Hello community, here is the log from the commit of package firewalld for openSUSE:Factory checked in at 2017-03-02 19:26:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/firewalld (Old) and /work/SRC/openSUSE:Factory/.firewalld.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "firewalld" Thu Mar 2 19:26:59 2017 rev:17 rq:459179 version:0.4.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/firewalld/firewalld.changes 2016-12-06 14:27:49.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.firewalld.new/firewalld.changes 2017-03-02 19:27:01.419190604 +0100 @@ -1,0 +2,47 @@ +Mon Feb 13 16:20:27 UTC 2017 - mchandras@suse.de + +- Update to version 0.4.4.3 + * New service freeipa-trust (rh#1411650) + * Complete icmp types for IPv4 and IPv6 + * New h323 helper container + * Support helper container: h323 + * firewall.server.decorators: ALREADY_ errors should be logged as warnings + * firewall.command: ALREADY_SET should also result in zero exit code + * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd + * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface + * New checks for ipset entry validation + * Use ipset dimension for match + * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list + * New firewall.core.icmp providing names and types for icmp and icmpv6 values + * firewall.core.fw_ipset: New methods to get ipset dimension and applied state + * firewall.errors: New error NOT_APPLIED + * firewall-cmd man page: Add missing --get-ipset-types + * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345) + * firewall.core.prog: Fix addition of the error output in runProg + * Speed up ipset handling, (re)loading and import from file + * Support --family option for --new-ipset + * Handle FirewallError for query sequences in command line tools + * Fail to alter entries of ipsets with timeout + * Extended tests for ipset options + * Return empty list for ipsets using timeouts + * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186) + * firewalld.conf man page: New section about AutomaticHelpers + * firewall-offline-cmd man page: Added -v and -q options, fixed section ids + * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface + * firewall.core.fw_zone: Limit masquerading forward rule to new connections + * firewall-config: Update active zones on reloaded signal + * firewall-applet: Update active zones and tooltip on reloaded signal + * firewall.core.fw_zone: Fix missing chain for helper in rich rules using service (rh#1416578) + * Support icmp-type usage in rich rules (rh#1409544) + * firewall[-offline]-cmd: Fix --{set,get}-{short,description} for ipset and helper (rh#1416325) + * firewall.core.ipset: Solve ipset creation issues with -exist and more flag tests + * Speed up start and restart for ipsets with lots of entries (rh#1416817) + * Speed up of ipset alteration by adding and removing entries using a file (rh#1416817) + * Code cleanup and minor bug fixes + * firewall.core.prog: Fix addition of the error output in runProg + * New services mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync + * Translation updates +- Add upstream patch to fix ipset overloading from /etc/firewalld/ipsets (gh#t-woerner/firewalld#206) + * 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch + +------------------------------------------------------------------- @@ -95 +142 @@ - * New firewallctl utility (RHBZ#1147959) + * New firewallctl utility (rh#1147959) @@ -97 +144 @@ - * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (RHBZ#1339251) + * firewall.core.fw_config: Create backup on zone, service, ipset and icmptype removal (rh#1339251) @@ -103 +150 @@ - * config.xmlschema.service.xsd: Fix service destination conflicts (RHBZ#1296573) + * config.xmlschema.service.xsd: Fix service destination conflicts (rh#1296573) @@ -184 +231 @@ - * rich rules: Allow destination action (RHBZ#1163428) + * rich rules: Allow destination action (rh#1163428) @@ -253 +300 @@ - * Reduced calls to get ids for port and protocol names (RHBZ#1305434) + * Reduced calls to get ids for port and protocol names (rh#1305434) Old: ---- firewalld-0.4.4.2.tar.bz2 New: ---- 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch firewalld-0.4.4.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ firewalld.spec ++++++ --- /var/tmp/diff_new_pack.1IxLrZ/_old 2017-03-02 19:27:02.035103485 +0100 +++ /var/tmp/diff_new_pack.1IxLrZ/_new 2017-03-02 19:27:02.035103485 +0100 @@ -1,7 +1,7 @@ # # spec file for package firewalld # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,13 +17,15 @@ Name: firewalld -Version: 0.4.4.2 +Version: 0.4.4.3 Release: 0 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall License: GPL-2.0+ Group: Productivity/Networking/Security Url: http://www.firewalld.org Source: https://fedorahosted.org/released/%{name}/%{name}-%{version}.tar.bz2 +# PATCH-FIX-UPSTREAM: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch (gh#t-woerner/firewalld#206) +Patch: 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch BuildRequires: desktop-file-utils BuildRequires: docbook-xsl-stylesheets BuildRequires: gettext @@ -84,6 +86,7 @@ %prep %setup -q +%patch -p1 %build %configure --enable-sysconfig --enable-rpmmacros ++++++ 0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch ++++++
From 7e7be5658c2b1a8aa130480ad8e1a7314c83bba9 Mon Sep 17 00:00:00 2001 From: Thomas Woerner <twoerner@redhat.com> Date: Wed, 15 Feb 2017 11:11:40 +0100 Subject: [PATCH] firewall.core.fw_ipset: get_ipset may not ckeck if set is applied by default
This breaks the ipset overloading from /etc/firewalld/ipsets. Fixes: #206 --- src/firewall/core/fw_ipset.py | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py index bbbc8eb9..952d1226 100644 --- a/src/firewall/core/fw_ipset.py +++ b/src/firewall/core/fw_ipset.py @@ -55,10 +55,11 @@ class FirewallIPSet(object): def has_ipsets(self): return len(self._ipsets) > 0 - def get_ipset(self, name): + def get_ipset(self, name, applied=False): self.check_ipset(name) obj = self._ipsets[name] - self.check_applied_obj(obj) + if applied: + self.check_applied_obj(obj) return obj def _error2warning(self, f, name, *args): @@ -141,11 +142,11 @@ class FirewallIPSet(object): # TYPE def get_type(self, name): - return self.get_ipset(name).type + return self.get_ipset(name, applied=True).type # DIMENSION def get_dimension(self, name): - return len(self.get_ipset(name).type.split(",")) + return len(self.get_ipset(name, applied=True).type.split(",")) # APPLIED @@ -164,7 +165,7 @@ class FirewallIPSet(object): # OPTIONS def get_family(self, name): - obj = self.get_ipset(name) + obj = self.get_ipset(name, applied=True) if "family" in obj.options: if obj.options["family"] == "inet6": return "ipv6" @@ -179,7 +180,7 @@ class FirewallIPSet(object): pass def add_entry(self, name, entry): - obj = self.get_ipset(name) + obj = self.get_ipset(name, applied=True) if "timeout" in obj.options and obj.options["timeout"] != "0": # no entries visible for ipsets with timeout raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) @@ -201,7 +202,7 @@ class FirewallIPSet(object): obj.entries.append(entry) def remove_entry(self, name, entry): - obj = self.get_ipset(name) + obj = self.get_ipset(name, applied=True) if "timeout" in obj.options and obj.options["timeout"] != "0": # no entries visible for ipsets with timeout raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) @@ -222,7 +223,7 @@ class FirewallIPSet(object): obj.entries.remove(entry) def query_entry(self, name, entry): - obj = self.get_ipset(name) + obj = self.get_ipset(name, applied=True) if "timeout" in obj.options and obj.options["timeout"] != "0": # no entries visible for ipsets with timeout raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) @@ -230,11 +231,11 @@ class FirewallIPSet(object): return entry in obj.entries def get_entries(self, name): - obj = self.get_ipset(name) + obj = self.get_ipset(name, applied=True) return obj.entries def set_entries(self, name, entries): - obj = self.get_ipset(name) + obj = self.get_ipset(name, applied=True) if "timeout" in obj.options and obj.options["timeout"] != "0": # no entries visible for ipsets with timeout raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) -- 2.11.0 ++++++ firewalld-0.4.4.2.tar.bz2 -> firewalld-0.4.4.3.tar.bz2 ++++++ ++++ 5146 lines of diff (skipped)