device: use the nm-shared firewalld zone in shared mode

When the interface is in IPv4 or IPv6 shared mode and the user didn't specify an explicit zone, use the nm-shared one. Note that masquerade is still done through iptables direct calls because at the moment it is not possible for a firewalld zone to do masquerade based on the input interface. The firewalld zone is needed on systems where firewalld is using the nftables backend and the 'iptables' binary uses the iptables API (instead of the nftables one). On such systems, even if the traffic is allowed in iptables by our direct rules, it can still be dropped in nftables by firewalld.
2026-01-04 19:10:17 +01:00 · 2020-05-08 09:12:33 +02:00 · 2020-05-08 09:12:33 +02:00 · 3e2b723532
commit 3e2b723532
parent c8b5bf402d
2 changed files with 20 additions and 1 deletions
--- a/8
+++ b/8
@ -8,6 +8,14 @@ The API is subject to change and not guaranteed to be compatible
 with the later release.
 USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!

+* Add a new build option 'firewalld-zone'; when enabled,
+  NetworkManager installs a firewalld zone for connection sharing and
+  puts interfaces using IPv4 or IPv6 shared mode in this zone during
+  activation. The option is enabled by default.
+  Note that NetworkManager still calls to iptables to enable
+  masquerading and open needed ports for DHCP and DNS. The new option
+  is useful on systems using firewalld with the nftables backend,
+  where the iptables rules would not be sufficient.
 * Add MUD URL property for connection profiles (RFC 8520) and set it
  for DHCP and DHCPv6 requests.
 * IPv6 SLAAC: improved the reaction of IPv6 SLAAC to renumbering events:
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@ -11156,6 +11156,7 @@ fw_change_zone (NMDevice *self)
 	NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
 	NMConnection *applied_connection;
 	NMSettingConnection *s_con;
+	const char *zone;

 	nm_assert (priv->fw_state >= FIREWALL_STATE_INITIALIZED);

@ -11173,9 +11174,19 @@ fw_change_zone (NMDevice *self)
 	if (G_UNLIKELY (!priv->fw_mgr))
 		priv->fw_mgr = g_object_ref (nm_firewall_manager_get ());

+	zone = nm_setting_connection_get_zone (s_con);
+#if WITH_FIREWALLD_ZONE
+	if (!zone || zone[0] == '\0') {
+		if (   nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET),
+		                  NM_SETTING_IP4_CONFIG_METHOD_SHARED)
+		    || nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET6),
+		                  NM_SETTING_IP6_CONFIG_METHOD_SHARED))
+			zone = "nm-shared";
+	}
+#endif
 	priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_mgr,
 	                                                        nm_device_get_ip_iface (self),
-	                                                        nm_setting_connection_get_zone (s_con),
+	                                                        zone,
 	                                                        FALSE, /* change zone */
 	                                                        fw_change_zone_cb,
 	                                                        self);