From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 30 Aug 2018 16:34:19 -0400
Subject: [PATCH] fedora patch to default to iptables backend

---
 config/firewalld.conf                  |  7 -------
 src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
 src/tests/dbus/firewalld.conf.at       |  2 +-
 src/tests/functions.at                 |  4 ++--
 4 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f045..0f64a56 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -40,13 +40,6 @@ IndividualCalls=no
 # Default: off
 LogDenied=off
 
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
-
 # FlushAllOnReload
 # Flush all runtime rules on a reload. In previous releases some runtime
 # configuration was retained during a reload, namely; interface to zone
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 7c70921..4e83d6e 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -268,6 +268,12 @@ class firewalld_conf(object):
                     if key not in done:
                         if (key in self._config and \
                             self._config[key] != value):
+                            # Only write FirewallBackend if it's not the default.
+                            # We will change the default in the future.
+                            if key == "FirewallBackend" and \
+                               self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
+                                done.append(key)
+                                continue
                             empty = False
                             temp_file.write(u'%s=%s\n' % (key, self._config[key]))
@@ -275,6 +281,12 @@ class firewalld_conf(object):
                         elif key in self._deleted:
                             modified = True
                         else:
+                            # Only write FirewallBackend if it's not the default.
+                            # We will change the default in the future.
+                            if key == "FirewallBackend" and \
+                               value == config.FALLBACK_FIREWALL_BACKEND:
+                                done.append(key)
+                                continue
                             empty = False
                             temp_file.write(line+u"\n")
                         done.append(key)
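Review bot: The added `continue` in the first firewalld_conf.py hunk leaves the iteration before whatever follows the `temp_file.write(...)` call, and the hunk is cut off right after that call, so if this branch normally records that the file changed (the neighbouring `elif` branch sets `modified = True`, which suggests the write branch does too), dropping an existing `FirewallBackend=<non-default>` line would not be recorded as a modification. If the temp file is only kept when such a change was recorded, the reset to the default backend would silently fail to persist. Consider recording the change before skipping, e.g. `modified = True` next to `done.append(key)`, or letting the skip fall through the branch's normal bookkeeping. The enclosing method starts and ends outside the hunk.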
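Review bot: The second firewalld_conf.py hunk drops an existing `FirewallBackend` line whenever its value equals `config.FALLBACK_FIREWALL_BACKEND`, including a line an administrator set explicitly, and the comment two lines above says the default will change later, so an explicit pin to the current default is lost and the host moves to the new backend on the first write after that change. The first hunk has the same effect when the in-memory value is the fallback. Because packet filtering behaviour differs between backends, consider suppressing the key only for values that were never in the file and keeping lines that are already present, or at least state the intended migration in the comment, e.g. `# An explicit FirewallBackend=<fallback> line is deliberately removed so the host follows the packaged default.` The enclosing method continues outside the hunk.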
@@ -286,6 +298,11 @@ class firewalld_conf(object):
             for (key,value) in self._config.items():
                 if key in done:
                     continue
+                # Only write FirewallBackend if it's not the default.
+                # We will change the default in the future.
+                if key == "FirewallBackend" and \
+                   value == config.FALLBACK_FIREWALL_BACKEND:
+                    continue
                 if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config
                     continue
                 if not empty:
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index cc15318..374312b 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -19,7 +19,7 @@ string "AllowZoneDrifting" : variant string "no"
 string "AutomaticHelpers" : variant string "no"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
+string "FirewallBackend" : variant string "iptables"
 string "FlushAllOnReload" : variant string "yes"
 string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
 string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 582fdcc..5a1aad1 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [
     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
         AT_KEYWORDS(offline)
     ], [
-        m4_define_default([FIREWALL_BACKEND], [nftables])
+        m4_define_default([FIREWALL_BACKEND], [iptables])
         AT_KEYWORDS(FIREWALL_BACKEND)
 
@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [
         AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
 
         dnl set the appropriate backend
-        AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
+        AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
 
         dnl fib matching is pretty new in nftables. Don't use rpfilter on older
         dnl kernels.
-- 
1.8.3.1
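Review bot: The same two-line comment and three-line `FirewallBackend` / `config.FALLBACK_FIREWALL_BACKEND` test now appears three times in this class (here and in the two hunks at old lines 268 and 275), differing only in whether `value` or `self._config[key]` is compared. A small private helper such as `def _is_default_backend(key, value): return key == "FirewallBackend" and value == config.FALLBACK_FIREWALL_BACKEND` would keep the three sites in step when the default changes, which the comment says is planned. The comment could also say what the omission achieves rather than promising a future change, e.g. `# Omit FirewallBackend when it equals the fallback so the file keeps following the packaged default.` The enclosing method starts and ends outside the hunk.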
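Review bot: Appending `FirewallBackend=FIREWALL_BACKEND` with `>>` in the second functions.at hunk no longer replaces a `FirewallBackend` line already present in ./firewalld.conf, whereas the removed `sed` did; the shipped config loses that line in this patch, but should it return or another step write one, the file would carry two keys and the backend under test would depend on which one the parser keeps. Deleting any existing line first keeps the harness deterministic: `AT_CHECK([sed -i '/^FirewallBackend/d' ./firewalld.conf])` immediately before the echo. The FWD_START_TEST macro continues outside the hunk.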