[PATCH 0/8] network: firewalld: native support for NAT/routed

Laine Stump laine at redhat.com
Tue Nov 15 18:33:28 UTC 2022


On 11/15/22 12:55 PM, Daniel P. Berrangé wrote:
> On Thu, Nov 10, 2022 at 11:31:44AM -0500, Eric Garver wrote:
>> This series further improves the firewalld backend by converting to a
>> fully native implementation for NAT and routed networks. That is, there
>> are no iptables rules added by libvirt when the running firewalld is
>> 0.9.0 or later.
>>
>> The major advantage is that firewalld users can use firewall-cmd to
>> filter the VM traffic and apply their own policies.
>>
>> When firewalld < 0.9.0 is present only the "libvirt" zone will be used.
>> The new "libvirt-nat" and "libvirt-routed" zones are not used. This
>> maintains compatibility for older distributions (e.g. Ubuntu 20.04).
> 
> Testing this I'm noticing problematic behaviour even with the
> existing iptables impl.
> 
> Specifically, if you have 2 different virtual networks, VMs on
> the distinct virtual networks are not supposed to be able to
> talk to each other. And yet, even with the existing iptables
> impl this is not blocked, and I'm wondering if this is a
> consequence of the 'iptables' impl being switched to nft.

Between two routed networks it should allow traffic, but not between two 
NATed networks, or from routed to NAT. Unless I crossed a wire in my 
testing setup, I had tested this before pushing Eric's last patches 
(which fixed incoming traffic to routed networks).

I'll check it again.

> 
> With this pure firewalld impl, I'm not sure how we can stop this
> cross-network traffic, given that all the virtual networks get
> put in the same zone.

Interesting point. Yeah, can't have that.
