Update firewalld to v1.0.0
Summary
Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes.
Owner
- Name: Eric Garver
- Email: egarver@redhat.com
Current status
- Targeted release: Fedora Linux 35
- Last updated: 2021-07-14
- FESCo issue: #2634
- Tracker bug: #1982395
- Release notes tracker: #712
Detailed Description
Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the upstream blog.
Major changes:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Feedback
Benefit to Fedora
The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of ipset
s.
Scope
- Proposal owners: Changes are isolated to firewalld, but given firewalld is core a System Wide Change is being filed.
- Other developers: None. Isolated change.
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
- Most configurations will migrate. No intervention required.
- Exceptions
- configurations that utilize
tftp-client
service will have firewalld start infailed
state because the service has been removed. As noted in the upstream blog this service has never worked properly.
- configurations that utilize
- Exceptions
- Zones that users have not modified will now have intra-zone forwarding enabled.
- for this to occur the user must not have added an interface, service, port, etc. to the zone
- minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g.
FedoraWorkstation
How To Test
Testing for this rebase should revolve around integrations.
- libvirt
- verify VMs still have network access
- podman
- verify containers still have network access
- verify forwarding ports via podman still works
- NetworkManager
- verify connection sharing still works
User Experience
N/A
Dependencies
firewalld has yet to release v1.0.0. It is expected in early July.
Contingency Plan
- Contingency mechanism: revert package to v0.9.z (what f34 uses)
- Contingency deadline: July 27, 2021
- Blocks release? No
Documentation
https://firewalld.org/2021/06/the-upcoming-1-0-0
Release Notes
firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users.
Major changes:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0