Merge pull request #1750 from cgiradkar/1338-Firewall

Add configurability to Netavark firewall driver

docs/containers.conf.5.md

@@ -449,6 +449,14 @@ and __$HOME/.config/cni/net.d__ as rootless.
 For the netavark backend "/etc/containers/networks" is used as root
 and "$graphroot/networks" as rootless.
 
+**firewall_driver**=""
+
+The firewall driver to be used by netavark.
+The default is empty which means netavark will pick one accordingly. Current supported 
+drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+experimental at the moment and not recommend outside of testing). In the future we are
+planning to add support for a "nftables" driver.
+
 **dns_bind_port**=53
 
 Port to use for dns forwarding daemon with netavark in rootful bridge

libnetwork/netavark/exec.go

@@ -86,6 +86,9 @@ func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, re
 	if n.dnsBindPort != 0 {
 		env = append(env, "NETAVARK_DNS_PORT="+strconv.Itoa(int(n.dnsBindPort)))
 	}
+	if n.firewallDriver != "" {
+		env = append(env, "NETAVARK_FW="+n.firewallDriver)
+	}
 	return n.execBinary(n.netavarkBinary, append(n.getCommonNetavarkOptions(needPlugin), args...), stdin, result, env)
 }
 

libnetwork/netavark/network.go

@@ -36,6 +36,9 @@ type netavarkNetwork struct {
 	// aardvarkBinary is the path to the aardvark binary.
 	aardvarkBinary string
 
+	// firewallDriver sets the firewall driver to use
+	firewallDriver string
+
 	// defaultNetwork is the name for the default network.
 	defaultNetwork string
 	// defaultSubnet is the default subnet for the default network.
@@ -79,6 +82,9 @@ type InitConfig struct {
 	// NetworkRunDir is where temporary files are stored, i.e.the ipam db, aardvark config
 	NetworkRunDir string
 
+	// FirewallDriver sets the firewall driver to use
+	FirewallDriver string
+
 	// DefaultNetwork is the name for the default network.
 	DefaultNetwork string
 	// DefaultSubnet is the default subnet for the default network.
@@ -146,6 +152,7 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		aardvarkBinary:     conf.AardvarkBinary,
 		networkRootless:    unshare.IsRootless(),
 		ipamDBPath:         filepath.Join(conf.NetworkRunDir, "ipam.db"),
+		firewallDriver:     conf.FirewallDriver,
 		defaultNetwork:     defaultNetworkName,
 		defaultSubnet:      defaultNet,
 		defaultsubnetPools: defaultSubnetPools,

libnetwork/network/interface.go

@@ -82,6 +82,7 @@ func NetworkBackend(store storage.Store, conf *config.Config, syslog bool) (type
 			NetavarkBinary:     netavarkBin,
 			AardvarkBinary:     aardvarkBin,
 			PluginDirs:         conf.Network.NetavarkPluginDirs.Get(),
+			FirewallDriver:     conf.Network.FirewallDriver,
 			DefaultNetwork:     conf.Network.DefaultNetwork,
 			DefaultSubnet:      conf.Network.DefaultSubnet,
 			DefaultsubnetPools: conf.Network.DefaultSubnetPools,

pkg/config/config.go

@@ -567,6 +567,9 @@ type NetworkConfig struct {
 	// NetavarkPluginDirs is a list of directories which contain netavark plugins.
 	NetavarkPluginDirs attributedstring.Slice `toml:"netavark_plugin_dirs,omitempty"`
 
+	// FirewallDriver is the firewall driver to be used
+	FirewallDriver string `toml:"firewall_driver,omitempty"`
+
 	// DefaultNetwork is the network name of the default network
 	// to attach pods to.
 	DefaultNetwork string `toml:"default_network,omitempty"`

pkg/config/config_local_test.go

@@ -124,6 +124,18 @@ var _ = Describe("Config Local", func() {
 		gomega.Expect(config2.Network.DNSBindPort).To(gomega.Equal(uint16(1153)))
 	})
 
+	It("test firewall", func() {
+		// Given
+		config, err := New(nil)
+		gomega.Expect(err).To(gomega.BeNil())
+		gomega.Expect(config.Network.FirewallDriver).To(gomega.Equal(string("")))
+		// When
+		config2, err := NewConfig("testdata/containers_default.conf")
+		// Then
+		gomega.Expect(err).To(gomega.BeNil())
+		gomega.Expect(config2.Network.FirewallDriver).To(gomega.Equal("none"))
+	})
+
 	It("parse pasta_options", func() {
 		// Given
 		config, err := New(nil)

pkg/config/containers.conf

@@ -340,6 +340,14 @@ default_sysctls = [
 #  "/usr/lib/netavark",
 #]
 
+# The firewall driver to be used by netavark.
+# The default is empty which means netavark will pick one accordingly. Current supported 
+# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+# experimental at the moment and not recommend outside of testing). In the future we are
+# planning to add support for a "nftables" driver.
+#firewall_driver = ""
+
+
 # The network name of the default network to attach pods to.
 #
 #default_network = "podman"

pkg/config/default.go

@@ -253,6 +253,7 @@ func defaultConfig() (*Config, error) {
 			Volumes:             attributedstring.Slice{},
 		},
 		Network: NetworkConfig{
+			FirewallDriver:            "",
 			DefaultNetwork:            "podman",
 			DefaultSubnet:             DefaultSubnet,
 			DefaultSubnetPools:        DefaultSubnetPools,

pkg/config/testdata/containers_default.conf

@@ -121,6 +121,9 @@ default_subnet_pools = [{"base" = "10.89.0.0/16", "size" = 24}, {"base" = "10.90
 
 default_rootless_network_cmd = "pasta"
 
+# firewall driver to be used by default
+firewall_driver = "none"
+
 # dns port for netavark/aardvark
 dns_bind_port = 1153