From bccc66877af7baa95e70c4314e3016ac78c4bbc7 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Tue, 4 Feb 2020 09:12:17 -0500

Subject: [PATCH 02/22] RHEL only: default to AllowZoneDrifting=yes

---

 config/firewalld.conf              | 4 ++--

 doc/xml/firewalld.conf.xml         | 2 +-

 doc/xml/firewalld.dbus.xml         | 2 +-

 src/firewall/config/__init__.py.in | 2 +-

 src/tests/functions.at             | 5 +++++

 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/config/firewalld.conf b/config/firewalld.conf

index 532f0452212e..f791b2358ab8 100644

--- a/config/firewalld.conf

+++ b/config/firewalld.conf

@@ -71,5 +71,5 @@ RFC3964_IPv4=yes

 # Note: If "yes" packets will only drift from source based zones to interface

 # based zones (including the default zone). Packets never drift from interface

 # based zones to other interfaces based zones (including the default zone).

-# Possible values; "yes", "no". Defaults to "no".

-AllowZoneDrifting=no

+# Possible values; "yes", "no". Defaults to "yes".

+AllowZoneDrifting=yes

diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml

index fcfbfd2b68c1..c21ef87813bc 100644

--- a/doc/xml/firewalld.conf.xml

+++ b/doc/xml/firewalld.conf.xml

@@ -197,7 +197,7 @@

                 to interface based zones (including the default zone). Packets

                 never drift from interface based zones to other interfaces

                 based zones (including the default zone).

-                Valid values; "yes", "no". Defaults to "no".

+                Valid values; "yes", "no". Defaults to "yes".

                 </para>

             </listitem>

         </varlistentry>

diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml

index b75067e12c51..d68c775ee5bf 100644

--- a/doc/xml/firewalld.dbus.xml

+++ b/doc/xml/firewalld.dbus.xml

@@ -2787,7 +2787,7 @@

                 to interface based zones (including the default zone). Packets

                 never drift from interface based zones to other interfaces

                 based zones (including the default zone).

-                Valid values; "yes", "no". Defaults to "no".

+                Valid values; "yes", "no". Defaults to "yes".

             </para></listitem>

           </varlistentry>

           <varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">

diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in

index e875e849dec1..0dec7913f694 100644

--- a/src/firewall/config/__init__.py.in

+++ b/src/firewall/config/__init__.py.in

@@ -133,4 +133,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"

 FALLBACK_FIREWALL_BACKEND = "nftables"

 FALLBACK_FLUSH_ALL_ON_RELOAD = True

 FALLBACK_RFC3964_IPV4 = True

-FALLBACK_ALLOW_ZONE_DRIFTING = False

+FALLBACK_ALLOW_ZONE_DRIFTING = True

diff --git a/src/tests/functions.at b/src/tests/functions.at

index 6b1263b178dc..7ac28d514233 100644

--- a/src/tests/functions.at

+++ b/src/tests/functions.at

@@ -123,6 +123,11 @@ m4_define([FWD_START_TEST], [

         dnl set the appropriate backend

         AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])

+        dnl Expected test results assume this is set to "no", but downstream

+        dnl RHEL overrides it to "yes". Override it back to "no" so we don't

+        dnl have to fix up all the tests when bringing them from upstream.

+        AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])

+

         dnl fib matching is pretty new in nftables. Don't use rpfilter on older

         dnl kernels.

         m4_if(nftables, FIREWALL_BACKEND, [

-- 

2.27.0