firewalld 0.5.1 release

Jan 30, 2018 • Eric Garver

A new release of firewalld, version 0.5.1, is available.

This is a bug fix only release.

ipXtables: fix iptables-restore wait option detection
python3 compatibility fixes
ebtables: fix missing default value to set_rule()
fw_zone: fix invalid reference to __icmp_block_inversion

Source available here:

Tarball: firewalld-0.5.1.tar.gz
SHA256: 267878f1774df84173bb0103c1d50c208109d0d5a032c23811081ed39cacd0ec
Complete changelog on github: 0.5.0 to 0.5.1

firewalld 0.5.0 release

Jan 25, 2018 • Eric Garver

A new release of firewalld, version 0.5.0, is available.

This release is significant because it deprecates the firewallctl command. This secondary CLI is a fair maintenance burden and doesn’t provide anything useful over firewall-cmd other than aesthetics.

Regarding developer related changes, firewalld has gained autotest support. Now you can do a “make check” to run the testsuite. This has been integrated with travis-ci so every push to master and PR automatically runs the testsuite.

Major changes

firewallctl: mark deprecated (#261)
new test framework with travis-ci integration
SUSE ifcfg support

New services

nmea-0183
syncthing
monogoDB
upnp

Source available here:

Tarball: firewalld-0.5.0.tar.gz
SHA256: ecd3adb714fe2ead77253d505cf430c6c640f2c088f2a779c0459f399629ab38
Complete changelog on github: 0.4.4.6 to 0.5.0

firewalld 0.4.4.6 release

Nov 14, 2017 • Eric Garver

The new firewalld version 0.4.4.6 is available as the sixth bug fix release for 0.4.4.

Main changes

Reload nf_conntrack sysctls after the module is loaded
Updated repository and mailing list links
Improved IPv6 support

New services

docker-swarm
redis
zabbix
bgp
git
kprop
minidlna
NFSv3
murmur
IRC

The new firewalld version 0.4.4.6 is available here:

Tarball: firewalld-0.4.4.6.tar.gz
SHA256: a7bf9dd341f3f4c261fa8a8e217160ec815e9dbf32edc25aed44719a2273e94e
Source repository on github: v0.4.4.6
Complete changelog on github: 0.4.4.5 to 0.4.4.6

firewalld 0.4.4.5 release

Jun 6, 2017 • Thomas Woerner

The new firewalld version 0.4.4.5 is available as the fifth bug fix release for 0.4.4.

The main changes are

Fix build from spec

The spec file still contained fedorahosted.org remains. These have been removed and the missing dependency for autotools has been added.

Fix –remove-service-from-zone option

The wrong option name has been used internally which resulted in the NoneType object is not iterable error.

Support sctp and dccp in ports, source-ports, forward-ports, helpers and rich rules

This patch adds support to use ports with the protocols sctp and dccp if also a port id is specified. The use of sctp and dccp is now also allowed in source-ports, forward-ports, helpers and rich language rules.

The test suite has been expanded to also test the new combinations.

This fixes RHBZ#1429808

firewall-cmd: Fix –{set,get}-{short,description} for zone

The options --{set,get}-{short,description} have been used on the wrong object in firewall-cmd which resulted in a back trace.

Fixes: RHBZ#1445238

firewall.core.ipXtables: Use new wait option for restore commands if available

The iptables restore commands in the next iptables release will support the wait option. This is very useful and results in less likely collisions with iptables commands used by other services or the user.

New services

ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe

Rename extension for policy choices (server and desktop) to .policy.choice

firewalld provides a server and a desktop specific policy file. Both files are installed and the one to be used will be linked to org.fedoraproject.FirewallD1.policy. The existance of several policy files using the .policy extensionn in the policy directory could result in a policykit issue. Therefore the policy choice files are now using the extension .policy.choice.

This is done at installation time to still use autofoo targets etc. A change in firewall-offline command to fix –policy-server and –policy-desktop options has been needed for this also.

This fixes RHBZ#1449754

D-Bus interfaces: Fix GetAll for interfaces without properties

The use of GetAll on D-Bus interfaces without properties restulted in the FirewallD does not implement the interface error. This has been fixed and an empty array is returned now.

The property handling code and also the error messages are now consisent in all D-Bus interfaces of firewalld.

This fixes RHBZ#1452017

Load NAT helpers with conntrack helpers

If a conntrack helper is used, then the NAT helper will automatically be loaded also if there is a matching NAT helper. New functionality to detect NAT helpers supported by the kernel has been added. The new property nf_nat_helpers has been added to the firewalld D-Bus interface.

Fixes: RHBZ#1452681

Translation updates

The new firewalld version 0.4.4.5 is available here:

Tarball: firewalld-0.4.4.5.tar.gz
SHA256: 89419316e829a2cb086142acc4b1aeba45f20ecddf0ca236db5faf8ec8d12601
Source repository on github: v0.4.4.5
Complete changelog on github: 0.4.4.4 to 0.4.4.5

firewalld 0.4.4.4 release

Mar 27, 2017 • Thomas Woerner

The new firewalld version 0.4.4.4 is available as the fourth bug fix release for 0.4.4.

The main changes are

Drop all references to fedorahosted.org

fedorahosted.org has been shut down. The spec file and Makefile.am has been adapted to use the archive from the github repo instead.

Fix inconsistent order of source bindings

The order of zones has been inconsistent since the transaciton model has been introduced. This also resulted in inconsistent ordering of source bindings in the INPUT_ZONE_SOURCE chain.

The load order of zones is now preserved by using a dictionary that preserves the order of the added items.

This fixes issue #166 and RHBZ#1421222

Fix ipset overloading from /etc/firewalld/ipsets

The overloading of ipsets from /etc/firewalld/ipsets has been broken with version 0.4.4.3. The check if an ipset has been applied already is used only now if ipsets are about to get modified.

This fixes RHBZ#1423941.

Fix permanent rich rules using icmp-type elements

Rich language rules using the icmp-type element have not been saved properly. The code to handle the icmp-type element in the zone writer has been missing and this has only been logged as a warning. An element without name has been created because of this. This resulted in a corrupt zone file.

The code to handle the icmp-type element has been added and the warning for an unknown element has been transformed into a FirewallError. A curruption of the zone file can not happen anymore with an unhandled element.

This fixes RHBZ#1434763.

Check if ICMP types are supported by kernel

The supported ICMP types are now gathered from the kernel to be able to check the types before trying to use them. This helps to preserve the speed with the transaction model.

This is related to RHBZ#1401978.

Show icmptypes and ipsets with type errors in permanent environment

Type errors for ipsets and icmptypes resulted in a load failure while loading the config file. The type are occuring if an invalid type is used or if the type is not supported be the kernel.

These ipsets and icmptypes have been invisible in the runtime and also in the permanent environment. This has been fixed and these items are now visible in the permanent environment to be able to edit them.

firewall-config: Show invalid ipset types

Invalid ipset types are now shown in the ipset configuration dialog in the permanent environment in a special label.

firewall-config: Deactivate modify buttons if there are no items

Deactivate the edit and remove buttons for zones, services, ipsets, icmptypes and helpers if there are no items in the list.

The new firewalld version 0.4.4.4 is available here:

Tarball: firewalld-0.4.4.4.tar.gz
SHA256: 8726bb7c15c180191b81764072041bebd371664fcbc25a0eafffc35c707b3df9
Source repository on github: v0.4.4.4
Complete changelog on github: 0.4.4.3 to 0.4.4.4