On Thu, May 12, 2022 at 07:00:09PM +0100, Daniel P. Berrangé wrote: > On Wed, May 11, 2022 at 11:41:51AM -0400, Eric Garver wrote: > > This series fixes routed networks when a newer firewalld (>= 1.0.0) is > > present [1]. Firewalld 1.0.0 included a change that disallows implicit > > forwarding between zones [2]. libvirt was relying on this behavior to > > allow routed networks to function. > > > > New firewalld policies are added. This is done to use common rules > > between NAT and routed networks. Policies have been supported since > > firewalld 0.9.0. > > For those following along, there's a helpful description of policies > here, specifically explaining how its useful to the libvirt scenario: > > https://firewalld.org/2020/09/policy-objects-introduction In reviewing these patches I've come to realize I'm still not confident I'm understanding the interaction between traffic we're managing at the firewalld zones/policies. For illustration let me assume the following setup: [ * Remote host on LAN (remote host IP 10.0.0.2) * eth0 public facing ethernet on the LAN (local host IP 10.0.0.5) * virbr0 isolated bridge device (local host IP 192.168.122.1) * vnet0 TAP device for a guest (guest IP 192.168.122.5) Remote host Local host +----------+ LAN +----------+ IP forward +---------------+ | 10.0.0.2 | -------- | 10.0.0.5 | --------------| 192.168.122.1 | | eth0 | | eth0 | w/ NAT | virbr0 | +----------+ +----------+ +---------------+ | | bridge port | +---------------+ | 192.168.122.5 | | host: vnet0 | | guest: eth0 | +---------------+ IIUC zones are * 'libvirt' containing 'virbr0' * 'FedoraWorkstation' containing 'eth0' Is 'vnet0' in a zone or not ? Traffic flows * LAN Remote host (10.0.0.2) -> local host (10.0.0.5) Normal traffic nothing to do with libvirt Rules in <zone> FedoraWorkstation apply * LAN Remote host (10.0.0.2) -> guest (192.168.122.5) IP layer forwarding via eth0 (with conntrack match for NAT zone) ingress=FedoraWorkstation egress=libvirt Rules in <policy> libvirt-host-in apply ? * Local host (192.168.122.1) -> guest (192.168.122.5) Rules in <zone> libvirt apply ? * Local host (10.0.0.5) -> guest (192.168.122.5) NB, shouldn't happen as traffic should have originated from 192.168.122.1 instead. ingress=FedoraWorkstation egress=libvirt Rules in <policy> libvirt-host-in apply ? * Guest (192.168.122.5) -> Local host (192.168.122.1) Rules in <zone> libvirt apply ? Need to allow dhcp, dns, ssh. Feels like this should still be rules in the <zone> ? * Guest (192.168.122.5) -> Local host (10.0.0.5) NB, shouldn't happen as guest generally won't be aware of host's eth0 IP address. ingress=libvirt egress=FedoraWorkstation Rules in <policy> libvirt-nat-out apply ? Should not allow anything special related to virt, as dhcp/dns stuff should only be serviced from virbr0. So the libvirt-nat-out policy feels wrong for this case. * Guest (192.168.122.5) -> LAN remote host (10.0.0.2) ingress=libvirt egress=FedoraWorkstation Rules in <policy> libvirt-nat-out apply ? Need to allow all traffic Is the above right, or any I getting mixed up somewhere ? With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
