diff --git a/.firewalld.metadata b/.firewalld.metadata
new file mode 100644
index 0000000..dbe84f5
--- /dev/null
+++ b/.firewalld.metadata
@@ -0,0 +1 @@
+5b1dd4910af6623b5e5025b19e24965e30f0d3b6 SOURCES/firewalld-0.4.4.4.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1b5f714
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/firewalld-0.4.4.4.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/firewalld-0.4.4.3-exclude_firewallctl_rhbz#1374799.patch b/SOURCES/firewalld-0.4.4.3-exclude_firewallctl_rhbz#1374799.patch
new file mode 100644
index 0000000..f729006
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.3-exclude_firewallctl_rhbz#1374799.patch
@@ -0,0 +1,46 @@
+diff -up firewalld-0.4.4.3/doc/man/man1/Makefile.am.exclude_firewallctl_rhbz#1374799 firewalld-0.4.4.3/doc/man/man1/Makefile.am
+--- firewalld-0.4.4.3/doc/man/man1/Makefile.am.exclude_firewallctl_rhbz#1374799 2016-12-16 13:35:59.000000000 +0100
++++ firewalld-0.4.4.3/doc/man/man1/Makefile.am 2017-02-08 19:20:18.109073530 +0100
+@@ -1,3 +1,8 @@
+ EXTRA_DIST = $(man_MANS)
+
+-man_MANS = firewall*.1
++man_MANS = \
++ firewall-applet.1 \
++ firewall-cmd.1 \
++ firewall-config.1 \
++ firewalld.1 \
++ firewall-offline-cmd.1
+diff -up firewalld-0.4.4.3/doc/xml/Makefile.am.exclude_firewallctl_rhbz#1374799 firewalld-0.4.4.3/doc/xml/Makefile.am
+--- firewalld-0.4.4.3/doc/xml/Makefile.am.exclude_firewallctl_rhbz#1374799 2016-10-31 10:19:14.000000000 +0100
++++ firewalld-0.4.4.3/doc/xml/Makefile.am 2017-02-08 19:16:45.904176658 +0100
+@@ -11,7 +11,6 @@ man1_MANS = \
+ ../man/man1/firewall-applet.1 \
+ ../man/man1/firewall-cmd.1 \
+ ../man/man1/firewall-config.1 \
+- ../man/man1/firewallctl.1 \
+ ../man/man1/firewalld.1 \
+ ../man/man1/firewall-offline-cmd.1
+
+diff -up firewalld-0.4.4.3/doc/xml/seealso.xml.exclude_firewallctl_rhbz#1374799 firewalld-0.4.4.3/doc/xml/seealso.xml
+--- firewalld-0.4.4.3/doc/xml/seealso.xml.exclude_firewallctl_rhbz#1374799 2016-10-31 10:19:14.000000000 +0100
++++ firewalld-0.4.4.3/doc/xml/seealso.xml 2017-02-08 19:16:45.904176658 +0100
+@@ -29,7 +29,6 @@
+ firewalld1
+ firewall-cmd1
+ firewall-config1
+- firewallctl1
+ firewalld.conf5
+ firewalld.direct5
+ firewalld.dbus5
+diff -up firewalld-0.4.4.3/src/Makefile.am.exclude_firewallctl_rhbz#1374799 firewalld-0.4.4.3/src/Makefile.am
+--- firewalld-0.4.4.3/src/Makefile.am.exclude_firewallctl_rhbz#1374799 2017-02-08 17:51:00.000000000 +0100
++++ firewalld-0.4.4.3/src/Makefile.am 2017-02-08 19:16:45.904176658 +0100
+@@ -1,6 +1,6 @@
+ SUBDIRS = icons
+
+-dist_bin_SCRIPTS = firewall-applet firewall-cmd firewall-offline-cmd firewall-config firewallctl
++dist_bin_SCRIPTS = firewall-applet firewall-cmd firewall-offline-cmd firewall-config
+ dist_sbin_SCRIPTS = firewalld
+
+ gladedir = $(pkgdatadir)
diff --git a/SOURCES/firewalld-0.4.4.3-qt4_applet.patch b/SOURCES/firewalld-0.4.4.3-qt4_applet.patch
new file mode 100644
index 0000000..8cfad1e
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.3-qt4_applet.patch
@@ -0,0 +1,449 @@
+diff -up firewalld-0.4.4.3/src/firewall-applet.qt4_applet firewalld-0.4.4.3/src/firewall-applet
+--- firewalld-0.4.4.3/src/firewall-applet.qt4_applet 2017-01-26 13:07:25.000000000 +0100
++++ firewalld-0.4.4.3/src/firewall-applet 2017-02-08 19:13:03.196185899 +0100
+@@ -21,14 +21,14 @@
+ #
+
+ import sys
+-from PyQt5 import QtGui, QtCore, QtWidgets
++from PyQt4 import QtGui, QtCore
+
+ import gi
+ gi.require_version('Notify', '0.7')
+ from gi.repository import Notify
+
+ import os
+-from dbus.mainloop.pyqt5 import DBusQtMainLoop
++from dbus.mainloop.qt import DBusQtMainLoop
+ import functools
+
+ from firewall.config import *
+@@ -74,20 +74,21 @@ def escape(text):
+ return text
+
+ def fromUTF8(text):
+- if PY2 and QtCore.QT_VERSION < 0x050000:
++ if PY2:
+ return QtCore.QString.fromUtf8(text)
+- return text
++ else:
++ return text
+
+ # ZoneInterfaceEditor #########################################################
+
+-class ZoneInterfaceEditor(QtWidgets.QDialog):
++class ZoneInterfaceEditor(QtGui.QDialog):
+ def __init__(self, fw, interface, zone):
+ self.fw = fw
+ self.interface = interface
+ self.zone = None
+ self.title = _("Select zone for interface '%s'") % self.interface
+
+- QtWidgets.QDialog.__init__(self)
++ QtGui.QDialog.__init__(self)
+ self.create_ui(zone)
+
+ def create_ui(self, zone):
+@@ -96,19 +97,19 @@ class ZoneInterfaceEditor(QtWidgets.QDia
+
+ self.resize(100, 50)
+
+- vbox = QtWidgets.QVBoxLayout()
++ vbox = QtGui.QVBoxLayout()
+ vbox.setSpacing(6)
+
+- label = QtWidgets.QLabel(fromUTF8(escape(self.title)))
++ label = QtGui.QLabel(fromUTF8(escape(self.title)))
+ vbox.addWidget(label)
+
+- self.combo = QtWidgets.QComboBox()
++ self.combo = QtGui.QComboBox()
+ self.fill_zone_combo()
+ vbox.addWidget(self.combo)
+
+- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
+- | QtWidgets.QDialogButtonBox.Cancel)
+- self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
++ buttonBox = QtGui.QDialogButtonBox(QtGui.QDialogButtonBox.Ok
++ | QtGui.QDialogButtonBox.Cancel)
++ self.ok_button = buttonBox.button(QtGui.QDialogButtonBox.Ok)
+ buttonBox.accepted.connect(self.ok)
+ buttonBox.rejected.connect(self.hide)
+ vbox.addWidget(buttonBox)
+@@ -160,7 +161,7 @@ class ZoneConnectionEditor(ZoneInterface
+ self.zone = None
+ self.title = _("Select zone for connection '%s'") % self.connection
+
+- QtWidgets.QDialog.__init__(self)
++ QtGui.QDialog.__init__(self)
+ self.create_ui(zone)
+
+ def ok(self):
+@@ -169,7 +170,7 @@ class ZoneConnectionEditor(ZoneInterface
+ nm_set_zone_of_connection(self.get_zone(), self.connection)
+ except Exception as msg:
+ text = _("Failed to set zone {zone} for connection {connection}")
+- QtWidgets.QMessageBox.warning(None, fromUTF8(escape(self.title)),
++ QtGui.QMessageBox.warning(None, fromUTF8(escape(self.title)),
+ escape(text.format(
+ zone=self.get_zone(),
+ connection=self.connection)))
+@@ -184,7 +185,7 @@ class ZoneSourceEditor(ZoneInterfaceEdit
+ self.zone = None
+ self.title = _("Select zone for source '%s'") % self.source
+
+- QtWidgets.QDialog.__init__(self)
++ QtGui.QDialog.__init__(self)
+ self.create_ui(zone)
+
+ def ok(self):
+@@ -193,7 +194,7 @@ class ZoneSourceEditor(ZoneInterfaceEdit
+
+ # ShieldsEditor #########################################################
+
+-class ShieldsEditor(QtWidgets.QDialog):
++class ShieldsEditor(QtGui.QDialog):
+ def __init__(self, fw, settings, shields_up, shields_down):
+ self.fw = fw
+ self.settings = settings
+@@ -201,63 +202,63 @@ class ShieldsEditor(QtWidgets.QDialog):
+ self.shields_down = shields_down
+ self.title = _("Configure Shields Up/Down Zones")
+
+- QtWidgets.QDialog.__init__(self)
++ QtGui.QDialog.__init__(self)
+ self.create_ui()
+
+ def create_ui(self):
+ self.setWindowTitle(fromUTF8(escape(self.title)))
+ self.rejected.connect(self.hide)
+
+- vbox = QtWidgets.QVBoxLayout()
++ vbox = QtGui.QVBoxLayout()
+ vbox.setSpacing(6)
+
+- label = QtWidgets.QLabel(fromUTF8(escape(
++ label = QtGui.QLabel(fromUTF8(escape(
+ _("Here you can select the zones used for Shields Up and "
+ "Shields Down."))))
+ label.setWordWrap(True)
+ vbox.addWidget(label)
+
+- label = QtWidgets.QLabel(fromUTF8(escape(
++ label = QtGui.QLabel(fromUTF8(escape(
+ _("This feature is useful for people using the default zones "
+ "mostly. For users, that are changing zones of connections, it "
+ "might be of limited use."))))
+ label.setWordWrap(True)
+ vbox.addWidget(label)
+
+- grid = QtWidgets.QGridLayout()
++ grid = QtGui.QGridLayout()
+ grid.setSpacing(6)
+
+- label = QtWidgets.QLabel(fromUTF8(escape(_("Shields Up Zone:"))))
++ label = QtGui.QLabel(fromUTF8(escape(_("Shields Up Zone:"))))
+ label.setWordWrap(True)
+ grid.addWidget(label, 0, 0, 1, 1)
+
+- self.shields_up_combo = QtWidgets.QComboBox()
++ self.shields_up_combo = QtGui.QComboBox()
+ #self.fill_combo(self.shields_up_combo)
+ #self.set_shields_up(self.shields_up)
+ grid.addWidget(self.shields_up_combo, 0, 1, 1, 1)
+
+- button = QtWidgets.QPushButton(_("Reset To Default"))
++ button = QtGui.QPushButton(_("Reset To Default"))
+ button.clicked.connect(self.reset_shields_up)
+ grid.addWidget(button, 0, 2, 1, 1)
+
+- label = QtWidgets.QLabel(fromUTF8(escape(_("Shields Down Zone:"))))
++ label = QtGui.QLabel(fromUTF8(escape(_("Shields Down Zone:"))))
+ label.setWordWrap(True)
+ grid.addWidget(label, 1, 0, 1, 1)
+
+- self.shields_down_combo = QtWidgets.QComboBox()
++ self.shields_down_combo = QtGui.QComboBox()
+ #self.fill_combo(self.shields_down_combo)
+ #self.set_shields_down(self.shields_down)
+ grid.addWidget(self.shields_down_combo, 1, 1, 1, 1)
+
+- button = QtWidgets.QPushButton(_("Reset To Default"))
++ button = QtGui.QPushButton(_("Reset To Default"))
+ button.clicked.connect(self.reset_shields_down)
+ grid.addWidget(button, 1, 2, 1, 1)
+
+ vbox.addLayout(grid)
+
+- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
+- | QtWidgets.QDialogButtonBox.Cancel)
+- self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
++ buttonBox = QtGui.QDialogButtonBox(QtGui.QDialogButtonBox.Ok
++ | QtGui.QDialogButtonBox.Cancel)
++ self.ok_button = buttonBox.button(QtGui.QDialogButtonBox.Ok)
+ buttonBox.accepted.connect(self.ok)
+ buttonBox.rejected.connect(self.hide)
+ vbox.addWidget(buttonBox)
+@@ -328,56 +329,56 @@ class ShieldsEditor(QtWidgets.QDialog):
+
+ # AboutDialog #################################################################
+
+-class AboutDialog(QtWidgets.QDialog):
++class AboutDialog(QtGui.QDialog):
+ def __init__(self, name, icon, version, url, copyright, authors, license):
+- QtWidgets.QDialog.__init__(self)
++ QtGui.QDialog.__init__(self)
+ self.setWindowIcon(icon)
+ self.setWindowTitle(fromUTF8(escape(_("About %s" % name))))
+ self.resize(500, 250)
+
+- vbox = QtWidgets.QVBoxLayout()
++ vbox = QtGui.QVBoxLayout()
+ vbox.setSpacing(6)
+
+- hbox = QtWidgets.QHBoxLayout()
++ hbox = QtGui.QHBoxLayout()
+ hbox.setSpacing(24)
+
+- label = QtWidgets.QLabel()
++ label = QtGui.QLabel()
+ label.setPixmap(icon.pixmap(96))
+ label.setMinimumSize(96, 96)
+ label.setMaximumSize(96, 96)
+ hbox.addWidget(label)
+
+- vbox2 = QtWidgets.QVBoxLayout()
++ vbox2 = QtGui.QVBoxLayout()
+ vbox2.setSpacing(3)
+
+- label = QtWidgets.QLabel(name)
++ label = QtGui.QLabel(name)
+ font = label.font()
+ font.setPointSize(font.pointSize()*2)
+ font.setBold(True)
+ label.setFont(font)
+ vbox2.addWidget(label)
+
+- vbox2.addWidget(QtWidgets.QLabel(version))
++ vbox2.addWidget(QtGui.QLabel(version))
+
+- label = QtWidgets.QLabel("%s" % (url, url))
++ label = QtGui.QLabel("%s" % (url, url))
+ label.setTextFormat(QtCore.Qt.RichText)
+ label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction)
+ label.setOpenExternalLinks(True)
+
+ vbox2.addWidget(label)
+
+- vbox2.addWidget(QtWidgets.QLabel(copyright))
++ vbox2.addWidget(QtGui.QLabel(copyright))
+
+ hbox.addLayout(vbox2)
+
+ vbox.addLayout(hbox)
+
+- tabs = QtWidgets.QTabWidget()
++ tabs = QtGui.QTabWidget()
+ tabs.setStyleSheet("QTabWidget::tab { padding: 1px 1px 1px 1px; }")
+
+- tab = QtWidgets.QWidget()
+- vbox3 = QtWidgets.QVBoxLayout()
+- textedit = QtWidgets.QPlainTextEdit()
++ tab = QtGui.QWidget()
++ vbox3 = QtGui.QVBoxLayout()
++ textedit = QtGui.QPlainTextEdit()
+ #textedit.setStyleSheet("QPlainTextEdit { border: 0; padding: 0; }")
+ textedit.setReadOnly(True)
+ textedit.setPlainText(fromUTF8("\n".join(authors)))
+@@ -385,9 +386,9 @@ class AboutDialog(QtWidgets.QDialog):
+ tab.setLayout(vbox3)
+ tabs.addTab(tab, fromUTF8(escape(_("Authors"))))
+
+- tab = QtWidgets.QWidget()
+- vbox3 = QtWidgets.QVBoxLayout()
+- textedit = QtWidgets.QPlainTextEdit()
++ tab = QtGui.QWidget()
++ vbox3 = QtGui.QVBoxLayout()
++ textedit = QtGui.QPlainTextEdit()
+ #textedit.setStyleSheet("QPlainTextEdit { border: 0; padding: 0; }")
+ textedit.setReadOnly(True)
+ textedit.setPlainText(license)
+@@ -397,7 +398,7 @@ class AboutDialog(QtWidgets.QDialog):
+
+ vbox.addWidget(tabs)
+
+- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Close)
++ buttonBox = QtGui.QDialogButtonBox(QtGui.QDialogButtonBox.Close)
+ buttonBox.rejected.connect(self.hide)
+ vbox.addWidget(buttonBox)
+
+@@ -405,7 +406,7 @@ class AboutDialog(QtWidgets.QDialog):
+
+ # TrayApplet ##################################################################
+
+-class TrayApplet(QtWidgets.QSystemTrayIcon):
++class TrayApplet(QtGui.QSystemTrayIcon):
+ def __init__(self):
+ super(TrayApplet, self).__init__()
+ self.name = _("Firewall Applet")
+@@ -452,67 +453,67 @@ class TrayApplet(QtWidgets.QSystemTrayIc
+
+ # urgencies
+
+- self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.NoIcon,
+- "information": QtWidgets.QSystemTrayIcon.Information,
+- "warning": QtWidgets.QSystemTrayIcon.Warning,
+- "critical": QtWidgets.QSystemTrayIcon.Critical }
++ self.urgencies = { "noicon": QtGui.QSystemTrayIcon.NoIcon,
++ "information": QtGui.QSystemTrayIcon.Information,
++ "warning": QtGui.QSystemTrayIcon.Warning,
++ "critical": QtGui.QSystemTrayIcon.Critical }
+
+ # actions
+
+- self.shieldsupAction = QtWidgets.QAction(fromUTF8(escape(_("Shields Up"))),
++ self.shieldsupAction = QtGui.QAction(fromUTF8(escape(_("Shields Up"))),
+ self)
+ self.shieldsupAction.setCheckable(True)
+ self.shieldsupAction.setChecked(False)
+ self.shieldsupAction.triggered.connect(self.shieldsup_changed_cb)
+
+- self.notificationsAction = QtWidgets.QAction(
++ self.notificationsAction = QtGui.QAction(
+ fromUTF8(escape(_("Enable Notifications"))), self)
+ self.notificationsAction.setCheckable(True)
+ self.notificationsAction.setChecked(False)
+ self.notificationsAction.triggered.connect(self.notification_changed_cb)
+
+- self.settingsAction = QtWidgets.QAction(
++ self.settingsAction = QtGui.QAction(
+ fromUTF8(escape(_("Edit Firewall Settings..."))), self)
+ self.settingsAction.triggered.connect(self.configure_cb)
+
+- self.changeZonesAction = QtWidgets.QAction(
++ self.changeZonesAction = QtGui.QAction(
+ fromUTF8(escape(_("Change Zones of Connections..."))), self)
+ self.changeZonesAction.triggered.connect(self.nm_connection_editor)
+
+- self.shieldsAction = QtWidgets.QAction(
++ self.shieldsAction = QtGui.QAction(
+ fromUTF8(escape(_("Configure Shields UP/Down Zones..."))), self)
+ self.shieldsAction.triggered.connect(self.configure_shields)
+
+- self.panicAction = QtWidgets.QAction(
++ self.panicAction = QtGui.QAction(
+ fromUTF8(escape(_("Block all network traffic"))), self)
+ self.panicAction.setCheckable(True)
+ self.panicAction.setChecked(False)
+ self.panicAction.triggered.connect(self.panic_mode_cb)
+
+- self.aboutAction = QtWidgets.QAction(fromUTF8(escape(_("About"))), self)
++ self.aboutAction = QtGui.QAction(fromUTF8(escape(_("About"))), self)
+ self.aboutAction.triggered.connect(self.about_dialog.exec_)
+
+- #self.quitAction = QtWidgets.QAction(fromUTF8(escape(_("Quit"))), self,
++ #self.quitAction = QtGui.QAction(fromUTF8(escape(_("Quit"))), self,
+ # triggered=self.quit)
+
+- self.connectionsAction = QtWidgets.QWidgetAction(self)
+- self.connectionsAction.setDefaultWidget(QtWidgets.QLabel(
++ self.connectionsAction = QtGui.QWidgetAction(self)
++ self.connectionsAction.setDefaultWidget(QtGui.QLabel(
+ fromUTF8(""+escape(_("Connections"))+" ")))
+
+- self.interfacesAction = QtWidgets.QWidgetAction(self)
+- self.interfacesAction.setDefaultWidget(QtWidgets.QLabel(
++ self.interfacesAction = QtGui.QWidgetAction(self)
++ self.interfacesAction.setDefaultWidget(QtGui.QLabel(
+ fromUTF8(""+escape(_("Interfaces"))+" ")))
+
+- self.sourcesAction = QtWidgets.QWidgetAction(self)
+- self.sourcesAction.setDefaultWidget(QtWidgets.QLabel(
++ self.sourcesAction = QtGui.QWidgetAction(self)
++ self.sourcesAction.setDefaultWidget(QtGui.QLabel(
+ fromUTF8(""+escape(_("Sources"))+" ")))
+
+ # init
+
+- self.left_menu = QtWidgets.QMenu()
++ self.left_menu = QtGui.QMenu()
+ self.left_menu.setStyleSheet('QMenu { margin: 5px; }')
+
+- self.right_menu = QtWidgets.QMenu()
++ self.right_menu = QtGui.QMenu()
+ self.right_menu.addAction(self.shieldsupAction)
+ self.right_menu.addAction(self.notificationsAction)
+ self.right_menu.addSeparator()
+@@ -631,7 +632,7 @@ class TrayApplet(QtWidgets.QSystemTrayIc
+ self.setVisible(True)
+
+ def activated_cb(self, reason):
+- if reason == QtWidgets.QSystemTrayIcon.Trigger:
++ if reason == QtGui.QSystemTrayIcon.Trigger:
+ self.left_menu.popup(QtGui.QCursor.pos())
+
+ def update_active_zones(self):
+@@ -679,12 +680,12 @@ class TrayApplet(QtWidgets.QSystemTrayIc
+ zone = connections[connection][0]
+ if zone == "":
+ _binding = _("{entry} (Default Zone: {default_zone})")
+- action = QtWidgets.QAction(
++ action = QtGui.QAction(
+ fromUTF8(escape(
+ _binding.format(default_zone=self.default_zone,
+ entry=connection))), self)
+ else:
+- action = QtWidgets.QAction(
++ action = QtGui.QAction(
+ fromUTF8(escape(binding.format(zone=zone,
+ entry=connection))), self)
+ action.triggered.connect(functools.partial(
+@@ -697,7 +698,7 @@ class TrayApplet(QtWidgets.QSystemTrayIc
+ # add other interfaces
+ for interface in sorted(interfaces):
+ zone = interfaces[interface]
+- action = QtWidgets.QAction(
++ action = QtGui.QAction(
+ fromUTF8(escape(binding.format(zone=zone, entry=interface))),
+ self)
+ action.triggered.connect(functools.partial(
+@@ -709,7 +710,7 @@ class TrayApplet(QtWidgets.QSystemTrayIc
+
+ for source in sorted(sources):
+ zone = sources[source]
+- action = QtWidgets.QAction(
++ action = QtGui.QAction(
+ fromUTF8(escape(binding.format(zone=zone, entry=source))),
+ self)
+ action.triggered.connect(functools.partial(
+@@ -931,10 +932,10 @@ class TrayApplet(QtWidgets.QSystemTrayIc
+ os.system("%s &" % NM_CONNECTION_EDITOR)
+
+ def warning(self, text):
+- QtWidgets.QMessageBox.warning(None, fromUTF8(escape(self.name)), text)
++ QtGui.QMessageBox.warning(None, fromUTF8(escape(self.name)), text)
+
+ def error(self, text):
+- QtWidgets.QMessageBox.critical(None, fromUTF8(escape(self.name)), text)
++ QtGui.QMessageBox.critical(None, fromUTF8(escape(self.name)), text)
+
+ def configure_cb(self, widget):
+ os.system("firewall-config &")
+@@ -970,8 +971,6 @@ class TrayApplet(QtWidgets.QSystemTrayIc
+ def reloaded(self):
+ if self.notificationsAction.isChecked():
+ self.notify(escape(_("FirewallD has been reloaded.")))
+- self.update_active_zones()
+- self.update_tooltip()
+
+ def default_zone_changed(self, zone):
+ self.default_zone = zone
+@@ -1118,7 +1117,7 @@ Options:
+ # reset SIGINT signal to default
+ signal.signal(signal.SIGINT, signal.SIG_DFL)
+
+-app = QtWidgets.QApplication(sys.argv)
++app = QtGui.QApplication(sys.argv)
+ app.setQuitOnLastWindowClosed(False)
+
+ applet = TrayApplet()
diff --git a/SOURCES/firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch b/SOURCES/firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch
new file mode 100644
index 0000000..36bd3f4
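Review bot: The `reloaded` hunk (`@@ -970,8 +971,6 @@`) removes `self.update_active_zones()` and `self.update_tooltip()`, which is a behaviour change and not part of the PyQt5-to-PyQt4 renaming the rest of this patch performs. After a firewalld reload the tray menu and tooltip may keep showing the zone bindings from before the reload, unless a signal handler outside the visible hunks refreshes them; users read this applet as the indicator of the active firewall state, so it should not go stale at exactly that point. If the removal is intentional, record the reason in the patch header; otherwise keep both calls after the notification. `reloaded` is a method of `TrayApplet`, most of which lies outside the hunks shown here.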
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch
@@ -0,0 +1,53 @@
+commit 7a86d66f27a8c657a3cd9fbecdf26d167c2ee92e
+Author: Thomas Woerner
+Date: Wed Apr 26 15:07:18 2017 +0200
+
+ firewall-cmd: Fix --{set,get}-{short,description} for zone
+
+ The options --{set,get}-{short,description} have been used on the wrong object
+ in firewall-cmd which resulted in a back trace.
+
+ Fixes: RHBZ#1445238
+
+diff --git a/src/firewall-cmd b/src/firewall-cmd
+index 9988a79..1a864b3 100755
+--- a/src/firewall-cmd
++++ b/src/firewall-cmd
+@@ -1987,31 +1987,31 @@ if a.permanent:
+ elif a.list_all_zones:
+ names = fw.config().getZoneNames()
+ for zone in sorted(names):
+- settings = fw.config().getZoneByName(zone)
+- cmd.print_zone_info(zone, settings.getSettings())
++ settings = fw.config().getZoneByName(zone).getSettings()
++ cmd.print_zone_info(zone, settings)
+ cmd.print_msg("")
+ sys.exit(0)
+
+ # set zone description
+ elif a.set_description:
+- settings = fw.config().getZoneByName(zone)
++ settings = fw.config().getZoneByName(zone).getSettings()
+ settings.setDescription(a.set_description)
+ fw_zone.update(settings)
+
+ # get zone description
+ elif a.get_description:
+- settings = fw.config().getZoneByName(zone)
++ settings = fw.config().getZoneByName(zone).getSettings()
+ cmd.print_and_exit(settings.getDescription())
+
+ # set zone short description
+ elif a.set_short:
+- settings = fw.config().getZoneByName(zone)
++ settings = fw.config().getZoneByName(zone).getSettings()
+ settings.setShort(a.set_short)
+ fw_zone.update(settings)
+
+ # get zone short description
+ elif a.get_short:
+- settings = fw.config().getZoneByName(zone)
++ settings = fw.config().getZoneByName(zone).getSettings()
+ cmd.print_and_exit(settings.getShort())
+
+ elif a.version:
diff --git a/SOURCES/firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch b/SOURCES/firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch
new file mode 100644
index 0000000..8749ee6
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch
@@ -0,0 +1,23 @@
+commit d3fee3a3b923339fb45d23f60ee0170a5ca25957
+Author: Thomas Woerner
+Date: Mon Apr 3 15:06:36 2017 +0200
+
+ firewall-offline-cmd: Fix --remove-service-from-zone option RHBZ#1438127
+
+ The wrong option name has been used internally which resulted in the NoneType
+ object is not iterable error.
+
+diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd
+index b229f39..b1e8a6c 100755
+--- a/src/firewall-offline-cmd
++++ b/src/firewall-offline-cmd
+@@ -2076,7 +2076,8 @@ try:
+ cmd.add_sequence(a.add_service, fw_settings.addService,
+ fw_settings.queryService, None, "'%s'")
+ elif a.remove_service_from_zone:
+- cmd.remove_sequence(a.remove_service, fw_settings.removeService,
++ cmd.remove_sequence(a.remove_service_from_zone,
++ fw_settings.removeService,
+ fw_settings.queryService, None, "'%s'")
+ elif a.query_service:
+ cmd.query_sequence(a.query_service, fw_settings.queryService,
diff --git a/SOURCES/firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch b/SOURCES/firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch
new file mode 100644
index 0000000..d9dbc3b
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch
@@ -0,0 +1,139 @@
+commit 14bcde4e9b9f8c3638e37705ba57c3fac8e9b80f
+Author: Thomas Woerner
+Date: Fri Apr 28 18:38:50 2017 +0200
+
+ Man pages: Mention sctp and dccp protocols for remaining ports, ..
+
+diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml
+index a5b5acd..bf4e7a0 100644
+--- a/doc/xml/firewall-cmd.xml
++++ b/doc/xml/firewall-cmd.xml
+@@ -549,7 +549,7 @@
+ timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
+
+
+- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
++ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
+
+
+ The option is not combinable with the option.
+@@ -639,7 +639,7 @@
+ timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
+
+
+- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
++ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
+
+
+ The option is not combinable with the option.
+@@ -732,7 +732,7 @@
+ timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
+
+
+- The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address.
++ The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
+
+
+ The option is not combinable with the option.
+diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
+index d007dbe..e157f67 100644
+--- a/doc/xml/firewall-offline-cmd.xml
++++ b/doc/xml/firewall-offline-cmd.xml
+@@ -208,7 +208,7 @@
+ Add the port to the default zone. This option can be specified multiple times.
+
+
+- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
++ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
+
+
+
+@@ -264,7 +264,7 @@
+ Add the IPv4 forward port in the default zone. This option can be specified multiple times.
+
+
+- The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is an IP address.
++ The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is an IP address.
+
+
+
+@@ -621,7 +621,7 @@
+ Add the port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times.
+
+
+- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
++ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
+
+
+
+@@ -748,7 +748,7 @@
+ Add the IPv4 forward port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times.
+
+
+- The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address.
++ The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
+
+
+ For IPv6 forward ports, please use the rich language.
+@@ -798,7 +798,7 @@
+ Add the source port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
+
+
+- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
++ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
+
+
+
+diff --git a/doc/xml/firewalld.service.xml b/doc/xml/firewalld.service.xml
+index 2907f83..88b7640 100644
+--- a/doc/xml/firewalld.service.xml
++++ b/doc/xml/firewalld.service.xml
+@@ -136,7 +136,7 @@
+ protocol="string"
+
+
+- The protocol value can either be , , or .
++ The protocol value can either be tcp, udp, sctp or dccp.
+
+
+
+@@ -185,7 +185,7 @@
+ protocol="string"
+
+
+- The protocol value can either be , , or .
++ The protocol value can either be tcp, udp, sctp or dccp.
+
+
+
+diff --git a/doc/xml/firewalld.zone.xml b/doc/xml/firewalld.zone.xml
+index 67cd3ef..12e42e2 100644
+--- a/doc/xml/firewalld.zone.xml
++++ b/doc/xml/firewalld.zone.xml
+@@ -252,7 +252,7 @@
+ protocol="tcp|udp|sctp|dccp"
+
+
+- The protocol can either be tcp, , or .
++ The protocol can either be tcp, udp, sctp or dccp.
+
+
+
+@@ -332,7 +332,7 @@
+ protocol="tcp|udp|sctp|dccp"
+
+
+- The protocol can either be tcp, , or .
++ The protocol can either be tcp, udp, sctp or dccp.
+
+
+
+@@ -385,7 +385,7 @@
+ protocol="tcp|udp|sctp|dccp"
+
+
+- The protocol can either be tcp, , or .
++ The protocol can either be tcp, udp, sctp or dccp.
+
+
+
diff --git a/SOURCES/firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch b/SOURCES/firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch
new file mode 100644
index 0000000..5338467
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch
@@ -0,0 +1,185 @@
+commit ded96b82404811d70b9f5e264b44e2834e91e42f
+Author: Leon Goldberg
+Date: Thu Mar 23 12:22:26 2017 +0200
+
+ Introducing ovirt's imageio service
+
+diff --git a/config/services/ovirt-imageio.xml b/config/services/ovirt-imageio.xml
+new file mode 100644
+index 0000000..9ba6526
+--- /dev/null
++++ b/config/services/ovirt-imageio.xml
+@@ -0,0 +1,6 @@
++
++
++ oVirt Image I/O
++ oVirt Image I/O simplifies the workflow of introducing new oVirt images into the oVirt environment.
++
++
+
+commit 31955ff59636e3ed63289d60ad254a09aa75686e
+Author: Leon Goldberg
+Date: Tue May 2 16:04:52 2017 +0300
+
+ Adding ovirt-vmconsole service file
+
+diff --git a/config/services/ovirt-vmconsole.xml b/config/services/ovirt-vmconsole.xml
+new file mode 100644
+index 0000000..2b47448
+--- /dev/null
++++ b/config/services/ovirt-vmconsole.xml
+@@ -0,0 +1,7 @@
++
++
++ oVirt VM Console
++ oVirt VM Consoles enables secure access to virtual machine serial console.
++
++
++
+
+commit ffd82e3e95ed80805c566bb8b5858fdd45f3780f
+Author: leongold
+Date: Wed May 3 15:30:40 2017 +0300
+
+ Fixing incorrect port number
+
+diff --git a/config/services/ovirt-vmconsole.xml b/config/services/ovirt-vmconsole.xml
+index 2b47448..ca8ea19 100644
+--- a/config/services/ovirt-vmconsole.xml
++++ b/config/services/ovirt-vmconsole.xml
+@@ -2,6 +2,5 @@
+
+ oVirt VM Console
+ oVirt VM Consoles enables secure access to virtual machine serial console.
+-
++
+
+-
+
+commit 920f54ce5b3651a1ce738cb0b062aa1458c12c8d
+Author: Leon Goldberg
+Date: Tue May 2 16:04:52 2017 +0300
+
+ Adding oVirt storage-console service.
+
+diff --git a/config/services/ovirt-storageconsole.xml b/config/services/ovirt-storageconsole.xml
+new file mode 100644
+index 0000000..721a7df
+--- /dev/null
++++ b/config/services/ovirt-storageconsole.xml
+@@ -0,0 +1,7 @@
++
++
++ oVirt Storage-Console
++ oVirt Storage Console is a web-based storage management platform specially designed to efficiently manage oVirt's storage-defined storage.
++
++
++
+
+commit 0aa83426e9c337bf21df0d436e7f6cbcd6b72e03
+Author: Leon Goldberg
+Date: Wed May 3 14:44:14 2017 +0300
+
+ Adding ctdb service file.
+
+diff --git a/config/services/ctdb.xml b/config/services/ctdb.xml
+new file mode 100644
+index 0000000..7209082
+--- /dev/null
++++ b/config/services/ctdb.xml
+@@ -0,0 +1,7 @@
++
++
++ CTDB
++ CTDB is a cluster implementation of the TDB database used by Samba and other projects to store temporary data.
++
++
++
+
+commit d774891afe7109fb65c87ac6a3e28a76d132784a
+Author: Leon Goldberg
+Date: Thu May 4 12:16:53 2017 +0300
+
+ Adding service file for nrpe.
+
+ Although the port isn't IANA registered to Nagios, it's failry well
+ known (http://www.speedguide.net/port.php?port=5666).
+
+diff --git a/config/services/nrpe.xml b/config/services/nrpe.xml
+new file mode 100644
+index 0000000..4535d89
+--- /dev/null
++++ b/config/services/nrpe.xml
+@@ -0,0 +1,6 @@
++
++
++ NRPE
++ NRPE allows you to execute Nagios plugins on a remote host in as transparent a manner as possible.
++
++
+
+commit b1b63267f1f5af0c71d8ebd7db170bf2e1380c13
+Author: Thomas Woerner
+Date: Thu Apr 27 14:52:49 2017 +0200
+
+ config/Makefile.am: Install new ovirt-imageio service
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index f05caf6..61ec9a2 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -174,6 +174,7 @@ CONFIG_FILES = \
+ services/nfs.xml \
+ services/ntp.xml \
+ services/openvpn.xml \
++ services/ovirt-imageio.xml \
+ services/pmcd.xml \
+ services/pmproxy.xml \
+ services/pmwebapis.xml \
+
+commit 7e6e41809b3898a1ae9d014dc9be027b25521978
+Author: Thomas Woerner
+Date: Wed May 3 17:19:03 2017 +0200
+
+ config/Makefile.am: New services ctdb, ovirt-storageconsole and ovirt-vmconsole
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 61ec9a2..1669a84 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -131,6 +131,7 @@ CONFIG_FILES = \
+ services/ceph.xml \
+ services/cfengine.xml \
+ services/condor-collector.xml \
++ services/ctdb.xml \
+ services/dhcpv6-client.xml \
+ services/dhcpv6.xml \
+ services/dhcp.xml \
+@@ -175,6 +176,8 @@ CONFIG_FILES = \
+ services/ntp.xml \
+ services/openvpn.xml \
+ services/ovirt-imageio.xml \
++ services/ovirt-storageconsole.xml \
++ services/ovirt-vmconsole.xml \
+ services/pmcd.xml \
+ services/pmproxy.xml \
+ services/pmwebapis.xml \
+
+commit a75d783101a43a57c6b6619acafa66268e6f822d
+Author: Thomas Woerner
+Date: Tue May 9 11:29:12 2017 +0200
+
+ config/Makefile.am: New services nrpe
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 1669a84..33cb7da 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -173,6 +173,7 @@ CONFIG_FILES = \
+ services/ms-wbt.xml \
+ services/mysql.xml \
+ services/nfs.xml \
++ services/nrpe.xml \
+ services/ntp.xml \
+ services/openvpn.xml \
+ services/ovirt-imageio.xml \
diff --git a/SOURCES/firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch b/SOURCES/firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch
new file mode 100644
index 0000000..5970c8a
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch
@@ -0,0 +1,44 @@ +commit 0c480ec760c3ecaeea325041bdffc6d3d1153d88 +Author: Thomas Woerner +Date: Wed May 17 17:56:39 2017 +0200 + + Rename extension for policy choices (server and desktop) to .policy.choice (RHBZ#1449754) + + This is done at installation time to still use autofoo targets etc. A change in firewall-offline command to fix --policy-server and --policy-desktop options + has been needed for this also. + +diff --git a/config/Makefile.am b/config/Makefile.am +index 33cb7da..bdc5651 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -347,5 +347,7 @@ uninstall-local: $(UNINSTALL_TARGETS) + + install-data-hook: + cd $(DESTDIR)$(polkit1_actiondir) && \ ++ mv org.fedoraproject.FirewallD1.server.policy org.fedoraproject.FirewallD1.server.policy.choice && \ ++ mv org.fedoraproject.FirewallD1.desktop.policy org.fedoraproject.FirewallD1.desktop.policy.choice && \ + rm -f org.fedoraproject.FirewallD1.policy && \ +- $(LN_S) org.fedoraproject.FirewallD1.server.policy org.fedoraproject.FirewallD1.policy ++ $(LN_S) org.fedoraproject.FirewallD1.server.policy.choice org.fedoraproject.FirewallD1.policy +diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd +index b1e8a6c..ebeb1ec 100755 +--- a/src/firewall-offline-cmd ++++ b/src/firewall-offline-cmd +@@ -478,13 +478,13 @@ def pk_symlink(product='server'): + _PK_DIR = '/usr/share/polkit-1/actions/' + _PK_NAME = 'org.fedoraproject.FirewallD1.' 
+ os.chdir(_PK_DIR) +- if os.path.isfile(_PK_NAME+product+'.policy'): ++ if os.path.isfile(_PK_NAME+product+'.policy.choice'): + if os.path.isfile(_PK_NAME+'policy'): + os.remove(_PK_NAME+'policy') +- os.symlink(_PK_NAME+product+'.policy', _PK_NAME+'policy') +- cmd.print_and_exit('symlink '+_PK_DIR+_PK_NAME+product+'.policy -> '+_PK_NAME+'policy') ++ os.symlink(_PK_NAME+product+'.policy.choice', _PK_NAME+'policy') ++ cmd.print_and_exit('symlink '+_PK_DIR+_PK_NAME+product+'.policy.choice -> '+_PK_NAME+'policy') + else: +- cmd.fail('no such file '+_PK_DIR+_PK_NAME+product+'.policy') ++ cmd.fail('no such file '+_PK_DIR+_PK_NAME+product+'.policy.choice') + + # system-config-firewall + def read_sysconfig_args(config_file=SYSTEM_CONFIG_FIREWALL): diff --git a/SOURCES/firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch b/SOURCES/firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch new file mode 100644 index 0000000..55cd89b --- /dev/null +++ b/SOURCES/firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch 
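Review bot: In the `src/firewall-offline-cmd` part of this patch, `pk_symlink` still guards the removal with `os.path.isfile(_PK_NAME+'policy')`, which follows symlinks and is false for a dangling link. Renaming the targets to `.policy.choice` is exactly what would leave an older `org.fedoraproject.FirewallD1.policy` link dangling, so `os.remove` would be skipped and `os.symlink` would then fail because the name already exists, leaving the polkit policy link unchanged. I would test the link itself, `if os.path.lexists(_PK_NAME+'policy'):`. Whether packaging recreates the link before this code runs is not visible here, and `pk_symlink` starts above the hunk.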
@@ -0,0 +1,56 @@
+commit 18990db7b05a3d81145b41e7cfe64ebbb958aa1a
+Author: Thomas Woerner
+Date: Thu Apr 27 13:15:36 2017 +0200
+
+ firewall.core.ipXtables: Use new wait option for restore commands if available
+
+ The iptables restore commands in the next iptables release will support the
+ wait option. This is very useful and results in less likely collisions with
+ iptables commands used by other services or the user.
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 2ae0000..9f051d3 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -157,6 +157,7 @@ class ip4tables(object):
+ self._command = config.COMMANDS[self.ipv]
+ self._restore_command = config.COMMANDS["%s-restore" % self.ipv]
+ self.wait_option = self._detect_wait_option()
++ self.restore_wait_option = self._detect_restore_wait_option()
+ self.fill_exists()
+
+ def fill_exists(self):
+@@ -251,6 +252,8 @@ class ip4tables(object):
+ log.debug2("%s: %s %s", self.__class__, self._restore_command,
+ "%s: %d" % (temp_file.name, stat.st_size))
+ args = [ ]
++ if self.restore_wait_option:
++ args.append(self.restore_wait_option)
+ if not flush:
+ args.append("-n")
+
+@@ -320,6 +323,24 @@ class ip4tables(object):
+
+ return wait_option
+
++ def _detect_restore_wait_option(self):
++ temp_file = tempFile()
++ temp_file.write("#foo")
++ temp_file.close()
++
++ wait_option = ""
++ ret = runProg(self._restore_command, ["-w"], stdin=temp_file.name) # proposed for iptables-1.6.2
++ if ret[0] == 0:
++ wait_option = "-w" # wait for xtables lock
++ ret = runProg(self._restore_command, ["--wait=2"], stdin=temp_file.name) # since iptables > 1.4.21
++ if ret[0] == 0:
++ wait_option = "--wait=2" # wait max 2 seconds
++ log.debug2("%s: %s will be using %s option.", self.__class__, self._restore_command, wait_option)
++
++ os.unlink(temp_file.name)
++
++ return wait_option
++
+ def flush(self, transaction=None):
+ tables = self.used_tables()
+ for table in tables:
diff --git a/SOURCES/firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch b/SOURCES/firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch
new file mode 100644
index 0000000..6d3912a
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch
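Review bot: `_detect_restore_wait_option` removes its probe file only on the straight-line path: `os.unlink(temp_file.name)` comes after both `runProg` calls with no `try`/`finally`, so if either call raises (whether `runProg` can is not visible here) the temporary file is left behind each time the probe runs. Wrapping the two probes as `try:` … `finally: os.unlink(temp_file.name)` closes that. The method also has no docstring; something like `"""Return the lock-wait flag the restore command accepts ("-w" or "--wait=2"), or "" if it accepts neither."""` would record that an empty result means restores are run without waiting for the xtables lock, since the caller only appends the option when it is non-empty.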
@@ -0,0 +1,440 @@ +commit 3e0997f5effaec309e03c9c7c639d8243536ad37 +Author: Thomas Woerner +Date: Tue Apr 4 19:03:27 2017 +0200 + + Support sctp and dccp in ports, source-ports, forward-ports, helpers and rich rules + + This patch adds support to use ports with the protocols sctp and dccp if also + a port id is specified. The use of sctp and dccp is now also allowed in + source-ports, forward-ports, helpers and rich language rules. + + The test suite has been expanded to also test the new combinations. + + This fixes RHBZ#1429808 + +diff --git a/doc/xml/firewalld.helper.xml b/doc/xml/firewalld.helper.xml +index 9de4589..d931e22 100644 +--- a/doc/xml/firewalld.helper.xml ++++ b/doc/xml/firewalld.helper.xml +@@ -69,7 +69,7 @@ + <helper module="nf_conntrack_module" [family="ipv4|ipv6"]> + <short>short</short> + <description>description</description> +- <port portid[-portid]" protocol="tcp|udp"/> ++ <port portid[-portid]" protocol="tcp|udp|sctp|dccp"/> + </helper> + + +@@ -149,7 +149,7 @@ + protocol="string" + + +- The protocol value can either be or . ++ The protocol value can either be , , or . + + + +diff --git a/doc/xml/firewalld.service.xml b/doc/xml/firewalld.service.xml +index 568555f..425f5a9 100644 +--- a/doc/xml/firewalld.service.xml ++++ b/doc/xml/firewalld.service.xml +@@ -136,7 +136,7 @@ + protocol="string" + + +- The protocol value can either be or . ++ The protocol value can either be , , or . + + + +@@ -185,7 +185,7 @@ + protocol="string" + + +- The protocol value can either be or . ++ The protocol value can either be , , or . 
+ + + +diff --git a/doc/xml/firewalld.zone.xml b/doc/xml/firewalld.zone.xml +index 80290e7..c3283c0 100644 +--- a/doc/xml/firewalld.zone.xml ++++ b/doc/xml/firewalld.zone.xml +@@ -73,25 +73,25 @@ + [ <interface name="string"/> ] + [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ] + [ <service name="string"/> ] +- [ <port port="portid[-portid]" protocol="tcp|udp"/> ] ++ [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ] + [ <protcol value="protocol"/> ] + [ <icmp-block name="string"/> ] + [ <icmp-block-inversion/> ] + [ <masquerade/> ] +- [ <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ] +- [ <source-port port="portid[-portid]" protocol="tcp|udp"/> ] ++ [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ] ++ [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ] + [ + <rule [family="ipv4|ipv6"]> + [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ] + [ <destination address="address[/mask]" [invert="True"]/> ] + [ + <service name="string"/> | +- <port port="portid[-portid]" protocol="tcp|udp"/> | ++ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> | + <protocol value="protocol"/> | + <icmp-block name="icmptype"/> | + <icmp-type name="icmptype"/> | + <masquerade/> | +- <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/> ++ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> + ] + [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ] + [ <audit> [<limit value="rate/duration"/>] </audit> ] +@@ -249,10 +249,10 @@ + + + +- protocol="tcp|udp" ++ protocol="tcp|udp|sctp|dccp" + + +- The protocol can either be tcp or udp. ++ The protocol can either be tcp, , or . 
+ + + +@@ -329,10 +329,10 @@ + + + +- protocol="tcp|udp" ++ protocol="tcp|udp|sctp|dccp" + + +- The protocol can either be tcp or udp. ++ The protocol can either be tcp, , or . + + + +@@ -382,10 +382,10 @@ + + + +- protocol="tcp|udp" ++ protocol="tcp|udp|sctp|dccp" + + +- The protocol can either be tcp or udp. ++ The protocol can either be tcp, , or . + + + +@@ -407,13 +407,13 @@ + [ <destination address="address[/mask]" [invert="True"]/> ] + [ + <service name="string"/> | +- <port port="portid[-portid]" protocol="tcp|udp"/> | ++ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> | + <protocol value="protocol"/> | + <icmp-block name="icmptype"/> | + <icmp-type name="icmptype"/> | + <masquerade/> | +- <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/> | +- <source-port port="portid[-portid]" protocol="tcp|udp"/> | ++ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> | ++ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> | + ] + [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ] + [ <audit> [<limit value="rate/duration"/>] </audit> ] +diff --git a/src/firewall-config.glade b/src/firewall-config.glade +index 73cee5c..d209a34 100644 +--- a/src/firewall-config.glade ++++ b/src/firewall-config.glade +@@ -1263,6 +1263,8 @@ + + tcp + udp ++ sctp ++ dccp + + + +@@ -9196,6 +9198,8 @@ + + tcp + udp ++ sctp ++ dccp + + + +@@ -9597,6 +9601,7 @@ + - Select - + ah + esp ++ dccp + ddp + icmp + igmp +diff --git a/src/firewall/command.py b/src/firewall/command.py +index e3adde0..e2d032f 100644 +--- a/src/firewall/command.py ++++ b/src/firewall/command.py +@@ -267,9 +267,10 @@ class FirewallCommand(object): + "portid[-portid]%sprotocol" % separator) + if not check_port(port): + raise FirewallError(errors.INVALID_PORT, port) +- if proto not in [ "tcp", "udp" ]: ++ 
if proto not in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, +- "'%s' not in {'tcp'|'udp'}" % proto) ++ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \ ++ proto) + return (port, proto) + + def parse_forward_port(self, value): +@@ -301,9 +302,10 @@ class FirewallCommand(object): + + if not check_port(port): + raise FirewallError(errors.INVALID_PORT, port) +- if protocol not in [ "tcp", "udp" ]: ++ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, +- "'%s' not in {'tcp'|'udp'}" % protocol) ++ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \ ++ protocol) + if toport and not check_port(toport): + raise FirewallError(errors.INVALID_PORT, toport) + if toaddr and not check_single_address("ipv4", toaddr): +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index f32ec22..8dbe59b 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -989,9 +989,10 @@ class Firewall(object): + def check_tcpudp(self, protocol): + if not protocol: + raise FirewallError(errors.MISSING_PROTOCOL) +- if protocol not in [ "tcp", "udp" ]: ++ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, +- "'%s' not in {'tcp'|'udp'}" % protocol) ++ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \ ++ protocol) + + def check_ip(self, ip): + if not functions.checkIP(ip): +diff --git a/src/firewall/core/fw_test.py b/src/firewall/core/fw_test.py +index 62385e6..9516823 100644 +--- a/src/firewall/core/fw_test.py ++++ b/src/firewall/core/fw_test.py +@@ -456,9 +456,10 @@ class Firewall_test(object): + def check_tcpudp(self, protocol): + if not protocol: + raise FirewallError(errors.MISSING_PROTOCOL) +- if not protocol in [ "tcp", "udp" ]: ++ if not protocol in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, +- "'%s' not in {'tcp'|'udp'}" % protocol) ++ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \ ++ protocol) + + def 
check_ip(self, ip): + if not functions.checkIP(ip): +diff --git a/src/firewall/core/io/io_object.py b/src/firewall/core/io/io_object.py +index 3ae180a..139439f 100644 +--- a/src/firewall/core/io/io_object.py ++++ b/src/firewall/core/io/io_object.py +@@ -292,9 +292,10 @@ def check_port(port): + "'%s' is invalid port range" % port) + + def check_tcpudp(protocol): +- if protocol not in [ "tcp", "udp" ]: ++ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, +- "'%s' not from {'tcp'|'udp'}" % protocol) ++ "'%s' not from {'tcp'|'udp'|'sctp'|'dccp'}" % \ ++ protocol) + + def check_protocol(protocol): + if not functions.checkProtocol(protocol): +diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py +index b33009f..3adcb4d 100644 +--- a/src/firewall/core/rich.py ++++ b/src/firewall/core/rich.py +@@ -576,7 +576,7 @@ class Rich_Rule(object): + elif type(self.element) == Rich_Port: + if not functions.check_port(self.element.port): + raise FirewallError(errors.INVALID_PORT, self.element.port) +- if self.element.protocol not in [ "tcp", "udp" ]: ++ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol) + + # protocol +@@ -611,7 +611,7 @@ class Rich_Rule(object): + elif type(self.element) == Rich_ForwardPort: + if not functions.check_port(self.element.port): + raise FirewallError(errors.INVALID_PORT, self.element.port) +- if self.element.protocol not in [ "tcp", "udp" ]: ++ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol) + if self.element.to_port == "" and self.element.to_address == "": + raise FirewallError(errors.INVALID_PORT, self.element.to_port) +@@ -631,7 +631,7 @@ class Rich_Rule(object): + elif type(self.element) == Rich_SourcePort: + if not functions.check_port(self.element.port): + raise FirewallError(errors.INVALID_PORT, self.element.port) +- 
if self.element.protocol not in [ "tcp", "udp" ]: ++ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]: + raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol) + + # other element and not empty? +diff --git a/src/tests/firewall-cmd_test.sh b/src/tests/firewall-cmd_test.sh +index 653c644..ea076a0 100755 +--- a/src/tests/firewall-cmd_test.sh ++++ b/src/tests/firewall-cmd_test.sh +@@ -339,6 +339,15 @@ assert_good " --query-port=111-222/udp --zone=${default_zone}" + assert_good "--remove-port 111-222/udp" + assert_bad " --query-port=111-222/udp" + ++assert_good " --add-port=5000/sctp" ++assert_good " --query-port=5000/sctp --zone=${default_zone}" ++assert_good "--remove-port 5000/sctp" ++assert_bad " --query-port=5000/sctp" ++assert_good " --add-port=222/dccp" ++assert_good " --query-port=222/dccp --zone=${default_zone}" ++assert_good "--remove-port 222/dccp" ++assert_bad " --query-port=222/dccp" ++ + assert_bad "--permanent --add-port=666" # no protocol + assert_bad "--permanent --add-port=666/dummy" # bad protocol + assert_good "--permanent --add-port=666/tcp" +@@ -348,6 +357,15 @@ assert_good "--permanent --query-port=111-222/udp" + assert_good "--permanent --remove-port 111-222/udp" + assert_bad "--permanent --query-port=111-222/udp" + ++assert_good "--permanent --add-port=5000/sctp" ++assert_good "--permanent --query-port=5000/sctp --zone=${default_zone}" ++assert_good "--permanent --remove-port 5000/sctp" ++assert_bad "--permanent --query-port=5000/sctp" ++assert_good "--permanent --add-port=222/dccp" ++assert_good "--permanent --query-port=222/dccp --zone=${default_zone}" ++assert_good "--permanent --remove-port 222/dccp" ++assert_bad "--permanent --query-port=222/dccp" ++ + assert_good " --add-port=80/tcp --add-port 443-444/udp" + assert_good " --query-port=80/tcp --zone=${default_zone}" + assert_good " --query-port=443-444/udp" +@@ -488,6 +506,10 @@ assert_good " --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" + 
assert_good " --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}" + assert_good "--remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" + assert_bad " --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" ++assert_good " --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" ++assert_good " --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}" ++assert_good "--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" ++assert_bad " --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" + + assert_bad "--permanent --add-forward-port=666" # no protocol + assert_good "--permanent --add-forward-port=port=11:proto=tcp:toport=22 --zone=${default_zone}" +@@ -499,6 +521,10 @@ assert_good "--permanent --add-forward-port=port=55:proto=tcp:toport=66:toadd + assert_good "--permanent --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7" + assert_good "--permanent --remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" + assert_bad "--permanent --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" ++assert_good "--permanent --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" ++assert_good "--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}" ++assert_good "--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" ++assert_bad "--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" + + assert_good " --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200" + assert_good " --query-forward-port=port=100:proto=tcp:toport=200" +@@ -597,6 +623,18 @@ assert_good "--permanent --icmptype=${myicmp} --query-destination=ipv4" + assert_good "--permanent --icmptype=${myicmp} --remove-destination=ipv4" + assert_bad "--permanent --icmptype=${myicmp} --query-destination=ipv4" + ++# test sctp and dccp ports 
++assert_good "--permanent --service=${myservice} --add-port=666/sctp" ++assert_good "--permanent --service=${myservice} --remove-port=666/sctp" ++assert_good "--permanent --service=${myservice} --remove-port 666/sctp" ++assert_bad "--permanent --service=${myservice} --query-port=666/sctp" ++assert_good "--permanent --service=${myservice} --add-port=999/dccp" ++assert_good "--permanent --service=${myservice} --remove-port=999/dccp" ++assert_good "--permanent --service=${myservice} --remove-port 999/dccp" ++assert_bad "--permanent --service=${myservice} --query-port=999/dccp" ++assert_good "--permanent --service=${myservice} --add-port=666/sctp" ++assert_good "--permanent --service=${myservice} --add-port=999/dccp" ++ + # add them to zone + assert_good "--permanent --zone=${myzone} --add-service=${myservice}" + assert_good "--permanent --zone=${myzone} --add-icmp-block=${myicmp}" +@@ -906,7 +944,9 @@ good_rules=( + 'rule family="ipv4" source address="192.168.1.0/24" masquerade' + 'rule family="ipv4" destination address="192.168.1.0/24" masquerade' # masquerade & destination + 'rule family="ipv6" masquerade' +- 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"') ++ 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"' ++ 'rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"' ++ 'rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"') + + for (( i=0;i<${#good_rules[@]};i++)); do + rule=${good_rules[${i}]} +diff --git a/src/tests/firewall-offline-cmd_test.sh b/src/tests/firewall-offline-cmd_test.sh +index ee7ffcd..f81c853 100755 +--- a/src/tests/firewall-offline-cmd_test.sh ++++ b/src/tests/firewall-offline-cmd_test.sh +@@ -332,6 +332,15 @@ assert_good " --query-port=111-222/udp 
--zone=${default_zone}" + assert_good "--remove-port 111-222/udp" + assert_bad " --query-port=111-222/udp" + ++assert_good " --add-port=5000/sctp" ++assert_good " --query-port=5000/sctp --zone=${default_zone}" ++assert_good "--remove-port 5000/sctp" ++assert_bad " --query-port=5000/sctp" ++assert_good " --add-port=222/dccp" ++assert_good " --query-port=222/dccp --zone=${default_zone}" ++assert_good "--remove-port 222/dccp" ++assert_bad " --query-port=222/dccp" ++ + assert_good " --add-port=80/tcp --add-port 443-444/udp" + assert_good " --query-port=80/tcp --zone=${default_zone}" + assert_good " --query-port=443-444/udp" +@@ -409,6 +418,10 @@ assert_good " --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" + assert_good " --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}" + assert_good "--remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" + assert_bad " --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7" ++assert_good " --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" ++assert_good " --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}" ++assert_good "--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" ++assert_bad " --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7" + + assert_good " --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200" + assert_good " --query-forward-port=port=100:proto=tcp:toport=200" +@@ -494,6 +507,18 @@ assert_good "--icmptype=${myicmp} --query-destination=ipv4" + assert_good "--icmptype=${myicmp} --remove-destination=ipv4" + assert_bad "--icmptype=${myicmp} --query-destination=ipv4" + ++# test sctp and dccp ports ++assert_good "--service=${myservice} --add-port=666/sctp" ++assert_good "--service=${myservice} --remove-port=666/sctp" ++assert_good "--service=${myservice} --remove-port 666/sctp" ++assert_bad "--service=${myservice} 
--query-port=666/sctp" ++assert_good "--service=${myservice} --add-port=999/dccp" ++assert_good "--service=${myservice} --remove-port=999/dccp" ++assert_good "--service=${myservice} --remove-port 999/dccp" ++assert_bad "--service=${myservice} --query-port=999/dccp" ++assert_good "--service=${myservice} --add-port=666/sctp" ++assert_good "--service=${myservice} --add-port=999/dccp" ++ + # add them to zone + assert_good "--zone=${myzone} --add-service=${myservice}" + assert_good "--zone=${myzone} --add-icmp-block=${myicmp}" +@@ -688,7 +713,9 @@ good_rules=( + 'rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirect" level="info" limit value="4/m"' + 'rule family="ipv4" source address="192.168.1.0/24" masquerade' + 'rule family="ipv6" masquerade' +- 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"') ++ 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"' ++ 'rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"' ++ 'rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"') + + for (( i=0;i<${#good_rules[@]};i++)); do + rule=${good_rules[${i}]} diff --git a/SOURCES/firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch b/SOURCES/firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch new file mode 100644 index 0000000..fd91326 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch 
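Review bot: The accepted-protocol list `[ "tcp", "udp", "sctp", "dccp" ]` is now spelled out separately in `command.py` (twice), `fw.py`, `fw_test.py`, `io_object.py` and `rich.py` (three times), most with their own copy of the error text. These are the input checks for port, source-port and forward-port values, so a copy that is missed in a later change makes the command line and the core disagree about what is valid. I would define it once, e.g. `PORT_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")`, and test `if protocol not in PORT_PROTOCOLS:` at every site. Separately, the new `--service=${myservice}` tests in both test scripts run `--remove-port` twice and never assert a successful `--query-port` after the add, and the plain `--add-forward-port` tests cover only `sctp`, not `dccp`.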
@@ -0,0 +1,1687 @@ +diff -up firewalld-0.4.4.4/po/ja.po.translation-update-ja_rhbz#1382652 firewalld-0.4.4.4/po/ja.po +--- firewalld-0.4.4.4/po/ja.po.translation-update-ja_rhbz#1382652 2017-03-27 19:17:41.000000000 +0200 ++++ firewalld-0.4.4.4/po/ja.po 2017-05-31 13:34:18.304718865 +0200 +@@ -1,7 +1,7 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. +-# ++# + # Translators: + # Aiko Sasaki , 2014 + # Copyright (C) Red Hat Inc. 2010, 2011 +@@ -10,28 +10,25 @@ + # noriko , 2014 + # noriko , 2014 + # Tomoyuki KATO , 2012-2013 +-# Hajime Taira , 2015. #zanata +-# Aiko Sasaki , 2016. #zanata +-# Hajime Taira , 2016. #zanata +-# Noriko Mizumoto , 2016. #zanata +-# Takuro Nagamoto , 2016. #zanata ++# kmoriguc , 2017. #zanata ++# ljanda , 2017. #zanata + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2016-12-01 12:20+0100\n" +-"PO-Revision-Date: 2016-11-06 08:07-0500\n" +-"Last-Translator: Hajime Taira \n" +-"Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/" +-"language/ja/)\n" +-"Language: ja\n" ++"POT-Creation-Date: 2017-05-17 11:29+0200\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" ++"PO-Revision-Date: 2017-05-22 02:19+0000\n" ++"Last-Translator: kmoriguc \n" ++"Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/" ++"language/ja/)\n" ++"Language: ja\n" + "Plural-Forms: nplurals=1; plural=0;\n" +-"X-Generator: Zanata 3.9.6\n" ++"X-Generator: Zanata 4.1.1\n" + +-#: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet:411 ++#: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet:412 + msgid "Firewall Applet" + msgstr "ファイアウォールアプレット" + +@@ -48,644 +45,635 @@ msgstr "ファイアウォールの設� + msgid "firewall;network;security;iptables;netfilter;" + msgstr 
"ファイアウォール;ネットワーク;セキュリティー;iptables;netfilter;" + +-#: ../src/firewall-applet:88 ../src/firewall-config:7926 ++#: ../src/firewall-applet:89 ../src/firewall-config:8028 + #, c-format + msgid "Select zone for interface '%s'" + msgstr "インターフェース '%s' のゾーンを選択する" + +-#: ../src/firewall-applet:128 ../src/firewall-applet:135 +-#: ../src/firewall-applet:141 ../src/firewall-config:2388 +-#: ../src/firewall-config:7971 ../src/firewall-config:7979 +-#: ../src/firewall-config:8011 ../src/firewall-config.glade.h:8 ++#: ../src/firewall-applet:129 ../src/firewall-applet:136 ++#: ../src/firewall-applet:142 ../src/firewall-config:2421 ++#: ../src/firewall-config:8073 ../src/firewall-config:8081 ++#: ../src/firewall-config:8113 ../src/firewall-config.glade.h:8 + msgid "Default Zone" + msgstr "標準ゾーン" + +-#: ../src/firewall-applet:161 ../src/firewall-config:8004 ++#: ../src/firewall-applet:162 ../src/firewall-config:8106 + #, c-format + msgid "Select zone for connection '%s'" + msgstr "接続 '%s' のゾーンを選択する" + +-#: ../src/firewall-applet:171 ../src/firewall-config:3848 ++#: ../src/firewall-applet:172 ../src/firewall-config:3891 + msgid "Failed to set zone {zone} for connection {connection}" + msgstr "接続 {connection} のゾーン {zone} の設定に失敗しました" + +-#: ../src/firewall-applet:185 ++#: ../src/firewall-applet:186 + #, c-format + msgid "Select zone for source '%s'" + msgstr "ソース '%s' のゾーンを選択する" + +-#: ../src/firewall-applet:202 ++#: ../src/firewall-applet:203 + msgid "Configure Shields Up/Down Zones" + msgstr "シールド・アップ/ダウン・ゾーンの設定" + +-#: ../src/firewall-applet:215 ++#: ../src/firewall-applet:216 + msgid "Here you can select the zones used for Shields Up and Shields Down." +-msgstr "" +-"ここからシールド・アップおよびシールド・ダウンに対して使用するゾーンを選択で" +-"きます。" ++msgstr "ここからシールド・アップおよびシールド・ダウンに対して使用するゾーンを選択できます。" + +-#: ../src/firewall-applet:221 ++#: ../src/firewall-applet:222 + msgid "" + "This feature is useful for people using the default zones mostly. 
For users, " + "that are changing zones of connections, it might be of limited use." +-msgstr "" +-"この機能はたいてい標準のゾーンを使用する人々にとって有用です。接続のゾーンを" +-"変更しているユーザーに対して、限定的に使用できます。" ++msgstr "この機能はたいてい標準のゾーンを使用する人々にとって有用です。接続のゾーンを変更しているユーザーに対して、限定的に使用できます。" + +-#: ../src/firewall-applet:230 ++#: ../src/firewall-applet:231 + msgid "Shields Up Zone:" + msgstr "シールド・アップ・ゾーン:" + +-#: ../src/firewall-applet:239 ../src/firewall-applet:252 ++#: ../src/firewall-applet:240 ../src/firewall-applet:253 + msgid "Reset To Default" + msgstr "デフォルトにリセット" + +-#: ../src/firewall-applet:243 ++#: ../src/firewall-applet:244 + msgid "Shields Down Zone:" + msgstr "シールド・ダウン・ゾーン:" + +-#: ../src/firewall-applet:335 ++#: ../src/firewall-applet:336 + #, c-format + msgid "About %s" + msgstr "%s について" + +-#: ../src/firewall-applet:386 ++#: ../src/firewall-applet:387 + msgid "Authors" + msgstr "作者" + +-#: ../src/firewall-applet:396 ++#: ../src/firewall-applet:397 + msgid "License" + msgstr "ライセンス" + +-#: ../src/firewall-applet:462 ++#: ../src/firewall-applet:463 + msgid "Shields Up" + msgstr "シールド・アップ" + +-#: ../src/firewall-applet:469 ++#: ../src/firewall-applet:470 + msgid "Enable Notifications" + msgstr "通知の有効化" + +-#: ../src/firewall-applet:475 ++#: ../src/firewall-applet:476 + msgid "Edit Firewall Settings..." + msgstr "ファイアウォール設定の編集..." + +-#: ../src/firewall-applet:479 ../src/firewall-config.glade.h:61 ++#: ../src/firewall-applet:480 ../src/firewall-config.glade.h:61 + msgid "Change Zones of Connections..." + msgstr "接続のゾーンの変更..." + +-#: ../src/firewall-applet:483 ++#: ../src/firewall-applet:484 + msgid "Configure Shields UP/Down Zones..." + msgstr "シールド・アップ/ダウン・ゾーンの設定..." 
+ +-#: ../src/firewall-applet:487 ++#: ../src/firewall-applet:488 + msgid "Block all network traffic" + msgstr "すべてのネットワーク・トラフィックのブロック" + +-#: ../src/firewall-applet:492 ++#: ../src/firewall-applet:493 + msgid "About" + msgstr "このアプリケーションについて" + +-#: ../src/firewall-applet:500 ../src/firewall-config:610 +-#: ../src/firewall-config:2330 ../src/firewall-config:2610 +-#: ../src/firewall-config:2636 ++#: ../src/firewall-applet:501 ../src/firewall-config:614 ++#: ../src/firewall-config:2363 ../src/firewall-config:2643 ++#: ../src/firewall-config:2669 + msgid "Connections" + msgstr "接続" + +-#: ../src/firewall-applet:504 ../src/firewall-config:612 +-#: ../src/firewall-config:2417 ../src/firewall-config:2613 +-#: ../src/firewall-config:2638 ../src/firewall-config.glade.h:129 ++#: ../src/firewall-applet:505 ../src/firewall-config:616 ++#: ../src/firewall-config:2450 ../src/firewall-config:2646 ++#: ../src/firewall-config:2671 ../src/firewall-config.glade.h:129 + msgid "Interfaces" + msgstr "インターフェース" + +-#: ../src/firewall-applet:508 ../src/firewall-config:614 +-#: ../src/firewall-config:2448 ../src/firewall-config:2616 +-#: ../src/firewall-config:2640 ../src/firewall-config.glade.h:134 ++#: ../src/firewall-applet:509 ../src/firewall-config:618 ++#: ../src/firewall-config:2481 ../src/firewall-config:2649 ++#: ../src/firewall-config:2673 ../src/firewall-config.glade.h:134 + msgid "Sources" + msgstr "送信元" + +-#: ../src/firewall-applet:584 ../src/firewall-config:2229 ++#: ../src/firewall-applet:585 ../src/firewall-config:2262 + msgid "Authorization failed." 
+ msgstr "認証に失敗しました。" + +-#: ../src/firewall-applet:586 ../src/firewall-config:2232 ++#: ../src/firewall-applet:587 ../src/firewall-config:2265 + msgid "Invalid name" + msgstr "不当な実引数 %s" + +-#: ../src/firewall-applet:590 ../src/firewall-config:2236 ++#: ../src/firewall-applet:591 ../src/firewall-config:2269 + msgid "Name already exists" + msgstr "名前がすでに存在します" + +-#: ../src/firewall-applet:675 ++#: ../src/firewall-applet:676 + msgid "{entry} (Zone: {zone})" + msgstr "{entry} (ゾーン: {zone})" + +-#: ../src/firewall-applet:681 ++#: ../src/firewall-applet:682 + msgid "{entry} (Default Zone: {default_zone})" + msgstr "{entry} (デフォルトゾーン: {default_zone})" + +-#: ../src/firewall-applet:762 ../src/firewall-config:1554 ++#: ../src/firewall-applet:763 ../src/firewall-config:1564 + msgid "Failed to get connections from NetworkManager" + msgstr "NetworkManager からの接続の取得に失敗しました" + +-#: ../src/firewall-applet:774 ../src/firewall-config:1366 ++#: ../src/firewall-applet:775 ../src/firewall-config:1376 + msgid "No NetworkManager imports available" + msgstr "利用可能な NetworkManager インポートがありません" + +-#: ../src/firewall-applet:852 ++#: ../src/firewall-applet:853 + msgid "No connection to firewall daemon" + msgstr "ファイアーウォール・デーモンへの接続がありません。" + +-#: ../src/firewall-applet:860 ../src/firewall-applet:995 ++#: ../src/firewall-applet:861 ../src/firewall-applet:996 + msgid "All network traffic is blocked." 
+ msgstr "すべてのネットワーク通信が遮断されます。" + +-#: ../src/firewall-applet:864 ++#: ../src/firewall-applet:865 + #, c-format + msgid "Default Zone: '%s'" + msgstr "標準ゾーン: '%s'" + +-#: ../src/firewall-applet:870 ++#: ../src/firewall-applet:871 + msgid "" + "Default Zone '{default_zone}' active for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 " +-"'{connection}' に対して有効化" ++"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 '{connection}' に対して有効化" + +-#: ../src/firewall-applet:873 ++#: ../src/firewall-applet:874 + msgid "" +-"Zone '{zone}' active for connection '{connection}' on interface '{interface}'" +-msgstr "" +-"ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対し" +-"て有効化" ++"Zone '{zone}' active for connection '{connection}' on interface " ++"'{interface}'" ++msgstr "ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対して有効化" + +-#: ../src/firewall-applet:885 ++#: ../src/firewall-applet:886 + msgid "Zone '{zone}' active for interface '{interface}'" + msgstr "ゾーン '{zone}' がインターフェース '{interface}' に対して有効化" + +-#: ../src/firewall-applet:893 ++#: ../src/firewall-applet:894 + msgid "Zone '{zone}' active for source {source}" + msgstr "ゾーン '{zone}' を送信元 {source} に対して有効化" + +-#: ../src/firewall-applet:897 ++#: ../src/firewall-applet:898 + msgid "No Active Zones." + msgstr "有効なゾーンがありません。" + +-#: ../src/firewall-applet:955 ++#: ../src/firewall-applet:956 + msgid "Connection to FirewallD established." + msgstr "FirewallD への接続が確立されました。" + +-#: ../src/firewall-applet:967 ++#: ../src/firewall-applet:968 + msgid "Connection to FirewallD lost." + msgstr "FirewallD への接続が失われました。" + +-#: ../src/firewall-applet:972 ++#: ../src/firewall-applet:973 + msgid "FirewallD has been reloaded." + msgstr "FirewallD が再読み込みされました。" + +-#: ../src/firewall-applet:977 ++#: ../src/firewall-applet:978 + #, c-format + msgid "Default zone changed to '%s'." 
+ msgstr "標準のゾーンを '%s' に変更しました。" + +-#: ../src/firewall-applet:996 ++#: ../src/firewall-applet:997 + msgid "Network traffic is not blocked anymore." + msgstr "ネットワーク通信が遮断されなくなります。" + +-#: ../src/firewall-applet:1022 ../src/firewall-applet:1076 ++#: ../src/firewall-applet:1023 ../src/firewall-applet:1077 + msgid "activated" + msgstr "有効化" + +-#: ../src/firewall-applet:1023 ../src/firewall-applet:1077 ++#: ../src/firewall-applet:1024 ../src/firewall-applet:1078 + msgid "deactivated" + msgstr "無効化" + +-#: ../src/firewall-applet:1028 ++#: ../src/firewall-applet:1029 + msgid "" + "Default zone '{default_zone}' {activated_deactivated} for connection " + "'{connection}' on interface '{interface}'" + msgstr "" +-"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 " +-"'{connection}' に対して {activated_deactivated} " ++"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 '{connection}' に対して " ++"{activated_deactivated} " + +-#: ../src/firewall-applet:1033 ++#: ../src/firewall-applet:1034 + msgid "" + "Zone '{zone}' {activated_deactivated} for connection '{connection}' on " + "interface '{interface}'" + msgstr "" +-"ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対し" +-"て {activated_deactivated}" ++"ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対して " ++"{activated_deactivated}" + +-#: ../src/firewall-applet:1038 ++#: ../src/firewall-applet:1039 + msgid "Zone '{zone}' {activated_deactivated} for interface '{interface}'" + msgstr "" +-"インターフェース '{interface}' に対してゾーン '{zone}' を " +-"{activated_deactivated} しました" ++"インターフェース '{interface}' に対してゾーン '{zone}' を {activated_deactivated} しました" + +-#: ../src/firewall-applet:1061 ++#: ../src/firewall-applet:1062 + #, c-format + msgid "Zone '%s' activated for interface '%s'" + msgstr "ゾーン '%s' をインターフェース '%s' に対して有効化しました" + +-#: ../src/firewall-applet:1079 ++#: ../src/firewall-applet:1080 + msgid "Zone '{zone}' {activated_deactivated} for source '{source}'" +-msgstr "" +-"ゾーン '{zone}' を送信元 '{source}' に対して 
{activated_deactivated} しました" ++msgstr "ゾーン '{zone}' を送信元 '{source}' に対して {activated_deactivated} しました" + +-#: ../src/firewall-applet:1103 ++#: ../src/firewall-applet:1104 + #, c-format + msgid "Zone '%s' activated for source '%s'" + msgstr "ゾーン '%s' を送信元 '%s' に対して有効化しました" + +-#: ../src/firewall-config:85 ++#: ../src/firewall-config:89 + msgid "Connection to firewalld established." + msgstr " firewalld への接続が確立されました。" + +-#: ../src/firewall-config:87 ++#: ../src/firewall-config:91 + msgid "Trying to connect to firewalld, waiting..." + msgstr "firewalld への接続を試行しています。お待ちください..." + +-#: ../src/firewall-config:88 ++#: ../src/firewall-config:92 + msgid "Changes applied." + msgstr "変更を適用しました。" + +-#: ../src/firewall-config:89 ++#: ../src/firewall-config:93 + #, c-format + msgid "Used by network connection '%s'" + msgstr "ネットワーク接続 '%s' により使用中" + +-#: ../src/firewall-config:90 ++#: ../src/firewall-config:94 + #, c-format + msgid "Default zone used by network connection '%s'" + msgstr "ネットワーク接続 '%s' で使用されるデフォルトゾーン" + +-#: ../src/firewall-config:92 ++#: ../src/firewall-config:96 + msgid "enabled" + msgstr "有効" + +-#: ../src/firewall-config:93 ++#: ../src/firewall-config:97 + msgid "disabled" + msgstr "無効" + +-#: ../src/firewall-config:117 ++#: ../src/firewall-config:121 + msgid "Failed to load icons." 
+ msgstr "アイコンの読み込みに失敗しました。" + +-#: ../src/firewall-config:393 ../src/firewall-config:2279 ++#: ../src/firewall-config:397 ../src/firewall-config:2312 + msgid "Runtime" + msgstr "実行時" + +-#: ../src/firewall-config:394 ++#: ../src/firewall-config:398 + msgid "Permanent" + msgstr "永続" + +-#: ../src/firewall-config:473 ../src/firewall-config.glade.h:137 ++#: ../src/firewall-config:477 ../src/firewall-config.glade.h:137 + msgid "Service" + msgstr "サービス" + +-#: ../src/firewall-config:480 ../src/firewall-config:527 +-#: ../src/firewall-config:552 ../src/firewall-config:789 +-#: ../src/firewall-config:977 ../src/firewall-config:1011 ++#: ../src/firewall-config:484 ../src/firewall-config:531 ++#: ../src/firewall-config:556 ../src/firewall-config:798 ++#: ../src/firewall-config:986 ../src/firewall-config:1020 + msgid "Port" + msgstr "ポート" + +-#: ../src/firewall-config:482 ../src/firewall-config:502 +-#: ../src/firewall-config:529 ../src/firewall-config:554 +-#: ../src/firewall-config:791 ../src/firewall-config:979 +-#: ../src/firewall-config:994 ../src/firewall-config:1013 +-#: ../src/firewall-config.glade.h:245 ++#: ../src/firewall-config:486 ../src/firewall-config:506 ++#: ../src/firewall-config:533 ../src/firewall-config:558 ++#: ../src/firewall-config:800 ../src/firewall-config:988 ++#: ../src/firewall-config:1003 ../src/firewall-config:1022 ++#: ../src/firewall-config.glade.h:247 + msgid "Protocol" + msgstr "プロトコル" + +-#: ../src/firewall-config:556 ++#: ../src/firewall-config:560 + msgid "To Port" + msgstr "送信先ポート" + +-#: ../src/firewall-config:558 ++#: ../src/firewall-config:562 + msgid "To Address" + msgstr "送信先アドレス" + +-#: ../src/firewall-config:608 ++#: ../src/firewall-config:612 + msgid "Bindings" + msgstr "バインディング" + +-#: ../src/firewall-config:642 ++#: ../src/firewall-config:647 ../src/firewall-config.glade.h:231 + msgid "Entry" + msgstr "エントリー" + +-#: ../src/firewall-config:764 ++#: ../src/firewall-config:773 + msgid "Icmp Type" + msgstr "ICMP タイプ" + +-#: 
../src/firewall-config:808 ++#: ../src/firewall-config:817 + msgid "Family" + msgstr "ファミリー" + +-#: ../src/firewall-config:810 ++#: ../src/firewall-config:819 + msgid "Action" + msgstr "アクション" + +-#: ../src/firewall-config:812 ++#: ../src/firewall-config:821 + msgid "Element" + msgstr "要素" + +-#: ../src/firewall-config:814 ++#: ../src/firewall-config:823 + msgid "Src" + msgstr "送信元" + +-#: ../src/firewall-config:816 ++#: ../src/firewall-config:825 + msgid "Dest" + msgstr "送信先" + +-#: ../src/firewall-config:818 ++#: ../src/firewall-config:827 + msgid "log" + msgstr "ログ" + +-#: ../src/firewall-config:820 ++#: ../src/firewall-config:829 + msgid "Audit" + msgstr "監査" + +-#: ../src/firewall-config:1593 ../src/firewall-config:2751 +-#: ../src/firewall-config:2799 ++#: ../src/firewall-config:1603 ../src/firewall-config:2784 ++#: ../src/firewall-config:2832 + msgid "Warning" + msgstr "警告" + +-#: ../src/firewall-config:1602 ++#: ../src/firewall-config:1612 + msgid "Error" + msgstr "エラー" + +-#: ../src/firewall-config:1995 ../src/firewall-config:3631 ++#: ../src/firewall-config:2018 ../src/firewall-config:3674 + msgid "accept" + msgstr "受信" + +-#: ../src/firewall-config:1997 ../src/firewall-config:3633 +-#: ../src/firewall-config:3781 ++#: ../src/firewall-config:2020 ../src/firewall-config:3676 ++#: ../src/firewall-config:3824 + msgid "reject" + msgstr "拒否" + +-#: ../src/firewall-config:2001 ../src/firewall-config:3638 ++#: ../src/firewall-config:2024 ../src/firewall-config:3681 + msgid "drop" + msgstr "廃棄" + +-#: ../src/firewall-config:2003 ../src/firewall-config:3640 +-#: ../src/firewall-config:3782 ++#: ../src/firewall-config:2026 ../src/firewall-config:3683 ++#: ../src/firewall-config:3825 + msgid "mark" + msgstr "マーク" + +-#: ../src/firewall-config:2006 ../src/firewall-config:2048 +-#: ../src/firewall-config:2053 ++#: ../src/firewall-config:2029 ../src/firewall-config:2073 ++#: ../src/firewall-config:2078 + msgid "limit" + msgstr "制限" + +-#: ../src/firewall-config:2022 
../src/firewall-config:3102 +-#: ../src/firewall-config:3277 ../src/firewall-config:3581 +-#: ../src/firewall-config.glade.h:275 ++#: ../src/firewall-config:2045 ../src/firewall-config:3135 ++#: ../src/firewall-config:3315 ../src/firewall-config:3621 ++#: ../src/firewall-config.glade.h:277 + msgid "service" + msgstr "サービス" + +-#: ../src/firewall-config:2024 ../src/firewall-config:3108 +-#: ../src/firewall-config:3279 ../src/firewall-config:3584 +-#: ../src/firewall-config.glade.h:276 ++#: ../src/firewall-config:2047 ../src/firewall-config:3141 ++#: ../src/firewall-config:3317 ../src/firewall-config:3624 ++#: ../src/firewall-config.glade.h:278 + msgid "port" + msgstr "ポート" + +-#: ../src/firewall-config:2027 ../src/firewall-config:3113 +-#: ../src/firewall-config:3288 ../src/firewall-config:3594 +-#: ../src/firewall-config.glade.h:277 ++#: ../src/firewall-config:2050 ../src/firewall-config:3146 ++#: ../src/firewall-config:3326 ../src/firewall-config:3634 ++#: ../src/firewall-config.glade.h:279 + msgid "protocol" + msgstr "プロトコル" + +-#: ../src/firewall-config:2029 ../src/firewall-config:3118 +-#: ../src/firewall-config:3608 ../src/firewall-config:3794 +-#: ../src/firewall-config.glade.h:281 ++#: ../src/firewall-config:2052 ../src/firewall-config:3151 ++#: ../src/firewall-config:3651 ../src/firewall-config:3837 ++#: ../src/firewall-config.glade.h:284 + msgid "masquerade" + msgstr "マスカレード" + +-#: ../src/firewall-config:2037 ../src/firewall-config:3135 +-#: ../src/firewall-config:3294 ../src/firewall-config:3610 +-#: ../src/firewall-config.glade.h:280 ++#: ../src/firewall-config:2062 ../src/firewall-config:3173 ++#: ../src/firewall-config:3334 ../src/firewall-config:3653 ++#: ../src/firewall-config.glade.h:283 + msgid "source-port" + msgstr "source-port" + +-#: ../src/firewall-config:2046 ++#: ../src/firewall-config:2071 + msgid "level" + msgstr "レベル" + +-#: ../src/firewall-config:2050 ../src/firewall-config:2055 ++#: ../src/firewall-config:2075 
../src/firewall-config:2080 + msgid "yes" + msgstr "はい" + +-#: ../src/firewall-config:2392 ../src/firewall-config:2432 +-#: ../src/firewall-config:2462 ../src/firewall-config.glade.h:88 ++#: ../src/firewall-config:2425 ../src/firewall-config:2465 ++#: ../src/firewall-config:2495 ../src/firewall-config.glade.h:88 + msgid "Zone" + msgstr "ゾーン" + +-#: ../src/firewall-config:2405 ++#: ../src/firewall-config:2438 + #, c-format + msgid "Default Zone: %s" + msgstr "デフォルトゾーン: %s" + +-#: ../src/firewall-config:2412 ../src/firewall-config:2443 +-#: ../src/firewall-config:2473 ++#: ../src/firewall-config:2445 ../src/firewall-config:2476 ++#: ../src/firewall-config:2506 + #, c-format + msgid "Zone: %s" + msgstr "ゾーン: %s" + +-#: ../src/firewall-config:2748 ++#: ../src/firewall-config:2781 + #, c-format + msgid "Zone '%s': Service '%s' is not available." + msgstr "ゾーン '%s': サービス '%s' が利用可能ではありません。" + +-#: ../src/firewall-config:2752 ../src/firewall-config:2800 ++#: ../src/firewall-config:2785 ../src/firewall-config:2833 + #: ../src/firewall-config.glade.h:162 + msgid "Remove" + msgstr "ゾーンの削除" + +-#: ../src/firewall-config:2752 ../src/firewall-config:2800 ++#: ../src/firewall-config:2785 ../src/firewall-config:2833 + msgid "Ignore" + msgstr "無視" + +-#: ../src/firewall-config:2796 ++#: ../src/firewall-config:2829 + #, c-format + msgid "Zone '%s': ICMP type '%s' is not available." + msgstr "ゾーン '%s': ICMP タイプ '%s' が利用可能ではありません。" + +-#: ../src/firewall-config:2951 ++#: ../src/firewall-config:2984 + msgid "Built-in zone, rename not supported." 
+ msgstr "組み込みのゾーンです。名前の変更はできません。" + +-#: ../src/firewall-config:3065 ../src/firewall-config:3556 +-#: ../src/firewall-config.glade.h:261 ++#: ../src/firewall-config:3098 ../src/firewall-config:3596 ++#: ../src/firewall-config.glade.h:263 + msgid "second" + msgstr "秒" + +-#: ../src/firewall-config:3066 ../src/firewall-config:3557 +-#: ../src/firewall-config.glade.h:262 ++#: ../src/firewall-config:3099 ../src/firewall-config:3597 ++#: ../src/firewall-config.glade.h:264 + msgid "minute" + msgstr "分" + +-#: ../src/firewall-config:3067 ../src/firewall-config:3558 +-#: ../src/firewall-config.glade.h:263 ++#: ../src/firewall-config:3100 ../src/firewall-config:3598 ++#: ../src/firewall-config.glade.h:265 + msgid "hour" + msgstr "時間" + +-#: ../src/firewall-config:3068 ../src/firewall-config:3559 +-#: ../src/firewall-config.glade.h:264 ++#: ../src/firewall-config:3101 ../src/firewall-config:3599 ++#: ../src/firewall-config.glade.h:266 + msgid "day" + msgstr "日" + +-#: ../src/firewall-config:3069 ../src/firewall-config:3560 +-#: ../src/firewall-config.glade.h:267 ++#: ../src/firewall-config:3102 ../src/firewall-config:3600 ++#: ../src/firewall-config.glade.h:269 + msgid "emergency" + msgstr "緊急" + +-#: ../src/firewall-config:3070 ../src/firewall-config:3561 +-#: ../src/firewall-config.glade.h:268 ++#: ../src/firewall-config:3103 ../src/firewall-config:3601 ++#: ../src/firewall-config.glade.h:270 + msgid "alert" + msgstr "アラート" + +-#: ../src/firewall-config:3071 ../src/firewall-config:3562 +-#: ../src/firewall-config.glade.h:269 ++#: ../src/firewall-config:3104 ../src/firewall-config:3602 ++#: ../src/firewall-config.glade.h:271 + msgid "critical" + msgstr "クリティカル" + +-#: ../src/firewall-config:3072 ../src/firewall-config:3563 +-#: ../src/firewall-config.glade.h:270 ++#: ../src/firewall-config:3105 ../src/firewall-config:3603 ++#: ../src/firewall-config.glade.h:272 + msgid "error" + msgstr "エラー" + +-#: ../src/firewall-config:3073 ../src/firewall-config:3564 +-#: 
../src/firewall-config.glade.h:271 ++#: ../src/firewall-config:3106 ../src/firewall-config:3604 ++#: ../src/firewall-config.glade.h:273 + msgid "warning" + msgstr "警告" + +-#: ../src/firewall-config:3074 ../src/firewall-config:3565 +-#: ../src/firewall-config.glade.h:272 ++#: ../src/firewall-config:3107 ../src/firewall-config:3605 ++#: ../src/firewall-config.glade.h:274 + msgid "notice" + msgstr "注意" + +-#: ../src/firewall-config:3075 ../src/firewall-config:3566 +-#: ../src/firewall-config.glade.h:273 ++#: ../src/firewall-config:3108 ../src/firewall-config:3606 ++#: ../src/firewall-config.glade.h:275 + msgid "info" + msgstr "情報" + +-#: ../src/firewall-config:3076 ../src/firewall-config:3567 +-#: ../src/firewall-config.glade.h:274 ++#: ../src/firewall-config:3109 ../src/firewall-config:3607 ++#: ../src/firewall-config.glade.h:276 + msgid "debug" + msgstr "デバッグ" + +-#: ../src/firewall-config:3121 ../src/firewall-config:3290 +-#: ../src/firewall-config:3597 ../src/firewall-config:3809 +-#: ../src/firewall-config.glade.h:278 ++#: ../src/firewall-config:3154 ../src/firewall-config:3328 ++#: ../src/firewall-config:3637 ../src/firewall-config:3852 ++#: ../src/firewall-config.glade.h:280 + msgid "icmp-block" + msgstr "icmp-block" + +-#: ../src/firewall-config:3126 ../src/firewall-config:3292 +-#: ../src/firewall-config:3600 ../src/firewall-config:3802 +-#: ../src/firewall-config.glade.h:279 ++#: ../src/firewall-config:3159 ../src/firewall-config:3330 ++#: ../src/firewall-config:3640 ../src/firewall-config.glade.h:281 ++msgid "icmp-type" ++msgstr "icmp-type" ++ ++#: ../src/firewall-config:3164 ../src/firewall-config:3332 ++#: ../src/firewall-config:3643 ../src/firewall-config:3845 ++#: ../src/firewall-config.glade.h:282 + msgid "forward-port" + msgstr "forward-port" + +-#: ../src/firewall-config:3269 ../src/firewall-config:3492 +-#: ../src/firewall-config:3516 ../src/firewall-config:3571 +-#: ../src/firewall-config:3698 ../src/firewall-config:3745 ++#: 
../src/firewall-config:3307 ../src/firewall-config:3532 ++#: ../src/firewall-config:3556 ../src/firewall-config:3611 ++#: ../src/firewall-config:3741 ../src/firewall-config:3788 + msgid "ipv4" + msgstr "IPv4" + +-#: ../src/firewall-config:3271 ../src/firewall-config:3494 +-#: ../src/firewall-config:3518 ../src/firewall-config:3573 +-#: ../src/firewall-config:3700 ../src/firewall-config:3747 ++#: ../src/firewall-config:3309 ../src/firewall-config:3534 ++#: ../src/firewall-config:3558 ../src/firewall-config:3613 ++#: ../src/firewall-config:3743 ../src/firewall-config:3790 + msgid "ipv6" + msgstr "IPv6" + +-#: ../src/firewall-config:4998 ++#: ../src/firewall-config:5057 + msgid "" +-"Forwarding to another system is only useful if the interface is " +-"masqueraded.\n" ++"Forwarding to another system is only useful if the interface is masqueraded.\n" + "Do you want to masquerade this zone ?" +-msgstr "" +-"他のシステムへの転送は、インターフェースがマスカレードされている場合のみ有用" +-"です。\n" ++msgstr "他のシステムへの転送は、インターフェースがマスカレードされている場合のみ有用です。\n" + "このゾーンをマスカレードしたいですか ?" + +-#: ../src/firewall-config:5361 ++#: ../src/firewall-config:5420 + msgid "Built-in service, rename not supported." + msgstr "組み込みのサービスです。名前の変更はできません。" + +-#: ../src/firewall-config:5570 ++#: ../src/firewall-config:5629 + msgid "Please enter an ipv4 address with the form address[/mask]." + msgstr "IPv4 アドレスを address[/mask] の形式で入力してください。" + +-#: ../src/firewall-config:5571 ++#: ../src/firewall-config:5630 + msgid "The mask can be a network mask or a number." + msgstr "mask は、ネットワークマスクもしくは数字で指定できます。" + +-#: ../src/firewall-config:5573 ++#: ../src/firewall-config:5632 + msgid "Please enter an ipv6 address with the form address[/mask]." + msgstr "IPv6 アドレスを address[/mask] の形式で入力してください。" + +-#: ../src/firewall-config:5574 ++#: ../src/firewall-config:5633 + msgid "The mask is a number." 
+ msgstr "mask は数字で指定します。" + +-#: ../src/firewall-config:5576 ++#: ../src/firewall-config:5635 + msgid "Please enter an ipv4 or ipv6 address with the form address[/mask]." +-msgstr "" +-"IPv4 もしくは IPv6 アドレスを address[/mask] の形式で入力してください。" ++msgstr "IPv4 もしくは IPv6 アドレスを address[/mask] の形式で入力してください。" + +-#: ../src/firewall-config:5577 ++#: ../src/firewall-config:5636 + msgid "" + "The mask can be a network mask or a number for ipv4.\n" + "The mask is a number for ipv6." +-msgstr "" +-"mask は、IPv4 の場合ネットワークマスクが指定できます。IPv6 の場合には数字で指" +-"定してください。" ++msgstr "mask は、IPv4 の場合ネットワークマスクが指定できます。IPv6 の場合には数字で指定してください。" + +-#: ../src/firewall-config:5750 ++#: ../src/firewall-config:5820 + msgid "Built-in ipset, rename not supported." + msgstr "組み込みの IPSet です。名前の変更はできません。" + +-#: ../src/firewall-config:5838 ../src/firewall-config:5920 ++#: ../src/firewall-config:5912 ../src/firewall-config:5994 + msgid "Please select a file" + msgstr "ファイルを選択してください" + +-#: ../src/firewall-config:5845 ../src/firewall-config:5927 ++#: ../src/firewall-config:5919 ../src/firewall-config:6001 + msgid "Text Files" + msgstr "テキストファイル" + +-#: ../src/firewall-config:5850 ../src/firewall-config:5932 ++#: ../src/firewall-config:5924 ../src/firewall-config:6006 + msgid "All Files" + msgstr "全ファイル" + +-#: ../src/firewall-config:6331 ../src/firewall-config:6360 ++#: ../src/firewall-config:6427 ../src/firewall-config:6456 + #: ../src/firewall-config.glade.h:40 + msgid "All" + msgstr "すべて" + +-#: ../src/firewall-config:6331 ../src/firewall-config:6360 ++#: ../src/firewall-config:6427 ../src/firewall-config:6456 + #: ../src/firewall-config.glade.h:41 + msgid "IPv4" + msgstr "IPv4" + +-#: ../src/firewall-config:6332 ../src/firewall-config:6360 ++#: ../src/firewall-config:6428 ../src/firewall-config:6456 + #: ../src/firewall-config.glade.h:42 + msgid "IPv6" + msgstr "IPv6" + +-#: ../src/firewall-config:6337 ++#: ../src/firewall-config:6433 + msgid "Built-in helper, rename not supported." 
+ msgstr "ビルトインヘルパーです。名前の変更はサポートされていません。" + +-#: ../src/firewall-config:6821 ++#: ../src/firewall-config:6923 + msgid "Built-in icmp, rename not supported." + msgstr "組み込みの ICMP です。名前の変更はできません。" + +-#: ../src/firewall-config:7894 ++#: ../src/firewall-config:7996 + #, c-format + msgid "Failed to read file '%s': %s" + msgstr "ファイル '%s' の読み込みに失敗しました: %s" + +-#: ../src/firewall-config:8026 ++#: ../src/firewall-config:8128 + #, c-format + msgid "Select zone for source %s" + msgstr "ソース %s のゾーンを選択する" +@@ -803,9 +791,7 @@ msgstr "送信先" + msgid "" + "If you enable local forwarding, you have to specify a port. This port has to " + "be different to the source port." +-msgstr "" +-"ローカル転送を有効にする場合、ポートを指定する必要があります。これはソース" +-"ポートと異なる必要があります。" ++msgstr "ローカル転送を有効にする場合、ポートを指定する必要があります。これはソースポートと異なる必要があります。" + + #: ../src/firewall-config.glade.h:30 + msgid "Local forwarding" +@@ -913,9 +899,7 @@ msgid "" + "runtime configuration. i.e. all runtime only changes done until reload are " + "lost with reload if they have not been also in permanent configuration." + msgstr "" +-"ファイアウォールルールを再読み込みします。現在の永続的な設定が新しい実行時の" +-"設定になります。つまり、永続的な設定に存在しない、再読み込みするまでに行われ" +-"た実行時の変更はすべて失われます。" ++"ファイアウォールルールを再読み込みします。現在の永続的な設定が新しい実行時の設定になります。つまり、永続的な設定に存在しない、再読み込みするまでに行われた実行時の変更はすべて失われます。" + + #: ../src/firewall-config.glade.h:60 + msgid "Change which zone a network connection belongs to." +@@ -957,9 +941,7 @@ msgstr "パニックモード" + msgid "" + "Lockdown locks firewall configuration so that only applications on lockdown " + "whitelist are able to change it." 
+-msgstr "" +-"ロックダウンにより、ロックダウン・ホワイトリストにあるアプリケーションのみが" +-"ファイアウォール設定を変更できるようにロックします。" ++msgstr "ロックダウンにより、ロックダウン・ホワイトリストにあるアプリケーションのみがファイアウォール設定を変更できるようにロックします。" + + #: ../src/firewall-config.glade.h:71 + msgid "Lockdown" +@@ -1012,16 +994,12 @@ msgstr "バインディングのゾー� + #: ../src/firewall-config.glade.h:83 + msgid "" + "Hide active runtime bindings of connections, interfaces and sources to zones" +-msgstr "" +-"接続のアクティブなランタイムバインディング、インターフェースおよびソースを" +-"ゾーンに対して非表示にします" ++msgstr "接続のアクティブなランタイムバインディング、インターフェースおよびソースをゾーンに対して非表示にします" + + #: ../src/firewall-config.glade.h:84 + msgid "" + "Show active runtime bindings of connections, interfaces and sources to zones" +-msgstr "" +-"接続のアクティブなランタイムバインディング、インターフェースおよびソースを" +-"ゾーンに対して表示します" ++msgstr "接続のアクティブなランタイムバインディング、インターフェースおよびソースをゾーンに対して表示します" + + #: ../src/firewall-config.glade.h:85 + msgid "Configuration:" +@@ -1033,8 +1011,7 @@ msgid "" + "configuration. Permanent configuration will be active after service or " + "system reload or restart." + msgstr "" +-"現在利用可能な設定。実行時の設定が実際に有効な設定です。永続的な設定は、サー" +-"ビスまたはシステムが再読み込みまたは再起動した後、有効になります。" ++"現在利用可能な設定。実行時の設定が実際に有効な設定です。永続的な設定は、サービスまたはシステムが再読み込みまたは再起動した後、有効になります。" + + #: ../src/firewall-config.glade.h:87 + msgid "" +@@ -1044,11 +1021,9 @@ msgid "" + "filters and rich rules. The zone can be bound to interfaces and source " + "addresses." + msgstr "" +-"firewalld ゾーンではゾーンに結び付けられているネットワーク接続、インター" +-"フェースおよび送信元アドレスの信頼レベルを定義します。サービス、ポート、プロ" +-"トコル、マスカレード、ポートとパケット転送、ICMP フィルター、高度なルールを組" +-"み合わせます。ゾーンはインターフェースや送信元アドレスに結び付けることができ" +-"ます。" ++"firewalld " ++"ゾーンではゾーンに結び付けられているネットワーク接続、インターフェースおよび送信元アドレスの信頼レベルを定義します。サービス、ポート、プロトコル、マスカレード、ポートとパケット転送、ICMP " ++"フィルター、高度なルールを組み合わせます。ゾーンはインターフェースや送信元アドレスに結び付けることができます。" + + #: ../src/firewall-config.glade.h:89 + msgid "Add Zone" +@@ -1072,9 +1047,7 @@ msgid "" + "are accessible from all hosts and networks that can reach the machine from " + "connections, interfaces and sources bound to this zone." 
+ msgstr "" +-"このゾーンで信頼できるサービスを定義することができます。このゾーンに結び付け" +-"られている接続、インターフェース、送信元からこのマシンに到達できるホストや" +-"ネットワークならいずれでも信頼できるサービスへのアクセスが可能になります。" ++"このゾーンで信頼できるサービスを定義することができます。このゾーンに結び付けられている接続、インターフェース、送信元からこのマシンに到達できるホストやネットワークならいずれでも信頼できるサービスへのアクセスが可能になります。" + + #: ../src/firewall-config.glade.h:94 + msgid "Services" +@@ -1084,9 +1057,7 @@ msgstr "サービス" + msgid "" + "Add additional ports or port ranges, which need to be accessible for all " + "hosts or networks that can connect to the machine." +-msgstr "" +-"このマシンに接続できるホストやネットワークがアクセスできなければならないポー" +-"トまたはポート範囲を追加します。" ++msgstr "このマシンに接続できるホストやネットワークがアクセスできなければならないポートまたはポート範囲を追加します。" + + #: ../src/firewall-config.glade.h:96 + msgid "Add Port" +@@ -1106,9 +1077,7 @@ msgstr "ポート" + + #: ../src/firewall-config.glade.h:100 + msgid "Add protocols, which need to be accessible for all hosts or networks." +-msgstr "" +-"すべてのホストやネットワークがアクセスできなければならないプロトコルを追加し" +-"ます。" ++msgstr "すべてのホストやネットワークがアクセスできなければならないプロトコルを追加します。" + + #: ../src/firewall-config.glade.h:101 + msgid "Add Protocol" +@@ -1130,9 +1099,7 @@ msgstr "プロトコル" + msgid "" + "Add additional source ports or port ranges, which need to be accessible for " + "all hosts or networks that can connect to the machine." +-msgstr "" +-"このマシンに接続できるすべてのホストやネットワークがアクセスできなければなら" +-"ないソースポートまたはポート範囲を追加します。" ++msgstr "このマシンに接続できるすべてのホストやネットワークがアクセスできなければならないソースポートまたはポート範囲を追加します。" + + #: ../src/firewall-config.glade.h:106 + msgid "Source Ports" +@@ -1144,10 +1111,8 @@ msgid "" + "network to the internet. Your local network will not be visible and the " + "hosts appear as a single address on the internet. Masquerading is IPv4 only." 
+ msgstr "" +-"マスカレード機能を使用するとローカルネットワークをインターネットに繋げるルー" +-"ターまたはホストをセットアップすることができます。ローカルネットワークはイン" +-"ターネット上からは見えなくなり、インターネット上ではホストが 1 つのアドレスと" +-"して表示されます。マスカレード機能は IPv4 限定です。" ++"マスカレード機能を使用するとローカルネットワークをインターネットに繋げるルーターまたはホストをセットアップすることができます。ローカルネットワークはインターネット上からは見えなくなり、インターネット上ではホストが " ++"1 つのアドレスとして表示されます。マスカレード機能は IPv4 限定です。" + + #: ../src/firewall-config.glade.h:108 + msgid "Masquerade zone" +@@ -1157,9 +1122,7 @@ msgstr "マスカレードゾーン" + msgid "" + "If you enable masquerading, IP forwarding will be enabled for your IPv4 " + "networks." +-msgstr "" +-"マスカレード機能を有効にすると、IPv4 ネットワークで IP フォワーディングが有効" +-"になります。" ++msgstr "マスカレード機能を有効にすると、IPv4 ネットワークで IP フォワーディングが有効になります。" + + #: ../src/firewall-config.glade.h:110 + msgid "Masquerading" +@@ -1172,10 +1135,8 @@ msgid "" + "system is only useful if the interface is masqueraded. Port forwarding is " + "IPv4 only." + msgstr "" +-"ローカルシステム上の任意のポートから別のポートへポート転送、ローカルシステム" +-"から別のシステムへのポート転送を行うためのエントリーを追加します。別のシステ" +-"ムへのポート転送についてはインターフェースがマスカレードされている場合にのみ" +-"有効です。ポート転送は IPv4 限定です。" ++"ローカルシステム上の任意のポートから別のポートへポート転送、ローカルシステムから別のシステムへのポート転送を行うためのエントリーを追加します。別のシステムへのポート転送についてはインターフェースがマスカレードされている場合にのみ有効です。ポート転送は " ++"IPv4 限定です。" + + #: ../src/firewall-config.glade.h:112 + msgid "Add Forward Port" +@@ -1195,27 +1156,24 @@ msgid "" + "messages between networked computers, but additionally for informational " + "messages like ping requests and replies." + msgstr "" +-"ICMP (Internet Control Message Protocol) は、主にネットワーク上の コンピュー" +-"タ間でエラーメッセージを送信するのに使用されますが、更には ping の要求や応答" +-"などの情報メッセージにも使用されます。" ++"ICMP (Internet Control Message Protocol) は、主にネットワーク上の " ++"コンピュータ間でエラーメッセージを送信するのに使用されますが、更には ping の要求や応答などの情報メッセージにも使用されます。" + + #: ../src/firewall-config.glade.h:116 + msgid "" + "Mark the ICMP types in the list, which should be rejected. All other ICMP " + "types are allowed to pass the firewall. The default is no limitation." 
+ msgstr "" +-"一覧内の拒否されるべき ICMP タイプをマークします。 その他すべての ICMP タイプ" +-"はファイアーウォールの通過が許可されます。 デフォルトでは無制限になっていま" +-"す。" ++"一覧内の拒否されるべき ICMP タイプをマークします。 その他すべての ICMP タイプはファイアーウォールの通過が許可されます。 " ++"デフォルトでは無制限になっています。" + + #: ../src/firewall-config.glade.h:117 + msgid "" + "If Invert Filter is enabled, marked ICMP entries are accepted and the others " + "are rejected. In a zone with the target DROP, they are dropped." + msgstr "" +-"反転フィルターが有効にされている場合、マークされた ICMP エントリーは受け入れ" +-"られ、それ以外は拒否されます。ターゲットが DROP のゾーンでは、それらは破棄さ" +-"れます。" ++"反転フィルターが有効にされている場合、マークされた ICMP エントリーは受け入れられ、それ以外は拒否されます。ターゲットが DROP " ++"のゾーンでは、それらは破棄されます。" + + #: ../src/firewall-config.glade.h:118 + msgid "Invert Filter" +@@ -1250,8 +1208,7 @@ msgid "" + "Add entries to bind interfaces to the zone. If the interface will be used by " + "a connection, the zone will be set to the zone specified in the connection." + msgstr "" +-"インターフェースをゾーンに割り当てるための項目を追加します。インターフェース" +-"が接続により使用される場合、ゾーンが接続で指定されたゾーンが設定されます。" ++"インターフェースをゾーンに割り当てるための項目を追加します。インターフェースが接続により使用される場合、ゾーンが接続で指定されたゾーンが設定されます。" + + #: ../src/firewall-config.glade.h:126 + msgid "Add Interface" +@@ -1271,10 +1228,9 @@ msgid "" + "to a MAC source address, but with limitations. Port forwarding and " + "masquerading will not work for MAC source bindings." + msgstr "" +-"ゾーンに送信元アドレスもしくはエリアをバインドするためにエントリーを追加しま" +-"す。送信元の MAC アドレスをバインドすることもできます。しかし、その場合に制約" +-"があります。ポートフォアーディングおよびマスカレーディングには、送信元 MAC ア" +-"ドレスのバインディングは機能しません。" ++"ゾーンに送信元アドレスもしくはエリアをバインドするためにエントリーを追加します。送信元の MAC " ++"アドレスをバインドすることもできます。しかし、その場合に制約があります。ポートフォアーディングおよびマスカレーディングには、送信元 MAC " ++"アドレスのバインディングは機能しません。" + + #: ../src/firewall-config.glade.h:131 + msgid "Add Source" +@@ -1296,9 +1252,7 @@ msgstr "ゾーン" + msgid "" + "A firewalld service is a combination of ports, protocols, modules and " + "destination addresses." 
+-msgstr "" +-"firewalld サービスとはポートやプロトコル、モジュール、送信先アドレスなどの組" +-"み合わせを指します。" ++msgstr "firewalld サービスとはポートやプロトコル、モジュール、送信先アドレスなどの組み合わせを指します。" + + #: ../src/firewall-config.glade.h:138 + msgid "Add Service" +@@ -1320,9 +1274,7 @@ msgstr "サービスの標準の読み� + msgid "" + "Add additional ports or port ranges, which need to be accessible for all " + "hosts or networks." +-msgstr "" +-"すべてのホストやネットワークからアクセスできることが必要な追加のポートか、" +-"ポートの範囲を追加します。" ++msgstr "すべてのホストやネットワークからアクセスできることが必要な追加のポートか、ポートの範囲を追加します。" + + #: ../src/firewall-config.glade.h:143 + msgid "Edit Entry" +@@ -1336,9 +1288,7 @@ msgstr "エントリーの削除" + msgid "" + "Add additional source ports or port ranges, which need to be accessible for " + "all hosts or networks." +-msgstr "" +-"すべてのホストやネットワークがアクセスできなければならないソースポートまたは" +-"ポート範囲を追加します。" ++msgstr "すべてのホストやネットワークがアクセスできなければならないソースポートまたはポート範囲を追加します。" + + #: ../src/firewall-config.glade.h:146 + msgid "Source Port" +@@ -1357,9 +1307,7 @@ msgid "" + "If you specify destination addresses, the service entry will be limited to " + "the destination address and type. If both entries are empty, there is no " + "limitation." +-msgstr "" +-"送信先アドレスを指定すると、サービスの項目が送信先アドレスとタイプに制限され" +-"ます。どちらの項目も空の場合、制限がありません。" ++msgstr "送信先アドレスを指定すると、サービスの項目が送信先アドレスとタイプに制限されます。どちらの項目も空の場合、制限がありません。" + + #: ../src/firewall-config.glade.h:150 + msgid "IPv4:" +@@ -1373,17 +1321,13 @@ msgstr "IPv6:" + msgid "" + "Services can only be changed in the permanent configuration view. The " + "runtime configuration of services is fixed." +-msgstr "" +-"サービスは永続的な設定の表示画面だけで変更できます。サービスの実行時の設定が" +-"変更されます。" ++msgstr "サービスは永続的な設定の表示画面だけで変更できます。サービスの実行時の設定が変更されます。" + + #: ../src/firewall-config.glade.h:153 + msgid "" + "An IPSet can be used to create white or black lists and is able to store for " + "example IP addresses, port numbers or MAC addresses. 
" +-msgstr "" +-"IPSet はホワイトリストもしくはブラックリストを作成でき、その中に、IPアドレス" +-"やポート番号、MAC アドレスの情報を格納できます。" ++msgstr "IPSet はホワイトリストもしくはブラックリストを作成でき、その中に、IPアドレスやポート番号、MAC アドレスの情報を格納できます。" + + #: ../src/firewall-config.glade.h:154 + msgid "IPSet" +@@ -1412,17 +1356,16 @@ msgid "" + "added by firewalld. Entries, that have been directly added with the ipset " + "command wil not be listed here." + msgstr "" +-"IPSet エントリーの一覧では、タイムアウトオプションを使用していない IPSet のエ" +-"ントリー、firewalld によって追加されたエントリーのみを確認することができま" +-"す。ipset コマンドを直接実行して追加したエントリーは表示されません。" ++"IPSet エントリーの一覧では、タイムアウトオプションを使用していない IPSet のエントリー、firewalld " ++"によって追加されたエントリーのみを確認することができます。ipset コマンドを直接実行して追加したエントリーは表示されません。" + + #: ../src/firewall-config.glade.h:160 + msgid "" + "This IPSet uses the timeout option, therefore no entries are visible here. " + "The entries should be taken care directly with the ipset command." + msgstr "" +-"この IPSet はタイムアウトオプションを使っています。従って、ここにはエントリー" +-"が表示されません。エントリーは ipset コマンドを直接実行する必要があります。" ++"この IPSet はタイムアウトオプションを使っています。従って、ここにはエントリーが表示されません。エントリーは ipset " ++"コマンドを直接実行する必要があります。" + + #: ../src/firewall-config.glade.h:161 + msgid "Add" +@@ -1442,8 +1385,8 @@ msgid "" + "A firewalld icmptype provides the information for an Internet Control " + "Message Protocol (ICMP) type for firewalld." + msgstr "" +-"firewalld の ICMP タイプは firewalld 用の Internet Control Message Protocol " +-"(ICMP) タイプの情報を提供します。" ++"firewalld の ICMP タイプは firewalld 用の Internet Control Message Protocol (ICMP) " ++"タイプの情報を提供します。" + + #: ../src/firewall-config.glade.h:166 + msgid "Add ICMP Type" +@@ -1463,16 +1406,13 @@ msgstr "ICMP タイプの初期値の読 + + #: ../src/firewall-config.glade.h:170 + msgid "Specify whether this ICMP Type is available for IPv4 and/or IPv6." +-msgstr "" +-"この ICMP タイプが IPv4 と IPv6 に対して利用可能であるかどうかを指定します。" ++msgstr "この ICMP タイプが IPv4 と IPv6 に対して利用可能であるかどうかを指定します。" + + #: ../src/firewall-config.glade.h:171 + msgid "" + "ICMP Types can only be changed in the permanent configuration view. 
The " + "runtime configuration of ICMP Types is fixed." +-msgstr "" +-"ICMP タイプは永続的な設定の表示画面だけで変更できます。ICMP タイプの実行時の" +-"設定は変更されます。" ++msgstr "ICMP タイプは永続的な設定の表示画面だけで変更できます。ICMP タイプの実行時の設定は変更されます。" + + #: ../src/firewall-config.glade.h:172 + msgid "" +@@ -1481,12 +1421,11 @@ msgid "" + "are using ports that are unrelated to the signaling connection and are " + "therefore blocked by the firewall without the helper." + msgstr "" ++"接続追跡ヘルパーはシグナルおよびデータ転送に異なるフローを使用しているプロトコルが機能するよう支援します。データ転送はシグナル接続とは関連のないポートを使用しているので、ヘルパーがないとファイアウォールでブロックされます。" + + #: ../src/firewall-config.glade.h:173 + msgid "Define ports or port ranges, which are monitored by the helper." +-msgstr "" +-"ポートもしくはポートの範囲を定義し、それをヘルパーによってモニタリングされま" +-"す。" ++msgstr "ポートもしくはポートの範囲を定義し、それをヘルパーによってモニタリングされます。" + + #: ../src/firewall-config.glade.h:174 + msgid "" +@@ -1495,11 +1434,8 @@ msgid "" + "commands, parameters and targets. Direct configuration should be used only " + "as a last resort when it is not possible to use other firewalld features." + msgstr "" +-"ダイレクト設定により、ファイアウォールにより直接アクセスできます。これらのオ" +-"プションは、ユーザーが iptables の基本的な概念、つまりテーブル、チェイン、コ" +-"マンド、パラメーター、ターゲットに関する知識を有していることを前提にしていま" +-"す。ダイレクト設定は、他のファイアウォール機能を使用できない場合に、最終手段" +-"としてのみ使用すべきです。" ++"ダイレクト設定により、ファイアウォールにより直接アクセスできます。これらのオプションは、ユーザーが iptables " ++"の基本的な概念、つまりテーブル、チェイン、コマンド、パラメーター、ターゲットに関する知識を有していることを前提にしています。ダイレクト設定は、他のファイアウォール機能を使用できない場合に、最終手段としてのみ使用すべきです。" + + #: ../src/firewall-config.glade.h:175 + msgid "" +@@ -1507,9 +1443,9 @@ msgid "" + "will be for iptables, with ipv6 for ip6tables and with eb for ethernet " + "bridges (ebtables)." 
+ msgstr "" +-"各オプションの ipv 引数は ipv4, ipv6, eb のどれかである必要があります。ipv4 " +-"を指定すると、iptables が使用されます。ipv6 を指定すると、ip6tables が使用さ" +-"れます。eb を指定すると、イーサネットブリッジ (ebtables) が使用されます。" ++"各オプションの ipv 引数は ipv4, ipv6, eb のどれかである必要があります。ipv4 を指定すると、iptables " ++"が使用されます。ipv6 を指定すると、ip6tables が使用されます。eb を指定すると、イーサネットブリッジ (ebtables) " ++"が使用されます。" + + #: ../src/firewall-config.glade.h:176 + msgid "Additional chains for use with rules." +@@ -1534,9 +1470,7 @@ msgstr "チェイン" + #: ../src/firewall-config.glade.h:181 + msgid "" + "Add a rule with the arguments args to a chain in a table with a priority." +-msgstr "" +-"ルールを args 引数とともに、テーブルにあるチェインに優先度を付けて追加しま" +-"す。" ++msgstr "ルールを args 引数とともに、テーブルにあるチェインに優先度を付けて追加します。" + + #: ../src/firewall-config.glade.h:182 + msgid "" +@@ -1547,11 +1481,8 @@ msgid "" + "after another one, use a low priority for the first and a higher for the " + "following." + msgstr "" +-"優先度はルールの順序をつけるために使用されます。優先度 0 はルールをチェインの" +-"最初に追加します。より高い優先度を持つルールがさらに下に追加されます。同じ優" +-"先度を持つルールは同じレベルになります。これらのルールの順序は固定されず、変" +-"更されるかもしれません。ルールを確実に他のルールの後ろに追加したい場合、最初" +-"に低い優先度を使用し、次により高い優先度を使用します。" ++"優先度はルールの順序をつけるために使用されます。優先度 0 " ++"はルールをチェインの最初に追加します。より高い優先度を持つルールがさらに下に追加されます。同じ優先度を持つルールは同じレベルになります。これらのルールの順序は固定されず、変更されるかもしれません。ルールを確実に他のルールの後ろに追加したい場合、最初に低い優先度を使用し、次により高い優先度を使用します。" + + #: ../src/firewall-config.glade.h:183 + msgid "Add Rule" +@@ -1575,15 +1506,12 @@ msgid "" + "not placed in special chains. All iptables, ip6tables and ebtables options " + "can be used." + msgstr "" +-"パススルールールは直接ファイアウォールに渡されるルールです。特別なチェインに" +-"置かれません。iptables, ip6tables, ebtables のすべてのオプションが使用できま" +-"す。" ++"パススルールールは直接ファイアウォールに渡されるルールです。特別なチェインに置かれません。iptables, ip6tables, ebtables " ++"のすべてのオプションが使用できます。" + + #: ../src/firewall-config.glade.h:188 + msgid "Please be careful with passthrough rules to not damage the firewall." 
+-msgstr "" +-"パススルールールを追加する場合、ファイアウォールを壊さないよう注意してくださ" +-"い。" ++msgstr "パススルールールを追加する場合、ファイアウォールを壊さないよう注意してください。" + + #: ../src/firewall-config.glade.h:189 + msgid "Add Passthrough" +@@ -1607,10 +1535,9 @@ msgid "" + "firewalld. It limits changes to the firewall. The lockdown whitelist can " + "contain commands, contexts, users and user ids." + msgstr "" +-"ロックダウン機能はユーザーとアプリケーションのポリシーの firewalld 向け軽量" +-"バージョンです。これにより、ファイアウォールへの変更が制限されます。ロックダ" +-"ウン・ホワイトリストは、コマンド、コンテキスト、ユーザーおよびユーザー ID を" +-"含められます。" ++"ロックダウン機能はユーザーとアプリケーションのポリシーの firewalld " ++"向け軽量バージョンです。これにより、ファイアウォールへの変更が制限されます。ロックダウン・ホワイトリストは、コマンド、コンテキスト、ユーザーおよびユーザー " ++"ID を含められます。" + + #: ../src/firewall-config.glade.h:194 + msgid "" +@@ -1618,9 +1545,8 @@ msgid "" + "service. To get the context of a running application use ps -e --" + "context." + msgstr "" +-"コンテキストは実行中のアプリケーションやサービスのセキュリティーコンテキスト" +-"(SELinux コンテキスト)です。実行中のアプリケーションのコンテキストを確認する" +-"には、ps -e --contextコマンドを使用します。" ++"コンテキストは実行中のアプリケーションやサービスのセキュリティーコンテキスト(SELinux " ++"コンテキスト)です。実行中のアプリケーションのコンテキストを確認するには、ps -e --contextコマンドを使用します。" + + #: ../src/firewall-config.glade.h:195 + msgid "Add Context" +@@ -1644,9 +1570,8 @@ msgid "" + "command lines starting with the command will match. If the '*' is not there " + "the absolute command inclusive arguments must match." + msgstr "" +-"ホワイトリストのコマンドがアスタリスク '*' で終わっている場合、そのコマンドか" +-"ら始まるすべてのコマンドラインに一致します。もし '*' がなければ、引数を含め、" +-"コマンドが完全に一致する必要があります。" ++"ホワイトリストのコマンドがアスタリスク '*' で終わっている場合、そのコマンドから始まるすべてのコマンドラインに一致します。もし '*' " ++"がなければ、引数を含め、コマンドが完全に一致する必要があります。" + + #: ../src/firewall-config.glade.h:200 + msgid "Add Command Line" +@@ -1705,20 +1630,20 @@ msgid "User Ids" + msgstr "ユーザー ID" + + #: ../src/firewall-config.glade.h:214 +-msgid "Default Zone:" +-msgstr "標準ゾーン:" +- +-#: ../src/firewall-config.glade.h:215 + msgid "Current default zone of the system." 
+ msgstr "現在のシステムの標準ゾーン。" + +-#: ../src/firewall-config.glade.h:216 ++#: ../src/firewall-config.glade.h:215 + msgctxt "" + "Meaning: Log of denied packets. But this is too long. LogDenied is also the " + "parameter used in firewalld.conf." + msgid "Log Denied:" + msgstr "拒否されたログ:" + ++#: ../src/firewall-config.glade.h:216 ++msgid "Panic Mode:" ++msgstr "パニックモード:" ++ + #: ../src/firewall-config.glade.h:217 + msgctxt "" + "Meaning: Log of denied packets. But this is too long. LogDenied is also the " +@@ -1731,235 +1656,238 @@ msgid "Lockdown:" + msgstr "ロックダウン:" + + #: ../src/firewall-config.glade.h:219 +-msgid "Panic Mode:" +-msgstr "パニックモード:" ++msgid "Default Zone:" ++msgstr "標準ゾーン:" + + #: ../src/firewall-config.glade.h:220 ++msgid "Interface" ++msgstr "インターフェース" ++ ++#: ../src/firewall-config.glade.h:221 + msgid "Base IPSet Settings" + msgstr "基本 IPSet 設定" + +-#: ../src/firewall-config.glade.h:221 ++#: ../src/firewall-config.glade.h:222 + msgid "Please configure base ipset settings:" + msgstr "基本IPSet設定を設定してください:" + +-#: ../src/firewall-config.glade.h:222 ++#: ../src/firewall-config.glade.h:223 + msgid "Type:" + msgstr "タイプ:" + +-#: ../src/firewall-config.glade.h:223 ++#: ../src/firewall-config.glade.h:224 + msgid "Timeout:" + msgstr "タイムアウト:" + +-#: ../src/firewall-config.glade.h:224 ++#: ../src/firewall-config.glade.h:225 + msgid "Hashsize:" + msgstr "ハッシュサイズ:" + +-#: ../src/firewall-config.glade.h:225 ++#: ../src/firewall-config.glade.h:226 + msgid "Maxelem:" + msgstr "最大要素:" + +-#: ../src/firewall-config.glade.h:226 ++#: ../src/firewall-config.glade.h:227 + msgid "Timeout value in seconds" + msgstr "タイムアウトの秒数" + +-#: ../src/firewall-config.glade.h:227 ++#: ../src/firewall-config.glade.h:228 + msgid "Initial hash size, default 1024" + msgstr "ハッシュサイズの初期値、デフォルトは 1024" + +-#: ../src/firewall-config.glade.h:228 ++#: ../src/firewall-config.glade.h:229 + msgid "Max number of elements, default 65536" + msgstr "要素の最大数、デフォルトは 65536" + +-#: 
../src/firewall-config.glade.h:229 ++#: ../src/firewall-config.glade.h:230 + msgid "Please select an ipset:" + msgstr "IPSet を選択してください:" + +-#: ../src/firewall-config.glade.h:230 ++#: ../src/firewall-config.glade.h:232 + msgid "Log Denied" + msgstr "拒否されたログ" + +-#: ../src/firewall-config.glade.h:231 ++#: ../src/firewall-config.glade.h:233 + msgid "Please select the log denied value:" + msgstr "拒否されたログの値を選択してください:" + +-#: ../src/firewall-config.glade.h:232 ++#: ../src/firewall-config.glade.h:234 + msgid "Mark" + msgstr "マーク" + +-#: ../src/firewall-config.glade.h:233 ++#: ../src/firewall-config.glade.h:235 + msgid "Please enter a mark with an optional mask." + msgstr "オプションのマスクと共にマークを入力してください。" + +-#: ../src/firewall-config.glade.h:234 ++#: ../src/firewall-config.glade.h:236 + msgid "The mark and the mask fields are both 32 bits wide unsigned numbers." + msgstr "マークとマスクフィールドはどちらも 32 ビットの符号なし数値になります。" + +-#: ../src/firewall-config.glade.h:235 ++#: ../src/firewall-config.glade.h:237 + msgid "Mark:" + msgstr "マーク:" + +-#: ../src/firewall-config.glade.h:236 ++#: ../src/firewall-config.glade.h:238 + msgid "Mask:" + msgstr "マスク:" + +-#: ../src/firewall-config.glade.h:237 ++#: ../src/firewall-config.glade.h:239 + msgid "Please select a netfilter conntrack helper:" + msgstr "netfilter conntrack ヘルパーを選択してください:" + +-#: ../src/firewall-config.glade.h:238 ++#: ../src/firewall-config.glade.h:240 + msgid "- Select -" + msgstr "- 選択 -" + +-#: ../src/firewall-config.glade.h:239 ++#: ../src/firewall-config.glade.h:241 + msgid "Other Module:" + msgstr "その他のモジュール:" + +-#: ../src/firewall-config.glade.h:240 ++#: ../src/firewall-config.glade.h:242 + msgid "Port and Protocol" + msgstr "ポートとプロトコル" + +-#: ../src/firewall-config.glade.h:241 ++#: ../src/firewall-config.glade.h:243 + msgid "Please enter a port and protocol." 
+ msgstr "ポートおよびプロトコルを入力してください。" + +-#: ../src/firewall-config.glade.h:242 ++#: ../src/firewall-config.glade.h:244 + msgid "Direct Rule" + msgstr "ダイレクトルール" + +-#: ../src/firewall-config.glade.h:243 ++#: ../src/firewall-config.glade.h:245 + msgid "Please select ipv and table, chain priority and enter the args." + msgstr "ipv、テーブル、チェイン優先度および引数を入力してください。" + +-#: ../src/firewall-config.glade.h:244 ++#: ../src/firewall-config.glade.h:246 + msgid "Priority:" + msgstr "優先度:" + +-#: ../src/firewall-config.glade.h:246 ++#: ../src/firewall-config.glade.h:248 + msgid "Please enter a protocol." + msgstr "プロトコルを入力してください。" + +-#: ../src/firewall-config.glade.h:247 ++#: ../src/firewall-config.glade.h:249 + msgid "Other Protocol:" + msgstr "他のプロトコル:" + +-#: ../src/firewall-config.glade.h:248 ++#: ../src/firewall-config.glade.h:250 + msgid "Rich Rule" + msgstr "高度なルール" + +-#: ../src/firewall-config.glade.h:249 ++#: ../src/firewall-config.glade.h:251 + msgid "Please enter a rich rule." + msgstr "高度なルールを入力してください。" + +-#: ../src/firewall-config.glade.h:250 ++#: ../src/firewall-config.glade.h:252 + msgid "For host or network white or blacklisting deactivate the element." 
+-msgstr "" +-"ホワイトリストまたはブラックリストにより、ホストまたはネットワークに対して要" +-"素を非アクティブ化します。" ++msgstr "ホワイトリストまたはブラックリストにより、ホストまたはネットワークに対して要素を非アクティブ化します。" + +-#: ../src/firewall-config.glade.h:251 ++#: ../src/firewall-config.glade.h:253 + msgid "Source:" + msgstr "送信元:" + +-#: ../src/firewall-config.glade.h:252 ++#: ../src/firewall-config.glade.h:254 + msgid "Destination:" + msgstr "送信先:" + +-#: ../src/firewall-config.glade.h:253 ++#: ../src/firewall-config.glade.h:255 + msgid "Log:" + msgstr "ログ:" + +-#: ../src/firewall-config.glade.h:254 ++#: ../src/firewall-config.glade.h:256 + msgid "Audit:" + msgstr "監査:" + +-#: ../src/firewall-config.glade.h:255 ++#: ../src/firewall-config.glade.h:257 + msgid "ipv4 and ipv6" + msgstr "IPv4 と IPv6" + +-#: ../src/firewall-config.glade.h:256 ++#: ../src/firewall-config.glade.h:258 + msgid "inverted" + msgstr "反転" + +-#: ../src/firewall-config.glade.h:257 ++#: ../src/firewall-config.glade.h:259 + msgid "" +-"To enable this Action has to be 'reject' and Family either 'ipv4' or " +-"'ipv6' (not both)." ++"To enable this Action has to be 'reject' and Family either 'ipv4' or 'ipv6' " ++"(not both)." 
+ msgstr "" +-"これを有効にするには、アクションを 'reject' にし、ファミリーを 'ipv4' または " +-"'ipv6' のいずれか (両方ではない) にする必要があります。" ++"これを有効にするには、アクションを 'reject' にし、ファミリーを 'ipv4' または 'ipv6' のいずれか (両方ではない) " ++"にする必要があります。" + +-#: ../src/firewall-config.glade.h:258 ++#: ../src/firewall-config.glade.h:260 + msgid "with Type:" + msgstr "タイプ:" + +-#: ../src/firewall-config.glade.h:259 ++#: ../src/firewall-config.glade.h:261 + msgid "With limit:" + msgstr "有効期限:" + +-#: ../src/firewall-config.glade.h:260 ++#: ../src/firewall-config.glade.h:262 + msgid "/" + msgstr "/" + +-#: ../src/firewall-config.glade.h:265 ++#: ../src/firewall-config.glade.h:267 + msgid "Prefix:" + msgstr "プレフィックス:" + +-#: ../src/firewall-config.glade.h:266 ++#: ../src/firewall-config.glade.h:268 + msgid "Level:" + msgstr "レベル:" + +-#: ../src/firewall-config.glade.h:282 ++#: ../src/firewall-config.glade.h:285 + msgid "Element:" + msgstr "要素:" + +-#: ../src/firewall-config.glade.h:283 ++#: ../src/firewall-config.glade.h:286 + msgid "Action:" + msgstr "アクション:" + +-#: ../src/firewall-config.glade.h:284 ++#: ../src/firewall-config.glade.h:287 + msgid "Base Service Settings" + msgstr "基本サービス設定" + +-#: ../src/firewall-config.glade.h:285 ++#: ../src/firewall-config.glade.h:288 + msgid "Please configure base service settings:" + msgstr "基本サービス設定を設定してください:" + +-#: ../src/firewall-config.glade.h:286 ++#: ../src/firewall-config.glade.h:289 + msgid "Please select a service." + msgstr "サービスを選択してください。" + +-#: ../src/firewall-config.glade.h:287 ++#: ../src/firewall-config.glade.h:290 + msgid "User ID" + msgstr "ユーザー ID" + +-#: ../src/firewall-config.glade.h:288 ++#: ../src/firewall-config.glade.h:291 + msgid "Please enter the user id." + msgstr "ユーザー ID を入力してください。" + +-#: ../src/firewall-config.glade.h:289 ++#: ../src/firewall-config.glade.h:292 + msgid "User name" + msgstr "ユーザー名" + +-#: ../src/firewall-config.glade.h:290 ++#: ../src/firewall-config.glade.h:293 + msgid "Please enter the user name." 
+ msgstr "ユーザー名を入力してください。" + +-#: ../src/firewall-config.glade.h:291 ++#: ../src/firewall-config.glade.h:294 + msgid "label" + msgstr "ラベル" + +-#: ../src/firewall-config.glade.h:292 ++#: ../src/firewall-config.glade.h:295 + msgid "Base Zone Settings" + msgstr "基本ゾーン設定" + +-#: ../src/firewall-config.glade.h:293 ++#: ../src/firewall-config.glade.h:296 + msgid "Please configure base zone settings:" + msgstr "基本ゾーン設定を設定してください:" + +-#: ../src/firewall-config.glade.h:294 ++#: ../src/firewall-config.glade.h:297 + msgid "Default Target" + msgstr "標準ターゲット" + +-#: ../src/firewall-config.glade.h:295 ++#: ../src/firewall-config.glade.h:298 + msgid "Target:" + msgstr "ターゲット:" ++ diff --git a/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch b/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch new file mode 100644 index 0000000..b796d31 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch 
@@ -0,0 +1,542 @@ +From bc6ba9d59f8070b0e76f127f16ef1cd99da90ffc Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Fri, 19 May 2017 15:35:54 +0200 +Subject: [PATCH 5/6] D-Bus interfaces: Fix GetAll for interfaces without + properties (RHBZ#1452017) + +Also: Make D-Bus error messages consistent in all interfaces. +(cherry picked from commit fb44764d1275958401e2e69161d997bfb6e02899) +--- + src/firewall/server/config.py | 115 +++++++++++++++++++-------------- + src/firewall/server/config_helper.py | 15 ++--- + src/firewall/server/config_icmptype.py | 15 ++--- + src/firewall/server/config_ipset.py | 15 ++--- + src/firewall/server/config_service.py | 15 ++--- + src/firewall/server/config_zone.py | 15 ++--- + src/firewall/server/firewalld.py | 71 ++++++++++++++------ + 7 files changed, 152 insertions(+), 109 deletions(-) + +diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py +index 55bfffbebe76..33f72027d048 100644 +--- a/src/firewall/server/config.py ++++ b/src/firewall/server/config.py +@@ -486,8 +486,8 @@ class FirewallDConfig(slip.dbus.service.Object): + "Lockdown", "IPv6_rpfilter", "IndividualCalls", + "LogDenied", "AutomaticHelpers" ]: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % prop) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % prop) + + value = self.config.get_firewalld_conf().get(prop) + +@@ -546,8 +546,8 @@ class FirewallDConfig(slip.dbus.service.Object): + return dbus.String(self._get_property(prop)) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % prop) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % prop) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -558,10 +558,17 @@ class FirewallDConfig(slip.dbus.service.Object): + 
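Review bot: The two fallback branches changed here (hunks at -486 and -546) now raise `InvalidArgs` with the text "does not exist", but D-Bus defines `org.freedesktop.DBus.Error.UnknownProperty` for exactly that case. I would use the prefix `"org.freedesktop.DBus.Error.UnknownProperty: "` so a caller can tell a wrong property name from a malformed argument; the same applies to the matching fallbacks in the other six files of this patch. Moving away from `AccessDenied` also changes what existing clients match on, which deserves a sentence in the commit message. Both enclosing functions start and end outside these hunks.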
property_name = dbus_to_python(property_name, str) + log.debug1("config.Get('%s', '%s')", interface_name, property_name) + +- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG: ++ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: ++ return self._get_dbus_property(property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, ++ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_dbus_property(property_name) + +@@ -572,16 +579,20 @@ class FirewallDConfig(slip.dbus.service.Object): + interface_name = dbus_to_python(interface_name, str) + log.debug1("config.GetAll('%s')", interface_name) + +- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG: ++ ret = { } ++ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: ++ for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", ++ "Lockdown", "IPv6_rpfilter", "IndividualCalls", ++ "LogDenied", "AutomaticHelpers" ]: ++ ret[x] = self._get_property(x) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, ++ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: ++ pass ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + +- ret = { } +- for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", +- "IPv6_rpfilter", "IndividualCalls", "LogDenied", +- "AutomaticHelpers" ]: +- ret[x] = self._get_property(x) + return dbus.Dictionary(ret, signature="sv") + + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) +@@ -595,49 +606,55 @@ class 
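Review bot: The context line `return self._get_dbus_property(property_name)` left after the new if/elif/else in the hunk at -558 is unreachable, because every branch above it now returns or raises. It should be removed, as the firewalld.py hunk at -196 in this same patch does with its trailing `return self._get_property(property_name)`. Leaving it in suggests a fall-through path that does not exist, which makes the interface check harder to audit. The method begins outside the hunk.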
FirewallDConfig(slip.dbus.service.Object): + property_name, new_value) + self.accessCheck(sender) + +- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG: +- raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) +- +- if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", +- "IPv6_rpfilter", "IndividualCalls", "LogDenied", +- "AutomaticHelpers" ]: +- if property_name == "MinimalMark": ++ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: ++ if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", ++ "IPv6_rpfilter", "IndividualCalls", ++ "LogDenied", "AutomaticHelpers" ]: ++ if property_name == "MinimalMark": ++ try: ++ int(new_value) ++ except ValueError: ++ raise FirewallError(errors.INVALID_MARK, new_value) + try: +- int(new_value) +- except ValueError: +- raise FirewallError(errors.INVALID_MARK, new_value) +- try: +- new_value = str(new_value) +- except: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ ++ new_value = str(new_value) ++ except: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ ++ (new_value, property_name)) ++ if property_name in [ "CleanupOnExit", "Lockdown", ++ "IPv6_rpfilter", "IndividualCalls" ]: ++ if new_value.lower() not in [ "yes", "no", ++ "true", "false" ]: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ + (new_value, property_name)) +- if property_name in [ "CleanupOnExit", "Lockdown", +- "IPv6_rpfilter", "IndividualCalls" ]: +- if new_value.lower() not in [ "yes", "no", "true", "false" ]: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ ++ if property_name == "LogDenied": ++ if new_value not in config.LOG_DENIED_VALUES: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ + (new_value, property_name)) +- if property_name == "LogDenied": +- if new_value not in config.LOG_DENIED_VALUES: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % 
\ ++ if property_name == "AutomaticHelpers": ++ if new_value not in config.AUTOMATIC_HELPERS_VALUES: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ + (new_value, property_name)) +- if property_name == "AutomaticHelpers": +- if new_value not in config.AUTOMATIC_HELPERS_VALUES: +- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ +- (new_value, property_name)) +- self.config.get_firewalld_conf().set(property_name, new_value) +- self.config.get_firewalld_conf().write() +- self.PropertiesChanged(interface_name, +- { property_name: new_value }, [ ]) +- elif property_name in [ "DefaultZone" ]: ++ self.config.get_firewalld_conf().set(property_name, new_value) ++ self.config.get_firewalld_conf().write() ++ self.PropertiesChanged(interface_name, ++ { property_name: new_value }, [ ]) ++ else: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, ++ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.PropertyReadOnly: " +- "Property '%s' is read-only" % property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' does not exist" % property_name) ++ "org.freedesktop.DBus.Error.UnknownInterface: " ++ "Interface '%s' does not exist" % interface_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_helper.py b/src/firewall/server/config_helper.py +index e3683e9b7788..23e30e04ba26 100644 +--- a/src/firewall/server/config_helper.py ++++ b/src/firewall/server/config_helper.py +@@ -92,9 +92,8 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + 
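Review bot: Writing `DefaultZone` through this setter (hunk at -595) now lands in the new inner `else` and is answered with "Property 'DefaultZone' does not exist", although GetAll in the same file returns that property. The removed branch `elif property_name in [ "DefaultZone" ]:` with its `PropertyReadOnly` raise should be kept inside the `DBUS_INTERFACE_CONFIG` case, ahead of the `InvalidArgs` fallback. The bare `except:` around `str(new_value)` is also carried over unchanged and would be safer as `except Exception:`. The method starts outside the hunk.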
return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -109,7 +108,7 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -123,7 +122,7 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -144,11 +143,11 @@ class FirewallDConfigHelper(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_icmptype.py 
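Review bot: The setter hunk at -144 raises `PropertyReadOnly` for every property name once the interface check passes, so a name that does not exist is reported as read-only. That is inconsistent with the "does not exist" answer the getter in this file now gives; the last hunks for config_icmptype.py, config_ipset.py, config_service.py and config_zone.py have the same shape. Testing the name first against the list GetAll iterates, `[ "name", "filename", "path", "default", "builtin" ]`, and raising the not-found error otherwise would make the two paths agree. The handler starts outside the hunk.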
b/src/firewall/server/config_icmptype.py +index 9f571ae98128..e1724550d740 100644 +--- a/src/firewall/server/config_icmptype.py ++++ b/src/firewall/server/config_icmptype.py +@@ -92,9 +92,8 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -109,7 +108,7 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -123,7 +122,7 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -144,11 +143,11 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ 
"Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py +index a1613c6933ab..8c647bc29ab9 100644 +--- a/src/firewall/server/config_ipset.py ++++ b/src/firewall/server/config_ipset.py +@@ -93,9 +93,8 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -110,7 +109,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -124,7 +123,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -145,11 +144,11 @@ class FirewallDConfigIPSet(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) 
+ + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_service.py b/src/firewall/server/config_service.py +index 6745e253f88a..47530d319bdb 100644 +--- a/src/firewall/server/config_service.py ++++ b/src/firewall/server/config_service.py +@@ -92,9 +92,8 @@ class FirewallDConfigService(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -109,7 +108,7 @@ class FirewallDConfigService(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -123,7 +122,7 @@ class FirewallDConfigService(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -144,11 +143,11 @@ class FirewallDConfigService(slip.dbus.service.Object): + if interface_name != 
config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/config_zone.py b/src/firewall/server/config_zone.py +index 42ec963549d8..f98f700bec59 100644 +--- a/src/firewall/server/config_zone.py ++++ b/src/firewall/server/config_zone.py +@@ -94,9 +94,8 @@ class FirewallDConfigZone(slip.dbus.service.Object): + return dbus.Boolean(self.obj.builtin) + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % \ +- property_name) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -111,7 +110,7 @@ class FirewallDConfigZone(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + return self._get_property(property_name) + +@@ -125,7 +124,7 @@ class FirewallDConfigZone(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % 
interface_name) + + ret = { } + for x in [ "name", "filename", "path", "default", "builtin" ]: +@@ -146,11 +145,11 @@ class FirewallDConfigZone(slip.dbus.service.Object): + if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 2f1f8234ab9c..8c4bd4f0c66a 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -184,8 +184,8 @@ class FirewallD(slip.dbus.service.Object): + + else: + raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' isn't exported (or may not exist)" % prop) ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % prop) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', + out_signature='v') +@@ -196,12 +196,19 @@ class FirewallD(slip.dbus.service.Object): + property_name = dbus_to_python(property_name, str) + log.debug1("Get('%s', '%s')", interface_name, property_name) + +- if interface_name != config.dbus.DBUS_INTERFACE: ++ if interface_name == config.dbus.DBUS_INTERFACE: ++ return self._get_property(property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, ++ config.dbus.DBUS_INTERFACE_DIRECT, ++ config.dbus.DBUS_INTERFACE_POLICIES, ++ config.dbus.DBUS_INTERFACE_IPSET ]: ++ raise dbus.exceptions.DBusException( ++ 
"org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) +- +- return self._get_property(property_name) ++ "Interface '%s' does not exist" % interface_name) + + @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s', + out_signature='a{sv}') +@@ -210,17 +217,24 @@ class FirewallD(slip.dbus.service.Object): + interface_name = dbus_to_python(interface_name, str) + log.debug1("GetAll('%s')", interface_name) + +- if interface_name != config.dbus.DBUS_INTERFACE: ++ ret = { } ++ if interface_name == config.dbus.DBUS_INTERFACE: ++ for x in [ "version", "interface_version", "state", ++ "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", ++ "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", ++ "nf_conntrack_helpers", "IPv4ICMPTypes", ++ "IPv6ICMPTypes" ]: ++ ret[x] = self._get_property(x) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, ++ config.dbus.DBUS_INTERFACE_DIRECT, ++ config.dbus.DBUS_INTERFACE_POLICIES, ++ config.dbus.DBUS_INTERFACE_IPSET ]: ++ pass ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) ++ "Interface '%s' does not exist" % interface_name) + +- ret = { } +- for x in [ "version", "interface_version", "state", +- "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", +- "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", +- "nf_conntrack_helpers", "IPv4ICMPTypes", "IPv6ICMPTypes" ]: +- ret[x] = self._get_property(x) + return dbus.Dictionary(ret, signature="sv") + + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) +@@ -234,14 +248,31 @@ class FirewallD(slip.dbus.service.Object): + new_value) + self.accessCheck(sender) + +- if interface_name != config.dbus.DBUS_INTERFACE: ++ if interface_name == config.dbus.DBUS_INTERFACE: ++ if property_name in [ 
"version", "interface_version", "state", ++ "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", ++ "IPSet", "IPSetTypes", ++ "nf_conntrack_helper_setting", ++ "nf_conntrack_helpers", "IPv4ICMPTypes", ++ "IPv6ICMPTypes" ]: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.PropertyReadOnly: " ++ "Property '%s' is read-only" % property_name) ++ else: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, ++ config.dbus.DBUS_INTERFACE_DIRECT, ++ config.dbus.DBUS_INTERFACE_POLICIES, ++ config.dbus.DBUS_INTERFACE_IPSET ]: ++ raise dbus.exceptions.DBusException( ++ "org.freedesktop.DBus.Error.InvalidArgs: " ++ "Property '%s' does not exist" % property_name) ++ else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.UnknownInterface: " +- "FirewallD does not implement %s" % interface_name) +- +- raise dbus.exceptions.DBusException( +- "org.freedesktop.DBus.Error.AccessDenied: " +- "Property '%s' is not settable" % property_name) ++ "Interface '%s' does not exist" % interface_name) + + @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') + def PropertiesChanged(self, interface_name, changed_properties, +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch new file mode 100644 index 0000000..cbffa21 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch 
@@ -0,0 +1,50 @@ +From f80a02d760b1810bb5a3021aabb78ed20f5e629d Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 22 May 2017 17:56:41 +0200 +Subject: [PATCH 2/6] firewall.core.fw: Get NAT helpers and store them + internally. + +The NAT helpers are stored internally to be able to use them in zones with the +conntrack helpers. + +This is needed for RHBZ#1452681 + +(cherry picked from commit f0109e044e5601fba20d42db24c25e8e8cf804a0) +--- + src/firewall/core/fw.py | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 8dbe59b6e3b5..4db856c4e17d 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -114,6 +114,7 @@ class Firewall(object): + self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS + self.nf_conntrack_helper_setting = 0 + self.nf_conntrack_helpers = { } ++ self.nf_nat_helpers = { } + + def individual_calls(self): + return self._individual_calls +@@ -203,8 +204,18 @@ class Firewall(object): + log.debug1(" %s: %s", key, ", ".join(values)) + else: + log.debug1("No conntrack helpers supported by the kernel.") ++ ++ self.nf_nat_helpers = functions.get_nf_nat_helpers() ++ if len(self.nf_nat_helpers) > 0: ++ log.debug1("NAT helpers supported by the kernel:") ++ for key,values in self.nf_nat_helpers.items(): ++ log.debug1(" %s: %s", key, ", ".join(values)) ++ else: ++ log.debug1("No NAT helpers supported by the kernel.") ++ + else: + self.nf_conntrack_helpers = { } ++ self.nf_nat_helpers = { } + log.warning("modinfo command is missing, not able to detect conntrack helpers.") + + def _start(self, reload=False, complete_reload=False): +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch new file mode 100644 index 0000000..9635f55 --- /dev/null 
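Review bot: The warning in the final `else:` branch of the second fw.py hunk still reads "not able to detect conntrack helpers", although that branch now also resets `self.nf_nat_helpers`. An operator reading the log cannot tell that NAT helper detection was skipped too. I would change the message to `log.warning("modinfo command is missing, not able to detect conntrack and NAT helpers.")`. The new emptiness test can be written `if self.nf_nat_helpers:` instead of `if len(self.nf_nat_helpers) > 0:`. The enclosing method starts before the hunk, so the condition guarding this `else:` is not visible here.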
+++ b/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch 
@@ -0,0 +1,58 @@ +From 3bcaadbc99a10634d5a7552d7398436ef836f428 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 22 May 2017 17:59:10 +0200 +Subject: [PATCH 3/6] firewall.core.fw_zone: Load NAT helpers with conntrack + helpers + +If a conntrack helper is used, then the NAT helper will automatically be loaded +also if there is a matching NAT helper. + +Fixes: RHBZ#1452681 +(cherry picked from commit af59d816c92e0391d118949542eb19bcf8b74580) +--- + src/firewall/core/fw_zone.py | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 2c99b0cbce8a..3089d12edd1b 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1155,9 +1155,15 @@ class FirewallZone(object): + _rule += [ "-j", "CT", "--helper", helper.name ] + self.__rule_source(rule.source, _rule) + zone_transaction.add_rule(ipv, _rule) ++ nat_module = module.replace("conntrack", "nat") ++ if nat_module in self._fw.nf_nat_helpers: ++ modules.append(nat_module) + else: + if helper.module not in modules: + modules.append(helper.module) ++ nat_module = helper.module.replace("conntrack", "nat") ++ if nat_module in self._fw.nf_nat_helpers: ++ modules.append(nat_module) + zone_transaction.add_modules(modules) + + target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], +@@ -1624,6 +1630,9 @@ class FirewallZone(object): + modules = [ ] + for helper in helpers: + modules.append(helper.module) ++ nat_module = helper.module.replace("conntrack", "nat") ++ if nat_module in self._fw.nf_nat_helpers: ++ modules.append(nat_module) + zone_transaction.add_modules(modules) + zone_transaction.add_chain("filter", "INPUT") + +@@ -1641,6 +1650,9 @@ class FirewallZone(object): + raise FirewallError( + errors.INVALID_HELPER, + "'%s' is not available in kernel" % module) ++ nat_module = helper.module.replace("conntrack", "nat") ++ if nat_module in self._fw.nf_nat_helpers: ++ zone_transaction.add_module(nat_module) + if 
helper.family != "" and helper.family != ipv: + # no support for family ipv, continue + continue +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch new file mode 100644 index 0000000..327e32d --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch 
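Review bot: The new `modules.append(nat_module)` calls in the -1155 and -1624 hunks of fw_zone.py have no membership test, while the neighbouring `helper.module` append in the -1155 hunk is guarded by `if helper.module not in modules:`. If two helpers map to the same module, the NAT module would be queued more than once; whether `add_modules` de-duplicates is not visible here, and the indentation is lost in this rendering, so please confirm. A guard such as `if nat_module in self._fw.nf_nat_helpers and nat_module not in modules:` keeps the list consistent with the existing check. The expression `replace("conntrack", "nat")` is also repeated four times and would read better as one small private helper with a comment stating the naming assumption. The enclosing methods start and end outside these hunks.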
@@ -0,0 +1,60 @@ +From 5a864808c03b703fd9073133fd185347703177c7 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 22 May 2017 17:50:40 +0200 +Subject: [PATCH 1/6] firewall.functions: New function get_nf_nat_helpers + +This function returns a dict { module: [helper, ..], .. } similar to +get_nf_conntrack_helpers but for NAT helpers only. NAT helpers are not part +of the dict that is returned by get_nf_conntrack_helpers as it only lists +connection tracking helpers. + +This is needed for RHBZ#1452681 + +(cherry picked from commit 577668e9b788e9982e90f331d934aaa8d79cae56) +--- + src/firewall/functions.py | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/functions.py b/src/firewall/functions.py +index 71d39a540754..07e65ab7c7f8 100644 +--- a/src/firewall/functions.py ++++ b/src/firewall/functions.py +@@ -25,7 +25,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName", + "firewalld_is_active", "tempFile", "readfile", "writefile", + "enable_ip_forwarding", "get_nf_conntrack_helper_setting", + "set_nf_conntrack_helper_setting", "get_nf_conntrack_helpers", +- "check_port", "check_address", ++ "get_nf_nat_helpers", "check_port", "check_address", + "check_single_address", "check_mac", "uniqify", "ppid_of_pid", + "max_zone_name_len", "checkUser", "checkUid", "checkCommand", + "checkContext", "joinArgs", "splitArgs", +@@ -351,6 +351,26 @@ def get_nf_conntrack_helpers(): + helpers.setdefault(module, [ ]).append(helper) + return helpers + ++def get_nf_nat_helpers(): ++ kver = os.uname()[2] ++ path = "/lib/modules/%s/kernel/net/netfilter/" % kver ++ helpers = { } ++ if os.path.isdir(path): ++ for filename in sorted(os.listdir(path)): ++ if not filename.startswith("nf_nat_"): ++ continue ++ module = filename.split(".")[0] ++ (status, ret) = runProg(COMMANDS["modinfo"], [ module, ]) ++ if status != 0: ++ continue ++ alias = None ++ for line in ret.split("\n"): ++ if 
line.startswith("description:") and "NAT helper" in line: ++ helper = module.replace("nf_nat_", "") ++ helper = helper.replace("_", "-") ++ helpers.setdefault(module, [ ]).append(helper) ++ return helpers ++ + def get_nf_conntrack_helper_setting(): + try: + return int(readfile("/proc/sys/net/netfilter/nf_conntrack_helper")[0]) +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch new file mode 100644 index 0000000..950b2b2 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch 
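Review bot: In `get_nf_nat_helpers` the assignment `alias = None` is never read and can be dropped; it looks carried over from the conntrack variant. The inner loop appends the helper once per `description:` line containing "NAT helper", and since the helper name depends only on `module`, a `break` after the `setdefault(...).append(helper)` line would avoid duplicate entries. The function has no docstring; I would add `"""Return { module: [helper, ..] } for nf_nat_* modules whose modinfo description mentions "NAT helper"."""`. A non-zero modinfo status is skipped silently, so a `log.debug1` there would help when a module is unexpectedly missing from the result, if the log object is available in functions.py.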
@@ -0,0 +1,72 @@ +From acc3cfe586947cd2d98d4b8b4303cca127ffc396 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 22 May 2017 18:07:03 +0200 +Subject: [PATCH 6/6] firewall.server.firewalld: New property for NAT helpers + supported by the kernel + +The property nf_nat_helpers provides a dict with the nat helpers in a similar +way as nf_conntrack_helpers. + +New description for the property nf_nat_helpers in firewalld.dbus man page. + +Related: RHBZ#1452681 +(cherry picked from commit 34558ad775afd9476c4ec5373b9bc9ee03a195af) +--- + doc/xml/firewalld.dbus.xml | 4 ++++ + src/firewall/server/firewalld.py | 11 +++++++---- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 52b5b3b0f955..92fe5c843dfc 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -467,6 +467,10 @@ + nf_conntrack_helpers - a{sas} - (ro) + The list of conntrack helpers supported by the kernel. + ++ ++ nf_nat_helpers - a{sas} - (ro) ++ The list of nat helpers supported by the kernel. ++ + + interface_version - s - (ro) + firewalld D-Bus interface version string. 
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 8c4bd4f0c66a..9c5d463de793 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -182,6 +182,9 @@ class FirewallD(slip.dbus.service.Object): + elif prop == "nf_conntrack_helpers": + return dbus.Dictionary(self.fw.nf_conntrack_helpers, "sas") + ++ elif prop == "nf_nat_helpers": ++ return dbus.Dictionary(self.fw.nf_nat_helpers, "sas") ++ + else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " +@@ -222,8 +225,8 @@ class FirewallD(slip.dbus.service.Object): + for x in [ "version", "interface_version", "state", + "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", + "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", +- "nf_conntrack_helpers", "IPv4ICMPTypes", +- "IPv6ICMPTypes" ]: ++ "nf_conntrack_helpers", "nf_nat_helpers", ++ "IPv4ICMPTypes", "IPv6ICMPTypes" ]: + ret[x] = self._get_property(x) + elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, + config.dbus.DBUS_INTERFACE_DIRECT, +@@ -253,8 +256,8 @@ class FirewallD(slip.dbus.service.Object): + "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", + "IPSet", "IPSetTypes", + "nf_conntrack_helper_setting", +- "nf_conntrack_helpers", "IPv4ICMPTypes", +- "IPv6ICMPTypes" ]: ++ "nf_conntrack_helpers", "nf_nat_helpers", ++ "IPv4ICMPTypes", "IPv6ICMPTypes" ]: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.PropertyReadOnly: " + "Property '%s' is read-only" % property_name) +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch new file mode 100644 index 0000000..5659c40 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch 
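Review bot: The property-name list is edited by hand in two places in firewalld.py (the `GetAll` loop at -222 and the `Set` membership test at -253), in addition to the `elif prop ==` chain in `_get_property`. A name missed in the `Set` list would be answered with InvalidArgs "does not exist" instead of PropertyReadOnly, and one missed in `GetAll` would simply be absent from the reply. A single class-level tuple used by both call sites removes that drift; the methods themselves start outside the hunks.

```python
# class-level constant on FirewallD; the name is a suggestion
_RO_PROPERTIES = (
    "version", "interface_version", "state",
    "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE",
    "IPSet", "IPSetTypes", "nf_conntrack_helper_setting",
    "nf_conntrack_helpers", "nf_nat_helpers",
    "IPv4ICMPTypes", "IPv6ICMPTypes",
)

# … unchanged: GetAll argument conversion and logging …
for x in self._RO_PROPERTIES:
    ret[x] = self._get_property(x)

# … unchanged: Set argument conversion and accessCheck …
if property_name in self._RO_PROPERTIES:
    # … unchanged: raise PropertyReadOnly …
```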
@@ -0,0 +1,35 @@ +From 930e9fae6babcffc6b74823d45d3bbf394e05cc9 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 22 May 2017 18:05:38 +0200 +Subject: [PATCH 4/6] firewalld.dbus: Add missing properties + nf_conntrach_helper_setting and nf_conntrack_helpers + +(cherry picked from commit 89a186db02dd3776dce4105d1266b4863b3b4e8b) +--- + doc/xml/firewalld.dbus.xml | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index de18ab2d514a..52b5b3b0f955 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -459,7 +459,15 @@ + IPv6ICMPTypes - as - (ro) + The list of supported IPv6 ICMP types. + +- ++ ++ nf_conntrach_helper_setting - b - (ro) ++ Kernel nf_conntrack_helper setting. ++ ++ ++ nf_conntrack_helpers - a{sas} - (ro) ++ The list of conntrack helpers supported by the kernel. ++ ++ + interface_version - s - (ro) + firewalld D-Bus interface version string. + +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch b/SOURCES/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch new file mode 100644 index 0000000..db219c1 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch 
@@ -0,0 +1,28 @@ +From cf50bd0004418abe1294f53b58387a181dfd2b51 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Thu, 8 Jun 2017 17:44:32 +0200 +Subject: [PATCH] firewall.core.fw_zone: Rich-rule ICMP type: Error only for + conflicting family + +Only raise error for an ICMP block in a rich-rule if a family has been +specified and conflicts with the ICMP destination. + +Fixes: RHBZ#1459921 +--- + src/firewall/core/fw_zone.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 4f3f18c0..f47222e4 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1425,6 +1425,9 @@ def __rule_prepare(self, enable, zone, rule, mark_id, zone_transaction): + raise FirewallError(errors.INVALID_RULE, + "IcmpBlock not usable with accept action") + if ict.destination and ipv not in ict.destination: ++ if rule.family is None: ++ # Add for IPv4 or IPv6 depending on ict.destination ++ continue + raise FirewallError( + errors.INVALID_RULE, + "Icmp%s %s not usable with %s" % \ diff --git a/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch b/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch new file mode 100644 index 0000000..b761380 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch 
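Review bot: The comment on the added `continue` in `__rule_prepare` says "Add for IPv4 or IPv6 depending on ict.destination", but the statement it annotates skips the current `ipv` rather than adding anything. I would reword it to describe the branch, for example `# no family given: skip this ipv; the rule is only generated for the families listed in ict.destination`. The loop over `ipv` and the rest of the function lie outside the hunk, so it is worth confirming that a rule whose ICMP type matches none of the iterated families is still reported somewhere instead of producing no rule at all.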
@@ -0,0 +1,44 @@ +From 4b8a12785c96c33a77eb59fdd1c088d25978f7d8 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 26 Jul 2017 10:10:19 -0400 +Subject: [PATCH] Add NFSv3 service. + +This is distinct from the NFS service (v4) because it also opens up UDP +ports. + +Fixes: RHBZ#1462088 +(cherry picked from commit a127d697177b78b7f9b766deb978efd95590a2ac) +--- + config/Makefile.am | 1 + + config/services/nfs3.xml | 7 +++++++ + 2 files changed, 8 insertions(+) + create mode 100644 config/services/nfs3.xml + +diff --git a/config/Makefile.am b/config/Makefile.am +index bdc5651c154c..1035c9f940a9 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -173,6 +173,7 @@ CONFIG_FILES = \ + services/ms-wbt.xml \ + services/mysql.xml \ + services/nfs.xml \ ++ services/nfs3.xml \ + services/nrpe.xml \ + services/ntp.xml \ + services/openvpn.xml \ +diff --git a/config/services/nfs3.xml b/config/services/nfs3.xml +new file mode 100644 +index 000000000000..4075d48211bd +--- /dev/null ++++ b/config/services/nfs3.xml +@@ -0,0 +1,7 @@ ++ ++ ++ NFS3 ++ The NFS3 protocol is used to share files. You will need to have the NFS tools installed and properly configure your NFS server for this option to be useful. ++ ++ ++ +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch b/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch new file mode 100644 index 0000000..2fd2eeb --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch 
@@ -0,0 +1,35 @@ +From 34b616a67585d42060ec6be376deb3dd3eb25353 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 6 Sep 2017 10:58:27 -0400 +Subject: [PATCH] Add missing ports to RH-Satellite-6 service + +Fixes: RHBZ#1422149 +--- + config/services/RH-Satellite-6.xml | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/config/services/RH-Satellite-6.xml b/config/services/RH-Satellite-6.xml +index 5462a6e673bb..76f4d97954db 100644 +--- a/config/services/RH-Satellite-6.xml ++++ b/config/services/RH-Satellite-6.xml +@@ -2,11 +2,16 @@ + + Red Hat Satellite 6 + Red Hat Satellite 6 is a systems management server that can be used to configure new systems, subscribe to updates, and maintain installations in distributed environments. ++ ++ ++ + + ++ + + +- ++ + ++ + + +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch b/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch new file mode 100644 index 0000000..241ebf3 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch 
@@ -0,0 +1,126 @@ +From c41e34a5a8fbda2731aa724e65dcc93aa9ab7b64 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 3 Aug 2017 15:06:57 -0400 +Subject: [PATCH] Reload nf_conntrack sysctls after the module is loaded + +Add a modprobe config file that will cause specified sysctls to be +reloaded after a given module is loaded. This is needed because sysctls +will go away and reappear when modules are unloaded which happens on a +firewalld restart. e.g. nf_conntrack_max. + +Fixes: RHBZ#1462977 +(cherry picked from commit 65434db736fa68a25e1ab417f6c330c03c5eafde) +--- + config/Makefile.am | 22 ++++++++++++++++++++-- + config/firewalld-sysctls.conf.in | 1 + + configure.ac | 1 + + firewalld.spec | 1 + + 4 files changed, 23 insertions(+), 2 deletions(-) + create mode 100644 config/firewalld-sysctls.conf.in + +diff --git a/config/Makefile.am b/config/Makefile.am +index 1035c9f940a9..a66ae05d8122 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -42,6 +42,7 @@ BUILT_SOURCES = \ + $(applet_desktop_DATA) \ + $(polkit1_action_DATA) \ + $(gsettings_SCHEMAS) \ ++ firewalld-sysctls.conf \ + firewalld.service + + @INTLTOOL_DESKTOP_RULE@ +@@ -51,7 +52,7 @@ BUILT_SOURCES = \ + + all: $(desktop_DATA) $(appdata_DATA) $(applet_desktop_DATA) $(polkit1_action_DATA) $(gsettings_SCHEMAS) + +-CLEANFILES = *~ *\# .\#* firewalld.service ++CLEANFILES = *~ *\# .\#* firewalld.service firewalld-sysctls.conf + + DISTCLEANFILES = \ + $(desktop_DATA) \ +@@ -246,6 +247,7 @@ EXTRA_DIST = \ + $(CONFIG_FILES) \ + $(dist_xmlschema_DATA) \ + firewalld.init \ ++ firewalld-sysctls.conf.in \ + firewalld.service.in \ + firewalld.sysconfig \ + macros.firewalld +@@ -253,6 +255,9 @@ EXTRA_DIST = \ + INSTALL_TARGETS = install-config + UNINSTALL_TARGETS = uninstall-config + ++INSTALL_TARGETS += install-modprobe.d ++UNINSTALL_TARGETS += uninstall-modprobe.d ++ + if USE_SYSTEMD + INSTALL_TARGETS += install-service + UNINSTALL_TARGETS += uninstall-service +@@ -275,11 +280,16 @@ edit = sed \ + -e 
's|@bindir[@]|$(bindir)|g' \ + -e 's|@sbindir[@]|$(sbindir)|g' \ + -e 's|@sysconfdir[@]|$(sysconfdir)|g' \ +- -e 's|@localstatedir[@]|$(localstatedir)|g' ++ -e 's|@localstatedir[@]|$(localstatedir)|g' \ ++ -e 's|@MODPROBE[@]|$(MODPROBE)|g' \ ++ -e 's|@SYSCTL[@]|$(SYSCTL)|g' + + firewalld.service: firewalld.service.in + $(edit) $< >$@ + ++firewalld-sysctls.conf: firewalld-sysctls.conf.in ++ $(edit) $< >$@ ++ + install-sysconfig: + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/sysconfig + $(INSTALL_DATA) $(srcdir)/firewalld.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/firewalld +@@ -312,6 +322,14 @@ uninstall-service: uninstall-sysconfig + rm -f $(DESTDIR)$(SYSTEMD_UNITDIR)/firewalld.service + rmdir $(DESTDIR)$(SYSTEMD_UNITDIR) || : + ++install-modprobe.d: ++ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/modprobe.d ++ $(INSTALL_DATA) firewalld-sysctls.conf $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf ++ ++uninstall-modprobe.d: ++ rm -f $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf ++ rmdir $(DESTDIR)$(sysconfdir)/modprobe.d || : ++ + install-config: + $(MKDIR_P) $(DESTDIR)$(sconfdir) + $(MKDIR_P) $(DESTDIR)$(sconfdir)/icmptypes +diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in +new file mode 100644 +index 000000000000..976027743e8f +--- /dev/null ++++ b/config/firewalld-sysctls.conf.in +@@ -0,0 +1 @@ ++install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system +diff --git a/configure.ac b/configure.ac +index e3525703819d..776e627b0fa0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -33,6 +33,7 @@ AC_PATH_PROG([KILL], [kill], [/usr/bin/kill]) + AC_PATH_PROG([MODINFO], [modinfo], [/sbin/modinfo]) + AC_PATH_PROG([MODPROBE], [modprobe], [/sbin/modprobe]) + AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod]) ++AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl]) + + GLIB_GSETTINGS + +diff --git a/firewalld.spec b/firewalld.spec +index 7f16f38d2932..476f9668d44f 100644 +--- 
a/firewalld.spec ++++ b/firewalld.spec +@@ -240,6 +240,7 @@ fi + %{_mandir}/man1/firewallctl*.1* + %{_mandir}/man1/firewalld*.1* + %{_mandir}/man5/firewall*.5* ++%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf + + %files -n python-firewall + %attr(0755,root,root) %dir %{python2_sitelib}/firewall +-- +2.12.0 + diff --git a/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch b/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch new file mode 100644 index 0000000..a681b93 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch 
@@ -0,0 +1,46 @@ +From a6f0c40b24ad977d7e32e4fd9cf87b57381f5e83 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 12 Sep 2017 01:13:55 +0200 +Subject: [PATCH 2/5] core: Log unsupported ICMP types as informational only + +iptables-1.4 lacks support for a number of ICMPv6 types. Since this is +not a problem per se, avoid unnecessarily alerting the user with two +warning messages for each of them. Instead, make these informational +messages only so the default configuration does not emit them. + +Fixes: RHBZ#1479951 +Signed-off-by: Phil Sutter +--- + src/firewall/core/fw.py | 2 +- + src/firewall/core/fw_icmptype.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index bc6ffe2dbc238..0dda11d49116a 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -502,7 +502,7 @@ class Firewall(object): + try: + self.icmptype.add_icmptype(obj) + except FirewallError as error: +- log.warning("%s: %s, ignoring for run-time." % \ ++ log.info1("%s: %s, ignoring for run-time." % \ + (obj.name, str(error))) + # add a deep copy to the configuration interface + self.config.add_icmptype(copy.deepcopy(obj)) +diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py +index 5bf1c7fe512c6..afe9f91d6bf6e 100644 +--- a/src/firewall/core/fw_icmptype.py ++++ b/src/firewall/core/fw_icmptype.py +@@ -67,7 +67,7 @@ class FirewallIcmpType(object): + else: + supported_icmps = [ ] + if obj.name.lower() not in supported_icmps: +- log.warning("ICMP type '%s' is not supported by the kernel for %s." % (obj.name, ipv)) ++ log.info1("ICMP type '%s' is not supported by the kernel for %s." % (obj.name, ipv)) + ipvs.remove(ipv) + if len(ipvs) != len(orig_ipvs): + if len(ipvs) < 1: +-- +2.13.1 + 
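Review bot: Both changed calls still build the message with `%` before handing it to the logger, whereas other calls on this page pass the arguments separately (`log.debug1(" %s: %s", key, ", ".join(values))`). Assuming `log.info1` accepts arguments the same way, I would write `log.info1("%s: %s, ignoring for run-time.", obj.name, str(error))` and `log.info1("ICMP type '%s' is not supported by the kernel for %s.", obj.name, ipv)`. Separately, after this change a type removed from `ipvs` in fw_icmptype.py is no longer visible at the default log level, so an icmp-block entry that does not apply for one family goes unreported unless verbosity is raised. A short comment at the `ipvs.remove(ipv)` line stating that this is intentional would help the next reader. Both enclosing methods start outside the hunks.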
diff --git a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch new file mode 100644 index 0000000..98856f0 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch @@ -0,0 +1,33 @@ +From 136d2309988f7c379f6439363b53c14404738d7a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 14 Sep 2017 11:43:41 +0200 +Subject: [PATCH 4/5] doc: firewall-cmd: Document --query-* options return + codes + +The "EXIT CODES" section didn't cover the fact that all --query-* +options return 1 if no error occurred but the query itself was not +successful. + +Fixes: RHBZ#1372716 +Signed-off-by: Phil Sutter +--- + doc/xml/firewall-cmd.xml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml +index bdb5767634aaa..0b54b0be999c8 100644 +--- a/doc/xml/firewall-cmd.xml ++++ b/doc/xml/firewall-cmd.xml +@@ -2281,6 +2281,9 @@ firewall-cmd --permanent --add-port=443/tcp + + + ++ ++ Note that return codes of --query-* options are special: Successful queries return 0, unsuccessful ones return 1 unless an error occurred in which case the table above applies. ++ + + + &seealso; +-- +2.13.1 + diff --git a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch new file mode 100644 index 0000000..a777411 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch 
@@ -0,0 +1,45 @@ +From 2243b7f14921a1d8b24c8090d531451e7ab9e0dd Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Mon, 11 Sep 2017 18:47:21 +0200 +Subject: [PATCH 1/5] doc: firewall-cmd: Document quirk in --reload option + +Contrary to what one might assume, --reload and --complete-reload leave +changes done via the direct interface in place. + +Fixes: RHBZ#1452137 +Signed-off-by: Phil Sutter +--- + doc/xml/firewall-cmd.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml +index bf4e7a0c21a9c..bdb5767634aaa 100644 +--- a/doc/xml/firewall-cmd.xml ++++ b/doc/xml/firewall-cmd.xml +@@ -132,6 +132,11 @@ + i.e. all runtime only changes done until reload are lost with reload + if they have not been also in permanent configuration. + ++ ++ Note: Runtime changes applied via the direct interface are not ++ affected and will therefore stay in place until firewalld daemon ++ is restarted completely. ++ + + + +@@ -141,6 +146,11 @@ + + Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules. + ++ ++ Note: Runtime changes applied via the direct interface are not ++ affected and will therefore stay in place until firewalld daemon ++ is restarted completely. ++ + + + +-- +2.13.1 + diff --git a/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch b/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch new file mode 100644 index 0000000..9765e2f --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch 
@@ -0,0 +1,51 @@ +From 68834a49d9d55bffdc4febeaf23a892011399a63 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 13 Sep 2017 22:03:31 +0200 +Subject: [PATCH 3/5] firewall-cmd: Use colors only if output is a TTY + +Use isatty() method to check whether output is a TTY or not (e.g. +redirected to a file or pipe) before enclosing error messages in TTY +color escape strings. + +While here, simplify things a bit by making print_and_exit() call +print_warning() internally, also adjust commented out code for colored +non-error messages. + +Fixes: RHBZ#1368544 +Signed-off-by: Phil Sutter +--- + src/firewall/command.py | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/firewall/command.py b/src/firewall/command.py +index 2dc1c509ae556..50bd4bd0f4103 100644 +--- a/src/firewall/command.py ++++ b/src/firewall/command.py +@@ -64,17 +64,19 @@ class FirewallCommand(object): + def print_warning(self, msg=None): + FAIL = '\033[91m' + END = '\033[00m' +- self.print_error_msg(FAIL + msg + END) ++ if sys.stderr.isatty(): ++ msg = FAIL + msg + END ++ self.print_error_msg(msg) + + def print_and_exit(self, msg=None, exit_code=0): + #OK = '\033[92m' +- FAIL = '\033[91m' +- END = '\033[00m' ++ #END = '\033[00m' + if exit_code > 1: +- self.print_error_msg(FAIL + msg + END) ++ self.print_warning(msg) + else: ++ #if sys.stdout.isatty(): ++ # msg = OK + msg + END + self.print_msg(msg) +- #self.print_msg(OK + msg + END) + sys.exit(exit_code) + + def fail(self, msg=None): +-- +2.13.1 + diff --git a/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch b/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch new file mode 100644 index 0000000..46ba775 --- /dev/null +++ b/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch 
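Review bot: `print_warning` keeps `msg=None` as its default, but the new TTY branch evaluates `FAIL + msg + END`, which raises TypeError when no message is passed. On a non-TTY the same call hands `None` to `print_error_msg`, so the two paths behave differently. I would guard the concatenation with `if msg is not None and sys.stderr.isatty():`. The check is made on `sys.stderr`, which assumes `print_error_msg` writes to stderr; that method is outside the hunk, so please confirm. `print_and_exit` now routes through `print_warning` for `exit_code > 1` and inherits the same default.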
@@ -0,0 +1,60 @@
+From 75f06cb4139f6f00dfe952eac84ff31d3db014cb Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 14 Sep 2017 12:05:09 +0200
+Subject: [PATCH 5/5] firewall-offline-cmd: Don't require root for help output
+
+Allow unprivileged users to retrieve help output.
+
+Fixes: RHBZ#1445214
+Signed-off-by: Phil Sutter
+---
+ src/firewall-offline-cmd | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd
+index 1b4550830b7bb..fccfb7251c4f5 100755
+--- a/src/firewall-offline-cmd
++++ b/src/firewall-offline-cmd
+@@ -43,9 +43,10 @@ from firewall.core.io.helper import helper_reader
+ from firewall.command import FirewallCommand
+
+ # check for root user
+-if os.getuid() != 0:
+- sys.stderr.write("You need to be root to run %s.\n" % sys.argv[0])
+- sys.exit(-1)
++def assert_root():
++ if os.getuid() != 0:
++ sys.stderr.write("You need to be root to run %s.\n" % sys.argv[0])
++ sys.exit(-1)
+
+ SYSTEM_CONFIG_FIREWALL = config.SYSCONFIGDIR + '/system-config-firewall'
+
+@@ -775,6 +776,8 @@ if len(sys.argv) > 1 and \
+ if a.help:
+ __usage()
+ sys.exit(0)
++ else:
++ assert_root()
+ if a.quiet:
+ # it makes no sense to use --quiet with these options
+ a.quiet = False
+@@ -809,6 +812,7 @@ elif len(sys.argv) > 1:
+ args = aux_args[:i+1] # all but not
+ args.append(joinArgs(aux_args[i+1:])) # add as one arg
+ else:
++ assert_root()
+ # migrate configuration from SYSTEM_CONFIG_FIREWALL
+ args = read_sysconfig_args()
+ if not args:
+@@ -1020,6 +1024,8 @@ if a.help:
+ __usage()
+ sys.exit(0)
+
++assert_root()
++
+ zone = a.zone
+ fw = Firewall_test()
+ fw.start()
+--
+2.13.1
+
diff --git a/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch b/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch
new file mode 100644
index 0000000..d1b695c
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch
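Review bot: `assert_root()` in src/firewall-offline-cmd has no docstring, and the comment `# check for root user` above it still reads as if the check ran at import time; a docstring such as `"""Exit with an error unless the real UID is 0; call before any code that reads or writes the firewalld configuration."""` would state the new contract. With the check moved from module level to three call sites, every path that touches configuration now has to remember the call: the `elif len(sys.argv) > 1:` branch relies on the later call near line 1024, which holds only if nothing in between needs root, and that code is outside the hunks. The check is a usability gate rather than an access control, since what protects the configuration is the ownership and mode of the files themselves.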
@@ -0,0 +1,47 @@
+From 8a8d61822d37639e1d952befc4528c32a3240dc5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 28 Nov 2017 20:56:38 +0100
+Subject: [PATCH] Fix and improve firewalld-sysctls.conf
+
+The output generated by the call to sysctl apparently messed up kernel
+module auto-loading via iptables. To reproduce:
+
+| # iptables -F INPUT
+| # rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack
+| # iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
+| iptables: No chain/target/match by that name.
+
+This is solved by silencing sysctl with '--quiet' parameter.
+
+Another (potential) issue is that module parameters passed to modprobe
+when manually loading nf_conntrack:
+
+| # modprobe --ignore-install nf_conntrack nf_conntrack_helper=1
+| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
+| Y
+| # rmmod nf_conntrack
+| # modprobe nf_conntrack nf_conntrack_helper=1
+| * Applying /usr/lib/sysctl.d/00-system.conf ...
+| * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
+| * Applying /usr/lib/sysctl.d/50-default.conf ...
+| * Applying /etc/sysctl.d/99-sysctl.conf ...
+| * Applying /etc/sysctl.conf ...
+| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
+| N
+
+This is fixed by adding $CMDLINE_OPTS as last parameter to the modprobe
+call as described in modprobe.conf(5).
+---
+ config/firewalld-sysctls.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in
+index 976027743e8f..945193f13c75 100644
+--- a/config/firewalld-sysctls.conf.in
++++ b/config/firewalld-sysctls.conf.in
+@@ -1 +1 @@
+-install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
++install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack $CMDLINE_OPTS && @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
+--
+2.12.0
+
diff --git a/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch b/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch
new file mode 100644
index 0000000..689b7a6
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch
@@ -0,0 +1,71 @@
+From 8ec42cd1041ba342c9f87f51b62f80be278f682b Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 21 Nov 2017 16:04:23 -0500
+Subject: [PATCH] firewalld: also reload dbus config interface for global
+ options
+
+These options require the firewall to be reloaded, but it was not also
+reloading the dbus config interface. The interface objects would end up
+pointing to stale cleanup()'d config objects (via firewall.core.fw
+reload()). Therefore we also need to reload/refresh the config
+interface.
+
+Fixes: rhbz 1514043
+---
+ src/firewall/core/fw.py | 6 ------
+ src/firewall/server/firewalld.py | 8 ++++++++
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 0dda11d49116..2a119b1dc4d4 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -1142,9 +1142,6 @@ class Firewall(object):
+ self._log_denied = value
+ self._firewalld_conf.set("LogDenied", value)
+ self._firewalld_conf.write()
+-
+- # now reload the firewall
+- self.reload()
+ else:
+ raise FirewallError(errors.ALREADY_SET, value)
+
+@@ -1163,9 +1160,6 @@ class Firewall(object):
+ self._automatic_helpers = value
+ self._firewalld_conf.set("AutomaticHelpers", value)
+ self._firewalld_conf.write()
+-
+- # now reload the firewall
+- self.reload()
+ else:
+ raise FirewallError(errors.ALREADY_SET, value)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 9c5d463de793..fc7422f12261 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -939,6 +939,10 @@ class FirewallD(slip.dbus.service.Object):
+ self.accessCheck(sender)
+ self.fw.set_log_denied(value)
+ self.LogDeniedChanged(value)
++ # must reload the firewall as well
++ self.fw.reload()
++ self.config.reload()
++ self.Reloaded()
+
+ @dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s')
+ @dbus_handle_exceptions
+@@ -969,6 +973,10 @@ class FirewallD(slip.dbus.service.Object):
+ self.accessCheck(sender)
+ self.fw.set_automatic_helpers(value)
+ self.AutomaticHelpersChanged(value)
++ # must reload the firewall as well
++ self.fw.reload()
++ self.config.reload()
++ self.Reloaded()
+
+ @dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s')
+ @dbus_handle_exceptions
+--
+2.12.0
+
diff --git a/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch b/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch
new file mode 100644
index 0000000..947ba42
--- /dev/null
+++ b/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch
@@ -0,0 +1,28 @@
+From b20345ad5db13cf9a8ca8f5cb036ef526ab6693b Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 12 Dec 2017 13:57:55 -0500
+Subject: [PATCH] services/high-availability: Add port 9929
+
+TCP/UDP 9929 is used by boothd and should be opened for
+high-availability.
+
+Resolves: RHBZ 1486143
+---
+ config/services/high-availability.xml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/config/services/high-availability.xml b/config/services/high-availability.xml
+index 002dd0e4a9d0..b6d14b793250 100644
+--- a/config/services/high-availability.xml
++++ b/config/services/high-availability.xml
+@@ -7,5 +7,7 @@
+
+
+
++
++
+
+
+--
+2.12.0
+
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
new file mode 100644
index 0000000..233b307
--- /dev/null
+++ b/SPECS/firewalld.spec
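Review bot: In src/firewall/server/firewalld.py both setters emit their change signal (`self.LogDeniedChanged(value)`, `self.AutomaticHelpersChanged(value)`) before `self.fw.reload()` and `self.config.reload()` run, so a D-Bus client reacting to the signal can query the config interface while it still holds the stale objects the commit message describes, and the signal goes out even if the reload then raises. Moving each signal to after `self.config.reload()` avoids both. The four added lines are identical in the two methods and could live in one private helper. Because `self.reload()` was removed from `Firewall.set_log_denied` and `set_automatic_helpers` in core/fw.py, any other caller of those methods now writes firewalld.conf without reloading the runtime; those callers are outside the hunks and should be checked. Both method bodies start above the hunks.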
@@ -0,0 +1,1292 @@ +%if (0%{?fedora} >= 13 || 0%{?rhel} > 7) +%global with_python3 1 +%if (0%{?fedora} >= 23 || 0%{?rhel} >= 8) +%global use_python3 1 +%endif +%endif + +Summary: A firewall daemon with D-Bus interface providing a dynamic firewall +Name: firewalld +Version: 0.4.4.4 +Release: 14%{?dist} +URL: http://www.firewalld.org +License: GPLv2+ +Source0: https://github.com/t-woerner/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch1: firewalld-0.4.4.3-qt4_applet.patch +Patch2: firewalld-0.4.4.3-exclude_firewallctl_rhbz#1374799.patch +Patch3: firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch +Patch4: firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch +Patch5: firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch +Patch6: firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch +Patch7: firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch +Patch8: firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch +Patch9: firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch +Patch10: firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch +Patch11: firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch +Patch12: firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch +Patch13: firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch +Patch14: firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch +Patch15: firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch +Patch16: firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch +Patch17: firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch +Patch18: firewalld-0.4.4.6-Add-NFSv3-service.patch +Patch19: firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch +Patch20: 
firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch +Patch21: firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch +Patch22: firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch +Patch23: firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch +Patch24: firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch +Patch25: firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch +Patch26: firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch +Patch27: firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch +Patch28: firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch + +BuildArch: noarch +BuildRequires: desktop-file-utils +BuildRequires: gettext +BuildRequires: intltool +# glib2-devel is needed for gsettings.m4 +BuildRequires: glib2, glib2-devel +BuildRequires: systemd-units +BuildRequires: docbook-style-xsl +BuildRequires: libxslt +BuildRequires: python2-devel +BuildRequires: iptables, ebtables, ipset +%if 0%{?with_python3} +BuildRequires: python3-devel +%endif #0%{?with_python3} +Requires: iptables, ebtables, ipset +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires: firewalld-filesystem = %{version}-%{release} +%if 0%{?use_python3} +Requires: python3-firewall = %{version}-%{release} +%else #0%{?use_python3} +Requires: python-firewall = %{version}-%{release} +%endif #0%{?use_python3} +Conflicts: selinux-policy < 3.13.1-118.el7 +Conflicts: squid < 7:3.5.10-1 +Conflicts: NetworkManager < 1:1.4.0-3.el7 + +%description +firewalld is a firewall service daemon that provides a dynamic customizable +firewall with a D-Bus interface. 
+ +%package -n python-firewall +Summary: Python2 bindings for firewalld +Provides: python2-firewall +Obsoletes: python2-firewall +Requires: dbus-python +Requires: python-slip-dbus +Requires: python-decorator +Requires: pygobject3-base +Conflicts: %{name} < 0.3.14 + +%description -n python-firewall +Python2 bindings for firewalld. + +%if 0%{?with_python3} +%package -n python3-firewall +Summary: Python3 bindings for firewalld +Requires: python3-dbus +Requires: python3-slip-dbus +Requires: python3-decorator +%if (0%{?fedora} >= 23 || 0%{?rhel} >= 8) +Requires: python3-gobject-base +%else +Requires: python3-gobject +%endif +Conflicts: %{name} < 0.3.14 + +%description -n python3-firewall +Python3 bindings for firewalld. +%endif #0%{?with_python3} + +%package -n firewalld-filesystem +Summary: Firewalld directory layout and rpm macros +Conflicts: %{name} < 0.3.13 + +%description -n firewalld-filesystem +This package provides directories and rpm macros which +are required by other packages that add firewalld configuration files. + +%package -n firewall-applet +Summary: Firewall panel applet +Requires: %{name} = %{version}-%{release} +Requires: firewall-config = %{version}-%{release} +Requires: hicolor-icon-theme +%if 0%{?use_python3} +Requires: python3-PyQt4 +Requires: python3-gobject +%else +Requires: PyQt4 +Requires: pygobject3-base +%endif +Requires: libnotify +Requires: NetworkManager-libnm +Requires: dbus-x11 + +%description -n firewall-applet +The firewall panel applet provides a status information of firewalld and also +the firewall settings. 
+ +%package -n firewall-config +Summary: Firewall configuration application +Requires: %{name} = %{version}-%{release} +Requires: hicolor-icon-theme +Requires: gtk3 +%if 0%{?use_python3} +Requires: python3-gobject +%else +Requires: pygobject3-base +%endif +Requires: NetworkManager-libnm +Requires: dbus-x11 + +%description -n firewall-config +The firewall configuration application provides an configuration interface for +firewalld. + +%prep +%setup -q +%patch1 -p1 -b .qt4_applet +%patch2 -p1 -b .exclude_firewallctl_rhbz#1374799 +%patch3 -p1 -b .support_sctp_and_dccp_rhbz#1429808 +%patch4 -p1 -b .fix_offline_remove_service_from_zone_rhbz#1438127 +%patch5 -p1 -b .fix_get_set_short_description_in_zone_rhbz#1416325 +%patch6 -p1 -b .man_pages_add_sctp_and_dccp_rhbz#1429808 +%patch7 -p1 -b .restore_wait_rhbz#1446162 +# Do not create backup files with -b .ovirt-services_rhbz#1449158 for patch8 +%patch8 -p1 +%patch9 -p1 -b .policy-choice_rhbz#1449754 +%patch10 -p1 -b .translation-update-ja_rhbz#1382652 +%patch11 -p1 -b .ipv6_icmptype_only_rich_rule_fix_rhbz#1459921 +%patch12 -p1 -b .functions-New-function-get_nf_nat_helpers-rhbz#1452681 +%patch13 -p1 -b .core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681 +%patch14 -p1 -b .core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681 +%patch15 -p1 -b .dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681 +%patch16 -p1 -b .D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017 +%patch17 -p1 -b .server.firewalld-New-property-for-NAT-helpe-rhbz#1452681 +# Do not create backup files with -b .Add-NFSv3-service_rhbz#1462088 for patch18 +%patch18 -p1 +%patch19 -p1 -b .Reload-nf_conntrack-sysctls-after-the-module-rhbz#1462977 +# Do not create backup files with -b .Add-missing-ports-to-RH-Satellite-6-service for patch20 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 -b .Fix-and-improve-firewalld-sysctls.conf +%patch27 -p1 -b 
.firewalld-also-reload-dbus-config-interface-for-glob +%patch28 -p1 +./autogen.sh + +%if 0%{?with_python3} +rm -rf %{py3dir} +cp -a . %{py3dir} +%if 0%{?use_python3} +sed -i -e 's|/usr/bin/python -Es|%{__python3} -Es|' %{py3dir}/fix_python_shebang.sh +sed -i 's|/usr/bin/python|%{__python3}|' %{py3dir}/config/lockdown-whitelist.xml +%endif #0%{?use_python3} +%endif #0%{?with_python3} + +%build +autoreconf --force -v --install --symlink +%configure --enable-sysconfig --enable-rpmmacros +make %{?_smp_mflags} + +%if 0%{?with_python3} +pushd %{py3dir} +autoreconf --force -v --install --symlink +%configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3} +make %{?_smp_mflags} +popd +%endif #0%{?with_python3} + +%install +%if 0%{?use_python3} +make -C src install-nobase_dist_pythonDATA PYTHON=%{__python2} DESTDIR=%{buildroot} +%else +make install PYTHON=%{__python2} DESTDIR=%{buildroot} +%endif #0%{?use_python3} + +%if 0%{?with_python3} +pushd %{py3dir} +%if 0%{?use_python3} +make install PYTHON=%{__python3} DESTDIR=%{buildroot} +%else +make -C src install-nobase_dist_pythonDATA PYTHON=%{__python3} DESTDIR=%{buildroot} +%endif #0%{?use_python3} +popd +%endif #0%{?with_python3} + +desktop-file-install --delete-original \ + --dir %{buildroot}%{_sysconfdir}/xdg/autostart \ + %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +desktop-file-install --delete-original \ + --dir %{buildroot}%{_datadir}/applications \ + %{buildroot}%{_datadir}/applications/firewall-config.desktop + +%find_lang %{name} --all-name + +%post +%systemd_post firewalld.service + +%preun +%systemd_preun firewalld.service + +%postun +%systemd_postun_with_restart firewalld.service + + +%post -n firewall-applet +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +%postun -n firewall-applet +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + 
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : +fi + +%posttrans -n firewall-applet +/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : + + +%post -n firewall-config +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +%postun -n firewall-config +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : +fi + +%posttrans -n firewall-config +/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : + +%files -f %{name}.lang +%doc COPYING README +%{_sbindir}/firewalld +%{_bindir}/firewall-cmd +%{_bindir}/firewall-offline-cmd +%dir %{_datadir}/bash-completion/completions +%{_datadir}/bash-completion/completions/firewall-cmd +%{_prefix}/lib/firewalld/icmptypes/*.xml +%{_prefix}/lib/firewalld/ipsets/README +%{_prefix}/lib/firewalld/services/*.xml +%{_prefix}/lib/firewalld/zones/*.xml +%{_prefix}/lib/firewalld/helpers/*.xml +%{_prefix}/lib/firewalld/xmlschema/check.sh +%{_prefix}/lib/firewalld/xmlschema/*.xsd +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld +%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf +%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones +%dir %{_datadir}/firewalld +%dir %{_datadir}/firewalld/tests +%{_datadir}/firewalld/tests +%defattr(0644,root,root) +%config(noreplace) %{_sysconfdir}/sysconfig/firewalld 
+#%attr(0755,root,root) %{_initrddir}/firewalld +%{_unitdir}/firewalld.service +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy +%{_mandir}/man1/firewall*cmd*.1* +%{_mandir}/man1/firewalld*.1* +%{_mandir}/man5/firewall*.5* +%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf + +%files -n python-firewall +%attr(0755,root,root) %dir %{python2_sitelib}/firewall +%attr(0755,root,root) %dir %{python2_sitelib}/firewall/config +%attr(0755,root,root) %dir %{python2_sitelib}/firewall/core +%attr(0755,root,root) %dir %{python2_sitelib}/firewall/core/io +%attr(0755,root,root) %dir %{python2_sitelib}/firewall/server +%{python2_sitelib}/firewall/*.py* +%{python2_sitelib}/firewall/config/*.py* +%{python2_sitelib}/firewall/core/*.py* +%{python2_sitelib}/firewall/core/io/*.py* +%{python2_sitelib}/firewall/server/*.py* + +%if 0%{?with_python3} +%files -n python3-firewall +%attr(0755,root,root) %dir %{python3_sitelib}/firewall +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__ +%{python3_sitelib}/firewall/__pycache__/*.py* +%{python3_sitelib}/firewall/*.py* +%{python3_sitelib}/firewall/config/*.py* +%{python3_sitelib}/firewall/config/__pycache__/*.py* +%{python3_sitelib}/firewall/core/*.py* 
+%{python3_sitelib}/firewall/core/__pycache__/*.py* +%{python3_sitelib}/firewall/core/io/*.py* +%{python3_sitelib}/firewall/core/io/__pycache__/*.py* +%{python3_sitelib}/firewall/server/*.py* +%{python3_sitelib}/firewall/server/__pycache__/*.py* +%endif #0%{?with_python3} + +%files -n firewalld-filesystem +%dir %{_prefix}/lib/firewalld +%dir %{_prefix}/lib/firewalld/helpers +%dir %{_prefix}/lib/firewalld/icmptypes +%dir %{_prefix}/lib/firewalld/ipsets +%dir %{_prefix}/lib/firewalld/services +%dir %{_prefix}/lib/firewalld/zones +%dir %{_prefix}/lib/firewalld/xmlschema +%{_rpmconfigdir}/macros.d/macros.firewalld + +%files -n firewall-applet +%{_bindir}/firewall-applet +%defattr(0644,root,root) +%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +%dir %{_sysconfdir}/firewall +%{_sysconfdir}/firewall/applet.conf +%{_datadir}/icons/hicolor/*/apps/firewall-applet*.* +%{_mandir}/man1/firewall-applet*.1* + +%files -n firewall-config +%{_bindir}/firewall-config +%defattr(0644,root,root) +%{_datadir}/firewalld/firewall-config.glade +%{_datadir}/firewalld/gtk3_chooserbutton.py* +%{_datadir}/firewalld/gtk3_niceexpander.py* +%{_datadir}/applications/firewall-config.desktop +%{_datadir}/appdata/firewall-config.appdata.xml +%{_datadir}/icons/hicolor/*/apps/firewall-config*.* +%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml +%{_mandir}/man1/firewall-config*.1* + +%changelog +* Tue Dec 12 2017 Eric Garver - 0.4.4.4-14 +- services/high-availability: Add port 9929 (RHBZ#1486143) + +* Wed Dec 06 2017 Eric Garver - 0.4.4.4-13 +- firewalld: also reload dbus config interface for global options + (RHBZ#1514043) + +* Wed Dec 06 2017 Eric Garver - 0.4.4.4-12 +- Fix and improve firewalld-sysctls.conf (RHBZ#1516881) + +* Mon Sep 18 2017 Phil Sutter - 0.4.4.4-11 +- core: Log unsupported ICMP types as informational only (RHBZ#1479951) +- doc: firewall-cmd: Document --query-* options return codes (RHBZ#1372716) +- doc: firewall-cmd: Document quirk in --reload option 
(RHBZ#1452137) +- firewall-cmd: Use colors only if output is a TTY (RHBZ#1368544) +- firewall-offline-cmd: Don't require root for help output (RHBZ#1445214) + +* Wed Sep 06 2017 Eric Garver - 0.4.4.4-10 +- Add missing ports to RH-Satellite-6 service (RHBZ#1422149) + +* Fri Aug 18 2017 Eric Garver - 0.4.4.4-9 +- Reload nf_conntrack sysctls after the module is loaded (RHBZ#1462977) + +* Sun Aug 13 2017 Eric Garver - 0.4.4.4-8 +- Add NFSv3 service (a127d697177b) (RHBZ#1462088) + +* Thu Aug 10 2017 Eric Garver - 0.4.4.4-7 +- firewall.functions: New function get_nf_nat_helpers (RHBZ#1452681) +- firewall.core.fw: Get NAT helpers and store them internally. (RHBZ#1452681) +- firewall.core.fw_zone: Load NAT helpers with conntrack helpers (RHBZ#1452681) +- firewalld.dbus: Add missing properties nf_conntrach_helper_setting and + nf_conntrack_helpers (RHBZ#1452681) +- D-Bus interfaces: Fix GetAll for interfaces without properties (RHBZ#1452017) +- firewall.server.firewalld: New property for NAT helpers supported by the + kernel (RHBZ#1452681) + +* Mon Jun 12 2017 Thomas Woerner - 0.4.4.4-6 +- IPv6 ICMP type only rich-rule fix (cf50bd0) (RHBZ#1459921) + +* Wed May 31 2017 Thomas Woerner - 0.4.4.4-5 +- Translation update for japanese (RHBZ#1382652) + +* Wed May 17 2017 Thomas Woerner - 0.4.4.4-4 +- Add services for oVirt: ovirt-imageio, ovirt-vmconsole, ovirt-storageconsole, + ctbc and nrpe (RHBZ#1449158) +- Fix policy issue with the choice policies by using the .policy.choice + extension (RHBZ#1449754) + +* Wed May 3 2017 Thomas Woerner - 0.4.4.4-3 +- Fix --{set,get}-{short,description} for zones (RHBZ#1416325) +- Man pages: Add sctp and dccp for ports, ... 
(RHBZ#1429808) +- Add support for new wait option in restore commands (RHBZ#1446162) + +* Wed Apr 5 2017 Thomas Woerner - 0.4.4.4-2 +- Add support for sctp and dccp in ports, source-ports and forward-ports + (RHBZ#1429808) +- Fix firewall-offline-cmd --remove-service-from-zone= option (RHBZ#1438127) + +* Mon Mar 27 2017 Thomas Woerner - 0.4.4.4-1 +- Rebase to firewalld-0.4.4.4 + http://www.firewalld.org/2017/03/firewalld-0-4-4-4-release +- Drop references to fedorahosted.org from spec file and Makefile.am, use + archive from github +- Fix inconsistent ordering of rules in INPUT_ZONE_SOURCE (issue#166) + (RHBZ#1421222) +- Fix ipset overloading from /etc/firewalld/ipsets (RHBZ#1423941) +- Fix permanent rich rules using icmp-type elements (RHBZ#1434763) +- firewall-config: Deactivate edit, remove, .. buttons if there are no items +- Check if ICMP types are supported by kernel before trying to use them + (RHBZ#1401978) +- firewall-config: Show invalid ipset type in the ipset configuration dialog + in a special label (RHBZ#1419058) + +* Fri Feb 10 2017 Thomas Woerner - 0.4.4.3-2 +- Drop ghost flag on policy file again + +* Wed Feb 8 2017 Thomas Woerner - 0.4.4.3-1 +- Rebase to firewalld-0.4.4.3 (RHBZ#1414584) +- Support disabled automatic helper assignment in firewalld (RHBZ#1006225) +- Fix masquerade rules to be created always the same (RHBZ#1374001) +- Properly handle quoted ifcfg file values (RHBZ#1395348) +- Fix extension of ifcfg backup files (RHBZ#1400478) +- Complete icmp types list (RHBZ#1401978) +- Fix LOG rule placement for LogDenied (RHBZ#1402932) +- Show error messages from NM and do not trace back (RHBZ#1405562) +- Support icmp-type usage in rich rules (RHBZ#1409544) +- New service file for freeipa-trust (RHBZ#1411650) +- Fix --{set,get}-{short,description} for ipset in commands (RHBZ#1416325) +- Speed up large ipset file loading and import (RHBZ#1416817) +- Improve support for ipsets in firewalld (RHBZ#1419058) +- ALREADY_ errors should result in warnings 
and zero exit code (RHBZ#1420457) + +* Wed Feb 8 2017 Thomas Woerner - 0.4.3.2-10 +- Fix LOG rule placement for LogDenied (RHBZ#1402932) + +* Thu Jan 5 2017 Thomas Woerner - 0.4.3.2-9 +- Fix ZONE being blanked in ifcfg on reboot (RHBZ#1381314) + +* Mon Sep 12 2016 Thomas Woerner - 0.4.3.2-8 +- Exclude firewallctl (RHBZ#1374799) + +* Tue Sep 6 2016 Thomas Woerner - 0.4.3.2-7 +- Tolerate ipv6_rpfilter fail (RHBZ#1285769) +- Fix set_rules to copy the rule before extracting the table (RHBZ#1373260) +- Translation update (RHBZ#1273296) +- Conflict with NetworkManager < 1:1.4.0-3.el7 (RHBZ#1366288) + +* Tue Aug 30 2016 Thomas Woerner - 0.4.3.2-6 +- Do not use exit code 254 for {ALREADY,NOT}_ENABLED sequences (RHBZ#1366654) +- Fail with NOT_AUTHORIZED if authorization fails (RHBZ#1368549) +- firewall-cmd: Fix get and set description for permanent zones (RHBZ#1368949) +- Fix loading of service helpers in active zones (RHBZ#1371116) + +* Tue Aug 16 2016 Thomas Woerner - 0.4.3.2-5 +- Print errors and warnings to stderr additional patch (RHBZ#1360894) +- Fixed trace back in firewallctl (RHBZ#1367155) +- Fix client crash if systembus can not be aquired (RHBZ#1367038) +- Make ALREADY_ENABLED a warning (RHBZ#1366654) +- Added conflict to old squid package providing the squid.service file + (RHBZ#1366308) +- Fixed firewall-cmd help typo (RHBZ#1367171) + +* Wed Aug 10 2016 Thomas Woerner - 0.4.3.2-4 +- Fixed firewall-config gettext usage (RHBZ#1361612) +- Fixed ifcfg file reader and writer (RHBZ#1362171) +- Fixed loading ipset entries from file in commands (RHBZ#1365198) +- Added conflicts to old main package to sub packages (RHBZ#1361669) +- Do not show settings of zones etc. 
without authentication (RHBZ#1357098) +- Fixed CVE-2016-5410 (RHBZ#1359296) + +* Thu Jul 28 2016 Thomas Woerner - 0.4.3.2-3 +- Fix test suite for command change (RHBZ#1360871) +- Fix test suite with stderr usage (RHBZ#1360894) +- Rebuild for wrong docdir without version (RHBZ#1057327#c7) + +* Wed Jul 27 2016 Thomas Woerner - 0.4.3.2-2 +- Updated conflict for selinux-policy (RHBZ#1304723) +- Fixed exit codes in command line clients (RHBZ#1357050) +- Fixed traceback in firewall-cmd without args (RHBZ#1357063) +- Fixed source docs in man pages and help output (RHBZ#1357888) +- Fixed rebuild of changed man pages (RHBZ#1360362) +- Use stderr for errors and warnings in command line tools (RHBZ#1360894) +- Fixed lockdown not denying invalid commands (RHBZ#1360871) + +* Tue Jul 5 2016 Thomas Woerner - 0.4.3.2-1 +- Rebase to 0.4.3.2 +- Fix regression with unavailable optional commands +- All missing backend messages should be warnings +- Individual calls for missing restore commands +- Only one authenticate call for add and remove options and also sequences +- RH-Satellite-6 service now upstream +- Conflict for selinux-policy needed to be updated to newer release + (RHBZ#1304723) + +* Tue Jun 28 2016 Thomas Woerner - 0.4.3.1-1 +- Rebase to 0.4.3.1 +- firewall.command: Fix python3 DBusException message not interable error +- src/Makefile.am: Fix path in firewall-[offline-]cmd_test.sh while installing +- firewallctl: Do not trace back on list command without further arguments +- firewallctl (man1): Added remaining sections zone, service, .. 
+- firewallctl: Added runtime-to-permanent, interface and source parser, + IndividualCalls setting +- firewall.server.config: Allow to set IndividualCalls property in config + interface +- Fix missing icmp rules for some zones +- runProg: Fix issue with running programs +- firewall-offline-cmd: Fix issues with missing system-config-firewall +- firewall.core.ipXtables: Split up source and dest addresses for transaction +- firewall.server.config: Log error in case of loading malformed files in + watcher +- Install and package the firewallctl man page + +* Wed Jun 22 2016 Thomas Woerner - 0.4.3-3 +- Readding RH-Satellite-6 service + +* Wed Jun 22 2016 Thomas Woerner - 0.4.3-2 +- Fixed typo in Requires(post) + +* Wed Jun 22 2016 Thomas Woerner - 0.4.3-1 +- Rebase to 0.4.3 +- Rebase to the new upstream and new release (RHBZ#1302802) +- New firewallctl command line utility (RHBZ#1147959) +- Adds radius TCP ports (RHBZ#1219717) +- XSD enhancements for conflicting tag specification (RHBZ#1296573) +- Adds port for corosync-qnetd to high-availability service (RHBZ#1347530) + +* Tue May 31 2016 Thomas Woerner - 0.4.2-1 +- Rebase to 0.4.2 +- Allows unspecifying zone binding for interfaces in firewall-config + (RHBZ#1066037) +- Adds improved management of zone binding for interfaces, connections and + sources (RHBZ#1083626) +- Adds commands to showing details of zones, services, .. 
(RHBZ#1147500) +- Adds a default logging option (RHBZ#1147951) +- Adds quiet option for firewall-offline-cmd (RHBZ#1220467) +- Adds support for zone chain usage in direct rules (RHBZ#1136801, + RHBZ#1336881) +- Adds source port support in zones, services and rich rules (RHBZ#1214770) +- Adds services imap and smtps (RHBZ#1220196) +- Fixes runtime to permanent migration(RHBZ#1237242) +- Fixes removal of destination addresses for services in permanent view in + firewall-config (RHBZ#1278281) +- Fixes firewall-config usage over ssh (RHBZ#1281416) +- Fixes reload disconnects with existing connections (RHBZ#1287449) +- Fixes ICMP packet drops while reloading (RHBZ#1288177) +- Adds option to add a new zone, service, .. from existing file (RHBZ#1292926) +- Adds improved checks for file readers, fixes error reporting of strings + containing illegal characters (RHBZ#1303026) +- Transforms direct.passthrough errors into warnings (RHBZ#1301573) +- Reduced getprotobyname and getservbyname calls for NIS use (RHBZ#1305434) +- Fixes (repeated) firewalld reload by sending SIGHUP signal (RHBZ#1313023) +- Adds After=dbus.service to service file to fix shutdown (RHBZ#1313845) +- Adds ICMP block inversion support (RHBZ#1325335) +- Fixes local traffic issue with masquerading in default zone (RHBZ#1326130) +- Adds destination rich rules without an element (RHBZ#1326462) +- Fixes reload after default zone change to newly introduced zone (RHBZ#1273888) +- Fixes start without ipv6_rpfilter module (RHBZ#1285769) +- Adds log of denied packets option (RHBZ#1322505) + +* Tue Sep 15 2015 Thomas Woerner - 0.3.9-14 +- Fixed file mode of schema configuration file verifier check.sh als in files + (RHBZ#994479) + +* Fri Sep 11 2015 Thomas Woerner - 0.3.9-13 +- Fixed file mode of schema configuration file verifier check.sh (RHBZ#994479) +- Include upstream testsuite in SRPM package (RHBZ#1261502) +- Added missing ports to RH-Satellite-6 mservice (RHBZ#1254531) + +* Mon Jul 6 2015 Thomas Woerner - 
0.3.9-12
+- New schema configuration file verifier (RHBZ#994479)
+- More information about interface handling with and without NetworkManager
+ (RHBZ#1122739) (RHBZ#1128563)
+- Apply all rich rules for non-default targets (RHBZ#1142741)
+- New iscsi service (RHBZ#1150656)
+- New rsync service (RHBZ#1150659)
+- ipXtables: use -w or -w2 if supported (RHBZ#1161745)
+- Do not use ipv6header for protocol matching. (RHBZ#1164605)
+- Iptables does not like limit of 1/d (RHBZ#1176813)
+- Fix readdition of removed permanent direct settings (RHBZ#1182671)
+- Fix bugs found by upstream test suite (RHBZ#1183008)
+- Fix polkit auth for query and get passthroughs methods (RHBZ#1183688)
+- New vdsm service (RHBZ#1194382)
+- New freeipa services (RHBZ#1206490)
+- Add missing parts to firewall-offline-cmd man page (RHBZ#1217678)
+
+* Tue Jan 13 2015 Thomas Woerner - 0.3.9-11
+- added missing upstream commit 265bfe90 for (RHBZ#993650)
+- also add log message in the firewall-cmd output (RHBZ#1057095)
+
+* Mon Oct 20 2014 Thomas Woerner - 0.3.9-10
+- additional upstream commits for (RHBZ#993650)
+- additional upstream commits for (RHBZ#1127706)
+
+* Tue Oct 7 2014 Thomas Woerner - 0.3.9-9
+- added lost runtime passthrough check and reverse patch (RHBZ#993650)
+
+* Mon Sep 29 2014 Thomas Woerner - 0.3.9-8
+- fixed GUI missing name of active zone (RHBZ#993655)
+- recreate man pages at build time (RHBZ#1071303)
+ - fixes rich language log level (RHBZ#993740)
+ - fixes typo in firewall-cmd man page (RHBZ#1064401)
+- new support to save runtime as permanent (RHBZ#993650)
+- new cli --timeout time specifiers support (RHBZ#994044)
+- updated translations (RHBZ#1048119) (RHBZ#1083592)
+- more descriptive error message in case of mistakes in iptables (RHBZ#1057095)
+- use apparent name for default target (RHBZ#1075675)
+- simplified firewalld usage on servers by dropping at_console (RHBZ#1097765)
+- fixed enable/disable of lockdown (RHBZ#1111573)
+- new Satellite 6 service (RHBZ#1135634)
+-
fixed inconsistent color usage for firewall-cmd messages (RHBZ#1097841)
+- fixed missing -Es in lockdown whitelist firewall-config command (RHBZ#1099065)
+- unified runtime and permanent D-Bus API (RHBZ#1127706)
+- fixed missing update of the connections menu in firewall-config (RHBZ#1120212)
+- better docs for interface bindings in firewalld and NetworkManager (RHBZ#1112742)
+- firewall-config: Show target REJECT (RHBZ#1058794)
+- fixed inconsistent PolicyKit domain usage in main D-Bus interface (RHBZ#1061809)
+
+* Fri Feb 28 2014 Jiri Popelka - 0.3.9-7
+- firewall-cmd: prevent argparse from parsing iptables options (RHBZ#1070683)
+
+* Wed Feb 26 2014 Jiri Popelka - 0.3.9-6
+- firewall-offline-cmd: options from 'firewall-cmd --permanent *' (RHBZ#1059800)
+
+* Sun Feb 23 2014 Thomas Woerner - 0.3.9-5
+- fixed rich language log level (RHBZ#993740)
+- firewall-config: use simple tool to change zones for connections (RHBZ#993782)
+- translations update (RHBZ#1030330)
+- firewall-config: fixed service and icmptype name dulications (RHBZ#1067639)
+- allow router advertisements for IPv6 rpfilter (RHBZ#1067652)
+- firewall-applet: allow to bind connections to the defaut zone (RHBZ#1068148)
+
+* Wed Feb 12 2014 Thomas Woerner - 0.3.9-4
+- firewall-config creates unloadable config; port forwarding broken
+ (RHBZ#1057628)
+- Network connection is lost after changing Zones Default Target to DROP
+ (RHBZ#1057629)
+- permanently adding rich rule with audit creates unloadable config XML
+ (RHBZ#1057684)
+- firewalld input_zones has default rule for public zone (RHBZ#1058339)
+- firewall-cmd is not able to add and remove zones, services and icmptypes
+ (RHBZ#1064386)
+- firewall-config leaves deleted services shown if they were in use
+ (RHBZ#1058853)
+- firewall-cmd does not allow user to change zone default target (RHBZ#1058791)
+- firewall-cmd man page has a typo in --help description (RHBZ#1064401)
+
+* Fri Jan 17 2014 Thomas Woerner - 0.3.9-3
+- fixed enforcing of trusted,
drop and block zones (RHBZ#1054415)
+
+* Thu Jan 16 2014 Thomas Woerner - 0.3.9-2
+- fixed rich rules (RHBZ#1054270)
+- fixed small defects in firewall-cmd and firewall-config (RHBZ#1054289)
+
+* Wed Jan 15 2014 Thomas Woerner - 0.3.9-1
+- rebase to 0.3.9 version:
+- translation updates
+- New IPv6_rpfilter setting to enable source address validation (RHBZ#847707)
+- Do not mix original and customized zones in case of target changes,
+ apply only used zones
+- firewall-cmd: fix --*_lockdown_whitelist_uid to work with uid 0
+- Don't show main window maximized. (RHBZ#1046811)
+- Use rmmod instead of 'modprobe -r' (RHBZ#1031102)
+- Deprecate 'enabled' attribute of 'masquerade' element
+- firewall-config: new zone was added twice to the list
+- firewalld.dbus(5)
+- Enable python shebang fix again
+- firewall/client: handle_exceptions: Use loop in decorator
+- firewall-offline-cmd: Do not mask firewalld service with disabled option
+- firewall-config: richRuleDialogActionRejectType Entry -> ComboBox
+- Rich_Rule: fix parsing of reject element (RHBZ#1027373)
+- Show combined zones in permanent configuration (RHBZ#1002016)
+- firewall-cmd(1): document exit code 2 and colored output (RHBZ#1028507)
+- firewall-config: fix RHBZ#1028853
+
+* Fri Dec 27 2013 Daniel Mach - 0.3.8-2
+- Mass rebuild 2013-12-27
+
+* Tue Nov 05 2013 Jiri Popelka - 0.3.8-1
+- fix memory leaks
+- New option --debug-gc
+- Python3 compatibility
+- Better non-ascii support
+- several firewall-config & firewall-applet fixes
+- New --remove-rules commands for firewall-cmd and removeRules methods for D-Bus
+- Fixed FirewallDirect.get_rules to return proper list
+- Fixed LastUpdatedOrderedDict.keys()
+- Enable rich rule usage in trusted zone (RHBZ#994144)
+- New error codes: INVALID_CONTEXT, INVALID_COMMAND, INVALID_USER and INVALID_UID
+
+* Thu Oct 17 2013 Jiri Popelka - 0.3.7-1
+- Don't fail on missing ip[6]tables/ebtables table.
(RHBZ#967376)
+- bash-completion: --permanent --direct options
+- firewall/core/fw.py: fix checking for iptables & ip6tables (RHBZ#1017087)
+- firewall-cmd: use client's exception_handler instead of catching exceptions ourselves
+- FirewallClientZoneSettings: fix {add|remove|query}RichRule()
+- Extend amanda-client service with 10080/tcp (RHBZ#1016867)
+- Simplify Rich_Rule()_lexer() by using functions.splitArgs()
+- Fix encoding problems in exception handling (RHBZ#1015941)
+
+* Fri Oct 04 2013 Jiri Popelka - 0.3.6.2-1
+- firewall-offline-cmd: --forward-port 'toaddr' is optional (RHBZ#1014958)
+- firewall-cmd: fix variable name (RHBZ#1015011)
+
+* Thu Oct 03 2013 Jiri Popelka - 0.3.6.1-1
+- remove superfluous po files from archive
+
+* Wed Oct 02 2013 Jiri Popelka - 0.3.6-1
+- firewalld.richlanguage.xml: correct log levels (RHBZ#993740)
+- firewall-config: Make sure that all zone settings are updated properly on firewalld restart
+- Rich_Limit: Allow long representation for duration (RHBZ#994103
+- firewall-config: Show "Changes applied." after changes (RHBZ#993643)
+- Use own connection dialog to change zones for NM connections
+- Rename service cluster-suite to high-availability (RHBZ#885257)
+- Permanent direct support for firewall-config and firewall-cmd
+- Try to avoid file descriptor leaking (RHBZ#951900)
+- New functions to split and join args properly (honoring quotes)
+- firewall-cmd(1): 2 simple examples
+- Better IPv6 NAT checking.
+- Ship firewalld.direct(5).
+
+* Mon Sep 30 2013 Jiri Popelka - 0.3.5-1
+- Only use one PK action for configuration (RHBZ#994729)
+- firewall-cmd: indicate non-zero exit code with red color
+- rich-rule: enable to have log without prefix & log_level & limit
+- log-level warn/err -> warning/error (RHBZ#1009436)
+- Use policy DROP while reloading, do not reset policy in restart twice
+- Add _direct chains to all table and chain combinations
+- documentation improvements
+- New firewalld.direct(5) man page docbook source
+- tests/firewall-cmd_test.sh: make rich language tests work
+- Rich_Rule._import_from_string(): improve error messages (RHBZ#994150)
+- direct.passthrough wasn't always matching out_signature (RHBZ#967800)
+- firewall-config: twist ICMP Type IP address family logic.
+- firewall-config: port-forwarding/masquerading dialog (RHBZ#993658)
+- firewall-offline-cmd: New --remove-service= option (BZ#969106)
+- firewall-config: Options->Lockdown was not changing permanent.
+- firewall-config: edit line on doubleclick (RHBZ#993572)
+- firewall-config: System Default Zone -> Default Zone (RHBZ#993811)
+- New direct D-Bus interface, persistent direct rule handling, enabled passthough
+- src/firewall-cmd: Fixed help output to use more visual parameters
+- src/firewall-cmd: New usage output, no redirection to man page anymore
+- src/firewall/core/rich.py: Fixed forwad port destinations
+- src/firewall-offline-cmd: Early enable/disable handling now with mask/unmask
+- doc/xml/firewalld.zone.xml: Added more information about masquerade use
+- Prefix to log message is optional (RHBZ#998079)
+- firewall-cmd: fix --permanent --change-interface (RHBZ#997974)
+- Sort zones/interfaces/service/icmptypes on output.
+- wbem-https service (RHBZ#996668)
+- applet&config: add support for KDE NetworkManager connection editor
+- firewall/core/fw_config.py: New method update_lockdown_whitelist
+- Added missing file watcher for lockdown whitelist in config D-Bus interface
+- firewall/core/watcher: New add_watch_file for lockdown-whitelist and direct
+- Make use of IPv6 NAT conditional, based on kernel number (RHBZ#967376)
+
+* Tue Jul 30 2013 Thomas Woerner 0.3.4-1
+- several rich rule check enhancements and fixes
+- firewall-cmd: direct options - check ipv4|ipv6|eb (RHBZ#970505)
+- firewall-cmd(1): improve description of direct options (RHBZ#970509)
+- several firewall-applet enhancements and fixes
+- New README
+- several doc and man page fixes
+- Service definitions for PCP daemons (RHBZ#972262)
+- bash-completion: add lockdown and rich language options
+- firewall-cmd: add --permanent --list-all[-zones]
+- firewall-cmd: new -q/--quiet option
+- firewall-cmd: warn when default zone not active (RHBZ#971843)
+- firewall-cmd: check priority in --add-rule (RHBZ#914955)
+- add dhcpv6 (for server) service (RHBZ#917866)
+- firewall-cmd: add --permanent --get-zone-of-interface/source --change-interface/source
+- firewall-cmd: print result (yes/no) of all --query-* commands
+- move permanent-getZoneOf{Interface|Source} from firewall-cmd to server
+- Check Interfaces/sources when updating permanent zone settings.
+- FirewallDConfig: getZoneOfInterface/Source can actually return more zones
+- Fixed toaddr check in forward port to only allow single address, no range
+- firewall-cmd: various output improvements
+- fw_zone: use check_single_address from firewall.functions
+- getZoneOfInterface/Source does not need to throw exception
+- firewall.functions: Use socket.inet_pton in checkIP, fixed checkIP*nMask
+- firewall.core.io.service: Properly check port/proto and destination address
+- Install applet desktop file into /etc/xdg/autostart
+- Fixed option problem with rich rule destinations (RHBZ#979804)
+- Better exception creation in dbus_handle_exceptions() decorator (RHBZ#979790)
+- Updated firewall-offline-cmd
+- Use priority in add, remove, query and list of direct rules (RHBZ#979509)
+- New documentation (man pages are created from docbook sources)
+- firewall/core/io/direct.py: use prirority for rule methods, new get_all_ methods
+- direct: pass priority also to client.py and firewall-cmd
+- applet: New blink and blink-count settings
+- firewall.functions: New function ppid_of_pid
+- applet: Check for gnome3 and fix it, use new settings, new size-changed cb
+- firewall-offline-cmd: Fix use of systemctl in chroot
+- firewall-config: use string.ascii_letters instead of string.letters
+- dbus_to_python(): handle non-ascii chars in dbus.String.
+- Modernize old syntax constructions.
+- dict.keys() in Python 3 returns a "view" instead of list
+- Use gettext.install() to install _() in builtins namespace.
+- Allow non-ascii chars in 'short' and 'description'
+- README: More information for "Working With The Source Repository"
+- Build environment fixes
+- firewalld.spec: Added missing checks for rhel > 6 for pygobject3-base
+- firewall-applet: New setting show-inactive
+- Don't stop on reload when lockdown already enabled (RHBZ#987403)
+- firewall-cmd: --lockdown-on/off did not touch firewalld.conf
+- FirewallApplet.gschema.xml: Dropped unused sender-info setting
+- doc/firewall-applet.xml: Added information about gsettings
+- several debug and log message fixes
+- Add chain for sources so they can be checked before interfaces (RHBZ#903222)
+- Add dhcp and proxy-dhcp services (RHBZ#986947)
+- io/Zone(): don't error on deprecated family attr of source elem
+- Limit length of zone file name (to 12 chars) due to Netfilter internals.
+- It was not possible to overload a zone with defined source(s).
+- DEFAULT_ZONE_TARGET: {chain}_ZONE_{zone} -> {chain}_{zone}
+- New runtime getSettings for services and icmptypes, fixed policies callbacks
+- functions: New functions checkUser, checkUid and checkCommand
+- src/firewall/client: Fixed lockdown-whitelist-updated signal handling
+- firewall-cmd(1): move firewalld.richlanguage(5) reference in --*-rich-rule
+- Rich rule service: Only add modules for accept action
+- firewall/core/rich: Several fixes and enhanced checks
+- Fixed reload of direct rules
+- firewall/client: New functions to set and get the exception handler
+- firewall-config: New and enhanced UI to handle lockdown and rich rules
+- zone's immutable attribute is redundant
+- Do not allow to set settings in config for immutable zones.
+- Ignore deprecated 'immutable' attribute in zone files.
+- Eviscerate 'immutable' completely.
+- FirewallDirect.query_rule(): fix it
+- permanent direct: activate firewall.core.io.direct:Direct reader
+- core/io/*: simplify getting of character data
+- FirewallDirect.set_config(): allow reloading
+
+* Thu Jun 20 2013 Jiri Popelka
+- Remove migrating to a systemd unit file from a SysV initscript
+- Remove pointless "ExclusiveOS" tag
+
+* Fri Jun 7 2013 Thomas Woerner 0.3.3-2
+- Fixed rich rule check for use in D-Bus
+
+* Thu Jun 6 2013 Thomas Woerner 0.3.3-1
+- new service files
+- relicensed logger.py under GPLv2+
+- firewall-config: sometimes we don't want to use client's exception handler
+- When removing Service/IcmpType remove it from zones too (RHBZ#958401)
+- firewall-config: work-around masquerade_check_cb() being called more times
+- Zone(IO): add interfaces/sources to D-Bus signature
+- Added missing UNKNOWN_SOURCE error code
+- fw_zone.check_source: Raise INVALID_FAMILY if family is invalid
+- New changeZoneOfInterface method, marked changeZone as deprecated
+- Fixed firewall-cmd man page entry for --panic-on
+- firewall-applet: Fixed possible problems of unescaped strings used for markup
+- New support to bind zones to source addresses and ranges (D-BUS, cmd, applet
+- Cleanup of unused variables in FirewallD.start
+- New firewall/fw_types.py with LastUpdatedOrderedDict
+- direct.chains, direct.rules: Using LastUpdatedOrderedDict
+- Support splitted zone files
+- New reader and writer for stored direct chains and rules
+- LockdownWhitelist: fix write(), add get_commands/uids/users/contexts()
+- fix service_writer() and icmptype_writer() to put newline at end of file
+- firewall-cmd: fix --list-sources
+- No need to specify whether source address family is IPv4 or IPv6
+- add getZoneOfSource() to D-Bus interface
+- Add tests and bash-completion for the new "source" operations
+- Convert all input args in D-Bus methods
+- setDefaultZone() was calling accessCheck() *after* the action
+- New uniqify() function to remove duplicates from list whilst
preserving order
+- Zone.combine() merge also services and ports
+- config/applet: silence DBusException during start when FirewallD is not running (RHBZ#966518)
+- firewall-applet: more fixes to make the address sources family agnostic
+- Better defaults for lockdown white list
+- Use auth_admin_keep for allow_any and allow_inactive also
+- New D-Bus API for lockdown policies
+- Use IPv4, IPv6 and BRIDGE for FirewallD properties
+- Use rich rule action as audit type
+- Prototype of string-only D-Bus interface for rich language
+- Fixed wrongly merged source family check in firewall/core/io/zone.py
+- handle_cmr: report errors, cleanup modules in error case only, mark handling
+- Use audit type from rule action, fixed rule output
+- Fixed lockdown whitelist D-Bus handling method names
+- New rich rule handling in runtime D-Bus interface
+- Added interface, source and rich rule handling (runtime and permanent)
+- Fixed dbus_obj in FirewallClientConfigPolicies, added queryLockdown
+- Write changes in setLockdownWhitelist
+- Fixed typo in policies log message in method calls
+- firewall-cmd: Added rich rule, lockdown and lockdown whitelist handling
+- Don't check access in query/getLockdownWhitelist*()
+- firewall-cmd: Also output masquerade flag in --list-all
+- firewall-cmd: argparse is able to convert argument to desired type itself
+- firewall-cmd_test.sh: tests for permanent interfaces/sources and lockdown whitelist
+- Makefile.am: add missing files
+- firewall-cmd_test.sh: tests for rich rules
+- Added lockdown, source, interface and rich rule docs to firewall-cmd
+- Do not masquerade lo if masquerade is enabled in the default zone (RHBZ#904098)
+- Use in metavar for firewall-cmd parser
+
+* Fri May 10 2013 Jiri Popelka - 0.3.2-2
+- removed unintentional en_US.po from tarball
+
+* Tue Apr 30 2013 Jiri Popelka - 0.3.2-1
+- Fix signal handling for SIGTERM
+- Additional service files (RHBZ#914859)
+- Updated po files
+- s/persistent/permanent/ (Trac Ticket #7)
+-
Better behaviour when running without valid DISPLAY (RHBZ#955414)
+- client.handle_exceptions(): do not loop forever
+- Set Zone.defaults in zone_reader (RHBZ#951747)
+- client: do not pass the dbus exception name to handler
+- IO_Object_XMLGenerator: make it work with Python 2.7.4 (RHBZ#951741)
+- firewall-cmd: do not use deprecated BaseException.message
+- client.py: fix handle_exceptions() (RHBZ#951314)
+- firewall-config: check zone/service/icmptype name (RHBZ#947820)
+- Allow 3121/tcp (pacemaker_remote) in cluster-suite service. (RHBZ#885257)
+- firewall-applet: fix default zone hangling in 'shields-up' (RHBZ#947230)
+- FirewallError.get_code(): check for unknown error
+
+* Wed Apr 17 2013 Jiri Popelka - 0.3.1-2
+- Make permanenent changes work with Python 2.7.4 (RHBZ#951741)
+
+* Thu Mar 28 2013 Thomas Woerner 0.3.1-1
+- Use explicit file lists for make dist
+- New rich rule validation check code
+- New global check_port and check_address functions
+- Allow source white and black listing with the rich rule
+- Fix error handling in case of unsupported family in rich rule
+- Enable ip_forwarding in masquerade and forward-port
+- New functions to read and write simple files using filename and content
+- Add --enable-sysconfig to install Fedora-specific sysconfig config file.
+- Add chains for security table (RHBZ#927015)
+- firewalld.spec: no need to specify --with-systemd-unitdir
+- firewalld.service: remove syslog.target and dbus.target
+- firewalld.service: replace hard-coded paths
+- Move bash-completion to new location.
+- Revert "Added configure for new build env" +- Revert "Added Makefile.in files" +- Revert "Added po/Makefile.in.in" +- Revert "Added po/LINGUAS" +- Revert "Added aclocal.m4" +- Amend zone XML Schema + +* Wed Mar 20 2013 Thomas Woerner 0.3.0-1 +- Added rich language support +- Added lockdown feature +- Allow to bind interfaces and sources to zones permanently +- Enabled IPv6 NAT support + masquerading and port/packet forwarding for IPv6 only with rich language +- Handle polkit errors in client class and firewall-config +- Added priority description for --direct --add-rule in firewall-cmd man page +- Add XML Schemas for zones/services/icmptypes XMLs +- Don't keep file descriptors open when forking +- Introduce --nopid option for firewalld +- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782) +- Update cluster-suite service (RHBZ#885257) +- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912) +- Fix interaction problem of changed event of gtk combobox with polkit-kde + by processing all remaining events (RHBZ#915892) +- Stop default zone rules being applied to all zones (RHBZ#912782) +- Firewall.start(): don't call set_default_zone() +- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages +- firewalld-cmd: make --state verbose (RHBZ#886484) +- improve firewalld --help (RHBZ#910492) +- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834) +- Continue loading zone in case of wrong service/port etc. (RHBZ#909466) +- Check also services and icmptypes in Zone() (RHBZ#909466) +- Increase the maximum length of the port forwarding fields from 5 to 11 in + firewall-config +- firewall-cmd: add usage to fail message +- firewall-cmd: redefine usage to point to man page +- firewall-cmd: fix visible problems with arg. 
parsing
+- Use argparse module for parsing command line options and arguments
+- firewall-cmd.1: better clarify where to find ACTIONs
+- firewall-cmd Bash completion
+- firewall-cmd.1: comment --zone= usage and move some options
+- Use zone's target only in %s_ZONES chains
+- default zone in firewalld.conf was set to public with every restart (#902845)
+- man page cleanup
+- code cleanup
+
+* Thu Mar 07 2013 Jiri Popelka - 0.2.12-5
+- Another fix for RHBZ#912782
+
+* Wed Feb 20 2013 Jiri Popelka - 0.2.12-4
+- Stop default zone rules being applied to all zones (RHBZ#912782)
+
+* Wed Feb 13 2013 Fedora Release Engineering - 0.2.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 22 2013 Jiri Popelka - 0.2.12-2
+- Default zone in firewalld.conf was reseted with every restart (RHBZ#902845)
+- Add icon cache related scriptlets for firewall-config (RHBZ#902680)
+- Fix typo in firewall-config (RHBZ#895812)
+- Fix few mistakes in firewall-cmd(1) man page
+
+* Mon Jan 14 2013 Thomas Woerner 0.2.12-1
+- firewall-cmd: use -V instead of -v for version info (RHBZ#886477)
+- firewall-cmd: don't check reload()'s return value (RHBZ#886461)
+- actually install firewalld.zones.5
+- firewall-config: treat exceptions when adding new zone/service/icmp
+ (RHBZ#886602)
+- firewalld.spec: Fixed requirements of firewall-config to use gtk2 and
+ pygobject3
+- Fail gracefully when running in non X environment.(RHBZ#886551)
+- offline-cmd: fail gracefully when no s-c-f config
+- fix duplicated iptables rules (RHBZ#886515)
+- detect errors and duplicates in config file (RHBZ#886581)
+- firewall-config: don't make 'Edit Service' and 'Edit ICMP Type' insensitive
+- firewalld.spec: fixed requirements, require pygobject3-base
+- frewall-applet: Unused code cleanup
+- firewall-applet: several usability fixes and enhancements
+ (RHBZ#886531) (RHBZ#886534)
+- firewall/server/server.py: fixed KeyboardInterrupt message (RHBZ#886558)
+- Moved fallback zone and
minimal_mark to firewall.config.__init__
+- Do not raise ZONE_ALREADY_SET in change_zone if old zone is set again
+ (RHBZ#886432)
+- Make default zone default for all unset connections/interfaces
+ (RHBZ#888288) (RHBZ#882736)
+- firewall-config: Use Gtk.MessageType.WARNING for warning dialog
+- firewall-config: Handle unknown services and icmptypes in persistent mode
+- firewall-config: Do not load settings more than once
+- firewall-config: UI cleanup and fixes (RHBZ#888242)
+- firewall-cmd: created alias --change-zone for --change-interface
+- firewall-cmd man page updates (RHBZ#806511)
+- Merged branch 'build-cleanups'
+- dropped call to autogen.sh in build stage, not needed anymore due to
+ 'build-cleanups' merge
+
+* Thu Dec 13 2012 Thomas Woerner 0.2.11-2
+- require pygobject3-base instead of pygobject3 (no cairo needed) (RHBZ#874378)
+- fixed dependencies of firewall-config to use gtk3 with pygobject3-base and
+ not pygtk2
+
+* Tue Dec 11 2012 Thomas Woerner 0.2.11-1
+- Fixed more _xmlplus (PyXML) incompatibilities to python xml
+- Several man page updates
+- Fixed error in addForwardPort, removeForwardPort and queryForwardPort
+- firewall-cmd: use already existing queryForwardPort()
+- Update firewall.cmd man page, use man page as firewall-cmd usage (rhbz#876394)
+- firewall-config: Do not force to show labels in the main toolbar
+- firewall-config: Dropped "Change default zone" from toolbar
+- firewall-config: Added menu entry to change zones of connections
+- firewall-applet: Zones can be changed now using nm-connection-editor
+ (rhbz#876661)
+- translation updates: cs, hu, ja
+
+* Tue Nov 20 2012 Thomas Woerner 0.2.10-1
+- tests/firewalld_config.py: tests for config.service and config.icmptype
+- FirewallClientConfigServiceSettings(): destinations are dict not list
+- service/zone/icmptype: do not write deprecated name attribute
+- New service ntp
+- firewall-config: Fixed name of about dialog
+- configure.in: Fixed getting of error codes
+- Added coding
to all pyhton files
+- Fixed copyright years
+- Beautified file headers
+- Force use of pygobject3 in python-slip (RHBZ#874378)
+- Log: firewall.server.config_icmptype, firewall.server.config_service and
+ firewall.server.config_zone: Prepend full path
+- Allow ":" in interface names for interface aliases
+- Add name argument to Updated and Renamed signal
+- Disable IPv4, IPv6 and EB tables if missing - for IPv4/IPv6 only environments
+- firewall-config.glade file cleanup
+- firewall-config: loadDefaults() can throw exception
+- Use toolbars for Add/Edit/Remove/LoadDefaults buttons for zones, services
+ and icmp types
+- New vnc-server service, opens ports for displays :0 to :3 (RHBZ#877035)
+- firewall-cmd: Fix typo in help output, allow default zone usage for
+ permanenent options
+- Translation updates: cs, fr, ja, pt_BR and zh_CN
+
+* Wed Oct 17 2012 Thomas Woerner 0.2.9-1
+- firewall-config: some UI usability changes
+- firewall-cmd: New option --list-all-zones, output of --list-all changed,
+ more option combination checks
+- firewall-applet: Replaced NMClient by direct DBUS calls to fix python core
+ dumps in case of connection activates/deactivates
+- Use fallback 'C' locale if current locale isn't supported (RHBZ#860278)
+- Add interfaces to zones again after reload
+- firewall-cmd: use FirewallClient().connected value
+- firewall-cmd: --remove-interface was not working due to a typo
+- Do not use restorecon for new and backup files
+- Fixed use of properties REJECT and DROP
+- firewalld_test.py: check interfaces after reload
+- Translation updates
+- Renamed firewall-convert-scfw-config to firewall-offline-cmd, used by
+ anaconda for firewall configuration (e.g.
kickstart)
+- Fix python shebang to use -Es at installation time for bin_SCRIPTS and
+ sbin_SCRIPTS and at all times in gtk3_chooserbutton.py
+- tests/firewalld_config.py: update test_zones() test case
+- Config interface: improve renaming of zones/services/icmp_types
+- Move emiting of Added signals closer to source.
+- FirewallClient(): config:ServiceAdded signal was wrongly mapped
+- Add argument 'name' to Removed signal
+- firewall-config: Add callbacks for config:[service|icmp]-[added|removed]
+- firewall-config: catch INVALID_X error when removing zone/service/icmp_type
+- firewall-config: remove unused code
+- Revert "Neutralize _xmlplus instead of conforming it"
+- firewall-applet: some UI usability changes
+- firewall-cmd: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
+
+* Fri Sep 7 2012 Thomas Woerner 0.2.8-1
+- Do not apply old settings to zones after reload
+- FirewallClient: Added callback structure for firewalld signals
+- New firewall-config with full zone, service and icmptype support
+- Added Shields Up/Down configuration dialog to firewall-applet
+- Name attribute of main tag deprecated for zones, services and icmptypes,
+ will be ignored if present
+- Fixed wrong references in firewalld man page
+- Unregister DBus interfaces after sending out the Removed signal
+- Use proper DBus signature in addIcmpType, addService and addZone
+- New builtin property for config interfaces
+- New test case for Config interface
+- spec: use new systemd-rpm macros (rhbz#850110)
+- More config file verifications
+- Lots of smaller fixes and enhancements
+
+* Tue Aug 21 2012 Jiri Popelka 0.2.7-2
+- use new systemd-rpm macros (rhbz#850110)
+
+* Mon Aug 13 2012 Thomas Woerner 0.2.7-1
+- Update of firewall-config
+- Some bug fixes
+
+* Tue Aug 7 2012 Thomas Woerner 0.2.6-1
+- New D-BUS interface for persistent configuration
+- Aded support for persistent zone configuration in firewall-cmd
+- New Shields Up feature in firewall-applet
+- New requirements for
python-decorator and pygobject3
+- New firewall-config sub-package
+- New firewall-convert-scfw-config config script
+
+* Fri Apr 20 2012 Thomas Woerner 0.2.5-1
+- Fixed traceback in firewall-cmd for failed or canceled authorization,
+ return proper error codes, new error codes NOT_RUNNING and NOT_AUTHORIZED
+- Enhanced firewalld service file (RHBZ#806868) and (RHBZ#811240)
+- Fixed duplicates in zone after reload, enabled timed settings after reload
+- Removed conntrack --ctstate INVALID check from default ruleset, because it
+ results in ICMP problems (RHBZ#806017).
+- Update interfaces in default zone after reload (rhbz#804814)
+- New man pages for firewalld(1), firewalld.conf(5), firewalld.icmptype(5),
+ firewalld.service(5) and firewalld.zone(5), updated firewall-cmd man page
+ (RHBZ#811257)
+- Fixed firewall-cmd help output
+- Fixed missing icon for firewall-applet (RHBZ#808759)
+- Added root user check for firewalld (RHBZ#767654)
+- Fixed requirements of firewall-applet sub package (RHBZ#808746)
+- Update interfaces in default zone after changing of default zone (RHBZ#804814)
+- Start firewalld before NetworkManager (RHBZ#811240)
+- Add Type=dbus and BusName to service file (RHBZ#811240)
+
+* Fri Mar 16 2012 Thomas Woerner 0.2.4-1
+- fixed firewalld.conf save exception if no temporary file can be written to
+ /etc/firewalld/
+
+* Thu Mar 15 2012 Thomas Woerner 0.2.3-1
+- firewall-cmd: several changes and fixes
+- code cleanup
+- fixed icmp protocol used for ipv6 (rhbz#801182)
+- added and fixed some comments
+- properly restore zone settings, timeout is always set, check for 0
+- some FirewallError exceptions were actually not raised
+- do not REJECT in each zone
+- removeInterface() don't require zone
+- new tests in firewall-test script
+- dbus_to_python() was ignoring certain values
+- added functions for the direct interface: chains, rules, passthrough
+- fixed inconsistent data after reload
+- some fixes for the direct interface: priority positions are
bound to ipv,
+ table and chain
+- added support for direct interface in firewall-cmd:
+- added isImmutable(zone) to zone D-Bus interface
+- renamed policy file
+- enhancements for error messages, enables output for direct.passthrough
+- added allow_any to firewald policies, using at leas auth_admin for policies
+- replaced ENABLE_FAILED, DISABLE_FAILED, ADD_FAILED and REMOVE_FAILED by
+ COMMAND_FAILED, resorted error codes
+- new firewalld configuration setting CleanupOnExit
+- enabled polkit again, found a fix for property problem with slip.dbus.service
+- added dhcpv6-client to 'public' (the default) and to 'internal' zones.
+- fixed missing settings form zone config files in
+ "firewall-cmd --list=all --zone=" call
+- added list functions for services and icmptypes, added --list=services and
+ --list=icmptypes to firewall-cmd
+
+* Tue Mar 6 2012 Thomas Woerner 0.2.2-1
+- enabled dhcpv6-client service for zones home and work
+- new dhcpv6-client service
+- firewall-cmd: query mode returns reversed values
+- new zone.changeZone(zone, interface)
+- moved zones, services and icmptypes to /usr/lib/firewalld, can be overloaded
+ by files in /etc/firewalld (no overload of immutable zones block, drop,
+ trusted)
+- reset MinimalMark in firewalld.cnf to default value
+- fixed service destination (addresses not used)
+- fix xmlplus to be compatible with the python xml sax parser and python 3
+ by adding __contains__ to xml.sax.xmlreader.AttributesImpl
+- use icon and glib related post, postun and posttrans scriptes for firewall
+- firewall-cmd: fix typo in state
+- firewall-cmd: fix usage()
+- firewall-cmd: fix interface action description in usage()
+- client.py: fix definition of queryInterface()
+- client.py: fix typo in getInterfaces()
+- firewalld.service: do not fork
+- firewall-cmd: fix bug in --list=port and --port action help message
+- firewall-cmd: fix bug in --list=service
+
+* Mon Mar 5 2012 Thomas Woerner
+- moved zones, services and icmptypes to
/usr/lib/firewalld, can be overloaded + by files in /etc/firewalld (no overload of immutable zones block, drop, + trusted) + +* Tue Feb 21 2012 Thomas Woerner 0.2.1-1 +- added missing firewall.dbus_utils + +* Tue Feb 7 2012 Thomas Woerner 0.2.0-2 +- added glib2-devel to build requires, needed for gsettings.m4 +- added --with-system-unitdir arg to fix installaiton of system file +- added glib-compile-schemas calls for postun and posttrans +- added EXTRA_DIST file lists + +* Mon Feb 6 2012 Thomas Woerner 0.2.0-1 +- version 0.2.0 with new FirewallD1 D-BUS interface +- supports zones with a default zone +- new direct interface as a replacement of the partial virt interface with + additional passthrough functionality +- dropped custom rules, use direct interface instead +- dropped trusted interface funcionality, use trusted zone instead +- using zone, service and icmptype configuration files +- not using any system-config-firewall parts anymore + +* Mon Feb 14 2011 Thomas Woerner 0.1.3-1 +- new version 0.1.3 +- restore all firewall features for reload: panic and virt rules and chains +- string fixes for firewall-cmd man page (by Jiri Popelka) +- fixed firewall-cmd port list (by Jiri Popelka) +- added firewall dbus client connect check to firewall-cmd (by Jiri Popelka) +- translation updates: de, es, gu, it, ja, kn, ml, nl, or, pa, pl, ru, ta, + uk, zh_CN + +* Mon Jan 3 2011 Thomas Woerner 0.1.2-1 +- fixed package according to package review (rhbz#665395): + - non executable scripts: dropped shebang + - using newer GPL license file + - made /etc/dbus-1/system.d/FirewallD.conf config(noreplace) + - added requires(post) and (pre) for chkconfig + +* Mon Jan 3 2011 Thomas Woerner 0.1.1-1 +- new version 0.1.1 +- fixed source path in POTFILES* +- added missing firewall_config.py.in +- added misssing space for spec_ver line +- using firewall_config.VARLOGFILE +- added date to logging output +- also log fatal and error logs to stderr and firewall_config.VARLOGFILE +- make log 
message for active_firewalld fatal + +* Mon Dec 20 2010 Thomas Woerner 0.1-1 +- initial package (proof of concept implementation)