From Fedora Project Wiki
Line 176: Line 176:


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency mechanism: revert package to v0.9.z (what f34 uses)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: July 27, 2021 <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 


== Documentation ==
== Documentation ==

Revision as of 19:43, 25 June 2021

Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
Guidance
For details on how to fill out this form, see the documentation.


Change Proposal Name

Rebase firewalld to upstream v1.0.0.

Summary

Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes.

Owner


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-06-25
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the upstream blog.

Major changes:

  • Reduced dependencies
  • Intra-zone forwarding by default
  • NAT rules moved to inet family (reduced rule set)
  • Default target is now similar to reject
  • ICMP blocks and block inversion only apply to input, not forward
  • tftp-client service has been removed
  • iptables backend is deprecated
  • Direct interface is deprecated
  • CleanupModulesOnExit defaults to no (kernel modules not unloaded)

Feedback

Benefit to Fedora

The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of ipsets.

Scope

  • Proposal owners: Changes are isolated to firewalld, but given firewalld is core a System Wide Change is being filed.
  • Other developers: None. Isolated change.
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

  • Most configurations will migrate. No intervention required.
    • Exceptions
      • configurations that utilize tftp-client service will have firewalld start in failed state because the service has been removed. As noted in the upstream blog this service has never worked properly.
  • Zones that users have not modified will now have intra-zone forwarding enabled.
    • for this to occur the user must not have added an interface, service, port, etc. to the zone
    • minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g. FedoraWorkstation

How To Test

Testing for this rebase should revolve around integrations.

  • libvirt
    • verify VMs still have network access
  • podman
    • verify containers still have network access
    • verify forwarding ports via podman still works
  • NetworkManager
    • verify connection sharing still works

User Experience

N/A

Dependencies

firewalld has yet to release v1.0.0. It is expected in early July.

Contingency Plan

  • Contingency mechanism: revert package to v0.9.z (what f34 uses)
  • Contingency deadline: July 27, 2021
  • Blocks release? No

Documentation

N/A (not a System Wide Change)

Release Notes

Retrieved from "https://fedoraproject.org/w/index.php?title=Changes/firewalld-1.0.0&oldid=617775"