From 2361184479832ac8f2754822e1e5d4de55c4898c Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Wed, 14 Nov 2018 11:42:17 -0500
Subject: [PATCH 1/4] remove ability to use nftables backend
---
 config/firewalld.conf | 7 -------
 configure.ac | 10 ----------
 doc/xml/firewalld.conf.xml | 14 --------------
 doc/xml/firewalld.dbus.xml | 10 ----------
 src/firewall/config/__init__.py.in | 3 +--
 src/firewall/core/fw.py | 5 -----
 src/firewall/core/io/firewalld_conf.py | 11 +----------
 src/firewall/server/config.py | 19 +++----------------
 src/tests/dbus/firewalld.conf.at | 2 --
 src/tests/functions.at | 3 ---
 src/tests/testsuite.at | 2 +-
 11 files changed, 6 insertions(+), 80 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa50c53..63df409bf567 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -55,10 +55,3 @@ LogDenied=off
 # will be used. Possible values are: yes, no and system.
 # Default: system
 AutomaticHelpers=system
-
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
diff --git a/configure.ac b/configure.ac
index db9a39f92def..d1c365e29986 100644
--- a/configure.ac
+++ b/configure.ac
@@ -147,16 +147,6 @@ if test "x$IPSET" = "x"; then
 fi
 AC_SUBST(IPSET)
-AC_ARG_WITH([nft],
- AS_HELP_STRING([--with-nft], [Path to nft (nftables) executable]),
- [NFT=$withval
- AC_MSG_NOTICE([Using for nft: $NFT])],
- [AC_PATH_PROG([NFT], [nft], [], [$FW_TOOLS_PATH])])
-if test "x$NFT" = "x"; then
- AC_MSG_ERROR([nft was not found in $FW_TOOLS_PATH])
-fi
-AC_SUBST(NFT)
-
 #############################################################
 AC_SUBST([GETTEXT_PACKAGE], '[PKG_NAME]')
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index df4b9521fd71..afb94b90937f 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -144,20 +144,6 @@ - - - - - Selects the firewall backend implementation. Possible values - are; nftables (default), or - iptables. This applies to all - firewalld primitives. The only exception is direct and - passthrough rules which always use the traditional iptables, - ip6tables, and ebtables backends. - - - -
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 8352f96cc057..ec82d4cad077 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2582,16 +2582,6 @@ - - FirewallBackend - s - (rw) - - - Selects the firewalld backend for all rules except the direct - interface. Valid options are; nftables, iptables. Default in - nftables. - - - IPv6_rpfilter - s - (rw) Indicates whether the reverse path filter test on a packet for IPv6 is enabled. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be32077e1..20e4979062d8 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -118,7 +118,6 @@ COMMANDS = {
 LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
 AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
-FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
 # fallbacks: will be overloaded by firewalld.conf
 FALLBACK_ZONE = "public"
@@ -129,4 +128,4 @@ FALLBACK_IPV6_RPFILTER = True
 FALLBACK_INDIVIDUAL_CALLS = False
 FALLBACK_LOG_DENIED = "off"
 FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 9be13a5c1313..abb25f0c3e72 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
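Review bot: `FALLBACK_FIREWALL_BACKEND` in the second `__init__.py.in` hunk keeps its place a few lines below the `# fallbacks: will be overloaded by firewalld.conf` comment, but after this patch it is the one fallback that firewalld.conf can no longer overload — the firewalld_conf.py hunk drops "FirewallBackend" from `valid_keys`, and the first hunk here deletes `FIREWALL_BACKEND_VALUES`, so no validation list backs it either. A reader of the constant on its own will still take the option to be configurable. Suggest annotating it in place, e.g. `FALLBACK_FIREWALL_BACKEND = "iptables"  # fixed: FirewallBackend is no longer a firewalld.conf key`. Which callers still read the constant (presumably the backend selection in fw.py) is not visible in this patch.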
@@ -293,11 +293,6 @@ class Firewall(object):
 log.debug1("AutomaticHelpers is set to '%s'",
 self._automatic_helpers)
- if self._firewalld_conf.get("FirewallBackend"):
- self._firewall_backend = self._firewalld_conf.get("FirewallBackend")
- log.debug1("FirewallBackend is set to '%s'",
- self._firewall_backend)
-
 self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
 self._select_firewall_backend(self._firewall_backend)
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad693c1..9aee2dc6f9b7 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -30,7 +30,7 @@ from firewall.functions import b2u, u2b, PY2
 valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls", "LogDenied",
- "AutomaticHelpers", "FirewallBackend" ]
+ "AutomaticHelpers" ]
 class firewalld_conf(object):
 def __init__(self, filename):
@@ -79,7 +79,6 @@ class firewalld_conf(object):
 self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
 self.set("LogDenied", config.FALLBACK_LOG_DENIED)
 self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
- self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
 raise
 for line in f:
@@ -175,14 +174,6 @@ class firewalld_conf(object):
 config.FALLBACK_AUTOMATIC_HELPERS)
 self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS))
- value = self.get("FirewallBackend")
- if not value or value.lower() not in config.FIREWALL_BACKEND_VALUES:
- if value is not None:
- log.warning("FirewallBackend '%s' is not valid, using default "
- "value %s", value if value else '',
- config.FALLBACK_FIREWALL_BACKEND)
- self.set("FirewallBackend", str(config.FALLBACK_FIREWALL_BACKEND))
-
 # save to self.filename if there are key/value changes
 def write(self):
 if len(self._config) < 1:
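Review bot: With the removed lines gone, the surviving `self._select_firewall_backend(self._firewall_backend)` call depends entirely on `self._firewall_backend` being initialised outside this hunk, since the deleted block was the only place the value was taken from firewalld.conf. Presumably it is seeded from `config.FALLBACK_FIREWALL_BACKEND`, which this patch flips to "iptables", but that assignment is not visible here and is worth confirming. Since the value can no longer change at runtime, a brief comment on the call — e.g. `# backend is fixed to config.FALLBACK_FIREWALL_BACKEND; FirewallBackend is no longer read from firewalld.conf` — would save the next reader a search. The `Firewall` method containing this code starts and ends outside the hunk.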
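Review bot: Removing "FirewallBackend" from `valid_keys` in the first firewalld_conf.py hunk means an existing firewalld.conf that still carries `FirewallBackend=nftables` — the shipped default until this patch, per the config/firewalld.conf hunk — is now parsed as containing an unknown key, and the `for line in f:` loop that decides whether such a key is ignored, logged or rejected runs past the end of the second hunk, so the upgrade behaviour cannot be confirmed from here. An administrator whose file still names nftables gets no signal that iptables is what is actually enforcing policy, which is exactly the kind of mismatch that surfaces during a ruleset audit. If the reader retains unknown keys, a one-line `log.warning("FirewallBackend is no longer supported; the iptables backend is always used")` in place of the deleted validation in the third hunk, guarded by the key being present, would make the change visible at startup; if it already warns about unknown keys, a `NOTE` comment next to `valid_keys` naming the removed key would do. The method containing the second and third hunks starts outside them.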
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index dfc562b537eb..011052a9cabf 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -105,7 +105,6 @@ class FirewallDConfig(slip.dbus.service.Object):
 "IndividualCalls": "readwrite",
 "LogDenied": "readwrite",
 "AutomaticHelpers": "readwrite",
- "FirewallBackend": "readwrite",
 })
 @handle_exceptions
@@ -485,7 +484,7 @@ class FirewallDConfig(slip.dbus.service.Object):
 def _get_property(self, prop):
 if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers" ]:
 raise dbus.exceptions.DBusException(
 "org.freedesktop.DBus.Error.InvalidArgs: "
 "Property '%s' does not exist" % prop)
@@ -526,10 +525,6 @@ class FirewallDConfig(slip.dbus.service.Object):
 if value is None:
 value = config.FALLBACK_AUTOMATIC_HELPERS
 return dbus.String(value)
- elif prop == "FirewallBackend":
- if value is None:
- value = config.FALLBACK_FIREWALL_BACKEND
- return dbus.String(value)
 @dbus_handle_exceptions
 def _get_dbus_property(self, prop):
@@ -549,8 +544,6 @@ class FirewallDConfig(slip.dbus.service.Object):
 return dbus.String(self._get_property(prop))
 elif prop == "AutomaticHelpers":
 return dbus.String(self._get_property(prop))
- elif prop == "FirewallBackend":
- return dbus.String(self._get_property(prop))
 else:
 raise dbus.exceptions.DBusException(
 "org.freedesktop.DBus.Error.InvalidArgs: "
@@ -590,7 +583,7 @@ class FirewallDConfig(slip.dbus.service.Object):
 if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
 for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers" ]:
 ret[x] = self._get_property(x)
 elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
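Review bot: The configuration property list is kept as four separate literals that this patch edits in lockstep — the `readwrite` dict in the first hunk, the membership check in `_get_property` in the second, the `for x in [...]` loop in the fifth, and the `property_name in [...]` check in the `@@ -616` hunk on the following line — on top of the per-property `elif` chains in the third and fourth hunks. The removal is consistent here, but every future property needs the same multi-site edit, and a miss is asymmetric: a name present in the `ret[x] = self._get_property(x)` loop but absent from `_get_property` makes that whole call raise `InvalidArgs` for every caller. A module-level tuple such as `_CONFIG_PROPERTIES = ("DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls", "LogDenied", "AutomaticHelpers")` referenced from each site (minus "DefaultZone" in the `Set` check, which the firewalld.conf.at test notes is read-only) would keep them from drifting. The `FirewallDConfig` methods touched here all start and end outside their hunks.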
@@ -616,8 +609,7 @@ class FirewallDConfig(slip.dbus.service.Object):
 if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
 if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers",
- "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers" ]:
 if property_name == "MinimalMark":
 try:
 int(new_value)
@@ -646,11 +638,6 @@ class FirewallDConfig(slip.dbus.service.Object):
 raise FirewallError(errors.INVALID_VALUE,
 "'%s' for %s" % \
 (new_value, property_name))
- if property_name == "FirewallBackend":
- if new_value not in config.FIREWALL_BACKEND_VALUES:
- raise FirewallError(errors.INVALID_VALUE,
- "'%s' for %s" % \
- (new_value, property_name))
 self.config.get_firewalld_conf().set(property_name, new_value)
 self.config.get_firewalld_conf().write()
 self.PropertiesChanged(interface_name,
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de10af..3887d7ee4a7d 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -5,7 +5,6 @@ DBUS_GETALL([config], [config], 0, [dnl
 string "AutomaticHelpers" : variant string "system"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
 m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
 string "IPv6_rpfilter" : variant string "no"],[dnl
 string "IPv6_rpfilter" : variant string "yes"])
@@ -29,7 +28,6 @@ _helper([Lockdown], [string:"yes"], [variant string "yes"])
 _helper([LogDenied], [string:"all"], [variant string "all"])
 _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
 _helper([IndividualCalls], [string:"yes"], [variant string "yes"])
-_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
 _helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
 dnl Note: DefaultZone is RO
 m4_undefine([_helper])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index f8ab929118e5..b95324847e5c 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -70,9 +70,6 @@ m4_define([FWD_START_TEST], [
 dnl don't unload modules or bother cleaning up, the namespace will be deleted
 AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
- dnl set the appropriate backend
- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
-
 dnl fib matching is pretty new in nftables. Don't use rpfilter on older
 dnl kernels.
 m4_if(nftables, FIREWALL_BACKEND, [
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 2943d7460919..68d18c9018b8 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -10,7 +10,7 @@ m4_include([functions.at])
 m4_include([firewall-offline-cmd.at])
 m4_include([dbus.at])
-m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+m4_foreach([FIREWALL_BACKEND], [[iptables]], [
 m4_include([firewall-cmd.at])
 m4_include([regression.at])
 m4_include([python.at])
-- 
2.18.0
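Review bot: The `m4_if(nftables, FIREWALL_BACKEND, [` context line closing the functions.at hunk becomes a branch that can no longer be taken, because the testsuite.at hunk below narrows `m4_foreach([FIREWALL_BACKEND], ...)` to `[[iptables]]` and the `sed` that wrote the backend into firewalld.conf is removed with the lines above it. Keeping the nftables-only rpfilter special case in `FWD_START_TEST` implies the harness still exercises that backend, which it no longer does, and the single-element `m4_foreach` in testsuite.at reads the same way. Either drop the branch along with the sed, or leave a note such as `dnl FIREWALL_BACKEND is always iptables now that nftables support is removed` so the leftover is recognisably deliberate. The `FWD_START_TEST` macro body, including the close of this `m4_if`, continues past the hunk.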