Re: [PATCH 0/8] network: firewalld: native support for NAT/routed

On 11/15/22 12:55 PM, Daniel P. Berrangé wrote: > On Thu, Nov 10, 2022 at 11:31:44AM -0500, Eric Garver wrote: > > This series further improves the firewalld backend by converting to a > > fully native implementation for NAT and routed networks. That is, there > > are no iptables rules added by libvirt when the running firewalld is > > 0.9.0 or later. > > > > The major advantage is that firewalld users can use firewall-cmd to > > filter the VM traffic and apply their own policies. > > > > When firewalld < 0.9.0 is present only the "libvirt" zone will be used. > > The new "libvirt-nat" and "libvirt-routed" zones are not used. This > > maintains compatibility for older distributions (e.g. Ubuntu 20.04). > > Testing this I'm noticing problematic behaviour even with the > existing iptables impl. > > Specifically, if you have 2 different virtual networks, VMs on > the distinct virtual networks are not supposed to be able to > talk to each other. And yet, even with the existing iptables > impl this is not blocked, and I'm wondering if this is a > consequence of the 'iptables' impl being switched to nft. Between two routed networks it should allow traffic, but not between two NATed networks, or from routed to NAT. Unless I crossed a wire in my testing setup, I had tested this before pushing Eric's last patches (which fixed incoming traffic to routed networks). I'll check it again.

> With this pure firewalld impl, I'm not sure how we can stop this > cross-network traffic, given that all the virtual network sget > put in the same zone. Interesting point. Yeah, can't have that.