Status of firewalld support

[lahwaacz]

I noticed that containers.conf(5) says:

Current supported drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is experimental at the moment and not recommend outside of testing). In the future we are planning to add support for a "nftables" driver.

However, this seems to be outdated since netavark already has a nftables backend. There is also an open issue to detect firewalld by default.

So is firewalld still considered experimental? What functionality is still missing?

Also, does netavark actually use the firewall_driver option from containers.conf or is it only configurable with the NETAVARK_FW environment variable?

[mheon]

Hi,

Firewalld support has major issues with port forwarding. These were being worked on in #885 but that stalled due to needed changes in firewalld itself. I believe those have landed, so I'm going to start working on that again and try and get it merged.

Once it does merge, the situation is still not perfect. The way the firewalld driver is structured at the moment, isolation between networks is impossible; a major rewrite of our firewalld implementation will be necessary to allow this (each network will have to become a separate zone). I am hesitant to call firewalld fully functional and supported until this happens, given it will likely be a breaking format change (though not a serious one; you'd just have to firewall-cmd --reload after upgrading to a Netavark with the rewrite).

We use both the containers.conf option and environment variable. If both are present, the environment variable takes precedence.