Re: [PATCH 0/8] network: firewalld: native support for NAT/routed

On Thu, Nov 10, 2022 at 11:31:44AM -0500, Eric Garver wrote:
> This series further improves the firewalld backend by converting to a
> fully native implementation for NAT and routed networks. That is, there
> are no iptables rules added by libvirt when the running firewalld is
> 0.9.0 or later.
> 
> The major advantage is that firewalld users can use firewall-cmd to
> filter the VM traffic and apply their own policies.
> 
> When firewalld < 0.9.0 is present only the "libvirt" zone will be used.
> The new "libvirt-nat" and "libvirt-routed" zones are not used. This
> maintains compatibility for older distributions (e.g. Ubuntu 20.04).

Testing this I'm noticing problematic behaviour even with the
existing iptables impl.

Specifically, if you have 2 different virtual networks, VMs on
the distinct virtual networks are not supposed to be able to
talk to each other. And yet, even with the existing iptables
impl this is not blocked, and I'm wondering if this is a
consequence of the 'iptables' impl being switched to nft. 

With this pure firewalld impl, I'm not sure how we can stop this
cross-network traffic, given that all the virtual networks get
put in the same zone.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
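To make the isolation concern in the reply concrete, here is an added audit script (not part of the patch series or of libvirt) that parses the text of `firewall-cmd --list-all-zones` and flags any zone holding more than one libvirt bridge while intra-zone forwarding is on. The sample output embedded below is constructed to resemble the real command's format, and the check assumes libvirt bridges are named `virbrN` and that the zone's `forward:` line reflects its intra-zone forwarding setting.

```python
"""Flag firewalld zones in which several libvirt bridges share one zone.

Parses the text output of `firewall-cmd --list-all-zones`. On a live
host, feed the real command's stdout to audit_zones().
"""
import re

# Constructed sample, shaped like `firewall-cmd --list-all-zones` output.
SAMPLE = """\
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0 virbr1
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  forward: yes
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  forward: no
"""


def parse_zones(text):
    """Return {zone: {"interfaces": [...], "forward": bool}}."""
    zones, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            current = line.split()[0]  # "libvirt (active)" -> "libvirt"
            zones[current] = {"interfaces": [], "forward": False}
        elif current and line.strip().startswith("interfaces:"):
            zones[current]["interfaces"] = line.split(":", 1)[1].split()
        elif current and line.strip().startswith("forward:"):
            zones[current]["forward"] = line.split(":", 1)[1].strip() == "yes"
    return zones


def audit_zones(text, bridge_re=r"^virbr\d+$"):
    """Return {zone: [bridges]} for zones that hold more than one libvirt
    bridge and allow forwarding: VMs on those distinct virtual networks can
    reach each other unless a separate policy blocks it (assumed hypothetical
    bridge naming convention virbrN)."""
    pat = re.compile(bridge_re)
    findings = {}
    for name, zone in parse_zones(text).items():
        bridges = [i for i in zone["interfaces"] if pat.match(i)]
        if len(bridges) > 1 and zone["forward"]:
            findings[name] = bridges
    return findings


if __name__ == "__main__":
    for zone, bridges in audit_zones(SAMPLE).items():
        print(f"zone {zone}: bridges {bridges} share a forwarding zone")
```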