Re: network: firewalld: native support for NAT/routed

On 6/15/23 11:53 AM, Hervé Werner wrote:
> Hello
>
> I'd like to revive the thread started by Eric Garver at the end of last year that aims to bring native Firewalld support to libvirtd [1].
>
> Currently the Firewalld configuration set up by libvirtd is based on a quirk [2] that makes it a bit puzzling for users.

Yeah, at the time that was the only way to get libvirt's iptables rules and firewalld's nftables-based backend working "together" on the same system (and firewalld didn't have support for filtering forwarded traffic, so using only firewalld wasn't an option); the commit log goes into excruciating detail of the why, so I won't bother rehashing it here.

> The aforementioned patches implement the same configuration from a Firewalld policy, which is much cleaner and more understandable.

> I'm supportive of moving forward on this patch series.

I have patches that replace libvirt's iptables usage (for virtual networks, but not for nwfilter) with nftables by adding a selectable nftables backend to the virtual network driver:

https://listman.redhat.com/archives/libvir-list/2023-May/239720.html

and have planned to rebase Eric's series on top of that and make it into a third selectable backend; several issues were pointed out with my patches when I posted them though, and I haven't gotten back to revising them yet.

I'd prefer to not push Eric's patches before mine, because that will increase the complexity of the refactor that's needed (and also his patches don't allow for selecting firewalld vs. iptables backend, they just always use the firewalld backend if firewalld is active). I think danpb had also discovered that the firewalld backend behaved differently from the existing iptables backend in some cases involving multiple virtual networks.

Anyway, I have two other things I need to get done, and then I'll be back to revising my nftables patches and incorporating Eric's firewalld patches on top of that. If you want, I can Cc you when I post new patches (if I remember) so you can try them out.


> Regards
> Hervé


> [1] https://listman.redhat.com/archives/libvir-list/2022-November/235725.html
> [2] https://gitlab.com/libvirt/libvirt/-/commit/3b71f2e42dc6c5453d09136578bfb868874da088