firewalld: rebase firewalld.conf to firewalld 2.3.0-1

roles/firewalld/templates/firewalld.conf.j2

@@ -18,22 +18,28 @@ CleanupOnExit=yes
 # Default: no
 CleanupModulesOnExit=no
 
-# Lockdown
-# If set to enabled, firewall changes with the D-Bus interface will be limited
-# to applications that are listed in the lockdown whitelist.
-# The lockdown whitelist file is lockdown-whitelist.xml
-# Default: no
-Lockdown=no
-
 # IPv6_rpfilter
-# Performs a reverse path filter test on a packet for IPv6. If a reply to the
-# packet would be sent via the same interface that the packet arrived on, the
-# packet will match and be accepted, otherwise dropped.
+# Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704.
+# Possible values:
+#   - strict: Performs "strict" filtering as per RFC 3704. This check
+#             verifies that the in ingress interface is the same interface
+#             that would be used to send a packet reply to the source. That
+#             is, ingress == egress.      
+#   - loose: Performs "loose" filtering as per RFC 3704. This check only
+#            verifies that there is a route back to the source through any
+#            interface; even if it's not the same one on which the packet
+#            arrived.
+#   - strict-forward: This is almost identical to "strict", but does not perform
+#                     RPF for packets targeted to the host (INPUT).
+#   - loose-forward: This is almost identical to "loose", but does not perform
+#                    RPF for packets targeted to the host (INPUT).
+#   - no: RPF is completely disabled.
+#
 # The rp_filter for IPv4 is controlled using sysctl.
 # Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
 # for details.
-# Default: yes
-IPv6_rpfilter=yes
+# Default: strict
+IPv6_rpfilter=strict
 
 # IndividualCalls
 # Do not use combined -restore calls, but individual calls. This increases the
@@ -81,6 +87,16 @@ ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
 # Defaults to "yes".
 RFC3964_IPv4=yes
 
+# StrictForwardPorts
+# If set to yes, the generated destination NAT (DNAT) rules will NOT accept
+# traffic that was DNAT'd by other entities, e.g. docker. Firewalld will be
+# strict and not allow published container ports until they're explicitly
+# allowed via firewalld.
+# If set to no, then docker (and podman) integrates seamlessly with firewalld.
+# Published container ports are implicitly allowed.
+# Defaults to "no".
+StrictForwardPorts=no
+
 # NftablesFlowtable
 # This may improve forwarded traffic throughput by enabling nftables flowtable.
 # It is a software fastpath and avoids calling nftables rule evaluation for
@@ -95,3 +111,11 @@ NftablesFlowtable=off
 # debugging and comes with a small performance cost.
 # Defaults to "no".
 NftablesCounters=no
+
+# NftablesTableOwner
+# If set to yes, the generated nftables rule set will be owned exclusively by
+# firewalld. This prevents other entities from mistakenly (or maliciously)
+# modifying firewalld's rule set. If you intentionally modify firewalld's
+# rules, then you will have to set this to "no".
+# Defaults to "yes".
+NftablesTableOwner=yes