878889 – RFE: "direct only" mode for firewalld

Bug 878889 - RFE: "direct only" mode for firewalld

Summary: RFE: "direct only" mode for firewalld

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firewalld
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Eric Garver
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-11-21 13:27 UTC by Matthew Miller
Modified:	2017-08-17 19:40 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Matthew Miller 2012-11-21 13:27:52 UTC

This is in response to some mailing list discussion about how firewalld can eventually completely supplant the existing scripts to load static iptables configuration.

It's ideal to have just one code path in the distribution for critical services like this. Eventually, we don't want to have to tell people "oh, to do what you want, remove firewalld and install this other thing".


So:

Firewalld should have a "direct-only" mode. When that mode is enabled, it will load a static script from from /etc/sysconfig/iptables on launch, and respond to any commands other than the "direct" api with an "in direct-only mode" error. Then, firewalld-aware applications could choose to raise a user error or to go to whatever fallback they have.

Without this, some applications which choose to use firewalld will probably eventually make it a hard requirement, and life will become very difficult for people who need to take a different approach.

Note You need to log in before you can comment on or make changes to this bug.