- Update to 1.0.2:
* fix(firewalld): check capng_apply() return code
* fix(nftables): do not log icmp block if inversion
* fix(nftables): rich: source address with netmask
* fix(fw_config): zone: on rename remove then add
* fix(io/functions): check_config against on disk conf
* fix(zone): detect same source/interface in zones
* docs(policy): fix typos
* docs(policies): fix typos
(forwarded request 932169 from mrostecki)
OBS-URL: https://build.opensuse.org/request/show/932170
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=60
- Update to 1.0.2:
* fix(firewalld): check capng_apply() return code
* fix(nftables): do not log icmp block if inversion
* fix(nftables): rich: source address with netmask
* fix(fw_config): zone: on rename remove then add
* fix(io/functions): check_config against on disk conf
* fix(zone): detect same source/interface in zones
* docs(policy): fix typos
* docs(policies): fix typos
OBS-URL: https://build.opensuse.org/request/show/932169
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=117
- Update to 1.0.0:
* Reduced dependencies
* Intra-zone forwarding by default
* NAT rules moved to inet family (reduced rule set)
* Default target is now similar to reject
* ICMP blocks and block inversion only apply to input, not forward
* tftp-client service has been removed
* iptables backend is deprecated
* Direct interface is deprecated
* CleanupModulesOnExit defaults to no (kernel modules not unloaded)
- Add new firewalld-test package
- Move bash and zsh completions to more useful separate packages
- Clean spec file
- Move modprobe.d and autostart files out of /etc
OBS-URL: https://build.opensuse.org/request/show/910605
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=115
- Remove the patch which enforces usage of iptables instead of nftables:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the workaround for lack of nftables support in docker. Without that additional zone, containers have no Internet connectivity. (rhbz#1817022)
- Update to 0.9.1:
* Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths
* fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
* fix(policy): zone interface/source changes should affect all using zone
OBS-URL: https://build.opensuse.org/request/show/853450
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=53
- Remove the patch which enforces usage of iptables instead of nftables:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the workaround for lack of nftables support in docker. Without that additional zone, containers have no Internet connectivity. (rhbz#1817022)
- Update to 0.9.1:
* Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths
* fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
* fix(policy): zone interface/source changes should affect all using zone
(forwarded request 847325 from mrostecki)
OBS-URL: https://build.opensuse.org/request/show/847328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=51
- Remove the patch which enforces usage of iptables instead of nftables:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the workaround for lack of nftables support in docker. Without that additional zone, containers have no Internet connectivity. (rhbz#1817022)
- Update to 0.9.1:
* Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths
* fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
* fix(policy): zone interface/source changes should affect all using zone
OBS-URL: https://build.opensuse.org/request/show/847325
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=107
- Update to version 0.7.5:
* release: v0.7.5
* chore(translation): merge from master
* fix(cli): add ipset type hash:mac is incompatible with the family parameter Fixes: rhbz1541077
* test(rhbz1483921): better test name
* fix(cli): add --zone is an invalid option with --direct
* fix: core: rich: Catch ValueError on non-numeric priority values
* fix: update dynamic DCE RPC ports in freeipa-trust service
* docs: replace occurrences of the term blacklist with denylist
* docs(README): add libxslt for doc generation
* test(rich): source mac with nftables backend
* fix(firewall-offline-cmd): remove instances of "[P]" in help text
* test(check-container): add support for centos8 stream
* test(functions): use IndividualCalls if host doesn't support nft rule index
* test(functions): add macro IF_HOST_SUPPORTS_NFT_RULE_INDEX
* test(dbus): better way to check IPv6_rpfilter expected value
* fix(ipset): flush the set if IndividualCalls=yes
* test(ipv6): skip square bracket address tests if ipv6 not available
* test(gh509): only run test for nftables backend
* fix(dbus): service: don't cleanup config for old set APIs
* fix(config): bool values in dict based import/export
* fix(doc): dbus: signatures for zone tuple based APIs
* test(dbus): zone: fix zone runtime functional test title
* test(dbus): zone: fix false failure due to list order
* fix(client): addService needs to reduce tuple size
* test(direct): rule in a zone chain
* fix(direct): rule in a zone chain
* test(dbus): zone: verify runtime config APIs
* test(dbus): zone: verify permanent config APIs
* fix(systemd): Conflict with nftables.service
(forwarded request 826046 from mrostecki)
OBS-URL: https://build.opensuse.org/request/show/826047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=48
- Update to version 0.7.5:
* release: v0.7.5
* chore(translation): merge from master
* fix(cli): add ipset type hash:mac is incompatible with the family parameter Fixes: rhbz1541077
* test(rhbz1483921): better test name
* fix(cli): add --zone is an invalid option with --direct
* fix: core: rich: Catch ValueError on non-numeric priority values
* fix: update dynamic DCE RPC ports in freeipa-trust service
* docs: replace occurrences of the term blacklist with denylist
* docs(README): add libxslt for doc generation
* test(rich): source mac with nftables backend
* fix(firewall-offline-cmd): remove instances of "[P]" in help text
* test(check-container): add support for centos8 stream
* test(functions): use IndividualCalls if host doesn't support nft rule index
* test(functions): add macro IF_HOST_SUPPORTS_NFT_RULE_INDEX
* test(dbus): better way to check IPv6_rpfilter expected value
* fix(ipset): flush the set if IndividualCalls=yes
* test(ipv6): skip square bracket address tests if ipv6 not available
* test(gh509): only run test for nftables backend
* fix(dbus): service: don't cleanup config for old set APIs
* fix(config): bool values in dict based import/export
* fix(doc): dbus: signatures for zone tuple based APIs
* test(dbus): zone: fix zone runtime functional test title
* test(dbus): zone: fix false failure due to list order
* fix(client): addService needs to reduce tuple size
* test(direct): rule in a zone chain
* fix(direct): rule in a zone chain
* test(dbus): zone: verify runtime config APIs
* test(dbus): zone: verify permanent config APIs
* fix(systemd): Conflict with nftables.service
OBS-URL: https://build.opensuse.org/request/show/826046
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=102
- Update to 0.7.4
This is a bug fix only release.
However, it does reintroduce the zone drifting bug as a feature. See #258 and #441. This behavior is disabled by default.
* improvement: build: add an option to disable building documentation
* Typo in firewall-config(1)
* Fix typo in TFTP service description
* doc: README: add note about language translations
* fix: rich: source/dest only matching with mark action
* feat: AllowZoneDrifting config option
* feat: nftables: support AllowZoneDrifting=yes
* feat: ipXtables: support AllowZoneDrifting=yes
* fix: firewall-offline-cmd: Don't print warning about AllowZoneDrifting
* fix: add logrotate policy
* fix: tests: regenerate testsuite if .../{cli,python}/*.at changes
* doc: direct: add CAVEATS section
* fix: checkIP6: strip leading/trailing square brackets
* fix: nftables: remove square brackets from IPv6 addresses
* fix: ipXtables: remove square brackets from IPv6 addresses
* fix: nftables: zone dispatch with multidimensional ipsets
* fix: ipset: destroy runtime sets on reload/stop
* fix: port: support querying sub ranges
* fix: source_port: support querying sub ranges
* doc: specify accepted characters for object names
* fix: doc: address copy/paste mistakes in short/description
* fix: configure: atlocal: quote variable values
* fix: nftables: allow set intervals with concatenations
* doc: clarify --set-target values "default" vs "reject"
OBS-URL: https://build.opensuse.org/request/show/791189
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=101