From dfa06f76e3088dccf5ac56b4d7f3162830393516 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH] RHEL only: default to AllowZoneDrifting=yes

---
 config/firewalld.conf | 4 ++--
 doc/xml/firewalld.conf.xml | 2 +-
 doc/xml/firewalld.dbus.xml | 2 +-
 src/firewall/config/__init__.py.in | 2 +-
 src/tests/dbus/firewalld.conf.at | 4 ++--
 src/tests/functions.at | 1 +
 src/tests/regression/rhbz1514043.at | 5 +++++
 7 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/config/firewalld.conf b/config/firewalld.conf
index 02be07b9b892..1854f3795e0a 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -65,5 +65,5 @@ AutomaticHelpers=system
 # Note: If "yes" packets will only drift from source based zones to interface
 # based zones (including the default zone). Packets never drift from interface
 # based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "no".
-AllowZoneDrifting=no
+# Possible values; "yes", "no". Defaults to "yes".
+AllowZoneDrifting=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 9d8017df3112..8dff74152cd1 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -158,7 +158,7 @@ to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index ea0be9cefd1c..afd2c7bba401 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2571,7 +2571,7 @@ to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
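Review bot: The rewritten comment `# Possible values; "yes", "no". Defaults to "yes".` records the flipped default but not why it differs from the "no" the removed line documented, even though the subject marks this as a RHEL-only default, nor that the daemon logs a warning while the option is on — the functions.at hunk in this same patch starts deleting `WARNING: AllowZoneDrifting is enabled.` from firewalld.log. Going by the Note just above it, "yes" is the more permissive of the two values, so a reader of the shipped config should see both facts next to the setting; I would add `# Note: RHEL-specific default; the upstream default is "no". A warning is logged while this is "yes".` directly above the `AllowZoneDrifting=yes` line. The same applies to `FALLBACK_ALLOW_ZONE_DRIFTING = True` in src/firewall/config/__init__.py.in, which carries no comment tying it to the firewalld.conf default that src/tests/dbus/firewalld.conf.at in this patch expects it to match.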
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 3926c8fdb3a3..561ea3f34325 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -128,4 +128,4 @@ FALLBACK_INDIVIDUAL_CALLS = False
 FALLBACK_LOG_DENIED = "off"
 FALLBACK_AUTOMATIC_HELPERS = "system"
 FALLBACK_FIREWALL_BACKEND = "iptables"
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 0884e21b6368..8ed00f84e158 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -3,7 +3,7 @@ FWD_START_TEST([firewalld.conf])
 dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
 IF_HOST_SUPPORTS_NFT_FIB([
 DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
 string "AutomaticHelpers" : variant string "system"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
@@ -14,7 +14,7 @@ string "LogDenied" : variant string "off"
 string "MinimalMark" : variant int32 100
 ])], [
 DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
 string "AutomaticHelpers" : variant string "system"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 29436dbc1509..2340fb8f5565 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -146,6 +146,7 @@ m4_define([FWD_END_TEST], [
 sed -i "/modprobe: ERROR:/d" ./firewalld.log
 sed -i "/WARNING: Failed to load nf_conntrack module/d" ./firewalld.log
 sed -i "/WARNING: Failed to get and parse nf_conntrack_helper setting/d" ./firewalld.log
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
 if test x"$1" != x"ignore"; then
 if test -n "$1"; then
 sed -i $1 ./firewalld.log
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index ff2ede2ece71..7f061d86c2f1 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -1,4 +1,9 @@
 FWD_START_TEST([--set-log-denied does not zero config])
+
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
 FWD_CHECK([-q --set-log-denied=all])
 FWD_CHECK([-q --permanent --zone=public --add-service=samba])
 FWD_RELOAD
-- 
2.23.0
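Review bot: The new `AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])` passes even when the substitution matches nothing, because sed -i exits 0 without a match; if the test's ./firewalld.conf copy lacks the key, the run silently proceeds with the new default of "yes" while the `dnl` comment above promises "no". Asserting the precondition after the edit, `AT_CHECK([grep -q '^AllowZoneDrifting=no$' ./firewalld.conf])`, turns that silent divergence into a test failure. In the functions.at hunk on this line, the unescaped `.` in `/WARNING: AllowZoneDrifting is enabled./d` matches any character; harmless here, but `\.` would make the filter literal.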