firewalld 0.6.4 release

A new release of firewalld, version 0.6.4, is available.

This is a bug fix only release.

  • treewide: fix over indentation (flake8 E117)
  • test: travis: add another test matrix for omitting ip6tables
  • chore: travis: split test matrix by keywords
  • chore: tests: add AT_KEYWORDS for firewall-offline-cmd
  • improvement: tests: Use AT_KEYWORDS for backends
  • fix: tests: guard occurrences of IPv6
  • fix: tests/functions: ignore warnings about missing ip6tables
  • test: add macro IF_IPV6_SUPPORTED
  • test: add macro HOST_SUPPORTS_IP6TABLES
  • test: pass IPTABLES make variables down to autotest
  • fix: avoid calling backends that aren’t available
  • fix: tests/regression/rhbz1601610: ignore warning about version mismatch
  • fix: tests/regression/pr323: don’t check for nf_nat_proto_gre
  • fix: do not flush entire ruleset in CHECK_NAT_COEXISTENCE
  • fix: propagate exception if backend fails with IndividualCalls=yes
  • fix: tests nftables: constant set compat between releases
  • fix: document --check-config option
  • fix: tests/nftables: compatibility with numeric output changes
  • test/functions: Strip nft hook and policy from output
  • tests/functions: normalize nft list rule output
  • fix: on reload, set policy before cleanup
  • fix: tests/regression/gh453: guarantee automatic helpers disabled
  • test: add macro CHECK_NFT_CT_HELPER()
  • test: add test to check for nftables helper objects
  • fix: nftables: make helpers work by creating ct helper objects
  • fix: ipXtables: using “mangle” in zone not dependent on “nat”
  • fix: ipXtables: don’t use tables that aren’t available
  • test: add tests for rich rule mark action
  • fix: nftables rich rule mark not marking every packet
  • rich rules: fix Rich_Mark logic
  • test: add coverage for gh #482
  • fix: rich rule forward-port deletion after reload
  • tests/regression: coverage for enabling IP forwarding via forward-ports
  • fw_zone: forward-ports: only enable IP forwarding if toaddr used
  • doc: note that masquerade will enable IP forwarding
  • doc: note that forward-port may enable IP forwarding
  • fix issue #457
  • ipXtables: Avoid inserting rules with index
  • ipXtables: simplify rpfilter rule generation
  • tests/functions: normalize ebtables inversion output
  • tests/firewall-cmd: Coverage for interface wildcarding
  • nftables: Allow interfaces with wildcards
  • tests/firewall-cmd: remove redundant checks for TESTING_FIREWALL_OFFLINE_CMD
  • tests/functions: for list macros skip if testing firewall-offline-cmd
  • tests/functions: m4_strip expected output
  • tests/functions: implement a better m4_strip()
  • tests/regression/rhbz1601610: modify test to satisfy buggy kernel versions
  • ipset: fix set apply if IndividualCalls=yes
  • nftables: fix ipv6 rich rule forward-ports
  • nftables: fix rich rule masquerade
  • fw_zone: fix IPv6 rich rule forward-port without toaddr
  • fw_zone: fix rich rule masquerading
  • firewalld.spec: enforce nftables version requirements
  • firewalld.spec: fix packaging of appdata
  • nftables: fix panic mode not filtering output packets
  • services/steam-streaming: update udp ports
  • zanata: use version stable-0.6
  • update translations
  • rich rules: fix mark action
  • tests/regression/rhbz1571957: exercise log-denied=broadcast
  • ipXtables/nftables: Fix “object has no attribute ‘_log_denied’”
  • config/lockdown-whitelist: Don’t auto add “-Es” to interpreter

Source available here:


Rich Rule Priorities

Recently firewalld gained support for a priority field in the rich rule syntax. It allows fine-grained control over rich rules and their execution order. This enables using rich rules in ways not possible before.

Why is it needed?

One issue with current rich rules is that they are organized based on their rule action. Log always occurs before deny. Deny always occurs before allow. This has led to confusion from users as this implicitly reorders rules. It also made it impossible to add a catch-all rich rule to deny traffic.

More information on this can be found in the firewalld.richlanguage man page in the section “Information about logging and actions”.

What does it look like?

The syntax modifications add a new priority field. This can be any number between -32768 and 32767, where lower numbers have higher precedence. This range is large enough to allow automatic rule generation from scripts or other entities.

Example:

# firewall-cmd --add-rich-rule='rule priority=1234 service name="mdns" accept'

Based on the priority, rules are organized into different chains.

  • If priority < 0, the rule goes into a chain with the suffix _pre.
  • If priority > 0, the rule goes into a chain with the suffix _post.
  • If priority == 0, the rule goes into a chain ( _log, _deny, _allow ) based on its action. This is the same behavior as rich rules before priority support.

Inside these sub-chains rules are sorted according to their priority value. If they have the same priority value, then it’s undefined in what order they will be executed.

Putting it all together, a zone’s set of chains now looks like this:

# nft list chain inet firewalld filter_IN_public
table inet firewalld {
        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }
}

A couple of key points from this layout:

  • _pre can occur before normal log rules.
  • _post execution always occurs after firewalld’s other primitives (services, ports, etc). This makes it a good place for catch-all type rules.
  • _pre and _post chains may contain rich rules with any type of action (accept, deny, log, audit, etc).

Examples (use cases)

Below are some examples, but they don’t even scratch the surface of what’s possible now that rich rules support arbitrary ordering.

Log all traffic not caught by other rules

Using a very low precedence rich rule you can log all traffic that has not yet been denied or accepted. This is useful to flag any unexpected traffic. It can also be a way to implement the zone level equivalent to --log-denied.

# firewall-cmd --add-rich-rule='rule priority=32767 log prefix="UNEXPECTED: " limit value="5/m"'

This results in the following:

# nft list chain inet firewalld filter_IN_public_post
table inet firewalld {
        chain filter_IN_public_post {
                log prefix "UNEXPECTED: " limit rate 5/minute
        }
}

Special policy for subset of traffic

To mimic a policy for only a subset of source addresses you can use a low precedence rule.

# firewall-cmd --add-rich-rule='rule family="ipv4" priority=32767 source address="10.1.1.0/24" reject'

This results in the following:

# nft list chain inet firewalld filter_IN_public_post
table inet firewalld {
        chain filter_IN_public_post {
                ip saddr 10.1.1.0/24 reject
        }
}

Allow a service for a subset of sources

This example allows a service for a subset of sources, then logs and denies it for everyone else.

# firewall-cmd --add-rich-rule='rule family="ipv4" priority=-100 source address="10.1.1.0/24" service name="ssh" accept'
# firewall-cmd --add-rich-rule='rule priority=-99 service name="ssh" log'
# firewall-cmd --add-rich-rule='rule priority=-98 service name="ssh" reject'

This results in the following:

# nft list chain inet firewalld filter_IN_public_pre
table inet firewalld {
        chain filter_IN_public_pre {
                ip saddr 10.1.1.0/24 tcp dport 22 ct state new,untracked accept
                tcp dport 22 ct state new,untracked log
                tcp dport 22 ct state new,untracked reject
        }
}

Compatibility

To maintain compatibility rich rules that have a priority == 0 or an absent priority will behave as they’ve done in the past. They’ll be sorted into the _log, _deny, and _allow chains based on their action.
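To make the placement rules concrete, here is an added Python model (not firewalld’s own code) of the chain assignment described above, including the compatibility rule for an absent priority, run over the use-case rules from this post. Its rich rule parser is a deliberate simplification, an assumption of this example: it extracts only the priority, the accept/reject/drop action and any log/audit element, and leaves the match text untouched.

```python
import re

PRIORITY_MIN, PRIORITY_MAX = -32768, 32767
# Jump order inside filter_IN_<zone>, matching the nft listing above.
JUMP_ORDER = ("_pre", "_log", "_deny", "_allow", "_post")
ACTION_SUFFIX = {"accept": "_allow", "reject": "_deny", "drop": "_deny"}


def parse_rich_rule(rule):
    """Minimal parser (assumption, not firewalld's): (priority, action, logs)."""
    m = re.search(r"\bpriority=(-?\d+)\b", rule)
    priority = int(m.group(1)) if m else 0          # absent priority behaves like 0
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
        raise ValueError(f"priority {priority} outside {PRIORITY_MIN}..{PRIORITY_MAX}")
    tokens = rule.split()
    action = next((t for t in tokens if t in ACTION_SUFFIX), None)
    logs = any(t in ("log", "audit") for t in tokens)
    if action is None and not logs:
        raise ValueError("rich rule needs an action or a log/audit element: " + rule)
    return priority, action, logs


def chain_suffixes(priority, action, logs):
    """Zone sub-chain(s) that receive the nft rules generated for one rich rule."""
    if priority != 0:                               # _pre/_post take any action type
        return ["_pre" if priority < 0 else "_post"]
    suffixes = ["_log"] if logs else []             # priority 0: split by element/action
    if action:
        suffixes.append(ACTION_SUFFIX[action])
    return suffixes


def place_rich_rules(zone, rules):
    """Group rules per chain, lowest priority value first inside each chain."""
    chains = {f"filter_IN_{zone}{s}": [] for s in JUMP_ORDER}
    for index, rule in enumerate(rules):
        priority, action, logs = parse_rich_rule(rule)
        for suffix in chain_suffixes(priority, action, logs):
            # Equal priorities are undefined in firewalld; insertion order is
            # only this model's tie-breaker, not something to rely on.
            chains[f"filter_IN_{zone}{suffix}"].append((priority, index, rule))
    return {name: [r for _, _, r in sorted(entries)] for name, entries in chains.items()}


def evaluation_order(zone, rules):
    """Flat list of rules in the order a packet traverses the zone's jumps."""
    placed = place_rich_rules(zone, rules)
    return [r for s in JUMP_ORDER for r in placed[f"filter_IN_{zone}{s}"]]
```

Feeding it the three ssh rules, the catch-all log rule and a priority-less mdns rule shows the ssh rules sorted into _pre, the mdns rule in _allow, and the log rule trailing in _post.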

When will they be available?

Rich rules with priority support will be available in the next minor firewalld release, which will most likely be v0.7.0. However, the feature may be backported to distributions that do that sort of thing.


firewalld 0.6.3 release

A new release of firewalld, version 0.6.3, is available.

This is a bug fix only release.

  • nftables: fix reject statement in “block” zone
  • shell-completion: bash: don’t check firewalld state
  • firewalld: fix --runtime-to-permanent if NM not in use
  • firewall-cmd: sort --list-protocols output
  • firewall-cmd: sort --list-services output
  • tests/regression/icmp_block_in_forward_chain: fix for newer nftables version
  • command: sort services/protocols in --list-all output
  • services: add audit
  • nftables: fix rich rule log/audit being added to wrong chain
  • tests/firewall-cmd: rich rule coverage for simple source/dest match
  • nftables: fix destination checks not allowing masks
  • firewall/core/io/*.py: Let SAX handle the encoding of XML files (#395)
  • fw_zone: expose _ipset_match_flags()
  • tests/firewall-cmd: exercise multiple interfaces and zones
  • fw_transaction: On clear zone transaction, must clear fw and other zones
  • Fix translating labels (#392)
  • tests/functions: fix macro to dump ipset

Source available here:


firewalld 0.6.2 release

A new release of firewalld, version 0.6.2, is available.

This is a bug fix only release.

  • nftables: fix log-denied with values other than “all” or “off”
  • fw_ipset: raise FirewallError if backend command fails
  • ipset: only use “-exist” on restore
  • fw_ipset: fix duplicate add of ipset entries
  • *tables: For opened ports/protocols/etc match ct state new,untracked
  • nftables: fix rich rules ports/protocols/source ports not considering ct state
  • ports: allow querying a single port added by range
  • fw_zone: fix services with multiple destination IP versions
  • fw_zone: consider destination for protocols
  • firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False
  • nftables: fix rich rule audit log
  • fw: if failure occurs during startup set state to FAILED
  • services/high-availability: open all 8 ports used knetd/corosync

Source available here:


firewalld 0.5.5 release

A new release of firewalld, version 0.5.5, is available.

This is a bug fix only release.

  • fw: if startup fails on reload, reapply non-perm config that survives reload
  • fw: If direct rules fail to apply add a “Direct” label to error msg
  • firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False
  • update translations

Source available here: