commit 302d7f28fb9c09d624e34d9b9966a7d2974bbd3a Author: Jiri Popelka Date: Thu Aug 14 14:44:13 2014 +0200 man: '--permanent --add-interface' vs. ZONE= in ifcfg (RHBZ#1128563) diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml index 44f6799..dabb9a4 100644 --- a/doc/xml/firewall-cmd.xml +++ b/doc/xml/firewall-cmd.xml @@ -648,8 +648,10 @@ Bind interface interface to zone zone. If zone is omitted, default zone will be used. - As a end user you don't need this in most cases, because NetworkManager adds interfaces into zones automatically. - For permanent association of interface with a zone, see 'How to set or change a zone for a connection?' in firewalld.zones5. + As a end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to option from ifcfg-interface file). + You should do it only if there's no /etc/sysconfig/network-scripts/ifcfg-interface file. + If there is such file and you add interface to zone with this option, make sure the zone is the same in both cases, otherwise the behaviour would be undefined. + For permanent association of interface with a zone, see also 'How to set or change a zone for a connection?' in firewalld.zones5. diff --git a/doc/xml/firewalld.xml b/doc/xml/firewalld.xml index 4ccf4e3..24d7541 100644 --- a/doc/xml/firewalld.xml +++ b/doc/xml/firewalld.xml 
@@ -123,7 +123,12 @@ firewalld provides support for zones, predefined services and ICMP types and has a separation of runtime and permanent configuration options. Permanent configuration is loaded from XML files in /usr/lib/firewalld or /etc/firewalld (see ). - If NetworkManager is not used, there are some limitations: firewalld will not get notified about network device renames. If firewalld gets started after the network is already up, the connections are not bound to a zone. Manually created interfaces are not bound to a zone. Please add them to a zone with firewall-cmd --zone=zone --add-interface=interface. + If NetworkManager is not used, there are some limitations: firewalld will not get notified about network device renames. + If firewalld gets started after the network is already up, the connections and manually created interfaces are not bound to a zone. + You can add them to a zone with firewall-cmd [--permanent] --zone=zone --add-interface=interface, + but make sure that if there's a /etc/sysconfig/network-scripts/ifcfg-interface, + the zone specified there with ZONE=zone + is the same (or both are empty/missing for default zone), otherwise the behaviour would be undefined. commit f0d25a618c26dc47c552e63ac7d7c9a2c57151b7 Author: Thomas Woerner Date: Tue Jul 7 10:32:31 2015 +0200 man: Interface handling with and without NetworkManager (RHBZ#1122739 RHBZ#1128563) diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml index 74c9e1c..8603ca8 100644 --- a/doc/xml/firewall-cmd.xml +++ b/doc/xml/firewall-cmd.xml 
@@ -660,9 +660,10 @@ Bind interface interface to zone zone. If zone is omitted, default zone will be used. - As a end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to option from ifcfg-interface file). + As a end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to option from ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do it only if there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If there is such file and you add interface to zone with this option, make sure the zone is the same in both cases, otherwise the behaviour would be undefined. + Please also have a look at the firewalld1 man page in the Concepts section. For permanent association of interface with a zone, see also 'How to set or change a zone for a connection?' in firewalld.zones5. diff --git a/doc/xml/firewalld.xml b/doc/xml/firewalld.xml index df26ff7..ee16cd0 100644 --- a/doc/xml/firewalld.xml +++ b/doc/xml/firewalld.xml 
@@ -123,13 +123,24 @@ firewalld provides support for zones, predefined services and ICMP types and has a separation of runtime and permanent configuration options. Permanent configuration is loaded from XML files in /usr/lib/firewalld or /etc/firewalld (see ). - If NetworkManager is not used, there are some limitations: firewalld will not get notified about network device renames. - If firewalld gets started after the network is already up, the connections and manually created interfaces are not bound to a zone. - You can add them to a zone with firewall-cmd [--permanent] --zone=zone --add-interface=interface, + If NetworkManager is not in use and firewalld gets started after the network is already up, the connections and manually created interfaces are not bound to the zone specified in the ifcfg file. + The interfaces will automatically be handled by the default zone. + firewalld will also not get notified about network device renames. + All this also applies to interfaces that are not controlled by NetworkManager if NM_CONTROLLED=no is set. + + + You can add these interfaces to a zone with firewall-cmd [--permanent] --zone=zone --add-interface=interface, but make sure that if there's a /etc/sysconfig/network-scripts/ifcfg-interface, the zone specified there with ZONE=zone is the same (or both are empty/missing for default zone), otherwise the behaviour would be undefined. + + If firewalld gets reloaded, it will restore the interface bindings that were in place before reloading to keep interface bindings stable in the case of NetworkManager uncontrolled interfaces. + This mechanism is not possible in the case of a firewalld service restart. + + + It is essential to keep the ZONE= setting in the ifcfg file consistent to the binding in firewalld in the case of NetworkManager uncontrolled interfaces. + Zones
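Review bot: in the firewall-cmd.xml hunk of commit 302d7f28 (@@ -648), the rewritten line keeps the article error "As a end user" (should be "As an end user"), and "If there is such file" should be "If there is such a file"; since the line is being replaced anyway, fix both here. The phrase "according to option from ifcfg-interface file" names no option, although the commit title says exactly which one; write "according to the ZONE= option in the ifcfg-interface file". Finally, "otherwise the behaviour would be undefined" leaves the reader without a way to tell which zone an interface actually ended up in, which matters because that zone's services and rules are what the interface is exposed to; either state which binding takes precedence or add that the effective binding can be checked with firewall-cmd --get-zone-of-interface=interface.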
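Review bot: in the firewalld.xml hunk of commit 302d7f28 (@@ -123,7), the old text was an instruction ("Please add them to a zone") and the new text makes it optional ("You can add them to a zone"), but the sentence never says what happens if the administrator does not; add the consequence of leaving an interface unbound so the reader can judge whether to act. The condition "is the same (or both are empty/missing for default zone)" reads awkwardly; suggest "is the same, or neither specifies a zone so that both fall back to the default zone". Also "if there's a /etc/sysconfig/network-scripts/ifcfg-interface," is missing the noun: "if there is a /etc/sysconfig/network-scripts/ifcfg-interface file,".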
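Review bot: in the firewall-cmd.xml hunk of commit f0d25a6 (@@ -660), the added clause "if NM_CONTROLLED=no is not set" is a double negative; "unless NM_CONTROLLED=no is set" says the same thing more clearly. More importantly, the sentence states that "NetworkManager (or legacy network service) adds interfaces into zones automatically", while the firewalld.xml hunk in the same commit says interfaces with NM_CONTROLLED=no are not bound to the zone from the ifcfg file at all; the two man pages should agree on whether the legacy network service performs the binding, otherwise an administrator reading only firewall-cmd(1) will assume a ZONE= setting is honoured when it is not. The line is rewritten here as well, so this is also the place to fix "As a end user" to "As an end user".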
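Review bot: in the firewalld.xml hunk of commit f0d25a6 (@@ -123,13), "The interfaces will automatically be handled by the default zone." states the fallback but not its effect: until the interface is bound explicitly, traffic on it is governed by the default zone's rule set rather than the one configured in the ifcfg file, which may be more or less permissive than intended; one sentence saying so, plus a hint to verify with firewall-cmd --get-active-zones after firewalld starts, would make the paragraph actionable. The reload/restart paragraph says "This mechanism is not possible in the case of a firewalld service restart." without spelling out the result; add that after a restart the runtime bindings of NetworkManager-uncontrolled interfaces are gone and those interfaces fall back to the default zone unless a --permanent binding exists, which also explains why the [--permanent] option is mentioned above. Grammar: "consistent to the binding" should be "consistent with the binding", and "NetworkManager uncontrolled interfaces" reads better hyphenated as "NetworkManager-uncontrolled interfaces".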