firewalld/0001-fedora-patch-to-default-to-iptables-backend.patch


From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 30 Aug 2018 16:34:19 -0400
Subject: [PATCH] fedora patch to default to iptables backend
---
config/firewalld.conf | 7 -------
src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
src/tests/dbus/firewalld.conf.at | 2 +-
src/tests/functions.at | 4 ++--
4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f045..0f64a56 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -40,13 +40,6 @@ IndividualCalls=no
# Default: off
LogDenied=off
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
-
# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
# configuration was retained during a reload, namely; interface to zone
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 7c70921..4e83d6e 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -268,6 +268,12 @@ class firewalld_conf(object):
if key not in done:
if (key in self._config and \
self._config[key] != value):
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
empty = False
temp_file.write(u'%s=%s\n' %
(key, self._config[key]))
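Review bot: The added `continue` drops the existing non-default FirewallBackend line from the temp file without setting `modified`, even though the `elif` branch in the next hunk sets `modified = True` for a comparable deletion and the rewrite branch here presumably does as well after the write. If the caller discards the temp file when nothing is marked modified, switching the backend back to the fallback value would leave the stale setting in firewalld.conf, so the backend actually loaded on the next reload differs from what the administrator set; adding `modified = True` before `done.append(key)` in this hunk closes that gap. The same skip-without-modified shape appears in the second hunk, where it only matters when other keys change in the same write. The identical three-line check is repeated in all three hunks and would read better as one small predicate such as `_is_default_backend(key, value)`. The enclosing write method starts before and ends after this hunk.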
@@ -275,6 +281,12 @@ class firewalld_conf(object):
elif key in self._deleted:
modified = True
else:
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
empty = False
temp_file.write(line+u"\n")
done.append(key)
@@ -286,6 +298,11 @@ class firewalld_conf(object):
for (key,value) in self._config.items():
if key in done:
continue
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ continue
if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config
continue
if not empty:
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index cc15318..374312b 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -19,7 +19,7 @@ string "AllowZoneDrifting" : variant string "no"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
+string "FirewallBackend" : variant string "iptables"
string "FlushAllOnReload" : variant string "yes"
string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 582fdcc..5a1aad1 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
AT_KEYWORDS(offline)
], [
- m4_define_default([FIREWALL_BACKEND], [nftables])
+ m4_define_default([FIREWALL_BACKEND], [iptables])
AT_KEYWORDS(FIREWALL_BACKEND)
@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [
AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
dnl set the appropriate backend
- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
+ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
dnl fib matching is pretty new in nftables. Don't use rpfilter on older
dnl kernels.
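Review bot: Appending with `echo ... >>` assumes ./firewalld.conf no longer carries a FirewallBackend line; if one is present (from an earlier step or a config file that still ships the key), the file ends up with two FirewallBackend entries and which one the parser honours is not visible here. Deleting any existing entry first keeps the test deterministic: `AT_CHECK([sed -i '/^FirewallBackend/d' ./firewalld.conf])` before the echo. The FWD_START_TEST definition continues outside the hunk.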
--
1.8.3.1