diff --git a/.gitignore b/.gitignore
index f651776..1e45a83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,4 @@
 /firewalld-0.5.1.tar.gz
 /firewalld-0.5.2.tar.gz
 /firewalld-0.5.3.tar.gz
+/firewalld-0.6.0.tar.gz
diff --git a/0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch b/0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch
deleted file mode 100644
index f0e3470..0000000
--- a/0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0cf02b4c0d4a3b7f55ded6d4d41cf184bc1881e0 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Tue, 3 Jul 2018 09:12:28 -0400
-Subject: [PATCH] IPv6 rpfilter: explicitly allow neighbor solicitation
-
-Some kernel versions (4.16-4.17) have a bug which causes the rpfilter
-extension to not match neighbor solicitation frames. This causes the
-IPv6 rpfilter to mistakenly drop them. Lets work around the buggy kernel
-versions by explicitly allowing neighbor solicitation.
-
-Fixes: rhbz 1575431
-(cherry picked from commit 3d6a5063566319b5df58c6f738f203e88724961e)
----
- src/firewall/core/ipXtables.py | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
-index 437808027155..c2aac90d838c 100644
---- a/src/firewall/core/ipXtables.py
-+++ b/src/firewall/core/ipXtables.py
-@@ -474,16 +474,21 @@ class ip6tables(ip4tables):
-
- def apply_rpfilter_rules(self, transaction, log_denied=False):
- transaction.add_rule(self.ipv,
-- [ "-I", "PREROUTING", "1", "-t", "raw",
-+ [ "-I", "PREROUTING", "1", "-t", "raw",
-+ "-p", "ipv6-icmp",
-+ "--icmpv6-type=neighbour-solicitation",
-+ "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
-+ transaction.add_rule(self.ipv,
-+ [ "-I", "PREROUTING", "2", "-t", "raw",
- "-p", "ipv6-icmp",
- "--icmpv6-type=router-advertisement",
- "-j", "ACCEPT" ]) # RHBZ#1058505
- transaction.add_rule(self.ipv,
-- [ "-I", "PREROUTING", "2", "-t", "raw",
-+ [ "-I", "PREROUTING", "3", "-t", "raw",
- "-m", "rpfilter", "--invert", "-j", "DROP" ])
- if log_denied != "off":
- transaction.add_rule(self.ipv,
-- [ "-I", "PREROUTING", "2", "-t", "raw",
-+ [ "-I", "PREROUTING", "3", "-t", "raw",
- "-m", "rpfilter", "--invert",
- "-j", "LOG",
- "--log-prefix", "rpfilter_DROP: " ])
---
-2.16.3
-
diff --git a/firewalld.spec b/firewalld.spec
index 60d280e..135a821 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,18 +1,13 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld -Version: 0.5.3 -Release: 4%{?dist} +Version: 0.6.0 +Release: 1%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -%if 0%{?fedora} Source1: FedoraServer.xml Source2: FedoraWorkstation.xml -%endif -%if 0%{?fedora} Patch0: firewalld-0.2.6-MDNS-default.patch -Patch1: 0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch -%endif BuildArch: noarch BuildRequires: autoconf BuildRequires: automake @@ -25,33 +20,19 @@ BuildRequires: systemd-units BuildRequires: docbook-style-xsl BuildRequires: libxslt BuildRequires: iptables, ebtables, ipset -BuildRequires: python3-devel +BuildRequires: nftables +BuildRequires: python3-devel Requires: iptables, ebtables, ipset +Requires: nftables >= 0.9.0 +Requires: kernel >= 4.18.0 Requires(post): systemd Requires(preun): systemd Requires(postun): systemd Requires: firewalld-filesystem = %{version}-%{release} Requires: python3-firewall = %{version}-%{release} -%if 0%{?fedora} == 23 -Conflicts: selinux-policy < 3.13.1-158.25 -%endif -%if 0%{?fedora} == 24 -Conflicts: selinux-policy < 3.13.1-191.23 -%endif -%if 0%{?fedora} == 25 -Conflicts: selinux-policy < 3.13.1-225 -%endif -%if 0%{?fedora} > 25 -Conflicts: selinux-policy < 3.13.1-227 -%endif -%if 0%{?rhel} >= 7 -Conflicts: selinux-policy < 3.13.1-89 -Conflicts: squid < 7:3.5.10-1 -%endif -# Obsolete firewalld-selinux-0.4.4.2-1 Obsoletes: firewalld-selinux < 0.4.4.2-2 +Conflicts: selinux-policy < 3.14.1-28 -%if 0%{?fedora} > 21 Provides: variant_config(Server) Provides: variant_config(Workstation) 
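Review bot: Removing `Patch1` in the `@@ -1,18 +1,13 @@` hunk drops the downstream workaround for RHBZ#1575431 (IPv6 rpfilter dropping neighbour solicitation), and nothing in the hunk or the changelog entry records that v0.6.0 already contains it. The deleted patch says it was cherry-picked from upstream commit 3d6a5063566319b5df58c6f738f203e88724961e, so it is presumably in the new tarball, but that should be confirmed against `apply_rpfilter_rules` in the 0.6.0 source and stated in the changelog, e.g. `- drop IPv6 rpfilter neighbor solicitation patch (included upstream)`. With the `%if 0%{?fedora}` guard gone, `Patch0: firewalld-0.2.6-MDNS-default.patch` is also declared for every build target; judging by its name it alters a shipped default, so a one-line comment above it saying what it changes would help anyone building this spec outside Fedora.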
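Review bot: `Requires: kernel >= 4.18.0` in the `@@ -25,33 +20,19 @@` hunk only checks that a kernel package of that version is installed, not that the host is running it, so it does not guarantee the kernel behaviour the new version presumably depends on. A system that takes the update but is still booted into an older kernel satisfies the dependency, while container and chroot installs must pull in a kernel package they never boot. Neither new pin says why it is there; I would add a comment such as `# nftables backend needs nftables >= 0.9.0 and a 4.18+ kernel` (if that is the motivation) and leave verification of the running kernel to a runtime check in the daemon. The single `Conflicts: selinux-policy < 3.14.1-28` likewise now applies to every target this spec is built for, which is worth confirming given that the per-release conditionals were removed.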
@@ -60,7 +41,6 @@ Obsoletes: firewalld-config-standard <= 0.3.15 Obsoletes: firewalld-config-cloud <= 0.3.15 Obsoletes: firewalld-config-server <= 0.3.15 Obsoletes: firewalld-config-workstation <= 0.3.15 -%endif %description firewalld is a firewall service daemon that provides a dynamic customizable @@ -76,11 +56,7 @@ Obsoletes: python2-firewall < 0.5.2-2 Requires: python3-dbus Requires: python3-slip-dbus Requires: python3-decorator -%if (0%{?fedora} >= 23 || 0%{?rhel} >= 8) Requires: python3-gobject-base -%else -Requires: python3-gobject -%endif %description -n python3-firewall Python3 bindings for firewalld. @@ -97,11 +73,7 @@ Summary: Firewall panel applet Requires: %{name} = %{version}-%{release} Requires: firewall-config = %{version}-%{release} Requires: hicolor-icon-theme -%if 0%{?fedora} >= 26 Requires: python3-qt5-base -%else -Requires: python3-qt5 -%endif Requires: python3-gobject Requires: libnotify Requires: NetworkManager-libnm @@ -127,8 +99,6 @@ firewalld. %prep %autosetup -p1 ./autogen.sh -sed -i -e 's|/usr/bin/python -Es|%{__python3} -Es|' ./fix_python_shebang.sh -sed -i 's|/usr/bin/python|%{__python3}|' ./config/lockdown-whitelist.xml %build %configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3} @@ -145,7 +115,6 @@ desktop-file-install --delete-original \ --dir %{buildroot}%{_datadir}/applications \ %{buildroot}%{_datadir}/applications/firewall-config.desktop -%if 0%{?fedora} > 20 install -d -m 755 %{buildroot}%{_prefix}/lib/firewalld/zones/ install -c -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/zones/FedoraServer.xml install -c -m 644 %{SOURCE2} %{buildroot}%{_prefix}/lib/firewalld/zones/FedoraWorkstation.xml @@ -167,7 +136,6 @@ sed -i 's|^DefaultZone=.*|DefaultZone=FedoraWorkstation|g' \ %{buildroot}%{_sysconfdir}/firewalld/firewalld-workstation.conf rm -f %{buildroot}%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy -%endif %find_lang %{name} --all-name 
@@ -180,7 +148,6 @@ rm -f %{buildroot}%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.poli %postun %systemd_postun_with_restart firewalld.service -%if 0%{?fedora} > 21 %posttrans # If we don't yet have a symlink or existing file for firewalld.conf, # create it. Note: this will intentionally reset the policykit policy @@ -213,14 +180,12 @@ if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; th ln -sf org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || : esac fi -%endif %files -f %{name}.lang %doc COPYING README %{_sbindir}/firewalld %{_bindir}/firewall-cmd %{_bindir}/firewall-offline-cmd -%{_bindir}/firewallctl %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/firewall-cmd %{_prefix}/lib/firewalld/icmptypes/*.xml @@ -228,18 +193,11 @@ fi %{_prefix}/lib/firewalld/services/*.xml %{_prefix}/lib/firewalld/zones/*.xml %{_prefix}/lib/firewalld/helpers/*.xml -%{_prefix}/lib/firewalld/xmlschema/check.sh -%{_prefix}/lib/firewalld/xmlschema/*.xsd %attr(0750,root,root) %dir %{_sysconfdir}/firewalld -%if 0%{?fedora} > 21 %ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf %config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf %config(noreplace) %{_sysconfdir}/firewalld/firewalld-server.conf %config(noreplace) %{_sysconfdir}/firewalld/firewalld-workstation.conf -%endif -%if 0%{?rhel} >= 8 -%config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf -%endif %config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes 
@@ -252,14 +210,8 @@ fi %config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice -%if 0%{?fedora} > 21 %ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy -%endif -%if 0%{?rhel} >= 8 -%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy -%endif %{_mandir}/man1/firewall*cmd*.1* -%{_mandir}/man1/firewallctl*.1* %{_mandir}/man1/firewalld*.1* %{_mandir}/man5/firewall*.5* %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf @@ -293,7 +245,6 @@ fi %dir %{_prefix}/lib/firewalld/ipsets %dir %{_prefix}/lib/firewalld/services %dir %{_prefix}/lib/firewalld/zones -%dir %{_prefix}/lib/firewalld/xmlschema %{_rpmconfigdir}/macros.d/macros.firewalld %files -n firewall-applet @@ -318,6 +269,10 @@ fi %{_mandir}/man1/firewall-config*.1* %changelog +* Thu Jul 19 2018 Eric Garver - 0.6.0-1 +- rebase package to v0.6.0 +- simplify spec file + * Fri Jul 13 2018 Fedora Release Engineering - 0.5.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild diff --git a/sources b/sources index f539176..1c734f3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (firewalld-0.5.3.tar.gz) = be6074f1b02d42635c7f03a32372290365229caef91fda72c3c29cf3d2e4232e1901a79ccd27357e0cb69db9fc22730c957d479eefe0070c690fddabdcd0799d +SHA512 (firewalld-0.6.0.tar.gz) = 38f757c9cdfdd3cc2765c94253581f01bad2f9ce279f96add0f4c6517200452ce1e38ed5b08fb2fba34b064cf93de0cdb50e8e10bf42efea0bc34032716dd5b6