From Fedora Project Wiki
Line 186: Line 186:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
https://firewalld.org/2021/06/the-upcoming-1-0-0


== Release Notes ==
== Release Notes ==

Revision as of 19:43, 25 June 2021

Important.png
Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
Idea.png
Guidance
For details on how to fill out this form, see the documentation.


Change Proposal Name

Rebase firewalld to upstream v1.0.0.

Summary

Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes.

Owner


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-06-25
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the upstream blog.

Major changes:

  • Reduced dependencies
  • Intra-zone forwarding by default
  • NAT rules moved to inet family (reduced rule set)
  • Default target is now similar to reject
  • ICMP blocks and block inversion only apply to input, not forward
  • tftp-client service has been removed
  • iptables backend is deprecated
  • Direct interface is deprecated
  • CleanupModulesOnExit defaults to no (kernel modules not unloaded)

Feedback

Benefit to Fedora

The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of ipsets.

Scope

  • Proposal owners: Changes are isolated to firewalld, but given firewalld is core a System Wide Change is being filed.
  • Other developers: None. Isolated change.
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

  • Most configurations will migrate. No intervention required.
    • Exceptions
      • configurations that utilize tftp-client service will have firewalld start in failed state because the service has been removed. As noted in the upstream blog this service has never worked properly.
  • Zones that users have not modified will now have intra-zone forwarding enabled.
    • for this to occur the user must not have added an interface, service, port, etc. to the zone
    • minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g. FedoraWorkstation

How To Test

Testing for this rebase should revolve around integrations.

  • libvirt
    • verify VMs still have network access
  • podman
    • verify containers still have network access
    • verify forwarding ports via podman still works
  • NetworkManager
    • verify connection sharing still works

User Experience

N/A

Dependencies

firewalld has yet to release v1.0.0. It is expected in early July.

Contingency Plan

  • Contingency mechanism: revert package to v0.9.z (what f34 uses)
  • Contingency deadline: July 27, 2021
  • Blocks release? No

Documentation

https://firewalld.org/2021/06/the-upcoming-1-0-0

Release Notes

Retrieved from "https://fedoraproject.org/w/index.php?title=Changes/firewalld-1.0.0&oldid=617776"