firewalld 0.6.0 release

A new release of firewalld, version 0.6.0, is available.

This is a large feature release. Some new features warrant a separate blog post. As such, the release is only summarized here.

User facing features:

  • nftables backend
    This is the new default for all of firewalld’s abstractions. The direct interface still supports iptables, ip6tables, and ebtables. The backend is configurable via FirewallBackend in /etc/firewalld/firewalld.conf; valid values are nftables and iptables.
  • new services
    apcupsd, cockpit, distcc, etcd, finger, iSNS, llmnr, matrix, mqtt, nut, plex, rtsp, salt-master, samba-dc, slp, steam, subversion, svdrp, wbem-http, wsman
  • updated translations

A lot of development time was spent on improving continuous integration and sanity checks to give confidence in new code changes and contributions from others. This is reflected below in the list of developer focused improvements.

Developer focused improvements:

  • lots of code refactoring to abstract firewall backend
  • flake8 source code checking
  • better debug output on exceptions (tracebacks)
  • testsuite runs inside network namespaces
  • improved testsuite coverage

New dependencies for nftables backend:

  • nftables >= 0.9.0
  • linux >= 4.18

While most of the nftables backend will function with earlier versions of nftables and Linux, it is not recommended. Many bugs were found and fixed in these packages while firewalld’s nftables backend was being developed. Some examples are: iptables and nftables NAT coexistence, nftables AUDIT support, and nftables set ranges with timeouts.
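As an added example (not part of the firewalld release or its tooling), this preflight script reads FirewallBackend from a firewalld.conf file and checks the kernel and nftables versions against the minimums listed above. The function names, exit codes and the --live flag are assumptions of this example, as is treating an absent FirewallBackend key as nftables.

```shell
#!/bin/sh
# Added example: preflight check for firewalld's nftables backend minimums.
MIN_KERNEL=4.18   # from the release notes: linux >= 4.18
MIN_NFT=0.9.0     # from the release notes: nftables >= 0.9.0

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically (so 4.9 < 4.18) and ignoring suffixes like "-80.el8".
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# backend_from_conf FILE: print the FirewallBackend value; an absent or
# commented-out key is treated as nftables (assumption: the stated default).
backend_from_conf() {
    v=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-nftables}"
}

# preflight CONF KERNEL NFT: 0 = supported, 1 = below minimums, 2 = bad value.
preflight() {
    backend=$(backend_from_conf "$1")
    case $backend in
        iptables) echo "backend=iptables: nftables minimums do not apply"; return 0 ;;
        nftables) ;;
        *) echo "backend=$backend: not a valid FirewallBackend value"; return 2 ;;
    esac
    rc=0
    version_ge "${2:-0}" "$MIN_KERNEL" || { echo "kernel ${2:-unknown} < $MIN_KERNEL"; rc=1; }
    version_ge "${3:-0}" "$MIN_NFT" || { echo "nftables ${3:-not found} < $MIN_NFT"; rc=1; }
    [ "$rc" -eq 0 ] && echo "backend=nftables: kernel $2, nftables $3 meet the minimums"
    return "$rc"
}

# Check the running host only when invoked with --live (hypothetical flag).
if [ "${1:-}" = "--live" ]; then
    preflight /etc/firewalld/firewalld.conf "$(uname -r)" \
        "$(nft --version 2>/dev/null | sed -n 's/^nftables v\([0-9.]*\).*/\1/p')"
fi
```

A host that fails the check can either upgrade the kernel and nftables or set FirewallBackend to iptables.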


Source available here:


firewalld 0.5.3 release

A new release of firewalld, version 0.5.3, is available.

This is a bug fix only release.

  • fix ICMP block not being present in FORWARD chain
  • allow adding entries to ipsets with timeout as indicated by firewall-cmd man page
  • add service gre with proto-gre helper to allow conntracked GRE

Source available here:


firewalld 0.5.2 release

A new release of firewalld, version 0.5.2, is available.

This is a bug fix only release.

  • fix rule deduplication causing accidental removal of rules
  • log failure to parse direct rules xml as an error
  • firewall-config: Break infinite loop when firewalld is not running
  • fix set-log-denied not taking effect
  • po: update translations

Source available here:


firewalld 0.5.1 release

A new release of firewalld, version 0.5.1, is available.

This is a bug fix only release.

  • ipXtables: fix iptables-restore wait option detection
  • python3 compatibility fixes
  • ebtables: fix missing default value to set_rule()
  • fw_zone: fix invalid reference to __icmp_block_inversion

Source available here:


firewalld 0.5.0 release

A new release of firewalld, version 0.5.0, is available.

This release is significant because it deprecates the firewallctl command. This secondary CLI is a fair maintenance burden and doesn’t provide anything useful over firewall-cmd other than aesthetics.

Regarding developer-related changes, firewalld has gained autotest support. Now you can do a “make check” to run the testsuite. This has been integrated with travis-ci so every push to master and every PR automatically runs the testsuite.

Major changes

  • firewallctl: mark deprecated (#261)
  • new test framework with travis-ci integration
  • SUSE ifcfg support

New services

  • nmea-0183
  • syncthing
  • mongoDB
  • upnp

Source available here: