commit 302d7f28fb9c09d624e34d9b9966a7d2974bbd3a

Author: Jiri Popelka <jpopelka@redhat.com>

Date:   Thu Aug 14 14:44:13 2014 +0200

    man: '--permanent --add-interface' vs. ZONE= in ifcfg (RHBZ#1128563)

diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml

index 44f6799..dabb9a4 100644

--- a/doc/xml/firewall-cmd.xml

+++ b/doc/xml/firewall-cmd.xml

@@ -648,8 +648,10 @@

 	      Bind interface <replaceable>interface</replaceable> to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.

 	    </para>

 	    <para>

-	      As a end user you don't need this in most cases, because NetworkManager adds interfaces into zones automatically.

-	      For permanent association of interface with a zone, see 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.

+	      As a end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to <option>ZONE=</option> option from ifcfg-<replaceable>interface</replaceable> file).

+	      You should do it only if there's no /etc/sysconfig/network-scripts/ifcfg-<replaceable>interface</replaceable> file.

+	      If there is such file and you add interface to zone with this <option>--add-interface</option> option, make sure the zone is the same in both cases, otherwise the behaviour would be undefined.

+	      For permanent association of interface with a zone, see also 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.

 	    </para>

 	  </listitem>

 	</varlistentry>

diff --git a/doc/xml/firewalld.xml b/doc/xml/firewalld.xml

index 4ccf4e3..24d7541 100644

--- a/doc/xml/firewalld.xml

+++ b/doc/xml/firewalld.xml

@@ -123,7 +123,12 @@

       firewalld provides support for zones, predefined services and ICMP types and has a separation of runtime and permanent configuration options. Permanent configuration is loaded from XML files in <filename class="directory">/usr/lib/firewalld</filename> or <filename class="directory">/etc/firewalld</filename> (see <xref linkend="directories"/>).

     </para>

     <para>

-      If NetworkManager is not used, there are some limitations: firewalld will not get notified about network device renames. If firewalld gets started after the network is already up, the connections are not bound to a zone. Manually created interfaces are not bound to a zone. Please add them to a zone with <command>firewall-cmd --zone=zone --add-interface=interface</command>.

+      If NetworkManager is not used, there are some limitations: firewalld will not get notified about network device renames.

+      If firewalld gets started after the network is already up, the connections and manually created interfaces are not bound to a zone.

+      You can add them to a zone with <command>firewall-cmd [--permanent] --zone=<replaceable>zone</replaceable> --add-interface=<replaceable>interface</replaceable></command>,

+      but make sure that if there's a /etc/sysconfig/network-scripts/ifcfg-<replaceable>interface</replaceable>,

+      the zone specified there with ZONE=<replaceable>zone</replaceable>

+      is the same (or both are empty/missing for default zone), otherwise the behaviour would be undefined.

     </para>

     <refsect2>

commit f0d25a618c26dc47c552e63ac7d7c9a2c57151b7

Author: Thomas Woerner <twoerner@redhat.com>

Date:   Tue Jul 7 10:32:31 2015 +0200

    man: Interface handling with and without NetworkManager (RHBZ#1122739 RHBZ#1128563)

diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml

index 74c9e1c..8603ca8 100644

--- a/doc/xml/firewall-cmd.xml

+++ b/doc/xml/firewall-cmd.xml

@@ -660,9 +660,10 @@

 	      Bind interface <replaceable>interface</replaceable> to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.

 	    </para>

 	    <para>

-	      As a end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to <option>ZONE=</option> option from ifcfg-<replaceable>interface</replaceable> file).

+	      As a end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to <option>ZONE=</option> option from ifcfg-<replaceable>interface</replaceable> file) if <replaceable>NM_CONTROLLED=no</replaceable> is not set.

 	      You should do it only if there's no /etc/sysconfig/network-scripts/ifcfg-<replaceable>interface</replaceable> file.

 	      If there is such file and you add interface to zone with this <option>--add-interface</option> option, make sure the zone is the same in both cases, otherwise the behaviour would be undefined.

+	      Please also have a look at the <citerefentry><refentrytitle>firewalld</refentrytitle><manvolnum>1</manvolnum></citerefentry> man page in the <replaceable>Concepts</replaceable> section.

 	      For permanent association of interface with a zone, see also 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.

 	    </para>

 	  </listitem>

diff --git a/doc/xml/firewalld.xml b/doc/xml/firewalld.xml

index df26ff7..ee16cd0 100644

--- a/doc/xml/firewalld.xml

+++ b/doc/xml/firewalld.xml

@@ -123,13 +123,24 @@

       firewalld provides support for zones, predefined services and ICMP types and has a separation of runtime and permanent configuration options. Permanent configuration is loaded from XML files in <filename class="directory">/usr/lib/firewalld</filename> or <filename class="directory">/etc/firewalld</filename> (see <xref linkend="directories"/>).

     </para>

     <para>

-      If NetworkManager is not used, there are some limitations: firewalld will not get notified about network device renames.

-      If firewalld gets started after the network is already up, the connections and manually created interfaces are not bound to a zone.

-      You can add them to a zone with <command>firewall-cmd [--permanent] --zone=<replaceable>zone</replaceable> --add-interface=<replaceable>interface</replaceable></command>,

+      If NetworkManager is not in use and firewalld gets started after the network is already up, the connections and manually created interfaces are not bound to the zone specified in the ifcfg file.

+      The interfaces will automatically be handled by the default zone.

+      firewalld will also not get notified about network device renames.

+      All this also applies to interfaces that are not controlled by NetworkManager if <replaceable>NM_CONTROLLED=no</replaceable> is set.

+    </para>

+    <para>

+      You can add these interfaces to a zone with <command>firewall-cmd [--permanent] --zone=<replaceable>zone</replaceable> --add-interface=<replaceable>interface</replaceable></command>,

       but make sure that if there's a /etc/sysconfig/network-scripts/ifcfg-<replaceable>interface</replaceable>,

       the zone specified there with ZONE=<replaceable>zone</replaceable>

       is the same (or both are empty/missing for default zone), otherwise the behaviour would be undefined.

     </para>

+    <para>

+      If firewalld gets reloaded, it will restore the interface bindings that were in place before reloading to keep interface bindings stable in the case of NetworkManager uncontrolled interfaces.

+      This mechanism is not possible in the case of a firewalld service restart.

+    </para>

+    <para>

+      It is essential to keep the ZONE= setting in the ifcfg file consistent to the binding in firewalld in the case of NetworkManager uncontrolled interfaces.

+    </para>

     <refsect2>

       <title>Zones</title>