[Pkg-utopia-maintainers] Bug#909574: Bug#909574: firewalld: FirewallBackend=nftables breaks NAT networks in libvirt

Eric Garver eric at garver.life
Mon Nov 12 13:35:38 GMT 2018


On Sat, Nov 10, 2018 at 05:00:21PM +0100, Michael Biebl wrote:
> Hi
> 
> > On 10.11.18 at 15:47, Ralf Jung wrote:
> > According to https://bugzilla.redhat.com/show_bug.cgi?id=1638342, Fedora changed
> > the default for FirewallBackend back until libvirt works with
> > FirewallBackend=nftables.  Might be worth doing that in Debian as well?
> 
> I was under the impression that switching back to nftables would break
> other use cases,

I'm not aware of any such scenarios caused by switching.

> so I'm between a rock and a hard place, it's not even possible to
> make the test-suite pass with the iptables backend.

The upstream testsuite runs tests for both backends. Perhaps there is a
separate issue causing tests to fail.

> I'd really like to get input from upstream (CCed Eric) on this matter
> whether they really consider the nftables backend not ready yet.

We consider it ready. However, there are clearly some integration
issues. In the past projects have not fully integrated, but instead
side-stepped firewalld by injecting their own iptables rules.

Regarding libvirt, a short term fix we've used elsewhere is for the
libvirt package to provide its own zone definition with interfaces
virbr0, etc. attached to that zone. The zone also uses the "accept"
policy/target. This allows the VM traffic to pass through firewalld as
firewalld just accepts everything. The major downside to this is that VM
-> Host traffic is not filtered - we're still working on a solution for
that, but it will require work on libvirt's side as well.

Upstream report here:

   https://github.com/firewalld/firewalld/issues/397

> If so, imho the best course of action would be if upstream switches the
> default back.

That won't happen. Firewalld moved to nftables for good reasons. The
iptables backend is still fully supported even though it's not the
default.
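As an illustration of the short-term workaround described above (a package-provided zone with the libvirt bridge interfaces attached and an ACCEPT target), here is a firewalld zone definition in the format firewalld.zone(5) documents. This is an added example, not a file shipped by the libvirt or firewalld projects; the zone name "libvirt", the interface list and the install path are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example zone file (added example, not from libvirt or firewalld).
     Assumed install path: /usr/lib/firewalld/zones/libvirt.xml
     Assumed zone name "libvirt"; assumed bridge interfaces virbr0 and virbr1. -->
<zone target="ACCEPT">
  <short>libvirt</short>
  <description>
    Bridge interfaces of libvirt NAT networks. The ACCEPT target lets VM
    traffic pass through firewalld without per-service rules; as noted in
    the thread, this also leaves VM-to-host traffic unfiltered.
  </description>
  <!-- Interfaces bound here are placed in this zone when firewalld loads
       the file, so the packaged default "public" zone no longer governs them. -->
  <interface name="virbr0"/>
  <interface name="virbr1"/>
</zone>
```

A packaged zone file belongs under /usr/lib/firewalld/zones/, while an administrator's own copy in /etc/firewalld/zones/ takes precedence over it. After installing the file, `firewall-cmd --reload` loads the zone, `firewall-cmd --get-zone-of-interface=virbr0` confirms the interface binding, and `firewall-cmd --info-zone=libvirt` should report `target: ACCEPT`. The same result can be produced without a file using `firewall-cmd --permanent --new-zone=libvirt`, `--zone=libvirt --set-target=ACCEPT` and `--zone=libvirt --add-interface=virbr0`, followed by a reload.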
