On Fri, Feb 07, 2025 at 02:59:05PM +0000, Daniel P. Berrangé wrote:
> On Fri, Feb 07, 2025 at 06:39:50AM -0800, Andrea Bolognani wrote:
> > I'm wondering though, are we sure that e.g. Docker is doing the same
> > thing? My understanding is that if we go through firewalld but they
> > still add rules directly then we're screwed regardless.
>
> Yes, we can't solve it alone, if other apps still use direct rules,
> *and* their direct rules are applying broad DROP/REJECT rules.
>
> I don't know what docker adds, but if they're similar to libvirt
> their rules would be merely about opening holes, or restricting
> traffic on their own managed bridges, rather than blocking traffic
> broadly. In that case, docker would still be doomed by not using
> firewalld directly, but libvirt would be OK.

I'm not sure what Docker does either, but I can tell you for sure
that, at least on Debian, switching libvirt to the nftables backend
when Docker is installed makes guest connectivity break completely.

Even if that turned out to be Docker's fault for not playing nice,
the fact would remain that we can't default to a configuration that
doesn't work when paired with such popular software.

Things are different in Fedora because there's a clear indication
that Podman and firewalld should be used instead of Docker and ufw.
Debian is not nearly as opinionated as that.

> > Some people are just very eager to not have
> > iptables installed at all on their machines for whatever reason, and
> > as long as one of the drivers can only use iptables as the backend
> > that's much harder to achieve.
>
> RPM has choice deps eg "requires: nftables or iptables", but in the
> end we didn't use that in Fedora - we just left the default choice as
> the mandatory dep and didn't add a dep for the non-default. Can't quite
> remember, Debian can do that too.

The result is the same, because there is no choice when it comes to
the nwfilter driver: iptables is the only available backend.
So:

  # echo n \
    | dnf --setopt=install_weak_deps=False install \
        libvirt-daemon-driver-network \
        2>&1 | grep iptables
  iptables-libs           x86_64  1.8.10-15.fc41

where iptables-libs is there only because dnsmasq requires it, but:

  # echo n \
    | dnf --setopt=install_weak_deps=False install \
        libvirt-daemon-driver-nwfilter \
        2>&1 | grep iptables
  iptables-legacy         x86_64  1.8.10-15.fc41
  iptables-legacy-libs    x86_64  1.8.10-15.fc41
  iptables-libs           x86_64  1.8.10-15.fc41

And so obviously:

  # echo n \
    | dnf --setopt=install_weak_deps=False install \
        libvirt-daemon-kvm \
        2>&1 | grep iptables
  iptables-legacy         x86_64  1.8.10-15.fc41
  iptables-legacy-libs    x86_64  1.8.10-15.fc41
  iptables-libs           x86_64  1.8.10-15.fc41

In other words, the only way to avoid iptables getting installed is to
go out of your way and ensure that the nwfilter driver is left out.

I'm not sure why iptables-legacy is considered instead of
iptables-nft, but that's another topic.

-- 
Andrea Bolognani / Red Hat / Virtualization
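The dry-run dependency audit Andrea performs by hand above (answer "n" to dnf, then grep the transaction for iptables) generalises to a small script. The following is an added example for this page, not code from the libvirt project or from anyone in the thread. It assumes Fedora-style dnf transaction output, where each package in the resolved transaction appears on its own line as name, arch, version, repository, size, and it uses dnf's `--assumeno` option in place of piping `echo n`. The sample transaction text embedded in the script is constructed for the example; the libvirt version string in it is a placeholder, not a real package version.

```shell
#!/bin/sh
# Added example: report which iptables-related packages a dnf install
# transaction would pull in, without installing anything.
# Assumption: dnf prints the resolved transaction as a table with one
# package per line in the order  name  arch  version  repo  size.

# Parse dnf transaction output on stdin and print "name version" for
# every package whose name begins with "iptables". Header, separator and
# "Installing:" lines have fewer than four fields or a non-matching $1,
# so only real package rows survive the filter.
iptables_in_transaction() {
    awk '$1 ~ /^iptables/ && NF >= 4 { print $1, $3 }' | sort -u
}

# Live check against the local dnf: --assumeno answers "n" to the
# install prompt, install_weak_deps=False mirrors the thread's setting.
# Returns 1 (and lists the packages) if any iptables package would be
# installed, 0 otherwise, so it can gate a build or image pipeline.
check_pulls_iptables() {
    pkg=$1
    found=$(dnf --assumeno --setopt=install_weak_deps=False install "$pkg" 2>&1 \
            | iptables_in_transaction)
    if [ -n "$found" ]; then
        printf '%s would pull in:\n%s\n' "$pkg" "$found"
        return 1
    fi
    printf '%s pulls in no iptables packages\n' "$pkg"
    return 0
}

# Constructed sample output, modelled on the nwfilter case in the thread.
# The libvirt version "0.0.0-example" is a placeholder, not a real release.
SAMPLE_NWFILTER='Dependencies resolved.
================================================================================
 Package                         Arch    Version          Repository     Size
================================================================================
Installing:
 libvirt-daemon-driver-nwfilter  x86_64  0.0.0-example    fedora        120 k
Installing dependencies:
 iptables-legacy                 x86_64  1.8.10-15.fc41   fedora        380 k
 iptables-legacy-libs            x86_64  1.8.10-15.fc41   fedora         52 k
 iptables-libs                   x86_64  1.8.10-15.fc41   fedora        410 k
 libvirt-daemon-common           x86_64  0.0.0-example    fedora        3.1 M

Transaction Summary
================================================================================
Install  5 Packages

Is this ok [y/N]: Operation aborted.'

# Constructed sample where only dnsmasq (and hence iptables-libs) is pulled in.
SAMPLE_NETWORK='Installing:
 libvirt-daemon-driver-network   x86_64  0.0.0-example    fedora        150 k
Installing dependencies:
 dnsmasq                         x86_64  0.0.0-example    fedora        350 k
 iptables-libs                   x86_64  1.8.10-15.fc41   fedora        410 k'

# Offline demonstration on the constructed samples (no dnf needed).
demo() {
    printf 'nwfilter driver would pull in:\n'
    printf '%s\n' "$SAMPLE_NWFILTER" | iptables_in_transaction
    printf 'network driver would pull in:\n'
    printf '%s\n' "$SAMPLE_NETWORK" | iptables_in_transaction
}
```

On a Fedora host, `check_pulls_iptables libvirt-daemon-kvm` performs the same check the thread shows, with a non-zero exit status whenever iptables would land on the system; `demo` exercises the parser on the embedded samples only.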