Luap99
commented
1 year ago We have been talking about it lately, we should definitely enable it if it works correctly.
Some outstanding work to do so:
- Figure out how to keep this backwards compatible, if we switch the default a container started before the update with iptables will no longer cleanup the rules. There is currently no logic to store this information anywhere.
- Add support for
isolateoption which changes the behaviour if networks can talk to each other (see https://github.com/containers/netavark/pull/703 for example) - Port forwarding on the local host is not working, if I run
podman run -p 80:80 -dt nginxthe port is not reachable via any local address. It is however reachable via other hosts on the same network. This is a major problem and must be fixed.
These are the things I can think of right now. And then we should run test/200-bridge-firewalld.bats and see if any test cases are failing there.
cc @mheon
mheon
https://github.com/containers/netavark/blob/9c40d1f6372a21248ebbd4edff31148ee8de54aa/src/firewall/mod.rs#L67
This section has not been updated since firewalld 1.1.x came out 16 months ago, requiring users to set
NETAVARK_FW=firewalldglobally (e.g. in /etc/environment) to properly use firewalld if present.Been testing it today along with @erig0 (firewalld lead), who requested me to open an issue with you to finalize this support.
Tested with: