build_zone_rich_source_destination_rules(
+ enable, zone, rule)
+--
+2.23.0
+
diff --git a/SOURCES/0021-test-coverage-for-gh-567.patch b/SOURCES/0021-test-coverage-for-gh-567.patch
new file mode 100644
index 0000000..0e8d265
--- /dev/null
+++ b/SOURCES/0021-test-coverage-for-gh-567.patch
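Review bot: The added guard `if enable and type(rule.action) == Rich_Mark:` compares exact types, so a subclass of `Rich_Mark` would skip the chain creation. `if enable and isinstance(rule.action, Rich_Mark):` is the idiomatic form, unless the rest of `fw_zone.py` deliberately uses `type(...) ==` throughout, which this hunk does not show. The reason for the extra chain is recorded only in the commit message, so a comment above the two added lines such as `# a mark action needs the zone's mangle/PREROUTING chain to exist before its rule is built` would keep it with the code. Indentation is lost on this page, so it is not certain whether the new `if` sits inside the `elif rule.element is None:` branch, and the enclosing method starts and ends outside the hunk.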
@@ -0,0 +1,39 @@
+From ff7fed03e2026b0f3e2959bcb4b71c57b48b33a4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Jan 2020 10:04:47 -0500
+Subject: [PATCH 21/37] test: coverage for gh #567
+
+(cherry picked from commit cdf3227ea9e1c14ca47fcd73c42b3c94f78b01a6)
+(cherry picked from commit 846363e2ced0b5ec0eecd58574245a4f7a66235c)
+---
+ src/tests/regression.at | 1 +
+ src/tests/regression/gh567.at | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+ create mode 100644 src/tests/regression/gh567.at
+
+diff --git a/src/tests/regression.at b/src/tests/regression.at
+index 3bc99543a9b1..4532d730fbe7 100644
+--- a/src/tests/regression.at
++++ b/src/tests/regression.at
+@@ -24,3 +24,4 @@ m4_include([regression/rhbz1715977.at])
+ m4_include([regression/rhbz1723610.at])
+ m4_include([regression/rhbz1734765.at])
+ m4_include([regression/gh509.at])
++m4_include([regression/gh567.at])
+diff --git a/src/tests/regression/gh567.at b/src/tests/regression/gh567.at
+new file mode 100644
+index 000000000000..03c3bde4a0fe
+--- /dev/null
++++ b/src/tests/regression/gh567.at
+@@ -0,0 +1,8 @@
++FWD_START_TEST([rich rule source w/ mark action])
++AT_KEYWORDS(gh567 rich ipset)
++
++FWD_CHECK([-q --permanent --new-ipset=Teste --type=hash:net])
++FWD_CHECK([-q --permanent --add-rich-rule "rule family=ipv4 source ipset=Teste mark set=2"])
++FWD_RELOAD
++
++FWD_END_TEST
+--
+2.23.0
+
diff --git a/SOURCES/0022-improvement-test-move-regression.at-inside-directory.patch b/SOURCES/0022-improvement-test-move-regression.at-inside-directory.patch
new file mode 100644
index 0000000..b545762
--- /dev/null
+++ b/SOURCES/0022-improvement-test-move-regression.at-inside-directory.patch
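Review bot: The new `gh567.at` test passes as soon as `FWD_RELOAD` returns successfully, so it shows that the reload no longer fails but not that the mark rule actually reached the ruleset. A check after `FWD_RELOAD` that lists the zone's `mangle` rules and expects the `mark set=2` entry would catch a regression where the rule is silently dropped instead of raising an error. The testsuite includes the regression tests once per `FIREWALL_BACKEND`, so the expectation needs a variant for `nftables` and one for `iptables`. A line such as `dnl gh #567: a source-only rich rule with a mark action needs the mangle PREROUTING zone chain` before the first `FWD_CHECK` would also record what the test covers.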
@@ -0,0 +1,33 @@
+From e02639f73c9515ce4780b878ed0fc1308b46fc88 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Jan 2020 13:41:21 -0500
+Subject: [PATCH 22/37] improvement: test: move regression.at inside directory
+
+(cherry picked from commit 97066392d174bafbeaf4fce6d040352e64f1822c)
+(cherry picked from commit a340e4767bef62d2ae6d000447ea162bb8dd016b)
+---
+ src/tests/{ => regression}/regression.at | 0
+ src/tests/testsuite.at | 2 +-
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename src/tests/{ => regression}/regression.at (100%)
+
+diff --git a/src/tests/regression.at b/src/tests/regression/regression.at
+similarity index 100%
+rename from src/tests/regression.at
+rename to src/tests/regression/regression.at
+diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
+index b4dc05a59f55..be43c3bd4756 100644
+--- a/src/tests/testsuite.at
++++ b/src/tests/testsuite.at
+@@ -12,7 +12,7 @@ m4_include([dbus.at])
+
+ m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+ m4_include([firewall-cmd.at])
+- m4_include([regression.at])
++ m4_include([regression/regression.at])
+ m4_include([python.at])
+ m4_include([features.at])
+ ])
+--
+2.23.0
+
diff --git a/SOURCES/0023-improvement-test-move-features.at-inside-directory.patch b/SOURCES/0023-improvement-test-move-features.at-inside-directory.patch
new file mode 100644
index 0000000..77fbd3f
--- /dev/null
+++ b/SOURCES/0023-improvement-test-move-features.at-inside-directory.patch
@@ -0,0 +1,45 @@
+From 469c9a24f6fb1ae7073a412755201d5a093a46d0 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Jan 2020 13:42:31 -0500
+Subject: [PATCH 23/37] improvement: test: move features.at inside directory
+
+(cherry picked from commit 87ebf867d4c1f81ecba44346126fcb6a5b4e4e3e)
+(cherry picked from commit 04891ae837b317b293f14aaa28c683375afee4a5)
+---
+ src/tests/{ => features}/features.at | 0
+ src/tests/firewall-offline-cmd.at | 2 +-
+ src/tests/testsuite.at | 2 +-
+ 3 files changed, 2 insertions(+), 2 deletions(-)
+ rename src/tests/{ => features}/features.at (100%)
+
+diff --git a/src/tests/features.at b/src/tests/features/features.at
+similarity index 100%
+rename from src/tests/features.at
+rename to src/tests/features/features.at
+diff --git a/src/tests/firewall-offline-cmd.at b/src/tests/firewall-offline-cmd.at
+index 0b05ee70ea9f..8cd6b6c5550f 100644
+--- a/src/tests/firewall-offline-cmd.at
++++ b/src/tests/firewall-offline-cmd.at
+@@ -9,7 +9,7 @@ dnl !!! DO NOT ADD TESTS HERE !!!
+
+ m4_define([TESTING_FIREWALL_OFFLINE_CMD])
+ m4_include([firewall-cmd.at])
+-m4_include([features.at])
++m4_include([features/features.at])
+
+ dnl Now begin the tests explicitly for firewall-offline-cmd
+ dnl
+diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
+index be43c3bd4756..364b0ca30e04 100644
+--- a/src/tests/testsuite.at
++++ b/src/tests/testsuite.at
+@@ -14,5 +14,5 @@ m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+ m4_include([firewall-cmd.at])
+ m4_include([regression/regression.at])
+ m4_include([python.at])
+- m4_include([features.at])
++ m4_include([features/features.at])
+ ])
+--
+2.23.0
+
diff --git a/SOURCES/0024-improvement-test-move-python.at-inside-directory.patch b/SOURCES/0024-improvement-test-move-python.at-inside-directory.patch
new file mode 100644
index 0000000..cdb1e19
--- /dev/null
+++ b/SOURCES/0024-improvement-test-move-python.at-inside-directory.patch
@@ -0,0 +1,32 @@
+From 318e99e5957fd92d6421350096c0dbc73c18f4ec Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Jan 2020 13:43:32 -0500
+Subject: [PATCH 24/37] improvement: test: move python.at inside directory
+
+(cherry picked from commit d6dbb79bd0fb470007d958296731e45912470ffe)
+(cherry picked from commit 13c4830d4063dc2d76820f2a7db8b77f7427e763)
+---
+ src/tests/{ => python}/python.at | 0
+ src/tests/testsuite.at | 2 +-
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename src/tests/{ => python}/python.at (100%)
+
+diff --git a/src/tests/python.at b/src/tests/python/python.at
+similarity index 100%
+rename from src/tests/python.at
+rename to src/tests/python/python.at
+diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
+index 364b0ca30e04..2a925fd77dd6 100644
+--- a/src/tests/testsuite.at
++++ b/src/tests/testsuite.at
+@@ -13,6 +13,6 @@ m4_include([dbus.at])
+ m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+ m4_include([firewall-cmd.at])
+ m4_include([regression/regression.at])
+- m4_include([python.at])
++ m4_include([python/python.at])
+ m4_include([features/features.at])
+ ])
+--
+2.23.0
+
diff --git a/SOURCES/0025-improvement-test-move-dbus.at-inside-directory.patch b/SOURCES/0025-improvement-test-move-dbus.at-inside-directory.patch
new file mode 100644
index 0000000..89f21e7
--- /dev/null
+++ b/SOURCES/0025-improvement-test-move-dbus.at-inside-directory.patch
@@ -0,0 +1,33 @@
+From f57c3b19cf5c1ef0b68eab2819f4dafdcbd53b91 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Jan 2020 13:44:22 -0500
+Subject: [PATCH 25/37] improvement: test: move dbus.at inside directory
+
+(cherry picked from commit 0dfdf43524fc56d396c47198a7d2a4853373ac4c)
+(cherry picked from commit 015229ef5c0f97d1664fb5670b4caef6d8242a68)
+---
+ src/tests/{ => dbus}/dbus.at | 0
+ src/tests/testsuite.at | 2 +-
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename src/tests/{ => dbus}/dbus.at (100%)
+
+diff --git a/src/tests/dbus.at b/src/tests/dbus/dbus.at
+similarity index 100%
+rename from src/tests/dbus.at
+rename to src/tests/dbus/dbus.at
+diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
+index 2a925fd77dd6..546b301f1cb2 100644
+--- a/src/tests/testsuite.at
++++ b/src/tests/testsuite.at
+@@ -8,7 +8,7 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
+ m4_include([functions.at])
+
+ m4_include([firewall-offline-cmd.at])
+-m4_include([dbus.at])
++m4_include([dbus/dbus.at])
+
+ m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+ m4_include([firewall-cmd.at])
+--
+2.23.0
+
diff --git a/SOURCES/0026-improvement-test-move-firewall-cmd.at-and-firewall-o.patch b/SOURCES/0026-improvement-test-move-firewall-cmd.at-and-firewall-o.patch
new file mode 100644
index 0000000..1d1ae2e
--- /dev/null
+++ b/SOURCES/0026-improvement-test-move-firewall-cmd.at-and-firewall-o.patch
@@ -0,0 +1,57 @@
+From 529c233fca75fc302a86b01251b7c7bf31e188ad Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 15 Jan 2020 13:46:42 -0500
+Subject: [PATCH 26/37] improvement: test: move firewall-cmd.at and
+ firewall-offline-cmd.at inside directory
+
+(cherry picked from commit 60197b143b1abf1cae618649fcb4ca595c6fb46d)
+(cherry picked from commit 8f6dd39747b00b6cf5b0dfb526b75b4dd7ef9077)
+---
+ src/tests/{ => cli}/firewall-cmd.at | 0
+ src/tests/{ => cli}/firewall-offline-cmd.at | 2 +-
+ src/tests/testsuite.at | 4 ++--
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+ rename src/tests/{ => cli}/firewall-cmd.at (100%)
+ rename src/tests/{ => cli}/firewall-offline-cmd.at (98%)
+
+diff --git a/src/tests/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
+similarity index 100%
+rename from src/tests/firewall-cmd.at
+rename to src/tests/cli/firewall-cmd.at
+diff --git a/src/tests/firewall-offline-cmd.at b/src/tests/cli/firewall-offline-cmd.at
+similarity index 98%
+rename from src/tests/firewall-offline-cmd.at
+rename to src/tests/cli/firewall-offline-cmd.at
+index 8cd6b6c5550f..e763eeb95839 100644
+--- a/src/tests/firewall-offline-cmd.at
++++ b/src/tests/cli/firewall-offline-cmd.at
+@@ -8,7 +8,7 @@ dnl
+ dnl !!! DO NOT ADD TESTS HERE !!!
+
+ m4_define([TESTING_FIREWALL_OFFLINE_CMD])
+-m4_include([firewall-cmd.at])
++m4_include([cli/firewall-cmd.at])
+ m4_include([features/features.at])
+
+ dnl Now begin the tests explicitly for firewall-offline-cmd
+diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
+index 546b301f1cb2..c48123cea910 100644
+--- a/src/tests/testsuite.at
++++ b/src/tests/testsuite.at
+@@ -7,11 +7,11 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
+
+ m4_include([functions.at])
+
+-m4_include([firewall-offline-cmd.at])
++m4_include([cli/firewall-offline-cmd.at])
+ m4_include([dbus/dbus.at])
+
+ m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+- m4_include([firewall-cmd.at])
++ m4_include([cli/firewall-cmd.at])
+ m4_include([regression/regression.at])
+ m4_include([python/python.at])
+ m4_include([features/features.at])
+--
+2.23.0
+
diff --git a/SOURCES/0027-test-enhance-test-for-rhbz1729097.patch b/SOURCES/0027-test-enhance-test-for-rhbz1729097.patch
new file mode 100644
index 0000000..45d2b6a
--- /dev/null
+++ b/SOURCES/0027-test-enhance-test-for-rhbz1729097.patch
@@ -0,0 +1,133 @@
+From a698ca94c40b6edf058995f9f2b1fc197a16efe4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 16 Jan 2020 09:02:28 -0500
+Subject: [PATCH 27/37] test: enhance test for rhbz1729097
+
+(cherry picked from commit c2b8059559c210e586b03b44eaf189370b976770)
+(cherry picked from commit 47368842f5519b43cb02cb4f2cca59b9049e5268)
+---
+ src/tests/regression/rhbz1715977.at | 107 +++++++++++++++++++++++++++-
+ 1 file changed, 105 insertions(+), 2 deletions(-)
+
+diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
+index ce6dd075c2b5..5de9b5679023 100644
+--- a/src/tests/regression/rhbz1715977.at
++++ b/src/tests/regression/rhbz1715977.at
+@@ -1,9 +1,112 @@
+-FWD_START_TEST([rich rule destination with service destination])
+-AT_KEYWORDS(rich service rhbz1715977)
++FWD_START_TEST([rich rule source/destination with service destination])
++AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
+
+ FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
+ FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])
+ FWD_RELOAD
++NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
++ table inet firewalld {
++ chain filter_IN_internal_allow {
++ tcp dport 22 ct state new,untracked accept
++ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
++ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
++ udp dport 137 ct helper set "helper-netbios-ns-udp"
++ udp dport 137 ct state new,untracked accept
++ udp dport 138 ct state new,untracked accept
++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
++ tcp dport 9090 ct state new,untracked accept
++ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
++ }
++ }
++])
++IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
++])
++IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
++])
++
++FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
++NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
++ table inet firewalld {
++ chain filter_IN_internal_allow {
++ tcp dport 22 ct state new,untracked accept
++ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
++ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
++ udp dport 137 ct helper set "helper-netbios-ns-udp"
++ udp dport 137 ct state new,untracked accept
++ udp dport 138 ct state new,untracked accept
++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
++ tcp dport 9090 ct state new,untracked accept
++ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
++ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
++ }
++ }
++])
++IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
++])
++IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
++])
++
++FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
++NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
++ table inet firewalld {
++ chain filter_IN_internal_allow {
++ tcp dport 22 ct state new,untracked accept
++ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
++ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
++ udp dport 137 ct helper set "helper-netbios-ns-udp"
++ udp dport 137 ct state new,untracked accept
++ udp dport 138 ct state new,untracked accept
++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
++ tcp dport 9090 ct state new,untracked accept
++ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
++ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
++ ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
++ }
++ }
++])
++IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
++])
++IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
++])
+
+ FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
+ FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'])
+--
+2.23.0
+
diff --git a/SOURCES/0028-fix-test-functions-FWD_END_TEST-grep-for-errors-warn.patch b/SOURCES/0028-fix-test-functions-FWD_END_TEST-grep-for-errors-warn.patch
new file mode 100644
index 0000000..e1cb455
--- /dev/null
+++ b/SOURCES/0028-fix-test-functions-FWD_END_TEST-grep-for-errors-warn.patch
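Review bot: Each of the three expected listings added to `rhbz1715977.at` repeats the whole `filter_IN_internal_allow` chain, including rules for ports 22, 5353, 137, 138, 546 and 9090 that this test never adds and that presumably come from the `internal` zone's default services. Any change to those defaults will fail this test for reasons unrelated to rich rules. Running the rich-rule checks against a zone the test creates itself would keep the expected output down to the rules under test. At the least, a `dnl` line above the first `NFT_LIST_RULES` should say that the leading entries are zone defaults and not part of what is being verified.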
@@ -0,0 +1,29 @@
+From 77c098b455f8de72118a4ba40c371c1dde905325 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 22 Jan 2020 09:46:52 -0500
+Subject: [PATCH 28/37] fix: test/functions: FWD_END_TEST: grep for
+ errors/warnings
+
+Fixes: 5f67a78a68a4 ("fix: test/functions: FWD_END_TEST: improve grep for errors/warnings")
+(cherry picked from commit 9f397528f5c7c6a155ba081a2e048ccf14c004b4)
+(cherry picked from commit 171d3ce9b1724989b3a98d4cfe58470b36ce3be0)
+---
+ src/tests/functions.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index e79557350558..cd4e31c7f9d4 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -234,7 +234,7 @@ m4_define([FWD_END_TEST], [
+ if test -n "$1"; then
+ sed -i $1 ./firewalld.log
+ fi
+- AT_FAIL_IF([grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log])
++ AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]])
+ fi
+ m4_undefine([CURRENT_DBUS_ADDRESS])
+ m4_undefine([CURRENT_TEST_NS])
+--
+2.23.0
+
diff --git a/SOURCES/0029-improvement-tests-regression-rhbz1715977-shorten-tes.patch b/SOURCES/0029-improvement-tests-regression-rhbz1715977-shorten-tes.patch
new file mode 100644
index 0000000..93aad59
--- /dev/null
+++ b/SOURCES/0029-improvement-tests-regression-rhbz1715977-shorten-tes.patch
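Review bot: The doubled brackets on the new `AT_FAIL_IF([[grep …]])` line carry no comment, so nothing tells the next editor that the extra quoting level is what keeps m4 from stripping the `[0-9-]`, `[ ]` and `[0-9:]` bracket expressions out of the pattern. A line above it such as `dnl double-quoted so m4 leaves the [] bracket expressions of the regex intact` would stop it being "simplified" back, which would presumably make the ERROR/WARNING log check match nothing again while every test still passes. The definition of `FWD_END_TEST` begins and ends outside the hunk.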
@@ -0,0 +1,27 @@
+From 207f97c8f8aa0043742521016065f35115e31436 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 22 Jan 2020 08:11:48 -0500
+Subject: [PATCH 29/37] improvement: tests/regression/rhbz1715977: shorten test
+ name
+
+Shorten the test name so it fits on 80 columns.
+
+(cherry picked from commit d7920d34359074be68497da666cefd175e00d5f6)
+(cherry picked from commit e63d2f72d68d366ca3e693d8de6cdcc21fcd44e5)
+---
+ src/tests/regression/rhbz1715977.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
+index 5de9b5679023..b9886e1a0a2b 100644
+--- a/src/tests/regression/rhbz1715977.at
++++ b/src/tests/regression/rhbz1715977.at
+@@ -1,4 +1,4 @@
+-FWD_START_TEST([rich rule source/destination with service destination])
++FWD_START_TEST([rich rule src/dst with service destination])
+ AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
+
+ FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
+--
+2.23.0
+
diff --git a/SOURCES/0030-feat-AllowZoneDrifting-config-option.patch b/SOURCES/0030-feat-AllowZoneDrifting-config-option.patch
new file mode 100644
index 0000000..6b94eed
--- /dev/null
+++ b/SOURCES/0030-feat-AllowZoneDrifting-config-option.patch
@@ -0,0 +1,292 @@ +From 982024e6775c9a9c78713be82519c729107ca4e2 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 14:13:36 -0500 +Subject: [PATCH 30/37] feat: AllowZoneDrifting config option + +Older versions of firewalld had undocumented behavior known as "zone +drifting". This allowed packets to ingress multiple zones - this is a +violation of zone based firewalls. However, some users rely on this +behavior to have a "catch-all" zone, e.g. the default zone. You can +enable this if you desire such behavior. It's disabled by default for +security reasons. + +Note: If "yes" packets will only drift from source based zones to +interface based zones (including the default zone). Packets never drift +from interface based zones to other interfaces based zones (including +the default zone). + +(cherry picked from commit afadd377b09dc62b340d24bcf891d31f040d1a18) +(cherry picked from commit afbd6c0e82b77ca9b687169d69bf6c2dc17a9317) +--- + config/firewalld.conf | 12 ++++++++++++ + doc/xml/firewalld.conf.xml | 19 +++++++++++++++++++ + doc/xml/firewalld.dbus.xml | 16 ++++++++++++++++ + src/firewall/config/__init__.py.in | 1 + + src/firewall/core/fw.py | 14 ++++++++++++++ + src/firewall/core/io/firewalld_conf.py | 13 +++++++++++-- + src/firewall/server/config.py | 20 +++++++++++++++++--- + src/tests/dbus/firewalld.conf.at | 3 +++ + 8 files changed, 93 insertions(+), 5 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index 82ad062b8a66..532f0452212e 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -61,3 +61,15 @@ FlushAllOnReload=yes + # internet. + # Defaults to "yes". + RFC3964_IPv4=yes ++ ++# AllowZoneDrifting ++# Older versions of firewalld had undocumented behavior known as "zone ++# drifting". This allowed packets to ingress multiple zones - this is a ++# violation of zone based firewalls. However, some users rely on this behavior ++# to have a "catch-all" zone, e.g. the default zone. 
You can enable this if you ++# desire such behavior. It's disabled by default for security reasons. ++# Note: If "yes" packets will only drift from source based zones to interface ++# based zones (including the default zone). Packets never drift from interface ++# based zones to other interfaces based zones (including the default zone). ++# Possible values; "yes", "no". Defaults to "no". ++AllowZoneDrifting=no +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index 6003a6fae855..fcfbfd2b68c1 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -183,6 +183,25 @@ + + + ++ ++ ++ ++ ++ Older versions of firewalld had undocumented behavior known ++ as "zone drifting". This allowed packets to ingress multiple ++ zones - this is a violation of zone based firewalls. However, ++ some users rely on this behavior to have a "catch-all" zone, ++ e.g. the default zone. You can enable this if you desire such ++ behavior. It's disabled by default for security reasons. ++ Note: If "yes" packets will only drift from source based zones ++ to interface based zones (including the default zone). Packets ++ never drift from interface based zones to other interfaces ++ based zones (including the default zone). ++ Valid values; "yes", "no". Defaults to "no". ++ ++ ++ ++ + + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 66b0475ec0c8..5d77af976443 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2578,6 +2578,22 @@ + + Properties + ++ ++ AllowZoneDrifting - s - (rw) ++ ++ Older versions of firewalld had undocumented behavior known ++ as "zone drifting". This allowed packets to ingress multiple ++ zones - this is a violation of zone based firewalls. However, ++ some users rely on this behavior to have a "catch-all" zone, ++ e.g. the default zone. You can enable this if you desire such ++ behavior. It's disabled by default for security reasons. 
++ Note: If "yes" packets will only drift from source based zones ++ to interface based zones (including the default zone). Packets ++ never drift from interface based zones to other interfaces ++ based zones (including the default zone). ++ Valid values; "yes", "no". Defaults to "no". ++ ++ + + AutomaticHelpers - s - (rw) + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 3274dd430e4e..481eb8de758d 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -130,3 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no" + FALLBACK_FIREWALL_BACKEND = "nftables" + FALLBACK_FLUSH_ALL_ON_RELOAD = True + FALLBACK_RFC3964_IPV4 = True ++FALLBACK_ALLOW_ZONE_DRIFTING = False +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 050fb9cd976d..6206ed586988 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -123,6 +123,7 @@ class Firewall(object): + self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND + self._flush_all_on_reload = config.FALLBACK_FLUSH_ALL_ON_RELOAD + self._rfc3964_ipv4 = config.FALLBACK_RFC3964_IPV4 ++ self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING + + def individual_calls(self): + return self._individual_calls +@@ -286,6 +287,19 @@ class Firewall(object): + log.debug1("RFC3964_IPv4 is set to '%s'", + self._rfc3964_ipv4) + ++ if self._firewalld_conf.get("AllowZoneDrifting"): ++ value = self._firewalld_conf.get("AllowZoneDrifting") ++ if value.lower() in [ "no", "false" ]: ++ self._allow_zone_drifting = False ++ else: ++ self._allow_zone_drifting = True ++ log.warning("AllowZoneDrifting is enabled. This is considered " ++ "an insecure configuration option. It will be " ++ "removed in a future release. 
Please consider " ++ "disabling it now.") ++ log.debug1("AllowZoneDrifting is set to '%s'", ++ self._allow_zone_drifting) ++ + self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) + + self._select_firewall_backend(self._firewall_backend) +diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py +index 9e2205f93d63..7c7092120676 100644 +--- a/src/firewall/core/io/firewalld_conf.py ++++ b/src/firewall/core/io/firewalld_conf.py +@@ -28,10 +28,10 @@ from firewall import config + from firewall.core.logger import log + from firewall.functions import b2u, u2b, PY2 + +-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", ++valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", + "IPv6_rpfilter", "IndividualCalls", "LogDenied", + "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload", +- "RFC3964_IPv4" ] ++ "RFC3964_IPv4", "AllowZoneDrifting" ] + + class firewalld_conf(object): + def __init__(self, filename): +@@ -83,6 +83,7 @@ class firewalld_conf(object): + self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND) + self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no") + self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no") ++ self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no") + raise + + for line in f: +@@ -202,6 +203,14 @@ class firewalld_conf(object): + config.FALLBACK_RFC3964_IPV4) + self.set("RFC3964_IPv4", str(config.FALLBACK_RFC3964_IPV4)) + ++ value = self.get("AllowZoneDrifting") ++ if not value or value.lower() not in [ "yes", "true", "no", "false" ]: ++ if value is not None: ++ log.warning("AllowZoneDrifting '%s' is not valid, using default " ++ "value %s", value if value else '', ++ config.FALLBACK_ALLOW_ZONE_DRIFTING) ++ self.set("AllowZoneDrifting", str(config.FALLBACK_ALLOW_ZONE_DRIFTING)) ++ + # save to self.filename if there are key/value changes + def write(self): + if 
len(self._config) < 1: +diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py +index 1c35f5663d29..b3e193d7e468 100644 +--- a/src/firewall/server/config.py ++++ b/src/firewall/server/config.py +@@ -107,6 +107,7 @@ class FirewallDConfig(slip.dbus.service.Object): + "FirewallBackend": "readwrite", + "FlushAllOnReload": "readwrite", + "RFC3964_IPv4": "readwrite", ++ "AllowZoneDrifting": "readwrite", + }) + + @handle_exceptions +@@ -487,7 +488,8 @@ class FirewallDConfig(slip.dbus.service.Object): + if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit", + "Lockdown", "IPv6_rpfilter", "IndividualCalls", + "LogDenied", "AutomaticHelpers", "FirewallBackend", +- "FlushAllOnReload", "RFC3964_IPv4" ]: ++ "FlushAllOnReload", "RFC3964_IPv4", ++ "AllowZoneDrifting" ]: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " + "Property '%s' does not exist" % prop) +@@ -540,6 +542,10 @@ class FirewallDConfig(slip.dbus.service.Object): + if value is None: + value = "yes" if config.FALLBACK_RFC3964_IPV4 else "no" + return dbus.String(value) ++ elif prop == "AllowZoneDrifting": ++ if value is None: ++ value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no" ++ return dbus.String(value) + + @dbus_handle_exceptions + def _get_dbus_property(self, prop): +@@ -565,6 +571,8 @@ class FirewallDConfig(slip.dbus.service.Object): + return dbus.String(self._get_property(prop)) + elif prop == "RFC3964_IPv4": + return dbus.String(self._get_property(prop)) ++ elif prop == "AllowZoneDrifting": ++ return dbus.String(self._get_property(prop)) + else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " +@@ -605,7 +613,8 @@ class FirewallDConfig(slip.dbus.service.Object): + for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", + "Lockdown", "IPv6_rpfilter", "IndividualCalls", + "LogDenied", "AutomaticHelpers", "FirewallBackend", +- "FlushAllOnReload", "RFC3964_IPv4" ]: ++ "FlushAllOnReload", 
"RFC3964_IPv4", ++ "AllowZoneDrifting" ]: + ret[x] = self._get_property(x) + elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, + config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: +@@ -633,7 +642,7 @@ class FirewallDConfig(slip.dbus.service.Object): + "IPv6_rpfilter", "IndividualCalls", + "LogDenied", "AutomaticHelpers", + "FirewallBackend", "FlushAllOnReload", +- "RFC3964_IPv4" ]: ++ "RFC3964_IPv4", "AllowZoneDrifting" ]: + if property_name == "MinimalMark": + try: + int(new_value) +@@ -677,6 +686,11 @@ class FirewallDConfig(slip.dbus.service.Object): + raise FirewallError(errors.INVALID_VALUE, + "'%s' for %s" % \ + (new_value, property_name)) ++ if property_name == "AllowZoneDrifting": ++ if new_value.lower() not in ["yes", "true", "no", "false"]: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ ++ (new_value, property_name)) + + self.config.get_firewalld_conf().set(property_name, new_value) + self.config.get_firewalld_conf().write() +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 06f6df9bdd70..35aead759a9c 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -4,6 +4,7 @@ AT_KEYWORDS(dbus) + dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
+ IF_HOST_SUPPORTS_NFT_FIB([ + DBUS_GETALL([config], [config], 0, [dnl ++string "AllowZoneDrifting" : variant string "no" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +@@ -17,6 +18,7 @@ string "MinimalMark" : variant int32 100 + string "RFC3964_IPv4" : variant string "yes" + ])], [ + DBUS_GETALL([config], [config], 0, [dnl ++string "AllowZoneDrifting" : variant string "no" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +@@ -49,6 +51,7 @@ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"]) + _helper([FlushAllOnReload], [string:"no"], [variant string "no"]) + _helper([CleanupOnExit], [string:"yes"], [variant string "yes"]) + _helper([RFC3964_IPv4], [string:"no"], [variant string "no"]) ++_helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"]) + dnl Note: DefaultZone is RO + m4_undefine([_helper]) + +-- +2.23.0 + diff --git a/SOURCES/0031-feat-nftables-support-AllowZoneDrifting-yes.patch b/SOURCES/0031-feat-nftables-support-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..61cc337 --- /dev/null +++ b/SOURCES/0031-feat-nftables-support-AllowZoneDrifting-yes.patch 
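Review bot: In the `fw.py` hunk the new parsing is fail-open: any `AllowZoneDrifting` value other than `no`/`false` switches the insecure behaviour on, whereas `firewalld_conf.py` and `server/config.py` in this same patch accept only `yes`/`true`/`no`/`false`. Test for the enabling values instead, `if value.lower() in [ "yes", "true" ]:`, keep the warning in that branch and put `self._allow_zone_drifting = False` in the `else`, so a value that slips past validation leaves drifting off. Separately, the invalid-value fallback in `firewalld_conf.py` stores `str(config.FALLBACK_ALLOW_ZONE_DRIFTING)`, i.e. `False`, while the earlier fallback block in that file (the one ending in `raise`) and the D-Bus getter use `yes`/`no`. Storing `"yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no"` there would presumably keep what D-Bus returns within the documented value set. The enclosing functions begin and end outside these hunks.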
@@ -0,0 +1,177 @@ +From 8d480dea4b3fd4ecce20c1569d000cb999dd50f6 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 14:37:31 -0500 +Subject: [PATCH 31/37] feat: nftables: support AllowZoneDrifting=yes + +(cherry picked from commit 517a061c5886f2ebfb4aa7d73804aa7f3c5a3004) +(cherry picked from commit 92c5926bb9e493545f8d949ba00cbf72e4c7f202) +--- + src/firewall/core/nftables.py | 91 ++++++++++++++++++++--------------- + 1 file changed, 52 insertions(+), 39 deletions(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index cb8521fb7a5a..c8e893b5dbf6 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -208,8 +208,11 @@ class nftables(object): + + index = zone_source_index_cache[family].index(zone_source) + else: +- index = len(zone_source_index_cache[family]) +- ++ if self._fw._allow_zone_drifting: ++ index = 0 ++ else: ++ index = len(zone_source_index_cache[family]) ++ + _verb_snippet = rule[verb] + del rule[verb] + if index == 0: +@@ -506,13 +509,14 @@ class nftables(object): + "prio": IPTABLES_TO_NFT_HOOK["raw"][chain][1]}}}) + + for chain in ["PREROUTING"]: +- default_rules.append({"add": {"chain": {"family": "inet", +- "table": TABLE_NAME, +- "name": "raw_%s_ZONES" % chain}}}) +- default_rules.append({"add": {"rule": {"family": "inet", +- "table": TABLE_NAME, +- "chain": "raw_%s" % chain, +- "expr": [{"jump": {"target": "raw_%s_ZONES" % chain}}]}}}) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append({"add": {"chain": {"family": "inet", ++ "table": TABLE_NAME, ++ "name": "raw_%s_%s" % (chain, dispatch_suffix)}}}) ++ default_rules.append({"add": {"rule": {"family": "inet", ++ "table": TABLE_NAME, ++ "chain": "raw_%s" % chain, ++ "expr": [{"jump": {"target": "raw_%s_%s" % (chain, dispatch_suffix)}}]}}}) + + for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys(): + default_rules.append({"add": {"chain": {"family": 
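Review bot: The added `index = 0` branch has no comment explaining why the offset past the source rules is dropped when `self._fw._allow_zone_drifting` is set. Judging from the last hunk of this patch, source rules appear to go to a separate `*_ZONES_SOURCE` chain in that mode, so nothing precedes the remaining rules in `*_ZONES`. A one-line comment such as `# drifting: source rules live in *_ZONES_SOURCE, so insert at the top of *_ZONES` would record that. The same uncommented branch is added to ipXtables.py in the hunk at -323,8. The enclosing function starts outside the hunk, so the meaning of the `else` arm is inferred.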
"inet", +@@ -521,13 +525,14 @@ class nftables(object): + "type": "filter", + "hook": "%s" % IPTABLES_TO_NFT_HOOK["mangle"][chain][0], + "prio": IPTABLES_TO_NFT_HOOK["mangle"][chain][1]}}}) +- default_rules.append({"add": {"chain": {"family": "inet", +- "table": TABLE_NAME, +- "name": "mangle_%s_ZONES" % chain}}}) +- default_rules.append({"add": {"rule": {"family": "inet", +- "table": TABLE_NAME, +- "chain": "mangle_%s" % chain, +- "expr": [{"jump": {"target": "mangle_%s_ZONES" % chain}}]}}}) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append({"add": {"chain": {"family": "inet", ++ "table": TABLE_NAME, ++ "name": "mangle_%s_%s" % (chain, dispatch_suffix)}}}) ++ default_rules.append({"add": {"rule": {"family": "inet", ++ "table": TABLE_NAME, ++ "chain": "mangle_%s" % chain, ++ "expr": [{"jump": {"target": "mangle_%s_%s" % (chain, dispatch_suffix)}}]}}}) + + for family in ["ip", "ip6"]: + for chain in IPTABLES_TO_NFT_HOOK["nat"].keys(): +@@ -537,13 +542,15 @@ class nftables(object): + "type": "nat", + "hook": "%s" % IPTABLES_TO_NFT_HOOK["nat"][chain][0], + "prio": IPTABLES_TO_NFT_HOOK["nat"][chain][1]}}}) +- default_rules.append({"add": {"chain": {"family": family, +- "table": TABLE_NAME, +- "name": "nat_%s_ZONES" % chain}}}) +- default_rules.append({"add": {"rule": {"family": family, +- "table": TABLE_NAME, +- "chain": "nat_%s" % chain, +- "expr": [{"jump": {"target": "nat_%s_ZONES" % chain}}]}}}) ++ ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append({"add": {"chain": {"family": family, ++ "table": TABLE_NAME, ++ "name": "nat_%s_%s" % (chain, dispatch_suffix)}}}) ++ default_rules.append({"add": {"rule": {"family": family, ++ "table": TABLE_NAME, ++ "chain": "nat_%s" % chain, ++ "expr": [{"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}]}}}) + + for chain in IPTABLES_TO_NFT_HOOK["filter"].keys(): + 
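Review bot: The expression `["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]` is written out again in every dispatch loop of this patch (raw, mangle, nat, filter INPUT and filter FORWARD) and once more in each loop of the ipXtables.py patch. Binding it once near the top of the function, `dispatch_suffixes = ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]`, and looping with `for dispatch_suffix in dispatch_suffixes:` keeps the list in one place. The order of that list decides whether source dispatch or interface dispatch sees a packet first, so a single definition is easier to audit than several copies. The function body starts outside these hunks.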
default_rules.append({"add": {"chain": {"family": "inet", +@@ -554,9 +561,6 @@ class nftables(object): + "prio": IPTABLES_TO_NFT_HOOK["filter"][chain][1]}}}) + + # filter, INPUT +- default_rules.append({"add": {"chain": {"family": "inet", +- "table": TABLE_NAME, +- "name": "filter_%s_ZONES" % "INPUT"}}}) + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "filter_%s" % "INPUT", +@@ -578,10 +582,14 @@ class nftables(object): + "op": "==", + "right": "lo"}}, + {"accept": None}]}}}) +- default_rules.append({"add": {"rule": {"family": "inet", +- "table": TABLE_NAME, +- "chain": "filter_%s" % "INPUT", +- "expr": [{"jump": {"target": "filter_%s_ZONES" % "INPUT"}}]}}}) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append({"add": {"chain": {"family": "inet", ++ "table": TABLE_NAME, ++ "name": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}}) ++ default_rules.append({"add": {"rule": {"family": "inet", ++ "table": TABLE_NAME, ++ "chain": "filter_%s" % "INPUT", ++ "expr": [{"jump": {"target": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}]}}}) + if log_denied != "off": + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, +@@ -610,10 +618,6 @@ class nftables(object): + "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}) + + # filter, FORWARD +- for direction in ["IN", "OUT"]: +- default_rules.append({"add": {"chain": {"family": "inet", +- "table": TABLE_NAME, +- "name": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}}) + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "filter_%s" % "FORWARD", +@@ -636,10 +640,14 @@ class nftables(object): + "right": "lo"}}, + {"accept": None}]}}}) + for direction in ["IN", "OUT"]: +- default_rules.append({"add": {"rule": {"family": "inet", +- "table": TABLE_NAME, +- "chain": "filter_%s" % "FORWARD", +- "expr": [{"jump": {"target": 
"filter_%s_%s_ZONES" % ("FORWARD", direction)}}]}}}) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append({"add": {"chain": {"family": "inet", ++ "table": TABLE_NAME, ++ "name": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}}) ++ default_rules.append({"add": {"rule": {"family": "inet", ++ "table": TABLE_NAME, ++ "chain": "filter_%s" % "FORWARD", ++ "expr": [{"jump": {"target": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}]}}}) + if log_denied != "off": + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, +@@ -778,12 +786,17 @@ class nftables(object): + "OUTPUT": "daddr", + }[chain] + ++ if self._fw._allow_zone_drifting: ++ zone_dispatch_chain = "%s_%s_ZONES_SOURCE" % (table, chain) ++ else: ++ zone_dispatch_chain = "%s_%s_ZONES" % (table, chain) ++ + target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) + action = "goto" + + rule = {"family": family, + "table": TABLE_NAME, +- "chain": "%s_%s_ZONES" % (table, chain), ++ "chain": zone_dispatch_chain, + "expr": [self._rule_addr_fragment(opt, address), + {action: {"target": "%s_%s" % (table, target)}}]} + rule.update(self._zone_source_fragment(zone, address)) +-- +2.23.0 + diff --git a/SOURCES/0032-feat-ipXtables-support-AllowZoneDrifting-yes.patch b/SOURCES/0032-feat-ipXtables-support-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..aa51237 --- /dev/null +++ b/SOURCES/0032-feat-ipXtables-support-AllowZoneDrifting-yes.patch 
@@ -0,0 +1,178 @@ +From e6a56f32e2eced533a8edbc97652de6b436df63a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 16:16:59 -0500 +Subject: [PATCH 32/37] feat: ipXtables: support AllowZoneDrifting=yes + +(cherry picked from commit 1f7b5ffcd40daf2a7f2ef1ec0cccb95080e74fb6) +(cherry picked from commit c6b6ab1c0625bfd906a7783e3924b676b514cf6b) +--- + src/firewall/core/ipXtables.py | 93 +++++++++++++++++++--------------- + 1 file changed, 51 insertions(+), 42 deletions(-) + +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index 973bf5bbae04..61c307d0e05a 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -323,8 +323,11 @@ class ip4tables(object): + + index = zone_source_index_cache.index(zone_source) + else: +- index = len(zone_source_index_cache) +- ++ if self._fw._allow_zone_drifting: ++ index = 0 ++ else: ++ index = len(zone_source_index_cache) ++ + rule[0] = "-I" + rule.insert(2, "%d" % (index + 1)) + +@@ -666,9 +669,10 @@ class ip4tables(object): + self.our_chains["raw"].add("%s_direct" % chain) + + if chain == "PREROUTING": +- default_rules["raw"].append("-N %s_ZONES" % chain) +- default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain)) +- self.our_chains["raw"].update(set(["%s_ZONES" % chain])) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["raw"].append("-N %s_%s" % (chain, dispatch_suffix)) ++ default_rules["raw"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix)) ++ self.our_chains["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)])) + + if self.get_available_tables("mangle"): + default_rules["mangle"] = [ ] +@@ -679,9 +683,10 @@ class ip4tables(object): + self.our_chains["mangle"].add("%s_direct" % chain) + + if chain == "PREROUTING": +- default_rules["mangle"].append("-N %s_ZONES" % chain) +- default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain)) +- 
self.our_chains["mangle"].update(set(["%s_ZONES" % chain])) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["mangle"].append("-N %s_%s" % (chain, dispatch_suffix)) ++ default_rules["mangle"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix)) ++ self.our_chains["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)])) + + if self.get_available_tables("nat"): + default_rules["nat"] = [ ] +@@ -692,19 +697,22 @@ class ip4tables(object): + self.our_chains["nat"].add("%s_direct" % chain) + + if chain in [ "PREROUTING", "POSTROUTING" ]: +- default_rules["nat"].append("-N %s_ZONES" % chain) +- default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain)) +- self.our_chains["nat"].update(set(["%s_ZONES" % chain])) +- +- default_rules["filter"] = [ +- "-N INPUT_direct", +- "-N INPUT_ZONES", +- +- "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT", +- "-A INPUT -i lo -j ACCEPT", +- "-A INPUT -j INPUT_direct", +- "-A INPUT -j INPUT_ZONES", +- ] ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["nat"].append("-N %s_%s" % (chain, dispatch_suffix)) ++ default_rules["nat"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix)) ++ self.our_chains["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)])) ++ ++ default_rules["filter"] = [] ++ self.our_chains["filter"] = set() ++ default_rules["filter"].append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT") ++ default_rules["filter"].append("-A INPUT -i lo -j ACCEPT") ++ default_rules["filter"].append("-N INPUT_direct") ++ default_rules["filter"].append("-A INPUT -j INPUT_direct") ++ self.our_chains["filter"].update(set("INPUT_direct")) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["filter"].append("-N INPUT_%s" % (dispatch_suffix)) ++ default_rules["filter"].append("-A 
INPUT -j INPUT_%s" % (dispatch_suffix)) ++ self.our_chains["filter"].update(set("INPUT_%s" % (dispatch_suffix))) + if log_denied != "off": + default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") + default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP") +@@ -712,17 +720,16 @@ class ip4tables(object): + default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '") + default_rules["filter"].append("-A INPUT -j %%REJECT%%") + +- default_rules["filter"] += [ +- "-N FORWARD_direct", +- "-N FORWARD_IN_ZONES", +- "-N FORWARD_OUT_ZONES", +- +- "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT", +- "-A FORWARD -i lo -j ACCEPT", +- "-A FORWARD -j FORWARD_direct", +- "-A FORWARD -j FORWARD_IN_ZONES", +- "-A FORWARD -j FORWARD_OUT_ZONES", +- ] ++ default_rules["filter"].append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT") ++ default_rules["filter"].append("-A FORWARD -i lo -j ACCEPT") ++ default_rules["filter"].append("-N FORWARD_direct") ++ default_rules["filter"].append("-A FORWARD -j FORWARD_direct") ++ self.our_chains["filter"].update(set("FORWARD_direct")) ++ for direction in ["IN", "OUT"]: ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["filter"].append("-N FORWARD_%s_%s" % (direction, dispatch_suffix)) ++ default_rules["filter"].append("-A FORWARD -j FORWARD_%s_%s" % (direction, dispatch_suffix)) ++ self.our_chains["filter"].update(set("FORWARD_%s_%s" % (direction, dispatch_suffix))) + if log_denied != "off": + default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") + default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP") +@@ -736,10 +743,7 @@ class ip4tables(object): + "-A OUTPUT -o lo -j ACCEPT", + "-A OUTPUT -j 
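Review bot: `set("INPUT_direct")` builds a set of the string's individual characters, so `self.our_chains["filter"]` ends up holding single letters instead of the chain name. The removed code passed a list (`set(["INPUT_direct", ...])`), and the raw, mangle and nat loops in this same patch still do. The same mistake recurs for `set("INPUT_%s" % (dispatch_suffix))`, for `FORWARD_direct` and `FORWARD_%s_%s` in the next hunk, and for `OUTPUT_direct` in the hunk at -736,10. Use `self.our_chains["filter"].add("INPUT_direct")` and `self.our_chains["filter"].add("INPUT_%s" % dispatch_suffix)`, and likewise for the others. Any code that consults `our_chains` to recognise firewalld's own filter chains would then miss all of them; that consumer is outside the hunk.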
OUTPUT_direct", + ] +- +- self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES", +- "FORWARD_direct", "FORWARD_IN_ZONES", +- "FORWARD_OUT_ZONES", "OUTPUT_direct"]) ++ self.our_chains["filter"].update(set("OUTPUT_direct")) + + final_default_rules = [] + for table in default_rules: +@@ -805,6 +809,11 @@ class ip4tables(object): + "OUTPUT": "-d", + }[chain] + ++ if self._fw._allow_zone_drifting: ++ zone_dispatch_chain = "%s_ZONES_SOURCE" % (chain) ++ else: ++ zone_dispatch_chain = "%s_ZONES" % (chain) ++ + target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) + action = "-g" + +@@ -815,8 +824,8 @@ class ip4tables(object): + else: + opt = "src" + flags = ",".join([opt] * self._fw.ipset.get_dimension(name)) +- rule = [ add_del, +- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, ++ rule = [ add_del, zone_dispatch_chain, ++ "%%ZONE_SOURCE%%", zone, + "-t", table, + "-m", "set", "--match-set", name, + flags, action, target ] +@@ -825,14 +834,14 @@ class ip4tables(object): + # outgoing can not be set + if opt == "-d": + return "" +- rule = [ add_del, +- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, ++ rule = [ add_del, zone_dispatch_chain, ++ "%%ZONE_SOURCE%%", zone, + "-t", table, + "-m", "mac", "--mac-source", address.upper(), + action, target ] + else: +- rule = [ add_del, +- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, ++ rule = [ add_del, zone_dispatch_chain, ++ "%%ZONE_SOURCE%%", zone, + "-t", table, + opt, address, action, target ] + return [rule] +-- +2.23.0 + diff --git a/SOURCES/0033-test-verify-AllowZoneDrifting-yes.patch b/SOURCES/0033-test-verify-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..1074b92 --- /dev/null +++ b/SOURCES/0033-test-verify-AllowZoneDrifting-yes.patch 
@@ -0,0 +1,939 @@ +From 3e3369ef14f4eba22a5c37113ba6d5e19c7ebc24 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 16:49:14 -0500 +Subject: [PATCH 33/37] test: verify AllowZoneDrifting=yes + +Verify the zone dispatch layout. + +(cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1) +(cherry picked from commit 8f9ba9bc80f039408992e1b780bca0beab8bd92c) +--- + src/tests/regression/gh258.at | 536 +++++++++++++++++++++++++--- + src/tests/regression/rhbz1734765.at | 180 +++++++++- + 2 files changed, 671 insertions(+), 45 deletions(-) + +diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at +index 4bbea4c25442..d414c611fa26 100644 +--- a/src/tests/regression/gh258.at ++++ b/src/tests/regression/gh258.at +@@ -1,12 +1,15 @@ + FWD_START_TEST([zone dispatch layout]) +-AT_KEYWORDS(zone gh258 gh441 rhbz1713823) ++AT_KEYWORDS(zone gh258 gh441 rhbz1713823 rhbz1772208 rhbz1796055) + +-FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore) ++FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore) + IF_HOST_SUPPORTS_IPV6_RULES([ +-FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore) ++FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore) + ]) +-FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore) +-FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore) ++FWD_CHECK([--permanent --zone=trusted --add-interface=dummy0], 0, ignore) ++FWD_CHECK([--permanent --zone=public --add-interface=dummy1], 0, ignore) ++ ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD + + dnl verify layout of zone dispatch + NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl +@@ -25,9 +28,9 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl + table inet firewalld { + chain filter_INPUT_ZONES { + ip6 saddr dead:beef::/54 goto filter_IN_public +- ip saddr 1.2.3.0/24 goto filter_IN_work ++ ip saddr 1.2.3.0/24 goto filter_IN_trusted ++ 
iifname "dummy0" goto filter_IN_trusted + iifname "dummy1" goto filter_IN_public +- iifname "dummy0" goto filter_IN_work + goto filter_IN_public + } + } +@@ -50,9 +53,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl + table inet firewalld { + chain filter_FORWARD_IN_ZONES { + ip6 saddr dead:beef::/54 goto filter_FWDI_public +- ip saddr 1.2.3.0/24 goto filter_FWDI_work ++ ip saddr 1.2.3.0/24 goto filter_FWDI_trusted ++ iifname "dummy0" goto filter_FWDI_trusted + iifname "dummy1" goto filter_FWDI_public +- iifname "dummy0" goto filter_FWDI_work + goto filter_FWDI_public + } + } +@@ -61,9 +64,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl + table inet firewalld { + chain filter_FORWARD_OUT_ZONES { + ip6 daddr dead:beef::/54 goto filter_FWDO_public +- ip daddr 1.2.3.0/24 goto filter_FWDO_work ++ ip daddr 1.2.3.0/24 goto filter_FWDO_trusted ++ oifname "dummy0" goto filter_FWDO_trusted + oifname "dummy1" goto filter_FWDO_public +- oifname "dummy0" goto filter_FWDO_work + goto filter_FWDO_public + } + } +@@ -91,9 +94,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl + table inet firewalld { + chain raw_PREROUTING_ZONES { + ip6 saddr dead:beef::/54 goto raw_PRE_public +- ip saddr 1.2.3.0/24 goto raw_PRE_work ++ ip saddr 1.2.3.0/24 goto raw_PRE_trusted ++ iifname "dummy0" goto raw_PRE_trusted + iifname "dummy1" goto raw_PRE_public +- iifname "dummy0" goto raw_PRE_work + goto raw_PRE_public + } + } +@@ -109,9 +112,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl + table inet firewalld { + chain mangle_PREROUTING_ZONES { + ip6 saddr dead:beef::/54 goto mangle_PRE_public +- ip saddr 1.2.3.0/24 goto mangle_PRE_work ++ ip saddr 1.2.3.0/24 goto mangle_PRE_trusted ++ iifname "dummy0" goto mangle_PRE_trusted + iifname "dummy1" goto mangle_PRE_public +- iifname "dummy0" goto mangle_PRE_work + goto mangle_PRE_public + } + } +@@ -126,9 +129,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl + NFT_LIST_RULES([ip], 
[nat_PREROUTING_ZONES], 0, [dnl + table ip firewalld { + chain nat_PREROUTING_ZONES { +- ip saddr 1.2.3.0/24 goto nat_PRE_work ++ ip saddr 1.2.3.0/24 goto nat_PRE_trusted ++ iifname "dummy0" goto nat_PRE_trusted + iifname "dummy1" goto nat_PRE_public +- iifname "dummy0" goto nat_PRE_work + goto nat_PRE_public + } + } +@@ -143,9 +146,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl + NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl + table ip firewalld { + chain nat_POSTROUTING_ZONES { +- ip daddr 1.2.3.0/24 goto nat_POST_work ++ ip daddr 1.2.3.0/24 goto nat_POST_trusted ++ oifname "dummy0" goto nat_POST_trusted + oifname "dummy1" goto nat_POST_public +- oifname "dummy0" goto nat_POST_work + goto nat_POST_public + } + } +@@ -161,8 +164,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl + table ip6 firewalld { + chain nat_PREROUTING_ZONES { + ip6 saddr dead:beef::/54 goto nat_PRE_public ++ iifname "dummy0" goto nat_PRE_trusted + iifname "dummy1" goto nat_PRE_public +- iifname "dummy0" goto nat_PRE_work + goto nat_PRE_public + } + } +@@ -178,8 +181,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl + table ip6 firewalld { + chain nat_POSTROUTING_ZONES { + ip6 daddr dead:beef::/54 goto nat_POST_public ++ oifname "dummy0" goto nat_POST_trusted + oifname "dummy1" goto nat_POST_public +- oifname "dummy0" goto nat_POST_work + goto nat_POST_public + } + } +@@ -194,9 +197,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl + REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited + ]) + IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, +- [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl +@@ -209,15 +212,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl 
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited + ]) + IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, +- [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, +- [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl +@@ -225,9 +228,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, +- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl +@@ -235,9 +238,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, +- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl +@@ -245,9 +248,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl + PREROUTING_ZONES all -- 0.0.0.0/0 
0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, +- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl +@@ -255,9 +258,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl + POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, +- [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + +@@ -271,8 +274,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl + ]) + IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_public all dead:beef::/54 ::/0 [goto] ++ IN_trusted all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] +- IN_work all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl +@@ -287,14 +290,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl + ]) + IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, + [[FWDI_public all dead:beef::/54 ::/0 [goto] ++ FWDI_trusted all ::/0 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] +- FWDI_work all ::/0 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, + [[FWDO_public all ::/0 dead:beef::/54 [goto] ++ FWDO_trusted all ::/0 ::/0 [goto] + FWDO_public all ::/0 ::/0 [goto] +- FWDO_work all ::/0 ::/0 [goto] + FWDO_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl +@@ -306,8 +309,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([raw], 
[PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] ++ PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +- PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl +@@ -316,8 +319,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] ++ PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +- PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl +@@ -326,8 +329,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] ++ PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +- PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl +@@ -336,9 +339,456 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_public all ::/0 dead:beef::/54 [goto] ++ POST_trusted all ::/0 ::/0 [goto] ++ POST_public all ::/0 ::/0 [goto] ++ POST_public all ::/0 ::/0 [goto] ++]]) ++ ++dnl ########################################################################## ++dnl ########################################################################## ++dnl We also support zone drifting in which source based zones fall through to ++dnl interface based zones (including default zone). 
++dnl ########################################################################## ++dnl ########################################################################## ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf]) ++FWD_RELOAD ++ ++NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT { ++ ct state established,related accept ++ ct status dnat accept ++ iifname "lo" accept ++ jump filter_INPUT_ZONES_SOURCE ++ jump filter_INPUT_ZONES ++ ct state invalid drop ++ reject with icmpx type admin-prohibited ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto filter_IN_public ++ ip saddr 1.2.3.0/24 goto filter_IN_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES { ++ iifname "dummy0" goto filter_IN_trusted ++ iifname "dummy1" goto filter_IN_public ++ goto filter_IN_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD { ++ ct state established,related accept ++ ct status dnat accept ++ iifname "lo" accept ++ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable ++ jump filter_FORWARD_IN_ZONES_SOURCE ++ jump filter_FORWARD_IN_ZONES ++ jump filter_FORWARD_OUT_ZONES_SOURCE ++ jump filter_FORWARD_OUT_ZONES ++ ct state invalid drop ++ reject with icmpx type admin-prohibited ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD_IN_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto filter_FWDI_public ++ ip saddr 1.2.3.0/24 goto filter_FWDI_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl ++ table inet 
firewalld { ++ chain filter_FORWARD_IN_ZONES { ++ iifname "dummy0" goto filter_FWDI_trusted ++ iifname "dummy1" goto filter_FWDI_public ++ goto filter_FWDI_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD_OUT_ZONES_SOURCE { ++ ip6 daddr dead:beef::/54 goto filter_FWDO_public ++ ip daddr 1.2.3.0/24 goto filter_FWDO_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD_OUT_ZONES { ++ oifname "dummy0" goto filter_FWDO_trusted ++ oifname "dummy1" goto filter_FWDO_public ++ goto filter_FWDO_public ++ } ++ } ++]) ++IF_HOST_SUPPORTS_NFT_FIB([ ++ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING { ++ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept ++ meta nfproto ipv6 fib saddr . iif oif missing drop ++ jump raw_PREROUTING_ZONES_SOURCE ++ jump raw_PREROUTING_ZONES ++ } ++ } ++ ]) ++], [ ++ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING { ++ jump raw_PREROUTING_ZONES_SOURCE ++ jump raw_PREROUTING_ZONES ++ } ++ } ++ ]) ++]) ++NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto raw_PRE_public ++ ip saddr 1.2.3.0/24 goto raw_PRE_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING_ZONES { ++ iifname "dummy0" goto raw_PRE_trusted ++ iifname "dummy1" goto raw_PRE_public ++ goto raw_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl ++ table inet firewalld { ++ chain mangle_PREROUTING { ++ jump mangle_PREROUTING_ZONES_SOURCE ++ jump mangle_PREROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain 
mangle_PREROUTING_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto mangle_PRE_public ++ ip saddr 1.2.3.0/24 goto mangle_PRE_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl ++ table inet firewalld { ++ chain mangle_PREROUTING_ZONES { ++ iifname "dummy0" goto mangle_PRE_trusted ++ iifname "dummy1" goto mangle_PRE_public ++ goto mangle_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl ++ table ip firewalld { ++ chain nat_PREROUTING { ++ jump nat_PREROUTING_ZONES_SOURCE ++ jump nat_PREROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table ip firewalld { ++ chain nat_PREROUTING_ZONES_SOURCE { ++ ip saddr 1.2.3.0/24 goto nat_PRE_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl ++ table ip firewalld { ++ chain nat_PREROUTING_ZONES { ++ iifname "dummy0" goto nat_PRE_trusted ++ iifname "dummy1" goto nat_PRE_public ++ goto nat_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING { ++ jump nat_POSTROUTING_ZONES_SOURCE ++ jump nat_POSTROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip daddr 1.2.3.0/24 goto nat_POST_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "dummy0" goto nat_POST_trusted ++ oifname "dummy1" goto nat_POST_public ++ goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl ++ table ip6 firewalld { ++ chain nat_PREROUTING { ++ jump nat_PREROUTING_ZONES_SOURCE ++ jump nat_PREROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table ip6 firewalld { ++ chain nat_PREROUTING_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto nat_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], 
[nat_PREROUTING_ZONES], 0, [dnl ++ table ip6 firewalld { ++ chain nat_PREROUTING_ZONES { ++ iifname "dummy0" goto nat_PRE_trusted ++ iifname "dummy1" goto nat_PRE_public ++ goto nat_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING { ++ jump nat_POSTROUTING_ZONES_SOURCE ++ jump nat_POSTROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip6 daddr dead:beef::/54 goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "dummy0" goto nat_POST_trusted ++ oifname "dummy1" goto nat_POST_public ++ goto nat_POST_public ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ++ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ++]) ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++ DROP all -- 0.0.0.0/0 0.0.0.0/0 
ctstate INVALID ++ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ++]) ++IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0, ++ [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, ++ [[FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0, ++ [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, ++ [[FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl ++ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl ++ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl ++ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES all -- 
0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl ++ POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, ++ [[POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++ ++IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl ++ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT ++ ACCEPT all ::/0 ::/0 ++ INPUT_direct all ::/0 ::/0 ++ INPUT_ZONES_SOURCE all ::/0 ::/0 ++ INPUT_ZONES all ::/0 ::/0 ++ DROP all ::/0 ::/0 ctstate INVALID ++ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ++]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_trusted all ::/0 ::/0 [goto] ++ IN_public all ::/0 ::/0 [goto] ++ IN_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl ++ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT ++ ACCEPT all ::/0 ::/0 ++ FORWARD_direct all ::/0 ::/0 ++ RFC3964_IPv4 all ::/0 ::/0 ++ FORWARD_IN_ZONES_SOURCE all ::/0 ::/0 ++ FORWARD_IN_ZONES all ::/0 ::/0 ++ FORWARD_OUT_ZONES_SOURCE all ::/0 ::/0 ++ FORWARD_OUT_ZONES all ::/0 ::/0 ++ DROP all ::/0 ::/0 ctstate INVALID ++ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ++]) ++IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0, ++ 
[[FWDI_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, ++ [[FWDI_trusted all ::/0 ::/0 [goto] ++ FWDI_public all ::/0 ::/0 [goto] ++ FWDI_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0, ++ [[FWDO_public all ::/0 dead:beef::/54 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, ++ [[FWDO_trusted all ::/0 ::/0 [goto] ++ FWDO_public all ::/0 ::/0 [goto] ++ FWDO_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134 ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135 ++ DROP all ::/0 ::/0 rpfilter invert ++ PREROUTING_direct all ::/0 ::/0 ++ PREROUTING_ZONES_SOURCE all ::/0 ::/0 ++ PREROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl ++ PREROUTING_direct all ::/0 ::/0 ++ PREROUTING_ZONES_SOURCE all ::/0 ::/0 ++ PREROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl ++ PREROUTING_direct all ::/0 ::/0 ++ PREROUTING_ZONES_SOURCE all ::/0 ::/0 ++ PREROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++]]) 
++IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl ++ POSTROUTING_direct all ::/0 ::/0 ++ POSTROUTING_ZONES_SOURCE all ::/0 ::/0 ++ POSTROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_public all ::/0 dead:beef::/54 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, ++ [[POST_trusted all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] +- POST_work all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] + ]]) + +-FWD_END_TEST ++FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d']) +diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at +index 972457e3126e..bb054bdb0361 100644 +--- a/src/tests/regression/rhbz1734765.at ++++ b/src/tests/regression/rhbz1734765.at +@@ -1,9 +1,12 @@ + FWD_START_TEST([zone sources ordered by name]) +-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545) ++AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545 rhbz1772208 rhbz1796055) + dnl + dnl Users depend on firewalld ordering source-based zone dispatch by zone name. + dnl + ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + FWD_CHECK([-q --permanent --new-zone=foobar_00]) + FWD_CHECK([-q --permanent --new-zone=foobar_05]) + FWD_CHECK([-q --permanent --new-zone=foobar_02]) +@@ -196,4 +199,177 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + POST_public all ::/0 ::/0 [goto] + ]]) + +-FWD_END_TEST ++dnl ########################################################################## ++dnl ########################################################################## ++dnl We also support zone drifting in which source based zones fall through to ++dnl interface based zones (including default zone). So make sure the zones are ++dnl sorted by name in this mode. 
++dnl ########################################################################## ++dnl ########################################################################## ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf]) ++FWD_RELOAD ++ ++FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"]) ++FWD_CHECK([-q --zone=public --add-source="20.20.20.20"]) ++IF_HOST_SUPPORTS_IPV6_RULES([ ++FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"]) ++FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"]) ++FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6]) ++]) ++FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2]) ++ ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES_SOURCE { ++ ip saddr 10.1.1.1 goto filter_IN_foobar_00 ++ ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00 ++ ip saddr 10.1.1.0/24 goto filter_IN_foobar_01 ++ ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01 ++ ip saddr 10.10.10.10 goto filter_IN_foobar_010 ++ ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010 ++ ip saddr @ipsetv4 goto filter_IN_foobar_011 ++ ip6 saddr @ipsetv6 goto filter_IN_foobar_012 ++ ip saddr 10.1.0.0/16 goto filter_IN_foobar_02 ++ ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02 ++ ip saddr 10.2.2.0/24 goto filter_IN_foobar_03 ++ ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03 ++ ip saddr 10.2.0.0/16 goto filter_IN_foobar_04 ++ ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04 ++ ip saddr 10.0.0.0/8 goto filter_IN_foobar_05 ++ ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05 ++ ip saddr 20.20.20.20 goto filter_IN_public ++ ip6 saddr 1234:5678::20:20:20 goto filter_IN_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES { ++ iifname "foobar2" goto filter_IN_foobar_010 ++ iifname "foobar1" goto filter_IN_trusted ++ iifname "foobar0" goto 
filter_IN_internal ++ goto filter_IN_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip daddr 10.1.1.1 goto nat_POST_foobar_00 ++ ip daddr 10.1.1.0/24 goto nat_POST_foobar_01 ++ ip daddr 10.10.10.10 goto nat_POST_foobar_010 ++ ip daddr @ipsetv4 goto nat_POST_foobar_011 ++ ip daddr 10.1.0.0/16 goto nat_POST_foobar_02 ++ ip daddr 10.2.2.0/24 goto nat_POST_foobar_03 ++ ip daddr 10.2.0.0/16 goto nat_POST_foobar_04 ++ ip daddr 10.0.0.0/8 goto nat_POST_foobar_05 ++ ip daddr 20.20.20.20 goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "foobar2" goto nat_POST_foobar_010 ++ oifname "foobar1" goto nat_POST_trusted ++ oifname "foobar0" goto nat_POST_internal ++ goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00 ++ ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01 ++ ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010 ++ ip6 daddr @ipsetv6 goto nat_POST_foobar_012 ++ ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02 ++ ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03 ++ ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04 ++ ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05 ++ ip6 daddr 1234:5678::20:20:20 goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "foobar2" goto nat_POST_foobar_010 ++ oifname "foobar1" goto nat_POST_trusted ++ oifname "foobar0" goto nat_POST_internal ++ goto nat_POST_public ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto] ++ IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto] 
++ IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto] ++ IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src ++ IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto] ++ IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto] ++ IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto] ++ IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto] ++ IN_public all -- 20.20.20.20 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto] ++ IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto] ++ IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto] ++ IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src ++ IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto] ++ IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto] ++ IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto] ++ IN_foobar_05 all 1234:5678::/80 ::/0 [goto] ++ IN_public all 1234:5678::20:20:20 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_foobar_010 all ::/0 ::/0 [goto] ++ IN_trusted all ::/0 ::/0 [goto] ++ IN_internal all ::/0 ::/0 [goto] ++ IN_public all ::/0 ::/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto] ++ POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto] ++ POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto] ++ POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst ++ POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto] ++ POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto] ++ POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto] ++ POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto] ++ POST_public all -- 0.0.0.0/0 20.20.20.20 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, 
++ [[POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto] ++ POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto] ++ POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto] ++ POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst ++ POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto] ++ POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto] ++ POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto] ++ POST_foobar_05 all ::/0 1234:5678::/80 [goto] ++ POST_public all ::/0 1234:5678::20:20:20 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, ++ [[POST_foobar_010 all ::/0 ::/0 [goto] ++ POST_trusted all ::/0 ::/0 [goto] ++ POST_internal all ::/0 ::/0 [goto] ++ POST_public all ::/0 ::/0 [goto] ++]]) ++ ++FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d']) +-- +2.23.0 + diff --git a/SOURCES/0034-chore-test-retab-some-test-cases.patch b/SOURCES/0034-chore-test-retab-some-test-cases.patch new file mode 100644 index 0000000..af2e7bb --- /dev/null +++ b/SOURCES/0034-chore-test-retab-some-test-cases.patch 
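Review bot: Nothing in the second rhbz1734765.at hunk (`@@ -196,4 +199,177 @@`) asserts that drifting mode is actually in effect before the new ordering checks run. `sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/'` exits 0 even when `./firewalld.conf` has no line starting with `AllowZoneDrifting`. The `-e '/WARNING: AllowZoneDrifting is enabled. .../d'` filter passed to `FWD_END_TEST` only removes the warning if it appears, so the section could pass while running with whatever default the daemon uses. The `AllowZoneDrifting=no` sed in the first hunk (`@@ -1,9 +1,12 @@`) has the same blind spot. I would follow each sed with a check ahead of `FWD_RELOAD`, for example `AT_CHECK([grep -q '^AllowZoneDrifting=yes' ./firewalld.conf])` here and the `=no` form in the first hunk.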
@@ -0,0 +1,328 @@ +From 9ffa72e5b9b3d36f8a2b52a3dcaac519f7f08b5e Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 29 Jan 2020 10:56:06 -0500 +Subject: [PATCH 34/37] chore: test: retab some test cases + +Replace leading tabs with spaces. + +(cherry picked from commit 890d8a60893a0c3975b792bcbd3a6c65419a8e8c) +(cherry picked from commit 9b2609406c0f20681bc02f98b24091e8f509e26f) +--- + src/tests/features/helpers_custom.at | 120 +++++++++++++-------------- + src/tests/regression/gh453.at | 68 +++++++-------- + src/tests/regression/rhbz1506742.at | 2 +- + src/tests/regression/rhbz1734765.at | 28 +++---- + 4 files changed, 109 insertions(+), 109 deletions(-) + +diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at +index bf673bd70b33..bd4b52cfb1d6 100644 +--- a/src/tests/features/helpers_custom.at ++++ b/src/tests/features/helpers_custom.at +@@ -33,32 +33,32 @@ ftptest + FWD_CHECK([-q --add-service=ftptest]) + + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +- table inet firewalld { +- chain filter_IN_public_allow { +- tcp dport 22 ct state new,untracked accept +- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept +- tcp dport 9090 ct state new,untracked accept +- tcp dport 2121 ct helper set "helper-ftptest-tcp" +- tcp dport 2121 ct state new,untracked accept +- } +- } ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept ++ tcp dport 2121 ct helper set "helper-ftptest-tcp" ++ tcp dport 2121 ct state new,untracked accept ++ } ++ } + ]) + IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp ++ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED 
+- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp ++ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED +- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED +- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED +- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + + dnl Same thing as above, but with the new "helper" in service. 
+@@ -90,32 +90,32 @@ ftptest + FWD_CHECK([-q --add-service=ftptest]) + + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +- table inet firewalld { +- chain filter_IN_public_allow { +- tcp dport 22 ct state new,untracked accept +- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept +- tcp dport 9090 ct state new,untracked accept +- tcp dport 2121 ct helper set "helper-ftptest-tcp" +- tcp dport 2121 ct state new,untracked accept +- } +- } ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept ++ tcp dport 2121 ct helper set "helper-ftptest-tcp" ++ tcp dport 2121 ct state new,untracked accept ++ } ++ } + ]) + IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp ++ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp ++ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED +- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED +- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED +- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT udp 
::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + + dnl again, but with both "module" and "helper" +@@ -128,38 +128,38 @@ FWD_RELOAD + FWD_CHECK([-q --add-service=ftptest]) + + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +- table inet firewalld { +- chain filter_IN_public_allow { +- tcp dport 22 ct state new,untracked accept +- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept +- tcp dport 9090 ct state new,untracked accept +- tcp dport 21 ct helper set "helper-ftp-tcp" +- tcp dport 2121 ct helper set "helper-ftptest-tcp" +- tcp dport 2121 ct state new,untracked accept +- tcp dport 21 ct state new,untracked accept +- } +- } ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept ++ tcp dport 21 ct helper set "helper-ftp-tcp" ++ tcp dport 2121 ct helper set "helper-ftptest-tcp" ++ tcp dport 2121 ct state new,untracked accept ++ tcp dport 21 ct state new,untracked accept ++ } ++ } + ]) + IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp +- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp ++ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp ++ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED +- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ 
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +- CT tcp ::/0 ::/0 tcp dpt:21 CT helper ftp +- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp ++ CT tcp ::/0 ::/0 tcp dpt:21 CT helper ftp ++ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED +- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED +- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED +- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED +- ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) + + FWD_END_TEST +diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at +index 6d820fce840a..61bc90aae673 100644 +--- a/src/tests/regression/gh453.at ++++ b/src/tests/regression/gh453.at +@@ -8,50 +8,50 @@ FWD_CHECK([-q --set-automatic-helpers=no]) + + FWD_CHECK([-q --add-service=ftp]) + NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-ftp-tcp"], 0, [m4_strip([dnl +- ct helper helper-ftp-tcp { +- type "ftp" protocol tcp +- l3proto inet +- } ++ ct helper helper-ftp-tcp { ++ type "ftp" protocol tcp ++ l3proto inet ++ } + ])]) + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +- table inet firewalld { +- chain filter_IN_public_allow { +- tcp dport 22 ct state new,untracked accept +- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept +- tcp dport 9090 ct state new,untracked accept +- tcp dport 21 ct helper set "helper-ftp-tcp" +- tcp dport 21 ct state new,untracked accept +- } 
+- } ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept ++ tcp dport 21 ct helper set "helper-ftp-tcp" ++ tcp dport 21 ct state new,untracked accept ++ } ++ } + ]) + + FWD_CHECK([-q --add-service=sip]) + NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-tcp"], 0, [m4_strip([dnl +- ct helper helper-sip-tcp { +- type "sip" protocol tcp +- l3proto inet +- } ++ ct helper helper-sip-tcp { ++ type "sip" protocol tcp ++ l3proto inet ++ } + ])]) + NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-udp"], 0, [m4_strip([dnl +- ct helper helper-sip-udp { +- type "sip" protocol udp +- l3proto inet +- } ++ ct helper helper-sip-udp { ++ type "sip" protocol udp ++ l3proto inet ++ } + ])]) + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +- table inet firewalld { +- chain filter_IN_public_allow { +- tcp dport 22 ct state new,untracked accept +- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept +- tcp dport 9090 ct state new,untracked accept +- tcp dport 21 ct helper set "helper-ftp-tcp" +- tcp dport 21 ct state new,untracked accept +- tcp dport 5060 ct helper set "helper-sip-tcp" +- udp dport 5060 ct helper set "helper-sip-udp" +- tcp dport 5060 ct state new,untracked accept +- udp dport 5060 ct state new,untracked accept +- } +- } ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept ++ tcp dport 21 ct helper set "helper-ftp-tcp" ++ tcp dport 21 ct state new,untracked accept ++ tcp dport 5060 ct helper set "helper-sip-tcp" ++ udp dport 5060 ct helper set "helper-sip-udp" ++ tcp dport 5060 ct state new,untracked accept ++ udp dport 5060 ct state new,untracked accept ++ } ++ 
} + ]) + + FWD_END_TEST +diff --git a/src/tests/regression/rhbz1506742.at b/src/tests/regression/rhbz1506742.at +index 48b224731fbc..2ab4f1a9cef1 100644 +--- a/src/tests/regression/rhbz1506742.at ++++ b/src/tests/regression/rhbz1506742.at +@@ -20,4 +20,4 @@ FWD_CHECK([-q --ipset=foobar --query-entry=1.2.3.4], 32, ignore, ignore) + FWD_CHECK([-q --ipset=foobar --remove-entries-from-file=foobar_entries.txt]) + FWD_END_TEST([-e '/Error: IPSET_WITH_TIMEOUT/d' dnl + -e '/ERROR: IPSET_WITH_TIMEOUT/d' dnl +- -e '/WARNING: NOT_ENABLED/d']) ++ -e '/WARNING: NOT_ENABLED/d']) +diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at +index bb054bdb0361..b5023a058a55 100644 +--- a/src/tests/regression/rhbz1734765.at ++++ b/src/tests/regression/rhbz1734765.at +@@ -44,22 +44,22 @@ FWD_CHECK([-q --permanent --zone=trusted --add-interface=foobar1]) + FWD_RELOAD + + NFT_LIST_SET([ipsetv4], 0, [dnl +- table inet firewalld { +- set ipsetv4 { +- type ipv4_addr +- flags interval +- elements = { 192.0.2.12 } +- } +- } ++ table inet firewalld { ++ set ipsetv4 { ++ type ipv4_addr ++ flags interval ++ elements = { 192.0.2.12 } ++ } ++ } + ]) + NFT_LIST_SET([ipsetv6], 0, [dnl +- table inet firewalld { +- set ipsetv6 { +- type ipv6_addr +- flags interval +- elements = { ::2 } +- } +- } ++ table inet firewalld { ++ set ipsetv6 { ++ type ipv6_addr ++ flags interval ++ elements = { ::2 } ++ } ++ } + ]) + + FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"]) +-- +2.23.0 + diff --git a/SOURCES/0035-improvement-translations-build-target-to-merge-from-.patch b/SOURCES/0035-improvement-translations-build-target-to-merge-from-.patch new file mode 100644 index 0000000..1cb610f --- /dev/null +++ b/SOURCES/0035-improvement-translations-build-target-to-merge-from-.patch 
@@ -0,0 +1,43 @@ +From 25c8e71e0acea773b62f4772069b1c8b63257c3e Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 31 Jan 2020 12:24:54 -0500 +Subject: [PATCH 35/37] improvement: translations: build target to merge from + master + +This new target, merge-po, will automatically merge new translations +from the master branch. It's meant to be run only from the stable +branches. + +(cherry picked from commit 8f5998c84dbb35edb477e1a98e274fd43b29bdcd) +(cherry picked from commit 3714754699df142c7ec88182603079286a41ef86) +--- + Makefile.am | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/Makefile.am b/Makefile.am +index 85da0b5857d2..72dc039b5591 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -118,6 +118,19 @@ update-po: + ls $(top_srcdir)/po/*.po | sed 's/.*\/po\///;s/.po//' > $(top_srcdir)/po/LINGUAS + $(MAKE) -C po update-po ${PACKAGE_NAME}.pot + ++# This merges translations from the upstream master branch. ++# It's only meant to be used from the stable branches. Translations ++# contributions are only done against master. ++merge-po: update-po ++ git fetch -q https://github.com/firewalld/firewalld master; \ ++ for po in $(top_srcdir)/po/*.po; do \ ++ mv $${po} $${po}.old; \ ++ git checkout -q FETCH_HEAD $${po}; \ ++ msgcat --use-first -o $${po}.merged $${po} $${po}.old; \ ++ mv $${po}.merged $${po}; \ ++ git add $${po}; \ ++ done ++ + clean-po: + @for cat in `cat ${top_srcdir}/po/LINGUAS`; do \ + msgattrib --translated --no-fuzzy --no-obsolete --force-po --no-location --clear-previous --strict $(top_srcdir)/po/$$cat.po -o $(top_srcdir)/po/$$cat.out; \ +-- +2.23.0 + diff --git a/SOURCES/0036-chore-translation-merge-from-master.patch b/SOURCES/0036-chore-translation-merge-from-master.patch new file mode 100644 index 0000000..b3d2974 --- /dev/null +++ b/SOURCES/0036-chore-translation-merge-from-master.patch 
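Review bot: The `merge-po` recipe joins every command with `;`, so a failed `git fetch` does not stop the loop. `git checkout -q FETCH_HEAD $${po}` then takes files from whatever ref an earlier fetch left in FETCH_HEAD, or fails after the `.po` has already been moved to `.old`. Because the result is staged with `git add`, content from an unintended ref could reach a stable branch without anyone noticing. Ending the fetch and checkout lines with `|| exit 1`, as in `git fetch -q https://github.com/firewalld/firewalld master || exit 1; \`, keeps the merge tied to the ref that was just fetched. The `$${po}.old` files are also never removed, so an `rm -f $${po}.old; \` after the final `mv` would leave the tree clean.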
@@ -0,0 +1,3990 @@ +From 58f770d38f9052577b27cf75e8968214b9083697 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 31 Jan 2020 13:10:51 -0500 +Subject: [PATCH 36/37] chore: translation: merge from master + +(cherry picked from commit 9cc288c1766cb85088432c1c4aa710c5d89c7441) +--- + po/ar.po | 2 +- + po/as.po | 2 +- + po/bg.po | 2 +- + po/bn_IN.po | 2 +- + po/ca.po | 2 +- + po/cs.po | 43 +++--- + po/da.po | 2 +- + po/de.po | 31 ++-- + po/el.po | 2 +- + po/en_GB.po | 2 +- + po/en_US.po | 259 ++++++++++++-------------------- + po/es.po | 2 +- + po/et.po | 2 +- + po/eu.po | 2 +- + po/fi.po | 2 +- + po/fr.po | 390 ++++++++++++++++++++++++------------------------- + po/gl.po | 2 +- + po/gu.po | 2 +- + po/hi.po | 2 +- + po/hu.po | 2 +- + po/ia.po | 2 +- + po/id.po | 2 +- + po/it.po | 2 +- + po/ja.po | 2 +- + po/ka.po | 2 +- + po/kn.po | 2 +- + po/ko.po | 2 +- + po/lt.po | 2 +- + po/ml.po | 2 +- + po/mr.po | 2 +- + po/nl.po | 2 +- + po/or.po | 2 +- + po/pa.po | 2 +- + po/pl.po | 35 +++-- + po/pt.po | 2 +- + po/pt_BR.po | 2 +- + po/ru.po | 2 +- + po/sk.po | 2 +- + po/sq.po | 2 +- + po/sr.po | 2 +- + po/sr@latin.po | 2 +- + po/sv.po | 2 +- + po/ta.po | 2 +- + po/te.po | 2 +- + po/tr.po | 139 +++++++++--------- + po/uk.po | 43 +++--- + po/zh_CN.po | 124 ++++++++-------- + po/zh_TW.po | 2 +- + 48 files changed, 538 insertions(+), 606 deletions(-) + +diff --git a/po/ar.po b/po/ar.po +index 8abfdee73473..f69422f64c81 100644 +--- a/po/ar.po ++++ b/po/ar.po +@@ -17,7 +17,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:20+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Arabic (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/as.po b/po/as.po +index 16999c36c1d8..c13e1f161e23 100644 +--- a/po/as.po ++++ b/po/as.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + 
"Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2016-01-04 12:15+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Assamese (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/bg.po b/po/bg.po +index d2df33305874..47e1c262ace4 100644 +--- a/po/bg.po ++++ b/po/bg.po +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 09:43+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Bulgarian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/bn_IN.po b/po/bn_IN.po +index 72c8591392de..fb44e6118cb8 100644 +--- a/po/bn_IN.po ++++ b/po/bn_IN.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 09:43+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Bengali (India) (http://www.transifex.com/projects/p/" +diff --git a/po/ca.po b/po/ca.po +index d2d8ec80af9c..a54c8c38899a 100644 +--- a/po/ca.po ++++ b/po/ca.po +@@ -19,7 +19,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-08-20 10:43+0000\n" + "Last-Translator: Robert Antoni Buj Gelonch \n" + "Language-Team: Catalan (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/cs.po b/po/cs.po +index 7319d3748f0a..7f176d8dcd47 100644 +--- a/po/cs.po ++++ b/po/cs.po +@@ -1,7 +1,6 @@ + # SOME DESCRIPTIVE TITLE. 
+ # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# + # Translators: + # Adam Pribyl , 2007-2010 + # zdenek , 2013 +@@ -23,21 +22,23 @@ + # Eric Garver , 2018. #zanata + # Robert Chudý , 2018. #zanata + # Pavel Borecki , 2019. #zanata ++# Eric Garver , 2020. ++# Tomáš Doležal , 2020. + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2019-06-14 06:09+0000\n" +-"Last-Translator: Pavel Borecki \n" +-"Language-Team: Czech (http://www.transifex.com/projects/p/firewalld/language/" +-"cs/)\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-16 16:15+0000\n" ++"Last-Translator: Tomáš Doležal \n" ++"Language-Team: Czech \n" + "Language: cs\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" +-"X-Generator: Zanata 4.6.2\n" ++"X-Generator: Weblate 3.10.1\n" + + #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416 + msgid "Firewall Applet" +@@ -96,7 +97,7 @@ msgid "" + "that are changing zones of connections, it might be of limited use." + msgstr "" + "Tato vlastnost je užitečná pro osoby využívající převážně implicitní zóny. " +-"Pro uživatele, kteří mění zóny připojení, může být toto použití omezující. " ++"Pro uživatele, kteří mění zóny připojení, může být toto použití omezující." + + #: ../src/firewall-applet.in:235 + msgid "Shields Up Zone:" +@@ -246,7 +247,7 @@ msgstr "Komunikace s FirewallD ztracena." + + #: ../src/firewall-applet.in:989 + msgid "FirewallD has been reloaded." +-msgstr "FirewallD byl aktualizován" ++msgstr "FirewallD byl aktualizován." 
+ + #: ../src/firewall-applet.in:996 + #, c-format +@@ -405,7 +406,7 @@ msgstr "Cílový port" + + #: ../src/firewall-config.in:566 + msgid "To Address" +-msgstr "Cílová adresa:" ++msgstr "Cílová adresa" + + #: ../src/firewall-config.in:616 + msgid "Bindings" +@@ -808,7 +809,7 @@ msgstr "raw" + + #: ../src/firewall-config.glade.h:17 + msgid "security" +-msgstr "bezpečnost" ++msgstr "security" + + #: ../src/firewall-config.glade.h:18 + msgid "Table:" +@@ -967,7 +968,7 @@ msgid "" + msgstr "" + "Aktualizuje pravidla firewallu. Současná trvalá konfigurace se stane novou " + "běžící konfigurací. Tj. všechny změny provedeny v běžící konfiguraci budou " +-"po této aktualizaci ztraceny, pokud již v trvalé konfiguraci předtím nebyly." ++"po této aktualizaci ztraceny, pokud již v trvalé konfiguraci předtím nebyly." + + #: ../src/firewall-config.glade.h:60 + msgid "Change which zone a network connection belongs to." +@@ -1098,7 +1099,7 @@ msgid "" + "filters and rich rules. The zone can be bound to interfaces and source " + "addresses." + msgstr "" +-" Firewalld zóna definuje úroveň důvěryhodnosti pro připojení k sítim, " ++"Firewalld zóna definuje úroveň důvěryhodnosti pro připojení k sítim, " + "rozhraním a zdrojovým adresám vázaných na zóny. Zóna kombinuje servisy, " + "porty, protokoly, maškarádování, přesměrování portů a paketů, filtrování " + "icmp a bohatá pravidla. Zóna může být vázána na rozhraní a zdrojové adresy." +@@ -1256,7 +1257,7 @@ msgid "" + "types are allowed to pass the firewall. The default is no limitation." + msgstr "" + "Označte v seznamu typy ICMP zpráv, které mají být odmítnuty. Všechny ostatní " +-"ICMP typy budou procházet firewallem. Implicitně jsou zprávy vpouštěny bez " ++"ICMP typy budou procházet firewallem. Implicitně jsou zprávy vpouštěny bez " + "omezení." 
+ + #: ../src/firewall-config.glade.h:118 +@@ -1533,7 +1534,7 @@ msgstr "" + "Pomocník sledování spojení napomáhá ve fungování protokolů, které používají " + "různé toky pro signalizaci a přenosy dat. Přenosy dat využívají porty, které " + "nesouvisí se signalizací spojení, a proto jsou bez pomocníka firewallem " +-"blokovány. " ++"blokovány." + + #: ../src/firewall-config.glade.h:174 + msgid "Define ports or port ranges, which are monitored by the helper." +@@ -1786,11 +1787,11 @@ msgstr "Zadejte název rozhraní:" + + #: ../src/firewall-config.glade.h:223 + msgid "Base IPSet Settings" +-msgstr "Nastavení základního IPSecu" ++msgstr "Nastavení základního IPSetu" + + #: ../src/firewall-config.glade.h:224 + msgid "Please configure base ipset settings:" +-msgstr "Nakonfigurujte prosím základní nastavení IPSecu" ++msgstr "Nakonfigurujte prosím základní nastavení ipsetu:" + + #: ../src/firewall-config.glade.h:225 + msgid "Type:" +@@ -1834,7 +1835,7 @@ msgstr "Záznam zamítnutí" + + #: ../src/firewall-config.glade.h:236 + msgid "Please select the log denied value:" +-msgstr "Vyberte prosím hodnotu záznamu zamítnutí" ++msgstr "Vyberte prosím hodnotu záznamu zamítnutí:" + + #: ../src/firewall-config.glade.h:237 + msgid "Mark" +@@ -1882,7 +1883,7 @@ msgstr "Přímé pravidlo" + + #: ../src/firewall-config.glade.h:248 + msgid "Please select ipv and table, chain priority and enter the args." +-msgstr "Vyberte prosím IPv a tabulku, prioritu řetězu a zadejte argumenty" ++msgstr "Vyberte prosím ipv a tabulku, prioritu řetězu a zadejte argumenty." + + #: ../src/firewall-config.glade.h:249 + msgid "Priority:" +@@ -1902,7 +1903,7 @@ msgstr "Košaté pravidlo" + + #: ../src/firewall-config.glade.h:254 + msgid "Please enter a rich rule." +-msgstr "Zadejte košaté pravidlo" ++msgstr "Zadejte bohaté pravidlo." + + #: ../src/firewall-config.glade.h:255 + msgid "For host or network white or blacklisting deactivate the element." 
+@@ -2012,7 +2013,7 @@ msgstr "Zadejte nastavení hlavní zóny:" + + #: ../src/firewall-config.glade.h:305 + msgid "Default Target" +-msgstr "Výchozí cíl:" ++msgstr "Výchozí cíl" + + #: ../src/firewall-config.glade.h:306 + msgid "Target:" +diff --git a/po/da.po b/po/da.po +index 978936ce8f5d..7ff29e43ca78 100644 +--- a/po/da.po ++++ b/po/da.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-09-20 10:43+0000\n" + "Last-Translator: scootergrisen \n" + "Language-Team: Danish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/de.po b/po/de.po +index dd610cfed621..a844e8c1f1ae 100644 +--- a/po/de.po ++++ b/po/de.po +@@ -1,7 +1,6 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# + # Translators: + # Andreas Müller , 2003 + # Bernd Bartmann , 2004 +@@ -36,21 +35,22 @@ + # Roman Spirgi , 2017. #zanata + # Eric Garver , 2018. #zanata + # Fabian Affolter , 2018. #zanata ++# Phil Sutter , 2020. 
+ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2018-11-16 08:22+0000\n" +-"Last-Translator: Copied by Zanata \n" +-"Language-Team: German (http://www.transifex.com/projects/p/firewalld/" +-"language/de/)\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-14 14:02+0000\n" ++"Last-Translator: Phil Sutter \n" ++"Language-Team: German \n" + "Language: de\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Plural-Forms: nplurals=2; plural=(n != 1);\n" +-"X-Generator: Zanata 4.6.2\n" ++"Plural-Forms: nplurals=2; plural=n != 1;\n" ++"X-Generator: Weblate 3.10.1\n" + + #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416 + msgid "Firewall Applet" +@@ -84,7 +84,7 @@ msgstr "Standardzone" + #: ../src/firewall-applet.in:166 ../src/firewall-config.in:8067 + #, c-format + msgid "Select zone for connection '%s'" +-msgstr " Zone für Verbindung »%s« auswählen" ++msgstr "Zone für Verbindung »%s« auswählen" + + #: ../src/firewall-applet.in:176 ../src/firewall-config.in:3927 + msgid "Failed to set zone {zone} for connection {connection_name}" +@@ -295,7 +295,7 @@ msgid "" + "Zone '{zone}' {activated_deactivated} for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"'{zone}'-Zone {activated_deactivated} für '{connection}'-Verbindung auf " ++"'{zone}'-Zone {activated_deactivated} für '{connection}'-Verbindung auf " + "'{interface}'-Schnittstelle" + + #: ../src/firewall-applet.in:1057 +@@ -305,7 +305,7 @@ msgstr "'{zone}'-Zone {activated_deactivated} für '{interface}'-Schnittstelle" + #: ../src/firewall-applet.in:1080 + #, c-format + msgid "Zone '%s' activated for interface '%s'" +-msgstr "»%s«-Zone aktiviert für »%s«-Schnittstelle " ++msgstr "»%s«-Zone aktiviert für »%s«-Schnittstelle" + + #: ../src/firewall-applet.in:1097 + msgid "Zone 
'{zone}' {activated_deactivated} for source '{source}'" +@@ -1527,7 +1527,7 @@ msgid "" + "IPSets can only be created or deleted in the permanent configuration view." + msgstr "" + "IPSets können nur in der dauerhaften Konfigurationsansicht erstellt oder " +-"gelöscht werden. " ++"gelöscht werden." + + #: ../src/firewall-config.glade.h:166 + msgid "" +@@ -1717,7 +1717,7 @@ msgid "" + msgstr "" + "Der Kontext ist der (SELinux-) Sicherheitskontext einer laufenden Anwendung " + "oder eines Dienstes. Um den Kontext einer laufenden Anwendung einzusehen, " +-"verwenden Sie ps -e --context." ++"verwenden Sie ps -e --context." + + #: ../src/firewall-config.glade.h:196 + msgid "Add Context" +@@ -1743,7 +1743,7 @@ msgid "" + msgstr "" + "Falls ein Befehlseintrag der Positivliste mit einem Sternsymbol »*« endet, " + "werden alle Kommandozeilen, die mit dem Befehl beginnen ausgewertet. Falls " +-"das »*«-Symbol nicht vorhanden ist, muss der absolute Befehl inklusive " ++"das »*«-Symbol nicht vorhanden ist, muss der absolute Befehl inklusive " + "Argumenten übereinstimmen." + + #: ../src/firewall-config.glade.h:201 +@@ -1899,7 +1899,8 @@ msgstr "Bitte geben Sie eine Markierung mit optionaler Maske ein" + #: ../src/firewall-config.glade.h:239 + msgid "The mark and the mask fields are both 32 bits wide unsigned numbers." + msgstr "" +-"Beide Felder für Markierung und Maske sind unsignierte Zahlen von 32bits " ++"Die Felder für Markierung und Maske sind beides 32bit-breite, vorzeichenlose " ++"Zahlen." 
+ + #: ../src/firewall-config.glade.h:240 + msgid "Mark:" +diff --git a/po/el.po b/po/el.po +index 26d4a55dc0ba..73097e21878b 100644 +--- a/po/el.po ++++ b/po/el.po +@@ -16,7 +16,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2016-01-04 12:27+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Greek (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/en_GB.po b/po/en_GB.po +index d739c60136bd..bb19ba17550b 100644 +--- a/po/en_GB.po ++++ b/po/en_GB.po +@@ -11,7 +11,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 09:44+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: English (United Kingdom) (http://www.transifex.com/projects/p/" +diff --git a/po/en_US.po b/po/en_US.po +index f8e2a767a40e..e6d79b094aeb 100644 +--- a/po/en_US.po ++++ b/po/en_US.po +@@ -1,22 +1,23 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# + # Translators: ++# Eric Garver , 2020. 
+ msgid "" + msgstr "" + "Project-Id-Version: firewalld\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2014-10-15 14:24+0000\n" +-"Last-Translator: Jiří Popelka \n" +-"Language-Team: English (United States) (http://www.transifex.com/projects/p/" +-"firewalld/language/en_US/)\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-14 14:02+0000\n" ++"Last-Translator: Eric Garver \n" ++"Language-Team: English (United States) \n" + "Language: en_US\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Plural-Forms: nplurals=2; plural=(n != 1);\n" ++"Plural-Forms: nplurals=2; plural=n != 1;\n" ++"X-Generator: Weblate 3.10.1\n" + + #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416 + msgid "Firewall Applet" +@@ -53,15 +54,13 @@ msgid "Select zone for connection '%s'" + msgstr "Select zone for connection '%s'" + + #: ../src/firewall-applet.in:176 ../src/firewall-config.in:3927 +-#, fuzzy + msgid "Failed to set zone {zone} for connection {connection_name}" +-msgstr "" +-"Zone '{zone}' active for connection '{connection}' on interface '{interface}'" ++msgstr "Failed to set zone {zone} for connection {connection_name}" + + #: ../src/firewall-applet.in:190 +-#, fuzzy, c-format ++#, c-format + msgid "Select zone for source '%s'" +-msgstr "Select zone for source %s" ++msgstr "Select zone for source '%s'" + + #: ../src/firewall-applet.in:207 + msgid "Configure Shields Up/Down Zones" +@@ -85,7 +84,7 @@ msgstr "Shields Up Zone:" + + #: ../src/firewall-applet.in:244 ../src/firewall-applet.in:257 + msgid "Reset To Default" +-msgstr "" ++msgstr "Reset To Default" + + #: ../src/firewall-applet.in:248 + msgid "Shields Down Zone:" +@@ -94,15 +93,15 @@ msgstr "Shields Down Zone:" + #: ../src/firewall-applet.in:340 + #, c-format + msgid "About %s" +-msgstr "" ++msgstr "About %s" + + #: ../src/firewall-applet.in:391 + msgid 
"Authors" +-msgstr "" ++msgstr "Authors" + + #: ../src/firewall-applet.in:401 + msgid "License" +-msgstr "" ++msgstr "License" + + #: ../src/firewall-applet.in:470 + msgid "Shields Up" +@@ -130,7 +129,7 @@ msgstr "Block all network traffic" + + #: ../src/firewall-applet.in:500 + msgid "About" +-msgstr "" ++msgstr "About" + + #: ../src/firewall-applet.in:508 ../src/firewall-config.in:618 + #: ../src/firewall-config.in:2389 ../src/firewall-config.in:2670 +@@ -172,11 +171,11 @@ msgstr "" + + #: ../src/firewall-applet.in:778 ../src/firewall-config.in:1574 + msgid "Failed to get connections from NetworkManager" +-msgstr "" ++msgstr "Failed to get connections from NetworkManager" + + #: ../src/firewall-applet.in:790 ../src/firewall-config.in:1386 + msgid "No NetworkManager imports available" +-msgstr "" ++msgstr "No NetworkManager imports available" + + #: ../src/firewall-applet.in:868 + msgid "No connection to firewall daemon" +@@ -192,12 +191,12 @@ msgid "Default Zone: '%s'" + msgstr "Default Zone: '%s'" + + #: ../src/firewall-applet.in:886 +-#, fuzzy + msgid "" + "Default Zone '{default_zone}' active for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"Zone '{zone}' active for connection '{connection}' on interface '{interface}'" ++"Default Zone '{default_zone}' active for connection '{connection}' on " ++"interface '{interface}'" + + #: ../src/firewall-applet.in:889 + msgid "" +@@ -247,13 +246,12 @@ msgid "deactivated" + msgstr "deactivated" + + #: ../src/firewall-applet.in:1047 +-#, fuzzy + msgid "" + "Default zone '{default_zone}' {activated_deactivated} for connection " + "'{connection}' on interface '{interface}'" + msgstr "" +-"Zone '{zone}' {activated_deactivated} for connection '{connection}' on " +-"interface '{interface}'" ++"Default zone '{default_zone}' {activated_deactivated} for connection " ++"'{connection}' on interface '{interface}'" + + #: ../src/firewall-applet.in:1052 + msgid "" +@@ -282,20 +280,20 @@ msgid "Zone '%s' 
activated for source '%s'" + msgstr "Zone '%s' activated for source '%s'" + + #: ../src/firewall-config.in:89 +-#, fuzzy + msgid "Connection to firewalld established." +-msgstr "Connection to FirewallD established." ++msgstr "Connection to firewalld established." + + #: ../src/firewall-config.in:91 +-#, fuzzy + msgid "Trying to connect to firewalld, waiting..." +-msgstr "No connection to firewall daemon" ++msgstr "Trying to connect to firewalld, waiting..." + + #: ../src/firewall-config.in:93 + msgid "" + "Failed to connect to firewalld. Please make sure that the service has been " + "started correctly and try again." + msgstr "" ++"Failed to connect to firewalld. Please make sure that the service has been " ++"started correctly and try again." + + #: ../src/firewall-config.in:95 + msgid "Changes applied." +@@ -307,9 +305,9 @@ msgid "Used by network connection '%s'" + msgstr "Used by network connection '%s'" + + #: ../src/firewall-config.in:97 +-#, fuzzy, c-format ++#, c-format + msgid "Default zone used by network connection '%s'" +-msgstr "Used by network connection '%s'" ++msgstr "Default zone used by network connection '%s'" + + #: ../src/firewall-config.in:99 + msgid "enabled" +@@ -324,43 +322,36 @@ msgid "Failed to load icons." + msgstr "Failed to load icons." + + #: ../src/firewall-config.in:187 ../src/firewall-config.glade.h:6 +-#, fuzzy + msgid "Context" +-msgstr "Contexts" ++msgstr "Context" + + #: ../src/firewall-config.in:206 ../src/firewall-config.glade.h:4 +-#, fuzzy + msgid "Command line" +-msgstr "Command lines" ++msgstr "Command line" + + #: ../src/firewall-config.in:225 ../src/firewall-config.glade.h:300 + msgid "User name" + msgstr "User name" + + #: ../src/firewall-config.in:244 +-#, fuzzy + msgid "User id" +-msgstr "User ids." 
++msgstr "User id" + + #: ../src/firewall-config.in:284 ../src/firewall-config.in:318 +-#, fuzzy + msgid "Table" +-msgstr "Table:" ++msgstr "Table" + + #: ../src/firewall-config.in:286 ../src/firewall-config.in:320 +-#, fuzzy + msgid "Chain" +-msgstr "Chain:" ++msgstr "Chain" + + #: ../src/firewall-config.in:322 ../src/firewall-config.in:824 +-#, fuzzy + msgid "Priority" +-msgstr "Priority:" ++msgstr "Priority" + + #: ../src/firewall-config.in:324 ../src/firewall-config.in:361 +-#, fuzzy + msgid "Args" +-msgstr "Args:" ++msgstr "Args" + + #: ../src/firewall-config.in:401 ../src/firewall-config.in:2338 + msgid "Runtime" +@@ -398,12 +389,11 @@ msgstr "To Address" + + #: ../src/firewall-config.in:616 + msgid "Bindings" +-msgstr "" ++msgstr "Bindings" + + #: ../src/firewall-config.in:651 ../src/firewall-config.glade.h:233 +-#, fuzzy + msgid "Entry" +-msgstr "Add Entry" ++msgstr "Entry" + + #: ../src/firewall-config.in:777 + msgid "Icmp Type" +@@ -438,13 +428,12 @@ msgid "Audit" + msgstr "Audit" + + #: ../src/firewall-config.in:940 ../src/firewall-config.glade.h:221 +-#, fuzzy + msgid "Interface" +-msgstr "Interfaces" ++msgstr "Interface" + + #: ../src/firewall-config.in:942 + msgid "Comment" +-msgstr "" ++msgstr "Comment" + + #: ../src/firewall-config.in:961 ../src/firewall-config.glade.h:27 + msgid "Source" +@@ -479,7 +468,7 @@ msgstr "drop" + #: ../src/firewall-config.in:3718 ../src/firewall-config.in:3860 + #: ../src/firewall-config.glade.h:265 + msgid "mark" +-msgstr "" ++msgstr "mark" + + #: ../src/firewall-config.in:2055 ../src/firewall-config.in:2099 + #: ../src/firewall-config.in:2104 +@@ -520,7 +509,7 @@ msgstr "icmp-block" + #: ../src/firewall-config.in:3360 ../src/firewall-config.in:3675 + #: ../src/firewall-config.glade.h:288 + msgid "icmp-type" +-msgstr "" ++msgstr "icmp-type" + + #: ../src/firewall-config.in:2084 ../src/firewall-config.in:3194 + #: ../src/firewall-config.in:3362 ../src/firewall-config.in:3678 +@@ -531,9 +520,8 @@ msgstr "forward-port" + 
#: ../src/firewall-config.in:2088 ../src/firewall-config.in:3203 + #: ../src/firewall-config.in:3364 ../src/firewall-config.in:3688 + #: ../src/firewall-config.glade.h:290 +-#, fuzzy + msgid "source-port" +-msgstr "forward-port" ++msgstr "source-port" + + #: ../src/firewall-config.in:2097 + msgid "level" +@@ -549,15 +537,15 @@ msgid "Zone" + msgstr "Zone" + + #: ../src/firewall-config.in:2465 +-#, fuzzy, c-format ++#, c-format + msgid "Default Zone: %s" +-msgstr "Default Zone: '%s'" ++msgstr "Default Zone: %s" + + #: ../src/firewall-config.in:2472 ../src/firewall-config.in:2503 + #: ../src/firewall-config.in:2533 +-#, fuzzy, c-format ++#, c-format + msgid "Zone: %s" +-msgstr "Zones" ++msgstr "Zone: %s" + + #: ../src/firewall-config.in:2808 + #, c-format +@@ -670,23 +658,23 @@ msgstr "Built-in service, rename not supported." + + #: ../src/firewall-config.in:5602 + msgid "Please enter an ipv4 address with the form address[/mask]." +-msgstr "" ++msgstr "Please enter an ipv4 address with the form address[/mask]." + + #: ../src/firewall-config.in:5603 + msgid "The mask can be a network mask or a number." +-msgstr "" ++msgstr "The mask can be a network mask or a number." + + #: ../src/firewall-config.in:5605 + msgid "Please enter an ipv6 address with the form address[/mask]." +-msgstr "" ++msgstr "Please enter an ipv6 address with the form address[/mask]." + + #: ../src/firewall-config.in:5606 + msgid "The mask is a number." +-msgstr "" ++msgstr "The mask is a number." + + #: ../src/firewall-config.in:5608 + msgid "Please enter an ipv4 or ipv6 address with the form address[/mask]." +-msgstr "" ++msgstr "Please enter an ipv4 or ipv6 address with the form address[/mask]." + + #: ../src/firewall-config.in:5609 + msgid "" +@@ -695,19 +683,16 @@ msgid "" + msgstr "" + + #: ../src/firewall-config.in:5793 +-#, fuzzy + msgid "Built-in ipset, rename not supported." +-msgstr "Built-in icmp, rename not supported." 
++msgstr "" + + #: ../src/firewall-config.in:5885 ../src/firewall-config.in:5967 +-#, fuzzy + msgid "Please select a file" +-msgstr "Please select an ICMP type" ++msgstr "" + + #: ../src/firewall-config.in:5892 ../src/firewall-config.in:5974 +-#, fuzzy + msgid "Text Files" +-msgstr "ICMP Filter" ++msgstr "" + + #: ../src/firewall-config.in:5897 ../src/firewall-config.in:5979 + msgid "All Files" +@@ -729,18 +714,17 @@ msgid "IPv6" + msgstr "IPv6" + + #: ../src/firewall-config.in:6406 +-#, fuzzy + msgid "Built-in helper, rename not supported." +-msgstr "Built-in icmp, rename not supported." ++msgstr "" + + #: ../src/firewall-config.in:6884 + msgid "Built-in icmp, rename not supported." + msgstr "Built-in icmp, rename not supported." + + #: ../src/firewall-config.in:7956 +-#, fuzzy, c-format ++#, c-format + msgid "Failed to read file '%s': %s" +-msgstr "Failed to load icons." ++msgstr "" + + #: ../src/firewall-config.in:8089 + #, c-format +@@ -757,9 +741,8 @@ msgid "Automatic Helpers" + msgstr "" + + #: ../src/firewall-config.glade.h:3 +-#, fuzzy + msgid "Please select the automatic helpers value:" +-msgstr "Please enter the module name." ++msgstr "" + + #: ../src/firewall-config.glade.h:5 + msgid "Please enter the command line." +@@ -864,14 +847,12 @@ msgid "Forward to another port" + msgstr "Forward to another port" + + #: ../src/firewall-config.glade.h:32 +-#, fuzzy + msgid "Base Helper Settings" +-msgstr "Base Zone Settings" ++msgstr "" + + #: ../src/firewall-config.glade.h:33 +-#, fuzzy + msgid "Please configure base helper settings:" +-msgstr "Please configure base zone settings:" ++msgstr "" + + #: ../src/firewall-config.glade.h:34 + msgid "Bold entries are mandatory, all others are optional." 
+@@ -898,19 +879,16 @@ msgid "Family:" + msgstr "Family:" + + #: ../src/firewall-config.glade.h:43 +-#, fuzzy + msgid "Module:" +-msgstr "Modules" ++msgstr "" + + #: ../src/firewall-config.glade.h:44 +-#, fuzzy + msgid "Helper" +-msgstr "_Help" ++msgstr "" + + #: ../src/firewall-config.glade.h:45 +-#, fuzzy + msgid "Please select a helper:" +-msgstr "Please select an ICMP type" ++msgstr "" + + #: ../src/firewall-config.glade.h:46 + msgid "Base ICMP Type Settings" +@@ -937,19 +915,16 @@ msgid "Add Entries From File" + msgstr "" + + #: ../src/firewall-config.glade.h:52 +-#, fuzzy + msgid "Remove Selected Entry" +-msgstr "Remove Entry" ++msgstr "" + + #: ../src/firewall-config.glade.h:53 +-#, fuzzy + msgid "Remove All Entries" +-msgstr "Remove Entry" ++msgstr "" + + #: ../src/firewall-config.glade.h:54 +-#, fuzzy + msgid "Remove Entries From File" +-msgstr "Remove Entry" ++msgstr "" + + #: ../src/firewall-config.glade.h:56 + msgid "_File" +@@ -986,9 +961,8 @@ msgid "Change default zone for connections or interfaces." + msgstr "Change default zone for connections or interfaces." + + #: ../src/firewall-config.glade.h:64 +-#, fuzzy + msgid "Change Log Denied" +-msgstr "Change Default Zone" ++msgstr "" + + #: ../src/firewall-config.glade.h:65 + msgid "Change LogDenied value." +@@ -1043,9 +1017,8 @@ msgid "ICMP Types" + msgstr "ICMP Types" + + #: ../src/firewall-config.glade.h:77 +-#, fuzzy + msgid "Helpers" +-msgstr "_Help" ++msgstr "" + + #: ../src/firewall-config.glade.h:78 + msgid "Direct Configuration" +@@ -1064,14 +1037,12 @@ msgid "_Help" + msgstr "_Help" + + #: ../src/firewall-config.glade.h:82 +-#, fuzzy + msgid "Change Zone" +-msgstr "Change Default Zone" ++msgstr "" + + #: ../src/firewall-config.glade.h:83 +-#, fuzzy + msgid "Change zone of binding" +-msgstr "Change Zones of Connections..." 
++msgstr "" + + #: ../src/firewall-config.glade.h:84 + msgid "" +@@ -1166,45 +1137,34 @@ msgid "Ports" + msgstr "Ports" + + #: ../src/firewall-config.glade.h:101 +-#, fuzzy + msgid "Add protocols, which need to be accessible for all hosts or networks." + msgstr "" +-"Add additional ports or port ranges, which need to be accessible for all " +-"hosts or networks that can connect to the machine." + + #: ../src/firewall-config.glade.h:102 +-#, fuzzy + msgid "Add Protocol" +-msgstr "Protocol" ++msgstr "" + + #: ../src/firewall-config.glade.h:103 +-#, fuzzy + msgid "Edit Protocol" +-msgstr "Protocol" ++msgstr "" + + #: ../src/firewall-config.glade.h:104 +-#, fuzzy + msgid "Remove Protocol" +-msgstr "Remove Port" ++msgstr "" + + #: ../src/firewall-config.glade.h:105 +-#, fuzzy + msgid "Protocols" +-msgstr "Protocol" ++msgstr "" + + #: ../src/firewall-config.glade.h:106 +-#, fuzzy + msgid "" + "Add additional source ports or port ranges, which need to be accessible for " + "all hosts or networks that can connect to the machine." + msgstr "" +-"Add additional ports or port ranges, which need to be accessible for all " +-"hosts or networks that can connect to the machine." + + #: ../src/firewall-config.glade.h:107 +-#, fuzzy + msgid "Source Ports" +-msgstr "Source" ++msgstr "" + + #: ../src/firewall-config.glade.h:108 + msgid "" +@@ -1281,9 +1241,8 @@ msgid "" + msgstr "" + + #: ../src/firewall-config.glade.h:119 +-#, fuzzy + msgid "Invert Filter" +-msgstr "ICMP Filter" ++msgstr "" + + #: ../src/firewall-config.glade.h:120 + msgid "ICMP Filter" +@@ -1377,13 +1336,10 @@ msgid "Load Service Defaults" + msgstr "Load Service Defaults" + + #: ../src/firewall-config.glade.h:143 +-#, fuzzy + msgid "" + "Add additional ports or port ranges, which need to be accessible for all " + "hosts or networks." + msgstr "" +-"Add additional ports or port ranges, which need to be accessible for all " +-"hosts or networks that can connect to the machine." 
+ + #: ../src/firewall-config.glade.h:144 + msgid "Edit Entry" +@@ -1394,23 +1350,18 @@ msgid "Remove Entry" + msgstr "Remove Entry" + + #: ../src/firewall-config.glade.h:146 +-#, fuzzy + msgid "" + "Add additional source ports or port ranges, which need to be accessible for " + "all hosts or networks." + msgstr "" +-"Add additional ports or port ranges, which need to be accessible for all " +-"hosts or networks that can connect to the machine." + + #: ../src/firewall-config.glade.h:147 +-#, fuzzy + msgid "Source Port" +-msgstr "Source" ++msgstr "" + + #: ../src/firewall-config.glade.h:148 +-#, fuzzy + msgid "Netfilter helper modules are needed for some services." +-msgstr "Netfilter helper modules" ++msgstr "" + + #: ../src/firewall-config.glade.h:149 + msgid "Modules" +@@ -1453,24 +1404,20 @@ msgid "IPSet" + msgstr "" + + #: ../src/firewall-config.glade.h:156 +-#, fuzzy + msgid "Add IPSet" +-msgstr "Add Port" ++msgstr "" + + #: ../src/firewall-config.glade.h:157 +-#, fuzzy + msgid "Edit IPSet" +-msgstr "Edit Port" ++msgstr "" + + #: ../src/firewall-config.glade.h:158 +-#, fuzzy + msgid "Remove IPSet" +-msgstr "Remove Port" ++msgstr "" + + #: ../src/firewall-config.glade.h:159 +-#, fuzzy + msgid "Load IPSet Defaults" +-msgstr "Load Zone Defaults" ++msgstr "" + + #: ../src/firewall-config.glade.h:160 + msgid "" +@@ -1487,21 +1434,17 @@ msgid "" + msgstr "" + + #: ../src/firewall-config.glade.h:162 +-#, fuzzy + msgid "Add" +-msgstr "Address" ++msgstr "" + + #: ../src/firewall-config.glade.h:164 + msgid "Entries" + msgstr "" + + #: ../src/firewall-config.glade.h:165 +-#, fuzzy + msgid "" + "IPSets can only be created or deleted in the permanent configuration view." + msgstr "" +-"Services can only be changed in the permanent configuration view. The " +-"runtime configuration of services is fixed." + + #: ../src/firewall-config.glade.h:166 + msgid "" +@@ -1672,14 +1615,11 @@ msgstr "" + "contain commands, contexts, users and user ids." 
+ + #: ../src/firewall-config.glade.h:195 +-#, fuzzy + msgid "" + "The context is the security (SELinux) context of a running application or " + "service. To get the context of a running application use ps -e --" + "context." + msgstr "" +-"The context is the security (SELinux) context of a running application or " +-"service. To get the context of a running application use ps -e --context." + + #: ../src/firewall-config.glade.h:196 + msgid "Add Context" +@@ -1794,24 +1734,20 @@ msgid "Default Zone:" + msgstr "Default Zone:" + + #: ../src/firewall-config.glade.h:222 +-#, fuzzy + msgid "Please enter an interface name:" +-msgstr "Please enter the user name." ++msgstr "" + + #: ../src/firewall-config.glade.h:223 +-#, fuzzy + msgid "Base IPSet Settings" +-msgstr "Base Zone Settings" ++msgstr "" + + #: ../src/firewall-config.glade.h:224 +-#, fuzzy + msgid "Please configure base ipset settings:" +-msgstr "Please configure base zone settings:" ++msgstr "" + + #: ../src/firewall-config.glade.h:225 +-#, fuzzy + msgid "Type:" +-msgstr "with Type:" ++msgstr "" + + #: ../src/firewall-config.glade.h:226 + msgid "Timeout:" +@@ -1838,32 +1774,28 @@ msgid "Max number of elements, default 65536" + msgstr "" + + #: ../src/firewall-config.glade.h:232 +-#, fuzzy + msgid "Please select an ipset:" +-msgstr "Please select an ICMP type" ++msgstr "" + + #: ../src/firewall-config.glade.h:234 +-#, fuzzy + msgid "Please enter an ipset entry:" +-msgstr "Please select an ICMP type" ++msgstr "" + + #: ../src/firewall-config.glade.h:235 + msgid "Log Denied" + msgstr "" + + #: ../src/firewall-config.glade.h:236 +-#, fuzzy + msgid "Please select the log denied value:" +-msgstr "Please enter the module name." ++msgstr "" + + #: ../src/firewall-config.glade.h:237 + msgid "Mark" + msgstr "" + + #: ../src/firewall-config.glade.h:238 +-#, fuzzy + msgid "Please enter a mark with an optional mask." +-msgstr "Please enter a port and protocol." 
++msgstr "" + + #: ../src/firewall-config.glade.h:239 + msgid "The mark and the mask fields are both 32 bits wide unsigned numbers." +@@ -1878,18 +1810,16 @@ msgid "Mask:" + msgstr "" + + #: ../src/firewall-config.glade.h:242 +-#, fuzzy + msgid "Please select a netfilter conntrack helper:" +-msgstr "Please select an ICMP type" ++msgstr "" + + #: ../src/firewall-config.glade.h:243 + msgid "- Select -" + msgstr "" + + #: ../src/firewall-config.glade.h:244 +-#, fuzzy + msgid "Other Module:" +-msgstr "Other Protocol:" ++msgstr "" + + #: ../src/firewall-config.glade.h:245 + msgid "Port and Protocol" +@@ -2004,9 +1934,8 @@ msgid "Please select a service." + msgstr "Please select a service." + + #: ../src/firewall-config.glade.h:297 +-#, fuzzy + msgid "Please enter a source." +-msgstr "Please enter a rich rule." ++msgstr "" + + #: ../src/firewall-config.glade.h:298 + msgid "User ID" +diff --git a/po/es.po b/po/es.po +index 0f228150fd2c..36ee6b5a1210 100644 +--- a/po/es.po ++++ b/po/es.po +@@ -31,7 +31,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:22+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Spanish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/et.po b/po/et.po +index 795090f4abde..4412fcc49323 100644 +--- a/po/et.po ++++ b/po/et.po +@@ -10,7 +10,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2016-01-04 12:21+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Estonian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/eu.po b/po/eu.po +index a2fd55d6a404..1d713dabed7f 100644 +--- a/po/eu.po ++++ b/po/eu.po +@@ -10,7 +10,7 @@ msgid "" + msgstr "" + 
"Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 09:43+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Basque (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/fi.po b/po/fi.po +index 752329c32489..03d4dbb385ad 100644 +--- a/po/fi.po ++++ b/po/fi.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-08-19 12:28+0000\n" + "Last-Translator: Jiri Grönroos \n" + "Language-Team: Finnish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/fr.po b/po/fr.po +index 283dfa6d4dfc..5362c514e3c9 100644 +--- a/po/fr.po ++++ b/po/fr.po +@@ -1,7 +1,6 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# + # Translators: + # <>, 2006 + # Alain PORTAL , 2007 +@@ -30,21 +29,22 @@ + # Laurent Bigonville , 2017. #zanata + # Eric Garver , 2018. #zanata + # Jean-Baptiste Holcroft , 2018. #zanata ++# Julien Humbert , 2020. 
+ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2018-11-16 08:23+0000\n" +-"Last-Translator: Copied by Zanata \n" +-"Language-Team: French (http://www.transifex.com/projects/p/firewalld/" +-"language/fr/)\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-14 14:02+0000\n" ++"Last-Translator: Julien Humbert \n" ++"Language-Team: French \n" + "Language: fr\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Plural-Forms: nplurals=2; plural=(n > 1);\n" +-"X-Generator: Zanata 4.6.2\n" ++"Plural-Forms: nplurals=2; plural=n > 1;\n" ++"X-Generator: Weblate 3.10.1\n" + + #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416 + msgid "Firewall Applet" +@@ -66,7 +66,7 @@ msgstr "pare-feu;réseau;sécurité;iptables;netfilter;" + #: ../src/firewall-applet.in:92 ../src/firewall-config.in:7988 + #, c-format + msgid "Select zone for interface '%s'" +-msgstr "Sélectionner la zone pour l'interface « %s »" ++msgstr "Sélectionner la zone pour l’interface « %s »" + + #: ../src/firewall-applet.in:132 ../src/firewall-applet.in:139 + #: ../src/firewall-applet.in:145 ../src/firewall-config.in:2448 +@@ -82,12 +82,12 @@ msgstr "Sélectionner la zone pour la connexion « %s »" + + #: ../src/firewall-applet.in:176 ../src/firewall-config.in:3927 + msgid "Failed to set zone {zone} for connection {connection_name}" +-msgstr "N'a pas pu définir la zône {zone} pour la connexion {connection_name}" ++msgstr "N’a pas pu définir la zone {zone} pour la connexion {connection_name}" + + #: ../src/firewall-applet.in:190 + #, c-format + msgid "Select zone for source '%s'" +-msgstr "Sélectionner la zone pour la source « %s »" ++msgstr "Sélectionner la zone pour la source « %s »" + + #: ../src/firewall-applet.in:207 + msgid "Configure Shields Up/Down Zones" +@@ -108,7 +108,7 @@ msgstr "" + + 
#: ../src/firewall-applet.in:235 + msgid "Shields Up Zone:" +-msgstr "Zone à protection active :" ++msgstr "Zone à protection active :" + + #: ../src/firewall-applet.in:244 ../src/firewall-applet.in:257 + msgid "Reset To Default" +@@ -116,7 +116,7 @@ msgstr "Réinitialiser aux paramètres par défaut" + + #: ../src/firewall-applet.in:248 + msgid "Shields Down Zone:" +-msgstr "Zone à protection inactive :" ++msgstr "Zone à protection inactive :" + + #: ../src/firewall-applet.in:340 + #, c-format +@@ -141,15 +141,15 @@ msgstr "Activer les notifications" + + #: ../src/firewall-applet.in:483 + msgid "Edit Firewall Settings..." +-msgstr "Modifier les paramètres du pare-feu..." ++msgstr "Modifier les paramètres du pare-feu…" + + #: ../src/firewall-applet.in:487 ../src/firewall-config.glade.h:61 + msgid "Change Zones of Connections..." +-msgstr "Modifier les zones de connexions..." ++msgstr "Modifier les zones de connexions…" + + #: ../src/firewall-applet.in:491 + msgid "Configure Shields UP/Down Zones..." +-msgstr "Configurer des zones à protection active/inactive..." ++msgstr "Configurer des zones à protection active/inactive…" + + #: ../src/firewall-applet.in:495 + msgid "Block all network traffic" +@@ -179,7 +179,7 @@ msgstr "Sources" + + #: ../src/firewall-applet.in:592 ../src/firewall-config.in:2288 + msgid "Authorization failed." +-msgstr "Échec de l'autorisation" ++msgstr "Échec de l’autorisation." 
+ + #: ../src/firewall-applet.in:594 ../src/firewall-config.in:2291 + msgid "Invalid name" +@@ -191,19 +191,19 @@ msgstr "Le nom existe déjà" + + #: ../src/firewall-applet.in:690 + msgid "{entry} (Zone: {zone})" +-msgstr "{entry} (Zone: {zone})" ++msgstr "{entry} (Zone : {zone})" + + #: ../src/firewall-applet.in:697 + msgid "{entry} (Default Zone: {default_zone})" +-msgstr "{entry} (zone par défaut : {default_zone})" ++msgstr "{entry} (zone par défaut : {default_zone})" + + #: ../src/firewall-applet.in:778 ../src/firewall-config.in:1574 + msgid "Failed to get connections from NetworkManager" +-msgstr "N'a pas pu obtenir les connexions du NetworkManager" ++msgstr "N’a pas pu obtenir les connexions de NetworkManager" + + #: ../src/firewall-applet.in:790 ../src/firewall-config.in:1386 + msgid "No NetworkManager imports available" +-msgstr "Aucune importation du NetworkManager n'est disponible" ++msgstr "Aucune importation de NetworkManager n’est disponible" + + #: ../src/firewall-applet.in:868 + msgid "No connection to firewall daemon" +@@ -216,26 +216,26 @@ msgstr "Tout trafic réseau est bloqué." 
+ #: ../src/firewall-applet.in:880 + #, c-format + msgid "Default Zone: '%s'" +-msgstr "Zone par défaut : « %s »" ++msgstr "Zone par défaut : « %s »" + + #: ../src/firewall-applet.in:886 + msgid "" + "Default Zone '{default_zone}' active for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"Zone par défaut '{default_zone}' active pour connexion '{connection}' sur " +-"l'interface '{interface}'" ++"Zone par défaut « {default_zone} » active pour connexion « {connection} » " ++"sur l’interface « {interface} »" + + #: ../src/firewall-applet.in:889 + msgid "" + "Zone '{zone}' active for connection '{connection}' on interface '{interface}'" + msgstr "" +-"Zone « {zone} » active pour la connexion  « {connection} » sur l'interface " ++"Zone « {zone} » active pour la connexion « {connection} » sur l’interface " + "« {interface} »" + + #: ../src/firewall-applet.in:901 + msgid "Zone '{zone}' active for interface '{interface}'" +-msgstr "Zone « {zone} » active pour l'interface « {interface} »" ++msgstr "Zone « {zone} » active pour l’interface « {interface} »" + + #: ../src/firewall-applet.in:909 + msgid "Zone '{zone}' active for source {source}" +@@ -264,7 +264,7 @@ msgstr "La zone par défaut devient « %s »." + + #: ../src/firewall-applet.in:1015 + msgid "Network traffic is not blocked anymore." +-msgstr "Le trafic réseau n'est plus bloqué." ++msgstr "Le trafic réseau n’est plus bloqué." 
+ + #: ../src/firewall-applet.in:1041 ../src/firewall-applet.in:1095 + msgid "activated" +@@ -279,8 +279,8 @@ msgid "" + "Default zone '{default_zone}' {activated_deactivated} for connection " + "'{connection}' on interface '{interface}'" + msgstr "" +-"Zone par défaut '{default_zone}' {activated_deactivated} pour connexion " +-"'{connection}' sur l'interface '{interface}'" ++"Zone par défaut « {default_zone} » {activated_deactivated} pour connexion " ++"« {connection} » sur l’interface « {interface} »" + + #: ../src/firewall-applet.in:1052 + msgid "" +@@ -288,17 +288,17 @@ msgid "" + "interface '{interface}'" + msgstr "" + "Zone « {zone} » {activated_deactivated} pour la connexion « {connection} » " +-"sur l'interface « {interface} »" ++"sur l’interface « {interface} »" + + #: ../src/firewall-applet.in:1057 + msgid "Zone '{zone}' {activated_deactivated} for interface '{interface}'" + msgstr "" +-"Zone « {zone} » {activated_deactivated} pour l'interface « {interface} »" ++"Zone « {zone} » {activated_deactivated} pour l’interface « {interface} »" + + #: ../src/firewall-applet.in:1080 + #, c-format + msgid "Zone '%s' activated for interface '%s'" +-msgstr "La zone « %s » est activée pour l'interface « %s »" ++msgstr "La zone « %s » est activée pour l’interface « %s »" + + #: ../src/firewall-applet.in:1097 + msgid "Zone '{zone}' {activated_deactivated} for source '{source}'" +@@ -311,11 +311,11 @@ msgstr "Zone « %s » activée pour la source « %s »" + + #: ../src/firewall-config.in:89 + msgid "Connection to firewalld established." +-msgstr "La connexion à firewalld est établie." ++msgstr "La connexion à FirewallD est établie." + + #: ../src/firewall-config.in:91 + msgid "Trying to connect to firewalld, waiting..." +-msgstr "Tentative de connexion à firewalld, veuillez patientez..." 
++msgstr "Tentative de connexion à FirewallD, veuillez patientez…" + + #: ../src/firewall-config.in:93 + msgid "" +@@ -361,7 +361,7 @@ msgstr "Ligne de commande" + + #: ../src/firewall-config.in:225 ../src/firewall-config.glade.h:300 + msgid "User name" +-msgstr "Nom d'utilisateur" ++msgstr "Nom d’utilisateur" + + #: ../src/firewall-config.in:244 + msgid "User id" +@@ -373,7 +373,7 @@ msgstr "Table" + + #: ../src/firewall-config.in:286 ../src/firewall-config.in:320 + msgid "Chain" +-msgstr "Chaîne" ++msgstr "Chaine" + + #: ../src/firewall-config.in:322 ../src/firewall-config.in:824 + msgid "Priority" +@@ -385,7 +385,7 @@ msgstr "Arguments" + + #: ../src/firewall-config.in:401 ../src/firewall-config.in:2338 + msgid "Runtime" +-msgstr "Temps d'exécution" ++msgstr "Temps d’exécution" + + #: ../src/firewall-config.in:402 + msgid "Permanent" +@@ -415,7 +415,7 @@ msgstr "Vers le port" + + #: ../src/firewall-config.in:566 + msgid "To Address" +-msgstr "Vers l'adresse" ++msgstr "Vers l’adresse" + + #: ../src/firewall-config.in:616 + msgid "Bindings" +@@ -559,7 +559,7 @@ msgstr "level" + + #: ../src/firewall-config.in:2101 ../src/firewall-config.in:2106 + msgid "yes" +-msgstr "yes" ++msgstr "oui" + + #: ../src/firewall-config.in:2452 ../src/firewall-config.in:2492 + #: ../src/firewall-config.in:2522 ../src/firewall-config.glade.h:89 +@@ -569,18 +569,18 @@ msgstr "Zone" + #: ../src/firewall-config.in:2465 + #, c-format + msgid "Default Zone: %s" +-msgstr "Zone par défaut : %s" ++msgstr "Zone par défaut : %s" + + #: ../src/firewall-config.in:2472 ../src/firewall-config.in:2503 + #: ../src/firewall-config.in:2533 + #, c-format + msgid "Zone: %s" +-msgstr "Zone: %s" ++msgstr "Zone : %s" + + #: ../src/firewall-config.in:2808 + #, c-format + msgid "Zone '%s': Service '%s' is not available." +-msgstr "Zone « %s » : le service « %s » n'est pas disponible." ++msgstr "Zone « %s » : le service « %s » n’est pas disponible." 
+ + #: ../src/firewall-config.in:2812 ../src/firewall-config.in:2860 + #: ../src/firewall-config.glade.h:163 +@@ -594,11 +594,11 @@ msgstr "Ignorer" + #: ../src/firewall-config.in:2856 + #, c-format + msgid "Zone '%s': ICMP type '%s' is not available." +-msgstr "Zone « %s » : le type ICMP « %s » n'est pas disponible." ++msgstr "Zone « %s » : le type ICMP « %s » n’est pas disponible." + + #: ../src/firewall-config.in:3011 + msgid "Built-in zone, rename not supported." +-msgstr "Zone intégrée, le renommage n'est pas pris en charge." ++msgstr "Zone intégrée, le renommage n’est pas pris en charge." + + #: ../src/firewall-config.in:3126 ../src/firewall-config.in:3626 + #: ../src/firewall-config.glade.h:270 +@@ -628,7 +628,7 @@ msgstr "emergency" + #: ../src/firewall-config.in:3131 ../src/firewall-config.in:3631 + #: ../src/firewall-config.glade.h:277 + msgid "alert" +-msgstr "alert" ++msgstr "alerte" + + #: ../src/firewall-config.in:3132 ../src/firewall-config.in:3632 + #: ../src/firewall-config.glade.h:278 +@@ -678,34 +678,34 @@ msgid "" + "masqueraded.\n" + "Do you want to masquerade this zone ?" + msgstr "" +-"Rediriger vers un autre système est utile seulement si l'interface est " ++"Rediriger vers un autre système est utile seulement si l’interface est " + "masquée.\n" +-"Voulez-vous masquer cette zone ?" ++"Voulez-vous masquer cette zone ?" + + #: ../src/firewall-config.in:5393 + msgid "Built-in service, rename not supported." +-msgstr "Service intégré, le renommage n'est pas pris en charge." ++msgstr "Service intégré, le renommage n’est pas pris en charge." + + #: ../src/firewall-config.in:5602 + msgid "Please enter an ipv4 address with the form address[/mask]." +-msgstr "Veuillez saisir une adresse ipv4 avec l'adresse du formulaire [/mask]." ++msgstr "Veuillez saisir une adresse ipv4 avec l’adresse du formulaire [/mask]." + + #: ../src/firewall-config.in:5603 + msgid "The mask can be a network mask or a number." 
+-msgstr "Le masque peut être un masque de réseau ou un numéro" ++msgstr "Le masque peut être un masque de réseau ou un numéro." + + #: ../src/firewall-config.in:5605 + msgid "Please enter an ipv6 address with the form address[/mask]." +-msgstr "Veuillez saisir une adresse ipv6 avec l'adresse du formulaire [/mask]." ++msgstr "Veuillez saisir une adresse ipv6 avec l’adresse du formulaire [/mask]." + + #: ../src/firewall-config.in:5606 + msgid "The mask is a number." +-msgstr "Le masque est un numéro" ++msgstr "Le masque est un numéro." + + #: ../src/firewall-config.in:5608 + msgid "Please enter an ipv4 or ipv6 address with the form address[/mask]." + msgstr "" +-"Veuillez saisir une adresse ipv4 ou ipv6 avec l'adresse du formulaire [/" ++"Veuillez saisir une adresse ipv4 ou ipv6 avec l’adresse du formulaire [/" + "mask]." + + #: ../src/firewall-config.in:5609 +@@ -718,7 +718,7 @@ msgstr "" + + #: ../src/firewall-config.in:5793 + msgid "Built-in ipset, rename not supported." +-msgstr "Ipset intégré, le renommage n'est pas pris en charge." ++msgstr "Ipset intégré, le renommage n’est pas pris en charge." + + #: ../src/firewall-config.in:5885 ../src/firewall-config.in:5967 + msgid "Please select a file" +@@ -749,11 +749,11 @@ msgstr "IPv6" + + #: ../src/firewall-config.in:6406 + msgid "Built-in helper, rename not supported." +-msgstr "Assistant intégré, le renommage n'est pas pris en charge." ++msgstr "Assistant intégré, le renommage n’est pas pris en charge." + + #: ../src/firewall-config.in:6884 + msgid "Built-in icmp, rename not supported." +-msgstr "Icmp intégré, le renommage n'est pas pris en charge." ++msgstr "Icmp intégré, le renommage n’est pas pris en charge." 
+ + #: ../src/firewall-config.in:7956 + #, c-format +@@ -776,7 +776,7 @@ msgstr "Assistants automatiques" + + #: ../src/firewall-config.glade.h:3 + msgid "Please select the automatic helpers value:" +-msgstr "Veuillez sélectionner la valeur des assistants automatiques :" ++msgstr "Veuillez sélectionner la valeur des assistants automatiques :" + + #: ../src/firewall-config.glade.h:5 + msgid "Please enter the command line." +@@ -792,11 +792,11 @@ msgstr "Veuillez sélectionner la zone par défaut dans la liste ci-dessous." + + #: ../src/firewall-config.glade.h:10 + msgid "Direct Chain" +-msgstr "Chaîne directe" ++msgstr "Chaine directe" + + #: ../src/firewall-config.glade.h:11 + msgid "Please select ipv and table and enter the chain name." +-msgstr "Veuillez sélectionner l'ipv et la table, et saisir le nom de chaine." ++msgstr "Veuillez sélectionner l’ipv et la table, et saisir le nom de chaine." + + #: ../src/firewall-config.glade.h:12 + msgid "ipv:" +@@ -808,7 +808,7 @@ msgstr "eb" + + #: ../src/firewall-config.glade.h:14 + msgid "Chain:" +-msgstr "Chaîne :" ++msgstr "Chaine :" + + #: ../src/firewall-config.glade.h:15 + msgid "nat" +@@ -820,7 +820,7 @@ msgstr "raw" + + #: ../src/firewall-config.glade.h:17 + msgid "security" +-msgstr "security" ++msgstr "sécurité" + + #: ../src/firewall-config.glade.h:18 + msgid "Table:" +@@ -832,7 +832,7 @@ msgstr "Règle Passthrough directe" + + #: ../src/firewall-config.glade.h:20 + msgid "Please select ipv and enter the args." +-msgstr "Veuillez sélectionner l'ipv et saisir les arguments." ++msgstr "Veuillez sélectionner l’ipv et saisir les arguments." 
+ + #: ../src/firewall-config.glade.h:21 + msgid "Args:" +@@ -879,15 +879,15 @@ msgstr "Réacheminement local" + + #: ../src/firewall-config.glade.h:31 + msgid "Forward to another port" +-msgstr "Ré-acheminer vers un autre port" ++msgstr "Réacheminer vers un autre port" + + #: ../src/firewall-config.glade.h:32 + msgid "Base Helper Settings" +-msgstr "Paramètres de l'assistant de base" ++msgstr "Paramètres de l’assistant de base" + + #: ../src/firewall-config.glade.h:33 + msgid "Please configure base helper settings:" +-msgstr "Veuillez configurer les paramètres de l'assistant de base :" ++msgstr "Veuillez configurer les paramètres de l’assistant de base :" + + #: ../src/firewall-config.glade.h:34 + msgid "Bold entries are mandatory, all others are optional." +@@ -895,19 +895,19 @@ msgstr "Les entrées en gras sont obligatoires, les autres sont optionnelles." + + #: ../src/firewall-config.glade.h:35 + msgid "Name:" +-msgstr "Nom :" ++msgstr "Nom :" + + #: ../src/firewall-config.glade.h:36 + msgid "Version:" +-msgstr "Version :" ++msgstr "Version :" + + #: ../src/firewall-config.glade.h:37 + msgid "Short:" +-msgstr "Court :" ++msgstr "Court :" + + #: ../src/firewall-config.glade.h:38 + msgid "Description:" +-msgstr "Description :" ++msgstr "Description :" + + #: ../src/firewall-config.glade.h:39 + msgid "Family:" +@@ -915,7 +915,7 @@ msgstr "Famille :" + + #: ../src/firewall-config.glade.h:43 + msgid "Module:" +-msgstr "Module :" ++msgstr "Module :" + + #: ../src/firewall-config.glade.h:44 + msgid "Helper" +@@ -923,7 +923,7 @@ msgstr "Assistant" + + #: ../src/firewall-config.glade.h:45 + msgid "Please select a helper:" +-msgstr "Veuillez sélectionner un assistant :" ++msgstr "Veuillez sélectionner un assistant :" + + #: ../src/firewall-config.glade.h:46 + msgid "Base ICMP Type Settings" +@@ -931,7 +931,7 @@ msgstr "Paramètres de base de type ICMP" + + #: ../src/firewall-config.glade.h:47 + msgid "Please configure base ICMP type settings:" +-msgstr "Veuillez configurer 
les paramètres de base de type ICMP :" ++msgstr "Veuillez configurer les paramètres de base de type ICMP :" + + #: ../src/firewall-config.glade.h:48 + msgid "ICMP Type" +@@ -951,7 +951,7 @@ msgstr "Ajouter les entrées en provenance du fichier" + + #: ../src/firewall-config.glade.h:52 + msgid "Remove Selected Entry" +-msgstr "Supprimer l'entrée sélectionnée" ++msgstr "Supprimer l’entrée sélectionnée" + + #: ../src/firewall-config.glade.h:53 + msgid "Remove All Entries" +@@ -980,9 +980,9 @@ msgid "" + "lost with reload if they have not been also in permanent configuration." + msgstr "" + "Recharger les règles du pare-feu. La configuration permanente actuelle " +-"deviendra la nouvelle configuration d'exécution. Par exemple toutes les " +-"modifications d'exécution faite avant le rechargement seront perdues si " +-"elles n'ont pas été aussi dans la configuration permanente." ++"deviendra la nouvelle configuration d’exécution. Par exemple toutes les " ++"modifications d’exécution faite avant le rechargement seront perdues si " ++"elles n’ont pas été aussi dans la configuration permanente." + + #: ../src/firewall-config.glade.h:60 + msgid "Change which zone a network connection belongs to." +@@ -1002,15 +1002,15 @@ msgstr "Changer DéniDeLog" + + #: ../src/firewall-config.glade.h:65 + msgid "Change LogDenied value." +-msgstr "Changer la valeur du DéniDeLog" ++msgstr "Changer la valeur du DéniDeLog." + + #: ../src/firewall-config.glade.h:66 + msgid "Configure Automatic Helper Assigment" +-msgstr "Configurer les assignations de l'assistant automatique" ++msgstr "Configurer les assignations de l’assistant automatique" + + #: ../src/firewall-config.glade.h:67 + msgid "Configure Automatic Helper Assignment setting." +-msgstr "Configurer les paramètres d'assignations de l'assistant automatique." ++msgstr "Configurer les paramètres d’assignations de l’assistant automatique." 
+ + #: ../src/firewall-config.glade.h:68 + msgid "Panic mode means that all incoming and outgoing packets are dropped." +@@ -1036,7 +1036,7 @@ msgstr "Verrouillage" + + #: ../src/firewall-config.glade.h:72 + msgid "Make runtime configuration permanent" +-msgstr "Rendre la configuration d'exécution permanente" ++msgstr "Rendre la configuration d’exécution permanente" + + #: ../src/firewall-config.glade.h:73 + msgid "Runtime To Permanent" +@@ -1087,18 +1087,18 @@ msgid "" + "Hide active runtime bindings of connections, interfaces and sources to zones" + msgstr "" + "Cacher les liaisons de runtime actives de connexions, interfaces et sources " +-"à des zones." ++"à des zones" + + #: ../src/firewall-config.glade.h:85 + msgid "" + "Show active runtime bindings of connections, interfaces and sources to zones" + msgstr "" + "Afficher les liaisons de runtime actives de connexions, interfaces et " +-"sources à des zones." ++"sources à des zones" + + #: ../src/firewall-config.glade.h:86 + msgid "Configuration:" +-msgstr "Configuration :" ++msgstr "Configuration :" + + #: ../src/firewall-config.glade.h:87 + msgid "" +@@ -1106,7 +1106,7 @@ msgid "" + "configuration. Permanent configuration will be active after service or " + "system reload or restart." + msgstr "" +-"Configuration visible actuellement. La configuration d'exécution est la " ++"Configuration visible actuellement. La configuration d’exécution est la " + "configuration active en fait. La configuration persistante deviendra active " + "après avoir rechargé ou redémarré le service ou le système." + +@@ -1118,10 +1118,10 @@ msgid "" + "filters and rich rules. The zone can be bound to interfaces and source " + "addresses." + msgstr "" +-"Une zone firewalld définie le niveau de confiance pour les connexions " +-"réseau, les interfaces et les adresses de sources liés à cette zone. La zone " +-"combine les services, ports, protocoles, translation d'adresse, port ou " +-"paquet ré-acheminés, filtres icmp et règles riches. 
La zone peut être liée " ++"Une zone FirewallD définit le niveau de confiance pour les connexions " ++"réseau, les interfaces et les adresses de sources liées à cette zone. La " ++"zone combine les services, ports, protocoles, translations d’adresse, port " ++"ou paquet réacheminés, filtres ICMP et règles riches. La zone peut être liée " + "aux interfaces et aux adresses de source." + + #: ../src/firewall-config.glade.h:90 +@@ -1149,7 +1149,7 @@ msgstr "" + "Vous pouvez définir ici quels services sont de confiance dans la zone. Les " + "services de confiance sont accessibles depuis tous les hôtes et réseaux qui " + "peuvent accéder à la machine depuis les connexions, interfaces et sources " +-"liés à cette zone." ++"liées à cette zone." + + #: ../src/firewall-config.glade.h:95 + msgid "Services" +@@ -1183,7 +1183,7 @@ msgstr "Ports" + #: ../src/firewall-config.glade.h:101 + msgid "Add protocols, which need to be accessible for all hosts or networks." + msgstr "" +-"Ajoutez des protocoles qu'il faut rendre accessibles à tous les hôtes ou " ++"Ajoutez des protocoles qu’il faut rendre accessibles à tous les hôtes ou " + "réseaux." + + #: ../src/firewall-config.glade.h:102 +@@ -1207,9 +1207,9 @@ msgid "" + "Add additional source ports or port ranges, which need to be accessible for " + "all hosts or networks that can connect to the machine." + msgstr "" +-"Ajouter des ports source ou des plages de ports supplémentaires, qui doivent " +-"être accessibles à tous les hôtes ou réseaux qui peuvent se connecter à la " +-"machine." ++"Ajouter des ports sources ou des plages de ports supplémentaires, qui " ++"doivent être accessibles à tous les hôtes ou réseaux qui peuvent se " ++"connecter à la machine." + + #: ../src/firewall-config.glade.h:107 + msgid "Source Ports" +@@ -1221,26 +1221,26 @@ msgid "" + "network to the internet. Your local network will not be visible and the " + "hosts appear as a single address on the internet. Masquerading is IPv4 only." 
+ msgstr "" +-"La translation d'adresses est très utile si vous configurez un hôte ou un " ++"La translation d’adresses est très utile si vous configurez un hôte ou un " + "routeur qui connecte votre réseau local à Internet. Votre réseau local ne " +-"sera pas visible et vos hôtes apparaîtront sous une adresse unique sur " +-"Internet. La translation d'adresse est une spécificité d'IPv4." ++"sera pas visible et vos hôtes apparaitront sous une adresse unique sur " ++"Internet. La translation d’adresse est une spécificité d’IPv4." + + #: ../src/firewall-config.glade.h:109 + msgid "Masquerade zone" +-msgstr "Zone de translation d'adresse" ++msgstr "Zone de translation d’adresse" + + #: ../src/firewall-config.glade.h:110 + msgid "" + "If you enable masquerading, IP forwarding will be enabled for your IPv4 " + "networks." + msgstr "" +-"Si vous activez la translation d'adresse, la redirection IP sera activée " +-"pour votre réseau IPV4" ++"Si vous activez la translation d’adresse, la redirection IP sera activée " ++"pour votre réseau IPV4." + + #: ../src/firewall-config.glade.h:111 + msgid "Masquerading" +-msgstr "Translation d'adresses" ++msgstr "Translation d’adresses" + + #: ../src/firewall-config.glade.h:112 + msgid "" +@@ -1249,10 +1249,10 @@ msgid "" + "system is only useful if the interface is masqueraded. Port forwarding is " + "IPv4 only." + msgstr "" +-"Ajouter des entrées pour rediriger les ports soit d'un port à un autre sur " ++"Ajouter des entrées pour rediriger les ports soit d’un port à un autre sur " + "le système local, soit du système local vers un autre. Rediriger vers un " +-"autre système n'est utile que si l'interface est masquée. Le redirection de " +-"port est une spécificité d'IPv4." ++"autre système n’est utile que si l’interface est masquée. La redirection de " ++"port est une spécificité d’IPv4." 
+ + #: ../src/firewall-config.glade.h:113 + msgid "Add Forward Port" +@@ -1272,10 +1272,10 @@ msgid "" + "messages between networked computers, but additionally for informational " + "messages like ping requests and replies." + msgstr "" +-"Le protocole de message de contrôle internet (ICMP, pour « Internet Control " ++"Le protocole de message de contrôle Internet (ICMP, pour « Internet Control " + "Message Protocol ») est utilisé essentiellement pour envoyer des messages " +-"d'erreurs vers les ordinateurs d'un réseau, mais également pour envoyer des " +-"messages d'information, comme les requêtes « ping » et leurs réponses." ++"d’erreurs vers les ordinateurs d’un réseau, mais également pour envoyer des " ++"messages d’information, comme les requêtes « ping » et leurs réponses." + + #: ../src/firewall-config.glade.h:117 + msgid "" +@@ -1283,7 +1283,7 @@ msgid "" + "types are allowed to pass the firewall. The default is no limitation." + msgstr "" + "Marquez les types ICMP de la liste qui doivent être rejetés. Tous les autres " +-"types ICMP sont autorisés à traverser le pare-feu. Par défaut, il n'y a " ++"types ICMP sont autorisés à traverser le pare-feu. Par défaut, il n’y a " + "aucune restriction." + + #: ../src/firewall-config.glade.h:118 +@@ -1328,7 +1328,7 @@ msgid "" + "Add entries to bind interfaces to the zone. If the interface will be used by " + "a connection, the zone will be set to the zone specified in the connection." + msgstr "" +-"Ajouter des entrées pour lier des interfaces à la zone. Si l'interface est " ++"Ajouter des entrées pour lier des interfaces à la zone. Si l’interface est " + "utilisée par une connexion, la zone sera définie sur la zone indiquée dans " + "la connexion." 
+ +@@ -1338,11 +1338,11 @@ msgstr "Ajouter une interface" + + #: ../src/firewall-config.glade.h:128 + msgid "Edit Interface" +-msgstr "Quitter l'interface" ++msgstr "Quitter l’interface" + + #: ../src/firewall-config.glade.h:129 + msgid "Remove Interface" +-msgstr "Supprimer l'interface" ++msgstr "Supprimer l’interface" + + #: ../src/firewall-config.glade.h:131 + msgid "" +@@ -1353,7 +1353,7 @@ msgstr "" + "Ajouter des entrées pour lier les adresses ou zones source à la zone. Vous " + "pouvez également les lier à une adresse source MAC mais avec certaines " + "limites. Le transfert et masquage ne fonctionneront pas pour les liaisons " +-"source de MAC." ++"sources de MAC." + + #: ../src/firewall-config.glade.h:132 + msgid "Add Source" +@@ -1376,8 +1376,8 @@ msgid "" + "A firewalld service is a combination of ports, protocols, modules and " + "destination addresses." + msgstr "" +-"Un service firewalld est une combinaison de ports, de protocoles, de modules " +-"et d'adresses de destination." ++"Un service FirewallD est une combinaison de ports, de protocoles, de modules " ++"et d’adresses de destination." + + #: ../src/firewall-config.glade.h:139 + msgid "Add Service" +@@ -1400,7 +1400,7 @@ msgid "" + "Add additional ports or port ranges, which need to be accessible for all " + "hosts or networks." + msgstr "" +-"Ajoutez les ports ou intervalles de ports supplémentaires qu'il faut rendre " ++"Ajoutez les ports ou intervalles de ports supplémentaires qu’il faut rendre " + "accessibles à tous les hôtes ou réseaux." + + #: ../src/firewall-config.glade.h:144 +@@ -1416,7 +1416,7 @@ msgid "" + "Add additional source ports or port ranges, which need to be accessible for " + "all hosts or networks." + msgstr "" +-"Ajoutez les ports source ou intervalles de ports supplémentaires qu'il faut " ++"Ajoutez les ports source ou intervalles de ports supplémentaires qu’il faut " + "rendre accessibles à tous les hôtes ou réseaux." 
+
+ #: ../src/firewall-config.glade.h:147
+@@ -1426,7 +1426,7 @@ msgstr "Port source"
+ #: ../src/firewall-config.glade.h:148
+ msgid "Netfilter helper modules are needed for some services."
+ msgstr ""
+-"Les modules d'assistance Netfilter sont nécessaires pour certains services."
++"Les modules d’assistance Netfilter sont nécessaires pour certains services."
+
+ #: ../src/firewall-config.glade.h:149
+ msgid "Modules"
+@@ -1438,17 +1438,17 @@ msgid ""
+ "the destination address and type. If both entries are empty, there is no "
+ "limitation."
+ msgstr ""
+-"Si vous spécifiez une adresse de destination, l'entrée de service sera "
+-"limitée au type et à l'adresse de destination. Si ces deux entrées sont "
+-"vides, il n'y a pas de limitation."
++"Si vous spécifiez une adresse de destination, l’entrée de service sera "
++"limitée au type et à l’adresse de destination. Si ces deux entrées sont "
++"vides, il n’y a pas de limitation."
+
+ #: ../src/firewall-config.glade.h:151
+ msgid "IPv4:"
+-msgstr "IPv4 :"
++msgstr "IPv4 :"
+
+ #: ../src/firewall-config.glade.h:152
+ msgid "IPv6:"
+-msgstr "IPv6 :"
++msgstr "IPv6 :"
+
+ #: ../src/firewall-config.glade.h:153
+ msgid ""
+@@ -1456,7 +1456,7 @@ msgid ""
+ "runtime configuration of services is fixed."
+ msgstr ""
+ "Les services ne peuvent être modifiés que dans la fenêtre de configuration "
+-"permanente. La configuration d'exécution des services est fixé."
++"permanente. La configuration d’exécution des services est fixée."
+
+ #: ../src/firewall-config.glade.h:154
+ msgid ""
+@@ -1464,7 +1464,7 @@ msgid ""
+ "example IP addresses, port numbers or MAC addresses. "
+ msgstr ""
+ "Un IPSet peut être utilisé pour créer des listes noires ou blanches et peut "
+-"stocker des adresses IP, numéros de port ou adresses MAC."
++"stocker des adresses IP, numéros de port ou adresses MAC. "
+
+ #: ../src/firewall-config.glade.h:155
+ msgid "IPSet"
+@@ -1493,18 +1493,18 @@ msgid ""
+ "added by firewalld.
Entries, that have been directly added with the ipset "
+ "command wil not be listed here."
+ msgstr ""
+-"Entrées de l'IPSet. Vous ne pourrez voir que des entrées d'ipsets qui "
+-"n'utilisent pas l'option timeout et uniquement les entrées qui ont été "
+-"ajoutées par firewalld. Les entrées qui ont été ajoutées directement avec la "
+-"commande ipset n'apparaissent pas ici."
++"Entrées de l’IPSet. Vous ne pourrez voir que des entrées d’IPSets qui "
++"n’utilisent pas l’option timeout et uniquement les entrées qui ont été "
++"ajoutées par FirewallD. Les entrées qui ont été ajoutées directement avec la "
++"commande IPSet n’apparaissent pas ici."
+
+ #: ../src/firewall-config.glade.h:161
+ msgid ""
+ "This IPSet uses the timeout option, therefore no entries are visible here. "
+ "The entries should be taken care directly with the ipset command."
+ msgstr ""
+-"Cet IPSet utilise l'option timeout, donc aucune entrée n'est visible ici. "
+-"Les entrées doivent être utilisées avec la commande ipset directement."
++"Cet IPSet utilise l’option timeout, donc aucune entrée n’est visible ici. "
++"Les entrées doivent être utilisées avec la commande IPSet directement."
+
+ #: ../src/firewall-config.glade.h:162
+ msgid "Add"
+@@ -1518,7 +1518,7 @@ msgstr "Entrées"
+ msgid ""
+ "IPSets can only be created or deleted in the permanent configuration view."
+ msgstr ""
+-"Les IPSets peuvent uniquement être créés ou supprimés dnas l'affichage de "
++"Les IPSets peuvent uniquement être créés ou supprimés dans l’affichage de "
+ "configuration permanent."
+
+ #: ../src/firewall-config.glade.h:166
+@@ -1526,20 +1526,20 @@ msgid ""
+ "A firewalld icmptype provides the information for an Internet Control "
+ "Message Protocol (ICMP) type for firewalld."
+ msgstr ""
+-"L'icmptype de firewalld fournit les informations pour le type de protocole "
+-"de contrôle du réseau internet (ICMP) pour firewalld."
++"L’icmptype de FirewallD fournit les informations pour le type de protocole "
++"de contrôle du réseau Internet (ICMP) pour FirewallD."
+
+ #: ../src/firewall-config.glade.h:167
+ msgid "Add ICMP Type"
+-msgstr "Ajoute un type d'ICMP"
++msgstr "Ajoute un type d’ICMP"
+
+ #: ../src/firewall-config.glade.h:168
+ msgid "Edit ICMP Type"
+-msgstr "Modifier le type d'ICMP"
++msgstr "Modifier le type d’ICMP"
+
+ #: ../src/firewall-config.glade.h:169
+ msgid "Remove ICMP Type"
+-msgstr "Supprimer le type d'ICMP"
++msgstr "Supprimer le type d’ICMP"
+
+ #: ../src/firewall-config.glade.h:170
+ msgid "Load ICMP Type Defaults"
+@@ -1547,16 +1547,16 @@ msgstr "Charger le type ICMP par défaut"
+
+ #: ../src/firewall-config.glade.h:171
+ msgid "Specify whether this ICMP Type is available for IPv4 and/or IPv6."
+-msgstr "Précisez si ce type d'ICMP est disponible pour IPv4 et/ou IPv6."
++msgstr "Précisez si ce type d’ICMP est disponible pour IPv4 et/ou IPv6."
+
+ #: ../src/firewall-config.glade.h:172
+ msgid ""
+ "ICMP Types can only be changed in the permanent configuration view. The "
+ "runtime configuration of ICMP Types is fixed."
+ msgstr ""
+-"Les types d'ICMP ne peuvent être modifiés que dans la fenêtre de "
+-"configuration permanente. La configuration en cours d'exécution des types "
+-"d'ICMP est fixée."
++"Les types d’ICMP ne peuvent être modifiés que dans la fenêtre de "
++"configuration permanente. La configuration en cours d’exécution des types "
++"d’ICMP est fixée."
+
+ #: ../src/firewall-config.glade.h:173
+ msgid ""
+@@ -1573,7 +1573,7 @@ msgstr ""
+
+ #: ../src/firewall-config.glade.h:174
+ msgid "Define ports or port ranges, which are monitored by the helper."
+-msgstr "Définir les ports ou plages de port, surveillés par l'assistant."
++msgstr "Définir les ports ou plages de port, surveillés par l’assistant."
+
+ #: ../src/firewall-config.glade.h:175
+ msgid ""
+@@ -1583,10 +1583,10 @@ msgid ""
+ "as a last resort when it is not possible to use other firewalld features."
+ msgstr ""
+ "La configuration directe donne un accès plus direct au pare-feu. Ces options "
+-"exige que l'utilisateur connaisse les concepts de base de iptables, c.a.d "
+-"tables chaines, commandes, paramètres et cibles. La configuration directe "
+-"devrait être utilisée qu'en dernier ressort, quand il n'est pas possible "
+-"d'utiliser les autres fonctionnalités de firewalld."
++"exigent que l’utilisateur connaisse les concepts de base de iptables, c.-à-"
++"d. tables chaines, commandes, paramètres et cibles. La configuration directe "
++"devrait être utilisée qu’en dernier ressort, quand il n’est pas possible "
++"d’utiliser les autres fonctionnalités de FirewallD."
+
+ #: ../src/firewall-config.glade.h:176
+ msgid ""
+@@ -1594,8 +1594,8 @@ msgid ""
+ "will be for iptables, with ipv6 for ip6tables and with eb for ethernet "
+ "bridges (ebtables)."
+ msgstr ""
+-"L'argument ipv de chaque option doit être ipv4 ou ipv6 ou eb. ipv4 pour "
+-"iptables, ipv6 pour ip6tables et eb pour une passerelle ethernet (ebtables)."
++"L’argument ipv de chaque option doit être ipv4 ou ipv6 ou eb. ipv4 pour "
++"iptables, ipv6 pour ip6tables et eb pour une passerelle Ethernet (ebtables)."
+
+ #: ../src/firewall-config.glade.h:177
+ msgid "Additional chains for use with rules."
+@@ -1621,7 +1621,7 @@ msgstr "Chaines"
+ msgid ""
+ "Add a rule with the arguments args to a chain in a table with a priority."
+ msgstr ""
+-"Ajoutez une règle avec les arguments « args » à une chaîne dans une table "
++"Ajoutez une règle avec les arguments « args » à une chaine dans une table "
+ "avec une priorité."
+
+ #: ../src/firewall-config.glade.h:183
+@@ -1636,8 +1636,8 @@ msgstr ""
+ "La priorité est utilisée pour ordonner les règles.
La priorité 0 signifie "
+ "ajouter la règle en début de chaine, avec une priorité plus élevée la règle "
+ "sera ajoutée plus bas. Les règles avec le même niveau de priorité sont sur "
+-"le même niveau et l'ordre de ces règles n'est pas fixé et peut être modifié. "
+-"Si vous voulez être sur qu'une règle est ajoutée après une autre utilisez "
++"le même niveau et l’ordre de ces règles n’est pas fixé et peut être modifié. "
++"Si vous voulez être sûr qu’une règle est ajoutée après une autre, utilisez "
+ "une priorité basse pour la première et une plus élevée pour les suivantes."
+
+ #: ../src/firewall-config.glade.h:184
+@@ -1663,8 +1663,8 @@ msgid ""
+ "can be used."
+ msgstr ""
+ "Les règles passthrough sont directement répercutées sur le pare-feu et ne "
+-"sont pas placé dans les chaînes particulières. Toutes les options iptables, "
+-"ip6tables et ebtables peuvent être utilisées."
++"sont pas placées dans les chaines particulières. Toutes les options "
++"iptables, ip6tables et ebtables peuvent être utilisées."
+
+ #: ../src/firewall-config.glade.h:189
+ msgid "Please be careful with passthrough rules to not damage the firewall."
+@@ -1694,10 +1694,10 @@ msgid ""
+ "firewalld. It limits changes to the firewall. The lockdown whitelist can "
+ "contain commands, contexts, users and user ids."
+ msgstr ""
+-"La fonction verrouillage est une version allégé de l'utilisateur et des "
+-"politiques d'application pour firewalld. Elle limite les modifications au "
++"La fonction verrouillage est une version allégée de l’utilisateur et des "
++"politiques d’application pour FirewallD. Elle limite les modifications au "
+ "pare-feu. La liste blanche peut comprendre des commandes, des contextes, des "
+-"utilisateurs et des identifiants d'utilisateur."
++"utilisateurs et des identifiants d’utilisateur."
+
+ #: ../src/firewall-config.glade.h:195
+ msgid ""
+@@ -1705,9 +1705,9 @@ msgid ""
+ "service. To get the context of a running application use ps -e --"
+ "context."
+ msgstr ""
+-"Le contexte est le contexte de sécurité (SELinux) d'une application en cours "
+-"d'exécution ou d'un service. Pour obtenir le contexte d'une application en "
+-"cours d'exécution utilisez ps -e --context."
++"Le contexte est le contexte de sécurité (SELinux) d’une application en cours "
++"d’exécution ou d’un service. Pour obtenir le contexte d’une application en "
++"cours d’exécution utilisez ps -e --context."
+
+ #: ../src/firewall-config.glade.h:196
+ msgid "Add Context"
+@@ -1731,9 +1731,9 @@ msgid ""
+ "command lines starting with the command will match. If the '*' is not there "
+ "the absolute command inclusive arguments must match."
+ msgstr ""
+-"Si une commande de la liste blanche se termine par un astérisque « * », "
++"Si une commande de la liste blanche se termine par un astérisque « * », "
+ "alors toutes les lignes de commande commençant par cette commande seront "
+-"prise en compte. Si « * » est absent alors la commande seule sera prise en "
++"prises en compte. Si « * » est absent alors la commande seule sera prise en "
+ "compte."
+
+ #: ../src/firewall-config.glade.h:201
+@@ -1746,7 +1746,7 @@ msgstr "Afficher une ligne de commande"
+
+ #: ../src/firewall-config.glade.h:203
+ msgid "Remove Command Line"
+-msgstr "Supprimerune ligne de commande"
++msgstr "Supprimer une ligne de commande"
+
+ #: ../src/firewall-config.glade.h:204
+ msgid "Command lines"
+@@ -1754,27 +1754,27 @@ msgstr "Lignes de commande"
+
+ #: ../src/firewall-config.glade.h:205
+ msgid "User names."
+-msgstr "Noms d'utilisateur"
++msgstr "Noms d’utilisateur"
+
+ #: ../src/firewall-config.glade.h:206
+ msgid "Add User Name"
+-msgstr "Ajouter un nom d'utilisateur"
++msgstr "Ajouter un nom d’utilisateur"
+
+ #: ../src/firewall-config.glade.h:207
+ msgid "Edit User Name"
+-msgstr "Modifier un nom d'utilisateur"
++msgstr "Modifier un nom d’utilisateur"
+
+ #: ../src/firewall-config.glade.h:208
+ msgid "Remove User Name"
+-msgstr "Supprimer un nom d'utilisateur"
++msgstr "Supprimer un nom d’utilisateur"
+
+ #: ../src/firewall-config.glade.h:209
+ msgid "User names"
+-msgstr "Noms d'utilisateur"
++msgstr "Noms d’utilisateur"
+
+ #: ../src/firewall-config.glade.h:210
+ msgid "User ids."
+-msgstr "Identifiants d'utilisateur"
++msgstr "Identifiants d’utilisateur"
+
+ #: ../src/firewall-config.glade.h:211
+ msgid "Add User Id"
+@@ -1790,7 +1790,7 @@ msgstr "Supprimer un identifiant utilisateur"
+
+ #: ../src/firewall-config.glade.h:214
+ msgid "User Ids"
+-msgstr "Identifiants d'utilisateur"
++msgstr "Identifiants d’utilisateur"
+
+ #: ../src/firewall-config.glade.h:215
+ msgid "Current default zone of the system."
+@@ -1801,30 +1801,30 @@ msgctxt ""
+ "Meaning: Log of denied packets. But this is too long. LogDenied is also the "
+ "parameter used in firewalld.conf."
+ msgid "Log Denied:"
+-msgstr "DéniDeLog :"
++msgstr "DéniDeLog :"
+
+ #: ../src/firewall-config.glade.h:217
+ msgid "Panic Mode:"
+-msgstr "Mode panique :"
++msgstr "Mode panique :"
+
+ #: ../src/firewall-config.glade.h:218
+ msgctxt ""
+ "Meaning: Log of denied packets. But this is too long. LogDenied is also the "
+ "parameter used in firewalld.conf."
+ msgid "Automatic Helpers:"
+-msgstr "Assistants automatiques :"
++msgstr "Assistants automatiques :"
+
+ #: ../src/firewall-config.glade.h:219
+ msgid "Lockdown:"
+-msgstr "Verrouiller :"
++msgstr "Verrouiller :"
+
+ #: ../src/firewall-config.glade.h:220
+ msgid "Default Zone:"
+-msgstr "Zone par défaut :"
++msgstr "Zone par défaut :"
+
+ #: ../src/firewall-config.glade.h:222
+ msgid "Please enter an interface name:"
+-msgstr "Veuillez saisir un nom d'interface :"
++msgstr "Veuillez saisir un nom d’interface :"
+
+ #: ../src/firewall-config.glade.h:223
+ msgid "Base IPSet Settings"
+@@ -1832,7 +1832,7 @@ msgstr "Paramètres IPSet de base"
+
+ #: ../src/firewall-config.glade.h:224
+ msgid "Please configure base ipset settings:"
+-msgstr "Veuillez configurer les paramètres de l'IPSet de base :"
++msgstr "Veuillez configurer les paramètres de l’IPSet de base :"
+
+ #: ../src/firewall-config.glade.h:225
+ msgid "Type:"
+@@ -1856,19 +1856,19 @@ msgstr "Valeur du timeout en secondes"
+
+ #: ../src/firewall-config.glade.h:230
+ msgid "Initial hash size, default 1024"
+-msgstr "Taille du hachage initial, valeur par défaut : 1024"
++msgstr "Taille du hachage initial, valeur par défaut : 1024"
+
+ #: ../src/firewall-config.glade.h:231
+ msgid "Max number of elements, default 65536"
+-msgstr "Nombre maximal d'éléments, valeur par défaut : 65536"
++msgstr "Nombre maximal d’éléments, valeur par défaut : 65 536"
+
+ #: ../src/firewall-config.glade.h:232
+ msgid "Please select an ipset:"
+-msgstr "Veuillez sélectionner un IPSet"
++msgstr "Veuillez sélectionner un IPSet :"
+
+ #: ../src/firewall-config.glade.h:234
+ msgid "Please enter an ipset entry:"
+-msgstr "Veuillez saisir une entrée ipset :"
++msgstr "Veuillez saisir une entrée IPSet :"
+
+ #: ../src/firewall-config.glade.h:235
+ msgid "Log Denied"
+@@ -1876,7 +1876,7 @@ msgstr "DéniDeLog"
+
+ #: ../src/firewall-config.glade.h:236
+ msgid "Please select the log denied value:"
+-msgstr "Veuillez sélectionner la valeur du
DéniDeLog :"
++msgstr "Veuillez sélectionner la valeur du DéniDeLog :"
+
+ #: ../src/firewall-config.glade.h:237
+ msgid "Mark"
+@@ -1894,7 +1894,7 @@ msgstr ""
+
+ #: ../src/firewall-config.glade.h:240
+ msgid "Mark:"
+-msgstr "Marque :"
++msgstr "Marque :"
+
+ #: ../src/firewall-config.glade.h:241
+ msgid "Mask:"
+@@ -1902,7 +1902,7 @@ msgstr "Masque :"
+
+ #: ../src/firewall-config.glade.h:242
+ msgid "Please select a netfilter conntrack helper:"
+-msgstr "Veuillez sélectionner un assistant conntrack netfilter :"
++msgstr "Veuillez sélectionner un assistant conntrack netfilter :"
+
+ #: ../src/firewall-config.glade.h:243
+ msgid "- Select -"
+@@ -1910,7 +1910,7 @@ msgstr "- Sélectionner -"
+
+ #: ../src/firewall-config.glade.h:244
+ msgid "Other Module:"
+-msgstr "Autre module :"
++msgstr "Autre module :"
+
+ #: ../src/firewall-config.glade.h:245
+ msgid "Port and Protocol"
+@@ -1927,7 +1927,7 @@ msgstr "Règle directe"
+ #: ../src/firewall-config.glade.h:248
+ msgid "Please select ipv and table, chain priority and enter the args."
+ msgstr ""
+-"Veuillez sélectionner l'ipv et la table, la chaine prioritaire et saisissez "
++"Veuillez sélectionner l’ipv et la table, la chaine prioritaire et saisissez "
+ "las arguments."
+
+ #: ../src/firewall-config.glade.h:249
+@@ -1940,7 +1940,7 @@ msgstr "Veuillez saisir un protocole."
+
+ #: ../src/firewall-config.glade.h:252
+ msgid "Other Protocol:"
+-msgstr "Autres protocoles :"
++msgstr "Autres protocoles :"
+
+ #: ../src/firewall-config.glade.h:253
+ msgid "Rich Rule"
+@@ -1953,7 +1953,7 @@ msgstr "Veuillez saisir une règle riche."
+ #: ../src/firewall-config.glade.h:255
+ msgid "For host or network white or blacklisting deactivate the element."
+ msgstr ""
+-"Désactiver l'élément pour un hôte ou un réseau blanc ou sur liste noire."
++"Désactiver l’élément pour un hôte ou un réseau blanc ou sur liste noire."
+
+ #: ../src/firewall-config.glade.h:256
+ msgid "Source:"
+@@ -1965,7 +1965,7 @@ msgstr "Destination :"
+
+ #: ../src/firewall-config.glade.h:258
+ msgid "Log:"
+-msgstr "Journal :"
++msgstr "Journal :"
+
+ #: ../src/firewall-config.glade.h:259
+ msgid "Audit:"
+@@ -1989,11 +1989,11 @@ msgstr ""
+
+ #: ../src/firewall-config.glade.h:267
+ msgid "with Type:"
+-msgstr "avec le type :"
++msgstr "avec le type :"
+
+ #: ../src/firewall-config.glade.h:268
+ msgid "With limit:"
+-msgstr "avec la limite :"
++msgstr "avec la limite :"
+
+ #: ../src/firewall-config.glade.h:269
+ msgid "/"
+@@ -2001,11 +2001,11 @@ msgstr "/"
+
+ #: ../src/firewall-config.glade.h:274
+ msgid "Prefix:"
+-msgstr "Préfixe :"
++msgstr "Préfixe :"
+
+ #: ../src/firewall-config.glade.h:275
+ msgid "Level:"
+-msgstr "Niveau :"
++msgstr "Niveau :"
+
+ #: ../src/firewall-config.glade.h:292
+ msgid "Element:"
+@@ -2021,7 +2021,7 @@ msgstr "Paramètres du service de base"
+
+ #: ../src/firewall-config.glade.h:295
+ msgid "Please configure base service settings:"
+-msgstr "Veuillez configurer les paramètres du service de base :"
++msgstr "Veuillez configurer les paramètres du service de base :"
+
+ #: ../src/firewall-config.glade.h:296
+ msgid "Please select a service."
+@@ -2037,11 +2037,11 @@ msgstr "ID utilisateur"
+
+ #: ../src/firewall-config.glade.h:299
+ msgid "Please enter the user id."
+-msgstr "Veuillez saisir l'ID de l'utilisateur."
++msgstr "Veuillez saisir l’ID de l’utilisateur."
+
+ #: ../src/firewall-config.glade.h:301
+ msgid "Please enter the user name."
+-msgstr "Veuillez saisir le nom d'utilisateur."
++msgstr "Veuillez saisir le nom d’utilisateur."
+
+ #: ../src/firewall-config.glade.h:302
+ msgid "label"
+@@ -2053,7 +2053,7 @@ msgstr "Paramètres de la zone de base"
+
+ #: ../src/firewall-config.glade.h:304
+ msgid "Please configure base zone settings:"
+-msgstr "Veuillez configurer les paramètres de la zone de base :"
++msgstr "Veuillez configurer les paramètres de la zone de base :"
+
+ #: ../src/firewall-config.glade.h:305
+ msgid "Default Target"
+@@ -2061,4 +2061,4 @@ msgstr "Cible par défaut"
+
+ #: ../src/firewall-config.glade.h:306
+ msgid "Target:"
+-msgstr "Cible :"
++msgstr "Cible :"
+diff --git a/po/gl.po b/po/gl.po
+index 4845df696886..a0d05c1f8f88 100644
+--- a/po/gl.po
++++ b/po/gl.po
+@@ -9,7 +9,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: \n"
+-"POT-Creation-Date: 2020-01-07 09:22-0500\n"
++"POT-Creation-Date: 2020-01-13 14:38-0500\n"
+ "PO-Revision-Date: 2015-02-26 09:45+0000\n"
+ "Last-Translator: Copied by Zanata \n"
+ "Language-Team: Galician (http://www.transifex.com/projects/p/firewalld/"
+diff --git a/po/gu.po b/po/gu.po
+index 00d073043ae6..f3d35b00e6a8 100644
+--- a/po/gu.po
++++ b/po/gu.po
+@@ -14,7 +14,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: \n"
+-"POT-Creation-Date: 2020-01-07 09:22-0500\n"
++"POT-Creation-Date: 2020-01-13 14:38-0500\n"
+ "PO-Revision-Date: 2015-02-26 09:45+0000\n"
+ "Last-Translator: Copied by Zanata \n"
+ "Language-Team: Gujarati (http://www.transifex.com/projects/p/firewalld/"
+diff --git a/po/hi.po b/po/hi.po
+index 07520b920e9f..9f0dd83a4684 100644
+--- a/po/hi.po
++++ b/po/hi.po
+@@ -10,7 +10,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: \n"
+-"POT-Creation-Date: 2020-01-07 09:22-0500\n"
++"POT-Creation-Date: 2020-01-13 14:38-0500\n"
+ "PO-Revision-Date: 2016-01-04 12:28+0000\n"
+ "Last-Translator: Copied by Zanata \n"
+ "Language-Team: Hindi (http://www.transifex.com/projects/p/firewalld/language/"
+diff --git
a/po/hu.po b/po/hu.po +index 8d02f894e92e..976cfc949f5b 100644 +--- a/po/hu.po ++++ b/po/hu.po +@@ -24,7 +24,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:24+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Hungarian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ia.po b/po/ia.po +index 59bfc3f3f4b6..87cbb7fd8841 100644 +--- a/po/ia.po ++++ b/po/ia.po +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 09:58+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Interlingua (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/id.po b/po/id.po +index 3304d54878b2..ed5e711d49f5 100644 +--- a/po/id.po ++++ b/po/id.po +@@ -3,7 +3,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-05-22 09:00+0000\n" + "Last-Translator: Ferdi Saptanera \n" + "Language-Team: Indonesian\n" +diff --git a/po/it.po b/po/it.po +index 6358ba40bd31..9ac550de52fd 100644 +--- a/po/it.po ++++ b/po/it.po +@@ -36,7 +36,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:24+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Italian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ja.po b/po/ja.po +index ea830261b855..5da911b4f5a4 100644 +--- a/po/ja.po ++++ b/po/ja.po +@@ -22,7 +22,7 @@ msgid "" + msgstr "" + 
"Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:25+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ka.po b/po/ka.po +index 864b3c8058c6..b98c8e3c539f 100644 +--- a/po/ka.po ++++ b/po/ka.po +@@ -9,7 +9,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2016-01-04 12:24+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Georgian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/kn.po b/po/kn.po +index 1826797aa9cd..e0ff31f2d9c0 100644 +--- a/po/kn.po ++++ b/po/kn.po +@@ -13,7 +13,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 09:59+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Kannada (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ko.po b/po/ko.po +index c36161b7163b..1c04294dda02 100644 +--- a/po/ko.po ++++ b/po/ko.po +@@ -18,7 +18,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:25+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Korean (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/lt.po b/po/lt.po +index 07a03e594ae7..72046f37d7be 100644 +--- a/po/lt.po ++++ b/po/lt.po +@@ -4,7 +4,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 
09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2019-05-13 08:05+0000\n" + "Last-Translator: Moo \n" + "Language-Team: Lithuanian\n" +diff --git a/po/ml.po b/po/ml.po +index 93b6b6b63d05..63905123fe24 100644 +--- a/po/ml.po ++++ b/po/ml.po +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 10:00+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Malayalam (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/mr.po b/po/mr.po +index 2b7159fdd370..8f8cbe1b3b1e 100644 +--- a/po/mr.po ++++ b/po/mr.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 10:00+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Marathi (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/nl.po b/po/nl.po +index 351b9906332a..aa2d110ff6ad 100644 +--- a/po/nl.po ++++ b/po/nl.po +@@ -17,7 +17,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:26+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Dutch (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/or.po b/po/or.po +index 90ffdcb7ca97..23c5a8f44660 100644 +--- a/po/or.po ++++ b/po/or.po +@@ -12,7 +12,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2016-01-04 12:33+0000\n" + "Last-Translator: Copied by Zanata \n" + 
"Language-Team: Oriya (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/pa.po b/po/pa.po +index 3480e4223dce..c374424da94e 100644 +--- a/po/pa.po ++++ b/po/pa.po +@@ -22,7 +22,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2017-11-26 02:37+0000\n" + "Last-Translator: A S Alam \n" + "Language-Team: Panjabi (Punjabi) (http://www.transifex.com/projects/p/" +diff --git a/po/pl.po b/po/pl.po +index 83703401460b..e4276dce1d46 100644 +--- a/po/pl.po ++++ b/po/pl.po +@@ -1,34 +1,33 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# + # Translators: + # Andrzej Olszewski , 2004 +-# Piotr Drąg , 2007,2013-2014 ++# Piotr Drąg , 2007,2013-2014, 2020. + # Tomasz Chrzczonowicz , 2009 + # Tom Berner , 2005 + # Tom Berner , 2004 +-# Piotr Drąg , 2015. #zanata +-# Piotr Drąg , 2016. #zanata +-# Piotr Drąg , 2017. #zanata ++# Piotr Drąg , 2015. #zanata, 2020. ++# Piotr Drąg , 2016. #zanata, 2020. ++# Piotr Drąg , 2017. #zanata, 2020. + # Eric Garver , 2018. #zanata +-# Piotr Drąg , 2018. #zanata ++# Piotr Drąg , 2018. #zanata, 2020. + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2018-11-16 08:26+0000\n" +-"Last-Translator: Copied by Zanata \n" +-"Language-Team: Polish (http://www.transifex.com/projects/p/firewalld/" +-"language/pl/)\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-15 15:28+0000\n" ++"Last-Translator: Piotr Drąg \n" ++"Language-Team: Polish \n" + "Language: pl\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Plural-Forms: nplurals=3; plural=(n==1 ? 
0 : n%10>=2 && n%10<=4 && (n%100<10 "
+-"|| n%100>=20) ? 1 : 2);\n"
+-"X-Generator: Zanata 4.6.2\n"
++"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
++"|| n%100>=20) ? 1 : 2;\n"
++"X-Generator: Weblate 3.10.1\n"
+
+ #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416
+ msgid "Firewall Applet"
+@@ -82,7 +81,7 @@ msgstr "Konfiguracja stref ochrony wysyłania/pobierania"
+
+ #: ../src/firewall-applet.in:220
+ msgid "Here you can select the zones used for Shields Up and Shields Down."
+-msgstr "Tutaj można wybrać strefy używane do ochrony wysyłania/pobierania"
++msgstr "Tutaj można wybrać strefy używane do ochrony wysyłania/pobierania."
+
+ #: ../src/firewall-applet.in:226
+ msgid ""
+@@ -267,7 +266,7 @@ msgid ""
+ "'{connection}' on interface '{interface}'"
+ msgstr ""
+ "Domyślna strefa „{default_zone}” została {activated_deactivated} dla "
+-"połączenia „{connection}” na interfejsie „{interface}”"
++"połączenia „{connection}” na interfejsie „{interface}”"
+
+ #: ../src/firewall-applet.in:1052
+ msgid ""
+@@ -275,7 +274,7 @@ msgid ""
+ "interface '{interface}'"
+ msgstr ""
+ "Strefa „{zone}” została {activated_deactivated} dla połączenia "
+-"„{connection}” na interfejsie „{interface}”"
++"„{connection}” na interfejsie „{interface}”"
+
+ #: ../src/firewall-applet.in:1057
+ msgid "Zone '{zone}' {activated_deactivated} for interface '{interface}'"
+@@ -910,7 +909,7 @@ msgstr "Proszę wybrać moduł pomocniczy:"
+
+ #: ../src/firewall-config.glade.h:46
+ msgid "Base ICMP Type Settings"
+-msgstr "Podstawowe ustawienia typu ICMP."
++msgstr "Podstawowe ustawienia typu ICMP"
+
+ #: ../src/firewall-config.glade.h:47
+ msgid "Please configure base ICMP type settings:"
+diff --git a/po/pt.po b/po/pt.po
+index 7d5e816e2e7e..3062794d6a67 100644
+--- a/po/pt.po
++++ b/po/pt.po
+@@ -12,7 +12,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: \n"
+-"POT-Creation-Date: 2020-01-07 09:22-0500\n"
++"POT-Creation-Date: 2020-01-13 14:38-0500\n"
+ "PO-Revision-Date: 2019-09-07 12:26+0000\n"
+ "Last-Translator: Manuela Silva \n"
+ "Language-Team: Portuguese (http://www.transifex.com/projects/p/firewalld/"
+diff --git a/po/pt_BR.po b/po/pt_BR.po
+index c381fa07343f..3238c2ca7e4b 100644
+--- a/po/pt_BR.po
++++ b/po/pt_BR.po
+@@ -34,7 +34,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: \n"
+-"POT-Creation-Date: 2020-01-07 09:22-0500\n"
++"POT-Creation-Date: 2020-01-13 14:38-0500\n"
+ "PO-Revision-Date: 2018-11-16 08:27+0000\n"
+ "Last-Translator: Copied by Zanata \n"
+ "Language-Team: Portuguese (Brazil) (http://www.transifex.com/projects/p/"
+diff --git a/po/ru.po b/po/ru.po
+index 38cede8b55e6..689d58388b0e 100644
+--- a/po/ru.po
++++ b/po/ru.po
+@@ -22,7 +22,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: \n"
+-"POT-Creation-Date: 2020-01-07 09:22-0500\n"
++"POT-Creation-Date: 2020-01-13 14:38-0500\n"
+ "PO-Revision-Date: 2018-11-16 08:27+0000\n"
+ "Last-Translator: Copied by Zanata \n"
+ "Language-Team: Russian (http://www.transifex.com/projects/p/firewalld/"
+diff --git a/po/sk.po b/po/sk.po
+index 4d6e67eb05b2..9d0cd1af82e3 100644
+--- a/po/sk.po
++++ b/po/sk.po
+@@ -14,7 +14,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: \n"
+-"POT-Creation-Date: 2020-01-07 09:22-0500\n"
++"POT-Creation-Date: 2020-01-13 14:38-0500\n"
+ "PO-Revision-Date: 2018-08-13 06:16+0000\n"
+ "Last-Translator: feonsu \n"
+ "Language-Team: Slovak
(http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/sq.po b/po/sq.po +index 91c16e57045d..627e28cda46f 100644 +--- a/po/sq.po ++++ b/po/sq.po +@@ -4,7 +4,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2017-04-20 11:49+0000\n" + "Last-Translator: Sidorela Uku \n" + "Language-Team: Albanian\n" +diff --git a/po/sr.po b/po/sr.po +index 7c45f703a716..6aedf084d77b 100644 +--- a/po/sr.po ++++ b/po/sr.po +@@ -12,7 +12,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2016-01-04 12:42+0000\n" + "Last-Translator: Momcilo Medic \n" + "Language-Team: Serbian (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/sr@latin.po b/po/sr@latin.po +index 6bde5c3dafb6..125b231e9293 100644 +--- a/po/sr@latin.po ++++ b/po/sr@latin.po +@@ -10,7 +10,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 10:03+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Serbian (Latin) (http://www.transifex.com/projects/p/" +diff --git a/po/sv.po b/po/sv.po +index f7e2ee9c9ec7..8cee574a5df0 100644 +--- a/po/sv.po ++++ b/po/sv.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:28+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Swedish (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/ta.po b/po/ta.po +index 3370eb155992..f8922de9edbb 100644 +--- 
a/po/ta.po ++++ b/po/ta.po +@@ -16,7 +16,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2015-02-26 10:04+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Tamil (http://www.transifex.com/projects/p/firewalld/language/" +diff --git a/po/te.po b/po/te.po +index 6365c4adf6e3..8c25924fcf43 100644 +--- a/po/te.po ++++ b/po/te.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2016-01-04 12:44+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Telugu (http://www.transifex.com/projects/p/firewalld/" +diff --git a/po/tr.po b/po/tr.po +index 404c8687de5e..a5316eb919ed 100644 +--- a/po/tr.po ++++ b/po/tr.po +@@ -1,28 +1,28 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# + # Translators: + # Automatically generated, 2004 + # Hasan Alp İNAN, 2011 + # Irmak Bıçakçıgil , 2014 + # Onuralp SEZER , 2012 + # Serdar Sağlam , 2019. #zanata ++# Oğuz Ersen , 2020. 
+ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2019-03-08 01:23+0000\n" +-"Last-Translator: Serdar Sağlam \n" +-"Language-Team: Turkish (http://www.transifex.com/projects/p/firewalld/" +-"language/tr/)\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-14 20:29+0000\n" ++"Last-Translator: Oğuz Ersen \n" ++"Language-Team: Turkish \n" + "Language: tr\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Plural-Forms: nplurals=2; plural=(n > 1);\n" +-"X-Generator: Zanata 4.6.2\n" ++"Plural-Forms: nplurals=2; plural=(n>1);\n" ++"X-Generator: Weblate 3.10.1\n" + + #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416 + msgid "Firewall Applet" +@@ -39,19 +39,19 @@ msgstr "Güvenlik Duvarı Yapılandırması" + #. Translators: These are searchable keywords for the firewall configuration tool + #: ../config/firewall-config.desktop.in.h:4 + msgid "firewall;network;security;iptables;netfilter;" +-msgstr "" ++msgstr "güvenlik duvarı;ağ;güvenlik;iptables;netfilter;" + + #: ../src/firewall-applet.in:92 ../src/firewall-config.in:7988 + #, c-format + msgid "Select zone for interface '%s'" +-msgstr "Arayüz için bölge seç '%s'" ++msgstr "'%s' arayüzü için bölge seç" + + #: ../src/firewall-applet.in:132 ../src/firewall-applet.in:139 + #: ../src/firewall-applet.in:145 ../src/firewall-config.in:2448 + #: ../src/firewall-config.in:8033 ../src/firewall-config.in:8041 + #: ../src/firewall-config.in:8074 ../src/firewall-config.glade.h:8 + msgid "Default Zone" +-msgstr "Öntanımlı Bölge" ++msgstr "Varsayılan Bölge" + + #: ../src/firewall-applet.in:166 ../src/firewall-config.in:8067 + #, c-format +@@ -60,7 +60,7 @@ msgstr "'%s' bağlantısı için bölge seç" + + #: ../src/firewall-applet.in:176 ../src/firewall-config.in:3927 + msgid "Failed to set zone {zone} for connection 
{connection_name}" +-msgstr "" ++msgstr "{connection_name} bağlantısı için {zone} bölgesi ayarlanamadı" + + #: ../src/firewall-applet.in:190 + #, c-format +@@ -69,26 +69,26 @@ msgstr "'%s' kaynağı için bölge seç" + + #: ../src/firewall-applet.in:207 + msgid "Configure Shields Up/Down Zones" +-msgstr "Artan/Azalan alanların kalkanlarını yapılandır" ++msgstr "Kalkanlar Aktif/Aktif Değil Bölgeleri Yapılandır" + + #: ../src/firewall-applet.in:220 + msgid "Here you can select the zones used for Shields Up and Shields Down." + msgstr "" +-"Burda seçtiğiniz alan için kalkanları etkin veya kalkanları etkisiz " +-"kılabilirsiniz." ++"Burada Kalkanlar Aktif ve Kalkanlar Aktif Değil için kullanılan bölgeleri " ++"seçebilirsiniz." + + #: ../src/firewall-applet.in:226 + msgid "" + "This feature is useful for people using the default zones mostly. For users, " + "that are changing zones of connections, it might be of limited use." + msgstr "" +-"Bu insanların en çok kullandığı varsayılan alan özelliğidir. Kullanıcılar " +-"için ,\n" +-"alan bağlantı ayarlarını değiştirmek kullanımda sınır getirebilir." ++"Bu özellik çoğunlukla varsayılan bölgeleri kullanan kişiler için " ++"kullanışlıdır. Bağlantı bölgelerini değiştiren kullanıcılar için kullanımı " ++"sınırlı olabilir." + + #: ../src/firewall-applet.in:235 + msgid "Shields Up Zone:" +-msgstr "Alan kalkanı açıldı." ++msgstr "Kalkanlar Aktif Bölge:" + + #: ../src/firewall-applet.in:244 ../src/firewall-applet.in:257 + msgid "Reset To Default" +@@ -96,7 +96,7 @@ msgstr "Öntanımlılara sıfırla" + + #: ../src/firewall-applet.in:248 + msgid "Shields Down Zone:" +-msgstr "Alan kalkanı kapatıldı." 
++msgstr "Kalkanlar Aktif Değil Bölge:" + + #: ../src/firewall-applet.in:340 + #, c-format +@@ -113,7 +113,7 @@ msgstr "Lisans" + + #: ../src/firewall-applet.in:470 + msgid "Shields Up" +-msgstr "Kalkanlar açık" ++msgstr "Kalkanlar Aktif" + + #: ../src/firewall-applet.in:477 + msgid "Enable Notifications" +@@ -129,7 +129,7 @@ msgstr "Bağlantı Bölgelerini Değiştir..." + + #: ../src/firewall-applet.in:491 + msgid "Configure Shields UP/Down Zones..." +-msgstr "Artan/Azalan alanların kalkanlarını yapılandır..." ++msgstr "Kalkanlar Aktif/Aktif Değil Bölgeleri Yapılandır..." + + #: ../src/firewall-applet.in:495 + msgid "Block all network traffic" +@@ -159,7 +159,7 @@ msgstr "Kaynaklar" + + #: ../src/firewall-applet.in:592 ../src/firewall-config.in:2288 + msgid "Authorization failed." +-msgstr "Yetkilendirme başarısız" ++msgstr "Yetkilendirme başarısız oldu." + + #: ../src/firewall-applet.in:594 ../src/firewall-config.in:2291 + msgid "Invalid name" +@@ -171,23 +171,23 @@ msgstr "Bu isim zaten kullanılıyor" + + #: ../src/firewall-applet.in:690 + msgid "{entry} (Zone: {zone})" +-msgstr "" ++msgstr "{entry} (Bölge: {zone})" + + #: ../src/firewall-applet.in:697 + msgid "{entry} (Default Zone: {default_zone})" +-msgstr "" ++msgstr "{entry} (Varsayılan Bölge: {default_zone})" + + #: ../src/firewall-applet.in:778 ../src/firewall-config.in:1574 + msgid "Failed to get connections from NetworkManager" +-msgstr "" ++msgstr "NetworkManager'dan bağlantılar alınamadı" + + #: ../src/firewall-applet.in:790 ../src/firewall-config.in:1386 + msgid "No NetworkManager imports available" +-msgstr "" ++msgstr "Hiçbir NetworkManager içe aktarımı mevcut değil" + + #: ../src/firewall-applet.in:868 + msgid "No connection to firewall daemon" +-msgstr "Ateş Duvarı artalan sürecine bağlantı yok" ++msgstr "Güvenlik duvarı arka plan programı ile bağlantı yok" + + #: ../src/firewall-applet.in:876 ../src/firewall-applet.in:1014 + msgid "All network traffic is blocked." 
+@@ -196,31 +196,34 @@ msgstr "Bütün ağ trafiği bloke edildi." + #: ../src/firewall-applet.in:880 + #, c-format + msgid "Default Zone: '%s'" +-msgstr "" ++msgstr "Varsayılan Bölge: '%s'" + + #: ../src/firewall-applet.in:886 + msgid "" + "Default Zone '{default_zone}' active for connection '{connection}' on " + "interface '{interface}'" + msgstr "" ++"Varsayılan Bölge '{default_zone}', '{interface}' arayüzünde '{connection}' " ++"bağlantısı için etkin" + + #: ../src/firewall-applet.in:889 + msgid "" + "Zone '{zone}' active for connection '{connection}' on interface '{interface}'" + msgstr "" +-"Alanı '{zone}' etkin bağlantısı '{connection}' arayüzünde '{interface}'" ++"'{zone}' bölgesi, '{interface}' arayüzünde '{connection}' bağlantısı için " ++"etkin" + + #: ../src/firewall-applet.in:901 + msgid "Zone '{zone}' active for interface '{interface}'" +-msgstr "Alan '{zone}' arayüz'{interface}' için etkin" ++msgstr "'{zone}' bölgesi '{interface}' arayüzü için etkin" + + #: ../src/firewall-applet.in:909 + msgid "Zone '{zone}' active for source {source}" +-msgstr "" ++msgstr "'{zone}' bölgesi, {source} kaynağı için etkin" + + #: ../src/firewall-applet.in:913 + msgid "No Active Zones." +-msgstr "Aktif alan yok" ++msgstr "Aktif Bölge Yok." + + #: ../src/firewall-applet.in:972 + msgid "Connection to FirewallD established." +@@ -237,7 +240,7 @@ msgstr "FirewallD yeniden yüklendi." + #: ../src/firewall-applet.in:996 + #, c-format + msgid "Default zone changed to '%s'." +-msgstr "Varsayılan alan '%s'. olarak değiştirildi." ++msgstr "Varsayılan bölge '%s' olarak değiştirildi." + + #: ../src/firewall-applet.in:1015 + msgid "Network traffic is not blocked anymore." +@@ -245,11 +248,11 @@ msgstr "Artık Ağ trafği bloke edilmiyor." + + #: ../src/firewall-applet.in:1041 ../src/firewall-applet.in:1095 + msgid "activated" +-msgstr "Aktifleştirildi." 
++msgstr "etkinleştirildi" + + #: ../src/firewall-applet.in:1042 ../src/firewall-applet.in:1096 + msgid "deactivated" +-msgstr "Etkisizleştirildi." ++msgstr "devre dışı bırakıldı" + + #: ../src/firewall-applet.in:1047 + msgid "" +@@ -262,17 +265,17 @@ msgid "" + "Zone '{zone}' {activated_deactivated} for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"Alanı '{zone}' {activated_deactivated} bağlantısı için '{connection}' " +-"arayüzde '{interface}'" ++"'{zone}' bölgesi, '{interface}' arayüzünde '{connection}' bağlantısı için " ++"{activated_deactivated}" + + #: ../src/firewall-applet.in:1057 + msgid "Zone '{zone}' {activated_deactivated} for interface '{interface}'" +-msgstr "Alanı '{zone}' {activated_deactivated} arayüzünde '{interface}'" ++msgstr "'{zone}' bölgesi, '{interface}' arayüzü için {activated_deactivated}" + + #: ../src/firewall-applet.in:1080 + #, c-format + msgid "Zone '%s' activated for interface '%s'" +-msgstr "Alan '%s' arayüzü için '%s' etkinleştirildi." 
++msgstr "'%s' bölgesi, '%s' arayüzü için etkinleştirildi" + + #: ../src/firewall-applet.in:1097 + msgid "Zone '{zone}' {activated_deactivated} for source '{source}'" +@@ -383,11 +386,11 @@ msgstr "Protocolo" + + #: ../src/firewall-config.in:564 + msgid "To Port" +-msgstr "Porta" ++msgstr "Hedef Port" + + #: ../src/firewall-config.in:566 + msgid "To Address" +-msgstr "Para Endereço:" ++msgstr "Hedef Adres" + + #: ../src/firewall-config.in:616 + msgid "Bindings" +@@ -536,7 +539,7 @@ msgstr "evet" + #: ../src/firewall-config.in:2452 ../src/firewall-config.in:2492 + #: ../src/firewall-config.in:2522 ../src/firewall-config.glade.h:89 + msgid "Zone" +-msgstr "Alan" ++msgstr "Bölge" + + #: ../src/firewall-config.in:2465 + #, c-format +@@ -557,7 +560,7 @@ msgstr "" + #: ../src/firewall-config.in:2812 ../src/firewall-config.in:2860 + #: ../src/firewall-config.glade.h:163 + msgid "Remove" +-msgstr "Alanı sil" ++msgstr "Kaldır" + + #: ../src/firewall-config.in:2812 ../src/firewall-config.in:2860 + msgid "Ignore" +@@ -570,7 +573,7 @@ msgstr "" + + #: ../src/firewall-config.in:3011 + msgid "Built-in zone, rename not supported." +-msgstr "Dahili Alan, Yeniden isimlendirme desteklenmiyor." ++msgstr "Yerleşik bölge, yeniden adlandırma desteklenmiyor." + + #: ../src/firewall-config.in:3126 ../src/firewall-config.in:3626 + #: ../src/firewall-config.glade.h:270 +@@ -860,11 +863,11 @@ msgstr "Kalın girişlerin hepsi zorunludur. 
Diğer tüm girişler isteğe bağl + + #: ../src/firewall-config.glade.h:35 + msgid "Name:" +-msgstr "İsim" ++msgstr "İsim:" + + #: ../src/firewall-config.glade.h:36 + msgid "Version:" +-msgstr "Sürüm" ++msgstr "Sürüm:" + + #: ../src/firewall-config.glade.h:37 + msgid "Short:" +@@ -872,7 +875,7 @@ msgstr "Kısa:" + + #: ../src/firewall-config.glade.h:38 + msgid "Description:" +-msgstr "Açıklama" ++msgstr "Açıklama:" + + #: ../src/firewall-config.glade.h:39 + msgid "Family:" +@@ -896,7 +899,7 @@ msgstr "Temel ICMP Tip Ayarları" + + #: ../src/firewall-config.glade.h:47 + msgid "Please configure base ICMP type settings:" +-msgstr "Lütfen temel ICMP tipi ayarlarınızı yapılandırınız." ++msgstr "Lütfen temel ICMP türü ayarlarını yapılandırın:" + + #: ../src/firewall-config.glade.h:48 + msgid "ICMP Type" +@@ -951,7 +954,7 @@ msgstr "" + + #: ../src/firewall-config.glade.h:62 + msgid "Change Default Zone" +-msgstr "Varsayılan alanı değiştir." ++msgstr "Varsayılan Bölgeyi Değiştir" + + #: ../src/firewall-config.glade.h:63 + msgid "Change default zone for connections or interfaces." 
+@@ -1073,19 +1076,19 @@ msgstr "" + + #: ../src/firewall-config.glade.h:90 + msgid "Add Zone" +-msgstr "Alan Ekle" ++msgstr "Bölge Ekle" + + #: ../src/firewall-config.glade.h:91 + msgid "Edit Zone" +-msgstr "Alan Değiştir" ++msgstr "Bölge Düzenle" + + #: ../src/firewall-config.glade.h:92 + msgid "Remove Zone" +-msgstr "Alanı sil" ++msgstr "Bölge Kaldır" + + #: ../src/firewall-config.glade.h:93 + msgid "Load Zone Defaults" +-msgstr "Varsayılan Alanı yükle" ++msgstr "Bölge Varsayılanlarını Yükle" + + #: ../src/firewall-config.glade.h:94 + msgid "" +@@ -1110,11 +1113,11 @@ msgstr "Porta" + + #: ../src/firewall-config.glade.h:98 + msgid "Edit Port" +-msgstr "Alan Değiştir" ++msgstr "Port Düzenle" + + #: ../src/firewall-config.glade.h:99 + msgid "Remove Port" +-msgstr "Alanı sil" ++msgstr "Port Kaldır" + + #: ../src/firewall-config.glade.h:100 + msgid "Ports" +@@ -1162,7 +1165,7 @@ msgstr "" + + #: ../src/firewall-config.glade.h:109 + msgid "Masquerade zone" +-msgstr "Masquerade alanı" ++msgstr "Bölgeyi maskele" + + #: ../src/firewall-config.glade.h:110 + msgid "" +@@ -1307,7 +1310,7 @@ msgstr "Servis ekle" + + #: ../src/firewall-config.glade.h:140 + msgid "Edit Service" +-msgstr "Servisi değiştir." ++msgstr "Servisi Düzenle" + + #: ../src/firewall-config.glade.h:141 + msgid "Remove Service" +@@ -1361,11 +1364,11 @@ msgstr "" + + #: ../src/firewall-config.glade.h:151 + msgid "IPv4:" +-msgstr "IPv4" ++msgstr "IPv4:" + + #: ../src/firewall-config.glade.h:152 + msgid "IPv6:" +-msgstr "IPv6" ++msgstr "IPv6:" + + #: ../src/firewall-config.glade.h:153 + msgid "" +@@ -1658,7 +1661,7 @@ msgstr "Kullanıcı Kimlikleri" + + #: ../src/firewall-config.glade.h:215 + msgid "Current default zone of the system." +-msgstr "Sistemin varsayılan geçerli alanı" ++msgstr "Sistemin geçerli varsayılan bölgesi." 
+ + #: ../src/firewall-config.glade.h:216 + msgctxt "" +@@ -1684,7 +1687,7 @@ msgstr "" + + #: ../src/firewall-config.glade.h:220 + msgid "Default Zone:" +-msgstr "Varsayılan Alan" ++msgstr "Varsayılan Bölge:" + + #: ../src/firewall-config.glade.h:222 + msgid "Please enter an interface name:" +@@ -1780,7 +1783,7 @@ msgstr "Porto e Protocolo" + + #: ../src/firewall-config.glade.h:246 + msgid "Please enter a port and protocol." +-msgstr "Lütfen port ve protkolü giriniz." ++msgstr "Lütfen bir port ve protokol girin." + + #: ../src/firewall-config.glade.h:247 + msgid "Direct Rule" +@@ -1800,7 +1803,7 @@ msgstr "" + + #: ../src/firewall-config.glade.h:252 + msgid "Other Protocol:" +-msgstr "Diğer Protokol" ++msgstr "Diğer Protokol:" + + #: ../src/firewall-config.glade.h:253 + msgid "Rich Rule" +@@ -1878,7 +1881,7 @@ msgstr "Temel Servis Ayarları" + + #: ../src/firewall-config.glade.h:295 + msgid "Please configure base service settings:" +-msgstr "Lütfen temel servis ayarlarınızı yapılandırınız." ++msgstr "Lütfen temel servis ayarlarını yapılandırın:" + + #: ../src/firewall-config.glade.h:296 + msgid "Please select a service." +@@ -1906,15 +1909,15 @@ msgstr "etiket" + + #: ../src/firewall-config.glade.h:303 + msgid "Base Zone Settings" +-msgstr "Temel Alan Seçenekleri" ++msgstr "Temel Bölge Ayarları" + + #: ../src/firewall-config.glade.h:304 + msgid "Please configure base zone settings:" +-msgstr "Lütfen temel alan ayarlarnızı yapılandırınız" ++msgstr "Lütfen temel bölge ayarlarını yapılandırın:" + + #: ../src/firewall-config.glade.h:305 + msgid "Default Target" +-msgstr "Varsayılan Hedef:" ++msgstr "Varsayılan Hedef" + + #: ../src/firewall-config.glade.h:306 + msgid "Target:" +diff --git a/po/uk.po b/po/uk.po +index f237acc315e4..829b6ca945a2 100644 +--- a/po/uk.po ++++ b/po/uk.po +@@ -1,31 +1,30 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. 
+-# + # Translators: + # Maxim Dubovoy , 2003 +-# Yuri Chornoivan , 2010-2014 +-# Yuri Chornoivan , 2012 +-# Yuri Chornoivan , 2015. #zanata +-# Yuri Chornoivan , 2016. #zanata +-# Yuri Chornoivan , 2017. #zanata +-# Yuri Chornoivan , 2018. #zanata ++# Yuri Chornoivan , 2010-2014, 2020. ++# Yuri Chornoivan , 2012, 2020. ++# Yuri Chornoivan , 2015. #zanata, 2020. ++# Yuri Chornoivan , 2016. #zanata, 2020. ++# Yuri Chornoivan , 2017. #zanata, 2020. ++# Yuri Chornoivan , 2018. #zanata, 2020. + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2018-07-29 04:00+0000\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-17 18:15+0000\n" + "Last-Translator: Yuri Chornoivan \n" +-"Language-Team: Ukrainian (http://www.transifex.com/projects/p/firewalld/" +-"language/uk/)\n" ++"Language-Team: Ukrainian \n" + "Language: uk\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +-"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" +-"X-Generator: Zanata 4.6.2\n" ++"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" ++"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" ++"X-Generator: Weblate 3.10.1\n" + + #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416 + msgid "Firewall Applet" +@@ -397,7 +396,7 @@ msgstr "На порт" + + #: ../src/firewall-config.in:566 + msgid "To Address" +-msgstr "На адресу:" ++msgstr "На адресу" + + #: ../src/firewall-config.in:616 + msgid "Bindings" +@@ -670,7 +669,7 @@ msgstr "Вбудована служба, підтримки перейменув + + #: ../src/firewall-config.in:5602 + msgid "Please enter an ipv4 address with the form address[/mask]." 
+-msgstr "Будь ласка, введіть адресу IPv4 у форматі «адреса[/маска]»" ++msgstr "Будь ласка, введіть адресу IPv4 у форматі «адреса[/маска]»." + + #: ../src/firewall-config.in:5603 + msgid "The mask can be a network mask or a number." +@@ -678,7 +677,7 @@ msgstr "Маску можна вказати у форматі маски мер + + #: ../src/firewall-config.in:5605 + msgid "Please enter an ipv6 address with the form address[/mask]." +-msgstr "Будь ласка, введіть адресу IPv6 у форматі «адреса[/маска]»" ++msgstr "Будь ласка, введіть адресу IPv6 у форматі «адреса[/маска]»." + + #: ../src/firewall-config.in:5606 + msgid "The mask is a number." +@@ -686,7 +685,7 @@ msgstr "Маску слід вказати у форматі числа." + + #: ../src/firewall-config.in:5608 + msgid "Please enter an ipv4 or ipv6 address with the form address[/mask]." +-msgstr "Будь ласка, введіть адресу IPv4 або IPv6 у форматі «адреса[/маска]»" ++msgstr "Будь ласка, введіть адресу IPv4 або IPv6 у форматі «адреса[/маска]»." + + #: ../src/firewall-config.in:5609 + msgid "" +@@ -1325,7 +1324,7 @@ msgid "" + "masquerading will not work for MAC source bindings." + msgstr "" + "Додати записи для прив’язування адрес джерела або областей до зони. Можна " +-"також виконати прив’язування до MAC-адреси джерела, але із обмеженнями. Для " ++"також виконати прив’язування до MAC-адреси джерела, але із обмеженнями. Для " + "прив’язок MAC-джерел не працюватимуть переспрямування портів та маскарад." + + #: ../src/firewall-config.glade.h:132 +@@ -1437,7 +1436,7 @@ msgid "" + msgstr "" + "IPSet може бути використано для створення «білих» або «чорних» списків, у " + "ньому можуть зберігатися, наприклад, IP-адреси, номери портів або MAC-" +-"адреси. " ++"адреси. " + + #: ../src/firewall-config.glade.h:155 + msgid "IPSet" +@@ -1751,7 +1750,7 @@ msgstr "Імена користувачів" + + #: ../src/firewall-config.glade.h:210 + msgid "User ids." +-msgstr "Ід. користувачів" ++msgstr "Ід. користувачів." 
+ + #: ../src/firewall-config.glade.h:211 + msgid "Add User Id" +@@ -1892,7 +1891,7 @@ msgstr "Інший модуль:" + + #: ../src/firewall-config.glade.h:245 + msgid "Port and Protocol" +-msgstr "Порт та протокол:" ++msgstr "Порт та протокол" + + #: ../src/firewall-config.glade.h:246 + msgid "Please enter a port and protocol." +diff --git a/po/zh_CN.po b/po/zh_CN.po +index ee57808023f1..8c5a6d2ef40e 100644 +--- a/po/zh_CN.po ++++ b/po/zh_CN.po +@@ -1,7 +1,6 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# + # Translators: + # Alick Zhao , 2013 + # Christopher Meng , 2012-2013 +@@ -20,21 +19,22 @@ + # Eric Garver , 2018. #zanata + # Qiyu Yan , 2018. #zanata + # Pany , 2019. #zanata ++# Pany , 2020. + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" +-"PO-Revision-Date: 2019-03-10 05:14+0000\n" +-"Last-Translator: Pany \n" +-"Language-Team: Chinese (China) (http://www.transifex.com/projects/p/" +-"firewalld/language/zh_CN/)\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" ++"PO-Revision-Date: 2020-01-14 14:02+0000\n" ++"Last-Translator: Pany \n" ++"Language-Team: Chinese (Simplified) \n" + "Language: zh_CN\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=1; plural=0;\n" +-"X-Generator: Zanata 4.6.2\n" ++"X-Generator: Weblate 3.10.1\n" + + #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:416 + msgid "Firewall Applet" +@@ -51,12 +51,12 @@ msgstr "防火墙配置" + #. 
Translators: These are searchable keywords for the firewall configuration tool + #: ../config/firewall-config.desktop.in.h:4 + msgid "firewall;network;security;iptables;netfilter;" +-msgstr "firewall;network;security;iptables;netfilter;" ++msgstr "防火墙;网络;安全;iptables;netfilter;" + + #: ../src/firewall-applet.in:92 ../src/firewall-config.in:7988 + #, c-format + msgid "Select zone for interface '%s'" +-msgstr "为接口 '%s' 选择区域" ++msgstr "为网卡 '%s' 选择区域" + + #: ../src/firewall-applet.in:132 ../src/firewall-applet.in:139 + #: ../src/firewall-applet.in:145 ../src/firewall-config.in:2448 +@@ -72,7 +72,7 @@ msgstr "为连接 '%s' 选择区域" + + #: ../src/firewall-applet.in:176 ../src/firewall-config.in:3927 + msgid "Failed to set zone {zone} for connection {connection_name}" +-msgstr "设置 {connection_name} 的区 {zone} 失败" ++msgstr "设置 {connection_name} 的区域 {zone} 失败" + + #: ../src/firewall-applet.in:190 + #, c-format +@@ -85,7 +85,7 @@ msgstr "配置保护开启/关闭区域" + + #: ../src/firewall-applet.in:220 + msgid "Here you can select the zones used for Shields Up and Shields Down." +-msgstr "在这里您可以选择开启保护和关闭保护的区域。" ++msgstr "在这里您可以选择用于开启保护和关闭保护的区域。" + + #: ../src/firewall-applet.in:226 + msgid "" +@@ -134,15 +134,15 @@ msgstr "编辑防火墙设置..." + + #: ../src/firewall-applet.in:487 ../src/firewall-config.glade.h:61 + msgid "Change Zones of Connections..." +-msgstr "更改连接区域…" ++msgstr "更改连接区域……" + + #: ../src/firewall-applet.in:491 + msgid "Configure Shields UP/Down Zones..." 
+-msgstr "配置保护开启/关闭区域…" ++msgstr "配置保护开启/关闭区域……" + + #: ../src/firewall-applet.in:495 + msgid "Block all network traffic" +-msgstr "阻止所有网络传输" ++msgstr "拦截所有网络传输" + + #: ../src/firewall-applet.in:500 + msgid "About" +@@ -158,7 +158,7 @@ msgstr "连接" + #: ../src/firewall-config.in:2477 ../src/firewall-config.in:2673 + #: ../src/firewall-config.in:2698 ../src/firewall-config.glade.h:130 + msgid "Interfaces" +-msgstr "接口" ++msgstr "网卡" + + #: ../src/firewall-applet.in:516 ../src/firewall-config.in:622 + #: ../src/firewall-config.in:2508 ../src/firewall-config.in:2676 +@@ -184,7 +184,7 @@ msgstr "{entry} (区域:{zone})" + + #: ../src/firewall-applet.in:697 + msgid "{entry} (Default Zone: {default_zone})" +-msgstr "{entry} (默认区:{default_zone})" ++msgstr "{entry} (默认区域:{default_zone})" + + #: ../src/firewall-applet.in:778 ../src/firewall-config.in:1574 + msgid "Failed to get connections from NetworkManager" +@@ -196,11 +196,11 @@ msgstr "没有可用的 NetworkManager 导入" + + #: ../src/firewall-applet.in:868 + msgid "No connection to firewall daemon" +-msgstr "没有到防火墙守护进程的连接" ++msgstr "没有与防火墙守护进程的连接" + + #: ../src/firewall-applet.in:876 ../src/firewall-applet.in:1014 + msgid "All network traffic is blocked." 
+-msgstr "阻挡所有网络传输。" ++msgstr "拦截所有网络传输。" + + #: ../src/firewall-applet.in:880 + #, c-format +@@ -212,16 +212,16 @@ msgid "" + "Default Zone '{default_zone}' active for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"接口 '{interface}' 上连接 '{connection}' 的活动默认区 '{default_zone}'" ++"网卡 '{interface}' 上的连接 '{connection}' 的活动默认区 '{default_zone}'" + + #: ../src/firewall-applet.in:889 + msgid "" + "Zone '{zone}' active for connection '{connection}' on interface '{interface}'" +-msgstr "在接口 '{interface}' 启用连接 '{connection}' 的区域 '{zone}'" ++msgstr "在网卡 '{interface}' 启用连接 '{connection}' 的区域 '{zone}'" + + #: ../src/firewall-applet.in:901 + msgid "Zone '{zone}' active for interface '{interface}'" +-msgstr "在接口 '{interface}' 启用区域 '{zone}'" ++msgstr "在网卡 '{interface}' 启用区域 '{zone}'" + + #: ../src/firewall-applet.in:909 + msgid "Zone '{zone}' active for source {source}" +@@ -233,24 +233,24 @@ msgstr "没有启用区域。" + + #: ../src/firewall-applet.in:972 + msgid "Connection to FirewallD established." +-msgstr "建立至 FirewallD 的连接。" ++msgstr "已建立与 FirewallD 的连接。" + + #: ../src/firewall-applet.in:984 + msgid "Connection to FirewallD lost." +-msgstr "丢失至 FirewallD 的连接。" ++msgstr "已失去与 FirewallD 的连接。" + + #: ../src/firewall-applet.in:989 + msgid "FirewallD has been reloaded." +-msgstr "FirewallD 已经重载。" ++msgstr "FirewallD 已重新加载。" + + #: ../src/firewall-applet.in:996 + #, c-format + msgid "Default zone changed to '%s'." +-msgstr "默认区域变更至 '%s'。" ++msgstr "默认区域已改为 '%s'。" + + #: ../src/firewall-applet.in:1015 + msgid "Network traffic is not blocked anymore." 
+-msgstr "不再阻挡网络传输。" ++msgstr "不再拦截网络传输。" + + #: ../src/firewall-applet.in:1041 ../src/firewall-applet.in:1095 + msgid "activated" +@@ -265,7 +265,7 @@ msgid "" + "Default zone '{default_zone}' {activated_deactivated} for connection " + "'{connection}' on interface '{interface}'" + msgstr "" +-"接口 '{interface}' 上连接 '{connection}' 的默认区 " ++"网卡 '{interface}' 上连接 '{connection}' 的默认区 " + "'{default_zone}' {activated_deactivated}" + + #: ../src/firewall-applet.in:1052 +@@ -273,17 +273,17 @@ msgid "" + "Zone '{zone}' {activated_deactivated} for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"在接口 '{interface}' {activated_deactivated} 连接 '{connection}' 的区域 " +-"'{zone}' " ++"在网卡 '{interface}' {activated_deactivated} 连接 '{connection}' 的区域 " ++"'{zone}'" + + #: ../src/firewall-applet.in:1057 + msgid "Zone '{zone}' {activated_deactivated} for interface '{interface}'" +-msgstr "在接口 '{interface}' {activated_deactivated} 区域 '{zone}' " ++msgstr "在网卡 '{interface}' {activated_deactivated} 区域 '{zone}'" + + #: ../src/firewall-applet.in:1080 + #, c-format + msgid "Zone '%s' activated for interface '%s'" +-msgstr "在接口 '%s' 启用区域 '%s'" ++msgstr "在网卡 '%s' 启用区域 '%s'" + + #: ../src/firewall-applet.in:1097 + msgid "Zone '{zone}' {activated_deactivated} for source '{source}'" +@@ -292,7 +292,7 @@ msgstr "在来源 '{source}' {activated_deactivated} 区域 '{zone}'" + #: ../src/firewall-applet.in:1121 + #, c-format + msgid "Zone '%s' activated for source '%s'" +-msgstr "在来源 '%s' 已启用区域 '%s'" ++msgstr "在来源 '%s' 已启用区域 '%s'" + + #: ../src/firewall-config.in:89 + msgid "Connection to firewalld established." 
+@@ -315,7 +315,7 @@ msgstr "变更已生效。" + #: ../src/firewall-config.in:96 + #, c-format + msgid "Used by network connection '%s'" +-msgstr "被网络连接 '%s' 使用" ++msgstr "被网络连接 '%s' 使用" + + #: ../src/firewall-config.in:97 + #, c-format +@@ -442,7 +442,7 @@ msgstr "审计" + + #: ../src/firewall-config.in:940 ../src/firewall-config.glade.h:221 + msgid "Interface" +-msgstr "接口" ++msgstr "网卡" + + #: ../src/firewall-config.in:942 + msgid "Comment" +@@ -516,7 +516,7 @@ msgstr "伪装" + #: ../src/firewall-config.in:3358 ../src/firewall-config.in:3672 + #: ../src/firewall-config.in:3887 ../src/firewall-config.glade.h:287 + msgid "icmp-block" +-msgstr "ICMP 阻拦" ++msgstr "ICMP 拦截" + + #: ../src/firewall-config.in:2082 ../src/firewall-config.in:3189 + #: ../src/firewall-config.in:3360 ../src/firewall-config.in:3675 +@@ -661,7 +661,7 @@ msgid "" + "masqueraded.\n" + "Do you want to masquerade this zone ?" + msgstr "" +-"转发至其他系统琴在端口伪装时才有用。\n" ++"转发至其他系统仅在网卡伪装时才有用。\n" + "您想要伪装该区域吗?" + + #: ../src/firewall-config.in:5393 +@@ -796,11 +796,11 @@ msgstr "nat" + + #: ../src/firewall-config.glade.h:16 + msgid "raw" +-msgstr "raw" ++msgstr "原始" + + #: ../src/firewall-config.glade.h:17 + msgid "security" +-msgstr "security" ++msgstr "安全性" + + #: ../src/firewall-config.glade.h:18 + msgid "Table:" +@@ -891,7 +891,7 @@ msgstr "产品线:" + + #: ../src/firewall-config.glade.h:43 + msgid "Module:" +-msgstr "模块: " ++msgstr "模块:" + + #: ../src/firewall-config.glade.h:44 + msgid "Helper" +@@ -968,7 +968,7 @@ msgstr "改变默认区域" + + #: ../src/firewall-config.glade.h:63 + msgid "Change default zone for connections or interfaces." 
+-msgstr "更改连接或接口的默认区域。" ++msgstr "更改连接或网卡的默认区域。" + + #: ../src/firewall-config.glade.h:64 + msgid "Change Log Denied" +@@ -1055,12 +1055,12 @@ msgstr "修改绑定的区" + #: ../src/firewall-config.glade.h:84 + msgid "" + "Hide active runtime bindings of connections, interfaces and sources to zones" +-msgstr "对区隐藏连接、接口和源服务器的 runtime 绑定" ++msgstr "对区域隐藏连接、网卡和源服务器的激活的运行时绑定" + + #: ../src/firewall-config.glade.h:85 + msgid "" + "Show active runtime bindings of connections, interfaces and sources to zones" +-msgstr "对区显示连接、接口和源服务器的 runtime 绑定" ++msgstr "对区域显示连接、网卡和源服务器的激活的运行时绑定" + + #: ../src/firewall-config.glade.h:86 + msgid "Configuration:" +@@ -1083,8 +1083,8 @@ msgid "" + "filters and rich rules. The zone can be bound to interfaces and source " + "addresses." + msgstr "" +-"FirewallD 区域定义了绑定的网络连接、接口以及源地址的可信程度。区域是服务、端" +-"口、协议、IP伪装、端口/报文转发、ICMP过滤以及富规则的组合。区域可以绑定到接口" ++"FirewallD 区域定义了绑定的网络连接、网卡以及源地址的可信程度。区域是服务、端" ++"口、协议、IP伪装、端口/报文转发、ICMP过滤以及富规则的组合。区域可以绑定到网卡" + "以及源地址。" + + #: ../src/firewall-config.glade.h:90 +@@ -1109,8 +1109,8 @@ msgid "" + "are accessible from all hosts and networks that can reach the machine from " + "connections, interfaces and sources bound to this zone." + msgstr "" +-"可以在这里定义区域中哪些服务是可信的。可连接至绑定到这个区域的连接、接口和源" +-"的所有主机和网络及丶可以访问可信服务。" ++"可以在这里定义区域中哪些服务是可信的。可连接至绑定到这个区域的连接、网卡和源" ++"的所有主机和网络及可以访问可信服务。" + + #: ../src/firewall-config.glade.h:95 + msgid "Services" +@@ -1202,8 +1202,7 @@ msgid "" + "IPv4 only." + msgstr "" + "添加条目来转发端口,可以是从本地系统的一个端口到另一个端口,也可以是从本地系" +-"统到另一个系统。转发到另一个系统只在接口是伪装的时候有用。端口转发只适用于 " +-"IPv4。" ++"统到另一个系统。转发到另一个系统只在网卡伪装时有用。端口转发只适用于 IPv4。" + + #: ../src/firewall-config.glade.h:113 + msgid "Add Forward Port" +@@ -1275,20 +1274,20 @@ msgid "" + "Add entries to bind interfaces to the zone. If the interface will be used by " + "a connection, the zone will be set to the zone specified in the connection." 
+ msgstr "" +-"增加入口以将接口加入区域。若接口已经被连接占用,区域将被设定为连接所指定的区" ++"增加入口以将网卡加入区域。若网卡已经被连接占用,区域将被设定为连接所指定的区" + "域。" + + #: ../src/firewall-config.glade.h:127 + msgid "Add Interface" +-msgstr "添加接口" ++msgstr "添加网卡" + + #: ../src/firewall-config.glade.h:128 + msgid "Edit Interface" +-msgstr "编辑接口" ++msgstr "编辑网卡" + + #: ../src/firewall-config.glade.h:129 + msgid "Remove Interface" +-msgstr "移除接口" ++msgstr "移除网卡" + + #: ../src/firewall-config.glade.h:131 + msgid "" +@@ -1397,7 +1396,7 @@ msgid "" + "An IPSet can be used to create white or black lists and is able to store for " + "example IP addresses, port numbers or MAC addresses. " + msgstr "" +-"可使用 IPSet 创建白名单或黑名单,以便保存 IP 地址、端口号或者 MAC 地址。" ++"可使用 IPSet 创建白名单或黑名单,以便保存 IP 地址、端口号或者 MAC 地址。 " + + #: ../src/firewall-config.glade.h:155 + msgid "IPSet" +@@ -1454,7 +1453,7 @@ msgstr "只能在永久配置视图中创建或删除 IPSet。" + msgid "" + "A firewalld icmptype provides the information for an Internet Control " + "Message Protocol (ICMP) type for firewalld." +-msgstr "FirewallD ICMP 类型为 firewallD 提供因特网控制报文协议 (ICMP) 的信息" ++msgstr "FirewallD ICMP 类型为 firewallD 提供因特网控制报文协议 (ICMP) 的信息。" + + #: ../src/firewall-config.glade.h:167 + msgid "Add ICMP Type" +@@ -1492,7 +1491,7 @@ msgid "" + msgstr "" + "正在指派连接跟踪帮助程序,以确保使用不同信号发送和数据传输流程的协议正常工" + "作。数据传输使用的是与信号发送连接不相关的端口,因此若没有该帮助程序将会被防" +-"火墙阻挡。" ++"火墙拦截。" + + #: ../src/firewall-config.glade.h:174 + msgid "Define ports or port ranges, which are monitored by the helper." +@@ -1520,7 +1519,7 @@ msgstr "" + + #: ../src/firewall-config.glade.h:177 + msgid "Additional chains for use with rules." 
+-msgstr "与规则共同生效的附加链" ++msgstr "与规则共同生效的附加链。" + + #: ../src/firewall-config.glade.h:178 + msgid "Add Chain" +@@ -1724,7 +1723,7 @@ msgstr "自动帮助程序:" + + #: ../src/firewall-config.glade.h:219 + msgid "Lockdown:" +-msgstr "Lockdown:" ++msgstr "锁定:" + + #: ../src/firewall-config.glade.h:220 + msgid "Default Zone:" +@@ -1732,7 +1731,7 @@ msgstr "默认区域:" + + #: ../src/firewall-config.glade.h:222 + msgid "Please enter an interface name:" +-msgstr "请输入接口名称:" ++msgstr "请输入网卡名称:" + + #: ../src/firewall-config.glade.h:223 + msgid "Base IPSet Settings" +@@ -1780,7 +1779,7 @@ msgstr "请输入 ipset 条目:" + + #: ../src/firewall-config.glade.h:235 + msgid "Log Denied" +-msgstr "Log Denied" ++msgstr "已拒绝的日志" + + #: ../src/firewall-config.glade.h:236 + msgid "Please select the log denied value:" +@@ -1816,7 +1815,7 @@ msgstr "- 选择 -" + + #: ../src/firewall-config.glade.h:244 + msgid "Other Module:" +-msgstr "其他模块 : " ++msgstr "其他模块:" + + #: ../src/firewall-config.glade.h:245 + msgid "Port and Protocol" +@@ -1886,7 +1885,8 @@ msgstr "反转" + msgid "" + "To enable this Action has to be 'reject' and Family either 'ipv4' or " + "'ipv6' (not both)." 
+-msgstr "若启用该项,操作需为'reject'并且家族选择'ipv4'或'ipv6'(但不能同时选择)" ++msgstr "" ++"若启用该项,操作需为'reject'并且家族选择'ipv4'或'ipv6'(但不能同时选择)。" + + #: ../src/firewall-config.glade.h:267 + msgid "with Type:" +@@ -1950,7 +1950,7 @@ msgstr "标签" + + #: ../src/firewall-config.glade.h:303 + msgid "Base Zone Settings" +-msgstr "基本区域设定:" ++msgstr "基本区域设定" + + #: ../src/firewall-config.glade.h:304 + msgid "Please configure base zone settings:" +diff --git a/po/zh_TW.po b/po/zh_TW.po +index 47f1e2c9f55d..63dbbaf4d787 100644 +--- a/po/zh_TW.po ++++ b/po/zh_TW.po +@@ -21,7 +21,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2020-01-07 09:22-0500\n" ++"POT-Creation-Date: 2020-01-13 14:38-0500\n" + "PO-Revision-Date: 2018-11-16 08:29+0000\n" + "Last-Translator: Copied by Zanata \n" + "Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/" +-- +2.23.0 + diff --git a/SOURCES/0037-improvement-check-container-use-docker-build.patch b/SOURCES/0037-improvement-check-container-use-docker-build.patch new file mode 100644 index 0000000..3c32f84 --- /dev/null +++ b/SOURCES/0037-improvement-check-container-use-docker-build.patch 
@@ -0,0 +1,102 @@ +From e5cf566becc7ffa01e0339e95b20469993af8d2b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 3 Feb 2020 08:38:57 -0500 +Subject: [PATCH 37/39] improvement: check-container: use docker build + +This is so we can have intermediate images and make use of the cache. +Avoids rebuilding the container every time. + +(cherry picked from commit a7fead65d6920c26df5f2a12e53bb8eb5a752ee6) +(cherry picked from commit b79b8a58ffc8ab24d8c0a8e61598452b3407b80f) +--- + src/tests/Makefile.am | 65 ++++++++++++++++++++++--------------------- + 1 file changed, 33 insertions(+), 32 deletions(-) + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index bf028c7c5389..c01ee682c0b2 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -46,47 +46,48 @@ $(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4 + $(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at + mv $@.tmp $@ + +-check-container-debian-sid: +- (cd $(abs_top_srcdir) && tar -c . ) | \ +- $(PODMAN) run -i --rm --privileged debian:sid bash -c \ +- "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \ +- apt-get update && \ +- apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \ +- xsltproc docbook-xsl docbook-xml iptables ipset ebtables \ +- nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \ +- python3-dbus python3-gi python3-slip-dbus python3-nftables \ +- procps network-manager gir1.2-nm-1.0 && \ +- apt-get install -y libnftables-dev && \ +- ./autogen.sh && \ +- ./configure PYTHON=/usr/bin/python3 && \ +- make && \ +- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \ +- make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" " ++CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide ++ ++check-container-debian-sid-image: check-container-%-image: ++ (cd $(abs_top_srcdir) && { \ ++ echo "FROM debian:sid" && \ ++ echo "RUN apt-get update" && \ ++ echo "RUN 
apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \ ++ xsltproc docbook-xsl docbook-xml iptables ipset ebtables \ ++ nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \ ++ python3-dbus python3-gi python3-slip-dbus python3-nftables \ ++ procps network-manager gir1.2-nm-1.0" && \ ++ echo "COPY . /tmp/firewalld"; \ ++ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . ) ++ ++check-container-fedora-rawhide-image: check-container-%-image: ++ (cd $(abs_top_srcdir) && { \ ++ echo "FROM fedora:rawhide" && \ ++ echo "RUN dnf -y makecache" && \ ++ echo "RUN dnf -y install autoconf automake conntrack-tools desktop-file-utils \ ++ docbook-style-xsl file gettext glib2-devel intltool ipset \ ++ iptables iptables-nft libtool libxml2 libxslt make nftables \ ++ python3-nftables python3-slip-dbus python3-gobject-base \ ++ diffutils procps-ng iproute which dbus-daemon \ ++ NetworkManager" && \ ++ echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \ ++ echo "COPY . /tmp/firewalld"; \ ++ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . ) + +-check-container-fedora-rawhide: +- (cd $(abs_top_srcdir) && tar -c . 
) | \ +- $(PODMAN) run -i --rm --privileged fedora:rawhide bash -c \ +- "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \ +- dnf -y makecache && \ +- dnf -y install autoconf automake conntrack-tools desktop-file-utils \ +- docbook-style-xsl file gettext glib2-devel intltool ipset \ +- iptables iptables-nft libtool libxml2 libxslt make nftables \ +- python3-nftables python3-slip-dbus python3-gobject-base \ +- diffutils procps-ng iproute which dbus-daemon \ +- NetworkManager && \ +- alternatives --set ebtables /usr/sbin/ebtables-nft && \ ++$(CONTAINER_TARGETS): check-container-%: check-container-%-image ++ $(PODMAN) run -i --rm --privileged firewalld-testsuite-$* bash -c " \ ++ cd /tmp/firewalld && \ + ./autogen.sh && \ + ./configure PYTHON=/usr/bin/python3 && \ + make && \ + make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \ + make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" " ++ $(PODMAN) rmi firewalld-testsuite-$* + +-check-container: check-container-debian-sid +-check-container: check-container-fedora-rawhide ++check-container: $(CONTAINER_TARGETS) + + .PHONY: check-container +-.PHONY: check-container-debian-sid +-.PHONY: check-container-fedora-rawhide ++.PHONY: $(CONTAINER_TARGETS) $(foreach container,$(CONTAINER_TARGETS),$(container)-image) + + check-integration: atconfig atlocal $(TESTSUITE_INTEGRATION) + $(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS) \ +-- +2.23.0 + diff --git a/SOURCES/0038-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch b/SOURCES/0038-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch new file mode 100644 index 0000000..c2579e9 --- /dev/null +++ b/SOURCES/0038-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch 
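Review bot: Both `-image` recipes emit the package-index refresh and the package install as separate steps (`RUN apt-get update` then `RUN apt-get install …`, `RUN dnf -y makecache` then `RUN dnf -y install …`), so with the layer cache this commit introduces, a rebuilt install step can run against a cached, stale index. On rolling bases such as `debian:sid` and `fedora:rawhide` that tends to surface as missing-package errors or older packages than intended. Emitting one step per image keeps both in the same layer, e.g. `echo "RUN apt-get update && apt-get install -y autoconf … gir1.2-nm-1.0" && \` and likewise `RUN dnf -y makecache && dnf -y install …`. Separately, the old debian recipe's `apt-get install -y libnftables-dev` is not carried over and the commit message does not say why. The `$(PODMAN) rmi firewalld-testsuite-$*` line is also not reached when the test run fails, so the image is left behind in that case.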
@@ -0,0 +1,39 @@
+From e84f00aee61d5055c2da2c9c1aff683f20b84f56 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 4 Feb 2020 13:12:31 -0500
+Subject: [PATCH 38/39] fix: firewall-offline-cmd: Don't print warning about
+ AllowZoneDrifting
+
+If we're called from firewall-offline-cmd, don't log the warning. It's
+overly verbose to warn on every invocation.
+
+Fixes: afadd377b09d ("feat: AllowZoneDrifting config option")
+(cherry picked from commit eefcb1a712ffca5e08dcefa6aa17c935c16b835f)
+(cherry picked from commit ba1f1a744ca543b4e9359ab26b4b1f9ff70fcb64)
+---
+ src/firewall/core/fw.py | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 6206ed586988..ebadd6cce20e 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -293,10 +293,11 @@ class Firewall(object):
+ self._allow_zone_drifting = False
+ else:
+ self._allow_zone_drifting = True
+- log.warning("AllowZoneDrifting is enabled. This is considered "
+- "an insecure configuration option. It will be "
+- "removed in a future release. Please consider "
+- "disabling it now.")
++ if not self._offline:
++ log.warning("AllowZoneDrifting is enabled. This is considered "
++ "an insecure configuration option. It will be "
++ "removed in a future release. Please consider "
++ "disabling it now.")
+ log.debug1("AllowZoneDrifting is set to '%s'",
+ self._allow_zone_drifting)
+
+--
+2.23.0
+
diff --git a/SOURCES/0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch b/SOURCES/0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch
new file mode 100644
index 0000000..2636f4f
--- /dev/null
+++ b/SOURCES/0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch
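Review bot: The new `if not self._offline:` guard in src/firewall/core/fw.py carries no comment saying why the offline path is exempt from a security warning, so a later reader could take it for an accident or extend the exemption. I would add `# firewall-offline-cmd hits this on every invocation; warn only from the running daemon` directly above the guard. The `log.debug1` line that follows still records the value in both modes, so the setting stays visible when debugging. The enclosing method starts and ends outside the hunk.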
@@ -0,0 +1,147 @@ +From d31326a93b0dc1e203f4696aca4a7c0f8118d2e8 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Feb 2020 09:12:17 -0500 +Subject: [PATCH 39/39] RHEL only: default to AllowZoneDrifting=yes + +--- + config/firewalld.conf | 4 ++-- + doc/xml/firewalld.conf.xml | 2 +- + doc/xml/firewalld.dbus.xml | 2 +- + src/firewall/config/__init__.py.in | 2 +- + src/tests/cli/firewall-cmd.at | 4 ++++ + src/tests/dbus/firewalld.conf.at | 4 ++-- + src/tests/features/rfc3964_ipv4.at | 4 ++++ + src/tests/functions.at | 1 + + src/tests/regression/rhbz1514043.at | 4 ++++ + 9 files changed, 20 insertions(+), 7 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index 532f0452212e..f791b2358ab8 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -71,5 +71,5 @@ RFC3964_IPv4=yes + # Note: If "yes" packets will only drift from source based zones to interface + # based zones (including the default zone). Packets never drift from interface + # based zones to other interfaces based zones (including the default zone). +-# Possible values; "yes", "no". Defaults to "no". +-AllowZoneDrifting=no ++# Possible values; "yes", "no". Defaults to "yes". ++AllowZoneDrifting=yes +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index fcfbfd2b68c1..c21ef87813bc 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -197,7 +197,7 @@ + to interface based zones (including the default zone). Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". + + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 5d77af976443..77ad77c01675 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2591,7 +2591,7 @@ + to interface based zones (including the default zone). 
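Review bot: The comment above `AllowZoneDrifting=yes` in config/firewalld.conf now reads 'Defaults to "yes"' without telling the administrator that the daemon itself treats this value as insecure (the fw.py warning text on this page calls it "an insecure configuration option" that "will be removed in a future release"). I would add a line to that comment block such as `# Warning: "yes" is considered insecure and this option will be removed in a future release.`. The matching `FALLBACK_ALLOW_ZONE_DRIFTING = True` in src/firewall/config/__init__.py.in would benefit from `# RHEL only: default differs from upstream (False)`. The functions.at hunk also strips the warning from every test log, so as far as this patch shows no test asserts that the warning is still emitted for the shipped default.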
Packets + never drift from interface based zones to other interfaces + based zones (including the default zone). +- Valid values; "yes", "no". Defaults to "no". ++ Valid values; "yes", "no". Defaults to "yes". + + + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 481eb8de758d..645c76b66c8d 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no" + FALLBACK_FIREWALL_BACKEND = "nftables" + FALLBACK_FLUSH_ALL_ON_RELOAD = True + FALLBACK_RFC3964_IPV4 = True +-FALLBACK_ALLOW_ZONE_DRIFTING = False ++FALLBACK_ALLOW_ZONE_DRIFTING = True +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 51b367e7a0f0..3590cb23d600 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -1054,6 +1054,10 @@ FWD_START_TEST([rich rules priority]) + + CHECK_LOG_AUDIT + ++ dnl Expected test results assume this is set to "no" ++ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++ FWD_RELOAD ++ + dnl Verify generic layout of zone + NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl + table inet firewalld { +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 35aead759a9c..4eefa3286f9f 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus) + dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
+ IF_HOST_SUPPORTS_NFT_FIB([ + DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "no" ++string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100 + string "RFC3964_IPv4" : variant string "yes" + ])], [ + DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "no" ++string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at +index 54f5f756270b..15fef52612cc 100644 +--- a/src/tests/features/rfc3964_ipv4.at ++++ b/src/tests/features/rfc3964_ipv4.at +@@ -1,6 +1,10 @@ + FWD_START_TEST([RFC3964_IPv4]) + AT_KEYWORDS(rfc3964_ipv4) + ++dnl Expected test results assume this is set to "no" ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf]) + AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf]) + FWD_RELOAD +diff --git a/src/tests/functions.at b/src/tests/functions.at +index cd4e31c7f9d4..0e28420d7123 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [ + IF_HOST_SUPPORTS_IP6TABLES([], [ + sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log + ]) ++ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log + if test x"$1" != x"ignore"; then + if test -n "$1"; then + sed -i $1 ./firewalld.log +diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at +index 241cf547f7f3..8e4846a078b8 100644 +--- a/src/tests/regression/rhbz1514043.at 
++++ b/src/tests/regression/rhbz1514043.at +@@ -1,6 +1,10 @@ + FWD_START_TEST([--set-log-denied does not zero config]) + AT_KEYWORDS(log_denied rhbz1514043) + ++dnl Expected test results assume this is set to "no" ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + FWD_CHECK([-q --set-log-denied=all]) + FWD_CHECK([-q --permanent --zone=public --add-service=samba]) + FWD_RELOAD +-- +2.23.0 + diff --git a/SOURCES/0040-doc-direct-add-CAVEATS-section.patch b/SOURCES/0040-doc-direct-add-CAVEATS-section.patch new file mode 100644 index 0000000..82e69b8 --- /dev/null +++ b/SOURCES/0040-doc-direct-add-CAVEATS-section.patch 
@@ -0,0 +1,123 @@ +From 8d899360b8cd33962fa0b73cc17d2b8bb7710252 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 19 Feb 2020 09:48:01 -0500 +Subject: [PATCH] doc: direct: add CAVEATS section + +This basically covers issues/questions users have been asking about +direct rules and the nftables backend. + +Fixes: #555 +Fixes: rhbz 1692964 +(cherry picked from commit dbcba0433b9986b6da2172bc9a826836af2be9b0) +(cherry picked from commit 0e826f0681da9917f29f26cfdd881f490a210f31) +--- + doc/xml/firewall-cmd.xml.in | 3 ++ + doc/xml/firewall-offline-cmd.xml | 3 ++ + doc/xml/firewalld.direct.xml | 63 ++++++++++++++++++++++++++++++++ + 3 files changed, 69 insertions(+) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 3562b4cc7fdc..be65d61166c2 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -1810,6 +1810,9 @@ For interfaces that are not under control of NetworkManager, firewalld tries to + + Direct options should be used only as a last resort when it's not possible to use for example =service or ='rule'. + ++ ++ Warning: Direct rules behavior is different depending on the value of FirewallBackend. See CAVEATS in firewalld.direct5. ++ + + The first argument of each option has to be ipv4 or ipv6 or eb. With ipv4 it will be for IPv4 (iptables8), with ipv6 for IPv6 (ip6tables8) and with eb for ethernet bridges (ebtables8). + +diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml +index eb2fd75e231c..16159748aea0 100644 +--- a/doc/xml/firewall-offline-cmd.xml ++++ b/doc/xml/firewall-offline-cmd.xml +@@ -1784,6 +1784,9 @@ + + Direct options should be used only as a last resort when it's not possible to use for example =service or ='rule'. + ++ ++ Warning: Direct rules behavior is different depending on the value of FirewallBackend. See CAVEATS in firewalld.direct5. ++ + + The first argument of each option has to be ipv4 or ipv6 or eb. 
With ipv4 it will be for IPv4 (iptables8), with ipv6 for IPv6 (ip6tables8) and with eb for ethernet bridges (ebtables8). + +diff --git a/doc/xml/firewalld.direct.xml b/doc/xml/firewalld.direct.xml +index d4e5cd74d590..de7b5973dd7f 100644 +--- a/doc/xml/firewalld.direct.xml ++++ b/doc/xml/firewalld.direct.xml +@@ -206,6 +206,69 @@ + + + ++ ++ Caveats ++ ++ ++ Depending on the value of FirewallBackend (see firewalld.conf5) direct rules behave differently in some scenarios. ++ ++ ++ Packet accept/drop precedence ++ ++ Due to implementation details of netfilter inside the kernel, if FirewallBackend=nftables is used direct rules that ACCEPT packets don't actually cause the packets to be immediately accepted by the system. Those packets are still be subject to firewalld's nftables ruleset. This basically means there are two independent firewalls and packets must be accepted by both (iptables and nftables). As an aside, this scenario also occurs inside of nftables (again due to netfilter) if there are multiple chains attached to the same hook - it's not as simple as iptables vs nftables. ++ ++ ++ There are a handful of options to workaround the ACCEPT issue: ++ ++ ++ Rich Rules ++ ++ If a rich rule can be used, then they should always be preferred over direct rules. Rich Rules will be converted to the enabled FirewallBackend. See firewalld.richlanguage5. ++ ++ ++ Blanket Accept ++ ++ Users can add an explicit accept to the nftables ruleset. This can be done by adding the interface or source to the trusted zone. ++ ++ ++ This strategy is often employed by things that perform their own filtering such as: libvirt, podman, docker. ++ ++ ++ Warning: This means firewalld will do no filtering on these packets. It must all be done via direct rules or out-of-band iptables rules. ++ ++ ++ Selective Accept ++ ++ Alternatively, enable only the relevant service, port, address, or otherwise in the appropriate zone. 
++ ++ ++ Revert to the iptables backend ++ ++ A last resort is to revert to the iptables backend by setting FirewallBackend=iptables. Users should be aware that firewalld development focuses on the nftables backend. ++ ++ ++ ++ ++ ++ For direct rules that DROP packets the packets are immediately dropped regardless of the value of FirewallBackend. As such, there is no special consideration needed. ++ ++ ++ ++ Firewalld guarantees the above ACCEPT/DROP behavior by registering nftables hooks with a lower precedence than iptables hooks. ++ ++ ++ ++ ++ Direct interface precedence ++ ++ With FirewallBackend=iptables firewalld's top-level internal rules apply before direct rules are executed. This includes rules to accept existing connections. In the past this has surprised users. As an example, if a user adds a direct rule to drop traffic on destination port 22 existing SSH sessions would continue to function, but new connections would be denied. ++ ++ ++ With FirewallBackend=nftables direct rules were deliberately given a higher precedence than all other firewalld rules. This includes rules to accept existing connections. ++ ++ ++ ++ + + Example + +-- +2.23.0 + diff --git a/SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch b/SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch new file mode 100644 index 0000000..e558b49 --- /dev/null +++ b/SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch 
@@ -0,0 +1,319 @@ +From aaba32dd922c84662521754952e5a50198dd8625 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 9 Jul 2018 11:29:33 -0400 +Subject: [PATCH] Add cockpit by default to some zones + +Fixes: #1581578 +--- + config/zones/home.xml | 1 + + config/zones/internal.xml | 1 + + config/zones/public.xml | 1 + + config/zones/work.xml | 1 + + src/tests/features/helpers_custom.at | 9 +++++++++ + src/tests/features/service_include.at | 2 +- + src/tests/firewall-cmd.at | 14 +++++++++++++- + src/tests/regression/gh366.at | 3 +++ + src/tests/regression/gh453.at | 2 ++ + src/tests/regression/rhbz1514043.at | 2 +- + 10 files changed, 33 insertions(+), 3 deletions(-) + +diff --git a/config/zones/home.xml b/config/zones/home.xml +index 42b29b2f2d50..8aa8afa0e8aa 100644 +--- a/config/zones/home.xml ++++ b/config/zones/home.xml +@@ -6,4 +6,5 @@ + + + ++ + +diff --git a/config/zones/internal.xml b/config/zones/internal.xml +index e646b48c94e8..40cb7e14424b 100644 +--- a/config/zones/internal.xml ++++ b/config/zones/internal.xml +@@ -6,4 +6,5 @@ + + + ++ + +diff --git a/config/zones/public.xml b/config/zones/public.xml +index 49795d8c9068..617e131a4895 100644 +--- a/config/zones/public.xml ++++ b/config/zones/public.xml +@@ -4,4 +4,5 @@ + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + ++ + +diff --git a/config/zones/work.xml b/config/zones/work.xml +index 6ea5550a40bd..9609ee6f65c2 100644 +--- a/config/zones/work.xml ++++ b/config/zones/work.xml +@@ -4,4 +4,5 @@ + For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. 
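Review bot: No rationale is recorded for the service added in config/zones/public.xml, the zone whose own description reads "You do not trust the other computers on networks"; the commit message says only "Fixes: #1581578". Judging by the updated test expectations (`tcp dport 9090 ct state new,untracked accept`, `services: cockpit dhcpv6-client ssh`), this is presumably the cockpit service, which means interfaces in the public zone accept new connections on tcp/9090 out of the box. I would put the reason next to the added line, e.g. `<!-- RHEL only (bz1581578): cockpit allowed by default; remove where the web console is not used -->`, and state it in the commit message as well. The home.xml, internal.xml and work.xml hunks make the same addition.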
+ + ++ + +diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at +index c65f067a06ec..263185c88724 100644 +--- a/src/tests/features/helpers_custom.at ++++ b/src/tests/features/helpers_custom.at +@@ -17,6 +17,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept + } +@@ -27,6 +28,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +@@ -35,6 +37,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + +@@ -51,6 +54,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept + } +@@ -61,6 +65,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 
0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl +@@ -69,6 +74,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ]) + +@@ -86,6 +92,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 ct state new,untracked accept +@@ -99,6 +106,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) +@@ -109,6 +117,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED + ]) +diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at +index 219d5b42767b..0bf59f63b81b 100644 +--- 
a/src/tests/features/service_include.at ++++ b/src/tests/features/service_include.at +@@ -117,7 +117,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl + + ]) + FWD_CHECK([--zone=public --list-services], 0, [dnl +-dhcpv6-client ssh ++cockpit dhcpv6-client ssh + ]) + FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist]) + FWD_RELOAD +diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at +index 0e0d3938da0a..540bdb8b1065 100644 +--- a/src/tests/firewall-cmd.at ++++ b/src/tests/firewall-cmd.at +@@ -1144,6 +1144,7 @@ FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 1122 ct state new,untracked accept + tcp dport 3333 ct state new,untracked accept + tcp dport 4444 ct state new,untracked accept +@@ -1159,6 +1160,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED +@@ -1173,6 +1175,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED + ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED +@@ -1254,6 +1257,7 @@ FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp 
dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + } + } + ]) +@@ -1357,6 +1361,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl + ]) +@@ -1391,6 +1396,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl + ]) +@@ -1438,6 +1444,7 @@ FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + icmp type echo-request accept + icmpv6 type echo-request accept + } +@@ -1478,6 +1485,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ]) + IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl +@@ -1500,6 +1508,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 + ]) + IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl +@@ -1556,6 +1565,7 @@ 
FWD_START_TEST([rich rules priority]) + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + } + } + ]) +@@ -1593,6 +1603,7 @@ FWD_START_TEST([rich rules priority]) + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl + ]) +@@ -1613,6 +1624,7 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl + ]) +@@ -1638,7 +1650,7 @@ FWD_START_TEST([rich rules priority]) + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: cockpit dhcpv6-client ssh + ports: + protocols: + masquerade: no +diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at +index 1441a6be53bf..51ff504e6a9d 100644 +--- a/src/tests/regression/gh366.at ++++ b/src/tests/regression/gh366.at +@@ -7,6 +7,7 @@ table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++tcp dport 9090 ct state new,untracked accept + ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept + ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + } +@@ -14,11 +15,13 @@ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 
ctstate NEW,UNTRACKED + ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED + ])]) + +diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at +index f57a79dcf9a2..6d820fce840a 100644 +--- a/src/tests/regression/gh453.at ++++ b/src/tests/regression/gh453.at +@@ -18,6 +18,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 ct state new,untracked accept + } +@@ -42,6 +43,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 ct state new,untracked accept + tcp dport 5060 ct helper set "helper-sip-tcp" +diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at +index efc33e09478b..241cf547f7f3 100644 +--- a/src/tests/regression/rhbz1514043.at ++++ b/src/tests/regression/rhbz1514043.at +@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all]) + FWD_CHECK([-q --permanent --zone=public --add-service=samba]) + FWD_RELOAD + FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl +-services: dhcpv6-client samba ssh ++services: cockpit dhcpv6-client samba ssh + ]) + + dnl check that log denied actually took effect +-- +2.23.0 + 
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
new file mode 100644
index 0000000..52c56f0
--- /dev/null
+++ b/SPECS/firewalld.spec
@@ -0,0 +1,1635 @@
+Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
+Name: firewalld
+Version: 0.8.0
+Release: 4%{?dist}
+URL: http://www.firewalld.org
+License: GPLv2+
+Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
+Patch1: RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
+Patch2: 0002-fix-CLI-service-also-output-helpers-for-service-info.patch
+Patch3: 0003-fix-reload-let-NM-interface-assignments-override-per.patch
+Patch4: 0004-fix-dbus-firewall.conf-fix-check-for-AutomaticHelper.patch
+Patch5: 0005-fix-test-CHECK_NAT_COEXISTENCE-only-check-for-kernel.patch
+Patch6: 0006-fix-test-direct-passthrough-no-need-to-check-for-dum.patch
+Patch7: 0007-fix-test-functions-FWD_END_TEST-improve-grep-for-err.patch
+Patch8: 0008-test-build-add-support-for-running-in-containers.patch
+Patch9: 0009-test-check-container-add-support-for-debian-sid.patch
+Patch10: 0010-test-check-container-add-support-for-fedora-rawhide.patch
+Patch11: 0011-fix-test-leave-cleanup-for-tests-cases.patch
+Patch12: 0012-test-functions-new-macros-for-starting-stopping-Netw.patch
+Patch13: 0013-test-functions-add-macro-NMCLI_CHECK.patch
+Patch14: 0014-test-build-support-integration-tests.patch
+Patch15: 0015-test-integration-NM-zone-overrides-interface-on-relo.patch
+Patch16: 0016-test-check-container-also-run-check-integration.patch
+Patch17: 0017-doc-README-add-note-about-integration-tests.patch
+Patch18: 0018-chore-update-translations.patch
+Patch19: 0019-doc-README-add-note-about-language-translations.patch
+Patch20: 0020-fix-rich-source-dest-only-matching-with-mark-action.patch
+Patch21: 0021-test-coverage-for-gh-567.patch
+Patch22: 0022-improvement-test-move-regression.at-inside-directory.patch
+Patch23: 0023-improvement-test-move-features.at-inside-directory.patch
+Patch24: 0024-improvement-test-move-python.at-inside-directory.patch
+Patch25: 0025-improvement-test-move-dbus.at-inside-directory.patch
+Patch26: 0026-improvement-test-move-firewall-cmd.at-and-firewall-o.patch
+Patch27: 0027-test-enhance-test-for-rhbz1729097.patch
+Patch28: 0028-fix-test-functions-FWD_END_TEST-grep-for-errors-warn.patch
+Patch29: 0029-improvement-tests-regression-rhbz1715977-shorten-tes.patch
+Patch30: 0030-feat-AllowZoneDrifting-config-option.patch
+Patch31: 0031-feat-nftables-support-AllowZoneDrifting-yes.patch
+Patch32: 0032-feat-ipXtables-support-AllowZoneDrifting-yes.patch
+Patch33: 0033-test-verify-AllowZoneDrifting-yes.patch
+Patch34: 0034-chore-test-retab-some-test-cases.patch
+Patch35: 0035-improvement-translations-build-target-to-merge-from-.patch
+Patch36: 0036-chore-translation-merge-from-master.patch
+Patch37: 0037-improvement-check-container-use-docker-build.patch
+Patch38: 0038-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch
+Patch39: 0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch
+Patch40: 0040-doc-direct-add-CAVEATS-section.patch
+
+BuildArch: noarch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: desktop-file-utils
+BuildRequires: gettext
+BuildRequires: intltool
+# glib2-devel is needed for gsettings.m4
+BuildRequires: glib2, glib2-devel
+BuildRequires: systemd-units
+BuildRequires: docbook-style-xsl
+BuildRequires: libxslt
+BuildRequires: iptables, ebtables, ipset
+BuildRequires: python3-devel
+Requires: iptables, ebtables, ipset
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires: firewalld-filesystem = %{version}-%{release}
+Requires: python3-firewall = %{version}-%{release}
+Conflicts: selinux-policy < 3.14.1-28
+Conflicts: squid < 7:3.5.10-1
+Obsoletes: firewalld-selinux < 0.4.4.2-2
+# bz1581578
+Conflicts: cockpit-ws < 171-2
+
+%description
+firewalld is a firewall service daemon that provides a dynamic customizable
+firewall with a D-Bus interface.
+
+%package -n python3-firewall
+Summary: Python3 bindings for firewalld
+
+%{?python_provide:%python_provide python3-firewall}
+
+Obsoletes: python-firewall < 0.5.2-2
+Obsoletes: python2-firewall < 0.5.2-2
+Requires: python3-dbus
+Requires: python3-slip-dbus
+Requires: python3-decorator
+Requires: python3-gobject-base
+Requires: python3-nftables
+
+%description -n python3-firewall
+Python3 bindings for firewalld.
+
+%package -n firewalld-filesystem
+Summary: Firewalld directory layout and rpm macros
+
+%description -n firewalld-filesystem
+This package provides directories and rpm macros which
+are required by other packages that add firewalld configuration files.
+
+%package -n firewall-applet
+Summary: Firewall panel applet
+Requires: %{name} = %{version}-%{release}
+Requires: firewall-config = %{version}-%{release}
+Requires: hicolor-icon-theme
+Requires: python3-qt5-base
+Requires: python3-gobject
+Requires: libnotify
+Requires: NetworkManager-libnm
+Requires: dbus-x11
+
+%description -n firewall-applet
+The firewall panel applet provides a status information of firewalld and also
+the firewall settings.
+
+%package -n firewall-config
+Summary: Firewall configuration application
+Requires: %{name} = %{version}-%{release}
+Requires: hicolor-icon-theme
+Requires: gtk3
+Requires: python3-gobject
+Requires: NetworkManager-libnm
+Requires: dbus-x11
+
+%description -n firewall-config
+The firewall configuration application provides an configuration interface for
+firewalld.
+
+%prep
+%autosetup -p1
+# must autogen since a patch above touched a Makefile.am
+./autogen.sh
+
+%build
+%configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}"
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+desktop-file-install --delete-original \
+ --dir %{buildroot}%{_sysconfdir}/xdg/autostart \
+ %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
+desktop-file-install --delete-original \
+ --dir %{buildroot}%{_datadir}/applications \
+ %{buildroot}%{_datadir}/applications/firewall-config.desktop
+
+%find_lang %{name} --all-name
+
+%post
+%systemd_post firewalld.service
+
+%preun
+%systemd_preun firewalld.service
+
+%postun
+%systemd_postun_with_restart firewalld.service
+
+%files -f %{name}.lang
+%doc COPYING README
+%{_sbindir}/firewalld
+%{_bindir}/firewall-cmd
+%{_bindir}/firewall-offline-cmd
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/firewall-cmd
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_firewalld
+%{_prefix}/lib/firewalld/icmptypes/*.xml
+%{_prefix}/lib/firewalld/ipsets/README
+%{_prefix}/lib/firewalld/services/*.xml
+%{_prefix}/lib/firewalld/zones/*.xml
+%{_prefix}/lib/firewalld/helpers/*.xml
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld
+%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
+%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
+%defattr(0644,root,root)
+%config(noreplace) %{_sysconfdir}/sysconfig/firewalld
+%{_unitdir}/firewalld.service
+%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+%{_mandir}/man1/firewall*cmd*.1*
+%{_mandir}/man1/firewalld*.1*
+%{_mandir}/man5/firewall*.5*
+%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
+
+%files -n python3-firewall
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server
+%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__
+%{python3_sitelib}/firewall/__pycache__/*.py*
+%{python3_sitelib}/firewall/*.py*
+%{python3_sitelib}/firewall/config/*.py*
+%{python3_sitelib}/firewall/config/__pycache__/*.py*
+%{python3_sitelib}/firewall/core/*.py*
+%{python3_sitelib}/firewall/core/__pycache__/*.py*
+%{python3_sitelib}/firewall/core/io/*.py*
+%{python3_sitelib}/firewall/core/io/__pycache__/*.py*
+%{python3_sitelib}/firewall/server/*.py*
+%{python3_sitelib}/firewall/server/__pycache__/*.py*
+
+%files -n firewalld-filesystem
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/helpers
+%dir %{_prefix}/lib/firewalld/icmptypes
+%dir %{_prefix}/lib/firewalld/ipsets
+%dir %{_prefix}/lib/firewalld/services
+%dir %{_prefix}/lib/firewalld/zones
+%{_rpmconfigdir}/macros.d/macros.firewalld
+
+%files -n firewall-applet
+%attr(0755,root,root) %dir %{_sysconfdir}/firewall
+%{_bindir}/firewall-applet
+%defattr(0644,root,root)
+%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
+%{_sysconfdir}/firewall/applet.conf
+%{_datadir}/icons/hicolor/*/apps/firewall-applet*.*
+%{_mandir}/man1/firewall-applet*.1*
+
+%files -n firewall-config
+%{_bindir}/firewall-config
+%defattr(0644,root,root)
+%{_datadir}/firewalld/firewall-config.glade
+%{_datadir}/firewalld/gtk3_chooserbutton.py*
+%{_datadir}/firewalld/gtk3_niceexpander.py*
+%{_datadir}/applications/firewall-config.desktop
+%{_datadir}/metainfo/firewall-config.appdata.xml
+%{_datadir}/icons/hicolor/*/apps/firewall-config*.*
+%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml
+%{_mandir}/man1/firewall-config*.1*
+
+%changelog
+* Thu Feb 27 2020 Eric Garver - 0.8.0-4
+- doc: direct: add CAVEATS section
+
+* Mon Feb 03 2020 Eric Garver - 0.8.0-3
+- restore zone drifting as a feature
+
+* Tue Nov 12 2019 Eric Garver - 0.8.0-2
+- fix: CLI: service: also output helpers for service info
+
+* Tue Nov 05 2019 Eric Garver - 0.8.0-1
+- rebase to v0.8.0
+
+* Tue Aug 13 2019 Eric Garver - 0.7.0-5
+- bump nftables version requirements
+
+* Tue Aug 06 2019 Eric Garver - 0.7.0-4
+- backport patches to sort source-based zone dispatch by zone name
+
+* Tue Jul 23 2019 Eric Garver - 0.7.0-3
+- backport patch to show service includes in service output
+- backport patches to fix dbus API break
+
+* Thu Jun 13 2019 Eric Garver - 0.7.0-2
+- package rebuild
+
+* Wed Jun 12 2019 Eric Garver - 0.7.0-1
+- rebase to v0.7.0
+
+* Sun Jan 13 2019 Eric Garver - 0.6.3-7
+- backport additional patches for RFC3964_IPv4 filter feature
+
+* Tue Jan 08 2019 Eric Garver - 0.6.3-6
+- backport nftables support for wildcard interfaces
+- backport RFC3964_IPv4 filter feature
+
+* Tue Dec 18 2018 Eric Garver - 0.6.3-5
+- backport fix for lost NM interfaces in default zone during reload
+
+* Thu Dec 13 2018 Eric Garver - 0.6.3-4
+- backport recent stable fixes
+- backport fix for lost NM interfaces during reload
+- backport rich rule priorities
+- backport fix for
set entries not applied
+- update translations
+
+* Tue Oct 16 2018 Eric Garver - 0.6.3-3
+- backport FlushAllOnReload feature
+
+* Fri Oct 12 2018 Eric Garver - 0.6.3-2
+- use py3_shbang_opts for lockdown-whitelist
+- fix cockpit patch causing test failure
+
+* Thu Oct 11 2018 Eric Garver - 0.6.3-1
+- rebase package to v0.6.3
+- use py3_shbang_opts for interpreter invocations
+
+* Mon Sep 10 2018 Eric Garver - 0.6.1-5
+- python3-firewalld can get by with python3-gobject-base
+- firewall-config can get by with python3-qt5-base
+
+* Thu Aug 16 2018 Eric Garver - 0.6.1-4
+- backports for new failed state if startup fails
+- backports to use explicit RETURN on user defined ebtables chains
+- backports to fix nftables AUDIT log support
+
+* Tue Aug 14 2018 Eric Garver - 0.6.1-3
+- drop support for ebtables broute table
+
+* Fri Aug 10 2018 Eric Garver - 0.6.1-2
+- add more ports to high-availability service
+
+* Thu Aug 09 2018 Eric Garver - 0.6.1-1
+- rebase to v0.6.1
+- fix patch adding cockpit by default, fixes testsuite
+
+* Mon Jul 09 2018 Eric Garver - 0.6.0-2
+- Use correct conflicts version for cockpit-ws
+- Enable cockpit by default in some zones
+
+* Fri Jul 06 2018 Eric Garver - 0.6.0-1
+- rebase to v0.6.0
+
+* Tue May 01 2018 Eric Garver - 0.6.0-0.1.alpha1
+- rebase to v0.6.0-alpha
+
+* Wed Mar 21 2018 Eric Garver - 0.5.2-3
+- remove fedora-isms and clean up spec file
+
+* Wed Mar 21 2018 Eric Garver - 0.5.2-2
+- remove python2-firewall subpackage
+
+* Mon Mar 19 2018 Eric Garver - 0.5.2-1
+- rebase package to v0.5.2
+
+* Fri Feb 09 2018 Igor Gnatenko - 0.5.1-2
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Eric Garver - 0.5.1-1
+- rebase package to v0.5.1
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.4.4.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 05 2018 Igor Gnatenko - 0.4.4.5-5
+- Remove obsolete scriptlets
+
+* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 0.4.4.5-4
+- Python 2 binary package
renamed to python2-firewall
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Mon Jul 31 2017 Thomas Woerner - 0.4.4.5-3
+- Fix spec file for next RHEL versions
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.4.4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jun 9 2017 Thomas Woerner - 0.4.4.5-1
+- Rebase to firewalld-0.4.4.5
+ http://www.firewalld.org/2017/06/firewalld-0-4-4-5-release
+ - Fix build from spec
+ - Fix –remove-service-from-zone option (RHBZ#1438127)
+ - Support sctp and dccp in ports, source-ports, forward-ports, helpers and
+ rich rules (RHBZ#1429808)
+ - firewall-cmd: Fix –{set,get}-{short,description} for zone (RHBZ#1445238)
+ - firewall.core.ipXtables: Use new wait option for restore commands if
+ available
+ - New services for oVirt:
+ ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe
+ - Rename extension for policy choices (server and desktop) to .policy.choice
+ (RHBZ#1449754)
+ - D-Bus interfaces: Fix GetAll for interfaces without properties
+ (RHBZ#1452017)
+ - Load NAT helpers with conntrack helpers (RHBZ#1452681)
+ - Translation updates
+- Additional upstream patches:
+ - Rich-rule source validation (d69b7cb)
+ - IPv6 ICMP type only rich-rule fix (cf50bd0)
+
+* Mon Mar 27 2017 Thomas Woerner - 0.4.4.4-1
+- Rebase to firewalld-0.4.4.4
+ http://www.firewalld.org/2017/03/firewalld-0-4-4-4-release
+- Drop references to fedorahosted.org from spec file and Makefile.am, use
+ archive from github
+- Fix inconsistent ordering of rules in INPUT_ZONE_SOURCE (issue#166)
+- Fix ipset overloading from /etc/firewalld/ipsets
+- Fix permanent rich rules using icmp-type elements (RHBZ#1434594)
+- firewall-config: Deactivate edit, remove, ..
buttons if there are no items
+- Check if ICMP types are supported by kernel before trying to use them
+- firewall-config: Show invalid ipset type in the ipset configuration dialog
+ in a special label
+
+* Tue Feb 21 2017 Thomas Woerner - 0.4.4.3-2
+- Fixed ipset overloading, dropped applied check in get_ipset (issue#206)
+
+* Fri Feb 10 2017 Thomas Woerner - 0.4.4.3-1
+- Rebase to firewalld-0.4.4.3
+ http://www.firewalld.org/2017/02/firewalld-0-4-4-3-release
+- Speed up of large file loading
+- Support for more ipset types
+- Speed up of adding or removing entries for ipsets from files
+- Support icmp-type usage in rich rules
+- Support for more icmp types
+- Support for h323 conntrack helper
+- New services
+- Code cleanup and several other bug fixes
+- Translation updates
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.4.4.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Dec 13 2016 Stratakis Charalampos - 0.4.4.2-3
+- Rebuild for Python 3.6
+
+* Mon Dec 5 2016 Thomas Woerner - 0.4.4.2-2
+- Dropping firewalld-selinux package again as the required fix made it into
+ selinux-policy packages for F-23+, updated selinux-policy version conflicts
+
+* Thu Dec 1 2016 Thomas Woerner - 0.4.4.2-1
+- New firewalld-selinux sub package delivering the SELinux policy module for
+ firewalld (RHBZ#1396765) (RHBZ#1394625) (RHBZ#1394578) (RHBZ#1394573)
+ (RHBZ#1394569)
+- New firewalld release 0.4.4.2:
+ - firewalld.spec: Added helpers and ipsets paths to firewalld-filesystem
+ - firewall.core.fw_nm: create NMClient lazily
+ - Do not use hard-coded path for modinfo, use autofoo to detect it
+ - firewall.core.io.ifcfg: Dropped invalid option warning with bad format
+ string
+ - firewall.core.io.ifcfg: Properly handle quoted ifcfg values
+ - firewall.core.fw_zone: Do not reset ZONE with ifdown
+ - Updated translations from zanata
+ - firewall-config: Extra grid at bottom to visualize firewalld settings
+
+* Wed Nov 9 2016 Thomas Woerner -
0.4.4.1-1
+- firewall-config: Use proper source check in sourceDialog (fixes issue#162)
+- firewallctl: New support for helpers
+- Translation updates
+
+* Fri Oct 28 2016 Thomas Woerner - 0.4.4-1
+- Fix dist-check
+- src/Makefile.am: Install new helper files
+- config/Makefile.am: Install helpers
+- Merged translations
+- Updated translations from zanata
+- firewalld.spec: Adapt requires for PyQt5
+- firewall-applet: Fix fromUTF8 for python2 PyQt5 usage
+- firewall-applet: Use PyQt5
+- firewall-config: New nf_conntrack_select dialog, use nf_conntrack_helpers D-Bus property
+- shell-completion/bash/firewall-cmd: Updates for helpers and also some fixes
+- src/tests/firewall-[offline-]cmd_test.sh: New helper tests, adapted module tests for services
+- doc/xml/seealso.xml: Add firewalld.helper(5) man page
+- doc/xml/seealso.xml: Add firewalld.ipset(5) man page
+- Fixed typo in firewalld.ipset(5) man page
+- Updated firewalld.dbus(5) man page
+- New firewalld.helper(5) man page
+- doc/xml/firewall-offline-cmd.xml: Updated firewall-offline-cmd man page
+- doc/xml/firewall-cmd.xml: Updated firewall-cmd man page
+- firewall-offline-cmd: New support for helpers
+- firewall-cmd: New support for helpers
+- firewall.command: New check_helper_family, check_module and print_helper_info methods
+- firewall.core.fw_test: Add helpers also to offline backend
+- firewall.server.config: New AutomaticHelpers property (rw)
+- firewall.server.config: Fix an dict size changed error for firewall.conf file changes
+- firewall.server.config: Make LogDenied property readwrite to be consistent
+- Some renames of nf_conntrack_helper* functions and structures, helpers is a dict
+- firewall.core.fw: Properly check helper setting in set_automatic_helpers
+- firewall.errors: Add missing BUILTIN_HELPER error code
+- No extra interface for helpers needed in runtime, dropped DBUS_INTERFACE_HELPER
+- firewall.server.firewalld: Drop unused queryHelper D-Bus method
+- New helpers Q.931 and RAS from
nf_conntrack_h323
+- firewall.core.io.helper: Allow dots in helper names, remove underscore
+- firewall.core.io.firewalld_conf: Fixed typo in FALLBACK_AUTOMATIC_HELPERS
+- firewall-[offline-]cmd: Use sys.excepthook to force exception_handler usage always
+- firewall.core.fw_config: new_X methods should also check builtins
+- firewall.client: Set helper family to "" if None
+- firewall.client: Add missing module string to FirewallClientHelperSettings.settings
+- config/firewalld.conf: Add possible values description for AutomaticHelpers
+- helpers/amanda.xml: Fix typo in helper module
+- firewall-config: Added support for helper module setting
+- firewall.client: Added support for helper module setting
+- firewall.server.config_helper: Added support for helper module setting
+- firewall.core.io.service, firewall.server.config_service: Only replace underscore by dash if module start with nf_conntrack_
+- firewall.core.fw_zone: Use helper module instead of a generated name from helper name
+- helpers: Added kernel module
+- firewall.core.io.helper: Add module to helper
+- firewall-cmd: Removed duplicate --get-ipset-types from help output
+- firewall.core.fw_zone: Add zone bingings for PREROUTING in the raw table
+- firewall.core.ipXtables: Add PREROUTING default rules for zones in raw table
+- firewall-config: New support to handle helpers, new dialogs, new helper tab, ..
+- config/org.fedoraproject.FirewallConfig.gschema.xml.in: New show-helpers setting
+- firewall.client: New helper management for runtime and permanent configuration
+- firewall.server.firewalld: New runtime helper management, new nf_conntrack_helper property
+- firewall.server.config_service: Fix module name handling (no nf_conntrack_ prefix needed)
+- firewall.server.config: New permanent D-Bus helper management
+- New firewall.server.config_helper to provide the permanent D-Bus interface for helpers
+- firewall.core.fw_zone: Use helpers fw.nf_conntrack_helper for services using helpers
+- firewall.core.fw: New helper management, new _automatic_helpers and nf_conntrack_helper settings
+- firewall.core.fw_config: Add support for permanent helper handling
+- firewall.core.io.service: The module does not need to start with nf_conntrack_ anymore
+- firewall.functions: New functions to get and set nf_conntrack_helper kernel setting
+- firewall.core.io.firewalld_conf: New support for AutomaticHelpers setting
+- firewall.config.dbus: New D-Bus definitions for helpers, new DBUS_INTERFACE_REVISION 12
+- New firewall.core.fw_helper providing FirewallHelper backend
+- New firewall.core.helper with HELPER_MAXNAMELEN definition
+- config/firewalld.conf: New AutomaticHelpers setting with description
+- firewall.config.__init__.py.in: New helpers variables
+- firewalld.spec: Add new helpers directory
+- config/Makefile.am: Install new helpers
+- New helper configuration files for amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp and tftp
+- firewall.core.io.helper: New IO handler for netfilter helpers
+- firewall.errors: New INVALID_HELPER error code
+- firewall.core.io.ifcfg: Use .bak for save files
+- firewall-config: Set internal log_denied setting after changing
+- firewall.server.config: Copy props before removing items
+- doc/xml/firewalld.ipset: Replaced icmptype name remains with ipset
+- firewall.core.fw_zone: Fix LOG rule placement for LogDenied
+- firewall.command:
Use "source-ports" in print_zone_info
+- firewall.core.logger: Use syslog.openlog() and syslog.closelog()
+- firewall-[offline-]cmd man pages: Document --path-{zone,icmptype,ipset,service}
+- firewall-cmd: Enable --path-{zone,icmptype,service} options again
+- firewall.core.{ipXtables,ebtables}: Copy rule before extracting items in set_rules
+- firewall.core.fw: Do not abort transaction on failed ipv6_rpfilter rules
+- config/Makefile.am: Added cfengine, condor-collector and smtp-submission services
+- Makefile.am: New dist-check used in the archive target
+- src/Makefile.am: Reordered nobase_dist_python_DATA to be sorted
+- config/Makefile.am: New CONFIG_FILES variable to contain the config files
+- Merge pull request #150 from hspaans/master
+- Merge pull request #146 from canvon/bugfix/spelling
+- Merge pull request #145 from jcpunk/condor
+- Command line tools man pages: New section about sequence options and exit codes
+- Creating service file for SMTP-Submission.
+- Creating service file for CFEngine.
+- Fix typo in documentation: iptables mangle table
+- Only use sort on lists of main items, but not for item properties
+- firewall.core.io.io_object: import_config should not change ordering of lists
+- firewall.core.fw_transaction: Load helper modules in FirewallZoneTransaction
+- firewall.command: Fail with NOT_AUTHORIZED if authorization fails (RHBZ#1368549)
+- firewall.command: Fix sequence exit code with at least one succeeded item
+- Add condor collector service
+- firewall-cmd: Fixed --{get,set}-{description,short} for permanent zones
+- firewall.command: Do not use error code 254 for {ALREADY,NOT}_ENABLED sequences
+
+* Tue Aug 16 2016 Thomas Woerner - 0.4.3.3-1
+- Fix CVE-2016-5410: Firewall configuration can be modified by any logged in
+ user
+- firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO
+- Update AppData configuration file.
+- tests/firewalld_rich.py: Use new import structure and FirewallClient classes
+- tests/firewalld_direct.py: Use new import structure
+- tests: firewalld_direct: Fix assert to check for True instead of False
+- tests: firewalld_config: Fix expected value when querying the zone target
+- tests: firewalld_config: Use real nf_conntrack modules
+- firewalld.spec: Added comment about make call for %%build
+- firewall-config: Use also width_request and height_request with default size
+- Updated firewall-config screenshot
+- firewall-cmd: Fixed typo in help output (RHBZ#1367171)
+- test-suite: Ignore stderr to get default zone also for missing firewalld.conf
+- firewall.core.logger: Warnings should be printed to stderr per default
+- firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails
+- firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be aquired
+- firewall.client: Generate new DBUS_ERROR if SystemBus can not be aquired
+- test-suite: Do not fail on ALREADY_ENABLED --add-destination tests
+- firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
+- doc/xml/firewalld.dbus.xml: Removed undefined reference
+- doc/xml/transform-html.xsl.in: Fixed references in the document
+- doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para
+- doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page
+- firewall: core: fw_nm: Instantiate the NM client only once
+- firewall/core/io/*.py: Do not traceback on a general sax parsing issue
+- firewall-offline-cmd: Fix --{add,remove}-entries-from-file
+- firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file
+- firewall.core.prog: Do not output stderr, but return it in the error case
+- firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (RHBZ#1362171)
+- config/firewall.service.in: use KillMode=mixed
+- config/firewalld.service.in: use network-pre.target
+- firewall-config: Add missing gettext.textdomain call to fix translations
+- Add UDP to transmission-client.xml service
+- tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings
+- firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls
+- firewall.client: Fix NOT_ENABLED errors in icmptype destination calls
+- firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination
+ calls
+- firewall.command: Add the removed FirewallError handling to the action
+ (a17ce50)
+- firewall.command: Do not use query methods for sequences and also single
+ options
+- Add missing information about MAC and ipset sources to man pages and help
+ output
+- firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages
+- firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr}
+- firewallctl: Fix traceback if not connected to firewalld
+- firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked
+- firewall.command: Convert errors to string for Python3
+- firewall.command: Get proper firewall error code from D-BusExceptions
+- firewall-cmd: Fixed traceback without args
+- Add missing service files to Makefile.am
+- shell-completion: Add shell completion support for
+ --{get,set}--{description,short}
+- Updated RHEL-7 selinux-policy and squid conflict
+
+* Tue Jul 19 2016 Fedora Release Engineering - 0.4.3.2-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Mon Jul 4 2016 Thomas Woerner - 0.4.3.2-1
+- Fix regression with unavailable optional commands
+- All missing backend messages should be warnings
+- Individual calls for missing restore commands
+- Only one authenticate call for add and remove options and also sequences
+- New service RH-Satellite-6
+- Fixed selinux-policy conflict version for RHEL-7
+
+* Wed Jun 29 2016 Thomas Woerner - 0.4.3.1-2
+- Fixed selinux-policy conflict version for Fedora 24
+
+* Tue Jun 28 2016 Thomas Woerner - 0.4.3.1-1
+- New firewalld release 0.4.3.1
+- firewall.command: Fix python3
DBusException message not interable error
+- src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while installing
+- firewallctl: Do not trace back on list command without further arguments
+- firewallctl (man1): Added remaining sections zone, service, ..
+- firewallctl: Added runtime-to-permanent, interface and source parser,
+ IndividualCalls setting
+- firewall.server.config: Allow to set IndividualCalls property in config
+ interface
+- Fix missing icmp rules for some zones
+- runProg: Fix issue with running programs
+- firewall-offline-cmd: Fix issues with missing system-config-firewall
+- firewall.core.ipXtables: Split up source and dest addresses for transaction
+- firewall.server.config: Log error in case of loading malformed files in
+ watcher
+- Install and package the firewallctl man page
+- New firewallctl utility (RHBZ#1147959)
+- doc.xml.seealso: Show firewalld.dbus in See Also sections
+- firewall.core.fw_config: Create backup on zone, service, ipset and icmptype
+ removal (RHBZ#1339251)
+- {zone,service,ipset,icmptype}_writer: Do not fail on failed backup
+- firewall-[offline-]cmd: Fix --new-X-from-file options for files in cwd
+- firewall-cmd: Dropped duplicate setType call in --new-ipset
+- radius service: Support also tcp ports (RBZ#1219717)
+- xmlschemas: Support source-port, protocol, icmp-block-inversion and ipset
+ sources
+- config.xmlschema.service.xsd: Fix service destination conflicts
+ (RHBZ#1296573)
+- firewall-cmd, firewalld man: Information about new NetworkManager and ifcfg
+- firewall.command: Only print summary and description in print_X_info with
+ verbose
+- firewall.command: print_msg should be able to print empty lines
+- firewall-config: No processing of runtime passthroughs signals in permanent
+- Landspace.io fixes and pylint calm downs
+- firewall.core.io.zone: Add zone_reader and zone_writer to __all__, pylint
+ fixes
+- firewall-config: Fixed titles of command and context dialogs, also entry
+ lenths
+-
firewall-config: pylint calm downs
+- firewall.core.fw_zone: Fix use of MAC source in rich rules without ipv limit
+- firewall-config: Use self.active_zoens in conf_zone_added_cb
+- firewall.command: New parse_port, extended parse methods with more checks
+- firewall.command: Fixed parse_port to use the separator in the split call
+- firewall.command: New [de]activate_exception_handler, raise error in parse_X
+- services ha: Allow corosync-qnetd port
+- firewall-applet: Support for kde5-nm-connection-editor
+- tests/firewall-offline-cmd_test.sh: New tests for service and icmptype
+ modifications
+- firewall-offline-cmd: Use FirewallCommand for simplification and sequence
+ options
+- tests/firewall-cmd_test.sh: New tests for service and icmptype modifications
+- firewall-cmd: Fixed set, remove and query destination options for services
+- firewall.core.io.service: Source ports have not been checked in _check_config
+- firewall.core.fw_zone: Method check_source_port is not used, removed
+- firewall.core.base: Added default to ZONE_TARGETS
+- firewall.client: Allow to remove ipv:address pair for service destinations
+- tests/firewall-offline-cmd_test.sh: There is no timeout option in permanent
+- firewall-cmd: Landscape.io fixes, pylint calm downs
+- firewall-cmd: Use FirewallCommand for simplification and sequence options
+- firewall.command: New FirewallCommand for command line client simplification
+- New services: kshell, rsh, ganglia-master, ganglia-client
+- firewalld: Cleanup of unused imports, do not translate some deamon messages
+- firewalld: With fd close interation in runProg, it is not needed here anymore
+- firewall.core.prog: Add fd close iteration to runProg
+- firewall.core.fw_nm: Hide NM typelib import, new nm_get_dbus_interface
+ function
+- firewalld.spec: Require NetworkManager-libnm instead of NetworkManager-glib
+- firewall-config: New add/remove ipset entries from file, remove all entries
+- firewall-applet: Fix tooltip after applet start with
connection to firewalld
+- firewall-config: Select new zone, service or icmptype if the view was empty
+- firewalld.spec: Added build requires for iptables, ebtables and ipset
+- Adding nf_conntrack_sip module to the service SIP
+- firewall: core: fw_ifcfg: Quickly return if ifcfg directory does not exist
+- Drop unneeded python shebangs
+- Translation updates
+
+* Mon May 30 2016 Thomas Woerner - 0.4.2-1
+- New module to search for and change ifcfg files for interfaces not under
+ control of NM
+- firewall_config: Enhanced messages in status bar
+- firewall-config: New message window as overlay if not connected
+- firewall-config: Fix sentivity of option, view menus and main paned if not
+ connected
+- firewall-applet: Quit on SIGINT (Ctrl-C), reduced D-Bus calls, some cleanup
+- firewall-[offline]cmd: Show target in zone information
+- D-Bus: Completed masquerade methods in FirewallClientZoneSettings
+- Fixed log-denied rules for icmp-blocks
+- Keep sorting of interfaces, services, icmp-blocks and other settings in zones
+- Fixed runtime-to-permanent not to save interfaces under control of NM
+- New icmp-block-inversion flag in the zones
+- ICMP type filtering in the zones
+- New services: sip, sips, managesieve
+- rich rules: Allow destination action (RHBZ#1163428)
+- firewall-offline-cmd: New option -q/--quiet
+- firewall-[offline-]cmd: New --add-[zone,service,ipset,icmptype]-from-file
+- firewall-[offline-]cmd: Fix option for setting the destination address
+- firewall-config: Fixed resizing behaviour
+- New transaction model for speed ups in start, restart, stop and other actions
+- firewall-cmd: New options --load{zone,service,ipset,icmptype}-defaults
+- Fixed memory leak in dbus_introspection_add_properties
+- Landscape.io fixes, pylint calm downs
+- New D-Bus getXnames methods to speed up firewall-config and firewall-cmd
+- ebtables-restore: No support for COMMIT command
+- Source port support in services, zones and rich rules
+- firewall-offline-cmd: 
Added --{add,remove}-entries-from-file for ipsets
+- firewall-config: New active bindings side bar for simple binding changes
+- Reworked NetworkManager module
+- Proper default zone handling for NM connections
+- Try to set zone binding with NM if interface is under control of NM
+- Code cleanup and bug fixes
+- Include test suite in the release and install in /usr/share/firewalld/tests
+- New Travis-CI configuration file
+- Fixed more broken frensh translations
+- Translation updates
+
+* Mon May 9 2016 Thomas Woerner - 0.4.1.2-2
+- Fixed ebtables-restore does not support the COMMIT command issue
+
+* Wed Apr 20 2016 Thomas Woerner - 0.4.1.2-1
+- Fixed translations with python3
+- Fixed exception for failed NM import, new doc string
+- Make ipsets visible per default in firewall-config
+- Install new fw_nm module
+- Do not fail if log file could not be opened
+- Fixed broken fr translation
+
+* Tue Apr 19 2016 Thomas Woerner - 0.4.1-1
+- Enhancements of ipset handling
+ - No cleanup of ipsets using timeouts while reloading
+ - Only destroy conflicting ipsets
+ - Only use ipset types supported by the system
+ - Add and remove several ipset entries in one call using a file
+- Reduce time frame where builtin chains are on policy DROP while reloading
+- Include descriptions in --info-X calls
+- Command line interface support to get and alter descriptions of zones,
+ services, ipsets and icmptypes with permanent option
+- Properly watch changes in combined zones
+- Fix logging in rich rule forward rules
+- Transformed direct.passthrough errors into warnings
+- Rework of import structures
+- Reduced calls to get ids for port and protocol names (RHBZ#1305434)
+- Build and installation fixes by Markos Chandras
+- Provide D-Bus properties in introspection data
+- Fix for flaws found by landscape.io
+- Fix for repeated SUGHUP
+- New NetworkManager module to get and set zones of connections, used in
+ firewall-applet and firewall-config
+- configure: Autodetect backend 
tools ({ip,ip6,eb}tables{,-restore}, ipset)
+- Code cleanups
+- Bug fixes
+
+* Mon Feb 22 2016 Jiri Popelka - 0.4.0-4
+- Revert one commit to temporary work-around RHBZ#1309754
+
+* Mon Feb 08 2016 Jiri Popelka - 0.4.0-3
+- Make sure tempdir is created even in offline mode. (RHBZ#1305175)
+
+* Wed Feb 03 2016 Fedora Release Engineering - 0.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Feb 1 2016 Thomas Woerner - 0.4.0-1
+- Version 0.4.0
+ - Speed ups
+ - ipset support
+ - MAC address support
+ - Log of denied packets
+ - Mark action in rich rules
+ - Enhanced alteration of config files with command line tools
+ - Use of zone chains in direct interface
+ - firewall-applet enhancement
+ - New services: ceph-mon, ceph, docker-registry, imap, pop3, pulseaudio,
+ smtps, snmptrap, snmp, syslog-tls and syslog
+ - Several bug fixes
+ - Code optimizations
+
+* Tue Nov 10 2015 Fedora Release Engineering - 0.3.14.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Wed Jul 22 2015 Adam Williamson - 0.3.14.2-4
+- bump versions on old config package obsoletes (f21 is on 0.3.14 now)
+
+* Mon Jul 13 2015 Thomas Woerner - 0.3.14.2-3
+- Require python3-gobject-base for fedora >= 23 and rhel >= 8 (RHBZ#1242076)
+- Fix rhel defines: No python3 for rhel-7
+
+* Thu Jun 18 2015 Thomas Woerner - 0.3.14.2-2
+- Fixed 'pid_file' referenced before assignment (RHBZ#1233232)
+
+* Wed Jun 17 2015 Thomas Woerner - 0.3.14.2-1
+- reunification of the firewalld spec files for all Fedora releases
+- fix dependencies for -applet and -config: use_python3 is the proper switch
+ not with_python3 (RHBZ#1232493)
+- firewalld.spec:
+ - fixed requirements for -applet and -config
+- man pages:
+ - adapted firewall-applet man page to new version
+- firewall-applet:
+ - Only honour active connections for zone changes
+ - Change QSettings path and file names
+- firewall-config:
+ - Only honour active connections for zone changes in the “Change Zones of 
Connections” menu
+- Translations:
+ - updated translations
+ - marked translations for “Connections” for review
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.3.14.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 16 2015 Stephen Gallagher 0.3.14.1-2
+- Fix issue with missing polkit policy when installing firewalld on
+ Cloud Edition.
+
+* Fri Jun 12 2015 Thomas Woerner - 0.3.14.1-1
+- firewall-applet
+ - do not use isSystemTrayAvailable check to fix KDE5 startup
+ - dropped gtk applet remain: org.fedoraproject.FirewallApplet.gschema.xml
+
+* Fri Jun 12 2015 Thomas Woerner - 0.3.14-1
+- renamed python2-firewall to python-firewall
+- fixed requirements for GUI parts with Python3
+- dropped upstream merged python3 patch
+- firewalld:
+ - print real zone names in error messages
+ - iptables 1.4.21 does not accept limits of 1/day, minimum is 2/day now
+ - rate limit fix for rich rules
+ - fix readdition of removed permanent direct settings
+ - adaption of the polkit domains to use PK_ACTION_DIRECT_INFO
+ - fixed two minor Python3 issues in firewall.core.io.direct
+ - fixed use of fallback configuration values
+ - fixed use without firewalld.conf
+ - firewalld main restructureization
+ - IPv6_rpfilter now also available as a property on D-Bus in the config interface
+ - fixed wait option use for ipXtables
+ - added --concurrent support for ebtables
+ - richLanguage: allow masquerading with destination
+ - richLanguage: limit masquerading forward rule to new connections
+ - ipXtables: No dns lookups in available_tables and _detect_wait_option
+ - full ebtables support: start, stop, reload, panic mode, direct chains and rules
+ - fix for reload with direct rules
+ - fix or flaws found by landscape.io
+ - pid file handling fixes in case of pid file removal
+ - fix for client issue in case of a dbus NoReply error
+- configuration
+ - new services: dropbox-lansync, ptp
+ - new icmptypes: timestamp-request, timestamp-reply
+- man 
pages:
+ - firewalld.zones(5): fixed typos
+ - firewalld.conf(5): Fixed wrong reference to firewalld.lockdown-whitelist page
+- firewall-applet:
+ - new version using Qt4 fixing several issues with the Gtk version
+- spec file:
+ - enabled Python3 support: new backends python-firewall and python3-firewall
+ - some cleanup
+- git:
+ - migrated to github
+- translations:
+ - migrated to zanata
+- build environment:
+ - no need for autoconf-2.69, 2.68 is sufficient
+
+* Thu May 07 2015 Stephen Gallagher 0.3.13-7
+- Use VARIANT_ID instead of VARIANT for making decisions
+
+* Thu Apr 16 2015 Stephen Gallagher 0.3.13-6
+- Switch to using $VARIANT directly from /etc/os-release
+
+* Fri Mar 13 2015 Stephen Gallagher 0.3.13-5
+- Fix bugs with posttrans
+- Remove nonexistent fedora-cloud.conf symlink
+
+* Fri Mar 13 2015 Stephen Gallagher 0.3.13-4
+- Remove per-edition config files
+- Decide on default configuration based on /etc/os-release
+
+* Mon Feb 23 2015 Jiri Popelka - 0.3.13-3
+- use python3 bindings on fedora >=23
+
+* Wed Jan 28 2015 Thomas Woerner - 0.3.13-2
+- enable python2 and python3 bindings for fedora >= 20 and rhel >= 7
+- use python3 bindings on fedora >= 22 and rhel >= 8 for firewalld,
+ firewall-config and firewall-applet
+
+* Thu Dec 04 2014 Jiri Popelka - 0.3.13-1
+- firewalld:
+ - ipXtables: use -w or -w2 if supported (RHBZ#1161745, RHBZ#1151067)
+ - DROP INVALID packets (RHBZ#1169837)
+ - don't use ipv6header for protocol matching. (RHBZ#1065565)
+ - removeAllPassthroughs(): remove passthroughs in reverse order (RHBZ#1167100)
+ - fix config.service.removeDestination() (RHBZ#1164584)
+- firewall-config:
+ - portProtoDialog: other protocol excludes port number/range
+ - better fix for updating zoneStore also in update_active_zones()
+ - fix typo in menu
+- configuration:
+ - new services: tinc, vdsm, mosh, iscsi-target, rsyncd
+ - ship and install XML Schema files. 
(#8)
+- man pages:
+ - firewalld.dbus, firewalld.direct, firewalld, firewall-cmd
+- spec file:
+ - filesystem subpackage
+ - make dirs&files in /usr/lib/ world-readable (RHBZ#915988)
+
+* Tue Oct 14 2014 Jiri Popelka - 0.3.12-1
+- firewalld:
+ - new runtimeToPermanent and tracked passsthrough support
+ - make permanent D-Bus interfaces more fine grained like the runtime versions (RHBZ#1127706)
+ - richLanguage: allow using destination with forward-port
+ - Rich_Rule.check(): action can't be used with icmp-block/forward-port/masquerade
+ - fixed Python specific D-Bus exception (RHBZ#1132441)
+- firewall-cmd:
+ - new --runtime-to-permanent to create permanent from runtime configuration
+ - use new D-Bus methods for permanent changes
+ - show target REJECT instead of %%REJECT%% (RHBZ#1058794)
+ - --direct: make fail messages consistent (RHBZ#1141835)
+- firewall-config:
+ - richRuleDialog - OK button tooltip indicates problem
+ - use new D-Bus methods for permanent changes
+ - show target REJECT instead of %%REJECT%% (RHBZ#1058794)
+ - update "Change Zones of Connections" menu on default zone change (RHBZ#11120212)
+ - fixed rename of zones, services and icmptypes to not create new entry (RBHZ#1131064)
+- configuration:
+ - new service for Squid HTTP proxy server
+ - new service for Kerberos admin server
+ - new services for syslog and syslog-tls
+ - new services for SNMP and SNMP traps
+ - add Keywords to .desktop to improve software searchability
+- docs:
+ - updated translations
+ - firewalld.richlanguage: improvements suggested by Rufe Glick
+ - firewalld.dbus: various improvements
+ - firewalld.zone: better description of Limit tag
+ - mention new homepage everywhere
+
+* Wed Aug 27 2014 Jiri Popelka - 0.3.11-3
+- Quiet systemctl if cups-browsed.service is not installed
+
+* Mon Aug 25 2014 Jiri Popelka - 0.3.11-2
+- add few Requires to spec (RHBZ#1133167)
+
+* Wed Aug 20 2014 Jiri Popelka - 0.3.11-1
+- firewalld:
+ - improve error messages
+ - check built-in 
chains in direct chain handling functions (RHBZ#1120619)
+ - dbus_to_python() check whether input is of expected type (RHBZ#1122018)
+ - handle negative timeout values (RHBZ#1124476)
+ - warn when Command/Uid/Use/Context already in lockdown whitelist (RHBZ#1126405)
+ - make --lockdown-{on,off} work again (RHBZ#1111573)
+- firewall-cmd:
+ - --timeout now accepts time units (RHBZ#994044)
+- firewall-config:
+ - show active (not default) zones in bold (RHBZ#993655)
+- configuration:
+ - remove ipp-client service from all zones (RHBZ#1105639).
+ - fallbacks for missing values in firewalld.conf
+ - create missing dirs under /etc if needed
+ - add -Es to python command in lockdown-whitelist.xml (RHBZ#1099065)
+- docs:
+ - 'direct' methods concern only chains/rules added via 'direct' (RHBZ#1120619)
+ - --remove-[interface/source] don't need a zone to be specified (RHBZ#1125851)
+ - various fixes in firewalld.zone(5), firewalld.dbus(5), firewalld.direct(5)
+- others:
+ - rpm macros for easier packaging of e.g. 
services
+
+* Tue Jul 22 2014 Thomas Woerner - 0.3.10-5
+- Fixed wrong default zone names for server and workstation (RHBZ#1120296)
+
+* Tue Jul 8 2014 Thomas Woerner - 0.3.10-4
+- renamed fedora specific zones to FedoraServer and FedoraWorkstation for
+ zone name limitations (length and allowed chars)
+
+* Mon Jul 7 2014 Thomas Woerner - 0.3.10-3
+- New support for Fedora per-product configuration settings for Fedora.next
+ https://fedoraproject.org/wiki/Per-Product_Configuration_Packaging_Draft
+- Added Fedora server zone (RHBZ#1110711)
+- Added Fedora workstation zone(RHBZ#1113775)
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.3.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Jiri Popelka - 0.3.10-1
+- new services: freeipa-*, puppermaster, amanda-k5, synergy,
+ xmpp-*, tor, privoxy, sane
+- do not use at_console in D-Bus policies (RHBZ#1094745)
+- apply all rich rules for non-default targets
+- AppData file (RHBZ#1094754)
+- separate Polkit actions for desktop & server (RHBZ#1091068)
+- sanitize missing ip6t_rpfilter (RHBZ#1074427)
+- firewall/core/io/*: few improvements (RHBZ#1065738)
+- no load failed error for absent direct.xml file
+- new DBUS_INTERFACE.getZoneSettings to get all run-time zone settings
+- fixed creation and deletion of zones, services and icmptypes over D-Bus signals
+- FirewallClientZoneSettings: Set proper default target
+- if Python2 then encode strings from sax parser (RHBZ#1059104, RHBZ#1058853)
+- firewall-cmd:
+ - don't colour output of query commands (RHBZ#1097841)
+ - use "default" instead of {chain}_{zone} (RHBZ#1075675)
+ - New --get-target and --set-target
+ - Create and remove permanent zones, services and icmptypes
+- firewall-config:
+ - Adding services and icmptypes resulted in duplicates in UI
+ - Use left button menu of -applet in Option menu
+- firewall-offline-cmd: same functionality as 'firewall-cmd --permanent'
+- firewall-applet: ZoneConnectionEditor was missing the 
Default Zone entry
+- bash-completion: getting zones/services/icmps is different with/without --permanent
+- firewalld.zone(5): removed superfluous slash (RHBZ#1091575)
+- updated translations
+
+* Wed Feb 05 2014 Jiri Popelka - 0.3.9.3-1
+- Fixed persistent port forwarding (RHBZ#1056154)
+- Stop default zone rules being applied to all zones (RHBZ#1057875)
+- Enforce trust, block and drop zones in the filter table only (RHBZ#1055190)
+- Allow RAs prior to applying IPv6_rpfilter (RHBZ#1058505)
+- Fix writing of rule.audit in zone_writer()
+
+* Fri Jan 17 2014 Jiri Popelka - 0.3.9.2-1
+- fix regression introduced in 0.3.9 (RHBZ#1053932)
+
+* Thu Jan 16 2014 Jiri Popelka - 0.3.9.1-1
+- fix regressions introduced in 0.3.9 (RHBZ#1054068, RHBZ#1054120)
+
+* Mon Jan 13 2014 Jiri Popelka - 0.3.9-1
+- translation updates
+- New IPv6_rpfilter setting to enable source address validation (RHBZ#847707)
+- Do not mix original and customized zones in case of target changes,
+ apply only used zones
+- firewall-cmd: fix --*_lockdown_whitelist_uid to work with uid 0
+- Don't show main window maximized. 
(RHBZ#1046811)
+- Use rmmod instead of 'modprobe -r' (RHBZ#1031102)
+- Deprecate 'enabled' attribute of 'masquerade' element
+- firewall-config: new zone was added twice to the list
+- firewalld.dbus(5)
+- Enable python shebang fix again
+- firewall/client: handle_exceptions: Use loop in decorator
+- firewall-offline-cmd: Do not mask firewalld service with disabled option
+- firewall-config: richRuleDialogActionRejectType Entry -> ComboBox
+- Rich_Rule: fix parsing of reject element (RHBZ#1027373)
+- Show combined zones in permanent configuration (RHBZ#1002016)
+- firewall-cmd(1): document exit code 2 and colored output (RHBZ#1028507)
+- firewall-config: fix RHBZ#1028853
+
+* Tue Nov 05 2013 Jiri Popelka - 0.3.8-1
+- fix memory leaks
+- New option --debug-gc
+- Python3 compatibility
+- Better non-ascii support
+- several firewall-config & firewall-applet fixes
+- New --remove-rules commands for firewall-cmd and removeRules methods for D-Bus
+- Fixed FirewallDirect.get_rules to return proper list
+- Fixed LastUpdatedOrderedDict.keys()
+- Enable rich rule usage in trusted zone (RHBZ#994144)
+- New error codes: INVALID_CONTEXT, INVALID_COMMAND, INVALID_USER and INVALID_UID
+
+* Thu Oct 17 2013 Jiri Popelka - 0.3.7-1
+- Don't fail on missing ip[6]tables/ebtables table. 
(RHBZ#967376)
+- bash-completion: --permanent --direct options
+- firewall/core/fw.py: fix checking for iptables & ip6tables (RHBZ#1017087)
+- firewall-cmd: use client's exception_handler instead of catching exceptions ourselves
+- FirewallClientZoneSettings: fix {add|remove|query}RichRule()
+- Extend amanda-client service with 10080/tcp (RHBZ#1016867)
+- Simplify Rich_Rule()_lexer() by using functions.splitArgs()
+- Fix encoding problems in exception handling (RHBZ#1015941)
+
+* Fri Oct 04 2013 Jiri Popelka - 0.3.6.2-1
+- firewall-offline-cmd: --forward-port 'toaddr' is optional (RHBZ#1014958)
+- firewall-cmd: fix variable name (RHBZ#1015011)
+
+* Thu Oct 03 2013 Jiri Popelka - 0.3.6.1-1
+- remove superfluous po files from archive
+
+* Wed Oct 02 2013 Jiri Popelka - 0.3.6-1
+- firewalld.richlanguage.xml: correct log levels (RHBZ#993740)
+- firewall-config: Make sure that all zone settings are updated properly on firewalld restart
+- Rich_Limit: Allow long representation for duration (RHBZ#994103
+- firewall-config: Show "Changes applied." after changes (RHBZ#993643)
+- Use own connection dialog to change zones for NM connections
+- Rename service cluster-suite to high-availability (RHBZ#885257)
+- Permanent direct support for firewall-config and firewall-cmd
+- Try to avoid file descriptor leaking (RHBZ#951900)
+- New functions to split and join args properly (honoring quotes)
+- firewall-cmd(1): 2 simple examples
+- Better IPv6 NAT checking.
+- Ship firewalld.direct(5). 
+
+* Mon Sep 30 2013 Jiri Popelka - 0.3.5-1
+- Only use one PK action for configuration (RHBZ#994729)
+- firewall-cmd: indicate non-zero exit code with red color
+- rich-rule: enable to have log without prefix & log_level & limit
+- log-level warn/err -> warning/error (RHBZ#1009436)
+- Use policy DROP while reloading, do not reset policy in restart twice
+- Add _direct chains to all table and chain combinations
+- documentation improvements
+- New firewalld.direct(5) man page docbook source
+- tests/firewall-cmd_test.sh: make rich language tests work
+- Rich_Rule._import_from_string(): improve error messages (RHBZ#994150)
+- direct.passthrough wasn't always matching out_signature (RHBZ#967800)
+- firewall-config: twist ICMP Type IP address family logic.
+- firewall-config: port-forwarding/masquerading dialog (RHBZ#993658)
+- firewall-offline-cmd: New --remove-service= option (BZ#969106)
+- firewall-config: Options->Lockdown was not changing permanent.
+- firewall-config: edit line on doubleclick (RHBZ#993572)
+- firewall-config: System Default Zone -> Default Zone (RHBZ#993811)
+- New direct D-Bus interface, persistent direct rule handling, enabled passthough
+- src/firewall-cmd: Fixed help output to use more visual parameters
+- src/firewall-cmd: New usage output, no redirection to man page anymore
+- src/firewall/core/rich.py: Fixed forwad port destinations
+- src/firewall-offline-cmd: Early enable/disable handling now with mask/unmask
+- doc/xml/firewalld.zone.xml: Added more information about masquerade use
+- Prefix to log message is optional (RHBZ#998079)
+- firewall-cmd: fix --permanent --change-interface (RHBZ#997974)
+- Sort zones/interfaces/service/icmptypes on output. 
+- wbem-https service (RHBZ#996668)
+- applet&config: add support for KDE NetworkManager connection editor
+- firewall/core/fw_config.py: New method update_lockdown_whitelist
+- Added missing file watcher for lockdown whitelist in config D-Bus interface
+- firewall/core/watcher: New add_watch_file for lockdown-whitelist and direct
+- Make use of IPv6 NAT conditional, based on kernel number (RHBZ#967376)
+
+* Tue Jul 30 2013 Thomas Woerner 0.3.4-1
+- several rich rule check enhancements and fixes
+- firewall-cmd: direct options - check ipv4|ipv6|eb (RHBZ#970505)
+- firewall-cmd(1): improve description of direct options (RHBZ#970509)
+- several firewall-applet enhancements and fixes
+- New README
+- several doc and man page fixes
+- Service definitions for PCP daemons (RHBZ#972262)
+- bash-completion: add lockdown and rich language options
+- firewall-cmd: add --permanent --list-all[-zones]
+- firewall-cmd: new -q/--quiet option
+- firewall-cmd: warn when default zone not active (RHBZ#971843)
+- firewall-cmd: check priority in --add-rule (RHBZ#914955)
+- add dhcpv6 (for server) service (RHBZ#917866)
+- firewall-cmd: add --permanent --get-zone-of-interface/source --change-interface/source
+- firewall-cmd: print result (yes/no) of all --query-* commands
+- move permanent-getZoneOf{Interface|Source} from firewall-cmd to server
+- Check Interfaces/sources when updating permanent zone settings. 
+- FirewallDConfig: getZoneOfInterface/Source can actually return more zones
+- Fixed toaddr check in forward port to only allow single address, no range
+- firewall-cmd: various output improvements
+- fw_zone: use check_single_address from firewall.functions
+- getZoneOfInterface/Source does not need to throw exception
+- firewall.functions: Use socket.inet_pton in checkIP, fixed checkIP*nMask
+- firewall.core.io.service: Properly check port/proto and destination address
+- Install applet desktop file into /etc/xdg/autostart
+- Fixed option problem with rich rule destinations (RHBZ#979804)
+- Better exception creation in dbus_handle_exceptions() decorator (RHBZ#979790)
+- Updated firewall-offline-cmd
+- Use priority in add, remove, query and list of direct rules (RHBZ#979509)
+- New documentation (man pages are created from docbook sources)
+- firewall/core/io/direct.py: use prirority for rule methods, new get_all_ methods
+- direct: pass priority also to client.py and firewall-cmd
+- applet: New blink and blink-count settings
+- firewall.functions: New function ppid_of_pid
+- applet: Check for gnome3 and fix it, use new settings, new size-changed cb
+- firewall-offline-cmd: Fix use of systemctl in chroot
+- firewall-config: use string.ascii_letters instead of string.letters
+- dbus_to_python(): handle non-ascii chars in dbus.String.
+- Modernize old syntax constructions.
+- dict.keys() in Python 3 returns a "view" instead of list
+- Use gettext.install() to install _() in builtins namespace. 
+- Allow non-ascii chars in 'short' and 'description'
+- README: More information for "Working With The Source Repository"
+- Build environment fixes
+- firewalld.spec: Added missing checks for rhel > 6 for pygobject3-base
+- firewall-applet: New setting show-inactive
+- Don't stop on reload when lockdown already enabled (RHBZ#987403)
+- firewall-cmd: --lockdown-on/off did not touch firewalld.conf
+- FirewallApplet.gschema.xml: Dropped unused sender-info setting
+- doc/firewall-applet.xml: Added information about gsettings
+- several debug and log message fixes
+- Add chain for sources so they can be checked before interfaces (RHBZ#903222)
+- Add dhcp and proxy-dhcp services (RHBZ#986947)
+- io/Zone(): don't error on deprecated family attr of source elem
+- Limit length of zone file name (to 12 chars) due to Netfilter internals.
+- It was not possible to overload a zone with defined source(s).
+- DEFAULT_ZONE_TARGET: {chain}_ZONE_{zone} -> {chain}_{zone}
+- New runtime getSettings for services and icmptypes, fixed policies callbacks
+- functions: New functions checkUser, checkUid and checkCommand
+- src/firewall/client: Fixed lockdown-whitelist-updated signal handling
+- firewall-cmd(1): move firewalld.richlanguage(5) reference in --*-rich-rule
+- Rich rule service: Only add modules for accept action
+- firewall/core/rich: Several fixes and enhanced checks
+- Fixed reload of direct rules
+- firewall/client: New functions to set and get the exception handler
+- firewall-config: New and enhanced UI to handle lockdown and rich rules
+- zone's immutable attribute is redundant
+- Do not allow to set settings in config for immutable zones.
+- Ignore deprecated 'immutable' attribute in zone files.
+- Eviscerate 'immutable' completely. 
+- FirewallDirect.query_rule(): fix it
+- permanent direct: activate firewall.core.io.direct:Direct reader
+- core/io/*: simplify getting of character data
+- FirewallDirect.set_config(): allow reloading
+
+* Thu Jun 20 2013 Jiri Popelka
+- Remove migrating to a systemd unit file from a SysV initscript
+- Remove pointless "ExclusiveOS" tag
+
+* Fri Jun 7 2013 Thomas Woerner 0.3.3-2
+- Fixed rich rule check for use in D-Bus
+
+* Thu Jun 6 2013 Thomas Woerner 0.3.3-1
+- new service files
+- relicensed logger.py under GPLv2+
+- firewall-config: sometimes we don't want to use client's exception handler
+- When removing Service/IcmpType remove it from zones too (RHBZ#958401)
+- firewall-config: work-around masquerade_check_cb() being called more times
+- Zone(IO): add interfaces/sources to D-Bus signature
+- Added missing UNKNOWN_SOURCE error code
+- fw_zone.check_source: Raise INVALID_FAMILY if family is invalid
+- New changeZoneOfInterface method, marked changeZone as deprecated
+- Fixed firewall-cmd man page entry for --panic-on
+- firewall-applet: Fixed possible problems of unescaped strings used for markup
+- New support to bind zones to source addresses and ranges (D-BUS, cmd, applet
+- Cleanup of unused variables in FirewallD.start
+- New firewall/fw_types.py with LastUpdatedOrderedDict
+- direct.chains, direct.rules: Using LastUpdatedOrderedDict
+- Support splitted zone files
+- New reader and writer for stored direct chains and rules
+- LockdownWhitelist: fix write(), add get_commands/uids/users/contexts()
+- fix service_writer() and icmptype_writer() to put newline at end of file
+- firewall-cmd: fix --list-sources
+- No need to specify whether source address family is IPv4 or IPv6
+- add getZoneOfSource() to D-Bus interface
+- Add tests and bash-completion for the new "source" operations
+- Convert all input args in D-Bus methods
+- setDefaultZone() was calling accessCheck() *after* the action
+- New uniqify() function to remove duplicates from list whilst 
preserving order
+- Zone.combine() merge also services and ports
+- config/applet: silence DBusException during start when FirewallD is not running (RHBZ#966518)
+- firewall-applet: more fixes to make the address sources family agnostic
+- Better defaults for lockdown white list
+- Use auth_admin_keep for allow_any and allow_inactive also
+- New D-Bus API for lockdown policies
+- Use IPv4, IPv6 and BRIDGE for FirewallD properties
+- Use rich rule action as audit type
+- Prototype of string-only D-Bus interface for rich language
+- Fixed wrongly merged source family check in firewall/core/io/zone.py
+- handle_cmr: report errors, cleanup modules in error case only, mark handling
+- Use audit type from rule action, fixed rule output
+- Fixed lockdown whitelist D-Bus handling method names
+- New rich rule handling in runtime D-Bus interface
+- Added interface, source and rich rule handling (runtime and permanent)
+- Fixed dbus_obj in FirewallClientConfigPolicies, added queryLockdown
+- Write changes in setLockdownWhitelist
+- Fixed typo in policies log message in method calls
+- firewall-cmd: Added rich rule, lockdown and lockdown whitelist handling
+- Don't check access in query/getLockdownWhitelist*()
+- firewall-cmd: Also output masquerade flag in --list-all
+- firewall-cmd: argparse is able to convert argument to desired type itself
+- firewall-cmd_test.sh: tests for permanent interfaces/sources and lockdown whitelist
+- Makefile.am: add missing files
+- firewall-cmd_test.sh: tests for rich rules
+- Added lockdown, source, interface and rich rule docs to firewall-cmd
+- Do not masquerade lo if masquerade is enabled in the default zone (RHBZ#904098)
+- Use in metavar for firewall-cmd parser
+
+* Fri May 10 2013 Jiri Popelka - 0.3.2-2
+- removed unintentional en_US.po from tarball
+
+* Tue Apr 30 2013 Jiri Popelka - 0.3.2-1
+- Fix signal handling for SIGTERM
+- Additional service files (RHBZ#914859)
+- Updated po files
+- s/persistent/permanent/ (Trac Ticket #7)
+- 
Better behaviour when running without valid DISPLAY (RHBZ#955414)
+- client.handle_exceptions(): do not loop forever
+- Set Zone.defaults in zone_reader (RHBZ#951747)
+- client: do not pass the dbus exception name to handler
+- IO_Object_XMLGenerator: make it work with Python 2.7.4 (RHBZ#951741)
+- firewall-cmd: do not use deprecated BaseException.message
+- client.py: fix handle_exceptions() (RHBZ#951314)
+- firewall-config: check zone/service/icmptype name (RHBZ#947820)
+- Allow 3121/tcp (pacemaker_remote) in cluster-suite service. (RHBZ#885257)
+- firewall-applet: fix default zone hangling in 'shields-up' (RHBZ#947230)
+- FirewallError.get_code(): check for unknown error
+
+* Wed Apr 17 2013 Jiri Popelka - 0.3.1-2
+- Make permanenent changes work with Python 2.7.4 (RHBZ#951741)
+
+* Thu Mar 28 2013 Thomas Woerner 0.3.1-1
+- Use explicit file lists for make dist
+- New rich rule validation check code
+- New global check_port and check_address functions
+- Allow source white and black listing with the rich rule
+- Fix error handling in case of unsupported family in rich rule
+- Enable ip_forwarding in masquerade and forward-port
+- New functions to read and write simple files using filename and content
+- Add --enable-sysconfig to install Fedora-specific sysconfig config file.
+- Add chains for security table (RHBZ#927015)
+- firewalld.spec: no need to specify --with-systemd-unitdir
+- firewalld.service: remove syslog.target and dbus.target
+- firewalld.service: replace hard-coded paths
+- Move bash-completion to new location. 
+- Revert "Added configure for new build env"
+- Revert "Added Makefile.in files"
+- Revert "Added po/Makefile.in.in"
+- Revert "Added po/LINGUAS"
+- Revert "Added aclocal.m4"
+- Amend zone XML Schema
+
+* Wed Mar 20 2013 Thomas Woerner 0.3.0-1
+- Added rich language support
+- Added lockdown feature
+- Allow to bind interfaces and sources to zones permanently
+- Enabled IPv6 NAT support
+ masquerading and port/packet forwarding for IPv6 only with rich language
+- Handle polkit errors in client class and firewall-config
+- Added priority description for --direct --add-rule in firewall-cmd man page
+- Add XML Schemas for zones/services/icmptypes XMLs
+- Don't keep file descriptors open when forking
+- Introduce --nopid option for firewalld
+- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782)
+- Update cluster-suite service (RHBZ#885257)
+- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912)
+- Fix interaction problem of changed event of gtk combobox with polkit-kde
+ by processing all remaining events (RHBZ#915892)
+- Stop default zone rules being applied to all zones (RHBZ#912782)
+- Firewall.start(): don't call set_default_zone()
+- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages
+- firewalld-cmd: make --state verbose (RHBZ#886484)
+- improve firewalld --help (RHBZ#910492)
+- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834)
+- Continue loading zone in case of wrong service/port etc. (RHBZ#909466)
+- Check also services and icmptypes in Zone() (RHBZ#909466)
+- Increase the maximum length of the port forwarding fields from 5 to 11 in
+ firewall-config
+- firewall-cmd: add usage to fail message
+- firewall-cmd: redefine usage to point to man page
+- firewall-cmd: fix visible problems with arg. 
parsing +- Use argparse module for parsing command line options and arguments +- firewall-cmd.1: better clarify where to find ACTIONs +- firewall-cmd Bash completion +- firewall-cmd.1: comment --zone= usage and move some options +- Use zone's target only in %%s_ZONES chains +- default zone in firewalld.conf was set to public with every restart (#902845) +- man page cleanup +- code cleanup + +* Thu Mar 07 2013 Jiri Popelka - 0.2.12-5 +- Another fix for RHBZ#912782 + +* Wed Feb 20 2013 Jiri Popelka - 0.2.12-4 +- Stop default zone rules being applied to all zones (RHBZ#912782) + +* Wed Feb 13 2013 Fedora Release Engineering - 0.2.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Jan 22 2013 Jiri Popelka - 0.2.12-2 +- Default zone in firewalld.conf was reseted with every restart (RHBZ#902845) +- Add icon cache related scriptlets for firewall-config (RHBZ#902680) +- Fix typo in firewall-config (RHBZ#895812) +- Fix few mistakes in firewall-cmd(1) man page + +* Mon Jan 14 2013 Thomas Woerner 0.2.12-1 +- firewall-cmd: use -V instead of -v for version info (RHBZ#886477) +- firewall-cmd: don't check reload()'s return value (RHBZ#886461) +- actually install firewalld.zones.5 +- firewall-config: treat exceptions when adding new zone/service/icmp + (RHBZ#886602) +- firewalld.spec: Fixed requirements of firewall-config to use gtk2 and + pygobject3 +- Fail gracefully when running in non X environment.(RHBZ#886551) +- offline-cmd: fail gracefully when no s-c-f config +- fix duplicated iptables rules (RHBZ#886515) +- detect errors and duplicates in config file (RHBZ#886581) +- firewall-config: don't make 'Edit Service' and 'Edit ICMP Type' insensitive +- firewalld.spec: fixed requirements, require pygobject3-base +- frewall-applet: Unused code cleanup +- firewall-applet: several usability fixes and enhancements + (RHBZ#886531) (RHBZ#886534) +- firewall/server/server.py: fixed KeyboardInterrupt message (RHBZ#886558) +- Moved fallback zone and 
minimal_mark to firewall.config.__init__ +- Do not raise ZONE_ALREADY_SET in change_zone if old zone is set again + (RHBZ#886432) +- Make default zone default for all unset connections/interfaces + (RHBZ#888288) (RHBZ#882736) +- firewall-config: Use Gtk.MessageType.WARNING for warning dialog +- firewall-config: Handle unknown services and icmptypes in persistent mode +- firewall-config: Do not load settings more than once +- firewall-config: UI cleanup and fixes (RHBZ#888242) +- firewall-cmd: created alias --change-zone for --change-interface +- firewall-cmd man page updates (RHBZ#806511) +- Merged branch 'build-cleanups' +- dropped call to autogen.sh in build stage, not needed anymore due to + 'build-cleanups' merge + +* Thu Dec 13 2012 Thomas Woerner 0.2.11-2 +- require pygobject3-base instead of pygobject3 (no cairo needed) (RHBZ#874378) +- fixed dependencies of firewall-config to use gtk3 with pygobject3-base and + not pygtk2 + +* Tue Dec 11 2012 Thomas Woerner 0.2.11-1 +- Fixed more _xmlplus (PyXML) incompatibilities to python xml +- Several man page updates +- Fixed error in addForwardPort, removeForwardPort and queryForwardPort +- firewall-cmd: use already existing queryForwardPort() +- Update firewall.cmd man page, use man page as firewall-cmd usage (rhbz#876394) +- firewall-config: Do not force to show labels in the main toolbar +- firewall-config: Dropped "Change default zone" from toolbar +- firewall-config: Added menu entry to change zones of connections +- firewall-applet: Zones can be changed now using nm-connection-editor + (rhbz#876661) +- translation updates: cs, hu, ja + +* Tue Nov 20 2012 Thomas Woerner 0.2.10-1 +- tests/firewalld_config.py: tests for config.service and config.icmptype +- FirewallClientConfigServiceSettings(): destinations are dict not list +- service/zone/icmptype: do not write deprecated name attribute +- New service ntp +- firewall-config: Fixed name of about dialog +- configure.in: Fixed getting of error codes +- Added coding 
to all pyhton files +- Fixed copyright years +- Beautified file headers +- Force use of pygobject3 in python-slip (RHBZ#874378) +- Log: firewall.server.config_icmptype, firewall.server.config_service and + firewall.server.config_zone: Prepend full path +- Allow ":" in interface names for interface aliases +- Add name argument to Updated and Renamed signal +- Disable IPv4, IPv6 and EB tables if missing - for IPv4/IPv6 only environments +- firewall-config.glade file cleanup +- firewall-config: loadDefaults() can throw exception +- Use toolbars for Add/Edit/Remove/LoadDefaults buttons for zones, services + and icmp types +- New vnc-server service, opens ports for displays :0 to :3 (RHBZ#877035) +- firewall-cmd: Fix typo in help output, allow default zone usage for + permanenent options +- Translation updates: cs, fr, ja, pt_BR and zh_CN + +* Wed Oct 17 2012 Thomas Woerner 0.2.9-1 +- firewall-config: some UI usability changes +- firewall-cmd: New option --list-all-zones, output of --list-all changed, + more option combination checks +- firewall-applet: Replaced NMClient by direct DBUS calls to fix python core + dumps in case of connection activates/deactivates +- Use fallback 'C' locale if current locale isn't supported (RHBZ#860278) +- Add interfaces to zones again after reload +- firewall-cmd: use FirewallClient().connected value +- firewall-cmd: --remove-interface was not working due to a typo +- Do not use restorecon for new and backup files +- Fixed use of properties REJECT and DROP +- firewalld_test.py: check interfaces after reload +- Translation updates +- Renamed firewall-convert-scfw-config to firewall-offline-cmd, used by + anaconda for firewall configuration (e.g. 
kickstart) +- Fix python shebang to use -Es at installation time for bin_SCRIPTS and + sbin_SCRIPTS and at all times in gtk3_chooserbutton.py +- tests/firewalld_config.py: update test_zones() test case +- Config interface: improve renaming of zones/services/icmp_types +- Move emiting of Added signals closer to source. +- FirewallClient(): config:ServiceAdded signal was wrongly mapped +- Add argument 'name' to Removed signal +- firewall-config: Add callbacks for config:[service|icmp]-[added|removed] +- firewall-config: catch INVALID_X error when removing zone/service/icmp_type +- firewall-config: remove unused code +- Revert "Neutralize _xmlplus instead of conforming it" +- firewall-applet: some UI usability changes +- firewall-cmd: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings + +* Fri Sep 7 2012 Thomas Woerner 0.2.8-1 +- Do not apply old settings to zones after reload +- FirewallClient: Added callback structure for firewalld signals +- New firewall-config with full zone, service and icmptype support +- Added Shields Up/Down configuration dialog to firewall-applet +- Name attribute of main tag deprecated for zones, services and icmptypes, + will be ignored if present +- Fixed wrong references in firewalld man page +- Unregister DBus interfaces after sending out the Removed signal +- Use proper DBus signature in addIcmpType, addService and addZone +- New builtin property for config interfaces +- New test case for Config interface +- spec: use new systemd-rpm macros (rhbz#850110) +- More config file verifications +- Lots of smaller fixes and enhancements + +* Tue Aug 21 2012 Jiri Popelka 0.2.7-2 +- use new systemd-rpm macros (rhbz#850110) + +* Mon Aug 13 2012 Thomas Woerner 0.2.7-1 +- Update of firewall-config +- Some bug fixes + +* Tue Aug 7 2012 Thomas Woerner 0.2.6-1 +- New D-BUS interface for persistent configuration +- Aded support for persistent zone configuration in firewall-cmd +- New Shields Up feature in firewall-applet +- New requirements for 
python-decorator and pygobject3 +- New firewall-config sub-package +- New firewall-convert-scfw-config config script + +* Fri Apr 20 2012 Thomas Woerner 0.2.5-1 +- Fixed traceback in firewall-cmd for failed or canceled authorization, + return proper error codes, new error codes NOT_RUNNING and NOT_AUTHORIZED +- Enhanced firewalld service file (RHBZ#806868) and (RHBZ#811240) +- Fixed duplicates in zone after reload, enabled timed settings after reload +- Removed conntrack --ctstate INVALID check from default ruleset, because it + results in ICMP problems (RHBZ#806017). +- Update interfaces in default zone after reload (rhbz#804814) +- New man pages for firewalld(1), firewalld.conf(5), firewalld.icmptype(5), + firewalld.service(5) and firewalld.zone(5), updated firewall-cmd man page + (RHBZ#811257) +- Fixed firewall-cmd help output +- Fixed missing icon for firewall-applet (RHBZ#808759) +- Added root user check for firewalld (RHBZ#767654) +- Fixed requirements of firewall-applet sub package (RHBZ#808746) +- Update interfaces in default zone after changing of default zone (RHBZ#804814) +- Start firewalld before NetworkManager (RHBZ#811240) +- Add Type=dbus and BusName to service file (RHBZ#811240) + +* Fri Mar 16 2012 Thomas Woerner 0.2.4-1 +- fixed firewalld.conf save exception if no temporary file can be written to + /etc/firewalld/ + +* Thu Mar 15 2012 Thomas Woerner 0.2.3-1 +- firewall-cmd: several changes and fixes +- code cleanup +- fixed icmp protocol used for ipv6 (rhbz#801182) +- added and fixed some comments +- properly restore zone settings, timeout is always set, check for 0 +- some FirewallError exceptions were actually not raised +- do not REJECT in each zone +- removeInterface() don't require zone +- new tests in firewall-test script +- dbus_to_python() was ignoring certain values +- added functions for the direct interface: chains, rules, passthrough +- fixed inconsistent data after reload +- some fixes for the direct interface: priority positions are 
bound to ipv, + table and chain +- added support for direct interface in firewall-cmd: +- added isImmutable(zone) to zone D-Bus interface +- renamed policy file +- enhancements for error messages, enables output for direct.passthrough +- added allow_any to firewald policies, using at leas auth_admin for policies +- replaced ENABLE_FAILED, DISABLE_FAILED, ADD_FAILED and REMOVE_FAILED by + COMMAND_FAILED, resorted error codes +- new firewalld configuration setting CleanupOnExit +- enabled polkit again, found a fix for property problem with slip.dbus.service +- added dhcpv6-client to 'public' (the default) and to 'internal' zones. +- fixed missing settings form zone config files in + "firewall-cmd --list=all --zone=" call +- added list functions for services and icmptypes, added --list=services and + --list=icmptypes to firewall-cmd + +* Tue Mar 6 2012 Thomas Woerner 0.2.2-1 +- enabled dhcpv6-client service for zones home and work +- new dhcpv6-client service +- firewall-cmd: query mode returns reversed values +- new zone.changeZone(zone, interface) +- moved zones, services and icmptypes to /usr/lib/firewalld, can be overloaded + by files in /etc/firewalld (no overload of immutable zones block, drop, + trusted) +- reset MinimalMark in firewalld.cnf to default value +- fixed service destination (addresses not used) +- fix xmlplus to be compatible with the python xml sax parser and python 3 + by adding __contains__ to xml.sax.xmlreader.AttributesImpl +- use icon and glib related post, postun and posttrans scriptes for firewall +- firewall-cmd: fix typo in state +- firewall-cmd: fix usage() +- firewall-cmd: fix interface action description in usage() +- client.py: fix definition of queryInterface() +- client.py: fix typo in getInterfaces() +- firewalld.service: do not fork +- firewall-cmd: fix bug in --list=port and --port action help message +- firewall-cmd: fix bug in --list=service + +* Mon Mar 5 2012 Thomas Woerner +- moved zones, services and icmptypes to 
/usr/lib/firewalld, can be overloaded + by files in /etc/firewalld (no overload of immutable zones block, drop, + trusted) + +* Tue Feb 21 2012 Thomas Woerner 0.2.1-1 +- added missing firewall.dbus_utils + +* Tue Feb 7 2012 Thomas Woerner 0.2.0-2 +- added glib2-devel to build requires, needed for gsettings.m4 +- added --with-system-unitdir arg to fix installaiton of system file +- added glib-compile-schemas calls for postun and posttrans +- added EXTRA_DIST file lists + +* Mon Feb 6 2012 Thomas Woerner 0.2.0-1 +- version 0.2.0 with new FirewallD1 D-BUS interface +- supports zones with a default zone +- new direct interface as a replacement of the partial virt interface with + additional passthrough functionality +- dropped custom rules, use direct interface instead +- dropped trusted interface funcionality, use trusted zone instead +- using zone, service and icmptype configuration files +- not using any system-config-firewall parts anymore + +* Mon Feb 14 2011 Thomas Woerner 0.1.3-1 +- new version 0.1.3 +- restore all firewall features for reload: panic and virt rules and chains +- string fixes for firewall-cmd man page (by Jiri Popelka) +- fixed firewall-cmd port list (by Jiri Popelka) +- added firewall dbus client connect check to firewall-cmd (by Jiri Popelka) +- translation updates: de, es, gu, it, ja, kn, ml, nl, or, pa, pl, ru, ta, + uk, zh_CN + +* Mon Jan 3 2011 Thomas Woerner 0.1.2-1 +- fixed package according to package review (rhbz#665395): + - non executable scripts: dropped shebang + - using newer GPL license file + - made /etc/dbus-1/system.d/FirewallD.conf config(noreplace) + - added requires(post) and (pre) for chkconfig + +* Mon Jan 3 2011 Thomas Woerner 0.1.1-1 +- new version 0.1.1 +- fixed source path in POTFILES* +- added missing firewall_config.py.in +- added misssing space for spec_ver line +- using firewall_config.VARLOGFILE +- added date to logging output +- also log fatal and error logs to stderr and firewall_config.VARLOGFILE +- make log 
message for active_firewalld fatal + +* Mon Dec 20 2010 Thomas Woerner 0.1-1 +- initial package (proof of concept implementation)