update version to 0.8.3

0001-Fix-translating-labels-392.patch

@@ -1,35 +0,0 @@
-From 5494006021e83f27195dc902c3c9fd024e71dc3b Mon Sep 17 00:00:00 2001
-From: MeggyCal <MeggyCal@users.noreply.github.com>
-Date: Thu, 20 Sep 2018 15:37:17 +0200
-Subject: [PATCH] Fix translating labels (#392)
-
-Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active.
-
-Fixes: #344
-(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f)
----
- src/firewall-config.glade | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/firewall-config.glade b/src/firewall-config.glade
-index 22bed58aafaf..75c229b408fd 100644
---- a/src/firewall-config.glade
-+++ b/src/firewall-config.glade
-@@ -10135,10 +10135,10 @@
-                             <property name="halign">start</property>
-                             <property name="valign">start</property>
-                             <items>
--                              <item>accept</item>
--                              <item>reject</item>
--                              <item>drop</item>
--                              <item>mark</item>
-+                              <item translatable="yes">accept</item>
-+                              <item translatable="yes">reject</item>
-+                              <item translatable="yes">drop</item>
-+                              <item translatable="yes">mark</item>
-                             </items>
-                             <signal name="changed" handler="on_richRuleDialog_changed" swapped="no"/>
-                           </object>
--- 
-2.18.0
-

0001-fedora-patch-to-default-to-iptables-backend.patch

@@ -5,42 +5,34 @@ Subject: [PATCH] fedora patch to default to iptables backend
 
 ---
  config/firewalld.conf                  |  7 -------
- src/firewall/config/__init__.py.in     |  2 +-
  src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
  src/tests/dbus/firewalld.conf.at       |  2 +-
  src/tests/functions.at                 |  4 ++--
- 5 files changed, 21 insertions(+), 11 deletions(-)
+ 4 files changed, 20 insertions(+), 10 deletions(-)
 
 diff --git a/config/firewalld.conf b/config/firewalld.conf
-index b53c0aa50c53..63df409bf567 100644
+index 532f045..0f64a56 100644
 --- a/config/firewalld.conf
 +++ b/config/firewalld.conf
-@@ -55,10 +55,3 @@ LogDenied=off
+@@ -40,13 +40,6 @@ IndividualCalls=no
- # will be used. Possible values are: yes, no and system.
+ # Default: off
- # Default: system
+ LogDenied=off
- AutomaticHelpers=system
+ 
--
 -# FirewallBackend
 -# Selects the firewall backend implementation.
 -# Choices are:
 -#	- nftables (default)
 -#	- iptables (iptables, ip6tables, ebtables and ipset)
 -FirewallBackend=nftables
-diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+-
-index 955be32077e1..cff7c3fe9025 100644
+ # FlushAllOnReload
---- a/src/firewall/config/__init__.py.in
+ # Flush all runtime rules on a reload. In previous releases some runtime
-+++ b/src/firewall/config/__init__.py.in
+ # configuration was retained during a reload, namely; interface to zone
-@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
- FALLBACK_INDIVIDUAL_CALLS = False
- FALLBACK_LOG_DENIED = "off"
- FALLBACK_AUTOMATIC_HELPERS = "system"
--FALLBACK_FIREWALL_BACKEND = "nftables"
-+FALLBACK_FIREWALL_BACKEND = "iptables"
 diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
-index 4d57bad693c1..6264f45a1913 100644
+index 7c70921..4e83d6e 100644
 --- a/src/firewall/core/io/firewalld_conf.py
 +++ b/src/firewall/core/io/firewalld_conf.py
-@@ -240,6 +240,12 @@ class firewalld_conf(object):
+@@ -268,6 +268,12 @@ class firewalld_conf(object):
                      if key not in done:
                          if (key in self._config and \
                                  self._config[key] != value):
@@ -53,7 +45,7 @@ index 4d57bad693c1..6264f45a1913 100644
                              empty = False
                              temp_file.write(u'%s=%s\n' %
                                              (key, self._config[key]))
-@@ -247,6 +253,12 @@ class firewalld_conf(object):
+@@ -275,6 +281,12 @@ class firewalld_conf(object):
                          elif key in self._deleted:
                              modified = True
                          else:
@@ -66,7 +58,7 @@ index 4d57bad693c1..6264f45a1913 100644
                              empty = False
                              temp_file.write(line+u"\n")
                          done.append(key)
-@@ -258,6 +270,11 @@ class firewalld_conf(object):
+@@ -286,6 +298,11 @@ class firewalld_conf(object):
              for (key,value) in self._config.items():
                  if key in done:
                      continue
@@ -75,34 +67,36 @@ index 4d57bad693c1..6264f45a1913 100644
 +                if key == "FirewallBackend" and \
 +                   value == config.FALLBACK_FIREWALL_BACKEND:
 +                    continue
+                 if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config
+                     continue
                  if not empty:
-                     temp_file.write(u"\n")
-                     empty = True
 diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
-index 473210de10af..44e649111ffb 100644
+index cc15318..374312b 100644
 --- a/src/tests/dbus/firewalld.conf.at
 +++ b/src/tests/dbus/firewalld.conf.at
-@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl
+@@ -19,7 +19,7 @@ string "AllowZoneDrifting" : variant string "no"
- string "AutomaticHelpers" : variant string "system"
+ string "AutomaticHelpers" : variant string "no"
  string "CleanupOnExit" : variant string "no"
  string "DefaultZone" : variant string "public"
 -string "FirewallBackend" : variant string "nftables"
 +string "FirewallBackend" : variant string "iptables"
- m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
+ string "FlushAllOnReload" : variant string "yes"
- string "IPv6_rpfilter" : variant string "no"],[dnl
+ string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
- string "IPv6_rpfilter" : variant string "yes"])
+ string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
 diff --git a/src/tests/functions.at b/src/tests/functions.at
-index 3b79a9f31305..dd7b43d9dac6 100644
+index 582fdcc..5a1aad1 100644
 --- a/src/tests/functions.at
 +++ b/src/tests/functions.at
-@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [
+@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [
-     fi
+     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
- 
+         AT_KEYWORDS(offline)
-     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
+     ], [
 -        m4_define_default([FIREWALL_BACKEND], [nftables])
 +        m4_define_default([FIREWALL_BACKEND], [iptables])
  
-         dnl don't unload modules or bother cleaning up, the namespace will be deleted
+         AT_KEYWORDS(FIREWALL_BACKEND)
+ 
+@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [
          AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
  
          dnl set the appropriate backend
@@ -112,5 +106,5 @@ index 3b79a9f31305..dd7b43d9dac6 100644
          dnl fib matching is pretty new in nftables. Don't use rpfilter on older
          dnl kernels.
 -- 
-2.18.0
+1.8.3.1
 

0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch

@@ -1,48 +0,0 @@
-From 2e53fab83ac844c1d2fb2781116ad47b8900ab85 Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Fri, 21 Sep 2018 11:02:18 -0400
-Subject: [PATCH 1/2] fw_transaction: On clear zone transaction, must clear fw
- and other zones
-
-Just like FirewallZoneTransaction.execute() that was spawned from a
-FirewallTransaction must call FirewallTransaction.exectue() we should
-also make sure the same is done for clear(). Otherwise we can end up
-with a partially cleared transaction. This gets really hairy if the
-FirewallTransaction contains many instances of FirewallZoneTransaction
-which is common during startup with non-default configuration.
-
-Fixes: #374
----
- src/firewall/core/fw_transaction.py | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py
-index f169e4a923dd..ad204c1991cf 100644
---- a/src/firewall/core/fw_transaction.py
-+++ b/src/firewall/core/fw_transaction.py
-@@ -231,9 +231,19 @@ class FirewallZoneTransaction(SimpleFirewallTransaction):
-         self.modules = [ ] # [ module,.. ]
- 
-     def clear(self):
--        super(FirewallZoneTransaction, self).clear()
--        del self.chains[:]
--        del self.modules[:]
-+        # calling clear on a zone_transaction that was spawned from a
-+        # FirewallTransaction needs to clear the fw_transaction and all the
-+        # other zones otherwise we end up with a partially cleared transaction.
-+        if self.fw_transaction:
-+            super(FirewallTransaction, self.fw_transaction).clear()
-+            for zone in self.fw_transaction.zone_transactions.keys():
-+                super(FirewallZoneTransaction, self.fw_transaction.zone_transactions[zone]).clear()
-+                del self.fw_transaction.zone_transactions[zone].chains[:]
-+                del self.fw_transaction.zone_transactions[zone].modules[:]
-+        else:
-+            super(FirewallZoneTransaction, self).clear()
-+            del self.chains[:]
-+            del self.modules[:]
- 
-     def prepare(self, enable, rules=None, modules=None):
-         log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
--- 
-2.18.0
-

firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch

@@ -1,135 +0,0 @@
-From 7cdd8027d13677185b301f849d42957e635ffa67 Mon Sep 17 00:00:00 2001
-From: StefanBruens <stefan.bruens@rwth-aachen.de>
-Date: Tue, 25 Sep 2018 21:56:36 +0200
-Subject: [PATCH 006/127] firewall/core/io/*.py: Let SAX handle the encoding of
- XML files (#395)
-
-SAX is able to determine the encoding of XML files itself if the file
-contains a correct "encoding" pseudo attribute, e.g.:
-<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
-
-For this to work, the file stream has to be opened in binary mode, and
-the parser has to read the stream using a SAX InputStream, which
-autodetects the encoding.
-
-Fixes: #303
----
- src/firewall/core/io/direct.py   | 6 ++++--
- src/firewall/core/io/helper.py   | 6 ++++--
- src/firewall/core/io/icmptype.py | 6 ++++--
- src/firewall/core/io/ipset.py    | 6 ++++--
- src/firewall/core/io/service.py  | 6 ++++--
- src/firewall/core/io/zone.py     | 6 ++++--
- 6 files changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/src/firewall/core/io/direct.py b/src/firewall/core/io/direct.py
-index 07e159da..b0c2cb52 100644
---- a/src/firewall/core/io/direct.py
-+++ b/src/firewall/core/io/direct.py
-@@ -360,9 +360,11 @@ class Direct(IO_Object):
-         handler = direct_ContentHandler(self)
-         parser = sax.make_parser()
-         parser.setContentHandler(handler)
--        with open(self.filename, "r") as f:
-+        with open(self.filename, "rb") as f:
-+            source = sax.InputSource(None)
-+            source.setByteStream(f)
-             try:
--                parser.parse(f)
-+                parser.parse(source)
-             except sax.SAXParseException as msg:
-                 raise FirewallError(errors.INVALID_TYPE,
-                                     "Not a valid file: %s" % \
-diff --git a/src/firewall/core/io/helper.py b/src/firewall/core/io/helper.py
-index 4a2420dd..a5c81b9f 100644
---- a/src/firewall/core/io/helper.py
-+++ b/src/firewall/core/io/helper.py
-@@ -156,9 +156,11 @@ def helper_reader(filename, path):
-     parser = sax.make_parser()
-     parser.setContentHandler(handler)
-     name = "%s/%s" % (path, filename)
--    with open(name, "r") as f:
-+    with open(name, "rb") as f:
-+        source = sax.InputSource(None)
-+        source.setByteStream(f)
-         try:
--            parser.parse(f)
-+            parser.parse(source)
-         except sax.SAXParseException as msg:
-             raise FirewallError(errors.INVALID_HELPER,
-                                 "not a valid helper file: %s" % \
-diff --git a/src/firewall/core/io/icmptype.py b/src/firewall/core/io/icmptype.py
-index 91b48867..32103c59 100644
---- a/src/firewall/core/io/icmptype.py
-+++ b/src/firewall/core/io/icmptype.py
-@@ -121,9 +121,11 @@ def icmptype_reader(filename, path):
-     parser = sax.make_parser()
-     parser.setContentHandler(handler)
-     name = "%s/%s" % (path, filename)
--    with open(name, "r") as f:
-+    with open(name, "rb") as f:
-+        source = sax.InputSource(None)
-+        source.setByteStream(f)
-         try:
--            parser.parse(f)
-+            parser.parse(source)
-         except sax.SAXParseException as msg:
-             raise FirewallError(errors.INVALID_ICMPTYPE,
-                                 "not a valid icmptype file: %s" % \
-diff --git a/src/firewall/core/io/ipset.py b/src/firewall/core/io/ipset.py
-index 0670677b..8cc6a1f9 100644
---- a/src/firewall/core/io/ipset.py
-+++ b/src/firewall/core/io/ipset.py
-@@ -390,9 +390,11 @@ def ipset_reader(filename, path):
-     parser = sax.make_parser()
-     parser.setContentHandler(handler)
-     name = "%s/%s" % (path, filename)
--    with open(name, "r") as f:
-+    with open(name, "rb") as f:
-+        source = sax.InputSource(None)
-+        source.setByteStream(f)
-         try:
--            parser.parse(f)
-+            parser.parse(source)
-         except sax.SAXParseException as msg:
-             raise FirewallError(errors.INVALID_IPSET,
-                                 "not a valid ipset file: %s" % \
-diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
-index c04d612e..487d5ba3 100644
---- a/src/firewall/core/io/service.py
-+++ b/src/firewall/core/io/service.py
-@@ -219,9 +219,11 @@ def service_reader(filename, path):
-     parser = sax.make_parser()
-     parser.setContentHandler(handler)
-     name = "%s/%s" % (path, filename)
--    with open(name, "r") as f:
-+    with open(name, "rb") as f:
-+        source = sax.InputSource(None)
-+        source.setByteStream(f)
-         try:
--            parser.parse(f)
-+            parser.parse(source)
-         except sax.SAXParseException as msg:
-             raise FirewallError(errors.INVALID_SERVICE,
-                                 "not a valid service file: %s" % \
-diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
-index c048c867..05368e9c 100644
---- a/src/firewall/core/io/zone.py
-+++ b/src/firewall/core/io/zone.py
-@@ -696,9 +696,11 @@ def zone_reader(filename, path, no_check_name=False):
-     parser = sax.make_parser()
-     parser.setContentHandler(handler)
-     name = "%s/%s" % (path, filename)
--    with open(name, "r") as f:
-+    with open(name, "rb") as f:
-+        source = sax.InputSource(None)
-+        source.setByteStream(f)
-         try:
--            parser.parse(f)
-+            parser.parse(source)
-         except sax.SAXParseException as msg:
-             raise FirewallError(errors.INVALID_ZONE,
-                                 "not a valid zone file: %s" % \
--- 
-2.19.1
-

firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch

@@ -1,31 +0,0 @@
-From 17adfe4137cfd1c1734ff1b77304f70e163313fa Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Tue, 9 Oct 2018 14:55:21 -0400
-Subject: [PATCH 018/127] firewalld: fix --runtime-to-permanent if NM not in
- use.
-
-Due to scope "settings" was not defined.
-
-Fixes: #404
-Fixes: e7c00a4063ff ("ifcfg: Modify ZONE= on permanent config changes")
----
- src/firewall/server/firewalld.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
-index 6810b68c..bc04f2d0 100644
---- a/src/firewall/server/firewalld.py
-+++ b/src/firewall/server/firewalld.py
-@@ -441,8 +441,8 @@ class FirewallD(slip.dbus.service.Object):
-         nm_bus_name = nm_get_bus_name()
-         for name in self.fw.zone.get_zones():
-             conf = self.getZoneSettings(name)
-+            settings = FirewallClientZoneSettings(conf)
-             if nm_bus_name is not None:
--                settings = FirewallClientZoneSettings(conf)
-                 changed = False
-                 for interface in settings.getInterfaces():
-                     if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name:
--- 
-2.19.1
-

firewalld.spec

@@ -1,42 +1,26 @@
 Name:      firewalld
-Version:   0.6.2
+Version:   0.8.3
-Release:   4
+Release:   1
 Summary:   A firewall daemon with D-Bus interface providing a dynamic firewall
 License:   GPLv2+
 URL:       http://www.firewalld.org
 Source0:   https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 #backport from gnome
-Patch0:     firewalld-0.2.6-MDNS-default.patch
+Patch0:    firewalld-0.2.6-MDNS-default.patch
 #backport from Eric Garver <e@erig.me>
-Patch1:     0001-fedora-patch-to-default-to-iptables-backend.patch
+Patch1:    0001-fedora-patch-to-default-to-iptables-backend.patch
-#Patch2,3 backport from upstream
-Patch2:     0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch
-Patch3:     0001-Fix-translating-labels-392.patch
 
-Patch6000:  firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch
+Patch2:    repair-test-cases.patch
-Patch6001:  nftables-fix-destination-checks-not-allowing-masks.patch
-Patch6002:  firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch
-Patch6003:  nftables-fix-reject-statement-in-block-zone.patch
-Patch6004:  ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch
-Patch6005:  rich-rules-fix-mark-action.patch
-Patch6006:  nftables-fix-panic-mode-not-filtering-output-packets.patch
-Patch6007:  fw_zone-fix-rich-rule-masquerading.patch
-Patch6008:  fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch
-Patch6009:  nftables-fix-rich-rule-masquerade.patch
-Patch6010:  nftables-fix-ipv6-rich-rule-forward-ports.patch
-Patch6011:  ipset-fix-set-apply-if-IndividualCalls-yes.patch
-Patch6012:  fix-issue-457.patch
-
-Patch9000:  repair-test-cases.patch
 
 
 BuildArch:     noarch
 BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl
-BuildRequires: libxslt iptables ebtables ipset nftables python3-devel
+BuildRequires: libxslt iptables ebtables ipset python3-devel
 
 
 Requires:  iptables ebtables ipset systemd hicolor-icon-theme python3-gobject NetworkManager-libnm dbus-x11 gtk3
-Requires:  nftables >= 0.9.0 kernel >= 4.18.0 python3-firewall  = %{version}-%{release}
+Requires:  python3-firewall  = %{version}-%{release}
+Suggests:  iptables-nft
 
 Obsoletes: firewalld-selinux < 0.4.4.2-2
 Conflicts: selinux-policy < 3.14.1-28
@@ -70,7 +54,7 @@ Summary: Python3 bindings for firewalld
 
 Obsoletes: python-firewall < 0.5.2-2 
 Obsoletes: python2-firewall < 0.5.2-2
-Requires: python3-dbus python3-slip-dbus python3-decorator python3-gobject-base
+Requires: python3-dbus python3-slip-dbus python3-decorator python3-gobject-base python3-nftables
 
 %description -n python3-firewall
 Python3 bindings for firewalld.
@@ -163,6 +147,7 @@ fi
 %{_bindir}/firewall-cmd
 %{_bindir}/firewall-offline-cmd
 %{_datadir}/bash-completion/completions/firewall-cmd
+%{_datadir}/zsh/site-functions/_firewalld
 %{_prefix}/lib/firewalld/*
 %attr(0750,root,root) %dir %{_sysconfdir}/firewalld/
 %config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf
@@ -176,12 +161,12 @@ fi
 %defattr(0644,root,root)
 %config(noreplace) %{_sysconfdir}/sysconfig/firewalld
 %{_unitdir}/firewalld.service
-%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
+%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf
 %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
 %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
 %ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
 %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
-
+%{_sysconfdir}/logrotate.d/firewalld
 %{_rpmconfigdir}/macros.d/macros.firewalld
 
 #we don't need applet
@@ -211,6 +196,12 @@ fi
 
 
 %changelog
+* Wed Apr 29 2020 zhouyihang <zhouyihang3@huawei.com> - 0.8.3-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:update firewalld version to 0.8.3
+
 * Wed Jan 15 2020 zhangrui <zhangrui182@huawei.com> - 0.6.2-4
 - create firewalld.conf file
 

fix-issue-457.patch

@@ -1,26 +0,0 @@
-From 7da05eff467244f0da6a4e7c1370dd6c7605e9f4 Mon Sep 17 00:00:00 2001
-From: Daniel Nicolai <dalanicolai@gmail.com>
-Date: Mon, 11 Feb 2019 12:16:31 +0100
-Subject: [PATCH 102/127] fix issue #457
-
-I found out I did not set a value for invert when adding the rich rule via firewall-cmd. Then I got the error as mentioned in issue #457 because the invert attribute was given a default value None. I corrected it here so that it gets the default value False. This fixed the issue for me.
----
- src/firewall/core/rich.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
-index 91f53fd9..dacaeb9c 100644
---- a/src/firewall/core/rich.py
-+++ b/src/firewall/core/rich.py
-@@ -394,7 +394,7 @@ class Rich_Rule(object):
-                 elif element in ['not', 'NOT']:
-                     attrs['invert'] = True
-                 else:
--                    self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert'))
-+                    self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert', False))
-                     in_elements.pop() # source
-                     attrs.clear()
-                     index = index -1 # return token to input
--- 
-2.19.1
-

fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch

@@ -1,39 +0,0 @@
-From 2210822a2450a7b9ed853593c3d88aca1c43c2fc Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Wed, 5 Dec 2018 16:29:49 -0500
-Subject: [PATCH 048/127] fw_zone: fix IPv6 rich rule forward-port without
- toaddr
-
-Using a rich rule with family=ipv6 and no toaddr specified was silently
-not applying any rules.
----
- src/firewall/core/fw_zone.py | 11 ++---------
- 1 file changed, 2 insertions(+), 9 deletions(-)
-
-diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
-index 816fa503..db90c32b 100644
---- a/src/firewall/core/fw_zone.py
-+++ b/src/firewall/core/fw_zone.py
-@@ -1702,17 +1702,10 @@ class FirewallZone(object):
-                 for ipv in ipvs:
-                     if backend.is_ipv_supported(ipv):
-                         self.check_forward_port(ipv, port, protocol, toport, toaddr)
--
--                if check_single_address("ipv6", toaddr):
--                    ipv = "ipv6"
--                else:
--                    ipv = "ipv4"
--
--                if not backend.is_ipv_supported(ipv):
--                    continue
-+                    if enable:
-+                        zone_transaction.add_post(enable_ip_forwarding, ipv)
- 
-                 if enable:
--                    zone_transaction.add_post(enable_ip_forwarding, ipv)
-                     mark_id = self._fw.new_mark()
- 
-                 filter_chain = "INPUT" if not toaddr else "FORWARD_IN"
--- 
-2.19.1
-

fw_zone-fix-rich-rule-masquerading.patch

@@ -1,27 +0,0 @@
-From 14acf26afe09ff9092bebbfc7ffe718b1758c573 Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Wed, 5 Dec 2018 13:09:28 -0500
-Subject: [PATCH 047/127] fw_zone: fix rich rule masquerading
-
-We weren't passing the rich rule to the backend so filtering on
-source/destination would not work.
----
- src/firewall/core/fw_zone.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
-index ca90f7fb..816fa503 100644
---- a/src/firewall/core/fw_zone.py
-+++ b/src/firewall/core/fw_zone.py
-@@ -1690,7 +1690,7 @@ class FirewallZone(object):
-                         if backend.is_ipv_supported(ipv):
-                             zone_transaction.add_post(enable_ip_forwarding, ipv)
- 
--                rules = backend.build_zone_masquerade_rules(enable, zone)
-+                rules = backend.build_zone_masquerade_rules(enable, zone, rule)
-                 zone_transaction.add_rules(backend, rules)
- 
-             # FORWARD PORT
--- 
-2.19.1
-

ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch

@@ -1,43 +0,0 @@
-From 93824072768f989991a11069ac75f1cd3d56ae34 Mon Sep 17 00:00:00 2001
-From: Federico Cuello <fedux@fedux.com.ar>
-Date: Sat, 20 Oct 2018 15:47:28 +0200
-Subject: [PATCH 023/127] ipXtables/nftables: Fix "object has no attribute
- '_log_denied'"
-
-This fixes nftables and ipXtables (when IndividualCalls=yes),
-as _log_denied is not an attribute of the class but a param.
----
- src/firewall/core/ipXtables.py | 3 +--
- src/firewall/core/nftables.py  | 2 +-
- 2 files changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
-index 02a518d2..11aebec6 100644
---- a/src/firewall/core/ipXtables.py
-+++ b/src/firewall/core/ipXtables.py
-@@ -492,8 +492,7 @@ class ip4tables(object):
-             if log_denied == "off":
-                 return ""
-             if log_denied in [ "unicast", "broadcast", "multicast" ]:
--                rule[i:i+1] = [ "-m", "pkttype", "--pkt-type",
--                                self._log_denied ]
-+                rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
-             else:
-                 rule.pop(i)
- 
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 3c871069..cd05b2c3 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -290,7 +290,7 @@ class nftables(object):
-             if log_denied == "off":
-                 return ""
-             if log_denied in ["unicast", "broadcast", "multicast"]:
--                rule[i:i+1] = ["pkttype", self._log_denied]
-+                rule[i:i+1] = ["pkttype", log_denied]
-             else:
-                 rule.pop(i)
- 
--- 
-2.19.1
-

ipset-fix-set-apply-if-IndividualCalls-yes.patch

@@ -1,81 +0,0 @@
-From 4157393136bbaff53e812029376b2a0a5113cedb Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Tue, 11 Dec 2018 11:32:54 -0500
-Subject: [PATCH 070/127] ipset: fix set apply if IndividualCalls=yes
-
-Fixes: rhbz 1644834
-Fixes: e6188ec98ff4 ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall")
----
- src/firewall/core/fw_ipset.py       |  2 +-
- src/tests/regression/rhbz1601610.at | 43 +++++++++++++++++++++++++++++
- 2 files changed, 44 insertions(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
-index b06a60d0..54ace39e 100644
---- a/src/firewall/core/fw_ipset.py
-+++ b/src/firewall/core/fw_ipset.py
-@@ -125,7 +125,7 @@ class FirewallIPSet(object):
-                         raise FirewallError(errors.COMMAND_FAILED, msg)
-                     else:
-                         obj.applied = True
--                        if "timeout" not in obj.options or \
-+                        if "timeout" in obj.options and \
-                            obj.options["timeout"] != "0":
-                             # no entries visible for ipsets with timeout
-                             continue
-diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at
-index 0676bb82..5ba0cee4 100644
---- a/src/tests/regression/rhbz1601610.at
-+++ b/src/tests/regression/rhbz1601610.at
-@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22])
- FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [
- ])
- 
-+dnl rhbz 1644834
-+FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16])
-+FWD_CHECK([-q --runtime-to-permanent])
-+FWD_RELOAD
-+m4_if(nftables, FIREWALL_BACKEND, [
-+NFT_LIST_SET([foobar], 0, [dnl
-+table inet firewalld {
-+set foobar {
-+type ipv4_addr
-+flags interval
-+elements = { 10.1.0.0/16, 10.2.0.0/22 }
-+}
-+}
-+])], [
-+IPSET_LIST_SET([foobar], 0, [dnl
-+Name: foobar
-+Type: hash:net
-+Members:
-+10.1.0.0/16
-+10.2.0.0/22
-+])])
-+
-+dnl rhbz 1644834, again with IndividualCalls=yes
-+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
-+FWD_RELOAD
-+m4_if(nftables, FIREWALL_BACKEND, [
-+NFT_LIST_SET([foobar], 0, [dnl
-+table inet firewalld {
-+set foobar {
-+type ipv4_addr
-+flags interval
-+elements = { 10.1.0.0/16, 10.2.0.0/22 }
-+}
-+}
-+])], [
-+IPSET_LIST_SET([foobar], 0, [dnl
-+Name: foobar
-+Type: hash:net
-+Members:
-+10.1.0.0/16
-+10.2.0.0/22
-+])])
-+
- FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl
-               -e '/ERROR: COMMAND_FAILED:.*element.*exists/d'])
--- 
-2.19.1
-

nftables-fix-destination-checks-not-allowing-masks.patch

@@ -1,63 +0,0 @@
-From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Thu, 27 Sep 2018 08:52:22 -0400
-Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks
-
-Some destination checks were using check_single_address() which make it
-impossible to use a mask. This was discovered in issue #399.
----
- src/firewall/core/nftables.py | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 811f4e71..64191d1f 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -753,7 +753,7 @@ class nftables(object):
-             return []
- 
-         rule_fragment = []
--        if check_single_address("ipv4", rich_dest.addr):
-+        if check_address("ipv4", rich_dest.addr):
-             rule_fragment += ["ip"]
-         else:
-             rule_fragment += ["ip6"]
-@@ -803,7 +803,7 @@ class nftables(object):
-         if rich_rule:
-             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
-         if destination:
--            if check_single_address("ipv4", destination):
-+            if check_address("ipv4", destination):
-                 rule_fragment += ["ip"]
-             else:
-                 rule_fragment += ["ip6"]
-@@ -835,7 +835,7 @@ class nftables(object):
-         if rich_rule:
-             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
-         if destination:
--            if check_single_address("ipv4", destination):
-+            if check_address("ipv4", destination):
-                 rule_fragment += ["ip"]
-             else:
-                 rule_fragment += ["ip6"]
-@@ -869,7 +869,7 @@ class nftables(object):
-         if rich_rule:
-             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
-         if destination:
--            if check_single_address("ipv4", destination):
-+            if check_address("ipv4", destination):
-                 rule_fragment += ["ip"]
-             else:
-                 rule_fragment += ["ip6"]
-@@ -900,7 +900,7 @@ class nftables(object):
-         rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
-                 "raw_%s_allow" % (target), proto]
-         if destination:
--            if check_single_address("ipv4", destination):
-+            if check_address("ipv4", destination):
-                 rule += ["ip"]
-             else:
-                 rule += ["ip6"]
--- 
-2.19.1
-

nftables-fix-ipv6-rich-rule-forward-ports.patch

@@ -1,29 +0,0 @@
-From 628657cdafa7ba3217fb031c748f5a7d32924c90 Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Wed, 5 Dec 2018 19:11:06 -0500
-Subject: [PATCH 050/127] nftables: fix ipv6 rich rule forward-ports
-
-The were mistakenly being added to the ipv4 nat tables as well.
-
-Fixes: #422
-Fixes: b630abd8e901 ("backend: introduce nftables support")
----
- src/firewall/core/nftables.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 00a02ad1..a1cb2c47 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -980,7 +980,7 @@ class nftables(object):
-            or toaddr and check_single_address("ipv6", toaddr)):
-             rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
-                                 protocol, mark_fragment, toaddr, toport, "ip6"))
--        if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
-+        elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
-            or toaddr and check_single_address("ipv4", toaddr)):
-             rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
-                                 protocol, mark_fragment, toaddr, toport, "ip"))
--- 
-2.19.1
-

nftables-fix-panic-mode-not-filtering-output-packets.patch

@@ -1,73 +0,0 @@
-From 2f5608b4897ff99afbb1c2425a94df035031c1a2 Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Mon, 3 Dec 2018 12:40:41 -0500
-Subject: [PATCH 043/127] nftables: fix panic mode not filtering output packets
-
-This simplifies policy in the nftables backend by filtering only on the
-prerouting and output hooks. The others hooks are unnecessary since
-we're using a higher precedence.
-
-Also fixes an issue when re-enabling panic mode multiple times. Due to
-rule de-duplication the policy drop rule was not being re-added.
-
-Fixes: rhbz 1579740
-Fixes: a0f683dfef2c ("nftables: fix policy")
----
- src/firewall/core/nftables.py | 36 +++++++++--------------------------
- 1 file changed, 9 insertions(+), 27 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 69236a96..44cd4f9e 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -314,38 +314,20 @@ class nftables(object):
-         # packets while initially starting and for panic mode. As such, using
-         # hooks with a higher priority than our base chains is sufficient.
-         #
--        table_chains = []
--        for table in list(IPTABLES_TO_NFT_HOOK.keys()):
--            for chain in IPTABLES_TO_NFT_HOOK[table]:
--                table_chains.append((table, chain))
--
-         table_name = TABLE_NAME + "_" + "policy_drop"
- 
--        def _policy_drop_helper(table, chain, family, rules):
--            _chain = "%s_%s" % (table, chain)
--            _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
--            # add hooks with priority -1, only contain drop rule
--            _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
--            _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
--                         (family, table_name, _chain, _hook, _priority)
--            rules.append(splitArgs(_add_chain))
--            rules.append(["add", "rule", family, table_name, _chain, "drop"])
--
-         rules = []
-         if policy == "DROP":
--            for family in ["inet", "ip", "ip6"]:
--                rules.append(["add", "table", family, table_name])
--
--            for table,chain in table_chains:
--                if table == "nat":
--                    # nat requires two families
--                    for family in ["ip", "ip6"]:
--                        _policy_drop_helper(table, chain, family, rules)
--                else:
--                    _policy_drop_helper(table, chain, "inet", rules)
-+            rules.append(["add", "table", "inet", table_name])
-+
-+            # To drop everything we need to use the "raw" priority. These occur
-+            # before conntrack, mangle, nat, etc
-+            for hook in ["prerouting", "output"]:
-+                _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
-+                             (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
-+                rules.append(splitArgs(_add_chain))
-         elif policy == "ACCEPT":
--            for family in ["inet", "ip", "ip6"]:
--                rules.append(["delete", "table", family, table_name])
-+            rules.append(["delete", "table", "inet", table_name])
-         else:
-             FirewallError(UNKNOWN_ERROR, "not implemented")
- 
--- 
-2.19.1
-

nftables-fix-reject-statement-in-block-zone.patch

@@ -1,43 +0,0 @@
-From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Thu, 11 Oct 2018 11:58:22 -0400
-Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone
-
-Also add test coverage.
-
-Fixes: #406
----
- src/firewall/core/nftables.py | 3 ++-
- src/tests/firewall-cmd.at     | 2 ++
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 8a305539..3c871069 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -619,7 +619,8 @@ class nftables(object):
-            target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
-            chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
-             rules.append(["add", "rule", family, "%s" % TABLE_NAME,
--                          "%s_%s" % (table, _zone), target.lower()])
-+                          "%s_%s" % (table, _zone),
-+                          target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
- 
-         return rules
- 
-diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
-index ef45110c..b7ec3816 100644
---- a/src/tests/firewall-cmd.at
-+++ b/src/tests/firewall-cmd.at
-@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
-     FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
-     FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
- ])
-+    FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
-+    FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
- 
-     FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
-     FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
--- 
-2.19.1
-

nftables-fix-rich-rule-masquerade.patch

@@ -1,38 +0,0 @@
-From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Wed, 5 Dec 2018 17:16:30 -0500
-Subject: [PATCH 049/127] nftables: fix rich rule masquerade
-
----
- src/firewall/core/nftables.py | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index 44cd4f9e..00a02ad1 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -900,7 +900,6 @@ class nftables(object):
- 
-         rule_fragment = []
-         if rich_rule:
--            rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
-             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
-             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
- 
-@@ -912,10 +911,10 @@ class nftables(object):
-         # nat tables needs to use ip/ip6 family
-         rules = []
-         if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
--           or rich_rule.source and check_address("ipv6", rich_rule.source)):
-+           or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
-             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
--        if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
--           or rich_rule.source and check_address("ipv4", rich_rule.source)):
-+        elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
-+           or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
-             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
-         else:
-             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
--- 
-2.19.1
-

repair-test-cases.patch

@@ -1,52 +1,38 @@
-From a43ae627eeb4f99bb15ed737fd58f0ec15d55dea Mon Sep 17 00:00:00 2001
+From 9904b48fdce1e28b122d8f64961d2dda81d4c546 Mon Sep 17 00:00:00 2001
-From: yanghua <yanghua21@huawei.com>
+From: sherlock2010 <15151851377@163.com>
-Date: Mon, 6 May 2019 16:28:01 +0800
+Date: Wed, 29 Jul 2020 17:29:59 +0800
-Subject: [PATCH] Repair test cases gh366 rhbz1514043 rhbz1601610
+Subject: [PATCH 3/3] third commit
 
 ---
- src/tests/functions.at              | 2 +-
  src/tests/regression/gh366.at       | 1 +
  src/tests/regression/rhbz1514043.at | 2 +-
- 3 files changed, 3 insertions(+), 2 deletions(-)
+ 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/functions.at b/src/tests/functions.at
-index d1f3429..243724f 100644
---- a/src/tests/functions.at
-+++ b/src/tests/functions.at
-@@ -244,7 +244,7 @@ m4_define([NFT_LIST_RULES], [
- m4_define([IPSET_LIST_SET], [
-     NS_CHECK([ipset list $1 | TRIM_WHITESPACE |dnl
-               grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
--              awk 'NR <= 4; NR > 4 {print | "sort"}'],
-+              awk 'NR <= 3; NR > 3 {print | "sort"}'],
-              [$2], [$3], [$4], [$5], [$6])
- ])
 
 diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
-index dd6963f..46307cf 100644
+index 1441a6b..be33ed7 100644
 --- a/src/tests/regression/gh366.at
 +++ b/src/tests/regression/gh366.at
 @@ -22,6 +22,7 @@ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
  ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
- ])])])
+ ])])
  
 +FWD_CHECK([-q --zone=public --remove-service=mdns])
  FWD_CHECK([-q --zone=public --add-service=mdns])
  check_firewall_backend_output
  FWD_CHECK([-q --zone=public --remove-service=mdns])
 diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
-index 4831460..077c007 100644
+index efc33e0..694a198 100644
 --- a/src/tests/regression/rhbz1514043.at
 +++ b/src/tests/regression/rhbz1514043.at
-@@ -3,7 +3,7 @@ FWD_CHECK([-q --set-log-denied=all])
+@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all])
  FWD_CHECK([-q --permanent --zone=public --add-service=samba])
  FWD_RELOAD
  FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
--services: ssh dhcpv6-client samba
+-services: dhcpv6-client samba ssh
 +services: ssh mdns dhcpv6-client samba
  ])
- dnl check that log denied actually took effect
+ 
- m4_if(iptables, FIREWALL_BACKEND, [
+ dnl check that log denied actually took effect
--- 
+-- 
-2.19.1
+1.8.3.1
 

rich-rules-fix-mark-action.patch

@@ -1,65 +0,0 @@
-From 5d36e0f55887c6204e07bd8095ead1ce2d535ddb Mon Sep 17 00:00:00 2001
-From: Eric Garver <e@erig.me>
-Date: Fri, 2 Nov 2018 14:10:38 -0400
-Subject: [PATCH 025/127] rich rules: fix mark action
-
-They were being placed in the wrong (and nonexistent) chain. Also add
-test coverage for the "mark" action.
-
-Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
-Tested-by: Felix Kaechele <heffer@fedoraproject.org>
----
- src/firewall/core/ipXtables.py | 4 ++--
- src/firewall/core/nftables.py  | 4 ++--
- src/tests/firewall-cmd.at      | 1 +
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
-index 11aebec6..b98ba522 100644
---- a/src/firewall/core/ipXtables.py
-+++ b/src/firewall/core/ipXtables.py
-@@ -807,10 +807,10 @@ class ip4tables(object):
-             chain = "%s_deny" % target
-             rule_action = [ "-j", "DROP" ]
-         elif type(rich_rule.action) == Rich_Mark:
--            chain = "%s_allow" % target
--            table = "mangle"
-             target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
-                                                 zone=zone)
-+            table = "mangle"
-+            chain = "%s_allow" % target
-             rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
-         else:
-             raise FirewallError(INVALID_RULE,
-diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
-index cd05b2c3..69236a96 100644
---- a/src/firewall/core/nftables.py
-+++ b/src/firewall/core/nftables.py
-@@ -723,10 +723,10 @@ class nftables(object):
-             chain = "%s_%s_deny" % (table, target)
-             rule_action = ["drop"]
-         elif type(rich_rule.action) == Rich_Mark:
--            table = "mangle"
--            chain = "%s_%s_allow" % (table, target)
-             target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
-                                                 zone=zone)
-+            table = "mangle"
-+            chain = "%s_%s_allow" % (table, target)
-             rule_action = ["meta", "mark", "set", rich_rule.action.set]
-         else:
-             raise FirewallError(INVALID_RULE,
-diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
-index b7ec3816..f31c8955 100644
---- a/src/tests/firewall-cmd.at
-+++ b/src/tests/firewall-cmd.at
-@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
-     rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
-     rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
-     rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
-+    rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
- FWD_END_TEST
- FWD_START_TEST([rich rules audit])
- 	CHECK_LOG_AUDIT
--- 
-2.19.1
-