3 changed files with 44 additions and 53 deletions
--- a/tcpcrypt-firewalld.xml
+++ b/tcpcrypt-firewalld.xml
@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<direct>
+  <chain ipv="ipv4" table="raw" chain="tcpcrypt"/>
+  <rule ipv="ipv4" table="raw" chain="tcpcrypt" priority="0">
+    -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666</rule>
+  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-j tcpcrypt</rule>
+
+  <chain ipv="ipv4" table="mangle" chain="tcpcrypt"/>
+  <rule ipv="ipv4" table="mangle" chain="tcpcrypt" priority="0">
+    -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666</rule>
+  <rule ipv="ipv4" table="mangle" chain="POSTROUTING" priority="0">-j tcpcrypt</rule>
+</direct>
--- a/tcpcrypt.spec
+++ b/tcpcrypt.spec
@ -4,14 +4,14 @@
 Summary: Opportunistically encrypt TCP connections
 Name: tcpcrypt
 Version: 0.5
-Release: 19%{?dist}
-# Automatically converted from old format: BSD - review is highly recommended.
-License: LicenseRef-Callaway-BSD
+Release: 6%{?dist}
+License: BSD
 Url: http://tcpcrypt.org/
 Source0: http://tcpcrypt.org//%{name}-%{version}.tar.gz
 SOURCE1: tmpfiles-tcpcrypt.conf
 SOURCE2: tcpcryptd.service
 SOURCE3: tcpcryptd-firewall
+SOURCE4: tcpcrypt-firewalld.xml
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 BuildRequires: make
 BuildRequires:  gcc
@ -22,6 +22,9 @@ BuildRequires: systemd
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
+Requires(pre): shadow-utils
+# we need to require it to install our file
+Requires: firewalld

 %description
 Provides a protocol that attempts to encrypt (almost) all of your
@ -46,11 +49,6 @@ Contains libraries used by tcpcryptd server and tcpcrypt-aware applications
 %prep
 %autosetup

-# Create a sysusers.d config file
-cat >tcpcrypt.sysusers.conf <<EOF
-u tcpcryptd - 'tcpcrypt daemon account' /var/run/tcpcryptd -
-EOF
-
 %build
 sh bootstrap.sh
 %configure --disable-static --disable-rpath
@ -64,8 +62,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/ %{buildroot}/run/tcpcryptd
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/tcpcrypt.conf
 mkdir -p %{buildroot}%{_unitdir}
 install -m 0755 %{SOURCE2} %{buildroot}/%{_unitdir}/tcpcryptd.service
-
-install -m0644 -D tcpcrypt.sysusers.conf %{buildroot}%{_sysusersdir}/tcpcrypt.conf
+# install firewalld policy needed for tracking and marking packets
+install -D -m 0644 %{SOURCE4} %{buildroot}/%{_prefix}/lib/firewalld/services/tcpcryptd.xml

 %files libs
 %doc README.markdown
@ -82,8 +80,8 @@ install -m0644 -D tcpcrypt.sysusers.conf %{buildroot}%{_sysusersdir}/tcpcrypt.co
 %{_mandir}/man8/*
 %attr(0644,root,root) %{_tmpfilesdir}/tcpcrypt.conf
 %attr(0644,root,root) %{_unitdir}/tcpcryptd.service
+%attr(0644,root,root) %{_prefix}/lib/firewalld/services/tcpcryptd.xml
 %attr(0755,tcpcryptd,tcpcryptd) %dir /run/tcpcryptd
-%{_sysusersdir}/tcpcrypt.conf

 %files devel
 %{_libdir}/libtcpcrypt.so
@ -92,6 +90,11 @@ install -m0644 -D tcpcrypt.sysusers.conf %{buildroot}%{_sysusersdir}/tcpcrypt.co

 %ldconfig_scriptlets libs

+%pre
+getent group tcpcryptd >/dev/null || groupadd -r tcpcryptd
+getent passwd tcpcryptd >/dev/null || \
+useradd -r -g tcpcryptd -d /var/run/tcpcryptd -s /sbin/nologin \
+-c "tcpcrypt daemon account" tcpcryptd || exit 0

 %post
 %systemd_post tcpcryptd.service
@ -103,45 +106,6 @@ install -m0644 -D tcpcrypt.sysusers.conf %{buildroot}%{_sysusersdir}/tcpcrypt.co
 %systemd_postun_with_restart tcpcryptd.service

 %changelog
-* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.5-18
- Add sysusers.d config file to allow rpm to create users/groups automatically
-
-* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Wed Sep 04 2024 Miroslav Suchý <msuchy@redhat.com> - 0.5-16
- convert license to SPDX
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Thu Feb 23 2023 Eric Garver <eric@garver.life> - 0.5-12
- remove bash-isms from tcpcryptd-firewall
-
-* Thu Feb 23 2023 Eric Garver <eric@garver.life> - 0.5-11
- remove broken firewalld service definition
-
-* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.5-7
- Rebuilt with OpenSSL 3.0.0
-
 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

--- a/21
+++ b/21
@ -1,7 +1,20 @@
 #!/bin/sh

-# use iptables manually
-if [ "$1" = "start" ]
+# Check if we need to use firewalld or will handle rules directly with iptables
+
+
+systemctl status firewalld.service >/dev/null
+RETVAL=$?
+if [ $RETVAL  -eq 0 ]
+then
+   # use firewalld
+   firewall-cmd --reload
+   firewall-cmd --direct --get-rules ipv4 raw tcpcrypt
+   firewall-cmd --direct --get-rules ipv4 mangle tcpcrypt
+else
+   # use iptables manually
+
+if [ "$1" == "start" ]
 then
 	iptables -t raw -N tcpcrypt
 	iptables -t raw -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
@ -13,7 +26,7 @@ then
 
 	# launch `tcpcryptd` with `-x 0x10`
 fi
-if [ "$1" = "stop" ]
+if [ "$1" == "stop" ]
 then
 	iptables -t raw -F tcpcrypt
 	iptables -t raw -D PREROUTING -j tcpcrypt
@ -21,3 +34,5 @@ then
 	iptables -t mangle -F tcpcrypt
 	iptables -t mangle -D PREROUTING -j tcpcrypt
 fi
+
+fi