firewalld 0.5.0 release

A new release of firewalld, version 0.5.0, is available.

This release is significant because it deprecates the firewallctl command. This secondary CLI is a fair maintenance burden and doesn’t provide anything useful over firewall-cmd other than aesthetics.

Regarding developer related changes, firewalld has gained autotest support. Now you can do a “make check” to run the testsuite. This has been integrated with travis-ci so every push to master and PR automatically runs the testsuite.

Major changes

  • firewallctl: mark deprecated (#261)
  • new test framework with travis-ci integration
  • SUSE ifcfg support

New services

  • nmea-0183
  • syncthing
  • monogoDB
  • upnp

Source available here:

firewalld release

The new firewalld version is available as the sixth bug fix release for 0.4.4.

Main changes

  • Reload nf_conntrack sysctls after the module is loaded
  • Updated repository and mailing list links
  • Improved IPv6 support

New services

  • docker-swarm
  • redis
  • zabbix
  • bgp
  • git
  • kprop
  • minidlna
  • NFSv3
  • murmur
  • IRC

The new firewalld version is available here:

firewalld release

The new firewalld version is available as the fifth bug fix release for 0.4.4.

The main changes are

Fix build from spec

The spec file still contained remains. These have been removed and the missing dependency for autotools has been added.

Fix –remove-service-from-zone option

The wrong option name has been used internally which resulted in the NoneType object is not iterable error.

Support sctp and dccp in ports, source-ports, forward-ports, helpers and rich rules

This patch adds support to use ports with the protocols sctp and dccp if also a port id is specified. The use of sctp and dccp is now also allowed in source-ports, forward-ports, helpers and rich language rules.

The test suite has been expanded to also test the new combinations.

This fixes RHBZ#1429808

firewall-cmd: Fix –{set,get}-{short,description} for zone

The options --{set,get}-{short,description} have been used on the wrong object in firewall-cmd which resulted in a back trace.

Fixes: RHBZ#1445238

firewall.core.ipXtables: Use new wait option for restore commands if available

The iptables restore commands in the next iptables release will support the wait option. This is very useful and results in less likely collisions with iptables commands used by other services or the user.

New services

ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe

Rename extension for policy choices (server and desktop) to .policy.choice

firewalld provides a server and a desktop specific policy file. Both files are installed and the one to be used will be linked to org.fedoraproject.FirewallD1.policy. The existance of several policy files using the .policy extensionn in the policy directory could result in a policykit issue. Therefore the policy choice files are now using the extension .policy.choice.

This is done at installation time to still use autofoo targets etc. A change in firewall-offline command to fix –policy-server and –policy-desktop options has been needed for this also.

This fixes RHBZ#1449754

D-Bus interfaces: Fix GetAll for interfaces without properties

The use of GetAll on D-Bus interfaces without properties restulted in the FirewallD does not implement the interface error. This has been fixed and an empty array is returned now.

The property handling code and also the error messages are now consisent in all D-Bus interfaces of firewalld.

This fixes RHBZ#1452017

Load NAT helpers with conntrack helpers

If a conntrack helper is used, then the NAT helper will automatically be loaded also if there is a matching NAT helper. New functionality to detect NAT helpers supported by the kernel has been added. The new property nf_nat_helpers has been added to the firewalld D-Bus interface.

Fixes: RHBZ#1452681

Translation updates

The new firewalld version is available here:

firewalld release

The new firewalld version is available as the fourth bug fix release for 0.4.4.

The main changes are

Drop all references to has been shut down. The spec file and has been adapted to use the archive from the github repo instead.

Fix inconsistent order of source bindings

The order of zones has been inconsistent since the transaciton model has been introduced. This also resulted in inconsistent ordering of source bindings in the INPUT_ZONE_SOURCE chain.

The load order of zones is now preserved by using a dictionary that preserves the order of the added items.

This fixes issue #166 and RHBZ#1421222

Fix ipset overloading from /etc/firewalld/ipsets

The overloading of ipsets from /etc/firewalld/ipsets has been broken with version The check if an ipset has been applied already is used only now if ipsets are about to get modified.

This fixes RHBZ#1423941.

Fix permanent rich rules using icmp-type elements

Rich language rules using the icmp-type element have not been saved properly. The code to handle the icmp-type element in the zone writer has been missing and this has only been logged as a warning. An element without name has been created because of this. This resulted in a corrupt zone file.

The code to handle the icmp-type element has been added and the warning for an unknown element has been transformed into a FirewallError. A curruption of the zone file can not happen anymore with an unhandled element.

This fixes RHBZ#1434763.

Check if ICMP types are supported by kernel

The supported ICMP types are now gathered from the kernel to be able to check the types before trying to use them. This helps to preserve the speed with the transaction model.

This is related to RHBZ#1401978.

Show icmptypes and ipsets with type errors in permanent environment

Type errors for ipsets and icmptypes resulted in a load failure while loading the config file. The type are occuring if an invalid type is used or if the type is not supported be the kernel.

These ipsets and icmptypes have been invisible in the runtime and also in the permanent environment. This has been fixed and these items are now visible in the permanent environment to be able to edit them.

firewall-config: Show invalid ipset types

Invalid ipset types are now shown in the ipset configuration dialog in the permanent environment in a special label.

firewall-config: Deactivate modify buttons if there are no items

Deactivate the edit and remove buttons for zones, services, ipsets, icmptypes and helpers if there are no items in the list.

The new firewalld version is available here:

firewalld release

The new firewalld version is available as the third bug fix release for 0.4.4.

The main changes are

Speed up of large file loading

The loading of large config files has been optimized in the generic io handler. This results in a huge speed up for big config files.

Support for more ipset types

This is the list of ipset types that can now be managed by firewalld:

  • hash:ip
  • hash:ip,port
  • hash:ip,port,ip
  • hash:ip,port,net
  • hash:ip,mark
  • hash:net
  • hash:net,net
  • hash:net,port
  • hash:net,port,net
  • hash:net,iface
  • hash:mac

To speed up the generation and to simplifay the ipset generation in transactions, new checks have been added to be able to verify ipset entries according to the the ipset type.

Currently there is no way to define how ipsets are used as sources, therefore only a limited list of ipset types can be used as sources in zones at the moment. These are:

  • hash:ip
  • hash:ip,port
  • hash:ip,mark
  • hash:net
  • hash:net,port
  • hash:net,iface
  • hash:mac

The source and destination flags for the ipset types parts will be added with a later release.

Speed up of adding or removing entries for ipsets from files

The file import has been optimized in several places: The loading of the import file, the checks on the imported entries, the way how entres from this file are added or removed and also the way how this is then imported into firewalld.

Support icmp-type usage in rich rules

ICMP types can now be used as elements in rich language rules. With this it is possible to have more fine grained ICMP type handling with the ability to combine them with an address, logging and also an action.

Support for more icmp types

This is the list of ICMP types that can now be used by firewalld for ICMP blocking and also in rich language rules:

address-unreachable, bad-header, beyond-scope, communication-prohibited,
failed-policy, fragmentation-needed, host-precedence-violation,
host-prohibited, host-redirect, host-unknown, host-unreachable,
ip-header-bad, neighbour-advertisement, neighbour-solicitation,
network-prohibited, network-redirect, network-unknown, network-unreachable,
no-route, packet-too-big, port-unreachable, precedence-cutoff,
protocol-unreachable, reject-route, required-option-missing,
source-route-failed, tos-host-redirect, tos-host-unreachable,
tos-network-redirect, tos-network-unreachable, ttl-zero-during-reassembly,
ttl-zero-during-transit, unknown-header-type, unknown-option

Support for h323 conntrack helper

The conntrack helper h323 can now be used with enabled and disabled automatic helper assignment. The helper is not diretly usable with disabled automatic helper assignment and therefore needs to be replaced by the helpers that the netfilter kernel module provides.

For disabled automatic helper assignment: If there are no helper ports defined in a firewalld helper configuration file, then firewalld tries to replace the helper with all the helpers that are provided by the netfilter helper module in the kernel. But only with the ones where a firewalld helper configuration exists. The H.245 helper is not usable right now because of an issue in the helper code in netfilter. Therefore there is no H.245 helper provided by firewalld at the moment as there is no way to properly detect a fixed version at the moment.

New services

freeipa-trust, mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync

Code cleanup and several other bug fixes

Translation updates

The new firewalld version is available here: