From Fedora Project Wiki
(Add trackers)
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Change Proposal Name =
= Update firewalld to v1.0.0 =
Rebase firewalld to upstream v1.0.0.


== Summary ==
== Summary ==
Line 23: Line 18:
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
-->
-->


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF35]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 44: Line 38:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2634 #2634]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/1982395 #1982395]
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/712 #712]


== Detailed Description ==
== Detailed Description ==
Line 165: Line 159:
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->
-->
N/A


== Dependencies ==
== Dependencies ==
Line 170: Line 165:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
firewalld has yet to release v1.0.0. It is expected in early July.


== Contingency Plan ==
== Contingency Plan ==


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency mechanism: revert package to v0.9.z (what f34 uses)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: July 27, 2021 <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 


== Documentation ==
== Documentation ==
Line 186: Line 180:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
https://firewalld.org/2021/06/the-upcoming-1-0-0


== Release Notes ==
== Release Notes ==
Line 194: Line 188:
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.  
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.  
-->
-->
firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users.
Major changes:
* Reduced dependencies
* Intra-zone forwarding by default
* NAT rules moved to inet family (reduced rule set)
* Default target is now similar to reject
* ICMP blocks and block inversion only apply to input, not forward
* tftp-client service has been removed
* iptables backend is deprecated
* Direct interface is deprecated
* CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0

Latest revision as of 18:55, 14 July 2021


Update firewalld to v1.0.0

Summary

Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes.

Owner

Current status

Detailed Description

Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the upstream blog.

Major changes:

  • Reduced dependencies
  • Intra-zone forwarding by default
  • NAT rules moved to inet family (reduced rule set)
  • Default target is now similar to reject
  • ICMP blocks and block inversion only apply to input, not forward
  • tftp-client service has been removed
  • iptables backend is deprecated
  • Direct interface is deprecated
  • CleanupModulesOnExit defaults to no (kernel modules not unloaded)

Feedback

Benefit to Fedora

The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of ipsets.

Scope

  • Proposal owners: Changes are isolated to firewalld, but given firewalld is core a System Wide Change is being filed.
  • Other developers: None. Isolated change.
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

  • Most configurations will migrate. No intervention required.
    • Exceptions
      • configurations that utilize tftp-client service will have firewalld start in failed state because the service has been removed. As noted in the upstream blog this service has never worked properly.
  • Zones that users have not modified will now have intra-zone forwarding enabled.
    • for this to occur the user must not have added an interface, service, port, etc. to the zone
    • minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g. FedoraWorkstation

How To Test

Testing for this rebase should revolve around integrations.

  • libvirt
    • verify VMs still have network access
  • podman
    • verify containers still have network access
    • verify forwarding ports via podman still works
  • NetworkManager
    • verify connection sharing still works

User Experience

N/A

Dependencies

firewalld has yet to release v1.0.0. It is expected in early July.

Contingency Plan

  • Contingency mechanism: revert package to v0.9.z (what f34 uses)
  • Contingency deadline: July 27, 2021
  • Blocks release? No

Documentation

https://firewalld.org/2021/06/the-upcoming-1-0-0

Release Notes

firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users.

Major changes:

  • Reduced dependencies
  • Intra-zone forwarding by default
  • NAT rules moved to inet family (reduced rule set)
  • Default target is now similar to reject
  • ICMP blocks and block inversion only apply to input, not forward
  • tftp-client service has been removed
  • iptables backend is deprecated
  • Direct interface is deprecated
  • CleanupModulesOnExit defaults to no (kernel modules not unloaded)

Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0

Retrieved from "https://fedoraproject.org/w/index.php?title=Changes/firewalld-1.0.0&oldid=619473"