[PATCH 0/4] network: firewalld: fix routed network

Eric Garver eric at garver.life
Thu May 12 20:08:53 UTC 2022 

On Thu, May 12, 2022 at 08:04:28PM +0100, Daniel P. Berrangé wrote:
> On Thu, May 12, 2022 at 07:00:09PM +0100, Daniel P. Berrangé wrote:
> > On Wed, May 11, 2022 at 11:41:51AM -0400, Eric Garver wrote:
> > > This series fixes routed networks when a newer firewalld (>= 1.0.0) is
> > > present [1]. Firewalld 1.0.0 included a change that disallows implicit
> > > forwarding between zones [2]. libvirt was relying on this behavior to
> > > allow routed networks to function.
> > > 
> > > New firewalld policies are added. This is done to use common rules
> > > between NAT and routed networks. Policies have been supported since
> > > firewalld 0.9.0.
> > 
> > For those following along, there's a helpful description of policies
> > here, specifically explaining how its useful to the libvirt scenario:
> > 
> >   https://firewalld.org/2020/09/policy-objects-introduction
> 
> In reviewing these patches I've come to realize I'm still not
> confident I'm understanding the interaction between traffic
> we're managing at the firewalld  zones/policies.

It's confusing because it's a combination of iptables (libvirt) and
firewalld (nftables). And they filter independently. Think of it as
having to pass through two firewalls.

Hopefully I got it all correct below.

> For illustration let me assume the following setup:
> [
>    * Remote host on LAN (remote host IP 10.0.0.2)
> 
>    * eth0 public facing ethernet on the LAN (local host IP 10.0.0.5)
> 
>    * virbr0 isolated bridge device (local host IP 192.168.122.1)
> 
>    * vnet0 TAP device for a guest (guest IP 192.168.122.5)
> 
> 
>    Remote host            Local host
> 
>   +----------+    LAN   +----------+   IP forward  +---------------+
>   | 10.0.0.2 | -------- | 10.0.0.5 | --------------| 192.168.122.1 |
>   | eth0     |          |  eth0    |   w/ NAT      |  virbr0       |
>   +----------+          +----------+               +---------------+
>                                                          |
> 							 | bridge port
>                                                          |
>                                                    +---------------+
>                                                    | 192.168.122.5 |
> 						   | host: vnet0   |
> 						   | guest: eth0   |
> 						   +---------------+
> 
> IIUC zones are
> 
>    * 'libvirt' containing 'virbr0'
>    * 'FedoraWorkstation' containing 'eth0'
> 
> Is 'vnet0' in a zone or not ?

No. Only the bridge interface is added to the zone. The vnet* interfaces
don't have addresses.

> 
> 
> Traffic flows
> 
> 
>    * LAN Remote host (10.0.0.2) -> local host (10.0.0.5)
> 
>      Normal traffic nothing to do with libvirt
> 
>      Rules in <zone> FedoraWorkstation apply

True.

> 
>    * LAN Remote host (10.0.0.2) -> guest (192.168.122.5)
> 
>      IP layer forwarding via eth0 (with conntrack match for NAT zone)
> 
>      ingress=FedoraWorkstation
>      egress=libvirt
> 
>      Rules in <policy> libvirt-host-in apply ?

False. There are no explicit firewalld rules for this.

Existing connections would be implicitly allowed by a top-level "ct
state" match in FORWARD.

> 
>    * Local host (192.168.122.1) -> guest (192.168.122.5)
> 
>      Rules in <zone> libvirt apply ?

False. No rules explicit rules apply.

Firewalld allows outbound by default.

> 
>    * Local host (10.0.0.5) -> guest (192.168.122.5)
> 
>      NB, shouldn't happen as traffic should have originated
>      from 192.168.122.1 instead.
> 
>      ingress=FedoraWorkstation
>      egress=libvirt
> 
>      Rules in <policy> libvirt-host-in apply ?

False. There are no explicit firewalld rules for this.

New connections would be denied. Existing (originating from VM) would be
allowed.

> 
>    * Guest (192.168.122.5) -> Local host (192.168.122.1)
> 
>      Rules in <zone> libvirt apply ?
> 
>      Need to allow dhcp, dns, ssh. Feels like this
>      should still be rules in the <zone> ?

True. This is handled by the current zone definition.

This series moves them into libvirt-to-host. You used the name
libvirt-host-in, which may be a better name for the policy. :)

> 
>    * Guest (192.168.122.5) -> Local host (10.0.0.5)
> 
>      NB, shouldn't happen as guest generally won't be
>      aware of host's eth0 IP address.
> 
>      ingress=libvirt
>      egress=FedoraWorkstation
> 
>      Rules in <policy> libvirt-nat-out apply ?
> 
>      Should not allow anything special related to virt,
>      as dhcp/dns stuff should only be serviced from virbr0.
>      So the libvirt-nat-out policy feels wrong for this
>      case.

False. I think this is still considered INPUT traffic since it's going
to the local network stack.

So the "libvirt" zone and libvirt-to-host would apply.

Would be

        ingress=libvirt
        egress=HOST

> 
>    * Guest (192.168.122.5) -> LAN remote host (10.0.0.2)
> 
>      ingress=libvirt
>      egress=FedoraWorkstation
> 
>      Rules in <policy> libvirt-nat-out apply ?
> 
>      Need to allow all traffic

True.

> 
> Is the above right, or any I getting mixed up somewhere ?

Answered all inline.

More information about the libvir-list mailing list