Dropped firewalld-selinux sub package as the required patch is now part of selinux-policy.


  • New firewalld-selinux sub package delivering the SELinux policy module for firewalld (#1396765) (#1394625) (#1394578) (#1394573) (#1394569)
  • New firewalld release 0.4.4.2:
  • firewalld.spec: Added helpers and ipsets paths to firewalld-filesystem
  • firewall.core.fw_nm: create NMClient lazily
  • Do not use hard-coded path for modinfo, use autofoo to detect it
  • firewall.core.io.ifcfg: Dropped invalid option warning with bad format string
  • firewall.core.io.ifcfg: Properly handle quoted ifcfg values
  • firewall.core.fw_zone: Do not reset ZONE with ifdown
  • Updated translations from zanata
  • firewall-config: Extra grid at bottom to visualize firewalld settings

Support Recognition of Automatic Helper Assignment Setting

Automatic helper assignment has been disabled in kernel 4.7. firewalld version 0.4.4 is now able to recognize this and to create rules if automatic helper assignment has been turned off to make conntrack helpers work again. If automatic helper assignment is turned on, then firewalld will behave as before.

For more information about the use of netfilter conntrack helper, please have a look at http://www.firewalld.org/2016/10/automatic-helper-assignment
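An added example, not firewalld's own code: it reads the kernel's `net.netfilter.nf_conntrack_helper` setting and, when automatic assignment is off, builds explicit `CT --helper` rules for the raw table. The helper-to-port table and all function names are assumptions made for illustration.

```python
from pathlib import Path

# Kernel switch for automatic helper assignment (sysctl net.netfilter.nf_conntrack_helper).
SYSCTL = Path("/proc/sys/net/netfilter/nf_conntrack_helper")

# Constructed sample table: helper name -> (protocol, well-known port).
SAMPLE_HELPERS = {
    "ftp": ("tcp", 21),
    "tftp": ("udp", 69),
    "netbios-ns": ("udp", 137),
    "pptp": ("tcp", 1723),
}


def read_sysctl(path=SYSCTL):
    """Return the raw sysctl text, or None if this kernel does not expose it."""
    try:
        return path.read_text()
    except OSError:
        return None


def automatic_assignment(sysctl_text):
    """Map the sysctl text to True/False; None means the mode is unknown."""
    if sysctl_text is None:
        return None
    value = sysctl_text.strip()
    if value not in ("0", "1"):
        raise ValueError("unexpected nf_conntrack_helper value: %r" % value)
    return value == "1"


def explicit_helper_rules(sysctl_text, wanted, table=SAMPLE_HELPERS):
    """Build iptables arguments that attach each wanted helper explicitly."""
    mode = automatic_assignment(sysctl_text)
    if mode is None:
        raise RuntimeError("helper assignment mode unknown; check the kernel")
    if mode:
        return []  # kernel still assigns helpers itself, nothing to add
    rules = []
    for name in wanted:
        proto, port = table[name]
        rules.append(["-t", "raw", "-A", "PREROUTING", "-p", proto,
                      "--dport", str(port), "-j", "CT", "--helper", name])
    return rules


if __name__ == "__main__":
    # Assumption for the demo only: a missing sysctl is treated as "off".
    for rule in explicit_helper_rules(read_sysctl() or "0", ["ftp", "pptp"]):
        print("iptables " + " ".join(rule))
```

Restricting each rule to the service's own port keeps the helper from being attached to unrelated traffic.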

Firewall-applet is now using Qt5

The firewall applet has been ported from Qt4 to Qt5.

Fixes LogDenied for zone reject targets

Previously, the logging rules for LogDenied were placed after the reject rules for zones using the reject target. The logging rules are now placed before these reject rules to fix logging.
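The ordering problem can be checked mechanically. The following added example (not firewalld code) scans `iptables -S` style output for LOG rules that sit behind an unconditional terminating rule in the same chain; the rule sets are constructed samples and the chain name is hypothetical.

```python
import shlex
from collections import defaultdict

# Constructed samples in `iptables -S` format; IN_examplezone is a hypothetical chain.
BEFORE_FIX = """\
-N IN_examplezone
-A IN_examplezone -j REJECT --reject-with icmp-host-prohibited
-A IN_examplezone -j LOG --log-prefix "examplezone_REJECT: "
"""
AFTER_FIX = """\
-N IN_examplezone
-A IN_examplezone -j LOG --log-prefix "examplezone_REJECT: "
-A IN_examplezone -j REJECT --reject-with icmp-host-prohibited
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Group the rule bodies of every '-A <chain> ...' line by chain, in order."""
    chains = defaultdict(list)
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "-A":
            chains[tokens[1]].append(tokens[2:])
    return chains


def target(rule):
    """Return the jump target of a rule body, or None if it has no -j."""
    return rule[rule.index("-j") + 1] if "-j" in rule else None


def unreachable_log_rules(text):
    """Return (chain, log_rule_no, blocking_rule_no) for every LOG rule that
    follows a terminating rule with no match options before its -j."""
    findings = []
    for chain, rules in parse_rules(text).items():
        blocker = None
        for number, rule in enumerate(rules, 1):
            tgt = target(rule)
            if blocker is not None and tgt == "LOG":
                findings.append((chain, number, blocker))
            elif blocker is None and tgt in TERMINATING and rule[0] == "-j":
                blocker = number
    return findings
```

Feeding it the output of `iptables -S` for a zone with a reject target shows whether denied packets can reach the logging rule at all.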

Does not abort transaction on failed ipv6_rpfilter rules

The existing transaction will be executed before trying to add the rules for ipv6_rpfilter, and a new transaction will be used to apply the ipv6_rpfilter rules. If this transaction fails, a warning is printed out and the remaining rules are applied with the next transaction.

Enhancements for the command line tools

The command line tools are now more consistent with errors and error codes in sequence options. The NOT_AUTHORIZED error is now also working.

New services

The services cfengine, condor-collector and smtp-submission have been added.

firewall-config: Use proper source check in sourceDialog (issue #162)

firewallctl: Use sys.excepthook to force exception_handler usage always

firewallctl: Support helpers

Several other enhancements and fixes


  • Fix CVE-2016-5410: Firewall configuration can be modified by any logged in user
  • firewall/server/firewalld: Make getXSettings and getLogDenied CONFIG_INFO
  • Update AppData configuration file.
  • tests/firewalld_rich.py: Use new import structure and FirewallClient classes
  • tests/firewalld_direct.py: Use new import structure
  • tests: firewalld_direct: Fix assert to check for True instead of False
  • tests: firewalld_config: Fix expected value when querying the zone target
  • tests: firewalld_config: Use real nf_conntrack modules
  • firewalld.spec: Added comment about make call for %build
  • firewall-config: Use also width_request and height_request with default size
  • Updated firewall-config screenshot
  • firewall-cmd: Fixed typo in help output (#1367171)
  • test-suite: Ignore stderr to get default zone also for missing firewalld.conf
  • firewall.core.logger: Warnings should be printed to stderr per default
  • firewall.core.fw_nm: Ignore NetworkManager if NM.Client connect fails
  • firewall-cmd, firewallctl: Gracefully fail if SystemBus can not be acquired
  • firewall.client: Generate new DBUS_ERROR if SystemBus can not be acquired
  • test-suite: Do not fail on ALREADY_ENABLED --add-destination tests
  • firewall.command: ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET are warnings
  • doc/xml/firewalld.dbus.xml: Removed undefined reference
  • doc/xml/transform-html.xsl.in: Fixed references in the document
  • doc/xml/firewalld.{dbus,zone}.xml: Embed programlisting in para
  • doc/xml/transform-html.xsl.in: Enhanced html formatting closer to the man page
  • firewall: core: fw_nm: Instantiate the NM client only once
  • firewall/core/io/*.py: Do not traceback on a general sax parsing issue
  • firewall-offline-cmd: Fix --{add,remove}-entries-from-file
  • firewall-cmd: Add missing action to fix --{add,remove}-entries-from-file
  • firewall.core.prog: Do not output stderr, but return it in the error case
  • firewall.core.io.ifcfg.py: Fix ifcfg file reader and writer (#1362171)
  • config/firewall.service.in: use KillMode=mixed
  • config/firewalld.service.in: use network-pre.target
  • firewall-config: Add missing gettext.textdomain call to fix translations
  • Add UDP to transmission-client.xml service
  • tests/firewall-[offline-]cmd_test.sh: Hide errors and warnings
  • firewall.client: Fix ALREADY_ENABLED errors in icmptype destination calls
  • firewall.client: Fix NOT_ENABLED errors in icmptype destination calls
  • firewall.client: Use {ALREADY,NOT}_ENABLED errors in icmptype destination calls
  • firewall.command: Add the removed FirewallError handling to the action (a17ce50)
  • firewall.command: Do not use query methods for sequences and also single options
  • Add missing information about MAC and ipset sources to man pages and help output
  • firewalld.spec: Add BuildRequires for libxslt to enable rebuild of man pages
  • firewall[-offline]-cmd, firewallctl, firewall.command: Use sys.{stdout,stderr}
  • firewallctl: Fix traceback if not connected to firewalld
  • firewall-config: Initialize value in on_richRuleDialogElementChooser_clicked
  • firewall.command: Convert errors to string for Python3
  • firewall.command: Get proper firewall error code from D-BusExceptions
  • firewall-cmd: Fixed traceback without args
  • Add missing service files to Makefile.am
  • shell-completion: Add shell completion support for --{get,set}--{description,short}
This update has been submitted for testing by than. 2 years ago
This update has obsoleted [firewalld-0.4.4.2-1.fc23](https://bodhi.fedoraproject.org/updates/FEDORA-2016-b566ecf579), and has inherited its bugs and notes. 2 years ago
This update has been pushed to testing. 2 years ago
filiperosset commented & provided feedback 2 years ago

no regressions noted

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes 2 years ago


Metadata

  • Type: security
  • Karma: 1
  • Signed
  • Content Type: RPM
  • Test Gating
  • Settings: Unstable by Karma -3, Stable by Karma 3
  • Dates: submitted 2 years ago, in testing 2 years ago

BZ#1297235 samba browsing blocked even with the samba-client service enabled, works with connection/interface in 'trusted' zone
BZ#1358380 firewall-cmd crashes if /run/dbus/system_bus_socket does not exist
BZ#1361589 firewall-config error when using pt-BR language
BZ#1363741 firewall-cmd ipset --add-entries-from-file regression
BZ#1367381 CVE-2016-5410 firewalld: Firewall configuration can be modified by any logged in user [fedora-all]
BZ#1380168 Firewalld cause any ftp client to get "host unknown" when go in passive mode connecting with ip address
BZ#1390961 firewalld does not allow connections to VPN PPTP server
BZ#1394569 Samba service rules broken
BZ#1394573 firewall-config missing kernel feature nf_conntrack_netbios_ns
BZ#1394578 Firewalld not respecting samba rule
BZ#1394625 cannot enable FTP service via firewalld/firewall-applet
BZ#1396765 firewall-cmd --add-service=samba doesn't work
