diff options
| author | Bill Nottingham <notting@redhat.com> | 2012-03-13 17:26:07 -0400 |
|---|---|---|
| committer | Bill Nottingham <notting@redhat.com> | 2012-03-13 17:26:07 -0400 |
| commit | bf931d4f660af978eef8652ad275fcb7bab0e749 (patch) | |
| tree | 2a27b1d35d6bcbcef57156bbd5d57eda4c868a8f | |
| parent | 9ff2a34af83f786802644b69794ce01fe0dfb0d9 (diff) | |
| download | initscripts-bf931d4f660af978eef8652ad275fcb7bab0e749.tar initscripts-bf931d4f660af978eef8652ad275fcb7bab0e749.tar.gz initscripts-bf931d4f660af978eef8652ad275fcb7bab0e749.tar.bz2 initscripts-bf931d4f660af978eef8652ad275fcb7bab0e749.tar.xz initscripts-bf931d4f660af978eef8652ad275fcb7bab0e749.zip | |
Add support for firewalld zones. (#802415, from <jpopelka@redhat.com>)
ZONE in an ifcfg file describes the zone an interface should belong to.
Zones can be configured in the firewalld configuration file.
When interfaces are brought up, tell firewalld, if running, to add them
to the proper zone. Similarly, remove them when they're brought down.
Modified from a patch from Jiri Popelka.
| -rw-r--r-- | sysconfig.txt | 4 | ||||
| -rwxr-xr-x | sysconfig/network-scripts/ifdown-post | 5 | ||||
| -rwxr-xr-x | sysconfig/network-scripts/ifup-post | 5 |
3 files changed, 14 insertions, 0 deletions
diff --git a/sysconfig.txt b/sysconfig.txt index 3e135d3f..a64bb59b 100644 --- a/sysconfig.txt +++ b/sysconfig.txt @@ -606,6 +606,10 @@ Files in /etc/sysconfig/network-scripts/ NM_CONTROLLED=yes|no If set to 'no', NetworkManager will ignore this connection/device. Defaults to 'yes'. + ZONE= + Network zone (trust level) of this connection. + If not set, default zone (specified in /etc/firewalld/firewalld.conf) + is used. To see all available zones, run 'firewall-cmd --get-zones'. For dynamic addressing (BOOTPROTO=dhcp) only DEVICE needs to be set; all the rest will be determined by the boot protocol. diff --git a/sysconfig/network-scripts/ifdown-post b/sysconfig/network-scripts/ifdown-post index 0a1b938a..d37b59da 100755 --- a/sysconfig/network-scripts/ifdown-post +++ b/sysconfig/network-scripts/ifdown-post @@ -46,6 +46,11 @@ if ! check_default_route ; then fi fi +# Inform firewall +if [ -x /usr/bin/firewall-cmd -a "${REALDEVICE}" != "lo" ]; then + /usr/bin/firewall-cmd --remove --interface=${DEVICE} > /dev/null 2>&1 +fi + # Notify programs that have requested notification do_netreport diff --git a/sysconfig/network-scripts/ifup-post b/sysconfig/network-scripts/ifup-post index 29af56b7..fec96c88 100755 --- a/sysconfig/network-scripts/ifup-post +++ b/sysconfig/network-scripts/ifup-post @@ -93,6 +93,11 @@ if [ "$2" = "boot" -a \ fi fi +# Inform firewall which network zone (empty means default) this interface belongs to +if [ -x /usr/bin/firewall-cmd -a "${REALDEVICE}" != "lo" ]; then + /usr/bin/firewall-cmd --zone=${ZONE} --change --interface=${DEVICE} > /dev/null 2>&1 +fi + # Notify programs that have requested notification do_netreport |