[PATCH 0/8] network: firewalld: native support for NAT/routed

[Eric Garver]

On Tue, Nov 15, 2022 at 01:33:28PM -0500, Laine Stump wrote:
> On 11/15/22 12:55 PM, Daniel P. Berrangé wrote:
> > On Thu, Nov 10, 2022 at 11:31:44AM -0500, Eric Garver wrote:
> > > This series further improves the firewalld backend by converting to a
> > > fully native implementation for NAT and routed networks. That is, there
> > > are no iptables rules added by libvirt when the running firewalld is
> > > 0.9.0 or later.
> > > 
> > > The major advantage is that firewalld users can use firewall-cmd to
> > > filter the VM traffic and apply their own policies.
> > > 
> > > When firewalld < 0.9.0 is present only the "libvirt" zone will be used.
> > > The new "libvirt-nat" and "libvirt-routed" zones are not used. This
> > > maintains compatibility for older distributions (e.g. Ubuntu 20.04).
> > 
> > Testing this I'm noticing problematic behaviour even with the
> > existing iptables impl.
> > 
> > Specifically, if you have 2 different virtual networks, VMs on
> > the distinct virtual networks are not supposed to be able to
> > talk to each other. And yet, even with the existing iptables
> > impl this is not blocked, and I'm wondering if this is a
> > consequence of the 'iptables' impl being switched to nft.
> 
> Between two routed networks it should allow traffic, but not between two
> NATed networks, or from routed to NAT. Unless I crossed a wire in my testing
> setup, I had tested this before pushing Eric's last patches (which fixed
> incoming traffic to routed networks).
> 
> I'll check it again.

If it's not currently being blocked then it can be, e.g. adding a policy
to reject "libvirt-nat" --> "libvirt-routed".

> > With this pure firewalld impl, I'm not sure how we can stop this
> > cross-network traffic, given that all the virtual network sget
> > put in the same zone.
> 
> Interesting point. Yeah, can't have that.