Hello,
the firewalld version 0.4.0 will be released soon now.
These are the highlights of the 0.4.0 release:
- Speedups by using the {ip|ip6|eb}tables restore commands.
- Source MAC support for source bindings and in rich rules.
- ipset support for source bindings and in rich rules.
- Several bug fixes and other enhancements.
- Some doc changes.
- firewall-applet has been extended to support the complete functionality of the old gtk applet with an additional config file /etc/firewall/applet.conf to store global defaults.
Please give it a try and report bugs you are running into.
You can clone the GIT tree from github: https://github.com/t-woerner/firewalld.git or you can download a zip file at https://github.com/t-woerner/firewalld.
To create a test rpm for Fedora from the (GIT) tree use the command "./autogen.sh && make test-rpm" in the top firewalld directory.
On Fedora you will also need the latest selinux-policy update to allow the use of the restore commands with input created by firewalld:
F-24: http://koji.fedoraproject.org/koji/buildinfo?buildID=705822
F-23: http://koji.fedoraproject.org/koji/buildinfo?buildID=705823
F-22: http://koji.fedoraproject.org/koji/buildinfo?buildID=705824
You will most likely need to update these packages: selinux-policy, selinux-policy-devel, selinux-policy-sandbox and selinux-policy-targeted
If the use of the {ip,ip6,eb}tables-restore commands is not working for you, then you can set IndividualCalls=yes in the firewalld.conf file in /etc/firewalld. This is also good for debugging. The use of the -restore commands has a down-side: The locks for xtables and ebtables are not used by the -restore commands.
Regards,
Thomas
Here is the complete list of changes:
- firewalld: Fixed 'pid_file' referenced before assignment (RHBZ#1233232)
- Fix typos in firewall-cmd helptext
- firewall-applet: Fix Ok button sensitivity in dialogs
- firewall-applet: Fix blink, blink-count and show-inactive settings
- firewall-applet: Enable global applet settings, reload user settings if changed
- firewall-applet: Added shields up/down handling and editor
- firewall-applet: Reworked about dialog to have a more common look
- config/applet.conf: Added defaults for shields-up/down, fixed blink default
- doc/xml/firewall-applet.xml: Adaption to new firewall-applet version
- config/xmlschema*.xsd: No fixed order of items in xml config files
- config/xmlschema/check.sh: Enhance flow and error handling, more verbose
- firewalld.conf: Fixed bool fallback handling for missing settings (RHBZ#1239326)
- config/xmlschema/check.sh: Install script in the same directory as schema files
- man: Interface handling with and without NetworkManager (RHBZ#1122739 RHBZ#1128563)
- fw.py._start: Fix reload with runtime rules, but no direct.xml (RHBZ#1183008)
- firewall-applet,-config: Additional fix for PermissionDenied exception with NM (RHBZ#1190520, RHBZ#1227413)
- firewall-applet: Use own watcher to fix qsettings reload in all cases
- firewall-applet: Use the error icon also if blink is deactivated
- add ceph services
- firewall-cmd: Zones with source bindings are also active
- firewalld.spec: Require python3-gobject-base for fedora >= 23 and rhel >= 8
- firewalld.spec: Fix rhel defines: No python3 for rhel-7
- ipsec.service: add NAT-Traversal port
- firewall-config: Use proper store in nm_signal_receiver
- firewall-cmd_test: masquerade with destination is supported since 0.3.14
- New protocols support in zones and services
- fw_zone: Missing patch for new protocol usage in services
- firewall-cmd (bash-completion): Added support for new protocol options
- Use gi.require_version() to avoid PyGIWarning seen with Gtk-3.17
- services: add pulseaudio
- add docker registry services
- Handle source bindings in the same way as interface bindings
- firewall.server.fw_zone: Fix get_config_with_settings for protocol support in zones
- firewall-cmd: New info options to print information about zones, services and icmptypes (RHBZ#1147500)
- firewalld: Only use DEFAULT_ZONE_TARGET in firewalld itself, use "default" externally
- firewall-config: Fix for zone editor to use proper target (RHBZ#1251057)
- client.py: Show full traceback in exception handler for code issues
- firewall-config: masquerade with destination is supported since 0.3.14
- firewall-config: Fixed gtk_list_store_set_sort_column_id errors
- firewall-config: Adapt glade file to newer glade syntax
- config: Fixed year in COPYRIGHT
- gtk3_chooserbutton: New is_sensitive and get_sensitive methods
- firewall/functions: New check_mac function
- firewall/errors: New INVALID_MAC error
- firewall/core/rich: Add support for MAC sources in Rich_Source
- firewall/core/io/zone: New support for MAC sources
- firewall/core/fw_zone: New support for MAC sources in rich rules and as source bindings
- Man pages: Add information about MAC sources
- firewall-config: New support for MAC sources in rich rules and as source bindings
- firewalld.dbus.xml: Several fixes
- Fix reload after default zone change to newly introduced zone (RHBZ#1273888)
- Fix removal of destination addresses for services in permanent view (RHBZ#1278281)
- Additional fix for removal of destination addresses for services in permanent view (RHBZ#1278281)
- Add requirement for dbus-x11 for firewall-config and firewall-applet (RHBZ#1281416)
- fw_direct cleanup: Remove unused imports
- New ipset directories in /etc/firewalld and /usr/lib/firewalld
- New ipset dbus interface and path definitions, increased dbus interface revision
- New ipset file handler and parser
- ipset handler
- Fix MAC handling, always uppercase MAC addresses
- New errors for ipsets: INVALID_IPSET, INVALID_ENTRY and IPSET_WITH_TIMEOUT
- New FirewallIPSet class for use in fw and fw_config
- New ipset usage in fw and fw_config
- New ipset support in rich rule source
- New ipset support in zones
- functions: New function check_ipset
- New ipset D-Bus interface
- New ipset support in FirewallClient
- org.fedoraproject.FirewallConfig.gschema.xml: New show-ipsets
- firewall-cmd: New support for ipsets
- firewall-config: New support for ipsets
- New firewalld.ipset man page
- firewalld.richlanguage: Document ipset support in rich rules
- firewalld.spec: New requires for ipset
- firewalld.service: conflict with ipset.service
- errors: Adding lost BUILTIN_IPSET
- README: Add information about ipset
- firewalld.dbus man page: Add ipset interfaces, ..
- firewalld.dbus man page: Added missing builtin properties for zone, service and icmptype
- firewall.core.io.zone: Fix address attribute usage in writer
- firewall-config: Properly initialize ipset variable in richRuleDialog_getRule
- Fix MAC handling, always uppercase MAC addresses (2)
- IPSet: Fix family check for IPv6 addresses
- FirewallClient: Added lost getEntries method
- gtk3_chooserbutton: Fixed connect return value, added disconnect
- FirewallZone: Apply ipset hash:mac sources
- shell-completion/bash/firewall-cmd: Add support for --remove-rules option
- Fix issue #61: Not masquerading loopback
- Fixed issue #54: New zone does not limit zone name len
- Fixed issue #47: Log to syslog/journald without timestamp
- firewall-config: Use sourceDialog to manage source bindings
- FirewallIPSet: Dropped mostly unused applied attribute, code cleanup
- src/Makefile.am: Ship and install ipset files in the firewall tree
- firewall-cmd: Renamed --list-ipsets to --get-ipsets for consistency reasons
- firewall-cmd: Moved checks for ipset options to the proper place
- firewall-cmd: Use __print_zone_info for all zone info prints
- src/firewall/core/ipXtables.py: Cleanup
- src/firewall/core/fw_test.py: New support for ipset
- firewall-offline-cmd help: Removed [--permanent] from protocol options
- firewall-offline-cmd: Add support for --info-[zone|service|icmptype] option
- firewall-offline-cmd: New support for ipset options
- src/firewall/core/ebtables.py: Remove dangling ebtables lock file
- src/tests/firewall-cmd_test.sh: Added tests for ipsets
- src/firewall/core/io/zone.py: zone_ContentHandler: Fixed protocol use outside of rich rules
- src/firewall/core/prog.py: Added stdin option to runProg
- firewalld: Create temporary directory in /run/firewalld at start if it does not exist
- ipXtables, ebtables: New support for set_rules methods using -restore commands
- firewall/core/fw.py: Unify handle_rules methods, removed handle_rules2
- firewall/core/fw_zone.py: Added ipset destination matches for POSTROUTING and FORWARD
- Extra quote strings that could contain spaces, needed for use in -restore commands
- firewall/core/fw.py: New rules method, handle several rules at once
- New firewalld config setting IndividualCalls
- firewall/core/fw.py: Use individual calls setting, enable use of restore commands
- firewalld.conf(5): Added information about new IndividualCalls setting
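The IndividualCalls fallback described in the announcement above, as an added shell example that is not part of the original e-mail or of the firewalld project: two helpers that read and set the key in a firewalld.conf-style file. The function names are hypothetical, and treating a missing key as `no` is an assumption.

```shell
#!/bin/sh
# Added example: inspect and switch the IndividualCalls setting.
# Both functions take the config file path (e.g. /etc/firewalld/firewalld.conf).

# Print the effective value. A missing key is reported as "no"
# (assumption: the -restore commands are used unless the key says yes).
get_individual_calls() {
    val=$(sed -n 's/^[[:space:]]*IndividualCalls[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-no}"
}

# Set the key to yes or no. An existing line is rewritten in place,
# otherwise one is appended. A .bak copy is kept for rollback.
set_individual_calls() {
    file=$1
    value=$2
    case $value in
        yes|no) ;;
        *) echo "value must be yes or no" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    if grep -q '^[[:space:]]*IndividualCalls[[:space:]]*=' "$file"; then
        # Read from the backup and write through the original path so the
        # file keeps its owner, mode and SELinux label.
        sed "s/^[[:space:]]*IndividualCalls[[:space:]]*=.*/IndividualCalls=$value/" \
            "$file.bak" > "$file"
    else
        printf 'IndividualCalls=%s\n' "$value" >> "$file"
    fi
}
```

With `yes` set, firewalld issues individual {ip,ip6,eb}tables calls, which take the xtables and ebtables locks that the -restore commands skip.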
On 16.12.2015 19:11, Thomas Woerner wrote:
> Hello,
> the firewalld version 0.4.0 will be released soon now.
> You can clone the GIT tree from github: https://github.com/t-woerner/firewalld.git or you can download a zip file at https://github.com/t-woerner/firewalld.
> To create a test rpm for Fedora from the (GIT) tree use the command "./autogen.sh && make test-rpm" in the top firewalld directory.
Or (F23/rawhide)
# dnf copr enable jpopelka/firewalld && dnf update
-- Jiri
firewalld-users@lists.stg.fedorahosted.org