diff --git a/firewalld/files/firewalld.conf b/firewalld/files/firewalld.conf
index c989717..2e209cd 100644
--- a/firewalld/files/firewalld.conf
+++ b/firewalld/files/firewalld.conf
@@ -95,3 +95,18 @@ FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
 # Defaults to "yes".
 RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
 {%- endif %}
+{%- if firewalld.get('AllowZoneDrifting', False) %}
+
+# AllowZoneDrifting
+# Older versions of firewalld had undocumented behavior known as "zone
+# drifting". This allowed packets to ingress multiple zones - this is a
+# violation of zone based firewalls. However, some users rely on this behavior
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
+# desire such behavior. It's disabled by default for security reasons. Note: If
+# "yes" packets will only drift from source based zones to interface based
+# zones (including the default zone). Packets never drift from interface based
+# zones to other interfaces based zones (including the default zone). Valid
+# values; "yes", "no".
+# Defaults to "no".
+AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}
+{%- endif %}
diff --git a/pillar.example b/pillar.example
index 3f64319..e68b767 100644
--- a/pillar.example
+++ b/pillar.example
@@ -10,6 +10,7 @@ firewalld:
 FirewallBackend: 'nftables'
 FlushAllOnReload: 'yes'
 RFC3964_IPv4: 'yes'
+ AllowZoneDrifting: 'no'
 ipset:
 manage: true
diff --git a/test/integration/default/controls/yaml_dump_spec.rb b/test/integration/default/controls/yaml_dump_spec.rb
index b2f5d6a..5c4b391 100644
--- a/test/integration/default/controls/yaml_dump_spec.rb
+++ b/test/integration/default/controls/yaml_dump_spec.rb
@@ -5,6 +5,7 @@ control 'firewalld `map.jinja` YAML dump' do
 yaml_dump = "---\n"
 yaml_dump += <<~YAML_DUMP.chomp
+ AllowZoneDrifting: 'no'
 AutomaticHelpers: system
 FirewallBackend: nftables
 FlushAllOnReload: 'yes'
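Review bot: The `default('no')` filter on the new `AllowZoneDrifting=` line can never take effect, because the enclosing `{%- if firewalld.get('AllowZoneDrifting', False) %}` only renders the block when the pillar key is present and truthy, so the rendered comment "Defaults to 'no'" describes firewalld's default rather than the formula's: with the key unset nothing is written and the daemon's own built-in default applies, which as far as I recall is still "yes" on the 0.8.x releases that introduced the option and becomes "no" only from 0.9.0. Since the copied text calls drifting a violation of the zone model that is disabled for security reasons, a reader of the rendered file could wrongly assume it is off whenever the directive is absent. I would either render the directive unconditionally on daemons that understand it, or make the guard honest with a template comment such as `{#- only rendered when set in pillar; with no key the daemon's built-in default applies (still "yes" on firewalld 0.8.x) #}` plus a matching note in pillar.example. Two slips in the upstream text are worth fixing while here: `Valid values; "yes", "no".` should use a colon, and `other interfaces based zones` should read `interface based`. The guard mirrors the preceding RFC3964_IPv4 block, whose opening `{%- if` is outside this hunk.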