firewalld 0.8.1 release
A new release of firewalld, version 0.8.1, is available.
This is a bug fix only release.
- fix: CLI: service: also output helpers for service info
- fix: reload: let NM interface assignments override permanent config
- tests: support running in containers, “make check-container”
- tests: add integration tests, e.g. network-manager
Source available here:
- Tarball: firewalld-0.8.1.tar.gz
- SHA256: ae21e813e1a185335603fdd02a6df386ae0574f54b44a6f7d75b08c7ae30843b
- Complete changelog on github: 0.8.0 to 0.8.1
firewalld 0.8.0 release
A new release of firewalld, version 0.8.0, is available.
This is a feature release. It also includes all bug fixes since v0.7.0.
New features:
- nftables: convert to libnftables JSON interface
  This completely converts firewalld to using the libnftables JSON interface. Firewalld no longer makes calls to the nft binary. It drastically improves rule application times and reliability by applying rules in large transactions.
- service: new “helper” element to replace “module”
  More accurately represents the conntrack helper. Deprecates “module”.
- allow custom helpers using standard helper modules (rhbz 1733066)
- testsuite is now shipped in the dist tarball
Statistics since v0.7.0:
- 100 commits
- 74 files changed, 3593 insertions(+), 2163 deletions(-)
Source available here:
- Tarball: firewalld-0.8.0.tar.gz
- SHA256: a1835af972b0f3b6053ae6d8c63e24515d29de151f41b466ac0fd954cab60f1b
- Complete changelog on github: 0.7.0 to 0.8.0
firewalld 0.6.5 release
A new release of firewalld, version 0.6.5, is available.
This is a bug fix only release.
- fix: do not allow zone drifting
- fix: test/regression/gh258: add missing keyword for rhbz 1713823
- fix: rich rule destination with services
- fix: test/regression/pr323: skip if GRE module doesn’t exist
- fix: direct: removeRules() was mistakenly removing all rules
- Revert “fix: ipXtables: using “mangle” in zone not dependent on “nat””
- fix: guarantee zone source dispatch is sorted by zone name
- fix: nftables: fix zone dispatch using ipset sources in nat chains
- doc: add --default-config and --system-config
- fix: --add-masquerade should only affect ipv4
- fix: nftables: --forward-ports should only affect IPv4
- fix: direct: removeRules() not removing all rules in chain
- fix: allow custom helpers using standard helper modules
- fix: service: usage of helpers with '-' in name
- fix: Revert “ebtables: drop support for broute table”
- fix: ebtables: don’t use tables that aren’t available
- Change-interface can accept permanent option
Source available here:
- Tarball: firewalld-0.6.5.tar.gz
- SHA256: a2bbec0d8fed3bfc186f1ccc6b543dd94106f8cd431dd56a635272e431f54b91
- Complete changelog on github: 0.6.4 to 0.6.5
firewalld 0.7.2 release
A new release of firewalld, version 0.7.2, is available.
This is a bug fix only release.
- fix: direct: removeRules() was mistakenly removing all rules
- fix: guarantee zone source dispatch is sorted by zone name
- fix: nftables: fix zone dispatch using ipset sources in nat chains
- doc: add --default-config and --system-config
- fix: --add-masquerade should only affect ipv4
- fix: nftables: --forward-ports should only affect IPv4
- fix: direct: removeRules() not removing all rules in chain
- dbus: service: fix service includes individual APIs
- fix: allow custom helpers using standard helper modules
- fix: service: usage of helpers with '-' in name
- fix: Revert “ebtables: drop support for broute table”
- fix: ebtables: don’t use tables that aren’t available
- fix: fw: initialize _rfc3964_ipv4
Source available here:
- Tarball: firewalld-0.7.2.tar.gz
- SHA256: fbd1b72b3c4b4d0c20659f664b2ba36175364ffbb9cebf3bdfaf9b5e6983be77
- Complete changelog on github: 0.7.1 to 0.7.2
libnftables JSON
A future firewalld feature release (0.8.0) will contain a significant change to the nftables backend. In the past firewalld has always called the nft binary. As of git commit 1582c5dd736a firewalld will instead use the libnftables library. This is the same library that nft uses internally. All the communication with the library is through a thin python wrapper and uses structured JSON. This means firewalld never calls the nft binary.
Why it’s good
Outside of using structured JSON there are a couple other advantages:
- faster rule application
  firewalld used to make a call to nft for every rule. With libnftables it's now passing large blobs of JSON that can contain hundreds of rules. This reduces the number of round trips to the kernel and yields a significant performance improvement.
- no fork()ing
  Each call to nft would be a matter of forking a new process and waiting on the result. With libnftables there is no more forking.
- atomic transactions
  Internally firewalld builds a set of changes and attempts to apply them all at once. The old nft backend still had to call nft once for every rule, so this transaction wasn't atomic and there were small periods of time between the rules being applied. This time frame is small, but can cause real issues in some scenarios. With libnftables the rules are applied in an “all or nothing” manner: either they all take effect at once or not at all.
What it looks like
From the user's perspective nothing has changed, with the exception that firewalld now has a new dependency.
From a developer's point of view rule generation looks quite different. Instead of building strings identical to the nft CLI syntax, firewalld needs to generate a python dictionary containing other dictionaries and lists. This is then converted to JSON before being passed to libnftables.
For example, the following is a rule as it was built before libnftables (a format string expanded with the table name and chain):

```python
"add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT")
```
And here is the equivalent python dictionary:

```python
{"add": {"rule": {"family": "inet",
                  "table": TABLE_NAME,
                  "chain": "filter_%s" % "INPUT",
                  "expr": [{"match": {"left": {"ct": {"key": "state"}},
                                      "op": "in",
                                      "right": {"set": ["established", "related"]}}},
                           {"accept": None}]}}}
```
It is definitely more verbose, but the nested dictionaries are easier to work with.
You can learn more about libnftables JSON by reading the man page libnftables-json(5). It covers the basics and the full syntax.
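As an added example (not firewalld's own code), the following shows how rules in the dictionary form above are assembled into one libnftables JSON transaction, serialized, and handed to the python-nftables wrapper. It also shows the batching and all-or-nothing point from “Why it’s good”: every command in the top-level "nftables" array goes to the kernel in a single transaction. The table name, the `ct_state_rule` / `build_transaction` helpers and the sample rules are assumptions made for illustration; `nftables.Nftables().json_cmd()` is the wrapper's real entry point, but that step needs the nftables python module and root, so everything else is written to run offline.

```python
import json

# Constructed for this example; firewalld's real table name is not taken from the page.
TABLE_NAME = "firewalld_example"


def ct_state_rule(chain, states, verdict="accept"):
    """Build one libnftables JSON 'add rule' command in the shape shown above.

    The rule matches packets whose conntrack state is in `states` and applies
    `verdict` (accept or drop). Compare with the old string form:
    "add rule inet <table> filter_<chain> ct state established,related accept".
    """
    if verdict not in ("accept", "drop"):
        raise ValueError("unsupported verdict: %r" % (verdict,))
    return {
        "add": {
            "rule": {
                "family": "inet",
                "table": TABLE_NAME,
                "chain": "filter_%s" % chain,
                "expr": [
                    {"match": {"left": {"ct": {"key": "state"}},
                               "op": "in",
                               "right": {"set": list(states)}}},
                    {verdict: None},
                ],
            }
        }
    }


def build_transaction(commands):
    """Wrap commands in the top-level object libnftables expects.

    Everything in the "nftables" array is applied as one transaction, which is
    what gives the all-or-nothing behaviour described under "Why it's good".
    """
    return {"nftables": list(commands)}


def to_json(transaction):
    """Serialize the transaction as it would be passed to libnftables."""
    return json.dumps(transaction)


def roundtrips(transaction):
    """Cheap sanity check: the structure survives a JSON round trip unchanged,
    so nothing non-serializable (e.g. a Python set object) slipped into a rule."""
    return json.loads(to_json(transaction)) == transaction


def apply_transaction(transaction):
    """Hand the transaction to libnftables through the python-nftables wrapper.

    Needs the nftables python module (nftables >= 0.9.3 built with
    --with-python --with-json) and root privileges; returns the (rc, output,
    error) tuple from json_cmd. Not exercised offline.
    """
    import nftables  # shipped with the nftables package, not part of this example
    nft = nftables.Nftables()
    nft.set_json_output(True)
    return nft.json_cmd(transaction)


if __name__ == "__main__":
    tx = build_transaction([
        ct_state_rule("INPUT", ["established", "related"]),
        ct_state_rule("INPUT", ["invalid"], verdict="drop"),
    ])
    print(to_json(tx))
```

Running the script prints the JSON document that would be passed to libnftables; with the nftables python module present and root privileges, `apply_transaction(tx)` applies both rules in one transaction, so either both land in the chain or neither does.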
python-nftables
As briefly mentioned above, firewalld uses a thin python wrapper around libnftables. This is shipped with the nftables package and is being referred to as python-nftables by the firewalld developers.
Requirements
Short answer: nftables >= 0.9.3
Long answer:
With this change firewalld has new dependencies: libnftables and python-nftables. Currently both libnftables and python-nftables are shipped with the standard nftables package. Distribution packagers shouldn't have to change much. It really amounts to calling the nftables configure script with --with-python --with-json.
libnftables has been around for a while, but due to bug fixes and other changes the firewalld developers are claiming the libnftables backend only works with nftables >= 0.9.3.