firewalld/0001-fedora-patch-to-default-to-iptables-backend.patch

From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 30 Aug 2018 16:34:19 -0400
Subject: [PATCH] fedora patch to default to iptables backend

---
 config/firewalld.conf                  |  7 -------
 src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
 src/tests/dbus/firewalld.conf.at       |  2 +-
 src/tests/functions.at                 |  4 ++--
 4 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f045..0f64a56 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -40,13 +40,6 @@ IndividualCalls=no
 # Default: off
 LogDenied=off
 
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-#	- nftables (default)
-#	- iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
-
 # FlushAllOnReload
 # Flush all runtime rules on a reload. In previous releases some runtime
 # configuration was retained during a reload, namely; interface to zone
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 7c70921..4e83d6e 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -268,6 +268,12 @@ class firewalld_conf(object):
                     if key not in done:
                         if (key in self._config and \
                                 self._config[key] != value):
+                            # Only write FirewallBackend if it's not the default.
+                            # We will change the default in the future.
+                            if key == "FirewallBackend" and \
+                               self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
+                                done.append(key)
+                                continue
                             empty = False
                             temp_file.write(u'%s=%s\n' %
                                             (key, self._config[key]))
@@ -275,6 +281,12 @@ class firewalld_conf(object):
                         elif key in self._deleted:
                             modified = True
                         else:
+                            # Only write FirewallBackend if it's not the default.
+                            # We will change the default in the future.
+                            if key == "FirewallBackend" and \
+                               value == config.FALLBACK_FIREWALL_BACKEND:
+                                done.append(key)
+                                continue
                             empty = False
                             temp_file.write(line+u"\n")
                         done.append(key)
@@ -286,6 +298,11 @@ class firewalld_conf(object):
             for (key,value) in self._config.items():
                 if key in done:
                     continue
+                # Only write FirewallBackend if it's not the default.
+                # We will change the default in the future.
+                if key == "FirewallBackend" and \
+                   value == config.FALLBACK_FIREWALL_BACKEND:
+                    continue
                 if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config
                     continue
                 if not empty:
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index cc15318..374312b 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -19,7 +19,7 @@ string "AllowZoneDrifting" : variant string "no"
 string "AutomaticHelpers" : variant string "no"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
+string "FirewallBackend" : variant string "iptables"
 string "FlushAllOnReload" : variant string "yes"
 string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
 string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 582fdcc..5a1aad1 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [
     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
         AT_KEYWORDS(offline)
     ], [
-        m4_define_default([FIREWALL_BACKEND], [nftables])
+        m4_define_default([FIREWALL_BACKEND], [iptables])
 
         AT_KEYWORDS(FIREWALL_BACKEND)
 
@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [
         AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
 
         dnl set the appropriate backend
-        AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
+        AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
 
         dnl fib matching is pretty new in nftables. Don't use rpfilter on older
         dnl kernels.
-- 
1.8.3.1
Package init 2019-09-30 10:38:52 -04:00			`From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001`
			`From: Eric Garver <e@erig.me>`
			`Date: Thu, 30 Aug 2018 16:34:19 -0400`
			`Subject: [PATCH] fedora patch to default to iptables backend`

			`---`
			`config/firewalld.conf \| 7 -------`
			`src/firewall/core/io/firewalld_conf.py \| 17 +++++++++++++++++`
			`src/tests/dbus/firewalld.conf.at \| 2 +-`
			`src/tests/functions.at \| 4 ++--`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`4 files changed, 20 insertions(+), 10 deletions(-)`
Package init 2019-09-30 10:38:52 -04:00
			`diff --git a/config/firewalld.conf b/config/firewalld.conf`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`index 532f045..0f64a56 100644`
Package init 2019-09-30 10:38:52 -04:00			`--- a/config/firewalld.conf`
			`+++ b/config/firewalld.conf`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`@@ -40,13 +40,6 @@ IndividualCalls=no`
			`# Default: off`
			`LogDenied=off`

Package init 2019-09-30 10:38:52 -04:00			`-# FirewallBackend`
			`-# Selects the firewall backend implementation.`
			`-# Choices are:`
			`-# - nftables (default)`
			`-# - iptables (iptables, ip6tables, ebtables and ipset)`
			`-FirewallBackend=nftables`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`-`
			`# FlushAllOnReload`
			`# Flush all runtime rules on a reload. In previous releases some runtime`
			`# configuration was retained during a reload, namely; interface to zone`
Package init 2019-09-30 10:38:52 -04:00			`diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`index 7c70921..4e83d6e 100644`
Package init 2019-09-30 10:38:52 -04:00			`--- a/src/firewall/core/io/firewalld_conf.py`
			`+++ b/src/firewall/core/io/firewalld_conf.py`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`@@ -268,6 +268,12 @@ class firewalld_conf(object):`
Package init 2019-09-30 10:38:52 -04:00			`if key not in done:`
			`if (key in self._config and \`
			`self._config[key] != value):`
			`+ # Only write FirewallBackend if it's not the default.`
			`+ # We will change the default in the future.`
			`+ if key == "FirewallBackend" and \`
			`+ self._config[key] == config.FALLBACK_FIREWALL_BACKEND:`
			`+ done.append(key)`
			`+ continue`
			`empty = False`
			`temp_file.write(u'%s=%s\n' %`
			`(key, self._config[key]))`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`@@ -275,6 +281,12 @@ class firewalld_conf(object):`
Package init 2019-09-30 10:38:52 -04:00			`elif key in self._deleted:`
			`modified = True`
			`else:`
			`+ # Only write FirewallBackend if it's not the default.`
			`+ # We will change the default in the future.`
			`+ if key == "FirewallBackend" and \`
			`+ value == config.FALLBACK_FIREWALL_BACKEND:`
			`+ done.append(key)`
			`+ continue`
			`empty = False`
			`temp_file.write(line+u"\n")`
			`done.append(key)`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`@@ -286,6 +298,11 @@ class firewalld_conf(object):`
Package init 2019-09-30 10:38:52 -04:00			`for (key,value) in self._config.items():`
			`if key in done:`
			`continue`
			`+ # Only write FirewallBackend if it's not the default.`
			`+ # We will change the default in the future.`
			`+ if key == "FirewallBackend" and \`
			`+ value == config.FALLBACK_FIREWALL_BACKEND:`
			`+ continue`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config`
			`continue`
Package init 2019-09-30 10:38:52 -04:00			`if not empty:`
			`diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`index cc15318..374312b 100644`
Package init 2019-09-30 10:38:52 -04:00			`--- a/src/tests/dbus/firewalld.conf.at`
			`+++ b/src/tests/dbus/firewalld.conf.at`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`@@ -19,7 +19,7 @@ string "AllowZoneDrifting" : variant string "no"`
			`string "AutomaticHelpers" : variant string "no"`
Package init 2019-09-30 10:38:52 -04:00			`string "CleanupOnExit" : variant string "no"`
			`string "DefaultZone" : variant string "public"`
			`-string "FirewallBackend" : variant string "nftables"`
			`+string "FirewallBackend" : variant string "iptables"`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`string "FlushAllOnReload" : variant string "yes"`
			`string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])`
			`string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])`
Package init 2019-09-30 10:38:52 -04:00			`diff --git a/src/tests/functions.at b/src/tests/functions.at`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`index 582fdcc..5a1aad1 100644`
Package init 2019-09-30 10:38:52 -04:00			`--- a/src/tests/functions.at`
			`+++ b/src/tests/functions.at`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [`
			`m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [`
			`AT_KEYWORDS(offline)`
			`], [`
Package init 2019-09-30 10:38:52 -04:00			`- m4_define_default([FIREWALL_BACKEND], [nftables])`
			`+ m4_define_default([FIREWALL_BACKEND], [iptables])`

update version to 0.8.3 2020-07-29 20:18:05 +08:00			`AT_KEYWORDS(FIREWALL_BACKEND)`

			`@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [`
Package init 2019-09-30 10:38:52 -04:00			`AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])`

			`dnl set the appropriate backend`
			`- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])`
			`+ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])`

			`dnl fib matching is pretty new in nftables. Don't use rpfilter on older`
			`dnl kernels.`
			`--`
update version to 0.8.3 2020-07-29 20:18:05 +08:00			`1.8.3.1`
Package init 2019-09-30 10:38:52 -04:00