firewalld 0.8.1 release

Jan 7, 2020 • Eric Garver

A new release of firewalld, version 0.8.1, is available.

This is a big fix only release.

fix: CLI: service: also output helpers for service info
fix: reload: let NM interface assignments override permanent config
tests: support running in containers, “make check-container”
tests: add integration tests, e.g. network-manager

Source available here:

Tarball: firewalld-0.8.1.tar.gz
SHA256: ae21e813e1a185335603fdd02a6df386ae0574f54b44a6f7d75b08c7ae30843b
Complete changelog on github: 0.8.0 to 0.8.1

firewalld 0.8.0 release

Nov 5, 2019 • Eric Garver

A new release of firewalld, version 0.8.0, is available.

This is a feature release. It also includes all bug fixes since v0.7.0.

New features:

nftables: convert to libnftables JSON interface This completely converts firewalld to using the libnftables JSON interface. Firewalld no longer makes calls to the nft binary. It drastically improves rule application times and reliability by applying rules in large transactions.
service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”.
allow custom helpers using standard helper modules (rhbz 1733066)
testsuite is now shipped in the dist tarball

Statistics since v0.7.0:

100 commits
74 files changed, 3593 insertions(+), 2163 deletions(-)

Source available here:

Tarball: firewalld-0.8.0.tar.gz
SHA256: a1835af972b0f3b6053ae6d8c63e24515d29de151f41b466ac0fd954cab60f1b
Complete changelog on github: 0.7.0 to 0.8.0

firewalld 0.6.5 release

Oct 1, 2019 • Eric Garver

A new release of firewalld, version 0.6.5, is available.

This is a bug fix only release.

fix: do not allow zone drifting
fix: test/regression/gh258: add missing keyword for rhbz 1713823
fix: rich rule destination with services
fix: test/regression/pr323: skip if GRE module doesn’t exist
fix: direct: removeRules() was mistakenly removing all rules
Revert “fix: ipXtables: using “mangle” in zone not dependent on “nat””
fix: guarantee zone source dispatch is sorted by zone name
fix: nftables: fix zone dispatch using ipset sources in nat chains
doc: add –default-config and –system-config
fix: –add-masquerade should only affect ipv4
fix: nftables: –forward-ports should only affect IPv4
fix: direct: removeRules() not removing all rules in chain
fix: allow custom helpers using standard helper modules
fix: service: usage of helpers with ‘-‘ in name
fix: Revert “ebtables: drop support for broute table”
fix: ebtables: don’t use tables that aren’t available
Change-interface can accept permanent option

Source available here:

Tarball: firewalld-0.6.5.tar.gz
SHA256: a2bbec0d8fed3bfc186f1ccc6b543dd94106f8cd431dd56a635272e431f54b91
Complete changelog on github: 0.6.4 to 0.6.5

firewalld 0.7.2 release

Oct 1, 2019 • Eric Garver

A new release of firewalld, version 0.7.2, is available.

This is a bug fix only release.

fix: direct: removeRules() was mistakenly removing all rules
fix: guarantee zone source dispatch is sorted by zone name
fix: nftables: fix zone dispatch using ipset sources in nat chains
doc: add –default-config and –system-config
fix: –add-masquerade should only affect ipv4
fix: nftables: –forward-ports should only affect IPv4
fix: direct: removeRules() not removing all rules in chain
dbus: service: fix service includes individual APIs
fix: allow custom helpers using standard helper modules
fix: service: usage of helpers with ‘-‘ in name
fix: Revert “ebtables: drop support for broute table”
fix: ebtables: don’t use tables that aren’t available
fix: fw: initialize _rfc3964_ipv4

Source available here:

Tarball: firewalld-0.7.2.tar.gz
SHA256: fbd1b72b3c4b4d0c20659f664b2ba36175364ffbb9cebf3bdfaf9b5e6983be77
Complete changelog on github: 0.7.1 to 0.7.2

libnftables JSON

Sep 13, 2019 • Eric Garver

A future firewalld feature release (0.8.0) will contain a significant change to the nftables backend. In the past firewalld has always called the nft binary. As of git commit 1582c5dd736a firewalld will instead use the libnftables library. This is the same library that nft uses internally. All the communication with the library is a through a thin python wrapper and uses structured JSON. This means firewalld never calls the nft binary.

Why it’s good

Outside of using structured JSON there are a couple other advantages:

faster rule application
firewalld used to make a call to nft for every rule. With libnftables it’s now passing large blobs of JSON that can contain hundreds of rules. This reduces the numbers of round trips to the kernel and yields a significant performance improvement.
no fork()ing
Each call to nft would be a matter of forking a new process and waiting on the result. With libnftables there is no more forking.
atomic transactions
Internally firewalld builds a set of changes and attempts to apply them all at once. The old nft backend still had to call nft once for every rule so this transaction wasn’t atomic and there were small periods of time between the rules being applied. This time frame is small, but can cause real issues in some scenarios. With libnftables the rules are applied in an “all or nothing” manner. Either they all take effect at once or not at all.

What it looks like

From the user’s perspective nothing has changed. With the exception that firewalld now has a new dependency.

From a developer’s point of view rule generation looks quite different. Instead of building strings that are identical to the nft CLI firewalld needs to generate a python dictionary containing other dictionaries and lists. This will then be converted to JSON before being passed to libnftables.

For example the following is an example rule from before libnftables.

"add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT"))

And here is the equivalent python dictionary.

{"add": {"rule":  {"family": "inet",
                   "table": TABLE_NAME,
                   "chain": "filter_%s" % "INPUT",
                   "expr": [{"match": {"left": {"ct": {"key": "state"}},
                                       "op": "in",
                                       "right": {"set": ["established", "related"]}}},
                            {"accept": None}]}}}

It’s a definitely more verbose, but the nested dictionaries are easier to work with.

You can learn more about libnftables JSON by reading the man page libnftables-json(5). It covers the basics and the full syntax.

python-nftables

As briefly mentioned above, firewalld uses a thin python wrapper around libnftables. This is shipped with the nftables package and is being referred to as python-nftables by the firewalld developers.

Requirements

Short answer: nftables >= 0.9.3

Long answer:

With this change firewalld has new dependencies; libnftables, and python-nftables. Currently both libnftables and python-nftables are shipped with the standard nftables package. Distribution packagers shouldn’t have to change much. It really amounts to calling the nftables configure script with --with-python --with-json.

libnftables has been around for awhile, but due to bug fixes and other changes the firewalld developers are claiming the libnftables backend only works with nftables >= 0.9.3.