https://fedoraproject.org/wiki/Changes/firewalld-1.0.0 == Summary == Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes. == Owner == * Name: [[User:erig0| Eric Garver]] * Email: egarver@xxxxxxxxxx == Detailed Description == Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the [https://firewalld.org/2021/06/the-upcoming-1-0-0 upstream blog]. Major changes: * Reduced dependencies * Intra-zone forwarding by default * NAT rules moved to inet family (reduced rule set) * Default target is now similar to reject * ICMP blocks and block inversion only apply to input, not forward * tftp-client service has been removed * iptables backend is deprecated * Direct interface is deprecated * CleanupModulesOnExit defaults to no (kernel modules not unloaded) == Benefit to Fedora == The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of `ipset`s. == Scope == * Proposal owners: Changes are isolated to firewalld, but given firewalld is core a System Wide Change is being filed. * Other developers: None. Isolated change. * Release engineering: * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with Objectives: == Upgrade/compatibility impact == * Most configurations will migrate. No intervention required. ** Exceptions *** configurations that utilize `tftp-client` service will have firewalld start in `failed` state because the service has been removed. As noted in the upstream blog this service has ''never'' worked properly. * Zones that users have not modified will now have intra-zone forwarding enabled. ** for this to occur the user must ''not'' have added an interface, service, port, etc. to the zone ** minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g. `FedoraWorkstation` == How To Test == Testing for this rebase should revolve around integrations. * libvirt ** verify VMs still have network access * podman ** verify containers still have network access ** verify forwarding ports via podman still works * NetworkManager ** verify connection sharing still works == User Experience == N/A == Dependencies == firewalld has yet to release v1.0.0. It is expected in early July. == Contingency Plan == * Contingency mechanism: revert package to v0.9.z (what f34 uses) * Contingency deadline: July 27, 2021 * Blocks release? No == Documentation == https://firewalld.org/2021/06/the-upcoming-1-0-0 == Release Notes == firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users. Major changes: * Reduced dependencies * Intra-zone forwarding by default * NAT rules moved to inet family (reduced rule set) * Default target is now similar to reject * ICMP blocks and block inversion only apply to input, not forward * tftp-client service has been removed * iptables backend is deprecated * Direct interface is deprecated * CleanupModulesOnExit defaults to no (kernel modules not unloaded) Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0 -- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
