From d507c1cfd3c52207d49e796459c348b1c76f61c0 Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@archlinux.org>
Date: Sat, 3 Jul 2021 14:43:19 +0200
Subject: [PATCH] Update firewalld configuration

Update the firewalld configuration as of 0.9.4.
MinimalMark/AutomaticHelpers options are deprecated and ignored. New
options added.
---
 roles/firewalld/templates/firewalld.conf.j2 | 45 +++++++++++++--------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/roles/firewalld/templates/firewalld.conf.j2 b/roles/firewalld/templates/firewalld.conf.j2
index b53c0aa50..127422210 100644
--- a/roles/firewalld/templates/firewalld.conf.j2
+++ b/roles/firewalld/templates/firewalld.conf.j2
@@ -5,12 +5,6 @@
 # Default: public
 DefaultZone=public
 
-# Minimal mark
-# Marks up to this minimum are free for use for example in the direct 
-# interface. If more free marks are needed, increase the minimum
-# Default: 100
-MinimalMark=100
-
 # Clean up on exit
 # If set to no or false the firewall configuration will not get cleaned up
 # on exit or stop of firewalld
@@ -26,7 +20,7 @@ Lockdown=no
 
 # IPv6_rpfilter
 # Performs a reverse path filter test on a packet for IPv6. If a reply to the
-# packet would be sent via the same interface that the packet arrived on, the 
+# packet would be sent via the same interface that the packet arrived on, the
 # packet will match and be accepted, otherwise dropped.
 # The rp_filter for IPv4 is controlled using sysctl.
 # Default: yes
@@ -46,19 +40,36 @@ IndividualCalls=no
 # Default: off
 LogDenied=off
 
-# AutomaticHelpers
-# For the secure use of iptables and connection tracking helpers it is
-# recommended to turn AutomaticHelpers off. But this might have side effects on
-# other services using the netfilter helpers as the sysctl setting in
-# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
-# With the system setting, the default value set in the kernel or with sysctl
-# will be used. Possible values are: yes, no and system.
-# Default: system
-AutomaticHelpers=system
-
 # FirewallBackend
 # Selects the firewall backend implementation.
 # Choices are:
 #	- nftables (default)
 #	- iptables (iptables, ip6tables, ebtables and ipset)
 FirewallBackend=nftables
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+FlushAllOnReload=yes
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+# correspond to IPv4 addresses that should not be routed over the public
+# internet.
+# Defaults to "yes".
+RFC3964_IPv4=yes
+
+# AllowZoneDrifting
+# Older versions of firewalld had undocumented behavior known as "zone
+# drifting". This allowed packets to ingress multiple zones - this is a
+# violation of zone based firewalls. However, some users rely on this behavior
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
+# desire such behavior. It's disabled by default for security reasons.
+# Note: If "yes" packets will only drift from source based zones to interface
+# based zones (including the default zone). Packets never drift from interface
+# based zones to other interfaces based zones (including the default zone).
+# Possible values; "yes", "no". Defaults to "no".
+AllowZoneDrifting=no
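Review bot: The commit message pins this template to firewalld 0.9.4, but the file itself carries no record of which upstream firewalld.conf it mirrors, so the next round of deprecations (like the MinimalMark/AutomaticHelpers removals in this and the first hunk) will again have to be discovered by hand. I would add a header comment at the top of the template (outside this hunk), e.g. `# Mirrors firewalld.conf as shipped with firewalld 0.9.4 - re-diff against upstream on version bumps`. Dropping AutomaticHelpers also means conntrack helper assignment is no longer steered by firewalld on these hosts; if any service previously depended on `AutomaticHelpers=system`, it is now governed solely by the kernel/sysctl default, which is worth confirming on a deployed host. The new security-relevant defaults (`AllowZoneDrifting=no`, `FlushAllOnReload=yes`, `RFC3964_IPv4=yes`) match upstream's hardened defaults and look right as written.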
-- 
GitLab