powerel9
/
firewalld
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

initial package creation 

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 11 months ago
commit
3a9b238a04
5 changed files with 724 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 112
      SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
  2. 46
      SOURCES/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
  3. 117
      SOURCES/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
  4. 176
      SOURCES/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch
  5. 273
      SPECS/firewalld.spec

112
SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
Unescape View File

@ -0,0 +1,112 @@ @@ -0,0 +1,112 @@
From f3fa74bb2710b0089db4026443ae67c4cabae1e1 Mon Sep 17 00:00:00 2001
From: Eric Garver <egarver@redhat.com>
Date: Tue, 25 May 2021 13:31:41 -0400
Subject: [PATCH 1/4] RHEL only: Add cockpit by default to some zones

Fixes: #1581578
---
config/zones/home.xml | 1 +
config/zones/internal.xml | 1 +
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
src/tests/features/startup_failsafe.at | 1 +
src/tests/functions.at | 20 ++++++++++++++++++++
6 files changed, 25 insertions(+)

diff --git a/config/zones/home.xml b/config/zones/home.xml
index d73c9bdb16b6..33064688367e 100644
--- a/config/zones/home.xml
+++ b/config/zones/home.xml
@@ -6,5 +6,6 @@
<service name="mdns"/>
<service name="samba-client"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/config/zones/internal.xml b/config/zones/internal.xml
index 053c18ccda8b..852b16ad94dd 100644
--- a/config/zones/internal.xml
+++ b/config/zones/internal.xml
@@ -6,5 +6,6 @@
<service name="mdns"/>
<service name="samba-client"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/config/zones/public.xml b/config/zones/public.xml
index 49fc4c20af52..62bc751de448 100644
--- a/config/zones/public.xml
+++ b/config/zones/public.xml
@@ -4,5 +4,6 @@
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/config/zones/work.xml b/config/zones/work.xml
index f1a14a9b4682..27b54a7783c4 100644
--- a/config/zones/work.xml
+++ b/config/zones/work.xml
@@ -4,5 +4,6 @@
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
<forward/>
</zone>
diff --git a/src/tests/features/startup_failsafe.at b/src/tests/features/startup_failsafe.at
index d251d354abfb..5178f40cec46 100644
--- a/src/tests/features/startup_failsafe.at
+++ b/src/tests/features/startup_failsafe.at
@@ -20,6 +20,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 443 ct state new,untracked accept
}
}
diff --git a/src/tests/functions.at b/src/tests/functions.at
index aea87c1cb4fc..4ef61a3147a4 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -128,6 +128,14 @@ m4_define([FWD_START_TEST], [
fi
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
+ AT_KEYWORDS(offline)
+ dnl cockpit is added by default downstream, but upstream tests don't expect
+ dnl it. Simply remove it at the start of every test.
+ dnl
+ FWD_OFFLINE_CHECK([--zone home --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone internal --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone public --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone work --remove-service-from-zone cockpit], 0, [ignore])
], [
dnl set the appropriate backend
AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
@@ -259,6 +267,18 @@ m4_define([FWD_START_TEST], [
])
FWD_START_FIREWALLD
+
+ dnl cockpit is added by default downstream, but upstream tests don't expect
+ dnl it. Simply remove it at the start of every test.
+ dnl
+ FWD_CHECK([--permanent --zone home --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone home --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone internal --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone internal --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone public --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone public --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone work --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone work --remove-service cockpit], 0, [ignore])
])
])
--
2.39.1

46
SOURCES/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
Unescape View File

@ -0,0 +1,46 @@ @@ -0,0 +1,46 @@
From c1aadce88b0adc4e116254a80f3a7f4634958e01 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 31 Jan 2023 09:24:56 -0500
Subject: [PATCH 2/4] v1.4.0: test(atlocal): pass EBTABLES to testsuite

(cherry picked from commit a5adb26a5eebdaa6e978c580d4fb73f7aa06802f)
---
src/tests/atlocal.in | 1 +
src/tests/functions.at | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/tests/atlocal.in b/src/tests/atlocal.in
index 8c5493ac38df..595a96f0f5c9 100644
--- a/src/tests/atlocal.in
+++ b/src/tests/atlocal.in
@@ -1,5 +1,6 @@
export PYTHON="@PYTHON@"
+export EBTABLES="@EBTABLES@"
export IPTABLES="@IPTABLES@"
export IPTABLES_RESTORE="@IPTABLES_RESTORE@"
export IP6TABLES="@IP6TABLES@"
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 4ef61a3147a4..50fb6bfb4541 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -104,6 +104,7 @@ m4_define([FWD_START_TEST], [
dnl in atlocal.
dnl
test -z "$PYTHON" && export PYTHON="python3"
+ test -z "$EBTABLES" && export EBTABLES="ebtables"
test -z "$IPTABLES" && export IPTABLES="iptables"
test -z "$IPTABLES_RESTORE" && export IPTABLES_RESTORE="iptables-restore"
test -z "$IP6TABLES" && export IP6TABLES="ip6tables"
@@ -395,7 +396,7 @@ m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl
m4_define([EBTABLES_LIST_RULES], [
dnl ebtables commit 5f508b76a0ce change list output for inversion.
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- NS_CHECK([PIPESTATUS0([ebtables --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
+ NS_CHECK([PIPESTATUS0([$EBTABLES --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
[$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
])
])
--
2.39.1

117
SOURCES/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
Unescape View File

@ -0,0 +1,117 @@ @@ -0,0 +1,117 @@
From fbe4244b3663c3b96c174f6ed8d3d222cc1adcf8 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 30 Jan 2023 16:42:50 -0500
Subject: [PATCH 3/4] v1.4.0: feat(direct): avoid iptables flush if using
nftables backend

If FirewallBackend=nftables and there are no direct rules; then we can
avoid flushing iptables at startup and shutdown. This means other
applications can control iptables while firewalld only touches nftables.

Fixes: #863
(cherry picked from commit b7faa74db15e2d1ebd9fdfcdc7579874d3a2fa87)
---
src/firewall/core/fw.py | 31 +++++++++++++++++++++++++++----
src/firewall/core/fw_direct.py | 9 +++++++++
2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 3e1bab575769..6710900839f8 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -469,7 +469,8 @@ class Firewall(object):
def _start_apply_objects(self, reload=False, complete_reload=False):
transaction = FirewallTransaction(self)
- self.flush(use_transaction=transaction)
+ if not reload:
+ self.flush(use_transaction=transaction)
# If modules need to be unloaded in complete reload or if there are
# ipsets to get applied, limit the transaction to flush.
@@ -939,7 +940,26 @@ class Firewall(object):
if use_transaction is None:
transaction.execute(True)
- # flush and policy
+ def may_skip_flush_direct_backends(self):
+ if self.nftables_enabled and not self.direct.has_runtime_configuration():
+ return True
+
+ return False
+
+ def flush_direct_backends(self, use_transaction=None):
+ if use_transaction is None:
+ transaction = FirewallTransaction(self)
+ else:
+ transaction = use_transaction
+
+ for backend in self.all_backends():
+ if backend in self.enabled_backends():
+ continue
+ rules = backend.build_flush_rules()
+ transaction.add_rules(backend, rules)
+
+ if use_transaction is None:
+ transaction.execute(True)
def flush(self, use_transaction=None):
if use_transaction is None:
@@ -949,7 +969,10 @@ class Firewall(object):
log.debug1("Flushing rule set")
- for backend in self.all_backends():
+ if not self.may_skip_flush_direct_backends():
+ self.flush_direct_backends(use_transaction=transaction)
+
+ for backend in self.enabled_backends():
rules = backend.build_flush_rules()
transaction.add_rules(backend, rules)
@@ -1109,7 +1132,7 @@ class Firewall(object):
if not _panic:
self.set_policy("DROP")
- # stop
+ self.flush()
self.cleanup()
start_exception = None
diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
index 508cfa54f7fa..a4cd8a77e773 100644
--- a/src/firewall/core/fw_direct.py
+++ b/src/firewall/core/fw_direct.py
@@ -219,6 +219,9 @@ class FirewallDirect(object):
else:
transaction = use_transaction
+ if self._fw.may_skip_flush_direct_backends():
+ transaction.add_pre(self._fw.flush_direct_backends)
+
if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset():
transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend])
@@ -268,6 +271,9 @@ class FirewallDirect(object):
else:
transaction = use_transaction
+ if self._fw.may_skip_flush_direct_backends():
+ transaction.add_pre(self._fw.flush_direct_backends)
+
if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset():
transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend])
@@ -353,6 +359,9 @@ class FirewallDirect(object):
else:
transaction = use_transaction
+ if self._fw.may_skip_flush_direct_backends():
+ transaction.add_pre(self._fw.flush_direct_backends)
+
if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset():
transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend])
--
2.39.1

176
SOURCES/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch
Unescape View File

@ -0,0 +1,176 @@ @@ -0,0 +1,176 @@
From 5f092d3665463b764b957ef219010e0640babde7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 30 Jan 2023 14:43:18 -0500
Subject: [PATCH 4/4] v1.4.0: test(direct): avoid iptables flush if using
nftables backend

Coverage: #863
(cherry picked from commit dcd0dd3674ea8ef757a1b41f6b53717a45e821aa)
---
src/tests/features/features.at | 1 +
.../features/iptables_no_flush_on_shutdown.at | 144 ++++++++++++++++++
2 files changed, 145 insertions(+)
create mode 100644 src/tests/features/iptables_no_flush_on_shutdown.at

diff --git a/src/tests/features/features.at b/src/tests/features/features.at
index 96b098de6e82..59725eb9fdf4 100644
--- a/src/tests/features/features.at
+++ b/src/tests/features/features.at
@@ -18,3 +18,4 @@ m4_include([features/rpfilter.at])
m4_include([features/zone_combine.at])
m4_include([features/startup_failsafe.at])
m4_include([features/ipset.at])
+m4_include([features/iptables_no_flush_on_shutdown.at])
diff --git a/src/tests/features/iptables_no_flush_on_shutdown.at b/src/tests/features/iptables_no_flush_on_shutdown.at
new file mode 100644
index 000000000000..753a8251f732
--- /dev/null
+++ b/src/tests/features/iptables_no_flush_on_shutdown.at
@@ -0,0 +1,144 @@
+m4_if(nftables, FIREWALL_BACKEND, [
+
+dnl If FirewallBackend=nftables, and there are no --direct rules, then we can
+dnl avoid flushing iptables on shutdown. We can also avoid a flush on startup
+dnl if there are no permanent direct rules. But we will have to flush on the
+dnl first direct rule added.
+FWD_START_TEST([avoid iptables flush if using nftables])
+AT_KEYWORDS(direct gh863)
+CHECK_IPTABLES()
+
+dnl no flush on reload if no direct rules
+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+IF_HOST_SUPPORTS_IP6TABLES([
+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
+])
+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all ::/0 ::/0
+])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
+ -j ACCEPT
+])
+FWD_RELOAD()
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all ::/0 ::/0
+])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
+ -j ACCEPT
+])
+
+dnl no flush on restart (or stop) if no direct rules
+FWD_RESTART()
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all ::/0 ::/0
+])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
+ -j ACCEPT
+])
+
+dnl the first runtime direct rule should trigger an iptables flush
+FWD_CHECK([--direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+])
+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+IF_HOST_SUPPORTS_IP6TABLES([
+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
+])
+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
+ ACCEPT all ::/0 ::/0
+])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
+ -j ACCEPT
+])
+FWD_RELOAD()
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
+])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
+])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+])
+
+dnl permanent direct rules should trigger a flush at start
+FWD_CHECK([--permanent --direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+IF_HOST_SUPPORTS_IP6TABLES([
+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
+])
+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+FWD_RELOAD()
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
+])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+])
+
+FWD_CHECK([--permanent --direct --remove-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
+FWD_RELOAD()
+
+dnl adding a chain should trigger a flush
+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+IF_HOST_SUPPORTS_IP6TABLES([
+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
+])
+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+FWD_CHECK([--direct --add-chain ipv4 filter firewalld_foobar], 0, [ignore])
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+FWD_RELOAD()
+
+dnl adding a chain should trigger a flush
+NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+IF_HOST_SUPPORTS_IP6TABLES([
+NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
+])
+NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
+NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
+FWD_CHECK([--direct --add-passthrough ipv4 -t filter -I INPUT -j ACCEPT], 0, [ignore])
+IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
+
+FWD_END_TEST()
+
+])
--
2.39.1

273
SPECS/firewalld.spec
Unescape View File

@ -0,0 +1,273 @@ @@ -0,0 +1,273 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 1.2.5
Release: 2%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
Patch3: 0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
Patch4: 0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch
BuildArch: noarch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: desktop-file-utils
BuildRequires: gettext
BuildRequires: intltool
# glib2-devel is needed for gsettings.m4
BuildRequires: glib2, glib2-devel
BuildRequires: systemd-units
BuildRequires: docbook-style-xsl
BuildRequires: libxslt
BuildRequires: iptables, ebtables, ipset
BuildRequires: python3-devel
BuildRequires: make
Requires: iptables, ebtables, ipset
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires: firewalld-filesystem = %{version}-%{release}
Requires: python3-firewall = %{version}-%{release}
Obsoletes: firewalld-selinux < 0.4.4.2-2
Conflicts: selinux-policy < 3.14.1-28
Conflicts: cockpit-ws < 173-2
Recommends: libcap-ng-python3

%description
firewalld is a firewall service daemon that provides a dynamic customizable
firewall with a D-Bus interface.

%package -n python3-firewall
Summary: Python3 bindings for firewalld

%{?python_provide:%python_provide python3-firewall}

Requires: python3-dbus
Requires: python3-gobject-base
Requires: python3-nftables

%description -n python3-firewall
Python3 bindings for firewalld.

%package -n firewalld-filesystem
Summary: Firewalld directory layout and rpm macros

%description -n firewalld-filesystem
This package provides directories and rpm macros which
are required by other packages that add firewalld configuration files.

%package -n firewall-applet
Summary: Firewall panel applet
Requires: %{name} = %{version}-%{release}
Requires: firewall-config = %{version}-%{release}
Requires: hicolor-icon-theme
Requires: python3-qt5-base
Requires: python3-gobject
Requires: libnotify
Requires: NetworkManager-libnm
Requires: dbus-x11

%description -n firewall-applet
The firewall panel applet provides a status information of firewalld and also
the firewall settings.

%package -n firewall-config
Summary: Firewall configuration application
Requires: %{name} = %{version}-%{release}
Requires: hicolor-icon-theme
Requires: gtk3
Requires: python3-gobject
Requires: NetworkManager-libnm
Requires: dbus-x11
Recommends: polkit

%description -n firewall-config
The firewall configuration application provides an configuration interface for
firewalld.

%pretrans -p <lua>
-- HACK: Old rpm versions had an untracked (%ghost) symlink for
-- /etc/firewalld/firewalld.conf. RPM won't handle replacing the symlink due to
-- "%config(noreplace)". As such, we remove the symlink here before attempting
-- to install the new version which is a real file. Only replace the symlink if
-- the target matches one of the previous package's expected targets.
--
-- Unfortunately this must be done in pretrans in order to occur before RPM
-- makes decisions about file replacement.
--
local old_package_symlinks = {"firewalld-standard.conf", "firewalld-server.conf",
"firewalld-workstation.conf"}

local symlink_target = posix.readlink("%{_sysconfdir}/firewalld/firewalld.conf")
for k,v in ipairs(old_package_symlinks) do
if symlink_target == v then
posix.unlink("%{_sysconfdir}/firewalld/firewalld.conf")
break
end
end

%prep
%autosetup -p1

%build
%configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}"
make %{?_smp_mflags}

%install
make install DESTDIR=%{buildroot}
desktop-file-install --delete-original \
--dir %{buildroot}%{_sysconfdir}/xdg/autostart \
%{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
desktop-file-install --delete-original \
--dir %{buildroot}%{_datadir}/applications \
%{buildroot}%{_datadir}/applications/firewall-config.desktop

install -d -m 755 %{buildroot}%{_prefix}/lib/firewalld/zones/

# remove unhandle firewalld-test subpackage
rm -rf %{buildroot}%{_datadir}/firewalld/testsuite

%find_lang %{name} --all-name

%post
%systemd_post firewalld.service

%preun
%systemd_preun firewalld.service

%postun
%systemd_postun_with_restart firewalld.service

%files -f %{name}.lang
%doc COPYING README.md
%{_sbindir}/firewalld
%{_bindir}/firewall-cmd
%{_bindir}/firewall-offline-cmd
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/firewall-cmd
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_firewalld
%{_prefix}/lib/firewalld/icmptypes/*.xml
%{_prefix}/lib/firewalld/ipsets/README.md
%{_prefix}/lib/firewalld/policies/*.xml
%{_prefix}/lib/firewalld/services/*.xml
%{_prefix}/lib/firewalld/zones/*.xml
%{_prefix}/lib/firewalld/helpers/*.xml
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld
%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/policies
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
%defattr(0644,root,root)
%config(noreplace) %{_sysconfdir}/sysconfig/firewalld
%{_unitdir}/firewalld.service
%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
%{_mandir}/man1/firewall*cmd*.1*
%{_mandir}/man1/firewalld*.1*
%{_mandir}/man5/firewall*.5*
%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%{_sysconfdir}/logrotate.d/firewalld

%files -n python3-firewall
%attr(0755,root,root) %dir %{python3_sitelib}/firewall
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server
%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__
%{python3_sitelib}/firewall/__pycache__/*.py*
%{python3_sitelib}/firewall/*.py*
%{python3_sitelib}/firewall/config/*.py*
%{python3_sitelib}/firewall/config/__pycache__/*.py*
%{python3_sitelib}/firewall/core/*.py*
%{python3_sitelib}/firewall/core/__pycache__/*.py*
%{python3_sitelib}/firewall/core/io/*.py*
%{python3_sitelib}/firewall/core/io/__pycache__/*.py*
%{python3_sitelib}/firewall/server/*.py*
%{python3_sitelib}/firewall/server/__pycache__/*.py*

%files -n firewalld-filesystem
%dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/helpers
%dir %{_prefix}/lib/firewalld/icmptypes
%dir %{_prefix}/lib/firewalld/ipsets
%dir %{_prefix}/lib/firewalld/policies
%dir %{_prefix}/lib/firewalld/services
%dir %{_prefix}/lib/firewalld/zones
%{_rpmconfigdir}/macros.d/macros.firewalld

%files -n firewall-applet
%{_bindir}/firewall-applet
%defattr(0644,root,root)
%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
%dir %{_sysconfdir}/firewall
%{_sysconfdir}/firewall/applet.conf
%{_datadir}/icons/hicolor/*/apps/firewall-applet*.*
%{_mandir}/man1/firewall-applet*.1*

%files -n firewall-config
%{_bindir}/firewall-config
%defattr(0644,root,root)
%{_datadir}/firewalld/firewall-config.glade
%{_datadir}/firewalld/gtk3_chooserbutton.py*
%{_datadir}/firewalld/gtk3_niceexpander.py*
%{_datadir}/applications/firewall-config.desktop
%{_datadir}/metainfo/firewall-config.appdata.xml
%{_datadir}/icons/hicolor/*/apps/firewall-config*.*
%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml
%{_mandir}/man1/firewall-config*.1*

%changelog
* Wed Oct 25 2023 Eric Garver <egarver@redhat.com> - 1.2.5-2
- bump NVR for release retarget

* Mon Apr 24 2023 Eric Garver <egarver@redhat.com> - 1.2.5-1
- package rebase to v1.2.5
- feat(direct): avoid iptables flush if using nftables backend

* Mon Nov 07 2022 Eric Garver <egarver@redhat.com> - 1.2.1-1
- package rebase to v1.2.1

* Wed Aug 03 2022 Eric Garver <egarver@redhat.com> - 1.1.1-3
- fix(runtimeToPermanent): errors for interfaces not in zone

* Fri Jul 15 2022 Eric Garver <egarver@redhat.com> - 1.1.1-2
- test(functions): normalize iptables ipv6-icmp/icmpv6

* Mon May 16 2022 Eric Garver <egarver@redhat.com> - 1.1.1-1
- package rebase to v1.1.1

* Mon Nov 22 2021 Eric Garver <egarver@redhat.com> - 1.0.0-4
- fix(firewalld): check capng_apply() return code

* Mon Nov 22 2021 Eric Garver <egarver@redhat.com> - 1.0.0-3
- fix(firewalld): keep linux capability CAP_SYS_MODULE

* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688

* Mon Jul 26 2021 Eric Garver <egarver@redhat.com> - 1.0.0-1
- package rebase to v1.0.0

* Mon Jun 07 2021 Eric Garver <egarver@redhat.com> - 1.0.0-0.3.alpha
- remove dead symlink (firewalld.conf) left over from old package versions
before installing new file

* Tue Jun 01 2021 Eric Garver <egarver@redhat.com> - 1.0.0-0.2.alpha
- fix missing policy kit symlink

* Tue May 25 2021 Eric Garver <egarver@redhat.com> - 1.0.0-0.1.alpha
- package rebase to v1.0.0-alpha
Write Preview
Loading…
Cancel
Save