Detect firewalld by default
https://github.com/containers/netavark/blob/9c40d1f6372a21248ebbd4edff31148ee8de54aa/src/firewall/mod.rs#L67
This section has not been updated since firewalld 1.1.x came out 16 months ago, requiring users to set NETAVARK_FW=firewalld globally (e.g. in /etc/environment) to properly use firewalld if present.
Been testing it today along with @erig0 (firewalld lead), who requested me to open an issue with you to finalize this support.
Tested with:
- firewalld 1.1.1 (from Ubuntu 22.04 repos)
- podman 4.5.1 (from kubic repos)
- netavark 1.3.0 (from kubic repos)
We have been talking about it lately; we should definitely enable it if it works correctly.
Some outstanding work to do so:
- Figure out how to keep this backwards compatible. If we switch the default, a container started before the update with iptables will no longer clean up the rules. There is currently no logic to store this information anywhere.
- Add support for the `isolate` option, which changes the behaviour of whether networks can talk to each other (see https://github.com/containers/netavark/pull/703 for example).
- Port forwarding on the local host is not working. If I run `podman run -p 80:80 -dt nginx`, the port is not reachable via any local address. It is however reachable via other hosts on the same network. This is a major problem and must be fixed.
These are the things I can think of right now. And then we should run test/200-bridge-firewalld.bats and see if any test cases are failing there.
cc @mheon
That all sounds correct.
Of these:
- Backwards compatibility is tricky, but likely not particularly difficult - just need to figure out a good way of identifying if iptables is currently in use and continuing to use it if so.
- Isolate is the most difficult. It requires a rework of the current firewalld model in use (single zone for all networks, rework into one zone per network) and the addition of support for setting inter-network trust (so that non-isolate networks can talk to each other). Lot of work here.
- Port forwarding is a fair bit of code (need to write raw rules to accomplish the port-forward) but not really difficult, just annoying to write