On Tue, Sep 15, 2020 at 09:22:38AM -0000, Gal Anonim wrote:
After creating openvswitch bridge, there are multiple interfaces ("ovs
parts") left. To which firewalld zones they belong? (entire setup is
working - I am just researching proper configuration)
IIRC, firewalld won't see the packets on OVS ports.
ovs bridge was created via nmcli, existing interfaces (nmcli c s):
br0 - ovs-bridge
br0_p01 - ovs-port
br0_p02 - ovs-port
br0_p01_i - ovs-interface (this is the only one with IP address)
ens1 - ethernet
(ip a s) shows only ens1 and br0_p01_i interfaces.
(firewall-cmd --get-active-zones) shows all of them.
The functional interface (br0_p01_i) belongs to zone with whatever its function is
(internal, external, dmz, ...).
If IP traffic hits br0_p01_i and it gets routed then it should pass
through firewalld (and all netfilter). However, only firewalld v0.9.0 or
later support FORWARD filtering. Previous releases will simply DROP the
forwarded traffic or ACCEPT depending on the zone. For example,
"trusted" zone accepts all forwarded traffic.
See the option `--set-target` in man page firewall-cmd for more details.
All of the remaining interfaces ended up in public zone (I am
guessing NM added them to "default" zone).
Can I disable all of the filtering (by firewalld) on the ovs bridge? How?
If it's a layer 2 bridge then firewalld won't see the packets so it
won't be filtering. Unless of course kernel module br_netfilter is in
use (probably not).
Since ovs is layer 2, than in theory firewalld (which is basicly
3 filter) should not be involved at all. Than why assign, a non-layer
3 interfaces to a layer 3 firewall zone?
Good question. I don't have an answer.
NM is probably assigning them because it's hitting a generic code path.
I think it's harmless.