[PATCH 0/4] network: firewalld: fix routed network

Laine Stump laine at redhat.com
Thu May 12 18:21:03 UTC 2022


On 5/12/22 2:00 PM, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:51AM -0400, Eric Garver wrote:
>> This series fixes routed networks when a newer firewalld (>= 1.0.0) is
>> present [1]. Firewalld 1.0.0 included a change that disallows implicit
>> forwarding between zones [2]. libvirt was relying on this behavior to
>> allow routed networks to function.
>>
>> New firewalld policies are added. This is done to use common rules
>> between NAT and routed networks. Policies have been supported since
>> firewalld 0.9.0.
> 
> For those following along, there's a helpful description of policies
> here, specifically explaining how it's useful to the libvirt scenario:
> 
>    https://firewalld.org/2020/09/policy-objects-introduction

...and for some further context that is probably only documented in the 
discussions that we had with Eric and some other people back in 2018 or so:

Once firewalld switches to its native-nftables backend, all of its own 
rules go into a separate nftables table, while libvirt's rules go into 
the iptables-compatibility table called "filter". In order for a packet 
to be accepted and forwarded, it must be accepted by *all* tables. (with 
iptables, both firewalld and libvirt use the "filter" table, and it is 
enough for the rules of one or the other to accept a packet).

At the time libvirt added support for the firewalld nftables backend, 
there was no way to explicitly specify "allow forwarded traffic" in a 
zone, and if the zone was "default REJECT" then all forwarded traffic 
would be rejected. In order for our traffic to be accepted, we had to 
make the "libvirt zone" (which is itself a part of *firewalld's* rules, 
not libvirt's rules!) "default ACCEPT", and then use an at-the-time new 
feature of firewalld that allowed us to specify higher priority ACCEPT 
rules for the traffic we wanted accepted, then a lower priority "REJECT 
ALL" rule (which would reject all traffic on the *INPUT* chain, but not 
on the FORWARD chain), and then the "default ACCEPT" rule would 
implicitly add rules that accepted any forwarded traffic.

Yes, in retrospect it sounds fragile. And at the time it sounded 
fragile as well. Unfortunately it was the only way to make things work.

In the ensuing years, firewalld has added explicit support for 
accepting/rejecting traffic on the FORWARD and OUTPUT chains, but as a 
part of this, that implicit "default ACCEPT" of forwarded traffic has 
been removed. And *that* is what necessitates Eric's new zone/policy 
files! Whew!