SHA256
1
0
forked from pool/firewalld

- Restore nftables as default backend (bsc#1102761). nftables and

iptables can co-exist but the 'nat' table had a bug which was fixed
  in kernel-4.18.

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=78
This commit is contained in:
Markos Chandras 2018-08-15 13:33:29 +00:00 committed by Git OBS Bridge
parent fb97f07a3e
commit d850d0365e
3 changed files with 4 additions and 68 deletions

View File

@ -1,59 +0,0 @@
From dbbf60a4bb0c7edc83cd8bae2177d96842ad9034 Mon Sep 17 00:00:00 2001
From: Markos Chandras <mchandras@suse.de>
Date: Mon, 13 Aug 2018 22:31:04 +0300
Subject: [PATCH] firewall: backend: Switch default backend to 'iptables'
Switch default backend to 'iptables'. Some packages (eg docker)
are not able to work well with nftables right now, so lets stick
with iptables as default backend.
Link: https://bugzilla.suse.com/show_bug.cgi?id=1102761
Signed-off-by: Markos Chandras <mchandras@suse.de>
---
config/firewalld.conf | 6 +++---
doc/xml/firewalld.conf.xml | 4 ++--
src/firewall/config/__init__.py.in | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa5..e6afde19 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -59,6 +59,6 @@ AutomaticHelpers=system
# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
+# - nftables
+# - iptables (default)
+FirewallBackend=iptables
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index df4b9521..fee0d3ca 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -149,8 +149,8 @@
<listitem>
<para>
Selects the firewall backend implementation. Possible values
- are; <replaceable>nftables</replaceable> (default), or
- <replaceable>iptables</replaceable>. This applies to all
+ are; <replaceable>nftables</replaceable>, or
+ <replaceable>iptables</replaceable> (default). This applies to all
firewalld primitives. The only exception is direct and
passthrough rules which always use the traditional iptables,
ip6tables, and ebtables backends.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be320..cff7c3fe 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
--
2.16.4

View File

@ -1,10 +1,9 @@
-------------------------------------------------------------------
Mon Aug 13 19:08:39 UTC 2018 - mchandras@suse.de
Mon Aug 15 13:08:39 UTC 2018 - mchandras@suse.de
- Also switch firewall backend fallback to 'iptables' (bsc#1102761)
This ensures that existing configuration files will keep working
even if FirewallBackend option is missing.
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Restore nftables as default backend (bsc#1102761). nftables and
iptables can co-exist but the 'nat' table had a bug which was fixed
in kernel-4.18.
-------------------------------------------------------------------
Fri Aug 10 06:23:35 UTC 2018 - mchandras@suse.de

View File

@ -28,8 +28,6 @@ License: GPL-2.0-or-later
Group: Productivity/Networking/Security
Url: http://www.firewalld.org
Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: desktop-file-utils
@ -112,8 +110,6 @@ firewalld.
%prep
%setup -q
# bsc#1102761 - switch to iptables as default
%patch0 -p1
# bsc#1078223
rm config/services/high-availability.xml