On Fri, Feb 07, 2025 at 07:44:02AM -0800, Andrea Bolognani wrote:
> On Fri, Feb 07, 2025 at 02:59:05PM +0000, Daniel P. Berrangé wrote:
> > On Fri, Feb 07, 2025 at 06:39:50AM -0800, Andrea Bolognani wrote:
> > > I'm wondering though, are we sure that e.g. Docker is doing the same
> > > thing? My understanding is that if we go through firewalld but they
> > > still add rules directly then we're screwed regardless.
> >
> > Yes, we can't solve it alone, if other apps still use direct rules,
> > *and* their direct rules are applying broad DROP/REJECT rules.
> >
> > I don't know what docker adds, but if they're similar to libvirt
> > their rules would be merely about opening holes, or restricting
> > traffic on their own managed bridges, rather than blocking traffic
> > broadly. In that case, docker would still be doomed by not using
> > firewalld directly, but libvirt would be OK.
>
> I'm not sure what Docker does either, but I can tell you for sure
> that, at least on Debian, switching libvirt to the nftables backend
> when Docker is installed makes guest connectivity break completely.
>
> Even if that turned out to be Docker's fault for not playing nice,
> the fact would remain that we can't default to a configuration that
> doesn't work when paired with such popular software.

Would be interesting to know what docker was doing to break it, as it
might be something silly that's overlooked & easily fixed.

With regards,
Daniel
-- 
|: https://berrange.com         -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org            -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org     -o-   https://www.instagram.com/dberrange :|
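The distinction Daniel draws above, between rules that merely open holes or restrict traffic on a tool's own managed bridge and rules that apply a broad DROP/REJECT in the forward path, is exactly what an administrator would want to check when two tools (here libvirt and Docker) both program nftables on the same host. The following is an added diagnostic example, not code from the thread or from libvirt or Docker: it parses `nft list ruleset`-style text and reports forward-hooked chains with a `drop` policy, plus deny rules in those chains that carry no interface or address match at all. The ruleset embedded in the block is constructed for illustration (table `vendor`, bridge `br-sample`) and makes no claim about what Docker actually installs; the heuristic does not follow `jump`/`goto` into non-base chains.

```python
import re

# Matches the header lines of an `nft list ruleset` dump (constructed input below).
TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"^type\s+\S+\s+hook\s+(\S+)\s+priority\s+[^;]+;\s*policy\s+(\S+);")

# Any of these in a rule means it is scoped to an interface, address, port or
# connection state rather than applying to all forwarded traffic.
MATCH_KEYWORDS = ("iifname", "oifname", "iif ", "oif ", "saddr", "daddr",
                  "dport", "sport", "ct state", "meta ", "ether ")

# Constructed sample ruleset: one table with a drop policy and an unscoped
# "counter drop", one table whose deny rule is scoped to its own bridge.
SAMPLE_RULESET = """
table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		iifname "virbr0" oifname "virbr0" accept
		counter drop
	}
}
table ip vendor {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		oifname "br-sample" ct state established,related accept
		iifname "br-sample" accept
		oifname "br-sample" reject
	}
	chain OUT_HOLES {
		iifname "br-sample" accept
	}
}
"""


def is_broad_deny(rule: str) -> bool:
    """True if the rule drops/rejects without any match expression."""
    tokens = rule.split()
    if not tokens:
        return False
    # "reject with icmp ..." keeps words after the verdict, so look for the keyword.
    verdict = "reject" if "reject" in tokens else tokens[-1]
    if verdict not in ("drop", "reject"):
        return False
    return not any(keyword in rule for keyword in MATCH_KEYWORDS)


def audit_ruleset(text: str) -> list[dict]:
    """Walk the dump table by table and chain by chain, flagging broad denies
    in chains hooked at forward (where bridged guest traffic is decided)."""
    findings = []
    table = chain = None
    hooked_forward = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            hooked_forward = False
            continue
        if line == "}":
            # First closing brace ends the chain, the next one ends the table.
            if chain is not None:
                chain, hooked_forward = None, False
            else:
                table = None
            continue
        m = HOOK_RE.match(line)
        if m:
            hooked_forward = m.group(1) == "forward"
            if hooked_forward and m.group(2) == "drop":
                findings.append({"kind": "forward-policy-drop", "table": table,
                                 "chain": chain, "rule": line})
            continue
        if chain is not None and hooked_forward and is_broad_deny(line):
            findings.append({"kind": "broad-forward-deny", "table": table,
                             "chain": chain, "rule": line})
    return findings


if __name__ == "__main__":
    # On a real host, feed it the output of `nft list ruleset` instead.
    for finding in audit_ruleset(SAMPLE_RULESET):
        print(f"{finding['kind']}: table '{finding['table']}' chain "
              f"'{finding['chain']}': {finding['rule']}")
```

A rule scoped with `iifname`/`oifname` to a tool's own bridge (the `vendor` table above) is the "opening holes / restricting traffic on their own managed bridges" case and is not reported; a forward chain whose policy is `drop`, or one containing a bare `counter drop`, is the broad case that would silently cut off another tool's guests and is what to look for first when debugging the Debian breakage described in the thread.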