RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1302802 - Rebase to the new upstream and new release
Summary: Rebase to the new upstream and new release
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
Mirek Jahoda
Depends On: 1304723 1339251
Blocks: 1158586 1322505 1326130 1336881
TreeView+ depends on / blocked
Reported: 2016-01-28 16:32 UTC by Thomas Woerner
Modified: 2019-12-16 05:20 UTC (History)
4 users (show)

Fixed In Version: firewalld-
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_firewalld_ rebased to version The _firewalld_ packages have been upgraded to upstream version which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following: * Performance improvements: *firewalld* starts and restarts significantly faster thanks to the new transaction model which groups together rules that are applied simultaneously. This model uses the *iptables* restore commands. Also, the *firewall-cmd*, *firewall-offline-cmd*, *firewall-config*, and *firewall-applet* tools have been improved with performance in mind. * The improved management of connections, interfaces and sources: The user can now control zone settings for connections in *NetworkManager*. In addition, zone settings for interfaces are also controlled by *firewalld* and in the `ifcfg` file. * Default logging option: With the new `LogDenied` setting, the user can easily debug and log denied packets. * *ipset* support: *firewalld* now supports several IP sets as zone sources, within rich and direct rules. Note that, in Red Hat Enterprise Linux 7.3, *firewalld* supports only the following *ipset* types: * hash:net * hash:ip
Clone Of:
Last Closed: 2016-11-03 21:02:13 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2597 0 normal SHIPPED_LIVE Moderate: firewalld security, bug fix, and enhancement update 2016-11-03 12:11:47 UTC

Description Thomas Woerner 2016-01-28 16:32:46 UTC
firewalld in RHEL-7 is still at version 0.3.9. Firewalld is now at release Version 0.4.0 will be released very soon.

The update to 0.4.0 as a base with 0.4.1 and maybe 0.4.2 providing additional changes for RHEL-7.3 would simplify package maintainance of the RHEL-7 package a lot, as many changes have been back ported already. This results in lots of patches on top of the 0.3.9 version in the current firewalld package. Further back porting is more and more complicated.

The version 0.4.0 provides huge speeds ups for loads and reloads and enhancements like for example ipset handling and extensions of the rich rule language.

Comment 1 Thomas Woerner 2016-01-28 16:37:26 UTC
The 0.4.0 will already provide fixes for #1147500, #1220196, #1273888, #1278281, #1281416 and #1285769

Comment 5 Thomas Woerner 2016-08-16 12:14:44 UTC
These are the highlights of the rebase in my opinion:

1) firewalld - Performance Improvements

Higher start and restart times with complex configurations that result in thousa
nds of firewall rules.

Transaction model which groups rules together in big chunks that are applied at 
once. This has been achieved using the iptables restore commands.

Very fast start and restart times. Also: fast appliance of changes and direct r


2) firewalld - Improved management of connections, interfaces and sources

Connections under control of NetworkManager and network service behave different
ly on service restarts of NetworkManager, the network service and also firewalld

Zone settings for connections under control of NetworkManager are handled within
 NetworkManager, not in firewalld. Zone settings for interfaces under control of
 the network service are handled in firewalld and also in the ifcfg file.

More consistent zone settings for connections and interfaces.


3) firewalld - Default logging option

No simple logging of denied packets.

New LogDenied setting (all, unicast, broadcast, multicast or off)

Simple mechanism for debugging and logging.


4) firewalld - ipset support

No simple way to add white or black lists.

New support for ipsets as zone sources, in rich rules and direct rules.

Integrated solution for ipsets with generation and update.


Comment 8 errata-xmlrpc 2016-11-03 21:02:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.