On Fri, 2019-02-15 at 14:38 +0200, Berend De Schouwer wrote:
> On Fri, 2019-02-15 at 13:05 +0100, Thomas Haller wrote:
> > On Fri, 2019-02-15 at 12:15 +0200, Berend De Schouwer via networkmanager-list wrote:
> >
> > NetworkManager almost never directly configures iptables. The only
> > place is for enabling MASQUERADING, with "ipv4.method=shared".
> > nftables is not supported here, and optimally this could be improved
> > to let firewalld handle this. It's ugly that NetworkManager does this,
> > but you are not using "ipv4.method=shared", are you?
>
> Yes, I am.

OK, then it sounds like a NetworkManager issue.

> > That aside, all that NetworkManager does regarding iptables/firewalld
> > is to call "addInterface", "changeZone", and "removeInterface" on the
> > firewalld D-Bus API -- depending on the "connection.zone" parameter in
> > NetworkManager's connection profile.
>
> The only change seems to be the order of the rules, which indicates a
> race condition. So the entire interface and/or zone do get
> added/removed. So far, I've only seen the nat table trashed
> (pre/postrouting), not input/forward/output.
>
> The order can be wrong in multiple places. It's not always the same
> place.
>
> Does NM both call D-Bus "addInterface" *and* modify iptables manually
> for masquerading? If so, is there a D-Bus API to find out when FirewallD
> is done adding the interface?

[1] are the rules that NetworkManager configures (calling iptables
directly).

In the logfile (with level=TRACE logging, see [2]) you will also see:

 - when NetworkManager calls to firewalld. Grep for "firewall:"
 - when NM calls iptables.

Yes, what NM does here is not optimal, possibly even wrong as you see...

[1] https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/devices/nm-device.c#n10259
[2] https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/contrib/fedora/rpm/NetworkManager.conf#n28

best,
Thomas
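An added example, not part of the thread and not NetworkManager's own code: a small checker for the diagnosis Thomas suggests above, applied to Berend's race-condition hypothesis. It walks a NetworkManager trace log and reports every direct iptables call that lands while a firewalld D-Bus call ("addInterface", "changeZone", "removeInterface") for the same interface is still in flight, which is the interleaving that would explain nat rules ending up in the wrong order. The only facts taken from the thread are that trace logging tags the firewalld calls with "firewall:" and also logs the iptables calls made for ipv4.method=shared; the exact wording of the log lines, the start/completion markers, the timestamp format and the MASQUERADE rule text are all assumptions, and the sample log is constructed.

```python
"""Report iptables calls that interleave with in-flight firewalld D-Bus calls.

Added example for a NetworkManager/firewalld list thread; not NetworkManager
code. The log format below is an assumption built around the thread's two
facts: trace lines for firewalld calls carry the tag "firewall:", and the
direct iptables calls for ipv4.method=shared are logged as well.
"""
import re

# Constructed sample log: message wording, markers and the rule are assumed.
SAMPLE_LOG = """\
<trace> [1550234567.1001] firewall: add-interface 'wlan0' zone 'public': D-Bus call
<trace> [1550234567.1004] device[wlan0]: sharing: running 'iptables --table nat --insert POSTROUTING --source 10.42.0.0/24 ! --destination 10.42.0.0/24 --jump MASQUERADE'
<trace> [1550234567.1020] firewall: add-interface 'wlan0' zone 'public': completed
<trace> [1550234570.5000] firewall: remove-interface 'wlan0' zone 'public': D-Bus call
<trace> [1550234570.5010] firewall: remove-interface 'wlan0' zone 'public': completed
<trace> [1550234570.5012] device[wlan0]: sharing: running 'iptables --table nat --delete POSTROUTING --source 10.42.0.0/24 ! --destination 10.42.0.0/24 --jump MASQUERADE'
"""

TS_RE = re.compile(r"\[(\d+\.\d+)\]")
# "firewall:" is the tag named in the thread; the op names and the
# "D-Bus call" / "completed" markers are assumed for this example.
FIREWALL_RE = re.compile(
    r"firewall: (?P<op>add-interface|change-zone|remove-interface) "
    r"'(?P<ifname>[^']+)'.*: (?P<state>D-Bus call|completed)$"
)
IPTABLES_RE = re.compile(r"running '(?P<cmd>iptables [^']*)'")


def parse_events(log_text):
    """Return (timestamp, kind, detail) tuples in log order.

    kind is 'fw_start' or 'fw_done' for firewalld D-Bus calls and
    'iptables' for a direct iptables invocation; other lines are skipped.
    """
    events = []
    for line in log_text.splitlines():
        ts_match = TS_RE.search(line)
        if not ts_match:
            continue
        ts = float(ts_match.group(1))
        fw = FIREWALL_RE.search(line)
        if fw:
            kind = "fw_start" if fw.group("state") == "D-Bus call" else "fw_done"
            events.append((ts, kind, {"op": fw.group("op"), "ifname": fw.group("ifname")}))
            continue
        ipt = IPTABLES_RE.search(line)
        if ipt:
            events.append((ts, "iptables", {"cmd": ipt.group("cmd")}))
    return events


def find_interleavings(log_text):
    """List iptables calls issued while a firewalld call was still pending.

    Each finding records the interface whose firewalld call had not yet
    completed, which operation it was, and the iptables command that ran.
    """
    pending = {}  # ifname -> firewalld op currently in flight
    findings = []
    for ts, kind, detail in parse_events(log_text):
        if kind == "fw_start":
            pending[detail["ifname"]] = detail["op"]
        elif kind == "fw_done":
            pending.pop(detail["ifname"], None)
        elif kind == "iptables" and pending:
            for ifname, op in pending.items():
                findings.append(
                    {"ts": ts, "ifname": ifname, "pending_op": op, "cmd": detail["cmd"]}
                )
    return findings


if __name__ == "__main__":
    for f in find_interleavings(SAMPLE_LOG):
        print(
            f"{f['ts']:.4f}: iptables ran while firewalld {f['pending_op']} "
            f"on {f['ifname']} was still in flight:\n    {f['cmd']}"
        )
```

On the constructed sample the checker flags the first MASQUERADE insert, which runs before the add-interface call has completed, and stays silent on the delete, which runs only after remove-interface has finished. Against a real trace log the two regular expressions would need to be adjusted to the actual NetworkManager message wording, which this example does not know.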