openEuler:Mainline
firewalld
We truncated the diff of some files because they were too big.
Changes of Revision 2
_service:tar_scm:firewalld.spec
Changed
@@ -1,14 +1,15 @@ Name: firewalld -Version: 1.0.2 -Release: 3 +Version: 1.2.1 +Release: 2 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall License: GPLv2+ URL: http://www.firewalld.org Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/%{name}-%{version}.tar.gz -#backport from gnome + Patch0: firewalld-0.2.6-MDNS-default.patch Patch1: repair-test-cases.patch Patch2: add-Restart-on-failure-on-firewalld.service.patch +Patch3: 0001-fix-config-Specify-the-translation-encoding-format-a.patch BuildArch: noarch BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl @@ -147,7 +148,7 @@ %files -f %{name}.lang -%doc COPYING README +%doc COPYING README.md %{_sbindir}/firewalld %if %{?openEuler:1}0 %{_bindir}/firewall-config @@ -219,7 +220,7 @@ %files -n firewalld-test %dir %{_datadir}/firewalld/testsuite -%{_datadir}/firewalld/testsuite/README +%{_datadir}/firewalld/testsuite/README.md %{_datadir}/firewalld/testsuite/testsuite %dir %{_datadir}/firewalld/testsuite/integration %{_datadir}/firewalld/testsuite/integration/testsuite @@ -230,6 +231,28 @@ %{_datadir}/firewalld/testsuite/python/firewalld_test.py %changelog +* Tue Nov 15 2022 luoqing <luoqing@kylinsec.com.cn> - 1.2.1-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:specify the translation encoding format as UTF-8 + +* Mon Nov 14 2022 yanglu <yanglu72@h-partners.com> - 1.2.1-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update firewalld version to 1.2.1 + +* Thu Sep 01 2022 xinghe <xinghe2@h-partnres.com> - 1.0.2-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix zone combined forward must not default to True + fix fw icmptype don't alter ipvs in io_object + fix check config use the dictionary variants + fix functions check config fails if direct.xml exists + fix service adding includes + * Thu Jun 30 2022 gaihuiying <eaglegai@163.com> - 1.0.2-3 - Type:bugfix - ID:NA
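Review bot: Patch3 is added to the patch list, but nothing in these hunks shows it being applied; unless the %prep section uses %autosetup (not visible here), a matching %patch3 -p1 line is needed or the new patch is silently never applied. The bump from 1.0.2 to 1.2.1 also keeps Patch0 through Patch2 unchanged, so each should be confirmed to still apply cleanly against the 1.2.1 tree. Minor: the new 1.0.2-4 changelog entry gives the address as `xinghe2@h-partnres.com`, which looks like a typo for `h-partners.com`, the domain used in the 1.2.1-1 entry.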
_service:tar_scm:0001-fix-config-Specify-the-translation-encoding-format-a.patch
Added
@@ -0,0 +1,51 @@ +From 8e018f450b57f7ab1c0eec258d81816f75cd97de Mon Sep 17 00:00:00 2001 +From: luoqing <luoqing@kylinsec.com.cn> +Date: Mon, 14 Nov 2022 16:21:25 +0800 +Subject: PATCH fix(config):Specify the translation encoding format as UTF-8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +- 指定翻译编码格式为UTF-8 +--- + src/firewall/config/__init__.py | 2 ++ + src/firewall/config/__init__.py.in | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/src/firewall/config/__init__.py b/src/firewall/config/__init__.py +index 1dc34d5..cf6b63c 100644 +--- a/src/firewall/config/__init__.py ++++ b/src/firewall/config/__init__.py +@@ -22,10 +22,12 @@ + import locale + try: + locale.setlocale(locale.LC_ALL, "") ++ locale.bind_textdomain_codeset("firewalld","UTF-8") + except locale.Error: + import os + os.environ'LC_ALL' = 'C' + locale.setlocale(locale.LC_ALL, "") ++ locale.bind_textdomain_codeset("firewalld","UTF-8") + + DOMAIN = 'firewalld' + import gettext +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 6322334..0b5804f 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -22,10 +22,12 @@ + import locale + try: + locale.setlocale(locale.LC_ALL, "") ++ locale.bind_textdomain_codeset("firewalld","UTF-8") + except locale.Error: + import os + os.environ'LC_ALL' = 'C' + locale.setlocale(locale.LC_ALL, "") ++ locale.bind_textdomain_codeset("firewalld","UTF-8") + + DOMAIN = 'firewalld' + import gettext +-- +2.33.0 +
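Review bot: the same `locale.bind_textdomain_codeset("firewalld","UTF-8")` call is added twice, once in the try body and once in the `except locale.Error` handler; hoisting a single call to after the try/except would remove the duplication and let it use the `DOMAIN = 'firewalld'` constant defined two lines below instead of a second hard-coded domain string. Note also that `locale.bind_textdomain_codeset` is only defined when the interpreter was built with libintl support, and an `AttributeError` from a build without it is not caught by `except locale.Error`, so a `hasattr(locale, "bind_textdomain_codeset")` guard is advisable if the package may be built against such a Python. Finally, the Python-level `gettext` module imported right after this block decodes .mo catalogs itself and does not consult this setting, so the change only affects C-level libintl consumers (for instance GtkBuilder-translated UI files); the commit body, currently Chinese-only, should name the consumer that showed garbled text so the intent is clear to later maintainers.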
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/firewalld.git</param> - <param name="revision">d4b9099e9862ae528505553a25ac64476fe8a59f</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
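Review bot: changing `<param name="revision">` from the pinned commit d4b9099e9862ae528505553a25ac64476fe8a59f to `master` makes the source fetch non-reproducible: tar_scm will check out whatever `master` points to at build time, so the same revision of this package can yield different tarballs on different days, and any commit pushed to that branch flows into the build without a corresponding review here. Prefer keeping a full commit hash (or a signed tag) in this field and bumping it deliberately with each update.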
_service:tar_scm:firewalld-1.0.2.tar.gz/README
Deleted
@@ -1,167 +0,0 @@ -README for firewalld -==================== - -firewalld provides a dynamically managed firewall with support for network or -firewall zones to define the trust level of network connections or interfaces. -It has support for IPv4, IPv6 firewall settings and for ethernet bridges and a -separation of runtime and permanent configuration options. It also provides an -interface for services or applications to add ip*tables and ebtables rules -directly. - - -Development ------------ -To check out the source repository, you can use: - - git clone https://github.com/firewalld/firewalld.git - -This will create a local copy of the repository. - -Language Translations ---------------------- -Firewalld uses GNU gettext for localization support. Translations can be done -using Fedora's Weblate instance 1. Translations are periodically merged into -the main firewalld repository. - -1 https://translate.stg.fedoraproject.org/projects/firewalld/ - -Dependencies ------------- -These are the runtime dependencies: - - linux >= 5.3 - python3-dbus - python3-gobject - python3-nftables >= 0.9.4 - -Note: python2 is _not_ supported. - -Optional Dependencies ---------------------- -These dependencies may enhance firewalld's functionality, but they are not -required. - - ebtables - ipset - iptables - polkit - python3-capng (libcap-ng-python3) - -Working With The Source Repository ----------------------------------- -In addition to the runtime dependencies some others are needed to build from -source: - - desktop-file-utils: /usr/bin/desktop-file-install - gettext - intltool - glib2: /usr/bin/glib-compile-schemas - glib2-devel: /usr/share/aclocal/gsettings.m4 - systemd-units - -To be able to create man pages and documentation from docbook files: - - docbook-style-xsl - libxslt - -Use the usual autoconf/automake incantation to generate makefiles - - ./autogen.sh - ./configure - -You can use a specific python interpreter by passing the PYTHON variable. 
This -is also used by the testsuite. - - ./configure PYTHON=/path/to/python3 - -Use - - make - -to create the documentation and to update the po files. - -Use - - make check - -to run the testsuite. Tests are run inside network namespaces and do not -interfere with the host's running firewalld. They can also be run in parallel -by passing flags to autotest. - - make check TESTSUITEFLAGS="-j4" - -The testsuite also uses keywords to allow running a subset of tests that -exercise a specific area. -For example: - - make check TESTSUITEFLAGS="-k rich -j4" - 24: rich rules audit ok - 25: rich rules priority ok - 26: rich rules bad ok - 53: rich rules audit ok - 23: rich rules good ok - 55: rich rules bad ok - 74: remove forward-port after reload ok - -You can get a list of tests and keywords - - make -C src/tests check TESTSUITEFLAGS="-l" - -Or just the keywords - - make -C src/tests check TESTSUITEFLAGS="-l" \ - |awk '/^:space:*:digit:+/{getline; print $0}' \ - |tr ' ' '\n' |sort |uniq - -There are integration tests. Currently this includes NetworkManager. These may -be _destructive_ to the host. Run them in a disposable VM or container. - - make check-integration - -There is also a check-container target that will run the testsuite inside -various podman/docker containers. This is useful for coverage of multiple -distributions. It also runs tests that may be destructive to the host such as -integration tests. - - make check-container TESTSUITEFLAGS="-j4" - -RPM package ------------ - -For Fedora and RHEL based distributions, there is a spec file in the source -repo named firewalld.spec. This should be usable for Fedora versions >= 16 and -RHEL >= 7. 
- - -Links ------ -Homepage: http://firewalld.org -Report a bug: https://github.com/firewalld/firewalld/issues -Git repo browser: https://github.com/firewalld/firewalld -Git repo: https://github.com/firewalld/firewalld.git -Documentation: http://firewalld.org/documentation/ - - -Mailing lists -------------- -For usage: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org/ -For development: https://lists.fedorahosted.org/archives/list/firewalld-devel@lists.fedorahosted.org/ - - -Directory Structure -------------------- -config/ Configuration files -config/icmptypes/ Predefined ICMP types -config/services/ Predefined services -config/zones/ Predefined zones -config/ipsets/ Predefined ipsets -doc/ Documentation -doc/man/ Base directory for man pages -doc/man/man1/ Man(1) pages -doc/man/man5/ Man(5) pages -po/ Translations -shell-completion/ Base directory for auto completion scripts -src/ Source tree -src/firewall/ Import tree for the sevice and all applications -src/icons/ Icons in the sizes: 16, 22, 24, 32, 48 and scalable -src/tests/ Testsuite
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/README
Deleted
@@ -1,36 +0,0 @@ -# firewalld testsuite - -This is the firewalld testsuite. It consists of standalone autotest scripts -that can be run from any location. - -# Example usage -The tests can be run from any location. They generate output in the current -directory so it's suggested to run them from `/tmp`. Tests must be run as root. - -## Standard tests -The standard testsuite is run inside temporary network namespaces. As such -they're non-destructive to the host and may be run while firewalld is running -on the host. - -To run the tests serially: - - # cd /tmp - # /usr/share/firewalld/testsuite/testsuite - -To run the tests in parallel: - - # /usr/share/firewalld/testsuite/testsuite -j4 - -To run a test for a specific bug use a keyword: - - # /usr/share/firewalld/testsuite/testsuite -k rhbz1404076 - # /usr/share/firewalld/testsuite/testsuite -k gh366 - -## Integration tests -The integration tests are destructive and require that at least firewalld and -NetworkManager are _not_ running on the host. - -These tests _must_ be run serially: - - # cd /tmp - # /usr/share/firewalld/testsuite/integration/testsuite
_service:tar_scm:firewalld-1.2.1.tar.gz/CODE_OF_CONDUCT.md
Added
@@ -0,0 +1,131 @@ +# FirewallD - Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or advances of + any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email address, + without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leader responsible for enforcement at +eric@garver.life. All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. 
Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. + +## Attribution + +This Code of Conduct is adapted from the Contributor Covenanthomepage, +version 2.1, available at +https://www.contributor-covenant.org/version/2/1/code_of_conduct.htmlv2.1. + +Community Impact Guidelines were inspired by +Mozilla's code of conduct enforcement ladderMozilla CoC. + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faqFAQ. Translations are available at +https://www.contributor-covenant.org/translationstranslations. + +homepage: https://www.contributor-covenant.org +v2.1: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +Mozilla CoC: https://github.com/mozilla/diversity +FAQ: https://www.contributor-covenant.org/faq +translations: https://www.contributor-covenant.org/translations
_service:tar_scm:firewalld-1.0.2.tar.gz/Makefile.am -> _service:tar_scm:firewalld-1.2.1.tar.gz/Makefile.am
Changed
@@ -2,8 +2,9 @@ DIST_TARGETS = dist-gzip EXTRA_DIST = \ + CODE_OF_CONDUCT.md \ COPYING \ - README \ + README.md \ autogen.sh \ ${PACKAGE_NAME}.spec @@ -43,6 +44,16 @@ dist: clean-docs update-docs +dist-container: + $(PODMAN) build --squash-all -t firewalld -f $(abs_top_srcdir)/Dockerfile $(abs_top_srcdir) + $(PODMAN) tag firewalld firewalld:$(PACKAGE_VERSION) + $(PODMAN) tag firewalld firewalld:latest + $(PODMAN) tag firewalld:$(PACKAGE_VERSION) quay.io/firewalld/firewalld:$(PACKAGE_VERSION) + $(PODMAN) tag firewalld:latest quay.io/firewalld/firewalld:latest + $(PODMAN) push quay.io/firewalld/firewalld:$(PACKAGE_VERSION) + $(PODMAN) push quay.io/firewalld/firewalld:latest + $(PODMAN) save --format oci-archive --output firewalld-oci-$(PACKAGE_VERSION).tar firewalld:$(PACKAGE_VERSION) + dist-check: @rm -f _dist_check_failed @(cat config/Makefile.am | sed -n '/^CONFIG_FILES/,/^$$/p' | head -n-1 | tail -n+2) > _config @@ -80,6 +91,7 @@ $(MAKE) -C src/tests $@ .PHONY: check-container check-integration installcheck-integration +.PHONY: dist-container update-docs: $(MAKE) -C doc/xml @@ -98,10 +110,10 @@ @rm -rf /tmp/${PACKAGE_NAME}-$(PACKAGE_VERSION) @echo "The archive is in ${PACKAGE_NAME}-$(PACKAGE_VERSION).tar.gz" -test-rpm: dist +test-rpm: dist-gzip @rpmbuild -ta $(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz -test-srpm: dist +test-srpm: dist-gzip @rpmbuild -ts $(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz update-po:
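Review bot: the new `dist-container` recipe builds the image and runs `$(PODMAN) push` to quay.io/firewalld/firewalld in the same target, so anyone invoking it from a checkout will attempt to publish; splitting the two push lines into a separate target (for example `dist-container-push`) keeps a local image build free of side effects. Separately, `test-rpm` and `test-srpm` now depend on `dist-gzip` rather than `dist`, which skips the `clean-docs update-docs` prerequisites; if that is meant to speed up local test builds it deserves a comment, otherwise stale generated documentation can end up in the test rpm.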
_service:tar_scm:firewalld-1.0.2.tar.gz/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -151,10 +151,13 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +CSCOPE = cscope DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/doxygen.conf.in \ $(top_srcdir)/src/firewall/config/__init__.py.in COPYING \ - README install-sh missing + install-sh missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -192,8 +195,6 @@ reldir="$$dir2" GZIP_ENV = --best DIST_ARCHIVES = $(distdir).tar.bz2 -# Exists only to be overridden by the user if desired. -AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -207,16 +208,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ 
@@ -254,8 +253,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -342,8 +341,9 @@ SUBDIRS = config doc po shell-completion src DIST_TARGETS = dist-gzip EXTRA_DIST = \ + CODE_OF_CONDUCT.md \ COPYING \ - README \ + README.md \ autogen.sh \ ${PACKAGE_NAME}.spec @@ -496,6 +496,7 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f cscope.out cscope.in.out cscope.po.out cscope.files + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am @@ -578,10 +579,6 @@ tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) -dist-zstd: distdir - tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst - $(am__post_remove_distdir) - dist-tarZ: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @@ -624,8 +621,6 @@ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ - *.tar.zst*) \ - zstd -dc $(distdir).tar.zst | $(am__untar) ;;\ esac chmod -R a-w $(distdir) chmod u+w $(distdir) @@ -641,7 +636,7 @@ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ + && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ 
@@ -805,17 +800,17 @@ am--refresh check check-am clean clean-cscope clean-generic \ cscope cscopelist-am ctags ctags-am dist dist-all dist-bzip2 \ dist-gzip dist-lzip dist-shar dist-tarZ dist-xz dist-zip \ - dist-zstd distcheck distclean distclean-generic \ - distclean-local distclean-tags distcleancheck distdir \ - distuninstallcheck dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags \ - tags-am uninstall uninstall-am + distcheck distclean distclean-generic distclean-local \ + distclean-tags distcleancheck distdir distuninstallcheck dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am .PRECIOUS: Makefile 
@@ -850,6 +845,16 @@ dist: clean-docs update-docs +dist-container: + $(PODMAN) build --squash-all -t firewalld -f $(abs_top_srcdir)/Dockerfile $(abs_top_srcdir) + $(PODMAN) tag firewalld firewalld:$(PACKAGE_VERSION) + $(PODMAN) tag firewalld firewalld:latest + $(PODMAN) tag firewalld:$(PACKAGE_VERSION) quay.io/firewalld/firewalld:$(PACKAGE_VERSION) + $(PODMAN) tag firewalld:latest quay.io/firewalld/firewalld:latest + $(PODMAN) push quay.io/firewalld/firewalld:$(PACKAGE_VERSION) + $(PODMAN) push quay.io/firewalld/firewalld:latest + $(PODMAN) save --format oci-archive --output firewalld-oci-$(PACKAGE_VERSION).tar firewalld:$(PACKAGE_VERSION) + dist-check: @rm -f _dist_check_failed @(cat config/Makefile.am | sed -n '/^CONFIG_FILES/,/^$$/p' | head -n-1 | tail -n+2) > _config @@ -887,6 +892,7 @@ $(MAKE) -C src/tests $@ .PHONY: check-container check-integration installcheck-integration +.PHONY: dist-container update-docs: $(MAKE) -C doc/xml @@ -905,10 +911,10 @@ @rm -rf /tmp/${PACKAGE_NAME}-$(PACKAGE_VERSION) @echo "The archive is in ${PACKAGE_NAME}-$(PACKAGE_VERSION).tar.gz" -test-rpm: dist +test-rpm: dist-gzip @rpmbuild -ta $(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz -test-srpm: dist +test-srpm: dist-gzip @rpmbuild -ts $(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz update-po:
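Review bot: the regenerated Makefile.in comes from automake 1.16.1 while the 1.0.2 copy was from 1.16.4, and the diff correspondingly drops the `dist-zstd` target and the `AM_DISTCHECK_DVI_TARGET` override. Moving to an older generator on a version bump is unusual and suggests the 1.2.1 tarball was produced on a different host than 1.0.2; it is worth confirming that the Source0 archive matches the upstream GitHub release (for example by checksum) before relying on its generated files, or running autoreconf in %prep (the spec already BuildRequires autoconf and automake) so that the build files are regenerated from the .am and .ac sources.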
_service:tar_scm:firewalld-1.2.1.tar.gz/README.md
Added
@@ -0,0 +1,298 @@ +!Build status(https://github.com/firewalld/firewalld/workflows/testsuite/badge.svg)(https://github.com/firewalld/firewalld/actions/workflows/testsuite.yml?query=event%3Apush+workflow%3Atestsuite) +!Integration status(https://github.com/firewalld/firewalld/workflows/integration%20testsuite/badge.svg)(https://github.com/firewalld/firewalld/actions?query=event%3Apush+branch%3Amaster+workflow%3Aintegration-testsuite) +!Source status(https://github.com/firewalld/firewalld/workflows/source%20code%20and%20build%20checks/badge.svg)(https://github.com/firewalld/firewalld/actions?query=event%3Apush+branch%3Amaster+workflow%3Asource-checks) + + +FirewallD - A firewall daemon with D-Bus interface providing a dynamic firewall +==================== + +firewalld provides a dynamically managed firewall with support for network or +firewall zones to define the trust level of network connections or interfaces. +It has support for IPv4, IPv6 firewall settings and for ethernet bridges and a +separation of runtime and permanent configuration options. It also provides an +interface for services or applications to add ip*tables and ebtables rules +directly. + + +Development +----------- + +To check out the source repository, you can use: + +```sh +git clone https://github.com/firewalld/firewalld.git +``` + +This will create a local copy of the repository. + +The contributor code of conduct can be found in CODE_OF_CONDUCT.md(CODE_OF_CONDUCT.md) + +Language Translations +--------------------- + +Firewalld uses GNU gettext for localization support. Translations can be done +using Fedora's Weblate instance1. Translations are periodically merged into +the main firewalld repository. + +1: https://translate.stg.fedoraproject.org/projects/firewalld/ + +Dependencies +------------ + +These are the runtime dependencies: + +``` + linux >= 5.3 + python3-dbus + python3-gobject + python3-nftables >= 0.9.4 +``` + +**Note**: python2 is _not_ supported. 
+ +Optional Dependencies +--------------------- + +These dependencies may enhance firewalld's functionality, but they are not +required. + +``` + ebtables + ipset + iptables + polkit + python3-capng (libcap-ng-python3) +``` + +Working With The Source Repository +---------------------------------- + +In addition to the runtime dependencies some others are needed to build from +source: + +``` + desktop-file-utils: /usr/bin/desktop-file-install + gettext + intltool + glib2: /usr/bin/glib-compile-schemas + glib2-devel: /usr/share/aclocal/gsettings.m4 + systemd-units +``` + +To be able to create man pages and documentation from docbook files: + +``` + docbook-style-xsl + libxslt +``` + +Use the usual autoconf/automake incantation to generate makefiles + +```sh +./autogen.sh +./configure +``` + +You can use a specific python interpreter by passing the PYTHON variable. This +is also used by the testsuite. + +```sh +./configure PYTHON=/path/to/python3 +``` + +Use + +```sh +make +``` + +to create the documentation and to update the po files. + +Use + +```sh +make check +``` + +to run the testsuite. Tests are run inside network namespaces and do not +interfere with the host's running firewalld. They can also be run in parallel +by passing flags to autotest. + +```sh +make check TESTSUITEFLAGS="-j4" +``` + +The testsuite also uses keywords to allow running a subset of tests that +exercise a specific area. 
+For example: + +```sh +make check TESTSUITEFLAGS="-k rich -j4" +``` + +Output: + +```sh + 24: rich rules audit ok + 25: rich rules priority ok + 26: rich rules bad ok + 53: rich rules audit ok + 23: rich rules good ok + 55: rich rules bad ok + 74: remove forward-port after reload ok +``` + +You can get a list of tests and keywords + +```sh +make -C src/tests check TESTSUITEFLAGS="-l" +``` + +Or just the keywords + +```sh +make -C src/tests check TESTSUITEFLAGS="-l" \ + |awk '/^:space:*:digit:+/{getline; print $0}' \ + |tr ' ' '\n' |sort |uniq +``` + +There are integration tests. Currently this includes NetworkManager. These may +be _destructive_ to the host. Run them in a disposable VM or container. + +```sh +make check-integration +``` + +There is also a check-container target that will run the testsuite inside +various podman/docker containers. This is useful for coverage of multiple +distributions. It also runs tests that may be destructive to the host such as +integration tests. + +```sh +make check-container TESTSUITEFLAGS="-j4" +``` + +OCI Container Image +------------------- + +As part of the `dist` build target an OCI container image is generated. This is +distributed alongside the normal release tarball. It can be used to run +firewalld from a container. The containerized firewalld will _not_ integrate +with the host (e.g. podman, libvirt, NetworkManager). + +To manually load the container image into your environment: + +```sh +podman load -i .../path/to/firewalld-oci-<ver>.tar +``` + +To fetch the image from quay.io: + +```sh +podman pull quay.io/firewalld/firewalld:<ver> +``` + +where `<ver>` is optional, the latest version will be used if omitted. + +To start the daemon/container: + +```sh
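Review bot: the new "OCI Container Image" section states that the image is generated "As part of the `dist` build target", but the Makefile.am hunk in this same revision adds `dist-container` as a standalone target that `dist` does not depend on; either hook it into `dist` or reword this paragraph to tell readers to run `make dist-container`.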
_service:tar_scm:firewalld-1.0.2.tar.gz/aclocal.m4 -> _service:tar_scm:firewalld-1.2.1.tar.gz/aclocal.m4
Changed
@@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.16.4 -*- Autoconf -*- +# generated automatically by aclocal 1.16.1 -*- Autoconf -*- -# Copyright (C) 1996-2021 Free Software Foundation, Inc. +# Copyright (C) 1996-2018 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,8 +14,8 @@ m4_ifndef(AC_CONFIG_MACRO_DIRS, m4_defun(_AM_CONFIG_MACRO_DIRS, )m4_defun(AC_CONFIG_MACRO_DIRS, _AM_CONFIG_MACRO_DIRS($@))) m4_ifndef(AC_AUTOCONF_VERSION, m4_copy(m4_PACKAGE_VERSION, AC_AUTOCONF_VERSION))dnl -m4_if(m4_defn(AC_AUTOCONF_VERSION), 2.71,, -m4_warning(this file was generated for autoconf 2.71. +m4_if(m4_defn(AC_AUTOCONF_VERSION), 2.69,, +m4_warning(this file was generated for autoconf 2.69. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.)) 
@@ -109,19 +109,19 @@ ) -# nls.m4 serial 6 (gettext-0.20.2) -dnl Copyright (C) 1995-2003, 2005-2006, 2008-2014, 2016, 2019-2020 Free -dnl Software Foundation, Inc. +# nls.m4 serial 5 (gettext-0.18) +dnl Copyright (C) 1995-2003, 2005-2006, 2008-2014, 2016 Free Software +dnl Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, dnl with or without modifications, as long as this notice is preserved. dnl dnl This file can be used in projects which are not available under -dnl the GNU General Public License or the GNU Lesser General Public +dnl the GNU General Public License or the GNU Library General Public dnl License but which still want to provide support for the GNU gettext dnl functionality. dnl Please note that the actual code of the GNU gettext library is covered -dnl by the GNU Lesser General Public License, and the rest of the GNU +dnl by the GNU Library General Public License, and the rest of the GNU dnl gettext package is covered by the GNU General Public License. dnl They are *not* in the public domain. @@ -142,9 +142,9 @@ AC_SUBST(USE_NLS) ) -# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -# serial 11 (pkg-config-0.29.1) - +dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +dnl serial 11 (pkg-config-0.29.1) +dnl dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>. dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com> dnl 
@@ -418,86 +418,18 @@ AS_VAR_IF($1, "", $5, $4)dnl )dnl PKG_CHECK_VAR -dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES, -dnl ACTION-IF-FOUND,ACTION-IF-NOT-FOUND, -dnl DESCRIPTION, DEFAULT) -dnl ------------------------------------------ -dnl -dnl Prepare a "--with-" configure option using the lowercase -dnl VARIABLE-PREFIX name, merging the behaviour of AC_ARG_WITH and -dnl PKG_CHECK_MODULES in a single macro. -AC_DEFUN(PKG_WITH_MODULES, - -m4_pushdef(with_arg, m4_tolower($1)) - -m4_pushdef(description, - m4_default($5, build with with_arg support)) - -m4_pushdef(def_arg, m4_default($6, auto)) -m4_pushdef(def_action_if_found, AS_TR_SH(with_with_arg)=yes) -m4_pushdef(def_action_if_not_found, AS_TR_SH(with_with_arg)=no) - -m4_case(def_arg, - yes,m4_pushdef(with_without, --without-with_arg), - m4_pushdef(with_without,--with-with_arg)) - -AC_ARG_WITH(with_arg, - AS_HELP_STRING(with_without, description @<:@default=def_arg@:>@),, - AS_TR_SH(with_with_arg)=def_arg) - -AS_CASE($AS_TR_SH(with_with_arg), - yes,PKG_CHECK_MODULES($1,$2,$3,$4), - auto,PKG_CHECK_MODULES($1,$2, - m4_n(def_action_if_found) $3, - m4_n(def_action_if_not_found) $4)) - -m4_popdef(with_arg) -m4_popdef(description) -m4_popdef(def_arg) - -)dnl PKG_WITH_MODULES - -dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES, -dnl DESCRIPTION, DEFAULT) -dnl ----------------------------------------------- -dnl -dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES -dnl check._VARIABLE-PREFIX is exported as make variable. -AC_DEFUN(PKG_HAVE_WITH_MODULES, - -PKG_WITH_MODULES($1,$2,,,$3,$4) - -AM_CONDITIONAL(HAVE_$1, - test "$AS_TR_SH(with_m4_tolower($1))" = "yes") -)dnl PKG_HAVE_WITH_MODULES - -dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES, -dnl DESCRIPTION, DEFAULT) -dnl ------------------------------------------------------ -dnl -dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after -dnl PKG_WITH_MODULES check. 
HAVE_VARIABLE-PREFIX is exported as make -dnl and preprocessor variable. -AC_DEFUN(PKG_HAVE_DEFINE_WITH_MODULES, - -PKG_HAVE_WITH_MODULES($1,$2,$3,$4) - -AS_IF(test "$AS_TR_SH(with_m4_tolower($1))" = "yes", - AC_DEFINE(HAVE_$1, 1, Enable m4_tolower($1) support)) -)dnl PKG_HAVE_DEFINE_WITH_MODULES - -# po.m4 serial 31 (gettext-0.20.2) -dnl Copyright (C) 1995-2014, 2016, 2018-2020 Free Software Foundation, Inc. +# po.m4 serial 24 (gettext-0.19) +dnl Copyright (C) 1995-2014, 2016 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, dnl with or without modifications, as long as this notice is preserved. dnl dnl This file can be used in projects which are not available under -dnl the GNU General Public License or the GNU Lesser General Public +dnl the GNU General Public License or the GNU Library General Public dnl License but which still want to provide support for the GNU gettext dnl functionality. dnl Please note that the actual code of the GNU gettext library is covered -dnl by the GNU Lesser General Public License, and the rest of the GNU +dnl by the GNU Library General Public License, and the rest of the GNU dnl gettext package is covered by the GNU General Public License. dnl They are *not* in the public domain. @@ -518,7 +450,7 @@ dnl Release version of the gettext macros. This is used to ensure that dnl the gettext macros and po/Makefile.in.in are in sync. - AC_SUBST(GETTEXT_MACRO_VERSION, 0.20) + AC_SUBST(GETTEXT_MACRO_VERSION, 0.19) dnl Perform the following tests also if --disable-nls has been given, dnl because they are needed for "make dist" to work. 
@@ -534,6 +466,13 @@ dnl Test whether it is GNU msgfmt >= 0.15. changequote(,)dnl + case `$MSGFMT --version | sed 1q | sed -e 's,^^0-9*,,'` in + '' | 0.0-9 | 0.0-9.* | 0.10-4 | 0.10-4.*) MSGFMT_015=: ;; + *) MSGFMT_015=$MSGFMT ;; + esac +changequote(,)dnl + AC_SUBST(MSGFMT_015) +changequote(,)dnl case `$GMSGFMT --version | sed 1q | sed -e 's,^^0-9*,,'` in '' | 0.0-9 | 0.0-9.* | 0.10-4 | 0.10-4.*) GMSGFMT_015=: ;; *) GMSGFMT_015=$GMSGFMT ;; @@ -564,21 +503,11 @@ AM_PATH_PROG_WITH_TEST(MSGMERGE, msgmerge, $ac_dir/$ac_word --update -q /dev/null /dev/null >&AS_MESSAGE_LOG_FD 2>&1, :) - dnl Test whether it is GNU msgmerge >= 0.20. - if LC_ALL=C $MSGMERGE --help | grep ' --for-msgfmt ' >/dev/null; then - MSGMERGE_FOR_MSGFMT_OPTION='--for-msgfmt' - else - dnl Test whether it is GNU msgmerge >= 0.12. - if LC_ALL=C $MSGMERGE --help | grep ' --no-fuzzy-matching ' >/dev/null; then - MSGMERGE_FOR_MSGFMT_OPTION='--no-fuzzy-matching --no-location --quiet' - else - dnl With these old versions, $(MSGMERGE) $(MSGMERGE_FOR_MSGFMT_OPTION) is - dnl slow. But this is not a big problem, as such old gettext versions are - dnl hardly in use any more. - MSGMERGE_FOR_MSGFMT_OPTION='--no-location --quiet' - fi - fi - AC_SUBST(MSGMERGE_FOR_MSGFMT_OPTION) + dnl Installation directories. + dnl Autoconf >= 2.60 defines localedir. For older versions of autoconf, we + dnl have to define it here, so that it can be used in po/Makefile. + test -n "$localedir" || localedir='${datadir}/locale' + AC_SUBST(localedir) dnl Support for AM_XGETTEXT_OPTION. test -n "${XGETTEXT_EXTRA_OPTIONS+set}" || XGETTEXT_EXTRA_OPTIONS= @@ -621,11 +550,14 @@
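Review bot: the gettext macros bundled in the newer 1.2.1 tarball are older than those in 1.0.2 (nls.m4 serial 6 / gettext-0.20.2 becomes serial 5 / gettext-0.18, po.m4 serial 31 becomes 24, GETTEXT_MACRO_VERSION 0.20 becomes 0.19, the MSGMERGE_FOR_MSGFMT_OPTION probe is gone) and the PKG_WITH_MODULES, PKG_HAVE_WITH_MODULES and PKG_HAVE_DEFINE_WITH_MODULES macros are dropped from pkg.m4, which means aclocal.m4 was re-bootstrapped on a host with older autotools rather than taken verbatim from the upstream release. Please record in the changelog how the tarball was produced, or verify its checksum against the upstream release asset. Separately, this rendered view has lost square brackets: the unchanged GMSGFMT context shows `'s,^^0-9*,,'` and `0.0-9` where the file reads `'s,^[^0-9]*,,'` and `0.[0-9]`, and the second `changequote(,)dnl` after `esac` should be `changequote([,])dnl`; review the raw m4 rather than this page before judging the + lines.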
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/Makefile.am -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/Makefile.am
Changed
@@ -113,14 +113,16 @@ icmptypes/ttl-zero-during-transit.xml \ icmptypes/unknown-header-type.xml \ icmptypes/unknown-option.xml \ - ipsets/README \ + ipsets/README.md \ policies/allow-host-ipv6.xml \ + services/afp.xml \ services/amanda-client.xml \ services/amanda-k5-client.xml \ services/amqp.xml \ services/amqps.xml \ services/apcupsd.xml \ services/audit.xml \ + services/ausweisapp2.xml \ services/bacula-client.xml \ services/bacula.xml \ services/bb.xml \ @@ -134,9 +136,11 @@ services/ceph-mon.xml \ services/ceph.xml \ services/cfengine.xml \ + services/checkmk-agent.xml \ services/cockpit.xml \ services/collectd.xml \ services/condor-collector.xml \ + services/cratedb.xml \ services/ctdb.xml \ services/dhcpv6-client.xml \ services/dhcpv6.xml \ @@ -163,13 +167,17 @@ services/ganglia-client.xml \ services/ganglia-master.xml \ services/git.xml \ + services/gpsd.xml \ services/grafana.xml \ services/gre.xml \ services/high-availability.xml \ + services/http3.xml \ services/https.xml \ services/http.xml \ + services/ident.xml \ services/imaps.xml \ services/imap.xml \ + services/ipfs.xml \ services/ipp-client.xml \ services/ipp.xml \ services/ipsec.xml \ @@ -177,6 +185,7 @@ services/irc.xml \ services/iscsi-target.xml \ services/isns.xml \ + services/jellyfin.xml \ services/jenkins.xml \ services/kadmin.xml \ services/kdeconnect.xml \ 
@@ -186,16 +195,25 @@ services/kpasswd.xml \ services/kprop.xml \ services/kshell.xml \ + services/kubelet.xml \ + services/kubelet-readonly.xml \ + services/kubelet-worker.xml \ services/kube-api.xml \ services/kube-apiserver.xml \ services/kube-control-plane.xml \ + services/kube-control-plane-secure.xml \ services/kube-controller-manager.xml \ + services/kube-controller-manager-secure.xml \ + services/kube-nodeport-services.xml \ services/kube-scheduler.xml \ - services/kubelet-worker.xml \ + services/kube-scheduler-secure.xml \ + services/kube-worker.xml \ services/ldaps.xml \ services/ldap.xml \ services/libvirt-tls.xml \ services/libvirt.xml \ + services/llmnr-tcp.xml \ + services/llmnr-udp.xml \ services/llmnr.xml \ services/managesieve.xml \ services/matrix.xml \ @@ -213,6 +231,7 @@ services/mysql.xml \ services/nbd.xml \ services/netbios-ns.xml \ + services/netdata-dashboard.xml \ services/nfs.xml \ services/nfs3.xml \ services/nmea-0183.xml \ @@ -232,8 +251,10 @@ services/pop3.xml \ services/postgresql.xml \ services/privoxy.xml \ + services/prometheus-node-exporter.xml \ services/prometheus.xml \ services/proxy-dhcp.xml \ + services/ps3netsrv.xml \ services/ptp.xml \ services/pulseaudio.xml \ services/puppetmaster.xml \ @@ -262,6 +283,8 @@ services/smtp.xml \ services/snmptrap.xml \ services/snmp.xml \ + services/snmptls-trap.xml \ + services/snmptls.xml \ services/spideroak-lansync.xml \ services/spotify-sync.xml \ services/squid.xml \ @@ -288,6 +311,10 @@ services/wbem-http.xml \ services/wbem-https.xml \ services/wireguard.xml \ + services/ws-discovery-client.xml \ + services/ws-discovery-tcp.xml \ + services/ws-discovery-udp.xml \ + services/ws-discovery.xml \ services/wsman.xml \ services/wsmans.xml \ services/xdmcp.xml \ @@ -297,6 +324,7 @@ services/xmpp-server.xml \ services/zabbix-agent.xml \ services/zabbix-server.xml \ + services/zerotier.xml \ zones/block.xml \ zones/dmz.xml \ zones/drop.xml \ 
@@ -462,7 +490,7 @@ # make sure CONFIG_FILES are also in POTFILES check-local: - @for file in $(filter-out helpers/% %/README,$(CONFIG_FILES)); do \ + @for file in $(filter-out helpers/% %/README.md,$(CONFIG_FILES)); do \ if ! grep "$${file}" ${top_srcdir}/po/POTFILES.in > /dev/null; then \ echo "$${file} should be in ${abs_top_srcdir}/po/POTFILES.in"; \ exit 1; \
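Review bot: the three new entries `services/kubelet.xml`, `services/kubelet-readonly.xml` and `services/kubelet-worker.xml` are inserted before `services/kube-api.xml`, out of the list's sort order (`kube-` sorts before `kubelet`); move them after `services/kube-worker.xml`, where the old `kubelet-worker.xml` line used to sit. Also, since `check-local` fails the build when a CONFIG_FILES entry is missing from po/POTFILES.in, confirm that every service added here (afp, ausweisapp2, checkmk-agent, cratedb, gpsd, http3, ident, ipfs, jellyfin, the kube*/kubelet* files, llmnr-tcp, llmnr-udp, netdata-dashboard, prometheus-node-exporter, ps3netsrv, snmptls, snmptls-trap, the ws-discovery files and zerotier) is listed in POTFILES.in in the same update.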
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -172,16 +172,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -219,8 +217,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -404,14 +402,16 @@ icmptypes/ttl-zero-during-transit.xml \ icmptypes/unknown-header-type.xml \ icmptypes/unknown-option.xml \ - ipsets/README \ + ipsets/README.md \ policies/allow-host-ipv6.xml \ + services/afp.xml \ services/amanda-client.xml \ services/amanda-k5-client.xml \ services/amqp.xml \ services/amqps.xml \ services/apcupsd.xml \ services/audit.xml \ + services/ausweisapp2.xml \ services/bacula-client.xml \ services/bacula.xml \ services/bb.xml \ @@ -425,9 +425,11 @@ services/ceph-mon.xml \ services/ceph.xml \ services/cfengine.xml \ + services/checkmk-agent.xml \ services/cockpit.xml \ services/collectd.xml \ services/condor-collector.xml \ + services/cratedb.xml \ services/ctdb.xml \ services/dhcpv6-client.xml \ services/dhcpv6.xml \ 
@@ -454,13 +456,17 @@ services/ganglia-client.xml \ services/ganglia-master.xml \ services/git.xml \ + services/gpsd.xml \ services/grafana.xml \ services/gre.xml \ services/high-availability.xml \ + services/http3.xml \ services/https.xml \ services/http.xml \ + services/ident.xml \ services/imaps.xml \ services/imap.xml \ + services/ipfs.xml \ services/ipp-client.xml \ services/ipp.xml \ services/ipsec.xml \ @@ -468,6 +474,7 @@ services/irc.xml \ services/iscsi-target.xml \ services/isns.xml \ + services/jellyfin.xml \ services/jenkins.xml \ services/kadmin.xml \ services/kdeconnect.xml \ @@ -477,16 +484,25 @@ services/kpasswd.xml \ services/kprop.xml \ services/kshell.xml \ + services/kubelet.xml \ + services/kubelet-readonly.xml \ + services/kubelet-worker.xml \ services/kube-api.xml \ services/kube-apiserver.xml \ services/kube-control-plane.xml \ + services/kube-control-plane-secure.xml \ services/kube-controller-manager.xml \ + services/kube-controller-manager-secure.xml \ + services/kube-nodeport-services.xml \ services/kube-scheduler.xml \ - services/kubelet-worker.xml \ + services/kube-scheduler-secure.xml \ + services/kube-worker.xml \ services/ldaps.xml \ services/ldap.xml \ services/libvirt-tls.xml \ services/libvirt.xml \ + services/llmnr-tcp.xml \ + services/llmnr-udp.xml \ services/llmnr.xml \ services/managesieve.xml \ services/matrix.xml \ @@ -504,6 +520,7 @@ services/mysql.xml \ services/nbd.xml \ services/netbios-ns.xml \ + services/netdata-dashboard.xml \ services/nfs.xml \ services/nfs3.xml \ services/nmea-0183.xml \ @@ -523,8 +540,10 @@ services/pop3.xml \ services/postgresql.xml \ services/privoxy.xml \ + services/prometheus-node-exporter.xml \ services/prometheus.xml \ services/proxy-dhcp.xml \ + services/ps3netsrv.xml \ services/ptp.xml \ services/pulseaudio.xml \ services/puppetmaster.xml \ 
@@ -553,6 +572,8 @@ services/smtp.xml \ services/snmptrap.xml \ services/snmp.xml \ + services/snmptls-trap.xml \ + services/snmptls.xml \ services/spideroak-lansync.xml \ services/spotify-sync.xml \ services/squid.xml \ @@ -579,6 +600,10 @@ services/wbem-http.xml \ services/wbem-https.xml \ services/wireguard.xml \ + services/ws-discovery-client.xml \ + services/ws-discovery-tcp.xml \ + services/ws-discovery-udp.xml \ + services/ws-discovery.xml \ services/wsman.xml \ services/wsmans.xml \ services/xdmcp.xml \ @@ -588,6 +613,7 @@ services/xmpp-server.xml \ services/zabbix-agent.xml \ services/zabbix-server.xml \ + services/zerotier.xml \ zones/block.xml \ zones/dmz.xml \ zones/drop.xml \ @@ -815,6 +841,7 @@ cscope cscopelist: + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am @@ -859,8 +886,7 @@ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-exec-am +install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -966,7 +992,7 @@ uninstall-local uninstall-polkit1_actionDATA .MAKE: all check check-am install install-am install-data-am \ - install-exec install-strip + install-strip .PHONY: all all-am check check-am check-local clean clean-generic \ cscopelist-am ctags-am distclean distclean-generic distdir dvi \ @@ -1103,7 +1129,7 @@ # make sure CONFIG_FILES are also in POTFILES check-local: - @for file in $(filter-out helpers/% %/README,$(CONFIG_FILES)); do \
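Review bot: this generated Makefile.in regresses from automake 1.16.4 to 1.16.1 (the CSCOPE, CTAGS and ETAGS substitutions disappear, `install-exec` no longer depends on `$(BUILT_SOURCES)`, and `.MAKE` loses `install-exec`), which matches the m4 regression above: the tarball was re-bootstrapped on an older build host instead of being the pristine upstream release. If the package build regenerates these files with its own autotools this is harmless, but the provenance of the source archive should be stated explicitly so the difference from upstream is auditable.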
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/firewalld.conf -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/firewalld.conf
Changed
@@ -27,7 +27,7 @@ # IPv6_rpfilter # Performs a reverse path filter test on a packet for IPv6. If a reply to the -# packet would be sent via the same interface that the packet arrived on, the +# packet would be sent via the same interface that the packet arrived on, the # packet will match and be accepted, otherwise dropped. # The rp_filter for IPv4 is controlled using sysctl. # Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/firewalld.init -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/firewalld.init
Changed
@@ -3,7 +3,7 @@ # firewalld Startup script for the firewall daemon # # chkconfig: - 08 92 -# description: The firewall deamon manages the firewall and handles dynamic +# description: The firewall daemon manages the firewall and handles dynamic # firewall changes. # # config: /etc/firewalld
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/icmptypes/beyond-scope.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/icmptypes/beyond-scope.xml
Changed
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8"?> <icmptype> <short>Beyond Scope</short> - <description>This error message is sent if transmitting a package whould cross a zone boundary of the scope of the source address.</description> + <description>This error message is sent if transmitting a package would cross a zone boundary of the scope of the source address.</description> <destination ipv4="no"/> <destination ipv6="yes"/> </icmptype>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/ipsets/README.md
Changed
(renamed from config/ipsets/README)
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/lockdown-whitelist.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/lockdown-whitelist.xml
Changed
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="utf-8"?> <whitelist> - <command name="/home/egarver/bin/python /usr/bin/firewall-config"/> + <command name="/opt/hostedtoolcache/Python/3.7.14/x64/bin/python /usr/bin/firewall-config"/> <selinux context="system_u:system_r:NetworkManager_t:s0"/> <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/> <user id="0"/>
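Review bot: the whitelisted command `/opt/hostedtoolcache/Python/3.7.14/x64/bin/python /usr/bin/firewall-config` is a CI build-host artifact (a hosted-toolcache Python) replacing the previous developer home-directory path; neither interpreter exists on a target system, so the lockdown whitelist entry for firewall-config is dead and firewall-config will be refused in lockdown mode. The interpreter path is substituted into this file from its `.in` template at configure time, so the package must regenerate `lockdown-whitelist.xml` at build time with the distribution's Python path rather than ship the pre-generated copy from the tarball.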
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/afp.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>AFP</short> + <description>The Apple Filing Protocol (AFP), formerly AppleTalk Filing Protocol, is a proprietary network protocol, and part of the Apple File Service (AFS), that offers file services for macOS and the classic Mac OS.</description> + <port protocol="tcp" port="548"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ausweisapp2.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service version="1.17.1"> + <short>AusweisApp2</short> + <description>AusweisApp2 is an official government application to provide electronic identification services (eID) in conjunction with an approved electronic identification document such as the german nPA. In order to use your Smartphone as a card reader enable this service.</description> + <port protocol="udp" port="24727"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/checkmk-agent.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>checkmk agent</short> + <description>The checkmk monitoring agent runs on clients to provide detailed host state.</description> + <port protocol="tcp" port="6556"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/cratedb.xml
Added
@@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>CrateDB</short> + <description>CrateDB is a distributed SQL database management system that integrates a fully searchable document oriented data store.</description> + <port protocol="tcp" port="4200"/> + <port protocol="tcp" port="4300"/> + <include service="postgresql"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/gpsd.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>gpsd</short> + <description>gpsd is a service daemon that monitors one or more GPSes or AIS receivers attached to a host computer through serial or USB ports, making all data on the location/course/velocity of the sensors available to be queried on TCP port 2947 of the host computer.</description> + <port protocol="tcp" port="2947" /> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/http3.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>WWW (HTTP/3)</short> + <description>HTTP/3 is a protocol used to serve Web pages that uses QUIC as the transport protocol. If you plan to make your HTTP/3 compatible Web server publicly available, enable this option.</description> + <port protocol="udp" port="443"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ident.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Ident Protocol</short> + <description>The Identification Protocol as specified in RFC 1413, which is used to determine the identity of a user of a particular TCP connection.</description> + <port protocol="tcp" port="113"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ipfs.xml
Added
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>IPFS</short> + <description>The InterPlanetary File System (IPFS) is a peer-to-peer hypermedia protocol designed to make the web faster, safer, and more open</description> + <port protocol="tcp" port="4001"/> + <port protocol="udp" port="4001"/> +</service>
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/ipsec.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ipsec.xml
Changed
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8"?> <service> <short>IPsec</short> - <description>Internet Protocol Security (IPsec) is the standarized IETF VPN architecture defined in RFC 4301. IPsec is negotiated using the IKEv1 (RFC 2409) or IKEv2 (RFC 7296) protocol, which in itself uses encryption and authentication. IPsec provides Internet Protocol (IP) packet encryption and authentication. Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229 to make it easier to traverse NAT. Enabling this service will enable IKE, IPsec and their encapsulation protocols and ports. Note that IKE and IPsec can also be configured to use non-default ports, but this is not common practise.</description> + <description>Internet Protocol Security (IPsec) is the standardized IETF VPN architecture defined in RFC 4301. IPsec is negotiated using the IKEv1 (RFC 2409) or IKEv2 (RFC 7296) protocol, which in itself uses encryption and authentication. IPsec provides Internet Protocol (IP) packet encryption and authentication. Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229 to make it easier to traverse NAT. Enabling this service will enable IKE, IPsec and their encapsulation protocols and ports. Note that IKE and IPsec can also be configured to use non-default ports, but this is not common practice.</description> <port protocol="ah" port=""/> <port protocol="esp" port=""/> <port protocol="udp" port="500"/>
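Review bot: the spelling fixes (standardized, practice) are fine, but the unbalanced parenthesis in "TCP (RFC 8229 to make it easier to traverse NAT." survives on the + line; close it as "TCP (RFC 8229)" while the description is being touched.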
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/jellyfin.xml
Added
@@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Jellyfin</short> + <description>Jellyfin is a Free Software Media System that puts you in control of managing and streaming your media.</description> + <port protocol="tcp" port="8096"/> <!-- HTTP traffic --> + <port protocol="tcp" port="8920"/> <!-- HTTPS traffic --> + <include service="ssdp"/> <!-- Auto-discovery --> + <port protocol="udp" port="7359"/> <!-- Auto-discovery --> +</service>
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/kube-api.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kube-api.xml
Changed
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="utf-8"?> <service> - <short>Kubernetes Kubelet API</short> - <description>The kubelet API is used to communicate between kube-scheduler and the node.</description> - <port protocol="tcp" port="10250"/> + <short>Kubernetes Kubelet</short> + <description>Backwards compatibility after service renaming</description> + <include service="kubelet" /> </service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kube-control-plane-secure.xml
Added
@@ -0,0 +1,10 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Kubernetes Control-plane Node - secure</short> + <description>The Kubernetes Control-plane Node runs all the services of the Kubernetes Control Plane. This includes kube-apiserver, etcd, kube-schedule, kube-controller-manager, cloud-controller-manager, and others</description> + <include service="etcd-client" /> + <include service="etcd-server" /> + <include service="kube-apiserver" /> + <include service="kube-controller-manager-secure" /> + <include service="kube-scheduler-secure" /> +</service>
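Review bot: typo "kube-schedule" should be "kube-scheduler" in the description, which also lacks a closing period unlike the sibling service files. The description should also say what distinguishes this service from kube-control-plane, namely that it swaps in the `kube-controller-manager-secure` and `kube-scheduler-secure` includes (TCP 10257 and 10259) so administrators know which of the two to enable.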
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/kube-control-plane.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kube-control-plane.xml
Changed
@@ -7,5 +7,4 @@ <include service="kube-apiserver" /> <include service="kube-controller-manager" /> <include service="kube-scheduler" /> - <include service="kube-api" /> </service>
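Review bot: dropping `<include service="kube-api" />` removes TCP/10250 (the kubelet port, via kube-api → kubelet) from the kube-control-plane service, so a control-plane node that also runs a kubelet no longer accepts kubelet traffic through this service alone and needs `kubelet` or `kube-worker` enabled in addition. That is a sensible tightening, but it is a user-visible change in the opened port set and should be mentioned in the changelog.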
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kube-controller-manager-secure.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Kubernetes Controller Manager - Secure</short> + <description>The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes.</description> + <port protocol="tcp" port="10257"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kube-nodeport-services.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Kubernetes Kubelet</short> + <description>Services of type NodePort expose a port on each worker</description> + <port protocol="tcp" port="30000-32767"/> +</service>
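Review bot: `<short>Kubernetes Kubelet</short>` is copy-pasted from kubelet.xml; it should name NodePort services. Only TCP 30000-32767 is opened, yet services of type NodePort can also be UDP, so either add the UDP range or state in the description that only TCP NodePorts are covered.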
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kube-scheduler-secure.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Kubernetes Scheduler - secure</short> + <description>The Kubernetes scheduler is a policy-rich, topology-aware, workload-specific function that significantly impacts availability, performance, and capacity.</description> + <port protocol="tcp" port="10259"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kube-worker.xml
Added
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Kubernetes Worker Node</short> + <description>The Kubernetes Worker Node runs some (or sometimes all) of the workloads of the Kubernetes cluster. There might be NodoPort services associated with these workloads.</description> + <include service="kubelet" /> + <include service="kube-nodeport-services" /> +</service>
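Review bot: typo "NodoPort" should be "NodePort" in the description.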
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kubelet-readonly.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Kubernetes Kubelet read</short> + <description>The kubelet API is used to communicate between kube-scheduler and the node.</description> + <port protocol="tcp" port="10255"/> +</service>
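Review bot: the description is copied verbatim from kubelet.xml and does not say what 10255 is: the kubelet's read-only port, which serves pod and node information without authentication. State that in the description so an administrator understands that enabling this service exposes unauthenticated metadata; many deployments set the kubelet read-only port to 0, in which case this service opens a port nothing listens on.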
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/kubelet-worker.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kubelet-worker.xml
Changed
@@ -1,7 +1,6 @@ <?xml version="1.0" encoding="utf-8"?> <service> - <short>Kubernetes Kubelet</short> - <description>The kubelet is the primary “node agent” that runs on each Kubernetes node.</description> - <include service="kube-api" /> - <port protocol="tcp" port="30000-32767"/> + <short>Kubernetes Worker Node</short> + <description>Backwards compatibility after service renaming</description> + <include service="kube-worker" /> </service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/kubelet.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Kubernetes Kubelet</short> + <description>The kubelet API is used to communicate between kube-scheduler and the node.</description> + <port protocol="tcp" port="10250"/> +</service>
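Review bot: the description carried over from kube-api.xml is inaccurate: the kubelet API on 10250 is contacted by the kube-apiserver (exec, logs, port-forward, metrics), not by kube-scheduler, which does not talk to nodes directly. Suggest "The kubelet API is used by the kube-apiserver to communicate with the node."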
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/llmnr-tcp.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>LLMNR (TCP)</short> + <description>Link-Local Multicast Name Resolution (LLMNR) allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.</description> + <port protocol="tcp" port="5355"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/llmnr-udp.xml
Added
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>LLMNR (UDP)</short> + <description>Link-Local Multicast Name Resolution (LLMNR) allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.</description> + <port protocol="udp" port="5355"/> + <destination ipv4="224.0.0.252" ipv6="ff02::1:3"/> +</service>
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/llmnr.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/llmnr.xml
Changed
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8"?> <service> - <short>Link-Local Multicast Name Resolution (LLMNR)</short> - <description>LLMNR allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.</description> - <port protocol="tcp" port="5355"/> - <port protocol="udp" port="5355"/> + <short>LLMNR</short> + <description>Link-Local Multicast Name Resolution (LLMNR) allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.</description> + <include service="llmnr-tcp"/> + <include service="llmnr-udp"/> </service>
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/minidlna.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/minidlna.xml
Changed
@@ -3,5 +3,5 @@ <short>MiniDLNA</short> <description>MiniDLNA is a simple media server software with the aim to be fully compliant with DLNA/UPNP-AV clients. Enable this service if you run minidlna service.</description> <port protocol="tcp" port="8200"/> - <port protocol="udp" port="1900"/> + <include service="ssdp"/> </service>
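Review bot: replacing `<port protocol="udp" port="1900"/>` with `<include service="ssdp"/>` is not a pure refactor: ssdp.xml carries `<destination ipv4="239.255.255.250" ipv6="ff02::c"/>`, so UDP/1900 is now accepted only when addressed to the SSDP multicast group, and unicast M-SEARCH requests sent directly to the host's own address on 1900 are no longer matched. That is the tighter and intended SSDP behaviour, but it is a change in what minidlna users get and should be noted in the changelog.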
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/ms-wbt.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ms-wbt.xml
Changed
@@ -2,5 +2,5 @@ <service> <short>ms-wbt</short> <description>Microsoft Windows-based Terminal Server</description> - <port protocol="tcp" port="3389"/> + <include service="rdp"/> </service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/netdata-dashboard.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Netdata Dashboard</short> + <description>Netdata dashboard is a place to view the results of the netdata monitoring agent</description> + <port protocol="tcp" port="19999"/> +</service>
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/plex.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/plex.xml
Changed
@@ -1,12 +1,9 @@ <?xml version="1.0" encoding="utf-8"?> <service> <short>PLEX</short> - <description> Plex Media Server (PMS) is the back-end media server component of Plex. - It organizes audio (music) and visual (photos and videos) content from personal media - libraries and streams it to their player counterparts, either on the same machine, - the same local area network, or over the Internet. </description> + <description>Plex Media Server (PMS) is the back-end media server component of Plex. It organizes content from personal media libraries and streams it to the network.</description> <port protocol="tcp" port="32400"/><port protocol="udp" port="32400"/> <!-- Plex media server access (required)> --> - <port protocol="tcp" port="32469"/><port protocol="udp" port="1900"/> <!-- Plex DLNA --> + <port protocol="tcp" port="32469"/><include service="ssdp"/> <!-- Plex DLNA --> <port protocol="tcp" port="3005"/><!-- plex home theater control (plex companion) --> <port protocol="tcp" port="8324"/><!-- Roku control (plex companion) --> <port protocol="udp" port="32410"/><!-- gdm discovery -->
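Review bot: the comment `<!-- Plex media server access (required)> -->` on the unchanged context line has a stray `>` inside the comment text; since the description is being rewritten anyway, fix that comment in the same change. The `<include service="ssdp"/>` also narrows UDP/1900 to the multicast destination exactly as in minidlna.xml, so the same changelog note applies here.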
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/prometheus-node-exporter.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>prometheus-node-exporter</short> + <description>The node-exporter agent for Prometheus monitoring system.</description> + <port protocol="tcp" port="9100"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ps3netsrv.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>ps3netsrv</short> + <description>PS3 Network Server</description> + <port protocol="tcp" port="38008"/> +</service>
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/samba-client.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/samba-client.xml
Changed
@@ -2,7 +2,6 @@ <service> <short>Samba Client</short> <description>This option allows you to access Windows file and printer sharing networks. You need the samba-client package installed for this option to be useful.</description> - <port protocol="udp" port="137"/> + <include service="netbios-ns"/> <port protocol="udp" port="138"/> - <helper name="netbios-ns"/> </service>
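Review bot: removing `<helper name="netbios-ns"/>` together with `<port protocol="udp" port="137"/>` is only equivalent if netbios-ns.xml itself declares the netbios-ns conntrack helper; please confirm it does, otherwise the NetBIOS name-service helper silently stops being loaded for Samba clients. Because samba.xml and samba-dc.xml now reach samba-client through includes, the same dependency applies to them.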
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/samba-dc.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/samba-dc.xml
Changed
@@ -2,22 +2,15 @@ <service> <short>Samba DC</short> <description>This option allows you to use this computer as a Samba Active Directory Domain Controller. You need the samba-dc package installed for this option to be useful.</description> - <port protocol="tcp" port="53"/><!-- DNS --> - <port protocol="udp" port="53"/><!-- DNS --> - <port protocol="tcp" port="88"/><!-- Kerberos --> - <port protocol="udp" port="88"/><!-- Kerberos --> + <include service="samba"/> + <include service="dns"/> + <include service="kerberos"/> + <include service="ldap"/> + <include service="ldaps"/> + <include service="kpasswd"/> <port protocol="tcp" port="135"/><!-- End Point Mapper (DCE/RPC Locator Service --> - <port protocol="udp" port="137"/><!-- NetBIOS Name Service --> - <port protocol="udp" port="138"/><!-- NetBIOS Datagram --> - <port protocol="tcp" port="139"/><!-- NetBIOS Session --> - <port protocol="tcp" port="389"/><!-- LDAP --> <port protocol="udp" port="389"/><!-- CLDAP --> - <port protocol="tcp" port="445"/><!-- SMB over TCP --> - <port protocol="tcp" port="464"/><!-- Kerberos kpasswd --> - <port protocol="udp" port="464"/><!-- Kerberos kpasswd --> - <port protocol="tcp" port="636"/><!-- LDAPS --> <port protocol="tcp" port="49152-65535"/><!-- Dynamic RPC Ports --> <port protocol="tcp" port="3268"/><!-- Global Catalog --> <port protocol="tcp" port="3269"/><!-- Global Catalog SSL --> - <helper name="netbios-ns"/> </service>
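Review bot: the refactor is behaviour-preserving only if the included services define exactly the ports removed here: 53 tcp/udp (dns), 88 tcp/udp (kerberos), 389/tcp (ldap), 636/tcp (ldaps), 464 tcp/udp (kpasswd), and 137/138/139/445 plus the netbios-ns helper (samba, via samba-client and netbios-ns); please verify against those files, and confirm that the nested include chain samba → samba-client → netbios-ns resolves in this firewalld version. The explicit udp/389 CLDAP, 135, 3268, 3269 and 49152-65535 entries are correctly kept. Style: the context-line comment `<!-- End Point Mapper (DCE/RPC Locator Service -->` is missing its closing parenthesis.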
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/samba.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/samba.xml
Changed
@@ -2,9 +2,7 @@ <service> <short>Samba</short> <description>This option allows you to access and participate in Windows file and printer sharing networks. You need the samba package installed for this option to be useful.</description> - <port protocol="udp" port="137"/> - <port protocol="udp" port="138"/> + <include service="samba-client"/> <port protocol="tcp" port="139"/> <port protocol="tcp" port="445"/> - <helper name="netbios-ns"/> </service>
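Review bot: after this hunk `samba` only gets udp/137 and the netbios-ns helper back through two levels of include (samba to samba-client to netbios-ns), because both `<port protocol="udp" port="137"/>` and `<helper name="netbios-ns"/>` are removed from this file; please confirm the service loader resolves nested includes recursively and applies a helper declared by the innermost included service. The hunk's line counts (9 to 7) match the two removals and one addition.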
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/snmptls-trap.xml
Added
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Secure SNMPTRAP (TLS)</short> + <description>Secure SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message. This port is protected by TLS.</description> + <port protocol="tcp" port="10162"/> + <port protocol="udp" port="10162"/> +</service>
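Review bot: the description says the port is "protected by TLS" but the service also opens udp/10162, which is the DTLS transport; for consistency with snmptls.xml in this same change ("over TLS/DTLS") say TLS/DTLS here too so nobody reads the UDP listener as plaintext SNMP trap traffic. The port numbers themselves are the IANA-registered SNMP-over-(D)TLS trap ports, so no concern there.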
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/snmptls.xml
Added
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Secure SNMP (TLS)</short> + <description>Simple Network Management Protocol over TLS/DTLS is an "Internet-standard protocol for managing devices on IP networks" protected by TLS. Enable this service if you run SNMP agent (server).</description> + <port port="10161" protocol="tcp"/> + <port port="10161" protocol="udp"/> +</service>
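Review bot: attribute order is `<port port="10161" protocol="tcp"/>` while every other service file in this change writes `protocol` first (`<port protocol="tcp" port="..."/>`); harmless to the parser, but please normalise to the project convention. Also, "if you run SNMP agent (server)" wants an article: "if you run an SNMP agent (server)".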
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/ssdp.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ssdp.xml
Changed
@@ -3,5 +3,5 @@ <short>Simple Service Discovery Protocol (SSDP)</short> <description>The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information.</description> <port protocol="udp" port="1900"/> - <destination ipv4="239.255.255.250" ipv6="FF02::C"/> + <destination ipv4="239.255.255.250" ipv6="ff02::c"/> </service>
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/config/services/syncthing.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/config/services/syncthing.xml
Changed
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8"?> <service> <short>Syncthing</short> - <description>Syncthing is a Peer-to-Peer file synchronization service. Enable this option, if you plan to run the Synthing service.</description> + <description>Syncthing is a peer-to-peer file synchronization service. Enable this option, if you plan to run the Syncthing service.</description> <port protocol="tcp" port="22000"/> <port protocol="udp" port="22000"/> <port protocol="udp" port="21027"/>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ws-discovery-client.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>WS-Discovery Client</short> + <description>Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network. Use only in trusted zones.</description> + <source-port port="3702" protocol="udp"/> +</service>
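Review bot: this service matches on `<source-port port="3702" protocol="udp"/>`, i.e. it accepts any inbound UDP packet whose source port is 3702 regardless of destination port or destination address, a much broader accept than a normal `<port>` entry, and the remote side chooses its own source port. The "Use only in trusted zones" sentence is the right caveat, but the description should say why, so an administrator enabling it in a public zone understands what they are opening. Compare ws-discovery-udp.xml in this change, which restricts udp/3702 to the multicast destination `239.255.255.250` / `ff02::c`.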
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ws-discovery-tcp.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>WS-Discovery (TCP)</short> + <description>Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network.</description> + <port protocol="tcp" port="3702"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ws-discovery-udp.xml
Added
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>WS-Discovery (UDP)</short> + <description>Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network.</description> + <port protocol="udp" port="3702"/> + <destination ipv4="239.255.255.250" ipv6="ff02::c"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/ws-discovery.xml
Added
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>WS-Discovery</short> + <description>Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network.</description> + <include service="ws-discovery-tcp"/> + <include service="ws-discovery-udp"/> +</service>
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/config/services/zerotier.xml
Added
@@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>ZeroTier</short> + <description>ZeroTier creates secure networks between on-premise, cloud, desktop, and mobile devices.</description> + <port protocol="udp" port="9993" /> +</service>
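Review bot: style nit, `<port protocol="udp" port="9993" />` has a space before `/>` unlike every other service file in this change; drop it. The description also reads as product copy ("creates secure networks between...") while the neighbouring files tell the administrator when to enable the service ("Enable this service if you run ..."); consider following that pattern.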
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/configure -> _service:tar_scm:firewalld-1.2.1.tar.gz/configure
Changed
@@ -1,10 +1,9 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for firewalld 1.0.2. +# Generated by GNU Autoconf 2.69 for firewalld 1.2.1. # # -# Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, -# Inc. +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation @@ -15,16 +14,14 @@ # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -as_nop=: -if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST -else $as_nop +else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( 
@@ -34,46 +31,46 @@ fi - -# Reset variables that may have inherited troublesome values from -# the environment. - -# IFS needs to be set, to space, tab, and newline, in precisely that order. -# (If _AS_PATH_WALK were called with IFS unset, it would have the -# side effect of setting IFS to empty, thus disabling word splitting.) -# Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl -IFS=" "" $as_nl" - -PS1='$ ' -PS2='> ' -PS4='+ ' - -# Ensure predictable behavior from utilities with locale-dependent output. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# We cannot yet rely on "unset" to work, but we need these variables -# to be unset--not just set to an empty or harmless value--now, to -# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct -# also avoids known problems related to "unset" and subshell syntax -# in other old shells (e.g. bash 2.01 and pdksh 5.2.14). -for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH -do eval test \${$as_var+y} \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done - -# Ensure that fds 0, 1, and 2 are open. -if (exec 3>&0) 2>/dev/null; then :; else exec 0</dev/null; fi -if (exec 3>&1) 2>/dev/null; then :; else exec 1>/dev/null; fi -if (exec 3>&2) ; then :; else exec 2>/dev/null; fi +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. 
+if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi # The user is always right. -if ${PATH_SEPARATOR+false} :; then +if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || @@ -82,6 +79,13 @@ fi +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( @@ -90,12 +94,8 @@ for as_dir in $PATH do IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - test -r "$as_dir$0" && as_myself=$as_dir$0 && break + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS 
@@ -107,10 +107,30 @@ as_myself=$0 fi if test ! -f "$as_myself"; then - printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. @@ -132,22 +152,20 @@ exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. -printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 -exit 255 +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +as_fn_exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="as_nop=: -if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST -else \$as_nop +else case \`(set -o) 2>/dev/null\` in #(
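Review bot: the generator header moves from `GNU Autoconf 2.71 for firewalld 1.0.2` to `GNU Autoconf 2.69 for firewalld 1.2.1`, and the copyright line from 2020-2021 back to 2012, so the 1.2.1 tarball was bootstrapped with an older autoconf than 1.0.2 was; everything else in this file's diff (the `as_echo`/`printf` fallback block, the IFS and PS1/PS2/PS4 reshuffle, the `as_dir` loop rewrite) is standard generator output for that version and is not worth line-by-line review. Because configure is executed at build time, the meaningful check for a regenerated script is provenance: verify the fetched tarball against the upstream release artifact's checksum before accepting the version bump.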
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/configure.ac -> _service:tar_scm:firewalld-1.2.1.tar.gz/configure.ac
Changed
@@ -141,6 +141,12 @@ AC_PATH_PROG(IPSET, ipset, /bin/false, $FW_TOOLS_PATH)) AC_SUBST(IPSET) +DEFAULT_LOG_TARGET=${DEFAULT_LOG_TARGET:-mixed} +AC_ARG_VAR(DEFAULT_LOG_TARGET, m4_flatten( + Select the default logging backend. One of: mixed, syslog, file, console. + Mixed means both syslog and file targets. Mixed is the default. + )) + ############################################################# AC_SUBST(GETTEXT_PACKAGE, 'PKG_NAME')
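Review bot: `DEFAULT_LOG_TARGET=${DEFAULT_LOG_TARGET:-mixed}` accepts any string; the help text lists the only valid values (mixed, syslog, file, console) but nothing enforces them, so a typo in the environment flows unchecked into the `@DEFAULT_LOG_TARGET@` substitution and only surfaces at daemon start, if at all. Add an `AS_CASE` on the value with an `AC_MSG_ERROR` branch for anything outside those four right after the assignment. The help text could also state that this is the build-time default, overridable at runtime by the `--log-target` option that firewalld.1 gains in this same change.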
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -148,6 +148,8 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -185,16 +187,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -232,8 +232,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -449,6 +449,7 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
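Review bot: generated-file churn only: automake `1.16.4` to `1.16.1`, `ETAGS`/`CTAGS` turning from configure substitutions into literal `etags`/`ctags`, `MSGFMT_015` replacing `MSGMERGE_FOR_MSGFMT_OPTION`, and the new `DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@` line that follows from the configure.ac hunk. The same pattern repeats in the other doc/ Makefile.in files in this change; nothing to act on beyond confirming the build still completes with the older automake output.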
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -148,6 +148,8 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -185,16 +187,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -232,8 +232,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -449,6 +449,7 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man1/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man1/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -158,16 +158,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -205,8 +203,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -373,6 +371,7 @@ cscope cscopelist: + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man1/firewall-applet.1 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man1/firewall-applet.1
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewall-applet .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewall-applet -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALL\-APPLET" "1" "" "firewalld 1.0.2" "firewall-applet" +.TH "FIREWALL\-APPLET" "1" "" "firewalld 1.2.1" "firewall-applet" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -44,7 +44,7 @@ .PP \fB\-h\fR, \fB\-\-help\fR .RS 4 -Prints a short help text and exists\&. +Prints a short help text and exits\&. .RE .SH "QSETTINGS" .PP
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man1/firewall-cmd.1 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man1/firewall-cmd.1
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewall-cmd .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewall-cmd -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALL\-CMD" "1" "" "firewalld 1.0.2" "firewall-cmd" +.TH "FIREWALL\-CMD" "1" "" "firewalld 1.2.1" "firewall-cmd" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -359,7 +359,7 @@ Get the target\&. .RE .PP -\fB\-\-permanent\fR \fB\-\-zone\fR=\fIzone\fR \fB\-\-policy\fR=\fIpolicy\fR \fB\-\-set\-target\fR=\fIzone\fR +\fB\-\-permanent\fR \fB\-\-zone\fR=\fIzone\fR \fB\-\-policy\fR=\fIpolicy\fR \fB\-\-set\-target\fR=\fItarget\fR .RS 4 Set the target\&. .sp @@ -867,7 +867,7 @@ Get the priority\&. .RE .PP -\fB\-\-permanent\fR \fB\-\-policy\fR=\fIpolicy\fR \fB\-\-set\-priority\fR\fIpriority\fR +\fB\-\-permanent\fR \fB\-\-policy\fR=\fIpolicy\fR \fB\-\-set\-priority\fR=\fIpriority\fR .RS 4 Set the priority\&. The priority determines the relative ordering of policies\&. This is an integer value between \-32768 and 32767 where \-1 is the default value for new policies and 0 is reserved for internal use\&. .sp 
@@ -1008,7 +1008,7 @@ .RS 4 If the interface is under control of NetworkManager, it is at first connected to change the zone for the connection that is using the interface\&. If this fails, the zone binding is created in firewalld and the limitations below apply\&. .sp -For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface\&. +For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface\&. .sp Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file\&. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone\&. Only the zone binding is then removed in firewalld then\&. .sp @@ -1277,7 +1277,7 @@ .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-port\fR=\fIportid\fR\-\fIportid\fR/\fIprotocol\fR .RS 4 -Return wether the port has been added to the permanent service\&. +Return whether the port has been added to the permanent service\&. .RE .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-ports\fR @@ -1297,7 +1297,7 @@ .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-protocol\fR=\fIprotocol\fR .RS 4 -Return wether the protocol has been added to the permanent service\&. +Return whether the protocol has been added to the permanent service\&. .RE .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-protocols\fR 
@@ -1317,7 +1317,7 @@ .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-source\-port\fR=\fIportid\fR\-\fIportid\fR/\fIprotocol\fR .RS 4 -Return wether the source port has been added to the permanent service\&. +Return whether the source port has been added to the permanent service\&. .RE .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-source\-ports\fR @@ -1337,7 +1337,7 @@ .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-helper\fR=\fIhelper\fR .RS 4 -Return wether the helper has been added to the permanent service\&. +Return whether the helper has been added to the permanent service\&. .RE .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-service\-helpers\fR @@ -1357,7 +1357,7 @@ .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-destination\fR=\fIipv\fR:\fIaddress\fR/\fImask\fR .RS 4 -Return wether the destination ipv to address/mask has been set in the permanent service\&. +Return whether the destination ipv to address/mask has been set in the permanent service\&. .RE .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-destinations\fR @@ -1377,7 +1377,7 @@ .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-include\fR=\fIservice\fR .RS 4 -Return wether the include has been added to the permanent service\&. +Return whether the include has been added to the permanent service\&. .RE .PP \fB\-\-permanent\fR \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-includes\fR @@ -1475,7 +1475,7 @@ .PP \fB\-\-permanent\fR \fB\-\-helper\fR=\fIhelper\fR \fB\-\-query\-port\fR=\fIportid\fR\-\fIportid\fR/\fIprotocol\fR .RS 4 -Return wether the port has been added to the permanent helper\&. +Return whether the port has been added to the permanent helper\&. .RE .PP \fB\-\-permanent\fR \fB\-\-helper\fR=\fIhelper\fR \fB\-\-get\-ports\fR @@ -2125,6 +2125,9 @@ l r l r l r +l r +l r +l r l r. T{ ALREADY_ENABLED 
@@ -2472,6 +2475,21 @@ 140 T} T{ +INVALID_LOG_PREFIX +T}:T{ +141 +T} +T{ +INVALID_NFLOG_GROUP +T}:T{ +142 +T} +T{ +INVALID_NFLOG_QUEUE +T}:T{ +143 +T} +T{ MISSING_TABLE T}:T{ 200
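Review bot: the three `l r` rows added to the tbl preamble match the three new exit codes (`INVALID_LOG_PREFIX` 141, `INVALID_NFLOG_GROUP` 142, `INVALID_NFLOG_QUEUE` 143), and they are inserted in numeric order before `MISSING_TABLE` 200, so the table stays well-formed; please double-check those values against the errors module of the 1.2.1 source, since the man page is the only place they appear in this diff. The `--set-target=\fItarget\fR` and `--set-priority=\fIpriority\fR` changes are genuine documentation fixes (the old text said `=zone` and omitted the `=` respectively).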
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man1/firewall-config.1 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man1/firewall-config.1
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewall-config .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewall-config -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALL\-CONFIG" "1" "" "firewalld 1.0.2" "firewall-config" +.TH "FIREWALL\-CONFIG" "1" "" "firewalld 1.2.1" "firewall-config" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man1/firewall-offline-cmd.1 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man1/firewall-offline-cmd.1
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewall-offline-cmd .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewall-offline-cmd -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALL\-OFFLINE\-C" "1" "" "firewalld 1.0.2" "firewall-offline-cmd" +.TH "FIREWALL\-OFFLINE\-C" "1" "" "firewalld 1.2.1" "firewall-offline-cmd" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -60,7 +60,7 @@ .PP \fB\-h\fR, \fB\-\-help\fR .RS 4 -Prints a short help text and exists\&. +Prints a short help text and exits\&. .RE .PP \fB\-V\fR, \fB\-\-version\fR @@ -427,7 +427,7 @@ Get the target\&. .RE .PP -\fB\-\-zone\fR=\fIzone\fR \fB\-\-policy\fR=\fIpolicy\fR \fB\-\-set\-target\fR=\fIzone\fR +\fB\-\-zone\fR=\fIzone\fR \fB\-\-policy\fR=\fIpolicy\fR \fB\-\-set\-target\fR=\fItarget\fR .RS 4 Set the target\&. .sp @@ -1165,7 +1165,7 @@ .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-port\fR=\fIportid\fR\-\fIportid\fR/\fIprotocol\fR .RS 4 -Return wether the port has been added to the permanent service\&. +Return whether the port has been added to the permanent service\&. .RE .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-ports\fR @@ -1185,7 +1185,7 @@ .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-protocol\fR=\fIprotocol\fR .RS 4 -Return wether the protocol has been added to the permanent service\&. +Return whether the protocol has been added to the permanent service\&. .RE .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-protocols\fR 
@@ -1205,7 +1205,7 @@ .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-source\-port\fR=\fIportid\fR\-\fIportid\fR/\fIprotocol\fR .RS 4 -Return wether the source port has been added to the permanent service\&. +Return whether the source port has been added to the permanent service\&. .RE .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-source\-ports\fR @@ -1225,7 +1225,7 @@ .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-helper\fR=\fIhelper\fR .RS 4 -Return wether the helper has been added to the permanent service\&. +Return whether the helper has been added to the permanent service\&. .RE .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-service\-helpers\fR @@ -1245,7 +1245,7 @@ .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-destination\fR=\fIipv\fR:\fIaddress\fR/\fImask\fR .RS 4 -Return wether the destination ipv to address/mask has been set in the permanent service\&. +Return whether the destination ipv to address/mask has been set in the permanent service\&. .RE .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-destinations\fR @@ -1265,7 +1265,7 @@ .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-query\-include\fR=\fIservice\fR .RS 4 -Return wether the include has been added to the permanent service\&. +Return whether the include has been added to the permanent service\&. .RE .PP \fB\-\-service\fR=\fIservice\fR \fB\-\-get\-includes\fR @@ -1363,7 +1363,7 @@ .PP \fB\-\-helper\fR=\fIhelper\fR \fB\-\-query\-port\fR=\fIportid\fR\-\fIportid\fR/\fIprotocol\fR .RS 4 -Return wether the port has been added to the permanent helper\&. +Return whether the port has been added to the permanent helper\&. .RE .PP \fB\-\-helper\fR=\fIhelper\fR \fB\-\-get\-ports\fR
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man1/firewalld.1 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man1/firewalld.1
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD" "1" "" "firewalld 1.0.2" "firewalld" +.TH "FIREWALLD" "1" "" "firewalld 1.2.1" "firewalld" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -41,7 +41,7 @@ .PP \fB\-h\fR, \fB\-\-help\fR .RS 4 -Prints a short help text and exists\&. +Prints a short help text and exits\&. .RE .PP \fB\-\-default\-config\fR @@ -53,8 +53,7 @@ \fB\-\-debug\fR=\fIlevel\fR .RS 4 Set the debug level for firewalld to -\fIlevel\fR\&. The range of the debug level is 1 (lowest level) to 10 (highest level)\&. The debug output will be written to the firewalld log file -\fI/var/log/firewalld\fR\&. +\fIlevel\fR\&. The range of the debug level is 1 (lowest level) to 10 (highest level)\&. The debug output will be written to the firewalld log file specified by \-\-log\-file\&. .RE .PP \fB\-\-debug\-gc\fR 
@@ -62,6 +61,17 @@ Print garbage collector leak information\&. The collector runs every 10 seconds and if there are leaks, it prints information about the leaks\&. .RE .PP +\fB\-\-log\-target\fR +.RS 4 +Define the output target to which log messages are written\&. In mixed mode, Firewalld writes info\-level log messages to syslog\&. Debug messages are written to a file (see the \-\-log\-file parameter)\&. Info messages also go to stdout and stderr\&. The syslog, file or console modes write all messages to the one configured target only\&. +.RE +.PP +\fB\-\-log\-file\fR +.RS 4 +Define the file where debug messages are written to\&. The default file is +\fI/var/log/firewalld\fR\&. +.RE +.PP \fB\-\-nofork\fR .RS 4 Turn off daemon forking\&. Force firewalld to run as a foreground process instead of as a daemon in the background\&.
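Review bot: the new `--log-target` and `--log-file` entries are documented without their argument, unlike `\fB\-\-debug\fR=\fIlevel\fR` just above; write them as `\fB\-\-log\-target\fR=\fItarget\fR` and `\fB\-\-log\-file\fR=\fIfile\fR`, and list the accepted targets (mixed, syslog, file, console, as the configure.ac hunk in this change enumerates them), since the text describes only mixed mode and then refers to "the syslog, file or console modes" without ever naming them as values. "Info messages also go to stdout and stderr" is ambiguous about which level goes to which stream; say so explicitly. The `--debug` change pointing at `--log-file` for the debug log location is consistent with the default `/var/log/firewalld` now being stated only under `--log-file`.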
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -158,16 +158,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -205,8 +203,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -373,6 +371,7 @@ cscope cscopelist: + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.conf.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.conf.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.conf .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.conf -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.CONF" "5" "" "firewalld 1.0.2" "firewalld.conf" +.TH "FIREWALLD\&.CONF" "5" "" "firewalld 1.2.1" "firewalld.conf" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -78,7 +78,7 @@ .PP \fBIndividualCalls\fR .RS 4 -If this option is disabled (it is by default), combined \-restore calls are used and not individual calls to apply changes to the firewall\&. The use of individiual calls increases the time that is needed to apply changes and to start the daemon, but is good for debugging as error messages are more specific\&. +If this option is disabled (it is by default), combined \-restore calls are used and not individual calls to apply changes to the firewall\&. The use of individual calls increases the time that is needed to apply changes and to start the daemon, but is good for debugging as error messages are more specific\&. .RE .PP \fBLogDenied\fR
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.dbus.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.dbus.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.dbus .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.dbus -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.DBUS" "5" "" "firewalld 1.0.2" "firewalld.dbus" +.TH "FIREWALLD\&.DBUS" "5" "" "firewalld 1.2.1" "firewalld.dbus" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -210,7 +210,7 @@ .PP getLogDenied() → s .RS 4 -Retruns the LogDenied value\&. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones\&. Possible values are: +Returns the LogDenied value\&. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones\&. Possible values are: \fIall\fR, \fIunicast\fR, \fIbroadcast\fR, @@ -231,7 +231,7 @@ .RS 4 Return runtime settings of given \fIservice\fR\&. For getting permanent settings see -org\&.fedoraproject\&.FirewallD1\&.config\&.service\&.Methods\&.getSettings2\&. Settings are a dictionary indexed by keywords\&. For the type of each value see below\&. If the value is empty it may be ommitted\&. +org\&.fedoraproject\&.FirewallD1\&.config\&.service\&.Methods\&.getSettings2\&. Settings are a dictionary indexed by keywords\&. For the type of each value see below\&. If the value is empty it may be omitted\&. .PP \fIversion (s)\fR: see \fIversion\fR attribute of \fIservice\fR tag in \fBfirewalld.service\fR(5)\&. .RS 4 
@@ -466,7 +466,7 @@ .RE .SS "org\&.fedoraproject\&.FirewallD1\&.ipset" .PP -Operations in this interface allows to get, add, remove and query runtime ipset settings\&. For permanent configuration see +Operations in this interface allows one to get, add, remove and query runtime ipset settings\&. For permanent configuration see org\&.fedoraproject\&.FirewallD1\&.config\&.ipset interface\&. .sp @@ -499,7 +499,7 @@ Possible errors: INVALID_IPSET, IPSET_WITH_TIMEOUT .RE .PP -getSettings(s: ipset) → (ssssa{ss}as) +getIPSetSettings(s: ipset) → (ssssa{ss}as) .RS 4 Return runtime settings of given \fIipset\fR\&. For getting permanent settings see @@ -1075,7 +1075,7 @@ .PP PassthroughAdded(s: ipv, as: args) .RS 4 -Emitted when a tracked passthruogh rule with +Emitted when a tracked passthrough rule with \fIargs\fR has been added for \fIipv\fR @@ -1403,7 +1403,7 @@ .RE .SS "org\&.fedoraproject\&.FirewallD1\&.zone" .PP -Operations in this interface allows to get, add, remove and query runtime zone\*(Aqs settings\&. For permanent settings see +Operations in this interface allows one to get, add, remove and query runtime zone\*(Aqs settings\&. For permanent settings see org\&.fedoraproject\&.FirewallD1\&.config\&.zone interface\&. .sp @@ -2451,7 +2451,7 @@ .RE .SS "org\&.fedoraproject\&.FirewallD1\&.policy" .PP -Operations in this interface allows to get, add, remove and query runtime policy settings\&. For permanent settings see +Operations in this interface allows one to get, add, remove and query runtime policy settings\&. For permanent settings see org\&.fedoraproject\&.FirewallD1\&.config\&.policy interface\&. .sp @@ -2520,7 +2520,7 @@ .RE .SS "org\&.fedoraproject\&.FirewallD1\&.config" .PP -Allows to permanently add, remove and query zones, services and icmp types\&. +Allows one to permanently add, remove and query zones, services and icmp types\&. .sp .it 1 an-trap .nr an-no-space-flag 1 
@@ -3847,7 +3847,7 @@ .PP getSettings() → (ssssa{ss}as) .RS 4 -Return permament settings of the ipset\&. For getting runtime settings see +Return permanent settings of the ipset\&. For getting runtime settings see org\&.fedoraproject\&.FirewallD1\&.ipset\&.Methods\&.getIPSetSettings\&. Settings are in format: \fIversion\fR, \fIname\fR, @@ -5289,7 +5289,7 @@ .RS 4 Return runtime settings of given \fIservice\fR\&. For getting runtime settings see -org\&.fedoraproject\&.FirewallD1\&.Methods\&.getServiceSettings2\&. Settings are a dictionary indexed by keywords\&. For the type of each value see below\&. If the value is empty it may be ommitted\&. +org\&.fedoraproject\&.FirewallD1\&.Methods\&.getServiceSettings2\&. Settings are a dictionary indexed by keywords\&. For the type of each value see below\&. If the value is empty it may be omitted\&. .PP \fIversion (s)\fR: see \fIversion\fR attribute of \fIservice\fR tag in \fBfirewalld.service\fR(5)\&. .RS 4
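Review bot: the `getSettings(s: ipset)` to `getIPSetSettings(s: ipset)` change in the `.ipset` interface hunk (@@ -499) reads as a documentation correction rather than a D-Bus API rename, because the unchanged cross-reference in the config.ipset hunk at @@ -3847 already points at `org.fedoraproject.FirewallD1.ipset.Methods.getIPSetSettings`; say so in the commit message so packagers do not treat it as a breaking interface change, and check the rest of the `.ipset` method list for other stale `getSettings` mentions.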
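Review bot: the @@ -5289 hunk fixes "ommitted" but leaves the sentence it sits in self-contradictory: the unchanged context reads "Return runtime settings of given service. For getting runtime settings see org.fedoraproject.FirewallD1.Methods.getServiceSettings2", yet this is the permanent config.service interface, as the matching runtime hunk at @@ -231 shows ("Return runtime settings ... For getting permanent settings see ... config.service"). The first sentence should say permanent settings, the way the @@ -3847 ipset hunk does with "Return permanent settings of the ipset".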
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.direct.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.direct.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.direct .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.direct -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.DIRECT" "5" "" "firewalld 1.0.2" "firewalld.direct" +.TH "FIREWALLD\&.DIRECT" "5" "" "firewalld 1.2.1" "firewalld.direct" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -58,7 +58,7 @@ in \fBfirewall-cmd\fR(1)\&. .PP -A firewalld direct configuration file contains informations about permanent direct chains, rules and passthrough \&.\&.\&. +A firewalld direct configuration file contains information about permanent direct chains, rules and passthrough \&.\&.\&. .PP This is the structure of a direct configuration file: .sp
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.helper.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.helper.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.helper .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.helper -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.HELPER" "5" "" "firewalld 1.0.2" "firewalld.helper" +.TH "FIREWALLD\&.HELPER" "5" "" "firewalld 1.2.1" "firewalld.helper" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.icmptype.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.icmptype.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.icmptype .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.icmptype -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.ICMPTYPE" "5" "" "firewalld 1.0.2" "firewalld.icmptype" +.TH "FIREWALLD\&.ICMPTYPE" "5" "" "firewalld 1.2.1" "firewalld.icmptype" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.ipset.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.ipset.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.ipset .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.ipset -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.IPSET" "5" "" "firewalld 1.0.2" "firewalld.ipset" +.TH "FIREWALLD\&.IPSET" "5" "" "firewalld 1.2.1" "firewalld.ipset" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.lockdown-whitelist.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.lockdown-whitelist.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.lockdown-whitelist .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.lockdown-whitelist -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.LOCKDOWN" "5" "" "firewalld 1.0.2" "firewalld.lockdown-whitelist" +.TH "FIREWALLD\&.LOCKDOWN" "5" "" "firewalld 1.2.1" "firewalld.lockdown-whitelist" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.policies.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.policies.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.policies .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.policies -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.POLICIES" "5" "" "firewalld 1.0.2" "firewalld.policies" +.TH "FIREWALLD\&.POLICIES" "5" "" "firewalld 1.2.1" "firewalld.policies" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.policy.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.policy.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.policy .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.policy -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.POLICY" "5" "" "firewalld 1.0.2" "firewalld.policy" +.TH "FIREWALLD\&.POLICY" "5" "" "firewalld 1.2.1" "firewalld.policy" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -66,9 +66,9 @@ <forward\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" to\-port="\fIportid\fR\-\fIportid\fR" to\-addr="\fIIP address\fR"/> <source\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> - <rule family="\fIipv4\fR|\fIipv6\fR"> + <rule family="\fIipv4\fR|\fIipv6\fR" priority="\fIpriority\fR"> <source address="\fIaddress\fR/\fImask\fR"|mac="\fIMAC\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> - <destination address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> + <destination address="\fIaddress\fR/\fImask\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> <service name="\fIstring\fR"/> | <port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> | 
@@ -78,7 +78,10 @@ <masquerade/> | <forward\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" to\-port="\fIportid\fR\-\fIportid\fR" to\-addr="\fIaddress\fR"/> - <log prefix="\fIprefixtext\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> + + <log prefix="\fIprefix text\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> | + <nflog group="\fIgroup id\fR" prefix="\fIprefix text\fR" queue\-size="\fIthreshold\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </nflog> + <audit> <limit value="\fIrate\fR/\fIduration\fR"/> </audit> <accept> <limit value="\fIrate\fR/\fIduration\fR"/> </accept> | @@ -281,9 +284,9 @@ .RS 4 .\} .nf -<rule family="\fIipv4\fR|\fIipv6\fR"> - <source address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> - <destination address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> +<rule family="\fIipv4\fR|\fIipv6\fR" priority="\fIpriority\fR"> + <source address="\fIaddress\fR/\fImask\fR"|mac="\fIMAC\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> + <destination address="\fIaddress\fR/\fImask\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> <service name="\fIstring\fR"/> | <port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> | 
@@ -294,7 +297,10 @@ <forward\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" to\-port="\fIportid\fR\-\fIportid\fR" to\-addr="\fIaddress\fR"/> | <source\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> | - <log prefix="\fIprefixtext\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"/> <limit value="\fIrate\fR/\fIduration\fR"/> </log> + + <log prefix="\fIprefix text\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> | + <nflog group="\fIgroup id\fR" prefix="\fIprefix text\fR" queue\-size="\fIthreshold\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </nflog> + <audit> <limit value="\fIrate\fR/\fIduration\fR"/> </audit> <accept> <limit value="\fIrate\fR/\fIduration\fR"/> </accept> | @@ -315,9 +321,12 @@ .RS 4 .\} .nf -<rule family="\fIipv4\fR|\fIipv6\fR"> - <source address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> - <log prefix="\fIprefixtext\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"/> <limit value="\fIrate\fR/\fIduration\fR"/> </log> +<rule family="\fIipv4\fR|\fIipv6\fR" priority="\fIpriority\fR"> + <source address="\fIaddress\fR/\fImask\fR"|mac="\fIMAC\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> + + <log prefix="\fIprefix text\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> | + <nflog group="\fIgroup id\fR" prefix="\fIprefix text\fR" queue\-size="\fIthreshold\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </nflog> + <audit> <limit value="\fIrate\fR/\fIduration\fR"/> </audit> <accept> <limit value="\fIrate\fR/\fIduration\fR"/> </accept> | <reject type="\fIrejecttype\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </reject> |
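Review bot: the three syntax hunks (@@ -78, @@ -294 and @@ -315) each add an empty `+` line ahead of the new `<log ...>` entry inside a `.nf` block, which renders as a stray blank line in the middle of the rule grammar; drop it so the listing stays contiguous. The content change itself is sound: the old `<log ... "/> <limit .../> </log>` in the second and third hunks was self-closing and then closed again, and the new lines also document `priority` on `<rule>`, `ipset=` on `<destination>` and the `<nflog group prefix queue-size>` alternative next to `<log>`.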
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.richlanguage.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.richlanguage.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.richlanguage .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.richlanguage -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.RICHLANG" "5" "" "firewalld 1.0.2" "firewalld.richlanguage" +.TH "FIREWALLD\&.RICHLANG" "5" "" "firewalld 1.2.1" "firewalld.richlanguage" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -50,7 +50,7 @@ source destination service|port|protocol|icmp\-block|icmp\-type|masquerade|forward\-port|source\-port - log + log|nflog audit accept|reject|drop|mark @@ -69,7 +69,7 @@ .nf rule source - log + log|nflog audit accept|reject|drop|mark 
@@ -97,7 +97,7 @@ .PP If the rule family is provided, it can be either "ipv4" or "ipv6", which limits the rule to IPv4 or IPv6\&. If the rule family is not provided, the rule will be added for IPv4 and IPv6\&. If source or destination addresses are used in a rule, then the rule family need to be provided\&. This is also the case for port/packet forwarding\&. .PP -If the rule priority is provided, it can be in the range of \-32768 to 32767 where lower values have higher precendence\&. Rich rules are sorted by priority\&. Ordering for rules with the same priority value is undefined\&. A negative priority value will be executed before other firewalld primitives\&. A positive priority value will be executed after other firewalld primitives\&. A priority value of 0 will place the rule in a chain based on the action as per the "Information about logging and actions" below\&. +If the rule priority is provided, it can be in the range of \-32768 to 32767 where lower values have higher precedence\&. Rich rules are sorted by priority\&. Ordering for rules with the same priority value is undefined\&. A negative priority value will be executed before other firewalld primitives\&. A positive priority value will be executed after other firewalld primitives\&. A priority value of 0 will place the rule in a chain based on the action as per the "Information about logging and actions" below\&. .SS "Source" .PP .if n \{\ @@ -156,7 +156,7 @@ .RS 4 .\} .nf -port port="port value" protocol="tcp|udp" +port port="port value" protocol="tcp|udp|sctp|dccp" .fi .if n \{\ @@ -169,9 +169,11 @@ \fIportid\fR or a port range \fIportid\fR\-\fIportid\fR\&. The protocol can either be -\fItcp\fR +\fItcp\fR, +\fIudp\fR, +\fIsctp\fR or -\fIudp\fR\&. +\fIdccp\fR\&. .SS "Protocol" .PP .if n \{\ 
@@ -260,7 +262,7 @@ .RS 4 .\} .nf -forward\-port port="port value" protocol="tcp|udp" to\-port="port value" to\-addr="address" +forward\-port port="port value" protocol="tcp|udp|sctp|dccp" to\-port="port value" to\-addr="address" .fi .if n \{\ @@ -272,7 +274,12 @@ The port value can either be a single port number or a port range \fIportid\-portid\fR\&. The \fBto\-addr\fR -is an IP address\&. +is an IP address\&. The protocol can either be +\fItcp\fR, +\fIudp\fR, +\fIsctp\fR +or +\fIdccp\fR\&. .PP It is not allowed to specify an action here\&. forward\-port uses the action accept internally\&. .PP @@ -286,7 +293,7 @@ .RS 4 .\} .nf -source\-port port="port value" protocol="tcp|udp" +source\-port port="port value" protocol="tcp|udp|sctp|dccp" .fi .if n \{\ @@ -299,9 +306,11 @@ \fIportid\fR or a port range \fIportid\fR\-\fIportid\fR\&. The protocol can either be -\fItcp\fR +\fItcp\fR, +\fIudp\fR, +\fIsctp\fR or -\fIudp\fR\&. +\fIdccp\fR\&. .SS "Log" .PP .if n \{\ 
@@ -315,11 +324,54 @@ .RE .\} .PP -Log new connection attempts to the rule with kernel logging for example in syslog\&. You can define a prefix text that will be added to the log message as a prefix\&. Log level can be one of "\fBemerg\fR", "\fBalert\fR", "\fBcrit\fR", "\fBerror\fR", "\fBwarning\fR", "\fBnotice\fR", "\fBinfo\fR" or "\fBdebug\fR", where default (i\&.e\&. if there\*(Aqs no one specified) is "\fBwarning\fR"\&. See +Log new connection attempts to the rule with kernel logging for example in syslog\&. You can define a prefix text with a maximum length of 127 characters that will be added to the log message as a prefix\&. Log level can be one of "\fBemerg\fR", "\fBalert\fR", "\fBcrit\fR", "\fBerror\fR", "\fBwarning\fR", "\fBnotice\fR", "\fBinfo\fR" or "\fBdebug\fR", where default (i\&.e\&. if there\*(Aqs no one specified) is "\fBwarning\fR"\&. See \fBsyslog\fR(3) for description of levels\&. See Limit section for description of \fBlimit\fR tag\&. +.PP +\fINote:\fR +The iptables backend truncates prefix to 29 characters\&. +.SS "NFLog" +.PP +.if n \{\ +.RS 4 +.\} +.nf +nflog group="group id" prefix="prefix text" queue\-size="threshold" limit value="rate/duration" + +.fi +.if n \{\ +.RE +.\} +.PP +Log new connection attempts to the rule using kernel logging to pass the packets through a \*(Aqnetlink\*(Aq socket to users or applications monitoring the multicast +\fBgroup\fR\&. The minimum and default value for +\fBgroup\fR +is 0, maximum value is 65535\&. See NETLINK_NETFILTER in +\fBnetlink\fR(7) +man page and NFLOG in both +\fBiptables-extensions\fR(8) +and +\fBnft\fR(8) +man pages for a more detailed description\&. +.PP +You can define a prefix text with a maximum length of 127 characters that will be added to the log message as a prefix\&. The +\fBqueue\-size\fR +option can be set to increase the queue threshold which can help limit context switching\&. The default value for +\fBqueue\-size\fR +is 1, maximum value is 65535\&. 
See +\fBiptables-extensions\fR(8) +and +\fBnft\fR(8) +for more details\&. +.PP +See Limit section for description of +\fBlimit\fR +tag\&. +.PP +\fINote:\fR +The iptables backend truncates prefix to 63 characters\&. .SS "Audit" .PP .if n \{\ @@ -423,10 +475,10 @@ .RE .\} .PP -It is possible to limit Log, Audit and Action\&. A rule using this tag will match until this limit is reached\&. The rate is a natural positive number 1, \&.\&. The duration is of "s", "m", "h", "d"\&. "s" means seconds, "m" minutes, "h" hours and "d" days\&. Maximum limit value is "2/d", which means at maximum two matches per day\&. +It is possible to limit Log, NFLog, Audit and Action\&. A rule using this tag will match until this limit is reached\&. The rate is a natural positive number 1, \&.\&. The duration is of "s", "m", "h", "d"\&. "s" means seconds, "m" minutes, "h" hours and "d" days\&. Maximum limit value is "2/d", which means at maximum two matches per day\&. .SS "Information about logging and actions" .PP -Logging can be done with the log and audit actions\&. A new chain is added to all zones: zone_log\&. This will be jumped into before the deny chain to be able to have a proper ordering\&. +Logging can be done with the log, nflog and audit actions\&. A new chain is added to all zones: zone_log\&. This will be jumped into before the deny chain to be able to have a proper ordering\&. .PP The rules or parts of them are placed in separate chains according to the priority and action of the rule: .PP 
@@ -450,7 +502,8 @@ \fIzone\fR_pre chain\&. .PP When -\fIpriority == 0\fRThen all logging rules will be placed in the +\fIpriority == 0\fR +Then all logging rules will be placed in the \fIzone\fR_log chain\&. All reject and drop rules will be placed in the \fIzone\fR_deny chain, which will be walked after the log chain\&. All accept rules will be placed in the \fIzone\fR_allow chain, which will be walked after the deny chain\&. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains\&.
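Review bot: the Log/NFLog hunk (@@ -315) documents a 127-character maximum for `prefix` and then, in two trailing `Note:` lines, says the iptables backend truncates it to 29 characters for `log` and 63 for `nflog`; anyone matching on that prefix in a log pipeline needs to know that a prefix accepted under nftables is silently cut under iptables, so the limits belong in the sentence that introduces the prefix rather than in footnotes after the section. In the same hunk, the Log paragraph's level names ("error", "warning") do not match the `err|warn` spellings used in the firewalld.policy and firewalld.zone syntax hunks elsewhere in this change; align the two or state that both spellings are accepted.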
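Review bot: the @@ -450 hunk splits `\fIpriority == 0\fRThen` across two lines, which restores the missing space, but "Then" is still capitalised mid-sentence ("When priority == 0 Then all logging rules will be placed ..."); lower-case it to match the surrounding prose.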
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.service.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.service.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.service .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.service -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.SERVICE" "5" "" "firewalld 1.0.2" "firewalld.service" +.TH "FIREWALLD\&.SERVICE" "5" "" "firewalld 1.2.1" "firewalld.service" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.zone.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.zone.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.zone .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.zone -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.ZONE" "5" "" "firewalld 1.0.2" "firewalld.zone" +.TH "FIREWALLD\&.ZONE" "5" "" "firewalld 1.2.1" "firewalld.zone" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -68,9 +68,9 @@ <forward\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" to\-port="\fIportid\fR\-\fIportid\fR" to\-addr="\fIIP address\fR"/> <source\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> - <rule family="\fIipv4\fR|\fIipv6\fR"> + <rule family="\fIipv4\fR|\fIipv6\fR" priority="\fIpriority\fR"> <source address="\fIaddress\fR/\fImask\fR"|mac="\fIMAC\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> - <destination address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> + <destination address="\fIaddress\fR/\fImask\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> <service name="\fIstring\fR"/> | <port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> | 
@@ -80,7 +80,10 @@ <masquerade/> | <forward\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" to\-port="\fIportid\fR\-\fIportid\fR" to\-addr="\fIaddress\fR"/> - <log prefix="\fIprefixtext\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> + + <log prefix="\fIprefix text\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> | + <nflog group="\fIgroup id\fR" prefix="\fIprefix text\fR" queue\-size="\fIthreshold\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </nflog> + <audit> <limit value="\fIrate\fR/\fIduration\fR"/> </audit> <accept> <limit value="\fIrate\fR/\fIduration\fR"/> </accept> | @@ -317,9 +320,9 @@ .RS 4 .\} .nf -<rule family="\fIipv4\fR|\fIipv6\fR"> - <source address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> - <destination address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> +<rule family="\fIipv4\fR|\fIipv6\fR" priority="\fIpriority\fR"> + <source address="\fIaddress\fR/\fImask\fR"|mac="\fIMAC\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> + <destination address="\fIaddress\fR/\fImask\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> <service name="\fIstring\fR"/> | <port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> | 
@@ -330,7 +333,10 @@ <forward\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" to\-port="\fIportid\fR\-\fIportid\fR" to\-addr="\fIaddress\fR"/> | <source\-port port="\fIportid\fR\-\fIportid\fR" protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR"/> | - <log prefix="\fIprefixtext\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"/> <limit value="\fIrate\fR/\fIduration\fR"/> </log> + + <log prefix="\fIprefix text\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> | + <nflog group="\fIgroup id\fR" prefix="\fIprefix text\fR" queue\-size="\fIthreshold\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </nflog> + <audit> <limit value="\fIrate\fR/\fIduration\fR"/> </audit> <accept> <limit value="\fIrate\fR/\fIduration\fR"/> </accept> | @@ -351,9 +357,12 @@ .RS 4 .\} .nf -<rule family="\fIipv4\fR|\fIipv6\fR"> - <source address="\fIaddress\fR/\fImask\fR" invert="\fITrue\fR"/> - <log prefix="\fIprefixtext\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"/> <limit value="\fIrate\fR/\fIduration\fR"/> </log> +<rule family="\fIipv4\fR|\fIipv6\fR" priority="\fIpriority\fR"> + <source address="\fIaddress\fR/\fImask\fR"|mac="\fIMAC\fR"|ipset="\fIipset\fR" invert="\fITrue\fR"/> + + <log prefix="\fIprefix text\fR" level="\fIemerg\fR|\fIalert\fR|\fIcrit\fR|\fIerr\fR|\fIwarn\fR|\fInotice\fR|\fIinfo\fR|\fIdebug\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </log> | + <nflog group="\fIgroup id\fR" prefix="\fIprefix text\fR" queue\-size="\fIthreshold\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </nflog> + <audit> <limit value="\fIrate\fR/\fIduration\fR"/> </audit> <accept> <limit value="\fIrate\fR/\fIduration\fR"/> </accept> | <reject type="\fIrejecttype\fR"> <limit value="\fIrate\fR/\fIduration\fR"/> </reject> |
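Review bot: each of the @@ -80, @@ -330 and @@ -351 hunks inserts an empty `+` line before the new `<log ...>` entry inside the `.nf` listing, exactly as the corresponding firewalld.policy.5 hunks in this change do; remove it in both files. Since firewalld.zone.5 and firewalld.policy.5 carry identical rule-grammar blocks, every addition such as `<nflog>` or `priority=` has to be applied twice, and a shared DocBook include for the grammar would stop the two pages from drifting apart.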
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/man/man5/firewalld.zones.5 -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/man/man5/firewalld.zones.5
Changed
@@ -1,13 +1,13 @@ '\" t .\" Title: firewalld.zones .\" Author: Thomas Woerner <twoerner@redhat.com> -.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> .\" Date: .\" Manual: firewalld.zones -.\" Source: firewalld 1.0.2 +.\" Source: firewalld 1.2.1 .\" Language: English .\" -.TH "FIREWALLD\&.ZONES" "5" "" "firewalld 1.0.2" "firewalld.zones" +.TH "FIREWALLD\&.ZONES" "5" "" "firewalld 1.2.1" "firewalld.zones" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -68,9 +68,11 @@ .RS 4 .PP Definition of -\fItcp\fR +\fItcp\fR, +\fIudp\fR, +\fIsctp\fR or -\fIudp\fR +\fIdccp\fR ports, where ports can be a single port or a port range\&. .RE .sp @@ -208,7 +210,7 @@ \fBnm\-connection\-editor\fR to change the zone\&. .PP -For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface\&. +For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface\&. .PP Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file\&. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone\&. Only the zone binding is then removed in firewalld then\&. .SH "SEE ALSO"
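Review bot: the @@ -208 hunk corrects "addion" to "addition", but the context sentence two lines below, "Only the zone binding is then removed in firewalld then.", still carries a duplicated "then"; worth fixing in the same pass.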
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -159,16 +159,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -206,8 +204,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -462,6 +460,7 @@ cscope cscopelist: + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
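Review bot: this doc/xml/Makefile.in carries the same toolchain regression as the other Makefile.in in this change (automake 1.16.4 to 1.16.1, `MSGMERGE_FOR_MSGFMT_OPTION` replaced by `MSGFMT_015`, `CSCOPE`, `CTAGS` and `ETAGS` removed), which is consistent with a tarball regenerated on an older autotools rather than a hand edit; verify the packaged tarball against the upstream release checksum before merging. The only functional change here is the new `DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@` substitution.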
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/errorcodes.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/errorcodes.xml
Changed
@@ -67,6 +67,9 @@ <row><entry>INVALID_HELPER</entry><entry>138</entry></row> <row><entry>INVALID_PRIORITY</entry><entry>139</entry></row> <row><entry>INVALID_POLICY</entry><entry>140</entry></row> +<row><entry>INVALID_LOG_PREFIX</entry><entry>141</entry></row> +<row><entry>INVALID_NFLOG_GROUP</entry><entry>142</entry></row> +<row><entry>INVALID_NFLOG_QUEUE</entry><entry>143</entry></row> <row><entry>MISSING_TABLE</entry><entry>200</entry></row> <row><entry>MISSING_CHAIN</entry><entry>201</entry></row> <row><entry>MISSING_PORT</entry><entry>202</entry></row>
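Review bot: the three new codes INVALID_LOG_PREFIX (141), INVALID_NFLOG_GROUP (142) and INVALID_NFLOG_QUEUE (143) appear only in this documentation table; no source change that raises them is visible in the diff, so check that the numbers match the errors module of the 1.2.1 tarball and that they stay in the contiguous 1xx "invalid value" block. They correspond to the prefix length, group range and queue-size range limits introduced in the new NFLog section of firewalld.richlanguage.xml, so a short cross-reference from that page to these codes would help a client map a D-Bus error back to the offending rich rule attribute.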
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewall-applet.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewall-applet.xml
Changed
@@ -73,7 +73,7 @@ <term><option>--help</option></term> <listitem> <para> - Prints a short help text and exists. + Prints a short help text and exits. </para> </listitem> </varlistentry>
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewall-cmd.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewall-cmd.xml
Changed
@@ -523,7 +523,7 @@ </varlistentry> <varlistentry> - <term><option>--permanent</option> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <optional><option>--policy</option>=<replaceable>policy</replaceable></optional> <option>--set-target</option>=<replaceable>zone</replaceable></term> + <term><option>--permanent</option> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <optional><option>--policy</option>=<replaceable>policy</replaceable></optional> <option>--set-target</option>=<replaceable>target</replaceable></term> <listitem> <para> Set the target. @@ -1062,7 +1062,7 @@ </varlistentry> <varlistentry> - <term><option>--permanent</option> <option>--policy</option>=<replaceable>policy</replaceable> <option>--set-priority</option><replaceable>priority</replaceable></term> + <term><option>--permanent</option> <option>--policy</option>=<replaceable>policy</replaceable> <option>--set-priority</option>=<replaceable>priority</replaceable></term> <listitem> <para> Set the priority. The priority determines the relative ordering of 
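Review bot: every hunk in this file is repeated verbatim in firewall-cmd.xml.in further down; going by the .in suffix, this .xml is the configure-time product of that template, so only the .xml.in copy needs a close read and the two must stay identical or a fix applied to one alone is lost at the next regeneration. On the substance, the @@ -523 hunk correctly changes the --set-target placeholder from "zone" to "target", and the @@ -1062 hunk adds the "=" that --set-priority was missing, bringing it in line with every other --set-* term in the synopsis.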
@@ -1252,7 +1252,7 @@ If the interface is under control of NetworkManager, it is at first connected to change the zone for the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply. </para> <para> - For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface. + For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface. </para> <para> Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld then. @@ -1631,7 +1631,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the port has been added to the permanent service. + Return whether the port has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1664,7 +1664,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-protocol</option>=<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the protocol has been added to the permanent service. + Return whether the protocol has been added to the permanent service. </para> </listitem> </varlistentry> 
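Review bot: the last context line of the @@ -1252 hunk still has the doubled "then" in "Only the zone binding is then removed in firewalld then."; since the hunk is already touching this paragraph for "addion", suggest "Only the zone binding is then removed in firewalld." The "wether" corrections in the @@ -1631 and @@ -1664 hunks are fine.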
@@ -1697,7 +1697,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the source port has been added to the permanent service. + Return whether the source port has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1730,7 +1730,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-helper</option>=<replaceable>helper</replaceable></term> <listitem> <para> - Return wether the helper has been added to the permanent service. + Return whether the helper has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1763,7 +1763,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-destination</option>=<replaceable>ipv</replaceable>:<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></term> <listitem> <para> - Return wether the destination ipv to address/mask has been set in the permanent service. + Return whether the destination ipv to address/mask has been set in the permanent service. </para> </listitem> </varlistentry> @@ -1796,7 +1796,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-include</option>=<replaceable>service</replaceable></term> <listitem> <para> - Return wether the include has been added to the permanent service. + Return whether the include has been added to the permanent service. </para> </listitem> </varlistentry> 
@@ -1942,7 +1942,7 @@ <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the port has been added to the permanent helper. + Return whether the port has been added to the permanent helper. </para> </listitem> </varlistentry>
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewall-cmd.xml.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewall-cmd.xml.in
Changed
@@ -523,7 +523,7 @@ </varlistentry> <varlistentry> - <term><option>--permanent</option> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <optional><option>--policy</option>=<replaceable>policy</replaceable></optional> <option>--set-target</option>=<replaceable>zone</replaceable></term> + <term><option>--permanent</option> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <optional><option>--policy</option>=<replaceable>policy</replaceable></optional> <option>--set-target</option>=<replaceable>target</replaceable></term> <listitem> <para> Set the target. @@ -1062,7 +1062,7 @@ </varlistentry> <varlistentry> - <term><option>--permanent</option> <option>--policy</option>=<replaceable>policy</replaceable> <option>--set-priority</option><replaceable>priority</replaceable></term> + <term><option>--permanent</option> <option>--policy</option>=<replaceable>policy</replaceable> <option>--set-priority</option>=<replaceable>priority</replaceable></term> <listitem> <para> Set the priority. The priority determines the relative ordering of 
@@ -1252,7 +1252,7 @@ If the interface is under control of NetworkManager, it is at first connected to change the zone for the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply. </para> <para> - For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface. + For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface. </para> <para> Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld then. @@ -1631,7 +1631,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the port has been added to the permanent service. + Return whether the port has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1664,7 +1664,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-protocol</option>=<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the protocol has been added to the permanent service. + Return whether the protocol has been added to the permanent service. </para> </listitem> </varlistentry> 
@@ -1697,7 +1697,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the source port has been added to the permanent service. + Return whether the source port has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1730,7 +1730,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-helper</option>=<replaceable>helper</replaceable></term> <listitem> <para> - Return wether the helper has been added to the permanent service. + Return whether the helper has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1763,7 +1763,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-destination</option>=<replaceable>ipv</replaceable>:<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></term> <listitem> <para> - Return wether the destination ipv to address/mask has been set in the permanent service. + Return whether the destination ipv to address/mask has been set in the permanent service. </para> </listitem> </varlistentry> @@ -1796,7 +1796,7 @@ <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-include</option>=<replaceable>service</replaceable></term> <listitem> <para> - Return wether the include has been added to the permanent service. + Return whether the include has been added to the permanent service. </para> </listitem> </varlistentry> 
@@ -1942,7 +1942,7 @@ <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the port has been added to the permanent helper. + Return whether the port has been added to the permanent helper. </para> </listitem> </varlistentry>
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewall-offline-cmd.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewall-offline-cmd.xml
Changed
@@ -88,7 +88,7 @@ <term><option>--help</option></term> <listitem> <para> - Prints a short help text and exists. + Prints a short help text and exits. </para> </listitem> </varlistentry> @@ -615,7 +615,7 @@ </varlistentry> <varlistentry> - <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <optional><option>--policy</option>=<replaceable>policy</replaceable></optional> <option>--set-target</option>=<replaceable>zone</replaceable></term> + <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <optional><option>--policy</option>=<replaceable>policy</replaceable></optional> <option>--set-target</option>=<replaceable>target</replaceable></term> <listitem> <para> Set the target. @@ -1633,7 +1633,7 @@ <term><option>--service</option>=<replaceable>service</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the port has been added to the permanent service. + Return whether the port has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1666,7 +1666,7 @@ <term><option>--service</option>=<replaceable>service</replaceable> <option>--query-protocol</option>=<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the protocol has been added to the permanent service. + Return whether the protocol has been added to the permanent service. </para> </listitem> </varlistentry> 
@@ -1699,7 +1699,7 @@ <term><option>--service</option>=<replaceable>service</replaceable> <option>--query-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the source port has been added to the permanent service. + Return whether the source port has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1732,7 +1732,7 @@ <term><option>--service</option>=<replaceable>service</replaceable> <option>--query-helper</option>=<replaceable>helper</replaceable></term> <listitem> <para> - Return wether the helper has been added to the permanent service. + Return whether the helper has been added to the permanent service. </para> </listitem> </varlistentry> @@ -1765,7 +1765,7 @@ <term><option>--service</option>=<replaceable>service</replaceable> <option>--query-destination</option>=<replaceable>ipv</replaceable>:<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></term> <listitem> <para> - Return wether the destination ipv to address/mask has been set in the permanent service. + Return whether the destination ipv to address/mask has been set in the permanent service. </para> </listitem> </varlistentry> @@ -1798,7 +1798,7 @@ <term><option>--service</option>=<replaceable>service</replaceable> <option>--query-include</option>=<replaceable>service</replaceable></term> <listitem> <para> - Return wether the include has been added to the permanent service. + Return whether the include has been added to the permanent service. </para> </listitem> </varlistentry> 
@@ -1944,7 +1944,7 @@ <term><option>--helper</option>=<replaceable>helper</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term> <listitem> <para> - Return wether the port has been added to the permanent helper. + Return whether the port has been added to the permanent helper. </para> </listitem> </varlistentry>
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewalld.conf.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewalld.conf.xml
Changed
@@ -141,7 +141,7 @@ <term><option>IndividualCalls</option></term> <listitem> <para> - If this option is disabled (it is by default), combined -restore calls are used and not individual calls to apply changes to the firewall. The use of individiual calls increases the time that is needed to apply changes and to start the daemon, but is good for debugging as error messages are more specific. + If this option is disabled (it is by default), combined -restore calls are used and not individual calls to apply changes to the firewall. The use of individual calls increases the time that is needed to apply changes and to start the daemon, but is good for debugging as error messages are more specific. </para> </listitem> </varlistentry>
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewalld.dbus.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewalld.dbus.xml
Changed
@@ -230,7 +230,7 @@ <term><methodname>getLogDenied</methodname>() → s</term> <listitem> <para> - Retruns the LogDenied value. + Returns the LogDenied value. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones. Possible values are: <literal>all</literal>, <literal>unicast</literal>, <literal>broadcast</literal>, <literal>multicast</literal> and <literal>off</literal>. The default value is <literal>off</literal> @@ -252,7 +252,7 @@ <para> Return runtime settings of given <replaceable>service</replaceable>. For getting permanent settings see <link linkend="FirewallD1.config.service.Methods.getSettings2">org.fedoraproject.FirewallD1.config.service.Methods.getSettings2</link>. - Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be ommitted. + Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be omitted. </para> <para> <variablelist> @@ -488,7 +488,7 @@ <refsect2 id="FirewallD1.ipset"> <title>org.fedoraproject.FirewallD1.ipset</title> <para> - Operations in this interface allows to get, add, remove and query runtime ipset settings. + Operations in this interface allows one to get, add, remove and query runtime ipset settings. For permanent configuration see <link linkend="FirewallD1.config.ipset">org.fedoraproject.FirewallD1.config.ipset</link> interface. </para> @@ -524,7 +524,7 @@ </varlistentry> <varlistentry id="FirewallD1.ipset.Methods.getIPSetSettings"> - <term><methodname>getSettings</methodname>(s: ipset) → (ssssa{ss}as)</term> + <term><methodname>getIPSetSettings</methodname>(s: ipset) → (ssssa{ss}as)</term> <listitem> <para> Return runtime settings of given <replaceable>ipset</replaceable>. 
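Review bot: the @@ -524 hunk renames the documented ipset method from getSettings to getIPSetSettings, which makes the term agree with the entry's own id (FirewallD1.ipset.Methods.getIPSetSettings) and with the link to it from the config.ipset section in the @@ -3510 hunk below; make sure the D-Bus introspection data of the 1.2.1 daemon actually exports the method under that name, because a doc-only rename that diverges from the wire name would send clients to a method that does not exist. The "Retruns" and "ommitted" fixes in the @@ -230 and @@ -252 hunks are fine.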
@@ -939,7 +939,7 @@ <term>PassthroughAdded(s: ipv, as: args)</term> <listitem> <para> - Emitted when a tracked passthruogh rule with <replaceable>args</replaceable> has been added for <replaceable>ipv</replaceable> being either <literal>ipv4</literal> (iptables) or <literal>ipv6</literal> (ip6tables) or <literal>eb</literal> (ebtables). + Emitted when a tracked passthrough rule with <replaceable>args</replaceable> has been added for <replaceable>ipv</replaceable> being either <literal>ipv4</literal> (iptables) or <literal>ipv6</literal> (ip6tables) or <literal>eb</literal> (ebtables). </para> </listitem> </varlistentry> @@ -1281,7 +1281,7 @@ <refsect2 id="FirewallD1.zone"> <title>org.fedoraproject.FirewallD1.zone</title> <para> - Operations in this interface allows to get, add, remove and query runtime zone's settings. + Operations in this interface allows one to get, add, remove and query runtime zone's settings. For permanent settings see <link linkend="FirewallD1.config.zone">org.fedoraproject.FirewallD1.config.zone</link> interface. </para> @@ -2313,7 +2313,7 @@ <refsect2 id="FirewallD1.policy"> <title>org.fedoraproject.FirewallD1.policy</title> <para> - Operations in this interface allows to get, add, remove and query runtime policy settings. + Operations in this interface allows one to get, add, remove and query runtime policy settings. For permanent settings see <link linkend="FirewallD1.config.policy">org.fedoraproject.FirewallD1.config.policy</link> interface. </para> @@ -2391,7 +2391,7 @@ <refsect2 id="FirewallD1.config"> <title>org.fedoraproject.FirewallD1.config</title> <para> - Allows to permanently add, remove and query zones, services and icmp types. + Allows one to permanently add, remove and query zones, services and icmp types. </para> <refsect3 id="FirewallD1.config.Methods"> 
@@ -3510,7 +3510,7 @@ <term><methodname>getSettings</methodname>() → (ssssa{ss}as)</term> <listitem> <para> - Return permament settings of the ipset. + Return permanent settings of the ipset. For getting runtime settings see <link linkend="FirewallD1.ipset.Methods.getIPSetSettings">org.fedoraproject.FirewallD1.ipset.Methods.getIPSetSettings</link>. Settings are in format: <parameter>version</parameter>, <parameter>name</parameter>, <parameter>description</parameter>, <parameter>type</parameter>, dictionary of <parameter>options</parameter> and array of <parameter>entries</parameter>. </para> @@ -4934,7 +4934,7 @@ <para> Return runtime settings of given <replaceable>service</replaceable>. For getting runtime settings see <link linkend="FirewallD1.Methods.getServiceSettings2">org.fedoraproject.FirewallD1.Methods.getServiceSettings2</link>. - Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be ommitted. + Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be omitted. </para> <para> <variablelist>
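Review bot: the unchanged context in the @@ -4934 hunk contradicts itself: "Return runtime settings of given service. For getting runtime settings see ...FirewallD1.Methods.getServiceSettings2". This entry sits in the config (permanent) interface and the link target is the runtime getter, so the first sentence should read "Return permanent settings of given service." (compare the @@ -252 hunk, where the runtime getter correctly points at config.service.Methods.getSettings2 "for getting permanent settings"); fix it while correcting "ommitted" in the same paragraph.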
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewalld.direct.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewalld.direct.xml
Changed
@@ -72,7 +72,7 @@ </para> <para> - A firewalld direct configuration file contains informations about permanent direct chains, rules and passthrough ... + A firewalld direct configuration file contains information about permanent direct chains, rules and passthrough ... </para> <para>
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewalld.richlanguage.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewalld.richlanguage.xml
Changed
@@ -71,7 +71,7 @@ source destination service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port - log + log|nflog audit accept|reject|drop|mark </programlisting> @@ -83,7 +83,7 @@ <programlisting> rule source - log + log|nflog audit accept|reject|drop|mark </programlisting> @@ -106,7 +106,7 @@ If the rule family is provided, it can be either "ipv4" or "ipv6", which limits the rule to IPv4 or IPv6. If the rule family is not provided, the rule will be added for IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family need to be provided. This is also the case for port/packet forwarding. </para> <para> - If the rule priority is provided, it can be in the range of -32768 to 32767 where lower values have higher precendence. Rich rules are sorted by priority. Ordering for rules with the same priority value is undefined. A negative priority value will be executed before other firewalld primitives. A positive priority value will be executed after other firewalld primitives. A priority value of 0 will place the rule in a chain based on the action as per the "Information about logging and actions" below. + If the rule priority is provided, it can be in the range of -32768 to 32767 where lower values have higher precedence. Rich rules are sorted by priority. Ordering for rules with the same priority value is undefined. A negative priority value will be executed before other firewalld primitives. A positive priority value will be executed after other firewalld primitives. A priority value of 0 will place the rule in a chain based on the action as per the "Information about logging and actions" below. </para> </refsect2> 
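Review bot: the context line in the @@ -106 hunk, "then the rule family need to be provided", should be "needs to be provided"; since the hunk already corrects "precendence" in the next paragraph, take the grammar fix in the same pass. Adding "nflog" to both rule grammars in the @@ -71 and @@ -83 hunks is right, as the new NFLog section later in this file defines it as an alternative to log.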
@@ -157,11 +157,12 @@ <title>Port</title> <para> <programlisting> -port port="port value" protocol="tcp|udp" +port port="port value" protocol="tcp|udp|sctp|dccp" </programlisting> </para> <para> - The port <replaceable>port value</replaceable> can either be a single port number <replaceable>portid</replaceable> or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. The protocol can either be <replaceable>tcp</replaceable> or <replaceable>udp</replaceable>. + The port <replaceable>port value</replaceable> can either be a single port number <replaceable>portid</replaceable> or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. + The protocol can either be <literal>tcp</literal>, <literal>udp</literal>, <literal>sctp</literal> or <literal>dccp</literal>. </para> </refsect2> @@ -242,14 +243,15 @@ <title>Forward-Port</title> <para> <programlisting> -forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address" +forward-port port="port value" protocol="tcp|udp|sctp|dccp" to-port="port value" to-addr="address" </programlisting> </para> <para> Forward port/packets from local port value with protocol "tcp" or "udp" to either another port locally or to another machine or to another port on another machine. </para> <para> - The port value can either be a single port number or a port range <replaceable>portid-portid</replaceable>. The <option>to-addr</option> is an IP address. + The port value can either be a single port number or a port range <replaceable>portid-portid</replaceable>. The <option>to-addr</option> is an IP address. + The protocol can either be <literal>tcp</literal>, <literal>udp</literal>, <literal>sctp</literal> or <literal>dccp</literal>. </para> <para> It is not allowed to specify an action here. forward-port uses the action accept internally. 
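Review bot: the @@ -242 hunk widens the forward-port grammar to protocol="tcp|udp|sctp|dccp" and appends a sentence listing all four protocols, but the untouched context sentence "Forward port/packets from local port value with protocol "tcp" or "udp"" still names only two, so the section now contradicts itself; either update that sentence to the four protocols or drop the protocol list from it, as the Port and Source-Port sections (@@ -157 and the following hunk) do by moving the list into its own sentence.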
@@ -263,11 +265,12 @@ <title>Source-Port</title> <para> <programlisting> -source-port port="port value" protocol="tcp|udp" +source-port port="port value" protocol="tcp|udp|sctp|dccp" </programlisting> </para> <para> - The source-port <replaceable>port value</replaceable> can either be a single port number <replaceable>portid</replaceable> or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. The protocol can either be <replaceable>tcp</replaceable> or <replaceable>udp</replaceable>. + The source-port <replaceable>port value</replaceable> can either be a single port number <replaceable>portid</replaceable> or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. + The protocol can either be <literal>tcp</literal>, <literal>udp</literal>, <literal>sctp</literal> or <literal>dccp</literal>. </para> </refsect2> 
@@ -280,10 +283,39 @@ </para> <para> Log new connection attempts to the rule with kernel logging for example in syslog. - You can define a prefix text that will be added to the log message as a prefix. + You can define a prefix text with a maximum length of 127 characters that will be added to the log message as a prefix. Log level can be one of "<option>emerg</option>", "<option>alert</option>", "<option>crit</option>", "<option>error</option>", "<option>warning</option>", "<option>notice</option>", "<option>info</option>" or "<option>debug</option>", where default (i.e. if there's no one specified) is "<option>warning</option>". See <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for description of levels. See Limit section for description of <option>limit</option> tag. </para> + <para> + <emphasis>Note:</emphasis> The iptables backend truncates prefix to 29 characters. + </para> + </refsect2> + + <refsect2> + <title>NFLog</title> + <para> + <programlisting> +nflog group="group id" prefix="prefix text" queue-size="threshold" limit value="rate/duration" + </programlisting> + </para> + <para> + Log new connection attempts to the rule using kernel logging to pass the packets through a 'netlink' socket to users or applications monitoring the multicast <option>group</option>. + The minimum and default value for <option>group</option> is 0, maximum value is 65535. + See NETLINK_NETFILTER in <citerefentry><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry> man page and NFLOG in both <citerefentry><refentrytitle>iptables-extensions</refentrytitle><manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>nft</refentrytitle><manvolnum>8</manvolnum></citerefentry> man pages for a more detailed description. + </para> + <para> + You can define a prefix text with a maximum length of 127 characters that will be added to the log message as a prefix. 
+ The <option>queue-size</option> option can be set to increase the queue threshold which can help limit context switching. + The default value for <option>queue-size</option> is 1, maximum value is 65535. + See <citerefentry><refentrytitle>iptables-extensions</refentrytitle><manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>nft</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more details. + </para> + <para> + See Limit section for description of <option>limit</option> tag. + </para> + <para> + <emphasis>Note:</emphasis> The iptables backend truncates prefix to 63 characters. + </para> </refsect2> <refsect2> @@ -348,7 +380,7 @@ </programlisting> </para> <para> - It is possible to limit Log, Audit and Action. + It is possible to limit Log, NFLog, Audit and Action. A rule using this tag will match until this limit is reached. The rate is a natural positive number 1, .. The duration is of "s", "m", "h", "d". "s" means seconds, "m" minutes, "h" hours and "d" days. @@ -359,7 +391,7 @@ <refsect2> <title>Information about logging and actions</title> <para> - Logging can be done with the log and audit actions. A new chain is added to all zones: zone_log. This will be jumped into before the deny chain to be able to have a proper ordering. + Logging can be done with the log, nflog and audit actions. A new chain is added to all zones: zone_log. This will be jumped into before the deny chain to be able to have a proper ordering. </para> <para> The rules or parts of them are placed in separate chains according to the priority and action of the rule: 
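Review bot: in the new NFLog section (@@ -280 hunk) the queue-size description, "can be set to increase the queue threshold which can help limit context switching", omits the trade-off that matters to anyone consuming nflog for alerting: packets are held in the kernel until the threshold is reached, so a larger value lowers per-packet overhead but delays delivery to the listening application. Suggest saying so in one sentence next to the default of 1. Also, both the log and nflog paragraphs state a 127-character maximum for prefix and then note that the iptables backend truncates it (to 29 and 63 characters respectively); stating that the full 127 characters are preserved only with the nftables backend would make the two notes less surprising, and the "limit" paragraph and the "Log, NFLog, Audit and Action" change in the @@ -348 hunk are consistent with the new section.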
@@ -377,7 +409,7 @@ When <emphasis>priority < 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_pre chain. </para> <para> - When <emphasis>priority == 0</emphasis>Then all logging rules will be placed in the <replaceable>zone</replaceable>_log chain. All reject and drop rules will be placed in the <replaceable>zone</replaceable>_deny chain, which will be walked after the log chain. All accept rules will be placed in the <replaceable>zone</replaceable>_allow chain, which will be walked after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains. + When <emphasis>priority == 0</emphasis> Then all logging rules will be placed in the <replaceable>zone</replaceable>_log chain. All reject and drop rules will be placed in the <replaceable>zone</replaceable>_deny chain, which will be walked after the log chain. All accept rules will be placed in the <replaceable>zone</replaceable>_allow chain, which will be walked after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains. </para> <para> When <emphasis>priority > 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_post chain.
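Review bot: the @@ -377 hunk only inserts a space before "Then"; the sentence should parallel its neighbours ("When <emphasis>priority < 0</emphasis>, the rich rule will be placed..."), so write "When <emphasis>priority == 0</emphasis>, all logging rules will be placed in the zone_log chain." with a comma and lowercase "all" instead of leaving the capitalised "Then".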
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewalld.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewalld.xml
Changed
@@ -71,7 +71,7 @@ <term><option>--help</option></term> <listitem> <para> - Prints a short help text and exists. + Prints a short help text and exits. </para> </listitem> </varlistentry> @@ -90,7 +90,7 @@ <term><option>--debug</option><optional>=<replaceable>level</replaceable></optional></term> <listitem> <para> - Set the debug level for firewalld to <replaceable>level</replaceable>. The range of the debug level is 1 (lowest level) to 10 (highest level). The debug output will be written to the firewalld log file <filename class="directory">/var/log/firewalld</filename>. + Set the debug level for firewalld to <replaceable>level</replaceable>. The range of the debug level is 1 (lowest level) to 10 (highest level). The debug output will be written to the firewalld log file specified by --log-file. </para> </listitem> </varlistentry> @@ -105,6 +105,28 @@ </varlistentry> <varlistentry> + <term> + <option>--log-target</option> + </term> + <listitem> + <para> + Define the output target to which log messages are written. In mixed mode, Firewalld writes info-level log messages to syslog. Debug messages are written to a file (see the --log-file parameter). Info messages also go to stdout and stderr. The syslog, file or console modes write all messages to the one configured target only. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>--log-file</option> + </term> + <listitem> + <para> + Define the file where debug messages are written to. The default file is <filename class="directory">/var/log/firewalld</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><option>--nofork</option></term> <listitem> <para>
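Review bot: the new --log-target entry (@@ -105 hunk) names four modes (mixed, syslog, file, console) only inside the prose and its term carries no argument placeholder, unlike --debug right above it; suggest `<option>--log-target</option>=<replaceable>target</replaceable>` with the accepted values enumerated and the default stated (the Makefile.in in this same change adds a DEFAULT_LOG_TARGET substitution, so the default is chosen at build time and the page should say which one this build uses). In the same hunk --log-file wraps /var/log/firewalld in `<filename class="directory">` although it is a file, so drop class="directory", and "Firewalld" should be lowercase "firewalld" as everywhere else on the page. The identical hunks appear again in firewalld.xml.in, which is the template this file is generated from, so apply the fixes there.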
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewalld.xml.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewalld.xml.in
Changed
@@ -71,7 +71,7 @@ <term><option>--help</option></term> <listitem> <para> - Prints a short help text and exists. + Prints a short help text and exits. </para> </listitem> </varlistentry> @@ -90,7 +90,7 @@ <term><option>--debug</option><optional>=<replaceable>level</replaceable></optional></term> <listitem> <para> - Set the debug level for firewalld to <replaceable>level</replaceable>. The range of the debug level is 1 (lowest level) to 10 (highest level). The debug output will be written to the firewalld log file <filename class="directory">/var/log/firewalld</filename>. + Set the debug level for firewalld to <replaceable>level</replaceable>. The range of the debug level is 1 (lowest level) to 10 (highest level). The debug output will be written to the firewalld log file specified by --log-file. </para> </listitem> </varlistentry> @@ -105,6 +105,28 @@ </varlistentry> <varlistentry> + <term> + <option>--log-target</option> + </term> + <listitem> + <para> + Define the output target to which log messages are written. In mixed mode, Firewalld writes info-level log messages to syslog. Debug messages are written to a file (see the --log-file parameter). Info messages also go to stdout and stderr. The syslog, file or console modes write all messages to the one configured target only. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>--log-file</option> + </term> + <listitem> + <para> + Define the file where debug messages are written to. The default file is <filename class="directory">/var/log/firewalld</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><option>--nofork</option></term> <listitem> <para>
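Review bot: this is the same hunk as in `doc/xml/firewalld.xml`; if `firewalld.xml` is generated from `firewalld.xml.in` during the build, the generated copy should not need a separate edit, and if both are tracked they must stay identical. The same wording points apply here: list the `--log-target` values and the default, wrap `--log-file` in `<option>`, and drop `class="directory"` from the `/var/log/firewalld` file path.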
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/firewalld.zones.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/firewalld.zones.xml
Changed
@@ -76,7 +76,7 @@ <refsect3> <title>Ports and protocols</title> <para> - Definition of <literal>tcp</literal> or <literal>udp</literal> ports, where ports can be a single port or a port range. + Definition of <literal>tcp</literal>, <literal>udp</literal>, <literal>sctp</literal> or <literal>dccp</literal> ports, where ports can be a single port or a port range. </para> </refsect3> @@ -238,7 +238,7 @@ If the connection is controlled by NetworkManager, you can also use <command>nm-connection-editor</command> to change the zone. </para> <para> - For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface. + For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface. </para> <para> Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld then.
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/policy_zone_descriptions.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/policy_zone_descriptions.xml
Changed
@@ -271,9 +271,9 @@ </para> <para> <programlisting> -<rule family="<literal>ipv4</literal>|<literal>ipv6</literal>"> - <source address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>" invert="<replaceable>True</replaceable>"/> - <destination address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>" invert="<replaceable>True</replaceable>"/> +<rule family="<literal>ipv4</literal>|<literal>ipv6</literal>" priority="<replaceable>priority</replaceable>"> + <source address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>" invert="<replaceable>True</replaceable>"/> + <destination address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>"|ipset="<replaceable>ipset</replaceable>" invert="<replaceable>True</replaceable>"/> <service name="<replaceable>string</replaceable>"/> | <port port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> | 
@@ -284,7 +284,10 @@ <forward-port port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>" to-port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" to-addr="<replaceable>address</replaceable>"/> | <source-port port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> | - <log prefix="<replaceable>prefixtext</replaceable>" level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"/> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </log> + + <log prefix="<replaceable>prefix text</replaceable>" level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </log> | + <nflog group="<replaceable>group id</replaceable>" prefix="<replaceable>prefix text</replaceable>" queue-size="<replaceable>threshold</replaceable>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </nflog> + <audit> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </audit> <accept> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </accept> | 
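Review bot: the trailing `|` after `</log>` marks `<log>` and `<nflog>` as alternatives, but nothing follows `</nflog>` or `</audit>`, so a reader cannot tell whether `<audit>` may be combined with either logging element and with the action element that follows. Add a sentence after the listing stating which of these are mutually exclusive and which may be combined. The hunk also repairs the old `<log .../> <limit .../> </log>` form (a self-closing start tag followed by an end tag), which was not well-formed as an example.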
@@ -300,9 +303,12 @@ </para> <para> <programlisting> -<rule family="<literal>ipv4</literal>|<literal>ipv6</literal>"> - <source address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>" invert="<replaceable>True</replaceable>"/> - <log prefix="<replaceable>prefixtext</replaceable>" level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"/> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </log> +<rule family="<literal>ipv4</literal>|<literal>ipv6</literal>" priority="<replaceable>priority</replaceable>"> + <source address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>" invert="<replaceable>True</replaceable>"/> + + <log prefix="<replaceable>prefix text</replaceable>" level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </log> | + <nflog group="<replaceable>group id</replaceable>" prefix="<replaceable>prefix text</replaceable>" queue-size="<replaceable>threshold</replaceable>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </nflog> + <audit> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </audit> <accept> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </accept> | <reject type="<replaceable>rejecttype</replaceable>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </reject> |
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/doc/xml/policy_zone_syntax.xml -> _service:tar_scm:firewalld-1.2.1.tar.gz/doc/xml/policy_zone_syntax.xml
Changed
@@ -31,9 +31,9 @@ <forward-port port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>" to-port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" to-addr="<replaceable>IP address</replaceable>"/> <source-port port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> - <rule family="<literal>ipv4</literal>|<literal>ipv6</literal>"> + <rule family="<literal>ipv4</literal>|<literal>ipv6</literal>" priority="<replaceable>priority</replaceable>"> <source address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>" invert="<replaceable>True</replaceable>"/> - <destination address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>" invert="<replaceable>True</replaceable>"/> + <destination address="<replaceable>address</replaceable>/<replaceable>mask</replaceable>"|ipset="<replaceable>ipset</replaceable>" invert="<replaceable>True</replaceable>"/> <service name="<replaceable>string</replaceable>"/> | <port port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> | 
@@ -43,7 +43,10 @@ <masquerade/> | <forward-port port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>" to-port="<replaceable>portid</replaceable>-<replaceable>portid</replaceable>" to-addr="<replaceable>address</replaceable>"/> - <log prefix="<replaceable>prefixtext</replaceable>" level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </log> + + <log prefix="<replaceable>prefix text</replaceable>" level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </log> | + <nflog group="<replaceable>group id</replaceable>" prefix="<replaceable>prefix text</replaceable>" queue-size="<replaceable>threshold</replaceable>"> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </nflog> + <audit> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </audit> <accept> <limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/> </accept> |
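Review bot: the blank line inserted before `<log>` sits inside `<programlisting>`, where whitespace is preserved, so it renders as an empty line in the middle of the syntax block; if the intent is to separate match elements from logging and action elements, a short sentence in the surrounding prose is clearer than an unexplained gap. The same question as in `policy_zone_descriptions.xml` applies: only `</log>` carries a trailing `|`, so state whether `<nflog>` excludes `<log>` and whether `<audit>` may be combined with either.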
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/firewalld.spec -> _service:tar_scm:firewalld-1.2.1.tar.gz/firewalld.spec
Changed
@@ -1,6 +1,6 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld -Version: 1.0.2 +Version: 1.2.1 Release: 1%{?dist} URL: http://firewalld.org License: GPLv2+ @@ -145,7 +145,7 @@ /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %files -f %{name}.lang -%doc COPYING README +%doc COPYING README.md CODE_OF_CONDUCT.md %{_sbindir}/firewalld %{_bindir}/firewall-cmd %{_bindir}/firewall-offline-cmd @@ -154,7 +154,7 @@ %dir %{_datadir}/zsh/site-functions %{_datadir}/zsh/site-functions/_firewalld %{_prefix}/lib/firewalld/icmptypes/*.xml -%{_prefix}/lib/firewalld/ipsets/README +%{_prefix}/lib/firewalld/ipsets/README.md %{_prefix}/lib/firewalld/policies/*.xml %{_prefix}/lib/firewalld/services/*.xml %{_prefix}/lib/firewalld/zones/*.xml @@ -216,7 +216,7 @@ %files -n firewalld-test %dir %{_datadir}/firewalld/testsuite -%{_datadir}/firewalld/testsuite/README +%{_datadir}/firewalld/testsuite/README.md %{_datadir}/firewalld/testsuite/testsuite %dir %{_datadir}/firewalld/testsuite/integration %{_datadir}/firewalld/testsuite/integration/testsuite @@ -248,14 +248,8 @@ %{_mandir}/man1/firewall-config*.1* %changelog -* Wed Nov 03 2021 Eric Garver <eric@garver.life> - 1.0.2-1 -- release v1.0.2 +* Wed Sep 28 2022 Eric Garver <eric@garver.life> - 1.2.1-1 +- release v1.2.1 -* Thu Aug 12 2021 Eric Garver <eric@garver.life> - 1.0.1-1 -- release v1.0.1 - -* Thu Jul 22 2021 Eric Garver <eric@garver.life> - 1.0.0-1 -- release v1.0.0 - -* Tue May 25 2021 Eric Garver <eric@garver.life> - 1.0.0-0.1.alpha -- release v1.0.0-alpha +* Fri Jul 01 2022 Eric Garver <eric@garver.life> - 1.2.0-1 +- release v1.2.0
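Review bot: the `%changelog` hunk deletes the `1.0.0-0.1.alpha` through `1.0.2-1` entries instead of adding the `1.2.0-1` and `1.2.1-1` entries above them, so the spec no longer records the releases the package has gone through. Keep the older entries below the new ones; a changelog is append-only by convention and the dropped lines are the only record of the 1.0.x versions in this file.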
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/install-sh -> _service:tar_scm:firewalld-1.2.1.tar.gz/install-sh
Changed
@@ -1,301 +1,518 @@ #!/bin/sh +# install - install a program, script, or datafile + +scriptversion=2018-03-11.20; # UTC + +# This originates from X11R5 (mit/util/scripts/install.sh), which was +# later released in X11R6 (xc/config/util/install.sh) with the +# following copyright and license. # -# $NetBSD: install-sh.in,v 1.6 2012/01/11 13:07:31 hans Exp $ -# This script now also installs multiple files, but might choke on installing -# multiple files with spaces in the file names. +# Copyright (C) 1994 X Consortium # -# install - install a program, script, or datafile -# This comes from X11R5 (mit/util/scripts/install.sh). +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- +# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +# +# Except as contained in this notice, the name of the X Consortium shall not +# be used in advertising or otherwise to promote the sale, use or other deal- +# ings in this Software without prior written authorization from the X Consor- +# tium. 
# -# Copyright 1991 by the Massachusetts Institute of Technology # -# Permission to use, copy, modify, distribute, and sell this software and its -# documentation for any purpose is hereby granted without fee, provided that -# the above copyright notice appear in all copies and that both that -# copyright notice and this permission notice appear in supporting -# documentation, and that the name of M.I.T. not be used in advertising or -# publicity pertaining to distribution of the software without specific, -# written prior permission. M.I.T. makes no representations about the -# suitability of this software for any purpose. It is provided "as is" -# without express or implied warranty. +# FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent -# `make' implicit rules from creating a file called install from it +# 'make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. -# set DOITPROG to echo to test this script +tab=' ' +nl=' +' +IFS=" $tab$nl" + +# Set DOITPROG to "echo" to test this script. -# Don't use :- since 4.3BSD and earlier shells don't like it. -doit="${DOITPROG-}" +doit=${DOITPROG-} +doit_exec=${doit:-exec} +# Put in absolute file names if you don't have them in your path; +# or use environment vars. -# put in absolute paths if you don't have them in your path; or use env. vars. 
+chgrpprog=${CHGRPPROG-chgrp} +chmodprog=${CHMODPROG-chmod} +chownprog=${CHOWNPROG-chown} +cmpprog=${CMPPROG-cmp} +cpprog=${CPPROG-cp} +mkdirprog=${MKDIRPROG-mkdir} +mvprog=${MVPROG-mv} +rmprog=${RMPROG-rm} +stripprog=${STRIPPROG-strip} -awkprog="${AWKPROG-awk}" -mvprog="${MVPROG-mv}" -cpprog="${CPPROG-cp}" -chmodprog="${CHMODPROG-chmod}" -chownprog="${CHOWNPROG-chown}" -chgrpprog="${CHGRPPROG-chgrp}" -stripprog="${STRIPPROG-strip}" -rmprog="${RMPROG-rm}" -mkdirprog="${MKDIRPROG-mkdir}" +posix_mkdir= -instcmd="$cpprog" -instflags="" -pathcompchmodcmd="$chmodprog 755" -chmodcmd="$chmodprog 755" -chowncmd="" -chgrpcmd="" -stripcmd="" -stripflags="" +# Desired mode of installed file. +mode=0755 + +chgrpcmd= +chmodcmd=$chmodprog +chowncmd= +mvcmd=$mvprog rmcmd="$rmprog -f" -mvcmd="$mvprog" -src="" -msrc="" -dst="" -dir_arg="" -suffix="" -suffixfmt="" - -while x"$1" != x ; do - case $1 in - -b) suffix=".old" - shift - continue;; - - -B) suffixfmt="$2" - shift - shift - continue;; - - -c) instcmd="$cpprog" - shift - continue;; - - -d) dir_arg=true - shift - continue;; - - -m) chmodcmd="$chmodprog $2" - shift - shift - continue;; - - -m*) - chmodcmd="$chmodprog ${1#-m}" - shift - continue;; - - -o) chowncmd="$chownprog $2" - shift - shift - continue;; - - -g) chgrpcmd="$chgrpprog $2" - shift - shift - continue;; - - -s) stripcmd="$stripprog" - shift - continue;; - - -S) stripcmd="$stripprog" - stripflags="-S $2 $stripflags" - shift - shift - continue;; - - -p) instflags="-p" - shift - continue;; - - *) if x"$msrc" = x - then - msrc="$dst" - else - msrc="$msrc $dst" - fi - src="$dst" - dst="$1" - shift - continue;; - esac -done +stripcmd= -if x"$dir_arg" = x -then - dstisfile="" - if ! -d "$dst" - then - if x"$msrc" = x"$src" - then - dstisfile=true - else - echo "install: destination is not a directory" - exit 1
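Review bot: this replaces the NetBSD-derived `install-sh` (`$NetBSD: install-sh.in,v 1.6 2012/01/11`) with the automake one (`scriptversion=2018-03-11.20`), and the view is truncated, so most of the new ~500 lines cannot be reviewed here. Confirm the file is byte-identical to automake's `install-sh` of that version rather than locally edited, since this script runs with install privileges during `make install`. Note also that the removed lines appear as `while x"$1" != x ; do` and `if ! -d "$dst"` without the `[ ... ]` test brackets, which is almost certainly rendering loss in this view rather than the file's real content.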
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/missing -> _service:tar_scm:firewalld-1.2.1.tar.gz/missing
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2021 Free Software Foundation, Inc. +# Copyright (C) 1996-2018 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify
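Review bot: the copyright line moves backwards from `1996-2021` to `1996-2018` while `scriptversion=2018-03-07.03` is unchanged, which indicates the 1.2.1 tarball was bootstrapped with an older automake than 1.0.2 was. Harmless for a generated helper, but worth confirming that `configure` and the `Makefile.in` files in the tarball were regenerated with one consistent autotools version.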
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/po/LINGUAS -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/LINGUAS
Changed
@@ -19,6 +19,7 @@ gl gu hi +hr hu ia id @@ -34,14 +35,14 @@ or pa pl -pt_BR pt +pt_BR ru si sk sq -sr@latin sr +sr@latin sv ta te
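Review bot: `hr` is added to LINGUAS, so the build now expects `po/hr.po` and will install an `hr` message catalog; check that the catalog actually carries translations before advertising the locale. The `pt`/`pt_BR` and `sr`/`sr@latin` swaps are plain sort order and change nothing.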
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/po/POTFILES.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/POTFILES.in
Changed
@@ -48,12 +48,14 @@ config/org.fedoraproject.FirewallD1.desktop.policy.in config/org.fedoraproject.FirewallD1.server.policy.in config/policies/allow-host-ipv6.xml +config/services/afp.xml config/services/amanda-client.xml config/services/amanda-k5-client.xml config/services/amqps.xml config/services/amqp.xml config/services/apcupsd.xml config/services/audit.xml +config/services/ausweisapp2.xml config/services/bacula-client.xml config/services/bacula.xml config/services/bb.xml @@ -66,9 +68,11 @@ config/services/ceph-mon.xml config/services/ceph.xml config/services/cfengine.xml +config/services/checkmk-agent.xml config/services/cockpit.xml config/services/condor-collector.xml config/services/collectd.xml +config/services/cratedb.xml config/services/ctdb.xml config/services/dhcpv6-client.xml config/services/dhcpv6.xml @@ -95,13 +99,17 @@ config/services/ganglia-client.xml config/services/ganglia-master.xml config/services/git.xml +config/services/gpsd.xml config/services/grafana.xml config/services/gre.xml config/services/high-availability.xml +config/services/http3.xml config/services/https.xml config/services/http.xml +config/services/ident.xml config/services/imaps.xml config/services/imap.xml +config/services/ipfs.xml config/services/ipp-client.xml config/services/ipp.xml config/services/ipsec.xml @@ -109,6 +117,7 @@ config/services/irc.xml config/services/iscsi-target.xml config/services/isns.xml +config/services/jellyfin.xml config/services/jenkins.xml config/services/kadmin.xml config/services/kdeconnect.xml 
@@ -118,17 +127,26 @@ config/services/kpasswd.xml config/services/kprop.xml config/services/kshell.xml +config/services/kubelet.xml +config/services/kubelet-readonly.xml +config/services/kubelet-worker.xml config/services/kube-api.xml config/services/kube-apiserver.xml config/services/kube-control-plane.xml +config/services/kube-control-plane-secure.xml config/services/kube-controller-manager.xml +config/services/kube-controller-manager-secure.xml +config/services/kube-nodeport-services.xml config/services/kube-scheduler.xml -config/services/kubelet-worker.xml +config/services/kube-scheduler-secure.xml +config/services/kube-worker.xml config/services/ldaps.xml config/services/ldap.xml config/services/libvirt-tls.xml config/services/libvirt.xml config/services/lightning-network.xml +config/services/llmnr-tcp.xml +config/services/llmnr-udp.xml config/services/llmnr.xml config/services/managesieve.xml config/services/matrix.xml @@ -146,6 +164,7 @@ config/services/mysql.xml config/services/nbd.xml config/services/netbios-ns.xml +config/services/netdata-dashboard.xml config/services/nfs3.xml config/services/nfs.xml config/services/nmea-0183.xml @@ -165,8 +184,10 @@ config/services/pop3.xml config/services/postgresql.xml config/services/privoxy.xml +config/services/prometheus-node-exporter.xml config/services/prometheus.xml config/services/proxy-dhcp.xml +config/services/ps3netsrv.xml config/services/ptp.xml config/services/pulseaudio.xml config/services/puppetmaster.xml @@ -195,6 +216,8 @@ config/services/smtp.xml config/services/snmptrap.xml config/services/snmp.xml +config/services/snmptls-trap.xml +config/services/snmptls.xml config/services/spideroak-lansync.xml config/services/spotify-sync.xml config/services/squid.xml 
@@ -221,6 +244,10 @@ config/services/wbem-https.xml config/services/wbem-http.xml config/services/wireguard.xml +config/services/ws-discovery-client.xml +config/services/ws-discovery-tcp.xml +config/services/ws-discovery-udp.xml +config/services/ws-discovery.xml config/services/wsmans.xml config/services/wsman.xml config/services/xdmcp.xml @@ -230,6 +257,7 @@ config/services/xmpp-server.xml config/services/zabbix-agent.xml config/services/zabbix-server.xml +config/services/zerotier.xml config/zones/block.xml config/zones/dmz.xml config/zones/drop.xml
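Review bot: `config/services/kubelet-worker.xml` is not dropped, only moved up next to the other `kubelet*` entries, so no translatable service is lost. Every new entry must match a file in the tarball, because gettext fails on a POTFILES.in entry it cannot open, and the reverse (a service XML present but not listed) silently leaves its description untranslated; a quick listing of `config/services` against this file is worth running. Adding a service definition opens nothing by itself; a service only takes effect once it is added to a zone or policy.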
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/po/ar.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/ar.po
Changed
@@ -13,22 +13,23 @@ # Sherif Abdelgawad <sherif@redhat.com>, 2004 # SuSE Linux Products GmbH, Nuernberg, 2018 # Eric Garver <e@erig.me>, 2018. #zanata +# Mostafa Gamal <mostafa.2c6@gmail.com>, 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2018-11-16 08:20+0000\n" -"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" -"Language-Team: Arabic (http://www.transifex.com/projects/p/firewalld/" -"language/ar/)\n" +"PO-Revision-Date: 2022-05-23 16:18+0000\n" +"Last-Translator: Mostafa Gamal <mostafa.2c6@gmail.com>\n" +"Language-Team: Arabic <https://translate.fedoraproject.org/projects/" +"firewalld/master/ar/>\n" "Language: ar\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=6; plural=n==0 ? 0 : n==1 ? 1 : n==2 ? 2 : n%100>=3 " -"&& n%100<=10 ? 3 : n%100>=11 && n%100<=99 ? 4 : 5;\n" -"X-Generator: Zanata 4.6.2\n" +"&& n%100<=10 ? 3 : n%100>=11 ? 4 : 5;\n" +"X-Generator: Weblate 4.12.2\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -1878,7 +1879,8 @@ #: ../src/firewall-config.glade.h:255 #, fuzzy msgid "For host or network allow or denylisting deactivate the element." -msgstr "للقائمة البيضاء أو السوداء لمضيف أو شبكة، قم بإلغاء تنشيط العنصر." +msgstr "" +"للقائمة البيضاء أو السوداء لمضيف أو شبكة، قم بالسماح أو بإلغاء تنشيط العنصر." #: ../src/firewall-config.glade.h:256 msgid "Source:"
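Review bot: the msgstr for `firewall-config.glade.h:255` is rewritten but the `#, fuzzy` marker above it is left in place, so msgfmt will skip this translation and users will keep seeing the English string. Either drop the fuzzy flag (as the `cs.po` and `de.po` hunks do for the same msgid) or leave the string untouched. The `Plural-Forms` change from `n%100>=11 && n%100<=99 ? 4 : 5` to `n%100>=11 ? 4 : 5` is equivalent, since `n%100` can never exceed 99.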
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/po/cs.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/cs.po
Changed
@@ -21,7 +21,7 @@ # Zdenek <chmelarz@gmail.com>, 2017. #zanata # Eric Garver <e@erig.me>, 2018. #zanata # Robert Chudý <robertch@virtus.cz>, 2018. #zanata -# Pavel Borecki <pavel.borecki@gmail.com>, 2019. #zanata, 2020. +# Pavel Borecki <pavel.borecki@gmail.com>, 2019. #zanata, 2020, 2021. # Eric Garver <egarver@redhat.com>, 2020. # Tomáš Doležal <todoleza@redhat.com>, 2020. msgid "" @@ -29,7 +29,7 @@ "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2020-02-02 19:16+0000\n" +"PO-Revision-Date: 2021-12-03 22:16+0000\n" "Last-Translator: Pavel Borecki <pavel.borecki@gmail.com>\n" "Language-Team: Czech <https://translate.fedoraproject.org/projects/firewalld/" "master/cs/>\n" @@ -38,7 +38,7 @@ "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" -"X-Generator: Weblate 3.10.3\n" +"X-Generator: Weblate 4.9.1\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -1164,7 +1164,7 @@ #: ../src/firewall-config.glade.h:101 msgid "Add protocols, which need to be accessible for all hosts or networks." -msgstr "Přidat protokoly, které musí být přístupné pro všechny storje a sítě." +msgstr "Přidat protokoly, které musí být přístupné pro všechny stroje a sítě." #: ../src/firewall-config.glade.h:102 msgid "Add Protocol" @@ -1908,11 +1908,10 @@ msgstr "Zadejte bohaté pravidlo." #: ../src/firewall-config.glade.h:255 -#, fuzzy msgid "For host or network allow or denylisting deactivate the element." msgstr "" -"Seznam povolených nebo zakázaných výjimek deaktivuje element pro počítač " -"nebo síť." +"Pokud chcete povolovat nebo odpírat přístup do sítě na základě seznamu, " +"deaktivujte tento prvek." #: ../src/firewall-config.glade.h:256 msgid "Source:"
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/po/de.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/de.po
Changed
@@ -36,21 +36,23 @@ # Eric Garver <e@erig.me>, 2018. #zanata # Fabian Affolter <fab@fedoraproject.org>, 2018. #zanata # Phil Sutter <psutter@redhat.com>, 2020. +# Joachim Philipp <joachim.philipp@gmail.com>, 2022. +# Daniel Ziegenberg <daniel@ziegenberg.at>, 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2020-01-14 14:02+0000\n" -"Last-Translator: Phil Sutter <psutter@redhat.com>\n" -"Language-Team: German <https://translate.stg.fedoraproject.org/projects/" +"PO-Revision-Date: 2022-09-16 21:19+0000\n" +"Last-Translator: Daniel Ziegenberg <daniel@ziegenberg.at>\n" +"Language-Team: German <https://translate.fedoraproject.org/projects/" "firewalld/master/de/>\n" "Language: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 3.10.1\n" +"X-Generator: Weblate 4.14\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -251,7 +253,7 @@ #: ../src/firewall-applet.in:893 msgid "No Active Zones." -msgstr "Keine aktiven Zonen" +msgstr "Keine aktivierten Zonen" #: ../src/firewall-applet.in:952 msgid "Connection to FirewallD established." @@ -1959,7 +1961,6 @@ msgstr "Bitte eine umfassende Regel eingeben." #: ../src/firewall-config.glade.h:255 -#, fuzzy msgid "For host or network allow or denylisting deactivate the element." msgstr "" "Element deaktivieren, um Positiv- oder Negativlisten für Host oder Netzwerk "
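Review bot: `No Active Zones.` ends with a period and the new msgstr `Keine aktivierten Zonen` still omits it, as the old one did; also `aktivierten` (activated) is a shift from `aktiven` (active), which is what the msgid says. Suggest `Keine aktiven Zonen.` so the translation matches the source string in both meaning and punctuation.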
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/po/et.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/et.po
Changed
@@ -6,21 +6,22 @@ # mihkel <turakas@gmail.com>, 2012 # mihkel <turakas@gmail.com>, 2012 # Thomas Woerner <twoerner@redhat.com>, 2016. #zanata +# H A <contact+fedora@hen.ee>, 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2016-01-04 12:21+0000\n" -"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" -"Language-Team: Estonian (http://www.transifex.com/projects/p/firewalld/" -"language/et/)\n" +"PO-Revision-Date: 2022-06-12 21:18+0000\n" +"Last-Translator: H A <contact+fedora@hen.ee>\n" +"Language-Team: Estonian <https://translate.fedoraproject.org/projects/" +"firewalld/master/et/>\n" "Language: et\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=2; plural=(n != 1);\n" -"X-Generator: Zanata 4.6.2\n" +"Plural-Forms: nplurals=2; plural=n != 1;\n" +"X-Generator: Weblate 4.12.2\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -37,19 +38,19 @@ #. Translators: These are searchable keywords for the firewall configuration tool #: ../config/firewall-config.desktop.in.h:4 msgid "firewall;network;security;iptables;netfilter;" -msgstr "" +msgstr "tulemüür;võrk;turvalisus;iptables;netfliter;firewall;network;security;" #: ../src/firewall-applet.in:84 ../src/firewall-config.in:7986 #, c-format msgid "Select zone for interface '%s'" -msgstr "" +msgstr "Vali tsoon liidese jaoks '%s'" #: ../src/firewall-applet.in:124 ../src/firewall-applet.in:131 #: ../src/firewall-applet.in:137 ../src/firewall-config.in:2446 #: ../src/firewall-config.in:8031 ../src/firewall-config.in:8039 #: ../src/firewall-config.in:8072 ../src/firewall-config.glade.h:8 msgid "Default Zone" -msgstr "" +msgstr "Vaiketsoon" #: ../src/firewall-applet.in:158 ../src/firewall-config.in:8065 #, c-format 
@@ -98,7 +99,7 @@ #: ../src/firewall-applet.in:383 msgid "Authors" -msgstr "" +msgstr "Autorid" #: ../src/firewall-applet.in:393 msgid "License" @@ -804,7 +805,7 @@ #: ../src/firewall-config.glade.h:24 msgid "Port / Port Range:" -msgstr "Port / Portide vahemik:" +msgstr "Port / Portide vahemik:" #: ../src/firewall-config.glade.h:25 msgid "IP address:"
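Review bot: the new keyword translation `tulemüür;võrk;turvalisus;iptables;netfliter;firewall;network;security;` misspells `netfilter` as `netfliter`; these are searchable desktop keywords, so the typo means a search for the real name will not match. Fix it before the string ships.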
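Review bot: the `Port / Portide vahemik:` change shows no visible difference between the removed and added msgstr, so it is most likely a whitespace or non-breaking-space edit; confirm that is intended (a stray NBSP in a label is easy to introduce from a web translation editor) so the diff does not carry an accidental change.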
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/po/hr.po
Added
@@ -0,0 +1,1879 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# Gogo Gogsi <linux.hr@protonmail.com>, 2021. +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2021-05-25 10:54-0400\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"Language: hr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 +msgid "Firewall Applet" +msgstr "" + +#: ../config/firewall-config.desktop.in.h:1 +msgid "Firewall" +msgstr "" + +#: ../config/firewall-config.desktop.in.h:2 ../src/firewall-config.glade.h:55 +msgid "Firewall Configuration" +msgstr "" + +#. Translators: These are searchable keywords for the firewall configuration tool +#: ../config/firewall-config.desktop.in.h:4 +msgid "firewall;network;security;iptables;netfilter;" +msgstr "" + +#: ../src/firewall-applet.in:84 ../src/firewall-config.in:7986 +#, c-format +msgid "Select zone for interface '%s'" +msgstr "" + +#: ../src/firewall-applet.in:124 ../src/firewall-applet.in:131 +#: ../src/firewall-applet.in:137 ../src/firewall-config.in:2446 +#: ../src/firewall-config.in:8031 ../src/firewall-config.in:8039 +#: ../src/firewall-config.in:8072 ../src/firewall-config.glade.h:8 +msgid "Default Zone" +msgstr "" + +#: ../src/firewall-applet.in:158 ../src/firewall-config.in:8065 +#, c-format +msgid "Select zone for connection '%s'" +msgstr "" + +#: ../src/firewall-applet.in:168 ../src/firewall-config.in:3925 +msgid "Failed to set zone {zone} for connection {connection_name}" +msgstr "" + +#: ../src/firewall-applet.in:182 +#, c-format +msgid "Select zone for source '%s'" +msgstr "" + +#: ../src/firewall-applet.in:199 +msgid "Configure Shields Up/Down Zones" +msgstr "" + 
+#: ../src/firewall-applet.in:212 +msgid "Here you can select the zones used for Shields Up and Shields Down." +msgstr "" + +#: ../src/firewall-applet.in:218 +msgid "" +"This feature is useful for people using the default zones mostly. For users, " +"that are changing zones of connections, it might be of limited use." +msgstr "" + +#: ../src/firewall-applet.in:227 +msgid "Shields Up Zone:" +msgstr "" + +#: ../src/firewall-applet.in:236 ../src/firewall-applet.in:249 +msgid "Reset To Default" +msgstr "" + +#: ../src/firewall-applet.in:240 +msgid "Shields Down Zone:" +msgstr "" + +#: ../src/firewall-applet.in:332 +#, c-format +msgid "About %s" +msgstr "" + +#: ../src/firewall-applet.in:383 +msgid "Authors" +msgstr "" + +#: ../src/firewall-applet.in:393 +msgid "License" +msgstr "" + +#: ../src/firewall-applet.in:462 +msgid "Shields Up" +msgstr "" + +#: ../src/firewall-applet.in:469 +msgid "Enable Notifications" +msgstr "" + +#: ../src/firewall-applet.in:475 +msgid "Edit Firewall Settings..." +msgstr "" + +#: ../src/firewall-applet.in:479 ../src/firewall-config.glade.h:61 +msgid "Change Zones of Connections..." +msgstr "" + +#: ../src/firewall-applet.in:483 +msgid "Configure Shields UP/Down Zones..." 
+msgstr "" + +#: ../src/firewall-applet.in:487 +msgid "Block all network traffic" +msgstr "" + +#: ../src/firewall-applet.in:492 +msgid "About" +msgstr "" + +#: ../src/firewall-applet.in:500 ../src/firewall-config.in:618 +#: ../src/firewall-config.in:2387 ../src/firewall-config.in:2668 +#: ../src/firewall-config.in:2694 +msgid "Connections" +msgstr "" + +#: ../src/firewall-applet.in:504 ../src/firewall-config.in:620 +#: ../src/firewall-config.in:2475 ../src/firewall-config.in:2671 +#: ../src/firewall-config.in:2696 ../src/firewall-config.glade.h:130 +msgid "Interfaces" +msgstr "" + +#: ../src/firewall-applet.in:508 ../src/firewall-config.in:622 +#: ../src/firewall-config.in:2506 ../src/firewall-config.in:2674 +#: ../src/firewall-config.in:2698 ../src/firewall-config.glade.h:135 +msgid "Sources" +msgstr "" + +#: ../src/firewall-applet.in:579 ../src/firewall-config.in:2288 +msgid "Authorization failed." +msgstr "" + +#: ../src/firewall-applet.in:581 ../src/firewall-config.in:2290 +msgid "Invalid name" +msgstr "" + +#: ../src/firewall-applet.in:585 ../src/firewall-config.in:2293 +msgid "Name already exists" +msgstr "" + +#: ../src/firewall-applet.in:677 +msgid "{entry} (Zone: {zone})" +msgstr "" + +#: ../src/firewall-applet.in:684 +msgid "{entry} (Default Zone: {default_zone})" +msgstr "" + +#: ../src/firewall-applet.in:762 ../src/firewall-config.in:1574 +msgid "Failed to get connections from NetworkManager" +msgstr "" + +#: ../src/firewall-applet.in:774 ../src/firewall-config.in:1386 +msgid "No NetworkManager imports available" +msgstr "" + +#: ../src/firewall-applet.in:851 +msgid "No connection to firewall daemon" +msgstr "" + +#: ../src/firewall-applet.in:857 ../src/firewall-applet.in:994 +msgid "All network traffic is blocked." 
+msgstr "" + +#: ../src/firewall-applet.in:860 +#, c-format +msgid "Default Zone: '%s'" +msgstr "" + +#: ../src/firewall-applet.in:866 +msgid "" +"Default Zone '{default_zone}' active for connection '{connection}' on " +"interface '{interface}'" +msgstr "" + +#: ../src/firewall-applet.in:869 +msgid "" +"Zone '{zone}' active for connection '{connection}' on interface '{interface}'" +msgstr "" + +#: ../src/firewall-applet.in:881 +msgid "Zone '{zone}' active for interface '{interface}'"
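Review bot: every msgstr in this new hr.po is empty and the header still carries the template placeholders (`PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE`, `Last-Translator: Automatically generated`, `Language-Team: none`), so the catalogue adds about 1,900 lines and a compiled .mo to the package without translating a single string. If the build installs every po/*.po it finds, consider excluding catalogues that `msgfmt --statistics` reports as 0 translated until upstream has content for hr. The header does declare `charset=UTF-8`, which is consistent with the other catalogues touched in this update, so nothing here needs the encoding fix the package otherwise applies.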
_service:tar_scm:firewalld-1.0.2.tar.gz/po/ka.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/ka.po
Changed
@@ -5,25 +5,26 @@ # Translators: # George Machitidze <giomac@gmail.com>, 2013 # Thomas Woerner <twoerner@redhat.com>, 2016. #zanata +# Temuri Doghonadze <temuri.doghonadze@gmail.com>, 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2016-01-04 12:24+0000\n" -"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" -"Language-Team: Georgian (http://www.transifex.com/projects/p/firewalld/" -"language/ka/)\n" +"PO-Revision-Date: 2022-07-31 08:19+0000\n" +"Last-Translator: Temuri Doghonadze <temuri.doghonadze@gmail.com>\n" +"Language-Team: Georgian <https://translate.fedoraproject.org/projects/" +"firewalld/master/ka/>\n" "Language: ka\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Zanata 4.6.2\n" +"X-Generator: Weblate 4.13\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" -msgstr "" +msgstr "ბრანდმაუერის აპლეტი" #: ../config/firewall-config.desktop.in.h:1 msgid "Firewall" 
@@ -36,76 +37,79 @@ #. Translators: These are searchable keywords for the firewall configuration tool #: ../config/firewall-config.desktop.in.h:4 msgid "firewall;network;security;iptables;netfilter;" -msgstr "" +msgstr "ბრანდმაუერი;ქსელი;უსაფრთხოება;iptables;netfilter;" #: ../src/firewall-applet.in:84 ../src/firewall-config.in:7986 #, c-format msgid "Select zone for interface '%s'" -msgstr "" +msgstr "აირჩიეთ ინტერფეისის (%s) ზონა" #: ../src/firewall-applet.in:124 ../src/firewall-applet.in:131 #: ../src/firewall-applet.in:137 ../src/firewall-config.in:2446 #: ../src/firewall-config.in:8031 ../src/firewall-config.in:8039 #: ../src/firewall-config.in:8072 ../src/firewall-config.glade.h:8 msgid "Default Zone" -msgstr "" +msgstr "ნაგულისხმები ზონა" #: ../src/firewall-applet.in:158 ../src/firewall-config.in:8065 #, c-format msgid "Select zone for connection '%s'" -msgstr "" +msgstr "აირჩიეთ კავშირის (%s) ზონა" #: ../src/firewall-applet.in:168 ../src/firewall-config.in:3925 msgid "Failed to set zone {zone} for connection {connection_name}" -msgstr "" +msgstr "კავშირისთვის ( {connection_name}) ზონის ({zone}) დაყენების შეცდომა" #: ../src/firewall-applet.in:182 #, c-format msgid "Select zone for source '%s'" -msgstr "" +msgstr "აირჩიეთ წყაროს (%s) ზონა" #: ../src/firewall-applet.in:199 msgid "Configure Shields Up/Down Zones" -msgstr "" +msgstr "ღია/დახურული ზონების მორგება" #: ../src/firewall-applet.in:212 msgid "Here you can select the zones used for Shields Up and Shields Down." -msgstr "" +msgstr "აქ შეგიძლიათ აირჩიოთ ზონები დაცვის ჩართვა/გამორთვისთვის." #: ../src/firewall-applet.in:218 msgid "" "This feature is useful for people using the default zones mostly. For users, " "that are changing zones of connections, it might be of limited use." msgstr "" +"ეს თვისება ძირითადად საჭიროა ხალხისთვის, რომლებიც ძირითადად ნაგულისხებ " +"ზონებს იყენებენ. მომხმარებლებისთვის, რომლების კავშირების ზონებს ცვლიან, მას " +"მხოლოდ მცირება გამოყენება ექნება." 
#: ../src/firewall-applet.in:227 msgid "Shields Up Zone:" -msgstr "" +msgstr "ღია ზონა:" #: ../src/firewall-applet.in:236 ../src/firewall-applet.in:249 msgid "Reset To Default" -msgstr "" +msgstr "ნაგულისხმებზე დაბრუნება" #: ../src/firewall-applet.in:240 msgid "Shields Down Zone:" -msgstr "" +msgstr "დახურული ზონა:" #: ../src/firewall-applet.in:332 #, c-format msgid "About %s" -msgstr "" +msgstr "%s-ის შესახებ" #: ../src/firewall-applet.in:383 msgid "Authors" -msgstr "" +msgstr "ავტორები" #: ../src/firewall-applet.in:393 msgid "License" -msgstr "" +msgstr "ლიცენზია" #: ../src/firewall-applet.in:462 msgid "Shields Up" -msgstr "" +msgstr "ბრანდმაუერის ჩართვა" #: ../src/firewall-applet.in:469 msgid "Enable Notifications" @@ -117,11 +121,11 @@ #: ../src/firewall-applet.in:479 ../src/firewall-config.glade.h:61 msgid "Change Zones of Connections..." -msgstr "" +msgstr "კავშირების ზონების შეცვლა..." #: ../src/firewall-applet.in:483 msgid "Configure Shields UP/Down Zones..." -msgstr "" +msgstr "ღია/დახურული ზონების მორგება..." #: ../src/firewall-applet.in:487 msgid "Block all network traffic" @@ -129,13 +133,13 @@ #: ../src/firewall-applet.in:492 msgid "About" -msgstr "" +msgstr "შესახებ" #: ../src/firewall-applet.in:500 ../src/firewall-config.in:618 #: ../src/firewall-config.in:2387 ../src/firewall-config.in:2668 #: ../src/firewall-config.in:2694 msgid "Connections" -msgstr "კავშირი არაა." +msgstr "კავშირები" #: ../src/firewall-applet.in:504 ../src/firewall-config.in:620 #: ../src/firewall-config.in:2475 ../src/firewall-config.in:2671 @@ -147,7 +151,7 @@ #: ../src/firewall-config.in:2506 ../src/firewall-config.in:2674 #: ../src/firewall-config.in:2698 ../src/firewall-config.glade.h:135 msgid "Sources" -msgstr "" +msgstr "წყაროები" #: ../src/firewall-applet.in:579 ../src/firewall-config.in:2288 msgid "Authorization failed." 
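Review bot: the new translation of `Failed to set zone {zone} for connection {connection_name}` has a stray space inside the parenthesis, `კავშირისთვის ( {connection_name}) ზონის ({zone})`, which will appear verbatim in the applet dialog; drop the space before `{connection_name}`. The brace placeholders themselves are carried over intact, which is the part that must survive translation. Two other things worth a native speaker's eye: `Shields Up Zone:` becomes `ღია ზონა:` (open zone) while `Shields Up` itself becomes `ბრანდმაუერის ჩართვა` (enable firewall), and since shields-up is the restrictive state the two should be checked for consistency. The replacement of the old `Connections` string `კავშირი არაა.`, which read as a "no connection" message, with `კავშირები` is a correct fix.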
@@ -155,7 +159,7 @@ #: ../src/firewall-applet.in:581 ../src/firewall-config.in:2290 msgid "Invalid name" -msgstr "" +msgstr "არასწორი სახელი" #: ../src/firewall-applet.in:585 ../src/firewall-config.in:2293 msgid "Name already exists" @@ -163,23 +167,23 @@ #: ../src/firewall-applet.in:677 msgid "{entry} (Zone: {zone})" -msgstr "" +msgstr "{entry} (ზონა: {zone})" #: ../src/firewall-applet.in:684 msgid "{entry} (Default Zone: {default_zone})" -msgstr "" +msgstr "{entry} (ნაგულისხმები ზონა: {default_zone})" #: ../src/firewall-applet.in:762 ../src/firewall-config.in:1574 msgid "Failed to get connections from NetworkManager" -msgstr "" +msgstr "NetworkManager-დან კავშირების მიღების შეცდომა" #: ../src/firewall-applet.in:774 ../src/firewall-config.in:1386 msgid "No NetworkManager imports available" -msgstr "" +msgstr "NetworkManager-დან შემოტანა მიუწვდომელია" #: ../src/firewall-applet.in:851 msgid "No connection to firewall daemon"
_service:tar_scm:firewalld-1.0.2.tar.gz/po/ko.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/ko.po
Changed
@@ -15,13 +15,14 @@ # Terry Chuang <tchuang@redhat.com>, 2016. #zanata # Eric Garver <e@erig.me>, 2018. #zanata # simmon <simmon@nplob.com>, 2021. +# 김인수 <simmon@nplob.com>, 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2021-06-22 10:04+0000\n" -"Last-Translator: simmon <simmon@nplob.com>\n" +"PO-Revision-Date: 2022-06-06 06:18+0000\n" +"Last-Translator: 김인수 <simmon@nplob.com>\n" "Language-Team: Korean <https://translate.fedoraproject.org/projects/" "firewalld/master/ko/>\n" "Language: ko\n" @@ -29,7 +30,7 @@ "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Weblate 4.7\n" +"X-Generator: Weblate 4.12.2\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -1004,8 +1005,8 @@ "Lockdown locks firewall configuration so that only applications on lockdown " "whitelist are able to change it." msgstr "" -"잠금 기능은 방화벽 설정을 잠금하여 잠금 화이트리스트에 있는 애플리케이션만 변" -"경할 수 있게 합니다." +"잠금 기능은 방화벽 설정을 잠금하여 잠금 화이트 리스트에 있는 응용프로그램만 " +"변경 할 수 있게 합니다." #: ../src/firewall-config.glade.h:71 msgid "Lockdown" @@ -1205,7 +1206,7 @@ #: ../src/firewall-config.glade.h:111 msgid "Masquerading" -msgstr "마스커레이딩 (Masquerading)" +msgstr "매스쿼레이딩" #: ../src/firewall-config.glade.h:112 msgid "" @@ -1638,8 +1639,8 @@ "firewalld. It limits changes to the firewall. The lockdown whitelist can " "contain commands, contexts, users and user ids." msgstr "" -"잠금 기능은 firewalld의 사용자 및 애플리케이션 정책에 대한 경량 버전입니다. " -"이는 방화벽 변경을 제한합니다. 잠금 화이트리스트에는 명령, 내용, 사용자 및 사" +"잠금 기능은 firewalld의 사용자와 응용프로그램 정책에 대한 경량 버전입니다. 이" +"는 방화벽 변경을 제한합니다. 잠금 화이트 리스트에는 명령, 내용, 사용자 및 사" "용자 ID가 포함되어 있습니다." #: ../src/firewall-config.glade.h:195 
@@ -1648,8 +1649,8 @@ "service. To get the context of a running application use <tt>ps -e --" "context</tt>." msgstr "" -"컨텍스트는 실행 중인 애플리케이션이나 서비스의 보안 (SELinux) 컨텍스트입니" -"다. 실행 중인 애플리케이션의 컨텍스트를 얻으려면 <tt>ps -e --context</tt>를 " +"컨텍스트는 실행 중인 응용프로그램이나 서비스의 보안 (SELinux) 컨텍스트입니" +"다. 실행 중인 응용프로그램의 컨텍스트를 얻으려면 <tt>ps -e --context</tt>를 " "사용합니다." #: ../src/firewall-config.glade.h:196
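Review bot: dropping the English gloss from `마스커레이딩 (Masquerading)` to `매스쿼레이딩` removes the one place the GUI showed the term an admin has to type on the command line (`--add-masquerade`, `--query-masquerade`) or search for in the documentation; keeping the English in parentheses, as the previous string did, makes cross-referencing firewall-config with firewall-cmd easier. The lockdown strings in this file are wording-only changes (`애플리케이션` → `응용프로그램`, `화이트리스트` → `화이트 리스트`) and keep the `<tt>ps -e --context</tt>` markup intact, which is what must survive translation for the SELinux-context hint to render.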
_service:tar_scm:firewalld-1.0.2.tar.gz/po/ru.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/ru.po
Changed
@@ -18,22 +18,23 @@ # Thomas Woerner <twoerner@redhat.com>, 2017. #zanata # Eric Garver <e@erig.me>, 2018. #zanata # Igor Gorbounov <igor.gorbounov@gmail.com>, 2018. #zanata +# Sergey A. <sw@atrus.ru>, 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2018-11-16 08:27+0000\n" -"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" -"Language-Team: Russian (http://www.transifex.com/projects/p/firewalld/" -"language/ru/)\n" +"PO-Revision-Date: 2022-06-20 00:37+0000\n" +"Last-Translator: Sergey A. <sw@atrus.ru>\n" +"Language-Team: Russian <https://translate.fedoraproject.org/projects/" +"firewalld/master/ru/>\n" "Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" -"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" -"X-Generator: Zanata 4.6.2\n" +"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" +"X-Generator: Weblate 4.13\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -80,7 +81,7 @@ #: ../src/firewall-applet.in:199 msgid "Configure Shields Up/Down Zones" -msgstr "Настроить зоны включения/выключения защиты…" +msgstr "Настроить зоны включения/выключения защиты" #: ../src/firewall-applet.in:212 msgid "Here you can select the zones used for Shields Up and Shields Down." @@ -978,7 +979,7 @@ #: ../src/firewall-config.glade.h:63 msgid "Change default zone for connections or interfaces." -msgstr "Изменить стандартную зону для соединений и интерфейсов" +msgstr "Изменить стандартную зону для соединений и интерфейсов." #: ../src/firewall-config.glade.h:64 msgid "Change Log Denied" 
@@ -986,7 +987,7 @@ #: ../src/firewall-config.glade.h:65 msgid "Change LogDenied value." -msgstr "Изменить правила ограничения журналирования" +msgstr "Изменить правила ведения журнала (LogDenied)." #: ../src/firewall-config.glade.h:66 msgid "Configure Automatic Helper Assigment" @@ -1102,7 +1103,7 @@ "filters and rich rules. The zone can be bound to interfaces and source " "addresses." msgstr "" -"Зона firewalld определяет уровень доверия для сетевых соединений, " +"Зона firewalld определяет уровень доверия для сетевых соединений, " "интерфейсов и адресов. Зона объединяет службы, порты, протоколы, " "маскирование, переадресацию портов и пакетов, фильтры icmp и расширенные " "правила. Зоны могут быть привязаны к интерфейсам и адресам." @@ -1399,7 +1400,7 @@ #: ../src/firewall-config.glade.h:148 msgid "Netfilter helper modules are needed for some services." -msgstr "Для некоторых служб требуются модули поддержки Netfilter" +msgstr "Для некоторых служб требуются модули поддержки Netfilter." #: ../src/firewall-config.glade.h:149 msgid "Modules" @@ -1517,7 +1518,7 @@ #: ../src/firewall-config.glade.h:171 msgid "Specify whether this ICMP Type is available for IPv4 and/or IPv6." -msgstr "Укажите, доступен ли этот тип ICMP для IPv4 и IPv6." +msgstr "Укажите, доступен ли этот тип ICMP для IPv4 и/или IPv6." #: ../src/firewall-config.glade.h:172 msgid "" @@ -1566,7 +1567,7 @@ #: ../src/firewall-config.glade.h:177 msgid "Additional chains for use with rules." -msgstr "Дополнительные цепочки для правил" +msgstr "Дополнительные цепочки для правил." #: ../src/firewall-config.glade.h:178 msgid "Add Chain" 
@@ -1693,7 +1694,7 @@ "command lines starting with the command will match. If the '*' is not there " "the absolute command inclusive arguments must match." msgstr "" -"Команды в белом списке могут содержать символ подстановки «*». Если он не " +"Команды в белом списке могут содержать символ подстановки «*». Если он не " "указан, будут обработаны лишь точные соответствия." #: ../src/firewall-config.glade.h:201 @@ -1907,7 +1908,6 @@ msgstr "Введите правило." #: ../src/firewall-config.glade.h:255 -#, fuzzy msgid "For host or network allow or denylisting deactivate the element." msgstr "" "Отключите элемент, чтобы получить возможность управления черными и белыми " @@ -1943,7 +1943,7 @@ "'ipv6' (not both)." msgstr "" "Чтобы разрешить, поле «Действие» должно иметь значение «отказать», а " -"«Семейство протоколов» — «ipv4» или «ipv6»." +"«Семейство протоколов» — «ipv4» или «ipv6»." #: ../src/firewall-config.glade.h:267 msgid "with Type:"
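Review bot: the `#, fuzzy` marker on the glade.h:255 entry is removed without touching the translation, so msgfmt will now compile `Отключите элемент, чтобы получить возможность управления черными и белыми ...` for a msgid that was reworded to `allow or denylisting`; the Russian still speaks of black and white lists. Either reword it to match the new msgid or leave it fuzzy so the string keeps falling back to English. The rest of this file is safe: the `Plural-Forms` header only loses redundant parentheses around the ternary (same precedence, same result), the trailing `…` is dropped from `Настроить зоны включения/выключения защиты` to match the msgid, and `Change LogDenied value.` now names the setting it changes instead of a generic "logging limits" phrase.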
_service:tar_scm:firewalld-1.0.2.tar.gz/po/si.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/si.po
Changed
@@ -7,13 +7,16 @@ "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: Automatically generated\n" -"Language-Team: none\n" +"PO-Revision-Date: 2021-08-19 06:05+0000\n" +"Last-Translator: Hela Basa <r45xveza@pm.me>\n" +"Language-Team: Sinhala <https://translate.fedoraproject.org/projects/" +"firewalld/master/si/>\n" "Language: si\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=n > 1;\n" +"X-Generator: Weblate 4.7.2\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -21,7 +24,7 @@ #: ../config/firewall-config.desktop.in.h:1 msgid "Firewall" -msgstr "" +msgstr "ගිනිපවුර" #: ../config/firewall-config.desktop.in.h:2 ../src/firewall-config.glade.h:55 msgid "Firewall Configuration" @@ -87,7 +90,7 @@ #: ../src/firewall-applet.in:332 #, c-format msgid "About %s" -msgstr "" +msgstr "%s පිළිබඳව" #: ../src/firewall-applet.in:383 msgid "Authors" @@ -95,7 +98,7 @@ #: ../src/firewall-applet.in:393 msgid "License" -msgstr "" +msgstr "බලපත්රය" #: ../src/firewall-applet.in:462 msgid "Shields Up" @@ -103,11 +106,11 @@ #: ../src/firewall-applet.in:469 msgid "Enable Notifications" -msgstr "" +msgstr "දැනුම්දීම් සබල කරන්න" #: ../src/firewall-applet.in:475 msgid "Edit Firewall Settings..." -msgstr "" +msgstr "ගිනිපවුරෙහි සැකසුම් සංස්කරණය..." #: ../src/firewall-applet.in:479 ../src/firewall-config.glade.h:61 msgid "Change Zones of Connections..." 
@@ -123,19 +126,19 @@ #: ../src/firewall-applet.in:492 msgid "About" -msgstr "" +msgstr "පිළිබඳව" #: ../src/firewall-applet.in:500 ../src/firewall-config.in:618 #: ../src/firewall-config.in:2387 ../src/firewall-config.in:2668 #: ../src/firewall-config.in:2694 msgid "Connections" -msgstr "" +msgstr "සම්බන්ධතා" #: ../src/firewall-applet.in:504 ../src/firewall-config.in:620 #: ../src/firewall-config.in:2475 ../src/firewall-config.in:2671 #: ../src/firewall-config.in:2696 ../src/firewall-config.glade.h:130 msgid "Interfaces" -msgstr "" +msgstr "අතුරුමුහුණත්" #: ../src/firewall-applet.in:508 ../src/firewall-config.in:622 #: ../src/firewall-config.in:2506 ../src/firewall-config.in:2674 @@ -149,11 +152,11 @@ #: ../src/firewall-applet.in:581 ../src/firewall-config.in:2290 msgid "Invalid name" -msgstr "" +msgstr "වලංගු නොවන නාමයකි" #: ../src/firewall-applet.in:585 ../src/firewall-config.in:2293 msgid "Name already exists" -msgstr "" +msgstr "නම දැනටමත් පවතී" #: ../src/firewall-applet.in:677 msgid "{entry} (Zone: {zone})"
_service:tar_scm:firewalld-1.0.2.tar.gz/po/tr.po -> _service:tar_scm:firewalld-1.2.1.tar.gz/po/tr.po
Changed
@@ -8,13 +8,14 @@ # Onuralp SEZER <thunderbirdtr@gmail.com>, 2012 # Serdar Sağlam <teknomobil@msn.com>, 2019. #zanata # Oğuz Ersen <oguzersen@protonmail.com>, 2020. -# Burak Yavuz <hitowerdigit@hotmail.com>, 2020. +# Burak Yavuz <hitowerdigit@hotmail.com>, 2020, 2022. +# Oğuz Ersen <oguz@ersen.moe>, 2022. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2021-05-25 10:54-0400\n" -"PO-Revision-Date: 2020-11-07 16:35+0000\n" +"PO-Revision-Date: 2022-07-07 20:19+0000\n" "Last-Translator: Burak Yavuz <hitowerdigit@hotmail.com>\n" "Language-Team: Turkish <https://translate.fedoraproject.org/projects/" "firewalld/master/tr/>\n" @@ -23,7 +24,7 @@ "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n>1);\n" -"X-Generator: Weblate 4.3.2\n" +"X-Generator: Weblate 4.13\n" #: ../config/firewall-applet.desktop.in.h:1 ../src/firewall-applet.in:408 msgid "Firewall Applet" @@ -165,11 +166,11 @@ #: ../src/firewall-applet.in:581 ../src/firewall-config.in:2290 msgid "Invalid name" -msgstr "Argumento inválido %s" +msgstr "Geçersiz ad" #: ../src/firewall-applet.in:585 ../src/firewall-config.in:2293 msgid "Name already exists" -msgstr "Bu isim zaten kullanılıyor" +msgstr "Bu ad zaten var" #: ../src/firewall-applet.in:677 msgid "{entry} (Zone: {zone})" @@ -330,7 +331,7 @@ #: ../src/firewall-config.in:125 msgid "Failed to load icons." -msgstr "Ikonların yüklenmesi başarısız." +msgstr "Simgeler yüklenemedi." #: ../src/firewall-config.in:187 ../src/firewall-config.glade.h:6 msgid "Context" @@ -388,7 +389,7 @@ #: ../src/firewall-config.in:1013 ../src/firewall-config.in:1032 #: ../src/firewall-config.glade.h:250 msgid "Protocol" -msgstr "Protocolo" +msgstr "Protokol" #: ../src/firewall-config.in:564 msgid "To Port" 
@@ -731,7 +732,7 @@ #: ../src/firewall-config.in:6882 msgid "Built-in icmp, rename not supported." -msgstr "Dahili icmp, Yeniden isimlendirme desteklenmiyor." +msgstr "Dahili icmp, yeniden adlandırma desteklenmiyor." #: ../src/firewall-config.in:7954 #, c-format @@ -823,9 +824,7 @@ #: ../src/firewall-config.glade.h:23 msgid "" "Please select the source and destination options according to your needs." -msgstr "" -"Por favor, seleccione as opções de origem e destino de acordo com as suas " -"necessidades." +msgstr "Lütfen ihtiyaçlarınıza göre kaynak ve hedef seçeneklerini seçin." #: ../src/firewall-config.glade.h:24 msgid "Port / Port Range:" @@ -833,7 +832,7 @@ #: ../src/firewall-config.glade.h:25 msgid "IP address:" -msgstr "Endereço IP:" +msgstr "IP adresi:" #: ../src/firewall-config.glade.h:26 msgid "Protocol:" @@ -874,7 +873,7 @@ #: ../src/firewall-config.glade.h:35 msgid "Name:" -msgstr "İsim:" +msgstr "Ad:" #: ../src/firewall-config.glade.h:36 msgid "Version:" @@ -922,7 +921,7 @@ #: ../src/firewall-config.glade.h:50 msgid "Add Entry" -msgstr "Adicionar Entrada" +msgstr "Giriş Ekle" #: ../src/firewall-config.glade.h:51 msgid "Add Entries From File" @@ -930,7 +929,7 @@ #: ../src/firewall-config.glade.h:52 msgid "Remove Selected Entry" -msgstr "Seçilen Girdiyi Kaldır" +msgstr "Seçilen Girişi Kaldır" #: ../src/firewall-config.glade.h:53 msgid "Remove All Entries" @@ -1289,11 +1288,11 @@ #: ../src/firewall-config.glade.h:123 msgid "Edit Rich Rule" -msgstr "Geliştirilmiş Kural Düzenle" +msgstr "Geliştirilmiş Kuralı Düzenle" #: ../src/firewall-config.glade.h:124 msgid "Remove Rich Rule" -msgstr "Geliştirilmiş Kural Kaldır" +msgstr "Geliştirilmiş Kuralı Kaldır" #: ../src/firewall-config.glade.h:125 msgid "Rich Rules" 
@@ -1314,11 +1313,11 @@ #: ../src/firewall-config.glade.h:128 msgid "Edit Interface" -msgstr "Arayüz Düzenle" +msgstr "Arayüzü Düzenle" #: ../src/firewall-config.glade.h:129 msgid "Remove Interface" -msgstr "Arayüz Kaldır" +msgstr "Arayüzü Kaldır" #: ../src/firewall-config.glade.h:131 msgid "" @@ -1337,11 +1336,11 @@ #: ../src/firewall-config.glade.h:133 msgid "Edit Source" -msgstr "Kaynak Düzenle" +msgstr "Kaynağı Düzenle" #: ../src/firewall-config.glade.h:134 msgid "Remove Source" -msgstr "Kaynak Kaldır" +msgstr "Kaynağı Kaldır" #: ../src/firewall-config.glade.h:136 msgid "Zones" @@ -1381,11 +1380,11 @@ #: ../src/firewall-config.glade.h:144 msgid "Edit Entry" -msgstr "Editar Entrada" +msgstr "Girişi Düzenle" #: ../src/firewall-config.glade.h:145 msgid "Remove Entry" -msgstr "Girişi sil" +msgstr "Girişi Kaldır" #: ../src/firewall-config.glade.h:146 msgid "" @@ -1709,9 +1708,9 @@ "command lines starting with the command will match. If the '*' is not there " "the absolute command inclusive arguments must match." msgstr "" -"Beyaz listedeki bir komut girdisi yıldız işareti '*' ile bitiyorsa, o " -"komutla başlayan tüm komut satırları eşleşecektir. '*' yok ise, argümanlar " -"dahil komut tamamen eşleşmelidir." +"Eğer beyaz listedeki bir komut girişi, yıldız işareti '*' ile bitiyorsa, " +"sonrasında komutla başlayan tüm komut satırları eşleşecektir. Eğer '*' yok " +"ise, bağımsız değişkenler dahil komut tamamen eşleşmek zorundadır." #: ../src/firewall-config.glade.h:201 msgid "Add Command Line" @@ -1747,7 +1746,7 @@ #: ../src/firewall-config.glade.h:209 msgid "User names" -msgstr "Kullanıcı isimleri" +msgstr "Kullanıcı adları" #: ../src/firewall-config.glade.h:210 msgid "User ids." @@ -1825,7 +1824,7 @@ #: ../src/firewall-config.glade.h:228 msgid "Maxelem:" -msgstr "Maks. eleman:" +msgstr "Azami eleman:" #: ../src/firewall-config.glade.h:229
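Review bot: several of the replaced msgstr in this file were not Turkish at all but Portuguese/Spanish leftovers (`Argumento inválido %s`, `Protocolo`, `Endereço IP:`, `Adicionar Entrada`, `Editar Entrada`, `Por favor, seleccione as opções...`), and the first of them carried a `%s` that the msgid `Invalid name` does not have, so users saw a literal `%s` in the applet's error text. The new strings fix the entries a translator happened to touch, but the diff cannot show what else is still wrong: `msgfmt --check-format` only validates entries flagged `#, c-format` (the flag is present on `Select zone for interface '%s'` but not on `Invalid name`), so it would not have caught this. A quick pass over the untouched tr.po entries for remaining Portuguese strings is worth doing before this ships.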
_service:tar_scm:firewalld-1.0.2.tar.gz/shell-completion/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/shell-completion/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -159,16 +159,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -206,8 +204,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -380,6 +378,7 @@ cscope cscopelist: + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
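Review bot: the generator version moves backwards in this regenerated file (automake 1.16.4 → 1.16.1, copyright 1994-2021 → 1994-2018), which is why `CSCOPE`, `CTAGS`, `ETAGS` and `MSGMERGE_FOR_MSGFMT_OPTION` disappear and `MSGFMT_015` reappears. That is an artifact of the machine upstream rolled the 1.2.1 tarball on, not a change in the build rules, and it is harmless provided the build re-runs autoreconf before configure; if it does not, the file is used as shipped and the older-generator quirks come along with it. The substantive addition is the new `DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@` substitution, which presumably selects where firewalld logs by default; verify the value the package's configure invocation produces for it, because a change there is operationally visible to anyone collecting firewalld logs.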
_service:tar_scm:firewalld-1.0.2.tar.gz/shell-completion/bash/firewall-cmd -> _service:tar_scm:firewalld-1.2.1.tar.gz/shell-completion/bash/firewall-cmd
Changed
@@ -32,35 +32,48 @@ --query-lockdown-whitelist-user= --list-lockdown-whitelist-users" # can be used as standalone or with --permanent -OPTIONS_CONFIG="--get-zones --get-services --get-icmptypes --get-helpers \ - ${OPTIONS_LOCKDOWN} --list-all-zones \ - --info-zone= --info-service= --info-icmptype= \ - --info-ipset= --info-helper=" +OPTIONS_CONFIG="--get-zones --get-policies --get-services --get-icmptypes --get-helpers \ + ${OPTIONS_LOCKDOWN} --list-all-zones --list-all-policies \ + --info-zone= --info-policy= --info-service= --info-icmptype= \ + --info-ipset= --info-helper=" OPTIONS_ZONE_INTERFACES_SOURCES="\ --add-interface= --remove-interface= --query-interface= \ - --list-interfaces --change-interface= --change-zone= \ + --list-interfaces --change-interface= \ --add-source= --remove-source= --query-source= \ --change-source= --list-sources" -OPTIONS_ZONE_ACTION_ACTION="--add-service= --remove-service= --query-service= \ +OPTIONS_ZONE_POLICY_ACTION="--list-all \ + --list-services \ + --add-service= --remove-service= --query-service= \ + --list-ports \ --add-port= --remove-port= --query-port= \ - --add-source-port= --remove-source-port= --query-source-port= \ + --list-protocols \ --add-protocol= --remove-protocol= --query-protocol= \ + --list-source-ports \ + --add-source-port= --remove-source-port= --query-source-port= \ + --list-icmp-blocks \ --add-icmp-block= --remove-icmp-block= --query-icmp-block= \ - --add-forward-port= --remove-forward-port= --query-forward-port=" + --list-forward-ports \ + --add-forward-port= --remove-forward-port= --query-forward-port= \ + --add-masquerade --remove-masquerade --query-masquerade \ + --list-rich-rules \ + --add-rich-rule= --remove-rich-rule= --query-rich-rule=" -OPTIONS_ZONE_ADAPT_QUERY="--add-rich-rule= --remove-rich-rule= --query-rich-rule= \ - --add-icmp-block-inversion --remove-icmp-block-inversion \ +OPTIONS_ZONE_ADAPT_QUERY="--add-icmp-block-inversion --remove-icmp-block-inversion \ --query-icmp-block-inversion \ - 
--add-forward --remove-forward --query-forward \ - --add-masquerade --remove-masquerade --query-masquerade \ - --list-services --list-ports --list-protocols \ - --list-source-ports --list-icmp-blocks \ - --list-forward-ports --list-rich-rules --list-all" + --add-forward --remove-forward --query-forward" + +OPTIONS_POLICY_ADAPT_QUERY="--list-ingress-zones \ + --add-ingress-zone= --remove-ingress-zone= --query-ingress-zone= \ + --list-egress-zones \ + --add-egress-zone= --remove-egress-zone= --query-egress-zone=" + +OPTIONS_ZONE_POLICY_PERMANENT="--get-description --set-description= \ + --get-short --set-short= \ + --get-target --set-target=" -OPTIONS_ZONE_PERMANENT_ONLY="--get-description --get-short \ - --set-description= --set-short=" +OPTIONS_POLICY_PERMANENT="--get-priority --set-priority=" OPTIONS_IPSET_ACTION_ACTION="--add-entry= --remove-entry= --query-entry= --add-entries-from-file= --remove-entries-from-file" 
@@ -68,18 +81,24 @@ # can be used with/without preceding --zone=<zone> OPTIONS_ZONE="${OPTIONS_ZONE_INTERFACES_SOURCES} \ - ${OPTIONS_ZONE_ACTION_ACTION} ${OPTIONS_ZONE_ADAPT_QUERY} - ${OPTIONS_ZONE_PERMANENT_ONLY}" + ${OPTIONS_ZONE_POLICY_ACTION} \ + ${OPTIONS_ZONE_ADAPT_QUERY}" -OPTIONS_IPSET="${OPTIONS_IPSETACTION_ACTION} ${OPTIONS_IPSET_ADAPT_QUERY}" +# can be used with preceding --policy=<policy> +OPTIONS_POLICY="${OPTIONS_ZONE_POLICY_ACTION} \ + ${OPTIONS_POLICY_ADAPT_QUERY}" + +OPTIONS_IPSET="${OPTIONS_IPSET_ACTION_ACTION} ${OPTIONS_IPSET_ADAPT_QUERY}" OPTIONS_PERMANENT_ONLY="--new-icmptype= --new-icmptype-from-file= --delete-icmptype= \ --new-service= --new-service-from-file= --delete-service= \ --new-zone= --new-zone-from-file= --delete-zone= \ + --load-zone-defaults= \ + --new-policy= --new-policy-from-file= --delete-policy= \ + --load-policy-defaults= \ --new-ipset= --new-helper-from-file= --delete-ipset= \ --new-helper= --new-helper-from-file= --delete-helper= \ - --get-target --set-target= \ - --path-zone= --path-service= --path-icmptype= \ + --path-zone= --path-policy= --path-service= --path-icmptype= \ --path-ipset= --path-helper=" OPTIONS_NEW_IPSET="--type= --option=" 
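Review bot: `OPTIONS_PERMANENT_ONLY` still lists `--new-helper-from-file=` on the ipset line (`--new-ipset= --new-helper-from-file= --delete-ipset=`) and again on the helper line, so `--new-ipset-from-file=` never completes while `--new-helper-from-file=` is offered twice; since this hunk already rewrites the block to add the policy options, fix the ipset line to `--new-ipset= --new-ipset-from-file= --delete-ipset=`. In the unchanged context just above, `OPTIONS_IPSET_ACTION_ACTION` ends with `--remove-entries-from-file` without the trailing `=`, unlike its `--add-entries-from-file=` sibling, and deserves the same one-character fix. The `${OPTIONS_IPSETACTION_ACTION}` → `${OPTIONS_IPSET_ACTION_ACTION}` change is correct: the old name was never defined, so it expanded to nothing and ipset entry options were missing from `--ipset=` completion.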
@@ -89,18 +108,22 @@ OPTIONS_HELPER="" # can be used after --permanent -OPTIONS_PERMANENT="${OPTIONS_CONFIG} --zone= ${OPTIONS_ZONE} \ - ${OPTIONS_PERMANENT_ONLY}" +OPTIONS_PERMANENT="${OPTIONS_CONFIG} \ + ${OPTIONS_PERMANENT_ONLY} \ + --zone= ${OPTIONS_ZONE} \ + --policy= ${OPTIONS_POLICY_PERMANENT} \ + ${OPTIONS_ZONE_POLICY_PERMANENT}" OPTIONS_DIRECT="--passthrough \ --add-chain --remove-chain --query-chain --get-chains --get-all-chains \ - --add-rule --remove-rule --remove-rules --query-rule --get-rules --get-all-rules \ - --add-passthrough --remove-passthrough \ - --query-passthrough --get-passthroughs --get-all-passthroughs" + --add-rule --remove-rule --remove-rules --query-rule --get-rules --get-all-rules \ + --add-passthrough --remove-passthrough \ + --query-passthrough --get-passthroughs --get-all-passthroughs" # these all can be used as a "first" option OPTIONS_GENERAL="--help --version \ --state --reload --complete-reload \ + --runtime-to-permanent --check-config \ --panic-on --panic-off --query-panic \ --get-log-denied --set-log-denied= --get-ipset-types \ --lockdown-on --lockdown-off --query-lockdown \ @@ -108,6 +131,7 @@ --get-zone-of-interface= --get-zone-of-interface= \ ${OPTIONS_CONFIG} \ --zone= ${OPTIONS_ZONE} \ + --policy= \ --permanent --direct" _firewall_cmd() @@ -117,8 +141,8 @@ case $prev in --*-entries-from-file|--new-*-from-file) - _filedir - return + _filedir + return ;; --new-ipset*) if "$cur" == -* ; then 
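Review bot: `OPTIONS_PERMANENT` now offers `${OPTIONS_POLICY_PERMANENT}` (`--get-priority --set-priority=`) directly after `--permanent`, but the comment on `OPTIONS_POLICY` says those only apply with a preceding `--policy=<policy>`, and unlike zones there is no default policy to fall back on, so these completions produce command lines firewall-cmd will reject. The `--policy=*` case already adds them in the right place; drop them from this list. Also in the unchanged context, `OPTIONS_GENERAL` lists `--get-zone-of-interface=` twice; the duplicate can go while this block is being edited. The `--runtime-to-permanent --check-config` addition is welcome, both were previously missing from the first-option list.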
@@ -132,15 +156,41 @@ ;; --new-*) ;; - --zone|--set-default-zone|--info-zone|--path-zone) + --zone|--set-default-zone|--info-zone|--path-zone|--load-zone-defaults|--delete-zone) if ${words@} == *--permanent* ; then COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-zones`' -- "$cur" ) ) else COMPREPLY=( $( compgen -W '`firewall-cmd --get-zones`' -- "$cur" ) ) fi ;; + --add-ingress-zone|--remove-ingress-zone|--query-ingress-zone|\ + --add-egress-zone|--remove-egress-zone|--query-egress-zone) + if ${words@} == *--permanent* ; then + COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-zones` HOST ANY' -- "$cur" ) ) + else + COMPREPLY=( $( compgen -W '`firewall-cmd --get-zones` HOST ANY' -- "$cur" ) ) + fi + ;; + --policy|--info-policy|--path-policy|--load-policy-defaults|--delete-policy) + if ${words@} == *--permanent* ; then + COMPREPLY=( $( compgen -W '`firewall-cmd --permanent --get-policies`' -- "$cur" ) ) + else + COMPREPLY=( $( compgen -W '`firewall-cmd --get-policies`' -- "$cur" ) ) + fi + ;; --zone=*) - COMPREPLY=( $( compgen -W "${OPTIONS_ZONE}" -- "$cur" ) ) + if ${words@} == *--permanent* ; then + COMPREPLY=( $( compgen -W "${OPTIONS_ZONE} ${OPTIONS_ZONE_POLICY_PERMANENT}" -- "$cur" ) ) + else + COMPREPLY=( $( compgen -W "${OPTIONS_ZONE}" -- "$cur" ) ) + fi + ;; + --policy=*) + if ${words@} == *--permanent* ; then + COMPREPLY=( $( compgen -W "${OPTIONS_POLICY} ${OPTIONS_POLICY_PERMANENT} ${OPTIONS_ZONE_POLICY_PERMANENT}" -- "$cur" ) ) + else + COMPREPLY=( $( compgen -W "${OPTIONS_POLICY}" -- "$cur" ) ) + fi ;; --ipset=*) COMPREPLY=( $( compgen -W "${OPTIONS_IPSET}" -- "$cur" ) ) 
@@ -184,6 +234,8 @@ --list-forward-ports|--add-forward-port=*|--remove-forward-port=*|--query-forward-port=*|\ --list-interfaces|--add-interface=*|--remove-interface=*|--query-interface=*|\ --list-sources|--add-source=*|--remove-source=*|--query-source=*|\ + --add-ingress-zone=*|--remove-ingress-zone=*|\ + --add-egress-zone=*|--remove-egress-zone=*|\ --add-forward|--remove-forward|--query-forward|\ --add-masquerade|--remove-masquerade|--query-masquerade|--list-all|\ --get-description|--get-short|--set-description=*|--set-short=*) @@ -202,7 +254,7 @@ fi ;;
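Review bot: the new entries in this option list add only `--add-ingress-zone=*|--remove-ingress-zone=*` and `--add-egress-zone=*|--remove-egress-zone=*`, while the earlier completion case for the same feature also handles `--query-ingress-zone` and `--query-egress-zone`, and the neighbouring lines include their `--query-*=*` forms (`--query-forward-port=*`, `--query-interface=*`, `--query-source=*`); add `--query-ingress-zone=*|--query-egress-zone=*|` here so the query variants get the same follow-on completion.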
_service:tar_scm:firewalld-1.0.2.tar.gz/src/Makefile.am -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/Makefile.am
Changed
@@ -80,7 +80,7 @@ CLEANFILES = *~ *\# .\#* *.py? -FLAKE8_IGNORE = E121,E122,E123,E124,E126,E127,E128,E201,E202,E203,E211,E221,E222,E225,E226,E231,E241,E251,E261,E262,E265,E266,W291,W293,E301,E302,E303,E305,E306,W391,E402,E501,E502,W503,W504,E722,E741 +FLAKE8_IGNORE = E126,E127,E128,E201,E202,E203,E211,E221,E222,E225,E226,E231,E241,E251,E261,E262,E265,E266,E301,E302,E303,E305,E306,E402,E501,E502,W503,W504,E722,E741 check-local: find . -name '*.py' -or -name '*.py.in' |xargs flake8 --ignore="$(FLAKE8_IGNORE)" flake8 --ignore="$(FLAKE8_IGNORE)" $(dist_bin_SCRIPTS_in) $(dist_sbin_SCRIPTS_in)
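Review bot: the FLAKE8_IGNORE change removes E121-E124, W291, W293 and W391 from the ignore list, so trailing whitespace, whitespace on blank lines, a blank line at end of file and continuation-line indentation are now enforced by `check-local`; that is what drives the whitespace-only hunks in firewall-cmd, firewall-offline-cmd and client.py elsewhere in this diff. Worth stating in the commit message so the churn is understood as lint enforcement rather than accidental edits.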
_service:tar_scm:firewalld-1.0.2.tar.gz/src/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -186,6 +186,8 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/firewall-applet.in \ $(srcdir)/firewall-cmd.in $(srcdir)/firewall-config.in \ @@ -225,16 +227,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -272,8 +272,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -433,7 +433,7 @@ $(dist_bin_SCRIPTS_in) $(dist_sbin_SCRIPTS_in) CLEANFILES = *~ *\# .\#* *.py? -FLAKE8_IGNORE = E121,E122,E123,E124,E126,E127,E128,E201,E202,E203,E211,E221,E222,E225,E226,E231,E241,E251,E261,E262,E265,E266,W291,W293,E301,E302,E303,E305,E306,W391,E402,E501,E502,W503,W504,E722,E741 +FLAKE8_IGNORE = E126,E127,E128,E201,E202,E203,E211,E221,E222,E225,E226,E231,E241,E251,E261,E262,E265,E266,E301,E302,E303,E305,E306,E402,E501,E502,W503,W504,E722,E741 all: all-recursive .SUFFIXES: 
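Review bot: Makefile.in regressed from `automake 1.16.4` to `automake 1.16.1` (and the FSF copyright year from 2021 to 2018), so the 1.2.1 tarball's generated build files come from an older toolchain than 1.0.2's; together with the CI-specific interpreter paths in the shipped scripts further down, this argues for the package build regenerating these files with autoreconf rather than relying on the pre-generated copies. The new `DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@` substitution pairs with `FIREWALLD_LOGTARGET = '@DEFAULT_LOG_TARGET@'` in config/__init__.py.in, and the hard-coded `ETAGS = etags` / `CTAGS = ctags` replacing the `@ETAGS@`/`@CTAGS@`/`@CSCOPE@` substitutions is just the older automake's convention, not a project change.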
@@ -711,6 +711,7 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall-applet -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall-applet
Changed
@@ -1,4 +1,4 @@ -#!/home/egarver/bin/python +#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2010-2015 Red Hat, Inc.
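Review bot: the interpreter line `#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python` is a CI-runner path (as the old `#!/home/egarver/bin/python` was a developer path), so firewall-applet as shipped in the tarball is not runnable on a target system; the file is produced from firewall-applet.in at configure time (src/Makefile.in lists `$(srcdir)/firewall-applet.in`), so the build must regenerate it and install the configured copy rather than this one. Confirm the installed script ends up with the system interpreter.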
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall-cmd -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall-cmd
Changed
@@ -1,4 +1,4 @@ -#!/home/egarver/bin/python +#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2009-2016 Red Hat, Inc. @@ -51,7 +51,7 @@ Usage: firewall-cmd OPTIONS... General Options - -h, --help Prints a short help text and exists + -h, --help Prints a short help text and exits -V, --version Print the version string of firewalld -q, --quiet Do not print status messages @@ -98,10 +98,10 @@ Policy Options --get-policies Print predefined policies - --get-active-policies + --get-active-policies Print currently active policies --list-all-policies List everything added for or enabled in all policies - --new-policy=<policy> + --new-policy=<policy> Add a new empty policy --new-policy-from-file=<filename> --name=<policy> Add a new policy from file with optional name override P only @@ -540,7 +540,7 @@ pass return -parser = argparse.ArgumentParser(usage="see firewall-cmd man page", +parser = argparse.ArgumentParser(usage="'firewall-cmd --help' for usage information or see firewall-cmd(1) man page", add_help=False) parser_group_output = parser.add_mutually_exclusive_group() 
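Review bot: same generated-file issue as firewall-applet: the `#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python` interpreter line must not reach the installed firewall-cmd. The rest of this region (the `exists` to `exits` typo fix, the re-aligned `--get-active-policies` and `--new-policy=<policy>` help lines, and the longer `argparse.ArgumentParser(usage=...)` string) is identical to the firewall-cmd.in hunks further down, as expected for a file regenerated from its .in template.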
@@ -996,19 +996,19 @@ # these are supposed to only write out some output options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \ - a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ - a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ - a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ - a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ - a.list_sources or a.get_default_zone or a.get_active_zones or \ - a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ - a.get_services or a.get_icmptypes or a.get_target or \ - a.info_zone or a.info_icmptype or a.info_service or \ - a.info_ipset or a.get_ipsets or a.get_entries or \ - a.info_helper or a.get_helpers or \ - a.get_destinations or a.get_description or \ - a.list_all_policies or a.info_policy or a.get_policies or \ - a.get_active_policies + a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ + a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ + a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ + a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ + a.list_sources or a.get_default_zone or a.get_active_zones or \ + a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ + a.get_services or a.get_icmptypes or a.get_target or \ + a.info_zone or a.info_icmptype or a.info_service or \ + a.info_ipset or a.get_ipsets or a.get_entries or \ + a.info_helper or a.get_helpers or \ + a.get_destinations or a.get_description or \ + a.list_all_policies or a.info_policy or a.get_policies or \ + a.get_active_policies # Set quiet and verbose 
@@ -1020,12 +1020,6 @@ # Check various impossible combinations of options -if not (options_standalone or options_ipset or \ - options_icmptype or options_service or options_helper or \ - options_config or options_zone_ops or options_policy or \ - options_direct or options_permanent_only): - cmd.fail(parser.format_usage() + "No option specified.") - if options_standalone and (options_zone or options_permanent or \ options_direct or options_permanent_only or \ options_ipset or options_policy): @@ -1152,6 +1146,20 @@ cmd.print_and_exit("Error: %s" % msg, code) fw.setExceptionHandler(cmd.exception_handler) + +if not (options_standalone or options_ipset or \ + options_icmptype or options_service or options_helper or \ + options_config or options_zone_ops or options_policy or \ + options_direct or options_permanent_only): + state = fw.get_property("state") + if state == "RUNNING": + state = "State: running\n\n" + elif state == "FAILED": + state = "State: failed\n\n" + else: + state = "State: not running\n\n" + cmd.fail(state + "No options specified\n" + parser.format_usage():-1) + if not fw.connected: if a.state: cmd.print_and_exit ("not running", errors.NOT_RUNNING)
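Review bot: the "no option specified" check is moved from before the client connection to after `fw.setExceptionHandler(cmd.exception_handler)` and now calls `fw.get_property("state")` before the `if not fw.connected:` test that follows it. Plain `firewall-cmd` with no arguments therefore performs a D-Bus call before the connection check, and when the daemon is down the "State: not running" branch depends on `get_property` returning something other than `RUNNING`/`FAILED` instead of raising into the freshly installed exception handler; confirm that path is exercised in the testsuite, and that the exit code of `cmd.fail` for this case is the one scripts already rely on, since the message text also changed from "No option specified." to "No options specified".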
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall-cmd.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall-cmd.in
Changed
@@ -51,7 +51,7 @@ Usage: firewall-cmd OPTIONS... General Options - -h, --help Prints a short help text and exists + -h, --help Prints a short help text and exits -V, --version Print the version string of firewalld -q, --quiet Do not print status messages @@ -98,10 +98,10 @@ Policy Options --get-policies Print predefined policies - --get-active-policies + --get-active-policies Print currently active policies --list-all-policies List everything added for or enabled in all policies - --new-policy=<policy> + --new-policy=<policy> Add a new empty policy --new-policy-from-file=<filename> --name=<policy> Add a new policy from file with optional name override P only @@ -540,7 +540,7 @@ pass return -parser = argparse.ArgumentParser(usage="see firewall-cmd man page", +parser = argparse.ArgumentParser(usage="'firewall-cmd --help' for usage information or see firewall-cmd(1) man page", add_help=False) parser_group_output = parser.add_mutually_exclusive_group() 
@@ -996,19 +996,19 @@ # these are supposed to only write out some output options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \ - a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ - a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ - a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ - a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ - a.list_sources or a.get_default_zone or a.get_active_zones or \ - a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ - a.get_services or a.get_icmptypes or a.get_target or \ - a.info_zone or a.info_icmptype or a.info_service or \ - a.info_ipset or a.get_ipsets or a.get_entries or \ - a.info_helper or a.get_helpers or \ - a.get_destinations or a.get_description or \ - a.list_all_policies or a.info_policy or a.get_policies or \ - a.get_active_policies + a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ + a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ + a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ + a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ + a.list_sources or a.get_default_zone or a.get_active_zones or \ + a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ + a.get_services or a.get_icmptypes or a.get_target or \ + a.info_zone or a.info_icmptype or a.info_service or \ + a.info_ipset or a.get_ipsets or a.get_entries or \ + a.info_helper or a.get_helpers or \ + a.get_destinations or a.get_description or \ + a.list_all_policies or a.info_policy or a.get_policies or \ + a.get_active_policies # Set quiet and verbose 
@@ -1020,12 +1020,6 @@ # Check various impossible combinations of options -if not (options_standalone or options_ipset or \ - options_icmptype or options_service or options_helper or \ - options_config or options_zone_ops or options_policy or \ - options_direct or options_permanent_only): - cmd.fail(parser.format_usage() + "No option specified.") - if options_standalone and (options_zone or options_permanent or \ options_direct or options_permanent_only or \ options_ipset or options_policy): @@ -1152,6 +1146,20 @@ cmd.print_and_exit("Error: %s" % msg, code) fw.setExceptionHandler(cmd.exception_handler) + +if not (options_standalone or options_ipset or \ + options_icmptype or options_service or options_helper or \ + options_config or options_zone_ops or options_policy or \ + options_direct or options_permanent_only): + state = fw.get_property("state") + if state == "RUNNING": + state = "State: running\n\n" + elif state == "FAILED": + state = "State: failed\n\n" + else: + state = "State: not running\n\n" + cmd.fail(state + "No options specified\n" + parser.format_usage():-1) + if not fw.connected: if a.state: cmd.print_and_exit ("not running", errors.NOT_RUNNING)
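Review bot: this is the template the generated firewall-cmd above is produced from, and the two hunk sets match line for line (help text, usage string, the relocated no-option check calling `fw.get_property("state")`); the ordering concern about that check running before `if not fw.connected:` applies here as the source of record.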
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall-config -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall-config
Changed
@@ -1,4 +1,4 @@ -#!/home/egarver/bin/python +#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2011-2015 Red Hat, Inc.
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall-offline-cmd -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall-offline-cmd
Changed
@@ -1,4 +1,4 @@ -#!/home/egarver/bin/python +#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2009-2016 Red Hat, Inc. @@ -36,7 +36,7 @@ from firewall import config from firewall.core.fw import Firewall from firewall.functions import joinArgs, splitArgs, getPortRange -from firewall.core.io.functions import check_config +from firewall.core.io.functions import check_on_disk_config from firewall.core.io.zone import zone_reader from firewall.core.io.policy import policy_reader from firewall.core.io.service import service_reader @@ -60,7 +60,7 @@ If no options are given, configuration from '%s' will be migrated. General Options - -h, --help Prints a short help text and exists + -h, --help Prints a short help text and exits -V, --version Print the version string of firewalld -q, --quiet Do not print status messages --system-config Path to firewalld system configuration @@ -138,7 +138,7 @@ Policy Options --get-policies Print predefined policies --list-all-policies List everything added for or enabled in all policies - --new-policy=<policy> + --new-policy=<policy> Add a new empty policy --new-policy-from-file=<filename> --name=<policy> Add a new policy from file with optional name override P only 
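Review bot: the import rename `check_config` to `check_on_disk_config` is matched by the call-site change in the next region (`check_on_disk_config(fw)` inside the `Firewall(offline=True)` start-up try block) and by the new import in firewall/core/fw.py, so the rename is consistent; the commit message should spell out how "on disk" checking differs from the new `full_check_config` in fw.py/fw_config.py, since both names now exist. The `#!/opt/hostedtoolcache/...` interpreter line is the same generated-file problem as firewall-cmd and firewall-applet.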
@@ -1046,18 +1046,18 @@ # these are supposed to only write out some output options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \ - a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ - a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ - a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ - a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ - a.list_sources or a.get_default_zone or \ - a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ - a.get_services or a.get_icmptypes or a.get_target or \ - a.info_zone or a.info_icmptype or a.info_service or \ - a.info_ipset or a.get_ipsets or a.get_entries or \ - a.info_helper or a.get_helpers or \ - a.get_destinations or a.get_description or \ - a.list_all_policies or a.info_policy or a.get_policies + a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ + a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ + a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ + a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ + a.list_sources or a.get_default_zone or \ + a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ + a.get_services or a.get_icmptypes or a.get_target or \ + a.info_zone or a.info_icmptype or a.info_service or \ + a.info_ipset or a.get_ipsets or a.get_entries or \ + a.info_helper or a.get_helpers or \ + a.get_destinations or a.get_description or \ + a.list_all_policies or a.info_policy or a.get_policies # Set quiet and verbose @@ -1152,7 +1152,7 @@ try: fw = Firewall(offline=True) fw.start() - check_config(fw) + check_on_disk_config(fw) except FirewallError as error: cmd.print_and_exit("Configuration error: %s" % error, error.code) except Exception as msg: 
@@ -1720,7 +1720,7 @@ if a.type=='hash:mac' and a.family: cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type") - + settings = FirewallClientIPSetSettings() settings.setType(a.type) if a.option:
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall-offline-cmd.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall-offline-cmd.in
Changed
@@ -36,7 +36,7 @@ from firewall import config from firewall.core.fw import Firewall from firewall.functions import joinArgs, splitArgs, getPortRange -from firewall.core.io.functions import check_config +from firewall.core.io.functions import check_on_disk_config from firewall.core.io.zone import zone_reader from firewall.core.io.policy import policy_reader from firewall.core.io.service import service_reader @@ -60,7 +60,7 @@ If no options are given, configuration from '%s' will be migrated. General Options - -h, --help Prints a short help text and exists + -h, --help Prints a short help text and exits -V, --version Print the version string of firewalld -q, --quiet Do not print status messages --system-config Path to firewalld system configuration @@ -138,7 +138,7 @@ Policy Options --get-policies Print predefined policies --list-all-policies List everything added for or enabled in all policies - --new-policy=<policy> + --new-policy=<policy> Add a new empty policy --new-policy-from-file=<filename> --name=<policy> Add a new policy from file with optional name override P only 
@@ -1046,18 +1046,18 @@ # these are supposed to only write out some output options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \ - a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ - a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ - a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ - a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ - a.list_sources or a.get_default_zone or \ - a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ - a.get_services or a.get_icmptypes or a.get_target or \ - a.info_zone or a.info_icmptype or a.info_service or \ - a.info_ipset or a.get_ipsets or a.get_entries or \ - a.info_helper or a.get_helpers or \ - a.get_destinations or a.get_description or \ - a.list_all_policies or a.info_policy or a.get_policies + a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ + a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ + a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ + a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ + a.list_sources or a.get_default_zone or \ + a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ + a.get_services or a.get_icmptypes or a.get_target or \ + a.info_zone or a.info_icmptype or a.info_service or \ + a.info_ipset or a.get_ipsets or a.get_entries or \ + a.info_helper or a.get_helpers or \ + a.get_destinations or a.get_description or \ + a.list_all_policies or a.info_policy or a.get_policies # Set quiet and verbose @@ -1152,7 +1152,7 @@ try: fw = Firewall(offline=True) fw.start() - check_config(fw) + check_on_disk_config(fw) except FirewallError as error: cmd.print_and_exit("Configuration error: %s" % error, error.code) except Exception as msg: 
@@ -1720,7 +1720,7 @@ if a.type=='hash:mac' and a.family: cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type") - + settings = FirewallClientIPSetSettings() settings.setType(a.type) if a.option:
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/client.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/client.py
Changed
@@ -28,7 +28,8 @@ from firewall.core.base import DEFAULT_ZONE_TARGET, DEFAULT_POLICY_TARGET, DEFAULT_POLICY_PRIORITY from firewall.dbus_utils import dbus_to_python from firewall.core.rich import Rich_Rule -from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing +from firewall.core.ipset import normalize_ipset_entry, check_entry_overlaps_existing, \ + check_for_overlapping_entries from firewall import errors from firewall.errors import FirewallError @@ -77,7 +78,7 @@ break return _impl -# zone config setings +# zone config settings class FirewallClientZoneSettings(object): @handle_exceptions @@ -481,7 +482,7 @@ dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_ZONE) self.fw_properties = dbus.Interface( self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties') - #TODO: check interface version and revision (need to match client + #TODO: check interface version and revision (need to match client # version) @handle_exceptions @@ -1517,11 +1518,8 @@ if "timeout" in self.settings4 and \ self.settings4"timeout" != "0": raise FirewallError(errors.IPSET_WITH_TIMEOUT) - _entries = set() - for _entry in dbus_to_python(entries, list): - check_entry_overlaps_existing(_entry, _entries) - _entries.add(normalize_ipset_entry(_entry)) - self.settings5 = list(_entries) + check_for_overlapping_entries(entries) + self.settings5 = entries @handle_exceptions def addEntry(self, entry): if "timeout" in self.settings4 and \ @@ -2962,7 +2960,7 @@ "config:helper-updated": "config:HelperUpdated", "config:helper-removed": "config:HelperRemoved", "config:helper-renamed": "config:HelperRenamed", - } + } # initialize variables used for connection self._init_vars() @@ -3157,7 +3155,7 @@ @handle_exceptions def enablePanicMode(self): self.fw.enablePanicMode() - + @handle_exceptions def disablePanicMode(self): self.fw.disablePanicMode()
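Review bot: in `setEntries`, the old loop ran `normalize_ipset_entry` on every entry, rejected overlaps against the entries seen so far, and stored a de-duplicated list built from `dbus_to_python(entries, list)`; the new code calls `check_for_overlapping_entries(entries)` and then stores `entries` as received, so normalization and de-duplication are now either done inside `check_for_overlapping_entries` or not at all, and a `dbus.Array` arriving over the bus is stored unconverted. Confirm the new helper covers normalization, and whether `normalize_ipset_entry` and `check_entry_overlaps_existing`, still imported on the changed import line, remain used by `addEntry` below; if not, flake8 will flag them, since F401 is not in FLAKE8_IGNORE.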
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/config/__init__.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/config/__init__.py
Changed
@@ -40,12 +40,12 @@ DATADIR = '/usr/share/' + DAEMON_NAME CONFIG_GLADE_NAME = CONFIG_NAME + '.glade' COPYRIGHT = '(C) 2010-2017 Red Hat, Inc.' -VERSION = '1.0.2' +VERSION = '1.2.1' AUTHORS = "Thomas Woerner <twoerner@redhat.com>", "Jiri Popelka <jpopelka@redhat.com>", "Eric Garver <e@erig.me>", - + LICENSE = gettext.gettext( "This program is free software; you can redistribute it and/or modify " "it under the terms of the GNU General Public License as published by " @@ -93,6 +93,8 @@ FIREWALLD_LOGFILE = '/var/log/firewalld' +FIREWALLD_LOGTARGET = 'mixed' + FIREWALLD_PIDFILE = "/var/run/firewalld.pid" FIREWALLD_TEMPDIR = '/run/firewalld'
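Review bot: `FIREWALLD_LOGTARGET = 'mixed'` is the configure-time default baked into this generated file (the .in template below has `'@DEFAULT_LOG_TARGET@'`), so if the build overrides DEFAULT_LOG_TARGET at configure time the installed value will differ from what this diff shows; the new setting should be documented wherever `FIREWALLD_LOGFILE` is described. The `VERSION = '1.2.1'` bump is likewise generated from the template and should not be edited here by hand.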
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/config/__init__.py.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/config/__init__.py.in
Changed
@@ -45,7 +45,7 @@ "Thomas Woerner <twoerner@redhat.com>", "Jiri Popelka <jpopelka@redhat.com>", "Eric Garver <e@erig.me>", - + LICENSE = gettext.gettext( "This program is free software; you can redistribute it and/or modify " "it under the terms of the GNU General Public License as published by " @@ -93,6 +93,8 @@ FIREWALLD_LOGFILE = '/var/log/firewalld' +FIREWALLD_LOGTARGET = '@DEFAULT_LOG_TARGET@' + FIREWALLD_PIDFILE = "/var/run/firewalld.pid" FIREWALLD_TEMPDIR = '/run/firewalld'
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw.py
Changed
@@ -21,11 +21,12 @@ __all__ = "Firewall" -import os.path +import os import sys import copy import time import traceback +from typing import Dict, List from firewall import config from firewall import functions from firewall.core import ipXtables @@ -45,6 +46,7 @@ from firewall.core.fw_policy import FirewallPolicy from firewall.core.fw_nm import nm_get_bus_name, nm_get_interfaces_in_zone from firewall.core.logger import log +from firewall.core.io.io_object import IO_Object from firewall.core.io.firewalld_conf import firewalld_conf from firewall.core.io.direct import Direct from firewall.core.io.service import service_reader @@ -54,6 +56,8 @@ from firewall.core.ipset import IPSET_TYPES from firewall.core.io.helper import helper_reader from firewall.core.io.policy import policy_reader +from firewall.core.io.functions import check_on_disk_config +from firewall.core.rich import Rich_Rule from firewall import errors from firewall.errors import FirewallError @@ -68,28 +72,12 @@ self._firewalld_conf = firewalld_conf(config.FIREWALLD_CONF) self._offline = offline - if self._offline: - self.ip4tables_enabled = False - self.ip6tables_enabled = False - self.ebtables_enabled = False - self.ipset_enabled = False - self.ipset_supported_types = IPSET_TYPES - self.nftables_enabled = False - else: + if not offline: self.ip4tables_backend = ipXtables.ip4tables(self) - self.ip4tables_enabled = True - self.ipv4_supported_icmp_types = self.ip6tables_backend = ipXtables.ip6tables(self) - self.ip6tables_enabled = True - self.ipv6_supported_icmp_types = self.ebtables_backend = ebtables.ebtables() - self.ebtables_enabled = True self.ipset_backend = ipset.ipset() - self.ipset_enabled = True - self.ipset_supported_types = IPSET_TYPES self.nftables_backend = nftables.nftables(self) - self.nftables_enabled = True - self.modules_backend = modules.modules() self.icmptype = FirewallIcmpType(self) 
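Review bot: the new imports `IO_Object`, `check_on_disk_config` and `Rich_Rule` are not referenced by any hunk visible here, and `import sys` survives even though the only visible `sys.exit(1)` is removed in the `_start_check_tables` hunk; since F401 is not in the FLAKE8_IGNORE list, `make check-local` will fail on any of these that is actually unused, so run it before merge. Moving the backend `*_enabled` flags and `ipset_supported_types` out of `__init__` into `__init_vars` (next hunk) means they are reset on every `__init_vars` call, which is the right place if reload re-runs it.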
@@ -116,7 +104,9 @@ def __init_vars(self): self._state = "INIT" self._panic = False - self._default_zone = "" + self._default_zone = config.FALLBACK_ZONE + self._default_zone_interfaces = + self._nm_assigned_interfaces = self._module_refcount = { } self._marks = # fallback settings will be overloaded by firewalld.conf 
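Review bot: `self._default_zone` now starts as `config.FALLBACK_ZONE` rather than `""`, replacing the local `default_zone = config.FALLBACK_ZONE` that `_start` used to initialise and that `_start_load_firewalld_conf` now writes straight into `self._default_zone` when `DefaultZone` is set; any code that tested `_default_zone` for emptiness to detect "not yet loaded" would no longer work, so grep for that. The two new interface lists `_default_zone_interfaces` and `_nm_assigned_interfaces` are added without a comment saying who populates them.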
@@ -130,7 +120,77 @@ self._rfc3964_ipv4 = config.FALLBACK_RFC3964_IPV4 self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING - def _check_tables(self): + if self._offline: + self.ip4tables_enabled = False + self.ip6tables_enabled = False + self.ebtables_enabled = False + self.ipset_enabled = False + self.ipset_supported_types = IPSET_TYPES + self.nftables_enabled = False + else: + self.ip4tables_enabled = True + self.ipv4_supported_icmp_types = + self.ip6tables_enabled = True + self.ipv6_supported_icmp_types = + self.ebtables_enabled = True + self.ipset_enabled = True + self.ipset_supported_types = IPSET_TYPES + self.nftables_enabled = True + + def get_all_io_objects_dict(self): + """ + Returns a dict of dicts of all runtime config objects. + """ + conf_dict = {} + conf_dict"ipsets" = {_ipset: self.ipset.get_ipset(_ipset) for _ipset in self.ipset.get_ipsets()} + conf_dict"helpers" = {helper: self.helper.get_helper(helper) for helper in self.helper.get_helpers()} + conf_dict"icmptypes" = {icmptype: self.icmptype.get_icmptype(icmptype) for icmptype in self.icmptype.get_icmptypes()} + conf_dict"services" = {service: self.service.get_service(service) for service in self.service.get_services()} + conf_dict"zones" = {zone: self.zone.get_zone(zone) for zone in self.zone.get_zones()} + conf_dict"policies" = {policy: self.policy.get_policy(policy) for policy in self.policy.get_policies_not_derived_from_zone()} + + # The runtime might not actually support all the defined icmptypes. + # This is the case if ipv6 (ip6tables) is disabled. Unfortunately users + # disable IPv6 and also expect the IPv6 stuff to be silently ignored. + # This is problematic for defaults that include IPv6 stuff, e.g. policy + # 'allow-host-ipv6'. Use this to make a better decision about errors vs + # warnings. 
+ # + conf_dict"icmptypes_unsupported" = {} + for icmptype in (set(self.config.get_icmptypes()).difference( + set(self.icmptype.get_icmptypes()))): + conf_dict"icmptypes_unsupported"icmptype = self.config.get_icmptype(icmptype) + # Some icmptypes support multiple families. Add those that are missing + # support for a subset of families. + for icmptype in (set(self.config.get_icmptypes()).intersection( + set(self.icmptype.get_icmptypes()))): + if icmptype not in self.ipv4_supported_icmp_types or \ + icmptype not in self.ipv6_supported_icmp_types: + conf_dict"icmptypes_unsupported"icmptype = copy.copy(self.config.get_icmptype(icmptype)) + conf_dict"icmptypes_unsupported"icmptype.destination = + if icmptype not in self.ipv4_supported_icmp_types: + conf_dict"icmptypes_unsupported"icmptype.destination.append("ipv4") + if icmptype not in self.ipv6_supported_icmp_types: + conf_dict"icmptypes_unsupported"icmptype.destination.append("ipv6") + + return conf_dict + + def full_check_config(self, extra_io_objects: Dictstr, ListIO_Object = {}): + all_io_objects = self.get_all_io_objects_dict() + # mix in the extra objects + for type_key in extra_io_objects: + for obj in extra_io_objectstype_key: + all_io_objectstype_keyobj.name = obj + + # we need to check in a well defined order because some io_objects will + # cross-check others + order = "ipsets", "helpers", "icmptypes", "services", "zones", "policies" + for io_obj_type in order: + io_objs = all_io_objectsio_obj_type + for (name, io_obj) in io_objs.items(): + io_obj.check_config_dict(io_obj.export_config_dict(), all_io_objects) + + def _start_check_tables(self): # check if iptables, ip6tables and ebtables are usable, else disable if self.ip4tables_enabled and \ "filter" not in self.ip4tables_backend.get_available_tables(): 
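Review bot: the `= {}` default on `full_check_config`'s `extra_io_objects` parameter is a mutable default argument; it is only iterated, not mutated, but `None` with an `or {}` is the idiomatic form and avoids the lint smell. The mix-in loop assigns into `all_io_objects[type_key]` by `obj.name`, so an unknown `type_key` raises KeyError and a key outside the fixed `order` tuple is merged but never checked; either reject such keys explicitly or document that callers must use the six known names. This method body is duplicated verbatim in fw_config.py's FirewallConfig; a module-level function taking the objects dict would keep the ordering rule in one place. The `icmptypes_unsupported` computation is a useful touch: copying the config icmptype and setting `destination` to the missing families lets the checker downgrade IPv6-only problems to warnings when ip6tables is disabled, as the comment explains.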
@@ -150,10 +210,9 @@ # is there at least support for ipv4 or ipv6 if not self.ip4tables_enabled and not self.ip6tables_enabled \ and not self.nftables_enabled: - log.fatal("No IPv4 and IPv6 firewall.") - sys.exit(1) + raise FirewallError(errors.UNKNOWN_ERROR, "No IPv4 and IPv6 firewall.") - def _start_check(self): + def _start_probe_backends(self): try: self.ipset_backend.set_list() except ValueError: @@ -227,10 +286,7 @@ log.debug1("ebtables-restore is not supporting the --noflush " "option, will therefore not be used") - def _start(self, reload=False, complete_reload=False): - # initialize firewall - default_zone = config.FALLBACK_ZONE - + def _start_load_firewalld_conf(self): # load firewalld config log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF) try: @@ -240,7 +296,7 @@ log.warning("Using fallback firewalld configuration settings.") else: if self._firewalld_conf.get("DefaultZone"): - default_zone = self._firewalld_conf.get("DefaultZone") + self._default_zone = self._firewalld_conf.get("DefaultZone") if self._firewalld_conf.get("CleanupOnExit"): value = self._firewalld_conf.get("CleanupOnExit") @@ -317,11 +373,7 @@ self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) - self._select_firewall_backend(self._firewall_backend) - - if not self._offline: - self._start_check() - + def _start_load_lockdown_whitelist(self): # load lockdown whitelist log.debug1("Loading lockdown whitelist") try: @@ -337,64 +389,71 @@ # copy policies to config interface
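Review bot: the `_start` hunk removes `self._select_firewall_backend(self._firewall_backend)` and the `if not self._offline: self._start_check()` call, and renames `_start_check` to `_start_probe_backends` and `_check_tables` to `_start_check_tables`, but no hunk here shows where the new `_start` invokes `_start_load_firewalld_conf`, `_select_firewall_backend`, `_start_check_tables`, `_start_probe_backends` and `_start_load_lockdown_whitelist`; the order matters (firewalld.conf must be read before the backend is selected and probed), so the commit message or a short docstring on `_start` should list the new sequence. Replacing `log.fatal(...)` plus `sys.exit(1)` with `raise FirewallError(errors.UNKNOWN_ERROR, "No IPv4 and IPv6 firewall.")` is the right call for library code, but check that the daemon's caller of `_start` still exits non-zero and logs the message rather than swallowing the error.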
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_config.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_config.py
Changed
@@ -25,8 +25,10 @@ import os import os.path import shutil +from typing import Dict, List from firewall import config from firewall.core.logger import log +from firewall.core.io.io_object import IO_Object from firewall.core.io.icmptype import IcmpType, icmptype_reader, icmptype_writer from firewall.core.io.service import Service, service_reader, service_writer from firewall.core.io.zone import Zone, zone_reader, zone_writer @@ -121,6 +123,35 @@ self.__init_vars() + def get_all_io_objects_dict(self): + """ + Returns a dict of dicts of all permanent config objects. + """ + conf_dict = {} + conf_dict"ipsets" = {ipset: self.get_ipset(ipset) for ipset in self.get_ipsets()} + conf_dict"helpers" = {helper: self.get_helper(helper) for helper in self.get_helpers()} + conf_dict"icmptypes" = {icmptype: self.get_icmptype(icmptype) for icmptype in self.get_icmptypes()} + conf_dict"services" = {service: self.get_service(service) for service in self.get_services()} + conf_dict"zones" = {zone: self.get_zone(zone) for zone in self.get_zones()} + conf_dict"policies" = {policy: self.get_policy_object(policy) for policy in self.get_policy_objects()} + + return conf_dict + + def full_check_config(self, extra_io_objects: Dictstr, ListIO_Object = {}): + all_io_objects = self.get_all_io_objects_dict() + # mix in the extra objects + for type_key in extra_io_objects: + for obj in extra_io_objectstype_key: + all_io_objectstype_keyobj.name = obj + + # we need to check in a well defined order because some io_objects will + # cross-check others + order = "ipsets", "helpers", "icmptypes", "services", "zones", "policies" + for io_obj_type in order: + io_objs = all_io_objectsio_obj_type + for (name, io_obj) in io_objs.items(): + io_obj.check_config_dict(io_obj.export_config_dict(), all_io_objects) + # access check def lockdown_enabled(self): 
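Review bot: `get_all_io_objects_dict` and `full_check_config` here are the same as the new methods in fw.py except for the object getters, including the `= {}` mutable default and the fixed `order` tuple; hoist the check loop into a shared function in firewall.core.io (this module already imports IO_Object from there) and have both classes pass their dict, so a future change to the cross-check order cannot be applied to only one of them. Note also that `get_all_io_objects_dict` is rebuilt on every `set_*_config`/`new_*` call, which loads every permanent object each time a single one changes.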
@@ -206,20 +237,18 @@ return obj.export_config() def set_ipset_config(self, obj, conf): + x = copy.copy(obj) if obj.builtin: - x = copy.copy(obj) - x.import_config(conf) x.path = config.ETC_FIREWALLD_IPSETS x.builtin = False if obj.path != x.path: x.default = False - self.add_ipset(x) - ipset_writer(x) - return x - else: - obj.import_config(conf) - ipset_writer(obj) - return obj + + x.import_config(conf, self.get_all_io_objects_dict()) + self.full_check_config({"ipsets": x}) + self.add_ipset(x) + ipset_writer(x) + return x def new_ipset(self, name, conf): if name in self._ipsets or name in self._builtin_ipsets: @@ -228,7 +257,6 @@ x = IPSet() x.check_name(name) - x.import_config(conf) x.name = name x.filename = "%s.xml" % name x.path = config.ETC_FIREWALLD_IPSETS @@ -236,8 +264,10 @@ x.builtin = False x.default = True - ipset_writer(x) + x.import_config(conf, self.get_all_io_objects_dict()) + self.full_check_config({"ipsets": x}) self.add_ipset(x) + ipset_writer(x) return x def update_ipset_from_path(self, name): @@ -379,20 +409,18 @@ return obj.export_config() def set_icmptype_config(self, obj, conf): + x = copy.copy(obj) if obj.builtin: - x = copy.copy(obj) - x.import_config(conf) x.path = config.ETC_FIREWALLD_ICMPTYPES x.builtin = False if obj.path != x.path: x.default = False - self.add_icmptype(x) - icmptype_writer(x) - return x - else: - obj.import_config(conf) - icmptype_writer(obj) - return obj + + x.import_config(conf, self.get_all_io_objects_dict()) + self.full_check_config({"icmptypes": x}) + self.add_icmptype(x) + icmptype_writer(x) + return x def new_icmptype(self, name, conf): if name in self._icmptypes or name in self._builtin_icmptypes: @@ -401,7 +429,6 @@ x = IcmpType() x.check_name(name) - x.import_config(conf) x.name = name x.filename = "%s.xml" % name x.path = config.ETC_FIREWALLD_ICMPTYPES 
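Review bot: in `new_ipset` the order is now `self.add_ipset(x)` followed by `ipset_writer(x)` (the old code wrote first); if the writer fails after validation passed, for example because `config.ETC_FIREWALLD_IPSETS` is not writable, the new object stays registered in memory with no file behind it and the daemon's view diverges from disk until the next reload. Either write before registering or remove the object again when the writer raises; the same applies to `new_icmptype` in this hunk. `x = copy.copy(obj)` is a shallow copy, which is only safe because `import_config` replaces attributes via `setattr` instead of mutating the shared lists; a failed `full_check_config` must leave the original `obj` untouched, so say that in a comment.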
@@ -409,8 +436,10 @@ x.builtin = False x.default = True - icmptype_writer(x) + x.import_config(conf, self.get_all_io_objects_dict()) + self.full_check_config({"icmptypes": x}) self.add_icmptype(x) + icmptype_writer(x) return x def update_icmptype_from_path(self, name): @@ -478,7 +507,7 @@ else: # builtin hidden, no update needed return (None, None) - + # icmptype not known to firewalld, yet (timeout, ..) return (None, None) @@ -568,36 +597,21 @@ for i,value in enumerate(conf): conf_dictobj.IMPORT_EXPORT_STRUCTUREi0 = value - if obj.builtin: - x = copy.copy(obj) - x.import_config_dict(conf_dict) - x.path = config.ETC_FIREWALLD_SERVICES - x.builtin = False - if obj.path != x.path: - x.default = False - self.add_service(x) - service_writer(x) - return x - else: - obj.import_config_dict(conf_dict) - service_writer(obj) - return obj + return self.set_service_config_dict(obj, conf_dict) def set_service_config_dict(self, obj, conf): + x = copy.copy(obj) if obj.builtin: - x = copy.copy(obj) - x.import_config_dict(conf) x.path = config.ETC_FIREWALLD_SERVICES x.builtin = False if obj.path != x.path: x.default = False - self.add_service(x) - service_writer(x) - return x - else: - obj.import_config_dict(conf) - service_writer(obj) - return obj + + x.import_config_dict(conf, self.get_all_io_objects_dict()) + self.full_check_config({"services": x}) + self.add_service(x) + service_writer(x) + return x def new_service(self, name, conf): if name in self._services or name in self._builtin_services: @@ -608,19 +622,7 @@ for i,value in enumerate(conf): conf_dictService.IMPORT_EXPORT_STRUCTUREi0 = value
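Review bot: `set_service_config` now delegates to `set_service_config_dict`, which removes the duplicated builtin/non-builtin branches, but the conversion loop `for i,value in enumerate(conf): conf_dict[obj.IMPORT_EXPORT_STRUCTURE[i][0]] = value` indexes the structure by position before any length check runs, so a `conf` tuple with more elements than `IMPORT_EXPORT_STRUCTURE` raises an unhandled `IndexError` instead of the `INVALID_TYPE` `FirewallError` that `check_config` returns for a size mismatch. This input arrives from D-Bus clients, so guard the length up front and reject malformed input with a proper error code. The `@@ -478,7 +507,7 @@` hunk is whitespace only.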
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_direct.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_direct.py
Changed
@@ -64,9 +64,14 @@ def set_permanent_config(self, obj): self._obj = obj - def has_configuration(self): + def has_runtime_configuration(self): if len(self._chains) + len(self._rules) + len(self._passthroughs) > 0: return True + return False + + def has_configuration(self): + if self.has_runtime_configuration(): + return True if len(self._obj.get_all_chains()) + \ len(self._obj.get_all_rules()) + \ len(self._obj.get_all_passthroughs()) > 0: @@ -214,6 +219,9 @@ else: transaction = use_transaction + if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset(): + transaction.add_pre(self._fw.ipset.apply_ipsets, self._fw.ipset_backend) + #TODO: policy="ACCEPT" self._chain(True, ipv, table, chain, transaction) @@ -260,6 +268,9 @@ else: transaction = use_transaction + if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset(): + transaction.add_pre(self._fw.ipset.apply_ipsets, self._fw.ipset_backend) + self._rule(True, ipv, table, chain, priority, args, transaction) if use_transaction is None: @@ -342,6 +353,9 @@ else: transaction = use_transaction + if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset(): + transaction.add_pre(self._fw.ipset.apply_ipsets, self._fw.ipset_backend) + self._passthrough(True, ipv, list(args), transaction) if use_transaction is None:
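Review bot: the block `if self._fw.ipset_enabled and self._fw.ipset.omit_native_ipset(): transaction.add_pre(self._fw.ipset.apply_ipsets, self._fw.ipset_backend)` is copy-pasted in front of `self._chain(...)`, `self._rule(...)` and `self._passthrough(...)`; factor it into one helper so a later fix lands in all three. Two things to confirm: `apply_ipset` iterates `for backend in backends ...`, so the argument must be a list (`[self._fw.ipset_backend]`; this rendering drops brackets, so it may already be), and `omit_native_ipset()` consults `has_runtime_configuration()` before the new chain/rule is recorded, which is exactly what makes the first direct rule re-create the native ipsets; a comment saying so would spare the next reader the reasoning. The `has_runtime_configuration`/`has_configuration` split reads correctly.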
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_icmptype.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_icmptype.py
Changed
@@ -21,7 +21,6 @@ __all__ = "FirewallIcmpType" -import copy from firewall.core.logger import log from firewall import errors from firewall.errors import FirewallError @@ -54,7 +53,6 @@ orig_ipvs = obj.destination if len(orig_ipvs) == 0: orig_ipvs = "ipv4", "ipv6" - ipvs = orig_ipvs: for ipv in orig_ipvs: if ipv == "ipv4": if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled: @@ -68,16 +66,7 @@ supported_icmps = if obj.name.lower() not in supported_icmps: log.info1("ICMP type '%s' is not supported by the kernel for %s." % (obj.name, ipv)) - ipvs.remove(ipv) - if len(ipvs) != len(orig_ipvs): - if len(ipvs) < 1: - raise FirewallError(errors.INVALID_ICMPTYPE, - "No supported ICMP type.") - new_obj = copy.deepcopy(obj) - new_obj.destination = ipvs - self._icmptypesobj.name = new_obj - else: - self._icmptypesobj.name = obj + self._icmptypesobj.name = obj def remove_icmptype(self, icmptype): self.check_icmptype(icmptype)
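Review bot: dropping the `ipvs.remove(ipv)` path also drops the `FirewallError(errors.INVALID_ICMPTYPE, "No supported ICMP type.")` that used to reject an icmptype none of whose destinations the kernel supports; the object is now stored unchanged with only a `log.info1`. That matches the changelog entry "fix fw icmptype don't alter ipvs in io_object", but a kernel lacking support for a configured type deserves at least `log.warning`, and whatever generates rules from `obj.destination` must now tolerate the unsupported family; please point to where that is handled. `-import copy` is correct now that `copy.deepcopy` is gone.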
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_ipset.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_ipset.py
Changed
@@ -25,7 +25,8 @@ from firewall.core.logger import log from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts, \ - normalize_ipset_entry, check_entry_overlaps_existing + normalize_ipset_entry, check_entry_overlaps_existing, \ + check_for_overlapping_entries from firewall.core.io.ipset import IPSet from firewall import errors from firewall.errors import FirewallError @@ -63,11 +64,19 @@ self.check_applied_obj(obj) return obj + def omit_native_ipset(self): + # if using nftables, we can avoid creating ipsets in the native ipset + # backend. But only if there aren't any direct rules. + if not self._fw.nftables_enabled or self._fw.direct.has_runtime_configuration(): + return False + + return True + def backends(self): backends = if self._fw.nftables_enabled: backends.append(self._fw.nftables_backend) - if self._fw.ipset_enabled: + if self._fw.ipset_enabled and not self.omit_native_ipset(): backends.append(self._fw.ipset_backend) return backends @@ -89,10 +98,10 @@ log.debug1("Keeping ipset '%s' because of timeout option", name) del self._ipsetsname - def apply_ipset(self, name): + def apply_ipset(self, name, backends=None): obj = self._ipsetsname - for backend in self.backends(): + for backend in backends if backends else self.backends(): if backend.name == "ipset": active = backend.set_get_active_terse() @@ -138,13 +147,13 @@ else: obj.applied = True - def apply_ipsets(self): + def apply_ipsets(self, backends=None): for name in self.get_ipsets(): obj = self._ipsetsname obj.applied = False log.debug1("Applying ipset '%s'" % name) - self.apply_ipset(name) + self.apply_ipset(name, backends) def flush(self): for backend in self.backends(): 
@@ -242,11 +251,7 @@ def set_entries(self, name, entries): obj = self.get_ipset(name, applied=True) - _entries = set() - for _entry in entries: - check_entry_overlaps_existing(_entry, _entries) - _entries.add(normalize_ipset_entry(_entry)) - entries = list(_entries) + check_for_overlapping_entries(entries) for entry in entries: IPSet.check_entry(entry, obj.options, obj.type)
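Review bot: `set_entries` previously normalised each entry with `normalize_ipset_entry`, checked it against the growing set with `check_entry_overlaps_existing` and deduplicated through `set()`; the replacement `check_for_overlapping_entries(entries)` only sees the raw list, so unless that helper also normalises, duplicates and differently spelled equal entries now reach `IPSet.check_entry` and the backend. Confirm its semantics or keep the normalisation step, and if `normalize_ipset_entry` and `check_entry_overlaps_existing` are no longer used elsewhere in this module, drop them from the import list in the first hunk. On `omit_native_ipset`: it is keyed on `has_runtime_configuration()` only, so permanent direct config does not by itself keep the native ipset backend; that is fine as long as the `add_pre(... apply_ipsets ...)` hook in `fw_direct` is what restores it on the first direct rule.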
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_policies.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_policies.py
Changed
@@ -77,4 +77,3 @@ def query_lockdown(self): return self._lockdown -
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_policy.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_policy.py
Changed
@@ -2,7 +2,8 @@ # # SPDX-License-Identifier: GPL-2.0-or-later -import time +import copy + from firewall.core.logger import log from firewall.functions import portStr, checkIPnMask, checkIP6nMask, \ checkProtocol, enable_ip_forwarding, check_single_address, \ @@ -11,11 +12,10 @@ from firewall.core.rich import Rich_Rule, Rich_Accept, \ Rich_Service, Rich_Port, Rich_Protocol, \ Rich_Masquerade, Rich_ForwardPort, Rich_SourcePort, Rich_IcmpBlock, \ - Rich_IcmpType, Rich_Mark, Rich_Tcp_Mss_Clamp + Rich_IcmpType, Rich_Tcp_Mss_Clamp from firewall.core.fw_transaction import FirewallTransaction from firewall import errors from firewall.errors import FirewallError -from firewall.fw_types import LastUpdatedOrderedDict from firewall.core.base import SOURCE_IPSET_TYPES class FirewallPolicy(object): @@ -34,7 +34,9 @@ # transaction def new_transaction(self): - return FirewallTransaction(self._fw) + t = FirewallTransaction(self._fw) + t.add_pre(self._fw.full_check_config) + return t # policies @@ -52,9 +54,9 @@ def get_active_policies_not_derived_from_zone(self): active_policies = for policy in self.get_policies_not_derived_from_zone(): - settings = self.get_settings(policy) - if (set(settings"ingress_zones") & (set(self._fw.zone.get_active_zones()) | set("HOST", "ANY"))) and \ - (set(settings"egress_zones") & (set(self._fw.zone.get_active_zones()) | set("HOST", "ANY"))): + p_obj = self.get_policy(policy) + if (set(p_obj.ingress_zones) & (set(self._fw.zone.get_active_zones()) | set("HOST", "ANY"))) and \ + (set(p_obj.egress_zones) & (set(self._fw.zone.get_active_zones()) | set("HOST", "ANY"))): active_policies.append(policy) return active_policies 
@@ -64,63 +66,14 @@ return self._policiesp def add_policy(self, obj): - obj.settings = { x : LastUpdatedOrderedDict() - for x in "services", "ports", - "masquerade", "forward_ports", - "source_ports", - "icmp_blocks", "rules", - "protocols", "icmp_block_inversion", - "ingress_zones", "egress_zones" } - self._policiesobj.name = obj - self.copy_permanent_to_runtime(obj.name) def remove_policy(self, policy): obj = self._policiespolicy if obj.applied: self.unapply_policy_settings(policy) - obj.settings.clear() del self._policiespolicy - def copy_permanent_to_runtime(self, policy): - obj = self._policiespolicy - - if obj.applied: - return - - for args in obj.ingress_zones: - self.add_ingress_zone(policy, args, allow_apply=False) - for args in obj.egress_zones: - self.add_egress_zone(policy, args, allow_apply=False) - for args in obj.icmp_blocks: - self.add_icmp_block(policy, args) - for args in obj.forward_ports: - self.add_forward_port(policy, *args) - for args in obj.services: - self.add_service(policy, args) - for args in obj.ports: - try: - self.add_port(policy, *args) - except FirewallError as error: - if error.code in errors.ALREADY_ENABLED: - log.warning(error) - else: - raise error - for args in obj.protocols: - self.add_protocol(policy, args) - for args in obj.source_ports: - try: - self.add_source_port(policy, *args) - except FirewallError as error: - if error.code in errors.ALREADY_ENABLED: - log.warning(error) - else: - raise error - for args in obj.rules: - self.add_rule(policy, args) - if obj.masquerade: - self.add_masquerade(policy) - def apply_policies(self, use_transaction=None): for policy in self.get_policies(): p_obj = self._policiespolicy 
@@ -134,20 +87,6 @@ obj = self._policiespolicy obj.applied = applied - # settings - - # generate settings record with sender, timeout - def __gen_settings(self, timeout, sender): - ret = { - "date": time.time(), - "sender": sender, - "timeout": timeout, - } - return ret - - def get_settings(self, policy): - return self.get_policy(policy).settings - def _policy_settings(self, enable, policy, use_transaction=None): _policy = self._fw.check_policy(policy) obj = self._policies_policy @@ -167,11 +106,18 @@ else self._get_table_chains_for_zone_dispatch(policy): self.gen_chain_rules(policy, True, table, chain, transaction) - settings = self.get_settings(policy) if not obj.derived_from_zone: self._ingress_egress_zones(enable, _policy, transaction) - for key in settings: - for args in settingskey: + for key in "services", "ports", "masquerade", "forward_ports", + "source_ports", "icmp_blocks", "rules_str", + "protocols", "icmp_block_inversion", + "ingress_zones", "egress_zones": + args_list = getattr(self.get_policy(policy), key) + if isinstance(args_list, bool): + if not ((enable and args_list) or (not enable and args_list)): + continue + args_list = args_list + for args in args_list: if key == "icmp_blocks": self._icmp_block(enable, _policy, args, transaction) elif key == "icmp_block_inversion": @@ -191,7 +137,7 @@ transaction) elif key == "masquerade": self._masquerade(enable, _policy, transaction) - elif key == "rules": + elif key == "rules_str": self.__rule(enable, _policy, Rich_Rule(rule_str=args), transaction) elif key == "ingress_zones": 
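Review bot: in `_policy_settings` the condition `if not ((enable and args_list) or (not enable and args_list)): continue` reduces to `if not args_list: continue`; use the simple form, since the current one suggests enable-dependent behaviour that does not exist. The switch from `"rules"` to `"rules_str"` means rich rules are re-parsed with `Rich_Rule(rule_str=args)` on every apply; acceptable, but a rule string that fails to parse here aborts the whole settings pass, which the `full_check_config` pre-hook in `new_transaction` is supposed to catch first; a short comment tying the two together would help.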
@@ -218,22 +164,7 @@ self._policy_settings(False, policy, use_transaction=use_transaction) def get_config_with_settings_dict(self, policy): - """ - :return: exported config updated with runtime settings - """ - permanent = self.get_policy(policy).export_config_dict() - runtime = { "services": self.list_services(policy), - "ports": self.list_ports(policy), - "icmp_blocks": self.list_icmp_blocks(policy), - "masquerade": self.query_masquerade(policy), - "forward_ports": self.list_forward_ports(policy), - "rich_rules": self.list_rules(policy), - "protocols": self.list_protocols(policy), - "source_ports": self.list_source_ports(policy), - "ingress_zones": self.list_ingress_zones(policy), - "egress_zones": self.list_egress_zones(policy), - } - return self._fw.combine_runtime_with_permanent_settings(permanent, runtime) + return self.get_policy(policy).export_config_dict() def set_config_with_settings_dict(self, policy, settings, sender): # stupid wrappers to convert rich rule string to rich rule object @@ -256,6 +187,13 @@ "egress_zones": (self.add_egress_zone, self.remove_egress_zone), } + # do a full config check on a temporary object before trying to make + # the runtime changes + old_obj = self.get_policy(policy) + check_obj = copy.copy(old_obj) + check_obj.import_config_dict(settings, self._fw.get_all_io_objects_dict()) + self._fw.full_check_config({"policies": check_obj}) + old_settings = self.get_config_with_settings_dict(policy) (add_settings, remove_settings) = self._fw.get_added_and_removed_settings(old_settings, settings)
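Review bot: the pre-check `check_obj = copy.copy(old_obj)`, `check_obj.import_config_dict(settings, ...)`, `self._fw.full_check_config({"policies": check_obj})` is the right place to fail before touching runtime state, but it relies on `import_config_dict` assigning fresh attribute values rather than appending to the list attributes shared by a shallow copy; if any path mutates in place, a rejected `settings` dict has already altered `old_obj`. Use `copy.deepcopy` or document the invariant next to the copy. `get_config_with_settings_dict` now returns `export_config_dict()` directly; replace the removed docstring with one stating that runtime and permanent views are the same object now, otherwise the name is misleading.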
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_transaction.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_transaction.py
Changed
@@ -167,20 +167,10 @@ log.debug4("%s.pre()" % type(self)) for (func, args) in self.pre_funcs: - try: - func(*args) - except Exception as msg: - log.debug1(traceback.format_exc()) - log.error("Calling pre func %s(%s) failed: %s" % \ - (func, args, msg)) + func(*args) def post(self): log.debug4("%s.post()" % type(self)) for (func, args) in self.post_funcs: - try: - func(*args) - except Exception as msg: - log.debug1(traceback.format_exc()) - log.error("Calling post func %s(%s) failed: %s" % \ - (func, args, msg)) + func(*args)
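Review bot: removing the `try`/`except` in `pre()` and `post()` is what lets the new `full_check_config` pre-hook abort a transaction, which is the desired fail-closed behaviour. But `post()` hooks now raise after the rules have already been applied; check that `execute()` handles an exception from `post()` (rollback, or at least a logged and consistent state), since previously it was logged via `log.error` and swallowed. If `traceback` is no longer referenced in this module, drop the import.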
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/fw_zone.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/fw_zone.py
Changed
@@ -19,18 +19,28 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # -import time import copy from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET, SOURCE_IPSET_TYPES from firewall.core.fw_transaction import FirewallTransaction from firewall.core.io.policy import Policy from firewall.core.logger import log -from firewall.core.rich import Rich_Service, Rich_Port, Rich_Protocol, Rich_SourcePort, Rich_ForwardPort, \ - Rich_IcmpBlock, Rich_IcmpType, Rich_Masquerade, Rich_Mark, Rich_Tcp_Mss_Clamp +from firewall.core.rich import ( + Rich_ForwardPort, + Rich_IcmpBlock, + Rich_IcmpType, + Rich_Mark, + Rich_Masquerade, + Rich_Port, + Rich_Protocol, + Rich_Rule, + Rich_Service, + Rich_SourcePort, + Rich_Tcp_Mss_Clamp +) +from firewall.core.fw_nm import nm_get_bus_name from firewall.functions import checkIPnMask, checkIP6nMask, check_mac from firewall import errors from firewall.errors import FirewallError -from firewall.fw_types import LastUpdatedOrderedDict class FirewallZone(object): ZONE_POLICY_PRIORITY = 0 @@ -48,7 +58,9 @@ self._zone_policies.clear() def new_transaction(self): - return FirewallTransaction(self._fw) + t = FirewallTransaction(self._fw) + t.add_pre(self._fw.full_check_config) + return t def policy_name_from_zones(self, fromZone, toZone): return "zone_{fromZone}_{toZone}".format(fromZone=fromZone, toZone=toZone) @@ -68,7 +80,7 @@ def get_zone_of_interface(self, interface): interface_id = self.__interface_id(interface) for zone in self._zones: - if interface_id in self._zoneszone.settings"interfaces": + if interface_id in self._zoneszone.interfaces: # an interface can only be part of one zone return zone return None @@ -76,7 +88,7 @@ def get_zone_of_source(self, source): source_id = self.__source_id(source) for zone in self._zones: - if source_id in self._zoneszone.settings"sources": + if source_id in self._zoneszone.sources: # a source_id can only be part of one zone return zone return None 
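Review bot: `from firewall.core.fw_nm import nm_get_bus_name` is added but not used in any visible hunk of this file; remove it or point to the use. Moving `Rich_Rule` into the top-level import (and dropping the local import in `set_config_with_settings_dict`) is good. `new_transaction` now runs `self._fw.full_check_config` as a pre-hook on every zone transaction, mirroring `FirewallPolicy`; that is a full re-validation of all permanent objects per runtime change, so a comment on the cost would be useful.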
@@ -100,10 +112,11 @@ for setting in "services", "ports", "masquerade", "forward_ports", "source_ports", - "icmp_blocks", "rules", - "protocols": + "icmp_blocks", "icmp_block_inversion", + "rules_str", "protocols": if fromZone == z_obj.name and toZone == "HOST" and \ - setting in "services", "ports", "source_ports", "icmp_blocks", "protocols": + setting in "services", "ports", "source_ports", "icmp_blocks", + "icmp_block_inversion", "protocols": # zone --> HOST setattr(p_obj, setting, copy.deepcopy(getattr(z_obj, setting))) elif fromZone == "ANY" and toZone == z_obj.name and setting in "masquerade": @@ -113,21 +126,20 @@ setting in "forward_ports": # zone --> any zone setattr(p_obj, setting, copy.deepcopy(getattr(z_obj, setting))) - elif setting in "rules": + elif setting in "rules_str": + p_obj.rules_str = p_obj.rules = - for rule in z_obj.rules: + for rule_str in z_obj.rules_str: current_policy = self.policy_name_from_zones(fromZone, toZone) + rule = Rich_Rule(rule_str=rule_str) if current_policy in self._rich_rule_to_policies(z_obj.name, rule): - p_obj.rules.append(copy.deepcopy(rule)) + p_obj.rules_str.append(rule_str) + p_obj.rules.append(rule) return p_obj def add_zone(self, obj): - obj.settings = { x : LastUpdatedOrderedDict() - for x in "interfaces", "sources", - "icmp_block_inversion", - "forward" } self._zonesobj.name = obj self._zone_policiesobj.name = 
@@ -146,25 +158,10 @@ self._fw.policy.add_policy(p_obj) self._zone_policiesobj.name.append(p_obj.name) - self.copy_permanent_to_runtime(obj.name) - - def copy_permanent_to_runtime(self, zone): - obj = self._zoneszone - - for arg in obj.interfaces: - self.add_interface(zone, arg, allow_apply=False) - for arg in obj.sources: - self.add_source(zone, arg, allow_apply=False) - if obj.forward: - self.add_forward(zone) - if obj.icmp_block_inversion: - self.add_icmp_block_inversion(zone) - def remove_zone(self, zone): obj = self._zoneszone if obj.applied: self.unapply_zone_settings(zone) - obj.settings.clear() del self._zoneszone del self._zone_policieszone @@ -241,28 +238,17 @@ if use_transaction is None: transaction.execute(True) - # settings - - # generate settings record with sender, timeout - def __gen_settings(self, timeout, sender): - ret = { - "date": time.time(), - "sender": sender, - "timeout": timeout, - } - return ret - - def get_settings(self, zone): - return self.get_zone(zone).settings - def _zone_settings(self, enable, zone, transaction): - settings = self.get_settings(zone) - for key in settings: - for args in settingskey: + for key in "interfaces", "sources", "forward", "icmp_block_inversion": + args_list = getattr(self.get_zone(zone), key) + if isinstance(args_list, bool): + args_list = args_list + for args in args_list: if key == "interfaces": self._interface(enable, zone, args, transaction) elif key == "sources": - self._source(enable, zone, args0, args1, transaction) + ipv = self.check_source(args) + self._source(enable, zone, ipv, args, transaction) elif key == "icmp_block_inversion": continue elif key == "forward": 
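Review bot: in `_zone_settings`, `if isinstance(args_list, bool): args_list = [args_list]` turns a `False` value for `forward` or `icmp_block_inversion` into one loop iteration; `icmp_block_inversion` hits `continue`, but `forward` goes on into its branch with `args == False`. The `FirewallPolicy._policy_settings` counterpart skips falsy booleans; do the same here unless the `forward` branch is known to test `args`. The `sources` change to `ipv = self.check_source(args)` followed by `self._source(enable, zone, ipv, args, transaction)` is fine, though it re-runs the validator on every apply.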
@@ -356,7 +342,6 @@ def set_config_with_settings_dict(self, zone, settings, sender): # stupid wrappers to convert rich rule string to rich rule object - from firewall.core.rich import Rich_Rule def add_rule_wrapper(zone, rule_str, timeout=0, sender=None): self.add_rule(zone, Rich_Rule(rule_str=rule_str), timeout=0, sender=sender) def remove_rule_wrapper(zone, rule_str): @@ -377,6 +362,13 @@ "forward": (self.add_forward, self.remove_forward), } + # do a full config check on a temporary object before trying to make + # the runtime changes + old_obj = self.get_zone(zone) + check_obj = copy.copy(old_obj) + check_obj.import_config_dict(settings, self._fw.get_all_io_objects_dict()) + self._fw.full_check_config({"zones": check_obj}) + old_settings = self.get_config_with_settings_dict(zone) (add_settings, remove_settings) = self._fw.get_added_and_removed_settings(old_settings, settings) @@ -413,18 +405,6 @@ def check_interface(self, interface): self._fw.check_interface(interface) - def interface_get_sender(self, zone, interface): - _zone = self._fw.check_zone(zone) - _obj = self._zones_zone - interface_id = self.__interface_id(interface) - - if interface_id in _obj.settings"interfaces": - settings = _obj.settings"interfaces"interface_id
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/direct.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/direct.py
Changed
@@ -120,16 +120,16 @@ ( "rules", ( "", "", "", 0, "" ), , ), # a(sssias) # passthrough: ipv, arg ( "passthroughs", ( "", "" ), , ), # a(sas) - ) + ) DBUS_SIGNATURE = '(a(sss)a(sssias)a(sas))' PARSER_REQUIRED_ELEMENT_ATTRS = { "direct": None, "chain": "ipv", "table", "chain" , "rule": "ipv", "table", "chain", "priority" , "passthrough": "ipv" - } + } PARSER_OPTIONAL_ELEMENT_ATTRS = { - } + } def __init__(self, filename): super(Direct, self).__init__() @@ -138,7 +138,7 @@ self.rules = LastUpdatedOrderedDict() self.passthroughs = LastUpdatedOrderedDict() - def _check_config(self, conf, item, all_conf): + def _check_config(self, conf, item, all_conf, all_io_objects): pass # check arg lists @@ -162,7 +162,7 @@ ret.append(x) return tuple(ret) - def import_config(self, conf): + def import_config(self, conf, all_io_objects): self.cleanup() self.check_config(conf) for i,(element,dummy) in enumerate(self.IMPORT_EXPORT_STRUCTURE):
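Review bot: `import_config(self, conf, all_io_objects)` gains the parameter but still calls `self.check_config(conf)` without it; the base-class default makes this work, but pass it through for consistency with `IPSet.import_config`. The `_check_config` override that is just `pass` means direct config is never cross-checked against other objects; a one-line comment stating that intent prevents someone from reading it as an omission. The remaining hunks are closing-bracket indentation only.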
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/firewalld_conf.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/firewalld_conf.py
Changed
@@ -65,6 +65,21 @@ s += '%s=%s' % (key, value) return s + def set_defaults(self): + self.set("DefaultZone", config.FALLBACK_ZONE) + self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) + self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") + self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no") + self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") + self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") + self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") + self.set("LogDenied", config.FALLBACK_LOG_DENIED) + self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS) + self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND) + self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no") + self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no") + self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no") + # load self.filename def read(self): self.clear() 
@@ -72,19 +87,7 @@ f = open(self.filename, "r") except Exception as msg: log.error("Failed to load '%s': %s", self.filename, msg) - self.set("DefaultZone", config.FALLBACK_ZONE) - self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) - self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") - self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no") - self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") - self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") - self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") - self.set("LogDenied", config.FALLBACK_LOG_DENIED) - self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS) - self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND) - self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no") - self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no") - self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no") + self.set_defaults() raise for line in f:
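Review bot: `set_defaults()` is only invoked in the `except` branch of `read()` immediately before `raise`, so a readable file that omits some keys still has no fallback for them unless every getter handles the missing case; consider calling `set_defaults()` unconditionally before parsing so each key starts at its `config.FALLBACK_*` value. Style nit carried over from the old code: `self.set("IPv6_rpfilter","yes" ...)` lacks the space after the comma that the other lines have.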
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/functions.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/functions.py
Changed
@@ -35,33 +35,39 @@ from firewall.core.io.lockdown_whitelist import LockdownWhitelist from firewall.core.io.firewalld_conf import firewalld_conf -def check_config(fw): +def check_on_disk_config(fw): fw_config = FirewallConfig(fw) readers = { - "ipset": {"reader": ipset_reader, - "add": fw_config.add_ipset, - "dirs": config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS, - }, - "helper": {"reader": helper_reader, - "add": fw_config.add_helper, - "dirs": config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS, - }, - "icmptype": {"reader": icmptype_reader, - "add": fw_config.add_icmptype, - "dirs": config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES, - }, - "service": {"reader": service_reader, - "add": fw_config.add_service, - "dirs": config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES, - }, - "zone": {"reader": zone_reader, - "add": fw_config.add_zone, - "dirs": config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES, - }, - "policy": {"reader": policy_reader, - "add": fw_config.add_policy_object, - "dirs": config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES, - }, + "ipset": { + "reader": ipset_reader, + "add": fw_config.add_ipset, + "dirs": config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS, + }, + "helper": { + "reader": helper_reader, + "add": fw_config.add_helper, + "dirs": config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS, + }, + "icmptype": { + "reader": icmptype_reader, + "add": fw_config.add_icmptype, + "dirs": config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES, + }, + "service": { + "reader": service_reader, + "add": fw_config.add_service, + "dirs": config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES, + }, + "zone": { + "reader": zone_reader, + "add": fw_config.add_zone, + "dirs": config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES, + }, + "policy": { + "reader": policy_reader, + "add": fw_config.add_policy_object, + "dirs": config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES, + }, } for reader in readers.keys(): for _dir 
in readersreader"dirs": @@ -69,16 +75,10 @@ continue for file in sorted(os.listdir(_dir)): if file.endswith(".xml"): - try: - obj = readersreader"reader"(file, _dir) - if reader in "zone", "policy": - obj.fw_config = fw_config - obj.check_config(obj.export_config()) - readersreader"add"(obj) - except FirewallError as error: - raise FirewallError(error.code, "'%s': %s" % (file, error.msg)) - except Exception as msg: - raise Exception("'%s': %s" % (file, msg)) + obj = readersreader"reader"(file, _dir) + readersreader"add"(obj) + fw_config.full_check_config() + if os.path.isfile(config.FIREWALLD_DIRECT): try: obj = Direct(config.FIREWALLD_DIRECT)
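Review bot: the removed `try`/`except` used to prefix errors with the offending file (`raise FirewallError(error.code, "'%s': %s" % (file, error.msg))`); with validation moved to `fw_config.full_check_config()` after all files are loaded, a bad `.xml` now produces an error with no file context, which makes diagnosing a rejected configuration harder. Keep the per-file wrap around the `readers[reader]["reader"](file, _dir)` call and have `full_check_config` include the object name in its errors. The rename `check_config` to `check_on_disk_config` changes a module-level name; make sure every caller was updated in the same change.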
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/helper.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/helper.py
Changed
@@ -42,18 +42,18 @@ ( "family", "", ), # s ( "module", "", ), # s ( "ports", ( "", "" ), , ), # a(ss) - ) + ) DBUS_SIGNATURE = '(sssssa(ss))' ADDITIONAL_ALNUM_CHARS = "-", "." PARSER_REQUIRED_ELEMENT_ATTRS = { "short": None, "description": None, "helper": "module" , - } + } PARSER_OPTIONAL_ELEMENT_ATTRS = { "helper": "name", "version", "family" , "port": "port", "protocol" , - } + } def __init__(self): super(Helper, self).__init__() @@ -78,7 +78,7 @@ raise FirewallError(errors.INVALID_IPV, "'%s' not in '%s'" % (ipv, ipvs)) - def _check_config(self, config, item, all_config): + def _check_config(self, config, item, all_config, all_io_objects): if item == "ports": for port in config: check_port(port0)
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/icmptype.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/icmptype.py
Changed
@@ -39,18 +39,18 @@ ( "short", "" ), # s ( "description", "" ), # s ( "destination", "", , ), # as - ) + ) DBUS_SIGNATURE = '(sssas)' ADDITIONAL_ALNUM_CHARS = "_", "-" PARSER_REQUIRED_ELEMENT_ATTRS = { "short": None, "description": None, "icmptype": None, - } + } PARSER_OPTIONAL_ELEMENT_ATTRS = { "icmptype": "name", "version" , "destination": "ipv4", "ipv6" , - } + } def __init__(self): super(IcmpType, self).__init__() @@ -65,7 +65,7 @@ self.description = "" del self.destination: - def _check_config(self, config, item, all_config): + def _check_config(self, config, item, all_config, all_io_objects): if item == "destination": for destination in config: if destination not in "ipv4", "ipv6" :
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/io_object.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/io_object.py
Changed
@@ -63,8 +63,8 @@ confkey = copy.deepcopy(getattr(self, key)) return conf - def import_config(self, conf): - self.check_config(conf) + def import_config(self, conf, all_io_objects): + self.check_config(conf, all_io_objects) for i,(element,dummy) in enumerate(self.IMPORT_EXPORT_STRUCTURE): if isinstance(confi, list): # remove duplicates without changing the order @@ -79,8 +79,8 @@ else: setattr(self, element, copy.deepcopy(confi)) - def import_config_dict(self, conf): - self.check_config_dict(conf) + def import_config_dict(self, conf, all_io_objects): + self.check_config_dict(conf, all_io_objects) for key in conf: if not hasattr(self, key): @@ -104,25 +104,26 @@ errors.INVALID_NAME, "'%s' is not allowed in '%s'" % ((char, name))) - def check_config(self, conf): + def check_config(self, conf, all_io_objects={}): if len(conf) != len(self.IMPORT_EXPORT_STRUCTURE): raise FirewallError( errors.INVALID_TYPE, "structure size mismatch %d != %d" % \ (len(conf), len(self.IMPORT_EXPORT_STRUCTURE))) - for i,(element,value) in enumerate(self.IMPORT_EXPORT_STRUCTURE): - self._check_config_structure(confi, value) - self._check_config(confi, element, conf) + conf_dict = {} + for i,(x,y) in enumerate(self.IMPORT_EXPORT_STRUCTURE): + conf_dictx = confi + self.check_config_dict(conf_dict, all_io_objects) - def check_config_dict(self, conf): + def check_config_dict(self, conf, all_io_objects): type_formats = dict((x0, x1) for x in self.IMPORT_EXPORT_STRUCTURE) for key in conf: if key not in x for (x,y) in self.IMPORT_EXPORT_STRUCTURE: raise FirewallError(errors.INVALID_OPTION, "option '{}' is not valid".format(key)) self._check_config_structure(confkey, type_formatskey) - self._check_config(confkey, key, conf) + self._check_config(confkey, key, conf, all_io_objects) - def _check_config(self, dummy1, dummy2, dummy3): + def _check_config(self, dummy1, dummy2, dummy3, dummy4): # to be overloaded by sub classes return 
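Review bot: `check_config(self, conf, all_io_objects={})` uses a mutable default while the sibling `check_config_dict` requires the argument; use `None` (or make it required) for consistency. `_check_config` gains a fourth positional parameter, so every subclass override must change in the same commit; the in-tree ones in this changeset do, but the base could name the parameters (`conf, item, all_conf, all_io_objects`) instead of `dummy1..dummy4` to make the contract obvious. The two `(\` continuation hunks are whitespace only.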
@@ -152,11 +153,11 @@ if not isinstance(key, type(skey)): raise FirewallError(errors.INVALID_TYPE, "'%s' not of type %s, but %s" % (\ - key, type(skey), type(key))) + key, type(skey), type(key))) if not isinstance(value, type(svalue)): raise FirewallError(errors.INVALID_TYPE, "'%s' not of type %s, but %s" % (\ - value, type(svalue), type(value))) + value, type(svalue), type(value))) # check required elements and attributes and also optional attributes def parser_check_element_attrs(self, name, attrs): @@ -288,4 +289,3 @@ if not functions.check_address(ipv, addr): raise FirewallError(errors.INVALID_ADDR, "'%s' is not valid %s address" % (addr, ipv)) -
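Review bot: `def check_config(self, conf, all_io_objects={})` in the `@@ -104,25 +104,26 @@` hunk uses a mutable dict as a default argument while the sibling `import_config`, `import_config_dict` and `check_config_dict` make `all_io_objects` mandatory; use `all_io_objects=None` and normalise in the body, or drop the default, so the three entry points agree. The same hunk also changes what overrides receive as `all_config`: the old loop passed the positional `conf` list to `self._check_config(conf[i], element, conf)`, the new code builds `conf_dict` and delegates to `check_config_dict`, so every subclass `_check_config` that indexed `all_config` by position must be re-checked; a one-line docstring on `_check_config` stating that `all_config` is now a dict keyed by element name and that `all_io_objects` is keyed by object type would make the contract explicit.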
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/ipset.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/ipset.py
Changed
@@ -265,7 +265,7 @@ raise FirewallError(errors.INVALID_IPSET, "ipset type '%s' not usable" % ipset_type) - def _check_config(self, config, item, all_config): + def _check_config(self, config, item, all_config, all_io_objects): if item == "type": if config not in IPSET_TYPES: raise FirewallError(errors.INVALID_TYPE, @@ -292,13 +292,13 @@ configkey not in "inet", "inet6" : raise FirewallError(errors.INVALID_FAMILY, configkey) - def import_config(self, config): + def import_config(self, config, all_io_objects): if "timeout" in config4 and config4"timeout" != "0": if len(config5) != 0: raise FirewallError(errors.IPSET_WITH_TIMEOUT) for entry in config5: IPSet.check_entry(entry, config4, config3) - super(IPSet, self).import_config(config) + super(IPSet, self).import_config(config, all_io_objects) # PARSER
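Review bot: in the `@@ -292,13 +292,13 @@` hunk `IPSet.import_config` still runs `IPSet.check_entry(entry, config[4], config[3])` over every entry before `super(IPSet, self).import_config(config, all_io_objects)` is reached, and it is the base-class call that performs `check_config`; the ipset type and options are therefore consumed by the entry checks before they have been validated against `IPSET_TYPES` in `_check_config`. Consider moving the base-class call first, or add a comment that `check_entry` must tolerate an unvalidated type. The positional indices also silently depend on the order of `IMPORT_EXPORT_STRUCTURE`; naming them would make the coupling visible.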
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/lockdown_whitelist.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/lockdown_whitelist.py
Changed
@@ -63,7 +63,7 @@ try: uid = int(attrs"id") except ValueError: - log.error("Parse Error: %s is not a valid uid" % + log.error("Parse Error: %s is not a valid uid" % attrs"id") return self.item.add_uid(uid) @@ -78,7 +78,6 @@ log.error("Parse Error: no context") return self.item.add_context(attrs"context") - else: log.error('Unknown XML element %s' % name) @@ -92,20 +91,20 @@ ( "contexts", "" ), # as ( "users", "" ), # as ( "uids", 0 ) # ai - ) + ) DBUS_SIGNATURE = '(asasasai)' ADDITIONAL_ALNUM_CHARS = "_" PARSER_REQUIRED_ELEMENT_ATTRS = { "whitelist": None, "command": "name" , "user": None, -# "group": None, + # "group": None, "selinux": "context" , - } + } PARSER_OPTIONAL_ELEMENT_ATTRS = { "user": "id", "name" , -# "group": "id", "name" , - } + # "group": "id", "name" , + } def __init__(self, filename): super(LockdownWhitelist, self).__init__() @@ -118,10 +117,10 @@ # self.gids = # self.groups = - def _check_config(self, config, item, all_config): + def _check_config(self, config, item, all_config, all_io_objects): if item in "commands", "contexts", "users", "uids" : for x in config: - self._check_config(x, item:-1, all_config) + self._check_config(x, item:-1, all_config, all_io_objects) elif item == "command": if not checkCommand(config): raise FirewallError(errors.INVALID_COMMAND, config)
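Review bot: the `@@ -78,7 +78,6 @@` hunk deletes the `else:` that preceded `log.error('Unknown XML element %s' % name)` without adding a replacement, and the remaining context lines do not show which block that `log.error` now belongs to; please confirm the message is still emitted only for unrecognised elements and not after every `selinux` element, and if this is a pure reindentation, say so in the commit message. The rest of the hunks (`PARSER_REQUIRED_ELEMENT_ATTRS`, `PARSER_OPTIONAL_ELEMENT_ATTRS`, the `_check_config` signature) are whitespace and signature changes only and look fine.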
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/policy.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/policy.py
Changed
@@ -10,8 +10,16 @@ import shutil from firewall import config -from firewall.functions import checkIP, checkIP6 -from firewall.functions import uniqify, max_policy_name_len, portStr +from firewall.functions import ( + checkIP, + checkIP6, + checkUINT16, + coalescePortRange, + max_policy_name_len, + portInPortRange, + portStr, + uniqify, +) from firewall.core.base import DEFAULT_POLICY_TARGET, POLICY_TARGETS, DEFAULT_POLICY_PRIORITY from firewall.core.io.io_object import IO_Object, \ IO_Object_ContentHandler, IO_Object_XMLGenerator, check_port, \ @@ -55,12 +63,27 @@ return True check_port(attrs"port") check_tcpudp(attrs"protocol") - entry = (portStr(attrs"port", "-"), attrs"protocol") - if entry not in obj.item.ports: - obj.item.ports.append(entry) + + # coalesce and warn about overlapping ranges + new_port_id = (portStr(attrs"port", "-"), attrs"protocol") + existing_port_ids = list(filter(lambda x: x1 == attrs"protocol", obj.item.ports)) + for port_id in existing_port_ids: + if portInPortRange(new_port_id0, port_id0): + # the range is wholly contained already, so just warn + _name = obj.item.derived_from_zone if isinstance(obj.item, Policy) else obj.item.name + log.warning(FirewallError(errors.ALREADY_ENABLED, + "'%s:%s' already in '%s'" % (new_port_id0, attrs"protocol", _name))) + break # for else: - log.warning("Port '%s/%s' already set, ignoring.", - attrs"port", attrs"protocol") + # the range can be coalesced into the existing set + added_ranges, removed_ranges = coalescePortRange(new_port_id0, _port for (_port, _protocol) in existing_port_ids) + + for _range in removed_ranges: + entry = (portStr(_range, "-"), attrs"protocol") + obj.item.ports.remove(entry) + for _range in added_ranges: + entry = (portStr(_range, "-"), attrs"protocol") + obj.item.ports.append(entry) elif name == "protocol": if obj._rule: 
@@ -77,10 +100,10 @@ else: log.warning("Protocol '%s' already set, ignoring.", attrs"value") - + elif name == "tcp-mss-clamp": if obj._rule: - if obj._rule.element: + if obj._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(obj._rule)) obj._rule_error = True @@ -185,12 +208,27 @@ return True check_port(attrs"port") check_tcpudp(attrs"protocol") - entry = (portStr(attrs"port", "-"), attrs"protocol") - if entry not in obj.item.source_ports: - obj.item.source_ports.append(entry) + + # coalesce and warn about overlapping ranges + new_port_id = (portStr(attrs"port", "-"), attrs"protocol") + existing_port_ids = list(filter(lambda x: x1 == attrs"protocol", obj.item.source_ports)) + for port_id in existing_port_ids: + if portInPortRange(new_port_id0, port_id0): + # the range is wholly contained already, so just warn + _name = obj.item.derived_from_zone if isinstance(obj.item, Policy) else obj.item.name + log.warning(FirewallError(errors.ALREADY_ENABLED, + "'%s:%s' already in '%s'" % (new_port_id0, attrs"protocol", _name))) + break # for else: - log.warning("Source port '%s/%s' already set, ignoring.", - attrs"port", attrs"protocol") + # the range can be coalesced into the existing set + added_ranges, removed_ranges = coalescePortRange(new_port_id0, _port for (_port, _protocol) in existing_port_ids) + + for _range in removed_ranges: + entry = (portStr(_range, "-"), attrs"protocol") + obj.item.source_ports.remove(entry) + for _range in added_ranges: + entry = (portStr(_range, "-"), attrs"protocol") + obj.item.source_ports.append(entry) elif name == "destination": if not obj._rule: 
@@ -253,10 +291,47 @@ log.warning('Invalid rule: Invalid log level') obj._rule_error = True return True - prefix = attrs"prefix" if "prefix" in attrs else None + prefix = None + if "prefix" in attrs: + prefix = attrs"prefix" + if not prefix or len(prefix) > 127: + log.warning('Invalid rule: Invalid log prefix') + obj._rule_error = True + return True obj._rule.log = rich.Rich_Log(prefix, level) obj._limit_ok = obj._rule.log + elif name == "nflog": + if not obj._rule: + log.warning('Invalid rule: Log outside of rule') + return True + if obj._rule.log: + log.warning('Invalid rule: More than one log') + return True + group = None + if "group" in attrs: + group = attrs"group" + if not checkUINT16(group): + log.warning('Invalid rule: Invalid nflog group value') + obj._rule_error = True + return True + prefix = None + if "prefix" in attrs: + prefix = attrs"prefix" + if not prefix or len(prefix) > 127: + log.warning('Invalid rule: Invalid nflog prefix') + obj._rule_error = True + return True + threshold = None + if "queue-size" in attrs: + threshold = attrs"queue-size" + if not checkUINT16(threshold): + log.warning('Invalid rule: Invalid nflog queue-size') + obj._rule_error = True + return True + obj._rule.log = rich.Rich_NFLog(group, prefix, threshold) + obj._limit_ok = obj._rule.log + elif name == "audit": if not obj._rule: log.warning('Invalid rule: Audit outside of rule') 
@@ -319,14 +394,16 @@ elif name in "accept", "reject", "drop", "mark", "log", "audit" : obj._limit_ok = None -def common_check_config(obj, config, item, all_config): - if item == "services" and obj.fw_config: - existing_services = obj.fw_config.get_services() +def common_check_config(obj, config, item, all_config, all_io_objects): + obj_type = "Policy" if isinstance(obj, Policy) else "Zone" + + if item == "services" and "services" in all_io_objects: + existing_services = all_io_objects"services" for service in config: if service not in existing_services: raise FirewallError(errors.INVALID_SERVICE, - "'%s' not among existing services" % \ - service) + "{} '{}': '{}' not among existing services".format( + obj_type, obj.name, service)) elif item == "ports": for port in config: check_port(port0) @@ -334,28 +411,33 @@ elif item == "protocols": for proto in config: check_protocol(proto) - elif item == "icmp_blocks" and obj.fw_config: - existing_icmptypes = obj.fw_config.get_icmptypes() + elif item == "icmp_blocks" and "icmptypes" in all_io_objects: + existing_icmptypes = all_io_objects"icmptypes" for icmptype in config: if icmptype not in existing_icmptypes: - raise FirewallError(errors.INVALID_ICMPTYPE, - "'%s' not among existing icmp types" % \ - icmptype) + ex = FirewallError(errors.INVALID_ICMPTYPE, + "{} '{}': '{}' not among existing ICMP types".format( + obj_type, obj.name, icmptype)) + if icmptype in all_io_objects.get("icmptypes_unsupported", {}): + log.debug1("{} (unsupported)".format(ex)) + else: + raise ex + elif item == "forward_ports": for fwd_port in config: check_port(fwd_port0) check_tcpudp(fwd_port1) if not fwd_port2 and not fwd_port3: - raise FirewallError( - errors.INVALID_FORWARD, - "'%s' is missing to-port AND to-addr " % fwd_port) + raise FirewallError(errors.INVALID_FORWARD, + "{} '{}': '{}' is missing to-port AND to-addr ".format(
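Review bot: the port-coalescing block introduced in the `@@ -55,12 +63,27 @@` hunk is repeated verbatim in the `@@ -185,12 +208,27 @@` hunk, differing only in `obj.item.ports` versus `obj.item.source_ports`; factor it into a helper that takes the target list, otherwise the two copies will drift. In both copies `_name = obj.item.derived_from_zone if isinstance(obj.item, Policy) else obj.item.name` puts `None` into the `ALREADY_ENABLED` warning for a policy that was not derived from a zone; fall back to `obj.item.name` when `derived_from_zone` is unset. In the `@@ -334,28 +411,33 @@` hunk the `icmptypes_unsupported` case only logs at `debug1` and silently drops the block, which is the intended degradation, but the `"services" in all_io_objects` guard in `common_check_config` means a caller that omits the key skips service validation entirely; a comment stating that the check is best-effort when the key is absent would prevent surprises.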
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/service.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/service.py
Changed
@@ -46,13 +46,13 @@ ( "source_ports", ( "", "" ), , ), ( "includes", "" , ), ( "helpers", "", , ), - ) + ) ADDITIONAL_ALNUM_CHARS = "_", "-" PARSER_REQUIRED_ELEMENT_ATTRS = { "short": None, "description": None, "service": None, - } + } PARSER_OPTIONAL_ELEMENT_ATTRS = { "service": "name", "version" , "port": "port", "protocol" , @@ -62,7 +62,7 @@ "source-port": "port", "protocol" , "include": "service" , "helper": "name" , - } + } def __init__(self): super(Service, self).__init__() @@ -89,7 +89,7 @@ del self.includes: del self.helpers: - def _check_config(self, config, item, all_config): + def _check_config(self, config, item, all_config, all_io_objects): if item == "ports": for port in config: if port0 != "": @@ -125,6 +125,13 @@ if len(module) < 2: raise FirewallError(errors.INVALID_MODULE, module) + elif item == "includes": + for include in config: + if include not in all_io_objects"services": + raise FirewallError(errors.INVALID_SERVICE, + "Service '{}': Included service '{}' not found.".format( + self.name, include)) + # PARSER class service_ContentHandler(IO_Object_ContentHandler):
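Review bot: the new `includes` branch in the `@@ -125,6 +125,13 @@` hunk indexes `all_io_objects["services"]` without a guard, whereas `common_check_config` in policy.py tests `"services" in all_io_objects` first and `IO_Object.check_config` defaults `all_io_objects` to `{}`; any caller that reaches `Service._check_config` through that default will raise `KeyError` instead of `FirewallError`. Either mirror the membership guard here or make the key mandatory in the base class so the failure is consistent.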
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/io/zone.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/io/zone.py
Changed
@@ -58,7 +58,7 @@ ( "source_ports", ( "", "" ), , ), # a(ss) ( "icmp_block_inversion", False ), # b ( "forward", True ), # b - ) + ) ADDITIONAL_ALNUM_CHARS = "_", "-", "/" PARSER_REQUIRED_ELEMENT_ATTRS = { "short": None, @@ -77,6 +77,7 @@ "protocol": "value" , "source-port": "port", "protocol" , "log": None, + "nflog": None, "audit": None, "accept": None, "reject": None, @@ -84,7 +85,7 @@ "mark": "set" , "limit": "value" , "icmp-block-inversion": None, - } + } PARSER_OPTIONAL_ELEMENT_ATTRS = { "zone": "name", "immutable", "target", "version" , "masquerade": "enabled" , @@ -93,9 +94,10 @@ "source": "address", "mac", "invert", "family", "ipset" , "destination": "address", "invert", "ipset" , "log": "prefix", "level" , + "nflog": "group", "prefix", "queue-size" , "reject": "type" , "tcp-mss-clamp": "value" , - } + } @staticmethod def index_of(element): @@ -121,7 +123,6 @@ self.source_ports = self.interfaces = self.sources = - self.fw_config = None # to be able to check services and a icmp_blocks self.rules = self.rules_str = self.icmp_block_inversion = False @@ -144,7 +145,6 @@ del self.source_ports: del self.interfaces: del self.sources: - self.fw_config = None # to be able to check services and a icmp_blocks del self.rules: del self.rules_str: self.icmp_block_inversion = False 
@@ -164,48 +164,54 @@ del conf"UNUSED" return conf - def _check_config(self, config, item, all_config): - common_check_config(self, config, item, all_config) + def _check_config(self, config, item, all_config, all_io_objects): + common_check_config(self, config, item, all_config, all_io_objects) + + if self.name in all_io_objects"policies": + raise FirewallError(errors.NAME_CONFLICT, "Zone '{}': Can't have the same name as a policy.".format(self.name)) if item == "target": if config not in ZONE_TARGETS: - raise FirewallError(errors.INVALID_TARGET, config) + raise FirewallError(errors.INVALID_TARGET, "Zone '{}': invalid target '{}'".format( + self.name, config)) elif item == "interfaces": for interface in config: if not checkInterface(interface): - raise FirewallError(errors.INVALID_INTERFACE, interface) - if self.fw_config: - for zone in self.fw_config.get_zones(): - if zone == self.name: - continue - if interface in self.fw_config.get_zone(zone).interfaces: - raise FirewallError(errors.INVALID_INTERFACE, - "interface '{}' already bound to zone '{}'".format(interface, zone)) + raise FirewallError(errors.INVALID_INTERFACE, "Zone '{}': invalid interface '{}'".format( + self.name, interface)) + for zone in all_io_objects"zones": + if zone == self.name: + continue + if interface in all_io_objects"zones"zone.interfaces: + raise FirewallError(errors.INVALID_INTERFACE, + "Zone '{}': interface '{}' already bound to zone '{}'".format( + self.name, interface, zone)) elif item == "sources": for source in config: if not checkIPnMask(source) and not checkIP6nMask(source) and \ not check_mac(source) and not source.startswith("ipset:"): - raise FirewallError(errors.INVALID_ADDR, source) - if self.fw_config: - for zone in self.fw_config.get_zones(): - if zone == self.name: - continue - if source in self.fw_config.get_zone(zone).sources: - raise FirewallError(errors.INVALID_ADDR, - "source '{}' already bound to zone '{}'".format(source, zone)) + raise 
FirewallError(errors.INVALID_ADDR, "Zone '{}': invalid source '{}'".format( + self.name, source)) + for zone in all_io_objects"zones": + if zone == self.name: + continue + if source in all_io_objects"zones"zone.sources: + raise FirewallError(errors.INVALID_ADDR, + "Zone '{}': source '{}' already bound to zone '{}'".format( + self.name, source, zone)) def check_name(self, name): super(Zone, self).check_name(name) if name.startswith('/'): raise FirewallError(errors.INVALID_NAME, - "'%s' can't start with '/'" % name) + "Zone '{}': name can't start with '/'".format(name)) elif name.endswith('/'): raise FirewallError(errors.INVALID_NAME, - "'%s' can't end with '/'" % name) + "Zone '{}': name can't end with '/'".format(name)) elif name.count('/') > 1: raise FirewallError(errors.INVALID_NAME, - "more than one '/' in '%s'" % name) + "Zone '{}': name has more than one '/'".format(name)) else: if "/" in name: checked_name = name:name.find('/') @@ -213,13 +219,8 @@ checked_name = name if len(checked_name) > max_zone_name_len(): raise FirewallError(errors.INVALID_NAME, - "Zone of '%s' has %d chars, max is %d %s" % ( - name, len(checked_name), - max_zone_name_len(), - self.combined)) - if self.fw_config: - if checked_name in self.fw_config.get_policy_objects(): - raise FirewallError(errors.NAME_CONFLICT, "Zones can't have the same name as a policy.") + "Zone '{}': name has {} chars, max is {}".format( + name, len(checked_name), max_zone_name_len())) def combine(self, zone): self.combined = True
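Review bot: the policy name-conflict check moved in the `@@ -164,48 +164,54 @@` hunk from `check_name` into `_check_config`, where it now runs once per configuration item rather than once per object, and it compares `self.name` instead of `checked_name` (the part of the name before `/` that the removed code in `@@ -213,13 +219,8 @@` used), so a combined zone name containing `/` is no longer checked against policies the same way; please confirm that is intended, and consider hoisting the check out of the per-item path. Like service.py, this file indexes `all_io_objects["policies"]` and `all_io_objects["zones"]` without a membership guard while policy.py guards its keys, so the base-class `{}` default will produce `KeyError` here.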
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/ipXtables.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/ipXtables.py
Changed
@@ -28,7 +28,7 @@ check_single_address, check_address, normalizeIP6 from firewall import config from firewall.errors import FirewallError, INVALID_PASSTHROUGH, INVALID_RULE, UNKNOWN_ERROR, INVALID_ADDR -from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \ +from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, Rich_NFLog, \ Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock, Rich_Tcp_Mss_Clamp from firewall.core.base import DEFAULT_ZONE_TARGET import string @@ -676,7 +676,13 @@ default_rules"nat".append("-A %s -j %s_direct" % (chain, chain)) self.our_chains"nat".add("%s_direct" % chain) - if chain in "PREROUTING", "POSTROUTING" : + if chain in "OUTPUT": + # nat, output does not have zone dispatch + for dispatch_suffix in "POLICIES_pre", "POLICIES_post": + default_rules"nat".append("-N %s_%s" % (chain, dispatch_suffix)) + self.our_chains"nat".update(set("%s_%s" % (chain, dispatch_suffix))) + default_rules"nat".append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix)) + else: for dispatch_suffix in "POLICIES_pre", "ZONES", "POLICIES_post": default_rules"nat".append("-N %s_%s" % (chain, dispatch_suffix)) self.our_chains"nat".update(set("%s_%s" % (chain, dispatch_suffix))) @@ -686,6 +692,9 @@ default_rules"filter" = self.our_chains"filter" = set() default_rules"filter".append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT") + if log_denied != "off": + default_rules"filter".append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") + default_rules"filter".append("-A INPUT -m conntrack --ctstate INVALID -j DROP") default_rules"filter".append("-A INPUT -i lo -j ACCEPT") default_rules"filter".append("-N INPUT_direct") default_rules"filter".append("-A INPUT -j INPUT_direct") 
@@ -696,13 +705,13 @@ for dispatch_suffix in "ZONES": default_rules"filter".append("-A INPUT -j INPUT_%s" % (dispatch_suffix)) if log_denied != "off": - default_rules"filter".append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") - default_rules"filter".append("-A INPUT -m conntrack --ctstate INVALID -j DROP") - if log_denied != "off": default_rules"filter".append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '") default_rules"filter".append("-A INPUT -j %%REJECT%%") default_rules"filter".append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT") + if log_denied != "off": + default_rules"filter".append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") + default_rules"filter".append("-A FORWARD -m conntrack --ctstate INVALID -j DROP") default_rules"filter".append("-A FORWARD -i lo -j ACCEPT") default_rules"filter".append("-N FORWARD_direct") default_rules"filter".append("-A FORWARD -j FORWARD_direct") @@ -718,9 +727,6 @@ default_rules"filter".append("-N FORWARD_%s" % (dispatch_suffix)) self.our_chains"filter".update(set("FORWARD_%s" % (dispatch_suffix))) if log_denied != "off": - default_rules"filter".append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") - default_rules"filter".append("-A FORWARD -m conntrack --ctstate INVALID -j DROP") - if log_denied != "off": default_rules"filter".append("-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '") default_rules"filter".append("-A FORWARD -j %%REJECT%%") 
@@ -951,11 +957,11 @@ if target in DEFAULT_ZONE_TARGET, "REJECT", "%%REJECT%%" : rules.append( add_del_rule, _policy, "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", - "\"%s_REJECT: \"" % _policy ) + "%s_REJECT: " % _policy ) if target == "DROP": rules.append( add_del_rule, _policy, "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", - "\"%s_DROP: \"" % _policy ) + "%s_DROP: " % _policy ) if table == "filter" and \ target in DEFAULT_ZONE_TARGET, "ACCEPT", "REJECT", "%%REJECT%%", "DROP" : @@ -1024,11 +1030,20 @@ chain_suffix = self._rich_rule_chain_suffix_from_log(rich_rule) rule = "-t", table, add_del, "%s_%s" % (_policy, chain_suffix) rule += self._rich_rule_priority_fragment(rich_rule) - rule += rule_fragment + "-j", "LOG" - if rich_rule.log.prefix: - rule += "--log-prefix", "'%s'" % rich_rule.log.prefix - if rich_rule.log.level: - rule += "--log-level", "%s" % rich_rule.log.level + if type(rich_rule.log) == Rich_NFLog: + rule += rule_fragment + "-j", "NFLOG" + if rich_rule.log.group: + rule += "--nflog-group", rich_rule.log.group + if rich_rule.log.prefix: + rule += "--nflog-prefix", "%s" % rich_rule.log.prefix + if rich_rule.log.threshold: + rule += "--nflog-threshold", rich_rule.log.threshold + else: + rule += rule_fragment + "-j", "LOG" + if rich_rule.log.prefix: + rule += "--log-prefix", "%s" % rich_rule.log.prefix + if rich_rule.log.level: + rule += "--log-level", "%s" % rich_rule.log.level rule += self._rule_limit(rich_rule.log.limit) return rule @@ -1384,7 +1399,7 @@ rules.append( add_del, final_chain, "-t", table + rule_fragment + "%%LOGTYPE%%", "-j", "LOG", - "--log-prefix", "\"%s_ICMP_BLOCK: \"" % policy ) + "--log-prefix", "%s_ICMP_BLOCK: " % policy ) rules.append( add_del, final_chain, "-t", table + rule_fragment + "-j", final_target ) 
@@ -1410,7 +1425,7 @@ rule = rule + "-t", table, "-p", "%%ICMP%%", "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", - "\"%s_ICMP_BLOCK: \"" % _policy + "%s_ICMP_BLOCK: " % _policy rules.append(rule) rule_idx += 1 else: @@ -1468,16 +1483,16 @@ def build_rfc3964_ipv4_rules(self): daddr_list = - "::0.0.0.0/96", # IPv4 compatible - "::ffff:0.0.0.0/96", # IPv4 mapped - "2002:0000::/24", # 0.0.0.0/8 (the system has no address assigned yet) - "2002:0a00::/24", # 10.0.0.0/8 (private) - "2002:7f00::/24", # 127.0.0.0/8 (loopback) - "2002:ac10::/28", # 172.16.0.0/12 (private) - "2002:c0a8::/32", # 192.168.0.0/16 (private) - "2002:a9fe::/32", # 169.254.0.0/16 (IANA Assigned DHCP link-local) - "2002:e000::/19", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast) - + "::0.0.0.0/96", # IPv4 compatible + "::ffff:0.0.0.0/96", # IPv4 mapped + "2002:0000::/24", # 0.0.0.0/8 (the system has no address assigned yet) + "2002:0a00::/24", # 10.0.0.0/8 (private) + "2002:7f00::/24", # 127.0.0.0/8 (loopback) + "2002:ac10::/28", # 172.16.0.0/12 (private) + "2002:c0a8::/32", # 192.168.0.0/16 (private) + "2002:a9fe::/32", # 169.254.0.0/16 (IANA Assigned DHCP link-local) + "2002:e000::/19", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast) + chain_name = "RFC3964_IPv4" self.our_chains"filter".add(chain_name) @@ -1491,11 +1506,12 @@ if self._fw._log_denied in "unicast", "all": rules.append("-t", "filter", "-I", chain_name, "-d", daddr, "-j", "LOG", - "--log-prefix", "\"RFC3964_IPv4_REJECT: \"") + "--log-prefix", "RFC3964_IPv4_REJECT: ") # Inject into FORWARD and OUTPUT chains rules.append("-t", "filter", "-I", "OUTPUT", "4", "-j", chain_name) - rules.append("-t", "filter", "-I", "FORWARD", "4", + rules.append("-t", "filter", "-I", "FORWARD", + "6" if self._fw.get_log_denied() != "off" else "5", "-j", chain_name) return rules
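Review bot: the FORWARD insert position `"6" if self._fw.get_log_denied() != "off" else "5"` in the `@@ -1491,11 +1506,12 @@` hunk is a hard-coded offset that is coupled to the rules the `@@ -686,6 +692,9 @@` and `@@ -696,13 +705,13 @@` hunks now prepend to FORWARD (the RELATED,ESTABLISHED accept, the two STATE_INVALID rules when logging is on, the `-i lo` accept and the `FORWARD_direct` jump); either derive the index from that list or add a comment spelling out which rules it counts past, since the OUTPUT insert stays at `"4"` and nothing ties the two together. The same function reads the setting as `self._fw._log_denied` two lines earlier and as `self._fw.get_log_denied()` here; use one accessor.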
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/ipset.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/ipset.py
Changed
@@ -309,9 +309,78 @@ if len(entry.split(",")) > 1: return + try: + entry_network = ipaddress.ip_network(entry, strict=False) + except ValueError: + # could not parse the new IP address, maybe a MAC + return + for itr in entries: - try: - if ipaddress.ip_network(itr, strict=False).overlaps(ipaddress.ip_network(entry, strict=False)): - raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(itr, entry)) - except ValueError: - pass + if entry_network.overlaps(ipaddress.ip_network(itr, strict=False)): + raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps with existing entry '{}'".format(entry, itr)) + +def check_for_overlapping_entries(entries): + """ Check if any entry overlaps any entry in the list of entries """ + try: + entries = ipaddress.ip_network(x, strict=False) for x in entries + except ValueError: + # at least one entry can not be parsed + return + + if len(entries) == 0: + return + + # We can take advantage of some facts of IPv4Network/IPv6Network and + # how Python sorts the networks to quickly detect overlaps. + # + # Facts: + # + # 1. IPv{4,6}Network are normalized to remove host bits, e.g. + # 10.1.1.0/16 will become 10.1.0.0/16. + # + # 2. IPv{4,6}Network objects are sorted by: + # a. IP address (network bits) + # then + # b. netmask (significant bits count) + # + # Because of the above we have these properties: + # + # 1. big networks (netA) are sorted before smaller networks (netB) + # that overlap the big network (netA) + # - e.g. 10.1.128.0/17 (netA) sorts before 10.1.129.0/24 (netB) + # 2. same value addresses (network bits) are grouped together even + # if the number of network bits vary. e.g. /16 vs /24 + # - recall that address are normalized to remove host bits + # - e.g. 10.1.128.0/17 (netA) sorts before 10.1.128.0/24 (netC) + # 3. non-overlapping networks (netD, netE) are always sorted before or + # after networks that overlap (netB, netC) the current one (netA) + # - e.g. 
10.1.128.0/17 (netA) sorts before 10.2.128.0/16 (netD) + # - e.g. 10.1.128.0/17 (netA) sorts after 9.1.128.0/17 (netE) + # - e.g. 9.1.128.0/17 (netE) sorts before 10.1.129.0/24 (netB) + # + # With this we know the sorted list looks like: + # + # list: netE, netA, netB, netC, netD + # + # netE = non-overlapping network + # netA = big network + # netB = smaller network that overlaps netA (subnet) + # netC = smaller network that overlaps netA (subnet) + # netD = non-overlapping network + # + # If networks netB and netC exist in the list, they overlap and are + # adjacent to netA. + # + # Checking for overlaps on a sorted list is thus: + # + # 1. compare adjacent elements in the list for overlaps + # + # Recall that we only need to detect a single overlap. We do not need to + # detect them all. + # + entries.sort() + prev_network = entries.pop(0) + for current_network in entries: + if prev_network.overlaps(current_network): + raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(prev_network, current_network)) + prev_network = current_network
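Review bot: `entries.sort()` in the new `check_for_overlapping_entries` raises `TypeError` if the parsed list mixes `IPv4Network` and `IPv6Network` objects, but the surrounding `try` only catches `ValueError` from `ipaddress.ip_network`; either catch `TypeError` as well or sort and compare per address family, matching the lenient "return on unparsable input" behaviour the function otherwise has. The adjacency argument in the comment block is sound for a single family: when netB is inside netA, any network sorting between them starts inside netA and so overlaps it, which is why checking neighbours suffices. Minor: the comprehension rebinds the `entries` parameter to a list of networks, so the error message now prints normalised networks rather than the strings the user supplied; mention that in the docstring or keep the originals alongside.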
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/logger.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/logger.py
Changed
@@ -589,7 +589,7 @@ del _logging_level continue if level != self.ALL: - raise ValueError("No mathing logging for " \ + raise ValueError("No matching logging for " \ "level %d, domain %s, target %s and format %s." % \ (_level, domain, target.__class__.__name__, fmt)) self._genDomains(is_debug)
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/modules.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/modules.py
Changed
@@ -40,17 +40,20 @@ """ get all loaded kernel modules and their dependencies """ mods = deps = { } - with open("/proc/modules", "r") as f: - for line in f: - if not line: - break - line = line.strip() - splits = line.split() - mods.append(splits0) - if splits3 != "-": - depssplits0 = splits3.split(","):-1 - else: - depssplits0 = + try: + with open("/proc/modules", "r") as f: + for line in f: + if not line: + break + line = line.strip() + splits = line.split() + mods.append(splits0) + if splits3 != "-": + depssplits0 = splits3.split(","):-1 + else: + depssplits0 = + except FileNotFoundError: + pass return mods, deps # loaded modules, {module:dependants}
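Review bot: the new `except FileNotFoundError: pass` around the `/proc/modules` read returns empty `mods` and `deps` silently, so a host where procfs is missing or masked (containers, restricted sandboxes) will look as if no modules are loaded with nothing in the log; emit at least a `log.debug1` in the handler. `PermissionError` from the same `open` is still unhandled and will propagate, which is probably right, but worth a comment so the asymmetry is deliberate.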
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/nftables.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/nftables.py
Changed
@@ -30,7 +30,7 @@ INVALID_PORT from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \ Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock, \ - Rich_Tcp_Mss_Clamp + Rich_Tcp_Mss_Clamp, Rich_NFLog from firewall.core.base import DEFAULT_ZONE_TARGET from nftables.nftables import Nftables @@ -56,21 +56,21 @@ # "FORWARD": ("forward", 50 + NFT_HOOK_OFFSET), #}, "raw": { - # "PREROUTING": ("prerouting", -300 + NFT_HOOK_OFFSET), - # "OUTPUT": ("output", -300 + NFT_HOOK_OFFSET), + # "PREROUTING": ("prerouting", -300 + NFT_HOOK_OFFSET), + # "OUTPUT": ("output", -300 + NFT_HOOK_OFFSET), }, "mangle": { "PREROUTING": ("prerouting", -150 + NFT_HOOK_OFFSET), - # "POSTROUTING": ("postrouting", -150 + NFT_HOOK_OFFSET), - # "INPUT": ("input", -150 + NFT_HOOK_OFFSET), - # "OUTPUT": ("output", -150 + NFT_HOOK_OFFSET), - # "FORWARD": ("forward", -150 + NFT_HOOK_OFFSET), + # "POSTROUTING": ("postrouting", -150 + NFT_HOOK_OFFSET), + # "INPUT": ("input", -150 + NFT_HOOK_OFFSET), + # "OUTPUT": ("output", -150 + NFT_HOOK_OFFSET), + # "FORWARD": ("forward", -150 + NFT_HOOK_OFFSET), }, "nat": { "PREROUTING": ("prerouting", -100 + NFT_HOOK_OFFSET), "POSTROUTING": ("postrouting", 100 + NFT_HOOK_OFFSET), - # "INPUT": ("input", 100 + NFT_HOOK_OFFSET), - # "OUTPUT": ("output", -100 + NFT_HOOK_OFFSET), + # "INPUT": ("input", 100 + NFT_HOOK_OFFSET), + "OUTPUT": ("output", -100 + NFT_HOOK_OFFSET), }, "filter": { "PREROUTING": ("prerouting", 0 + NFT_HOOK_OFFSET), 
@@ -526,15 +526,26 @@ "hook": "%s" % IPTABLES_TO_NFT_HOOK"nat"chain0, "prio": IPTABLES_TO_NFT_HOOK"nat"chain1}}}) - for dispatch_suffix in "POLICIES_pre", "ZONES", "POLICIES_post": - default_rules.append({"add": {"chain": {"family": "inet", - "table": TABLE_NAME, - "name": "nat_%s_%s" % (chain, dispatch_suffix)}}}) - for dispatch_suffix in "ZONES": - default_rules.append({"add": {"rule": {"family": "inet", - "table": TABLE_NAME, - "chain": "nat_%s" % chain, - "expr": {"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}}}}) + if chain in "OUTPUT": + # nat, output does not have zone dispatch + for dispatch_suffix in "POLICIES_pre", "POLICIES_post": + default_rules.append({"add": {"chain": {"family": "inet", + "table": TABLE_NAME, + "name": "nat_%s_%s" % (chain, dispatch_suffix)}}}) + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "nat_%s" % chain, + "expr": {"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}}}}) + else: + for dispatch_suffix in "POLICIES_pre", "ZONES", "POLICIES_post": + default_rules.append({"add": {"chain": {"family": "inet", + "table": TABLE_NAME, + "name": "nat_%s_%s" % (chain, dispatch_suffix)}}}) + for dispatch_suffix in "ZONES": + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "nat_%s" % chain, + "expr": {"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}}}}) for chain in IPTABLES_TO_NFT_HOOK"filter".keys(): default_rules.append({"add": {"chain": {"family": "inet", 
@@ -559,22 +570,6 @@ "op": "in", "right": "dnat"}}, {"accept": None}}}}) - default_rules.append({"add": {"rule": {"family": "inet", - "table": TABLE_NAME, - "chain": "filter_%s" % "INPUT", - "expr": {"match": {"left": {"meta": {"key": "iifname"}}, - "op": "==", - "right": "lo"}}, - {"accept": None}}}}) - for dispatch_suffix in "POLICIES_pre", "ZONES", "POLICIES_post": - default_rules.append({"add": {"chain": {"family": "inet", - "table": TABLE_NAME, - "name": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}}) - for dispatch_suffix in "ZONES": - default_rules.append({"add": {"rule": {"family": "inet", - "table": TABLE_NAME, - "chain": "filter_%s" % "INPUT", - "expr": {"jump": {"target": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}}}}) if log_denied != "off": default_rules.append({"add": {"rule": {"family": "inet", "table": TABLE_NAME, @@ -591,6 +586,22 @@ "op": "in", "right": {"set": "invalid"}}}, {"drop": None}}}}) + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "filter_%s" % "INPUT", + "expr": {"match": {"left": {"meta": {"key": "iifname"}}, + "op": "==", + "right": "lo"}}, + {"accept": None}}}}) + for dispatch_suffix in "POLICIES_pre", "ZONES", "POLICIES_post": + default_rules.append({"add": {"chain": {"family": "inet", + "table": TABLE_NAME, + "name": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}}) + for dispatch_suffix in "ZONES": + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "filter_%s" % "INPUT", + "expr": {"jump": {"target": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}}}}) if log_denied != "off": default_rules.append({"add": {"rule": {"family": "inet", "table": TABLE_NAME, 
@@ -617,6 +628,22 @@ "op": "in", "right": "dnat"}}, {"accept": None}}}}) + if log_denied != "off": + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "filter_%s" % "FORWARD", + "expr": {"match": {"left": {"ct": {"key": "state"}}, + "op": "in", + "right": {"set": "invalid"}}}, + self._pkttype_match_fragment(log_denied), + {"log": {"prefix": "STATE_INVALID_DROP: "}}}}}) + default_rules.append({"add": {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": "filter_%s" % "FORWARD", + "expr": {"match": {"left": {"ct": {"key": "state"}}, + "op": "in", + "right": {"set": "invalid"}}}, + {"drop": None}}}}) default_rules.append({"add": {"rule": {"family": "inet", "table": TABLE_NAME, "chain": "filter_%s" % "FORWARD", @@ -644,22 +671,6 @@ default_rules.append({"add": {"rule": {"family": "inet", "table": TABLE_NAME, "chain": "filter_%s" % "FORWARD", - "expr": {"match": {"left": {"ct": {"key": "state"}}, - "op": "in", - "right": {"set": "invalid"}}}, - self._pkttype_match_fragment(log_denied), - {"log": {"prefix": "STATE_INVALID_DROP: "}}}}}) - default_rules.append({"add": {"rule": {"family": "inet", - "table": TABLE_NAME, - "chain": "filter_%s" % "FORWARD", - "expr": {"match": {"left": {"ct": {"key": "state"}}, - "op": "in", - "right": {"set": "invalid"}}}, - {"drop": None}}}}) - if log_denied != "off": - default_rules.append({"add": {"rule": {"family": "inet", - "table": TABLE_NAME, - "chain": "filter_%s" % "FORWARD", "expr": self._pkttype_match_fragment(log_denied), {"log": {"prefix": "FINAL_REJECT: "}}}}}) default_rules.append({"add": {"rule": {"family": "inet", 
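Review bot: the `default_rules.append(` left as context at the top of the second hunk now opens the `FINAL_REJECT:` rule, because the explicit `if log_denied != "off":` that preceded the old `FINAL_REJECT:` rule is removed; confirm the guard above that context (not visible here) is the `if log_denied != "off":` that the old `STATE_INVALID_DROP:` rule sat under, otherwise the final-reject log becomes unconditional. The new `filter_FORWARD` block is identical to the `filter_INPUT` one apart from the chain name; a helper taking the chain name keeps the two from drifting.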
@@ -722,14 +733,37 @@ ingress_fragments = egress_fragments = - if ingress_interfaces: + ingress_interfaces_without_wildcards = + egress_interfaces_without_wildcards = + + # wildcard interfaces must be handled individually because the nftables + # backend does not allow them inside of an anonymous set + for ingress_interface in ingress_interfaces: + if ingress_interfacelen(ingress_interface)-1 == "+": + ingress_fragments.append({"match": {"left": {"meta": {"key": "iifname"}}, + "op": "==", + "right": ingress_interface:len(ingress_interface)-1 + "*"}}) + else: + ingress_interfaces_without_wildcards.append(ingress_interface) + + for egress_interface in egress_interfaces: + if egress_interfacelen(egress_interface)-1 == "+": + egress_fragments.append({"match": {"left": {"meta": {"key": "oifname"}}, + "op": "==", + "right": egress_interface:len(egress_interface)-1 + "*"}}) + else: + egress_interfaces_without_wildcards.append(egress_interface) + + if ingress_interfaces_without_wildcards: ingress_fragments.append({"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", - "right": {"set": list(ingress_interfaces)}}}) - if egress_interfaces: + "right": {"set": ingress_interfaces_without_wildcards}}}) +
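Review bot: the ingress and egress loops are identical apart from `iifname`/`oifname` and the lists they append to; a helper taking `(interfaces, meta_key)` and returning `(fragments, without_wildcards)` halves the block. The trailing-`+` test and the slice read better as `interface[-1] == "+"` and `interface[:-1]` than as index arithmetic on `len(interface)-1`. Each wildcard becomes a separate match fragment while plain names share one anonymous set, so confirm in the consumer of `ingress_fragments`/`egress_fragments` that separate fragments are expanded into alternative rules rather than combined into one rule, and extend the comment to say so.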

_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/rich.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/rich.py
Changed
@@ -22,9 +22,9 @@ __all__ = "Rich_Source", "Rich_Destination", "Rich_Service", "Rich_Port", "Rich_Protocol", "Rich_Masquerade", "Rich_IcmpBlock", "Rich_IcmpType", - "Rich_SourcePort", "Rich_ForwardPort", "Rich_Log", "Rich_Audit", + "Rich_SourcePort", "Rich_ForwardPort", "Rich_Log", "Rich_NFLog", "Rich_Accept", "Rich_Reject", "Rich_Drop", "Rich_Mark", - "Rich_Limit", "Rich_Rule", "Rich_Tcp_Mss_Clamp" + "Rich_Audit", "Rich_Limit", "Rich_Rule", "Rich_Tcp_Mss_Clamp" from firewall import functions from firewall.core.ipset import check_ipset_name 
@@ -171,6 +171,45 @@ ' level="%s"' % (self.level) if self.level else "", " %s" % self.limit if self.limit else "") + def check(self): + if self.prefix and len(self.prefix) > 127: + raise FirewallError(errors.INVALID_LOG_PREFIX, "maximum accepted length of 'prefix' is 127.") + + if self.level and \ + self.level not in "emerg", "alert", "crit", "error", + "warning", "notice", "info", "debug" : + raise FirewallError(errors.INVALID_LOG_LEVEL, self.level) + + if self.limit is not None: + self.limit.check() + +class Rich_NFLog(object): + def __init__(self, group=None, prefix=None, queue_size=None, limit=None): + self.group = group + self.prefix = prefix + self.threshold = queue_size + self.limit = limit + + def __str__(self): + return 'nflog%s%s%s%s' % \ + (' group="%s"' % (self.group) if self.group else "", + ' prefix="%s"' % (self.prefix) if self.prefix else "", + ' queue-size="%s"' % (self.threshold) if self.threshold else "", + " %s" % self.limit if self.limit else "") + + def check(self): + if self.group and not functions.checkUINT16(self.group): + raise FirewallError(errors.INVALID_NFLOG_GROUP, "nflog 'group' must be an integer between 0 and 65535.") + + if self.prefix and len(self.prefix) > 127: + raise FirewallError(errors.INVALID_LOG_PREFIX, "maximum accepted length of 'prefix' is 127.") + + if self.threshold and not functions.checkUINT16(self.threshold): + raise FirewallError(errors.INVALID_NFLOG_QUEUE, "nflog 'queue-size' must be an integer between 0 and 65535.") + + if self.limit is not None: + self.limit.check() + class Rich_Audit(object): def __init__(self, limit=None): #TODO check default level in iptables 
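Review bot: `Rich_NFLog.__init__` takes `queue_size` but stores it as `self.threshold`, while `__str__` and `check()` present it as `queue-size`; naming the attribute `self.queue_size` avoids a third name for one value. `check()` validates `group` and `queue-size` through `functions.checkUINT16`, which (see the functions.py hunk in this change) calls `int(val, 0)` and catches only `ValueError`, so an integer argument would raise `TypeError`; either document that these attributes are always strings or guard with `isinstance`. The 127-character `prefix` check and its error text are now duplicated between `Rich_Log.check` and `Rich_NFLog.check`; one shared helper keeps the limit in one place.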
@@ -356,13 +395,13 @@ if attr_name not in 'priority', 'family', 'address', 'mac', 'ipset', 'invert', 'value', 'port', 'protocol', 'to-port', 'to-addr', - 'name', 'prefix', 'level', 'type', + 'name', 'group', 'prefix', 'level', 'queue-size', 'type', 'set': raise FirewallError(errors.INVALID_RULE, "bad attribute '%s'" % attr_name) else: # element if element in 'rule', 'source', 'destination', 'protocol', 'service', 'port', 'icmp-block', 'icmp-type', 'masquerade', - 'forward-port', 'source-port', 'log', 'audit', + 'forward-port', 'source-port', 'log', 'nflog', 'audit', 'accept', 'drop', 'reject', 'mark', 'limit', 'not', 'NOT', 'EOL', 'tcp-mss-clamp': if element == 'source' and self.source: raise FirewallError(errors.INVALID_RULE, "more than one 'source' element") @@ -373,8 +412,8 @@ 'masquerade', 'forward-port', 'source-port' and self.element: raise FirewallError(errors.INVALID_RULE, "more than one element. There cannot be both '%s' and '%s' in one rule." % (element, self.element)) - elif element == 'log' and self.log: - raise FirewallError(errors.INVALID_RULE, "more than one 'log' element") + elif element in 'log', 'nflog' and self.log: + raise FirewallError(errors.INVALID_RULE, "more than one logging element") elif element == 'audit' and self.audit: raise FirewallError(errors.INVALID_RULE, "more than one 'audit' element") elif element in 'accept', 'drop', 'reject', 'mark' and self.action: @@ -505,6 +544,16 @@ in_elements.pop() # log attrs.clear() index = index -1 # return token to input + elif in_element == 'nflog': + if attr_name in 'group', 'prefix', 'queue-size': + attrsattr_name = attr_value + elif element == 'limit': + in_elements.append('limit') + else: + self.log = Rich_NFLog(attrs.get('group'), attrs.get('prefix'), attrs.get('queue-size'), attrs.get('limit')) + in_elements.pop() # nflog + attrs.clear() + index = index -1 # return token to input elif in_element == 'audit': if element == 'limit': in_elements.append('limit') 
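Review bot: in the `nflog` branch, an attribute other than `group`, `prefix` or `queue-size` (for example `level`, which the global attribute allowlist above now accepts for every element) falls through to the final `else`, which builds the `Rich_NFLog` and pushes the token back; confirm the re-parsed token then yields an `INVALID_RULE` error instead of being silently dropped, or add an explicit `else: raise FirewallError(errors.INVALID_RULE, ...)` on the attribute check. The `more than one logging element` message correctly relies on both `log` and `nflog` landing in `self.log`.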
@@ -711,18 +760,12 @@ # other element and not empty? elif self.element is not None: - raise FirewallError(errors.INVALID_RULE, "Unknown element %s" % + raise FirewallError(errors.INVALID_RULE, "Unknown element %s" % type(self.element)) # log if self.log is not None: - if self.log.level and \ - self.log.level not in "emerg", "alert", "crit", "error", - "warning", "notice", "info", "debug" : - raise FirewallError(errors.INVALID_LOG_LEVEL, self.log.level) - - if self.log.limit is not None: - self.log.limit.check() + self.log.check() # audit if self.audit is not None:
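Review bot: delegating to `self.log.check()` is cleaner, but note it now also applies the new 127-character `prefix` limit from `Rich_Log.check` to ordinary `log` elements, so existing rules with a longer prefix that load today will start to fail; that deserves a changelog line. The `Unknown element %s` change is whitespace only.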
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/core/watcher.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/core/watcher.py
Changed
@@ -45,7 +45,7 @@ def get_watches(self): return self._monitors.keys() - + def has_watch(self, filename): return filename in self._monitors
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/dbus_utils.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/dbus_utils.py
Changed
@@ -41,7 +41,7 @@ return cmd def pid_of_sender(bus, sender): - """ Get pid from sender string using + """ Get pid from sender string using org.freedesktop.DBus.GetConnectionUnixProcessID """ dbus_obj = bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus') @@ -54,7 +54,7 @@ return pid def uid_of_sender(bus, sender): - """ Get user id from sender string using + """ Get user id from sender string using org.freedesktop.DBus.GetConnectionUnixUser """ dbus_obj = bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus') @@ -76,7 +76,7 @@ return pws0 def context_of_sender(bus, sender): - """ Get SELinux context from sender string using + """ Get SELinux context from sender string using org.freedesktop.DBus.GetConnectionSELinuxSecurityContext """ dbus_obj = bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus')
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/errors.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/errors.py
Changed
@@ -89,6 +89,9 @@ INVALID_HELPER = 138 INVALID_PRIORITY = 139 INVALID_POLICY = 140 +INVALID_LOG_PREFIX = 141 +INVALID_NFLOG_GROUP = 142 +INVALID_NFLOG_QUEUE = 143 MISSING_TABLE = 200 MISSING_CHAIN = 201
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/functions.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/functions.py
Changed
@@ -21,13 +21,13 @@ __all__ = "getPortID", "getPortRange", "portStr", "getServiceName", "checkIP", "checkIP6", "checkIPnMask", "checkIP6nMask", - "checkProtocol", "checkInterface", "checkUINT32", + "checkProtocol", "checkInterface", "checkUINT16", "checkUINT32", "firewalld_is_active", "tempFile", "readfile", "writefile", "enable_ip_forwarding", "check_port", "check_address", "check_single_address", "check_mac", "uniqify", "ppid_of_pid", "max_zone_name_len", "checkUser", "checkUid", "checkCommand", "checkContext", "joinArgs", "splitArgs", - "max_policy_name_len", "checkTcpMssClamp", + "max_policy_name_len", "checkTcpMssClamp", "stripNonPrintableCharacters" import socket @@ -263,7 +263,7 @@ def checkIP(ip): """ Check IPv4 address. - + @param ip address string @return True if address is valid, else False """ @@ -284,7 +284,7 @@ def checkIP6(ip): """ Check IPv6 address. - + @param ip address string @return True if address is valid, else False """ @@ -387,6 +387,16 @@ # return False return True +def checkUINT16(val): + try: + x = int(val, 0) + except ValueError: + return False + else: + if x >= 0 and x <= 65535: + return True + return False + def checkUINT32(val): try: x = int(val, 0)
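Review bot: `stripNonPrintableCharacters` is added to `__all__` but no definition appears in this diff; confirm the function exists in functions.py, otherwise `from firewall.functions import *` raises `AttributeError`.

Review bot: in `checkUINT16`, `int(val, 0)` raises `TypeError` for a non-string argument and only `ValueError` is caught, so an `int` input propagates as an exception; `checkUINT32` below has the same shape, so either document that inputs are always strings or catch both. The body also shortens to `return 0 <= x <= 65535`.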
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/server/config.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/server/config.py
Changed
@@ -95,21 +95,22 @@ self.watcher.add_watch_file(config.FIREWALLD_DIRECT) self.watcher.add_watch_file(config.FIREWALLD_CONF) - dbus_introspection_prepare_properties(self, - config.dbus.DBUS_INTERFACE_CONFIG, - { "CleanupOnExit": "readwrite", - "CleanupModulesOnExit": "readwrite", - "IPv6_rpfilter": "readwrite", - "Lockdown": "readwrite", - "MinimalMark": "readwrite", - "IndividualCalls": "readwrite", - "LogDenied": "readwrite", - "AutomaticHelpers": "readwrite", - "FirewallBackend": "readwrite", - "FlushAllOnReload": "readwrite", - "RFC3964_IPv4": "readwrite", - "AllowZoneDrifting": "readwrite", - }) + dbus_introspection_prepare_properties(self, config.dbus.DBUS_INTERFACE_CONFIG, + { + "CleanupOnExit": "readwrite", + "CleanupModulesOnExit": "readwrite", + "IPv6_rpfilter": "readwrite", + "Lockdown": "readwrite", + "MinimalMark": "readwrite", + "IndividualCalls": "readwrite", + "LogDenied": "readwrite", + "AutomaticHelpers": "readwrite", + "FirewallBackend": "readwrite", + "FlushAllOnReload": "readwrite", + "RFC3964_IPv4": "readwrite", + "AllowZoneDrifting": "readwrite", + } + ) @handle_exceptions def _init_vars(self): @@ -527,6 +528,13 @@ @dbus_handle_exceptions def accessCheck(self, sender): + if self.config._fw._state == "FAILED": + raise FirewallError(errors.RUNNING_BUT_FAILED, + "Changing permanent configuration is not allowed while " + "firewalld is in FAILED state. The permanent " + "configuration must be fixed and then firewalld " + "restarted. Try `firewall-offline-cmd --check-config`.") + if self.config.lockdown_enabled(): if sender is None: log.error("Lockdown not possible, sender not set.") 
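Review bot: `accessCheck` reads `self.config._fw._state`, a private attribute two objects away; an accessor on the firewall object (or a `config` helper) keeps that state encapsulated. The same FAILED-state guard with the same message text is added to `copyRuntimeToPermanent` in firewalld.py in this change; one shared helper stops the two copies drifting. The `dbus_introspection_prepare_properties` hunk is indentation only and could be kept out of a functional change.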
@@ -805,7 +813,7 @@ def setLockdownWhitelist(self, settings, sender=None): # pylint: disable=W0613 log.debug1("config.policies.setLockdownWhitelist(...)") settings = dbus_to_python(settings) - self.config.get_policies().lockdown_whitelist.import_config(settings) + self.config.get_policies().lockdown_whitelist.import_config(settings, {}) self.config.get_policies().lockdown_whitelist.write() self.LockdownWhitelistUpdated() @@ -1417,7 +1425,7 @@ # returns list ipv, table, list of chains log.debug1("config.direct.update()") settings = dbus_to_python(settings) - self.config.get_direct().import_config(settings) + self.config.get_direct().import_config(settings, {}) self.config.get_direct().write() self.Updated()
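Review bot: `import_config(settings, {})` passes a bare `{}` positionally in both `setLockdownWhitelist` and `direct.update` with no hint of what the second parameter means; passing it by keyword (whatever its name is in `import_config`) documents the intent and survives a later reordering of parameters.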
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/server/config_ipset.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/server/config_ipset.py
Changed
@@ -27,7 +27,8 @@ dbus_introspection_add_properties from firewall.core.io.ipset import IPSet from firewall.core.ipset import IPSET_TYPES, normalize_ipset_entry, \ - check_entry_overlaps_existing + check_entry_overlaps_existing, \ + check_for_overlapping_entries from firewall.core.logger import log from firewall.server.dbus import DbusServiceObject from firewall.server.decorators import handle_exceptions, \ @@ -402,11 +403,8 @@ in_signature='as') @dbus_handle_exceptions def setEntries(self, entries, sender=None): - _entries = set() - for _entry in dbus_to_python(entries, list): - check_entry_overlaps_existing(_entry, _entries) - _entries.add(normalize_ipset_entry(_entry)) - entries = list(_entries) + entries = dbus_to_python(entries, list) + check_for_overlapping_entries(entries) log.debug1("%s.setEntries('%s')", self._log_prefix, ",".join(entries)) self.parent.accessCheck(sender)
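Review bot: the old `setEntries` body normalised each entry with `normalize_ipset_entry` and de-duplicated through a `set` before the overlap check; the new body only calls `check_for_overlapping_entries(entries)` and passes the raw list on, so unless that helper normalises and rejects duplicates itself, unnormalised or repeated entries now reach `self.obj`. `check_entry_overlaps_existing` stays imported although this hunk removes its only visible use; drop it if nothing else in the file needs it.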
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/server/config_service.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/server/config_service.py
Changed
@@ -685,7 +685,7 @@ log.debug1("%s.setIncludes('%s')", self._log_prefix, includes) self.parent.accessCheck(sender) settings = {"includes": includes:} - self.config.set_service_config_dict(self.obj, settings) + self.obj = self.config.set_service_config_dict(self.obj, settings) self.Updated(self.obj.name) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE, @@ -697,7 +697,7 @@ self.parent.accessCheck(sender) settings = self.config.get_service_config_dict(self.obj) settings.setdefault("includes", ).append(include) - self.config.set_service_config_dict(self.obj, settings) + self.obj = self.config.set_service_config_dict(self.obj, settings) self.Updated(self.obj.name) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE, @@ -709,7 +709,7 @@ self.parent.accessCheck(sender) settings = self.config.get_service_config_dict(self.obj) settings"includes".remove(include) - self.config.set_service_config_dict(self.obj, settings) + self.obj = self.config.set_service_config_dict(self.obj, settings) self.Updated(self.obj.name) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
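Review bot: capturing the return value with `self.obj = self.config.set_service_config_dict(self.obj, settings)` is the right fix if that call returns a new object, since the following `self.Updated(self.obj.name)` otherwise reads a stale one; check that the other `set_service_config_dict` callers in this file (outside these hunks) get the same treatment. In `addInclude`, the `setdefault(...).append(include)` mutates the dict returned by `get_service_config_dict`, which is only safe if that dict is a fresh copy.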
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewall/server/firewalld.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewall/server/firewalld.py
Changed
@@ -44,11 +44,11 @@ dbus_introspection_prepare_properties, \ dbus_introspection_add_properties, \ dbus_introspection_add_deprecated -from firewall.core.io.functions import check_config +from firewall.core.io.functions import check_on_disk_config from firewall.core.io.ipset import IPSet from firewall.core.io.icmptype import IcmpType from firewall.core.io.helper import Helper -from firewall.core.fw_nm import nm_get_bus_name, nm_get_connection_of_interface, \ +from firewall.core.fw_nm import nm_get_connection_of_interface, \ nm_set_zone_of_connection from firewall.core.fw_ifcfg import ifcfg_set_zone_of_interface from firewall import errors @@ -333,7 +333,7 @@ def completeReload(self, sender=None): # pylint: disable=W0613 """Completely reload the firewall. - Completely reload the firewall: Stops firewall, unloads modules and + Completely reload the firewall: Stops firewall, unloads modules and starts the firewall again. """ log.debug1("completeReload()") @@ -355,7 +355,7 @@ """Check permanent configuration """ log.debug1("checkPermanentConfig()") - check_config(self.fw) + check_on_disk_config(self.fw) # runtime to permanent @@ -368,6 +368,13 @@ """ log.debug1("copyRuntimeToPermanent()") + if self.fw._state == "FAILED": + raise FirewallError(errors.RUNNING_BUT_FAILED, + "Saving runtime to permanent is not allowed while " + "firewalld is in FAILED state. The permanent " + "configuration must be fixed and then firewalld " + "restarted. Try `firewall-offline-cmd --check-config`.") + error = False # Services or icmptypes can not be modified in runtime, but they can 
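Review bot: the new FAILED-state guard in `copyRuntimeToPermanent` duplicates the one added to `accessCheck` in config.py, message text included; one helper for both keeps the wording and the `firewall-offline-cmd --check-config` hint consistent. Dropping `nm_get_bus_name` from the import is only correct if nothing else in the module uses it; the rename to `check_on_disk_config` is a clearer name for what `checkPermanentConfig` does.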
@@ -443,30 +450,27 @@ # zones config_names = self.config.getZoneNames() - nm_bus_name = nm_get_bus_name() for name in self.fw.zone.get_zones(): conf = self.getZoneSettings2(name) settings = FirewallClientZoneSettings(conf) - if nm_bus_name is not None: - changed = False - for interface in settings.getInterfaces(): - if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name: - log.debug1("Zone '%s': interface binding for '%s' has been added by NM, ignoring." % (name, interface)) + changed = False + for interface in settings.getInterfaces(): + if interface in self.fw._nm_assigned_interfaces: + log.debug1("Zone '%s': interface binding for '%s' has been added by NM, ignoring." % (name, interface)) + settings.removeInterface(interface) + changed = True + # For the remaining interfaces, attempt to let NM manage them + for interface in settings.getInterfaces(): + try: + connection = nm_get_connection_of_interface(interface) + if connection and nm_set_zone_of_connection(name, connection): settings.removeInterface(interface) changed = True - # For the remaining interfaces, attempt to let NM manage them - for interface in settings.getInterfaces(): - try: - connection = nm_get_connection_of_interface(interface) - if connection and nm_set_zone_of_connection(name, connection): - settings.removeInterface(interface) - changed = True - except Exception: - pass - - if changed: - del conf - conf = settings.getSettingsDict() + except Exception: + pass + + if changed: + conf = settings.getSettingsDict() # For the remaining try to update the ifcfg files for interface in settings.getInterfaces(): ifcfg_set_zone_of_interface(name, interface) @@ -594,7 +598,7 @@ out_signature='b') @dbus_handle_exceptions def queryLockdown(self, sender=None): # pylint: disable=W0613 - """Retuns True if lockdown is enabled + """Returns True if lockdown is enabled """ log.debug1("policies.queryLockdown()") # no access check here 
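Review bot: `except Exception: pass` around `nm_get_connection_of_interface`/`nm_set_zone_of_connection` swallows every failure silently, so an interface NM failed to take over falls through to the ifcfg path with no trace; a `log.debug1` in the handler makes that fallback visible. Both `for interface in settings.getInterfaces():` loops call `settings.removeInterface(interface)` while iterating; if `getInterfaces()` returns the backing list rather than a copy, each removal skips the following element, so iterate over `list(settings.getInterfaces())`. Replacing the sender-versus-`nm_get_bus_name()` comparison with a membership test on `self.fw._nm_assigned_interfaces` is simpler but reads a private attribute; an accessor would be cleaner.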
@@ -866,7 +870,7 @@ @dbus_handle_exceptions def enablePanicMode(self, sender=None): """Enable panic mode. - + All ingoing and outgoing connections and packets will be blocked. """ log.debug1("enablePanicMode()") @@ -881,7 +885,7 @@ def disablePanicMode(self, sender=None): """Disable panic mode. - Enables normal mode: Allowed ingoing and outgoing connections + Enables normal mode: Allowed ingoing and outgoing connections will not be blocked anymore """ log.debug1("disablePanicMode()") @@ -938,7 +942,7 @@ zone = dbus_to_python(zone, str) log.debug1("setZoneSettings2(%s)", zone) self.accessCheck(sender) - self.fw.zone.set_config_with_settings_dict(zone, settings, sender) + self.fw.zone.set_config_with_settings_dict(zone, dbus_to_python(settings), sender) self.ZoneUpdated(zone, settings) @dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='sa{sv}') @@ -962,7 +966,7 @@ policy = dbus_to_python(policy, str) log.debug1("policy.setPolicySettings(%s)", policy) self.accessCheck(sender) - self.fw.policy.set_config_with_settings_dict(policy, settings, sender) + self.fw.policy.set_config_with_settings_dict(policy, dbus_to_python(settings), sender) self.PolicyUpdated(policy, settings) @dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICY, signature='sa{sv}') @@ -1894,7 +1898,7 @@ log.debug1("zone.addMasquerade('%s')" % (zone)) self.accessCheck(sender) _zone = self.fw.zone.add_masquerade(zone, timeout, sender) - + if timeout > 0: tag = GLib.timeout_add_seconds(timeout, self.disableTimedMasquerade, _zone) @@ -2137,7 +2141,7 @@ log.debug1("zone.addIcmpBlockInversion('%s')" % (zone)) self.accessCheck(sender) _zone = self.fw.zone.add_icmp_block_inversion(zone, sender) - + self.IcmpBlockInversionAdded(_zone) return _zone 
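Review bot: converting `settings` with `dbus_to_python` before `set_config_with_settings_dict` in `setZoneSettings2` and `setPolicySettings` is the right point to stop D-Bus container types leaking into the core; the `ZoneUpdated`/`PolicyUpdated` signals still emit the original D-Bus value, which matches their `sa{sv}` signature. The remaining hunks here are whitespace and the `Retuns`/`Returns` docstring fix.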
@@ -2210,7 +2214,7 @@ self.accessCheck(sender) self.fw.direct.remove_chain(ipv, table, chain) self.ChainRemoved(ipv, table, chain) - + @dbus_polkit_require_auth(config.dbus.PK_ACTION_DIRECT_INFO) @dbus_service_method_deprecated(config.dbus.DBUS_INTERFACE_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sss', @@ -2298,7 +2302,7 @@ self.accessCheck(sender) self.fw.direct.remove_rule(ipv, table, chain, priority, args) self.RuleRemoved(ipv, table, chain, priority, args) - + @dbus_polkit_require_auth(config.dbus.PK_ACTION_DIRECT) @dbus_service_method_deprecated(config.dbus.DBUS_INTERFACE_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sss', @@ -2638,4 +2642,3 @@ helper = dbus_to_python(helper, str) log.debug1("getHelperSettings(%s)", helper) return self.fw.helper.get_helper(helper).export_config() -
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewalld -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewalld
Changed
@@ -1,4 +1,4 @@ -#!/home/egarver/bin/python +#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. @@ -61,6 +61,12 @@ parser.add_argument('--default-config', help="""Path to firewalld default configuration""", metavar="path") + parser.add_argument('--log-target', + choices='mixed', 'syslog', 'file', 'console', + default='mixed', + help="""Log target. + mixed is a backward compatible mode logging to multiple targets. + The modes syslog, file or console log to one target only.""") parser.add_argument('--log-file', help="""Path to firewalld log file""", metavar="path") 
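Review bot: the shebang `#!/opt/hostedtoolcache/Python/3.7.14/x64/bin/python` is a build-host path baked into the generated `src/firewalld`; this file is produced from `firewalld.in` at configure time and should not ship with a fixed interpreter (the previous `/home/egarver/bin/python` had the same problem). Packaging should regenerate it, or the tarball should not carry it. The `--log-target` default here is the literal `'mixed'` while `firewalld.in` uses `@DEFAULT_LOG_TARGET@`, another sign this copy is a stale generated file.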
@@ -68,34 +74,68 @@ def setup_logging(args): # Set up logging capabilities - log.setDateFormat("%Y-%m-%d %H:%M:%S") - log.setFormat("%(date)s %(label)s%(message)s") - log.setInfoLogging("*", log.syslog, log.FATAL, log.ERROR, log.WARNING, - log.TRACEBACK , - fmt="%(label)s%(message)s") - log.setDebugLogLevel(log.NO_INFO) - log.setDebugLogLevel(log.NO_DEBUG) - - if args.debug: - log.setInfoLogLevel(log.INFO_MAX) - log.setDebugLogLevel(args.debug) - if args.nofork: - log.addInfoLogging("*", log.stdout) - log.addDebugLogging("*", log.stdout) - - log_file = FileLog(config.FIREWALLD_LOGFILE, "a") - try: - log_file.open() - except IOError as e: - log.error("Failed to open log file '%s': %s", config.FIREWALLD_LOGFILE, - str(e)) + if config.FIREWALLD_LOGTARGET == 'syslog': + log.setFormat("%(label)s%(message)s") + log.setInfoLogging("*", log.syslog) + if args.debug: + log.setDebugLogging("*", log.syslog) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + + elif config.FIREWALLD_LOGTARGET == 'file': + log.setDateFormat("%Y-%m-%d %H:%M:%S") + log.setFormat("%(date)s %(label)s%(message)s") + log_file = FileLog(config.FIREWALLD_LOGFILE, "a") + try: + log_file.open() + except IOError as e: + print("Failed to open log file '%s': %s", config.FIREWALLD_LOGFILE, + str(e)) + else: + log.setInfoLogging("*", log_file) + if args.debug: + log.setDebugLogging("*", log_file) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + + elif config.FIREWALLD_LOGTARGET == 'console': + log.setDateFormat("%Y-%m-%d %H:%M:%S") + log.setFormat("%(date)s %(label)s%(message)s") + log.setInfoLogging("*", log.stdout) + if args.debug: + log.setDebugLogging("*", log.stdout) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + else: - log.addInfoLogging("*", log_file, log.FATAL, log.ERROR, log.WARNING, - log.TRACEBACK ) - log.addDebugLogging("*", log_file) + log.setDateFormat("%Y-%m-%d %H:%M:%S") + log.setFormat("%(date)s %(label)s%(message)s") + 
log.setInfoLogging("*", log.syslog, log.FATAL, log.ERROR, log.WARNING, + log.TRACEBACK , + fmt="%(label)s%(message)s") + log.setDebugLogLevel(log.NO_INFO) + log.setDebugLogLevel(log.NO_DEBUG) + if args.debug: - log.addInfoLogging("*", log_file) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + if args.nofork: + log.addInfoLogging("*", log.stdout) + log.addDebugLogging("*", log.stdout) + + log_file = FileLog(config.FIREWALLD_LOGFILE, "a") + try: + log_file.open() + except IOError as e: + log.error("Failed to open log file '%s': %s", config.FIREWALLD_LOGFILE, + str(e)) + else: + log.addInfoLogging("*", log_file, log.FATAL, log.ERROR, log.WARNING, + log.TRACEBACK ) log.addDebugLogging("*", log_file) + if args.debug: + log.addInfoLogging("*", log_file) + log.addDebugLogging("*", log_file) def startup(args): try: @@ -197,6 +237,7 @@ # Process the command-line arguments args = parse_cmdline() + config.FIREWALLD_LOGTARGET = args.log_target if args.log_file: config.FIREWALLD_LOGFILE = args.log_file
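Review bot: in the `file` branch, `print("Failed to open log file '%s': %s", config.FIREWALLD_LOGFILE, str(e))` passes the format arguments as separate `print` arguments, so the literal `%s` is printed followed by the path and the error instead of an interpolated message; use `"..." % (config.FIREWALLD_LOGFILE, str(e))` and write it to `sys.stderr`. In that same branch no logging target is configured at all when the file cannot be opened, and the `print` goes to stdout, which is gone once the daemon forks, so the failure leaves no trace; keeping syslog configured before opening the file, as the `mixed` branch does, would preserve an error trail. The `setDateFormat`/`setFormat` pair repeated in the `file`, `console` and `mixed` branches can be hoisted above the `if`.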
_service:tar_scm:firewalld-1.0.2.tar.gz/src/firewalld.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/firewalld.in
Changed
@@ -61,6 +61,12 @@ parser.add_argument('--default-config', help="""Path to firewalld default configuration""", metavar="path") + parser.add_argument('--log-target', + choices='mixed', 'syslog', 'file', 'console', + default='@DEFAULT_LOG_TARGET@', + help="""Log target. + mixed is a backward compatible mode logging to multiple targets. + The modes syslog, file or console log to one target only.""") parser.add_argument('--log-file', help="""Path to firewalld log file""", metavar="path") 
@@ -68,34 +74,68 @@ def setup_logging(args): # Set up logging capabilities - log.setDateFormat("%Y-%m-%d %H:%M:%S") - log.setFormat("%(date)s %(label)s%(message)s") - log.setInfoLogging("*", log.syslog, log.FATAL, log.ERROR, log.WARNING, - log.TRACEBACK , - fmt="%(label)s%(message)s") - log.setDebugLogLevel(log.NO_INFO) - log.setDebugLogLevel(log.NO_DEBUG) - - if args.debug: - log.setInfoLogLevel(log.INFO_MAX) - log.setDebugLogLevel(args.debug) - if args.nofork: - log.addInfoLogging("*", log.stdout) - log.addDebugLogging("*", log.stdout) - - log_file = FileLog(config.FIREWALLD_LOGFILE, "a") - try: - log_file.open() - except IOError as e: - log.error("Failed to open log file '%s': %s", config.FIREWALLD_LOGFILE, - str(e)) + if config.FIREWALLD_LOGTARGET == 'syslog': + log.setFormat("%(label)s%(message)s") + log.setInfoLogging("*", log.syslog) + if args.debug: + log.setDebugLogging("*", log.syslog) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + + elif config.FIREWALLD_LOGTARGET == 'file': + log.setDateFormat("%Y-%m-%d %H:%M:%S") + log.setFormat("%(date)s %(label)s%(message)s") + log_file = FileLog(config.FIREWALLD_LOGFILE, "a") + try: + log_file.open() + except IOError as e: + print("Failed to open log file '%s': %s", config.FIREWALLD_LOGFILE, + str(e)) + else: + log.setInfoLogging("*", log_file) + if args.debug: + log.setDebugLogging("*", log_file) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + + elif config.FIREWALLD_LOGTARGET == 'console': + log.setDateFormat("%Y-%m-%d %H:%M:%S") + log.setFormat("%(date)s %(label)s%(message)s") + log.setInfoLogging("*", log.stdout) + if args.debug: + log.setDebugLogging("*", log.stdout) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + else: - log.addInfoLogging("*", log_file, log.FATAL, log.ERROR, log.WARNING, - log.TRACEBACK ) - log.addDebugLogging("*", log_file) + log.setDateFormat("%Y-%m-%d %H:%M:%S") + log.setFormat("%(date)s %(label)s%(message)s") + 
log.setInfoLogging("*", log.syslog, log.FATAL, log.ERROR, log.WARNING, + log.TRACEBACK , + fmt="%(label)s%(message)s") + log.setDebugLogLevel(log.NO_INFO) + log.setDebugLogLevel(log.NO_DEBUG) + if args.debug: - log.addInfoLogging("*", log_file) + log.setInfoLogLevel(log.INFO_MAX) + log.setDebugLogLevel(args.debug) + if args.nofork: + log.addInfoLogging("*", log.stdout) + log.addDebugLogging("*", log.stdout) + + log_file = FileLog(config.FIREWALLD_LOGFILE, "a") + try: + log_file.open() + except IOError as e: + log.error("Failed to open log file '%s': %s", config.FIREWALLD_LOGFILE, + str(e)) + else: + log.addInfoLogging("*", log_file, log.FATAL, log.ERROR, log.WARNING, + log.TRACEBACK ) log.addDebugLogging("*", log_file) + if args.debug: + log.addInfoLogging("*", log_file) + log.addDebugLogging("*", log_file) def startup(args): try: @@ -197,6 +237,7 @@ # Process the command-line arguments args = parse_cmdline() + config.FIREWALLD_LOGTARGET = args.log_target if args.log_file: config.FIREWALLD_LOGFILE = args.log_file
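Review bot: this is the same `setup_logging` rewrite as in the generated `src/firewalld` above, and the same `print("Failed to open log file '%s': %s", ...)` defect applies: the arguments are not interpolated, the message goes to stdout, which is lost after the fork, and the `file` branch is left with no logging target. Here the `--log-target` default is `'@DEFAULT_LOG_TARGET@'`, substituted at configure time (the `DEFAULT_LOG_TARGET` variable appears in the regenerated Makefile.in files), which is the correct source of truth compared to the hard-coded `'mixed'` in the generated copy.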
_service:tar_scm:firewalld-1.0.2.tar.gz/src/gtk3_chooserbutton.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/gtk3_chooserbutton.py
Changed
@@ -87,7 +87,7 @@ hbox = self.button.get_child() hbox.pack_start(self._icon, True, True, 0) hbox.reorder_child(self._icon, 0) - + self._icon.set_from_stock(name, size) def reset(self): @@ -137,9 +137,9 @@ class ToolChooserButton(object): - + def __init__(self, button, default_label=''): - + self.button = button self.default_label = default_label
_service:tar_scm:firewalld-1.0.2.tar.gz/src/icons/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/icons/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -158,16 +158,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -205,8 +203,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -354,6 +352,7 @@ cscope cscopelist: + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
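Review bot: the regenerated `Makefile.in` now says `generated by automake 1.16.1`, older than the 1.16.4 it replaces; the removed `CSCOPE`/`CTAGS`/`ETAGS` and `MSGMERGE_FOR_MSGFMT_OPTION` variables and the added `MSGFMT_015` reflect that tool downgrade, not a source change. Only the new `DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@` line is intentional, so the package build should run autoreconf itself rather than depend on whichever automake produced the upstream tarball.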
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/Makefile.am -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/Makefile.am
Changed
@@ -22,7 +22,7 @@ testsuitedir = $(pkgdatadir)/testsuite dist_testsuite_SCRIPTS = $(TESTSUITE) -dist_testsuite_DATA = README +dist_testsuite_DATA = README.md testsuite_integrationdir = $(pkgdatadir)/testsuite/integration dist_testsuite_integration_SCRIPTS = $(TESTSUITE_INTEGRATION)
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/Makefile.in -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2021 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -153,7 +153,7 @@ esac DATA = $(dist_testsuite_DATA) $(dist_testsuite_python_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/atlocal.in README +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/atlocal.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALL_LINGUAS = @ALL_LINGUAS@ @@ -164,16 +164,14 @@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ BASHCOMPLETIONDIR = @BASHCOMPLETIONDIR@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ +DEFAULT_LOG_TARGET = @DEFAULT_LOG_TARGET@ DEFS = @DEFS@ EBTABLES = @EBTABLES@ EBTABLES_RESTORE = @EBTABLES_RESTORE@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ -ETAGS = @ETAGS@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GETTEXT_PACKAGE = @GETTEXT_PACKAGE@ GLIB_COMPILE_SCHEMAS = @GLIB_COMPILE_SCHEMAS@ @@ -211,8 +209,8 @@ MKDIR_P = @MKDIR_P@ MODPROBE = @MODPROBE@ MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ MSGMERGE = @MSGMERGE@ -MSGMERGE_FOR_MSGFMT_OPTION = @MSGMERGE_FOR_MSGFMT_OPTION@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -318,7 +316,7 @@ DISTCLEANFILES = atconfig testsuitedir = $(pkgdatadir)/testsuite dist_testsuite_SCRIPTS = $(TESTSUITE) -dist_testsuite_DATA = README +dist_testsuite_DATA = README.md testsuite_integrationdir = $(pkgdatadir)/testsuite/integration dist_testsuite_integration_SCRIPTS = $(TESTSUITE_INTEGRATION) testsuite_pythondir = $(pkgdatadir)/testsuite/python 
@@ -478,6 +476,7 @@ cscope cscopelist: + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
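Review bot: in the first hunk the generated Makefile.in now comes from automake 1.16.1 where the 1.0.2 tarball used 1.16.4, so the 1.2.1 release tarball was regenerated on an older toolchain; that is harmless only if the build regenerates the autotools files (autoreconf) rather than trusting the shipped Makefile.in, otherwise the CSCOPE/CTAGS/ETAGS removals and the MSGFMT_015 / DEFAULT_LOG_TARGET substitutions are simply whatever that older automake emitted. The `README` to `README.md` change in both `am__DIST_COMMON` and `dist_testsuite_DATA` also renames the installed testsuite file, so the packaging file list has to be updated in the same change.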
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/README.md
Added
@@ -0,0 +1,43 @@ +# firewalld testsuite + +This is the firewalld testsuite. It consists of standalone autotest scripts +that can be run from any location. + +# Example usage +The tests can be run from any location. They generate output in the current +directory so it's suggested to run them from `/tmp`. Tests must be run as root. + +## Standard tests +The standard testsuite is run inside temporary network namespaces. As such +they're non-destructive to the host and may be run while firewalld is running +on the host. + +To run the tests serially: +```sh +cd /tmp +``` +```sh +/usr/share/firewalld/testsuite/testsuite +``` +To run the tests in parallel: +```sh +/usr/share/firewalld/testsuite/testsuite -j4 +``` +To run a test for a specific bug use a keyword: +```sh +/usr/share/firewalld/testsuite/testsuite -k rhbz1404076 +``` +```sh +/usr/share/firewalld/testsuite/testsuite -k gh366 +``` +## Integration tests +The integration tests are destructive and require that at least firewalld and +NetworkManager are _not_ running on the host. + +These tests _must_ be run serially: +```sh +cd /tmp +``` +```sh +/usr/share/firewalld/testsuite/integration/testsuite +``` \ No newline at end of file
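Review bot: the usage section tells the reader to run the tests as root from `/tmp` because they write output into the current directory; a root process creating files in a world-writable sticky directory invites symlink and pre-created-file tricks by other local users, so suggest `cd "$(mktemp -d)"` instead of `cd /tmp` for both the standard and the integration tests. Minor: the file has no trailing newline (`\ No newline at end of file`), and each `cd` plus testsuite invocation would read better as a single fenced block per procedure instead of two.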
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/cli/firewall-cmd.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/cli/firewall-cmd.at
Changed
@@ -3,8 +3,14 @@ ) FWD_START_TEST(basic options) - AT_KEYWORDS(panic reload) + AT_KEYWORDS(panic reload gh808) + + FWD_CHECK(, 2, ignore, dnl +State: running +No options specified +usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page +) FWD_CHECK(-h, 0, ignore) FWD_CHECK(--help, 0, ignore) FWD_CHECK(-V, 0, ignore) @@ -70,8 +76,8 @@ dnl verify zone name limits (currently 17) FWD_CHECK(-q --permanent --new-zone=123456789abcefghi) FWD_CHECK(-q --permanent --new-zone=123456789abcefghij, 116, ignore, ignore) -FWD_END_TEST(-e '/ERROR: INVALID_TARGET: BAD/d'dnl - -e '/ERROR: INVALID_NAME: Zone of/d') +FWD_END_TEST(-e '/ERROR: INVALID_TARGET: /d'dnl + -e '/ERROR: INVALID_NAME: /d') FWD_START_TEST(zone interfaces) AT_KEYWORDS(zone) 
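Review bot: the second hunk loosens the stderr filters in FWD_END_TEST from `/ERROR: INVALID_TARGET: BAD/d` and `/ERROR: INVALID_NAME: Zone of/d` to the bare `ERROR: INVALID_TARGET: ` / `ERROR: INVALID_NAME: ` prefixes, so any unexpected INVALID_TARGET or INVALID_NAME error in this group is now discarded instead of failing the test. Keep the specific match, or assert the exact message in the FWD_CHECK that provokes it (the 17-character zone-name limit case), so a regression in that check is still caught.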
@@ -1336,8 +1342,13 @@ rich_rule_test(rule protocol value="ah" reject) rich_rule_test(rule protocol value="esp" accept) rich_rule_test(rule protocol value="sctp" log) + rich_rule_test(rule protocol value="igmp" log) rich_rule_test(rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" accept) rich_rule_test(rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" drop) + rich_rule_test(rule family="ipv4" source address="192.168.0.0/24" service name="irc" nflog prefix="irc: " group=1000 queue-size=10 limit value="1/m" accept) + rich_rule_test(rule family="ipv4" source not address="192.168.0.0/24" service name="mysql" nflog prefix="mysql: " queue-size=100 limit value="2/m" drop) + rich_rule_test(rule family="ipv4" port port="2222" protocol="tcp" nflog prefix="port-2222: " queue-size=0 drop) + rich_rule_test(rule family="ipv4" port port="3333" protocol="udp" nflog prefix="port-3333: " queue-size=65535 accept) IF_HOST_SUPPORTS_IPV6_RULES( rich_rule_test(rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns -- " level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m") rich_rule_test(rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011: " level="info" limit value="4/m" drop) @@ -1566,9 +1577,9 @@ chain filter_INPUT { ct state established,related accept ct status dnat accept + ct state invalid drop iifname "lo" accept jump filter_INPUT_ZONES - ct state invalid drop reject with icmpx admin-prohibited } } 
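Review bot: the filter_INPUT hunk moves `ct state invalid drop` ahead of `iifname "lo" accept` and `jump filter_INPUT_ZONES`, which is a behaviour change and not only a test update: conntrack-INVALID packets are now dropped before loopback and before any zone, policy or direct rule can accept them, including on `lo`. That is the safer ordering, but it should be called out in the changelog and documentation, because a deployment that relied on a zone or direct rule to accept INVALID packets (asymmetric routing, unsynchronised conntrack) will start losing traffic after the update.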
@@ -1874,7 +1885,7 @@ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 ctstate NEW,UNTRACKED - LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "'DROPPED: '" + LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "DROPPED: " DROP all -- 0.0.0.0/0 0.0.0.0/0 ) IP6TABLES_LIST_RULES(filter, IN_public_pre, 0, dnl @@ -1894,7 +1905,7 @@ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ACCEPT tcp ::/0 ::/0 tcp dpt:443 ctstate NEW,UNTRACKED ACCEPT tcp ::/0 ::/0 tcp dpt:143 ctstate NEW,UNTRACKED - LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "'DROPPED: '" + LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "DROPPED: " DROP all ::/0 ::/0 ) FWD_CHECK(-q --runtime-to-permanent) 
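Review bot: both hunks change the expected iptables LOG prefix from `"'DROPPED: '"` to `"DROPPED: "`, i.e. the single quotes that previously ended up inside the kernel log prefix are gone. That is the right fix, but it changes the text written to the kernel log, so any syslog/SIEM detection rule matching the literal `'DROPPED: '` (quotes included) must be updated; suggest mentioning the log-line change in the changelog.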
@@ -1968,11 +1979,18 @@ rich_rule_test(rule family="ipv4" masquerade drop, 122) dnl masquerade & action rich_rule_test(rule family="ipv4" icmp-block name="redirect" accept, 122) dnl icmp-block & action rich_rule_test(rule forward-port port="2222" to-port="22" protocol="tcp" family="ipv4" accept, 122) dnl forward-port & action + rich_rule_test(rule service name="ssh" log prefix="RRClag4hrBx9XZXk+46c6QavQehyRGdy3tjs7gzc+xfSzsd2smjoQ2NCPami6zVyjHtPGziBuqSWT0KII7QbHkwjNMr9pzbcbPue9PMTb5zXlMPphDjeuDdC3QTCH9rGQHooa9LiDWr+DqNPkBs+vb8r50eb+yEQIyhQaiDrQ0sc" drop, 141) dnl bad log prefix length + rich_rule_test(rule protocol value="sctp" nflog group=-1 drop, 142) dnl bad nflog group + rich_rule_test(rule family="ipv4" service name="https" nflog queue-size=-1 drop, 143) dnl bad nflog queue-size + rich_rule_test(rule family="ipv6" service name="https" nflog queue-size=65536 drop, 143) dnl threshold too high for nflog queue-size m4_undefine(rich_rule_test) FWD_END_TEST(-e '/ERROR: INVALID_RULE:/d' dnl -e '/ERROR: INVALID_LOG_LEVEL: eror/d' dnl -e '/ERROR: MISSING_FAMILY/d' dnl - -e '/ERROR: INVALID_LIMIT: 1\/2m/d') + -e '/ERROR: INVALID_LIMIT: 1\/2m/d' dnl + -e '/ERROR: INVALID_LOG_PREFIX:/d' dnl + -e '/ERROR: INVALID_NFLOG_GROUP:/d' dnl + -e '/ERROR: INVALID_NFLOG_QUEUE:/d') FWD_START_TEST(config validation) AT_KEYWORDS(check_config) 
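Review bot: the new negative cases exercise only one side of each limit: a grossly over-long log prefix (141), `group=-1` (142) and `queue-size` -1 / 65536 (143), but there is no case for a prefix at exactly the maximum accepted length, nor for `group=65535` (highest valid) and `group=65536` (first invalid), so an off-by-one in the nflog group or prefix-length check would pass. The added `-e '/ERROR: INVALID_LOG_PREFIX:/d'`, `INVALID_NFLOG_GROUP` and `INVALID_NFLOG_QUEUE` filters also delete every such error line in the group, masking a check that fails unexpectedly with one of these errors; asserting the exact expected stderr in each FWD_CHECK would be tighter.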
@@ -1980,6 +1998,25 @@ dnl default config FWD_CHECK(--check-config, 0, ignore) + dnl Add some valid optional files/config to verify their checks work too + AT_DATA(./direct.xml, m4_strip(dnl + <?xml version="1.0" encoding="utf-8"?> + <direct> + <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-j LOG</rule> + </direct> + )) + AT_DATA(./lockdown-whitelist.xml, m4_strip(dnl + <?xml version="1.0" encoding="utf-8"?> + <whitelist> + <command name="/home/egarver/bin/python /usr/bin/firewall-config"/> + <selinux context="system_u:system_r:NetworkManager_t:s0"/> + <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/> + <user id="0"/> + </whitelist> + )) + FWD_RELOAD() + FWD_CHECK(--check-config, 0, ignore) + dnl The rest of these are negative test cases. dnl firewalld.conf @@ -2311,6 +2348,21 @@ <?xml version="1.0" encoding="utf-8"?> <zone> <rule> +<service name="bitcoin" /> +<log prefix="WtsDMDAMJvd24wejRBsImI2VSkBaAlo1h2TVgEmH5CpL1YjdCTnjO8mizyp4cBDNq9NXS6QAuRnq/vF5xsid1orzY4jKzaWhm5qrktZLi38jinLFixX97d5JcM9o5tSx9XwQyaHUJMmxcjKYrDQ2Pvo1KMgf4f7yDAcKJaoJiNYp" /> +</rule> +</zone> +) + FWD_CHECK(--check-config, 0, ignore, dnl +m4_ifdef(TESTING_FIREWALL_OFFLINE_CMD, dnl +WARNING: Invalid rule: Invalid log prefix +WARNING: Invalid rule: Invalid log prefix +)) + + AT_DATA(./zones/foobar.xml, dnl +<?xml version="1.0" encoding="utf-8"?> +<zone> +<rule> <source address="10.0.0.1/24" /> <log level="super_critical" /> </rule> 
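Review bot: the lockdown-whitelist.xml fixture in the first hunk whitelists `/home/egarver/bin/python /usr/bin/firewall-config`, a developer's home-directory path; use a neutral path in test data so the fixture does not encode a personal environment. In the second hunk the expected `--check-config` output under TESTING_FIREWALL_OFFLINE_CMD lists `WARNING: Invalid rule: Invalid log prefix` twice for a single rule; if the duplicate is intentional a dnl comment should say why, otherwise the checker is validating the same rule twice and should be fixed.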
@@ -2323,6 +2375,36 @@ )) AT_DATA(./zones/foobar.xml, dnl +<?xml version="1.0" encoding="utf-8"?> +<zone> +<rule family="ipv4"> +<forward-port port="1234" protocol="tcp" to-port="4321" to-addr="10.0.0.1" /> +<nflog group="65536" /> +</rule> +</zone> +) + FWD_CHECK(--check-config, 0, ignore, dnl +m4_ifdef(TESTING_FIREWALL_OFFLINE_CMD, dnl +WARNING: Invalid rule: Invalid nflog group value +WARNING: Invalid rule: Invalid nflog group value +)) + + AT_DATA(./zones/foobar.xml, dnl +<?xml version="1.0" encoding="utf-8"?> +<zone> +<rule> +<port port="1234" protocol="tcp" /> +<nflog queue-size="-1" /> +</rule> +</zone> +) + FWD_CHECK(--check-config, 0, ignore, dnl +m4_ifdef(TESTING_FIREWALL_OFFLINE_CMD, dnl +WARNING: Invalid rule: Invalid nflog queue-size +WARNING: Invalid rule: Invalid nflog queue-size +)) + + AT_DATA(./zones/foobar.xml, dnl <?xml version="1.0" encoding="utf-8"?> <zone> <rule family="ipv4">
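Review bot: the two expected warnings are worded inconsistently, `Invalid nflog group value` versus `Invalid nflog queue-size`; pick one form (both with or both without `value`) so users and log scrapers see a consistent message. The same duplicated-WARNING pattern as in the log-prefix case appears here too, each invalid rule producing the line twice.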
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/features/features.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/features.at
Changed
@@ -15,3 +15,6 @@ m4_include(features/rich_destination_ipset.at) m4_include(features/zone.at) m4_include(features/rpfilter.at) +m4_include(features/zone_combine.at) +m4_include(features/startup_failsafe.at) +m4_include(features/ipset.at)
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/features/forward_ports.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/forward_ports.at
Changed
@@ -194,3 +194,83 @@ ) FWD_END_TEST(-e '/ERROR: INVALID_FORWARD/d' -e '/ERROR: INVALID_ZONE/d') + + +FWD_START_TEST(forward ports (OUTPUT)) +AT_KEYWORDS(policy forward_port rhbz2039542) + +FWD_CHECK(--permanent --new-policy=foobar, 0, ignore) +FWD_CHECK(--permanent --new-zone localhost, 0, ignore) +FWD_RELOAD + +dnl ingress-zone=HOST, egress-zone=ANY to DNAT outgoing packets +dnl podman uses this to redirect from host to containers. +dnl +FWD_CHECK(--permanent --policy foobar --add-ingress-zone HOST, 0, ignore) +FWD_CHECK(--permanent --policy foobar --add-egress-zone ANY, 0, ignore) +FWD_CHECK(--permanent --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222, 106, ignore, ignore) +FWD_CHECK(--permanent --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222:toaddr=10.0.0.1, 0, ignore, ignore) +FWD_CHECK(--permanent --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp to-port=4444', 106, ignore, ignore) +FWD_CHECK(--permanent --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp to-port=4444 to-addr=10.44.44.44', 0, ignore, ignore) +FWD_CHECK( --policy foobar --add-ingress-zone HOST, 0, ignore) +FWD_CHECK( --policy foobar --add-egress-zone ANY, 0, ignore) +FWD_CHECK( --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222, 106, ignore, ignore) +FWD_CHECK( --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222:toaddr=10.0.0.1, 0, ignore, ignore) +FWD_CHECK( --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp to-port=4444', 106, ignore, ignore) +FWD_CHECK( --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp to-port=4444 to-addr=10.44.44.44', 0, ignore, ignore) +NFT_LIST_RULES(inet, nat_OUT_policy_foobar_allow, 0, dnl + table inet firewalld { + chain nat_OUT_policy_foobar_allow { + meta nfproto ipv4 tcp dport 22 dnat ip to 10.0.0.1:2222 + meta nfproto ipv4 udp dport 444 dnat ip to 10.44.44.44:4444 + } + 
} +) +IPTABLES_LIST_RULES(nat, OUT_foobar_allow, 0, dnl + DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:10.0.0.1:2222 + DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:444 to:10.44.44.44:4444 +) + +FWD_CHECK(--permanent --policy foobar --remove-ingress-zone HOST, 0, ignore) +FWD_CHECK(--permanent --policy foobar --remove-egress-zone ANY, 0, ignore) +FWD_CHECK( --policy foobar --remove-ingress-zone HOST, 0, ignore) +FWD_CHECK( --policy foobar --remove-egress-zone ANY, 0, ignore) + +dnl ingress-zone=HOST, egress-zone=zone +dnl podman uses this to redirect from host to containers. +dnl +FWD_CHECK(--permanent --zone localhost --add-source 127.0.0.0/8, 0, ignore) +FWD_CHECK(--permanent --policy foobar --add-ingress-zone HOST, 0, ignore) +FWD_CHECK(--permanent --policy foobar --add-egress-zone localhost, 0, ignore) +FWD_CHECK(--permanent --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222, 106, ignore, ignore) +FWD_CHECK(--permanent --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222:toaddr=10.0.0.1, 0, ignore, ignore) +FWD_CHECK(--permanent --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp to-port=4444', 106, ignore, ignore) +FWD_CHECK(--permanent --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp to-port=4444 to-addr=10.44.44.44', 0, ignore, ignore) +FWD_CHECK( --zone localhost --add-source 127.0.0.0/8, 0, ignore) +FWD_CHECK( --policy foobar --add-ingress-zone HOST, 0, ignore) +FWD_CHECK( --policy foobar --add-egress-zone localhost, 0, ignore) +FWD_CHECK( --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222, 106, ignore, ignore) +FWD_CHECK( --policy=foobar --add-forward-port port=22:proto=tcp:toport=2222:toaddr=10.0.0.1, 0, ignore, ignore) +FWD_CHECK( --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp to-port=4444', 106, ignore, ignore) +FWD_CHECK( --policy=foobar --add-rich-rule='rule family=ipv4 forward-port port=444 protocol=udp 
to-port=4444 to-addr=10.44.44.44', 0, ignore, ignore) +NFT_LIST_RULES(inet, nat_OUT_policy_foobar_allow, 0, dnl + table inet firewalld { + chain nat_OUT_policy_foobar_allow { + meta nfproto ipv4 tcp dport 22 dnat ip to 10.0.0.1:2222 + meta nfproto ipv4 udp dport 444 dnat ip to 10.44.44.44:4444 + } + } +) +IPTABLES_LIST_RULES(nat, OUT_foobar_allow, 0, dnl + DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:10.0.0.1:2222 + DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:444 to:10.44.44.44:4444 +) + +FWD_CHECK(--permanent --zone localhost --remove-source 127.0.0.0/8, 0, ignore) +FWD_CHECK(--permanent --policy foobar --remove-ingress-zone HOST, 0, ignore) +FWD_CHECK(--permanent --policy foobar --remove-egress-zone localhost, 0, ignore) +FWD_CHECK( --zone localhost --remove-source 127.0.0.0/8, 0, ignore) +FWD_CHECK( --policy foobar --remove-ingress-zone HOST, 0, ignore) +FWD_CHECK( --policy foobar --remove-egress-zone localhost, 0, ignore) + +FWD_END_TEST(-e '/ERROR: INVALID_FORWARD/d' -e '/ERROR: INVALID_ZONE/d')
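Review bot: the egress-zone=localhost case asserts only the contents of `nat_OUT_policy_foobar_allow` / `OUT_foobar_allow`, which are identical to the egress-zone=ANY case, so the test never verifies that the DNAT rules are reached only for traffic matching the `localhost` zone source 127.0.0.0/8; add an NFT_LIST_RULES / IPTABLES_LIST_RULES on the OUTPUT dispatch chain (`nat_OUTPUT_POLICIES_pre` or its iptables counterpart) so that a regression dispatching the policy unconditionally fails. The 106 checks for a forward-port without `toaddr` / `to-addr` in a HOST-ingress policy are good; a short dnl explaining why a port-only redirect is rejected on the OUTPUT side would help future readers.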
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/ipset.at
Added
@@ -0,0 +1,1 @@ +m4_include(features/ipset_defer_native_ipset_creation.at)
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/ipset_defer_native_ipset_creation.at
Added
@@ -0,0 +1,108 @@ +m4_if(iptables, FIREWALL_BACKEND, , dnl NOT iptables +FWD_START_TEST(ipset defer native creation) +AT_KEYWORDS(ipset direct rhbz2122678) +CHECK_IPTABLES() + +FWD_CHECK(--permanent --new-ipset foobar --type hash:net, 0, ignore) +FWD_CHECK(--permanent --ipset foobar --add-entry 10.0.0.0/24, 0, ignore) +FWD_RELOAD() + +dnl should not exist until a --direct rule is used +IPSET_LIST_SET_ALWAYS(foobar, 1, ignore, ignore) +dnl but nftables sets should always exist (assuming FirewallBackend==nftables) +NFT_LIST_SET(foobar, 0, dnl +table inet firewalld { + set foobar { + type ipv4_addr + flags interval + elements = { 10.0.0.0/24 } + } +} +) + +dnl adding entries should update nftables, but not native ipset because no +dnl --direct rules +FWD_CHECK( --ipset foobar --add-entry 10.1.1.0/24, 0, ignore) +IPSET_LIST_SET_ALWAYS(foobar, 1, ignore, ignore) +NFT_LIST_SET(foobar, 0, dnl +table inet firewalld { + set foobar { + type ipv4_addr + flags interval + elements = { 10.0.0.0/24, 10.1.1.0/24 } + } +} +) + +dnl Doesn't matter if the --direct rule uses the ipset or not. firewalld does +dnl zero semantic checking of direct rules. 
+FWD_CHECK(--direct --add-rule ipv4 filter INPUT_direct 0 -j ACCEPT, 0, ignore) +IPSET_LIST_SET_ALWAYS(foobar, 0, dnl +Name: foobar +Type: hash:net +Members: +10.0.0.0/24 +10.1.1.0/24 +) + +dnl verify new elements added if direct in use +FWD_CHECK(--ipset foobar --add-entry 10.2.2.0/24, 0, ignore) +IPSET_LIST_SET_ALWAYS(foobar, 0, dnl +Name: foobar +Type: hash:net +Members: +10.0.0.0/24 +10.1.1.0/24 +10.2.2.0/24 +) +NFT_LIST_SET(foobar, 0, dnl +table inet firewalld { + set foobar { + type ipv4_addr + flags interval + elements = { 10.0.0.0/24, 10.1.1.0/24, + 10.2.2.0/24 } + } +} +) + +dnl make sure it gets cleaned up on a reload +FWD_CHECK(--permanent --delete-ipset foobar, 0, ignore) +FWD_RELOAD() +IPSET_LIST_SET_ALWAYS(foobar, 1, ignore, ignore) +NFT_LIST_SET(foobar, 1, ignore, ignore) + +dnl verify adding passthrough triggers creation +FWD_CHECK(--permanent --new-ipset foobar --type hash:net, 0, ignore) +FWD_CHECK(--permanent --ipset foobar --add-entry 10.0.0.0/24, 0, ignore) +FWD_RELOAD() +IPSET_LIST_SET_ALWAYS(foobar, 1, ignore, ignore) +FWD_CHECK(--direct --add-passthrough ipv4 -t filter -A INPUT -j ACCEPT, 0, ignore) +IPSET_LIST_SET_ALWAYS(foobar, 0, dnl +Name: foobar +Type: hash:net +Members: +10.0.0.0/24 +) + +dnl make sure it gets cleaned up on a reload +FWD_CHECK(--permanent --delete-ipset foobar, 0, ignore) +FWD_RELOAD() +IPSET_LIST_SET_ALWAYS(foobar, 1, ignore, ignore) +NFT_LIST_SET(foobar, 1, ignore, ignore) + +dnl verify adding chain triggers creation +FWD_CHECK(--permanent --new-ipset foobar --type hash:net, 0, ignore) +FWD_CHECK(--permanent --ipset foobar --add-entry 10.0.0.0/24, 0, ignore) +FWD_RELOAD() +IPSET_LIST_SET_ALWAYS(foobar, 1, ignore, ignore) +FWD_CHECK(--direct --add-chain ipv4 filter foobar, 0, ignore) +IPSET_LIST_SET_ALWAYS(foobar, 0, dnl +Name: foobar +Type: hash:net +Members: +10.0.0.0/24 +) + +FWD_END_TEST() +)
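Review bot: the test covers creation of the native ipset when a `--direct` rule, passthrough or chain is added, and cleanup on `--reload` after `--permanent --delete-ipset`, but not the other direction: after the direct rule is removed again (`--direct --remove-rule`), or after a runtime `--delete-ipset`, is the native set destroyed, and does it keep receiving `--add-entry` updates while it lingers? Add those cases so the deferred-creation logic cannot leave a stale native set that diverges from the nftables set; the dnl that firewalld does zero semantic checking of direct rules (so any direct rule triggers creation) is also worth a sentence in the `--direct` documentation.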
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/features/policy.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/policy.at
Changed
@@ -50,6 +50,12 @@ <source-port port="1234" protocol="udp" /> <log prefix="LOG: " level="warning" /> </rule> +<rule> + <source-port port="1234" protocol="tcp" /> + <nflog group="1" prefix="NFLOG: " queue-size="10"> + <limit value="5/m" /> + </nflog> +</rule> <rule family="ipv6"> <protocol value="ipv6-icmp" /> <audit /> 
@@ -614,6 +620,179 @@ egress-zones: HOST ) +dnl Verify basic layout for dispatch. These are common amongst all policy types +dnl and exist even if zero policies are active. +dnl +dnl (raw, output): only iptables uses raw for conntrack helpers +IPTABLES_LIST_RULES(raw, PREROUTING, 0, dnl +PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 +PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +) +IP6TABLES_LIST_RULES(raw, PREROUTING, 0, dnl +PREROUTING_direct all ::/0 ::/0 +PREROUTING_ZONES all ::/0 ::/0 +) +dnl (nat, prerouting) +NFT_LIST_RULES(inet, nat_PREROUTING, 0, dnl + table inet firewalld { + chain nat_PREROUTING { + jump nat_PREROUTING_ZONES + } + } +) +IPTABLES_LIST_RULES(nat, PREROUTING, 0, dnl +PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 +PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +) +IP6TABLES_LIST_RULES(nat, PREROUTING, 0, dnl +PREROUTING_direct all ::/0 ::/0 +PREROUTING_ZONES all ::/0 ::/0 +) +dnl (nat, output) +dnl No zones dispatch, so directly dispatch policies +NFT_LIST_RULES(inet, nat_OUTPUT, 0, dnl + table inet firewalld { + chain nat_OUTPUT { + jump nat_OUTPUT_POLICIES_pre + jump nat_OUTPUT_POLICIES_post + } + } +) +IPTABLES_LIST_RULES(nat, OUTPUT, 0, dnl +OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 +OUTPUT_POLICIES_pre all -- 0.0.0.0/0 0.0.0.0/0 +OUTPUT_POLICIES_post all -- 0.0.0.0/0 0.0.0.0/0 +) +IP6TABLES_LIST_RULES(nat, OUTPUT, 0, dnl +OUTPUT_direct all ::/0 ::/0 +OUTPUT_POLICIES_pre all ::/0 ::/0 +OUTPUT_POLICIES_post all ::/0 ::/0 +) +dnl (nat, postrouting) +NFT_LIST_RULES(inet, nat_POSTROUTING, 0, dnl + table inet firewalld { + chain nat_POSTROUTING { + jump nat_POSTROUTING_ZONES + } + } +) +IPTABLES_LIST_RULES(nat, POSTROUTING, 0, dnl +POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 +POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +) +IP6TABLES_LIST_RULES(nat, POSTROUTING, 0, dnl +POSTROUTING_direct all ::/0 ::/0 +POSTROUTING_ZONES all ::/0 ::/0 +) +dnl (mangle, prerouting) +NFT_LIST_RULES(inet, mangle_PREROUTING, 0, dnl + table inet firewalld { + chain 
mangle_PREROUTING { + jump mangle_PREROUTING_ZONES + } + } +) +IPTABLES_LIST_RULES(mangle, PREROUTING, 0, dnl +PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 +PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +) +dnl IPv6_rpfilter is in mangle for iptables, nftables is in (filter, +dnl prerouting) +IP6TABLES_LIST_RULES(mangle, PREROUTING, 0, dnl +ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134 +ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135 +DROP all ::/0 ::/0 rpfilter validmark invert +PREROUTING_direct all ::/0 ::/0 +PREROUTING_ZONES all ::/0 ::/0 +) +dnl (filter, input) +NFT_LIST_RULES(inet, filter_INPUT, 0, dnl + table inet firewalld { + chain filter_INPUT { + ct state established,related accept + ct status dnat accept + ct state invalid drop + iifname "lo" accept + jump filter_INPUT_ZONES + reject with icmpx admin-prohibited + } + } +) +IPTABLES_LIST_RULES(filter, INPUT, 0, dnl +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT +DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 +INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited +) +IP6TABLES_LIST_RULES(filter, INPUT, 0, dnl +ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT +DROP all ::/0 ::/0 ctstate INVALID +ACCEPT all ::/0 ::/0 +INPUT_direct all ::/0 ::/0 +INPUT_ZONES all ::/0 ::/0 +REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited +) +dnl (filter, forward) +NFT_LIST_RULES(inet, filter_FORWARD, 0, dnl + table inet firewalld { + chain filter_FORWARD { + ct state established,related accept + ct status dnat accept + ct state invalid drop + iifname "lo" accept + ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable + jump filter_FORWARD_ZONES + reject with icmpx admin-prohibited + } + } +) +IPTABLES_LIST_RULES(filter, FORWARD, 0, dnl +ACCEPT all -- 
0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT +DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 +FORWARD_ZONES all -- 0.0.0.0/0 0.0.0.0/0 +REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited +) +IP6TABLES_LIST_RULES(filter, FORWARD, 0, dnl +ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT +DROP all ::/0 ::/0 ctstate INVALID +ACCEPT all ::/0 ::/0 +FORWARD_direct all ::/0 ::/0 +RFC3964_IPv4 all ::/0 ::/0 +FORWARD_ZONES all ::/0 ::/0 +REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited +) +dnl (filter, output) +NFT_LIST_RULES(inet, filter_OUTPUT, 0, dnl + table inet firewalld { + chain filter_OUTPUT { + ct state established,related accept + oifname "lo" accept + ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable + jump filter_OUTPUT_POLICIES_pre + jump filter_OUTPUT_POLICIES_post + } + } +) +IPTABLES_LIST_RULES(filter, OUTPUT, 0, dnl +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 +OUTPUT_POLICIES_pre all -- 0.0.0.0/0 0.0.0.0/0 +OUTPUT_POLICIES_post all -- 0.0.0.0/0 0.0.0.0/0 +) +IP6TABLES_LIST_RULES(filter, OUTPUT, 0, dnl +ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED +ACCEPT all ::/0 ::/0 +OUTPUT_direct all ::/0 ::/0 +RFC3964_IPv4 all ::/0 ::/0 +OUTPUT_POLICIES_pre all ::/0 ::/0 +OUTPUT_POLICIES_post all ::/0 ::/0 +) + dnl Verify zone --> HOST is dispatched correctly (INPUT). dnl FWD_CHECK(--policy=foobar --add-ingress-zone="public", 0, ignore) @@ -713,6 +892,17 @@ ) IP6TABLES_LIST_RULES(nat, POSTROUTING_POLICIES_pre, 0, dnl ) +dnl (nat, output) +NFT_LIST_RULES(inet, nat_OUTPUT_POLICIES_pre, 0, dnl + table inet firewalld {
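Review bot: the iptables/ip6tables expectations for filter INPUT, FORWARD and OUTPUT contain a bare `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` where the nft expectation has `iifname "lo" accept` / `oifname "lo" accept`; because the listing used here does not show the interface column, the test cannot distinguish the loopback accept from an unconditional accept-all, so a regression that drops the `-i lo` match would still pass. List those chains with interface information (`-S` or verbose output) or add a negative check. Minor: the dnl `(raw, output): only iptables uses raw for conntrack helpers` sits above a listing of raw PREROUTING, so the label should read `(raw, prerouting)`.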
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/features/rfc3964_ipv4.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/rfc3964_ipv4.at
Changed
@@ -10,11 +10,11 @@ chain filter_FORWARD { ct state established,related accept ct status dnat accept + ct state invalid log prefix "STATE_INVALID_DROP: " + ct state invalid drop iifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 addr-unreachable jump filter_FORWARD_ZONES - ct state invalid log prefix "STATE_INVALID_DROP: " - ct state invalid drop log prefix "FINAL_REJECT: " reject with icmpx admin-prohibited } @@ -53,12 +53,12 @@ ) IP6TABLES_LIST_RULES(filter, FORWARD, 0, dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT + LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " + DROP all ::/0 ::/0 ctstate INVALID ACCEPT all ::/0 ::/0 FORWARD_direct all ::/0 ::/0 RFC3964_IPv4 all ::/0 ::/0 FORWARD_ZONES all ::/0 ::/0 - LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " - DROP all ::/0 ::/0 ctstate INVALID LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: " REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ) @@ -79,10 +79,10 @@ chain filter_FORWARD { ct state established,related accept ct status dnat accept - iifname "lo" accept - jump filter_FORWARD_ZONES ct state invalid log prefix "STATE_INVALID_DROP: " ct state invalid drop + iifname "lo" accept + jump filter_FORWARD_ZONES log prefix "FINAL_REJECT: " reject with icmpx admin-prohibited } 
@@ -102,11 +102,11 @@ IP6TABLES_LIST_RULES(filter, RFC3964_IPv4, 1, ignore, ignore) IP6TABLES_LIST_RULES(filter, FORWARD, 0, dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT + LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " + DROP all ::/0 ::/0 ctstate INVALID ACCEPT all ::/0 ::/0 FORWARD_direct all ::/0 ::/0 FORWARD_ZONES all ::/0 ::/0 - LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " - DROP all ::/0 ::/0 ctstate INVALID LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: " REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited )
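Review bot: these hunks record the same ordering change as in firewall-cmd.at: with denied-packet logging enabled (the `STATE_INVALID_DROP:` / `FINAL_REJECT:` prefixes), the INVALID log+drop now runs before `iifname "lo" accept`, `FORWARD_direct`, `RFC3964_IPv4` and the zone dispatch on both the nft and the ip6tables backend. Two consequences deserve a changelog line: INVALID packets are logged and dropped even on loopback, and a direct rule in FORWARD_direct can no longer accept them, which the ip6tables listing (DROP before `FORWARD_direct`) confirms.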
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/features/rich_rules.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/rich_rules.at
Changed
@@ -279,12 +279,42 @@ ) IPTABLES_LIST_RULES(filter, IN_foobar_post, 0, dnl ACCEPT all -- 10.10.10.15 0.0.0.0/0 - LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "'LOG: '" + LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "LOG: " AUDIT all -- 0.0.0.0/0 0.0.0.0/0 AUDIT accept ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ) IP6TABLES_LIST_RULES(filter, IN_foobar_post, 0, dnl - LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "'LOG: '" + LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "LOG: " + AUDIT all ::/0 ::/0 AUDIT accept + ACCEPT all ::/0 ::/0 +) +FWD_CHECK(--permanent --policy foobar --remove-rich-rule='rule priority=32000 log prefix="LOG: " level="warning"', 0, ignore) +FWD_CHECK(--permanent --policy foobar --remove-rich-rule='rule priority=32001 audit accept', 0, ignore) +FWD_RELOAD + +dnl nflog/audit action +dnl +FWD_CHECK(--permanent --policy foobar --add-rich-rule='rule priority=32000 nflog prefix="NFLOG: " queue-size=10', 0, ignore) +FWD_CHECK(--permanent --policy foobar --add-rich-rule='rule priority=32001 audit accept', 0, ignore) +FWD_RELOAD +NFT_LIST_RULES(inet, filter_IN_policy_foobar_post, 0, dnl + table inet firewalld { + chain filter_IN_policy_foobar_post { + ip saddr 10.10.10.15 accept + log prefix "NFLOG: " group 0 queue-threshold 10 + log level audit + accept + } + } +) +IPTABLES_LIST_RULES(filter, IN_foobar_post, 0, dnl + ACCEPT all -- 10.10.10.15 0.0.0.0/0 + NFLOG all -- 0.0.0.0/0 0.0.0.0/0 nflog-prefix "NFLOG: " nflog-threshold 10 + AUDIT all -- 0.0.0.0/0 0.0.0.0/0 AUDIT accept + ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +) +IP6TABLES_LIST_RULES(filter, IN_foobar_post, 0, dnl + NFLOG all ::/0 ::/0 nflog-prefix "NFLOG: " nflog-threshold 10 AUDIT all ::/0 ::/0 AUDIT accept ACCEPT all ::/0 ::/0 )
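Review bot: the new nflog expectation documents defaults and a mapping that users need to know: a rich rule `nflog prefix="NFLOG: " queue-size=10` without `group=` renders as nft `log prefix "NFLOG: " group 0 queue-threshold 10` and iptables `NFLOG ... nflog-prefix "NFLOG: " nflog-threshold 10`, i.e. the default netlink group is 0 and `queue-size` is really the nflog threshold (packets buffered before delivery to userspace), not a queue length. The rich-language documentation should state both, since a collector has to bind group 0 to see these packets and `queue-size` is a misleading name for a threshold. The `"'LOG: '"` to `"LOG: "` prefix change matches the firewall-cmd.at fix.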
View file
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/features/service_include.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/service_include.at
Changed
@@ -112,15 +112,7 @@ )) dnl negative test for including service that doesn't exist -FWD_CHECK(-q --permanent --zone=drop --add-interface=foobar0) -FWD_CHECK(-q --permanent --zone=drop --add-service=my-service-with-include) -FWD_CHECK(-q --permanent --service=my-service-with-include --add-include=does-not-exist) -FWD_RELOAD(101, ignore, ignore, 251) +FWD_CHECK(--permanent --service=my-service-with-include --add-include=does-not-exist, 101, ignore, ignore) +FWD_OFFLINE_CHECK(--service=my-service-with-include --add-include=does-not-exist, 101, ignore, ignore) -FWD_CHECK(--zone=public --list-services, 0, dnl -dhcpv6-client ssh -) -FWD_CHECK(-q --permanent --service=my-service-with-include --remove-include=does-not-exist) -FWD_RELOAD - -FWD_END_TEST(-e '/ERROR: INVALID_SERVICE: does-not-exist/d') +FWD_END_TEST(-e '/ERROR: INVALID_SERVICE:/d')
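Review bot: the deleted lines exercised the reload path: a permanent include of a non-existent service followed by `FWD_RELOAD(101, ignore, ignore, 251)` and a check that zone public still listed `dhcpv6-client ssh`; the replacement only checks that `--add-include=does-not-exist` is rejected (101) by FWD_CHECK and FWD_OFFLINE_CHECK. A hand-edited service XML with a dangling include is therefore no longer covered here; if startup_failsafe.at is meant to take that over, add a broken-service-include case there, otherwise keep the reload test.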
View file
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/startup_failsafe.at
Added
@@ -0,0 +1,122 @@ +IF_BACKEND_IS_DEFAULT( + +FWD_START_TEST(startup failsafe - invalid xml) +AT_KEYWORDS(failsafe) +dnl invalid XML +AT_CHECK(mkdir -p ./zones) +AT_DATA(./zones/broken.xml, +<zone> +<service name="ssh" /> +<boguselement foo="bar" /> +</zone> +) +FWD_RESTART(251) +FWD_CHECK(--state, 251, ignore, ignore) + +dnl we should be able to make runtime changes +FWD_CHECK(--zone public --add-service https, 0, ignore) +NFT_LIST_RULES(inet, filter_IN_public_allow, 0, dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + tcp dport 443 ct state new,untracked accept + } + } +) + +dnl --runtime-to-permanent is disallowed while operating in FAILED state. +FWD_CHECK(--runtime-to-permanent, 251, ignore, ignore) + +dnl --permanent is disallowed while operating in FAILED state. +FWD_CHECK(--permanent --add-service https, 251, ignore, ignore) +FWD_CHECK(--permanent --policy allow-host-ipv6 --add-service https, 251, ignore, ignore) +FWD_CHECK(--permanent --service ssh --add-port=666/tcp, 251, ignore, ignore) +FWD_CHECK(--permanent --icmptype redirect --remove-destination=ipv4, 251, ignore, ignore) +FWD_CHECK(--permanent --helper tftp --add-port=44/tcp, 251, ignore, ignore) +FWD_CHECK(--permanent --new-ipset foobar --type=hash:ip, 251, ignore, ignore) + +FWD_END_TEST(ignore) + +dnl invalid port +FWD_START_TEST(startup failsafe - bad zone) +AT_KEYWORDS(failsafe) +AT_CHECK(mkdir -p ./zones) +AT_DATA(./zones/broken.xml, +<zone> +<port port="1234" /> +</zone> +) +FWD_RESTART(251) +FWD_CHECK(--state, 251, ignore, ignore) +FWD_END_TEST(ignore) + +dnl invalid source +FWD_START_TEST(startup failsafe - bad policy) +AT_KEYWORDS(failsafe) +AT_CHECK(mkdir -p ./policies) +AT_DATA(./policies/broken.xml, +<policy> +<source ipset="doesnotexist" /> +</policy> +) +FWD_RESTART(251) +FWD_CHECK(--state, 251, ignore, ignore) +FWD_END_TEST(ignore) + +dnl non-existent service 
+FWD_START_TEST(startup failsafe - non-existent service) +AT_KEYWORDS(failsafe) +AT_CHECK(mkdir -p ./zones) +AT_DATA(./zones/broken.xml, +<zone> +<service name="doesnotexist" /> +</zone> +) +FWD_RESTART(251) +FWD_CHECK(--state, 251, ignore, ignore) +FWD_END_TEST(ignore) + +dnl non-existent icmptype +FWD_START_TEST(startup failsafe - non-existent icmptype) +AT_KEYWORDS(failsafe) +AT_CHECK(mkdir -p ./zones) +AT_DATA(./zones/broken.xml, +<zone> +<icmp-block name="doesnotexist" /> +</zone> +) +FWD_RESTART(251) +FWD_CHECK(--state, 251, ignore, ignore) +FWD_END_TEST(ignore) + +dnl broken direct rule (runtime backend failure) +FWD_START_TEST(startup failsafe - bad direct) +AT_KEYWORDS(failsafe) +CHECK_IPTABLES() +AT_DATA(./direct.xml, +<direct> +<rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-s 192.168.1.0/24 -j doesnotexist</rule> +</direct> +) +FWD_RESTART(251) +FWD_CHECK(--state, 251, ignore, ignore) +FWD_END_TEST(ignore) + +dnl broken stock config +dnl results in a full shutdown +FWD_START_TEST(startup failsafe - broken stock config) +FWD_STOP_FIREWALLD() +AT_CHECK(mkdir -p ./default_config/zones) +AT_DATA(./default_config/zones/broken.xml, +<zone> +<icmp-block name="doesnotexist" /> +</zone> +) +export FIREWALLD_DEFAULT_CONFIG="./default_config" +FWD_START_FIREWALLD(252) +sleep 5 dnl wait on it to be fully shut down +FWD_CHECK(--state, 252, ignore, ignore) +FWD_END_TEST(ignore) + +) # IF_BACKEND_IS_DEFAULT
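Review bot: the `broken stock config` case waits with a fixed `sleep 5` before checking `--state`, which is both slow and racy on a loaded builder; poll `--state` for the expected 252 in a bounded loop instead. The same case exports `FIREWALLD_DEFAULT_CONFIG=./default_config` and never unsets it, so it can leak into later test groups if the harness runs them in the same shell environment; unset it before FWD_END_TEST. The FAILED-state checks themselves are good: they pin down that the failsafe config opens only ssh and dhcpv6-client and that `--permanent` and `--runtime-to-permanent` are refused with 251, which is the right fail-closed behaviour to lock in.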
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/features/zone_combine.at
Added
@@ -0,0 +1,173 @@ +FWD_START_TEST(zone - combine) +AT_KEYWORDS(zone) + +dnl Zone combining is pretty weird. All the XML files in the directory will be +dnl combined for the runtime config, but in the permanent config they'll be +dnl present individually. + +AT_CHECK(mkdir -p ./zones/combined) +AT_DATA(./zones/combined/zone1.xml, dnl +<?xml version="1.0" encoding="utf-8"?> +<zone> +<service name="ssh" /> +</zone> +) +AT_DATA(./zones/combined/zone2.xml, dnl +<?xml version="1.0" encoding="utf-8"?> +<zone> +<service name="https" /> +</zone> +) +AT_DATA(./zones/combined/zone3.xml, dnl +<?xml version="1.0" encoding="utf-8"?> +<zone> +<port port="12345" protocol="tcp" /> +</zone> +) +FWD_RELOAD() + +FWD_CHECK(--get-zones, 0, dnl +block combined dmz drop external home internal public trusted work +) +FWD_CHECK(--zone combined --list-all | TRIM_WHITESPACE, 0, dnl +combined +target: default +icmp-block-inversion: no +interfaces: +sources: +services: https ssh +ports: 12345/tcp +protocols: +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) + +FWD_CHECK(--permanent --get-zones, 0, dnl +block combined/zone1 combined/zone2 combined/zone3 dmz drop external home internal public trusted work +) +FWD_CHECK(--permanent --zone combined/zone1 --list-all | TRIM_WHITESPACE, 0, dnl +combined/zone1 +target: default +icmp-block-inversion: no +interfaces: +sources: +services: ssh +ports: +protocols: +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) +FWD_CHECK(--permanent --zone combined/zone2 --list-all | TRIM_WHITESPACE, 0, dnl +combined/zone2 +target: default +icmp-block-inversion: no +interfaces: +sources: +services: https +ports: +protocols: +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) +FWD_CHECK(--permanent --zone combined/zone3 --list-all | TRIM_WHITESPACE, 0, dnl +combined/zone3 +target: default +icmp-block-inversion: no +interfaces: +sources: +services: +ports: 
12345/tcp +protocols: +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) + +dnl verify we can modify the combined runtime config +dnl +FWD_CHECK(--zone combined --add-protocol icmp, 0, ignore) +FWD_CHECK(--zone combined --list-all | TRIM_WHITESPACE, 0, dnl +combined +target: default +icmp-block-inversion: no +interfaces: +sources: +services: https ssh +ports: 12345/tcp +protocols: icmp +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) + +dnl verify we can modify the individual zones in the permanent config +dnl +FWD_CHECK(--permanent --zone combined/zone2 --add-protocol icmp, 0, ignore) +FWD_CHECK(--permanent --zone combined/zone1 --list-all | TRIM_WHITESPACE, 0, dnl +combined/zone1 +target: default +icmp-block-inversion: no +interfaces: +sources: +services: ssh +ports: +protocols: +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) +FWD_CHECK(--permanent --zone combined/zone2 --list-all | TRIM_WHITESPACE, 0, dnl +combined/zone2 +target: default +icmp-block-inversion: no +interfaces: +sources: +services: https +ports: +protocols: icmp +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) +FWD_CHECK(--permanent --zone combined/zone3 --list-all | TRIM_WHITESPACE, 0, dnl +combined/zone3 +target: default +icmp-block-inversion: no +interfaces: +sources: +services: +ports: 12345/tcp +protocols: +forward: no +masquerade: no +forward-ports: +source-ports: +icmp-blocks: +rich rules: +) + +FWD_END_TEST()
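Review bot: The permanent-side edit (`--permanent --zone combined/zone2 --add-protocol icmp`) is never followed by a `FWD_RELOAD` and a re-listing of the runtime `combined` zone, so the test does not show that a change to one member file propagates into the merged runtime zone, which is exactly the behaviour the leading `dnl` comment calls "pretty weird" and the one a regression would break. Add `FWD_RELOAD` plus a `--zone combined --list-all` expectation ending in `protocols: icmp`, and consider asserting that `--permanent --zone combined` (the merged name) is rejected, since the `--permanent --get-zones` output above shows it does not exist in the permanent config.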
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/functions.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/functions.at
Changed
@@ -16,6 +16,9 @@ FIREWALLD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}" fi + dnl limit data (and heap) to catch unexpected increases in memory usage + ulimit -d $(expr 1024 \* 100) + NS_CMD(firewalld $FIREWALLD_ARGS &) if test $? -ne 0; then AT_FAIL_IF(:) @@ -23,9 +26,13 @@ echo "$!" > firewalld.pid dnl Give it some time for the dbus interface to come up + WANTED_CODE="$1" up=0 for I in 1 2 3 4 5 6 7 8 9 0; do - if NS_CMD(firewall-cmd --state); then + NS_CMD(firewall-cmd --state) + RC=$? + echo "exit code = ${RC}" + if test ${RC} -eq ${WANTED_CODE:-0}; then up=1 break fi @@ -46,6 +53,9 @@ logging #level=DEBUG #domains=ALL + +keyfile +unmanaged-devices=*,except:type:dummy,except:type:ovs-bridge,except:type:ovs-port,except:type:ovs-interface ) NM_ARGS="--no-daemon --config ./NetworkManager.conf" @@ -83,8 +93,8 @@ ) m4_define(FWD_RESTART, - FWD_STOP_FIREWALLD - FWD_START_FIREWALLD + FWD_STOP_FIREWALLD() + FWD_START_FIREWALLD($1) ) m4_define(FWD_START_TEST, @@ -131,10 +141,10 @@ ) dnl dummy wrapper for trap syntax - function kill_firewalld() { + kill_firewalld() { FWD_STOP_FIREWALLD } - function kill_networkmanager() { + kill_networkmanager() { if test -f networkmanager.pid; then STOP_NETWORKMANAGER fi @@ -370,9 +380,16 @@ ) ) -m4_define(IPTABLES_LIST_RULES_NORMALIZE, dnl +m4_define(IPXTABLES_LIST_RULES_NORMALIZE, dnl TRIM_WHITESPACE | dnl - tail -n +3 dnl + tail -n +3 | dnl + dnl iptables-1.8.8 changed output of some protocols + dnl commit b6196c7504d4 ("xshared: Prefer xtables_chain_protos lookup over getprotoent") + sed -e 's/ ipv6-icmp\( -\)/ icmpv6\1/g' dnl +) + +m4_define(IPTABLES_LIST_RULES_NORMALIZE, dnl + IPXTABLES_LIST_RULES_NORMALIZE() dnl ) m4_define(IPTABLES_LIST_RULES_ALWAYS, @@ -389,8 +406,7 @@ ) m4_define(IP6TABLES_LIST_RULES_NORMALIZE, dnl - TRIM_WHITESPACE | dnl - tail -n +3 dnl + IPXTABLES_LIST_RULES_NORMALIZE() dnl ) m4_define(IP6TABLES_LIST_RULES_ALWAYS, 
@@ -444,7 +460,7 @@ awk 'NR <= 3; NR > 3 {print | "sort"}' dnl ) -m4_define(IPSET_LIST_SET, +m4_define(IPSET_LIST_SET_ALWAYS, m4_ifdef(TESTING_FIREWALL_OFFLINE_CMD, , if $IPSET list >/dev/null 2>&1; then NS_CHECK(PIPESTATUS0($IPSET list $1, IPSET_LIST_SET_NORMALIZE), @@ -453,6 +469,12 @@ ) ) +m4_define(IPSET_LIST_SET, + m4_if(iptables, FIREWALL_BACKEND, + IPSET_LIST_SET_ALWAYS($1, $2, $3, $4, $5, $6) + ) +) + m4_define(NFT_LIST_SET_NORMALIZE, dnl TRIM_WHITESPACE dnl ) @@ -668,3 +690,21 @@ NS_CHECK(nft delete table inet firewalld_check_rule_index) , $1) ) + +dnl check for NetworkManager's OVS support +dnl skip the test if it's not present +m4_define(CHECK_NM_CAPABILITY_OVS, + AT_SKIP_IF(! NS_CMD(which busctl >/dev/null 2>&1)) + NS_CHECK(busctl get-property \ + org.freedesktop.NetworkManager \ + /org/freedesktop/NetworkManager \ + org.freedesktop.NetworkManager \ + Capabilities | \ + grep -q '^au 0-9 *\<2\>' \ + || exit 77 # 77 skips, see AT_CHECK + ) +) + +m4_define(IF_BACKEND_IS_DEFAULT, + m4_if(nftables, FIREWALL_BACKEND, $1, ) +)
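Review bot: `ulimit -d $(expr 1024 \* 100)` in FWD_START_FIREWALLD runs in the test's own shell, not a subshell, and without `-S` it lowers both the soft and the hard limit, so every later command in the test group (firewall-cmd, nft, NetworkManager if started afterwards) inherits the 100 MiB data limit and nothing in the group can raise it again; use `ulimit -S -d` so the cap stays adjustable, or apply it in a subshell while keeping the `$!` pid capture working. Separately, in CHECK_NM_CAPABILITY_OVS the `grep -q '^au 0-9 *\<2\>'` pattern only inspects the element directly after the array length that busctl prints (`au <count> <v1> <v2> ...`), so a NetworkManager that reports another capability ahead of OVS (value 2) makes the check skip the test even though OVS is available; strip the `au <count>` prefix and use `grep -qw 2` instead, and confirm the character class really is `[0-9]`, as no brackets are visible in the pattern here.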
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/failsafe.at
Added
@@ -0,0 +1,2 @@ +AT_BANNER(startup failsafe) +m4_include(integration/failsafe_missing_iptables.at)
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/failsafe_missing_iptables.at
Added
@@ -0,0 +1,24 @@ +FWD_START_TEST(startup failsafe - broken iptables) +AT_KEYWORDS(failsafe) + +dnl Break iptables. +dnl +dnl This is super destructive to the host, but it's the only way to break all +dnl iptables variants (legacy, nft) +FWD_STOP_FIREWALLD() +IPTABLES_PATH=$(command -v ${IPTABLES}) +IPTABLES_RESTORE_PATH=$(command -v ${IPTABLES_RESTORE}) +echo "mv ${IPTABLES_PATH}.broken ${IPTABLES_PATH}" >> ./cleanup +echo "mv ${IPTABLES_RESTORE_PATH}.broken ${IPTABLES_RESTORE_PATH}" >> ./cleanup +AT_CHECK(mv ${IPTABLES_PATH} ${IPTABLES_PATH}.broken) +AT_CHECK(mv ${IPTABLES_RESTORE_PATH} ${IPTABLES_RESTORE_PATH}.broken) +AT_CHECK(sed -i 's/^FirewallBackend.*/FirewallBackend=iptables/' ./firewalld.conf) +FWD_START_FIREWALLD(251) +FWD_CHECK(-q --state, 251, ignore) + +dnl check that we fell back to default backend (nftables) +DBUS_GET(config, config, string:"FirewallBackend", 0, dnl +variant string "nftables" +) + +FWD_END_TEST(ignore)
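Review bot: `IPTABLES_PATH=$(command -v ${IPTABLES})` is used unchecked, so on a host without iptables the `mv` fails and the test reports an error instead of a skip; add `AT_SKIP_IF(test -z "$IPTABLES_PATH")` (and the same for `IPTABLES_RESTORE_PATH`) before anything is moved. Restoring the two binaries depends entirely on `./cleanup` being executed by FWD_END_TEST; if the run is interrupted after the `mv` the host is left without a working iptables, which the comment itself acknowledges, so gate this test behind an explicit opt-in (a keyword selection or an environment variable) rather than running it in every integration pass.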
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/gh976.at
Added
@@ -0,0 +1,14 @@ +FWD_START_TEST(interfaces during runtime to permanent) +AT_KEYWORDS(gh976 rhbz2112982) + +START_NETWORKMANAGER() + +NMCLI_CHECK(connection add type dummy con-name dummy0 ifname dummy0 ip4 10.0.0.2 gw4 10.0.0.1, 0, ignore) +echo NS_CMD(nmcli connection delete dummy0) >> ./cleanup +NMCLI_CHECK(connection show dummy0, 0, ignore) +NMCLI_CHECK(connection up dummy0, 0, ignore) + +FWD_CHECK(--add-service smtp, 0, ignore) +FWD_CHECK(--runtime-to-permanent, 0, ignore) + +FWD_END_TEST()
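Review bot: The test only asserts that `--runtime-to-permanent` exits 0 while a NetworkManager-managed `dummy0` is up; it never inspects the resulting permanent configuration, so a regression that makes the call succeed but persist the wrong thing would still pass. Add at least `FWD_CHECK(--permanent --query-service smtp, 0, ignore)` after the `--runtime-to-permanent` call, and assert the expected permanent zone/interface state for `dummy0` as well, since the title names interfaces as the subject of the test.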
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/integration/networkmanager.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/networkmanager.at
Changed
@@ -1,3 +1,4 @@ AT_BANNER(NetworkManager (FIREWALL_BACKEND)) m4_include(integration/rhbz1773809.at) m4_include(integration/rhbz1928860.at) +m4_include(integration/gh976.at)
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/integration/rhbz1773809.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/rhbz1773809.at
Changed
@@ -7,14 +7,20 @@ echo NS_CMD(nmcli connection delete dummy0) >> ./cleanup NMCLI_CHECK(connection show dummy0, 0, ignore) NMCLI_CHECK(connection up dummy0, 0, ignore) +NMCLI_CHECK(-f connection.zone connection show dummy0, 0, dnl +connection.zone: -- +) dnl Use firewall-offline-cmd otherwise the request will be forwarded to dnl NetworkManager. -FWD_OFFLINE_CHECK(-q --zone internal --add-interface dummy0) +FWD_OFFLINE_CHECK(--zone internal --add-interface dummy0, 0, ignore) FWD_RELOAD +NMCLI_CHECK(-f connection.zone connection show dummy0, 0, dnl +connection.zone: -- +) dnl firewall-cmd should forward the request to NetworkManager. -FWD_CHECK(-q --permanent --zone trusted --change-interface dummy0) +FWD_CHECK(--permanent --zone trusted --change-interface dummy0, 0, ignore, ignore) NMCLI_CHECK(-f connection.zone connection show dummy0, 0, dnl connection.zone: trusted )
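Review bot: The final `FWD_CHECK(--permanent --zone trusted --change-interface dummy0, 0, ignore, ignore)` now discards stderr as well as stdout, so the notice firewall-cmd prints when it hands an interface request over to NetworkManager is no longer visible to the test; the `nmcli` check that follows proves the zone landed in the connection profile, but not ignoring stderr (or matching that notice) would tie the result to the forwarding path the `dnl` comment describes. The two added `connection.zone: --` expectations are useful, as they pin down that firewall-offline-cmd never writes into the NetworkManager profile.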
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/integration/rhbz1928860.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/rhbz1928860.at
Changed
@@ -2,6 +2,7 @@ AT_KEYWORDS(reload rhbz1928860) START_NETWORKMANAGER +CHECK_NM_CAPABILITY_OVS() dnl OVS bridge and port NMCLI_CHECK(connection add type ovs-bridge conn.interface ovs-br con-name ovs-br, 0, ignore)
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/integration/testsuite -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/testsuite
Changed
@@ -1,7 +1,7 @@ #! /bin/sh -# Generated from testsuite.at by GNU Autoconf 2.71. +# Generated from integration/testsuite.at by GNU Autoconf 2.69. # -# Copyright (C) 2009-2017, 2020-2021 Free Software Foundation, Inc. +# Copyright (C) 2009-2012 Free Software Foundation, Inc. # # This test suite is free software; the Free Software Foundation gives # unlimited permission to copy, distribute and modify it. @@ -11,16 +11,14 @@ # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -as_nop=: -if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST -else $as_nop +else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( 
@@ -30,46 +28,46 @@ fi - -# Reset variables that may have inherited troublesome values from -# the environment. - -# IFS needs to be set, to space, tab, and newline, in precisely that order. -# (If _AS_PATH_WALK were called with IFS unset, it would have the -# side effect of setting IFS to empty, thus disabling word splitting.) -# Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl -IFS=" "" $as_nl" - -PS1='$ ' -PS2='> ' -PS4='+ ' - -# Ensure predictable behavior from utilities with locale-dependent output. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# We cannot yet rely on "unset" to work, but we need these variables -# to be unset--not just set to an empty or harmless value--now, to -# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct -# also avoids known problems related to "unset" and subshell syntax -# in other old shells (e.g. bash 2.01 and pdksh 5.2.14). -for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH -do eval test \${$as_var+y} \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done - -# Ensure that fds 0, 1, and 2 are open. -if (exec 3>&0) 2>/dev/null; then :; else exec 0</dev/null; fi -if (exec 3>&1) 2>/dev/null; then :; else exec 1>/dev/null; fi -if (exec 3>&2) ; then :; else exec 2>/dev/null; fi +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. 
+if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi # The user is always right. -if ${PATH_SEPARATOR+false} :; then +if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || @@ -78,6 +76,13 @@ fi +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( @@ -86,12 +91,8 @@ for as_dir in $PATH do IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - test -r "$as_dir$0" && as_myself=$as_dir$0 && break + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS 
@@ -103,22 +104,40 @@ as_myself=$0 fi if test ! -f "$as_myself"; then - printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="as_nop=: -if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST -else \$as_nop +else case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( @@ -138,53 +157,42 @@ as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } -if ( set x; as_fn_ret_success y && test x = \"\$1\" ) -then : +if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : -else \$as_nop +else exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 -blah=\$(echo \$(echo blah))
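Review bot: The regenerated `integration/testsuite` header shows it was produced by Autoconf 2.69 whereas the 1.0.2 copy came from 2.71, so the script in the new tarball moves backwards: the 2.71 `${VAR+y}` tests, the early `LC_ALL`/`IFS` setup and the fd 0/1/2 checks are replaced by the older 2.69 idioms visible in these hunks. Confirm that the package build regenerates this file from `testsuite.at` rather than installing the pre-generated copy, otherwise the shipped test runner comes from an older generator than the one previously reviewed.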
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/integration/testsuite.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/integration/testsuite.at
Changed
@@ -13,5 +13,6 @@ m4_include(integration/networkmanager.at) m4_include(integration/polkit.at) m4_include(integration/dbus.at) +m4_include(integration/failsafe.at) m4_undefine(TESTING_INTEGRATION)
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/package.m4 -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/package.m4
Changed
@@ -1,5 +1,5 @@ m4_define(AT_PACKAGE_NAME,firewalld) -m4_define(AT_PACKAGE_VERSION,1.0.2) -m4_define(AT_PACKAGE_STRING,firewalld 1.0.2) +m4_define(AT_PACKAGE_VERSION,1.2.1) +m4_define(AT_PACKAGE_STRING,firewalld 1.2.1) m4_define(AT_PACKAGE_URL,http://firewalld.org/) m4_define(AT_PACKAGE_BUGREPORT,https://github.com/firewalld/firewalld)
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/python/firewalld_config.py -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/python/firewalld_config.py
Changed
@@ -157,7 +157,7 @@ listServices() getServiceByName(String name) addService(String name, Dict of {String, Variant} settings) - + /org/fedoraproject/FirewallD1/config/service/<id> getSettings() loadDefaults() @@ -242,7 +242,7 @@ listIcmpTypes() getIcmpTypeByName(String name) addIcmpType(String name, Dict of {String, Variant} settings) - + /org/fedoraproject/FirewallD1/config/icmptype/<id> getSettings() loadDefaults()
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/build_policy_split_wildcard.at
Added
@@ -0,0 +1,56 @@ +FWD_START_TEST(build policy split wildcards) +AT_KEYWORDS(gh892 policy) + +dnl Setting up policy and adding interfaces that will remain for the duration of +dnl the tests +dnl +FWD_CHECK(--permanent --new-policy=foobar, 0, ignore) +FWD_CHECK(--permanent --policy foobar --add-ingress-zone internal, 0, ignore) +FWD_CHECK(--permanent --policy foobar --add-egress-zone public, 0, ignore) +FWD_CHECK(--permanent --zone internal --add-interface foobar0, 0, ignore) +FWD_CHECK(--permanent --zone internal --add-interface foobar1, 0, ignore) +FWD_CHECK(--permanent --zone public --add-interface foobar2, 0, ignore) +FWD_CHECK(--permanent --zone public --add-interface foobar3, 0, ignore) +FWD_RELOAD + +dnl Checking when the internal zone (iifname) is the only one with a wildcard +dnl +FWD_CHECK(--zone internal --add-interface tun+, 0, ignore) +NFT_LIST_RULES(inet, filter_FORWARD_POLICIES_pre, 0, dnl + table inet firewalld { + chain filter_FORWARD_POLICIES_pre { + iifname "tun*" oifname { "foobar2", "foobar3" } jump filter_FWD_policy_foobar + iifname { "foobar0", "foobar1" } oifname { "foobar2", "foobar3" } jump filter_FWD_policy_foobar + } + } +) +FWD_CHECK(--zone internal --remove-interface tun+, 0, ignore) + + +dnl Checking when the public zone (oifname) is the only one with a wildcard +dnl +FWD_CHECK(--zone public --add-interface tun+, 0, ignore) +NFT_LIST_RULES(inet, filter_FORWARD_POLICIES_pre, 0, dnl + table inet firewalld { + chain filter_FORWARD_POLICIES_pre { + iifname { "foobar0", "foobar1" } oifname "tun*" jump filter_FWD_policy_foobar + iifname { "foobar0", "foobar1" } oifname { "foobar2", "foobar3" } jump filter_FWD_policy_foobar + } + } +) + +dnl Checking when they are both wildcards +dnl +FWD_CHECK(--zone internal --add-interface net+, 0, ignore) +NFT_LIST_RULES(inet, filter_FORWARD_POLICIES_pre, 0, dnl + table inet firewalld { + chain filter_FORWARD_POLICIES_pre { + iifname "net*" oifname "tun*" jump filter_FWD_policy_foobar + iifname "net*" 
oifname { "foobar2", "foobar3" } jump filter_FWD_policy_foobar + iifname { "foobar0", "foobar1" } oifname "tun*" jump filter_FWD_policy_foobar + iifname { "foobar0", "foobar1" } oifname { "foobar2", "foobar3" } jump filter_FWD_policy_foobar + } + } +) + +FWD_END_TEST
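Review bot: The third check (both wildcards) silently depends on the second having left `tun+` in the public zone: unlike the first block, which removes `tun+` from internal before moving on, the public `tun+` is never removed, so the expected `oifname "tun*"` rows appear only because of that leftover state. Either re-add it explicitly in the third block or add a `dnl` line stating the dependency, so the checks can be reordered or run in isolation without the expectation changing. `FWD_RELOAD` is also called here without the `()` used in the other new tests; harmless for m4 but inconsistent.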
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/gh1011.at
Added
@@ -0,0 +1,15 @@ +FWD_START_TEST(remove entries results in empty) +AT_KEYWORDS(ipset gh1011 rhbz2121985) + +FWD_CHECK(--permanent --new-ipset foobar --type hash:net, 0, ignore) +AT_DATA(./empty, dnl +10.10.10.0/24 +) +FWD_CHECK(--permanent --ipset foobar --add-entry 10.10.10.0/24, 0, ignore) +FWD_CHECK(--permanent --ipset foobar --remove-entries-from-file ./empty, 0, ignore) + +FWD_RELOAD() +FWD_CHECK(--ipset foobar --add-entry 10.10.10.0/24, 0, ignore) +FWD_CHECK(--ipset foobar --remove-entries-from-file ./empty, 0, ignore) + +FWD_END_TEST()
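Review bot: The test proves only that `--remove-entries-from-file` exits 0 when the removal empties the set (permanent and runtime); it never checks that the set is actually empty afterwards, so add a `FWD_CHECK(--permanent --ipset foobar --get-entries, 0, ...)` with an empty expected output (and the runtime equivalent) to pin the result. The file holding the entry to remove is named `./empty`, which reads as if the file were empty when it is the set that ends up empty; a name such as `./remove_all` avoids that confusion.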
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/regression/gh258.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/gh258.at
Changed
@@ -16,9 +16,9 @@ chain filter_INPUT { ct state established,related accept ct status dnat accept + ct state invalid drop iifname "lo" accept jump filter_INPUT_ZONES - ct state invalid drop reject with icmpx admin-prohibited } } @@ -39,10 +39,10 @@ chain filter_FORWARD { ct state established,related accept ct status dnat accept + ct state invalid drop iifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable jump filter_FORWARD_ZONES - ct state invalid drop reject with icmpx admin-prohibited } } @@ -132,10 +132,10 @@ IPTABLES_LIST_RULES(filter, INPUT, 0, dnl ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT + DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 - DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ) IPTABLES_LIST_RULES(filter, INPUT_ZONES, 0, @@ -146,10 +146,10 @@ ) IPTABLES_LIST_RULES(filter, FORWARD, 0, dnl ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT + DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 FORWARD_ZONES all -- 0.0.0.0/0 0.0.0.0/0 - DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ) IPTABLES_LIST_RULES(filter, FORWARD_ZONES, 0, @@ -201,10 +201,10 @@ IP6TABLES_LIST_RULES(filter, INPUT, 0, dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT + DROP all ::/0 ::/0 ctstate INVALID ACCEPT all ::/0 ::/0 INPUT_direct all ::/0 ::/0 INPUT_ZONES all ::/0 ::/0 - DROP all ::/0 ::/0 ctstate INVALID REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ) IP6TABLES_LIST_RULES(filter, INPUT_ZONES, 0, 
@@ -215,11 +215,11 @@ ) IP6TABLES_LIST_RULES(filter, FORWARD, 0, dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT + DROP all ::/0 ::/0 ctstate INVALID ACCEPT all ::/0 ::/0 FORWARD_direct all ::/0 ::/0 RFC3964_IPv4 all ::/0 ::/0 FORWARD_ZONES all ::/0 ::/0 - DROP all ::/0 ::/0 ctstate INVALID REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ) IP6TABLES_LIST_RULES(filter, FORWARD_ZONES, 0,
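Review bot: The relocated `ct state invalid drop` now precedes `iifname "lo" accept`, the `INPUT_direct`/`FORWARD_direct` jumps and the zone dispatch in every listed chain (nft filter_INPUT and filter_FORWARD, iptables and ip6tables INPUT and FORWARD), which is a behaviour change rather than a reshuffle of expectations: invalid-state packets on loopback are now dropped, and neither a direct rule nor a zone rule can accept a packet conntrack has marked INVALID any more. That is the safer ordering, but it deserves a release-note entry, because anyone who relied on a direct rule to accept such packets will see it stop matching.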
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/regression/gh290.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/gh290.at
Changed
@@ -29,6 +29,6 @@ AT_CHECK(echo '<service name="http"/>' >> ./zones/foobar.xml) AT_CHECK(echo '</zone>' >> ./zones/foobar.xml) -FWD_RESTART +FWD_RESTART(251) FWD_GREP_LOG(ERROR:.*Missing attribute protocol for port) -FWD_END_TEST(-e '/ERROR:.*Missing attribute protocol for port.*/d') +FWD_END_TEST(ignore)
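Review bot: Switching the closing check from `FWD_END_TEST(-e '/ERROR:.*Missing attribute protocol for port.*/d')` to `FWD_END_TEST(ignore)` discards the entire log instead of only the one expected error line, so any additional ERROR or WARNING the failsafe start now emits goes unnoticed. Keep the targeted sed filter, extended with the failsafe messages that are expected, so unexpected log output still fails the test; the new `FWD_RESTART(251)` expectation itself is right, since a broken zone file should bring firewalld up in FAILED state rather than stop it from starting.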
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/regression/gh696.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/gh696.at
Changed
@@ -27,9 +27,9 @@ NFT_LIST_RULES(inet, filter_IN_public_deny, 0, dnl table inet firewalld { chain filter_IN_public_deny { - icmp echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: "" + icmp echo-request log prefix "filter_zone_public_HOST_ICMP_BLOCK: " icmp echo-request reject with icmpx admin-prohibited - icmpv6 echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: "" + icmpv6 echo-request log prefix "filter_zone_public_HOST_ICMP_BLOCK: " icmpv6 echo-request reject with icmpx admin-prohibited } }
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/gh874.at
Added
@@ -0,0 +1,25 @@ +FWD_START_TEST(policy masquerade w/ ingress interface) +AT_KEYWORDS(policy zone masquerade gh874) + +FWD_CHECK(--permanent --new-zone foobar_zone, 0, ignore) +FWD_CHECK(--permanent --new-policy foobar_policy, 0, ignore) +FWD_CHECK(--permanent --policy foobar_policy --add-masquerade, 0, ignore) +FWD_CHECK(--permanent --policy foobar_policy --add-ingress-zone foobar_zone, 0, ignore) +FWD_CHECK(--permanent --policy foobar_policy --add-egress-zone ANY, 0, ignore) +FWD_RELOAD() + +dnl It's invalid to use masquerade when a zone in the ingress_zones list has +dnl assigned interfaces. This is due to the underlying firewalls (nftables, +dnl iptables) not supporting matching iifname in postrouting hooks. +dnl +FWD_CHECK(--permanent --zone foobar_zone --add-interface foobar0, 112, ignore, ignore) + +dnl make sure the on-disk config check also fails +dnl +NS_CHECK(sed -i '2a \ +<interface name="foobar" /> +' ./zones/foobar_zone.xml +) +FWD_CHECK(--check-config, 112, ignore, ignore) + +FWD_END_TEST(ignore)
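Review bot: The `sed -i '2a ...'` edit assumes line 2 of `./zones/foobar_zone.xml` is the opening `<zone>` tag; that holds for the file `--new-zone` writes today, but it fails silently if the layout changes and the `<interface>` element lands where it is ignored, turning the `--check-config` expectation of 112 into a misleading result. Overwrite the file with an `AT_DATA` block containing the full zone XML instead. The interface injected here is also `foobar` while the CLI attempt above uses `foobar0`; using the same name keeps the two checks comparable.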
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/gh881.at
Added
@@ -0,0 +1,59 @@ +FWD_START_TEST(ipset entry overlap detect perf) +AT_KEYWORDS(ipset gh881) + +dnl build a large ipset +dnl +AT_DATA(./deny_cidr, ) +NS_CHECK(sh -c ' +for I in $(seq 250); do + for J in $(seq 250); do + echo "10.${I}.${J}.0/24" >> ./deny_cidr + done +done +') +NS_CHECK(echo "10.254.0.0/16" >> ./deny_cidr) + +dnl verify non-overlapping does not error +dnl +FWD_CHECK(--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000, 0, ignore) +NS_CHECK(time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr, 0, ignore, ignore) + +dnl still no overlap +dnl +AT_DATA(./deny_cidr, +9.0.0.0/8 +11.1.0.0/16 +) +NS_CHECK(time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr, 0, ignore, ignore) + +dnl verify overlap detection actually detects an overlap +dnl +AT_DATA(./deny_cidr, +10.1.0.0/16 +10.2.0.0/16 +10.250.0.0/16 +) +NS_CHECK(time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr, 136, ignore, ignore) + +AT_DATA(./deny_cidr, +10.253.0.0/16 +10.253.128.0/17 +) +NS_CHECK(time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr, 136, ignore, ignore) + +AT_DATA(./deny_cidr, +10.1.1.1/32 +) +NS_CHECK(time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr, 136, ignore, ignore) + +AT_DATA(./deny_cidr, +10.0.0.0/8 +10.0.0.0/25 +) +NS_CHECK(time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr, 136, ignore, ignore) + +dnl empty file, no additions, but previous ones will remain +AT_DATA(./deny_cidr, ) +FWD_CHECK(--permanent --ipset=deny_set --add-entries-from-file=./deny_cidr, 0, ignore, ignore) + +FWD_END_TEST()
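Review bot: The set is created with `--option=maxelem=20000` but the generator loop writes 250 x 250 = 62500 `/24` entries plus one `/16`; this only works because every call is `--permanent`, so the kernel never sees the set and `maxelem` is not enforced. Add a `dnl` line stating that the test intentionally never reloads (a `FWD_RELOAD` would make ipset reject the set), or raise `maxelem`, so that a later reload does not produce a confusing failure. The `time` prefix on the NS_CHECK lines only prints durations and nothing bounds them, so as a guard for the gh881 performance problem the test catches a hang but not a slowdown; wrapping the large add in `timeout` with a generous limit would make the expectation enforceable.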
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/gh940.at
Added
@@ -0,0 +1,98 @@ +FWD_START_TEST(log prefix) +AT_KEYWORDS(policy gh940) + +AT_CHECK(sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf) +AT_CHECK(sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf) + +AT_CHECK(mkdir -p ./policies) +AT_DATA(./policies/log-denied.xml, dnl +<?xml version="1.0" encoding="utf-8"?> +<policy target="DROP" priority="0"> +<short>log-denied</short> +<description>log denied policy</description> +<ingress-zone name="ANY" /> +<egress-zone name="HOST" /> +<icmp-block name="echo-request" /> +<rule> + <port port="6667" protocol="tcp" /> + <log prefix="Dropped IRC Packet: " level="warning" /> + <drop /> +</rule> +</policy> +) +FWD_CHECK(--check-config, 0, ignore, ignore) +FWD_RELOAD + + +NFT_LIST_RULES(inet, filter_IN_policy_log-denied, 0, dnl + table inet firewalld { + chain filter_IN_policy_log-denied { + jump filter_IN_policy_log-denied_pre + jump filter_IN_policy_log-denied_log + jump filter_IN_policy_log-denied_deny + jump filter_IN_policy_log-denied_allow + jump filter_IN_policy_log-denied_post + log prefix "filter_IN_policy_log-denied_DROP: " + drop + } + } +) + +IPTABLES_LIST_RULES(filter, IN_log-denied, 0, dnl + IN_log-denied_pre all -- 0.0.0.0/0 0.0.0.0/0 + IN_log-denied_log all -- 0.0.0.0/0 0.0.0.0/0 + IN_log-denied_deny all -- 0.0.0.0/0 0.0.0.0/0 + IN_log-denied_allow all -- 0.0.0.0/0 0.0.0.0/0 + IN_log-denied_post all -- 0.0.0.0/0 0.0.0.0/0 + LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "IN_log-denied_DROP: " + DROP all -- 0.0.0.0/0 0.0.0.0/0 +) +IP6TABLES_LIST_RULES(filter, IN_log-denied, 0, dnl + IN_log-denied_pre all ::/0 ::/0 + IN_log-denied_log all ::/0 ::/0 + IN_log-denied_deny all ::/0 ::/0 + IN_log-denied_allow all ::/0 ::/0 + IN_log-denied_post all ::/0 ::/0 + LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "IN_log-denied_DROP: " + DROP all ::/0 ::/0 +) + +NFT_LIST_RULES(inet, filter_IN_policy_log-denied_deny, 0, dnl + table inet firewalld { + chain filter_IN_policy_log-denied_deny { + icmp 
echo-request log prefix "filter_log-denied_ICMP_BLOCK: " + icmp echo-request reject with icmpx admin-prohibited + icmpv6 echo-request log prefix "filter_log-denied_ICMP_BLOCK: " + icmpv6 echo-request reject with icmpx admin-prohibited + tcp dport 6667 ct state new,untracked drop + } + } +) + +IPTABLES_LIST_RULES(filter, IN_log-denied_deny, 0, dnl + LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 LOG flags 0 level 4 prefix "log-denied_ICMP_BLOCK: " + REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited + DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667 ctstate NEW,UNTRACKED +) +IP6TABLES_LIST_RULES(filter, IN_log-denied_deny, 0, dnl + LOG icmpv6 ::/0 ::/0 ipv6-icmptype 128 LOG flags 0 level 4 prefix "log-denied_ICMP_BLOCK: " + REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited + DROP tcp ::/0 ::/0 tcp dpt:6667 ctstate NEW,UNTRACKED +) + +NFT_LIST_RULES(inet, filter_IN_policy_log-denied_log, 0, dnl + table inet firewalld { + chain filter_IN_policy_log-denied_log { + tcp dport 6667 ct state new,untracked log prefix "Dropped IRC Packet: " + } + } +) + +IPTABLES_LIST_RULES(filter, IN_log-denied_log, 0, dnl + LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667 ctstate NEW,UNTRACKED LOG flags 0 level 4 prefix "Dropped IRC Packet: " +) +IP6TABLES_LIST_RULES(filter, IN_log-denied_log, 0, dnl + LOG tcp ::/0 ::/0 tcp dpt:6667 ctstate NEW,UNTRACKED LOG flags 0 level 4 prefix "Dropped IRC Packet: " +) + +FWD_END_TEST
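Review bot: The two nft prefixes checked here follow different naming schemes: the policy's terminal rule logs `"filter_IN_policy_log-denied_DROP: "` while the ICMP block in `filter_IN_policy_log-denied_deny` logs `"filter_log-denied_ICMP_BLOCK: "` (no `IN_policy`), and the iptables side has `"IN_log-denied_DROP: "` against `"log-denied_ICMP_BLOCK: "`. If the asymmetry is intentional a comment would help, since log parsers will key on these strings. Note also that the iptables/ip6tables LOG target caps `--log-prefix` at 29 characters, so a policy name only a few characters longer than `log-denied` pushes the `_ICMP_BLOCK: ` and `_DROP: ` prefixes past that limit on the iptables backend; a second case with a long policy name would show whether firewalld truncates the prefix or fails the rule.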
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/regression/regression.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/regression.at
Changed
@@ -46,3 +46,9 @@ m4_include(regression/gh696.at) m4_include(regression/rhbz1917766.at) m4_include(regression/rhbz2014383.at) +m4_include(regression/gh874.at) +m4_include(regression/gh881.at) +m4_include(regression/service_includes_for_builtin.at) +m4_include(regression/gh940.at) +m4_include(regression/build_policy_split_wildcard.at) +m4_include(regression/gh1011.at)
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/regression/rhbz1498923.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/rhbz1498923.at
Changed
@@ -36,7 +36,7 @@ FWD_CHECK(-q --direct --direct --query-rule ipv4 filter FORWARD 0 -p tcp -j ACCEPT) dnl now remove the bad rule and reload successfully -FWD_CHECK(-q --permanent --direct --remove-rule ipv4 filter INPUT 1 --a-bogus-flag) +FWD_OFFLINE_CHECK(--direct --remove-rule ipv4 filter INPUT 1 --a-bogus-flag, 0, ignore) FWD_RELOAD dnl verify the non-permanent stuff we set above remained
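Review bot: the replacement widens what the test accepts. The removed FWD_CHECK ran with --permanent against the running daemon, whereas FWD_OFFLINE_CHECK(..., 0, ignore) runs firewall-offline-cmd and discards its output entirely. A regression in which the offline command exits 0 without actually removing the bogus rule would only surface through the FWD_RELOAD on the following line, so either assert on the command's stdout instead of ignore, or extend the dnl comment above to say that the reload is the real check.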
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/regression/rhbz1514043.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/rhbz1514043.at
Changed
@@ -14,10 +14,10 @@ chain filter_INPUT { ct state established,related accept ct status dnat accept - iifname "lo" accept - jump filter_INPUT_ZONES ct state invalid log prefix "STATE_INVALID_DROP: " ct state invalid drop + iifname "lo" accept + jump filter_INPUT_ZONES log prefix "FINAL_REJECT: " reject with icmpx admin-prohibited } @@ -28,11 +28,11 @@ chain filter_FORWARD { ct state established,related accept ct status dnat accept + ct state invalid log prefix "STATE_INVALID_DROP: " + ct state invalid drop iifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 addr-unreachable jump filter_FORWARD_ZONES - ct state invalid log prefix "STATE_INVALID_DROP: " - ct state invalid drop log prefix "FINAL_REJECT: " reject with icmpx admin-prohibited } 
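Review bot: these two hunks reorder the nft filter_INPUT and filter_FORWARD chains so that the ct state invalid log/drop runs before iifname "lo" accept and before the jump to the zone chains (and, in filter_FORWARD, before the RFC3964 reject). That is a behaviour change rather than a cosmetic one: invalid-state packets can no longer be accepted by the loopback rule or by any zone or policy rule. It is the safer ordering, but since these expectations pin it, it belongs in the package changelog entry and in a dnl comment in the test.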
@@ -41,42 +41,42 @@ IPTABLES_LIST_RULES(filter, INPUT, 0, dnl ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT + LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " + DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 - LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " - DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: " REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ) IPTABLES_LIST_RULES(filter, FORWARD, 0, dnl ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT + LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " + DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 FORWARD_ZONES all -- 0.0.0.0/0 0.0.0.0/0 - LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " - DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: " REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ) IP6TABLES_LIST_RULES(filter, INPUT, 0, dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT + LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " + DROP all ::/0 ::/0 ctstate INVALID ACCEPT all ::/0 ::/0 INPUT_direct all ::/0 ::/0 INPUT_ZONES all ::/0 ::/0 - LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " - DROP all ::/0 ::/0 ctstate INVALID LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: " REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ) IP6TABLES_LIST_RULES(filter, FORWARD, 0, dnl ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT + LOG all 
::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " + DROP all ::/0 ::/0 ctstate INVALID ACCEPT all ::/0 ::/0 FORWARD_direct all ::/0 ::/0 RFC3964_IPv4 all ::/0 ::/0 FORWARD_ZONES all ::/0 ::/0 - LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: " - DROP all ::/0 ::/0 ctstate INVALID LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: " REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited )
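Review bot: the iptables and ip6tables expectations mirror the nft change in all four listings: LOG/DROP ctstate INVALID moves ahead of the loopback ACCEPT, the INPUT_direct/FORWARD_direct chains and the *_ZONES chains. Note the consequence for direct rules, which is visible right here: a rule installed through INPUT_direct or FORWARD_direct no longer sees ctstate INVALID traffic, so an existing direct rule that deliberately accepted such packets silently stops matching after this update. That deserves a line in the DESC of the changelog entry.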
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/regression/rhbz1871298.at -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/rhbz1871298.at
Changed
@@ -13,6 +13,6 @@ if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}" fi -NS_CHECK(timeout 45 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config, 0, ignore) +NS_CHECK(timeout 120 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config, 0, ignore) FWD_END_TEST
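Review bot: the timeout on the --check-config run goes from 45 to 120 seconds with no explanation in the hunk. If the run is legitimately slower in 1.2.1 (more configuration to validate), record why in a dnl comment next to the NS_CHECK; if it is flakiness on the build hosts, the larger timeout is hiding a performance regression in firewall-offline-cmd rather than fixing it.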
_service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/regression/service_includes_for_builtin.at
Added
@@ -0,0 +1,29 @@ +FWD_START_TEST(service include for built-in) +AT_KEYWORDS(dbus service service_includes_for_builtin service_includes_for_built-in) + +dnl get a built-in (anything outside of /etc/firewalld) service +dnl +DBUS_CHECK(config, config.getServiceByName, "ssh", 0, stdout) +SERVICE_OBJ=$(sed -e "s/.*config\/service\/\(^'\+\)'.*/\1/" ./stdout) +export SERVICE_OBJ + +dnl literally copy/paste from src/tests/dbus/service.at, but this copy is +dnl against a built-in service +dnl +DBUS_CHECK(config/service/${SERVICE_OBJ}, config.service.getIncludes, , 0, dnl +(@as ,) +) +DBUS_CHECK(config/service/${SERVICE_OBJ}, config.service.setIncludes, '"https", "http"', 0, ignore) +DBUS_CHECK(config/service/${SERVICE_OBJ}, config.service.getIncludes, , 0, dnl +('https', 'http',) +) +DBUS_CHECK(config/service/${SERVICE_OBJ}, config.service.addInclude, '"http"', 0, ignore) +DBUS_CHECK(config/service/${SERVICE_OBJ}, config.service.queryInclude, '"http"', 0, dnl +(true,) +) +DBUS_CHECK(config/service/${SERVICE_OBJ}, config.service.removeInclude, '"http"', 0, ignore) +DBUS_CHECK(config/service/${SERVICE_OBJ}, config.service.queryInclude, '"http"', 0, dnl +(false,) +) + +FWD_END_TEST()
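Review bot: the sed expression on the SERVICE_OBJ line looks wrong as rendered here: in `\(^'\+\)` the `^` is an anchor inside a group, not a negated character class, so the group cannot match anything after `config/service/`; the intended pattern is almost certainly `\([^']\+\)`. With the anchor form, sed leaves the line unchanged and SERVICE_OBJ becomes the entire getServiceByName output, and every later DBUS_CHECK builds its object path from that. Also, the file closes with FWD_END_TEST() while the other tests in this changeset use FWD_END_TEST without parentheses; pick one form.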
_service:tar_scm:firewalld-1.0.2.tar.gz/src/tests/testsuite -> _service:tar_scm:firewalld-1.2.1.tar.gz/src/tests/testsuite
Changed
@@ -1,7 +1,7 @@ #! /bin/sh -# Generated from testsuite.at by GNU Autoconf 2.71. +# Generated from testsuite.at by GNU Autoconf 2.69. # -# Copyright (C) 2009-2017, 2020-2021 Free Software Foundation, Inc. +# Copyright (C) 2009-2012 Free Software Foundation, Inc. # # This test suite is free software; the Free Software Foundation gives # unlimited permission to copy, distribute and modify it. @@ -11,16 +11,14 @@ # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -as_nop=: -if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST -else $as_nop +else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( 
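Review bot: the generated testsuite script goes backward from Autoconf 2.71 to 2.69 (both the "Generated from" header and the copyright range regress). Regenerating with an older autotest than the previous release used drops the 2.71 forms visible in this hunk (the `as_nop` variable and `then :` on its own line) and makes generator churn dwarf the real test changes in the diff. Regenerate on a host with Autoconf 2.71 or newer, or stop committing the generated script and produce it at build time.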
@@ -30,46 +28,46 @@ fi - -# Reset variables that may have inherited troublesome values from -# the environment. - -# IFS needs to be set, to space, tab, and newline, in precisely that order. -# (If _AS_PATH_WALK were called with IFS unset, it would have the -# side effect of setting IFS to empty, thus disabling word splitting.) -# Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl -IFS=" "" $as_nl" - -PS1='$ ' -PS2='> ' -PS4='+ ' - -# Ensure predictable behavior from utilities with locale-dependent output. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# We cannot yet rely on "unset" to work, but we need these variables -# to be unset--not just set to an empty or harmless value--now, to -# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct -# also avoids known problems related to "unset" and subshell syntax -# in other old shells (e.g. bash 2.01 and pdksh 5.2.14). -for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH -do eval test \${$as_var+y} \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done - -# Ensure that fds 0, 1, and 2 are open. -if (exec 3>&0) 2>/dev/null; then :; else exec 0</dev/null; fi -if (exec 3>&1) 2>/dev/null; then :; else exec 1>/dev/null; fi -if (exec 3>&2) ; then :; else exec 2>/dev/null; fi +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. 
+if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi # The user is always right. -if ${PATH_SEPARATOR+false} :; then +if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || @@ -78,6 +76,13 @@ fi +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( @@ -86,12 +91,8 @@ for as_dir in $PATH do IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - test -r "$as_dir$0" && as_myself=$as_dir$0 && break + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS 
@@ -103,22 +104,40 @@ as_myself=$0 fi if test ! -f "$as_myself"; then - printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="as_nop=: -if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST -else \$as_nop +else case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( @@ -138,53 +157,42 @@ as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } -if ( set x; as_fn_ret_success y && test x = \"\$1\" ) -then : +if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : -else \$as_nop +else exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 -blah=\$(echo \$(echo blah))
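Review bot: beyond the version regression, the 2.69 output removes the block that ensures fds 0, 1 and 2 are open (the `if (exec 3>&0) ...` lines), reintroduces the large as_echo/printf probing block, and moves the LC_ALL/LANGUAGE/PS1 setup, the BASH_ENV/ENV/MAIL/MAILPATH unset loop and the CDPATH unset to after the PATH walk that locates $as_myself, so that walk now runs before the locale is forced to C and before CDPATH is cleared. None of this is a firewalld change; it is entirely a consequence of the generator version, which is one more reason to regenerate rather than ship this output.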