From 1dcdd1e8dd5feb0039776fdc7aeb7c90314a17ef Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Fri, 8 May 2020 09:12:33 +0200
Subject: [PATCH] device: use the nm-shared firewalld zone in shared mode

When the interface is in IPv4 or IPv6 shared mode and the user didn't specify an explicit zone, use the nm-shared one. Note that masquerade is still done through iptables direct calls because at the moment it is not possible for a firewalld zone to do masquerade based on the input interface. The firewalld zone is needed on systems where firewalld is using the nftables backend and the 'iptables' binary uses the iptables API (instead of the nftables one). On such systems, even if the traffic is allowed in iptables by our direct rules, it can still be dropped in nftables by firewalld.

(cherry picked from commit 3e2b723532a0fa390b533eccb72084adf3911c9c)
(cherry picked from commit 13438e041a1132218163876cded94dba934b999a)
---
 NEWS | 16 ++++++++++++++++
 src/devices/nm-device.c | 13 ++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index c1d5cb21a0..6cc58251d0 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,19 @@
+================================================
+NetworkManager-1.22.12
+Overview of changes since NetworkManager-1.22.10
+================================================
+
+This is a new stable release of NetworkManager. Notable changes include:
+
+* Add a new build option 'firewalld-zone'; when enabled,
+ NetworkManager installs a firewalld zone for connection sharing and
+ puts interfaces using IPv4 or IPv6 shared mode in this zone during
+ activation. The option is enabled by default.
+ Note that NetworkManager still calls to iptables to enable
+ masquerading and open needed ports for DHCP and DNS. The new option
+ is useful on systems using firewalld with the nftables backend,
+ where the iptables rules would not be sufficient.
+
 ===============================================
 NetworkManager-1.22.10
 Overview of changes since NetworkManager-1.22.8
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 1464776335..1a57f5c7ac 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -10805,6 +10805,7 @@ fw_change_zone (NMDevice *self)
 NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
 NMConnection *applied_connection;
 NMSettingConnection *s_con;
+ const char *zone;
 nm_assert (priv->fw_state >= FIREWALL_STATE_INITIALIZED);
@@ -10822,9 +10823,19 @@ fw_change_zone (NMDevice *self)
 if (G_UNLIKELY (!priv->fw_mgr))
 priv->fw_mgr = g_object_ref (nm_firewall_manager_get ());
+ zone = nm_setting_connection_get_zone (s_con);
+#if WITH_FIREWALLD_ZONE
+ if (!zone || zone[0] == '\0') {
+ if ( nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET),
+ NM_SETTING_IP4_CONFIG_METHOD_SHARED)
+ || nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET6),
+ NM_SETTING_IP6_CONFIG_METHOD_SHARED))
+ zone = "nm-shared";
+ }
+#endif
 priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_mgr,
 nm_device_get_ip_iface (self),
- nm_setting_connection_get_zone (s_con),
+ zone,
 FALSE, /* change zone */
 fw_change_zone_cb,
 self);
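Review bot: The `#if WITH_FIREWALLD_ZONE` block picks the `"nm-shared"` zone without any comment explaining why only an unset zone is overridden and why the direct iptables rules are still needed, so a later reader of fw_change_zone has to dig the rationale out of the commit message; a short why-comment above the `#if`, such as `/* No explicit zone: shared-mode interfaces go into the nm-shared zone so that firewalld's nftables backend does not drop what our direct iptables rules allow; masquerading is still set up through iptables. */`, would carry it into the source. The zone name is a bare string literal here and presumably also appears in the installed zone file, so defining it once as a named macro (name of your choosing, placed next to `WITH_FIREWALLD_ZONE`) would keep the two in step. If firewalld does not know the zone at runtime (zone file not installed or not reloaded), the add_or_change call will presumably fail for a connection that previously activated with no zone at all, so it is worth confirming that the error path in `fw_change_zone_cb` (outside this hunk) reports the zone name and that activation degrades the way the author intends. fw_change_zone starts before and ends after this hunk.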