device: use the nm-shared firewalld zone in shared mode

When the interface is in IPv4 or IPv6 shared mode and the user didn't specify an explicit zone, use the nm-shared one. Note that masquerade is still done through iptables direct calls because at the moment it is not possible for a firewalld zone to do masquerade based on the input interface. The firewalld zone is needed on systems where firewalld is using the nftables backend and the 'iptables' binary uses the iptables API (instead of the nftables one). On such systems, even if the traffic is allowed in iptables by our direct rules, it can still be dropped in nftables by firewalld. (cherry picked from commit 3e2b723532) (cherry picked from commit 13438e041a)
2026-01-16 17:01:22 +01:00 · 2020-05-08 09:12:33 +02:00 · 2020-05-08 09:12:33 +02:00 · 1dcdd1e8dd
commit 1dcdd1e8dd
parent 5baaf9c871
2 changed files with 28 additions and 1 deletions
--- a/16
+++ b/16
@ -1,3 +1,19 @@
+================================================
+NetworkManager-1.22.12
+Overview of changes since NetworkManager-1.22.10
+================================================
+
+This is a new stable release of NetworkManager.  Notable changes include:
+
+* Add a new build option 'firewalld-zone'; when enabled,
+  NetworkManager installs a firewalld zone for connection sharing and
+  puts interfaces using IPv4 or IPv6 shared mode in this zone during
+  activation. The option is enabled by default.
+  Note that NetworkManager still calls to iptables to enable
+  masquerading and open needed ports for DHCP and DNS. The new option
+  is useful on systems using firewalld with the nftables backend,
+  where the iptables rules would not be sufficient.
+
 ===============================================
 NetworkManager-1.22.10
 Overview of changes since NetworkManager-1.22.8
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@ -10805,6 +10805,7 @@ fw_change_zone (NMDevice *self)
 	NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
 	NMConnection *applied_connection;
 	NMSettingConnection *s_con;
+	const char *zone;

 	nm_assert (priv->fw_state >= FIREWALL_STATE_INITIALIZED);

@ -10822,9 +10823,19 @@ fw_change_zone (NMDevice *self)
 	if (G_UNLIKELY (!priv->fw_mgr))
 		priv->fw_mgr = g_object_ref (nm_firewall_manager_get ());

+	zone = nm_setting_connection_get_zone (s_con);
+#if WITH_FIREWALLD_ZONE
+	if (!zone || zone[0] == '\0') {
+		if (   nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET),
+		                  NM_SETTING_IP4_CONFIG_METHOD_SHARED)
+		    || nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET6),
+		                  NM_SETTING_IP6_CONFIG_METHOD_SHARED))
+			zone = "nm-shared";
+	}
+#endif
 	priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_mgr,
 	                                                        nm_device_get_ip_iface (self),
-	                                                        nm_setting_connection_get_zone (s_con),
+	                                                        zone,
 	                                                        FALSE, /* change zone */
 	                                                        fw_change_zone_cb,
 	                                                        self);