From 8303e10ece79829a2abbb61f4e353ae17d995797 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 27 Mar 2020 14:25:47 -0400
Subject: [PATCH] doc: clarify --set-target values "default" vs "reject"

Fixes: #590
(cherry picked from commit 1249b741781d424e03844b35a4545db69a282dfb)
(cherry picked from commit 48a80a871b3e6be9abcc195c12b2860b4958c32b)
---
 doc/xml/firewall-cmd.xml.in      | 36 ++++++++++++++++++++++++++++++++++++
 doc/xml/firewall-offline-cmd.xml | 38 +++++++++++++++++++++++++++++++++++++-
 2 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index cd4aa47addb2..661bbdfe0c47 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -482,6 +482,42 @@
             <para>
               Set the target of a permanent zone. <replaceable>target</replaceable> is one of: <literal>default</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
             </para>
+            <para>
+              <literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
+              <orderedlist>
+                <listitem><para>ICMP explicitly allowed</para>
+                <para>
+                  At the end of the zone's ruleset ICMP packets are explicitly allowed.
+                </para>
+                </listitem>
+
+                <listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
+                <para>
+                  In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
+                </para>
+                <para>
+                  For a forwarded packet that ingresses zoneA and egresses zoneB:
+                </para>
+                <itemizedlist>
+                <listitem>
+                <para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
+                </listitem>
+                <listitem>
+                <para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
+                </listitem>
+                </itemizedlist>
+                </listitem>
+
+                <listitem><para>Zone drifting from source-based zone to interface-based zone</para>
+                <para>
+                  This only applies if <option>AllowZoneDrifting</option> is enabled. See <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+                </para>
+                <para>
+                  If a packet ingresses a source-based zone with a <replaceable>target</replaceable> of <literal>default</literal>, it may still enter an interface-based zone (including the default zone).
+                </para>
+                </listitem>
+              </orderedlist>
+            </para>
           </listitem>
 	</varlistentry>
       </variablelist>
diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
index aeaf3dc0ebd5..9406833ed74d 100644
--- a/doc/xml/firewall-offline-cmd.xml
+++ b/doc/xml/firewall-offline-cmd.xml
@@ -572,7 +572,43 @@
           <term><option>--zone</option>=<replaceable>zone</replaceable> <option>--set-target</option>=<replaceable>zone</replaceable></term>
           <listitem>
             <para>
-              Set the target of a permanent zone.
+              Set the target of a permanent zone. <replaceable>target</replaceable> is one of: <literal>default</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
+            </para>
+            <para>
+              <literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
+              <orderedlist>
+                <listitem><para>ICMP explicitly allowed</para>
+                <para>
+                  At the end of the zone's ruleset ICMP packets are explicitly allowed.
+                </para>
+                </listitem>
+
+                <listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
+                <para>
+                  In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
+                </para>
+                <para>
+                  For a forwarded packet that ingresses zoneA and egresses zoneB:
+                </para>
+                <itemizedlist>
+                <listitem>
+                <para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
+                </listitem>
+                <listitem>
+                <para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
+                </listitem>
+                </itemizedlist>
+                </listitem>
+
+                <listitem><para>Zone drifting from source-based zone to interface-based zone</para>
+                <para>
+                  This only applies if <option>AllowZoneDrifting</option> is enabled. See <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+                </para>
+                <para>
+                  If a packet ingresses a source-based zone with a <replaceable>target</replaceable> of <literal>default</literal>, it may still enter an interface-based zone (including the default zone).
+                </para>
+                </listitem>
+              </orderedlist>
             </para>
           </listitem>
 	</varlistentry>
-- 
1.8.3.1