On 5/12/22 2:00 PM, Daniel P. Berrangé wrote:
On Wed, May 11, 2022 at 11:41:51AM -0400, Eric Garver wrote:
This series fixes routed networks when a newer firewalld (>= 1.0.0) is
present [1]. Firewalld 1.0.0 included a change that disallows implicit
forwarding between zones [2]. libvirt was relying on this behavior to
allow routed networks to function.

New firewalld policies are added. This is done to use common rules
between NAT and routed networks. Policies have been supported since
firewalld 0.9.0.

For those following along, there's a helpful description of policies
here, specifically explaining how it's useful to the libvirt scenario:

   https://firewalld.org/2020/09/policy-objects-introduction

...and for some further context that is probably only documented in the discussions that we had with Eric and some other people back in 2018 or so:

Once firewalld switches to its native-nftables backend, all of its own rules go into a separate nftables table, while libvirt's rules go into the iptables-compatibility table called "filter". In order for a packet to be accepted and forwarded, it must be accepted by *all* tables. (with iptables, both firewalld and libvirt use the "filter" table, and it is enough for the rules of one or the other to accept a packet).

At the time libvirt added support for the firewalld nftables backend, there was no way to explicitly specify "allow forwarded traffic" in a zone, and if the zone was "default REJECT" then all forwarded traffic would be rejected. In order for our traffic to be accepted, we had to make the "libvirt zone" (which is itself a part of *firewalld's* rules, not libvirt's rules!) "default ACCEPT", and then use an at-the-time new feature of firewalld that allowed us to specify higher priority ACCEPT rules for the traffic we wanted accepted, then a lower priority "REJECT ALL" rule (which would reject all traffic on the *INPUT* chain, but not on the FORWARD chain), and then the "default ACCEPT" rule would implicitly add rules that accepted any forwarded traffic.

Yes, in retrospect it sounds fragile. And at the time it sounded fragile as well. Unfortunately it was the only way to make things work.

In the ensuing years, firewalld has added explicit support for accepting/rejecting traffic on the FORWARD and OUTPUT chains, but as a part of this, that implicit "default ACCEPT" of forwarded traffic has been removed. And *that* is what necessitates Eric's new zone/policy files! Whew!
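To make the shape of the explicit-forwarding fix concrete, here is an added illustration of what a firewalld policy object (firewalld >= 0.9.0) expressing "accept traffic forwarded between this zone and anywhere" looks like. It is not taken from Eric's series or from libvirt's shipped policy files; the zone and policy names, the interface and the subnet are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical policy, e.g. /etc/firewalld/policies/example-routed-out.xml.
     A policy sits between an ingress zone and an egress zone and is evaluated
     in firewalld's own nftables table, so forwarded packets no longer depend
     on the zone being "default ACCEPT". -->
<policy target="ACCEPT">
  <short>example-routed-out</short>
  <description>Accept traffic forwarded from the example-libvirt zone
    (constructed name) towards any other zone.</description>
  <ingress-zone name="example-libvirt"/>
  <egress-zone name="ANY"/>
</policy>

<!-- The matching inbound direction (separate file, e.g. example-routed-in.xml)
     swaps the zones and, rather than accepting everything, limits the accept
     to the routed network's own subnet (constructed value). -->
<?xml version="1.0" encoding="utf-8"?>
<policy target="REJECT">
  <short>example-routed-in</short>
  <ingress-zone name="ANY"/>
  <egress-zone name="example-libvirt"/>
  <rule family="ipv4">
    <destination address="192.0.2.0/24"/>
    <accept/>
  </rule>
</policy>

<!-- With forwarding handled by the policies, the zone itself can stop being
     "default ACCEPT" (constructed zone file, e.g. zones/example-libvirt.xml). -->
<?xml version="1.0" encoding="utf-8"?>
<zone target="REJECT">
  <short>example-libvirt</short>
  <interface name="virbr-example"/>
  <forward/>
</zone>
```

Each document above is a separate file; they are shown together only for comparison. After placing such files, `firewall-cmd --reload` followed by `firewall-cmd --info-policy example-routed-out` is the quickest check that the policy was loaded as intended.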
