Bug 878889

Summary: RFE: "direct only" mode for firewalld
Product: Fedora
Reporter: Matthew Miller <mattdm>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jpopelka, twoerner
Type: Bug
Doc Type: Bug Fix

Description Matthew Miller 2012-11-21 13:27:52 UTC
This is in response to some mailing list discussion about how firewalld can eventually completely supplant the existing scripts to load static iptables configuration.

It's ideal to have just one code path in the distribution for critical services like this. Eventually, we don't want to have to tell people "oh, to do what you want, remove firewalld and install this other thing".


So:

Firewalld should have a "direct-only" mode. When that mode is enabled, it will load a static script from /etc/sysconfig/iptables on launch, and respond to any commands other than the "direct" API with an "in direct-only mode" error. Then, firewalld-aware applications could choose to raise a user error or to go to whatever fallback they have.

Without this, some applications which choose to use firewalld will probably eventually make it a hard requirement, and life will become very difficult for people who need to take a different approach.
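A sketch of the contract the request describes, added here as an example and not firewalld code: a daemon-side model that seeds its rules from the static script and rejects non-direct calls with a "direct-only" error, plus a client helper that falls back to the direct API on that error. The class and function names, and the iptables-save stand-in, are assumptions.

```python
# Added example (not firewalld code): a minimal model of the proposed
# "direct-only" mode and of a firewalld-aware client that falls back to
# the direct API when the daemon reports that mode. Names are assumptions.

class DirectOnlyError(Exception):
    """Raised for any non-direct request while direct-only mode is on."""

# Constructed stand-in for /etc/sysconfig/iptables (iptables-save format).
STATIC_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def load_static(text):
    """Return the '-A ...' rule lines of a static iptables script."""
    return [ln for ln in text.splitlines() if ln.startswith("-A ")]

class Firewall:
    def __init__(self, direct_only, static_text=STATIC_RULES):
        self.direct_only = direct_only
        # Direct-only mode starts from the static script, not from zones.
        self.rules = load_static(static_text) if direct_only else []

    def add_service(self, zone, service):
        # Zone/service API: refused while in direct-only mode.
        if self.direct_only:
            raise DirectOnlyError("firewalld is in direct-only mode")
        self.rules.append(f"zone {zone}: service {service}")

    def direct_add_rule(self, chain, rule):
        # The direct API is the only one accepted in direct-only mode;
        # such rules bypass the zone model, so they are the caller's to audit.
        self.rules.append(f"-A {chain} {rule}")

def open_port_with_fallback(fw, port):
    """Client side: prefer the zone API, fall back to a direct rule."""
    try:
        fw.add_service("public", f"tcp-{port}")
        return "zone"
    except DirectOnlyError:
        fw.direct_add_rule("INPUT", f"-p tcp --dport {port} -j ACCEPT")
        return "direct"
```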