Update firewalld to v1.0.0

Summary

Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes.

Owner

• Name: Eric Garver
• Email: egarver@redhat.com

Current status

• Targeted release: Fedora Linux 35
• Last updated: 2021-07-14
• FESCo issue: #2634
• Tracker bug: #1982395
• Release notes tracker: #712

Detailed Description

Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the upstream blog.

Major changes:

• Reduced dependencies
• Intra-zone forwarding by default
• NAT rules moved to inet family (reduced rule set)
• Default target is now similar to reject
• ICMP blocks and block inversion only apply to input, not forward
• tftp-client service has been removed
• iptables backend is deprecated
• Direct interface is deprecated
• CleanupModulesOnExit defaults to no (kernel modules not unloaded)

Feedback

Benefit to Fedora

The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of ipsets.

Scope

• Proposal owners: Changes are isolated to firewalld, but given firewalld is core a System Wide Change is being filed.

• Other developers: None. Isolated change.

• Release engineering: N/A (not needed for this Change)

• Policies and guidelines: N/A (not needed for this Change)

• Trademark approval: N/A (not needed for this Change)

• Alignment with Objectives:

Upgrade/compatibility impact

• Most configurations will migrate. No intervention required.
  • Exceptions
    • configurations that utilize tftp-client service will have firewalld start in failed state because the service has been removed. As noted in the upstream blog this service has never worked properly.
• Zones that users have not modified will now have intra-zone forwarding enabled.
  • for this to occur the user must not have added an interface, service, port, etc. to the zone
  • minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g. FedoraWorkstation

How To Test

Testing for this rebase should revolve around integrations.

• libvirt
  • verify VMs still have network access
• podman
  • verify containers still have network access
  • verify forwarding ports via podman still works
• NetworkManager
  • verify connection sharing still works

User Experience

N/A

Dependencies

firewalld has yet to release v1.0.0. It is expected in early July.

Contingency Plan

• Contingency mechanism: revert package to v0.9.z (what f34 uses)
• Contingency deadline: July 27, 2021
• Blocks release? No

Documentation

https://firewalld.org/2021/06/the-upcoming-1-0-0

Release Notes

firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users.

Major changes:

• Reduced dependencies
• Intra-zone forwarding by default
• NAT rules moved to inet family (reduced rule set)
• Default target is now similar to reject
• ICMP blocks and block inversion only apply to input, not forward
• tftp-client service has been removed
• iptables backend is deprecated
• Direct interface is deprecated
• CleanupModulesOnExit defaults to no (kernel modules not unloaded)

Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0