Bug
Resolution: Done
rhel-sst-networking-core
ssg_networking
Linux
Description of problem:
Allow RHEL8 firewalld 0.9.3 to accept established and related connections with reject/drop policies
Version-Release number of selected component (if applicable):
firewalld 0.9.3
How reproducible:
1) You need to apply the following policy
firewall-cmd --new-policy out --permanent
firewall-cmd --set-target REJECT --policy out --permanent
firewall-cmd --policy out --add-egress-zone ANY --permanent
firewall-cmd --policy out --add-ingress-zone HOST --permanent
2) Then try to connect from another machine via ssh; it should be blocked.
The case notes show that the following line is missing on Red Hat 8:
chain filter_OUTPUT {
    type filter hook output priority filter + 10; policy accept;
    ct state { established, related } accept
    oifname "lo" accept
    ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
    jump filter_OUTPUT_POLICIES_pre
    jump filter_OUTPUT_POLICIES_post
}
3) After inserting the line manually the problem is fixed, but we need to modify the firewalld code in order to place the rule from the beginning.
Temporary fix:
# nft insert rule inet firewalld filter_OUTPUT 'ct state { established, related } accept'
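A quick way to confirm whether a host is affected, or whether the temporary fix above has been applied correctly, is to check that the conntrack accept rule is present in filter_OUTPUT and sits before the policy jumps (a rule inserted after `jump filter_OUTPUT_POLICIES_pre` would never be reached for traffic the REJECT policy catches). The following POSIX shell script is an added example, not part of this report or of firewalld; the three chain listings it checks are constructed, abbreviated versions of the chain shown above, and `check_filter_output` / `check_listing` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the bug report or the firewalld project).
# Reads an `nft list chain inet firewalld filter_OUTPUT` listing on stdin
# and returns:
#   0  conntrack accept rule present and placed before the policy jumps
#   1  conntrack accept rule missing (the RHEL 8 / firewalld 0.9.3 symptom)
#   2  rule present but placed after the policy jumps, so it is ineffective
check_filter_output() {
    awk '
        /ct state/ && /established/ && /accept/ { ct = NR }
        /jump filter_OUTPUT_POLICIES_pre/       { pre = NR }
        END {
            if (ct == 0) exit 1
            if (pre != 0 && ct > pre) exit 2
            exit 0
        }'
}

# Convenience wrapper: check a listing held in a string.
check_listing() {
    printf '%s\n' "$1" | check_filter_output
}

# Constructed listing: the chain as seen on the affected RHEL 8 host
# (ip6 daddr bogon rule omitted for brevity).
BROKEN_LISTING='chain filter_OUTPUT {
    type filter hook output priority filter + 10; policy accept;
    oifname "lo" accept
    jump filter_OUTPUT_POLICIES_pre
    jump filter_OUTPUT_POLICIES_post
}'

# Constructed listing: the chain after `nft insert rule ...` from the
# temporary fix, which puts the rule at the top of the chain.
FIXED_LISTING='chain filter_OUTPUT {
    type filter hook output priority filter + 10; policy accept;
    ct state { established, related } accept
    oifname "lo" accept
    jump filter_OUTPUT_POLICIES_pre
    jump filter_OUTPUT_POLICIES_post
}'

# Constructed listing: the rule was appended (`nft add rule`) instead of
# inserted, so the policy jumps run first and the rule never matches.
MISORDERED_LISTING='chain filter_OUTPUT {
    type filter hook output priority filter + 10; policy accept;
    oifname "lo" accept
    jump filter_OUTPUT_POLICIES_pre
    jump filter_OUTPUT_POLICIES_post
    ct state { established, related } accept
}'

# Usage on a live host (root, nftables installed):
#   nft list chain inet firewalld filter_OUTPUT | check_filter_output
```

Note the distinction the return code 2 draws: `nft add rule` appends to the end of the chain, while the temporary fix deliberately uses `nft insert rule` so the rule lands ahead of `jump filter_OUTPUT_POLICIES_pre`; the order matters because the policy's REJECT target is evaluated inside that jump.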
Actual results:
The server is blocked after applying the policy
Expected results:
- All outgoing traffic should be blocked except for the already established connections
Additional info:
We found the solution here:
https://github.com/firewalld/firewalld/pull/709/commits/4581f83ea51d55ec7929d8a81ff485918a10e34e
On the case I left a note about the changes to the py scripts in order to fix the issue.
Case: 03398728