On Fri, Feb 07, 2025 at 11:09:35AM +0000, Daniel P. Berrangé wrote:
> On Thu, Jan 30, 2025 at 12:47:41PM -0800, Andrea Bolognani wrote:
> > If things really work the way you describe them, it sounds like an
> > unsolvable problem indeed. Any scenario in which all possible
> > components need to be aware of each other obviously doesn't scale.
>
> That's not quite the case. libvirt shouldn't need to know about docker,
> and vice versa. docker & libvirt both need to know about the base
> OS' choice of firewall mgmt tool (ufw, firewalld, initscripts, etc)
> and support whichever the base OS has used. A decent number of
> variations, but not a combinatorial expansion at least.

If we can restrict the number of external components that we have to
be mindful of to just firewall implementations, then things don't
sound quite as bleak. Still quite a lot of work ahead.

I'm wondering though, are we sure that e.g. Docker is doing the same
thing? My understanding is that if we go through firewalld but they
still add rules directly then we're screwed regardless.

> > Have the nftables maintainers expressed their opinion about this?
> > Surely they would have considered how to make filtering work without
> > forcing extremely tight coupling.
>
> Usage is a decision for userspace and I believe the firewalld
> maintainers would expect everyone to directly use firewalld's
> APIs to achieve their goals and not go behind its back with
> native calls.

So the nftables design basically demands that an additional layer is
added on top?

> > I'll note that the nwfilter driver not having an nftables backend is
> > another, if secondary, reason to stick with iptables by default. The
> > main goal for most people is to create a deployment that's completely
> > free of the legacy userspace, and if some other driver is going to
> > drag it in anyway, a big part of the benefit is immediately lost...
>
> The nwfilter driver is not a big deal as its firewall rules are entirely
> self-contained and attached to the vnetXXX devices which no other tool
> will be trying to put rules on, so there's no expected clash & I've
> never heard any reported.

That's not what I meant. Some people are just very eager to not have
iptables installed at all on their machines for whatever reason, and
as long as one of the drivers can only use iptables as the backend
that's much harder to achieve.

-- 
Andrea Bolognani / Red Hat / Virtualization
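The worry raised above, that another tool may add rules directly while libvirt goes through firewalld, can be checked on a host. The script below is an added example written for this page; it is not libvirt, Docker or firewalld code and is not part of the thread. It assumes that firewalld's nftables backend keeps all of its own rules in the tables named `inet firewalld`, `ip firewalld` and `ip6 firewalld`, so any other table listed by `nft list tables` was created behind firewalld's back (for instance the `ip filter` and `ip nat` tables that iptables-nft creates when some tool issues plain iptables commands). The sample ruleset is constructed for the example; the `check_live` function runs the same logic against the real ruleset when `nft` is available.

```shell
#!/bin/sh
# Added example, not code from the thread: find nftables tables that were
# created by something other than firewalld, i.e. by a tool that drives
# nft or iptables-nft directly instead of using firewalld's API.
#
# Assumption: firewalld (nftables backend) owns exactly the tables
# "inet firewalld", "ip firewalld" and "ip6 firewalld". Everything else
# in `nft list tables` was added by another actor.

# Constructed sample in the format of `nft list tables`. The last two
# entries are the tables iptables-nft creates when another tool adds
# iptables rules directly; firewalld does not own them.
SAMPLE_TABLES='table inet firewalld
table ip firewalld
table ip6 firewalld
table ip nat
table ip filter'

# foreign_tables TEXT
# Print "family/name" for every table in TEXT that firewalld does not own.
foreign_tables() {
    printf '%s\n' "$1" | awk '
        $1 == "table" && NF >= 3 {
            if (($2 == "inet" || $2 == "ip" || $2 == "ip6") && $3 == "firewalld")
                next            # owned by firewalld, nothing to report
            print $2 "/" $3     # created behind firewalld, flag it
        }'
}

# count_foreign TEXT
# Number of foreign tables; 0 means nobody bypassed firewalld.
count_foreign() {
    foreign_tables "$1" | awk 'END { print NR }'
}

# check_live
# Run the check against the live ruleset. Returns 1 when foreign tables
# exist so it can be used from a health check; skips quietly when nft is
# missing or the ruleset cannot be read (usually: not root).
check_live() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; live check skipped"; return 0; }
    live=$(nft list tables 2>/dev/null) || { echo "cannot read ruleset (need root?); live check skipped"; return 0; }
    found=$(foreign_tables "$live")
    if [ -n "$found" ]; then
        echo "nftables tables not managed by firewalld:"
        printf '  %s\n' $found
        return 1
    fi
    echo "all nftables tables belong to firewalld"
    return 0
}

# Demonstration on the constructed sample; expected: ip/nat and ip/filter.
echo "sample ruleset, tables not owned by firewalld:"
foreign_tables "$SAMPLE_TABLES"
```

Run `check_live` as root on a host where libvirt is configured to use firewalld: a non-empty list means some other component is writing rules natively, which is exactly the situation where going through firewalld does not help. The check only makes sense when firewalld is using its nftables backend (FirewallBackend=nftables, the default in current firewalld releases); with the iptables backend, firewalld's own rules also land in iptables-nft tables and would be reported as foreign.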