Firewalld 2.0 Released With Faster Forwarding Performance Via NFTables Flowtable
The Firewalld open-source firewall daemon has been in development since 2011, and it reached its 1.0 milestone only two years ago. So a Firewalld 2.0 release today came as a bit of a surprise.
The version bump to Firewalld 2.0 is driven by a change that disallows zone drifting outright. Zone drifting was older, undocumented behaviour in which a packet matched by one zone could fall through to another zone (commonly the default zone acting as a catch-all), so that firewall policies could end up violating the rule that "packets ingress one and only one zone" and a second zone's rules applied to traffic the administrator had assigned elsewhere. The change is explained in this commit.
Firewalld 2.0 also adds support for the NFTables flowtable, a software fast-path that can significantly improve forwarding performance: with NftablesFlowtable enabled, iperf throughput through a forwarding host improved by around 59%. The fast path is off by default and is enabled per interface through the NftablesFlowtable option in firewalld.conf. One caveat for anyone relying on the forward path for inspection: once a connection has been offloaded to the flowtable its remaining packets bypass the regular forward chain, so rules, counters and logging there only see the first packets of each offloaded flow. More details on this feature via the Firewalld.org blog. Firewalld 2.0 also adds a new zone priorities feature, which decides which zone handles a packet when more than one zone could claim it, set with the same --set-priority option already used for policies.
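Since the flowtable is switched on per interface in firewalld.conf rather than through firewall-cmd, the change is usually made by configuration management. The script below is an added example, not firewalld project code: it sets or clears the NftablesFlowtable key idempotently on a constructed sample config, reads back the effective value, and shows how to apply and verify the change on a live host. It assumes the firewalld 2.0 semantics of the key (a space-separated interface list, or "off"); the function names, the sample config text and the temporary-file handling are this example's own.

```shell
#!/bin/sh
# Added example, not firewalld project code. Manages the NftablesFlowtable key in
# firewalld.conf (firewalld >= 2.0: a space-separated interface list, or "off",
# the shipped default) so the change can be scripted and verified.
set -eu

# Rewrite CONF so that exactly one active "NftablesFlowtable=<ifaces>" line remains.
# The first key line (active or commented out) is replaced, later active copies are
# dropped, and a key is appended if none exists. Fails on an empty interface list;
# pass "off" to disable the fast path explicitly.
set_flowtable_ifaces() {
    conf=$1
    ifaces=$2
    [ -n "$ifaces" ] || { echo "set_flowtable_ifaces: empty interface list" >&2; return 1; }
    tmp="$conf.tmp.$$"
    awk -v val="$ifaces" '
        /^[#[:space:]]*NftablesFlowtable[[:space:]]*=/ {
            if (!done) { print "NftablesFlowtable=" val; done = 1; next }
            if ($0 !~ /^[[:space:]]*#/) next   # drop a later active duplicate
        }
        { print }
        END { if (!done) print "NftablesFlowtable=" val }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the effective value: the last active key wins, as in any key=value file,
# and an absent key reads as the default "off".
get_flowtable_ifaces() {
    awk -F= '
        /^[[:space:]]*NftablesFlowtable[[:space:]]*=/ {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        }
        END { print (v == "" ? "off" : v) }
    ' "$1"
}

# Apply an edited /etc/firewalld/firewalld.conf on a live host and list the
# resulting nftables flowtables. Does nothing where firewalld is not installed.
apply_flowtable_change() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; nothing applied" >&2
        return 0
    fi
    firewall-cmd --reload
    if command -v nft >/dev/null 2>&1; then
        nft list flowtables
    fi
}

# Constructed sample of a firewalld.conf fragment for the demo (not a real host file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# firewalld config file
DefaultZone=public
# NftablesFlowtable: space separated interface list, or "off"
NftablesFlowtable=off
LogDenied=off
EOF
}

# Demo on a temporary copy: enable the fast path for two interfaces, then disable it.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
set_flowtable_ifaces "$demo_conf" "eth0 eth1"
echo "after enable:  $(get_flowtable_ifaces "$demo_conf")"
set_flowtable_ifaces "$demo_conf" "off"
echo "after disable: $(get_flowtable_ifaces "$demo_conf")"
rm -f "$demo_conf"
```

On a real host, run set_flowtable_ifaces against /etc/firewalld/firewalld.conf and then apply_flowtable_change; nft list flowtables is the quick check that firewalld actually created a flowtable for the interfaces you named. Only list interfaces whose forwarded traffic you are happy to have skip the forward chain after the first packets of each connection.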
Firewalld 2.0 also removes the tftp-client service. It was meant to let a host reach Trivial File Transfer Protocol servers, but according to the release notes the service "never actually worked" when added to a zone. TFTP users are instead advised to create a policy for traffic leaving the host itself (ingress zone HOST, egress zone ANY) that allows the tftp service, followed by a firewall-cmd --reload to activate the permanent configuration:
# firewall-cmd --permanent --new-policy hostTftpTraffic
# firewall-cmd --permanent --policy hostTftpTraffic --add-ingress-zone HOST
# firewall-cmd --permanent --policy hostTftpTraffic --add-egress-zone ANY
# firewall-cmd --permanent --policy hostTftpTraffic --add-service tftp
Firewalld 2.0 also adds support for service files to handle firewall configurations for many games ranging from Anno 1800 to 0 A.D. to Minecraft, Stellaris, SuperTuxKart, and many others. There are also service files added for the Zabbix Java Gateway, Zabbix Web Service, OpenTelemetry, and others.
Downloads and more details on Firewalld 2.0 via GitHub.