Wrong firewalld rule generated when publishing ports on specified ip
When specifying -p 10.52.0.2:1111:1111 to podman, my intention was to forward traffic coming from 10.52.0.2:1111 to container:1111. However, when using firewalld as the backend, the generated rule is
port=1111:proto=tcp:toport=1111:toaddr=10.52.0.2
which will forward any traffic to port 1111 to 10.52.0.2:1111.
I think in this case we should use a rich rule in the netavark_portfwd zone, like
rule destination address="10.52.0.2" forward-port port=1111 protocol=tcp to-port=1111 to-addr="container-ip"
instead of the forward-ports rule.
rpm -q netavark podman
netavark-1.9.0-1.fc39.x86_64
podman-4.8.2-1.fc39.x86_64
Reproduce:
# podman run -p 10.52.0.2:1111:1111 -it --rm --log-level debug alpine
....
[DEBUG netavark::firewall::firewalld] Port is ("1111", "tcp", "1111", "10.52.0.2")
....
# firewall-cmd --info-policy=netavark_portfwd
netavark_portfwd (active)
priority: -1
target: CONTINUE
ingress-zones: ANY
egress-zones: ANY
services:
ports:
protocols:
masquerade: no
forward-ports:
port=1111:proto=tcp:toport=1111:toaddr=10.52.0.2
source-ports:
icmp-blocks:
rich rules:
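As an added illustration of the distinction in this report (not netavark's code; the struct, parser and builder are assumptions made here), this Rust snippet turns a podman-style `-p` mapping into the firewalld rule text for the netavark_portfwd policy: a plain forward-port when no host IP is given, and the reporter's proposed rich rule restricted by `destination address` when one is, with the `family` that firewalld's rich-rule syntax requires once an address is present. The container IP is a constructed sample value.

```rust
// Added example, not netavark's code: derive the firewalld rule text for a
// podman-style port mapping. The struct and function names are assumptions;
// only the emitted strings follow firewalld's rich-rule / forward-port syntax.
#[derive(Debug, Clone, PartialEq)]
pub struct PortMapping {
    pub host_ip: Option<String>, // None means "bind on every host address"
    pub host_port: u16,
    pub container_port: u16,
    pub protocol: String,
}

/// Parse `hostport:containerport[/proto]` or `hostip:hostport:containerport[/proto]`.
/// Other podman forms (random host port, IPv6 brackets, ranges) are rejected here.
pub fn parse_publish(spec: &str) -> Result<PortMapping, String> {
    let (ports, protocol) = match spec.rsplit_once('/') {
        Some((p, proto)) => (p, proto.to_string()),
        None => (spec, "tcp".to_string()),
    };
    let parts: Vec<&str> = ports.split(':').collect();
    let (host_ip, host_port, container_port) = match parts.as_slice() {
        [hport, cport] => (None, *hport, *cport),
        [ip, hport, cport] if !ip.is_empty() => (Some(ip.to_string()), *hport, *cport),
        _ => return Err(format!("unsupported port spec: {spec}")),
    };
    let port = |s: &str| s.parse::<u16>().map_err(|e| format!("bad port {s:?}: {e}"));
    Ok(PortMapping {
        host_ip,
        host_port: port(host_port)?,
        container_port: port(container_port)?,
        protocol,
    })
}

/// Build the rule for the netavark_portfwd policy. With a host IP, the rich
/// rule matches only traffic whose destination is that address; without one,
/// a plain forward-port (which matches every destination) is the right form.
pub fn firewalld_rule(m: &PortMapping, container_ip: &str) -> String {
    match &m.host_ip {
        Some(ip) => format!(
            "rule family=\"ipv4\" destination address=\"{ip}\" forward-port port=\"{}\" protocol=\"{}\" to-port=\"{}\" to-addr=\"{container_ip}\"",
            m.host_port, m.protocol, m.container_port
        ),
        None => format!(
            "port={}:proto={}:toport={}:toaddr={container_ip}",
            m.host_port, m.protocol, m.container_port
        ),
    }
}
```

The rich-rule string is what `firewall-cmd --policy=netavark_portfwd --add-rich-rule='…'` would take, whereas the forward-port string matches the `forward-ports:` line shown in the `--info-policy` output above.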
Thanks for the report, yes this looks like a valid bug. However, please keep in mind that we do not recommend using the firewalld driver (at the moment); see https://github.com/containers/netavark/issues/722 for more problems.
@mheon can this be scoped up into your firewalld work?
This is definitely part of the remaining work for firewalld.