Thanks for the informative replies. Apologies in advance, I'm more of a network user (cad/cam software developer) and not a network engineer. I hope this isn't a waste of your time.
First off, from what I've read from various sources (libvirt blogs mostly) gives me the impression that libvirt networking has in effect pulled back from network configuration due to problematic conflicts with NetworkManager, etc. Thus for example the more advanced network editing features were removed from virt-manager. Which is too bad, it looks like a lot of work was going into that. Going forward it seems guidance is to look to firewalld to tackle VM networking configuration / firewall issues. Is this correct?
Eric, I seem to be having a conceptual mental disconnect around firewalld zones which seem to be a somewhat abstract concept vs their implementation in traffic routing. I.e. I'm not clear on how to interface a libvirt VM with a zone. I'm confused about whether a zone is more of an abstraction that contains rules that affect iptables, etc. when interfaces are created or does a zone create a network bridge device itself for example?
Do the commands you outline create a bridge device named libvirtToVpn that I can simply set a VM NIC device to 'bridge' and the bridge name to 'libvirtToVpn'? Is there a place where I can read up on this? I re-read the firewalld documentation introduction sections again tonight and it's just not clear. Sorry, it's been a 15 hour work day so far today.
Tonight I didn't get far running the commands you suggested. The second line resulted in this:

# firewall-cmd --permanent --policy libvirtToVpn --priority -100
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --priority -100

firewall-cmd --version
0.9.3
I'm assuming priority is a feature in v.1.0.0? I don't mind upgrading if the code is stable. I'm looking for the shortest path to a solution, am open to early-adoption as long as it's guidance towards a mainstream solution. I wonder what cloud hosts are doing today on LTS platforms, network scripts like I had hacked together before?
Thanks for your help & apologies for my confusion.
On Thu, Oct 28, 2021 at 06:38:05AM +0000, David Geise wrote:
> Thanks for the informative replies. Apologies in advance, I'm more of a network user (cad/cam software developer) and not a network engineer. I hope this isn't a waste of your time.
>
> First off, from what I've read from various sources (libvirt blogs mostly) gives me the impression that libvirt networking has in effect pulled back from network configuration due to problematic conflicts with NetworkManager, etc. Thus for example the more advanced network editing features were removed from virt-manager. Which is too bad, it looks like a lot of work was going into that. Going forward it seems guidance is to look to firewalld to tackle VM networking configuration / firewall issues. Is this correct?
You'd have to ask the libvirt team. I don't know what they recommend.
> Eric, I seem to be having a conceptual mental disconnect around firewalld zones which seem to be a somewhat abstract concept vs their implementation in traffic routing.
Firewalld zones are conceptual. firewalld does not attempt to manage route tables.
> I.e. I'm not clear on how to interface a libvirt VM with a zone. I'm confused about whether a zone is more of an abstraction that contains rules that affect iptables, etc. when interfaces are created or does a zone create a network bridge device itself for example?

Zones are a symbolic abstraction over interfaces (and source addresses). They're meant to make things easier to reason about. There is no associated bridge, routing, or otherwise.
Maybe the visual representation below will help. I included the libvirtToVpn policy that I suggested. Each box (zone or policy) is a place that firewalld can attach rules.

    vpn           external        libvirt
    zone            zone            zone
  +------+        +------+      +----------+
  | vpn0 |        | ppp0 |      | libvirt0 |
  |      |        |      |      |          |
  +------+        +------+      +----------+
     ^                               V
     |                               |
     |            +------+           |
     +---<--<--<--|      |--<--<--<--+
                  |      |
                  +------+
            libvirtToVpn policy
Arrows '<--' represent a flow of traffic.
Zones can use interfaces and source addresses. Policies use ingress zones (e.g. libvirt) and egress zones (vpn).
Zones are implicitly a policy for the zone to the current host (i.e. iptables INPUT chain).
> Do the commands you outline create a bridge device named libvirtToVpn that I can simply set a VM NIC device to 'bridge' and the bridge name to 'libvirtToVpn'?
No. libvirt itself creates a bridge and adds it to the "libvirt" firewalld zone.
> Is there a place where I can read up on this? I re-read the firewalld documentation introduction sections again tonight and it's just not clear. Sorry, it's been a 15 hour work day so far today.
Which documents did you read? It's good to know which documents/concepts aren't clear enough.
> Tonight I didn't get far running the commands you suggested. The second line resulted in this:
>
> # firewall-cmd --permanent --policy libvirtToVpn --priority -100
> usage: see firewall-cmd man page
> firewall-cmd: error: unrecognized arguments: --priority -100
My fault. The option is `--set-priority`.
> firewall-cmd --version
> 0.9.3
>
> I'm assuming priority is a feature in v.1.0.0? I don't mind upgrading if the code is stable. I'm looking for the shortest path to a solution, am open to early-adoption as long as it's guidance towards a mainstream solution. I wonder what cloud hosts are doing today on LTS platforms, network scripts like I had hacked together before?
>
> Thanks for your help & apologies for my confusion.
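To make the corrected sequence concrete, the script below is an added example; it is not part of this thread and not firewalld's own documentation. It builds the libvirtToVpn policy with the `--set-priority` option that Eric corrects above, taking the libvirt zone as ingress and a vpn zone as egress, as in the diagram. The zone and interface names ("vpn", "vpn0"), the ACCEPT target, and the DRY_RUN/run helpers are assumptions, not anything stated in the thread. Note that with 0.9.3 the error only complained about `--priority`, not about `--policy`, so policy objects are already available on that version.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): create the
# "libvirtToVpn" firewalld policy with the correct --set-priority option.
# Zone/interface names and the ACCEPT target are assumptions for a host
# where libvirt's bridge is in the "libvirt" zone and the VPN interface
# "vpn0" should live in a "vpn" zone.

POLICY=${POLICY:-libvirtToVpn}
INGRESS_ZONE=${INGRESS_ZONE:-libvirt}
EGRESS_ZONE=${EGRESS_ZONE:-vpn}
VPN_IF=${VPN_IF:-vpn0}

# Dry-run unless firewall-cmd is present (or DRY_RUN is set explicitly), so
# the command sequence can be read and checked on a machine without firewalld.
if [ -z "$DRY_RUN" ]; then
    if command -v firewall-cmd >/dev/null 2>&1; then DRY_RUN=0; else DRY_RUN=1; fi
fi

# Echo the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Permanent configuration for the policy, followed by a reload and a check.
policy_commands() {
    # A zone for the VPN interface. libvirt already places its bridge in the
    # "libvirt" zone, so that zone is not created here.
    run firewall-cmd --permanent --new-zone "$EGRESS_ZONE"
    run firewall-cmd --permanent --zone "$EGRESS_ZONE" --add-interface "$VPN_IF"

    # The policy: traffic entering from the libvirt zone and leaving via vpn.
    run firewall-cmd --permanent --new-policy "$POLICY"
    # This is the line that failed in the thread; the option is --set-priority.
    # A negative priority sorts the policy before the default ones.
    run firewall-cmd --permanent --policy "$POLICY" --set-priority -100
    run firewall-cmd --permanent --policy "$POLICY" --add-ingress-zone "$INGRESS_ZONE"
    run firewall-cmd --permanent --policy "$POLICY" --add-egress-zone "$EGRESS_ZONE"
    # Policies default to target CONTINUE. ACCEPT forwards all guest traffic to
    # the VPN; use --add-service/--add-rich-rule instead to allow only specific
    # traffic.
    run firewall-cmd --permanent --policy "$POLICY" --set-target ACCEPT

    run firewall-cmd --reload
    # Show what firewalld actually recorded for the policy.
    run firewall-cmd --info-policy "$POLICY"
}

# Self-check: the generated command lines must use --set-priority and must not
# contain the bare --priority option that produced "unrecognized arguments".
check_commands() {
    out=$(DRY_RUN=1; policy_commands)
    echo "$out" | grep -q -- '--set-priority -100' || return 1
    echo "$out" | grep -q -- ' --priority ' && return 1
    return 0
}

policy_commands
```

Without firewall-cmd installed the script only prints the nine commands it would run; on the VM host, run it as root with DRY_RUN=0 to apply them, then confirm the zones with `firewall-cmd --get-active-zones`.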
firewalld-users@lists.fedorahosted.org