On Fri, 2019-02-15 at 12:15 +0200, Berend De Schouwer via networkmanager-list wrote:
Hi,

I've got a connection setup with NetworkManager on Fedora 29, and sometimes on reboot the firewall rules are re-ordered.

The firewall is managed by firewalld. It creates a few zones, and sometimes the rules in the zones are re-ordered. For example, a diff between startups:

    Chain POSTROUTING_ZONES (1 references)
    target     prot opt source               destination
    -POST_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
     POST_home    all  --  0.0.0.0/0            0.0.0.0/0            [goto]
    +POST_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
     POST_FedoraServer  all  --  0.0.0.0/0      0.0.0.0/0            [goto]

This can prevent some traffic from flowing, especially if it re-orders a MASQUERADING rule. Note, in this case it actually broke some traffic swapping public & home in both POST and PRE.

I can fix it by either re-starting NetworkManager, or by dropping the connection and bringing it up again. I can also break it that way. I'm assuming it's triggered by a race condition. It happens on a Raspberry Pi, which is a little slower.

Is there some way to prevent this?
Hi,

TL;DR: this does not sound like a NetworkManager issue to me. Why do you think it is? I would ask firewalld [1].

[1] https://firewalld.org/community.html

NetworkManager almost never directly configures iptables. The only place is for enabling MASQUERADING, with "ipv4.method=shared". nftables is not supported here, and optimally this could be improved to let firewalld handle this. It's ugly that NetworkManager does this, but you are not using "ipv4.method=shared", are you?

That aside, all that NetworkManager does regarding iptables/firewalld is to call "addInterface", "changeZone", and "removeInterface" on the firewalld D-Bus API -- depending on the "connection.zone" parameter in NetworkManager's connection profile.

Note that firewalld may also feed back into NetworkManager: when you modify a zone in firewalld persistently, then firewalld may update "connection.zone" in NetworkManager's profile. This interaction between the two is rather hairy, because they both might call to each other.

best,
Thomas
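An added example, not code from this thread nor from NetworkManager or firewalld: it compares the rule order of firewalld's zone-dispatch chains between two `iptables -L` captures saved at different boots, so a swap like the POST_public/POST_home one reported above is flagged as a reordering rather than a membership change. The two captures are constructed to mirror the POSTROUTING_ZONES diff in the original post.

```python
"""Flag firewalld zone-dispatch chains whose rule order changed between boots.
Input is the text of `iptables -t nat -L POSTROUTING_ZONES` (or the whole
table) captured after each boot; the captures below are constructed."""
from __future__ import annotations
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(\d+ references\)")

def parse_chains(capture: str) -> dict[str, list[str]]:
    """Map each chain name to the ordered list of its rule targets."""
    chains: dict[str, list[str]] = {}
    current = None
    for line in capture.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target "):
            chains[current].append(line.split()[0])  # first column is the target
    return chains

def diff_chains(before: str, after: str) -> dict[str, str]:
    """Classify each chain: 'same', 'reordered' (same targets, new order) or 'changed'."""
    b, a = parse_chains(before), parse_chains(after)
    result = {}
    for chain in sorted(set(b) | set(a)):
        bo, ao = b.get(chain, []), a.get(chain, [])
        if bo == ao:
            result[chain] = "same"
        elif sorted(bo) == sorted(ao):
            result[chain] = "reordered"  # the symptom described in the thread
        else:
            result[chain] = "changed"    # a zone was added or removed instead
    return result

# Constructed captures: boot 2 differs from boot 1 only in the POST_* order.
BOOT_1 = """\
Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination
POST_public  all  --  0.0.0.0/0  0.0.0.0/0  [goto]
POST_home  all  --  0.0.0.0/0  0.0.0.0/0  [goto]
POST_FedoraServer  all  --  0.0.0.0/0  0.0.0.0/0  [goto]

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination
PRE_public  all  --  0.0.0.0/0  0.0.0.0/0  [goto]
PRE_home  all  --  0.0.0.0/0  0.0.0.0/0  [goto]
"""
# Swap POST_public and POST_home to reproduce the reported reordering.
BOOT_2 = BOOT_1.replace("POST_public", "TMP").replace("POST_home", "POST_public").replace("TMP", "POST_home")
```

Running `diff_chains(BOOT_1, BOOT_2)` reports POSTROUTING_ZONES as "reordered" and PREROUTING_ZONES as "same".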