firewalld in RHEL-7 is still at version 0.3.9. Firewalld is now at release 0.3.14.2. Version 0.4.0 will be released very soon. The update to 0.4.0 as a base with 0.4.1 and maybe 0.4.2 providing additional changes for RHEL-7.3 would simplify package maintenance of the RHEL-7 package a lot, as many changes have been backported already. This results in lots of patches on top of the 0.3.9 version in the current firewalld package. Further backporting is more and more complicated. The version 0.4.0 provides huge speed-ups for loads and reloads and enhancements like for example ipset handling and extensions of the rich rule language.
Version 0.4.0 will already provide fixes for #1147500, #1220196, #1273888, #1278281, #1281416 and #1285769.
These are the highlights of the rebase in my opinion:

1) firewalld - Performance Improvements
----------------------------------------

Problem
Higher start and restart times with complex configurations that result in thousands of firewall rules.

Solution
Transaction model which groups rules together in big chunks that are applied at once. This has been achieved using the iptables restore commands.

Benefit
Very fast start and restart times. Also: fast appliance of changes and direct rules.

Reference
http://www.firewalld.org/2016/05/more-firewalld-speed-ups/

2) firewalld - Improved management of connections, interfaces and sources
--------------------------------------------------------------------------

Problem
Connections under control of NetworkManager and network service behave differently on service restarts of NetworkManager, the network service and also firewalld.

Solution
Zone settings for connections under control of NetworkManager are handled within NetworkManager, not in firewalld. Zone settings for interfaces under control of the network service are handled in firewalld and also in the ifcfg file.

Benefit
More consistent zone settings for connections and interfaces.

Reference

3) firewalld - Default logging option
--------------------------------------

Problem
No simple logging of denied packets.

Solution
New LogDenied setting (all, unicast, broadcast, multicast or off)

Benefit
Simple mechanism for debugging and logging.

Reference

4) firewalld - ipset support
-----------------------------

Problem
No simple way to add white or black lists.

Solution
New support for ipsets as zone sources, in rich rules and direct rules.

Benefit
Integrated solution for ipsets with generation and update.

Reference
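As an added illustration of items 3 and 4 above (not part of the bug report or of the firewalld project), the script below builds a permanent firewalld ipset from a plain-text blocklist, binds it to the drop zone as a source and switches on the LogDenied setting; the set name, the blocklist file and the dry-run override are assumptions, while the firewall-cmd options are the 0.4 command line described in the highlights.

```shell
#!/bin/sh
# Added example, not from the bug report: generate a hash:net ipset that
# firewalld loads from its permanent configuration, attach it to the "drop"
# zone and enable logging of denied packets (LogDenied).
set -eu

IPSET_NAME=${IPSET_NAME:-blocklist}             # assumed set name
IPSET_DIR=${IPSET_DIR:-/etc/firewalld/ipsets}   # firewalld's permanent ipset directory
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}      # set to "echo" for a dry run

# Accept only IPv4 addresses or CIDR prefixes so that a malformed line can
# never end up in the permanent configuration.
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Write the ipset XML firewalld reads at (re)start.
# Usage: write_ipset_xml <blocklist.txt> <output.xml>
write_ipset_xml() {
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<ipset type="hash:net">\n'
        printf '  <short>%s</short>\n' "$IPSET_NAME"
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}                           # drop trailing comments
            line=$(printf '%s' "$line" | tr -d '[:space:]')
            [ -z "$line" ] && continue                 # skip blank lines
            valid_entry "$line" || { echo "skipping invalid entry: $line" >&2; continue; }
            printf '  <entry>%s</entry>\n' "$line"
        done < "$1"
        printf '</ipset>\n'
    } > "$2"
}

# Use the set as a source of the drop zone and log what firewalld denies.
# LogDenied accepts all, unicast, broadcast, multicast or off.
apply_blocklist() {
    "$FIREWALL_CMD" --permanent --zone=drop --add-source="ipset:$IPSET_NAME"
    "$FIREWALL_CMD" --set-log-denied=all
    "$FIREWALL_CMD" --reload
}

# Typical run (uncomment on a host with firewalld 0.4 installed):
# write_ipset_xml /etc/blocklist.txt "$IPSET_DIR/$IPSET_NAME.xml" && apply_blocklist
```

The logged drops then show up in the kernel log, which is the simple debugging path the LogDenied highlight refers to.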
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2597.html