Bug 878889 - RFE: "direct only" mode for firewalld
Summary: RFE: "direct only" mode for firewalld
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-11-21 13:27 UTC by Matthew Miller
Modified: 2025-02-24 14:41 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Description Matthew Miller 2012-11-21 13:27:52 UTC
This is in response to some mailing list discussion about how firewalld can eventually completely supplant the existing scripts to load static iptables configuration.

It's ideal to have just one code path in the distribution for critical services like this. Eventually, we don't want to have to tell people "oh, to do what you want, remove firewalld and install this other thing".


So:

Firewalld should have a "direct-only" mode. When that mode is enabled, it will load a static script from /etc/sysconfig/iptables on launch, and respond to any commands other than the "direct" API with an "in direct-only mode" error. Then, firewalld-aware applications could choose to raise a user error or to go to whatever fallback they have.

Without this, some applications which choose to use firewalld will probably eventually make it a hard requirement, and life will become very difficult for people who need to take a different approach.
