Re: NetworkManager and FirewallD

On Fri, 2019-02-15 at 14:38 +0200, Berend De Schouwer wrote:
On Fri, 2019-02-15 at 13:05 +0100, Thomas Haller wrote:
On Fri, 2019-02-15 at 12:15 +0200, Berend De Schouwer via networkmanager-list wrote:

NetworkManager almost never directly configures iptables. The only
place is for enabling MASQUERADING, with "ipv4.method=shared".
is not supported here, and optimally this could be improved to
let firewalld handle this. It's ugly that NetworkManager does this;
you are not using "ipv4.method=shared", are you?

Yes, I am.

OK, then it sounds like a NetworkManager issue.

That aside, all that NetworkManager does regarding
is to call "addInterface", "changeZone", and "removeInterface" on
firewalld D-Bus API -- depending on "" parameter in
NetworkManager's connection profile.

The only change seems to be the order of the rules, which indicates a
race condition.  So the entire interface and/or zone do get

So far, I've only seen the nat table trashed (pre/postrouting), not

The order can be wrong in multiple places.  It's not always the same

Does NM both call D-Bus "addInterface" *and* modify iptables manually
for masquerading?  If so, is there a D-Bus API to find out when
FirewallD is done adding the interface?

[1] are the rules that NetworkManager configures (calling iptables

In the logfile (with level=TRACE logging, see [2]) you will also see:

  - when NetworkManager calls to firewalld. Grep for "firewall:"

  - when NM calls iptables.

Yes, what NM does here is not optimal, possibly even wrong as you
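As an added example (not code from this thread, from NetworkManager or from firewalld), a check that flags the symptom Berend describes: it reads the output of `iptables -S -t nat` and reports a MASQUERADE rule that sits ahead of firewalld's POSTROUTING dispatch jumps, which is the ordering a lost race would produce. The firewalld chain names and the shape of NetworkManager's shared-mode rule are assumptions, and both dumps below are constructed.

```python
import re
from typing import List, Optional

# Constructed sample of `iptables -S -t nat` output: firewalld's POSTROUTING
# jumps first, then NetworkManager's shared-mode MASQUERADE rule (assumed shape).
GOOD_NAT = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N POSTROUTING_ZONES
-N POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
"""

# Constructed sample of the same table after the race: the MASQUERADE rule
# was appended before firewalld had added its dispatch chains.
BAD_NAT = """\
-P POSTROUTING ACCEPT
-N POSTROUTING_ZONES
-N POSTROUTING_direct
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES
"""

# Chains firewalld's iptables backend hooks into POSTROUTING (assumed names).
FIREWALLD_CHAINS = {"POSTROUTING_direct", "POSTROUTING_ZONES_SOURCE", "POSTROUTING_ZONES"}

def postrouting_rules(dump: str) -> List[str]:
    """Return the '-A POSTROUTING ...' rules in the order iptables evaluates them."""
    return [ln.strip() for ln in dump.splitlines() if ln.startswith("-A POSTROUTING ")]

def jump_target(rule: str) -> Optional[str]:
    """Extract the '-j TARGET' of a rule, or None if it has no jump."""
    m = re.search(r"-j (\S+)$", rule)
    return m.group(1) if m else None

def find_misordered_masquerade(dump: str) -> Optional[str]:
    """Return the first MASQUERADE rule placed ahead of any firewalld jump, else None."""
    rules = postrouting_rules(dump)
    fw_positions = [i for i, r in enumerate(rules) if jump_target(r) in FIREWALLD_CHAINS]
    if not fw_positions:
        return None  # firewalld is not dispatching from this table; nothing to compare
    first_fw = min(fw_positions)
    for i, rule in enumerate(rules[:first_fw]):
        if jump_target(rule) == "MASQUERADE":
            return rule
    return None

if __name__ == "__main__":
    for name, dump in (("good", GOOD_NAT), ("bad", BAD_NAT)):
        print(name, "->", find_misordered_masquerade(dump) or "order OK")
```

On a live host, feed the function `subprocess.check_output(["iptables", "-S", "-t", "nat"], text=True)` instead of the constructed dumps.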



