README for firewalld
====================

firewalld provides a dynamically managed firewall with support for network or
firewall zones to define the trust level of network connections or interfaces.
It supports IPv4 and IPv6 firewall settings, ethernet bridges, and a
separation of runtime and permanent configuration options. It also provides an
interface for services or applications to add ip*tables and ebtables rules
directly.


Development
-----------
To check out the source repository, you can use:

    git clone https://github.com/firewalld/firewalld.git

This will create a local copy of the repository.

Language Translations
---------------------
Firewalld uses GNU gettext for localization support. Translations can be done
using Fedora's Weblate instance [1]. Translations are periodically merged into
the main firewalld repository.

[1] https://translate.stg.fedoraproject.org/projects/firewalld/

Working With The Source Repository
----------------------------------
Install the following requirements or packages:

    desktop-file-utils: /usr/bin/desktop-file-install
    gettext
    intltool
    glib2: /usr/bin/glib-compile-schemas
    glib2-devel: /usr/share/aclocal/gsettings.m4
    systemd-units
    iptables
    ebtables
    ipset

For use with Python 3:

    python3-dbus
    python3-slip-dbus
    python3-decorator
    python3-gobject
    python3-nftables (nftables >= 0.9.3)

For use with Python 2:

    dbus-python
    python-slip-dbus (http://fedorahosted.org/python-slip)
    python-decorator
    pygobject3-base (non-cairo parts of pygobject3)
    python-nftables (nftables >= 0.9.3)

To be able to create man pages and documentation from docbook files:

    docbook-style-xsl
    libxslt

Use the usual autoconf/automake incantation to generate makefiles:

    ./autogen.sh
    ./configure

You can use a specific python interpreter by passing the PYTHON variable. This
is also used by the testsuite.

    ./configure PYTHON=/path/to/python3

Use

    make

to create the documentation and to update the po files.

Use

    make check

to run the testsuite. Tests are run inside network namespaces and do not
interfere with the host's running firewalld. They can also be run in parallel
by passing flags to autotest.

    make check TESTSUITEFLAGS="-j4"

The testsuite also uses keywords to allow running a subset of tests that
exercise a specific area.
For example:

    make check TESTSUITEFLAGS="-k rich -j4"
    24: rich rules audit ok
    25: rich rules priority ok
    26: rich rules bad ok
    53: rich rules audit ok
    23: rich rules good ok
    55: rich rules bad ok
    74: remove forward-port after reload ok

You can get a list of tests and keywords:

    make -C src/tests check TESTSUITEFLAGS="-l"

Or just the keywords:

    make -C src/tests check TESTSUITEFLAGS="-l" \
    |awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
    |tr ' ' '\n' |sort |uniq

There are integration tests. Currently this includes NetworkManager. These may
be _destructive_ to the host. Run them in a disposable VM or container.

    make check-integration

There is also a check-container target that will run the testsuite inside
various podman/docker containers. This is useful for coverage of multiple
distributions. It also runs tests that may be destructive to the host such as
integration tests.

    make check-container TESTSUITEFLAGS="-j4"

RPM package
-----------

For Fedora and RHEL based distributions, there is a spec file in the source
repo named firewalld.spec. This should be usable for Fedora versions >= 16 and
RHEL >= 7.


Links
-----
Homepage: http://firewalld.org
Report a bug: https://github.com/firewalld/firewalld/issues
Git repo browser: https://github.com/firewalld/firewalld
Git repo: https://github.com/firewalld/firewalld.git
Documentation: http://firewalld.org/documentation/


Mailing lists
-------------
For usage: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org/
For development: https://lists.fedorahosted.org/archives/list/firewalld-devel@lists.fedorahosted.org/


Directory Structure
-------------------
config/                 Configuration files
config/icmptypes/       Predefined ICMP types
config/services/        Predefined services
config/zones/           Predefined zones
config/ipsets/          Predefined ipsets
doc/                    Documentation
doc/man/                Base directory for man pages
doc/man/man1/           Man(1) pages
doc/man/man5/           Man(5) pages
po/                     Translations
shell-completion/       Base directory for auto completion scripts
src/                    Source tree
src/firewall/           Import tree for the service and all applications
src/icons/              Icons in the sizes: 16, 22, 24, 32, 48 and scalable
src/tests/              Testsuite