On 2020-06-24 22:34, Eric Garver wrote:
On Thu, Jun 18, 2020 at 05:47:21AM +0800, Ed Greshko wrote:
On 2020-06-18 04:32, Eric Garver wrote:
[..]
Even that wouldn't explain why, with the middle system's 3 interfaces being 192.168.122.1/192.168.1.18/192.168.2.127, I can't ssh to 192.168.1.142 from 2.116 with the FW up.

The 192.168.1.0/24 network wasn't shown in your diagram. If it's part of the "public" zone, then that makes sense. firewalld will block the forwarded traffic. The next firewalld feature release has a new feature to allow intra zone forwarding [1].

Yes, I didn't put that network in the diagram since it seemed to me irrelevant to the initial problem/question.

I can see how the new feature would affect an ssh from .2.116 to .1.142, since enp2s0 and wlp4s0 are both in the public zone.

[egreshko@meimei ~]$ sudo firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: enp2s0 wlp4s0

But, the original problem I'm trying to resolve is ssh (or any traffic) from .2.116 to .122.152, which would be between the public and libvirt zones.

[1]: https://firewalld.org/2020/04/intra-zone-forwarding

Is there a roadmap for the next release?

Seems like you have two issues here:

 1) libvirt's iptables rules are blocking public --> VM traffic
    - this must be addressed via libvirt

But, I get no log messages when I set --set-log-denied=all. Shouldn't those be logged?

And, why did this all work prior to 6/5?
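The zone check that the thread turns on (are the two interfaces in the same zone, so that intra-zone forwarding is the relevant knob, or in different zones, where the libvirt rules are what matters) can be scripted. The shell below is an added example, not code from the thread or from firewalld: it parses the output format of `firewall-cmd --get-active-zones` and reports which case applies. The sample output is constructed to match what is quoted above; `--add-forward` and `--get-log-denied` are real firewall-cmd options (intra-zone forwarding shipped in firewalld 0.9.0), but the live branch only runs when `firewall-cmd` is installed and two interface names are given, since it needs root and a running firewalld.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of firewalld itself.
# Parses `firewall-cmd --get-active-zones` output and reports whether two
# interfaces are in the same zone (intra-zone forwarding, firewalld >= 0.9.0)
# or in different zones (where the libvirt rules from the thread still apply).

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE_ZONES='libvirt
  interfaces: virbr0
public
  interfaces: enp2s0 wlp4s0'

# zone_of ZONES_TEXT IFACE: print the zone that lists IFACE; exit 1 if none does.
zone_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { zone = $1; next }            # unindented line names a zone
        $1 == "interfaces:" {                     # indented line lists its interfaces
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# same_zone ZONES_TEXT IFACE_A IFACE_B: exit 0 only if both are in one zone.
same_zone() {
    a=$(zone_of "$1" "$2") || return 1
    b=$(zone_of "$1" "$3") || return 1
    [ "$a" = "$b" ]
}

# verdict ZONES_TEXT IFACE_A IFACE_B: one line saying which firewalld knob applies.
verdict() {
    a=$(zone_of "$1" "$2") || { echo "$2: not in any active zone"; return 1; }
    b=$(zone_of "$1" "$3") || { echo "$3: not in any active zone"; return 1; }
    if [ "$a" = "$b" ]; then
        echo "$2 and $3 are both in zone '$a': forwarding between them needs intra-zone forwarding (firewall-cmd --zone=$a --add-forward)"
    else
        echo "$2 is in '$a' and $3 is in '$b': different zones, intra-zone forwarding does not apply"
    fi
}

# Live run only when firewalld is present and two interface names are given;
# otherwise demonstrate on the constructed sample.
if [ $# -eq 2 ] && command -v firewall-cmd >/dev/null 2>&1; then
    verdict "$(firewall-cmd --get-active-zones)" "$1" "$2"
    # Denied packets are only logged when this is not "off"; check it before
    # looking for them in the kernel log.
    firewall-cmd --get-log-denied
else
    verdict "$SAMPLE_ZONES" enp2s0 wlp4s0
    verdict "$SAMPLE_ZONES" enp2s0 virbr0
fi
```

On the sample from the thread, `enp2s0`/`wlp4s0` come out as the intra-zone case and `enp2s0`/`virbr0` as the cross-zone case, which is the split Eric draws between the two issues.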