diff --git a/SOURCES/0042-fix-rich-rule-destination-with-services.patch b/SOURCES/0042-fix-rich-rule-destination-with-services.patch
new file mode 100644
index 0000000..e53b789
--- /dev/null
+++ b/SOURCES/0042-fix-rich-rule-destination-with-services.patch
@@ -0,0 +1,41 @@
+From 0dc5116a02ca03a3b78f5e5c653ebc783d2cdf2e Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 6 Jun 2019 12:25:08 -0400
+Subject: [PATCH 42/43] fix: rich rule destination with services
+
+Fixes: rhbz 1715977
+(cherry picked from commit d3bd517c7deb44d42129017b3c471ccdf1c32b57)
+(cherry picked from commit 9cd642933d41a983c4cbdef6aa936151e89a05ef)
+---
+ src/firewall/core/fw_zone.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 31d7d6a168a8..e6eb299dec71 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1575,17 +1575,18 @@ class FirewallZone(object):
+ if type(rule.element) == Rich_Service:
+ svc = self._fw.service.get_service(rule.element.name)
+ 
+- destinations = [rule.destination] if rule.destination else [None]
+-
++ destinations = []
+ if len(svc.destination) > 0:
+ if rule.destination:
+ # we can not use two destinations at the same time
+ raise FirewallError(errors.INVALID_RULE,
+ "Destination conflict with service.")
+- destinations = []
+ for ipv in ipvs:
+ if ipv in svc.destination and backend.is_ipv_supported(ipv):
+ destinations.append(svc.destination[ipv])
++ else:
++ # dummy for the following for loop
++ destinations.append(None)
+ 
+ for destination in destinations:
+ if enable:
+-- 
+2.23.0
+
diff --git a/SOURCES/0043-test-coverage-for-rhbz-1715977.patch b/SOURCES/0043-test-coverage-for-rhbz-1715977.patch
new file mode 100644
index 0000000..47e150f
--- /dev/null
+++ b/SOURCES/0043-test-coverage-for-rhbz-1715977.patch
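Review bot: In the new `if len(svc.destination) > 0:` branch of the nested fw_zone.py hunk, `destinations` is still empty after the `for ipv in ipvs:` loop whenever no entry of `ipvs` is both present in `svc.destination` and accepted by `backend.is_ipv_supported(ipv)`, and the following `for destination in destinations:` loop then presumably runs zero times, so the rich rule is accepted while installing nothing; the `else:` branch only covers the no-destination service, not this case. That outcome predates the commit (the removed `destinations = []` had the same effect), but the restructured branch is the natural place to make it explicit, for example by logging a warning or by raising `FirewallError(errors.INVALID_RULE, "Service destination does not match rule family.")` in the same way the conflict check above does — which is right depends on whether a family-mismatched service destination is meant to be a silent no-op. The added comment `# dummy for the following for loop` would read better as `# service has no destination: run the loop once with the rule's own destination only`, since a later reader has to look outside this hunk to learn what the `None` entry means. The enclosing method begins before and continues after the hunk.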
@@ -0,0 +1,44 @@
+From db60f004d65078579f67be270427265d65876f4b Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 6 Jun 2019 11:51:11 -0400
+Subject: [PATCH 43/43] test: coverage for rhbz 1715977
+
+(cherry picked from commit 3fb02f8d6648906bdf089a4734c939c809f85583)
+(cherry picked from commit 819e7196c1aa79998b3b094805c51e4caf49a572)
+---
+ src/tests/regression.at | 1 +
+ src/tests/regression/rhbz1715977.at | 13 +++++++++++++
+ 2 files changed, 14 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1715977.at
+
+diff --git a/src/tests/regression.at b/src/tests/regression.at
+index 36e10eeb52d5..bbfcb65fe6e9 100644
+--- a/src/tests/regression.at
++++ b/src/tests/regression.at
+@@ -16,3 +16,4 @@ m4_include([regression/gh366.at])
+ m4_include([regression/rhbz1601610.at])
+ m4_include([regression/gh303.at])
+ m4_include([regression/gh335.at])
++m4_include([regression/rhbz1715977.at])
+diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
+new file mode 100644
+index 000000000000..0a05b14f9e3e
+--- /dev/null
++++ b/src/tests/regression/rhbz1715977.at
+@@ -0,0 +1,13 @@
++FWD_START_TEST([rich rule destination with service destination])
++AT_KEYWORDS(rich service rhbz1715977)
++
++FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
++FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])
++FWD_RELOAD
++
++FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
++FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'])
++FWD_RELOAD
++FWD_GREP_LOG([WARNING: internal: INVALID_RULE: Destination conflict with service.])
++
++FWD_END_TEST([-e '/INVALID_RULE: Destination conflict with service/d'])
+-- 
+2.23.0
+
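Review bot: The new rhbz1715977.at test asserts the conflict path (mdns rule rejected at runtime with 122, warning logged after reload) but never asserts the fixed path: the ssh rule with `destination address="192.168.122.235/32"` is only required not to break `FWD_RELOAD`, so a regression that drops the rule again would pass this test. A positive check after the first `FWD_RELOAD`, such as `FWD_CHECK([--zone=internal --query-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])`, would pin the behaviour the fix in 0042 is meant to restore. The test also leaves the conflicting mdns rule in the permanent configuration of zone internal when it ends; if the test harness does not reset state between tests, removing it before `FWD_END_TEST` would avoid leaking the warning into later tests.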
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index e50f56e..8756e09 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -8,7 +8,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.6.3
-Release: 2%{?dist}.2
+Release: 2%{?dist}.3
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -53,6 +53,8 @@ Patch38: 0038-fix-tests-update-package.m4-if-makefile-changed.patch
 Patch39: 0039-fix-tests-functions-define-HOST_SUPPORTS_IP6TABLES-v.patch
 Patch40: 0040-fix-Revert-ebtables-drop-support-for-broute-table.patch
 Patch41: 0041-fix-ebtables-don-t-use-tables-that-aren-t-available.patch
+Patch42: 0042-fix-rich-rule-destination-with-services.patch
+Patch43: 0043-test-coverage-for-rhbz-1715977.patch
 BuildArch: noarch
 BuildRequires: desktop-file-utils
@@ -353,6 +355,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 %changelog
+* Thu Jan 16 2020 Eric Garver - 0.6.3-2.el7_7.3
+- fix: rich rule destination with services
+
 * Mon Sep 30 2019 Eric Garver - 0.6.3-2.el7_7.2
 - fix: Revert "ebtables: drop support for broute table"