From bccc66877af7baa95e70c4314e3016ac78c4bbc7 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Tue, 4 Feb 2020 09:12:17 -0500 Subject: [PATCH 02/22] RHEL only: default to AllowZoneDrifting=yes --- config/firewalld.conf | 4 ++-- doc/xml/firewalld.conf.xml | 2 +- doc/xml/firewalld.dbus.xml | 2 +- src/firewall/config/__init__.py.in | 2 +- src/tests/functions.at | 5 +++++ 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/config/firewalld.conf b/config/firewalld.conf index 532f0452212e..f791b2358ab8 100644 --- a/config/firewalld.conf +++ b/config/firewalld.conf @@ -71,5 +71,5 @@ RFC3964_IPv4=yes # Note: If "yes" packets will only drift from source based zones to interface # based zones (including the default zone). Packets never drift from interface # based zones to other interfaces based zones (including the default zone). -# Possible values; "yes", "no". Defaults to "no". -AllowZoneDrifting=no +# Possible values; "yes", "no". Defaults to "yes". +AllowZoneDrifting=yes diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml index fcfbfd2b68c1..c21ef87813bc 100644 --- a/doc/xml/firewalld.conf.xml +++ b/doc/xml/firewalld.conf.xml @@ -197,7 +197,7 @@ to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone). - Valid values; "yes", "no". Defaults to "no". + Valid values; "yes", "no". Defaults to "yes". diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml index b75067e12c51..d68c775ee5bf 100644 --- a/doc/xml/firewalld.dbus.xml +++ b/doc/xml/firewalld.dbus.xml @@ -2787,7 +2787,7 @@ to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone). - Valid values; "yes", "no". Defaults to "no". + Valid values; "yes", "no". Defaults to "yes". diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in index e875e849dec1..0dec7913f694 100644 --- a/src/firewall/config/__init__.py.in +++ b/src/firewall/config/__init__.py.in @@ -133,4 +133,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no" FALLBACK_FIREWALL_BACKEND = "nftables" FALLBACK_FLUSH_ALL_ON_RELOAD = True FALLBACK_RFC3964_IPV4 = True -FALLBACK_ALLOW_ZONE_DRIFTING = False +FALLBACK_ALLOW_ZONE_DRIFTING = True diff --git a/src/tests/functions.at b/src/tests/functions.at index 6b1263b178dc..7ac28d514233 100644 --- a/src/tests/functions.at +++ b/src/tests/functions.at @@ -123,6 +123,11 @@ m4_define([FWD_START_TEST], [ dnl set the appropriate backend AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf]) + dnl Expected test results assume this is set to "no", but downstream + dnl RHEL overrides it to "yes". Override it back to "no" so we don't + dnl have to fix up all the tests when bringing them from upstream. + AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) + dnl fib matching is pretty new in nftables. Don't use rpfilter on older dnl kernels. m4_if(nftables, FIREWALL_BACKEND, [ -- 2.27.0