From 3a9b238a0445f53b4b57d8cba7b7662997e7d538 Mon Sep 17 00:00:00 2001 From: Toshaan Bharvani Date: Tue, 26 Dec 2023 11:53:26 +0100 Subject: [PATCH] initial package creation Signed-off-by: Toshaan Bharvani --- ...Add-cockpit-by-default-to-some-zones.patch | 112 +++++++ ...t-atlocal-pass-EBTABLES-to-testsuite.patch | 46 +++ ...ct-avoid-iptables-flush-if-using-nft.patch | 117 ++++++++ ...ct-avoid-iptables-flush-if-using-nft.patch | 176 +++++++++++ SPECS/firewalld.spec | 273 ++++++++++++++++++ 5 files changed, 724 insertions(+) create mode 100644 SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch create mode 100644 SOURCES/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch create mode 100644 SOURCES/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch create mode 100644 SOURCES/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch create mode 100644 SPECS/firewalld.spec diff --git a/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch b/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch new file mode 100644 index 0000000..cc703c8 --- /dev/null +++ b/SOURCES/0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch @@ -0,0 +1,112 @@ +From f3fa74bb2710b0089db4026443ae67c4cabae1e1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 25 May 2021 13:31:41 -0400 +Subject: [PATCH 1/4] RHEL only: Add cockpit by default to some zones + +Fixes: #1581578 +--- + config/zones/home.xml | 1 + + config/zones/internal.xml | 1 + + config/zones/public.xml | 1 + + config/zones/work.xml | 1 + + src/tests/features/startup_failsafe.at | 1 + + src/tests/functions.at | 20 ++++++++++++++++++++ + 6 files changed, 25 insertions(+) + +diff --git a/config/zones/home.xml b/config/zones/home.xml +index d73c9bdb16b6..33064688367e 100644 +--- a/config/zones/home.xml ++++ b/config/zones/home.xml +@@ -6,5 +6,6 @@ + + + ++ + + +diff --git a/config/zones/internal.xml b/config/zones/internal.xml +index 053c18ccda8b..852b16ad94dd 100644 +--- a/config/zones/internal.xml ++++ b/config/zones/internal.xml +@@ -6,5 +6,6 @@ + + + ++ + + +diff --git a/config/zones/public.xml b/config/zones/public.xml +index 49fc4c20af52..62bc751de448 100644 +--- a/config/zones/public.xml ++++ b/config/zones/public.xml +@@ -4,5 +4,6 @@ + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + ++ + + +diff --git a/config/zones/work.xml b/config/zones/work.xml +index f1a14a9b4682..27b54a7783c4 100644 +--- a/config/zones/work.xml ++++ b/config/zones/work.xml +@@ -4,5 +4,6 @@ + For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + ++ + + +diff --git a/src/tests/features/startup_failsafe.at b/src/tests/features/startup_failsafe.at +index d251d354abfb..5178f40cec46 100644 +--- a/src/tests/features/startup_failsafe.at ++++ b/src/tests/features/startup_failsafe.at +@@ -20,6 +20,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept + tcp dport 443 ct state new,untracked accept + } + } +diff --git a/src/tests/functions.at b/src/tests/functions.at +index aea87c1cb4fc..4ef61a3147a4 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -128,6 +128,14 @@ m4_define([FWD_START_TEST], [ + fi + + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [ ++ AT_KEYWORDS(offline) ++ dnl cockpit is added by default downstream, but upstream tests don't expect ++ dnl it. Simply remove it at the start of every test. ++ dnl ++ FWD_OFFLINE_CHECK([--zone home --remove-service-from-zone cockpit], 0, [ignore]) ++ FWD_OFFLINE_CHECK([--zone internal --remove-service-from-zone cockpit], 0, [ignore]) ++ FWD_OFFLINE_CHECK([--zone public --remove-service-from-zone cockpit], 0, [ignore]) ++ FWD_OFFLINE_CHECK([--zone work --remove-service-from-zone cockpit], 0, [ignore]) + ], [ + dnl set the appropriate backend + AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf]) +@@ -259,6 +267,18 @@ m4_define([FWD_START_TEST], [ + ]) + + FWD_START_FIREWALLD ++ ++ dnl cockpit is added by default downstream, but upstream tests don't expect ++ dnl it. Simply remove it at the start of every test. ++ dnl ++ FWD_CHECK([--permanent --zone home --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone home --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([--permanent --zone internal --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone internal --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([--permanent --zone public --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone public --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([--permanent --zone work --remove-service cockpit], 0, [ignore]) ++ FWD_CHECK([ --zone work --remove-service cockpit], 0, [ignore]) + ]) + ]) + +-- +2.39.1 + diff --git a/SOURCES/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch b/SOURCES/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch new file mode 100644 index 0000000..17f84f8 --- /dev/null +++ b/SOURCES/0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch @@ -0,0 +1,46 @@ +From c1aadce88b0adc4e116254a80f3a7f4634958e01 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 31 Jan 2023 09:24:56 -0500 +Subject: [PATCH 2/4] v1.4.0: test(atlocal): pass EBTABLES to testsuite + +(cherry picked from commit a5adb26a5eebdaa6e978c580d4fb73f7aa06802f) +--- + src/tests/atlocal.in | 1 + + src/tests/functions.at | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/tests/atlocal.in b/src/tests/atlocal.in +index 8c5493ac38df..595a96f0f5c9 100644 +--- a/src/tests/atlocal.in ++++ b/src/tests/atlocal.in +@@ -1,5 +1,6 @@ + export PYTHON="@PYTHON@" + ++export EBTABLES="@EBTABLES@" + export IPTABLES="@IPTABLES@" + export IPTABLES_RESTORE="@IPTABLES_RESTORE@" + export IP6TABLES="@IP6TABLES@" +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 4ef61a3147a4..50fb6bfb4541 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -104,6 +104,7 @@ m4_define([FWD_START_TEST], [ + dnl in atlocal. + dnl + test -z "$PYTHON" && export PYTHON="python3" ++ test -z "$EBTABLES" && export EBTABLES="ebtables" + test -z "$IPTABLES" && export IPTABLES="iptables" + test -z "$IPTABLES_RESTORE" && export IPTABLES_RESTORE="iptables-restore" + test -z "$IP6TABLES" && export IP6TABLES="ip6tables" +@@ -395,7 +396,7 @@ m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl + m4_define([EBTABLES_LIST_RULES], [ + dnl ebtables commit 5f508b76a0ce change list output for inversion. + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ +- NS_CHECK([PIPESTATUS0([ebtables --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])], ++ NS_CHECK([PIPESTATUS0([$EBTABLES --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])], + [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7]) + ]) + ]) +-- +2.39.1 + diff --git a/SOURCES/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch b/SOURCES/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch new file mode 100644 index 0000000..2b428d1 --- /dev/null +++ b/SOURCES/0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch @@ -0,0 +1,117 @@ +From fbe4244b3663c3b96c174f6ed8d3d222cc1adcf8 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 30 Jan 2023 16:42:50 -0500 +Subject: [PATCH 3/4] v1.4.0: feat(direct): avoid iptables flush if using + nftables backend + +If FirewallBackend=nftables and there are no direct rules; then we can +avoid flushing iptables at startup and shutdown. This means other +applications can control iptables while firewalld only touches nftables. + +Fixes: #863 +(cherry picked from commit b7faa74db15e2d1ebd9fdfcdc7579874d3a2fa87) +--- + src/firewall/core/fw.py | 31 +++++++++++++++++++++++++++---- + src/firewall/core/fw_direct.py | 9 +++++++++ + 2 files changed, 36 insertions(+), 4 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 3e1bab575769..6710900839f8 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -469,7 +469,8 @@ class Firewall(object): + def _start_apply_objects(self, reload=False, complete_reload=False): + transaction = FirewallTransaction(self) + +- self.flush(use_transaction=transaction) ++ if not reload: ++ self.flush(use_transaction=transaction) + + # If modules need to be unloaded in complete reload or if there are + # ipsets to get applied, limit the transaction to flush. +@@ -939,7 +940,26 @@ class Firewall(object): + if use_transaction is None: + transaction.execute(True) + +- # flush and policy ++ def may_skip_flush_direct_backends(self): ++ if self.nftables_enabled and not self.direct.has_runtime_configuration(): ++ return True ++ ++ return False ++ ++ def flush_direct_backends(self, use_transaction=None): ++ if use_transaction is None: ++ transaction = FirewallTransaction(self) ++ else: ++ transaction = use_transaction ++ ++ for backend in self.all_backends(): ++ if backend in self.enabled_backends(): ++ continue ++ rules = backend.build_flush_rules() ++ transaction.add_rules(backend, rules) ++ ++ if use_transaction is None: ++ transaction.execute(True) + + def flush(self, use_transaction=None): + if use_transaction is None: +@@ -949,7 +969,10 @@ class Firewall(object): + + log.debug1("Flushing rule set") + +- for backend in self.all_backends(): ++ if not self.may_skip_flush_direct_backends(): ++ self.flush_direct_backends(use_transaction=transaction) ++ ++ for backend in self.enabled_backends(): + rules = backend.build_flush_rules() + transaction.add_rules(backend, rules) + +@@ -1109,7 +1132,7 @@ class Firewall(object): + if not _panic: + self.set_policy("DROP") + +- # stop ++ self.flush() + self.cleanup() + + start_exception = None +diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py +index 508cfa54f7fa..a4cd8a77e773 100644 +--- a/src/firewall/core/fw_direct.py ++++ b/src/firewall/core/fw_direct.py +@@ -219,6 +219,9 @@ class FirewallDirect(object): + else: + transaction = use_transaction + ++ if self._fw.may_skip_flush_direct_backends(): ++ transaction.add_pre(self._fw.flush_direct_backends) ++ + if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset(): + transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend]) + +@@ -268,6 +271,9 @@ class FirewallDirect(object): + else: + transaction = use_transaction + ++ if self._fw.may_skip_flush_direct_backends(): ++ transaction.add_pre(self._fw.flush_direct_backends) ++ + if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset(): + transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend]) + +@@ -353,6 +359,9 @@ class FirewallDirect(object): + else: + transaction = use_transaction + ++ if self._fw.may_skip_flush_direct_backends(): ++ transaction.add_pre(self._fw.flush_direct_backends) ++ + if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset(): + transaction.add_pre(self._fw.ipset.apply_ipsets, [self._fw.ipset_backend]) + +-- +2.39.1 + diff --git a/SOURCES/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch b/SOURCES/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch new file mode 100644 index 0000000..07ebcd6 --- /dev/null +++ b/SOURCES/0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch @@ -0,0 +1,176 @@ +From 5f092d3665463b764b957ef219010e0640babde7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 30 Jan 2023 14:43:18 -0500 +Subject: [PATCH 4/4] v1.4.0: test(direct): avoid iptables flush if using + nftables backend + +Coverage: #863 +(cherry picked from commit dcd0dd3674ea8ef757a1b41f6b53717a45e821aa) +--- + src/tests/features/features.at | 1 + + .../features/iptables_no_flush_on_shutdown.at | 144 ++++++++++++++++++ + 2 files changed, 145 insertions(+) + create mode 100644 src/tests/features/iptables_no_flush_on_shutdown.at + +diff --git a/src/tests/features/features.at b/src/tests/features/features.at +index 96b098de6e82..59725eb9fdf4 100644 +--- a/src/tests/features/features.at ++++ b/src/tests/features/features.at +@@ -18,3 +18,4 @@ m4_include([features/rpfilter.at]) + m4_include([features/zone_combine.at]) + m4_include([features/startup_failsafe.at]) + m4_include([features/ipset.at]) ++m4_include([features/iptables_no_flush_on_shutdown.at]) +diff --git a/src/tests/features/iptables_no_flush_on_shutdown.at b/src/tests/features/iptables_no_flush_on_shutdown.at +new file mode 100644 +index 000000000000..753a8251f732 +--- /dev/null ++++ b/src/tests/features/iptables_no_flush_on_shutdown.at +@@ -0,0 +1,144 @@ ++m4_if(nftables, FIREWALL_BACKEND, [ ++ ++dnl If FirewallBackend=nftables, and there are no --direct rules, then we can ++dnl avoid flushing iptables on shutdown. We can also avoid a flush on startup ++dnl if there are no permanent direct rules. But we will have to flush on the ++dnl first direct rule added. ++FWD_START_TEST([avoid iptables flush if using nftables]) ++AT_KEYWORDS(direct gh863) ++CHECK_IPTABLES() ++ ++dnl no flush on reload if no direct rules ++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++IF_HOST_SUPPORTS_IP6TABLES([ ++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++]) ++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all ::/0 ::/0 ++]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl ++ -j ACCEPT ++]) ++FWD_RELOAD() ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all ::/0 ::/0 ++]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl ++ -j ACCEPT ++]) ++ ++dnl no flush on restart (or stop) if no direct rules ++FWD_RESTART() ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all ::/0 ::/0 ++]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl ++ -j ACCEPT ++]) ++ ++dnl the first runtime direct rule should trigger an iptables flush ++FWD_CHECK([--direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++IF_HOST_SUPPORTS_IP6TABLES([ ++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++]) ++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl ++ ACCEPT all ::/0 ::/0 ++]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl ++ -j ACCEPT ++]) ++FWD_RELOAD() ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl ++]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl ++]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl ++]) ++ ++dnl permanent direct rules should trigger a flush at start ++FWD_CHECK([--permanent --direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore]) ++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++IF_HOST_SUPPORTS_IP6TABLES([ ++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++]) ++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++FWD_RELOAD() ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl ++]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl ++]) ++ ++FWD_CHECK([--permanent --direct --remove-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore]) ++FWD_RELOAD() ++ ++dnl adding a chain should trigger a flush ++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++IF_HOST_SUPPORTS_IP6TABLES([ ++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++]) ++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++FWD_CHECK([--direct --add-chain ipv4 filter firewalld_foobar], 0, [ignore]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++FWD_RELOAD() ++ ++dnl adding a chain should trigger a flush ++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++IF_HOST_SUPPORTS_IP6TABLES([ ++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++]) ++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite]) ++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) ++FWD_CHECK([--direct --add-passthrough ipv4 -t filter -I INPUT -j ACCEPT], 0, [ignore]) ++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++ ++FWD_END_TEST() ++ ++]) +-- +2.39.1 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec new file mode 100644 index 0000000..70ccea1 --- /dev/null +++ b/SPECS/firewalld.spec @@ -0,0 +1,273 @@ +Summary: A firewall daemon with D-Bus interface providing a dynamic firewall +Name: firewalld +Version: 1.2.5 +Release: 2%{?dist} +URL: http://www.firewalld.org +License: GPLv2+ +Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz +Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch +Patch2: 0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch +Patch3: 0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch +Patch4: 0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch +BuildArch: noarch +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: desktop-file-utils +BuildRequires: gettext +BuildRequires: intltool +# glib2-devel is needed for gsettings.m4 +BuildRequires: glib2, glib2-devel +BuildRequires: systemd-units +BuildRequires: docbook-style-xsl +BuildRequires: libxslt +BuildRequires: iptables, ebtables, ipset +BuildRequires: python3-devel +BuildRequires: make +Requires: iptables, ebtables, ipset +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires: firewalld-filesystem = %{version}-%{release} +Requires: python3-firewall = %{version}-%{release} +Obsoletes: firewalld-selinux < 0.4.4.2-2 +Conflicts: selinux-policy < 3.14.1-28 +Conflicts: cockpit-ws < 173-2 +Recommends: libcap-ng-python3 + +%description +firewalld is a firewall service daemon that provides a dynamic customizable +firewall with a D-Bus interface. + +%package -n python3-firewall +Summary: Python3 bindings for firewalld + +%{?python_provide:%python_provide python3-firewall} + +Requires: python3-dbus +Requires: python3-gobject-base +Requires: python3-nftables + +%description -n python3-firewall +Python3 bindings for firewalld. + +%package -n firewalld-filesystem +Summary: Firewalld directory layout and rpm macros + +%description -n firewalld-filesystem +This package provides directories and rpm macros which +are required by other packages that add firewalld configuration files. + +%package -n firewall-applet +Summary: Firewall panel applet +Requires: %{name} = %{version}-%{release} +Requires: firewall-config = %{version}-%{release} +Requires: hicolor-icon-theme +Requires: python3-qt5-base +Requires: python3-gobject +Requires: libnotify +Requires: NetworkManager-libnm +Requires: dbus-x11 + +%description -n firewall-applet +The firewall panel applet provides a status information of firewalld and also +the firewall settings. + +%package -n firewall-config +Summary: Firewall configuration application +Requires: %{name} = %{version}-%{release} +Requires: hicolor-icon-theme +Requires: gtk3 +Requires: python3-gobject +Requires: NetworkManager-libnm +Requires: dbus-x11 +Recommends: polkit + +%description -n firewall-config +The firewall configuration application provides an configuration interface for +firewalld. + +%pretrans -p +-- HACK: Old rpm versions had an untracked (%ghost) symlink for +-- /etc/firewalld/firewalld.conf. RPM won't handle replacing the symlink due to +-- "%config(noreplace)". As such, we remove the symlink here before attempting +-- to install the new version which is a real file. Only replace the symlink if +-- the target matches one of the previous package's expected targets. +-- +-- Unfortunately this must be done in pretrans in order to occur before RPM +-- makes decisions about file replacement. +-- +local old_package_symlinks = {"firewalld-standard.conf", "firewalld-server.conf", + "firewalld-workstation.conf"} + +local symlink_target = posix.readlink("%{_sysconfdir}/firewalld/firewalld.conf") +for k,v in ipairs(old_package_symlinks) do + if symlink_target == v then + posix.unlink("%{_sysconfdir}/firewalld/firewalld.conf") + break + end +end + +%prep +%autosetup -p1 + +%build +%configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}" +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} +desktop-file-install --delete-original \ + --dir %{buildroot}%{_sysconfdir}/xdg/autostart \ + %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +desktop-file-install --delete-original \ + --dir %{buildroot}%{_datadir}/applications \ + %{buildroot}%{_datadir}/applications/firewall-config.desktop + +install -d -m 755 %{buildroot}%{_prefix}/lib/firewalld/zones/ + +# remove unhandle firewalld-test subpackage +rm -rf %{buildroot}%{_datadir}/firewalld/testsuite + +%find_lang %{name} --all-name + +%post +%systemd_post firewalld.service + +%preun +%systemd_preun firewalld.service + +%postun +%systemd_postun_with_restart firewalld.service + +%files -f %{name}.lang +%doc COPYING README.md +%{_sbindir}/firewalld +%{_bindir}/firewall-cmd +%{_bindir}/firewall-offline-cmd +%dir %{_datadir}/bash-completion/completions +%{_datadir}/bash-completion/completions/firewall-cmd +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_firewalld +%{_prefix}/lib/firewalld/icmptypes/*.xml +%{_prefix}/lib/firewalld/ipsets/README.md +%{_prefix}/lib/firewalld/policies/*.xml +%{_prefix}/lib/firewalld/services/*.xml +%{_prefix}/lib/firewalld/zones/*.xml +%{_prefix}/lib/firewalld/helpers/*.xml +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld +%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf +%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/policies +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones +%defattr(0644,root,root) +%config(noreplace) %{_sysconfdir}/sysconfig/firewalld +%{_unitdir}/firewalld.service +%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy +%{_mandir}/man1/firewall*cmd*.1* +%{_mandir}/man1/firewalld*.1* +%{_mandir}/man5/firewall*.5* +%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf +%{_sysconfdir}/logrotate.d/firewalld + +%files -n python3-firewall +%attr(0755,root,root) %dir %{python3_sitelib}/firewall +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/config/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/core/io/__pycache__ +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server +%attr(0755,root,root) %dir %{python3_sitelib}/firewall/server/__pycache__ +%{python3_sitelib}/firewall/__pycache__/*.py* +%{python3_sitelib}/firewall/*.py* +%{python3_sitelib}/firewall/config/*.py* +%{python3_sitelib}/firewall/config/__pycache__/*.py* +%{python3_sitelib}/firewall/core/*.py* +%{python3_sitelib}/firewall/core/__pycache__/*.py* +%{python3_sitelib}/firewall/core/io/*.py* +%{python3_sitelib}/firewall/core/io/__pycache__/*.py* +%{python3_sitelib}/firewall/server/*.py* +%{python3_sitelib}/firewall/server/__pycache__/*.py* + +%files -n firewalld-filesystem +%dir %{_prefix}/lib/firewalld +%dir %{_prefix}/lib/firewalld/helpers +%dir %{_prefix}/lib/firewalld/icmptypes +%dir %{_prefix}/lib/firewalld/ipsets +%dir %{_prefix}/lib/firewalld/policies +%dir %{_prefix}/lib/firewalld/services +%dir %{_prefix}/lib/firewalld/zones +%{_rpmconfigdir}/macros.d/macros.firewalld + +%files -n firewall-applet +%{_bindir}/firewall-applet +%defattr(0644,root,root) +%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +%dir %{_sysconfdir}/firewall +%{_sysconfdir}/firewall/applet.conf +%{_datadir}/icons/hicolor/*/apps/firewall-applet*.* +%{_mandir}/man1/firewall-applet*.1* + +%files -n firewall-config +%{_bindir}/firewall-config +%defattr(0644,root,root) +%{_datadir}/firewalld/firewall-config.glade +%{_datadir}/firewalld/gtk3_chooserbutton.py* +%{_datadir}/firewalld/gtk3_niceexpander.py* +%{_datadir}/applications/firewall-config.desktop +%{_datadir}/metainfo/firewall-config.appdata.xml +%{_datadir}/icons/hicolor/*/apps/firewall-config*.* +%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml +%{_mandir}/man1/firewall-config*.1* + +%changelog +* Wed Oct 25 2023 Eric Garver - 1.2.5-2 +- bump NVR for release retarget + +* Mon Apr 24 2023 Eric Garver - 1.2.5-1 +- package rebase to v1.2.5 +- feat(direct): avoid iptables flush if using nftables backend + +* Mon Nov 07 2022 Eric Garver - 1.2.1-1 +- package rebase to v1.2.1 + +* Wed Aug 03 2022 Eric Garver - 1.1.1-3 +- fix(runtimeToPermanent): errors for interfaces not in zone + +* Fri Jul 15 2022 Eric Garver - 1.1.1-2 +- test(functions): normalize iptables ipv6-icmp/icmpv6 + +* Mon May 16 2022 Eric Garver - 1.1.1-1 +- package rebase to v1.1.1 + +* Mon Nov 22 2021 Eric Garver - 1.0.0-4 +- fix(firewalld): check capng_apply() return code + +* Mon Nov 22 2021 Eric Garver - 1.0.0-3 +- fix(firewalld): keep linux capability CAP_SYS_MODULE + +* Mon Aug 09 2021 Mohan Boddu - 1.0.0-2 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Mon Jul 26 2021 Eric Garver - 1.0.0-1 +- package rebase to v1.0.0 + +* Mon Jun 07 2021 Eric Garver - 1.0.0-0.3.alpha +- remove dead symlink (firewalld.conf) left over from old package versions + before installing new file + +* Tue Jun 01 2021 Eric Garver - 1.0.0-0.2.alpha +- fix missing policy kit symlink + +* Tue May 25 2021 Eric Garver - 1.0.0-0.1.alpha +- package rebase to v1.0.0-alpha