[firewalld/f18] Another fix for RHBZ#912782

Jiří Popelka jpopelka at fedoraproject.org
Thu Mar 7 09:59:13 UTC 2013


commit d79f3b30242e75fba4177c9eeeea707cd43746c7
Author: Jiri Popelka <jpopelka at redhat.com>
Date:   Thu Mar 7 10:52:21 2013 +0100

    Another fix for RHBZ#912782

 firewalld-0.2.12-bz912782_2.patch |   72 +++++++++++++++++++++++++++++++++++++
 firewalld.spec                    |    7 +++-
 2 files changed, 78 insertions(+), 1 deletions(-)
---
diff --git a/firewalld-0.2.12-bz912782_2.patch b/firewalld-0.2.12-bz912782_2.patch
new file mode 100644
index 0000000..076a78a
--- /dev/null
+++ b/firewalld-0.2.12-bz912782_2.patch
@@ -0,0 +1,72 @@
+From 41a1a4c69448991bb89b22081b29bffe47bfcca1 Mon Sep 17 00:00:00 2001
+From: Jiri Popelka <jpopelka at redhat.com>
+Date: Wed, 6 Mar 2013 17:21:00 +0100
+Subject: [PATCH] FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains
+ (RHBZ#912782)
+
+We need to separate top-level FORWARD_ZONES chain
+into these two chains to be able to correctly match
+rules for input and output interface, see
+https://bugzilla.redhat.com/show_bug.cgi?id=912782#c11
+---
+ src/firewall/core/base.py      |  4 ++--
+ src/firewall/core/fw_zone.py   |  2 +-
+ src/firewall/core/ipXtables.py | 10 ++++++----
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/firewall/core/base.py b/src/firewall/core/base.py
+index b89870d..1dcf30b 100644
+--- a/src/firewall/core/base.py
++++ b/src/firewall/core/base.py
+@@ -44,8 +44,8 @@ INTERFACE_ZONE_SRC = {
+     "PREROUTING": "PREROUTING",
+     "POSTROUTING": "POSTROUTING",
+     "INPUT": "INPUT",
+-    "FORWARD_IN": "FORWARD",
+-    "FORWARD_OUT": "FORWARD",
++    "FORWARD_IN": "FORWARD_IN",
++    "FORWARD_OUT": "FORWARD_OUT",
+     "OUTPUT": "OUTPUT",
+ }
+ 
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 2b0ac8b..c72055e 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -264,7 +264,7 @@ class FirewallZone:
+                     target = self._zones[zone].target.format(
+                         chain=SHORTCUTS[chain], zone=zone)
+                     if target in [ "REJECT", "%%REJECT%%" ] and \
+-                            src_chain not in [ "INPUT", "FORWARD", "OUTPUT" ]:
++                            src_chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
+                         # REJECT is only valid in the INPUT, FORWARD and
+                         # OUTPUT chains, and user-defined chains which are 
+                         # only called from those chains
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index d172151..311f9e4 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -83,14 +83,16 @@ DEFAULT_RULES["filter"] = [
+     "-I INPUT 6 -j %%REJECT%%",
+ 
+     "-N FORWARD_direct",
+-    "-N FORWARD_ZONES",
++    "-N FORWARD_IN_ZONES",
++    "-N FORWARD_OUT_ZONES",
+ 
+     "-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+     "-I FORWARD 2 -i lo -j ACCEPT",
+     "-I FORWARD 3 -j FORWARD_direct",
+-    "-I FORWARD 4 -j FORWARD_ZONES",
+-    "-I FORWARD 5 -p %%ICMP%% -j ACCEPT",
+-    "-I FORWARD 6 -j %%REJECT%%",
++    "-I FORWARD 4 -j FORWARD_IN_ZONES",
++    "-I FORWARD 5 -j FORWARD_OUT_ZONES",
++    "-I FORWARD 6 -p %%ICMP%% -j ACCEPT",
++    "-I FORWARD 7 -j %%REJECT%%",
+ 
+     "-N OUTPUT_direct",
+ 
+-- 
+1.8.1.4
+
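Review bot: In the ipXtables.py hunk the FORWARD chain now jumps to FORWARD_IN_ZONES at position 4 and FORWARD_OUT_ZONES at position 5, so a terminal verdict reached through the ingress dispatch ends traversal before the egress zone is consulted. The fw_zone.py hunk shows zone targets being formatted into these rules, so this looks reachable, though the per-zone chains are outside the diff. That ordering is a policy decision worth stating next to the two jumps, e.g. `# ingress zone is matched first; a terminal target there skips FORWARD_OUT_ZONES`. In fw_zone.py the comment under the changed condition still says REJECT is only valid in "the INPUT, FORWARD and OUTPUT chains", while the list now holds `FORWARD_IN` and `FORWARD_OUT`, which are INTERFACE_ZONE_SRC values rather than iptables chain names; the comment should say so. Any comparison against the old `"FORWARD"` value outside these three files would silently stop matching, so the rest of the tree is worth searching before this ships.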
diff --git a/firewalld.spec b/firewalld.spec
index 4c3b00b..4b6bff5 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-BUS interface providing a dynamic firewall
 Name: firewalld
 Version: 0.2.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 URL: http://fedorahosted.org/firewalld
 License: GPLv2+
 ExclusiveOS: Linux
@@ -14,6 +14,7 @@ Patch0: firewalld-0.2.6-MDNS-default.patch
 Patch1: firewalld-0.2.12-conf.patch
 Patch2: firewalld-0.2.12-gtk.patch
 Patch3: firewalld-0.2.12-bz912782.patch
+Patch4: firewalld-0.2.12-bz912782_2.patch
 BuildRequires: desktop-file-utils
 BuildRequires: gettext
 BuildRequires: intltool
@@ -82,6 +83,7 @@ firewalld.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 %configure --with-systemd-unitdir=%{_unitdir}
@@ -198,6 +200,9 @@ fi
 %{_datadir}/icons/hicolor/*/apps/firewall-config*.*
 
 %changelog
+* Thu Mar 07 2013 Jiri Popelka <jpopelka at redhat.com> - 0.2.12-4
+- Another fix for RHBZ#912782
+
 * Wed Feb 20 2013 Jiri Popelka <jpopelka at redhat.com> - 0.2.12-3
 - Stop default zone rules being applied to all zones (RHBZ#912782)
 

