Eric Garver
How about something like `--get-active-configuration`? I'm not sure how this should be formatted. Maybe similar to the existing CLI output, but all of it would be appended together.
> > In general, the options available to firewall-offline-cmd are mostly the same as firewall-cmd. It'd be nice if the completion scripts could be common. > > Would you like...
> while I change the backend from nftables to iptables, there are no memory leaks, and the /etc/firewalld/zones/public.xml had no change.

When firewalld uses the `iptables` backend it will execute...
Hi, since b7faa74d this no longer occurs. This occurs because of `--direct` rules which may use `iptables` and `ebtables`. But since the above commit it is avoided until `--direct` rules...
> @erig0 Hi, I found that the introduction of this modification did not take effect.

It has not been released yet. The next feature release will have https://github.com/firewalld/firewalld/commit/b7faa74db15e2d1ebd9fdfcdc7579874d3a2fa87.
Hrm. The commit was specifically about avoiding the iptables flush. Perhaps `iptables.ko` is still loaded due to firewalld probing it when it starts up. Is it really a problem that...
> FTR: With #32 resolved, a [policy object](https://firewalld.org/2020/09/policy-objects-introduction) can be used to achieve the correct result like this (assuming netbios broadcasts should be activated in zone `home`): > > ```...
I was mistaken. I thought `samba` also had netbios. You're correct that `netbios-ns` is sufficient.
Firewalld already drops capabilities/privileges. See commits fb0532e8a200b15b7e83077aec380c35c0695475 and 13801962073f478c68d818b314091badcf8b5614. IMO, systemd sandboxing should be done by the downstream (distribution) at their discretion. Firewalld ships a basic systemd service definition.
> Is that desirable to reimplement dropping capabilities, instead of dropping them via systemd? Is the use-case to support non-systemd systems?

Yes. Not every distribution uses systemd.

> With systemd,...