Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect firewalld by default #722

Open
p3lim opened this issue Jun 15, 2023 · 2 comments
Open

Detect firewalld by default #722

p3lim opened this issue Jun 15, 2023 · 2 comments

Comments

@p3lim
Copy link

p3lim commented Jun 15, 2023

netavark/src/firewall/mod.rs

Line 67 in 9c40d1f

// Until firewalld 1.1.0 with support for self-port forwarding lands:

This section has not been updated since firewalld 1.1.x came out 16 months ago, requiring users to set NETAVARK_FW=firewalld globally (e.g. in /etc/environment) to properly use firewalld if present.

Been testing it today along with @erig0 (firewalld lead), who requested me to open an issue with you to finalize this support.

Tested with:

  • firewalld 1.1.1 (from Ubuntu 22.04 repos)
  • podman 4.5.1 (from kubic repos)
  • netavark 1.3.0 (from kubic repos)
@Luap99
Copy link
Member

Luap99 commented Jun 15, 2023

We have been talking about it lately, we should definitely enable it if it works correctly.

Some outstanding work to do so:

  • Figure out how to keep this backwards compatible, if we switch the default a container started before the update with iptables will no longer cleanup the rules. There is currently no logic to store this information anywhere.
  • Add support for isolate option which changes the behaviour if networks can talk to each other (see feature: isolation among all netavark bridge  #703 for example)
  • Port forwarding on the local host is not working, if I run podman run -p 80:80 -dt nginx the port is not reachable via any local address. It is however reachable via other hosts on the same network. This is a major problem and must be fixed.

These are the things I can think of right now. And then we should run test/200-bridge-firewalld.bats and see if any test cases are failing there.

cc @mheon

@mheon
Copy link
Member

mheon commented Jun 15, 2023

That all sounds correct.

Of these:

  • Backwards compatibility is tricky, but likely not particularly difficult - just need to figure out a good way of identifying if iptables is currently in use and continuing to use it if so.
  • Isolate is the most difficult. It requires a rework of the current firewalld model in use (single zone for all networks, rework into one zone per network) and the addition of support for setting inter-network trust (so that non-isolate networks can talk to each other). Lot of work here.
  • Port forwarding is a fair bit of code (need to write raw rules to accomplish the port-forward) but not really difficult, just annoying to write

@Luap99 Luap99 mentioned this issue Sep 29, 2023
Closed
@Luap99 Luap99 mentioned this issue Jan 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@p3lim @mheon @Luap99