Bug 1302802 - Rebase to the new upstream and new release
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld (Show other bugs)
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Thomas Woerner
QA Contact: Tomas Dolezal
Docs Contact: Mirek Jahoda
Keywords: Rebase
Depends On: 1304723 1339251
Blocks: 1158586 1322505 1326130 1336881
 
Reported: 2016-01-28 11:32 EST by Thomas Woerner
Modified: 2017-02-24 13:10 EST
CC List: 4 users

See Also:
Fixed In Version: firewalld-0.4.3.2-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_firewalld_ rebased to version 0.4.3.2

The _firewalld_ packages have been upgraded to upstream version 0.4.3.2, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:

* Performance improvements: *firewalld* starts and restarts significantly faster thanks to the new transaction model, which groups together rules that are applied at once. This model uses the *iptables* restore commands. The *firewall-cmd*, *firewall-offline-cmd*, *firewall-config*, and *firewall-applet* tools have also been improved with performance in mind.
* Improved management of connections, interfaces and sources: the user can now control zone settings for connections in *NetworkManager*. Zone settings for interfaces are controlled by *firewalld* and also stored in the `ifcfg` file.
* Default logging option: with the new `LogDenied` setting, the user can easily debug and log denied packets.
* *ipset* support: *firewalld* now supports ipsets used as zone sources and within rich and direct rules.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 17:02:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Thomas Woerner 2016-01-28 11:32:46 EST
firewalld in RHEL-7 is still at version 0.3.9. Firewalld is now at release 0.3.14.2. Version 0.4.0 will be released very soon.

The update to 0.4.0 as a base, with 0.4.1 and maybe 0.4.2 providing additional changes for RHEL-7.3, would simplify package maintenance of the RHEL-7 package a lot, as many changes have been backported already. This results in lots of patches on top of the 0.3.9 version in the current firewalld package. Further backporting is more and more complicated.

Version 0.4.0 provides huge speed-ups for loads and reloads and enhancements like, for example, ipset handling and extensions of the rich rule language.
Comment 1 Thomas Woerner 2016-01-28 11:37:26 EST
0.4.0 will already provide fixes for #1147500, #1220196, #1273888, #1278281, #1281416 and #1285769.
Comment 5 Thomas Woerner 2016-08-16 08:14:44 EDT
These are the highlights of the rebase in my opinion:

1) firewalld - Performance Improvements
----------------------------------------

Problem
Higher start and restart times with complex configurations that result in thousands of firewall rules.

Solution
Transaction model which groups rules together in big chunks that are applied at once. This has been achieved using the iptables restore commands.

Benefit
Very fast start and restart times. Also: fast application of changes and direct rules.

Reference
http://www.firewalld.org/2016/05/more-firewalld-speed-ups/

2) firewalld - Improved management of connections, interfaces and sources
--------------------------------------------------------------------------

Problem
Connections under control of NetworkManager and network service behave differently on service restarts of NetworkManager, the network service and also firewalld.

Solution
Zone settings for connections under control of NetworkManager are handled within NetworkManager, not in firewalld. Zone settings for interfaces under control of the network service are handled in firewalld and also in the ifcfg file.

Benefit
More consistent zone settings for connections and interfaces.

Reference

3) firewalld - Default logging option
--------------------------------------

Problem
No simple logging of denied packets.

Solution
New LogDenied setting (all, unicast, broadcast, multicast or off)

Benefit
Simple mechanism for debugging and logging.

Reference

4) firewalld - ipset support
-----------------------------

Problem
No simple way to add white or black lists.

Solution
New support for ipsets as zone sources, in rich rules and direct rules.

Benefit
Integrated solution for ipsets with generation and update.

Reference
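An added illustration of the transaction model from item 1 above (example code written for this page, not firewalld's own implementation): instead of running one `iptables` process per rule, the rules are grouped per table into a single `iptables-restore` input, so each table's rule set is committed to the kernel in one operation. The `build_restore_batch` and `per_rule_commands` functions, the `<table> <rule>` input format and the rule set are all constructed for the example; the `iptables-restore --noflush` call only shows the shape of the apply step and runs only as root.

```shell
#!/bin/sh
# Added example (not firewalld code): group rules per table into one
# iptables-restore transaction instead of one iptables call per rule.
#
# Input format (one rule per line, constructed for this example):
#   <table> <rule-in-restore-syntax>
# Chain declarations use restore syntax too: "filter :MYCHAIN - [0:0]".

# Emit a restore-format batch: one "*table ... COMMIT" block per table,
# chain declarations first, rules in their original order.
build_restore_batch() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # skip blanks and comments
    {
        table = $1
        sub(/^[^ ]+ /, "")                        # drop the table column
        if (!(table in seen)) { seen[table] = 1; order[++n] = table }
        if ($0 ~ /^:/) chains[table] = chains[table] $0 "\n"
        else           rules[table]  = rules[table]  $0 "\n"
    }
    END {
        for (i = 1; i <= n; i++) {
            t = order[i]
            printf "*%s\n%s%sCOMMIT\n", t, chains[t], rules[t]
        }
    }'
}

# The pre-0.4 shape of the same work: one iptables process (and one
# xtables lock acquisition) per rule. Chain declarations become -N.
per_rule_commands() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
        table = $1
        sub(/^[^ ]+ /, "")
        if ($0 ~ /^:/) { sub(/^:/, ""); sub(/ - \[0:0\]$/, ""); $0 = "-N " $0 }
        print "iptables -t " table " " $0
    }'
}

# Apply a batch atomically per table. --noflush keeps rules that are
# already loaded, so the batch is an incremental change, not a replace.
apply_batch() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --noflush
    else
        echo "# (not root or no iptables-restore; batch shown, not applied)" >&2
        cat
    fi
}

# Constructed rule set for the demo.
DEMO_RULES='filter :FWD_demo - [0:0]
filter -A INPUT -j FWD_demo
filter -A FWD_demo -s 192.0.2.0/24 -j DROP
nat -A POSTROUTING -o eth0 -j MASQUERADE
filter -A FWD_demo -j RETURN'

if [ "${1-}" = "--demo" ]; then
    echo "== per-rule commands =="
    printf '%s\n' "$DEMO_RULES" | per_rule_commands
    echo "== single restore transaction =="
    printf '%s\n' "$DEMO_RULES" | build_restore_batch | apply_batch
fi
```

Run as `sh batch.sh --demo`. With five rules the difference is invisible; with the thousands of rules mentioned above, the per-rule form pays a process start and an xtables lock per rule, while the batch form does one table replace per `COMMIT`, which is where the start and reload gains come from.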
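An added example for items 3 and 4 above (written for this page, not part of firewalld or this bug): it writes a permanent ipset in firewalld's XML layout, sets `LogDenied` in `firewalld.conf` with the five values firewalld accepts, and summarises the kernel log lines that `LogDenied` produces. The `FIREWALLD_ETC` variable, the function names, and the sample log lines are all constructed for the example; only `apply_with_firewall_cmd` touches a live host, and it does nothing when `firewall-cmd` is absent.

```shell
#!/bin/sh
# Added example (not firewalld code). Writes the two 0.4.x settings from
# items 3 and 4 as files under FIREWALLD_ETC and, where available, loads
# them with firewall-cmd. Point FIREWALLD_ETC at a scratch directory to
# dry-run without touching /etc/firewalld.
FIREWALLD_ETC="${FIREWALLD_ETC:-/etc/firewalld}"

# Write a permanent ipset definition in firewalld's XML layout.
# usage: write_ipset NAME TYPE ENTRY...   (e.g. blacklist hash:net 192.0.2.0/24)
write_ipset() {
    name=$1; type=$2; shift 2
    mkdir -p "$FIREWALLD_ETC/ipsets"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<ipset type="%s">\n' "$type"
        printf '  <short>%s</short>\n' "$name"
        printf '  <option name="family" value="inet"/>\n'
        for entry in "$@"; do printf '  <entry>%s</entry>\n' "$entry"; done
        printf '</ipset>\n'
    } > "$FIREWALLD_ETC/ipsets/$name.xml"
}

# Set LogDenied in firewalld.conf, rejecting values firewalld would not accept.
set_log_denied() {
    case "$1" in all|unicast|broadcast|multicast|off) ;;
        *) echo "invalid LogDenied value: $1" >&2; return 1 ;;
    esac
    conf="$FIREWALLD_ETC/firewalld.conf"
    mkdir -p "$FIREWALLD_ETC"; touch "$conf"
    if grep -q '^LogDenied=' "$conf"; then
        awk -v v="$1" '/^LogDenied=/ { $0 = "LogDenied=" v } { print }' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'LogDenied=%s\n' "$1" >> "$conf"
    fi
}

get_log_denied() { sed -n 's/^LogDenied=//p' "$FIREWALLD_ETC/firewalld.conf"; }

# Summarise netfilter LOG lines produced by LogDenied: count per
# (prefix, source, proto, dport), most frequent first.
summarize_denied() {
    awk '
    match($0, /[A-Z_]+: IN=/) {
        prefix = substr($0, RSTART, RLENGTH - 5)         # strip ": IN="
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        count[prefix " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of the kernel log lines LogDenied=unicast produces
# (FINAL_REJECT and STATE_INVALID_DROP are the log prefixes firewalld uses).
DENIED_SAMPLE='Jan 28 11:32:46 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=29200 SYN URGP=0
Jan 28 11:32:47 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=29200 SYN URGP=0
Jan 28 11:32:48 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=1024 SYN URGP=0
Jan 28 11:32:49 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=0 RST URGP=0'

# Load the permanent config and bind the set to the drop zone (live host only).
apply_with_firewall_cmd() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found; files written only" >&2; return 0; }
    firewall-cmd --permanent --zone=drop --add-source="ipset:$1"
    firewall-cmd --reload
    firewall-cmd --get-log-denied
}

if [ "${1-}" = "--demo" ]; then
    write_ipset blacklist hash:net 192.0.2.0/24 198.51.100.7
    set_log_denied unicast
    apply_with_firewall_cmd blacklist
    printf '%s\n' "$DENIED_SAMPLE" | summarize_denied
fi
```

Run as `FIREWALLD_ETC=/tmp/fwtest sh logdenied.sh --demo` for a dry run, or as root without the override to change the host. The same result without hand-written XML is `firewall-cmd --permanent --new-ipset=blacklist --type=hash:net`, `--permanent --ipset=blacklist --add-entry=192.0.2.0/24` and `firewall-cmd --set-log-denied=unicast`; writing the file is the form a configuration-management template takes. Note that `LogDenied=all` also logs broadcast and multicast noise, so `unicast` is the usual setting when the goal is to see who is hitting closed ports.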
Comment 8 errata-xmlrpc 2016-11-03 17:02:13 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html
