rpms/firewalld
7
0
Fork 0
Code Issues Pull Requests Releases Activity

default to iptables backend

Browse Source 
Resolves: rhbz 1623868
This commit is contained in:
Eric Garver 2018-08-31 10:57:15 -04:00
parent cab87bda0c
commit 7c611c49f7
2 changed files with 121 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
0001-fedora-patch-to-default-to-iptables-backend.patch Normal file
View File

@ -0,0 +1,116 @@
From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 30 Aug 2018 16:34:19 -0400
Subject: [PATCH] fedora patch to default to iptables backend
---
config/firewalld.conf | 7 -------
src/firewall/config/__init__.py.in | 2 +-
src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
src/tests/dbus/firewalld.conf.at | 2 +-
src/tests/functions.at | 4 ++--
5 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa50c53..63df409bf567 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -55,10 +55,3 @@ LogDenied=off
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system
-
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be32077e1..cff7c3fe9025 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad693c1..6264f45a1913 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -240,6 +240,12 @@ class firewalld_conf(object):
if key not in done:
if (key in self._config and \
self._config[key] != value):
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
empty = False
temp_file.write(u'%s=%s\n' %
(key, self._config[key]))
@@ -247,6 +253,12 @@ class firewalld_conf(object):
elif key in self._deleted:
modified = True
else:
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
empty = False
temp_file.write(line+u"\n")
done.append(key)
@@ -258,6 +270,11 @@ class firewalld_conf(object):
for (key,value) in self._config.items():
if key in done:
continue
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ continue
if not empty:
temp_file.write(u"\n")
empty = True
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de10af..44e649111ffb 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl
string "AutomaticHelpers" : variant string "system"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
+string "FirewallBackend" : variant string "iptables"
m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
string "IPv6_rpfilter" : variant string "no"],[dnl
string "IPv6_rpfilter" : variant string "yes"])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 3b79a9f31305..dd7b43d9dac6 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [
fi
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- m4_define_default([FIREWALL_BACKEND], [nftables])
+ m4_define_default([FIREWALL_BACKEND], [iptables])
dnl don't unload modules or bother cleaning up, the namespace will be deleted
AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
dnl set the appropriate backend
- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
+ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
dnl fib matching is pretty new in nftables. Don't use rpfilter on older
dnl kernels.
--
2.18.0

6
firewalld.spec
View File

@ -1,13 +1,14 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld Name: firewalld
Version: 0.6.1 Version: 0.6.1
Release: 1%{?dist} Release: 2%{?dist}
URL: http://www.firewalld.org URL: http://www.firewalld.org
License: GPLv2+ License: GPLv2+
Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: FedoraServer.xml Source1: FedoraServer.xml
Source2: FedoraWorkstation.xml Source2: FedoraWorkstation.xml
Patch0: firewalld-0.2.6-MDNS-default.patch Patch0: firewalld-0.2.6-MDNS-default.patch
Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -270,6 +271,9 @@ fi
%{_mandir}/man1/firewall-config*.1* %{_mandir}/man1/firewall-config*.1*
%changelog %changelog
* Fri Aug 10 2018 Eric Garver <egarver@redhat.com> - 0.6.1-2
- default to iptables backend
* Fri Aug 10 2018 Eric Garver <egarver@redhat.com> - 0.6.1-1 * Fri Aug 10 2018 Eric Garver <egarver@redhat.com> - 0.6.1-1
- rebase package to v0.6.1 - rebase package to v0.6.1