Summary
Key changes in this release:
- Rich rules on firewalld: The `firewall_rule` resource now creates rich rules on firewalld platforms instead of using the deprecated `--direct` interface.
- Flexible firewall selection: The cookbook now uses the `default['firewall']['solution']` attribute to determine the firewall solution to use instead of a hardcoded assignment for each platform. It defaults to the platform's native firewall (the same as the previous hardcoded values).
- Firewalld 2.0.0: Platforms using firewalld 2.0.0 and later, such as RHEL 10 and Ubuntu 24.04, are now supported.
Upgrade Instructions
This release introduces breaking changes. To upgrade to this release:
- Migrate usages of the `disabled` property on `firewall` resources to the `enabled` property instead.
- Migrate usages of `default['firewall']['firewalld']` attributes to `firewalld_zone` resources.
- Remove usages of the `:save` action from `firewall_rule` resources. Rules are now always saved permanently.
- Remove usages of the `permanent` property on `firewall_rule` resources. Rules are now always saved permanently.
- Remove usages of the `disabled_zone` and `enabled_zone` properties on `firewall` resources. Use the `firewalld_zone` resource to manage firewalld zone configuration.
- Replace usages of the `firewall::firewalld` recipe with `firewall::default`.
- Replace usages of the attributes `default['firewall']['ubuntu_iptables']` and `default['firewall']['redhat7_iptables']` with `default['firewall']['solution']`.
Added
- Support for firewalld 2.0.0 and the platforms that use it: RHEL 10 and Ubuntu 24.04.
- `priority`, `ingress_priority`, and `egress_priority` properties added to `firewalld_zone`.
- Added `firewalld_rich_rule` resource for adding/removing rich rules to/from firewalld zones.
- Support for IPv6 rules on firewalld platforms.
- Support for using any compatible firewall solution on any platform. Defaults to the operating system's default firewall solution.
Changed
- Ensure the `firewalld` service remains enabled and started when installed.
- `firewall_rule` resource now creates rich rules on firewalld platforms instead of using the deprecated `--direct` firewalld interface.
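To make the rich-rule change concrete, here is an added illustration (not the cookbook's own code) of how a `firewall_rule`'s properties map onto a firewalld rich rule versus the deprecated `--direct` iptables passthrough. The helper names (`rich_rule`, `direct_args`, `firewall_cmd_lines`) and the exact translation are assumptions; only the property names (`port`, `protocol`, `source`, `command`) mirror the resource.

```ruby
# Added illustration, not the firewall cookbook's code: the translation below is
# assumed, the rich-rule and --direct syntaxes are firewalld's own.
ACTIONS = { allow: 'accept', deny: 'drop', reject: 'reject' }.freeze

# Build the string firewalld expects after --add-rich-rule. Rich rules belong to a
# zone, which is why the old --direct passthrough could never take --zone.
def rich_rule(port:, protocol: 'tcp', source: nil, command: :allow, family: 'ipv4')
  action = ACTIONS.fetch(command) { raise ArgumentError, "unknown command #{command}" }
  raise ArgumentError, 'family must be ipv4 or ipv6' unless %w[ipv4 ipv6].include?(family)

  parts = [%(rule family="#{family}")]
  parts << %(source address="#{source}") if source
  parts << %(port port="#{port}" protocol="#{protocol}")
  parts << action
  parts.join(' ')
end

# Argument vector for the deprecated --direct interface the previous release used:
# a raw iptables rule in the filter/INPUT chain, not attached to any zone.
def direct_args(port:, protocol: 'tcp', source: nil, command: :allow, family: 'ipv4')
  target = ACTIONS.fetch(command).upcase # ACCEPT / DROP / REJECT
  args = ['--direct', '--add-rule', family, 'filter', 'INPUT', '0']
  args += ['-s', source] if source
  args + ['-p', protocol, '--dport', port.to_s, '-j', target]
end

# "Rules are now always saved permanently": the same rich rule is added to the
# permanent configuration and to the running one, so no separate :save step remains.
def firewall_cmd_lines(zone:, **rule)
  rr = rich_rule(**rule)
  ["firewall-cmd --permanent --zone=#{zone} --add-rich-rule='#{rr}'",
   "firewall-cmd --zone=#{zone} --add-rich-rule='#{rr}'"]
end

if __FILE__ == $PROGRAM_NAME
  puts firewall_cmd_lines(zone: 'public', port: 22, source: '10.0.0.0/8')
  # IPv6 rules only differ in the family keyword (constructed sample prefix).
  puts firewall_cmd_lines(zone: 'public', port: 443, family: 'ipv6', source: '2001:db8::/32')
  puts 'firewall-cmd ' + direct_args(port: 22, source: '10.0.0.0/8').join(' ')
end
```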
Fixed
- Fixed: `firewall_rule` resource fails with a `--zone is an invalid option with --direct` error on firewalld.
- Fixed: New zones created by `firewalld_zone` unexpectedly have forwarding enabled by default.
- Fixed: `firewalld_*` resources ignore properties whose value is `false`.
- Fixed: `firewalld_*` resources were not idempotent when using the `ports`, `source_ports`, and `rich_rules` properties.
- Fixed: `ufw` provider doesn't ensure the `ufw` service is enabled.
Removed
- Removed deprecated `disabled` property from `firewall` resource.
- Removed all `default['firewall']['firewalld']` attributes. Use the `firewalld_zone` resource to manage firewalld zone configuration.
- Removed firewalld action `:save` from `firewall` resource. Firewalld rules are now always added permanently.
- Removed firewalld property `permanent` from `firewall_rule` resource. Firewalld rules are now always added permanently.
- Removed properties `disabled_zone` and `enabled_zone` from `firewall` resource. Use the `firewalld_zone` resource to manage firewalld zone configuration.
- Removed recipe `firewall::firewalld`. Its functionality has been merged into the `firewall::default` recipe.
- Removed attributes `default['firewall']['ubuntu_iptables']` and `default['firewall']['redhat7_iptables']`. Use the new `default['firewall']['solution']` attribute to set the desired firewall solution.