
Bug#1042903: bookworm-pu: package firewalld/1.3.3-1~deb12u1



Sorry, forgot to attach the actual files.


diff --git a/src/firewall-applet b/src/firewall-applet
index 52f4544f..a4ece273 100755
--- a/src/firewall-applet
+++ b/src/firewall-applet
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2010-2015 Red Hat, Inc.
@@ -20,15 +20,21 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-import sys
-from PyQt5 import QtGui, QtCore, QtWidgets
+try:
+    from PyQt6 import QtGui, QtCore, QtWidgets
+    from PyQt6.QtGui import QAction
+    from dbus.mainloop.pyqt6 import DBusQtMainLoop
+except (ImportError, ModuleNotFoundError):
+    from PyQt5 import QtGui, QtCore, QtWidgets
+    from PyQt5.QtWidgets import QAction
+    from dbus.mainloop.pyqt5 import DBusQtMainLoop
 
 import gi
 gi.require_version('Notify', '0.7')
 from gi.repository import Notify
 
+import sys
 import os
-from dbus.mainloop.pyqt5 import DBusQtMainLoop
 import functools
 
 from firewall import config
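Review bot: The PyQt5 fallback in the new `try`/`except` fires on any import failure in the block, including the case where `PyQt6` itself imported fine and only `dbus.mainloop.pyqt6` is missing. In that case the PyQt6 modules are already loaded in the process when the names are rebound to PyQt5, and whether both Qt bindings can coexist in one process should be confirmed. Importing the D-Bus main loop first (`from dbus.mainloop.pyqt6 import DBusQtMainLoop` as the first line of the `try`) would make the choice all-or-nothing, assuming that module does not itself load PyQt6 before failing. `ModuleNotFoundError` is a subclass of `ImportError`, so `except ImportError:` is enough. The same block is repeated in src/firewall-applet.in.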
@@ -58,7 +64,9 @@ def search_app(app):
     return None
 
 NM_CONNECTION_EDITOR = ""
-for binary in [ "/usr/bin/nm-connection-editor",
+for binary in [ "/usr/bin/systemsettings",
+                    "/bin/systemsettings",
+                "/usr/bin/nm-connection-editor",
                     "/bin/nm-connection-editor",
                 "/usr/bin/kde5-nm-connection-editor",
                     "/bin/kde5-nm-connection-editor",
@@ -102,9 +110,9 @@ class ZoneInterfaceEditor(QtWidgets.QDialog):
         self.fill_zone_combo()
         vbox.addWidget(self.combo)
 
-        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
-                                           | QtWidgets.QDialogButtonBox.Cancel)
-        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+                                           | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
         buttonBox.accepted.connect(self.ok)
         buttonBox.rejected.connect(self.hide)
         vbox.addWidget(buttonBox)
@@ -252,9 +260,9 @@ class ShieldsEditor(QtWidgets.QDialog):
 
         vbox.addLayout(grid)
 
-        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
-                                           | QtWidgets.QDialogButtonBox.Cancel)
-        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+                                           | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
         buttonBox.accepted.connect(self.ok)
         buttonBox.rejected.connect(self.hide)
         vbox.addWidget(buttonBox)
@@ -357,8 +365,8 @@ class AboutDialog(QtWidgets.QDialog):
         vbox2.addWidget(QtWidgets.QLabel(version))
 
         label = QtWidgets.QLabel("<a href=\"%s\">%s</a>" % (url, url))
-        label.setTextFormat(QtCore.Qt.RichText)
-        label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction)
+        label.setTextFormat(QtCore.Qt.TextFormat.RichText)
+        label.setTextInteractionFlags(QtCore.Qt.TextInteractionFlag.TextBrowserInteraction)
         label.setOpenExternalLinks(True)
 
         vbox2.addWidget(label)
@@ -394,7 +402,7 @@ class AboutDialog(QtWidgets.QDialog):
 
         vbox.addWidget(tabs)
 
-        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Close)
+        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Close)
         buttonBox.rejected.connect(self.hide)
         vbox.addWidget(buttonBox)
 
@@ -452,47 +460,47 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
 
         # urgencies
 
-        self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.NoIcon,
-                           "information": QtWidgets.QSystemTrayIcon.Information,
-                           "warning": QtWidgets.QSystemTrayIcon.Warning,
-                           "critical": QtWidgets.QSystemTrayIcon.Critical }
+        self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.MessageIcon.NoIcon,
+                           "information": QtWidgets.QSystemTrayIcon.MessageIcon.Information,
+                           "warning": QtWidgets.QSystemTrayIcon.MessageIcon.Warning,
+                           "critical": QtWidgets.QSystemTrayIcon.MessageIcon.Critical }
 
         # actions
 
-        self.shieldsupAction = QtWidgets.QAction(escape(_("Shields Up")),
+        self.shieldsupAction = QAction(escape(_("Shields Up")),
                                              self)
         self.shieldsupAction.setCheckable(True)
         self.shieldsupAction.setChecked(False)
         self.shieldsupAction.triggered.connect(self.shieldsup_changed_cb)
 
-        self.notificationsAction = QtWidgets.QAction(
+        self.notificationsAction = QAction(
             escape(_("Enable Notifications")), self)
         self.notificationsAction.setCheckable(True)
         self.notificationsAction.setChecked(False)
         self.notificationsAction.triggered.connect(self.notification_changed_cb)
 
-        self.settingsAction = QtWidgets.QAction(
+        self.settingsAction = QAction(
             escape(_("Edit Firewall Settings...")), self)
         self.settingsAction.triggered.connect(self.configure_cb)
 
-        self.changeZonesAction = QtWidgets.QAction(
+        self.changeZonesAction = QAction(
             escape(_("Change Zones of Connections...")), self)
         self.changeZonesAction.triggered.connect(self.nm_connection_editor)
 
-        self.shieldsAction = QtWidgets.QAction(
+        self.shieldsAction = QAction(
             escape(_("Configure Shields UP/Down Zones...")), self)
         self.shieldsAction.triggered.connect(self.configure_shields)
 
-        self.panicAction = QtWidgets.QAction(
+        self.panicAction = QAction(
             escape(_("Block all network traffic")), self)
         self.panicAction.setCheckable(True)
         self.panicAction.setChecked(False)
         self.panicAction.triggered.connect(self.panic_mode_cb)
 
-        self.aboutAction = QtWidgets.QAction(escape(_("About")), self)
-        self.aboutAction.triggered.connect(self.about_dialog.exec_)
+        self.aboutAction = QAction(escape(_("About")), self)
+        self.aboutAction.triggered.connect(self.about_dialog.exec)
 
-        #self.quitAction = QtWidgets.QAction(escape(_("Quit")), self,
+        #self.quitAction = QAction(escape(_("Quit")), self,
         #                                triggered=self.quit)
 
         self.connectionsAction = QtWidgets.QWidgetAction(self)
@@ -682,12 +690,12 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
             connection_name = connections[connection][1]
             if zone == "":
                 _binding = _("{entry} (Default Zone: {default_zone})")
-                action = QtWidgets.QAction(
+                action = QAction(
                     escape(
                         _binding.format(default_zone=self.default_zone,
                                         entry=connection_name)), self)
             else:
-                action = QtWidgets.QAction(
+                action = QAction(
                     escape(binding.format(zone=zone, entry=connection_name)), self)
             action.triggered.connect(functools.partial(
                 self.zone_connection_editor, connection, connection_name, zone))
@@ -699,7 +707,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
         # add other interfaces
         for interface in sorted(interfaces):
             zone = interfaces[interface]
-            action = QtWidgets.QAction(
+            action = QAction(
                 escape(binding.format(zone=zone, entry=interface)), self)
             action.triggered.connect(functools.partial(
                 self.zone_interface_editor, interface, zone))
@@ -710,7 +718,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
 
         for source in sorted(sources):
             zone = sources[source]
-            action = QtWidgets.QAction(
+            action = QAction(
                 escape(binding.format(zone=zone, entry=source)), self)
             action.triggered.connect(functools.partial(
                 self.zone_source_editor, source, zone))
@@ -920,12 +928,17 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
             return
 
         if uuid:
-            if "kde-" in NM_CONNECTION_EDITOR:
+            if "systemsettings" in NM_CONNECTION_EDITOR:
+                os.system("%s kcm_networkmanagement --args Uuid=%s &" % (NM_CONNECTION_EDITOR, uuid))
+            elif "kde-" in NM_CONNECTION_EDITOR:
                 os.system("%s %s &" % (NM_CONNECTION_EDITOR, uuid))
             else:
                 os.system("%s --edit=%s &" % (NM_CONNECTION_EDITOR, uuid))
         else:
-            os.system("%s &" % NM_CONNECTION_EDITOR)
+            if "systemsettings" in NM_CONNECTION_EDITOR:
+                os.system("%s kcm_networkmanagement &" % NM_CONNECTION_EDITOR)
+            else:
+                os.system("%s &" % NM_CONNECTION_EDITOR)
 
     def warning(self, text):
         QtWidgets.QMessageBox.warning(None, escape(self.name), text)
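Review bot: The two added `os.system()` calls extend the existing pattern of building a shell command line with `%` formatting, so `uuid` is parsed by `/bin/sh` before the editor ever sees it. `NM_CONNECTION_EDITOR` comes from a fixed list of absolute paths, but where `uuid` originates is outside this hunk; if it is not guaranteed to be a well-formed UUID, any shell metacharacter in it is interpreted. Passing an argument list to `subprocess.Popen` removes the shell entirely and keeps the non-blocking behaviour of the trailing `&`; it needs `import subprocess` at the top of the file. The method starts outside the hunk, and the same change applies to the identical hunk in src/firewall-applet.in.

```python
        # … unchanged: early return above …
        if "systemsettings" in NM_CONNECTION_EDITOR:
            argv = [NM_CONNECTION_EDITOR, "kcm_networkmanagement"]
            if uuid:
                argv += ["--args", "Uuid=%s" % uuid]
        elif not uuid:
            argv = [NM_CONNECTION_EDITOR]
        elif "kde-" in NM_CONNECTION_EDITOR:
            argv = [NM_CONNECTION_EDITOR, uuid]
        else:
            argv = [NM_CONNECTION_EDITOR, "--edit=%s" % uuid]
        # argv list, no shell: uuid is passed as a single argument
        subprocess.Popen(argv)
```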
@@ -1119,4 +1132,4 @@ app.setQuitOnLastWindowClosed(False)
 
 applet = TrayApplet()
 applet.show()
-sys.exit(app.exec_())
+sys.exit(app.exec())
diff --git a/src/firewall-applet.in b/src/firewall-applet.in
index 894ab05b..7176e1c0 100755
--- a/src/firewall-applet.in
+++ b/src/firewall-applet.in
@@ -20,15 +20,21 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-import sys
-from PyQt5 import QtGui, QtCore, QtWidgets
+try:
+    from PyQt6 import QtGui, QtCore, QtWidgets
+    from PyQt6.QtGui import QAction
+    from dbus.mainloop.pyqt6 import DBusQtMainLoop
+except (ImportError, ModuleNotFoundError):
+    from PyQt5 import QtGui, QtCore, QtWidgets
+    from PyQt5.QtWidgets import QAction
+    from dbus.mainloop.pyqt5 import DBusQtMainLoop
 
 import gi
 gi.require_version('Notify', '0.7')
 from gi.repository import Notify
 
+import sys
 import os
-from dbus.mainloop.pyqt5 import DBusQtMainLoop
 import functools
 
 from firewall import config
@@ -58,7 +64,9 @@ def search_app(app):
     return None
 
 NM_CONNECTION_EDITOR = ""
-for binary in [ "/usr/bin/nm-connection-editor",
+for binary in [ "/usr/bin/systemsettings",
+                    "/bin/systemsettings",
+                "/usr/bin/nm-connection-editor",
                     "/bin/nm-connection-editor",
                 "/usr/bin/kde5-nm-connection-editor",
                     "/bin/kde5-nm-connection-editor",
@@ -102,9 +110,9 @@ class ZoneInterfaceEditor(QtWidgets.QDialog):
         self.fill_zone_combo()
         vbox.addWidget(self.combo)
 
-        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
-                                           | QtWidgets.QDialogButtonBox.Cancel)
-        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+                                           | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
         buttonBox.accepted.connect(self.ok)
         buttonBox.rejected.connect(self.hide)
         vbox.addWidget(buttonBox)
@@ -252,9 +260,9 @@ class ShieldsEditor(QtWidgets.QDialog):
 
         vbox.addLayout(grid)
 
-        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
-                                           | QtWidgets.QDialogButtonBox.Cancel)
-        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+                                           | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+        self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
         buttonBox.accepted.connect(self.ok)
         buttonBox.rejected.connect(self.hide)
         vbox.addWidget(buttonBox)
@@ -357,8 +365,8 @@ class AboutDialog(QtWidgets.QDialog):
         vbox2.addWidget(QtWidgets.QLabel(version))
 
         label = QtWidgets.QLabel("<a href=\"%s\">%s</a>" % (url, url))
-        label.setTextFormat(QtCore.Qt.RichText)
-        label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction)
+        label.setTextFormat(QtCore.Qt.TextFormat.RichText)
+        label.setTextInteractionFlags(QtCore.Qt.TextInteractionFlag.TextBrowserInteraction)
         label.setOpenExternalLinks(True)
 
         vbox2.addWidget(label)
@@ -394,7 +402,7 @@ class AboutDialog(QtWidgets.QDialog):
 
         vbox.addWidget(tabs)
 
-        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Close)
+        buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Close)
         buttonBox.rejected.connect(self.hide)
         vbox.addWidget(buttonBox)
 
@@ -452,47 +460,47 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
 
         # urgencies
 
-        self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.NoIcon,
-                           "information": QtWidgets.QSystemTrayIcon.Information,
-                           "warning": QtWidgets.QSystemTrayIcon.Warning,
-                           "critical": QtWidgets.QSystemTrayIcon.Critical }
+        self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.MessageIcon.NoIcon,
+                           "information": QtWidgets.QSystemTrayIcon.MessageIcon.Information,
+                           "warning": QtWidgets.QSystemTrayIcon.MessageIcon.Warning,
+                           "critical": QtWidgets.QSystemTrayIcon.MessageIcon.Critical }
 
         # actions
 
-        self.shieldsupAction = QtWidgets.QAction(escape(_("Shields Up")),
+        self.shieldsupAction = QAction(escape(_("Shields Up")),
                                              self)
         self.shieldsupAction.setCheckable(True)
         self.shieldsupAction.setChecked(False)
         self.shieldsupAction.triggered.connect(self.shieldsup_changed_cb)
 
-        self.notificationsAction = QtWidgets.QAction(
+        self.notificationsAction = QAction(
             escape(_("Enable Notifications")), self)
         self.notificationsAction.setCheckable(True)
         self.notificationsAction.setChecked(False)
         self.notificationsAction.triggered.connect(self.notification_changed_cb)
 
-        self.settingsAction = QtWidgets.QAction(
+        self.settingsAction = QAction(
             escape(_("Edit Firewall Settings...")), self)
         self.settingsAction.triggered.connect(self.configure_cb)
 
-        self.changeZonesAction = QtWidgets.QAction(
+        self.changeZonesAction = QAction(
             escape(_("Change Zones of Connections...")), self)
         self.changeZonesAction.triggered.connect(self.nm_connection_editor)
 
-        self.shieldsAction = QtWidgets.QAction(
+        self.shieldsAction = QAction(
             escape(_("Configure Shields UP/Down Zones...")), self)
         self.shieldsAction.triggered.connect(self.configure_shields)
 
-        self.panicAction = QtWidgets.QAction(
+        self.panicAction = QAction(
             escape(_("Block all network traffic")), self)
         self.panicAction.setCheckable(True)
         self.panicAction.setChecked(False)
         self.panicAction.triggered.connect(self.panic_mode_cb)
 
-        self.aboutAction = QtWidgets.QAction(escape(_("About")), self)
-        self.aboutAction.triggered.connect(self.about_dialog.exec_)
+        self.aboutAction = QAction(escape(_("About")), self)
+        self.aboutAction.triggered.connect(self.about_dialog.exec)
 
-        #self.quitAction = QtWidgets.QAction(escape(_("Quit")), self,
+        #self.quitAction = QAction(escape(_("Quit")), self,
         #                                triggered=self.quit)
 
         self.connectionsAction = QtWidgets.QWidgetAction(self)
@@ -682,12 +690,12 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
             connection_name = connections[connection][1]
             if zone == "":
                 _binding = _("{entry} (Default Zone: {default_zone})")
-                action = QtWidgets.QAction(
+                action = QAction(
                     escape(
                         _binding.format(default_zone=self.default_zone,
                                         entry=connection_name)), self)
             else:
-                action = QtWidgets.QAction(
+                action = QAction(
                     escape(binding.format(zone=zone, entry=connection_name)), self)
             action.triggered.connect(functools.partial(
                 self.zone_connection_editor, connection, connection_name, zone))
@@ -699,7 +707,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
         # add other interfaces
         for interface in sorted(interfaces):
             zone = interfaces[interface]
-            action = QtWidgets.QAction(
+            action = QAction(
                 escape(binding.format(zone=zone, entry=interface)), self)
             action.triggered.connect(functools.partial(
                 self.zone_interface_editor, interface, zone))
@@ -710,7 +718,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
 
         for source in sorted(sources):
             zone = sources[source]
-            action = QtWidgets.QAction(
+            action = QAction(
                 escape(binding.format(zone=zone, entry=source)), self)
             action.triggered.connect(functools.partial(
                 self.zone_source_editor, source, zone))
@@ -920,12 +928,17 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
             return
 
         if uuid:
-            if "kde-" in NM_CONNECTION_EDITOR:
+            if "systemsettings" in NM_CONNECTION_EDITOR:
+                os.system("%s kcm_networkmanagement --args Uuid=%s &" % (NM_CONNECTION_EDITOR, uuid))
+            elif "kde-" in NM_CONNECTION_EDITOR:
                 os.system("%s %s &" % (NM_CONNECTION_EDITOR, uuid))
             else:
                 os.system("%s --edit=%s &" % (NM_CONNECTION_EDITOR, uuid))
         else:
-            os.system("%s &" % NM_CONNECTION_EDITOR)
+            if "systemsettings" in NM_CONNECTION_EDITOR:
+                os.system("%s kcm_networkmanagement &" % NM_CONNECTION_EDITOR)
+            else:
+                os.system("%s &" % NM_CONNECTION_EDITOR)
 
     def warning(self, text):
         QtWidgets.QMessageBox.warning(None, escape(self.name), text)
@@ -1119,4 +1132,4 @@ app.setQuitOnLastWindowClosed(False)
 
 applet = TrayApplet()
 applet.show()
-sys.exit(app.exec_())
+sys.exit(app.exec())
diff --git a/src/firewall-cmd b/src/firewall-cmd
index 51b7badf..9e03a51c 100755
--- a/src/firewall-cmd
+++ b/src/firewall-cmd
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2009-2016 Red Hat, Inc.
diff --git a/src/firewall-config b/src/firewall-config
index b91d1f12..1fb26934 100755
--- a/src/firewall-config
+++ b/src/firewall-config
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2011-2015 Red Hat, Inc.
@@ -3750,7 +3750,8 @@ class FirewallConfig(object):
                 or self.richRuleDialogDestinationInvertCheck.get_active()):
             rule.destination = rich.Rich_Destination(
                 self.richRuleDialogDestinationChooser.get_text(),
-                self.richRuleDialogDestinationInvertCheck.get_active())
+                None,
+                invert=self.richRuleDialogDestinationInvertCheck.get_active())
 
         # log
         if self.richRuleDialogLogCheck.is_sensitive() and \
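Review bot: The bare positional `None` in the new `rich.Rich_Destination(...)` call gives no hint of what it stands for, and the old code shows how easily a positional slot here is filled with the wrong value (the invert flag landed in it). Since `invert=` is already passed by keyword, the second argument should be named too, or at least commented, e.g. `None,  # no ipset destination from this dialog` (presumably the second parameter is the ipset; confirm against `Rich_Destination.__init__`, which is not on this page). The same call is patched in src/firewall-config.in.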
diff --git a/src/firewall-config.in b/src/firewall-config.in
index 29d4d667..8aa58394 100755
--- a/src/firewall-config.in
+++ b/src/firewall-config.in
@@ -3750,7 +3750,8 @@ class FirewallConfig(object):
                 or self.richRuleDialogDestinationInvertCheck.get_active()):
             rule.destination = rich.Rich_Destination(
                 self.richRuleDialogDestinationChooser.get_text(),
-                self.richRuleDialogDestinationInvertCheck.get_active())
+                None,
+                invert=self.richRuleDialogDestinationInvertCheck.get_active())
 
         # log
         if self.richRuleDialogLogCheck.is_sensitive() and \
diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd
index b333598a..1483aac5 100755
--- a/src/firewall-offline-cmd
+++ b/src/firewall-offline-cmd
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2009-2016 Red Hat, Inc.
diff --git a/src/firewall/config/__init__.py b/src/firewall/config/__init__.py
index 602b226a..8f709337 100644
--- a/src/firewall/config/__init__.py
+++ b/src/firewall/config/__init__.py
@@ -40,7 +40,7 @@ APPLET_NAME = 'firewall-applet'
 DATADIR = '/usr/share/' + DAEMON_NAME
 CONFIG_GLADE_NAME = CONFIG_NAME + '.glade'
 COPYRIGHT = '(C) 2010-2017 Red Hat, Inc.'
-VERSION = '1.3.0'
+VERSION = '1.3.3'
 AUTHORS = [
     "Thomas Woerner <twoerner@redhat.com>",
     "Jiri Popelka <jpopelka@redhat.com>",
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 14180e45..e9db1c6f 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -1095,6 +1095,7 @@ class Firewall(object):
         _omit_native_ipset = self.ipset.omit_native_ipset()
 
         # must stash this. The value may change after _start()
+        old_firewall_backend = self._firewall_backend
         flush_all = self._flush_all_on_reload
 
         if not flush_all:
@@ -1114,6 +1115,7 @@ class Firewall(object):
             self.set_policy("DROP")
 
         # stop
+        self.flush()
         self.cleanup()
 
         start_exception = None
@@ -1196,6 +1198,19 @@ class Firewall(object):
         if not self._panic:
             self.set_policy("ACCEPT")
 
+        # If the FirewallBackend changed, then we must also cleanup the policy
+        # for the old backend that was set to DROP above.
+        if not self._panic and old_firewall_backend != self._firewall_backend:
+            if old_firewall_backend == "nftables":
+                for rule in self.nftables_backend.build_set_policy_rules("ACCEPT"):
+                    self.nftables_backend.set_rule(rule, self._log_denied)
+            else:
+                for rule in self.ip4tables_backend.build_set_policy_rules("ACCEPT"):
+                    self.ip4tables_backend.set_rule(rule, self._log_denied)
+                if self.ip6tables_enabled:
+                    for rule in self.ip6tables_backend.build_set_policy_rules("ACCEPT"):
+                        self.ip6tables_backend.set_rule(rule, self._log_denied)
+
         if start_exception:
             self._state = "FAILED"
             raise start_exception
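Review bot: The new block that resets the old backend's policy to ACCEPT runs before `if start_exception:` and is not inside any `try`. If one of the `set_rule()` calls raises, `self._state = "FAILED"` is never reached and the original `start_exception` is lost. Wrapping the block in `try`/`except Exception as exc:` and recording the failure with `start_exception = start_exception or exc` would keep the existing failure path intact. The `else:` branch also treats every value other than `"nftables"` as iptables, and it guards only the IPv6 calls with `self.ip6tables_enabled`; if there is an equivalent flag for IPv4, check it here as well. The method starts and ends outside this hunk.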
diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
index 0e38dd47..9ff8f500 100644
--- a/src/firewall/core/fw_nm.py
+++ b/src/firewall/core/fw_nm.py
@@ -186,6 +186,22 @@ def nm_get_interfaces_in_zone(zone):
 
     return interfaces
 
+def nm_get_device_by_ip_iface(interface):
+    """Get device from NM which has the given IP interface
+    @param interface name
+    @returns NM.Device instance or None
+    """
+    check_nm_imported()
+
+    for device in nm_get_client().get_devices():
+        ip_iface = device.get_ip_iface()
+        if ip_iface is None:
+            continue
+        if ip_iface == interface:
+            return device
+
+    return None
+
 def nm_get_connection_of_interface(interface):
     """Get connection from NM that is using the interface
     @param interface name
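Review bot: `nm_get_device_by_ip_iface()` skips every device whose `get_ip_iface()` is `None`, so a device that `get_device_by_iface()` matched by its device name is no longer found until it has an IP interface. `nm_get_connection_of_interface()` (next hunk) then returns `None`. Confirm that callers treat that result as "not managed by NetworkManager" on purpose, since it presumably affects which zone the interface ends up in. The docstring should also say why the IP interface is compared and that the first match wins, e.g. `"""Return the first NM device whose IP interface name equals interface, or None."""`.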
@@ -193,7 +209,7 @@ def nm_get_connection_of_interface(interface):
     """
     check_nm_imported()
 
-    device = nm_get_client().get_device_by_iface(interface)
+    device = nm_get_device_by_ip_iface(interface)
     if device is None:
         return None
 
diff --git a/src/firewall/core/fw_policy.py b/src/firewall/core/fw_policy.py
index 0f86695d..ff6ac07a 100644
--- a/src/firewall/core/fw_policy.py
+++ b/src/firewall/core/fw_policy.py
@@ -1327,7 +1327,21 @@ class FirewallPolicy(object):
                 "ipset '%s' with type '%s' not usable as source" % \
                 (name, _type))
 
-    def _rule_prepare(self, enable, policy, rule, transaction):
+    def _rule_prepare(self, enable, policy, rule, transaction, included_services=None):
+        # First apply any services this service may include
+        if type(rule.element) == Rich_Service:
+            svc = self._fw.service.get_service(rule.element.name)
+            if included_services is None:
+                included_services = [rule.element.name]
+            for include in svc.includes:
+                if include in included_services:
+                    continue
+                self.check_service(include)
+                included_services.append(include)
+                _rule = copy.deepcopy(rule)
+                _rule.element.name = include
+                self._rule_prepare(enable, policy, _rule, transaction, included_services=included_services)
+
         ipvs = []
         if rule.family:
             ipvs = [ rule.family ]
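Review bot: The new `included_services` parameter of `_rule_prepare()` is undocumented although the recursion depends on it: the same list object is passed down and appended to so that a service reached through several includes, or through an include cycle, is expanded only once. A short comment such as `# included_services: names already expanded in this call tree; shared across the recursion to stop include cycles` would make that clear. `type(rule.element) == Rich_Service` would read better as `isinstance(rule.element, Rich_Service)`. Note also that `self.check_service(include)` can raise after earlier includes have already been prepared into `transaction`; whether the caller discards the transaction in that case is not visible here and should be confirmed. The method body continues outside the hunk.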
@@ -1806,8 +1820,7 @@ class FirewallPolicy(object):
         elif "ANY" in obj.ingress_zones:
             # any --> zone
             return [("nat", "POSTROUTING")]
-        else:
-            return FirewallError("Invalid policy: %s" % (policy))
+        raise FirewallError(errors.INVALID_POLICY, "Invalid policy: %s" % (policy))
 
     def policy_base_chain_name(self, policy, table, policy_prefix, isSNAT=False):
         obj = self._fw.policy.get_policy(policy)
@@ -1865,4 +1878,4 @@ class FirewallPolicy(object):
                     return "PRE_" + suffix
             elif table in ["mangle", "raw"]:
                 return "PRE_" + suffix
-        return FirewallError("Can't convert policy to chain name: %s, %s, %s" % (policy, table, isSNAT))
+        raise FirewallError(errors.INVALID_POLICY, "Can't convert policy to chain name: %s, %s, %s" % (policy, table, isSNAT))
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 0dfb3609..cdf08089 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -845,7 +845,7 @@ class FirewallZone(object):
         elif rule.element is None:
             return [self.policy_name_from_zones(zone, "HOST")]
         else:
-            raise FirewallError("Rich rule type (%s) not handled." % (type(rule.element)))
+            raise FirewallError(errors.INVALID_RULE, "Rich rule type (%s) not handled." % (type(rule.element)))
 
     def add_rule(self, zone, rule, timeout=0, sender=None):
         for p_name in self._rich_rule_to_policies(zone, rule):
diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
index 66d4b9ec..0a24e0f6 100644
--- a/src/firewall/core/io/policy.py
+++ b/src/firewall/core/io/policy.py
@@ -109,7 +109,7 @@ def common_startElement(obj, name, attrs):
                 obj._rule_error = True
                 return True
             _value="pmtu"
-            if "value" in attrs:
+            if "value" in attrs and attrs["value"] not in [None, "None"]:
                 _value = attrs["value"]
             obj._rule.element = rich.Rich_Tcp_Mss_Clamp(_value)
         else:
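Review bot: The added condition `attrs["value"] not in [None, "None"]` accepts the literal string `"None"` without saying why. Presumably it tolerates files in which an unset value was serialised as `value="None"`; the writer hunk in this file now omits the attribute instead. A comment would keep the check from being removed later as dead code, e.g. `# older files may contain value="None"; treat it like a missing attribute and fall back to pmtu`. A tuple `(None, "None")` is the more usual form for a constant membership test.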
@@ -591,7 +591,8 @@ def common_writer(obj, handler):
                 attrs["value"] = rule.element.value
             elif type(rule.element) == rich.Rich_Tcp_Mss_Clamp:
                 element = "tcp-mss-clamp"
-                attrs["value"] = rule.element.value
+                if rule.element.value and rule.element.value != "pmtu":
+                    attrs["value"] = rule.element.value
             elif type(rule.element) == rich.Rich_Masquerade:
                 element = "masquerade"
             elif type(rule.element) == rich.Rich_IcmpBlock:
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 08f611a5..ef894971 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -772,6 +772,15 @@ class nftables(object):
                 egress_fragments.append(self._rule_addr_fragment("daddr", dst))
 
         def _generate_policy_dispatch_rule(ingress_fragment, egress_fragment):
+            if ingress_fragment and egress_fragment:
+                # The IP families must be the same
+                #
+                if "payload" in ingress_fragment["match"]["left"] and \
+                   "payload" in egress_fragment["match"]["left"] and \
+                   ingress_fragment["match"]["left"]["payload"]["protocol"] != \
+                   egress_fragment["match"]["left"]["payload"]["protocol"]:
+                    return None
+
             expr_fragments = []
             if ingress_fragment:
                 expr_fragments.append(ingress_fragment)
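Review bot: `_generate_policy_dispatch_rule()` can now return `None`, but its call sites are outside this hunk. Any caller that adds the result to a rule list unconditionally would hand `None` to the backend, so each call needs a guard such as `if rule is not None:` (confirm the callers were updated). The check also indexes `["match"]["left"]` directly on both fragments, which assumes every ingress and egress fragment has that shape. The empty `#` line under "The IP families must be the same" could carry the reason instead, e.g. `# an IPv4 match cannot be combined with an IPv6 match in one rule, so no dispatch rule is generated`.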
@@ -1100,8 +1109,8 @@ class nftables(object):
                 "table": TABLE_NAME,
                 "chain": "%s_%s_%s" % (table, _policy, chain_suffix),
                 "expr": expr_fragments +
-                        [{"log": log_options},
-                         self._rich_rule_limit_fragment(rich_rule.log.limit)]}
+                        [self._rich_rule_limit_fragment(rich_rule.log.limit),
+                         {"log": log_options}]}
         rule.update(self._rich_rule_priority_fragment(rich_rule))
         return {add_del: {"rule": rule}}
 
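Review bot: The reordering of the limit and log fragments is not explained in the code, and the order is the whole point of the change. With the limit fragment placed after `{"log": ...}`, the log statement presumably ran before the limit was evaluated, so the rate limit did not bound log volume. A comment above the `"expr"` entry would protect the order from being "tidied" back, e.g. `# limit must come before log: statements are evaluated in order, so a trailing limit does not rate-limit the log`. The same applies to the audit rule in the next hunk.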
@@ -1118,8 +1127,8 @@ class nftables(object):
                 "table": TABLE_NAME,
                 "chain": "%s_%s_%s" % (table, _policy, chain_suffix),
                 "expr": expr_fragments +
-                        [{"log": {"level": "audit"}},
-                         self._rich_rule_limit_fragment(rich_rule.audit.limit)]}
+                        [self._rich_rule_limit_fragment(rich_rule.audit.limit),
+                         {"log": {"level": "audit"}}]}
         rule.update(self._rich_rule_priority_fragment(rich_rule))
         return {add_del: {"rule": rule}}
 
@@ -1748,7 +1757,7 @@ class nftables(object):
             elif format == "mark":
                 fragments.append({"meta": {"key": "mark"}})
             else:
-                raise FirewallError("Unsupported ipset type for match fragment: %s" % (format))
+                raise FirewallError(INVALID_TYPE, "Unsupported ipset type for match fragment: %s" % (format))
 
         return {"match": {"left": {"concat": fragments} if len(type_format) > 1 else fragments[0],
                           "op": "!=" if invert else "==",
@@ -1851,6 +1860,15 @@ class nftables(object):
         rules = []
         rules.extend(self.build_set_create_rules(set_name, type_name, create_options))
         rules.extend(self.build_set_flush_rules(set_name))
+
+        # avoid large memory usage by chunking the entries
+        chunk = 0
         for entry in entries:
             rules.extend(self.build_set_add_rules(set_name, entry))
-        self.set_rules(rules, self._fw.get_log_denied())
+            chunk += 1
+            if chunk >= 1000:
+                self.set_rules(rules, self._fw.get_log_denied())
+                rules.clear()
+                chunk = 0
+        else:
+            self.set_rules(rules, self._fw.get_log_denied())
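Review bot: The `else:` attached to the `for` loop runs whenever the loop finishes, because the loop contains no `break`. It therefore always issues a final `set_rules()` call, with an empty `rules` list when the number of entries is an exact multiple of 1000. Replacing the `for`/`else` with a plain check after the loop, `if rules:` followed by `self.set_rules(rules, self._fw.get_log_denied())`, states the intent and skips the empty call. Chunking also means the set is no longer loaded in a single `set_rules()` call: if a later chunk fails, the set is left created, flushed and only partly populated, which matters when the ipset backs a block list. A comment noting that trade-off, or error handling around the later chunks, would help.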
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 574a23d3..211c094d 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -136,7 +136,10 @@ class Rich_Tcp_Mss_Clamp(object):
         self.value = value
 
     def __str__(self):
-        return 'tcp-mss-clamp value="%s"' % (self.value)
+        if self.value:
+            return 'tcp-mss-clamp value="%s"' % (self.value)
+        else:
+            return 'tcp-mss-clamp'
 
 class Rich_ForwardPort(object):
     def __init__(self, port, protocol, to_port, to_address):
diff --git a/src/firewalld b/src/firewalld
index 5cbf0894..79f5d442 100755
--- a/src/firewalld
+++ b/src/firewalld
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2010-2016 Red Hat, Inc.

Attachment: firewalld.debdiff.gz
Description: application/gzip

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

