On Thu, Oct 28, 2021 at 06:38:05AM +0000, David Geise wrote:
> Thanks for the informative replies. Apologies in advance, I'm more of
> a network user (cad/cam software developer) and not a network
> engineer. I hope this isn't a waste of your time.
>
> First off, what I've read from various sources (libvirt blogs
> mostly) gives me the impression that libvirt networking has in effect
> pulled back from network configuration due to problematic conflicts
> with NetworkManager, etc. Thus, for example, the more advanced network
> editing features were removed from virt-manager, which is too bad; it
> looks like a lot of work was going into that. Going forward it seems
> guidance is to look to firewalld to tackle VM networking configuration
> / firewall issues. Is this correct?
You'd have to ask the libvirt team. I don't know what they recommend.
> Eric, I seem to be having a conceptual mental disconnect around
> firewalld zones, which seem to be a somewhat abstract concept vs. their
> implementation in traffic routing.
Firewalld zones are conceptual. firewalld does not attempt to manage
route tables.
> I.e. I'm not clear on how to interface a libvirt VM with a zone. I'm
> confused about whether a zone is more of an abstraction that contains
> rules that affect iptables, etc. when interfaces are created, or does a
> zone create a network bridge device itself, for example?
Zones are a symbolic abstraction over interfaces (and source addresses).
They're meant to make things easier to reason about. There is no
associated bridge, routing, or otherwise.
Maybe the visual representation below will help. I included the
libvirtToVpn policy that I suggested. Each box (zone or policy) is a place
where firewalld can attach rules.
    vpn              external          libvirt
    zone              zone              zone
  +------+          +------+         +----------+
  | vpn0 |          | ppp0 |         | libvirt0 |
  |      |          |      |         |          |
  +------+          +------+         +----------+
     ^                                    V
     |                                    |
     |                                    |
     |              +------+              |
     +---<--<--<----|      |---<--<--<----+
                    |      |
                    +------+
                  libvirtToVpn
                     policy
Arrows '<--' represent a flow of traffic.
Zones can use interfaces and source addresses. Policies use ingress
zones (e.g. libvirt) and egress zones (vpn).
Zones are implicitly a policy for the zone to the current host (i.e.
iptables INPUT chain).
> Do the commands you outline create a bridge device named libvirtToVpn
> that I can simply set a VM NIC device to 'bridge' and the bridge name
> to 'libvirtToVpn'?
No. libvirt itself creates a bridge and adds it to the "libvirt"
firewalld zone.
> Is there a place where I can read up on this? I re-read the firewalld
> documentation introduction sections again tonight and it's just not
> clear. Sorry, it's been a 15 hour work day so far today.
Which documents did you read? It's good to know which documents/concepts
aren't clear enough.
> Tonight I didn't get far running the commands you suggested. The
> second line resulted in this:
>
> # firewall-cmd --permanent --policy libvirtToVpn --priority -100
> usage: see firewall-cmd man page
> firewall-cmd: error: unrecognized arguments: --priority -100
My fault. The option is `--set-priority`.
> firewall-cmd --version
> 0.9.3
> I'm assuming priority is a feature in v.1.0.0? I don't mind upgrading
> if the code is stable. I'm looking for the shortest path to a
> solution, am open to early-adoption as long as it's guidance towards a
> mainstream solution. I wonder what cloud hosts are doing today on LTS
> platforms, network scripts like I had hacked together before?
>
> Thanks for your help & apologies for my confusion.
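As an added example (not the command list from this thread, and not firewalld project code), the script below builds the firewall-cmd sequence for the libvirtToVpn policy drawn above, using --set-priority in place of the --priority form that firewall-cmd rejected, and checks the installed firewalld version first. Policy objects, and with them --set-priority, exist from firewalld 0.9.0, so the 0.9.3 quoted above is sufficient. Assumptions: the zone names libvirt and vpn and the priority -100 are taken from the thread; the remaining commands (--new-policy, --add-ingress-zone, --add-egress-zone, --set-target ACCEPT) are my reconstruction of a forwarding policy, and ACCEPT as the target is my choice, not something the thread states.

```shell
#!/bin/sh
# Added example, not the thread's own command list. Builds the firewall-cmd
# sequence for a libvirt -> vpn forwarding policy and checks whether the
# installed firewalld is new enough to have policy objects at all.
# Run as-is to print the commands; run with APPLY=1 as root to execute them.

POLICY=libvirtToVpn        # policy name used in the thread
INGRESS=libvirt            # zone holding the libvirt bridge (traffic enters here)
EGRESS=vpn                 # zone holding vpn0 (traffic leaves here)
PRIORITY=-100              # value from the thread; negative = evaluated before zone rules
MIN_POLICY_VERSION=0.9.0   # policy objects (and --set-priority) arrived in firewalld 0.9.0

# Print the command lines, one per line, using --set-priority rather than
# the --priority form that firewall-cmd rejected in the thread.
# The ACCEPT target is an assumption: it allows forwarding libvirt -> vpn.
policy_cmds() {
  printf '%s\n' \
    "firewall-cmd --permanent --new-policy $POLICY" \
    "firewall-cmd --permanent --policy $POLICY --set-priority $PRIORITY" \
    "firewall-cmd --permanent --policy $POLICY --add-ingress-zone $INGRESS" \
    "firewall-cmd --permanent --policy $POLICY --add-egress-zone $EGRESS" \
    "firewall-cmd --permanent --policy $POLICY --set-target ACCEPT" \
    "firewall-cmd --reload"
}

# Exit 0 when dotted version $1 is >= $2 (e.g. version_ge 0.9.3 0.9.0).
# Sorts the two versions numerically per field and checks that $2 sorts first.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# Exit 0 when the given firewalld version string can create policy objects.
supports_policies() {
  version_ge "$1" "$MIN_POLICY_VERSION"
}

if [ "${APPLY:-0}" = 1 ]; then
  installed=$(firewall-cmd --version)
  supports_policies "$installed" || { echo "firewalld $installed lacks policy objects" >&2; exit 1; }
  policy_cmds | sh -e
else
  policy_cmds
fi
```

Without APPLY=1 the script only prints the six commands, so it can be reviewed before anything touches the running firewall; with APPLY=1 it refuses to run on a firewalld older than 0.9.0 rather than failing part-way through the sequence.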