From 7b258f3cda1a787ef9e3e857259507b11afb5f82 Mon Sep 17 00:00:00 2001 
From: Thomas Woerner Date: Wed, 20 Mar 2013 18:04:20 +0100 Subject: [PATCH] New version 0.3.0 - Added rich language support - Added lockdown feature - Allow to bind interfaces and sources to zones permanently - Enabled IPv6 NAT support masquerading and port/packet forwarding for IPv6 only with rich language - Handle polkit errors in client class and firewall-config - Added priority description for --direct --add-rule in firewall-cmd man page - Add XML Schemas for zones/services/icmptypes XMLs - Don't keep file descriptors open when forking - Introduce --nopid option for firewalld - New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782) - Update cluster-suite service (RHBZ#885257) - firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912) - Fix interaction problem of changed event of gtk combobox with polkit-kde by processing all remaining events (RHBZ#915892) - Stop default zone rules being applied to all zones (RHBZ#912782) - Firewall.start(): don't call set_default_zone() - Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages - firewalld-cmd: make --state verbose (RHBZ#886484) - improve firewalld --help (RHBZ#910492) - firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834) - Continue loading zone in case of wrong service/port etc. (RHBZ#909466) - Check also services and icmptypes in Zone() (RHBZ#909466) - Increase the maximum length of the port forwarding fields from 5 to 11 in firewall-config - firewall-cmd: add usage to fail message - firewall-cmd: redefine usage to point to man page - firewall-cmd: fix visible problems with arg. 
parsing - Use argparse module for parsing command line options and arguments - firewall-cmd.1: better clarify where to find ACTIONs - firewall-cmd Bash completion - firewall-cmd.1: comment --zone= usage and move some options - Use zone's target only in %s_ZONES chains - default zone in firewalld.conf was set to public with every restart (#902845) - man page cleanup - code cleanup --- .gitignore | 1 + firewalld-0.2.12-bz912782.patch | 32 -------------- firewalld-0.2.12-bz912782_2.patch | 72 ------------------------------- firewalld-0.2.12-conf.patch | 26 ----------- firewalld-0.2.12-gtk.patch | 26 ----------- firewalld.spec | 54 ++++++++++++++++++----- sources | 2 +- 7 files changed, 45 insertions(+), 168 deletions(-) delete mode 100644 firewalld-0.2.12-bz912782.patch delete mode 100644 firewalld-0.2.12-bz912782_2.patch delete mode 100644 firewalld-0.2.12-conf.patch delete mode 100644 firewalld-0.2.12-gtk.patch diff --git a/.gitignore b/.gitignore index 7bb8aa7..8b11de7 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ /firewalld-0.2.10.tar.bz2 /firewalld-0.2.11.tar.bz2 /firewalld-0.2.12.tar.bz2 +/firewalld-0.3.0.tar.bz2 diff --git a/firewalld-0.2.12-bz912782.patch b/firewalld-0.2.12-bz912782.patch deleted file mode 100644 index c5d2dbf..0000000 --- a/firewalld-0.2.12-bz912782.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 3253df596ab6f5e43d22dff3049600fc0de9c41b Mon Sep 17 00:00:00 2001 -From: Jiri Popelka -Date: Wed, 20 Feb 2013 14:58:40 +0100 -Subject: [PATCH 1/2] Stop default zone rules being applied to all zones - (RHBZ#912782) - -See https://bugzilla.redhat.com/show_bug.cgi?id=912782 -for description. - -Patch from Quentin Armitage ---- - src/firewall/core/fw_zone.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py -index 6d874e5..0fd0267 100644 ---- a/src/firewall/core/fw_zone.py -+++ b/src/firewall/core/fw_zone.py -@@ -272,8 +272,9 @@ class FirewallZone: - if target == "DROP" and table == "nat": - # DROP is not supported in nat table - continue -+ action = "-g" if "_ZONE_" in target else "-j" - rule = [ "%s_ZONES" % src_chain, "-t", table, -- opt, interface, "-j", target ] -+ opt, interface, action, target ] - if enable and not append: - rule.insert(1, "1") - rules.append((ipv, rule)) --- -1.8.1.2 - diff --git a/firewalld-0.2.12-bz912782_2.patch b/firewalld-0.2.12-bz912782_2.patch deleted file mode 100644 index 076a78a..0000000 --- a/firewalld-0.2.12-bz912782_2.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 41a1a4c69448991bb89b22081b29bffe47bfcca1 Mon Sep 17 00:00:00 2001 -From: Jiri Popelka -Date: Wed, 6 Mar 2013 17:21:00 +0100 -Subject: [PATCH] FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains - (RHBZ#912782) - -We need to separate top-level FORWARD_ZONES chain -into these two chains to be able to correctly match -rules for input and output interface, see -https://bugzilla.redhat.com/show_bug.cgi?id=912782#c11 ---- - src/firewall/core/base.py | 4 ++-- - src/firewall/core/fw_zone.py | 2 +- - src/firewall/core/ipXtables.py | 10 ++++++---- - 3 files changed, 9 insertions(+), 7 deletions(-) - -diff --git a/src/firewall/core/base.py b/src/firewall/core/base.py -index b89870d..1dcf30b 100644 ---- a/src/firewall/core/base.py -+++ b/src/firewall/core/base.py -@@ -44,8 +44,8 @@ INTERFACE_ZONE_SRC = { - "PREROUTING": "PREROUTING", - "POSTROUTING": "POSTROUTING", - "INPUT": "INPUT", -- "FORWARD_IN": "FORWARD", -- "FORWARD_OUT": "FORWARD", -+ "FORWARD_IN": "FORWARD_IN", -+ "FORWARD_OUT": "FORWARD_OUT", - "OUTPUT": "OUTPUT", - } - -diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py -index 2b0ac8b..c72055e 100644 ---- a/src/firewall/core/fw_zone.py -+++ b/src/firewall/core/fw_zone.py -@@ -264,7 +264,7 @@ class FirewallZone: - target = self._zones[zone].target.format( - chain=SHORTCUTS[chain], zone=zone) - if target in [ "REJECT", "%%REJECT%%" ] and \ -- src_chain not in [ "INPUT", "FORWARD", "OUTPUT" ]: -+ src_chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]: - # REJECT is only valid in the INPUT, FORWARD and - # OUTPUT chains, and user-defined chains which are - # only called from those chains -diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py -index d172151..311f9e4 100644 ---- a/src/firewall/core/ipXtables.py -+++ b/src/firewall/core/ipXtables.py -@@ -83,14 +83,16 @@ DEFAULT_RULES["filter"] = [ - "-I INPUT 6 -j %%REJECT%%", - - "-N FORWARD_direct", -- "-N FORWARD_ZONES", -+ "-N 
FORWARD_IN_ZONES", -+ "-N FORWARD_OUT_ZONES", - - "-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", - "-I FORWARD 2 -i lo -j ACCEPT", - "-I FORWARD 3 -j FORWARD_direct", -- "-I FORWARD 4 -j FORWARD_ZONES", -- "-I FORWARD 5 -p %%ICMP%% -j ACCEPT", -- "-I FORWARD 6 -j %%REJECT%%", -+ "-I FORWARD 4 -j FORWARD_IN_ZONES", -+ "-I FORWARD 5 -j FORWARD_OUT_ZONES", -+ "-I FORWARD 6 -p %%ICMP%% -j ACCEPT", -+ "-I FORWARD 7 -j %%REJECT%%", - - "-N OUTPUT_direct", - --- -1.8.1.4 - diff --git a/firewalld-0.2.12-conf.patch b/firewalld-0.2.12-conf.patch deleted file mode 100644 index 0a4f4cc..0000000 --- a/firewalld-0.2.12-conf.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 0a9017067bd04a1370faa461ceede31316f1caaa Mon Sep 17 00:00:00 2001 -From: Jiri Popelka -Date: Tue, 22 Jan 2013 16:27:56 +0100 -Subject: [PATCH 4/5] default zone in firewalld.conf was set to public with - every restart (#902845) - ---- - src/firewall/core/io/firewalld_conf.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py -index 159df99..911f8bf 100644 ---- a/src/firewall/core/io/firewalld_conf.py -+++ b/src/firewall/core/io/firewalld_conf.py -@@ -37,7 +37,7 @@ class firewalld_conf: - self._deleted = [ ] - - def get(self, key): -- self._config.get(key.strip()) -+ return self._config.get(key.strip()) - - def set(self, key, value): - _key = key.strip() --- -1.8.1 - diff --git a/firewalld-0.2.12-gtk.patch b/firewalld-0.2.12-gtk.patch deleted file mode 100644 index 312fe92..0000000 --- a/firewalld-0.2.12-gtk.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 964bd061f00c9e90935430ba3036b228800cd5ed Mon Sep 17 00:00:00 2001 -From: Jiri Popelka -Date: Wed, 16 Jan 2013 14:17:10 +0100 -Subject: [PATCH 2/5] firewall-config: fix typo gtk -> Gtk - -Fixes: RHBZ#895812 ---- - src/firewall-config | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/firewall-config b/src/firewall-config -index b783268..1f0b5dc 100755 ---- a/src/firewall-config -+++ b/src/firewall-config -@@ -839,7 +839,7 @@ class FirewallConfig(object): - if default_zone in zones: - selection.select_path(zones.index(default_zone)) - else: -- selection.set_mode(gtk.SelectionMode.NONE) -+ selection.set_mode(Gtk.SelectionMode.NONE) - - self.defaultZoneDialog.set_position(Gtk.WindowPosition.CENTER_ON_PARENT) - self.defaultZoneDialog.set_transient_for(self.mainWindow) --- -1.8.1 - diff --git a/firewalld.spec b/firewalld.spec index 93f06c5..ffdd576 100644 --- a/firewalld.spec +++ b/firewalld.spec @@ -1,7 +1,7 @@ Summary: A firewall daemon with D-BUS interface providing a dynamic firewall Name: firewalld -Version: 0.2.12 -Release: 5%{?dist} +Version: 0.3.0 +Release: 1%{?dist} URL: http://fedorahosted.org/firewalld License: GPLv2+ ExclusiveOS: Linux @@ -11,10 +11,6 @@ Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2 %if 0%{?fedora} > 17 Patch0: firewalld-0.2.6-MDNS-default.patch %endif -Patch1: firewalld-0.2.12-conf.patch -Patch2: firewalld-0.2.12-gtk.patch -Patch3: firewalld-0.2.12-bz912782.patch -Patch4: firewalld-0.2.12-bz912782_2.patch BuildRequires: desktop-file-utils BuildRequires: gettext BuildRequires: intltool @@ -80,11 +76,6 @@ firewalld. %patch0 -p1 %endif -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 - %build %configure --with-systemd-unitdir=%{_unitdir} 
@@ -152,6 +143,8 @@ fi
 %{_sbindir}/firewalld
 %{_bindir}/firewall-cmd
 %{_bindir}/firewall-offline-cmd
+%dir %{_sysconfdir}/bash_completion.d
+%{_sysconfdir}/bash_completion.d/firewall-cmd-bash-completion.sh
 %defattr(0640,root,root)
 %attr(0750,root,root) %dir %{_prefix}/lib/firewalld
 %attr(0750,root,root) %dir %{_prefix}/lib/firewalld/icmptypes
@@ -162,6 +155,7 @@ fi
 %{_prefix}/lib/firewalld/zones/*.xml
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld
 %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
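Review bot: The two added `bash_completion.d` entries sit above `%defattr(0640,root,root)`, so their owner and mode come from an earlier `%defattr` or from the build root, neither of which is visible in this hunk (the `%files` section starts outside it). Where bash-completion is installed, scripts in that directory are sourced by interactive shells, root's included, so I would pin the script explicitly with `%attr(0644,root,root) %{_sysconfdir}/bash_completion.d/firewall-cmd-bash-completion.sh`. The `%dir` line also makes this package a co-owner of a directory that usually belongs to bash-completion; a spec comment such as `# co-owned: no Requires on bash-completion` would record that this is deliberate.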
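Review bot: `lockdown-whitelist.xml` gets its 0640 root:root permissions only by position, from the `%defattr(0640,root,root)` line in the preceding hunk. Going by its name and the commit's "lockdown feature" entry, this file presumably controls who may still change the firewall under lockdown, so I would state the mode on the line itself: `%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml`. With `%config(noreplace)`, a locally edited whitelist survives upgrades and later changes to the shipped default land in `.rpmnew`; a one-line comment saying so above the entry would help whoever updates the default later.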
@@ -200,6 +194,44 @@ fi %{_datadir}/icons/hicolor/*/apps/firewall-config*.* %changelog +* Wed Mar 20 2013 Thomas Woerner 0.3.0-1 +- Added rich language support +- Added lockdown feature +- Allow to bind interfaces and sources to zones permanently +- Enabled IPv6 NAT support + masquerading and port/packet forwarding for IPv6 only with rich language +- Handle polkit errors in client class and firewall-config +- Added priority description for --direct --add-rule in firewall-cmd man page +- Add XML Schemas for zones/services/icmptypes XMLs +- Don't keep file descriptors open when forking +- Introduce --nopid option for firewalld +- New FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782) +- Update cluster-suite service (RHBZ#885257) +- firewall-cmd: rename --enable/disable-panic to --panic-on/off (RHBZ#874912) +- Fix interaction problem of changed event of gtk combobox with polkit-kde + by processing all remaining events (RHBZ#915892) +- Stop default zone rules being applied to all zones (RHBZ#912782) +- Firewall.start(): don't call set_default_zone() +- Add wiki's URL to firewalld(1) and firewall-cmd(1) man pages +- firewalld-cmd: make --state verbose (RHBZ#886484) +- improve firewalld --help (RHBZ#910492) +- firewall-cmd: --add/remove-* can be used multiple times (RHBZ#879834) +- Continue loading zone in case of wrong service/port etc. (RHBZ#909466) +- Check also services and icmptypes in Zone() (RHBZ#909466) +- Increase the maximum length of the port forwarding fields from 5 to 11 in + firewall-config +- firewall-cmd: add usage to fail message +- firewall-cmd: redefine usage to point to man page +- firewall-cmd: fix visible problems with arg. 
parsing +- Use argparse module for parsing command line options and arguments +- firewall-cmd.1: better clarify where to find ACTIONs +- firewall-cmd Bash completion +- firewall-cmd.1: comment --zone= usage and move some options +- Use zone's target only in %s_ZONES chains +- default zone in firewalld.conf was set to public with every restart (#902845) +- man page cleanup +- code cleanup + * Thu Mar 07 2013 Jiri Popelka - 0.2.12-5 - Another fix for RHBZ#912782 diff --git a/sources b/sources index 47c26fc..e6c39b6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -49abe07b77efade4bbaacfb80da9990c firewalld-0.2.12.tar.bz2 +a6c52df72fd5dcaa8b26dd89edc5e3a9 firewalld-0.3.0.tar.bz2