From Fedora Project Wiki
< Changes
(Add trackers) |
|||
| (13 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | <!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | ||
= | = Update firewalld to v1.0.0 = | ||
== Summary == | == Summary == | ||
| Line 23: | Line 18: | ||
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | * FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | ||
--> | --> | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAcceptedF35]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
| Line 44: | Line 38: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* FESCo issue: | * FESCo issue: [https://pagure.io/fesco/issue/2634 #2634] | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/1982395 #1982395] | ||
* Release notes tracker: | * Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/712 #712] | ||
== Detailed Description == | == Detailed Description == | ||
| Line 95: | Line 89: | ||
https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | ||
--> | --> | ||
The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. | The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of `ipset`s. | ||
== Scope == | == Scope == | ||
| Line 144: | Line 138: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
Testing for this rebase should revolve around integrations. | |||
* libvirt | |||
** verify VMs still have network access | |||
* podman | |||
** verify containers still have network access | |||
** verify forwarding ports via podman still works | |||
* NetworkManager | |||
** verify connection sharing still works | |||
== User Experience == | == User Experience == | ||
| Line 157: | Line 159: | ||
- Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | ||
--> | --> | ||
N/A | |||
== Dependencies == | == Dependencies == | ||
| Line 162: | Line 165: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
firewalld has yet to release v1.0.0. It is expected in early July. | |||
== Contingency Plan == | == Contingency Plan == | ||
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | <!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | ||
* Contingency mechanism: | * Contingency mechanism: revert package to v0.9.z (what f34 uses) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | <!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | ||
* Contingency deadline: | * Contingency deadline: July 27, 2021 <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | <!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | ||
* Blocks release? | * Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
== Documentation == | == Documentation == | ||
| Line 178: | Line 180: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
https://firewalld.org/2021/06/the-upcoming-1-0-0 | |||
== Release Notes == | == Release Notes == | ||
| Line 186: | Line 188: | ||
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | ||
--> | --> | ||
firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users. | |||
Major changes: | |||
* Reduced dependencies | |||
* Intra-zone forwarding by default | |||
* NAT rules moved to inet family (reduced rule set) | |||
* Default target is now similar to reject | |||
* ICMP blocks and block inversion only apply to input, not forward | |||
* tftp-client service has been removed | |||
* iptables backend is deprecated | |||
* Direct interface is deprecated | |||
* CleanupModulesOnExit defaults to no (kernel modules not unloaded) | |||
Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0 | |||
Latest revision as of 18:55, 14 July 2021
Update firewalld to v1.0.0
Summary
Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes.
Owner
- Name: Eric Garver
- Email: egarver@redhat.com
Current status
- Targeted release: Fedora Linux 35
- Last updated: 2021-07-14
- FESCo issue: #2634
- Tracker bug: #1982395
- Release notes tracker: #712
Detailed Description
Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the upstream blog.
Major changes:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Feedback
Benefit to Fedora
The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of ipsets.
Scope
- Proposal owners: Changes are isolated to firewalld, but given firewalld is core a System Wide Change is being filed.
- Other developers: None. Isolated change.
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
- Most configurations will migrate. No intervention required.
- Exceptions
- configurations that utilize
tftp-clientservice will have firewalld start infailedstate because the service has been removed. As noted in the upstream blog this service has never worked properly.
- configurations that utilize
- Exceptions
- Zones that users have not modified will now have intra-zone forwarding enabled.
- for this to occur the user must not have added an interface, service, port, etc. to the zone
- minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g.
FedoraWorkstation
How To Test
Testing for this rebase should revolve around integrations.
- libvirt
- verify VMs still have network access
- podman
- verify containers still have network access
- verify forwarding ports via podman still works
- NetworkManager
- verify connection sharing still works
User Experience
N/A
Dependencies
firewalld has yet to release v1.0.0. It is expected in early July.
Contingency Plan
- Contingency mechanism: revert package to v0.9.z (what f34 uses)
- Contingency deadline: July 27, 2021
- Blocks release? No
Documentation
https://firewalld.org/2021/06/the-upcoming-1-0-0
Release Notes
firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users.
Major changes:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0