@erig0 erig0 released this Oct 11, 2018 · 121 commits to master since this release


This is a bug fix only release.

  • nftables: fix reject statement in "block" zone
  • shell-completion: bash: don't check firewalld state
  • firewalld: fix --runtime-to-permanent if NM not in use.
  • firewall-cmd: sort --list-protocols output
  • firewall-cmd: sort --list-services output
  • tests/regression/icmp_block_in_forward_chain: fix for newer nftables version
  • command: sort services/protocols in --list-all output
  • services: add audit
  • nftables: fix rich rule log/audit being added to wrong chain
  • tests/firewall-cmd: rich rule coverage for simple source/dest match
  • nftables: fix destination checks not allowing masks
  • firewall/core/io/*.py: Let SAX handle the encoding of XML files (#395)
  • fw_zone: expose _ipset_match_flags()
  • tests/firewall-cmd: exercise multiple interfaces and zones
  • fw_transaction: On clear zone transaction, must clear fw and other zones
  • Fix translating labels (#392)
  • tests/functions: fix macro to dump ipset

@erig0 erig0 released this Sep 19, 2018 · 121 commits to master since this release


This is a bug fix only release.

  • nftables: fix log-denied with values other than "all" or "off"
  • fw_ipset: raise FirewallError if backend command fails
  • ipset: only use "-exist" on restore
  • fw_ipset: fix duplicate add of ipset entries
  • *tables: For opened ports/protocols/etc match ct state new,untracked
  • nftables: fix rich rules ports/protocols/source ports not considering ct state
  • ports: allow querying a single port added by range
  • fw_zone: fix services with multiple destination IP versions
  • fw_zone: consider destination for protocols
  • firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False
  • nftables: fix rich rule audit log
  • fw: if failure occurs during startup set state to FAILED
  • services/high-availability: open all 8 ports used by knetd/corosync

@erig0 erig0 released this Sep 13, 2018 · 336 commits to master since this release


This is a bug fix only release.

  • fw: if startup fails on reload, reapply non-perm config that survives reload
  • fw: If direct rules fail to apply add a "Direct" label to error msg
  • firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False
  • update translations

@erig0 erig0 released this Aug 16, 2018 · 336 commits to master since this release


This is a bug fix only release.

  • update translations
  • fw: if failure occurs during startup set state to FAILED
  • fw_direct: avoid log for untracked passthrough queries
  • firewall-config: fix some untranslated strings
  • Rich Rule Masquerade inverted source-destination in Forward Chain
  • don't forward interface to zone requests to NM for generated interfaces
  • firewall-cmd: add --check-config option
  • firewall-offline-cmd: add --check-config option
  • ipset: check type when parsing ipset definition
  • firewall-config: Add ipv6-icmp to the protocol dropdown box
  • core: logger: Remove world-readable bit from logfile
  • IPv6 rpfilter: explicitly allow neighbor solicitation

@erig0 erig0 released this Aug 9, 2018 · 121 commits to master since this release


This is a bug fix only release.

  • Correct source/destination in rich rule masquerade
  • Only modify ifcfg files for permanent configuration changes
  • Fix a backtrace when calling common_reverse_rule()
  • man firewalld.conf: Show nftables is the default FirewallBackend
  • firewall-config: fix some untranslated strings that caused a UI bug preventing rich rules from being modified
  • services/steam-streaming: replace unicode quotation with ASCII apostrophe
  • fw_direct: avoid log for untracked passthrough queries
  • fix many issues when iptables is actually iptables-nft
  • Use preferred location for AppData files
  • ipXtables: fix ICMP block inversion with set-log-denied
  • fix ICMP block inversion with set-log-denied when IndividualCalls=yes
  • nftables: fix set-log-denied if target is not ACCEPT
  • fw_direct: strip _direct chain suffix if using nftables

Improved interactions with NetworkManager:

  • For generated NetworkManager connections, don't forward request to NetworkManager
  • For non-permanent interface to zone assignments don't involve NetworkManager
  • Query NetworkManager for permanent interface assignments

Testsuite fixes:

  • tests/functions: Remove bashism
  • installcheck: pass PYTHON to testsuite, fixes python tests on distro with mixed python versions
  • testsuite: avoid multiple inclusion warning
  • testsuite: Only enable debug output if testsuite ran with debug flag

@erig0 erig0 released this Jul 6, 2018 · 121 commits to master since this release


This is a large release with the updates below.

User features:

  • nftables backend
    This is the new default for all of firewalld's abstractions. The direct interface still supports iptables, ip6tables, and ebtables. It is configurable via FirewallBackend in /etc/firewalld.conf; valid values are nftables and iptables.
  • new services: iSNS, mqtt, slp, distcc, salt-master, wsman, finger, nut, svdrp, subversion, apcupsd, etcd, wbem-http, llmnr, rtsp, cockpit, steam, samba-dc, matrix, plex
  • updated translations

Developer features:

  • flake8 source code checking
  • better debug output (tracebacks)
  • various testsuite improvements

New requirements:

  • kernel >= 4.18
  • nftables >= 4.9.0
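The FirewallBackend setting and the kernel >= 4.18 requirement described in this release, as an added example (not firewalld's own code): a POSIX shell check that reads a firewalld.conf-style file, defaults to nftables when the key is absent, rejects any value other than nftables or iptables, and compares a kernel version string against the requirement. The sample config files, the function names and the version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not firewalld project code: validate the FirewallBackend
# setting and the kernel requirement stated in these release notes.

# Print the effective backend for a firewalld.conf-style file ($1).
# nftables is the default when the key is absent; only "nftables" and
# "iptables" are valid. Returns 1 for any other value.
firewall_backend_of() {
    value=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$1" |
            tail -n 1 | tr -d '[:space:]')
    value=${value:-nftables}
    case "$value" in
        nftables|iptables) printf '%s\n' "$value" ;;
        *) printf 'invalid FirewallBackend: %s\n' "$value" >&2; return 1 ;;
    esac
}
# Return 0 if dotted version $1 >= $2; a suffix such as "-80" or "-generic" is ignored.
version_ge() {
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*//')."
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*//')."
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # ran out of fields: versions equal
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# Combine both checks: the nftables backend additionally needs kernel >= 4.18.
# $2 is the kernel version string (e.g. from uname -r). Returns 1 if unusable.
check_backend() {
    backend=$(firewall_backend_of "$1") || return 1
    if [ "$backend" = nftables ] && ! version_ge "$2" 4.18; then
        printf 'kernel %s is too old for the nftables backend (need >= 4.18)\n' "$2"
        return 1
    fi
    printf 'ok: %s backend\n' "$backend"
}

# Constructed sample configurations (not real system files).
SAMPLE_DIR=$(mktemp -d)
printf 'DefaultZone=public\nFirewallBackend=iptables\n' > "$SAMPLE_DIR/iptables.conf"
printf 'DefaultZone=public\n# FirewallBackend left unset\n' > "$SAMPLE_DIR/unset.conf"
printf 'FirewallBackend=ebtables\n' > "$SAMPLE_DIR/bad.conf"

check_backend "$SAMPLE_DIR/unset.conf" "$(uname -r)" || true   # result depends on this kernel
```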

@erig0 erig0 released this May 11, 2018 · 336 commits to master since this release


This is a bug fix only release.

  • fix ICMP block not being present in FORWARD chain
  • allow adding entries to ipsets with timeout as indicated by firewall-cmd man page
  • add service gre with proto-gre helper to allow conntracked GRE

Pre-release

@erig0 erig0 released this May 1, 2018 · 202 commits to master since this release


Warning: This is an alpha release!

This is a large release with the updates below.

User features:

  • nftables backend
    This is the new default for all of firewalld's abstractions. The direct interface still supports iptables, ip6tables, and ebtables. It is configurable via FirewallBackend in /etc/firewalld.conf; valid values are nftables and iptables. There are a few known issues as noted in commit b630abd.
  • new services: iSNS, mqtt, slp, distcc, salt-master, wsman, finger, nut, svdrp, subversion, apcupsd, etcd, wbem-http, llmnr
  • updated translations

Developer features:

  • flake8 source code checking
  • better debug output (tracebacks)
  • various testsuite improvements

@erig0 erig0 released this Mar 13, 2018 · 336 commits to master since this release


This is a bug fix only release.

  • fix rule deduplication causing accidental removal of rules
  • log failure to parse direct rules xml as an error
  • firewall-config: Break infinite loop when firewalld is not running
  • fix set-log-denied not taking effect
  • po: update translations

@erig0 erig0 released this Jan 30, 2018 · 336 commits to master since this release


This is a bug fix only release.

  • ipXtables: fix iptables-restore wait option detection
  • python3 compatibility fixes
  • ebtables: fix missing default value to set_rule()
  • fw_zone: fix invalid reference to __icmp_block_inversion