From e3f8630f2c5475f8961be87d62a728c6b3db6e66 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 30 2018 05:14:40 +0000 Subject: import firewalld-0.5.3-5.el7 --- diff --git a/.firewalld.metadata b/.firewalld.metadata index dbe84f5..5b0eb9a 100644 --- a/.firewalld.metadata +++ b/.firewalld.metadata @@ -1 +1 @@ -5b1dd4910af6623b5e5025b19e24965e30f0d3b6 SOURCES/firewalld-0.4.4.4.tar.gz +9533e2c4c9d9e16463aa8103521ef4d85df41a37 SOURCES/firewalld-0.5.3.tar.gz diff --git a/.gitignore b/.gitignore index 1b5f714..a4f7f5d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/firewalld-0.4.4.4.tar.gz +SOURCES/firewalld-0.5.3.tar.gz diff --git a/SOURCES/0001-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch b/SOURCES/0001-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch new file mode 100644 index 0000000..2cd1f74 --- /dev/null +++ b/SOURCES/0001-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch 
@@ -0,0 +1,117 @@ +From 5f41f061390876f4c43c2306911d9b3482aed396 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Mon, 16 Jul 2018 17:42:34 +0200 +Subject: [PATCH 1/3] firewall.core.fw_nm: avoid iterating NM devices, + connections + +NetworkManager has an API to do the lookups. + +(cherry picked from commit 65f92930a5d049404dac780c15eebe2d788e6285) +--- + src/firewall/core/fw_nm.py | 70 ++++++++++++++++++---------------------------- + 1 file changed, 27 insertions(+), 43 deletions(-) + +diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py +index f75733fe65f6..76901cee2adf 100644 +--- a/src/firewall/core/fw_nm.py ++++ b/src/firewall/core/fw_nm.py +@@ -73,22 +73,18 @@ def nm_get_zone_of_connection(connection): + """ + check_nm_imported() + +- active_connections = nm_get_client().get_active_connections() ++ con = nm_get_client().get_connection_by_id(connection) ++ if con is None: ++ return False + +- for active_con in active_connections: +- if active_con.get_id() == connection: +- con = active_con.get_connection() +- if con is None: +- continue +- setting_con = con.get_setting_connection() +- if setting_con is None: +- continue +- zone = setting_con.get_zone() +- if zone is None: +- zone = "" +- return zone ++ setting_con = con.get_setting_connection() ++ if setting_con is None: ++ return False + +- return None ++ zone = setting_con.get_zone() ++ if zone is None: ++ zone = "" ++ return zone + + def nm_set_zone_of_connection(zone, connection): + """Set the zone for a connection +@@ -98,24 +94,18 @@ def nm_set_zone_of_connection(zone, connection): + """ + check_nm_imported() + +- active_connections = nm_get_client().get_active_connections() +- +- for active_con in active_connections: +- con = active_con.get_connection() +- if con is None: +- continue ++ con = nm_get_client().get_connection_by_id(connection) ++ if con is None: ++ return False + +- if active_con.get_id() == connection: +- setting_con = con.get_setting_connection() +- if setting_con is 
None: +- continue +- if zone == "": +- zone = None +- setting_con.set_property("zone", zone) +- con.commit_changes(True, None) +- return True ++ setting_con = con.get_setting_connection() ++ if setting_con is None: ++ return False + +- return False ++ if zone == "": ++ zone = None ++ setting_con.set_property("zone", zone) ++ return con.commit_changes(True, None) + + def nm_get_connections(connections, connections_uuid): + """Get active connections from NM +@@ -150,21 +140,15 @@ def nm_get_connection_of_interface(interface): + """ + check_nm_imported() + +- active_connections = nm_get_client().get_active_connections() +- +- for active_con in active_connections: +- # ignore vpn devices for now +- if active_con.get_vpn(): +- continue +- +- devices = active_con.get_devices() +- +- for dev in devices: +- if dev.get_iface() == interface: +- return active_con.get_id() ++ device = nm_get_client().get_device_by_iface(interface) ++ if device is None: ++ return None + ++ active_con = device.get_active_connection() ++ if active_con is None: ++ return None + +- return None ++ return active_con.get_id() + + def nm_get_bus_name(): + if not _nm_imported: +-- +2.16.3 + diff --git a/SOURCES/0001-fw-if-startup-fails-on-reload-reapply-non-perm-confi.patch b/SOURCES/0001-fw-if-startup-fails-on-reload-reapply-non-perm-confi.patch new file mode 100644 index 0000000..f6024da --- /dev/null +++ b/SOURCES/0001-fw-if-startup-fails-on-reload-reapply-non-perm-confi.patch 
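Review bot: `nm_get_zone_of_connection` now returns `False` when the connection or its connection setting cannot be found, whereas the removed loop fell through to `return None` and `nm_get_connection_of_interface` in the same hunk still returns `None` for its not-found case. Callers that format the zone into a label or test `zone is None` will now see `False`; `return None` in both early exits keeps the previous contract and matches the sibling function, otherwise the docstring above the hunk (outside it) should state that the return is a zone string, `""` for the default zone, or `False`. Note also that `get_connection_by_id` looks up any connection profile, not only the active ones the removed loop iterated, so `nm_set_zone_of_connection` can now change the zone of an inactive profile; the second fw_nm patch in this commit switches the lookup to uuid, which resolves id ambiguity but not that distinction.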
@@ -0,0 +1,190 @@ +From 17470fa9deac4aa15ecf75b9c811c093bc44c019 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 17 Aug 2018 12:26:53 -0400 +Subject: [PATCH 1/2] fw: if startup fails on reload, reapply non-perm config + that survives reload + +Even if startup fails we should still re-assign the non-permanent +interfaces to zones and non-permanent direct rules. + +Fixes: rhbz 1498923 +(cherry picked from commit 2796edc1691f52c3655991c0be814a617cb26910) +--- + src/firewall/core/fw.py | 121 +++++++++++++++------------- + src/tests/regression/rhbz1498923.at | 17 ++++ + 2 files changed, 80 insertions(+), 58 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 5b706d6d3e80..9079f1bbc6a4 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -910,70 +910,75 @@ class Firewall(object): + def reload(self, stop=False): + _panic = self._panic + +- try: +- # save zone interfaces +- _zone_interfaces = { } +- for zone in self.zone.get_zones(): +- _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"] +- # save direct config +- _direct_config = self.direct.get_runtime_config() +- _old_dz = self.get_default_zone() +- +- # stop +- self.cleanup() ++ # save zone interfaces ++ _zone_interfaces = { } ++ for zone in self.zone.get_zones(): ++ _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"] ++ # save direct config ++ _direct_config = self.direct.get_runtime_config() ++ _old_dz = self.get_default_zone() ++ ++ # stop ++ self.cleanup() + +- self.set_policy("DROP") ++ self.set_policy("DROP") + ++ start_exception = None ++ try: + self._start(reload=True, complete_reload=stop) +- +- # handle interfaces in the default zone and move them to the new +- # default zone if it changed +- _new_dz = self.get_default_zone() +- if _new_dz != _old_dz: +- # if_new_dz has been introduced with the reload, we need to add it +- # https://github.com/firewalld/firewalld/issues/53 +- if _new_dz not in _zone_interfaces: +- 
_zone_interfaces[_new_dz] = { } +- # default zone changed. Move interfaces from old default zone to +- # the new one. +- for iface, settings in list(_zone_interfaces[_old_dz].items()): +- if settings["__default__"]: +- # move only those that were added to default zone +- # (not those that were added to specific zone same as +- # default) +- _zone_interfaces[_new_dz][iface] = \ +- _zone_interfaces[_old_dz][iface] +- del _zone_interfaces[_old_dz][iface] +- +- # add interfaces to zones again +- for zone in self.zone.get_zones(): +- if zone in _zone_interfaces: +- self.zone.set_settings(zone, { "interfaces": +- _zone_interfaces[zone] }) +- del _zone_interfaces[zone] +- else: +- log.info1("New zone '%s'.", zone) +- if len(_zone_interfaces) > 0: +- for zone in list(_zone_interfaces.keys()): +- log.info1("Lost zone '%s', zone interfaces dropped.", zone) +- del _zone_interfaces[zone] +- del _zone_interfaces +- +- # restore direct config +- self.direct.set_config(_direct_config) +- +- # enable panic mode again if it has been enabled before or set policy +- # to ACCEPT +- if _panic: +- self.enable_panic_mode() ++ except Exception as e: ++ # save the exception for later, but continue restoring interfaces, ++ # etc. We'll re-raise it at the end. ++ start_exception = e ++ ++ # handle interfaces in the default zone and move them to the new ++ # default zone if it changed ++ _new_dz = self.get_default_zone() ++ if _new_dz != _old_dz: ++ # if_new_dz has been introduced with the reload, we need to add it ++ # https://github.com/firewalld/firewalld/issues/53 ++ if _new_dz not in _zone_interfaces: ++ _zone_interfaces[_new_dz] = { } ++ # default zone changed. Move interfaces from old default zone to ++ # the new one. 
++ for iface, settings in list(_zone_interfaces[_old_dz].items()): ++ if settings["__default__"]: ++ # move only those that were added to default zone ++ # (not those that were added to specific zone same as ++ # default) ++ _zone_interfaces[_new_dz][iface] = \ ++ _zone_interfaces[_old_dz][iface] ++ del _zone_interfaces[_old_dz][iface] ++ ++ # add interfaces to zones again ++ for zone in self.zone.get_zones(): ++ if zone in _zone_interfaces: ++ self.zone.set_settings(zone, { "interfaces": ++ _zone_interfaces[zone] }) ++ del _zone_interfaces[zone] + else: +- self.set_policy("ACCEPT") ++ log.info1("New zone '%s'.", zone) ++ if len(_zone_interfaces) > 0: ++ for zone in list(_zone_interfaces.keys()): ++ log.info1("Lost zone '%s', zone interfaces dropped.", zone) ++ del _zone_interfaces[zone] ++ del _zone_interfaces ++ ++ # restore direct config ++ self.direct.set_config(_direct_config) ++ ++ # enable panic mode again if it has been enabled before or set policy ++ # to ACCEPT ++ if _panic: ++ self.enable_panic_mode() ++ else: ++ self.set_policy("ACCEPT") + +- self._state = "RUNNING" +- except Exception: ++ if start_exception: + self._state = "FAILED" +- self.set_policy("ACCEPT") +- raise ++ raise start_exception ++ else: ++ self._state = "RUNNING" + + # STATE + +diff --git a/src/tests/regression/rhbz1498923.at b/src/tests/regression/rhbz1498923.at +index bb0d841db2a7..9b68678180ef 100644 +--- a/src/tests/regression/rhbz1498923.at ++++ b/src/tests/regression/rhbz1498923.at +@@ -1,11 +1,28 @@ + FWD_START_TEST([invalid direct rule causes reload error]) + FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT]) + FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 1 --a-bogus-flag]) ++ ++dnl add some non-permanent things that should persist a reload ++FWD_CHECK([-q --zone=public --add-interface=foobar0]) ++FWD_CHECK([-q --direct --direct --add-rule ipv4 filter FORWARD 0 -p tcp -j ACCEPT]) ++ + FWD_RELOAD(13, [ignore], 
[ignore], 251) + FWD_CHECK([--state], 251, [ignore], [failed + ]) + ++dnl verify the non-permanent stuff we set above remained ++FWD_CHECK([--get-zone-of-interface=foobar0], 0, [dnl ++public ++]) ++FWD_CHECK([-q --direct --direct --query-rule ipv4 filter FORWARD 0 -p tcp -j ACCEPT]) ++ + dnl now remove the bad rule and reload successfully + FWD_CHECK([-q --permanent --direct --remove-rule ipv4 filter INPUT 1 --a-bogus-flag]) + FWD_RELOAD ++ ++dnl verify the non-permanent stuff we set above remained ++FWD_CHECK([--get-zone-of-interface=foobar0], 0, [dnl ++public ++]) ++FWD_CHECK([-q --direct --direct --query-rule ipv4 filter FORWARD 0 -p tcp -j ACCEPT]) + FWD_END_TEST([-e '/.*a-bogus-flag.*/d']) +-- +2.18.0 + diff --git a/SOURCES/0001-ipset-check-type-when-parsing-ipset-definition.patch b/SOURCES/0001-ipset-check-type-when-parsing-ipset-definition.patch new file mode 100644 index 0000000..cf6dc6b --- /dev/null +++ b/SOURCES/0001-ipset-check-type-when-parsing-ipset-definition.patch @@ -0,0 +1,26 @@ +From 26e35f61bb856aa482f84f50521f924d4a6c12b1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 24 May 2018 16:30:13 -0400 +Subject: [PATCH 1/5] ipset: check type when parsing ipset definition + +(cherry picked from commit ebe0cb93c3f38a5d9af267407769eb187940c62f) +--- + src/firewall/core/io/ipset.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/firewall/core/io/ipset.py b/src/firewall/core/io/ipset.py +index f291d15e0033..0670677b4206 100644 +--- a/src/firewall/core/io/ipset.py ++++ b/src/firewall/core/io/ipset.py +@@ -320,6 +320,8 @@ class ipset_ContentHandler(IO_Object_ContentHandler): + self.item.parser_check_element_attrs(name, attrs) + if name == "ipset": + if "type" in attrs: ++ if attrs["type"] not in IPSET_TYPES: ++ raise FirewallError(errors.INVALID_TYPE, "%s" % attrs["type"]) + self.item.type = attrs["type"] + if "version" in attrs: + self.item.version = attrs["version"] +-- +2.16.3 + 
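Review bot: An exception raised while re-applying the saved runtime configuration after a failed `_start` — `self.zone.set_settings(...)` or `self.direct.set_config(_direct_config)` running against a firewall that did not come up — now escapes `reload` before `self._state = "FAILED"` is set and before `enable_panic_mode()`/`set_policy("ACCEPT")` run, so the policy set by `self.set_policy("DROP")` earlier in the method stays in place and `start_exception` is never raised. The version being replaced guaranteed `FAILED` plus `ACCEPT` for any failure inside its `try`. Wrapping the restore section so that the policy is always reset and the first failure is the one raised keeps the commit's intent (non-permanent interfaces and direct rules survive a failed reload) without that gap; `if start_exception:` then also reads better as `if start_exception is not None:`.

```python
        start_exception = None
        try:
            self._start(reload=True, complete_reload=stop)
        except Exception as e:
            # save the exception for later, but continue restoring interfaces,
            # etc. We'll re-raise it at the end.
            start_exception = e

        try:
            # … unchanged: move interfaces to the new default zone, re-add zone
            # interfaces, restore direct config …
        except Exception as e:
            # a failure while restoring must not hide the startup failure
            if start_exception is None:
                start_exception = e
        finally:
            # always leave a defined policy, even if restoring raised
            if _panic:
                self.enable_panic_mode()
            else:
                self.set_policy("ACCEPT")

        if start_exception is not None:
            self._state = "FAILED"
            raise start_exception
        self._state = "RUNNING"
```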
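Review bot: The new guard rejects an unknown ipset `type` before it is stored, but the `"%s" % attrs["type"]` wrapper in the error message is a no-op for a string attribute and can simply be `attrs["type"]`. The hunk does not show where `IPSET_TYPES` and `errors` come from; if they are not already imported in `ipset.py`, the check would raise `NameError` only when a bad type is actually seen, so that is worth confirming. A missing `type` attribute is still accepted at this point, which may be validated elsewhere in the parser.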
diff --git a/SOURCES/0001-tests-functions-check-state-after-a-reload.patch b/SOURCES/0001-tests-functions-check-state-after-a-reload.patch new file mode 100644 index 0000000..efa63af --- /dev/null +++ b/SOURCES/0001-tests-functions-check-state-after-a-reload.patch @@ -0,0 +1,28 @@ +From 83f7000d753f6e4c688ca91badc4d73bcf37929f Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 Aug 2018 14:39:25 -0400 +Subject: [PATCH 1/4] tests/functions: check state after a reload + +To make sure firewalld doesn't get stuck during a reload we should check +the state as well. + +(cherry picked from commit 8b3591c3f238156911bb63dd5622168d21a9ae78) +--- + src/tests/functions.at | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index d9b1ce401bb0..02464f3c22df 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -55,6 +55,7 @@ m4_define([FWD_START_FIREWALLD], [ + + m4_define([FWD_RELOAD], [ + FWD_CHECK([-q --reload], [$1], [$2], [$3]) ++ FWD_CHECK([-q --state], [$4], [$5], [$6]) + ]) + + m4_define([FWD_RESTART], [ +-- +2.18.0 + diff --git a/SOURCES/0002-firewall-core-io-functions-add-check_config.patch b/SOURCES/0002-firewall-core-io-functions-add-check_config.patch new file mode 100644 index 0000000..9797bd7 --- /dev/null +++ b/SOURCES/0002-firewall-core-io-functions-add-check_config.patch 
@@ -0,0 +1,132 @@ +From 2342548148763cca0579da98ed0a682d22beb49d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 1 Jun 2018 09:37:34 -0400 +Subject: [PATCH 2/5] firewall/core/io/functions: add check_config() + +This is a utility function to run checks on all the configuration files. + +(cherry picked from commit 4164148b88f1882eabde4eeb4cc9a45506aff0fa) +--- + po/POTFILES.in | 1 + + src/Makefile.am | 1 + + src/firewall/core/io/functions.py | 84 +++++++++++++++++++++++++++++++++++++++ + 3 files changed, 86 insertions(+) + create mode 100644 src/firewall/core/io/functions.py + +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 12cdbf2c6929..2332f8acc4eb 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -70,6 +70,7 @@ src/firewall/core/prog.py + src/firewall/core/watcher.py + src/firewall/core/io/__init__.py + src/firewall/core/io/firewalld_conf.py ++src/firewall/core/io/functions.py + src/firewall/core/io/icmptype.py + src/firewall/core/io/io_object.py + src/firewall/core/io/service.py +diff --git a/src/Makefile.am b/src/Makefile.am +index b249c2e5fd46..b44ae0c1eca4 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -34,6 +34,7 @@ nobase_dist_python_DATA = \ + firewall/core/__init__.py \ + firewall/core/io/direct.py \ + firewall/core/io/firewalld_conf.py \ ++ firewall/core/io/functions.py \ + firewall/core/io/helper.py \ + firewall/core/io/icmptype.py \ + firewall/core/io/ifcfg.py \ +diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py +new file mode 100644 +index 000000000000..7509a5390e12 +--- /dev/null ++++ b/src/firewall/core/io/functions.py +@@ -0,0 +1,84 @@ ++# -*- coding: utf-8 -*- ++# ++# Copyright (C) 2018 Red Hat, Inc. ++# ++# Authors: ++# Eric Garver ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. 
++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++import os ++ ++from firewall import config ++from firewall.errors import FirewallError ++ ++from firewall.core.io.zone import zone_reader ++from firewall.core.io.service import service_reader ++from firewall.core.io.ipset import ipset_reader ++from firewall.core.io.icmptype import icmptype_reader ++from firewall.core.io.helper import helper_reader ++from firewall.core.io.direct import Direct ++from firewall.core.io.lockdown_whitelist import LockdownWhitelist ++from firewall.core.io.firewalld_conf import firewalld_conf ++ ++def check_config(fw=None): ++ readers = { ++ "ipset" : (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]), ++ "helper" : (helper_reader, [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]), ++ "icmptype" : (icmptype_reader, [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]), ++ "service" : (service_reader, [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES]), ++ "zone" : (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]), ++ } ++ for reader in readers.keys(): ++ for dir in readers[reader][1]: ++ if not os.path.isdir(dir): ++ continue ++ for file in sorted(os.listdir(dir)): ++ if file.endswith(".xml"): ++ try: ++ obj = readers[reader][0](file, dir) ++ if fw and reader == "zone": ++ obj.fw_config = fw.config ++ obj.check_config(obj.export_config()) ++ except FirewallError as error: ++ raise FirewallError(error.code, "'%s': %s" % (file, error.msg)) ++ except Exception as msg: ++ raise Exception("'%s': %s" % (file, msg)) ++ if os.path.isfile(config.FIREWALLD_DIRECT): ++ try: ++ obj = Direct(config.FIREWALLD_DIRECT) ++ 
obj.read() ++ obj.check_config(obj.export_config()) ++ except FirewallError as error: ++ raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_DIRECT, error.msg)) ++ except Exception as msg: ++ raise Exception("'%s': %s" % (config.FIREWALLD_DIRECT, msg)) ++ if os.path.isfile(config.LOCKDOWN_WHITELIST): ++ try: ++ obj = LockdownWhitelist(config.LOCKDOWN_WHITELIST) ++ obj.read() ++ obj.check_config(obj.export_config()) ++ except FirewallError as error: ++ raise FirewallError(error.code, "'%s': %s" % (config.LOCKDOWN_WHITELIST, error.msg)) ++ except Exception as msg: ++ raise Exception("'%s': %s" % (config.LOCKDOWN_WHITELIST, msg)) ++ if os.path.isfile(config.FIREWALLD_CONF): ++ try: ++ obj = firewalld_conf(config.FIREWALLD_CONF) ++ obj.read() ++ except FirewallError as error: ++ raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_CONF, error.msg)) ++ except Exception as msg: ++ raise Exception("'%s': %s" % (config.FIREWALLD_CONF, msg)) +-- +2.16.3 + diff --git a/SOURCES/0002-firewall.core.fw_nm-identify-the-connections-by-uuid.patch b/SOURCES/0002-firewall.core.fw_nm-identify-the-connections-by-uuid.patch new file mode 100644 index 0000000..1cee69c --- /dev/null +++ b/SOURCES/0002-firewall.core.fw_nm-identify-the-connections-by-uuid.patch 
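Review bot: The four `except Exception as msg: raise Exception("'%s': %s" % (file, msg))` handlers in `check_config` replace whatever was raised with a bare `Exception`, so a caller can no longer tell a parse error from an I/O error or a permission problem on one of the config files; attaching the file name while keeping the original type (for example `msg.args = ("'%s': %s" % (file, msg),) + msg.args[1:]; raise`) or, if the code is Python 3 only, `raise Exception(...) from msg`, preserves that information. The loop variables `dir` and `file` shadow builtins, and `for reader in readers.keys(): ... readers[reader][0]` is clearer as `for name, (reader, dirs) in readers.items():`. The function also has no docstring; a one-liner such as `"""Parse and validate every firewalld configuration file, raising the first error found prefixed with the offending file name."""` would document the contract.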
@@ -0,0 +1,352 @@ +From 0ce07e30014a8ee6b2a8a4909c313f207d9c9b31 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Mon, 16 Jul 2018 17:43:04 +0200 +Subject: [PATCH 2/3] firewall.core.fw_nm: identify the connections by uuid + +...as opposed by id. Uuid is guarranteed to be uniquie, while the id is +provided merely for convenience without any guarrantees. + +(cherry picked from commit 624039964bd16e5e0e8ffb73e708d3d0c40e89d3) +--- + src/firewall-applet | 38 ++++++++++++++++++++------------------ + src/firewall-config | 45 +++++++++++++++++++++++++-------------------- + src/firewall/core/fw_nm.py | 16 ++++++++-------- + 3 files changed, 53 insertions(+), 46 deletions(-) + +diff --git a/src/firewall-applet b/src/firewall-applet +index 3dc149c32755..86aaccab9f88 100755 +--- a/src/firewall-applet ++++ b/src/firewall-applet +@@ -155,11 +155,12 @@ class ZoneInterfaceEditor(QtGui.QDialog): + # ZoneConnectionEditor ######################################################## + + class ZoneConnectionEditor(ZoneInterfaceEditor): +- def __init__(self, fw, connection, zone): ++ def __init__(self, fw, connection, connection_name, zone): + self.fw = fw + self.connection = connection ++ self.connection_name = connection_name + self.zone = None +- self.title = _("Select zone for connection '%s'") % self.connection ++ self.title = _("Select zone for connection '%s'") % self.connection_name + + QtGui.QDialog.__init__(self) + self.create_ui(zone) +@@ -168,12 +169,12 @@ class ZoneConnectionEditor(ZoneInterfaceEditor): + # apply changes + try: + nm_set_zone_of_connection(self.get_zone(), self.connection) +- except Exception as msg: +- text = _("Failed to set zone {zone} for connection {connection}") ++ except Exception: ++ text = _("Failed to set zone {zone} for connection {connection_name}") + QtGui.QMessageBox.warning(None, fromUTF8(escape(self.title)), + escape(text.format( + zone=self.get_zone(), +- connection=self.connection))) ++ connection_name=self.connection_name))) + 
self.hide() + + # ZoneSourceEditor ############################################################ +@@ -428,7 +429,7 @@ class TrayApplet(QtGui.QSystemTrayIcon): + + self.active_zones = { } + self.connections = { } +- self.connections_uuid = { } ++ self.connections_name = { } + self.default_zone = None + self.zone_connection_editors = { } + self.zone_interface_editors = { } +@@ -666,30 +667,31 @@ class TrayApplet(QtGui.QSystemTrayIcon): + # NM controlled connections + for interface in self.connections: + connection = self.connections[interface] +- if connection not in self.connections_uuid: +- uuid = None ++ if connection not in self.connections_name: ++ connection_name = None + else: +- uuid = self.connections_uuid[connection] ++ connection_name = self.connections_name[connection] + zone = nm_get_zone_of_connection(connection) +- connections[connection] = [ zone, uuid ] ++ connections[connection] = [ zone, connection_name ] + + binding = _("{entry} (Zone: {zone})") + + # add NM controlled bindings + for connection in sorted(connections): + zone = connections[connection][0] ++ connection_name = connections[connection][1] + if zone == "": + _binding = _("{entry} (Default Zone: {default_zone})") + action = QtGui.QAction( + fromUTF8(escape( + _binding.format(default_zone=self.default_zone, +- entry=connection))), self) ++ entry=connection_name))), self) + else: + action = QtGui.QAction( + fromUTF8(escape(binding.format(zone=zone, +- entry=connection))), self) ++ entry=connection_name))), self) + action.triggered.connect(functools.partial( +- self.zone_connection_editor, connection, zone)) ++ self.zone_connection_editor, connection, connection_name, zone)) + self.left_menu.addAction(action) + + # add interfaces entry +@@ -729,13 +731,13 @@ class TrayApplet(QtGui.QSystemTrayIcon): + editor.raise_() + editor.show() + +- def zone_connection_editor(self, connection, zone): ++ def zone_connection_editor(self, connection, connection_name, zone): + if connection in 
self.zone_connection_editors: + self.zone_connection_editors[connection].set_zone(zone) + self.zone_connection_editors[connection].show() + return self.zone_connection_editors[connection].raise_() + +- editor = ZoneConnectionEditor(self.fw, connection, zone) ++ editor = ZoneConnectionEditor(self.fw, connection, connection_name, zone) + self.zone_connection_editors[connection] = editor + editor.show() + editor.raise_() +@@ -755,15 +757,15 @@ class TrayApplet(QtGui.QSystemTrayIcon): + + def nm_signal_receiver(self, *args, **kwargs): + self.connections.clear() +- self.connections_uuid.clear() ++ self.connections_name.clear() + + # do not use NMClient could result in python core dump + + if nm_is_imported(): + text = _("Failed to get connections from NetworkManager") + try: +- nm_get_connections(self.connections, self.connections_uuid) +- except Exception as msg: ++ nm_get_connections(self.connections, self.connections_name) ++ except Exception: + self.notify(escape(text), urgency=Notify.Urgency.CRITICAL) + if text not in self.tooltip_messages: + self.tooltip_messages.append(text) +diff --git a/src/firewall-config b/src/firewall-config +index 02bffabf457c..223c0ff6d27d 100755 +--- a/src/firewall-config ++++ b/src/firewall-config +@@ -1368,7 +1368,7 @@ class FirewallConfig(object): + # connect + + self.connections = { } +- self.connections_uuid = { } ++ self.connections_name = { } + + if nm_is_imported(): + self.fw.bus.add_signal_receiver( +@@ -1428,11 +1428,11 @@ class FirewallConfig(object): + self.fw.changeZoneOfInterface(editor.get_zone(), interface) + del self.zone_interface_editors[interface] + +- def change_zone_connection_editor(self, item, connection, zone): ++ def change_zone_connection_editor(self, item, connection, connection_name, zone): + if connection in self.zone_connection_editors: + return self.zone_connection_editors[connection].present() + +- editor = ZoneConnectionEditor(self.fw, connection, zone) ++ editor = ZoneConnectionEditor(self.fw, 
connection, connection_name, zone) + editor.set_icon(self.icon) + editor.set_position(Gtk.WindowPosition.CENTER_ON_PARENT) + editor.set_transient_for(self.mainWindow) +@@ -1557,14 +1557,14 @@ class FirewallConfig(object): + self.update_active_zones() + + self.connections.clear() +- self.connections_uuid.clear() ++ self.connections_name.clear() + + # do not use NMClient could result in python core dump + + if nm_is_imported(): + try: +- nm_get_connections(self.connections, self.connections_uuid) +- except Exception as msg: ++ nm_get_connections(self.connections, self.connections_name) ++ except Exception: + text = _("Failed to get connections from NetworkManager") + self._warning(text) + +@@ -1572,12 +1572,14 @@ class FirewallConfig(object): + while iter: + interface = self.interfaceStore.get_value(iter, 0) + if interface in self.connections: +- zone = nm_get_zone_of_connection(self.connections[interface]) ++ connection = self.connections[interface] ++ connection_name = self.connections_name[connection] ++ zone = nm_get_zone_of_connection(connection) + if zone == "": + comment = self.default_zone_used_by_label % \ +- self.connections[interface] ++ connection_name + else: +- comment = self.used_by_label % self.connections[interface] ++ comment = self.used_by_label % connection_name + self.interfaceStore.set_value(iter, 1, comment) + iter = self.interfaceStore.iter_next(iter) + self.change_interface_selection_cb(self.interfaceView.get_selection()) +@@ -2427,37 +2429,38 @@ class FirewallConfig(object): + # add NM controlled entries + for connection in sorted(connections): + [ zone, _interfaces ] = connections[connection] ++ connection_name = self.connections_name[connection] + + item = Gtk.MenuItem.new() + hbox = Gtk.Box(orientation=Gtk.Orientation.HORIZONTAL, spacing=6) + label = Gtk.Label() + if zone == "": + label.set_markup("%s (%s)\n%s: %s" % \ +- (connection, ",".join(_interfaces), ++ (connection_name, ",".join(_interfaces), + escape(_("Default Zone")), 
self.default_zone)) + else: + label.set_markup("%s (%s)\n%s: %s" % \ +- (connection, ",".join(_interfaces), ++ (connection_name, ",".join(_interfaces), + escape(_("Zone")), zone)) + label.set_alignment(0, 0.5) + label.set_padding(12, 0) + hbox.pack_start(label, True, True, 0) + item.add(hbox) +- item.connect("activate", self.change_zone_connection_editor, connection, zone) ++ item.connect("activate", self.change_zone_connection_editor, connection, connection_name, zone) + self.left_menu.append(item) + + if zone == "": + self.bindingsStore.append( + self.connectionsIter, + [ "%s (%s)\n%s" % ( +- connection, ",".join(_interfaces), ++ connection_name, ",".join(_interfaces), + _("Default Zone: %s") % self.default_zone), + connection, zone ]) + else: + self.bindingsStore.append( + self.connectionsIter, + [ "%s (%s)\n%s" % ( +- connection, ",".join(_interfaces), ++ connection_name, ",".join(_interfaces), + _("Zone: %s") % zone), + connection, zone ]) + +@@ -2683,7 +2686,7 @@ class FirewallConfig(object): + zone = self.bindingsStore.get_value(iter, 2) + + if self.bindingsStore.get_value(parent_iter, 0) == _("Connections"): +- self.change_zone_connection_editor(None, item, zone) ++ self.change_zone_connection_editor(None, item, self.connections_name[item], zone) + elif self.bindingsStore.get_value(parent_iter, 0) == _("Interfaces"): + self.change_zone_interface_editor(None, item, zone) + elif self.bindingsStore.get_value(parent_iter, 0) == _("Sources"): +@@ -3894,9 +3897,10 @@ class FirewallConfig(object): + interface = self.interfaceStore.get_value(iter, 0) + if interface in self.connections: + connection = self.connections[interface] ++ connection_name = self.connections_name[connection] + if selected_zone == self.default_zone: + selected_zone = nm_get_zone_of_connection(connection) +- editor = ZoneConnectionEditor(self.fw, connection, selected_zone) ++ editor = ZoneConnectionEditor(self.fw, connection, connection_name, selected_zone) + editor.set_icon(self.icon) + 
editor.set_position(Gtk.WindowPosition.CENTER_ON_PARENT) + editor.set_transient_for(self.mainWindow) +@@ -3905,9 +3909,9 @@ class FirewallConfig(object): + result = editor.run() + except Exception: + text = _("Failed to set zone {zone} " +- "for connection {connection}") ++ "for connection {connection_name}") + self._warning(text.format(zone=editor.get_zone(), +- connection=editor.connection)) ++ connection_name=editor.connection_name)) + editor.hide() + else: + self.add_edit_interface(False) +@@ -8115,11 +8119,12 @@ class ZoneInterfaceEditor(Gtk.Dialog): + self.fw.changeZoneOfInterface(self.get_zone(), self.interface) + + class ZoneConnectionEditor(ZoneInterfaceEditor): +- def __init__(self, fw, connection, zone): ++ def __init__(self, fw, connection, connection_name, zone): + self.fw = fw + self.connection = connection ++ self.connection_name = connection_name + self.zone = None +- self.title = _("Select zone for connection '%s'") % self.connection ++ self.title = _("Select zone for connection '%s'") % self.connection_name + + Gtk.Dialog.__init__(self, self.title) + self.create_ui(zone) +diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py +index 76901cee2adf..d21cc25feb8b 100644 +--- a/src/firewall/core/fw_nm.py ++++ b/src/firewall/core/fw_nm.py +@@ -73,7 +73,7 @@ def nm_get_zone_of_connection(connection): + """ + check_nm_imported() + +- con = nm_get_client().get_connection_by_id(connection) ++ con = nm_get_client().get_connection_by_uuid(connection) + if con is None: + return False + +@@ -94,7 +94,7 @@ def nm_set_zone_of_connection(zone, connection): + """ + check_nm_imported() + +- con = nm_get_client().get_connection_by_id(connection) ++ con = nm_get_client().get_connection_by_uuid(connection) + if con is None: + return False + +@@ -107,14 +107,14 @@ def nm_set_zone_of_connection(zone, connection): + setting_con.set_property("zone", zone) + return con.commit_changes(True, None) + +-def nm_get_connections(connections, connections_uuid): ++def 
nm_get_connections(connections, connections_name): + """Get active connections from NM + @param connections return dict +- @param connections_uuid return dict ++ @param connections_name return dict + """ + + connections.clear() +- connections_uuid.clear() ++ connections_name.clear() + + check_nm_imported() + +@@ -129,9 +129,9 @@ def nm_get_connections(connections, connections_uuid): + uuid = active_con.get_uuid() + devices = active_con.get_devices() + +- connections_uuid[name] = uuid ++ connections_name[uuid] = name + for dev in devices: +- connections[dev.get_iface()] = name ++ connections[dev.get_iface()] = uuid + + def nm_get_connection_of_interface(interface): + """Get connection from NM that is using the interface +@@ -148,7 +148,7 @@ def nm_get_connection_of_interface(interface): + if active_con is None: + return None + +- return active_con.get_id() ++ return active_con.get_uuid() + + def nm_get_bus_name(): + if not _nm_imported: +-- +2.16.3 + diff --git a/SOURCES/0002-fw-If-direct-rules-fail-to-apply-add-a-Direct-label-.patch b/SOURCES/0002-fw-If-direct-rules-fail-to-apply-add-a-Direct-label-.patch new file mode 100644 index 0000000..e0da5dd --- /dev/null +++ b/SOURCES/0002-fw-If-direct-rules-fail-to-apply-add-a-Direct-label-.patch 
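Review bot: In `firewall-config` the new `self.connections_name[connection]` lookups (the interfaceStore loop, the bindings menu loop, `self.connections_name[item]` in the bindings activate handler and the add/edit interface path) index the dict directly, while the equivalent code added to `firewall-applet` in the same patch guards with `if connection not in self.connections_name`. `nm_get_connections` fills `connections_name[uuid]` before `connections[dev.get_iface()]`, so a miss should not occur after a successful refresh, but a `KeyError` inside a GTK callback aborts the handler; `self.connections_name.get(connection, connection)` would degrade to showing the uuid instead. The docstring of `nm_get_connections` could also state the new mappings now that they are inverted: `@param connections return dict, interface name -> connection uuid` and `@param connections_name return dict, connection uuid -> connection id (name)`.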
@@ -0,0 +1,40 @@ +From efdecad74ac18d93b62a6f9ba3792904bb976b3b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 17 Aug 2018 13:26:18 -0400 +Subject: [PATCH 2/2] fw: If direct rules fail to apply add a "Direct" label to + error msg + +Since they're free form it's easy to write a bad rule. This will at +least let user know where to look. + +(cherry picked from commit db2d72e32579d14b5f03c6f06a9e6f38b00717cd) +--- + src/firewall/core/fw.py | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 9079f1bbc6a4..21f5fc680c10 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -440,9 +440,15 @@ class Firewall(object): + log.debug1("Applying direct chains rules and passthrough rules") + self.direct.apply_direct(transaction) + +- # Execute transaction +- transaction.execute(True) +- transaction.clear() ++ # since direct rules are easy to make syntax errors lets highlight ++ # the cause if the transaction fails. ++ try: ++ transaction.execute(True) ++ transaction.clear() ++ except FirewallError as e: ++ raise FirewallError(e.code, "Direct: %s" % (e.msg if e.msg else "")) ++ except Exception: ++ raise + + del transaction + +-- +2.18.0 + diff --git a/SOURCES/0002-fw-on-restart-set-policy-from-same-function.patch b/SOURCES/0002-fw-on-restart-set-policy-from-same-function.patch new file mode 100644 index 0000000..c9f53bf --- /dev/null +++ b/SOURCES/0002-fw-on-restart-set-policy-from-same-function.patch 
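Review bot: The trailing `except Exception: raise` clause is a no-op — an exception not matched by the `FirewallError` handler propagates unchanged without it — and can be dropped. The `try` also wraps `transaction.clear()`, so a failure there would be reported as `Direct: ...` as well; keeping only `transaction.execute(True)` inside the `try` and calling `transaction.clear()` after it limits the label to the rule-application failure it is meant for. The enclosing method continues outside the hunk.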
@@ -0,0 +1,45 @@ +From aac434a339ec9d261bdba70eaf649bcd8820af51 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 Aug 2018 16:02:11 -0400 +Subject: [PATCH 2/4] fw: on restart set policy from same function + +Toggle the DROP/ACCEPT policy from the same function. Doing it in +various areas is error prone. + +(cherry picked from commit d3acaac62106b10945c7ac400140b5d0f2c4264d) +--- + src/firewall/core/fw.py | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index e99201d0363d..1ff36f18cd99 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -391,14 +391,11 @@ class Firewall(object): + # Start transaction + transaction = FirewallTransaction(self) + +- if reload: +- self.set_policy("DROP", use_transaction=transaction) +- + # flush rules + self.flush(use_transaction=transaction) + + # If modules need to be unloaded in complete reload or if there are +- # ipsets to get applied, limit the transaction to set_policy and flush. ++ # ipsets to get applied, limit the transaction to flush. + # + # Future optimization for the ipset case in reload: The transaction + # only needs to be split here if there are conflicting ipset types in +@@ -919,6 +916,8 @@ class Firewall(object): + # stop + self.cleanup() + ++ self.set_policy("DROP") ++ + # start + self._start(reload=True, complete_reload=stop) + +-- +2.18.0 + diff --git a/SOURCES/0003-firewall-offline-cmd-add-check-config-option.patch b/SOURCES/0003-firewall-offline-cmd-add-check-config-option.patch new file mode 100644 index 0000000..ae34915 --- /dev/null +++ b/SOURCES/0003-firewall-offline-cmd-add-check-config-option.patch 
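Review bot: `self.set_policy("DROP")` in `reload()` now runs as a standalone call between `cleanup()` and `_start()`, outside the `FirewallTransaction` that performs the flush, and nothing in the hunk documents why the ordering matters; a comment such as `# Switch to DROP here, outside the transaction, so nothing is accepted between cleanup() and the rebuild in _start()` would make the intent explicit for the next maintainer. Since the `if reload:` branch was removed from `_start()`, any other caller passing `reload=True` no longer gets the DROP policy applied, so it is worth confirming that `reload()` is the only such caller. Both `_start()` and `reload()` continue outside the hunk.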
@@ -0,0 +1,68 @@ +From 9b8de9ce33e671a89ea8fd0b6e9c391c0b779726 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 23 May 2018 14:35:10 -0400 +Subject: [PATCH 3/5] firewall-offline-cmd: add --check-config option + +(cherry picked from commit 749e64b74cff231585667417b37ff4f60af65dc0) +--- + src/firewall-offline-cmd | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd +index 7f7c10739f77..13ecfadf4080 100755 +--- a/src/firewall-offline-cmd ++++ b/src/firewall-offline-cmd +@@ -35,6 +35,7 @@ from firewall.errors import FirewallError + from firewall import config + from firewall.core.fw_test import Firewall_test + from firewall.functions import joinArgs, splitArgs ++from firewall.core.io.functions import check_config + from firewall.core.io.zone import zone_reader + from firewall.core.io.service import service_reader + from firewall.core.io.ipset import ipset_reader +@@ -62,6 +63,7 @@ General Options + -q, --quiet Do not print status messages + --system-config Path to firewalld system configuration + --default-config Path to firewalld default configuration ++ --check-config Check system and default configuration + + Lokkit Compatibility Options + --migrate-system-config-firewall= +@@ -532,6 +534,7 @@ parser_group_lokkit.add_argument("--block-icmp", metavar="", action='a + + parser.add_argument("--system-config", metavar="path") + parser.add_argument("--default-config", metavar="path") ++parser.add_argument("--check-config", action="store_true") + + parser_group_standalone = parser.add_mutually_exclusive_group() + parser_group_standalone.add_argument("-h", "--help", +@@ -970,7 +973,8 @@ cmd.set_verbose(a.verbose) + if not (options_standalone or options_ipset or \ + options_lokkit or \ + options_icmptype or options_service or options_helper or \ +- options_permanent or options_direct or options_desc_xml_file): ++ options_permanent or options_direct or options_desc_xml_file or \ ++ 
a.check_config): + cmd.fail(parser.format_usage() + "No option specified.") + + if options_lokkit and (options_standalone or \ +@@ -1035,6 +1039,16 @@ if a.system_config: + config.set_system_config_paths(a.system_config) + if a.default_config: + config.set_default_config_paths(a.default_config) ++if a.check_config: ++ try: ++ fw = Firewall_test() ++ fw.start() ++ check_config(fw) ++ except FirewallError as error: ++ cmd.print_and_exit("Configuration error: %s" % error, error.code) ++ except Exception as msg: ++ cmd.fail("Configuration error: %s" % msg) ++ sys.exit(0) + + zone = a.zone + fw = Firewall_test() +-- +2.16.3 + diff --git a/SOURCES/0003-firewall.core.fw_nm-ignore-generated-connections.patch b/SOURCES/0003-firewall.core.fw_nm-ignore-generated-connections.patch new file mode 100644 index 0000000..f62eb60 --- /dev/null +++ b/SOURCES/0003-firewall.core.fw_nm-ignore-generated-connections.patch 
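Review bot: `--check-config` is registered with `parser.add_argument` rather than in `parser_group_standalone`, unlike the `firewall-cmd` counterpart, so argparse accepts it together with any other option; because the new `if a.check_config:` block ends in `sys.exit(0)` before `zone = a.zone` is reached, every other option on the same command line is silently ignored rather than rejected. Declaring it as `parser_group_standalone.add_argument("--check-config", action="store_true")` makes the combination an argparse error. The `except Exception as msg` fallback maps any non-`FirewallError` failure to `cmd.fail`, which is fine at a CLI boundary but hides the traceback; consider recording it at debug level before failing.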
@@ -0,0 +1,37 @@ +From a3e6d2c48a1535b56bc5f28094818f10f93bf352 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Mon, 16 Jul 2018 17:43:25 +0200 +Subject: [PATCH 3/3] firewall.core.fw_nm: ignore generated connections + +If a connection is generated by NetworkManager, changing it persists it and +makes the device managed by NetworkManager. + +(cherry picked from commit a102dde5d9430d503767cbface3e3b610134bdb6) +--- + src/firewall/core/fw_nm.py | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py +index d21cc25feb8b..0ed19248a79f 100644 +--- a/src/firewall/core/fw_nm.py ++++ b/src/firewall/core/fw_nm.py +@@ -148,6 +148,16 @@ def nm_get_connection_of_interface(interface): + if active_con is None: + return None + ++ try: ++ con = active_con.get_connection() ++ if con.get_flags() & NM.SettingsConnectionFlags.NM_GENERATED: ++ return None ++ except AttributeError: ++ # Prior to NetworkManager 1.12, we can only guess ++ # that a connection was generated. ++ if con.get_unsaved(): ++ return None ++ + return active_con.get_uuid() + + def nm_get_bus_name(): +-- +2.16.3 + diff --git a/SOURCES/0003-fw-if-failure-occurs-during-startup-set-state-to-FAI.patch b/SOURCES/0003-fw-if-failure-occurs-during-startup-set-state-to-FAI.patch new file mode 100644 index 0000000..3ea8f9f --- /dev/null +++ b/SOURCES/0003-fw-if-failure-occurs-during-startup-set-state-to-FAI.patch 
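Review bot: The new `try` block can raise an unhandled `AttributeError` on the legacy path: `active_con.get_connection()` may return `None` (the earlier hunk in this series guards that exact call with `if con is None`), in which case `con.get_flags()` raises `AttributeError`, the handler runs `con.get_unsaved()` on `None` and the second `AttributeError` escapes, turning a zone lookup into a traceback. If `get_connection()` itself raised, `con` would be unbound in the handler as well. Fetching the connection before the `try`, returning `None` when it is missing, and confining the `try` to the flag lookup keeps the fallback correct on both old and new NetworkManager. `nm_get_connection_of_interface` starts outside the hunk.
```python
    con = active_con.get_connection()
    if con is None:
        return None

    try:
        generated = bool(con.get_flags() & NM.SettingsConnectionFlags.NM_GENERATED)
    except AttributeError:
        # Prior to NetworkManager 1.12, we can only guess
        # that a connection was generated.
        generated = con.get_unsaved()
    if generated:
        return None

    return active_con.get_uuid()
```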
@@ -0,0 +1,244 @@ +From 9e4bf24e1e0a5d54398d2220f0a5217eff0704a7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 Aug 2018 16:53:46 -0400 +Subject: [PATCH 3/4] fw: if failure occurs during startup set state to FAILED + +Previously if a failure occurred at startup firewalld would get stuck in +INIT state and the policy would remain as "DROP". This commit changes +that behavior and introduces a new state "FAILED", which means a failure +occurred and we're running in a failed state. Policy is set to "ACCEPT" +so as to hopefully prevent locking out an admin. + +(cherry picked from commit f475bd2293b7ba01ad4b56b68bef1b61d01526f0) +--- + doc/xml/firewall-cmd.xml.in | 2 +- + doc/xml/firewalld.dbus.xml | 2 +- + src/firewall-cmd | 2 + + src/firewall/core/fw.py | 131 +++++++++++++++------------- + src/firewall/errors.py | 1 + + src/tests/regression/rhbz1498923.at | 8 +- + 6 files changed, 83 insertions(+), 63 deletions(-) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 32c89591db86..c2606553e549 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -118,7 +118,7 @@ + + + +- Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active, NOT_RUNNING otherwise (see ). This will also print the state to STDOUT. ++ Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if failure occurred on startup, NOT_RUNNING otherwise. See . This will also print the state to STDOUT. + + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index acdbb5fd6e00..ec82d4cad077 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -488,7 +488,7 @@ + + + state - s - (ro) +- firewalld state. This can be either INIT or RUNNING. In INIT state, firewalld is starting up and initializing. ++ firewalld state. This can be either INIT, FAILED, or RUNNING. 
In INIT state, firewalld is starting up and initializing. In FAILED state, firewalld completely started but experienced a failure. + + + version - s - (ro) +diff --git a/src/firewall-cmd b/src/firewall-cmd +index b80115564e1b..12e18bb88a54 100755 +--- a/src/firewall-cmd ++++ b/src/firewall-cmd +@@ -2022,6 +2022,8 @@ elif a.state: + state = fw.get_property("state") + if state == "RUNNING": + cmd.print_and_exit ("running") ++ elif state == "FAILED": ++ cmd.print_and_exit("failed", errors.RUNNING_BUT_FAILED) + else: + cmd.print_and_exit ("not running", errors.NOT_RUNNING) + elif a.get_log_denied: +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 1ff36f18cd99..5b706d6d3e80 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -451,11 +451,16 @@ class Firewall(object): + tm2 = time.time() + log.debug2("Flushing and applying took %f seconds" % (tm2 - tm1)) + +- self._state = "RUNNING" +- + def start(self): +- self._start() +- self.set_policy("ACCEPT") ++ try: ++ self._start() ++ except Exception: ++ self._state = "FAILED" ++ self.set_policy("ACCEPT") ++ raise ++ else: ++ self._state = "RUNNING" ++ self.set_policy("ACCEPT") + + def _loader(self, path, reader_type, combine=False): + # combine: several zone files are getting combined into one obj +@@ -905,64 +910,70 @@ class Firewall(object): + def reload(self, stop=False): + _panic = self._panic + +- # save zone interfaces +- _zone_interfaces = { } +- for zone in self.zone.get_zones(): +- _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"] +- # save direct config +- _direct_config = self.direct.get_runtime_config() +- _old_dz = self.get_default_zone() +- +- # stop +- self.cleanup() +- +- self.set_policy("DROP") +- +- # start +- self._start(reload=True, complete_reload=stop) +- +- # handle interfaces in the default zone and move them to the new +- # default zone if it changed +- _new_dz = self.get_default_zone() +- if _new_dz != _old_dz: +- # if_new_dz has been 
introduced with the reload, we need to add it +- # https://github.com/firewalld/firewalld/issues/53 +- if _new_dz not in _zone_interfaces: +- _zone_interfaces[_new_dz] = { } +- # default zone changed. Move interfaces from old default zone to +- # the new one. +- for iface, settings in list(_zone_interfaces[_old_dz].items()): +- if settings["__default__"]: +- # move only those that were added to default zone +- # (not those that were added to specific zone same as +- # default) +- _zone_interfaces[_new_dz][iface] = \ +- _zone_interfaces[_old_dz][iface] +- del _zone_interfaces[_old_dz][iface] +- +- # add interfaces to zones again +- for zone in self.zone.get_zones(): +- if zone in _zone_interfaces: +- self.zone.set_settings(zone, { "interfaces": +- _zone_interfaces[zone] }) +- del _zone_interfaces[zone] ++ try: ++ # save zone interfaces ++ _zone_interfaces = { } ++ for zone in self.zone.get_zones(): ++ _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"] ++ # save direct config ++ _direct_config = self.direct.get_runtime_config() ++ _old_dz = self.get_default_zone() ++ ++ # stop ++ self.cleanup() ++ ++ self.set_policy("DROP") ++ ++ self._start(reload=True, complete_reload=stop) ++ ++ # handle interfaces in the default zone and move them to the new ++ # default zone if it changed ++ _new_dz = self.get_default_zone() ++ if _new_dz != _old_dz: ++ # if_new_dz has been introduced with the reload, we need to add it ++ # https://github.com/firewalld/firewalld/issues/53 ++ if _new_dz not in _zone_interfaces: ++ _zone_interfaces[_new_dz] = { } ++ # default zone changed. Move interfaces from old default zone to ++ # the new one. 
++ for iface, settings in list(_zone_interfaces[_old_dz].items()): ++ if settings["__default__"]: ++ # move only those that were added to default zone ++ # (not those that were added to specific zone same as ++ # default) ++ _zone_interfaces[_new_dz][iface] = \ ++ _zone_interfaces[_old_dz][iface] ++ del _zone_interfaces[_old_dz][iface] ++ ++ # add interfaces to zones again ++ for zone in self.zone.get_zones(): ++ if zone in _zone_interfaces: ++ self.zone.set_settings(zone, { "interfaces": ++ _zone_interfaces[zone] }) ++ del _zone_interfaces[zone] ++ else: ++ log.info1("New zone '%s'.", zone) ++ if len(_zone_interfaces) > 0: ++ for zone in list(_zone_interfaces.keys()): ++ log.info1("Lost zone '%s', zone interfaces dropped.", zone) ++ del _zone_interfaces[zone] ++ del _zone_interfaces ++ ++ # restore direct config ++ self.direct.set_config(_direct_config) ++ ++ # enable panic mode again if it has been enabled before or set policy ++ # to ACCEPT ++ if _panic: ++ self.enable_panic_mode() + else: +- log.info1("New zone '%s'.", zone) +- if len(_zone_interfaces) > 0: +- for zone in list(_zone_interfaces.keys()): +- log.info1("Lost zone '%s', zone interfaces dropped.", zone) +- del _zone_interfaces[zone] +- del _zone_interfaces +- +- # restore direct config +- self.direct.set_config(_direct_config) +- +- # enable panic mode again if it has been enabled before or set policy +- # to ACCEPT +- if _panic: +- self.enable_panic_mode() +- else: ++ self.set_policy("ACCEPT") ++ ++ self._state = "RUNNING" ++ except Exception: ++ self._state = "FAILED" + self.set_policy("ACCEPT") ++ raise + + # STATE + +diff --git a/src/firewall/errors.py b/src/firewall/errors.py +index 1cd604884c99..63d007191ffa 100644 +--- a/src/firewall/errors.py ++++ b/src/firewall/errors.py +@@ -97,6 +97,7 @@ MISSING_NAME = 205 + MISSING_SETTING = 206 + MISSING_FAMILY = 207 + ++RUNNING_BUT_FAILED = 251 + NOT_RUNNING = 252 + NOT_AUTHORIZED = 253 + UNKNOWN_ERROR = 254 +diff --git 
a/src/tests/regression/rhbz1498923.at b/src/tests/regression/rhbz1498923.at +index 505a523d5cc4..bb0d841db2a7 100644 +--- a/src/tests/regression/rhbz1498923.at ++++ b/src/tests/regression/rhbz1498923.at +@@ -1,5 +1,11 @@ + FWD_START_TEST([invalid direct rule causes reload error]) + FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT]) + FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 1 --a-bogus-flag]) +-FWD_RELOAD(13, [ignore], [ignore]) ++FWD_RELOAD(13, [ignore], [ignore], 251) ++FWD_CHECK([--state], 251, [ignore], [failed ++]) ++ ++dnl now remove the bad rule and reload successfully ++FWD_CHECK([-q --permanent --direct --remove-rule ipv4 filter INPUT 1 --a-bogus-flag]) ++FWD_RELOAD + FWD_END_TEST([-e '/.*a-bogus-flag.*/d']) +-- +2.18.0 + diff --git a/SOURCES/0004-firewall-cmd-add-check-config-option.patch b/SOURCES/0004-firewall-cmd-add-check-config-option.patch new file mode 100644 index 0000000..d2f0b5c --- /dev/null +++ b/SOURCES/0004-firewall-cmd-add-check-config-option.patch 
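Review bot: The `except Exception:` handlers in `start()` and `reload()` switch the policy to ACCEPT without logging that they did so, so the only trace of the firewall now running open is the re-raised exception and the D-Bus `state` property; an explicit line before the `raise`, e.g. `log.error("Startup failed: state is FAILED and policy is ACCEPT")`, puts the condition in the journal where operators and monitoring will actually see it. The fail-open choice is a deliberate availability trade-off per the commit message and deserves a comment on the `self.set_policy("ACCEPT")` line inside each handler so it is not later "fixed" back to DROP by accident. `set_policy("ACCEPT")` inside the handler can itself raise and replace the original exception as the one callers receive; if the root cause must survive, guard that call separately. The `firewall-cmd` doc text `RUNNING_BUT_FAILED if failure occurred on startup` should also mention reload, since `reload()` sets the same state.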
@@ -0,0 +1,122 @@ +From c37c84f095d820cbd137a285e263075472934502 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 31 May 2018 14:15:57 -0400 +Subject: [PATCH 4/5] firewall-cmd: add --check-config option + +Fixes: rhbz 1477771 +(cherry picked from commit b071536beb7ef2c91adb79c7769a265fc74ab15f) +--- + doc/xml/firewalld.dbus.xml | 11 +++++++++++ + src/firewall-cmd | 6 +++++- + src/firewall/client.py | 5 +++++ + src/firewall/server/firewalld.py | 11 +++++++++++ + 4 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index f02edb173f6e..acdbb5fd6e00 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -347,6 +347,17 @@ + + + ++ ++ checkPermanentConfig() → Nothing ++ ++ ++ Run checks on the permanent configuration. This is most useful if changes were made manually to configuration files. ++ ++ ++ Possible errors: any ++ ++ ++ + + setDefaultZone(s: zone) → Nothing + +diff --git a/src/firewall-cmd b/src/firewall-cmd +index 1a864b32e819..b80115564e1b 100755 +--- a/src/firewall-cmd ++++ b/src/firewall-cmd +@@ -59,6 +59,7 @@ Status Options + --complete-reload Reload firewall and lose state information + --runtime-to-permanent + Create permanent from runtime configuration ++ --check-config Check permanent configuration for errors + + Log Denied Options + --get-log-denied Print the log denied value +@@ -484,6 +485,7 @@ parser_group_standalone.add_argument("--reload", action="store_true") + parser_group_standalone.add_argument("--complete-reload", action="store_true") + parser_group_standalone.add_argument("--runtime-to-permanent", + action="store_true") ++parser_group_standalone.add_argument("--check-config", action="store_true") + parser_group_standalone.add_argument("--get-ipset-types", action="store_true") + parser_group_standalone.add_argument("--get-log-denied", action="store_true") + parser_group_standalone.add_argument("--set-log-denied", metavar="") +@@ -750,7 +752,7 
@@ options_standalone = a.help or a.version or \ + a.get_default_zone or a.set_default_zone or \ + a.get_active_zones or a.get_ipset_types or \ + a.get_log_denied or a.set_log_denied or \ +- a.get_automatic_helpers or a.set_automatic_helpers ++ a.get_automatic_helpers or a.set_automatic_helpers or a.check_config + + options_desc_xml_file = a.set_description or a.get_description or \ + a.set_short or a.get_short +@@ -2039,6 +2041,8 @@ elif a.complete_reload: + fw.complete_reload() + elif a.runtime_to_permanent: + fw.runtimeToPermanent() ++elif a.check_config: ++ fw.checkPermanentConfig() + elif a.direct: + if a.passthrough: + if len(a.passthrough) < 2: +diff --git a/src/firewall/client.py b/src/firewall/client.py +index f90bbd78eb73..da45ceb5b964 100644 +--- a/src/firewall/client.py ++++ b/src/firewall/client.py +@@ -2760,6 +2760,11 @@ class FirewallClient(object): + def runtimeToPermanent(self): + self.fw.runtimeToPermanent() + ++ @slip.dbus.polkit.enable_proxy ++ @handle_exceptions ++ def checkPermanentConfig(self): ++ self.fw.checkPermanentConfig() ++ + @slip.dbus.polkit.enable_proxy + @handle_exceptions + def get_property(self, prop): +diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index fc7422f12261..2cecc4771cb0 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -42,6 +42,7 @@ from firewall.dbus_utils import dbus_to_python, \ + command_of_sender, context_of_sender, uid_of_sender, user_of_uid, \ + dbus_introspection_prepare_properties, \ + dbus_introspection_add_properties ++from firewall.core.io.functions import check_config + from firewall.core.io.zone import Zone + from firewall.core.io.ipset import IPSet + from firewall.core.io.service import Service +@@ -336,6 +337,16 @@ class FirewallD(slip.dbus.service.Object): + def Reloaded(self): + log.debug1("Reloaded()") + ++ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) ++ @dbus_service_method(config.dbus.DBUS_INTERFACE, 
in_signature='', ++ out_signature='') ++ @dbus_handle_exceptions ++ def checkPermanentConfig(self, sender=None): # pylint: disable=W0613 ++ """Check permanent configuration ++ """ ++ log.debug1("checkPermanentConfig()") ++ check_config(self.fw) ++ + # runtime to permanent + + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) +-- +2.16.3 + diff --git a/SOURCES/0005-tests-firewall-cmd-exercise-check-config.patch b/SOURCES/0005-tests-firewall-cmd-exercise-check-config.patch new file mode 100644 index 0000000..7be4cdb --- /dev/null +++ b/SOURCES/0005-tests-firewall-cmd-exercise-check-config.patch 
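Review bot: The new D-Bus method's docstring `"""Check permanent configuration"""` does not tell a caller what to expect: that it raises on a problem rather than returning a result (presumably, since `check_config(self.fw)` returns nothing and the D-Bus doc says `Possible errors: any`), whether it modifies anything, or that it validates the on-disk configuration with the daemon's privileges. Something like `"""Validate the permanent configuration on disk; raises FirewallError on the first invalid file."""` with a read-only statement confirmed against `check_config` would be enough. The method is gated by `PK_ACTION_CONFIG`, the same polkit action used for configuration writes; if the check is read-only, a short comment explaining why the write-level action was chosen (or using a lower-privilege info action if the project defines one) would help future reviewers. The `FirewallClient.checkPermanentConfig` wrapper in client.py would benefit from the same one-line docstring.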
@@ -0,0 +1,416 @@ +From b388398d8c4b9859fba9b45371239bd2e5d6bfd4 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 24 May 2018 16:30:41 -0400 +Subject: [PATCH 5/5] tests/firewall-cmd: exercise --check-config + +This exercises the --check-config option for both firewall-cmd and +firewall-offline-cmd. + +We also remove the explicit check in config/Makefile as it's now part of +the normal testsuite. + +(cherry picked from commit c2bd43e71018ca4e43141ca93fab352e344f4a30) +--- + src/tests/firewall-cmd.at | 374 ++++++++++++++++++++++++++++++++++++++++++++++ + src/tests/functions.at | 3 + + 2 files changed, 377 insertions(+) + +diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at +index 7364e9770d27..92cade844b9e 100644 +--- a/src/tests/firewall-cmd.at ++++ b/src/tests/firewall-cmd.at +@@ -840,3 +840,377 @@ FWD_END_TEST([-e '/ERROR: INVALID_RULE:/d' dnl + -e '/ERROR: INVALID_LOG_LEVEL: eror/d' dnl + -e '/ERROR: MISSING_FAMILY/d' dnl + -e '/ERROR: INVALID_LIMIT: 1\/2m/d']) ++ ++FWD_START_TEST([config validation]) ++ dnl default config ++ FWD_CHECK([--check-config], 0, ignore) ++ ++ dnl The rest of these are negative test cases. 
++ ++ dnl firewalld.conf ++ AT_CHECK([cp ./firewalld.conf ./firewalld.conf.orig]) ++ AT_CHECK([echo "SomeBogusField=yes" >> ./firewalld.conf]) ++ FWD_CHECK([--check-config], 0, ignore, [dnl ++m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl ++ERROR: Invalid option: 'SomeBogusField=yes' ++ERROR: Invalid option: 'SomeBogusField=yes' ++])]) ++ AT_CHECK([cp ./firewalld.conf.orig ./firewalld.conf]) ++ ++ dnl direct ++ AT_DATA([./direct.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 111, ignore, ignore) ++ ++ AT_DATA([./direct.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ AT_CHECK([rm ./direct.xml]) ++ ++ dnl lockdown-whitelist ++ AT_DATA([./lockdown-whitelist.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./lockdown-whitelist.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./lockdown-whitelist.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ AT_CHECK([rm ./lockdown-whitelist.xml]) ++ ++ dnl ipset ++ AT_CHECK([mkdir -p ./ipsets]) ++ AT_DATA([./ipsets/foobar.xml], [dnl ++ ++ ++ 12:34:56:78:90 ++ ++]) ++ FWD_CHECK([--check-config], 0, ignore, [dnl ++m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl ++WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90', ignoring. ++WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90', ignoring. 
++])]) ++ ++ AT_DATA([./ipsets/foobar.xml], [dnl ++ ++ ++ 12:34:56:78:90:ab ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./ipsets/foobar.xml], [dnl ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 119, ignore, ignore) ++ AT_CHECK([rm ./ipsets/foobar.xml]) ++ ++ dnl helpers ++ AT_CHECK([mkdir -p ./helpers]) ++ AT_DATA([./helpers/foobar.xml], [dnl ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./helpers/foobar.xml], [dnl ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 111, ignore, ignore) ++ ++ AT_DATA([./helpers/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 103, ignore, ignore) ++ AT_CHECK([rm ./helpers/foobar.xml]) ++ ++ dnl icmptype ++ AT_CHECK([mkdir -p ./icmptypes]) ++ AT_DATA([./icmptypes/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./icmptypes/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ AT_CHECK([rm ./icmptypes/foobar.xml]) ++ ++ dnl services ++ AT_CHECK([mkdir -p ./services]) ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 103, ignore, ignore) ++ ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 103, ignore, ignore) ++ ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 102, ignore, ignore) ++ ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 102, ignore, ignore) ++ ++ AT_DATA([./services/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ AT_CHECK([rm 
./services/foobar.xml]) ++ ++ dnl zones ++ AT_CHECK([mkdir -p ./zones]) ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++]) ++ FWD_CHECK([--check-config], 112, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 101, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 103, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 0, ignore, [dnl ++m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl ++WARNING: Invalid source: No address no ipset. ++WARNING: Invalid source: No address no ipset. 
++])]) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++ ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 0, ignore, [dnl ++m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl ++WARNING: INVALID_LIMIT: none: rule family="ipv4" source address="10.0.0.1/24" accept limit value="none" ++WARNING: INVALID_LIMIT: none: rule family="ipv4" source address="10.0.0.1/24" accept limit value="none" ++])]) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 0, ignore, [dnl ++m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl ++WARNING: Invalid rule: Invalid log level ++WARNING: Invalid rule: Invalid log level ++])]) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 28, ignore, ignore) ++ ++ AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ ++ ++ ++ ++ ++]) ++ FWD_CHECK([--check-config], 0, ignore, [dnl ++m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl ++WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept ++WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept ++])]) ++ AT_CHECK([rm ./zones/foobar.xml]) ++ ++FWD_END_TEST([-e '/ERROR:/d'dnl ++ -e '/WARNING:/d']) +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 7bd66d5c74fe..d9b1ce401bb0 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -122,6 +122,9 @@ m4_define([FWD_CHECK], [ + m4_if(-1, m4_index([$1], [-default-zone]), [], [ + m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD]) + ]) ++ m4_if(-1, m4_index([$1], [--check-config]), [], [ ++ m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD]) ++ ]) + ], [ + m4_if(-1, m4_index([$1], [--timeout]), [ + m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD]) +-- +2.16.3 + 
diff --git a/SOURCES/firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch b/SOURCES/firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch deleted file mode 100644 index 36bd3f4..0000000 --- a/SOURCES/firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -commit 7a86d66f27a8c657a3cd9fbecdf26d167c2ee92e -Author: Thomas Woerner -Date: Wed Apr 26 15:07:18 2017 +0200 - - firewall-cmd: Fix --{set,get}-{short,description} for zone - - The options --{set,get}-{short,description} have been used on the wrong object - in firewall-cmd which resulted in a back trace. - - Fixes: RHBZ#1445238 - -diff --git a/src/firewall-cmd b/src/firewall-cmd -index 9988a79..1a864b3 100755 ---- a/src/firewall-cmd -+++ b/src/firewall-cmd -@@ -1987,31 +1987,31 @@ if a.permanent: - elif a.list_all_zones: - names = fw.config().getZoneNames() - for zone in sorted(names): -- settings = fw.config().getZoneByName(zone) -- cmd.print_zone_info(zone, settings.getSettings()) -+ settings = fw.config().getZoneByName(zone).getSettings() -+ cmd.print_zone_info(zone, settings) - cmd.print_msg("") - sys.exit(0) - - # set zone description - elif a.set_description: -- settings = fw.config().getZoneByName(zone) -+ settings = fw.config().getZoneByName(zone).getSettings() - settings.setDescription(a.set_description) - fw_zone.update(settings) - - # get zone description - elif a.get_description: -- settings = fw.config().getZoneByName(zone) -+ settings = fw.config().getZoneByName(zone).getSettings() - cmd.print_and_exit(settings.getDescription()) - - # set zone short description - elif a.set_short: -- settings = fw.config().getZoneByName(zone) -+ settings = fw.config().getZoneByName(zone).getSettings() - settings.setShort(a.set_short) - fw_zone.update(settings) - - # get zone short description - elif a.get_short: -- settings = fw.config().getZoneByName(zone) -+ settings = fw.config().getZoneByName(zone).getSettings() - cmd.print_and_exit(settings.getShort()) - - elif a.version: diff --git a/SOURCES/firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch b/SOURCES/firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch deleted file mode 100644 index 8749ee6..0000000 
--- a/SOURCES/firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch +++ /dev/null @@ -1,23 +0,0 @@ -commit d3fee3a3b923339fb45d23f60ee0170a5ca25957 -Author: Thomas Woerner -Date: Mon Apr 3 15:06:36 2017 +0200 - - firewall-offline-cmd: Fix --remove-service-from-zone option RHBZ#1438127 - - The wrong option name has been used internally which resulted in the NoneType - object is not iterable error. - -diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd -index b229f39..b1e8a6c 100755 ---- a/src/firewall-offline-cmd -+++ b/src/firewall-offline-cmd -@@ -2076,7 +2076,8 @@ try: - cmd.add_sequence(a.add_service, fw_settings.addService, - fw_settings.queryService, None, "'%s'") - elif a.remove_service_from_zone: -- cmd.remove_sequence(a.remove_service, fw_settings.removeService, -+ cmd.remove_sequence(a.remove_service_from_zone, -+ fw_settings.removeService, - fw_settings.queryService, None, "'%s'") - elif a.query_service: - cmd.query_sequence(a.query_service, fw_settings.queryService, diff --git a/SOURCES/firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch b/SOURCES/firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch deleted file mode 100644 index d9dbc3b..0000000 --- a/SOURCES/firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch +++ /dev/null 
@@ -1,139 +0,0 @@
-commit 14bcde4e9b9f8c3638e37705ba57c3fac8e9b80f
-Author: Thomas Woerner
-Date: Fri Apr 28 18:38:50 2017 +0200
-
- Man pages: Mention sctp and dccp protocols for remaining ports, ..
-
-diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml
-index a5b5acd..bf4e7a0 100644
---- a/doc/xml/firewall-cmd.xml
-+++ b/doc/xml/firewall-cmd.xml
-@@ -549,7 +549,7 @@
- timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
-
-
-- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
-+ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
-
-
- The option is not combinable with the option.
-@@ -639,7 +639,7 @@
- timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
-
-
-- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
-+ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
-
-
- The option is not combinable with the option.
-@@ -732,7 +732,7 @@
- timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
-
-
-- The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address.
-+ The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
-
-
- The option is not combinable with the option.
-diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
-index d007dbe..e157f67 100644
---- a/doc/xml/firewall-offline-cmd.xml
-+++ b/doc/xml/firewall-offline-cmd.xml
-@@ -208,7 +208,7 @@
- Add the port to the default zone. This option can be specified multiple times.
-
-
-- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
-+ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
-
-
-
-@@ -264,7 +264,7 @@
- Add the IPv4 forward port in the default zone. This option can be specified multiple times.
-
-
-- The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is an IP address.
-+ The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is an IP address.
-
-
-
-@@ -621,7 +621,7 @@
- Add the port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times.
-
-
-- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
-+ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
-
-
-
-@@ -748,7 +748,7 @@
- Add the IPv4 forward port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times.
-
-
-- The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address.
-+ The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
-
-
- For IPv6 forward ports, please use the rich language.
-@@ -798,7 +798,7 @@
- Add the source port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
-
-
-- The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
-+ The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
-
-
-
-diff --git a/doc/xml/firewalld.service.xml b/doc/xml/firewalld.service.xml
-index 2907f83..88b7640 100644
---- a/doc/xml/firewalld.service.xml
-+++ b/doc/xml/firewalld.service.xml
-@@ -136,7 +136,7 @@
- protocol="string"
-
-
-- The protocol value can either be , , or .
-+ The protocol value can either be tcp, udp, sctp or dccp.
-
-
-
-@@ -185,7 +185,7 @@
- protocol="string"
-
-
-- The protocol value can either be , , or .
-+ The protocol value can either be tcp, udp, sctp or dccp.
-
-
-
-diff --git a/doc/xml/firewalld.zone.xml b/doc/xml/firewalld.zone.xml
-index 67cd3ef..12e42e2 100644
---- a/doc/xml/firewalld.zone.xml
-+++ b/doc/xml/firewalld.zone.xml
-@@ -252,7 +252,7 @@
- protocol="tcp|udp|sctp|dccp"
-
-
-- The protocol can either be tcp, , or .
-+ The protocol can either be tcp, udp, sctp or dccp.
-
-
-
-@@ -332,7 +332,7 @@
- protocol="tcp|udp|sctp|dccp"
-
-
-- The protocol can either be tcp, , or .
-+ The protocol can either be tcp, udp, sctp or dccp.
-
-
-
-@@ -385,7 +385,7 @@
- protocol="tcp|udp|sctp|dccp"
-
-
-- The protocol can either be tcp, , or .
-+ The protocol can either be tcp, udp, sctp or dccp.
-
-
-
diff --git a/SOURCES/firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch b/SOURCES/firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch
deleted file mode 100644
index 5338467..0000000
--- a/SOURCES/firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-commit ded96b82404811d70b9f5e264b44e2834e91e42f
-Author: Leon Goldberg
-Date: Thu Mar 23 12:22:26 2017 +0200
-
- Introducing ovirt's imageio service
-
-diff --git a/config/services/ovirt-imageio.xml b/config/services/ovirt-imageio.xml
-new file mode 100644
-index 0000000..9ba6526
---- /dev/null
-+++ b/config/services/ovirt-imageio.xml
-@@ -0,0 +1,6 @@
-+
-+
-+ oVirt Image I/O
-+ oVirt Image I/O simplifies the workflow of introducing new oVirt images into the oVirt environment.
-+
-+
-
-commit 31955ff59636e3ed63289d60ad254a09aa75686e
-Author: Leon Goldberg
-Date: Tue May 2 16:04:52 2017 +0300
-
- Adding ovirt-vmconsole service file
-
-diff --git a/config/services/ovirt-vmconsole.xml b/config/services/ovirt-vmconsole.xml
-new file mode 100644
-index 0000000..2b47448
---- /dev/null
-+++ b/config/services/ovirt-vmconsole.xml
-@@ -0,0 +1,7 @@
-+
-+
-+ oVirt VM Console
-+ oVirt VM Consoles enables secure access to virtual machine serial console.
-+
-+
-+
-
-commit ffd82e3e95ed80805c566bb8b5858fdd45f3780f
-Author: leongold
-Date: Wed May 3 15:30:40 2017 +0300
-
- Fixing incorrect port number
-
-diff --git a/config/services/ovirt-vmconsole.xml b/config/services/ovirt-vmconsole.xml
-index 2b47448..ca8ea19 100644
---- a/config/services/ovirt-vmconsole.xml
-+++ b/config/services/ovirt-vmconsole.xml
-@@ -2,6 +2,5 @@
-
- oVirt VM Console
- oVirt VM Consoles enables secure access to virtual machine serial console.
--
-+
-
--
-
-commit 920f54ce5b3651a1ce738cb0b062aa1458c12c8d
-Author: Leon Goldberg
-Date: Tue May 2 16:04:52 2017 +0300
-
- Adding oVirt storage-console service.
-
-diff --git a/config/services/ovirt-storageconsole.xml b/config/services/ovirt-storageconsole.xml
-new file mode 100644
-index 0000000..721a7df
---- /dev/null
-+++ b/config/services/ovirt-storageconsole.xml
-@@ -0,0 +1,7 @@
-+
-+
-+ oVirt Storage-Console
-+ oVirt Storage Console is a web-based storage management platform specially designed to efficiently manage oVirt's storage-defined storage.
-+
-+
-+
-
-commit 0aa83426e9c337bf21df0d436e7f6cbcd6b72e03
-Author: Leon Goldberg
-Date: Wed May 3 14:44:14 2017 +0300
-
- Adding ctdb service file.
-
-diff --git a/config/services/ctdb.xml b/config/services/ctdb.xml
-new file mode 100644
-index 0000000..7209082
---- /dev/null
-+++ b/config/services/ctdb.xml
-@@ -0,0 +1,7 @@
-+
-+
-+ CTDB
-+ CTDB is a cluster implementation of the TDB database used by Samba and other projects to store temporary data.
-+
-+
-+
-
-commit d774891afe7109fb65c87ac6a3e28a76d132784a
-Author: Leon Goldberg
-Date: Thu May 4 12:16:53 2017 +0300
-
- Adding service file for nrpe.
-
- Although the port isn't IANA registered to Nagios, it's failry well
- known (http://www.speedguide.net/port.php?port=5666).
-
-diff --git a/config/services/nrpe.xml b/config/services/nrpe.xml
-new file mode 100644
-index 0000000..4535d89
---- /dev/null
-+++ b/config/services/nrpe.xml
-@@ -0,0 +1,6 @@
-+
-+
-+ NRPE
-+ NRPE allows you to execute Nagios plugins on a remote host in as transparent a manner as possible.
-+
-+
-
-commit b1b63267f1f5af0c71d8ebd7db170bf2e1380c13
-Author: Thomas Woerner
-Date: Thu Apr 27 14:52:49 2017 +0200
-
- config/Makefile.am: Install new ovirt-imageio service
-
-diff --git a/config/Makefile.am b/config/Makefile.am
-index f05caf6..61ec9a2 100644
---- a/config/Makefile.am
-+++ b/config/Makefile.am
-@@ -174,6 +174,7 @@ CONFIG_FILES = \
- services/nfs.xml \
- services/ntp.xml \
- services/openvpn.xml \
-+ services/ovirt-imageio.xml \
- services/pmcd.xml \
- services/pmproxy.xml \
- services/pmwebapis.xml \
-
-commit 7e6e41809b3898a1ae9d014dc9be027b25521978
-Author: Thomas Woerner
-Date: Wed May 3 17:19:03 2017 +0200
-
- config/Makefile.am: New services ctdb, ovirt-storageconsole and ovirt-vmconsole
-
-diff --git a/config/Makefile.am b/config/Makefile.am
-index 61ec9a2..1669a84 100644
---- a/config/Makefile.am
-+++ b/config/Makefile.am
-@@ -131,6 +131,7 @@ CONFIG_FILES = \
- services/ceph.xml \
- services/cfengine.xml \
- services/condor-collector.xml \
-+ services/ctdb.xml \
- services/dhcpv6-client.xml \
- services/dhcpv6.xml \
- services/dhcp.xml \
-@@ -175,6 +176,8 @@ CONFIG_FILES = \
- services/ntp.xml \
- services/openvpn.xml \
- services/ovirt-imageio.xml \
-+ services/ovirt-storageconsole.xml \
-+ services/ovirt-vmconsole.xml \
- services/pmcd.xml \
- services/pmproxy.xml \
- services/pmwebapis.xml \
-
-commit a75d783101a43a57c6b6619acafa66268e6f822d
-Author: Thomas Woerner
-Date: Tue May 9 11:29:12 2017 +0200
-
- config/Makefile.am: New services nrpe
-
-diff --git a/config/Makefile.am b/config/Makefile.am
-index 1669a84..33cb7da 100644
---- a/config/Makefile.am
-+++ b/config/Makefile.am
-@@ -173,6 +173,7 @@ CONFIG_FILES = \
- services/ms-wbt.xml \
- services/mysql.xml \
- services/nfs.xml \
-+ services/nrpe.xml \
- services/ntp.xml \
- services/openvpn.xml \
- services/ovirt-imageio.xml \
diff --git a/SOURCES/firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch b/SOURCES/firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch
deleted file mode 100644
index 5970c8a..0000000
--- a/SOURCES/firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-commit 0c480ec760c3ecaeea325041bdffc6d3d1153d88
-Author: Thomas Woerner
-Date: Wed May 17 17:56:39 2017 +0200
-
- Rename extension for policy choices (server and desktop) to .policy.choice (RHBZ#1449754)
-
- This is done at installation time to still use autofoo targets etc. A change in firewall-offline command to fix --policy-server and --policy-desktop options
- has been needed for this also.
-
-diff --git a/config/Makefile.am b/config/Makefile.am
-index 33cb7da..bdc5651 100644
---- a/config/Makefile.am
-+++ b/config/Makefile.am
-@@ -347,5 +347,7 @@ uninstall-local: $(UNINSTALL_TARGETS)
-
- install-data-hook:
- cd $(DESTDIR)$(polkit1_actiondir) && \
-+ mv org.fedoraproject.FirewallD1.server.policy org.fedoraproject.FirewallD1.server.policy.choice && \
-+ mv org.fedoraproject.FirewallD1.desktop.policy org.fedoraproject.FirewallD1.desktop.policy.choice && \
- rm -f org.fedoraproject.FirewallD1.policy && \
-- $(LN_S) org.fedoraproject.FirewallD1.server.policy org.fedoraproject.FirewallD1.policy
-+ $(LN_S) org.fedoraproject.FirewallD1.server.policy.choice org.fedoraproject.FirewallD1.policy
-diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd
-index b1e8a6c..ebeb1ec 100755
---- a/src/firewall-offline-cmd
-+++ b/src/firewall-offline-cmd
-@@ -478,13 +478,13 @@ def pk_symlink(product='server'):
- _PK_DIR = '/usr/share/polkit-1/actions/'
- _PK_NAME = 'org.fedoraproject.FirewallD1.'
- os.chdir(_PK_DIR)
-- if os.path.isfile(_PK_NAME+product+'.policy'):
-+ if os.path.isfile(_PK_NAME+product+'.policy.choice'):
- if os.path.isfile(_PK_NAME+'policy'):
- os.remove(_PK_NAME+'policy')
-- os.symlink(_PK_NAME+product+'.policy', _PK_NAME+'policy')
-- cmd.print_and_exit('symlink '+_PK_DIR+_PK_NAME+product+'.policy -> '+_PK_NAME+'policy')
-+ os.symlink(_PK_NAME+product+'.policy.choice', _PK_NAME+'policy')
-+ cmd.print_and_exit('symlink '+_PK_DIR+_PK_NAME+product+'.policy.choice -> '+_PK_NAME+'policy')
- else:
-- cmd.fail('no such file '+_PK_DIR+_PK_NAME+product+'.policy')
-+ cmd.fail('no such file '+_PK_DIR+_PK_NAME+product+'.policy.choice')
-
- # system-config-firewall
- def read_sysconfig_args(config_file=SYSTEM_CONFIG_FIREWALL):
diff --git a/SOURCES/firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch b/SOURCES/firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch
deleted file mode 100644
index 55cd89b..0000000
--- a/SOURCES/firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-commit 18990db7b05a3d81145b41e7cfe64ebbb958aa1a
-Author: Thomas Woerner
-Date: Thu Apr 27 13:15:36 2017 +0200
-
- firewall.core.ipXtables: Use new wait option for restore commands if available
-
- The iptables restore commands in the next iptables release will support the
- wait option. This is very useful and results in less likely collisions with
- iptables commands used by other services or the user.
-
-diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
-index 2ae0000..9f051d3 100644
---- a/src/firewall/core/ipXtables.py
-+++ b/src/firewall/core/ipXtables.py
-@@ -157,6 +157,7 @@ class ip4tables(object):
- self._command = config.COMMANDS[self.ipv]
- self._restore_command = config.COMMANDS["%s-restore" % self.ipv]
- self.wait_option = self._detect_wait_option()
-+ self.restore_wait_option = self._detect_restore_wait_option()
- self.fill_exists()
-
- def fill_exists(self):
-@@ -251,6 +252,8 @@ class ip4tables(object):
- log.debug2("%s: %s %s", self.__class__, self._restore_command,
- "%s: %d" % (temp_file.name, stat.st_size))
- args = [ ]
-+ if self.restore_wait_option:
-+ args.append(self.restore_wait_option)
- if not flush:
- args.append("-n")
-
-@@ -320,6 +323,24 @@ class ip4tables(object):
-
- return wait_option
-
-+ def _detect_restore_wait_option(self):
-+ temp_file = tempFile()
-+ temp_file.write("#foo")
-+ temp_file.close()
-+
-+ wait_option = ""
-+ ret = runProg(self._restore_command, ["-w"], stdin=temp_file.name) # proposed for iptables-1.6.2
-+ if ret[0] == 0:
-+ wait_option = "-w" # wait for xtables lock
-+ ret = runProg(self._restore_command, ["--wait=2"], stdin=temp_file.name) # since iptables > 1.4.21
-+ if ret[0] == 0:
-+ wait_option = "--wait=2" # wait max 2 seconds
-+ log.debug2("%s: %s will be using %s option.", self.__class__, self._restore_command, wait_option)
-+
-+ os.unlink(temp_file.name)
-+
-+ return wait_option
-+
- def flush(self, transaction=None):
- tables = self.used_tables()
- for table in
tables:
diff --git a/SOURCES/firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch b/SOURCES/firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch
deleted file mode 100644
index 6d3912a..0000000
--- a/SOURCES/firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch
+++ /dev/null
@@ -1,440 +0,0 @@
-commit 3e0997f5effaec309e03c9c7c639d8243536ad37
-Author: Thomas Woerner
-Date: Tue Apr 4 19:03:27 2017 +0200
-
- Support sctp and dccp in ports, source-ports, forward-ports, helpers and rich rules
-
- This patch adds support to use ports with the protocols sctp and dccp if also
- a port id is specified. The use of sctp and dccp is now also allowed in
- source-ports, forward-ports, helpers and rich language rules.
-
- The test suite has been expanded to also test the new combinations.
-
- This fixes RHBZ#1429808
-
-diff --git a/doc/xml/firewalld.helper.xml b/doc/xml/firewalld.helper.xml
-index 9de4589..d931e22 100644
---- a/doc/xml/firewalld.helper.xml
-+++ b/doc/xml/firewalld.helper.xml
-@@ -69,7 +69,7 @@
- <helper module="nf_conntrack_module" [family="ipv4|ipv6"]>
- <short>short</short>
- <description>description</description>
-- <port portid[-portid]" protocol="tcp|udp"/>
-+ <port portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
- </helper>
-
-
-@@ -149,7 +149,7 @@
- protocol="string"
-
-
-- The protocol value can either be or .
-+ The protocol value can either be , , or .
-
-
-
-diff --git a/doc/xml/firewalld.service.xml b/doc/xml/firewalld.service.xml
-index 568555f..425f5a9 100644
---- a/doc/xml/firewalld.service.xml
-+++ b/doc/xml/firewalld.service.xml
-@@ -136,7 +136,7 @@
- protocol="string"
-
-
-- The protocol value can either be or .
-+ The protocol value can either be , , or .
-
-
-
-@@ -185,7 +185,7 @@
- protocol="string"
-
-
-- The protocol value can either be or .
-+ The protocol value can either be , , or .
-
-
-
-diff --git a/doc/xml/firewalld.zone.xml b/doc/xml/firewalld.zone.xml
-index 80290e7..c3283c0 100644
---- a/doc/xml/firewalld.zone.xml
-+++ b/doc/xml/firewalld.zone.xml
-@@ -73,25 +73,25 @@
- [ <interface name="string"/> ]
- [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
- [ <service name="string"/> ]
-- [ <port port="portid[-portid]" protocol="tcp|udp"/> ]
-+ [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
- [ <protcol value="protocol"/> ]
- [ <icmp-block name="string"/> ]
- [ <icmp-block-inversion/> ]
- [ <masquerade/> ]
-- [ <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ]
-- [ <source-port port="portid[-portid]" protocol="tcp|udp"/> ]
-+ [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ]
-+ [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
- [
- <rule [family="ipv4|ipv6"]>
- [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
- [ <destination address="address[/mask]" [invert="True"]/> ]
- [
- <service name="string"/> |
-- <port port="portid[-portid]" protocol="tcp|udp"/> |
-+ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
- <protocol value="protocol"/> |
- <icmp-block name="icmptype"/> |
- <icmp-type name="icmptype"/> |
- <masquerade/> |
-- <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/>
-+ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
- ]
- [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
- [ <audit> [<limit value="rate/duration"/>] </audit> ]
-@@ -249,10 +249,10 @@
-
-
-
-- protocol="tcp|udp"
-+ protocol="tcp|udp|sctp|dccp"
-
-
-- The protocol can either be tcp or udp.
-+ The protocol can either be tcp, , or .
-
-
-
-@@ -329,10 +329,10 @@
-
-
-
-- protocol="tcp|udp"
-+ protocol="tcp|udp|sctp|dccp"
-
-
-- The protocol can either be tcp or udp.
-+ The protocol can either be tcp, , or .
-
-
-
-@@ -382,10 +382,10 @@
-
-
-
-- protocol="tcp|udp"
-+ protocol="tcp|udp|sctp|dccp"
-
-
-- The protocol can either be tcp or udp.
-+ The protocol can either be tcp, , or .
-
-
-
-@@ -407,13 +407,13 @@
- [ <destination address="address[/mask]" [invert="True"]/> ]
- [
- <service name="string"/> |
-- <port port="portid[-portid]" protocol="tcp|udp"/> |
-+ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
- <protocol value="protocol"/> |
- <icmp-block name="icmptype"/> |
- <icmp-type name="icmptype"/> |
- <masquerade/> |
-- <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/> |
-- <source-port port="portid[-portid]" protocol="tcp|udp"/> |
-+ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
-+ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
- ]
- [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ]
- [ <audit> [<limit value="rate/duration"/>] </audit> ]
-diff --git a/src/firewall-config.glade b/src/firewall-config.glade
-index 73cee5c..d209a34 100644
---- a/src/firewall-config.glade
-+++ b/src/firewall-config.glade
-@@ -1263,6 +1263,8 @@
-
- tcp
- udp
-+ sctp
-+ dccp
-
-
-
-@@ -9196,6 +9198,8 @@
-
- tcp
- udp
-+ sctp
-+ dccp
-
-
-
-@@ -9597,6 +9601,7 @@
- - Select -
- ah
- esp
-+ dccp
- ddp
- icmp
- igmp
-diff --git a/src/firewall/command.py b/src/firewall/command.py
-index e3adde0..e2d032f 100644
---- a/src/firewall/command.py
-+++ b/src/firewall/command.py
-@@ -267,9 +267,10 @@ class FirewallCommand(object):
- "portid[-portid]%sprotocol" % separator)
- if not check_port(port):
- raise FirewallError(errors.INVALID_PORT, port)
-- if proto not in [ "tcp", "udp" ]:
-+
if proto not in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL,
-- "'%s' not in {'tcp'|'udp'}" % proto)
-+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
-+ proto)
- return (port, proto)
-
- def parse_forward_port(self, value):
-@@ -301,9 +302,10 @@ class FirewallCommand(object):
-
- if not check_port(port):
- raise FirewallError(errors.INVALID_PORT, port)
-- if protocol not in [ "tcp", "udp" ]:
-+ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL,
-- "'%s' not in {'tcp'|'udp'}" % protocol)
-+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
-+ protocol)
- if toport and not check_port(toport):
- raise FirewallError(errors.INVALID_PORT, toport)
- if toaddr and not check_single_address("ipv4", toaddr):
-diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
-index f32ec22..8dbe59b 100644
---- a/src/firewall/core/fw.py
-+++ b/src/firewall/core/fw.py
-@@ -989,9 +989,10 @@ class Firewall(object):
- def check_tcpudp(self, protocol):
- if not protocol:
- raise FirewallError(errors.MISSING_PROTOCOL)
-- if protocol not in [ "tcp", "udp" ]:
-+ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL,
-- "'%s' not in {'tcp'|'udp'}" % protocol)
-+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
-+ protocol)
-
- def check_ip(self, ip):
- if not functions.checkIP(ip):
-diff --git a/src/firewall/core/fw_test.py b/src/firewall/core/fw_test.py
-index 62385e6..9516823 100644
---- a/src/firewall/core/fw_test.py
-+++ b/src/firewall/core/fw_test.py
-@@ -456,9 +456,10 @@ class Firewall_test(object):
- def check_tcpudp(self, protocol):
- if not protocol:
- raise FirewallError(errors.MISSING_PROTOCOL)
-- if not protocol in [ "tcp", "udp" ]:
-+ if not protocol in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL,
-- "'%s' not in {'tcp'|'udp'}" % protocol)
-+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
-+ protocol)
-
- def
check_ip(self, ip):
- if not functions.checkIP(ip):
-diff --git a/src/firewall/core/io/io_object.py b/src/firewall/core/io/io_object.py
-index 3ae180a..139439f 100644
---- a/src/firewall/core/io/io_object.py
-+++ b/src/firewall/core/io/io_object.py
-@@ -292,9 +292,10 @@ def check_port(port):
- "'%s' is invalid port range" % port)
-
- def check_tcpudp(protocol):
-- if protocol not in [ "tcp", "udp" ]:
-+ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL,
-- "'%s' not from {'tcp'|'udp'}" % protocol)
-+ "'%s' not from {'tcp'|'udp'|'sctp'|'dccp'}" % \
-+ protocol)
-
- def check_protocol(protocol):
- if not functions.checkProtocol(protocol):
-diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
-index b33009f..3adcb4d 100644
---- a/src/firewall/core/rich.py
-+++ b/src/firewall/core/rich.py
-@@ -576,7 +576,7 @@ class Rich_Rule(object):
- elif type(self.element) == Rich_Port:
- if not functions.check_port(self.element.port):
- raise FirewallError(errors.INVALID_PORT, self.element.port)
-- if self.element.protocol not in [ "tcp", "udp" ]:
-+ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
-
- # protocol
-@@ -611,7 +611,7 @@ class Rich_Rule(object):
- elif type(self.element) == Rich_ForwardPort:
- if not functions.check_port(self.element.port):
- raise FirewallError(errors.INVALID_PORT, self.element.port)
-- if self.element.protocol not in [ "tcp", "udp" ]:
-+ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
- if self.element.to_port == "" and self.element.to_address == "":
- raise FirewallError(errors.INVALID_PORT, self.element.to_port)
-@@ -631,7 +631,7 @@ class Rich_Rule(object):
- elif type(self.element) == Rich_SourcePort:
- if not functions.check_port(self.element.port):
- raise FirewallError(errors.INVALID_PORT, self.element.port)
--
if self.element.protocol not in [ "tcp", "udp" ]:
-+ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
- raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
-
- # other element and not empty?
-diff --git a/src/tests/firewall-cmd_test.sh b/src/tests/firewall-cmd_test.sh
-index 653c644..ea076a0 100755
---- a/src/tests/firewall-cmd_test.sh
-+++ b/src/tests/firewall-cmd_test.sh
-@@ -339,6 +339,15 @@ assert_good " --query-port=111-222/udp --zone=${default_zone}"
- assert_good "--remove-port 111-222/udp"
- assert_bad " --query-port=111-222/udp"
-
-+assert_good " --add-port=5000/sctp"
-+assert_good " --query-port=5000/sctp --zone=${default_zone}"
-+assert_good "--remove-port 5000/sctp"
-+assert_bad " --query-port=5000/sctp"
-+assert_good " --add-port=222/dccp"
-+assert_good " --query-port=222/dccp --zone=${default_zone}"
-+assert_good "--remove-port 222/dccp"
-+assert_bad " --query-port=222/dccp"
-+
- assert_bad "--permanent --add-port=666" # no protocol
- assert_bad "--permanent --add-port=666/dummy" # bad protocol
- assert_good "--permanent --add-port=666/tcp"
-@@ -348,6 +357,15 @@ assert_good "--permanent --query-port=111-222/udp"
- assert_good "--permanent --remove-port 111-222/udp"
- assert_bad "--permanent --query-port=111-222/udp"
-
-+assert_good "--permanent --add-port=5000/sctp"
-+assert_good "--permanent --query-port=5000/sctp --zone=${default_zone}"
-+assert_good "--permanent --remove-port 5000/sctp"
-+assert_bad "--permanent --query-port=5000/sctp"
-+assert_good "--permanent --add-port=222/dccp"
-+assert_good "--permanent --query-port=222/dccp --zone=${default_zone}"
-+assert_good "--permanent --remove-port 222/dccp"
-+assert_bad "--permanent --query-port=222/dccp"
-+
- assert_good " --add-port=80/tcp --add-port 443-444/udp"
- assert_good " --query-port=80/tcp --zone=${default_zone}"
- assert_good " --query-port=443-444/udp"
-@@ -488,6 +506,10 @@ assert_good " --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
-
assert_good " --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
- assert_good "--remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
- assert_bad " --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
-+assert_good " --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-+assert_good " --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
-+assert_good "--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-+assert_bad " --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-
- assert_bad "--permanent --add-forward-port=666" # no protocol
- assert_good "--permanent --add-forward-port=port=11:proto=tcp:toport=22 --zone=${default_zone}"
-@@ -499,6 +521,10 @@ assert_good "--permanent --add-forward-port=port=55:proto=tcp:toport=66:toadd
- assert_good "--permanent --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
- assert_good "--permanent --remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
- assert_bad "--permanent --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
-+assert_good "--permanent --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-+assert_good "--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
-+assert_good "--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-+assert_bad "--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-
- assert_good " --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200"
- assert_good " --query-forward-port=port=100:proto=tcp:toport=200"
-@@ -597,6 +623,18 @@ assert_good "--permanent --icmptype=${myicmp} --query-destination=ipv4"
- assert_good "--permanent --icmptype=${myicmp} --remove-destination=ipv4"
- assert_bad "--permanent --icmptype=${myicmp} --query-destination=ipv4"
-
-+# test sctp and dccp ports
-+assert_good "--permanent --service=${myservice} --add-port=666/sctp"
-+assert_good "--permanent --service=${myservice} --remove-port=666/sctp"
-+assert_good "--permanent --service=${myservice} --remove-port 666/sctp"
-+assert_bad "--permanent --service=${myservice} --query-port=666/sctp"
-+assert_good "--permanent --service=${myservice} --add-port=999/dccp"
-+assert_good "--permanent --service=${myservice} --remove-port=999/dccp"
-+assert_good "--permanent --service=${myservice} --remove-port 999/dccp"
-+assert_bad "--permanent --service=${myservice} --query-port=999/dccp"
-+assert_good "--permanent --service=${myservice} --add-port=666/sctp"
-+assert_good "--permanent --service=${myservice} --add-port=999/dccp"
-+
- # add them to zone
- assert_good "--permanent --zone=${myzone} --add-service=${myservice}"
- assert_good "--permanent --zone=${myzone} --add-icmp-block=${myicmp}"
-@@ -906,7 +944,9 @@ good_rules=(
- 'rule family="ipv4" source address="192.168.1.0/24" masquerade'
- 'rule family="ipv4" destination address="192.168.1.0/24" masquerade' # masquerade & destination
- 'rule family="ipv6" masquerade'
-- 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"')
-+ 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"'
-+ 'rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"'
-+ 'rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"')
-
- for (( i=0;i<${#good_rules[@]};i++)); do
- rule=${good_rules[${i}]}
-diff --git a/src/tests/firewall-offline-cmd_test.sh b/src/tests/firewall-offline-cmd_test.sh
-index ee7ffcd..f81c853 100755
---- a/src/tests/firewall-offline-cmd_test.sh
-+++ b/src/tests/firewall-offline-cmd_test.sh
-@@ -332,6 +332,15 @@ assert_good " --query-port=111-222/udp
--zone=${default_zone}"
- assert_good "--remove-port 111-222/udp"
- assert_bad " --query-port=111-222/udp"
-
-+assert_good " --add-port=5000/sctp"
-+assert_good " --query-port=5000/sctp --zone=${default_zone}"
-+assert_good "--remove-port 5000/sctp"
-+assert_bad " --query-port=5000/sctp"
-+assert_good " --add-port=222/dccp"
-+assert_good " --query-port=222/dccp --zone=${default_zone}"
-+assert_good "--remove-port 222/dccp"
-+assert_bad " --query-port=222/dccp"
-+
- assert_good " --add-port=80/tcp --add-port 443-444/udp"
- assert_good " --query-port=80/tcp --zone=${default_zone}"
- assert_good " --query-port=443-444/udp"
-@@ -409,6 +418,10 @@ assert_good " --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
- assert_good " --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
- assert_good "--remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
- assert_bad " --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
-+assert_good " --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-+assert_good " --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
-+assert_good "--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-+assert_bad " --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
-
- assert_good " --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200"
- assert_good " --query-forward-port=port=100:proto=tcp:toport=200"
-@@ -494,6 +507,18 @@ assert_good "--icmptype=${myicmp} --query-destination=ipv4"
- assert_good "--icmptype=${myicmp} --remove-destination=ipv4"
- assert_bad "--icmptype=${myicmp} --query-destination=ipv4"
-
-+# test sctp and dccp ports
-+assert_good "--service=${myservice} --add-port=666/sctp"
-+assert_good "--service=${myservice} --remove-port=666/sctp"
-+assert_good "--service=${myservice} --remove-port 666/sctp"
-+assert_bad "--service=${myservice}
--query-port=666/sctp"
-+assert_good "--service=${myservice} --add-port=999/dccp"
-+assert_good "--service=${myservice} --remove-port=999/dccp"
-+assert_good "--service=${myservice} --remove-port 999/dccp"
-+assert_bad "--service=${myservice} --query-port=999/dccp"
-+assert_good "--service=${myservice} --add-port=666/sctp"
-+assert_good "--service=${myservice} --add-port=999/dccp"
-+
- # add them to zone
- assert_good "--zone=${myzone} --add-service=${myservice}"
- assert_good "--zone=${myzone} --add-icmp-block=${myicmp}"
-@@ -688,7 +713,9 @@ good_rules=(
- 'rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirect" level="info" limit value="4/m"'
- 'rule family="ipv4" source address="192.168.1.0/24" masquerade'
- 'rule family="ipv6" masquerade'
-- 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"')
-+ 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"'
-+ 'rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"'
-+ 'rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"')
-
- for (( i=0;i<${#good_rules[@]};i++)); do
- rule=${good_rules[${i}]}
diff --git a/SOURCES/firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch b/SOURCES/firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch
deleted file mode 100644
index fd91326..0000000
--- a/SOURCES/firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch
+++ /dev/null
@@ -1,1687 +0,0 @@ -diff -up firewalld-0.4.4.4/po/ja.po.translation-update-ja_rhbz#1382652 firewalld-0.4.4.4/po/ja.po ---- firewalld-0.4.4.4/po/ja.po.translation-update-ja_rhbz#1382652 2017-03-27 19:17:41.000000000 +0200 -+++ firewalld-0.4.4.4/po/ja.po 2017-05-31 13:34:18.304718865 +0200 -@@ -1,7 +1,7 @@ - # SOME DESCRIPTIVE TITLE. - # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER - # This file is distributed under the same license as the PACKAGE package. --# -+# - # Translators: - # Aiko Sasaki , 2014 - # Copyright (C) Red Hat Inc. 2010, 2011 -@@ -10,28 +10,25 @@ - # noriko , 2014 - # noriko , 2014 - # Tomoyuki KATO , 2012-2013 --# Hajime Taira , 2015. #zanata --# Aiko Sasaki , 2016. #zanata --# Hajime Taira , 2016. #zanata --# Noriko Mizumoto , 2016. #zanata --# Takuro Nagamoto , 2016. #zanata -+# kmoriguc , 2017. #zanata -+# ljanda , 2017. #zanata - msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: \n" --"POT-Creation-Date: 2016-12-01 12:20+0100\n" --"PO-Revision-Date: 2016-11-06 08:07-0500\n" --"Last-Translator: Hajime Taira \n" --"Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/" --"language/ja/)\n" --"Language: ja\n" -+"POT-Creation-Date: 2017-05-17 11:29+0200\n" - "MIME-Version: 1.0\n" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" -+"PO-Revision-Date: 2017-05-22 02:19+0000\n" -+"Last-Translator: kmoriguc \n" -+"Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/" -+"language/ja/)\n" -+"Language: ja\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Zanata 3.9.6\n" -+"X-Generator: Zanata 4.1.1\n" - --#: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet:411 -+#: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet:412 - msgid "Firewall Applet" - msgstr "ファイアウォールアプレット" - -@@ -48,644 +45,635 @@ msgstr "ファイアウォールの設� - msgid "firewall;network;security;iptables;netfilter;" - msgstr 
"ファイアウォール;ネットワーク;セキュリティー;iptables;netfilter;" - --#: ../src/firewall-applet:88 ../src/firewall-config:7926 -+#: ../src/firewall-applet:89 ../src/firewall-config:8028 - #, c-format - msgid "Select zone for interface '%s'" - msgstr "インターフェース '%s' のゾーンを選択する" - --#: ../src/firewall-applet:128 ../src/firewall-applet:135 --#: ../src/firewall-applet:141 ../src/firewall-config:2388 --#: ../src/firewall-config:7971 ../src/firewall-config:7979 --#: ../src/firewall-config:8011 ../src/firewall-config.glade.h:8 -+#: ../src/firewall-applet:129 ../src/firewall-applet:136 -+#: ../src/firewall-applet:142 ../src/firewall-config:2421 -+#: ../src/firewall-config:8073 ../src/firewall-config:8081 -+#: ../src/firewall-config:8113 ../src/firewall-config.glade.h:8 - msgid "Default Zone" - msgstr "標準ゾーン" - --#: ../src/firewall-applet:161 ../src/firewall-config:8004 -+#: ../src/firewall-applet:162 ../src/firewall-config:8106 - #, c-format - msgid "Select zone for connection '%s'" - msgstr "接続 '%s' のゾーンを選択する" - --#: ../src/firewall-applet:171 ../src/firewall-config:3848 -+#: ../src/firewall-applet:172 ../src/firewall-config:3891 - msgid "Failed to set zone {zone} for connection {connection}" - msgstr "接続 {connection} のゾーン {zone} の設定に失敗しました" - --#: ../src/firewall-applet:185 -+#: ../src/firewall-applet:186 - #, c-format - msgid "Select zone for source '%s'" - msgstr "ソース '%s' のゾーンを選択する" - --#: ../src/firewall-applet:202 -+#: ../src/firewall-applet:203 - msgid "Configure Shields Up/Down Zones" - msgstr "シールド・アップ/ダウン・ゾーンの設定" - --#: ../src/firewall-applet:215 -+#: ../src/firewall-applet:216 - msgid "Here you can select the zones used for Shields Up and Shields Down." --msgstr "" --"ここからシールド・アップおよびシールド・ダウンに対して使用するゾーンを選択で" --"きます。" -+msgstr "ここからシールド・アップおよびシールド・ダウンに対して使用するゾーンを選択できます。" - --#: ../src/firewall-applet:221 -+#: ../src/firewall-applet:222 - msgid "" - "This feature is useful for people using the default zones mostly. 
For users, " - "that are changing zones of connections, it might be of limited use." --msgstr "" --"この機能はたいてい標準のゾーンを使用する人々にとって有用です。接続のゾーンを" --"変更しているユーザーに対して、限定的に使用できます。" -+msgstr "この機能はたいてい標準のゾーンを使用する人々にとって有用です。接続のゾーンを変更しているユーザーに対して、限定的に使用できます。" - --#: ../src/firewall-applet:230 -+#: ../src/firewall-applet:231 - msgid "Shields Up Zone:" - msgstr "シールド・アップ・ゾーン:" - --#: ../src/firewall-applet:239 ../src/firewall-applet:252 -+#: ../src/firewall-applet:240 ../src/firewall-applet:253 - msgid "Reset To Default" - msgstr "デフォルトにリセット" - --#: ../src/firewall-applet:243 -+#: ../src/firewall-applet:244 - msgid "Shields Down Zone:" - msgstr "シールド・ダウン・ゾーン:" - --#: ../src/firewall-applet:335 -+#: ../src/firewall-applet:336 - #, c-format - msgid "About %s" - msgstr "%s について" - --#: ../src/firewall-applet:386 -+#: ../src/firewall-applet:387 - msgid "Authors" - msgstr "作者" - --#: ../src/firewall-applet:396 -+#: ../src/firewall-applet:397 - msgid "License" - msgstr "ライセンス" - --#: ../src/firewall-applet:462 -+#: ../src/firewall-applet:463 - msgid "Shields Up" - msgstr "シールド・アップ" - --#: ../src/firewall-applet:469 -+#: ../src/firewall-applet:470 - msgid "Enable Notifications" - msgstr "通知の有効化" - --#: ../src/firewall-applet:475 -+#: ../src/firewall-applet:476 - msgid "Edit Firewall Settings..." - msgstr "ファイアウォール設定の編集..." - --#: ../src/firewall-applet:479 ../src/firewall-config.glade.h:61 -+#: ../src/firewall-applet:480 ../src/firewall-config.glade.h:61 - msgid "Change Zones of Connections..." - msgstr "接続のゾーンの変更..." - --#: ../src/firewall-applet:483 -+#: ../src/firewall-applet:484 - msgid "Configure Shields UP/Down Zones..." - msgstr "シールド・アップ/ダウン・ゾーンの設定..." 
- --#: ../src/firewall-applet:487 -+#: ../src/firewall-applet:488 - msgid "Block all network traffic" - msgstr "すべてのネットワーク・トラフィックのブロック" - --#: ../src/firewall-applet:492 -+#: ../src/firewall-applet:493 - msgid "About" - msgstr "このアプリケーションについて" - --#: ../src/firewall-applet:500 ../src/firewall-config:610 --#: ../src/firewall-config:2330 ../src/firewall-config:2610 --#: ../src/firewall-config:2636 -+#: ../src/firewall-applet:501 ../src/firewall-config:614 -+#: ../src/firewall-config:2363 ../src/firewall-config:2643 -+#: ../src/firewall-config:2669 - msgid "Connections" - msgstr "接続" - --#: ../src/firewall-applet:504 ../src/firewall-config:612 --#: ../src/firewall-config:2417 ../src/firewall-config:2613 --#: ../src/firewall-config:2638 ../src/firewall-config.glade.h:129 -+#: ../src/firewall-applet:505 ../src/firewall-config:616 -+#: ../src/firewall-config:2450 ../src/firewall-config:2646 -+#: ../src/firewall-config:2671 ../src/firewall-config.glade.h:129 - msgid "Interfaces" - msgstr "インターフェース" - --#: ../src/firewall-applet:508 ../src/firewall-config:614 --#: ../src/firewall-config:2448 ../src/firewall-config:2616 --#: ../src/firewall-config:2640 ../src/firewall-config.glade.h:134 -+#: ../src/firewall-applet:509 ../src/firewall-config:618 -+#: ../src/firewall-config:2481 ../src/firewall-config:2649 -+#: ../src/firewall-config:2673 ../src/firewall-config.glade.h:134 - msgid "Sources" - msgstr "送信元" - --#: ../src/firewall-applet:584 ../src/firewall-config:2229 -+#: ../src/firewall-applet:585 ../src/firewall-config:2262 - msgid "Authorization failed." 
- msgstr "認証に失敗しました。" - --#: ../src/firewall-applet:586 ../src/firewall-config:2232 -+#: ../src/firewall-applet:587 ../src/firewall-config:2265 - msgid "Invalid name" - msgstr "不当な実引数 %s" - --#: ../src/firewall-applet:590 ../src/firewall-config:2236 -+#: ../src/firewall-applet:591 ../src/firewall-config:2269 - msgid "Name already exists" - msgstr "名前がすでに存在します" - --#: ../src/firewall-applet:675 -+#: ../src/firewall-applet:676 - msgid "{entry} (Zone: {zone})" - msgstr "{entry} (ゾーン: {zone})" - --#: ../src/firewall-applet:681 -+#: ../src/firewall-applet:682 - msgid "{entry} (Default Zone: {default_zone})" - msgstr "{entry} (デフォルトゾーン: {default_zone})" - --#: ../src/firewall-applet:762 ../src/firewall-config:1554 -+#: ../src/firewall-applet:763 ../src/firewall-config:1564 - msgid "Failed to get connections from NetworkManager" - msgstr "NetworkManager からの接続の取得に失敗しました" - --#: ../src/firewall-applet:774 ../src/firewall-config:1366 -+#: ../src/firewall-applet:775 ../src/firewall-config:1376 - msgid "No NetworkManager imports available" - msgstr "利用可能な NetworkManager インポートがありません" - --#: ../src/firewall-applet:852 -+#: ../src/firewall-applet:853 - msgid "No connection to firewall daemon" - msgstr "ファイアーウォール・デーモンへの接続がありません。" - --#: ../src/firewall-applet:860 ../src/firewall-applet:995 -+#: ../src/firewall-applet:861 ../src/firewall-applet:996 - msgid "All network traffic is blocked." 
- msgstr "すべてのネットワーク通信が遮断されます。" - --#: ../src/firewall-applet:864 -+#: ../src/firewall-applet:865 - #, c-format - msgid "Default Zone: '%s'" - msgstr "標準ゾーン: '%s'" - --#: ../src/firewall-applet:870 -+#: ../src/firewall-applet:871 - msgid "" - "Default Zone '{default_zone}' active for connection '{connection}' on " - "interface '{interface}'" - msgstr "" --"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 " --"'{connection}' に対して有効化" -+"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 '{connection}' に対して有効化" - --#: ../src/firewall-applet:873 -+#: ../src/firewall-applet:874 - msgid "" --"Zone '{zone}' active for connection '{connection}' on interface '{interface}'" --msgstr "" --"ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対し" --"て有効化" -+"Zone '{zone}' active for connection '{connection}' on interface " -+"'{interface}'" -+msgstr "ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対して有効化" - --#: ../src/firewall-applet:885 -+#: ../src/firewall-applet:886 - msgid "Zone '{zone}' active for interface '{interface}'" - msgstr "ゾーン '{zone}' がインターフェース '{interface}' に対して有効化" - --#: ../src/firewall-applet:893 -+#: ../src/firewall-applet:894 - msgid "Zone '{zone}' active for source {source}" - msgstr "ゾーン '{zone}' を送信元 {source} に対して有効化" - --#: ../src/firewall-applet:897 -+#: ../src/firewall-applet:898 - msgid "No Active Zones." - msgstr "有効なゾーンがありません。" - --#: ../src/firewall-applet:955 -+#: ../src/firewall-applet:956 - msgid "Connection to FirewallD established." - msgstr "FirewallD への接続が確立されました。" - --#: ../src/firewall-applet:967 -+#: ../src/firewall-applet:968 - msgid "Connection to FirewallD lost." - msgstr "FirewallD への接続が失われました。" - --#: ../src/firewall-applet:972 -+#: ../src/firewall-applet:973 - msgid "FirewallD has been reloaded." - msgstr "FirewallD が再読み込みされました。" - --#: ../src/firewall-applet:977 -+#: ../src/firewall-applet:978 - #, c-format - msgid "Default zone changed to '%s'." 
- msgstr "標準のゾーンを '%s' に変更しました。" - --#: ../src/firewall-applet:996 -+#: ../src/firewall-applet:997 - msgid "Network traffic is not blocked anymore." - msgstr "ネットワーク通信が遮断されなくなります。" - --#: ../src/firewall-applet:1022 ../src/firewall-applet:1076 -+#: ../src/firewall-applet:1023 ../src/firewall-applet:1077 - msgid "activated" - msgstr "有効化" - --#: ../src/firewall-applet:1023 ../src/firewall-applet:1077 -+#: ../src/firewall-applet:1024 ../src/firewall-applet:1078 - msgid "deactivated" - msgstr "無効化" - --#: ../src/firewall-applet:1028 -+#: ../src/firewall-applet:1029 - msgid "" - "Default zone '{default_zone}' {activated_deactivated} for connection " - "'{connection}' on interface '{interface}'" - msgstr "" --"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 " --"'{connection}' に対して {activated_deactivated} " -+"デフォルトゾーン '{default_zone}' がインターフェース '{interface}' の接続 '{connection}' に対して " -+"{activated_deactivated} " - --#: ../src/firewall-applet:1033 -+#: ../src/firewall-applet:1034 - msgid "" - "Zone '{zone}' {activated_deactivated} for connection '{connection}' on " - "interface '{interface}'" - msgstr "" --"ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対し" --"て {activated_deactivated}" -+"ゾーン '{zone}' がインターフェース '{interface}' の接続 '{connection}' に対して " -+"{activated_deactivated}" - --#: ../src/firewall-applet:1038 -+#: ../src/firewall-applet:1039 - msgid "Zone '{zone}' {activated_deactivated} for interface '{interface}'" - msgstr "" --"インターフェース '{interface}' に対してゾーン '{zone}' を " --"{activated_deactivated} しました" -+"インターフェース '{interface}' に対してゾーン '{zone}' を {activated_deactivated} しました" - --#: ../src/firewall-applet:1061 -+#: ../src/firewall-applet:1062 - #, c-format - msgid "Zone '%s' activated for interface '%s'" - msgstr "ゾーン '%s' をインターフェース '%s' に対して有効化しました" - --#: ../src/firewall-applet:1079 -+#: ../src/firewall-applet:1080 - msgid "Zone '{zone}' {activated_deactivated} for source '{source}'" --msgstr "" --"ゾーン '{zone}' を送信元 '{source}' に対して 
{activated_deactivated} しました" -+msgstr "ゾーン '{zone}' を送信元 '{source}' に対して {activated_deactivated} しました" - --#: ../src/firewall-applet:1103 -+#: ../src/firewall-applet:1104 - #, c-format - msgid "Zone '%s' activated for source '%s'" - msgstr "ゾーン '%s' を送信元 '%s' に対して有効化しました" - --#: ../src/firewall-config:85 -+#: ../src/firewall-config:89 - msgid "Connection to firewalld established." - msgstr " firewalld への接続が確立されました。" - --#: ../src/firewall-config:87 -+#: ../src/firewall-config:91 - msgid "Trying to connect to firewalld, waiting..." - msgstr "firewalld への接続を試行しています。お待ちください..." - --#: ../src/firewall-config:88 -+#: ../src/firewall-config:92 - msgid "Changes applied." - msgstr "変更を適用しました。" - --#: ../src/firewall-config:89 -+#: ../src/firewall-config:93 - #, c-format - msgid "Used by network connection '%s'" - msgstr "ネットワーク接続 '%s' により使用中" - --#: ../src/firewall-config:90 -+#: ../src/firewall-config:94 - #, c-format - msgid "Default zone used by network connection '%s'" - msgstr "ネットワーク接続 '%s' で使用されるデフォルトゾーン" - --#: ../src/firewall-config:92 -+#: ../src/firewall-config:96 - msgid "enabled" - msgstr "有効" - --#: ../src/firewall-config:93 -+#: ../src/firewall-config:97 - msgid "disabled" - msgstr "無効" - --#: ../src/firewall-config:117 -+#: ../src/firewall-config:121 - msgid "Failed to load icons." 
- msgstr "アイコンの読み込みに失敗しました。" - --#: ../src/firewall-config:393 ../src/firewall-config:2279 -+#: ../src/firewall-config:397 ../src/firewall-config:2312 - msgid "Runtime" - msgstr "実行時" - --#: ../src/firewall-config:394 -+#: ../src/firewall-config:398 - msgid "Permanent" - msgstr "永続" - --#: ../src/firewall-config:473 ../src/firewall-config.glade.h:137 -+#: ../src/firewall-config:477 ../src/firewall-config.glade.h:137 - msgid "Service" - msgstr "サービス" - --#: ../src/firewall-config:480 ../src/firewall-config:527 --#: ../src/firewall-config:552 ../src/firewall-config:789 --#: ../src/firewall-config:977 ../src/firewall-config:1011 -+#: ../src/firewall-config:484 ../src/firewall-config:531 -+#: ../src/firewall-config:556 ../src/firewall-config:798 -+#: ../src/firewall-config:986 ../src/firewall-config:1020 - msgid "Port" - msgstr "ポート" - --#: ../src/firewall-config:482 ../src/firewall-config:502 --#: ../src/firewall-config:529 ../src/firewall-config:554 --#: ../src/firewall-config:791 ../src/firewall-config:979 --#: ../src/firewall-config:994 ../src/firewall-config:1013 --#: ../src/firewall-config.glade.h:245 -+#: ../src/firewall-config:486 ../src/firewall-config:506 -+#: ../src/firewall-config:533 ../src/firewall-config:558 -+#: ../src/firewall-config:800 ../src/firewall-config:988 -+#: ../src/firewall-config:1003 ../src/firewall-config:1022 -+#: ../src/firewall-config.glade.h:247 - msgid "Protocol" - msgstr "プロトコル" - --#: ../src/firewall-config:556 -+#: ../src/firewall-config:560 - msgid "To Port" - msgstr "送信先ポート" - --#: ../src/firewall-config:558 -+#: ../src/firewall-config:562 - msgid "To Address" - msgstr "送信先アドレス" - --#: ../src/firewall-config:608 -+#: ../src/firewall-config:612 - msgid "Bindings" - msgstr "バインディング" - --#: ../src/firewall-config:642 -+#: ../src/firewall-config:647 ../src/firewall-config.glade.h:231 - msgid "Entry" - msgstr "エントリー" - --#: ../src/firewall-config:764 -+#: ../src/firewall-config:773 - msgid "Icmp Type" - msgstr "ICMP タイプ" - --#: 
../src/firewall-config:808 -+#: ../src/firewall-config:817 - msgid "Family" - msgstr "ファミリー" - --#: ../src/firewall-config:810 -+#: ../src/firewall-config:819 - msgid "Action" - msgstr "アクション" - --#: ../src/firewall-config:812 -+#: ../src/firewall-config:821 - msgid "Element" - msgstr "要素" - --#: ../src/firewall-config:814 -+#: ../src/firewall-config:823 - msgid "Src" - msgstr "送信元" - --#: ../src/firewall-config:816 -+#: ../src/firewall-config:825 - msgid "Dest" - msgstr "送信先" - --#: ../src/firewall-config:818 -+#: ../src/firewall-config:827 - msgid "log" - msgstr "ログ" - --#: ../src/firewall-config:820 -+#: ../src/firewall-config:829 - msgid "Audit" - msgstr "監査" - --#: ../src/firewall-config:1593 ../src/firewall-config:2751 --#: ../src/firewall-config:2799 -+#: ../src/firewall-config:1603 ../src/firewall-config:2784 -+#: ../src/firewall-config:2832 - msgid "Warning" - msgstr "警告" - --#: ../src/firewall-config:1602 -+#: ../src/firewall-config:1612 - msgid "Error" - msgstr "エラー" - --#: ../src/firewall-config:1995 ../src/firewall-config:3631 -+#: ../src/firewall-config:2018 ../src/firewall-config:3674 - msgid "accept" - msgstr "受信" - --#: ../src/firewall-config:1997 ../src/firewall-config:3633 --#: ../src/firewall-config:3781 -+#: ../src/firewall-config:2020 ../src/firewall-config:3676 -+#: ../src/firewall-config:3824 - msgid "reject" - msgstr "拒否" - --#: ../src/firewall-config:2001 ../src/firewall-config:3638 -+#: ../src/firewall-config:2024 ../src/firewall-config:3681 - msgid "drop" - msgstr "廃棄" - --#: ../src/firewall-config:2003 ../src/firewall-config:3640 --#: ../src/firewall-config:3782 -+#: ../src/firewall-config:2026 ../src/firewall-config:3683 -+#: ../src/firewall-config:3825 - msgid "mark" - msgstr "マーク" - --#: ../src/firewall-config:2006 ../src/firewall-config:2048 --#: ../src/firewall-config:2053 -+#: ../src/firewall-config:2029 ../src/firewall-config:2073 -+#: ../src/firewall-config:2078 - msgid "limit" - msgstr "制限" - --#: ../src/firewall-config:2022 
../src/firewall-config:3102 --#: ../src/firewall-config:3277 ../src/firewall-config:3581 --#: ../src/firewall-config.glade.h:275 -+#: ../src/firewall-config:2045 ../src/firewall-config:3135 -+#: ../src/firewall-config:3315 ../src/firewall-config:3621 -+#: ../src/firewall-config.glade.h:277 - msgid "service" - msgstr "サービス" - --#: ../src/firewall-config:2024 ../src/firewall-config:3108 --#: ../src/firewall-config:3279 ../src/firewall-config:3584 --#: ../src/firewall-config.glade.h:276 -+#: ../src/firewall-config:2047 ../src/firewall-config:3141 -+#: ../src/firewall-config:3317 ../src/firewall-config:3624 -+#: ../src/firewall-config.glade.h:278 - msgid "port" - msgstr "ポート" - --#: ../src/firewall-config:2027 ../src/firewall-config:3113 --#: ../src/firewall-config:3288 ../src/firewall-config:3594 --#: ../src/firewall-config.glade.h:277 -+#: ../src/firewall-config:2050 ../src/firewall-config:3146 -+#: ../src/firewall-config:3326 ../src/firewall-config:3634 -+#: ../src/firewall-config.glade.h:279 - msgid "protocol" - msgstr "プロトコル" - --#: ../src/firewall-config:2029 ../src/firewall-config:3118 --#: ../src/firewall-config:3608 ../src/firewall-config:3794 --#: ../src/firewall-config.glade.h:281 -+#: ../src/firewall-config:2052 ../src/firewall-config:3151 -+#: ../src/firewall-config:3651 ../src/firewall-config:3837 -+#: ../src/firewall-config.glade.h:284 - msgid "masquerade" - msgstr "マスカレード" - --#: ../src/firewall-config:2037 ../src/firewall-config:3135 --#: ../src/firewall-config:3294 ../src/firewall-config:3610 --#: ../src/firewall-config.glade.h:280 -+#: ../src/firewall-config:2062 ../src/firewall-config:3173 -+#: ../src/firewall-config:3334 ../src/firewall-config:3653 -+#: ../src/firewall-config.glade.h:283 - msgid "source-port" - msgstr "source-port" - --#: ../src/firewall-config:2046 -+#: ../src/firewall-config:2071 - msgid "level" - msgstr "レベル" - --#: ../src/firewall-config:2050 ../src/firewall-config:2055 -+#: ../src/firewall-config:2075 
../src/firewall-config:2080 - msgid "yes" - msgstr "はい" - --#: ../src/firewall-config:2392 ../src/firewall-config:2432 --#: ../src/firewall-config:2462 ../src/firewall-config.glade.h:88 -+#: ../src/firewall-config:2425 ../src/firewall-config:2465 -+#: ../src/firewall-config:2495 ../src/firewall-config.glade.h:88 - msgid "Zone" - msgstr "ゾーン" - --#: ../src/firewall-config:2405 -+#: ../src/firewall-config:2438 - #, c-format - msgid "Default Zone: %s" - msgstr "デフォルトゾーン: %s" - --#: ../src/firewall-config:2412 ../src/firewall-config:2443 --#: ../src/firewall-config:2473 -+#: ../src/firewall-config:2445 ../src/firewall-config:2476 -+#: ../src/firewall-config:2506 - #, c-format - msgid "Zone: %s" - msgstr "ゾーン: %s" - --#: ../src/firewall-config:2748 -+#: ../src/firewall-config:2781 - #, c-format - msgid "Zone '%s': Service '%s' is not available." - msgstr "ゾーン '%s': サービス '%s' が利用可能ではありません。" - --#: ../src/firewall-config:2752 ../src/firewall-config:2800 -+#: ../src/firewall-config:2785 ../src/firewall-config:2833 - #: ../src/firewall-config.glade.h:162 - msgid "Remove" - msgstr "ゾーンの削除" - --#: ../src/firewall-config:2752 ../src/firewall-config:2800 -+#: ../src/firewall-config:2785 ../src/firewall-config:2833 - msgid "Ignore" - msgstr "無視" - --#: ../src/firewall-config:2796 -+#: ../src/firewall-config:2829 - #, c-format - msgid "Zone '%s': ICMP type '%s' is not available." - msgstr "ゾーン '%s': ICMP タイプ '%s' が利用可能ではありません。" - --#: ../src/firewall-config:2951 -+#: ../src/firewall-config:2984 - msgid "Built-in zone, rename not supported." 
- msgstr "組み込みのゾーンです。名前の変更はできません。" - --#: ../src/firewall-config:3065 ../src/firewall-config:3556 --#: ../src/firewall-config.glade.h:261 -+#: ../src/firewall-config:3098 ../src/firewall-config:3596 -+#: ../src/firewall-config.glade.h:263 - msgid "second" - msgstr "秒" - --#: ../src/firewall-config:3066 ../src/firewall-config:3557 --#: ../src/firewall-config.glade.h:262 -+#: ../src/firewall-config:3099 ../src/firewall-config:3597 -+#: ../src/firewall-config.glade.h:264 - msgid "minute" - msgstr "分" - --#: ../src/firewall-config:3067 ../src/firewall-config:3558 --#: ../src/firewall-config.glade.h:263 -+#: ../src/firewall-config:3100 ../src/firewall-config:3598 -+#: ../src/firewall-config.glade.h:265 - msgid "hour" - msgstr "時間" - --#: ../src/firewall-config:3068 ../src/firewall-config:3559 --#: ../src/firewall-config.glade.h:264 -+#: ../src/firewall-config:3101 ../src/firewall-config:3599 -+#: ../src/firewall-config.glade.h:266 - msgid "day" - msgstr "日" - --#: ../src/firewall-config:3069 ../src/firewall-config:3560 --#: ../src/firewall-config.glade.h:267 -+#: ../src/firewall-config:3102 ../src/firewall-config:3600 -+#: ../src/firewall-config.glade.h:269 - msgid "emergency" - msgstr "緊急" - --#: ../src/firewall-config:3070 ../src/firewall-config:3561 --#: ../src/firewall-config.glade.h:268 -+#: ../src/firewall-config:3103 ../src/firewall-config:3601 -+#: ../src/firewall-config.glade.h:270 - msgid "alert" - msgstr "アラート" - --#: ../src/firewall-config:3071 ../src/firewall-config:3562 --#: ../src/firewall-config.glade.h:269 -+#: ../src/firewall-config:3104 ../src/firewall-config:3602 -+#: ../src/firewall-config.glade.h:271 - msgid "critical" - msgstr "クリティカル" - --#: ../src/firewall-config:3072 ../src/firewall-config:3563 --#: ../src/firewall-config.glade.h:270 -+#: ../src/firewall-config:3105 ../src/firewall-config:3603 -+#: ../src/firewall-config.glade.h:272 - msgid "error" - msgstr "エラー" - --#: ../src/firewall-config:3073 ../src/firewall-config:3564 --#: 
../src/firewall-config.glade.h:271 -+#: ../src/firewall-config:3106 ../src/firewall-config:3604 -+#: ../src/firewall-config.glade.h:273 - msgid "warning" - msgstr "警告" - --#: ../src/firewall-config:3074 ../src/firewall-config:3565 --#: ../src/firewall-config.glade.h:272 -+#: ../src/firewall-config:3107 ../src/firewall-config:3605 -+#: ../src/firewall-config.glade.h:274 - msgid "notice" - msgstr "注意" - --#: ../src/firewall-config:3075 ../src/firewall-config:3566 --#: ../src/firewall-config.glade.h:273 -+#: ../src/firewall-config:3108 ../src/firewall-config:3606 -+#: ../src/firewall-config.glade.h:275 - msgid "info" - msgstr "情報" - --#: ../src/firewall-config:3076 ../src/firewall-config:3567 --#: ../src/firewall-config.glade.h:274 -+#: ../src/firewall-config:3109 ../src/firewall-config:3607 -+#: ../src/firewall-config.glade.h:276 - msgid "debug" - msgstr "デバッグ" - --#: ../src/firewall-config:3121 ../src/firewall-config:3290 --#: ../src/firewall-config:3597 ../src/firewall-config:3809 --#: ../src/firewall-config.glade.h:278 -+#: ../src/firewall-config:3154 ../src/firewall-config:3328 -+#: ../src/firewall-config:3637 ../src/firewall-config:3852 -+#: ../src/firewall-config.glade.h:280 - msgid "icmp-block" - msgstr "icmp-block" - --#: ../src/firewall-config:3126 ../src/firewall-config:3292 --#: ../src/firewall-config:3600 ../src/firewall-config:3802 --#: ../src/firewall-config.glade.h:279 -+#: ../src/firewall-config:3159 ../src/firewall-config:3330 -+#: ../src/firewall-config:3640 ../src/firewall-config.glade.h:281 -+msgid "icmp-type" -+msgstr "icmp-type" -+ -+#: ../src/firewall-config:3164 ../src/firewall-config:3332 -+#: ../src/firewall-config:3643 ../src/firewall-config:3845 -+#: ../src/firewall-config.glade.h:282 - msgid "forward-port" - msgstr "forward-port" - --#: ../src/firewall-config:3269 ../src/firewall-config:3492 --#: ../src/firewall-config:3516 ../src/firewall-config:3571 --#: ../src/firewall-config:3698 ../src/firewall-config:3745 -+#: 
../src/firewall-config:3307 ../src/firewall-config:3532 -+#: ../src/firewall-config:3556 ../src/firewall-config:3611 -+#: ../src/firewall-config:3741 ../src/firewall-config:3788 - msgid "ipv4" - msgstr "IPv4" - --#: ../src/firewall-config:3271 ../src/firewall-config:3494 --#: ../src/firewall-config:3518 ../src/firewall-config:3573 --#: ../src/firewall-config:3700 ../src/firewall-config:3747 -+#: ../src/firewall-config:3309 ../src/firewall-config:3534 -+#: ../src/firewall-config:3558 ../src/firewall-config:3613 -+#: ../src/firewall-config:3743 ../src/firewall-config:3790 - msgid "ipv6" - msgstr "IPv6" - --#: ../src/firewall-config:4998 -+#: ../src/firewall-config:5057 - msgid "" --"Forwarding to another system is only useful if the interface is " --"masqueraded.\n" -+"Forwarding to another system is only useful if the interface is masqueraded.\n" - "Do you want to masquerade this zone ?" --msgstr "" --"他のシステムへの転送は、インターフェースがマスカレードされている場合のみ有用" --"です。\n" -+msgstr "他のシステムへの転送は、インターフェースがマスカレードされている場合のみ有用です。\n" - "このゾーンをマスカレードしたいですか ?" - --#: ../src/firewall-config:5361 -+#: ../src/firewall-config:5420 - msgid "Built-in service, rename not supported." - msgstr "組み込みのサービスです。名前の変更はできません。" - --#: ../src/firewall-config:5570 -+#: ../src/firewall-config:5629 - msgid "Please enter an ipv4 address with the form address[/mask]." - msgstr "IPv4 アドレスを address[/mask] の形式で入力してください。" - --#: ../src/firewall-config:5571 -+#: ../src/firewall-config:5630 - msgid "The mask can be a network mask or a number." - msgstr "mask は、ネットワークマスクもしくは数字で指定できます。" - --#: ../src/firewall-config:5573 -+#: ../src/firewall-config:5632 - msgid "Please enter an ipv6 address with the form address[/mask]." - msgstr "IPv6 アドレスを address[/mask] の形式で入力してください。" - --#: ../src/firewall-config:5574 -+#: ../src/firewall-config:5633 - msgid "The mask is a number." 
- msgstr "mask は数字で指定します。" - --#: ../src/firewall-config:5576 -+#: ../src/firewall-config:5635 - msgid "Please enter an ipv4 or ipv6 address with the form address[/mask]." --msgstr "" --"IPv4 もしくは IPv6 アドレスを address[/mask] の形式で入力してください。" -+msgstr "IPv4 もしくは IPv6 アドレスを address[/mask] の形式で入力してください。" - --#: ../src/firewall-config:5577 -+#: ../src/firewall-config:5636 - msgid "" - "The mask can be a network mask or a number for ipv4.\n" - "The mask is a number for ipv6." --msgstr "" --"mask は、IPv4 の場合ネットワークマスクが指定できます。IPv6 の場合には数字で指" --"定してください。" -+msgstr "mask は、IPv4 の場合ネットワークマスクが指定できます。IPv6 の場合には数字で指定してください。" - --#: ../src/firewall-config:5750 -+#: ../src/firewall-config:5820 - msgid "Built-in ipset, rename not supported." - msgstr "組み込みの IPSet です。名前の変更はできません。" - --#: ../src/firewall-config:5838 ../src/firewall-config:5920 -+#: ../src/firewall-config:5912 ../src/firewall-config:5994 - msgid "Please select a file" - msgstr "ファイルを選択してください" - --#: ../src/firewall-config:5845 ../src/firewall-config:5927 -+#: ../src/firewall-config:5919 ../src/firewall-config:6001 - msgid "Text Files" - msgstr "テキストファイル" - --#: ../src/firewall-config:5850 ../src/firewall-config:5932 -+#: ../src/firewall-config:5924 ../src/firewall-config:6006 - msgid "All Files" - msgstr "全ファイル" - --#: ../src/firewall-config:6331 ../src/firewall-config:6360 -+#: ../src/firewall-config:6427 ../src/firewall-config:6456 - #: ../src/firewall-config.glade.h:40 - msgid "All" - msgstr "すべて" - --#: ../src/firewall-config:6331 ../src/firewall-config:6360 -+#: ../src/firewall-config:6427 ../src/firewall-config:6456 - #: ../src/firewall-config.glade.h:41 - msgid "IPv4" - msgstr "IPv4" - --#: ../src/firewall-config:6332 ../src/firewall-config:6360 -+#: ../src/firewall-config:6428 ../src/firewall-config:6456 - #: ../src/firewall-config.glade.h:42 - msgid "IPv6" - msgstr "IPv6" - --#: ../src/firewall-config:6337 -+#: ../src/firewall-config:6433 - msgid "Built-in helper, rename not supported." 
- msgstr "ビルトインヘルパーです。名前の変更はサポートされていません。" - --#: ../src/firewall-config:6821 -+#: ../src/firewall-config:6923 - msgid "Built-in icmp, rename not supported." - msgstr "組み込みの ICMP です。名前の変更はできません。" - --#: ../src/firewall-config:7894 -+#: ../src/firewall-config:7996 - #, c-format - msgid "Failed to read file '%s': %s" - msgstr "ファイル '%s' の読み込みに失敗しました: %s" - --#: ../src/firewall-config:8026 -+#: ../src/firewall-config:8128 - #, c-format - msgid "Select zone for source %s" - msgstr "ソース %s のゾーンを選択する" -@@ -803,9 +791,7 @@ msgstr "送信先" - msgid "" - "If you enable local forwarding, you have to specify a port. This port has to " - "be different to the source port." --msgstr "" --"ローカル転送を有効にする場合、ポートを指定する必要があります。これはソース" --"ポートと異なる必要があります。" -+msgstr "ローカル転送を有効にする場合、ポートを指定する必要があります。これはソースポートと異なる必要があります。" - - #: ../src/firewall-config.glade.h:30 - msgid "Local forwarding" -@@ -913,9 +899,7 @@ msgid "" - "runtime configuration. i.e. all runtime only changes done until reload are " - "lost with reload if they have not been also in permanent configuration." - msgstr "" --"ファイアウォールルールを再読み込みします。現在の永続的な設定が新しい実行時の" --"設定になります。つまり、永続的な設定に存在しない、再読み込みするまでに行われ" --"た実行時の変更はすべて失われます。" -+"ファイアウォールルールを再読み込みします。現在の永続的な設定が新しい実行時の設定になります。つまり、永続的な設定に存在しない、再読み込みするまでに行われた実行時の変更はすべて失われます。" - - #: ../src/firewall-config.glade.h:60 - msgid "Change which zone a network connection belongs to." -@@ -957,9 +941,7 @@ msgstr "パニックモード" - msgid "" - "Lockdown locks firewall configuration so that only applications on lockdown " - "whitelist are able to change it." 
--msgstr "" --"ロックダウンにより、ロックダウン・ホワイトリストにあるアプリケーションのみが" --"ファイアウォール設定を変更できるようにロックします。" -+msgstr "ロックダウンにより、ロックダウン・ホワイトリストにあるアプリケーションのみがファイアウォール設定を変更できるようにロックします。" - - #: ../src/firewall-config.glade.h:71 - msgid "Lockdown" -@@ -1012,16 +994,12 @@ msgstr "バインディングのゾー� - #: ../src/firewall-config.glade.h:83 - msgid "" - "Hide active runtime bindings of connections, interfaces and sources to zones" --msgstr "" --"接続のアクティブなランタイムバインディング、インターフェースおよびソースを" --"ゾーンに対して非表示にします" -+msgstr "接続のアクティブなランタイムバインディング、インターフェースおよびソースをゾーンに対して非表示にします" - - #: ../src/firewall-config.glade.h:84 - msgid "" - "Show active runtime bindings of connections, interfaces and sources to zones" --msgstr "" --"接続のアクティブなランタイムバインディング、インターフェースおよびソースを" --"ゾーンに対して表示します" -+msgstr "接続のアクティブなランタイムバインディング、インターフェースおよびソースをゾーンに対して表示します" - - #: ../src/firewall-config.glade.h:85 - msgid "Configuration:" -@@ -1033,8 +1011,7 @@ msgid "" - "configuration. Permanent configuration will be active after service or " - "system reload or restart." - msgstr "" --"現在利用可能な設定。実行時の設定が実際に有効な設定です。永続的な設定は、サー" --"ビスまたはシステムが再読み込みまたは再起動した後、有効になります。" -+"現在利用可能な設定。実行時の設定が実際に有効な設定です。永続的な設定は、サービスまたはシステムが再読み込みまたは再起動した後、有効になります。" - - #: ../src/firewall-config.glade.h:87 - msgid "" -@@ -1044,11 +1021,9 @@ msgid "" - "filters and rich rules. The zone can be bound to interfaces and source " - "addresses." - msgstr "" --"firewalld ゾーンではゾーンに結び付けられているネットワーク接続、インター" --"フェースおよび送信元アドレスの信頼レベルを定義します。サービス、ポート、プロ" --"トコル、マスカレード、ポートとパケット転送、ICMP フィルター、高度なルールを組" --"み合わせます。ゾーンはインターフェースや送信元アドレスに結び付けることができ" --"ます。" -+"firewalld " -+"ゾーンではゾーンに結び付けられているネットワーク接続、インターフェースおよび送信元アドレスの信頼レベルを定義します。サービス、ポート、プロトコル、マスカレード、ポートとパケット転送、ICMP " -+"フィルター、高度なルールを組み合わせます。ゾーンはインターフェースや送信元アドレスに結び付けることができます。" - - #: ../src/firewall-config.glade.h:89 - msgid "Add Zone" -@@ -1072,9 +1047,7 @@ msgid "" - "are accessible from all hosts and networks that can reach the machine from " - "connections, interfaces and sources bound to this zone." 
- msgstr ""
--"このゾーンで信頼できるサービスを定義することができます。このゾーンに結び付け"
--"られている接続、インターフェース、送信元からこのマシンに到達できるホストや"
--"ネットワークならいずれでも信頼できるサービスへのアクセスが可能になります。"
-+"このゾーンで信頼できるサービスを定義することができます。このゾーンに結び付けられている接続、インターフェース、送信元からこのマシンに到達できるホストやネットワークならいずれでも信頼できるサービスへのアクセスが可能になります。"
-
- #: ../src/firewall-config.glade.h:94
- msgid "Services"
-@@ -1084,9 +1057,7 @@ msgstr "サービス"
- msgid ""
- "Add additional ports or port ranges, which need to be accessible for all "
- "hosts or networks that can connect to the machine."
--msgstr ""
--"このマシンに接続できるホストやネットワークがアクセスできなければならないポー"
--"トまたはポート範囲を追加します。"
-+msgstr "このマシンに接続できるホストやネットワークがアクセスできなければならないポートまたはポート範囲を追加します。"
-
- #: ../src/firewall-config.glade.h:96
- msgid "Add Port"
-@@ -1106,9 +1077,7 @@ msgstr "ポート"
-
- #: ../src/firewall-config.glade.h:100
- msgid "Add protocols, which need to be accessible for all hosts or networks."
--msgstr ""
--"すべてのホストやネットワークがアクセスできなければならないプロトコルを追加し"
--"ます。"
-+msgstr "すべてのホストやネットワークがアクセスできなければならないプロトコルを追加します。"
-
- #: ../src/firewall-config.glade.h:101
- msgid "Add Protocol"
-@@ -1130,9 +1099,7 @@ msgstr "プロトコル"
- msgid ""
- "Add additional source ports or port ranges, which need to be accessible for "
- "all hosts or networks that can connect to the machine."
--msgstr ""
--"このマシンに接続できるすべてのホストやネットワークがアクセスできなければなら"
--"ないソースポートまたはポート範囲を追加します。"
-+msgstr "このマシンに接続できるすべてのホストやネットワークがアクセスできなければならないソースポートまたはポート範囲を追加します。"
-
- #: ../src/firewall-config.glade.h:106
- msgid "Source Ports"
-@@ -1144,10 +1111,8 @@ msgid ""
- "network to the internet. Your local network will not be visible and the "
- "hosts appear as a single address on the internet. Masquerading is IPv4 only."
- msgstr ""
--"マスカレード機能を使用するとローカルネットワークをインターネットに繋げるルー"
--"ターまたはホストをセットアップすることができます。ローカルネットワークはイン"
--"ターネット上からは見えなくなり、インターネット上ではホストが 1 つのアドレスと"
--"して表示されます。マスカレード機能は IPv4 限定です。"
-+"マスカレード機能を使用するとローカルネットワークをインターネットに繋げるルーターまたはホストをセットアップすることができます。ローカルネットワークはインターネット上からは見えなくなり、インターネット上ではホストが "
-+"1 つのアドレスとして表示されます。マスカレード機能は IPv4 限定です。"
-
- #: ../src/firewall-config.glade.h:108
- msgid "Masquerade zone"
-@@ -1157,9 +1122,7 @@ msgstr "マスカレードゾーン"
- msgid ""
- "If you enable masquerading, IP forwarding will be enabled for your IPv4 "
- "networks."
--msgstr ""
--"マスカレード機能を有効にすると、IPv4 ネットワークで IP フォワーディングが有効"
--"になります。"
-+msgstr "マスカレード機能を有効にすると、IPv4 ネットワークで IP フォワーディングが有効になります。"
-
- #: ../src/firewall-config.glade.h:110
- msgid "Masquerading"
-@@ -1172,10 +1135,8 @@ msgid ""
- "system is only useful if the interface is masqueraded. Port forwarding is "
- "IPv4 only."
- msgstr ""
--"ローカルシステム上の任意のポートから別のポートへポート転送、ローカルシステム"
--"から別のシステムへのポート転送を行うためのエントリーを追加します。別のシステ"
--"ムへのポート転送についてはインターフェースがマスカレードされている場合にのみ"
--"有効です。ポート転送は IPv4 限定です。"
-+"ローカルシステム上の任意のポートから別のポートへポート転送、ローカルシステムから別のシステムへのポート転送を行うためのエントリーを追加します。別のシステムへのポート転送についてはインターフェースがマスカレードされている場合にのみ有効です。ポート転送は "
-+"IPv4 限定です。"
-
- #: ../src/firewall-config.glade.h:112
- msgid "Add Forward Port"
-@@ -1195,27 +1156,24 @@ msgid ""
- "messages between networked computers, but additionally for informational "
- "messages like ping requests and replies."
- msgstr ""
--"ICMP (Internet Control Message Protocol) は、主にネットワーク上の コンピュー"
--"タ間でエラーメッセージを送信するのに使用されますが、更には ping の要求や応答"
--"などの情報メッセージにも使用されます。"
-+"ICMP (Internet Control Message Protocol) は、主にネットワーク上の "
-+"コンピュータ間でエラーメッセージを送信するのに使用されますが、更には ping の要求や応答などの情報メッセージにも使用されます。"
-
- #: ../src/firewall-config.glade.h:116
- msgid ""
- "Mark the ICMP types in the list, which should be rejected. All other ICMP "
- "types are allowed to pass the firewall. The default is no limitation."
- msgstr ""
--"一覧内の拒否されるべき ICMP タイプをマークします。 その他すべての ICMP タイプ"
--"はファイアーウォールの通過が許可されます。 デフォルトでは無制限になっていま"
--"す。"
-+"一覧内の拒否されるべき ICMP タイプをマークします。 その他すべての ICMP タイプはファイアーウォールの通過が許可されます。 "
-+"デフォルトでは無制限になっています。"
-
- #: ../src/firewall-config.glade.h:117
- msgid ""
- "If Invert Filter is enabled, marked ICMP entries are accepted and the others "
- "are rejected. In a zone with the target DROP, they are dropped."
- msgstr ""
--"反転フィルターが有効にされている場合、マークされた ICMP エントリーは受け入れ"
--"られ、それ以外は拒否されます。ターゲットが DROP のゾーンでは、それらは破棄さ"
--"れます。"
-+"反転フィルターが有効にされている場合、マークされた ICMP エントリーは受け入れられ、それ以外は拒否されます。ターゲットが DROP "
-+"のゾーンでは、それらは破棄されます。"
-
- #: ../src/firewall-config.glade.h:118
- msgid "Invert Filter"
-@@ -1250,8 +1208,7 @@ msgid ""
- "Add entries to bind interfaces to the zone. If the interface will be used by "
- "a connection, the zone will be set to the zone specified in the connection."
- msgstr ""
--"インターフェースをゾーンに割り当てるための項目を追加します。インターフェース"
--"が接続により使用される場合、ゾーンが接続で指定されたゾーンが設定されます。"
-+"インターフェースをゾーンに割り当てるための項目を追加します。インターフェースが接続により使用される場合、ゾーンが接続で指定されたゾーンが設定されます。"
-
- #: ../src/firewall-config.glade.h:126
- msgid "Add Interface"
-@@ -1271,10 +1228,9 @@ msgid ""
- "to a MAC source address, but with limitations. Port forwarding and "
- "masquerading will not work for MAC source bindings."
- msgstr ""
--"ゾーンに送信元アドレスもしくはエリアをバインドするためにエントリーを追加しま"
--"す。送信元の MAC アドレスをバインドすることもできます。しかし、その場合に制約"
--"があります。ポートフォアーディングおよびマスカレーディングには、送信元 MAC ア"
--"ドレスのバインディングは機能しません。"
-+"ゾーンに送信元アドレスもしくはエリアをバインドするためにエントリーを追加します。送信元の MAC "
-+"アドレスをバインドすることもできます。しかし、その場合に制約があります。ポートフォアーディングおよびマスカレーディングには、送信元 MAC "
-+"アドレスのバインディングは機能しません。"
-
- #: ../src/firewall-config.glade.h:131
- msgid "Add Source"
-@@ -1296,9 +1252,7 @@ msgstr "ゾーン"
- msgid ""
- "A firewalld service is a combination of ports, protocols, modules and "
- "destination addresses."
--msgstr ""
--"firewalld サービスとはポートやプロトコル、モジュール、送信先アドレスなどの組"
--"み合わせを指します。"
-+msgstr "firewalld サービスとはポートやプロトコル、モジュール、送信先アドレスなどの組み合わせを指します。"
-
- #: ../src/firewall-config.glade.h:138
- msgid "Add Service"
-@@ -1320,9 +1274,7 @@ msgstr "サービスの標準の読み�
- msgid ""
- "Add additional ports or port ranges, which need to be accessible for all "
- "hosts or networks."
--msgstr ""
--"すべてのホストやネットワークからアクセスできることが必要な追加のポートか、"
--"ポートの範囲を追加します。"
-+msgstr "すべてのホストやネットワークからアクセスできることが必要な追加のポートか、ポートの範囲を追加します。"
-
- #: ../src/firewall-config.glade.h:143
- msgid "Edit Entry"
-@@ -1336,9 +1288,7 @@ msgstr "エントリーの削除"
- msgid ""
- "Add additional source ports or port ranges, which need to be accessible for "
- "all hosts or networks."
--msgstr ""
--"すべてのホストやネットワークがアクセスできなければならないソースポートまたは"
--"ポート範囲を追加します。"
-+msgstr "すべてのホストやネットワークがアクセスできなければならないソースポートまたはポート範囲を追加します。"
-
- #: ../src/firewall-config.glade.h:146
- msgid "Source Port"
-@@ -1357,9 +1307,7 @@ msgid ""
- "If you specify destination addresses, the service entry will be limited to "
- "the destination address and type. If both entries are empty, there is no "
- "limitation."
--msgstr ""
--"送信先アドレスを指定すると、サービスの項目が送信先アドレスとタイプに制限され"
--"ます。どちらの項目も空の場合、制限がありません。"
-+msgstr "送信先アドレスを指定すると、サービスの項目が送信先アドレスとタイプに制限されます。どちらの項目も空の場合、制限がありません。"
-
- #: ../src/firewall-config.glade.h:150
- msgid "IPv4:"
-@@ -1373,17 +1321,13 @@ msgstr "IPv6:"
- msgid ""
- "Services can only be changed in the permanent configuration view. The "
- "runtime configuration of services is fixed."
--msgstr ""
--"サービスは永続的な設定の表示画面だけで変更できます。サービスの実行時の設定が"
--"変更されます。"
-+msgstr "サービスは永続的な設定の表示画面だけで変更できます。サービスの実行時の設定が変更されます。"
-
- #: ../src/firewall-config.glade.h:153
- msgid ""
- "An IPSet can be used to create white or black lists and is able to store for "
- "example IP addresses, port numbers or MAC addresses. "
--msgstr ""
--"IPSet はホワイトリストもしくはブラックリストを作成でき、その中に、IPアドレス"
--"やポート番号、MAC アドレスの情報を格納できます。"
-+msgstr "IPSet はホワイトリストもしくはブラックリストを作成でき、その中に、IPアドレスやポート番号、MAC アドレスの情報を格納できます。"
-
- #: ../src/firewall-config.glade.h:154
- msgid "IPSet"
-@@ -1412,17 +1356,16 @@ msgid ""
- "added by firewalld. Entries, that have been directly added with the ipset "
- "command wil not be listed here."
- msgstr ""
--"IPSet エントリーの一覧では、タイムアウトオプションを使用していない IPSet のエ"
--"ントリー、firewalld によって追加されたエントリーのみを確認することができま"
--"す。ipset コマンドを直接実行して追加したエントリーは表示されません。"
-+"IPSet エントリーの一覧では、タイムアウトオプションを使用していない IPSet のエントリー、firewalld "
-+"によって追加されたエントリーのみを確認することができます。ipset コマンドを直接実行して追加したエントリーは表示されません。"
-
- #: ../src/firewall-config.glade.h:160
- msgid ""
- "This IPSet uses the timeout option, therefore no entries are visible here. "
- "The entries should be taken care directly with the ipset command."
- msgstr ""
--"この IPSet はタイムアウトオプションを使っています。従って、ここにはエントリー"
--"が表示されません。エントリーは ipset コマンドを直接実行する必要があります。"
-+"この IPSet はタイムアウトオプションを使っています。従って、ここにはエントリーが表示されません。エントリーは ipset "
-+"コマンドを直接実行する必要があります。"
-
- #: ../src/firewall-config.glade.h:161
- msgid "Add"
-@@ -1442,8 +1385,8 @@ msgid ""
- "A firewalld icmptype provides the information for an Internet Control "
- "Message Protocol (ICMP) type for firewalld."
- msgstr ""
--"firewalld の ICMP タイプは firewalld 用の Internet Control Message Protocol "
--"(ICMP) タイプの情報を提供します。"
-+"firewalld の ICMP タイプは firewalld 用の Internet Control Message Protocol (ICMP) "
-+"タイプの情報を提供します。"
-
- #: ../src/firewall-config.glade.h:166
- msgid "Add ICMP Type"
-@@ -1463,16 +1406,13 @@ msgstr "ICMP タイプの初期値の読
-
- #: ../src/firewall-config.glade.h:170
- msgid "Specify whether this ICMP Type is available for IPv4 and/or IPv6."
--msgstr ""
--"この ICMP タイプが IPv4 と IPv6 に対して利用可能であるかどうかを指定します。"
-+msgstr "この ICMP タイプが IPv4 と IPv6 に対して利用可能であるかどうかを指定します。"
-
- #: ../src/firewall-config.glade.h:171
- msgid ""
- "ICMP Types can only be changed in the permanent configuration view. The "
- "runtime configuration of ICMP Types is fixed."
--msgstr ""
--"ICMP タイプは永続的な設定の表示画面だけで変更できます。ICMP タイプの実行時の"
--"設定は変更されます。"
-+msgstr "ICMP タイプは永続的な設定の表示画面だけで変更できます。ICMP タイプの実行時の設定は変更されます。"
-
- #: ../src/firewall-config.glade.h:172
- msgid ""
-@@ -1481,12 +1421,11 @@ msgid ""
- "are using ports that are unrelated to the signaling connection and are "
- "therefore blocked by the firewall without the helper."
- msgstr ""
-+"接続追跡ヘルパーはシグナルおよびデータ転送に異なるフローを使用しているプロトコルが機能するよう支援します。データ転送はシグナル接続とは関連のないポートを使用しているので、ヘルパーがないとファイアウォールでブロックされます。"
-
- #: ../src/firewall-config.glade.h:173
- msgid "Define ports or port ranges, which are monitored by the helper."
--msgstr ""
--"ポートもしくはポートの範囲を定義し、それをヘルパーによってモニタリングされま"
--"す。"
-+msgstr "ポートもしくはポートの範囲を定義し、それをヘルパーによってモニタリングされます。"
-
- #: ../src/firewall-config.glade.h:174
- msgid ""
-@@ -1495,11 +1434,8 @@ msgid ""
- "commands, parameters and targets. Direct configuration should be used only "
- "as a last resort when it is not possible to use other firewalld features."
- msgstr ""
--"ダイレクト設定により、ファイアウォールにより直接アクセスできます。これらのオ"
--"プションは、ユーザーが iptables の基本的な概念、つまりテーブル、チェイン、コ"
--"マンド、パラメーター、ターゲットに関する知識を有していることを前提にしていま"
--"す。ダイレクト設定は、他のファイアウォール機能を使用できない場合に、最終手段"
--"としてのみ使用すべきです。"
-+"ダイレクト設定により、ファイアウォールにより直接アクセスできます。これらのオプションは、ユーザーが iptables "
-+"の基本的な概念、つまりテーブル、チェイン、コマンド、パラメーター、ターゲットに関する知識を有していることを前提にしています。ダイレクト設定は、他のファイアウォール機能を使用できない場合に、最終手段としてのみ使用すべきです。"
-
- #: ../src/firewall-config.glade.h:175
- msgid ""
-@@ -1507,9 +1443,9 @@ msgid ""
- "will be for iptables, with ipv6 for ip6tables and with eb for ethernet "
- "bridges (ebtables)."
- msgstr ""
--"各オプションの ipv 引数は ipv4, ipv6, eb のどれかである必要があります。ipv4 "
--"を指定すると、iptables が使用されます。ipv6 を指定すると、ip6tables が使用さ"
--"れます。eb を指定すると、イーサネットブリッジ (ebtables) が使用されます。"
-+"各オプションの ipv 引数は ipv4, ipv6, eb のどれかである必要があります。ipv4 を指定すると、iptables "
-+"が使用されます。ipv6 を指定すると、ip6tables が使用されます。eb を指定すると、イーサネットブリッジ (ebtables) "
-+"が使用されます。"
-
- #: ../src/firewall-config.glade.h:176
- msgid "Additional chains for use with rules."
-@@ -1534,9 +1470,7 @@ msgstr "チェイン"
- #: ../src/firewall-config.glade.h:181
- msgid ""
- "Add a rule with the arguments args to a chain in a table with a priority."
--msgstr ""
--"ルールを args 引数とともに、テーブルにあるチェインに優先度を付けて追加しま"
--"す。"
-+msgstr "ルールを args 引数とともに、テーブルにあるチェインに優先度を付けて追加します。"
-
- #: ../src/firewall-config.glade.h:182
- msgid ""
-@@ -1547,11 +1481,8 @@ msgid ""
- "after another one, use a low priority for the first and a higher for the "
- "following."
- msgstr ""
--"優先度はルールの順序をつけるために使用されます。優先度 0 はルールをチェインの"
--"最初に追加します。より高い優先度を持つルールがさらに下に追加されます。同じ優"
--"先度を持つルールは同じレベルになります。これらのルールの順序は固定されず、変"
--"更されるかもしれません。ルールを確実に他のルールの後ろに追加したい場合、最初"
--"に低い優先度を使用し、次により高い優先度を使用します。"
-+"優先度はルールの順序をつけるために使用されます。優先度 0 "
-+"はルールをチェインの最初に追加します。より高い優先度を持つルールがさらに下に追加されます。同じ優先度を持つルールは同じレベルになります。これらのルールの順序は固定されず、変更されるかもしれません。ルールを確実に他のルールの後ろに追加したい場合、最初に低い優先度を使用し、次により高い優先度を使用します。"
-
- #: ../src/firewall-config.glade.h:183
- msgid "Add Rule"
-@@ -1575,15 +1506,12 @@ msgid ""
- "not placed in special chains. All iptables, ip6tables and ebtables options "
- "can be used."
- msgstr ""
--"パススルールールは直接ファイアウォールに渡されるルールです。特別なチェインに"
--"置かれません。iptables, ip6tables, ebtables のすべてのオプションが使用できま"
--"す。"
-+"パススルールールは直接ファイアウォールに渡されるルールです。特別なチェインに置かれません。iptables, ip6tables, ebtables "
-+"のすべてのオプションが使用できます。"
-
- #: ../src/firewall-config.glade.h:188
- msgid "Please be careful with passthrough rules to not damage the firewall."
--msgstr ""
--"パススルールールを追加する場合、ファイアウォールを壊さないよう注意してくださ"
--"い。"
-+msgstr "パススルールールを追加する場合、ファイアウォールを壊さないよう注意してください。"
-
- #: ../src/firewall-config.glade.h:189
- msgid "Add Passthrough"
-@@ -1607,10 +1535,9 @@ msgid ""
- "firewalld. It limits changes to the firewall. The lockdown whitelist can "
- "contain commands, contexts, users and user ids."
- msgstr ""
--"ロックダウン機能はユーザーとアプリケーションのポリシーの firewalld 向け軽量"
--"バージョンです。これにより、ファイアウォールへの変更が制限されます。ロックダ"
--"ウン・ホワイトリストは、コマンド、コンテキスト、ユーザーおよびユーザー ID を"
--"含められます。"
-+"ロックダウン機能はユーザーとアプリケーションのポリシーの firewalld "
-+"向け軽量バージョンです。これにより、ファイアウォールへの変更が制限されます。ロックダウン・ホワイトリストは、コマンド、コンテキスト、ユーザーおよびユーザー "
-+"ID を含められます。"
-
- #: ../src/firewall-config.glade.h:194
- msgid ""
-@@ -1618,9 +1545,8 @@ msgid ""
- "service. To get the context of a running application use ps -e --"
- "context."
- msgstr ""
--"コンテキストは実行中のアプリケーションやサービスのセキュリティーコンテキスト"
--"(SELinux コンテキスト)です。実行中のアプリケーションのコンテキストを確認する"
--"には、ps -e --contextコマンドを使用します。"
-+"コンテキストは実行中のアプリケーションやサービスのセキュリティーコンテキスト(SELinux "
-+"コンテキスト)です。実行中のアプリケーションのコンテキストを確認するには、ps -e --contextコマンドを使用します。"
-
- #: ../src/firewall-config.glade.h:195
- msgid "Add Context"
-@@ -1644,9 +1570,8 @@ msgid ""
- "command lines starting with the command will match. If the '*' is not there "
- "the absolute command inclusive arguments must match."
- msgstr ""
--"ホワイトリストのコマンドがアスタリスク '*' で終わっている場合、そのコマンドか"
--"ら始まるすべてのコマンドラインに一致します。もし '*' がなければ、引数を含め、"
--"コマンドが完全に一致する必要があります。"
-+"ホワイトリストのコマンドがアスタリスク '*' で終わっている場合、そのコマンドから始まるすべてのコマンドラインに一致します。もし '*' "
-+"がなければ、引数を含め、コマンドが完全に一致する必要があります。"
-
- #: ../src/firewall-config.glade.h:200
- msgid "Add Command Line"
-@@ -1705,20 +1630,20 @@ msgid "User Ids"
- msgstr "ユーザー ID"
-
- #: ../src/firewall-config.glade.h:214
--msgid "Default Zone:"
--msgstr "標準ゾーン:"
--
--#: ../src/firewall-config.glade.h:215
- msgid "Current default zone of the system."
- msgstr "現在のシステムの標準ゾーン。"
-
--#: ../src/firewall-config.glade.h:216
-+#: ../src/firewall-config.glade.h:215
- msgctxt ""
- "Meaning: Log of denied packets. But this is too long. LogDenied is also the "
- "parameter used in firewalld.conf."
- msgid "Log Denied:"
- msgstr "拒否されたログ:"
-
-+#: ../src/firewall-config.glade.h:216
-+msgid "Panic Mode:"
-+msgstr "パニックモード:"
-+
- #: ../src/firewall-config.glade.h:217
- msgctxt ""
- "Meaning: Log of denied packets. But this is too long. LogDenied is also the "
-@@ -1731,235 +1656,238 @@ msgid "Lockdown:"
- msgstr "ロックダウン:"
-
- #: ../src/firewall-config.glade.h:219
--msgid "Panic Mode:"
--msgstr "パニックモード:"
-+msgid "Default Zone:"
-+msgstr "標準ゾーン:"
-
- #: ../src/firewall-config.glade.h:220
-+msgid "Interface"
-+msgstr "インターフェース"
-+
-+#: ../src/firewall-config.glade.h:221
- msgid "Base IPSet Settings"
- msgstr "基本 IPSet 設定"
-
--#: ../src/firewall-config.glade.h:221
-+#: ../src/firewall-config.glade.h:222
- msgid "Please configure base ipset settings:"
- msgstr "基本IPSet設定を設定してください:"
-
--#: ../src/firewall-config.glade.h:222
-+#: ../src/firewall-config.glade.h:223
- msgid "Type:"
- msgstr "タイプ:"
-
--#: ../src/firewall-config.glade.h:223
-+#: ../src/firewall-config.glade.h:224
- msgid "Timeout:"
- msgstr "タイムアウト:"
-
--#: ../src/firewall-config.glade.h:224
-+#: ../src/firewall-config.glade.h:225
- msgid "Hashsize:"
- msgstr "ハッシュサイズ:"
-
--#: ../src/firewall-config.glade.h:225
-+#: ../src/firewall-config.glade.h:226
- msgid "Maxelem:"
- msgstr "最大要素:"
-
--#: ../src/firewall-config.glade.h:226
-+#: ../src/firewall-config.glade.h:227
- msgid "Timeout value in seconds"
- msgstr "タイムアウトの秒数"
-
--#: ../src/firewall-config.glade.h:227
-+#: ../src/firewall-config.glade.h:228
- msgid "Initial hash size, default 1024"
- msgstr "ハッシュサイズの初期値、デフォルトは 1024"
-
--#: ../src/firewall-config.glade.h:228
-+#: ../src/firewall-config.glade.h:229
- msgid "Max number of elements, default 65536"
- msgstr "要素の最大数、デフォルトは 65536"
-
--#: ../src/firewall-config.glade.h:229
-+#: ../src/firewall-config.glade.h:230
- msgid "Please select an ipset:"
- msgstr "IPSet を選択してください:"
-
--#: ../src/firewall-config.glade.h:230
-+#: ../src/firewall-config.glade.h:232
- msgid "Log Denied"
- msgstr "拒否されたログ"
-
--#: ../src/firewall-config.glade.h:231
-+#: ../src/firewall-config.glade.h:233
- msgid "Please select the log denied value:"
- msgstr "拒否されたログの値を選択してください:"
-
--#: ../src/firewall-config.glade.h:232
-+#: ../src/firewall-config.glade.h:234
- msgid "Mark"
- msgstr "マーク"
-
--#: ../src/firewall-config.glade.h:233
-+#: ../src/firewall-config.glade.h:235
- msgid "Please enter a mark with an optional mask."
- msgstr "オプションのマスクと共にマークを入力してください。"
-
--#: ../src/firewall-config.glade.h:234
-+#: ../src/firewall-config.glade.h:236
- msgid "The mark and the mask fields are both 32 bits wide unsigned numbers."
- msgstr "マークとマスクフィールドはどちらも 32 ビットの符号なし数値になります。"
-
--#: ../src/firewall-config.glade.h:235
-+#: ../src/firewall-config.glade.h:237
- msgid "Mark:"
- msgstr "マーク:"
-
--#: ../src/firewall-config.glade.h:236
-+#: ../src/firewall-config.glade.h:238
- msgid "Mask:"
- msgstr "マスク:"
-
--#: ../src/firewall-config.glade.h:237
-+#: ../src/firewall-config.glade.h:239
- msgid "Please select a netfilter conntrack helper:"
- msgstr "netfilter conntrack ヘルパーを選択してください:"
-
--#: ../src/firewall-config.glade.h:238
-+#: ../src/firewall-config.glade.h:240
- msgid "- Select -"
- msgstr "- 選択 -"
-
--#: ../src/firewall-config.glade.h:239
-+#: ../src/firewall-config.glade.h:241
- msgid "Other Module:"
- msgstr "その他のモジュール:"
-
--#: ../src/firewall-config.glade.h:240
-+#: ../src/firewall-config.glade.h:242
- msgid "Port and Protocol"
- msgstr "ポートとプロトコル"
-
--#: ../src/firewall-config.glade.h:241
-+#: ../src/firewall-config.glade.h:243
- msgid "Please enter a port and protocol."
- msgstr "ポートおよびプロトコルを入力してください。"
-
--#: ../src/firewall-config.glade.h:242
-+#: ../src/firewall-config.glade.h:244
- msgid "Direct Rule"
- msgstr "ダイレクトルール"
-
--#: ../src/firewall-config.glade.h:243
-+#: ../src/firewall-config.glade.h:245
- msgid "Please select ipv and table, chain priority and enter the args."
- msgstr "ipv、テーブル、チェイン優先度および引数を入力してください。"
-
--#: ../src/firewall-config.glade.h:244
-+#: ../src/firewall-config.glade.h:246
- msgid "Priority:"
- msgstr "優先度:"
-
--#: ../src/firewall-config.glade.h:246
-+#: ../src/firewall-config.glade.h:248
- msgid "Please enter a protocol."
- msgstr "プロトコルを入力してください。"
-
--#: ../src/firewall-config.glade.h:247
-+#: ../src/firewall-config.glade.h:249
- msgid "Other Protocol:"
- msgstr "他のプロトコル:"
-
--#: ../src/firewall-config.glade.h:248
-+#: ../src/firewall-config.glade.h:250
- msgid "Rich Rule"
- msgstr "高度なルール"
-
--#: ../src/firewall-config.glade.h:249
-+#: ../src/firewall-config.glade.h:251
- msgid "Please enter a rich rule."
- msgstr "高度なルールを入力してください。"
-
--#: ../src/firewall-config.glade.h:250
-+#: ../src/firewall-config.glade.h:252
- msgid "For host or network white or blacklisting deactivate the element."
--msgstr ""
--"ホワイトリストまたはブラックリストにより、ホストまたはネットワークに対して要"
--"素を非アクティブ化します。"
-+msgstr "ホワイトリストまたはブラックリストにより、ホストまたはネットワークに対して要素を非アクティブ化します。"
-
--#: ../src/firewall-config.glade.h:251
-+#: ../src/firewall-config.glade.h:253
- msgid "Source:"
- msgstr "送信元:"
-
--#: ../src/firewall-config.glade.h:252
-+#: ../src/firewall-config.glade.h:254
- msgid "Destination:"
- msgstr "送信先:"
-
--#: ../src/firewall-config.glade.h:253
-+#: ../src/firewall-config.glade.h:255
- msgid "Log:"
- msgstr "ログ:"
-
--#: ../src/firewall-config.glade.h:254
-+#: ../src/firewall-config.glade.h:256
- msgid "Audit:"
- msgstr "監査:"
-
--#: ../src/firewall-config.glade.h:255
-+#: ../src/firewall-config.glade.h:257
- msgid "ipv4 and ipv6"
- msgstr "IPv4 と IPv6"
-
--#: ../src/firewall-config.glade.h:256
-+#: ../src/firewall-config.glade.h:258
- msgid "inverted"
- msgstr "反転"
-
--#: ../src/firewall-config.glade.h:257
-+#: ../src/firewall-config.glade.h:259
- msgid ""
--"To enable this Action has to be 'reject' and Family either 'ipv4' or "
--"'ipv6' (not both)."
-+"To enable this Action has to be 'reject' and Family either 'ipv4' or 'ipv6' "
-+"(not both)."
- msgstr ""
--"これを有効にするには、アクションを 'reject' にし、ファミリーを 'ipv4' または "
--"'ipv6' のいずれか (両方ではない) にする必要があります。"
-+"これを有効にするには、アクションを 'reject' にし、ファミリーを 'ipv4' または 'ipv6' のいずれか (両方ではない) "
-+"にする必要があります。"
-
--#: ../src/firewall-config.glade.h:258
-+#: ../src/firewall-config.glade.h:260
- msgid "with Type:"
- msgstr "タイプ:"
-
--#: ../src/firewall-config.glade.h:259
-+#: ../src/firewall-config.glade.h:261
- msgid "With limit:"
- msgstr "有効期限:"
-
--#: ../src/firewall-config.glade.h:260
-+#: ../src/firewall-config.glade.h:262
- msgid "/"
- msgstr "/"
-
--#: ../src/firewall-config.glade.h:265
-+#: ../src/firewall-config.glade.h:267
- msgid "Prefix:"
- msgstr "プレフィックス:"
-
--#: ../src/firewall-config.glade.h:266
-+#: ../src/firewall-config.glade.h:268
- msgid "Level:"
- msgstr "レベル:"
-
--#: ../src/firewall-config.glade.h:282
-+#: ../src/firewall-config.glade.h:285
- msgid "Element:"
- msgstr "要素:"
-
--#: ../src/firewall-config.glade.h:283
-+#: ../src/firewall-config.glade.h:286
- msgid "Action:"
- msgstr "アクション:"
-
--#: ../src/firewall-config.glade.h:284
-+#: ../src/firewall-config.glade.h:287
- msgid "Base Service Settings"
- msgstr "基本サービス設定"
-
--#: ../src/firewall-config.glade.h:285
-+#: ../src/firewall-config.glade.h:288
- msgid "Please configure base service settings:"
- msgstr "基本サービス設定を設定してください:"
-
--#: ../src/firewall-config.glade.h:286
-+#: ../src/firewall-config.glade.h:289
- msgid "Please select a service."
- msgstr "サービスを選択してください。"
-
--#: ../src/firewall-config.glade.h:287
-+#: ../src/firewall-config.glade.h:290
- msgid "User ID"
- msgstr "ユーザー ID"
-
--#: ../src/firewall-config.glade.h:288
-+#: ../src/firewall-config.glade.h:291
- msgid "Please enter the user id."
- msgstr "ユーザー ID を入力してください。"
-
--#: ../src/firewall-config.glade.h:289
-+#: ../src/firewall-config.glade.h:292
- msgid "User name"
- msgstr "ユーザー名"
-
--#: ../src/firewall-config.glade.h:290
-+#: ../src/firewall-config.glade.h:293
- msgid "Please enter the user name."
- msgstr "ユーザー名を入力してください。"
-
--#: ../src/firewall-config.glade.h:291
-+#: ../src/firewall-config.glade.h:294
- msgid "label"
- msgstr "ラベル"
-
--#: ../src/firewall-config.glade.h:292
-+#: ../src/firewall-config.glade.h:295
- msgid "Base Zone Settings"
- msgstr "基本ゾーン設定"
-
--#: ../src/firewall-config.glade.h:293
-+#: ../src/firewall-config.glade.h:296
- msgid "Please configure base zone settings:"
- msgstr "基本ゾーン設定を設定してください:"
-
--#: ../src/firewall-config.glade.h:294
-+#: ../src/firewall-config.glade.h:297
- msgid "Default Target"
- msgstr "標準ターゲット"
-
--#: ../src/firewall-config.glade.h:295
-+#: ../src/firewall-config.glade.h:298
- msgid "Target:"
- msgstr "ターゲット:"
-+
diff --git a/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch b/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch
deleted file mode 100644
index b796d31..0000000
--- a/SOURCES/firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch
+++ /dev/null
@@ -1,542 +0,0 @@
-From bc6ba9d59f8070b0e76f127f16ef1cd99da90ffc Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Fri, 19 May 2017 15:35:54 +0200
-Subject: [PATCH 5/6] D-Bus interfaces: Fix GetAll for interfaces without
- properties (RHBZ#1452017)
-
-Also: Make D-Bus error messages consistent in all interfaces.
-(cherry picked from commit fb44764d1275958401e2e69161d997bfb6e02899)
----
- src/firewall/server/config.py | 115 +++++++++++++++++++--------------
- src/firewall/server/config_helper.py | 15 ++---
- src/firewall/server/config_icmptype.py | 15 ++---
- src/firewall/server/config_ipset.py | 15 ++---
- src/firewall/server/config_service.py | 15 ++---
- src/firewall/server/config_zone.py | 15 ++---
- src/firewall/server/firewalld.py | 71 ++++++++++++++------
- 7 files changed, 152 insertions(+), 109 deletions(-)
-
-diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
-index 55bfffbebe76..33f72027d048 100644
---- a/src/firewall/server/config.py
-+++ b/src/firewall/server/config.py
-@@ -486,8 +486,8 @@ class FirewallDConfig(slip.dbus.service.Object):
- "Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers" ]:
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' isn't exported (or may not exist)" % prop)
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % prop)
-
- value = self.config.get_firewalld_conf().get(prop)
-
-@@ -546,8 +546,8 @@ class FirewallDConfig(slip.dbus.service.Object):
- return dbus.String(self._get_property(prop))
- else:
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' isn't exported (or may not exist)" % prop)
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % prop)
-
- @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
- out_signature='v')
-@@ -558,10 +558,17 @@ class FirewallDConfig(slip.dbus.service.Object):
- property_name = dbus_to_python(property_name, str)
- log.debug1("config.Get('%s', '%s')", interface_name, property_name)
-
-- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG:
-+ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
-+ return self._get_dbus_property(property_name)
-+ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
-+ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
-+ raise dbus.exceptions.DBusException(
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % property_name)
-+ else:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- return self._get_dbus_property(property_name)
-
-@@ -572,16 +579,20 @@ class FirewallDConfig(slip.dbus.service.Object):
- interface_name = dbus_to_python(interface_name, str)
- log.debug1("config.GetAll('%s')", interface_name)
-
-- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG:
-+ ret = { }
-+ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
-+ for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
-+ "Lockdown", "IPv6_rpfilter", "IndividualCalls",
-+ "LogDenied", "AutomaticHelpers" ]:
-+ ret[x] = self._get_property(x)
-+ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
-+ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
-+ pass
-+ else:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
-- ret = { }
-- for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
-- "IPv6_rpfilter", "IndividualCalls", "LogDenied",
-- "AutomaticHelpers" ]:
-- ret[x] = self._get_property(x)
- return dbus.Dictionary(ret, signature="sv")
-
- @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
-@@ -595,49 +606,55 @@ class FirewallDConfig(slip.dbus.service.Object):
- property_name, new_value)
- self.accessCheck(sender)
-
-- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG:
-- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
--
-- if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
-- "IPv6_rpfilter", "IndividualCalls", "LogDenied",
-- "AutomaticHelpers" ]:
-- if property_name == "MinimalMark":
-+ if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
-+ if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
-+ "IPv6_rpfilter", "IndividualCalls",
-+ "LogDenied", "AutomaticHelpers" ]:
-+ if property_name == "MinimalMark":
-+ try:
-+ int(new_value)
-+ except ValueError:
-+ raise FirewallError(errors.INVALID_MARK, new_value)
- try:
-- int(new_value)
-- except ValueError:
-- raise FirewallError(errors.INVALID_MARK, new_value)
-- try:
-- new_value = str(new_value)
-- except:
-- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \
-+ new_value = str(new_value)
-+ except:
-+ raise FirewallError(errors.INVALID_VALUE,
-+ "'%s' for %s" % \
-+ (new_value, property_name))
-+ if property_name in [ "CleanupOnExit", "Lockdown",
-+ "IPv6_rpfilter", "IndividualCalls" ]:
-+ if new_value.lower() not in [ "yes", "no",
-+ "true", "false" ]:
-+ raise FirewallError(errors.INVALID_VALUE,
-+ "'%s' for %s" % \
- (new_value, property_name))
-- if property_name in [ "CleanupOnExit", "Lockdown",
-- "IPv6_rpfilter", "IndividualCalls" ]:
-- if new_value.lower() not in [ "yes", "no", "true", "false" ]:
-- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \
-+ if property_name == "LogDenied":
-+ if new_value not in config.LOG_DENIED_VALUES:
-+ raise FirewallError(errors.INVALID_VALUE,
-+ "'%s' for %s" % \
- (new_value, property_name))
-- if property_name == "LogDenied":
-- if new_value not in config.LOG_DENIED_VALUES:
-- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \
-+ if property_name == "AutomaticHelpers":
-+ if new_value not in config.AUTOMATIC_HELPERS_VALUES:
-+ raise FirewallError(errors.INVALID_VALUE,
-+ "'%s' for %s" % \
- (new_value, property_name))
-- if property_name == "AutomaticHelpers":
-- if new_value not in config.AUTOMATIC_HELPERS_VALUES:
-- raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \
-- (new_value, property_name))
-- self.config.get_firewalld_conf().set(property_name, new_value)
-- self.config.get_firewalld_conf().write()
-- self.PropertiesChanged(interface_name,
-- { property_name: new_value }, [ ])
-- elif property_name in [ "DefaultZone" ]:
-+ self.config.get_firewalld_conf().set(property_name, new_value)
-+ self.config.get_firewalld_conf().write()
-+ self.PropertiesChanged(interface_name,
-+ { property_name: new_value }, [ ])
-+ else:
-+ raise dbus.exceptions.DBusException(
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % property_name)
-+ elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
-+ config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.PropertyReadOnly: "
-- "Property '%s' is read-only" % property_name)
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % property_name)
- else:
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' does not exist" % property_name)
-+ "org.freedesktop.DBus.Error.UnknownInterface: "
-+ "Interface '%s' does not exist" % interface_name)
-
- @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
- def PropertiesChanged(self, interface_name, changed_properties,
-diff --git a/src/firewall/server/config_helper.py b/src/firewall/server/config_helper.py
-index e3683e9b7788..23e30e04ba26 100644
---- a/src/firewall/server/config_helper.py
-+++ b/src/firewall/server/config_helper.py
-@@ -92,9 +92,8 @@ class FirewallDConfigHelper(slip.dbus.service.Object):
- return dbus.Boolean(self.obj.builtin)
- else:
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' isn't exported (or may not exist)" % \
-- property_name)
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % property_name)
-
- @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
- out_signature='v')
-@@ -109,7 +108,7 @@ class FirewallDConfigHelper(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- return self._get_property(property_name)
-
-@@ -123,7 +122,7 @@ class FirewallDConfigHelper(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- ret = { }
- for x in [ "name", "filename", "path", "default", "builtin" ]:
-@@ -144,11 +143,11 @@ class FirewallDConfigHelper(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' is not settable" % property_name)
-+ "org.freedesktop.DBus.Error.PropertyReadOnly: "
-+ "Property '%s' is read-only" % property_name)
-
- @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
- def PropertiesChanged(self, interface_name, changed_properties,
-diff --git a/src/firewall/server/config_icmptype.py b/src/firewall/server/config_icmptype.py
-index 9f571ae98128..e1724550d740 100644
---- a/src/firewall/server/config_icmptype.py
-+++ b/src/firewall/server/config_icmptype.py
-@@ -92,9 +92,8 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object):
- return dbus.Boolean(self.obj.builtin)
- else:
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' isn't exported (or may not exist)" % \
-- property_name)
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % property_name)
-
- @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
- out_signature='v')
-@@ -109,7 +108,7 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- return self._get_property(property_name)
-
-@@ -123,7 +122,7 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- ret = { }
- for x in [ "name", "filename", "path", "default", "builtin" ]:
-@@ -144,11 +143,11 @@ class FirewallDConfigIcmpType(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' is not settable" % property_name)
-+ "org.freedesktop.DBus.Error.PropertyReadOnly: "
-+ "Property '%s' is read-only" % property_name)
-
- @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
- def PropertiesChanged(self, interface_name, changed_properties,
-diff --git a/src/firewall/server/config_ipset.py b/src/firewall/server/config_ipset.py
-index a1613c6933ab..8c647bc29ab9 100644
---- a/src/firewall/server/config_ipset.py
-+++ b/src/firewall/server/config_ipset.py
-@@ -93,9 +93,8 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
- return dbus.Boolean(self.obj.builtin)
- else:
- raise dbus.exceptions.DBusException(
-- "org.freedesktop.DBus.Error.AccessDenied: "
-- "Property '%s' isn't exported (or may not exist)" % \
-- property_name)
-+ "org.freedesktop.DBus.Error.InvalidArgs: "
-+ "Property '%s' does not exist" % property_name)
-
- @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
- out_signature='v')
-@@ -110,7 +109,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- return self._get_property(property_name)
-
-@@ -124,7 +123,7 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
-
- ret = { }
- for x in [ "name", "filename", "path", "default", "builtin" ]:
-@@ -145,11 +144,11 @@ class FirewallDConfigIPSet(slip.dbus.service.Object):
- if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.UnknownInterface: "
-- "FirewallD does not implement %s" % interface_name)
-+ "Interface '%s' does not exist" % interface_name)
- - raise dbus.exceptions.DBusException( -- "org.freedesktop.DBus.Error.AccessDenied: " -- "Property '%s' is not settable" % property_name) -+ "org.freedesktop.DBus.Error.PropertyReadOnly: " -+ "Property '%s' is read-only" % property_name) - - @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') - def PropertiesChanged(self, interface_name, changed_properties, -diff --git a/src/firewall/server/config_service.py b/src/firewall/server/config_service.py -index 6745e253f88a..47530d319bdb 100644 ---- a/src/firewall/server/config_service.py -+++ b/src/firewall/server/config_service.py -@@ -92,9 +92,8 @@ class FirewallDConfigService(slip.dbus.service.Object): - return dbus.Boolean(self.obj.builtin) - else: - raise dbus.exceptions.DBusException( -- "org.freedesktop.DBus.Error.AccessDenied: " -- "Property '%s' isn't exported (or may not exist)" % \ -- property_name) -+ "org.freedesktop.DBus.Error.InvalidArgs: " -+ "Property '%s' does not exist" % property_name) - - @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', - out_signature='v') -@@ -109,7 +108,7 @@ class FirewallDConfigService(slip.dbus.service.Object): - if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -+ "Interface '%s' does not exist" % interface_name) - - return self._get_property(property_name) - -@@ -123,7 +122,7 @@ class FirewallDConfigService(slip.dbus.service.Object): - if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -+ "Interface '%s' does not exist" % interface_name) - - ret = { } - for x in [ "name", "filename", "path", "default", "builtin" ]: -@@ -144,11 +143,11 @@ class FirewallDConfigService(slip.dbus.service.Object): - if interface_name != 
config.dbus.DBUS_INTERFACE_CONFIG_SERVICE: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -+ "Interface '%s' does not exist" % interface_name) - - raise dbus.exceptions.DBusException( -- "org.freedesktop.DBus.Error.AccessDenied: " -- "Property '%s' is not settable" % property_name) -+ "org.freedesktop.DBus.Error.PropertyReadOnly: " -+ "Property '%s' is read-only" % property_name) - - @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') - def PropertiesChanged(self, interface_name, changed_properties, -diff --git a/src/firewall/server/config_zone.py b/src/firewall/server/config_zone.py -index 42ec963549d8..f98f700bec59 100644 ---- a/src/firewall/server/config_zone.py -+++ b/src/firewall/server/config_zone.py -@@ -94,9 +94,8 @@ class FirewallDConfigZone(slip.dbus.service.Object): - return dbus.Boolean(self.obj.builtin) - else: - raise dbus.exceptions.DBusException( -- "org.freedesktop.DBus.Error.AccessDenied: " -- "Property '%s' isn't exported (or may not exist)" % \ -- property_name) -+ "org.freedesktop.DBus.Error.InvalidArgs: " -+ "Property '%s' does not exist" % property_name) - - @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', - out_signature='v') -@@ -111,7 +110,7 @@ class FirewallDConfigZone(slip.dbus.service.Object): - if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -+ "Interface '%s' does not exist" % interface_name) - - return self._get_property(property_name) - -@@ -125,7 +124,7 @@ class FirewallDConfigZone(slip.dbus.service.Object): - if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -+ "Interface '%s' does not exist" % 
interface_name) - - ret = { } - for x in [ "name", "filename", "path", "default", "builtin" ]: -@@ -146,11 +145,11 @@ class FirewallDConfigZone(slip.dbus.service.Object): - if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -+ "Interface '%s' does not exist" % interface_name) - - raise dbus.exceptions.DBusException( -- "org.freedesktop.DBus.Error.AccessDenied: " -- "Property '%s' is not settable" % property_name) -+ "org.freedesktop.DBus.Error.PropertyReadOnly: " -+ "Property '%s' is read-only" % property_name) - - @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') - def PropertiesChanged(self, interface_name, changed_properties, -diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py -index 2f1f8234ab9c..8c4bd4f0c66a 100644 ---- a/src/firewall/server/firewalld.py -+++ b/src/firewall/server/firewalld.py -@@ -184,8 +184,8 @@ class FirewallD(slip.dbus.service.Object): - - else: - raise dbus.exceptions.DBusException( -- "org.freedesktop.DBus.Error.AccessDenied: " -- "Property '%s' isn't exported (or may not exist)" % prop) -+ "org.freedesktop.DBus.Error.InvalidArgs: " -+ "Property '%s' does not exist" % prop) - - @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', - out_signature='v') -@@ -196,12 +196,19 @@ class FirewallD(slip.dbus.service.Object): - property_name = dbus_to_python(property_name, str) - log.debug1("Get('%s', '%s')", interface_name, property_name) - -- if interface_name != config.dbus.DBUS_INTERFACE: -+ if interface_name == config.dbus.DBUS_INTERFACE: -+ return self._get_property(property_name) -+ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, -+ config.dbus.DBUS_INTERFACE_DIRECT, -+ config.dbus.DBUS_INTERFACE_POLICIES, -+ config.dbus.DBUS_INTERFACE_IPSET ]: -+ raise dbus.exceptions.DBusException( -+ 
"org.freedesktop.DBus.Error.InvalidArgs: " -+ "Property '%s' does not exist" % property_name) -+ else: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -- -- return self._get_property(property_name) -+ "Interface '%s' does not exist" % interface_name) - - @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s', - out_signature='a{sv}') -@@ -210,17 +217,24 @@ class FirewallD(slip.dbus.service.Object): - interface_name = dbus_to_python(interface_name, str) - log.debug1("GetAll('%s')", interface_name) - -- if interface_name != config.dbus.DBUS_INTERFACE: -+ ret = { } -+ if interface_name == config.dbus.DBUS_INTERFACE: -+ for x in [ "version", "interface_version", "state", -+ "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", -+ "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", -+ "nf_conntrack_helpers", "IPv4ICMPTypes", -+ "IPv6ICMPTypes" ]: -+ ret[x] = self._get_property(x) -+ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, -+ config.dbus.DBUS_INTERFACE_DIRECT, -+ config.dbus.DBUS_INTERFACE_POLICIES, -+ config.dbus.DBUS_INTERFACE_IPSET ]: -+ pass -+ else: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -+ "Interface '%s' does not exist" % interface_name) - -- ret = { } -- for x in [ "version", "interface_version", "state", -- "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", -- "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", -- "nf_conntrack_helpers", "IPv4ICMPTypes", "IPv6ICMPTypes" ]: -- ret[x] = self._get_property(x) - return dbus.Dictionary(ret, signature="sv") - - @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) -@@ -234,14 +248,31 @@ class FirewallD(slip.dbus.service.Object): - new_value) - self.accessCheck(sender) - -- if interface_name != config.dbus.DBUS_INTERFACE: -+ if interface_name == config.dbus.DBUS_INTERFACE: -+ if property_name in [ 
"version", "interface_version", "state", -+ "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", -+ "IPSet", "IPSetTypes", -+ "nf_conntrack_helper_setting", -+ "nf_conntrack_helpers", "IPv4ICMPTypes", -+ "IPv6ICMPTypes" ]: -+ raise dbus.exceptions.DBusException( -+ "org.freedesktop.DBus.Error.PropertyReadOnly: " -+ "Property '%s' is read-only" % property_name) -+ else: -+ raise dbus.exceptions.DBusException( -+ "org.freedesktop.DBus.Error.InvalidArgs: " -+ "Property '%s' does not exist" % property_name) -+ elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, -+ config.dbus.DBUS_INTERFACE_DIRECT, -+ config.dbus.DBUS_INTERFACE_POLICIES, -+ config.dbus.DBUS_INTERFACE_IPSET ]: -+ raise dbus.exceptions.DBusException( -+ "org.freedesktop.DBus.Error.InvalidArgs: " -+ "Property '%s' does not exist" % property_name) -+ else: - raise dbus.exceptions.DBusException( - "org.freedesktop.DBus.Error.UnknownInterface: " -- "FirewallD does not implement %s" % interface_name) -- -- raise dbus.exceptions.DBusException( -- "org.freedesktop.DBus.Error.AccessDenied: " -- "Property '%s' is not settable" % property_name) -+ "Interface '%s' does not exist" % interface_name) - - @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') - def PropertiesChanged(self, interface_name, changed_properties, --- -2.12.0 - diff --git a/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch deleted file mode 100644 index cbffa21..0000000 --- a/SOURCES/firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From f80a02d760b1810bb5a3021aabb78ed20f5e629d Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Mon, 22 May 2017 17:56:41 +0200
-Subject: [PATCH 2/6] firewall.core.fw: Get NAT helpers and store them
- internally.
-
-The NAT helpers are stored internally to be able to use them in zones with the
-conntrack helpers.
-
-This is needed for RHBZ#1452681
-
-(cherry picked from commit f0109e044e5601fba20d42db24c25e8e8cf804a0)
----
- src/firewall/core/fw.py | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
-index 8dbe59b6e3b5..4db856c4e17d 100644
---- a/src/firewall/core/fw.py
-+++ b/src/firewall/core/fw.py
-@@ -114,6 +114,7 @@ class Firewall(object):
- self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS
- self.nf_conntrack_helper_setting = 0
- self.nf_conntrack_helpers = { }
-+ self.nf_nat_helpers = { }
-
- def individual_calls(self):
- return self._individual_calls
-@@ -203,8 +204,18 @@ class Firewall(object):
- log.debug1(" %s: %s", key, ", ".join(values))
- else:
- log.debug1("No conntrack helpers supported by the kernel.")
-+
-+ self.nf_nat_helpers = functions.get_nf_nat_helpers()
-+ if len(self.nf_nat_helpers) > 0:
-+ log.debug1("NAT helpers supported by the kernel:")
-+ for key,values in self.nf_nat_helpers.items():
-+ log.debug1(" %s: %s", key, ", ".join(values))
-+ else:
-+ log.debug1("No NAT helpers supported by the kernel.")
-+
- else:
- self.nf_conntrack_helpers = { }
-+ self.nf_nat_helpers = { }
- log.warning("modinfo command is missing, not able to detect conntrack helpers.")
-
- def _start(self, reload=False, complete_reload=False):
---
-2.12.0
-
diff --git a/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch
deleted file mode 100644
index 9635f55..0000000
--- a/SOURCES/firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 3bcaadbc99a10634d5a7552d7398436ef836f428 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Mon, 22 May 2017 17:59:10 +0200
-Subject: [PATCH 3/6] firewall.core.fw_zone: Load NAT helpers with conntrack
- helpers
-
-If a conntrack helper is used, then the NAT helper will automatically be loaded
-also if there is a matching NAT helper.
-
-Fixes: RHBZ#1452681
-(cherry picked from commit af59d816c92e0391d118949542eb19bcf8b74580)
----
- src/firewall/core/fw_zone.py | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
-index 2c99b0cbce8a..3089d12edd1b 100644
---- a/src/firewall/core/fw_zone.py
-+++ b/src/firewall/core/fw_zone.py
-@@ -1155,9 +1155,15 @@ class FirewallZone(object):
- _rule += [ "-j", "CT", "--helper", helper.name ]
- self.__rule_source(rule.source, _rule)
- zone_transaction.add_rule(ipv, _rule)
-+ nat_module = module.replace("conntrack", "nat")
-+ if nat_module in self._fw.nf_nat_helpers:
-+ modules.append(nat_module)
- else:
- if helper.module not in modules:
- modules.append(helper.module)
-+ nat_module = helper.module.replace("conntrack", "nat")
-+ if nat_module in self._fw.nf_nat_helpers:
-+ modules.append(nat_module)
- zone_transaction.add_modules(modules)
-
- target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
-@@ -1624,6 +1630,9 @@ class FirewallZone(object):
- modules = [ ]
- for helper in helpers:
- modules.append(helper.module)
-+ nat_module = helper.module.replace("conntrack", "nat")
-+ if nat_module in self._fw.nf_nat_helpers:
-+ modules.append(nat_module)
- zone_transaction.add_modules(modules)
- zone_transaction.add_chain("filter", "INPUT")
-
-@@ -1641,6 +1650,9 @@ class FirewallZone(object):
- raise FirewallError(
- errors.INVALID_HELPER,
- "'%s' is not available in kernel" % module)
-+ nat_module = helper.module.replace("conntrack", "nat")
-+ if nat_module in self._fw.nf_nat_helpers:
-+ zone_transaction.add_module(nat_module)
- if helper.family != "" and helper.family != ipv:
- # no support for family ipv, continue
- continue
---
-2.12.0
-
diff --git a/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch
deleted file mode 100644
index 327e32d..0000000
--- a/SOURCES/firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 5a864808c03b703fd9073133fd185347703177c7 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Mon, 22 May 2017 17:50:40 +0200
-Subject: [PATCH 1/6] firewall.functions: New function get_nf_nat_helpers
-
-This function returns a dict { module: [helper, ..], .. } similar to
-get_nf_conntrack_helpers but for NAT helpers only. NAT helpers are not part
-of the dict that is returned by get_nf_conntrack_helpers as it only lists
-connection tracking helpers.
-
-This is needed for RHBZ#1452681
-
-(cherry picked from commit 577668e9b788e9982e90f331d934aaa8d79cae56)
----
- src/firewall/functions.py | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/src/firewall/functions.py b/src/firewall/functions.py
-index 71d39a540754..07e65ab7c7f8 100644
---- a/src/firewall/functions.py
-+++ b/src/firewall/functions.py
-@@ -25,7 +25,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
- "firewalld_is_active", "tempFile", "readfile", "writefile",
- "enable_ip_forwarding", "get_nf_conntrack_helper_setting",
- "set_nf_conntrack_helper_setting", "get_nf_conntrack_helpers",
-- "check_port", "check_address",
-+ "get_nf_nat_helpers", "check_port", "check_address",
- "check_single_address", "check_mac", "uniqify", "ppid_of_pid",
- "max_zone_name_len", "checkUser", "checkUid", "checkCommand",
- "checkContext", "joinArgs", "splitArgs",
-@@ -351,6 +351,26 @@ def get_nf_conntrack_helpers():
- helpers.setdefault(module, [ ]).append(helper)
- return helpers
-
-+def get_nf_nat_helpers():
-+ kver = os.uname()[2]
-+ path = "/lib/modules/%s/kernel/net/netfilter/" % kver
-+ helpers = { }
-+ if os.path.isdir(path):
-+ for filename in sorted(os.listdir(path)):
-+ if not filename.startswith("nf_nat_"):
-+ continue
-+ module = filename.split(".")[0]
-+ (status, ret) = runProg(COMMANDS["modinfo"], [ module, ])
-+ if status != 0:
-+ continue
-+ alias = None
-+ for line in ret.split("\n"):
-+ if line.startswith("description:") and "NAT helper" in line:
-+ helper = module.replace("nf_nat_", "")
-+ helper = helper.replace("_", "-")
-+ helpers.setdefault(module, [ ]).append(helper)
-+ return helpers
-+
- def get_nf_conntrack_helper_setting():
- try:
- return int(readfile("/proc/sys/net/netfilter/nf_conntrack_helper")[0])
---
-2.12.0
-
diff --git a/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch
deleted file mode 100644
index 950b2b2..0000000
--- a/SOURCES/firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From acc3cfe586947cd2d98d4b8b4303cca127ffc396 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Mon, 22 May 2017 18:07:03 +0200
-Subject: [PATCH 6/6] firewall.server.firewalld: New property for NAT helpers
- supported by the kernel
-
-The property nf_nat_helpers provides a dict with the nat helpers in a similar
-way as nf_conntrack_helpers.
-
-New description for the property nf_nat_helpers in firewalld.dbus man page.
-
-Related: RHBZ#1452681
-(cherry picked from commit 34558ad775afd9476c4ec5373b9bc9ee03a195af)
----
- doc/xml/firewalld.dbus.xml | 4 ++++
- src/firewall/server/firewalld.py | 11 +++++++----
- 2 files changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
-index 52b5b3b0f955..92fe5c843dfc 100644
---- a/doc/xml/firewalld.dbus.xml
-+++ b/doc/xml/firewalld.dbus.xml
-@@ -467,6 +467,10 @@
- nf_conntrack_helpers - a{sas} - (ro)
- The list of conntrack helpers supported by the kernel.
-
-+
-+ nf_nat_helpers - a{sas} - (ro)
-+ The list of nat helpers supported by the kernel.
-+
-
- interface_version - s - (ro)
- firewalld D-Bus interface version string.
-diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
-index 8c4bd4f0c66a..9c5d463de793 100644
---- a/src/firewall/server/firewalld.py
-+++ b/src/firewall/server/firewalld.py
-@@ -182,6 +182,9 @@ class FirewallD(slip.dbus.service.Object):
- elif prop == "nf_conntrack_helpers":
- return dbus.Dictionary(self.fw.nf_conntrack_helpers, "sas")
-
-+ elif prop == "nf_nat_helpers":
-+ return dbus.Dictionary(self.fw.nf_nat_helpers, "sas")
-+
- else:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.InvalidArgs: "
-@@ -222,8 +225,8 @@ class FirewallD(slip.dbus.service.Object):
- for x in [ "version", "interface_version", "state",
- "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE",
- "IPSet", "IPSetTypes", "nf_conntrack_helper_setting",
-- "nf_conntrack_helpers", "IPv4ICMPTypes",
-- "IPv6ICMPTypes" ]:
-+ "nf_conntrack_helpers", "nf_nat_helpers",
-+ "IPv4ICMPTypes", "IPv6ICMPTypes" ]:
- ret[x] = self._get_property(x)
- elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE,
- config.dbus.DBUS_INTERFACE_DIRECT,
-@@ -253,8 +256,8 @@ class FirewallD(slip.dbus.service.Object):
- "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE",
- "IPSet", "IPSetTypes",
- "nf_conntrack_helper_setting",
-- "nf_conntrack_helpers", "IPv4ICMPTypes",
-- "IPv6ICMPTypes" ]:
-+ "nf_conntrack_helpers", "nf_nat_helpers",
-+ "IPv4ICMPTypes", "IPv6ICMPTypes" ]:
- raise dbus.exceptions.DBusException(
- "org.freedesktop.DBus.Error.PropertyReadOnly: "
- "Property '%s' is read-only" % property_name)
---
-2.12.0
-
diff --git a/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch b/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch
deleted file mode 100644
index 5659c40..0000000
--- a/SOURCES/firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 930e9fae6babcffc6b74823d45d3bbf394e05cc9 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Mon, 22 May 2017 18:05:38 +0200
-Subject: [PATCH 4/6] firewalld.dbus: Add missing properties
- nf_conntrach_helper_setting and nf_conntrack_helpers
-
-(cherry picked from commit 89a186db02dd3776dce4105d1266b4863b3b4e8b)
----
- doc/xml/firewalld.dbus.xml | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
-index de18ab2d514a..52b5b3b0f955 100644
---- a/doc/xml/firewalld.dbus.xml
-+++ b/doc/xml/firewalld.dbus.xml
-@@ -459,7 +459,15 @@
- IPv6ICMPTypes - as - (ro)
- The list of supported IPv6 ICMP types.
-
--
-+
-+ nf_conntrach_helper_setting - b - (ro)
-+ Kernel nf_conntrack_helper setting.
-+
-+
-+ nf_conntrack_helpers - a{sas} - (ro)
-+ The list of conntrack helpers supported by the kernel.
-+
-+
- interface_version - s - (ro)
- firewalld D-Bus interface version string.
-
---
-2.12.0
-
diff --git a/SOURCES/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch b/SOURCES/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch
deleted file mode 100644
index db219c1..0000000
--- a/SOURCES/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From cf50bd0004418abe1294f53b58387a181dfd2b51 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Thu, 8 Jun 2017 17:44:32 +0200
-Subject: [PATCH] firewall.core.fw_zone: Rich-rule ICMP type: Error only for
- conflicting family
-
-Only raise error for an ICMP block in a rich-rule if a family has been
-specified and conflicts with the ICMP destination.
-
-Fixes: RHBZ#1459921
----
- src/firewall/core/fw_zone.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
-index 4f3f18c0..f47222e4 100644
---- a/src/firewall/core/fw_zone.py
-+++ b/src/firewall/core/fw_zone.py
-@@ -1425,6 +1425,9 @@ def __rule_prepare(self, enable, zone, rule, mark_id, zone_transaction):
- raise FirewallError(errors.INVALID_RULE,
- "IcmpBlock not usable with accept action")
- if ict.destination and ipv not in ict.destination:
-+ if rule.family is None:
-+ # Add for IPv4 or IPv6 depending on ict.destination
-+ continue
- raise FirewallError(
- errors.INVALID_RULE,
- "Icmp%s %s not usable with %s" % \
diff --git a/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch b/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch
deleted file mode 100644
index b761380..0000000
--- a/SOURCES/firewalld-0.4.4.6-Add-NFSv3-service.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 4b8a12785c96c33a77eb59fdd1c088d25978f7d8 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Wed, 26 Jul 2017 10:10:19 -0400
-Subject: [PATCH] Add NFSv3 service.
-
-This is distinct from the NFS service (v4) because it also opens up UDP
-ports.
-
-Fixes: RHBZ#1462088
-(cherry picked from commit a127d697177b78b7f9b766deb978efd95590a2ac)
----
- config/Makefile.am | 1 +
- config/services/nfs3.xml | 7 +++++++
- 2 files changed, 8 insertions(+)
- create mode 100644 config/services/nfs3.xml
-
-diff --git a/config/Makefile.am b/config/Makefile.am
-index bdc5651c154c..1035c9f940a9 100644
---- a/config/Makefile.am
-+++ b/config/Makefile.am
-@@ -173,6 +173,7 @@ CONFIG_FILES = \
- services/ms-wbt.xml \
- services/mysql.xml \
- services/nfs.xml \
-+ services/nfs3.xml \
- services/nrpe.xml \
- services/ntp.xml \
- services/openvpn.xml \
-diff --git a/config/services/nfs3.xml b/config/services/nfs3.xml
-new file mode 100644
-index 000000000000..4075d48211bd
---- /dev/null
-+++ b/config/services/nfs3.xml
-@@ -0,0 +1,7 @@
-+
-+
-+ NFS3
-+ The NFS3 protocol is used to share files. You will need to have the NFS tools installed and properly configure your NFS server for this option to be useful.
-+
-+
-+
---
-2.12.0
-
diff --git a/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch b/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch
deleted file mode 100644
index 2fd2eeb..0000000
--- a/SOURCES/firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 34b616a67585d42060ec6be376deb3dd3eb25353 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Wed, 6 Sep 2017 10:58:27 -0400
-Subject: [PATCH] Add missing ports to RH-Satellite-6 service
-
-Fixes: RHBZ#1422149
----
- config/services/RH-Satellite-6.xml | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/config/services/RH-Satellite-6.xml b/config/services/RH-Satellite-6.xml
-index 5462a6e673bb..76f4d97954db 100644
---- a/config/services/RH-Satellite-6.xml
-+++ b/config/services/RH-Satellite-6.xml
-@@ -2,11 +2,16 @@
-
- Red Hat Satellite 6
- Red Hat Satellite 6 is a systems management server that can be used to configure new systems, subscribe to updates, and maintain installations in distributed environments.
-+
-+
-+
-
-
-+
-
-
--
-+
-
-+
-
-
---
-2.12.0
-
diff --git a/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch b/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch
deleted file mode 100644
index 241ebf3..0000000
--- a/SOURCES/firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch
+++ /dev/null
@@ -1,126 +0,0 @@ -From c41e34a5a8fbda2731aa724e65dcc93aa9ab7b64 Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Thu, 3 Aug 2017 15:06:57 -0400 -Subject: [PATCH] Reload nf_conntrack sysctls after the module is loaded - -Add a modprobe config file that will cause specified sysctls to be -reloaded after a given module is loaded. This is needed because sysctls -will go away and reappear when modules are unloaded which happens on a -firewalld restart. e.g. nf_conntrack_max. - -Fixes: RHBZ#1462977 -(cherry picked from commit 65434db736fa68a25e1ab417f6c330c03c5eafde) ---- - config/Makefile.am | 22 ++++++++++++++++++++-- - config/firewalld-sysctls.conf.in | 1 + - configure.ac | 1 + - firewalld.spec | 1 + - 4 files changed, 23 insertions(+), 2 deletions(-) - create mode 100644 config/firewalld-sysctls.conf.in - -diff --git a/config/Makefile.am b/config/Makefile.am -index 1035c9f940a9..a66ae05d8122 100644 ---- a/config/Makefile.am -+++ b/config/Makefile.am -@@ -42,6 +42,7 @@ BUILT_SOURCES = \ - $(applet_desktop_DATA) \ - $(polkit1_action_DATA) \ - $(gsettings_SCHEMAS) \ -+ firewalld-sysctls.conf \ - firewalld.service - - @INTLTOOL_DESKTOP_RULE@ -@@ -51,7 +52,7 @@ BUILT_SOURCES = \ - - all: $(desktop_DATA) $(appdata_DATA) $(applet_desktop_DATA) $(polkit1_action_DATA) $(gsettings_SCHEMAS) - --CLEANFILES = *~ *\# .\#* firewalld.service -+CLEANFILES = *~ *\# .\#* firewalld.service firewalld-sysctls.conf - - DISTCLEANFILES = \ - $(desktop_DATA) \ -@@ -246,6 +247,7 @@ EXTRA_DIST = \ - $(CONFIG_FILES) \ - $(dist_xmlschema_DATA) \ - firewalld.init \ -+ firewalld-sysctls.conf.in \ - firewalld.service.in \ - firewalld.sysconfig \ - macros.firewalld -@@ -253,6 +255,9 @@ EXTRA_DIST = \ - INSTALL_TARGETS = install-config - UNINSTALL_TARGETS = uninstall-config - -+INSTALL_TARGETS += install-modprobe.d -+UNINSTALL_TARGETS += uninstall-modprobe.d -+ - if USE_SYSTEMD - INSTALL_TARGETS += install-service - UNINSTALL_TARGETS += uninstall-service -@@ -275,11 +280,16 @@ edit = sed \ - -e 
's|@bindir[@]|$(bindir)|g' \ - -e 's|@sbindir[@]|$(sbindir)|g' \ - -e 's|@sysconfdir[@]|$(sysconfdir)|g' \ -- -e 's|@localstatedir[@]|$(localstatedir)|g' -+ -e 's|@localstatedir[@]|$(localstatedir)|g' \ -+ -e 's|@MODPROBE[@]|$(MODPROBE)|g' \ -+ -e 's|@SYSCTL[@]|$(SYSCTL)|g' - - firewalld.service: firewalld.service.in - $(edit) $< >$@ - -+firewalld-sysctls.conf: firewalld-sysctls.conf.in -+ $(edit) $< >$@ -+ - install-sysconfig: - $(MKDIR_P) $(DESTDIR)$(sysconfdir)/sysconfig - $(INSTALL_DATA) $(srcdir)/firewalld.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/firewalld -@@ -312,6 +322,14 @@ uninstall-service: uninstall-sysconfig - rm -f $(DESTDIR)$(SYSTEMD_UNITDIR)/firewalld.service - rmdir $(DESTDIR)$(SYSTEMD_UNITDIR) || : - -+install-modprobe.d: -+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/modprobe.d -+ $(INSTALL_DATA) firewalld-sysctls.conf $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf -+ -+uninstall-modprobe.d: -+ rm -f $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf -+ rmdir $(DESTDIR)$(sysconfdir)/modprobe.d || : -+ - install-config: - $(MKDIR_P) $(DESTDIR)$(sconfdir) - $(MKDIR_P) $(DESTDIR)$(sconfdir)/icmptypes -diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in -new file mode 100644 -index 000000000000..976027743e8f ---- /dev/null -+++ b/config/firewalld-sysctls.conf.in -@@ -0,0 +1 @@ -+install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system -diff --git a/configure.ac b/configure.ac -index e3525703819d..776e627b0fa0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -33,6 +33,7 @@ AC_PATH_PROG([KILL], [kill], [/usr/bin/kill]) - AC_PATH_PROG([MODINFO], [modinfo], [/sbin/modinfo]) - AC_PATH_PROG([MODPROBE], [modprobe], [/sbin/modprobe]) - AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod]) -+AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl]) - - GLIB_GSETTINGS - -diff --git a/firewalld.spec b/firewalld.spec -index 7f16f38d2932..476f9668d44f 100644 ---- 
a/firewalld.spec -+++ b/firewalld.spec -@@ -240,6 +240,7 @@ fi - %{_mandir}/man1/firewallctl*.1* - %{_mandir}/man1/firewalld*.1* - %{_mandir}/man5/firewall*.5* -+%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf - - %files -n python-firewall - %attr(0755,root,root) %dir %{python2_sitelib}/firewall --- -2.12.0 - diff --git a/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch b/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch deleted file mode 100644 index a681b93..0000000 --- a/SOURCES/firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From a6f0c40b24ad977d7e32e4fd9cf87b57381f5e83 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 12 Sep 2017 01:13:55 +0200 -Subject: [PATCH 2/5] core: Log unsupported ICMP types as informational only - -iptables-1.4 lacks support for a number of ICMPv6 types. Since this is -not a problem per se, avoid unnecessarily alerting the user with two -warning messages for each of them. Instead, make these informational -messages only so the default configuration does not emit them. - -Fixes: RHBZ#1479951 -Signed-off-by: Phil Sutter ---- - src/firewall/core/fw.py | 2 +- - src/firewall/core/fw_icmptype.py | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py -index bc6ffe2dbc238..0dda11d49116a 100644 ---- a/src/firewall/core/fw.py -+++ b/src/firewall/core/fw.py -@@ -502,7 +502,7 @@ class Firewall(object): - try: - self.icmptype.add_icmptype(obj) - except FirewallError as error: -- log.warning("%s: %s, ignoring for run-time." % \ -+ log.info1("%s: %s, ignoring for run-time." % \ - (obj.name, str(error))) - # add a deep copy to the configuration interface - self.config.add_icmptype(copy.deepcopy(obj)) -diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py -index 5bf1c7fe512c6..afe9f91d6bf6e 100644 ---- a/src/firewall/core/fw_icmptype.py -+++ b/src/firewall/core/fw_icmptype.py -@@ -67,7 +67,7 @@ class FirewallIcmpType(object): - else: - supported_icmps = [ ] - if obj.name.lower() not in supported_icmps: -- log.warning("ICMP type '%s' is not supported by the kernel for %s." % (obj.name, ipv)) -+ log.info1("ICMP type '%s' is not supported by the kernel for %s." % (obj.name, ipv)) - ipvs.remove(ipv) - if len(ipvs) != len(orig_ipvs): - if len(ipvs) < 1: --- -2.13.1 - 
diff --git a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch deleted file mode 100644 index 98856f0..0000000 --- a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 136d2309988f7c379f6439363b53c14404738d7a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 14 Sep 2017 11:43:41 +0200 -Subject: [PATCH 4/5] doc: firewall-cmd: Document --query-* options return - codes - -The "EXIT CODES" section didn't cover the fact that all --query-* -options return 1 if no error occurred but the query itself was not -successful. - -Fixes: RHBZ#1372716 -Signed-off-by: Phil Sutter ---- - doc/xml/firewall-cmd.xml | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml -index bdb5767634aaa..0b54b0be999c8 100644 ---- a/doc/xml/firewall-cmd.xml -+++ b/doc/xml/firewall-cmd.xml -@@ -2281,6 +2281,9 @@ firewall-cmd --permanent --add-port=443/tcp - - - -+ -+ Note that return codes of --query-* options are special: Successful queries return 0, unsuccessful ones return 1 unless an error occurred in which case the table above applies. -+ - - - &seealso; --- -2.13.1 - diff --git a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch b/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch deleted file mode 100644 index a777411..0000000 --- a/SOURCES/firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 2243b7f14921a1d8b24c8090d531451e7ab9e0dd Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Mon, 11 Sep 2017 18:47:21 +0200 -Subject: [PATCH 1/5] doc: firewall-cmd: Document quirk in --reload option - -Contrary to what one might assume, --reload and --complete-reload leave -changes done via the direct interface in place. - -Fixes: RHBZ#1452137 -Signed-off-by: Phil Sutter ---- - doc/xml/firewall-cmd.xml | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml -index bf4e7a0c21a9c..bdb5767634aaa 100644 ---- a/doc/xml/firewall-cmd.xml -+++ b/doc/xml/firewall-cmd.xml -@@ -132,6 +132,11 @@ - i.e. all runtime only changes done until reload are lost with reload - if they have not been also in permanent configuration. - -+ -+ Note: Runtime changes applied via the direct interface are not -+ affected and will therefore stay in place until firewalld daemon -+ is restarted completely. -+ - - - -@@ -141,6 +146,11 @@ - - Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules. - -+ -+ Note: Runtime changes applied via the direct interface are not -+ affected and will therefore stay in place until firewalld daemon -+ is restarted completely. -+ - - - --- -2.13.1 - diff --git a/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch b/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch deleted file mode 100644 index 9765e2f..0000000 --- a/SOURCES/firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 68834a49d9d55bffdc4febeaf23a892011399a63 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 13 Sep 2017 22:03:31 +0200 -Subject: [PATCH 3/5] firewall-cmd: Use colors only if output is a TTY - -Use isatty() method to check whether output is a TTY or not (e.g. -redirected to a file or pipe) before enclosing error messages in TTY -color escape strings. - -While here, simplify things a bit by making print_and_exit() call -print_warning() internally, also adjust commented out code for colored -non-error messages. - -Fixes: RHBZ#1368544 -Signed-off-by: Phil Sutter ---- - src/firewall/command.py | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/src/firewall/command.py b/src/firewall/command.py -index 2dc1c509ae556..50bd4bd0f4103 100644 ---- a/src/firewall/command.py -+++ b/src/firewall/command.py -@@ -64,17 +64,19 @@ class FirewallCommand(object): - def print_warning(self, msg=None): - FAIL = '\033[91m' - END = '\033[00m' -- self.print_error_msg(FAIL + msg + END) -+ if sys.stderr.isatty(): -+ msg = FAIL + msg + END -+ self.print_error_msg(msg) - - def print_and_exit(self, msg=None, exit_code=0): - #OK = '\033[92m' -- FAIL = '\033[91m' -- END = '\033[00m' -+ #END = '\033[00m' - if exit_code > 1: -- self.print_error_msg(FAIL + msg + END) -+ self.print_warning(msg) - else: -+ #if sys.stdout.isatty(): -+ # msg = OK + msg + END - self.print_msg(msg) -- #self.print_msg(OK + msg + END) - sys.exit(exit_code) - - def fail(self, msg=None): --- -2.13.1 - diff --git a/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch b/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch deleted file mode 100644 index 46ba775..0000000 --- a/SOURCES/firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 75f06cb4139f6f00dfe952eac84ff31d3db014cb Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 14 Sep 2017 12:05:09 +0200 -Subject: [PATCH 5/5] firewall-offline-cmd: Don't require root for help output - -Allow unprivileged users to retrieve help output. - -Fixes: RHBZ#1445214 -Signed-off-by: Phil Sutter ---- - src/firewall-offline-cmd | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd -index 1b4550830b7bb..fccfb7251c4f5 100755 ---- a/src/firewall-offline-cmd -+++ b/src/firewall-offline-cmd -@@ -43,9 +43,10 @@ from firewall.core.io.helper import helper_reader - from firewall.command import FirewallCommand - - # check for root user --if os.getuid() != 0: -- sys.stderr.write("You need to be root to run %s.\n" % sys.argv[0]) -- sys.exit(-1) -+def assert_root(): -+ if os.getuid() != 0: -+ sys.stderr.write("You need to be root to run %s.\n" % sys.argv[0]) -+ sys.exit(-1) - - SYSTEM_CONFIG_FIREWALL = config.SYSCONFIGDIR + '/system-config-firewall' - -@@ -775,6 +776,8 @@ if len(sys.argv) > 1 and \ - if a.help: - __usage() - sys.exit(0) -+ else: -+ assert_root() - if a.quiet: - # it makes no sense to use --quiet with these options - a.quiet = False -@@ -809,6 +812,7 @@ elif len(sys.argv) > 1: - args = aux_args[:i+1] # all but not - args.append(joinArgs(aux_args[i+1:])) # add as one arg - else: -+ assert_root() - # migrate configuration from SYSTEM_CONFIG_FIREWALL - args = read_sysconfig_args() - if not args: -@@ -1020,6 +1024,8 @@ if a.help: - __usage() - sys.exit(0) - -+assert_root() -+ - zone = a.zone - fw = Firewall_test() - fw.start() --- -2.13.1 - diff --git a/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch b/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch deleted file mode 100644 index d1b695c..0000000 --- a/SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 8a8d61822d37639e1d952befc4528c32a3240dc5 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 28 Nov 2017 20:56:38 +0100 -Subject: [PATCH] Fix and improve firewalld-sysctls.conf - -The output generated by the call to sysctl apparently messed up kernel -module auto-loading via iptables. To reproduce: - -| # iptables -F INPUT -| # rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack -| # iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes -| iptables: No chain/target/match by that name. - -This is solved by silencing sysctl with '--quiet' parameter. - -Another (potential) issue is that module parameters passed to modprobe -when manually loading nf_conntrack: - -| # modprobe --ignore-install nf_conntrack nf_conntrack_helper=1 -| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper -| Y -| # rmmod nf_conntrack -| # modprobe nf_conntrack nf_conntrack_helper=1 -| * Applying /usr/lib/sysctl.d/00-system.conf ... -| * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ... -| * Applying /usr/lib/sysctl.d/50-default.conf ... -| * Applying /etc/sysctl.d/99-sysctl.conf ... -| * Applying /etc/sysctl.conf ... -| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper -| N - -This is fixed by adding $CMDLINE_OPTS as last parameter to the modprobe -call as described in modprobe.conf(5). ---- - config/firewalld-sysctls.conf.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in -index 976027743e8f..945193f13c75 100644 ---- a/config/firewalld-sysctls.conf.in -+++ b/config/firewalld-sysctls.conf.in -@@ -1 +1 @@ --install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system -+install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack $CMDLINE_OPTS && @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system --- -2.12.0 - 
diff --git a/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch b/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch deleted file mode 100644 index 689b7a6..0000000 --- a/SOURCES/firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 8ec42cd1041ba342c9f87f51b62f80be278f682b Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 21 Nov 2017 16:04:23 -0500 -Subject: [PATCH] firewalld: also reload dbus config interface for global - options - -These options require the firewall to be reloaded, but it was not also -reloading the dbus config interface. The interface objects would end up -pointing to stale cleanup()'d config objects (via firewall.core.fw -reload()). Therefore we also need to reload/refresh the config -interface. - -Fixes: rhbz 1514043 ---- - src/firewall/core/fw.py | 6 ------ - src/firewall/server/firewalld.py | 8 ++++++++ - 2 files changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py -index 0dda11d49116..2a119b1dc4d4 100644 ---- a/src/firewall/core/fw.py -+++ b/src/firewall/core/fw.py -@@ -1142,9 +1142,6 @@ class Firewall(object): - self._log_denied = value - self._firewalld_conf.set("LogDenied", value) - self._firewalld_conf.write() -- -- # now reload the firewall -- self.reload() - else: - raise FirewallError(errors.ALREADY_SET, value) - -@@ -1163,9 +1160,6 @@ class Firewall(object): - self._automatic_helpers = value - self._firewalld_conf.set("AutomaticHelpers", value) - self._firewalld_conf.write() -- -- # now reload the firewall -- self.reload() - else: - raise FirewallError(errors.ALREADY_SET, value) - -diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py -index 9c5d463de793..fc7422f12261 100644 ---- a/src/firewall/server/firewalld.py -+++ b/src/firewall/server/firewalld.py -@@ -939,6 +939,10 @@ class FirewallD(slip.dbus.service.Object): - self.accessCheck(sender) - self.fw.set_log_denied(value) - self.LogDeniedChanged(value) -+ # must reload the firewall as well -+ self.fw.reload() -+ self.config.reload() -+ self.Reloaded() - - @dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s') - @dbus_handle_exceptions -@@ -969,6 +973,10 @@ class 
FirewallD(slip.dbus.service.Object): - self.accessCheck(sender) - self.fw.set_automatic_helpers(value) - self.AutomaticHelpersChanged(value) -+ # must reload the firewall as well -+ self.fw.reload() -+ self.config.reload() -+ self.Reloaded() - - @dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s') - @dbus_handle_exceptions --- -2.12.0 - diff --git a/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch b/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch deleted file mode 100644 index 947ba42..0000000 --- a/SOURCES/firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch +++ /dev/null @@ -1,28 +0,0 @@ -From b20345ad5db13cf9a8ca8f5cb036ef526ab6693b Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Tue, 12 Dec 2017 13:57:55 -0500 -Subject: [PATCH] services/high-availability: Add port 9929 - -TCP/UDP 9929 is used by boothd and should be opened for -high-availability. - -Resolves: RHBZ 1486143 ---- - config/services/high-availability.xml | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/config/services/high-availability.xml b/config/services/high-availability.xml -index 002dd0e4a9d0..b6d14b793250 100644 ---- a/config/services/high-availability.xml -+++ b/config/services/high-availability.xml -@@ -7,5 +7,7 @@ - - - -+ -+ - - --- -2.12.0 - diff --git a/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch b/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch deleted file mode 100644 index 2cd1f74..0000000 --- a/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 5f41f061390876f4c43c2306911d9b3482aed396 Mon Sep 17 00:00:00 2001 -From: Lubomir Rintel -Date: Mon, 16 Jul 2018 17:42:34 +0200 -Subject: [PATCH 1/3] firewall.core.fw_nm: avoid iterating NM devices, - connections - -NetworkManager has an API to do the lookups. - -(cherry picked from commit 65f92930a5d049404dac780c15eebe2d788e6285) ---- - src/firewall/core/fw_nm.py | 70 ++++++++++++++++++---------------------------- - 1 file changed, 27 insertions(+), 43 deletions(-) - -diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py -index f75733fe65f6..76901cee2adf 100644 ---- a/src/firewall/core/fw_nm.py -+++ b/src/firewall/core/fw_nm.py -@@ -73,22 +73,18 @@ def nm_get_zone_of_connection(connection): - """ - check_nm_imported() - -- active_connections = nm_get_client().get_active_connections() -+ con = nm_get_client().get_connection_by_id(connection) -+ if con is None: -+ return False - -- for active_con in active_connections: -- if active_con.get_id() == connection: -- con = active_con.get_connection() -- if con is None: -- continue -- setting_con = con.get_setting_connection() -- if setting_con is None: -- continue -- zone = setting_con.get_zone() -- if zone is None: -- zone = "" -- return zone -+ setting_con = con.get_setting_connection() -+ if setting_con is None: -+ return False - -- return None -+ zone = setting_con.get_zone() -+ if zone is None: -+ zone = "" -+ return zone - - def nm_set_zone_of_connection(zone, connection): - """Set the zone for a connection -@@ -98,24 +94,18 @@ def nm_set_zone_of_connection(zone, connection): - """ - check_nm_imported() - -- active_connections = nm_get_client().get_active_connections() -- -- for active_con in active_connections: -- con = active_con.get_connection() -- if con is None: -- continue -+ con = nm_get_client().get_connection_by_id(connection) -+ if con is None: -+ return False - -- if active_con.get_id() == connection: -- setting_con = con.get_setting_connection() -- if setting_con is 
None: -- continue -- if zone == "": -- zone = None -- setting_con.set_property("zone", zone) -- con.commit_changes(True, None) -- return True -+ setting_con = con.get_setting_connection() -+ if setting_con is None: -+ return False - -- return False -+ if zone == "": -+ zone = None -+ setting_con.set_property("zone", zone) -+ return con.commit_changes(True, None) - - def nm_get_connections(connections, connections_uuid): - """Get active connections from NM -@@ -150,21 +140,15 @@ def nm_get_connection_of_interface(interface): - """ - check_nm_imported() - -- active_connections = nm_get_client().get_active_connections() -- -- for active_con in active_connections: -- # ignore vpn devices for now -- if active_con.get_vpn(): -- continue -- -- devices = active_con.get_devices() -- -- for dev in devices: -- if dev.get_iface() == interface: -- return active_con.get_id() -+ device = nm_get_client().get_device_by_iface(interface) -+ if device is None: -+ return None - -+ active_con = device.get_active_connection() -+ if active_con is None: -+ return None - -- return None -+ return active_con.get_id() - - def nm_get_bus_name(): - if not _nm_imported: --- -2.16.3 - diff --git a/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-identify-the-connections-by-uuid.patch b/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-identify-the-connections-by-uuid.patch deleted file mode 100644 index 1cee69c..0000000 --- a/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-identify-the-connections-by-uuid.patch +++ /dev/null 
@@ -1,352 +0,0 @@ -From 0ce07e30014a8ee6b2a8a4909c313f207d9c9b31 Mon Sep 17 00:00:00 2001 -From: Lubomir Rintel -Date: Mon, 16 Jul 2018 17:43:04 +0200 -Subject: [PATCH 2/3] firewall.core.fw_nm: identify the connections by uuid - -...as opposed by id. Uuid is guarranteed to be uniquie, while the id is -provided merely for convenience without any guarrantees. - -(cherry picked from commit 624039964bd16e5e0e8ffb73e708d3d0c40e89d3) ---- - src/firewall-applet | 38 ++++++++++++++++++++------------------ - src/firewall-config | 45 +++++++++++++++++++++++++-------------------- - src/firewall/core/fw_nm.py | 16 ++++++++-------- - 3 files changed, 53 insertions(+), 46 deletions(-) - -diff --git a/src/firewall-applet b/src/firewall-applet -index 3dc149c32755..86aaccab9f88 100755 ---- a/src/firewall-applet -+++ b/src/firewall-applet -@@ -155,11 +155,12 @@ class ZoneInterfaceEditor(QtGui.QDialog): - # ZoneConnectionEditor ######################################################## - - class ZoneConnectionEditor(ZoneInterfaceEditor): -- def __init__(self, fw, connection, zone): -+ def __init__(self, fw, connection, connection_name, zone): - self.fw = fw - self.connection = connection -+ self.connection_name = connection_name - self.zone = None -- self.title = _("Select zone for connection '%s'") % self.connection -+ self.title = _("Select zone for connection '%s'") % self.connection_name - - QtGui.QDialog.__init__(self) - self.create_ui(zone) -@@ -168,12 +169,12 @@ class ZoneConnectionEditor(ZoneInterfaceEditor): - # apply changes - try: - nm_set_zone_of_connection(self.get_zone(), self.connection) -- except Exception as msg: -- text = _("Failed to set zone {zone} for connection {connection}") -+ except Exception: -+ text = _("Failed to set zone {zone} for connection {connection_name}") - QtGui.QMessageBox.warning(None, fromUTF8(escape(self.title)), - escape(text.format( - zone=self.get_zone(), -- connection=self.connection))) -+ connection_name=self.connection_name))) - 
self.hide() - - # ZoneSourceEditor ############################################################ -@@ -428,7 +429,7 @@ class TrayApplet(QtGui.QSystemTrayIcon): - - self.active_zones = { } - self.connections = { } -- self.connections_uuid = { } -+ self.connections_name = { } - self.default_zone = None - self.zone_connection_editors = { } - self.zone_interface_editors = { } -@@ -666,30 +667,31 @@ class TrayApplet(QtGui.QSystemTrayIcon): - # NM controlled connections - for interface in self.connections: - connection = self.connections[interface] -- if connection not in self.connections_uuid: -- uuid = None -+ if connection not in self.connections_name: -+ connection_name = None - else: -- uuid = self.connections_uuid[connection] -+ connection_name = self.connections_name[connection] - zone = nm_get_zone_of_connection(connection) -- connections[connection] = [ zone, uuid ] -+ connections[connection] = [ zone, connection_name ] - - binding = _("{entry} (Zone: {zone})") - - # add NM controlled bindings - for connection in sorted(connections): - zone = connections[connection][0] -+ connection_name = connections[connection][1] - if zone == "": - _binding = _("{entry} (Default Zone: {default_zone})") - action = QtGui.QAction( - fromUTF8(escape( - _binding.format(default_zone=self.default_zone, -- entry=connection))), self) -+ entry=connection_name))), self) - else: - action = QtGui.QAction( - fromUTF8(escape(binding.format(zone=zone, -- entry=connection))), self) -+ entry=connection_name))), self) - action.triggered.connect(functools.partial( -- self.zone_connection_editor, connection, zone)) -+ self.zone_connection_editor, connection, connection_name, zone)) - self.left_menu.addAction(action) - - # add interfaces entry -@@ -729,13 +731,13 @@ class TrayApplet(QtGui.QSystemTrayIcon): - editor.raise_() - editor.show() - -- def zone_connection_editor(self, connection, zone): -+ def zone_connection_editor(self, connection, connection_name, zone): - if connection in 
self.zone_connection_editors: - self.zone_connection_editors[connection].set_zone(zone) - self.zone_connection_editors[connection].show() - return self.zone_connection_editors[connection].raise_() - -- editor = ZoneConnectionEditor(self.fw, connection, zone) -+ editor = ZoneConnectionEditor(self.fw, connection, connection_name, zone) - self.zone_connection_editors[connection] = editor - editor.show() - editor.raise_() -@@ -755,15 +757,15 @@ class TrayApplet(QtGui.QSystemTrayIcon): - - def nm_signal_receiver(self, *args, **kwargs): - self.connections.clear() -- self.connections_uuid.clear() -+ self.connections_name.clear() - - # do not use NMClient could result in python core dump - - if nm_is_imported(): - text = _("Failed to get connections from NetworkManager") - try: -- nm_get_connections(self.connections, self.connections_uuid) -- except Exception as msg: -+ nm_get_connections(self.connections, self.connections_name) -+ except Exception: - self.notify(escape(text), urgency=Notify.Urgency.CRITICAL) - if text not in self.tooltip_messages: - self.tooltip_messages.append(text) -diff --git a/src/firewall-config b/src/firewall-config -index 02bffabf457c..223c0ff6d27d 100755 ---- a/src/firewall-config -+++ b/src/firewall-config -@@ -1368,7 +1368,7 @@ class FirewallConfig(object): - # connect - - self.connections = { } -- self.connections_uuid = { } -+ self.connections_name = { } - - if nm_is_imported(): - self.fw.bus.add_signal_receiver( -@@ -1428,11 +1428,11 @@ class FirewallConfig(object): - self.fw.changeZoneOfInterface(editor.get_zone(), interface) - del self.zone_interface_editors[interface] - -- def change_zone_connection_editor(self, item, connection, zone): -+ def change_zone_connection_editor(self, item, connection, connection_name, zone): - if connection in self.zone_connection_editors: - return self.zone_connection_editors[connection].present() - -- editor = ZoneConnectionEditor(self.fw, connection, zone) -+ editor = ZoneConnectionEditor(self.fw, 
connection, connection_name, zone) - editor.set_icon(self.icon) - editor.set_position(Gtk.WindowPosition.CENTER_ON_PARENT) - editor.set_transient_for(self.mainWindow) -@@ -1557,14 +1557,14 @@ class FirewallConfig(object): - self.update_active_zones() - - self.connections.clear() -- self.connections_uuid.clear() -+ self.connections_name.clear() - - # do not use NMClient could result in python core dump - - if nm_is_imported(): - try: -- nm_get_connections(self.connections, self.connections_uuid) -- except Exception as msg: -+ nm_get_connections(self.connections, self.connections_name) -+ except Exception: - text = _("Failed to get connections from NetworkManager") - self._warning(text) - -@@ -1572,12 +1572,14 @@ class FirewallConfig(object): - while iter: - interface = self.interfaceStore.get_value(iter, 0) - if interface in self.connections: -- zone = nm_get_zone_of_connection(self.connections[interface]) -+ connection = self.connections[interface] -+ connection_name = self.connections_name[connection] -+ zone = nm_get_zone_of_connection(connection) - if zone == "": - comment = self.default_zone_used_by_label % \ -- self.connections[interface] -+ connection_name - else: -- comment = self.used_by_label % self.connections[interface] -+ comment = self.used_by_label % connection_name - self.interfaceStore.set_value(iter, 1, comment) - iter = self.interfaceStore.iter_next(iter) - self.change_interface_selection_cb(self.interfaceView.get_selection()) -@@ -2427,37 +2429,38 @@ class FirewallConfig(object): - # add NM controlled entries - for connection in sorted(connections): - [ zone, _interfaces ] = connections[connection] -+ connection_name = self.connections_name[connection] - - item = Gtk.MenuItem.new() - hbox = Gtk.Box(orientation=Gtk.Orientation.HORIZONTAL, spacing=6) - label = Gtk.Label() - if zone == "": - label.set_markup("%s (%s)\n%s: %s" % \ -- (connection, ",".join(_interfaces), -+ (connection_name, ",".join(_interfaces), - escape(_("Default Zone")), 
self.default_zone)) - else: - label.set_markup("%s (%s)\n%s: %s" % \ -- (connection, ",".join(_interfaces), -+ (connection_name, ",".join(_interfaces), - escape(_("Zone")), zone)) - label.set_alignment(0, 0.5) - label.set_padding(12, 0) - hbox.pack_start(label, True, True, 0) - item.add(hbox) -- item.connect("activate", self.change_zone_connection_editor, connection, zone) -+ item.connect("activate", self.change_zone_connection_editor, connection, connection_name, zone) - self.left_menu.append(item) - - if zone == "": - self.bindingsStore.append( - self.connectionsIter, - [ "%s (%s)\n%s" % ( -- connection, ",".join(_interfaces), -+ connection_name, ",".join(_interfaces), - _("Default Zone: %s") % self.default_zone), - connection, zone ]) - else: - self.bindingsStore.append( - self.connectionsIter, - [ "%s (%s)\n%s" % ( -- connection, ",".join(_interfaces), -+ connection_name, ",".join(_interfaces), - _("Zone: %s") % zone), - connection, zone ]) - -@@ -2683,7 +2686,7 @@ class FirewallConfig(object): - zone = self.bindingsStore.get_value(iter, 2) - - if self.bindingsStore.get_value(parent_iter, 0) == _("Connections"): -- self.change_zone_connection_editor(None, item, zone) -+ self.change_zone_connection_editor(None, item, self.connections_name[item], zone) - elif self.bindingsStore.get_value(parent_iter, 0) == _("Interfaces"): - self.change_zone_interface_editor(None, item, zone) - elif self.bindingsStore.get_value(parent_iter, 0) == _("Sources"): -@@ -3894,9 +3897,10 @@ class FirewallConfig(object): - interface = self.interfaceStore.get_value(iter, 0) - if interface in self.connections: - connection = self.connections[interface] -+ connection_name = self.connections_name[connection] - if selected_zone == self.default_zone: - selected_zone = nm_get_zone_of_connection(connection) -- editor = ZoneConnectionEditor(self.fw, connection, selected_zone) -+ editor = ZoneConnectionEditor(self.fw, connection, connection_name, selected_zone) - editor.set_icon(self.icon) - 
editor.set_position(Gtk.WindowPosition.CENTER_ON_PARENT) - editor.set_transient_for(self.mainWindow) -@@ -3905,9 +3909,9 @@ class FirewallConfig(object): - result = editor.run() - except Exception: - text = _("Failed to set zone {zone} " -- "for connection {connection}") -+ "for connection {connection_name}") - self._warning(text.format(zone=editor.get_zone(), -- connection=editor.connection)) -+ connection_name=editor.connection_name)) - editor.hide() - else: - self.add_edit_interface(False) -@@ -8115,11 +8119,12 @@ class ZoneInterfaceEditor(Gtk.Dialog): - self.fw.changeZoneOfInterface(self.get_zone(), self.interface) - - class ZoneConnectionEditor(ZoneInterfaceEditor): -- def __init__(self, fw, connection, zone): -+ def __init__(self, fw, connection, connection_name, zone): - self.fw = fw - self.connection = connection -+ self.connection_name = connection_name - self.zone = None -- self.title = _("Select zone for connection '%s'") % self.connection -+ self.title = _("Select zone for connection '%s'") % self.connection_name - - Gtk.Dialog.__init__(self, self.title) - self.create_ui(zone) -diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py -index 76901cee2adf..d21cc25feb8b 100644 ---- a/src/firewall/core/fw_nm.py -+++ b/src/firewall/core/fw_nm.py -@@ -73,7 +73,7 @@ def nm_get_zone_of_connection(connection): - """ - check_nm_imported() - -- con = nm_get_client().get_connection_by_id(connection) -+ con = nm_get_client().get_connection_by_uuid(connection) - if con is None: - return False - -@@ -94,7 +94,7 @@ def nm_set_zone_of_connection(zone, connection): - """ - check_nm_imported() - -- con = nm_get_client().get_connection_by_id(connection) -+ con = nm_get_client().get_connection_by_uuid(connection) - if con is None: - return False - -@@ -107,14 +107,14 @@ def nm_set_zone_of_connection(zone, connection): - setting_con.set_property("zone", zone) - return con.commit_changes(True, None) - --def nm_get_connections(connections, connections_uuid): -+def 
nm_get_connections(connections, connections_name): - """Get active connections from NM - @param connections return dict -- @param connections_uuid return dict -+ @param connections_name return dict - """ - - connections.clear() -- connections_uuid.clear() -+ connections_name.clear() - - check_nm_imported() - -@@ -129,9 +129,9 @@ def nm_get_connections(connections, connections_uuid): - uuid = active_con.get_uuid() - devices = active_con.get_devices() - -- connections_uuid[name] = uuid -+ connections_name[uuid] = name - for dev in devices: -- connections[dev.get_iface()] = name -+ connections[dev.get_iface()] = uuid - - def nm_get_connection_of_interface(interface): - """Get connection from NM that is using the interface -@@ -148,7 +148,7 @@ def nm_get_connection_of_interface(interface): - if active_con is None: - return None - -- return active_con.get_id() -+ return active_con.get_uuid() - - def nm_get_bus_name(): - if not _nm_imported: --- -2.16.3 - diff --git a/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-ignore-generated-connections.patch b/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-ignore-generated-connections.patch deleted file mode 100644 index f62eb60..0000000 --- a/SOURCES/firewalld-0.6.1-firewall.core.fw_nm-ignore-generated-connections.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From a3e6d2c48a1535b56bc5f28094818f10f93bf352 Mon Sep 17 00:00:00 2001 -From: Lubomir Rintel -Date: Mon, 16 Jul 2018 17:43:25 +0200 -Subject: [PATCH 3/3] firewall.core.fw_nm: ignore generated connections - -If a connection is generated by NetworkManager, changing it persists it and -makes the device managed by NetworkManager. - -(cherry picked from commit a102dde5d9430d503767cbface3e3b610134bdb6) ---- - src/firewall/core/fw_nm.py | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py -index d21cc25feb8b..0ed19248a79f 100644 ---- a/src/firewall/core/fw_nm.py -+++ b/src/firewall/core/fw_nm.py -@@ -148,6 +148,16 @@ def nm_get_connection_of_interface(interface): - if active_con is None: - return None - -+ try: -+ con = active_con.get_connection() -+ if con.get_flags() & NM.SettingsConnectionFlags.NM_GENERATED: -+ return None -+ except AttributeError: -+ # Prior to NetworkManager 1.12, we can only guess -+ # that a connection was generated. -+ if con.get_unsaved(): -+ return None -+ - return active_con.get_uuid() - - def nm_get_bus_name(): --- -2.16.3 - diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index d9cf889..e8d9169 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec 
@@ -7,42 +7,26 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 0.4.4.4
-Release: 15%{?dist}
+Version: 0.5.3
+Release: 5%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
-Source0: https://github.com/t-woerner/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch1: firewalld-0.4.4.3-qt4_applet.patch
 Patch2: firewalld-0.4.4.3-exclude_firewallctl_rhbz#1374799.patch
-Patch3: firewalld-0.4.4.4-support_sctp_and_dccp_rhbz#1429808.patch
-Patch4: firewalld-0.4.4.4-fix_offline_remove_service_from_zone_rhbz#1438127.patch
-Patch5: firewalld-0.4.4.4-fix_get_set_short_description_in_zone_rhbz#1416325.patch
-Patch6: firewalld-0.4.4.4-man_pages_add_sctp_and_dccp_rhbz#1429808.patch
-Patch7: firewalld-0.4.4.4-restore_wait_rhbz#1446162.patch
-Patch8: firewalld-0.4.4.4-ovirt-services_rhbz#1449158.patch
-Patch9: firewalld-0.4.4.4-policy-choice_rhbz#1449754.patch
-Patch10: firewalld-0.4.4.4-translation-update-ja_rhbz#1382652.patch
-Patch11: firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix_rhbz#1459921.patch
-Patch12: firewalld-0.4.4.5-firewall.functions-New-function-get_nf_nat_helpers-rhbz#1452681.patch
-Patch13: firewalld-0.4.4.5-firewall.core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681.patch
-Patch14: firewalld-0.4.4.5-firewall.core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681.patch
-Patch15: firewalld-0.4.4.5-firewalld.dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681.patch
-Patch16: firewalld-0.4.4.5-D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017.patch
-Patch17: firewalld-0.4.4.5-firewall.server.firewalld-New-property-for-NAT-helpe-rhbz#1452681.patch
-Patch18: firewalld-0.4.4.6-Add-NFSv3-service.patch
-Patch19: firewalld-0.4.4.6-Reload-nf_conntrack-sysctls-after-the-module-is-load-rhbz#1462977.patch
-Patch20: firewalld-0.4.4.6-Add-missing-ports-to-RH-Satellite-6-service.patch
-Patch21: firewalld-0.4.4.6-core-Log-unsupported-ICMP-types-as-informational-onl.patch
-Patch22: firewalld-0.4.4.6-doc-firewall-cmd-Document-query-options-return-codes.patch
-Patch23: firewalld-0.4.4.6-doc-firewall-cmd-Document-quirk-in-reload-option.patch
-Patch24: firewalld-0.4.4.6-firewall-cmd-Use-colors-only-if-output-is-a-TTY.patch
-Patch25: firewalld-0.4.4.6-firewall-offline-cmd-Don-t-require-root-for-help-out.patch
-Patch26: firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch
-Patch27: firewalld-0.4.4.7-firewalld-also-reload-dbus-config-interface-for-glob.patch
-Patch28: firewalld-0.4.4.7-services-high-availability-Add-port-9929.patch
-Patch29: firewalld-0.6.1-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch
-Patch30: firewalld-0.6.1-firewall.core.fw_nm-identify-the-connections-by-uuid.patch
-Patch31: firewalld-0.6.1-firewall.core.fw_nm-ignore-generated-connections.patch
+Patch3: 0001-ipset-check-type-when-parsing-ipset-definition.patch
+Patch4: 0002-firewall-core-io-functions-add-check_config.patch
+Patch5: 0003-firewall-offline-cmd-add-check-config-option.patch
+Patch6: 0004-firewall-cmd-add-check-config-option.patch
+Patch7: 0005-tests-firewall-cmd-exercise-check-config.patch
+Patch8: 0001-firewall.core.fw_nm-avoid-iterating-NM-devices-conne.patch
+Patch9: 0002-firewall.core.fw_nm-identify-the-connections-by-uuid.patch
+Patch10: 0003-firewall.core.fw_nm-ignore-generated-connections.patch
+Patch11: 0001-tests-functions-check-state-after-a-reload.patch
+Patch12: 0002-fw-on-restart-set-policy-from-same-function.patch
+Patch13: 0003-fw-if-failure-occurs-during-startup-set-state-to-FAI.patch
+Patch14: 0001-fw-if-startup-fails-on-reload-reapply-non-perm-confi.patch
+Patch15: 0002-fw-If-direct-rules-fail-to-apply-add-a-Direct-label-.patch
 BuildArch: noarch
 BuildRequires: desktop-file-utils
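Review bot: The new `Source0:` fetches GitHub's on-the-fly archive for `v%{version}` and the spec carries no detached-signature source or verification step in `%prep`, so, as far as the spec shows, the tarball's only integrity anchor is the checksum recorded in the dist-git lookaside metadata; if upstream publishes signed release tarballs, adding a `Source1:` signature and verifying it in `%prep` would make the rebase checkable without trusting the lookaside. Patch3 through Patch15 come from four separate upstream series that each restart at `0001-`, so the `PatchN:` numbers are now the only thing that conveys apply order; a one-line comment above each group, e.g. `# backports: --check-config option`, `# backports: fw_nm generated-connection handling`, `# backports: failed state on startup / reload`, would make the grouping explicit. Patch1 and Patch2 keep their `firewalld-0.4.4.3-` names while now being applied to a 0.5.3 tree, which deserves a comment so the next rebase does not assume they were regenerated.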
@@ -152,41 +136,7 @@ The firewall configuration application provides an configuration interface for firewalld.
 %prep
-%setup -q
-%patch1 -p1 -b .qt4_applet
-%patch2 -p1 -b .exclude_firewallctl_rhbz#1374799
-%patch3 -p1 -b .support_sctp_and_dccp_rhbz#1429808
-%patch4 -p1 -b .fix_offline_remove_service_from_zone_rhbz#1438127
-%patch5 -p1 -b .fix_get_set_short_description_in_zone_rhbz#1416325
-%patch6 -p1 -b .man_pages_add_sctp_and_dccp_rhbz#1429808
-%patch7 -p1 -b .restore_wait_rhbz#1446162
-# Do not create backup files with -b .ovirt-services_rhbz#1449158 for patch8
-%patch8 -p1
-%patch9 -p1 -b .policy-choice_rhbz#1449754
-%patch10 -p1 -b .translation-update-ja_rhbz#1382652
-%patch11 -p1 -b .ipv6_icmptype_only_rich_rule_fix_rhbz#1459921
-%patch12 -p1 -b .functions-New-function-get_nf_nat_helpers-rhbz#1452681
-%patch13 -p1 -b .core.fw-Get-NAT-helpers-and-store-them-inte-rhbz#1452681
-%patch14 -p1 -b .core.fw_zone-Load-NAT-helpers-with-conntrac-rhbz#1452681
-%patch15 -p1 -b .dbus-Add-missing-properties-nf_conntrach_h-rhbz#1452681
-%patch16 -p1 -b .D-Bus-interfaces-Fix-GetAll-for-interfaces-without-p-rhbz#1452017
-%patch17 -p1 -b .server.firewalld-New-property-for-NAT-helpe-rhbz#1452681
-# Do not create backup files with -b .Add-NFSv3-service_rhbz#1462088 for patch18
-%patch18 -p1
-%patch19 -p1 -b .Reload-nf_conntrack-sysctls-after-the-module-rhbz#1462977
-# Do not create backup files with -b .Add-missing-ports-to-RH-Satellite-6-service for patch20
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1 -b .Fix-and-improve-firewalld-sysctls.conf
-%patch27 -p1 -b .firewalld-also-reload-dbus-config-interface-for-glob
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
+%autosetup -p1
 ./autogen.sh
 %if 0%{?with_python3}
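Review bot: `%autosetup -p1` applies every `PatchN:` tag in numeric order with plain `patch` and without the per-patch `-b` backup suffixes the old `%prep` used, so a patch that only applies with fuzz on the rebased tree no longer leaves a backup file behind to flag it; the two carried-over 0.4.4.3-era patches (Patch1, Patch2) are the ones to check, e.g. by running a test build with `%autosetup -p1 -S git` to get a per-patch commit trail, or by confirming the build's `%_default_patch_fuzz` is 0 so fuzzy applies fail loudly. The explanatory `# Do not create backup files ...` comments disappear with the explicit `%patchN` lines, which is fine because `%autosetup` writes no backups by default.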
@@ -299,8 +249,6 @@
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
 %dir %{_datadir}/firewalld
-%dir %{_datadir}/firewalld/tests
-%{_datadir}/firewalld/tests
 %defattr(0644,root,root)
 %config(noreplace) %{_sysconfdir}/sysconfig/firewalld
 #%attr(0755,root,root) %{_initrddir}/firewalld
@@ -382,9 +330,21 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 %changelog
-* Fri Aug 10 2018 Eric Garver - 0.4.4.4-15
+* Fri Aug 17 2018 Eric Garver - 0.5.3-5
+- even if startup failed, reapply non-permanent interface to zone assignments
+
+* Thu Aug 16 2018 Eric Garver - 0.5.3-4
+- backport patches to enter failed state if startup fails
+
+* Thu Jul 19 2018 Eric Garver - 0.5.3-3
 - backport patches to avoid NM for generated connections
+* Tue Jun 12 2018 Eric Garver - 0.5.3-2
+- backport patches for --check-config option
+
+* Tue May 15 2018 Eric Garver - 0.5.3-1
+- rebase package to v0.5.3
+
 * Tue Dec 12 2017 Eric Garver - 0.4.4.4-14
 - services/high-availability: Add port 9929 (RHBZ#1486143)
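Review bot: Removing the two `%{_datadir}/firewalld/tests` entries from `%files` assumes the 0.5.3 install target no longer populates that directory; if it still does, rpmbuild fails on unpackaged files, so the assumption deserves a check against the new tree's install rules rather than a single successful build. The changelog entry for 0.5.3-1 says only `- rebase package to v0.5.3`; a second line such as `- stop shipping %{_datadir}/firewalld/tests` would record that packaged content changed, not just the version.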