diff --git a/NEWS b/NEWS
index 2b87553835..c63f24581a 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,14 @@ The API is subject to change and not guaranteed to be compatible with the later release. USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE!
+* Add a new build option 'firewalld-zone'; when enabled,
+ NetworkManager installs a firewalld zone for connection sharing and
+ puts interfaces using IPv4 or IPv6 shared mode in this zone during
+ activation. The option is enabled by default.
+ Note that NetworkManager still calls to iptables to enable
+ masquerading and open needed ports for DHCP and DNS. The new option
+ is useful on systems using firewalld with the nftables backend,
+ where the iptables rules would not be sufficient.
 * Add MUD URL property for connection profiles (RFC 8520) and set it for DHCP and DHCPv6 requests.
 * IPv6 SLAAC: improved the reaction of IPv6 SLAAC to renumbering events:
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index de72b1d15a..66eea16ce4 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -11156,6 +11156,7 @@ fw_change_zone (NMDevice *self)
 NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
 NMConnection *applied_connection;
 NMSettingConnection *s_con;
+ const char *zone;
 nm_assert (priv->fw_state >= FIREWALL_STATE_INITIALIZED);
@@ -11173,9 +11174,19 @@ fw_change_zone (NMDevice *self)
 if (G_UNLIKELY (!priv->fw_mgr))
 priv->fw_mgr = g_object_ref (nm_firewall_manager_get ());
+ zone = nm_setting_connection_get_zone (s_con);
+#if WITH_FIREWALLD_ZONE
+ if (!zone || zone[0] == '\0') {
+ if ( nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET),
+ NM_SETTING_IP4_CONFIG_METHOD_SHARED)
+ || nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET6),
+ NM_SETTING_IP6_CONFIG_METHOD_SHARED))
+ zone = "nm-shared";
+ }
+#endif
 priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_mgr,
 nm_device_get_ip_iface (self),
- nm_setting_connection_get_zone (s_con),
+ zone,
 FALSE, /* change zone */
 fw_change_zone_cb,
 self);
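Review bot: The fallback to `"nm-shared"` silently changes which firewalld zone — and therefore which filtering and forwarding policy — an interface receives whenever a shared-mode profile leaves `connection.zone` empty, and nothing on the new lines records that or that an explicitly configured zone still wins; a comment above the `#if`, e.g. `/* A shared-mode profile with no explicit zone is placed in the zone NM installs for connection sharing; an explicit zone always takes precedence. */`, would make the precedence clear to the next reader. The literal `"nm-shared"` names an installed artefact and is easy to let drift from the zone file shipped by the build, so a single named macro shared with the installation side would be safer than a bare string here. Logging the chosen zone at debug level when the fallback applies would make it possible to tell from the journal why an interface ended up in that zone rather than the firewalld default. The shared-method check is evaluated only at this point, so if the effective IP method can change after activation the zone would presumably not follow it — worth confirming. fw_change_zone's body starts outside the hunk.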