firewalld 0.6.5 release
A new release of firewalld, version 0.6.5, is available.
This is a bug fix only release.
- fix: do not allow zone drifting
- fix: test/regression/gh258: add missing keyword for rhbz 1713823
- fix: rich rule destination with services
- fix: test/regression/pr323: skip if GRE module doesn't exist
- fix: direct: removeRules() was mistakenly removing all rules
- Revert "fix: ipXtables: using "mangle" in zone not dependent on "nat""
- fix: guarantee zone source dispatch is sorted by zone name
- fix: nftables: fix zone dispatch using ipset sources in nat chains
- doc: add --default-config and --system-config
- fix: --add-masquerade should only affect ipv4
- fix: nftables: --forward-ports should only affect IPv4
- fix: direct: removeRules() not removing all rules in chain
- fix: allow custom helpers using standard helper modules
- fix: service: usage of helpers with '-' in name
- fix: Revert "ebtables: drop support for broute table"
- fix: ebtables: don't use tables that aren't available
- Change-interface can accept permanent option
Source available here:
- Tarball: firewalld-0.6.5.tar.gz
- SHA256: a2bbec0d8fed3bfc186f1ccc6b543dd94106f8cd431dd56a635272e431f54b91
- Complete changelog on github: 0.6.4 to 0.6.5
firewalld 0.7.2 release
A new release of firewalld, version 0.7.2, is available.
This is a bug fix only release.
- fix: direct: removeRules() was mistakenly removing all rules
- fix: guarantee zone source dispatch is sorted by zone name
- fix: nftables: fix zone dispatch using ipset sources in nat chains
- doc: add --default-config and --system-config
- fix: --add-masquerade should only affect ipv4
- fix: nftables: --forward-ports should only affect IPv4
- fix: direct: removeRules() not removing all rules in chain
- dbus: service: fix service includes individual APIs
- fix: allow custom helpers using standard helper modules
- fix: service: usage of helpers with '-' in name
- fix: Revert "ebtables: drop support for broute table"
- fix: ebtables: don't use tables that aren't available
- fix: fw: initialize _rfc3964_ipv4
Source available here:
- Tarball: firewalld-0.7.2.tar.gz
- SHA256: fbd1b72b3c4b4d0c20659f664b2ba36175364ffbb9cebf3bdfaf9b5e6983be77
- Complete changelog on github: 0.7.1 to 0.7.2
libnftables JSON
A future firewalld feature release (0.8.0) will contain a significant change to
the nftables backend. In the past firewalld has always called the nft
binary.
As of git commit 1582c5dd736a firewalld will instead use the libnftables library. This is the same library that nft uses internally. All communication with the library goes through a thin python wrapper and uses structured JSON. This means firewalld never calls the nft binary.
Why it's good
Outside of using structured JSON there are a couple other advantages:
- faster rule application
  firewalld used to make a call to nft for every rule. With libnftables it's now passing large blobs of JSON that can contain hundreds of rules. This reduces the number of round trips to the kernel and yields a significant performance improvement.
- no fork()ing
  Each call to nft would be a matter of forking a new process and waiting on the result. With libnftables there is no more forking.
- atomic transactions
  Internally firewalld builds a set of changes and attempts to apply them all at once. The old nft backend still had to call nft once for every rule, so this transaction wasn't atomic and there were small periods of time between the rules being applied. This time frame is small, but can cause real issues in some scenarios. With libnftables the rules are applied in an "all or nothing" manner. Either they all take effect at once or not at all.
What it looks like
From the user's perspective nothing has changed, with the exception that firewalld now has a new dependency.
From a developer's point of view rule generation looks quite different. Instead of building strings that are identical to the nft CLI, firewalld needs to generate a python dictionary containing other dictionaries and lists. This is then converted to JSON before being passed to libnftables.
For example, here is a rule from before libnftables:
"add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT")
And here is the equivalent python dictionary.
{"add": {"rule": {"family": "inet",
                  "table": TABLE_NAME,
                  "chain": "filter_%s" % "INPUT",
                  "expr": [{"match": {"left": {"ct": {"key": "state"}},
                                      "op": "in",
                                      "right": {"set": ["established", "related"]}}},
                           {"accept": None}]}}}
It is definitely more verbose, but the nested dictionaries are easier to work with.
You can learn more about libnftables JSON by reading the man page libnftables-json(5). It covers the basics and the full syntax.
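To make the string-versus-dictionary comparison concrete, here is an added example (not firewalld's own code) that builds the rule above as a python dictionary, collects several such rules into the single JSON batch that libnftables applies as one atomic transaction, and renders the dictionary back into nft CLI syntax so the two forms can be checked against each other. It assumes TABLE_NAME is "firewalld" and only understands the two constructs the post shows (a ct state match and an accept verdict); the python-nftables call it would hand the batch to is named in a comment but not executed, so the example runs offline and without privileges.

```python
"""Build libnftables-style JSON rules for a firewalld-like table.

Added example, not firewalld's own code. Assumes TABLE_NAME = "firewalld"
and supports only the constructs shown in the post: a 'ct state' match
and an 'accept' verdict.
"""
import json

TABLE_NAME = "firewalld"  # assumption: name of the inet table firewalld creates


def ct_state_rule(chain, states=("established", "related")):
    """Dictionary equivalent of the old string
    'add rule inet <TABLE_NAME> filter_<chain> ct state established,related accept'."""
    return {"add": {"rule": {
        "family": "inet",
        "table": TABLE_NAME,
        "chain": "filter_%s" % chain,
        "expr": [
            {"match": {"left": {"ct": {"key": "state"}},
                       "op": "in",
                       "right": {"set": list(states)}}},
            {"accept": None},
        ],
    }}}


def to_nft_string(cmd):
    """Render the limited dictionary shape above back into nft CLI syntax so
    the two representations can be compared. Raises ValueError for anything
    this toy renderer does not know about."""
    (verb, obj), = cmd.items()
    (kind, rule), = obj.items()
    if verb != "add" or kind != "rule":
        raise ValueError("only 'add rule' is supported")
    parts = [verb, kind, rule["family"], rule["table"], rule["chain"]]
    for expr in rule["expr"]:
        if "match" in expr:
            m = expr["match"]
            if m["op"] != "in" or "ct" not in m["left"] or "set" not in m["right"]:
                raise ValueError("unsupported match: %r" % m)
            parts.append("ct %s %s" % (m["left"]["ct"]["key"],
                                       ",".join(m["right"]["set"])))
        elif "accept" in expr:
            parts.append("accept")
        else:
            raise ValueError("unsupported expression: %r" % expr)
    return " ".join(parts)


def build_batch(chains):
    """One top-level object holding every command. libnftables applies the
    whole list as a single transaction: all rules take effect or none do,
    instead of one nft process per rule."""
    return {"nftables": [ct_state_rule(c) for c in chains]}


def serialize(batch):
    """The JSON text libnftables sees on the wire. With python-nftables the
    dictionary itself is passed, e.g. nftables.Nftables().json_cmd(batch);
    that call is deliberately not made here."""
    return json.dumps(batch)


if __name__ == "__main__":
    batch = build_batch(["INPUT", "FORWARD"])
    for cmd in batch["nftables"]:
        print(to_nft_string(cmd))
    print(serialize(batch))
```

Running it prints the two rules in nft syntax followed by the JSON blob that would replace two separate nft invocations; extending `to_nft_string` to other expression types is left to the reader, since the full grammar is what libnftables-json(5) documents.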
python-nftables
As briefly mentioned above, firewalld uses a thin python wrapper around libnftables. This is shipped with the nftables package and is being referred to as python-nftables by the firewalld developers.
Requirements
Short answer: nftables >= 0.9.3
Long answer:
With this change firewalld has new dependencies: libnftables and python-nftables. Currently both libnftables and python-nftables are shipped with the standard nftables package. Distribution packagers shouldn't have to change much. It really amounts to calling the nftables configure script with --with-python --with-json.
libnftables has been around for a while, but due to bug fixes and other changes the firewalld developers are claiming the libnftables backend only works with nftables >= 0.9.3.
firewalld 0.7.1 release
A new release of firewalld, version 0.7.1, is available.
This is a bug fix only release.
- fix: firewall-offline-cmd: service: use dict based APIs
- fix: client: service: use dict based dbus APIs
- fix: dbus: new dict based APIs for services
- fix: dbus: add missing APIs for service includes
- fix: dbus: fix service API break
- fix: CLI: show service includes with --info-service
Source available here:
- Tarball: firewalld-0.7.1.tar.gz
- SHA256: 88bc63a011209ac046fb5d7bfc73ddcc0bc616ddf3013bbb6bf1a421cb497f76
- Complete changelog on github: 0.7.0 to 0.7.1
firewalld 0.7.0 release
A new release of firewalld, version 0.7.0, is available.
This is a feature release. It also includes all bug fixes since v0.6.0.
New features:
- Rich Rule Priorities
- Service Definition Includes
  Service definitions can now include lines like <include service="https"/> which will include all the ports, etc. from the https service.
- RFC3964 IPv4 filtering
  A new option RFC3964_IPv4 in firewalld.conf is available. It does filtering based on RFC3964 in regards to IPv4 addresses. This functionality was traditionally in network-scripts.
- FlushAllOnReload
  A new option FlushAllOnReload in firewalld.conf is available. Older releases retained some settings (direct rules, interface to zone assignments) during a --reload. With the introduction of this configuration option that is no longer the case. Old behavior can be restored by setting FlushAllOnReload=no.
- 15 new service definitions
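As an added illustration of the service include feature (a constructed file, not one shipped with firewalld), here is a hypothetical custom service named example-webapp that pulls in everything from the built-in https service and adds one extra port. It would be saved as /etc/firewalld/services/example-webapp.xml and loaded after a reload.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not a service definition shipped with firewalld.
     Hypothetical service "example-webapp": all ports of the built-in
     https service plus an extra admin port. -->
<service>
  <short>example-webapp</short>
  <description>Constructed example of a service definition that uses an include.</description>
  <include service="https"/>
  <port protocol="tcp" port="8443"/>
</service>
```

Because the https service is included by reference rather than copied, any later change to the built-in https definition is picked up by example-webapp automatically; only the ports specific to this service need to be listed explicitly.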
Statistics since v0.6.0:
- 266 commits
- 111 files changed, 4752 insertions(+), 1986 deletions(-)
Source available here:
- Tarball: firewalld-0.7.0.tar.gz
- SHA256: da872394ecdc6584fbcefb8044a9a5492f9a3176e864e31b3b082d0b79e5e755
Note: This release tarball was updated due to missing distfiles. Old hash was bef3e555d99fba51487095e6977aed7cfd582a7ab8505e6d7335e6e833ea42a1.
- Complete changelog on github: 0.6.0 to 0.7.0