On Fri, Feb 07, 2025 at 07:44:02AM -0800, Andrea Bolognani wrote:
> On Fri, Feb 07, 2025 at 02:59:05PM +0000, Daniel P. Berrangé wrote:
> > On Fri, Feb 07, 2025 at 06:39:50AM -0800, Andrea Bolognani wrote:
> > > I'm wondering though, are we sure that e.g. Docker is doing the same
> > > thing? My understanding is that if we go through firewalld but they
> > > still add rules directly then we're screwed regardless.
> >
> > Yes, we can't solve it alone, if other apps still use direct rules,
> > *and* their direct rules are applying broad DROP/REJECT rules.
> >
> > I don't know what docker adds, but if they're similar to libvirt
> > their rules would be merely about opening holes, or restricting
> > traffic on their own managed bridges, rather than blocking traffic
> > broadly. In that case, docker would still be doomed by not using
> > firewalld directly, but libvirt would be OK.
>
> I'm not sure what Docker does either, but I can tell you for sure
> that, at least on Debian, switching libvirt to the nftables backend
> when Docker is installed makes guest connectivity break completely.
> Even if that turned out to be Docker's fault for not playing nice,
> the fact would remain that we can't default to a configuration that
> doesn't work when paired with such popular software.

Would be interesting to know what docker was doing to break it, as
it might be something silly that's overlooked & easily fixed.
With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
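The interaction the thread is worrying about follows from how nftables evaluates base chains: an accept verdict only ends the chain that issued it, and the packet is still offered to every other base chain registered on the same hook, where a drop verdict is final. So accepts that libvirt places in its own table cannot rescue guest traffic from a broad "policy drop" that some other component installs on the forward hook. The script below is an added example, not code from this thread, from libvirt or from Docker: it reads an `nft list ruleset` dump and reports forward-hook base chains with a drop policy that live outside libvirt's table. The table name `libvirt_network` is assumed here to be the one libvirt's nftables backend uses, and the ruleset dump is constructed for the example (shaped like what iptables-nft renders for a filter FORWARD chain), not captured from a real host.

```shell
#!/bin/sh
# Added example: flag forward-hook base chains with "policy drop" that belong
# to a table other than libvirt's. Such a chain drops packets regardless of
# any accept verdict libvirt's own chains already issued on the same hook.
# ASSUMPTION: libvirt's nftables table is called "libvirt_network".
# The ruleset below is constructed for this example, not a real capture.

RULESET_SAMPLE='table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter jump DOCKER-USER
        oifname "docker0" ct state related,established accept
    }
    chain DOCKER-USER {
        return
    }
}
table ip libvirt_network {
    chain guest_output {
        type filter hook forward priority filter; policy accept;
        iifname "virbr0" ip saddr 192.168.122.0/24 accept
    }
    chain guest_input {
        type filter hook forward priority filter; policy accept;
        oifname "virbr0" ip daddr 192.168.122.0/24 accept
    }
}'

# Read a ruleset dump on stdin; print "family table chain" for every base
# chain hooked on forward with policy drop whose table is not $1
# (default: libvirt_network). awk field splitting discards indentation.
foreign_forward_drops() {
    own_table="${1:-libvirt_network}"
    awk -v own="$own_table" '
        $1 == "table" { family = $2; table = $3; next }
        $1 == "chain" { chain = $2; next }
        /type filter hook forward/ && /policy drop/ {
            if (table != own) print family, table, chain
        }'
}

# Number of offending chains in the constructed sample (optional own-table name).
count_foreign_forward_drops() {
    printf '%s\n' "$RULESET_SAMPLE" | foreign_forward_drops "$1" | wc -l | tr -d ' '
}

# Running stand-alone: report what the sample ruleset would do to guest traffic.
printf '%s\n' "$RULESET_SAMPLE" | foreign_forward_drops
```

On a real host the same function can be fed the live ruleset (`nft list ruleset | foreign_forward_drops`, as root); any line it prints names a chain whose policy, not libvirt's rules, decides whether forwarded guest traffic survives, which is the first place to look when a bridge-attached guest loses connectivity after switching backends.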