On a Fedora 42 server/cloud (not workstation) install, the firewalld config defaults to

# grep ^IPv6_rpfilter /etc/firewalld/firewalld.conf
IPv6_rpfilter=strict

The linux-system-roles "network" role has this code [1] which attempts to restore the current config to the system default (I know, it looks a bit odd, but it's been like that for a long time). This changes the above value from "strict" to "loose". This can easily be demonstrated independently from the role with

python3 -c 'from firewall.core.io.firewalld_conf import firewalld_conf
# Passing None as the filename means no existing config is loaded
fc = firewalld_conf(None)
try:
    fc.read()
except Exception as e:
    print(e)
# Write the builtin defaults over the system config
fc.filename = "/etc/firewalld/firewalld.conf"
fc.write()'

This makes some expected noise about "ERROR: Failed to load 'None'", as the point of the code is to *not* load an existing config file, but get the builtin default. This command changes the config to "IPv6_rpfilter=loose".

This is likely related to [2], i.e. the builtin default somehow thinks it's on workstation instead of server/cloud?

# grep VARIANT /etc/os-release
VARIANT="Cloud Edition"
VARIANT_ID=cloud

firewalld-2.3.0-4.fc42.noarch

[1] https://github.com/linux-system-roles/firewall/blob/26af17fc4db339bb/files/get_files_checksums.sh#L59
[2] https://discussion.fedoraproject.org/t/f42-change-proposal-firewalld-ipv6-rpfilter-default-to-loose-on-workstations-self-contained/138980

Reproducible: Always
This is my bad. The Fedora-only patch introduced [1] should only be applied for the workstation variants. Hopefully I can find a way to make it only apply for those variants. [1]: https://src.fedoraproject.org/rpms/firewalld/c/a44e5b20fd14befe77e2f9f1aa83f0b5f9401315?branch=rawhide
If there is no way to selectively apply the patch for workstation, then we'll drop the patch entirely. That means if firewalld reverts to the source code defaults in workstation it will use "strict" instead of "loose". That should only happen if someone/something deletes /etc/firewalld/firewalld.conf.
I'm going to simply revert the patch. It means we'll have the same issue in the reverse direction. That is, on workstation deleting firewalld.conf will cause it to use "strict" when it should use "loose". However, this is true of all the variant overrides in firewalld.conf, e.g. default zone - this includes server and the FedoraServer zone. The RPM/build is the same between variants. We cannot solve this problem via patches. For the variant differences, they're typically done via the %install sections of the RPM. In general, I do not like that we have differences in package behavior between variants. Nor do I like the deviations from upstream.
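A drift check for the situation discussed in this thread, as an added example that is not part of the original bug report, the linux-system-roles code or firewalld: it compares IPv6_rpfilter in firewalld.conf with the value expected for the variant in /etc/os-release. The function names and the LOOSE_VARIANTS set are assumptions made for this example, and the sample texts are constructed from the values quoted in the report.

```python
import shlex
import sys

# Assumption: only "workstation" expects "loose"; every other variant expects
# "strict", the source-code default mentioned in the thread.
LOOSE_VARIANTS = {"workstation"}

def parse_kv(text):
    """Parse KEY=VALUE lines (firewalld.conf and os-release), skipping comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = " ".join(shlex.split(value))  # drops os-release quoting
    return out

def expected_rpfilter(os_release_text):
    variant = parse_kv(os_release_text).get("VARIANT_ID", "").lower()
    return "loose" if variant in LOOSE_VARIANTS else "strict"

def check_rpfilter(conf_text, os_release_text):
    """Return (ok, actual, expected); actual is None when the key is absent."""
    actual = parse_kv(conf_text).get("IPv6_rpfilter")
    expected = expected_rpfilter(os_release_text)
    return actual == expected, actual, expected

# Constructed sample inputs, based on the values quoted in the report.
CLOUD_OS_RELEASE = 'NAME="Fedora Linux"\nVARIANT="Cloud Edition"\nVARIANT_ID=cloud\n'
WORKSTATION_OS_RELEASE = 'VARIANT="Workstation Edition"\nVARIANT_ID=workstation\n'
CONF_STRICT = "# firewalld config file\nDefaultZone=FedoraServer\nIPv6_rpfilter=strict\n"
CONF_LOOSE = "# firewalld config file\nDefaultZone=FedoraServer\nIPv6_rpfilter=loose\n"

if __name__ == "__main__":
    # On a real host, read the live files and exit non-zero on drift.
    with open("/etc/firewalld/firewalld.conf") as conf, open("/etc/os-release") as rel:
        ok, actual, expected = check_rpfilter(conf.read(), rel.read())
    print(f"IPv6_rpfilter={actual} expected={expected} ok={ok}")
    sys.exit(0 if ok else 1)
```

Running it before and after any automation that rewrites firewalld.conf shows whether the reverse-path filter setting was silently changed.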
FEDORA-2025-52c77cd0fb (firewalld-2.3.0-5.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-52c77cd0fb
FEDORA-2025-e16271b0cf (firewalld-2.3.0-5.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-e16271b0cf
FEDORA-2025-52c77cd0fb (firewalld-2.3.0-5.fc43) has been pushed to the Fedora 43 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2025-e16271b0cf has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-e16271b0cf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-e16271b0cf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-e16271b0cf (firewalld-2.3.0-5.fc42) has been pushed to the Fedora 42 stable repository. If the problem still persists, please make note of it in this bug report.