From d1828d7c5b17b5d152acc461123565f3a32d61ce Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Wed, 6 Nov 2024 11:08:14 -0500
Subject: [PATCH] RHEL only: Default to StrictForwardPorts=yes

---
 config/firewalld.conf | 4 ++--
 src/firewall/config/__init__.py.in | 2 +-
 src/tests/functions.at | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/config/firewalld.conf b/config/firewalld.conf
index 800b255c77e0..93b85181c2be 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -94,8 +94,8 @@ RFC3964_IPv4=yes
 # allowed via firewalld.
 # If set to no, then docker (and podman) integrates seamlessly with firewalld.
 # Published container ports are implicitly allowed.
-# Defaults to "no".
-StrictForwardPorts=no
+# Defaults to "yes".
+StrictForwardPorts=yes
 
 # NftablesFlowtable
 # This may improve forwarded traffic throughput by enabling nftables flowtable.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 4951d37cf80e..478bb7383d41 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -139,4 +139,4 @@ FALLBACK_ALLOW_ZONE_DRIFTING = False
 FALLBACK_NFTABLES_FLOWTABLE = "off"
 FALLBACK_NFTABLES_COUNTERS = False
 FALLBACK_NFTABLES_TABLE_OWNER = True
-FALLBACK_STRICT_FORWARD_PORTS = False
+FALLBACK_STRICT_FORWARD_PORTS = True
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 500756bdacdb..621f2f6f613c 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -141,6 +141,10 @@ m4_define([FWD_START_TEST], [
 AT_CHECK([if ! cp /etc/firewalld/firewalld.conf ./firewalld.conf; then exit 77; fi])
 fi
 
+dnl RHEL downstream changed the default value for this, but upstream tests
+dnl expect it to be "no".
+AT_CHECK([sed -i 's/^StrictForwardPorts.*/StrictForwardPorts=no/' ./firewalld.conf])
+
 m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
 AT_KEYWORDS(offline)
 dnl cockpit is added by default downstream, but upstream tests don't expect
-- 
2.45.2
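Review bot: The rewritten `# Defaults to "yes".` line records the new value but nothing in the shipped comment tells an administrator that the default now differs from upstream firewalld, even though the subject marks this as an RHEL-only divergence; the two remaining context lines (`# If set to no, then docker (and podman) integrates seamlessly with firewalld.` / `# Published container ports are implicitly allowed.`) now describe the non-default path, so after an upgrade the first thing a reader sees next to the key is the behaviour they no longer get. Stating the divergence on the default line makes it obvious to anyone comparing with upstream docs: `# Defaults to "yes" (upstream firewalld defaults to "no").` The description of the "yes" behaviour begins above the hunk — the first context line `# allowed via firewalld.` reads as its tail — so if it already says published ports must be explicitly allowed, only the upstream note is missing.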
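Review bot: Flipping `FALLBACK_STRICT_FORWARD_PORTS` to `True` reaches more systems than the firewalld.conf change alone: if, as the `FALLBACK_` prefix suggests, this value applies whenever the key is absent from the config, then upgraded hosts whose preserved firewalld.conf predates StrictForwardPorts also switch to strict mode, not just fresh installs. That is the common upgrade case and worth a comment on the constant so the downstream divergence is visible to anyone diffing against upstream: `FALLBACK_STRICT_FORWARD_PORTS = True  # RHEL downstream default; upstream is False`. Whether the fallback is consulted for absent keys is decided by the config loader outside this hunk, so confirm there before relying on that reading.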
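Review bot: The added `sed -i` runs unconditionally on `./firewalld.conf`, but the `cp` that creates that file sits inside an `if` whose condition starts above the hunk; if that branch can be bypassed while `./firewalld.conf` does not exist, `sed -i` fails and the AT_CHECK turns a would-be skip into a test failure. Guarding the edit on the file's presence keeps the existing harness behaviour: `AT_CHECK([test ! -f ./firewalld.conf || sed -i 's/^StrictForwardPorts.*/StrictForwardPorts=no/' ./firewalld.conf])`. The dnl comment could also say that the rewrite is unconditional, so any downstream test that wants to exercise the new `yes` default has to set it explicitly after FWD_START_TEST. The FWD_START_TEST macro body continues past the end of the hunk.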