feat(firewalld.conf): support configuration of AllowZoneDrifting

firewalld/files/firewalld.conf

@@ -95,3 +95,18 @@ FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
 # Defaults to "yes".
 RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
 {%- endif %}
+{%- if firewalld.get('AllowZoneDrifting', False) %}
+
+# AllowZoneDrifting
+# Older versions of firewalld had undocumented behavior known as "zone
+# drifting". This allowed packets to ingress multiple zones - this is a
+# violation of zone based firewalls. However, some users rely on this behavior
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
+# desire such behavior. It's disabled by default for security reasons. Note: If
+# "yes" packets will only drift from source based zones to interface based
+# zones (including the default zone). Packets never drift from interface based
+# zones to other interfaces based zones (including the default zone). Valid
+# values; "yes", "no".
+# Defaults to "no".
+AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}
+{%- endif %}

pillar.example

@@ -10,6 +10,7 @@ firewalld:
   FirewallBackend: 'nftables'
   FlushAllOnReload: 'yes'
   RFC3964_IPv4: 'yes'
+  AllowZoneDrifting: 'no'
 
   ipset:
     manage: true

test/integration/default/controls/yaml_dump_spec.rb

@@ -5,6 +5,7 @@
 
   yaml_dump = "---\n"
   yaml_dump += <<~YAML_DUMP.chomp
+    AllowZoneDrifting: 'no'
     AutomaticHelpers: system
     FirewallBackend: nftables
     FlushAllOnReload: 'yes'