Backport fix for RHBZ#1466093

http://www.firewalld.org/2017/06/firewalld-0-4-4-5-release
  - Fix build from spec
  - Fix –remove-service-from-zone option (RHBZ#1438127)
  - Support sctp and dccp in ports, source-ports, forward-ports, helpers and
    rich rules (RHBZ#1429808)
  - firewall-cmd: Fix –{set,get}-{short,description} for zone (RHBZ#1445238)
  - firewall.core.ipXtables: Use new wait option for restore commands if
    available
  - New services for oVirt:
    ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe
  - Rename extension for policy choices (server and desktop) to .policy.choice
    (RHBZ#1449754)
  - D-Bus interfaces: Fix GetAll for interfaces without properties
    (RHBZ#1452017)
  - Load NAT helpers with conntrack helpers (RHBZ#1452681)
  - Translation updates
- Additional upstream patches:
  - Rich-rule source validation (d69b7cb)
  - IPv6 ICMP type only rich-rule fix (cf50bd0)

.gitignore

@@ -45,3 +45,4 @@
 /firewalld-0.4.4.2.tar.bz2
 /firewalld-selinux-0.4.4.1.tar
 /firewalld-0.4.4.3.tar.bz2
+/firewalld-0.4.4.5.tar.gz

0001-firewall-core-fw_transaction.py-Remove-deduplication.patch

@@ -0,0 +1,34 @@
+From d96999931f66819db3f146f750a4c14997a50c27 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Thu, 1 Feb 2018 16:44:21 +0100
+Subject: [PATCH] firewall/core/fw_transaction.py: Remove deduplication in
+ add_rule
+
+Loading services from permanent configuration containing the same port numbers
+results in deduplication of the rules. This then results in an error if the
+second service gets removed from the zone.
+
+Fixes: RHBZ#1534571
+Closes: #288
+(cherry picked from commit 54835164f610593eedd71f0a7ae62ac5258d2187)
+---
+ src/firewall/core/fw_transaction.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py
+index 4e284687..9f167c37 100644
+--- a/src/firewall/core/fw_transaction.py
++++ b/src/firewall/core/fw_transaction.py
+@@ -128,8 +128,7 @@ class SimpleFirewallTransaction(object):
+         self.generous_mode = False
+ 
+     def add_rule(self, ipv, rule):
+-        if ipv not in self.rules or rule not in self.rules[ipv]:
+-            self.rules.setdefault(ipv, [ ]).append(rule)
++        self.rules.setdefault(ipv, [ ]).append(rule)
+ 
+     def query_rule(self, ipv, rule):
+         return ipv in self.rules and rule in self.rules[ipv]
+-- 
+2.14.3
+

firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix-cf50bd0.patch

@@ -0,0 +1,28 @@
+From cf50bd0004418abe1294f53b58387a181dfd2b51 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Thu, 8 Jun 2017 17:44:32 +0200
+Subject: [PATCH] firewall.core.fw_zone: Rich-rule ICMP type: Error only for
+ conflicting family
+
+Only raise error for an ICMP block in a rich-rule if a family has been
+specified and conflicts with the ICMP destination.
+
+Fixes: RHBZ#1459921
+---
+ src/firewall/core/fw_zone.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 4f3f18c0..f47222e4 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1425,6 +1425,9 @@ def __rule_prepare(self, enable, zone, rule, mark_id, zone_transaction):
+                     raise FirewallError(errors.INVALID_RULE,
+                                         "IcmpBlock not usable with accept action")
+                 if ict.destination and ipv not in ict.destination:
++                    if rule.family is None:
++                        # Add for IPv4 or IPv6 depending on ict.destination
++                        continue
+                     raise FirewallError(
+                         errors.INVALID_RULE,
+                         "Icmp%s %s not usable with %s" % \

firewalld-0.4.4.5-rich_source_validation-d69b7cb.patch

@@ -0,0 +1,59 @@
+From d69b7cb2724f041f257b90184a64e28a667ee7e9 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Thu, 8 Jun 2017 15:31:11 +0200
+Subject: [PATCH] firewall.core.rich: Add checks for Rich_Source validation
+
+A rich-rule source needs to either contain a IP address, a MAC address or an
+ipset.
+---
+ src/firewall/core/rich.py | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 3adcb4d9..04791da6 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -46,15 +46,21 @@ def __init__(self, addr, mac, ipset, invert=False):
+         if self.ipset == "":
+             self.ipset = None
+         self.invert = invert
++        if self.addr is None and self.mac is None and self.ipset is None:
++            raise FirewallError(errors.INVALID_RULE,
++                                "no address, mac and ipset")
+ 
+     def __str__(self):
+-        if self.addr:
+-            x = ' address="%s"' % self.addr
+-        elif self.mac:
+-            x = ' mac="%s"' % self.mac
+-        elif self.ipset:
+-            x = ' ipset="%s"' % self.ipset
+-        return 'source%s%s' % (" NOT" if self.invert else "", x)
++        ret = 'source%s ' % (" NOT" if self.invert else "")
++        if self.addr is not None:
++            return ret + 'address="%s"' % self.addr
++        elif self.mac is not None:
++            return ret + 'mac="%s"' % self.mac
++        elif self.ipset is not None:
++            return ret + 'ipset="%s"' % self.ipset
++        else:
++            raise FirewallError(errors.INVALID_RULE,
++                                "no address, mac and ipset")
+ 
+ class Rich_Destination(object):
+     def __init__(self, addr, invert=False):
+@@ -542,10 +548,14 @@ def check(self):
+                     raise FirewallError(errors.INVALID_FAMILY)
+                 if self.source.mac is not None:
+                     raise FirewallError(errors.INVALID_RULE, "address and mac")
++                if self.source.ipset is not None:
++                    raise FirewallError(errors.INVALID_RULE, "address and ipset")
+                 if not functions.check_address(self.family, self.source.addr):
+                     raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))
+ 
+             elif self.source.mac is not None:
++                if self.source.ipset is not None:
++                    raise FirewallError(errors.INVALID_RULE, "mac and ipset")
+                 if not functions.check_mac(self.source.mac):
+                     raise FirewallError(errors.INVALID_MAC, str(self.source.mac))
+ 

firewalld.spec

@@ -7,11 +7,11 @@
 
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 0.4.4.3
-Release: 2%{?dist}
+Version: 0.4.4.5
+Release: 4%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
-Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2
+Source0: https://github.com/t-woerner/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 %if 0%{?fedora}
 Source1: FedoraServer.xml
 Source2: FedoraWorkstation.xml
@@ -19,7 +19,10 @@ Source2: FedoraWorkstation.xml
 %if 0%{?fedora}
 Patch0: firewalld-0.2.6-MDNS-default.patch
 %endif
-Patch1: firewalld-0.4.4.3-get_ipset_no_applied_check.patch
+Patch1: firewalld-0.4.4.5-rich_source_validation-d69b7cb.patch
+Patch2: firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix-cf50bd0.patch
+# Backported fix for RHBZ#1466093 / RHBZ#1534571
+Patch3: 0001-firewall-core-fw_transaction.py-Remove-deduplication.patch
 BuildArch: noarch
 BuildRequires: desktop-file-utils
 BuildRequires: gettext
@@ -119,7 +122,11 @@ Requires: %{name} = %{version}-%{release}
 Requires: firewall-config = %{version}-%{release}
 Requires: hicolor-icon-theme
 %if 0%{?use_python3}
+%if 0%{?fedora} >= 26
+Requires: python3-qt5-base
+%else
 Requires: python3-qt5
+%endif
 Requires: python3-gobject
 %else
 Requires: python-qt5
@@ -155,7 +162,10 @@ firewalld.
 %if 0%{?fedora}
 %patch0 -p1
 %endif
-%patch1 -p1 -b .get_ipset_no_applied_check
+%patch1 -p1 -b .rich_source_validation-d69b7cb
+%patch2 -p1 -b .ipv6_icmptype_only_rich_rule_fix-cf50bd0
+%patch3 -p1 -b .deduplication-6339c1d7
+./autogen.sh
 
 %if 0%{?with_python3}
 rm -rf %{py3dir}
@@ -170,11 +180,20 @@ sed -i 's|/usr/bin/python|%{__python3}|' %{py3dir}/config/lockdown-whitelist.xml
 %configure --enable-sysconfig --enable-rpmmacros
 # Enable the make line if there are patches affecting man pages to
 # regenerate them
-# make %{?_smp_mflags}
+%if 0%{?use_python3}
+make -C src %{?_smp_mflags}
+%else
+make %{?_smp_mflags}
+%endif
 
 %if 0%{?with_python3}
 pushd %{py3dir}
 %configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3}
+%if 0%{?use_python3}
+make %{?_smp_mflags}
+%else
+make -C src %{?_smp_mflags}
+%endif
 popd
 %endif #0%{?with_python3}
 
@@ -263,11 +282,11 @@ fi
 if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; then
     case "$VARIANT_ID" in
         workstation)
-            ln -sf org.fedoraproject.FirewallD1.desktop.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+            ln -sf org.fedoraproject.FirewallD1.desktop.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
             ;;
         *)
             # For all other editions, we'll use the Server polkit policy
-            ln -sf org.fedoraproject.FirewallD1.server.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+            ln -sf org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
     esac
 fi
 %endif
@@ -323,6 +342,9 @@ fi
 %config(noreplace) %{_sysconfdir}/firewalld/firewalld-server.conf
 %config(noreplace) %{_sysconfdir}/firewalld/firewalld-workstation.conf
 %endif
+%if 0%{?rhel} >= 8
+%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+%endif
 %config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
@@ -336,11 +358,14 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/firewalld
 %{_unitdir}/firewalld.service
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
-%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy
-%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
 %if 0%{?fedora} > 21
 %ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
 %endif
+%if 0%{?rhel} >= 8
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+%endif
 %{_mandir}/man1/firewall*cmd*.1*
 %{_mandir}/man1/firewallctl*.1*
 %{_mandir}/man1/firewalld*.1*
@@ -414,6 +439,50 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Sat Apr 21 2018 Adam Williamson <awilliam@redhat.com> - 0.4.4.5-4
+- Backport fix for RHBZ#1466093
+
+* Mon Jul 31 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.4.5-3
+- Fix spec file for next RHEL versions
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jun  9 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.4.5-1
+- Rebase to firewalld-0.4.4.5
+  http://www.firewalld.org/2017/06/firewalld-0-4-4-5-release
+  - Fix build from spec
+  - Fix –remove-service-from-zone option (RHBZ#1438127)
+  - Support sctp and dccp in ports, source-ports, forward-ports, helpers and
+    rich rules (RHBZ#1429808)
+  - firewall-cmd: Fix –{set,get}-{short,description} for zone (RHBZ#1445238)
+  - firewall.core.ipXtables: Use new wait option for restore commands if
+    available
+  - New services for oVirt:
+    ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe
+  - Rename extension for policy choices (server and desktop) to .policy.choice
+    (RHBZ#1449754)
+  - D-Bus interfaces: Fix GetAll for interfaces without properties
+    (RHBZ#1452017)
+  - Load NAT helpers with conntrack helpers (RHBZ#1452681)
+  - Translation updates
+- Additional upstream patches:
+  - Rich-rule source validation (d69b7cb)
+  - IPv6 ICMP type only rich-rule fix (cf50bd0)
+
+* Mon Mar 27 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.4.4-1
+- Rebase to firewalld-0.4.4.4
+  http://www.firewalld.org/2017/03/firewalld-0-4-4-4-release
+- Drop references to fedorahosted.org from spec file and Makefile.am, use
+  archive from github
+- Fix inconsistent ordering of rules in INPUT_ZONE_SOURCE (issue#166)
+- Fix ipset overloading from /etc/firewalld/ipsets
+- Fix permanent rich rules using icmp-type elements (RHBZ#1434594)
+- firewall-config: Deactivate edit, remove, .. buttons if there are no items
+- Check if ICMP types are supported by kernel before trying to use them
+- firewall-config: Show invalid ipset type in the ipset configuration dialog
+  in a special label
+
 * Tue Feb 21 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.4.3-2
 - Fixed ipset overloading, dropped applied check in get_ipset (issue#206)
 

sources

@@ -1 +1 @@
-SHA512 (firewalld-0.4.4.3.tar.bz2) = 6291af4bfad055574b7edddf024fd94349e30f04b708b4368a83dd12df5be5863d08ad31f7b95e2c395c235d416624366aa8f808159c6154dc5151f578865343
+SHA512 (firewalld-0.4.4.5.tar.gz) = 4e64a383ee62c4b176889158be272831e497e48ca6fbc425f35322ca8acfd1af0c1ff3b8d71759996c0eb6e51a884cd84e74bd6398a0980be3d6e7a4b7f5071d