[packages/firewalld] new, version
glen at pld-linux.org
Mon Jan 4 15:04:07 CET 2016
commit f4a37e4d84b48ee59c46d6f78968752268e94d6c
Author: Elan Ruusamäe <glen at delfi.ee>
Date: Mon Jan 4 16:03:17 2016 +0200
new, version
based on fedora package, 01f44ea
FedoraServer.xml | 8 +
FedoraWorkstation.xml | 10 +
MDNS-default.patch | 40 ++++
firewalld.spec | 442 +++++++++++++++++++++++++++++++++++++++++++++
pid_file_RHBZ1233232.patch | 58 ++++++
5 files changed, 558 insertions(+)
diff --git a/firewalld.spec b/firewalld.spec
new file mode 100644
index 0000000..6462714
--- /dev/null
+++ b/firewalld.spec
@@ -0,0 +1,442 @@
+# Conditional build:
+%bcond_with python3 # CPython 3.x package
+Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
+Name: firewalld
+Release: 0.1
+License: GPL v2+
+Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2
+# Source0-md5: 5984690845a7be38dff3cedff273b73a
+Source1: FedoraServer.xml
+Group: Networking/Admin
+Source2: FedoraWorkstation.xml
+Patch0: MDNS-default.patch
+Patch1: pid_file_RHBZ1233232.patch
+URL: http://www.firewalld.org/
+BuildRequires: desktop-file-utils
+BuildRequires: docbook-style-xsl
+BuildRequires: gettext
+BuildRequires: glib2
+# glib2-devel is needed for gsettings.m4
+BuildRequires: glib2-devel
+BuildRequires: intltool
+BuildRequires: python-devel
+BuildRequires: rpm-pythonprov
+BuildRequires: rpmbuild(macros) >= 1.713
+BuildRequires: systemd-units
+%if %{with python3}
+BuildRequires: python3-devel
+Requires: ebtables
+Requires: iptables
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires: firewalld-config
+Requires: firewalld-filesystem = %{version}-%{release}
+Requires: python-firewall = %{version}-%{release}
+Obsoletes: firewalld-config-cloud <= 0.3.15
+Obsoletes: firewalld-config-server <= 0.3.15
+Obsoletes: firewalld-config-standard <= 0.3.15
+Obsoletes: firewalld-config-workstation <= 0.3.15
+BuildArch: noarch
+BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+firewalld is a firewall service daemon that provides a dynamic
+customizable firewall with a D-Bus interface.
+%package -n python-firewall
+Summary: Python2 bindings for firewalld
+Group: Libraries/Python
+Requires: pygobject3-base
+Requires: python-dbus
+Requires: python-decorator
+Requires: python-slip-dbus
+Provides: python2-firewall
+Obsoletes: python2-firewall
+%description -n python-firewall
+Python2 bindings for firewalld.
+%package -n python3-firewall
+Summary: Python3 bindings for firewalld
+Group: Libraries/Python
+Requires: python3-dbus
+Requires: python3-decorator
+Requires: python3-gobject
+Requires: python3-slip-dbus
+%description -n python3-firewall
+Python3 bindings for firewalld.
+%package -n firewalld-filesystem
+Summary: Firewalld directory layout and rpm macros
+Group: Base
+%description -n firewalld-filesystem
+This package provides directories and rpm macros which are required by
+other packages that add firewalld configuration files.
+%package -n firewall-applet
+Summary: Firewall panel applet
+Group: X11/Applications
+Requires: %{name} = %{version}-%{release}
+Requires: NetworkManager-glib
+Requires: PyQt4
+Requires: firewall-config = %{version}-%{release}
+Requires: hicolor-icon-theme
+Requires: libnotify
+Requires: pygobject3-base
+%description -n firewall-applet
+The firewall panel applet provides a status information of firewalld
+and also the firewall settings.
+%package -n firewall-config
+Summary: Firewall configuration application
+Group: Base
+Requires: %{name} = %{version}-%{release}
+Requires: NetworkManager-glib
+Requires: gtk+3
+Requires: hicolor-icon-theme
+Requires: pygobject3-base
+%description -n firewall-config
+The firewall configuration application provides an configuration
+interface for firewalld.
+%package config-standard
+Summary: Firewalld standard configuration settings
+Group: Base
+Requires: firewalld = %{version}-%{release}
+Provides: firewalld-config
+Conflicts: firewalld-config-server
+Conflicts: firewalld-config-workstation
+Conflicts: system-release-server
+Conflicts: system-release-workstation
+%description config-standard
+Standard product firewalld configuration settings.
+%package config-server
+Summary: Firewalld server configuration settings
+Group: Base
+Requires: firewalld = %{version}-%{release}
+Requires: system-release-server
+Provides: firewalld-config
+Conflicts: firewalld-config-standard
+Conflicts: firewalld-config-workstation
+%description config-server
+Server product specific firewalld configuration settings.
+%package config-workstation
+Summary: Firewalld workstation configuration settings
+Group: Base
+Requires: firewalld = %{version}-%{release}
+Requires: system-release-workstation
+Provides: firewalld-config
+Conflicts: firewalld-config-server
+Conflicts: firewalld-config-standard
+%description config-workstation
+Workstation product specific firewalld configuration settings.
+%setup -q
+%patch0 -p1
+%patch1 -p1
+%if %{with python3}
+rm -rf py3
+cp -a . py3
+%configure \
+ --enable-sysconfig \
+ --enable-rpmmacros \
+ PYTHON=%{__python}
+%if %{with python3}
+cd py3
+ %configure \
+ --enable-sysconfig \
+ --enable-rpmmacros \
+ PYTHON=%{__python3}
+%{__make} install \
+ PYTHON=%{__python} \
+%if %{with python3}
+cd py3
+%{__make} -C src \
+ install-nobase_dist_pythonDATA \
+ PYTHON=%{__python3} \
+%find_lang %{name} --all-name
+desktop-file-install --delete-original \
+ --dir $RPM_BUILD_ROOT%{_sysconfdir}/xdg/autostart \
+ $RPM_BUILD_ROOT%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
+desktop-file-install --delete-original \
+ --dir $RPM_BUILD_ROOT%{_desktopdir} \
+ $RPM_BUILD_ROOT%{_desktopdir}/firewall-config.desktop
+install -d $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/zones/
+install -c %{SOURCE1} $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/zones/FedoraServer.xml
+install -c %{SOURCE2} $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/zones/FedoraWorkstation.xml
+# standard firewalld.conf
+mv $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld.conf \
+ $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld-standard.conf
+# server firewalld.conf
+cp -a $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld-standard.conf \
+ $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld-server.conf
+sed -i 's|^DefaultZone=.*|DefaultZone=FedoraServer|g' \
+ $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld-server.conf
+# workstation firewalld.conf
+cp -a $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld-standard.conf \
+ $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld-workstation.conf
+sed -i 's|^DefaultZone=.*|DefaultZone=FedoraWorkstation|g' \
+ $RPM_BUILD_ROOT%{_sysconfdir}/firewalld/firewalld-workstation.conf
+rm -f $RPM_BUILD_ROOT%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+%systemd_post firewalld.service
+%systemd_preun firewalld.service
+%systemd_postun_with_restart firewalld.service
+# If we don't yet have a symlink or existing file for firewalld.conf,
+# create it. Note: this will intentionally reset the policykit policy
+# at the same time, so they are in sync.
+# Import %{_sysconfdir}/os-release to get the variant definition
+. %{_sysconfdir}/os-release || :
+if [ ! -e %{_sysconfdir}/firewalld/firewalld.conf ]; then
+ case "$VARIANT_ID" in
+ server)
+ ln -sf firewalld-server.conf %{_sysconfdir}/firewalld/firewalld.conf || :
+ ;;
+ workstation)
+ ln -sf firewalld-workstation.conf %{_sysconfdir}/firewalld/firewalld.conf || :
+ ;;
+ *)
+ ln -sf firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf
+ ;;
+ esac
+if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; then
+ case "$VARIANT_ID" in
+ workstation)
+ ln -sf org.fedoraproject.FirewallD1.desktop.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+ ;;
+ *)
+ # For all other editions, we'll use the Server polkit policy
+ ln -sf org.fedoraproject.FirewallD1.server.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+ esac
+%post -n firewall-applet
+%update_icon_cache hicolor
+%postun -n firewall-applet
+%update_icon_cache hicolor
+%posttrans -n firewall-applet
+%update_icon_cache hicolor
+%post -n firewall-config
+%update_icon_cache hicolor
+%postun -n firewall-config
+%update_icon_cache hicolor
+%posttrans -n firewall-config
+%update_icon_cache hicolor
+%post config-standard
+if [ $1 -eq 1 ]; then # Initial installation
+ # link standard config
+ rm -f %{_sysconfdir}/firewalld/firewalld.conf
+ ln -sf firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf || :
+%triggerin config-standard -- firewalld
+if [ $1 -eq 1 ]; then
+ # link server policy
+ rm -f %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+ ln -sf org.fedoraproject.FirewallD1.server.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+%post config-server
+if [ $1 -eq 1 ]; then # Initial installation
+ # link server config
+ rm -f %{_sysconfdir}/firewalld/firewalld.conf
+ ln -sf firewalld-server.conf %{_sysconfdir}/firewalld/firewalld.conf || :
+%triggerin config-server -- firewalld
+if [ $1 -eq 1 ]; then
+ # link server policy
+ rm -f %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+ ln -sf org.fedoraproject.FirewallD1.server.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+%post config-workstation
+if [ $1 -eq 1 ]; then # Initial installation
+ # link workstation config
+ rm -f %{_sysconfdir}/firewalld/firewalld.conf
+ ln -sf firewalld-workstation.conf %{_sysconfdir}/firewalld/firewalld.conf || :
+%triggerin config-workstation -- firewalld
+if [ $1 -eq 1 ]; then
+ # link desktop policy
+ rm -f %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+ ln -sf org.fedoraproject.FirewallD1.desktop.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+%files -f %{name}.lang
+%doc README
+%attr(755,root,root) %{_sbindir}/firewalld
+%attr(755,root,root) %{_bindir}/firewall-cmd
+%attr(755,root,root) %{_bindir}/firewall-offline-cmd
+%dir %{bash_compdir}
+%dir %attr(750,root,root) %dir %{_sysconfdir}/firewalld
+#%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+#%config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf
+#%config(noreplace) %{_sysconfdir}/firewalld/firewalld-server.conf
+#%config(noreplace) %{_sysconfdir}/firewalld/firewalld-workstation.conf
+%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
+%attr(750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
+%attr(750,root,root) %dir %{_sysconfdir}/firewalld/services
+%attr(750,root,root) %dir %{_sysconfdir}/firewalld/zones
+%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/firewalld
+%config(noreplace) /etc/dbus-1/system.d/FirewallD.conf
+#%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+%files -n python-firewall
+%dir %{py_sitescriptdir}/firewall
+%dir %{py_sitescriptdir}/firewall/config
+%dir %{py_sitescriptdir}/firewall/core
+%dir %{py_sitescriptdir}/firewall/core/io
+%dir %{py_sitescriptdir}/firewall/server
+%if %{with python3}
+%files -n python3-firewall
+%dir %{py3_sitescriptdir}/firewall
+%dir %{py3_sitescriptdir}/firewall/__pycache__
+%dir %{py3_sitescriptdir}/firewall/config
+%dir %{py3_sitescriptdir}/firewall/config/__pycache__
+%dir %{py3_sitescriptdir}/firewall/core
+%dir %{py3_sitescriptdir}/firewall/core/__pycache__
+%dir %{py3_sitescriptdir}/firewall/core/io
+%dir %{py3_sitescriptdir}/firewall/core/io/__pycache__
+%dir %{py3_sitescriptdir}/firewall/server
+%dir %{py3_sitescriptdir}/firewall/server/__pycache__
+%files -n firewalld-filesystem
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/icmptypes
+%dir %{_prefix}/lib/firewalld/services
+%dir %{_prefix}/lib/firewalld/zones
+%dir %{_prefix}/lib/firewalld/xmlschema
+%files -n firewall-applet
+%attr(755,root,root) %{_bindir}/firewall-applet
+%files -n firewall-config
+%attr(755,root,root) %{_bindir}/firewall-config
+%files config-standard
+%config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf
+#%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+#%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+%files config-server
+%config(noreplace) %{_sysconfdir}/firewalld/firewalld-server.conf
+#%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+#%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
+%files config-workstation
+%config(noreplace) %{_sysconfdir}/firewalld/firewalld-workstation.conf
+#%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
+#%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
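Review bot: The `firewalld.conf` and `org.fedoraproject.FirewallD1.policy` symlinks are created only by scriptlets, and every matching `%ghost` entry in the `%files` lists is commented out, so the files that select the default zone and the polkit policy belong to no package. `rpm -qf` cannot attribute them and they are left behind on erase. Almost every `ln -sf` also ends in `|| :`, so a failed link is silent. I would re-enable `%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf` and `%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy` in the packages that create them. If they were disabled because the build rejected them, a comment next to the commented-out lines should say so.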
diff --git a/FedoraServer.xml b/FedoraServer.xml
new file mode 100644
index 0000000..617e131
--- /dev/null
+++ b/FedoraServer.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+ <short>Public</short>
+ <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+ <service name="ssh"/>
+ <service name="dhcpv6-client"/>
+ <service name="cockpit"/>
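Review bot: `<service name="cockpit"/>` opens a web administration console by default, in a zone whose `<short>` and `<description>` are copied from the public zone and describe untrusted networks where only selected connections are accepted. The text should name what is actually allowed, for example `<short>Fedora Server</short>` with a description listing ssh, dhcpv6-client and cockpit. Whether a `cockpit` service definition is installed alongside this zone is not visible here; if it is not, the zone references an unknown service, which is worth checking before it becomes the server `DefaultZone`.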
diff --git a/FedoraWorkstation.xml b/FedoraWorkstation.xml
new file mode 100644
index 0000000..d29d550
--- /dev/null
+++ b/FedoraWorkstation.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+ <short>Fedora Workstation</short>
+ <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+ <service name="dhcpv6-client"/>
+ <service name="ssh"/>
+ <service name="samba-client"/>
+ <port protocol="udp" port="1025-65535"/>
+ <port protocol="tcp" port="1025-65535"/>
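Review bot: The two `<port>` entries accept unsolicited inbound TCP and UDP on 1025-65535 from any source, so every service bound to a high port (development servers, databases, RPC listeners) is reachable on whatever network the machine joins. The spec in this commit rewrites `DefaultZone=FedoraWorkstation` into firewalld-workstation.conf, so the zone would apply to every interface not assigned elsewhere. I would drop `<port protocol="udp" port="1025-65535"/>` and `<port protocol="tcp" port="1025-65535"/>` and list the services actually needed, or at least say in the `%description config-workstation` text that high ports are open.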
diff --git a/MDNS-default.patch b/MDNS-default.patch
new file mode 100644
index 0000000..0316962
--- /dev/null
+++ b/MDNS-default.patch
@@ -0,0 +1,40 @@
+From 0e9306e9df41142503b4efc90032043183a3cb7b Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw at gnome.org>
+Date: Mon, 6 Aug 2012 10:01:09 +0200
+Subject: [PATCH] Make MDNS work in all but the most restrictive zones
+ * MDNS is a discovery protocol, and much like DNS or DHCP should
+ be available for the network to function as expected.
+ * Avahi (the main MDNS) implementation has taken steps to make sure
+ no private information is published by default.
+ * See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
+ config/zones/public.xml | 1 +
+ config/zones/work.xml | 1 +
+ 2 files changed, 2 insertions(+)
+diff --git a/config/zones/public.xml b/config/zones/public.xml
+index 929ad72..a56e95c 100644
+--- a/config/zones/public.xml
++++ b/config/zones/public.xml
+@@ -3,5 +3,6 @@
+ <short>Public</short>
+ <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+ <service name="ssh"/>
++ <service name="mdns"/>
+ <service name="dhcpv6-client"/>
+ </zone>
+diff --git a/config/zones/work.xml b/config/zones/work.xml
+index 7e750fc..77f13c8 100644
+--- a/config/zones/work.xml
++++ b/config/zones/work.xml
+@@ -3,5 +3,6 @@
+ <short>Work</short>
+ <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+ <service name="ssh"/>
++ <service name="mdns"/>
+ <service name="dhcpv6-client"/>
+ </zone>
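Review bot: Adding `<service name="mdns"/>` to public.xml widens a zone whose own description says the other computers on the network are not trusted, and nothing in the package records that this differs from the upstream zone files. FedoraServer.xml in this same commit reuses the public zone's short name and description but does not list mdns, so two zones labelled "Public" would accept different traffic. I would add a comment above `Patch0:` in firewalld.spec, such as `# opens mdns in the public and work zones (downstream default, not upstream)`, so that an administrator reading the spec can see the deviation.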
diff --git a/pid_file_RHBZ1233232.patch b/pid_file_RHBZ1233232.patch
new file mode 100644
index 0000000..f785bc7
--- /dev/null
+++ b/pid_file_RHBZ1233232.patch
@@ -0,0 +1,58 @@
+commit 3a1f22c95bb5723456533de5aa821143682b8e3d
+Author: Thomas Woerner <twoerner at redhat.com>
+Date: Thu Jun 18 16:55:40 2015 +0200
+ firewalld: Fixed 'pid_file' referenced before assignment (RHBZ#1233232)
+diff --git a/src/firewalld b/src/firewalld
+index 2db71a8..bd81316 100755
+--- a/src/firewalld
++++ b/src/firewalld
+@@ -82,6 +82,7 @@ def setup_logging(args):
+ log.addDebugLogging("*", log.stdout)
+ def startup(args):
++ pid_file = "/var/run/firewalld.pid"
+ try:
+ if not args.nofork:
+ # do the UNIX double-fork magic, see Stevens' "Advanced
+@@ -119,7 +120,6 @@ def startup(args):
+ if not args.nopid:
+ # write the pid file
+- pid_file = "/var/run/firewalld.pid"
+ with open(pid_file, "w") as f:
+ f.write(str(os.getpid()))
+@@ -128,27 +128,27 @@ def startup(args):
+ server.run_server(args.debug_gc)
+ # Clean up on exit
+- if os.path.exists(pid_file) and not args.nopid:
++ if not args.nopid and os.path.exists(pid_file):
+ os.remove(pid_file)
+ except OSError as e:
+ log.fatal(_("Fork #1 failed: %d (%s)") % (e.errno, e.strerror))
+ log.error(traceback.format_exc())
+- if os.path.exists(pid_file) and not args.nopid:
++ if not args.nopid and os.path.exists(pid_file):
+ os.remove(pid_file)
+ sys.exit(1)
+ except dbus.exceptions.DBusException as e:
+ log.fatal(str(e))
+ log.error(traceback.format_exc())
+- if os.path.exists(pid_file) and not args.nopid:
++ if not args.nopid and os.path.exists(pid_file):
+ os.remove(pid_file)
+ sys.exit(1)
+ except IOError as e:
+ log.fatal(str(e))
+ log.error(traceback.format_exc())
+- if os.path.exists(pid_file) and not args.nopid:
++ if not args.nopid and os.path.exists(pid_file):
+ os.remove(pid_file)
+ sys.exit(1)
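Review bot: The `except OSError` handler still reports every OSError as "Fork #1 failed", and it comes before `except IOError`. On Python 3, where IOError is an alias of OSError, a failure to write the pid file would therefore be logged as a fork failure and the IOError branch would never run; the spec in this commit has a python3 build option, so that path can be built. A neutral message would avoid the mislabel, for example `log.fatal(_("Startup failed: %d (%s)") % (e.errno, e.strerror))`; alternatively the fork calls could get their own try block. The cleanup `if not args.nopid and os.path.exists(pid_file): os.remove(pid_file)` is now repeated four times and would read better as one small helper. The body of startup() extends beyond the lines shown.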
---- gitweb: