Bug 1302802

Summary: Rebase to the new upstream and new release
Product: Red Hat Enterprise Linux 7 Reporter: Thomas Woerner <twoerner>
Component: firewalldAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: unspecified Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.3CC: lkuprova, martin, mjahoda, todoleza
Target Milestone: rcKeywords: Rebase
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firewalld-0.4.3.2-1.el7 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_firewalld_ rebased to version 0.4.3.2 The _firewalld_ packages have been upgraded to upstream version 0.4.3.2 which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following: * Performance improvements: *firewalld* starts and restarts significantly faster thanks to the new transaction model which groups together rules that are applied simultaneously. This model uses the *iptables* restore commands. Also, the *firewall-cmd*, *firewall-offline-cmd*, *firewall-config*, and *firewall-applet* tools have been improved with performance in mind. * The improved management of connections, interfaces and sources: The user can now control zone settings for connections in *NetworkManager*. In addition, zone settings for interfaces are also controlled by *firewalld* and in the `ifcfg` file. * Default logging option: With the new `LogDenied` setting, the user can easily debug and log denied packets. * *ipset* support: *firewalld* now supports several IP sets as zone sources, within rich and direct rules. Note that, in Red Hat Enterprise Linux 7.3, *firewalld* supports only the following *ipset* types: * hash:net * hash:ip
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 21:02:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1304723, 1339251    
Bug Blocks: 1158586, 1322505, 1326130, 1336881    

Description Thomas Woerner 2016-01-28 16:32:46 UTC 
firewalld in RHEL-7 is still at version 0.3.9. Firewalld is now at release 0.3.14.2. Version 0.4.0 will be released very soon.

The update to 0.4.0 as a base with 0.4.1 and maybe 0.4.2 providing additional changes for RHEL-7.3 would simplify package maintainance of the RHEL-7 package a lot, as many changes have been back ported already. This results in lots of patches on top of the 0.3.9 version in the current firewalld package. Further back porting is more and more complicated.

The version 0.4.0 provides huge speeds ups for loads and reloads and enhancements like for example ipset handling and extensions of the rich rule language.
Comment 1 Thomas Woerner 2016-01-28 16:37:26 UTC 
The 0.4.0 will already provide fixes for #1147500, #1220196, #1273888, #1278281, #1281416 and #1285769
Comment 5 Thomas Woerner 2016-08-16 12:14:44 UTC 
These are the highlights of the rebase in my opinion:

1) firewalld - Performance Improvements
----------------------------------------

Problem
Higher start and restart times with complex configurations that result in thousa
nds of firewall rules.

Solution
Transaction model which groups rules together in big chunks that are applied at 
once. This has been achieved using the iptables restore commands.

Benefit
Very fast start and restart times. Also: fast appliance of changes and direct r
ules.

Reference
http://www.firewalld.org/2016/05/more-firewalld-speed-ups/

2) firewalld - Improved management of connections, interfaces and sources
--------------------------------------------------------------------------

Problem
Connections under control of NetworkManager and network service behave different
ly on service restarts of NetworkManager, the network service and also firewalld
.

Solution
Zone settings for connections under control of NetworkManager are handled within
 NetworkManager, not in firewalld. Zone settings for interfaces under control of
 the network service are handled in firewalld and also in the ifcfg file.

Benefit
More consistent zone settings for connections and interfaces.

Reference

3) firewalld - Default logging option
--------------------------------------

Problem
No simple logging of denied packets.

Solution
New LogDenied setting (all, unicast, broadcast, multicast or off)

Benefit
Simple mechanism for debugging and logging.

Reference

4) firewalld - ipset support
-----------------------------

Problem
No simple way to add white or black lists.

Solution
New support for ipsets as zone sources, in rich rules and direct rules.

Benefit
Integrated solution for ipsets with generation and update.

Reference
Comment 8 errata-xmlrpc 2016-11-03 21:02:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html