From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 30 Aug 2018 16:34:19 -0400
Subject: [PATCH] fedora patch to default to iptables backend
---
 config/firewalld.conf | 7 -------
 src/firewall/config/__init__.py.in | 2 +-
 src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
 src/tests/dbus/firewalld.conf.at | 2 +-
 src/tests/functions.at | 4 ++--
 5 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa50c53..63df409bf567 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -55,10 +55,3 @@ LogDenied=off
 # will be used. Possible values are: yes, no and system.
 # Default: system
 AutomaticHelpers=system
-
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be32077e1..cff7c3fe9025 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
 FALLBACK_INDIVIDUAL_CALLS = False
 FALLBACK_LOG_DENIED = "off"
 FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad693c1..6264f45a1913 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -240,6 +240,12 @@ class firewalld_conf(object):
 if key not in done:
 if (key in self._config and \
 self._config[key] != value):
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
 empty = False
 temp_file.write(u'%s=%s\n' % (key, self._config[key]))
@@ -247,6 +253,12 @@ class firewalld_conf(object):
 elif key in self._deleted:
 modified = True
 else:
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
 empty = False
 temp_file.write(line+u"\n")
 done.append(key)
@@ -258,6 +270,11 @@ class firewalld_conf(object):
 for (key,value) in self._config.items():
 if key in done:
 continue
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ continue
 if not empty:
 temp_file.write(u"\n")
 empty = True
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de10af..44e649111ffb 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl
 string "AutomaticHelpers" : variant string "system"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
+string "FirewallBackend" : variant string "iptables"
 m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
 string "IPv6_rpfilter" : variant string "no"],[dnl
 string "IPv6_rpfilter" : variant string "yes"])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 3b79a9f31305..dd7b43d9dac6 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
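Review bot: In the first hunk the new `continue` leaves the `self._config[key] != value` branch before whatever follows the `temp_file.write(...)` call, which lies outside the hunk; the sibling `_deleted` branch in the second hunk sets `modified = True`, so if the changed-value branch does the same after its write, switching FirewallBackend from nftables to the new default as the only change would not be recorded as a modification and, should write() discard an unmodified temp file, the stale `FirewallBackend=nftables` line would survive on disk. The second hunk has the same gap: an existing `FirewallBackend=iptables` line is dropped via `continue` without `modified = True`, so whether it actually disappears depends on some other key changing in the same write. Setting `modified = True` before each `continue` in the first two hunks would make the rewrite unconditional, while the third hunk only skips keys that were never written and needs no flag. The same three-line test is repeated in all three hunks and could be one private helper, e.g. `def _is_default_backend(key, value): return key == "FirewallBackend" and value == config.FALLBACK_FIREWALL_BACKEND`. Once the fallback flips, a host whose admin deliberately chose iptables will have nothing on disk recording that choice, so the comment `# We will change the default in the future.` should say that the setting is intentionally not persisted and what that implies for the later migration; write() begins and ends outside these hunks.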
@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [
 fi
 m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- m4_define_default([FIREWALL_BACKEND], [nftables])
+ m4_define_default([FIREWALL_BACKEND], [iptables])
 dnl don't unload modules or bother cleaning up, the namespace will be deleted
 AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
 dnl set the appropriate backend
- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
+ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
 dnl fib matching is pretty new in nftables. Don't use rpfilter on older
 dnl kernels.
-- 
2.18.0
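Review bot: The new `echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf` appends unconditionally, so it relies on the generated config no longer carrying a `FirewallBackend=` line (the `config/firewalld.conf` hunk of this patch removes it); if one reappears, the test config ends up with two entries and the effective value depends on how the parser treats duplicate keys, which is not visible here. The CleanupOnExit line just above keeps the replace-in-place sed form, so the two settings are now handled differently for no stated reason. A delete-then-append, `AT_CHECK([sed -i '/^FirewallBackend/d' ./firewalld.conf])` immediately before the echo, would work whether or not the key is present. FWD_START_TEST continues outside the hunk.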