Bug 1302802 - Rebase to the new upstream and new release
Summary: Rebase to the new upstream and new release
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
Mirek Jahoda
URL:
Whiteboard:
Depends On: 1304723 1339251
Blocks: 1158586 1322505 1326130 1336881
Reported: 2016-01-28 16:32 UTC by Thomas Woerner
Modified: 2019-12-16 05:20 UTC

Fixed In Version: firewalld-0.4.3.2-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_firewalld_ rebased to version 0.4.3.2

The _firewalld_ packages have been upgraded to upstream version 0.4.3.2 which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:

* Performance improvements: *firewalld* starts and restarts significantly faster thanks to the new transaction model which groups together rules that are applied simultaneously. This model uses the *iptables* restore commands. Also, the *firewall-cmd*, *firewall-offline-cmd*, *firewall-config*, and *firewall-applet* tools have been improved with performance in mind.
* The improved management of connections, interfaces and sources: The user can now control zone settings for connections in *NetworkManager*. In addition, zone settings for interfaces are also controlled by *firewalld* and in the `ifcfg` file.
* Default logging option: With the new `LogDenied` setting, the user can easily debug and log denied packets.
* *ipset* support: *firewalld* now supports several IP sets as zone sources, within rich and direct rules. Note that, in Red Hat Enterprise Linux 7.3, *firewalld* supports only the following *ipset* types:
  * hash:net
  * hash:ip
Clone Of:
Environment:
Last Closed: 2016-11-03 21:02:13 UTC
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Product Errata RHSA-2016:2597
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: firewalld security, bug fix, and enhancement update
Last Updated: 2016-11-03 12:11:47 UTC

Description Thomas Woerner 2016-01-28 16:32:46 UTC
firewalld in RHEL-7 is still at version 0.3.9. Firewalld is now at release 0.3.14.2. Version 0.4.0 will be released very soon.

The update to 0.4.0 as a base with 0.4.1 and maybe 0.4.2 providing additional changes for RHEL-7.3 would simplify package maintenance of the RHEL-7 package a lot, as many changes have been back ported already. This results in lots of patches on top of the 0.3.9 version in the current firewalld package. Further back porting is more and more complicated.

The version 0.4.0 provides huge speed ups for loads and reloads and enhancements like for example ipset handling and extensions of the rich rule language.

Comment 1 Thomas Woerner 2016-01-28 16:37:26 UTC
Version 0.4.0 will already provide fixes for #1147500, #1220196, #1273888, #1278281, #1281416 and #1285769

Comment 5 Thomas Woerner 2016-08-16 12:14:44 UTC
These are the highlights of the rebase in my opinion:

1) firewalld - Performance Improvements
----------------------------------------

Problem
Higher start and restart times with complex configurations that result in thousands of firewall rules.

Solution
Transaction model which groups rules together in big chunks that are applied at once. This has been achieved using the iptables restore commands.

Benefit
Very fast start and restart times. Also: fast appliance of changes and direct rules.

Reference
http://www.firewalld.org/2016/05/more-firewalld-speed-ups/

2) firewalld - Improved management of connections, interfaces and sources
--------------------------------------------------------------------------

Problem
Connections under control of NetworkManager and network service behave differently on service restarts of NetworkManager, the network service and also firewalld.

Solution
Zone settings for connections under control of NetworkManager are handled within NetworkManager, not in firewalld. Zone settings for interfaces under control of the network service are handled in firewalld and also in the ifcfg file.

Benefit
More consistent zone settings for connections and interfaces.

Reference

3) firewalld - Default logging option
--------------------------------------

Problem
No simple logging of denied packets.

Solution
New LogDenied setting (all, unicast, broadcast, multicast or off)

Benefit
Simple mechanism for debugging and logging.

Reference

4) firewalld - ipset support
-----------------------------

Problem
No simple way to add white or black lists.

Solution
New support for ipsets as zone sources, in rich rules and direct rules.

Benefit
Integrated solution for ipsets with generation and update.

Reference

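As an added example (not part of this bug report and not firewalld's own code), the following POSIX shell script stages the two settings from sections 3 and 4 of the comment above: it rewrites the `LogDenied=` line of a firewalld.conf copy, accepting only the five documented values, and renders a permanent ipset definition in the `/etc/firewalld/ipsets/NAME.xml` layout described in firewalld.ipset(5), accepting only the two types the Doc Text lists for RHEL 7.3. All paths are under a temporary directory and the sample config lines and addresses are constructed, so it runs without firewalld installed; the `firewall-cmd` invocations mentioned in the comments are the documented way to apply the result and are not executed.

```shell
#!/bin/sh
# Added example, not firewalld project code: stage LogDenied and an ipset
# definition as files in a scratch directory, then they can be copied to
# /etc/firewalld by an administrator.

# Values the LogDenied setting accepts (section 3 of the comment above).
LOGDENIED_VALUES="all unicast broadcast multicast off"
# ipset types firewalld supports on RHEL 7.3 (Doc Text above).
SUPPORTED_IPSET_TYPES="hash:ip hash:net"

# in_list WORD "space separated list": exit 0 if WORD is in the list.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# set_log_denied CONF VALUE: rewrite (or append) the LogDenied= line in a
# firewalld.conf copy. Values outside the documented set are rejected.
set_log_denied() {
    conf=$1; value=$2
    in_list "$value" "$LOGDENIED_VALUES" || {
        echo "set_log_denied: invalid value '$value'" >&2
        return 1
    }
    if grep -q '^LogDenied=' "$conf"; then
        # portable in-place edit: write a temp copy, then move it over
        sed "s/^LogDenied=.*/LogDenied=$value/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'LogDenied=%s\n' "$value" >> "$conf"
    fi
}

# get_log_denied CONF: print the effective value; "off" is the default in
# the firewalld.conf that the package ships when the line is absent.
get_log_denied() {
    v=$(sed -n 's/^LogDenied=//p' "$1" | tail -n 1)
    printf '%s\n' "${v:-off}"
}

# render_ipset_xml NAME TYPE ENTRY...: emit an ipset definition in the
# /etc/firewalld/ipsets/NAME.xml format (firewalld.ipset(5)).
render_ipset_xml() {
    name=$1; type=$2; shift 2
    in_list "$type" "$SUPPORTED_IPSET_TYPES" || {
        echo "render_ipset_xml: type '$type' is not supported on RHEL 7.3" >&2
        return 1
    }
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<ipset type="%s">\n' "$type"
    printf '  <short>%s</short>\n' "$name"
    for e in "$@"; do
        printf '  <entry>%s</entry>\n' "$e"
    done
    printf '</ipset>\n'
}

# count_ipset_entries FILE: number of <entry> elements in a rendered file.
count_ipset_entries() {
    grep -c '<entry>' "$1"
}

# Demo on constructed data in a scratch directory.
stage_dir=$(mktemp -d)
printf 'DefaultZone=public\nLogDenied=off\n' > "$stage_dir/firewalld.conf"
set_log_denied "$stage_dir/firewalld.conf" all
mkdir -p "$stage_dir/ipsets"
# 198.51.100.0/24 and 203.0.113.0/24 are documentation prefixes (constructed).
render_ipset_xml blocklist hash:net 198.51.100.0/24 203.0.113.0/24 \
    > "$stage_dir/ipsets/blocklist.xml"
# After copying both files under /etc/firewalld an administrator would run
# 'firewall-cmd --reload' and attach the set to a zone with
# 'firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist'.
# Neither command is executed here.
echo "staged in $stage_dir"
echo "LogDenied now: $(get_log_denied "$stage_dir/firewalld.conf")"
echo "blocklist entries: $(count_ipset_entries "$stage_dir/ipsets/blocklist.xml")"
```

Editing the file is what an image or configuration-management build would do; on a running host the same setting is reachable with `firewall-cmd --set-log-denied=<value>` and read back with `firewall-cmd --get-log-denied`, and the ipset can be created with `firewall-cmd --permanent --new-ipset=NAME --type=hash:net` followed by `--ipset=NAME --add-entry=...`, all as documented in firewall-cmd(1) for the 0.4 series. Keeping the type check in the staging step matters because a set of an unsupported type is only rejected once firewalld loads it.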
Comment 8 errata-xmlrpc 2016-11-03 21:02:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html

