Add configurability to Netavark firewall driver

closes #1338 Signed-off-by: Chetan Giradkar <[email protected]>
containers · Nov 24, 2023 · 35fe3a7 · 35fe3a7
1 parent e2da7be
commit 35fe3a7
Show file tree

Hide file tree

Showing 8 changed files with 35 additions and 0 deletions.
diff --git a/libnetwork/netavark/exec.go b/libnetwork/netavark/exec.go
@@ -86,6 +86,9 @@ func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, re
 	if n.dnsBindPort != 0 {
 		env = append(env, "NETAVARK_DNS_PORT="+strconv.Itoa(int(n.dnsBindPort)))
 	}
+	if n.defaultFirewall != "" {
+		env = append(env, "NETAVARK_FW="+n.defaultFirewall)
+	}
 	return n.execBinary(n.netavarkBinary, append(n.getCommonNetavarkOptions(needPlugin), args...), stdin, result, env)
 }
 

diff --git a/libnetwork/netavark/network.go b/libnetwork/netavark/network.go
@@ -36,6 +36,9 @@ type netavarkNetwork struct {
 	// aardvarkBinary is the path to the aardvark binary.
 	aardvarkBinary string
 
+	// defaultFirewall sets the firewall to use
+	defaultFirewall string
+
 	// defaultNetwork is the name for the default network.
 	defaultNetwork string
 	// defaultSubnet is the default subnet for the default network.
@@ -79,6 +82,9 @@ type InitConfig struct {
 	// NetworkRunDir is where temporary files are stored, i.e.the ipam db, aardvark config
 	NetworkRunDir string
 
+	// defaultFirewall sets the firewall to use
+	DefaultFirewall string
+
 	// DefaultNetwork is the name for the default network.
 	DefaultNetwork string
 	// DefaultSubnet is the default subnet for the default network.
@@ -146,6 +152,7 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		aardvarkBinary:     conf.AardvarkBinary,
 		networkRootless:    unshare.IsRootless(),
 		ipamDBPath:         filepath.Join(conf.NetworkRunDir, "ipam.db"),
+		defaultFirewall:    conf.DefaultFirewall,
 		defaultNetwork:     defaultNetworkName,
 		defaultSubnet:      defaultNet,
 		defaultsubnetPools: defaultSubnetPools,

diff --git a/libnetwork/network/interface.go b/libnetwork/network/interface.go
@@ -82,6 +82,7 @@ func NetworkBackend(store storage.Store, conf *config.Config, syslog bool) (type
 			NetavarkBinary:     netavarkBin,
 			AardvarkBinary:     aardvarkBin,
 			PluginDirs:         conf.Network.NetavarkPluginDirs.Get(),
+			DefaultFirewall:    conf.Network.DefaultFirewall,
 			DefaultNetwork:     conf.Network.DefaultNetwork,
 			DefaultSubnet:      conf.Network.DefaultSubnet,
 			DefaultsubnetPools: conf.Network.DefaultSubnetPools,

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -567,6 +567,9 @@ type NetworkConfig struct {
 	// NetavarkPluginDirs is a list of directories which contain netavark plugins.
 	NetavarkPluginDirs attributedstring.Slice `toml:"netavark_plugin_dirs,omitempty"`
 
+	// DefaultFirewall is the default firewall
+	DefaultFirewall string `toml:"default_firewall,omitempty"`
+
 	// DefaultNetwork is the network name of the default network
 	// to attach pods to.
 	DefaultNetwork string `toml:"default_network,omitempty"`

diff --git a/pkg/config/config_local_test.go b/pkg/config/config_local_test.go
@@ -124,6 +124,18 @@ var _ = Describe("Config Local", func() {
 		gomega.Expect(config2.Network.DNSBindPort).To(gomega.Equal(uint16(1153)))
 	})
 
+	It("test firewall", func() {
+		// Given
+		config, err := New(nil)
+		gomega.Expect(err).To(gomega.BeNil())
+		gomega.Expect(config.Network.DefaultFirewall).To(gomega.Equal("iptables"))
+		// When
+		config2, err := NewConfig("testdata/containers_default.conf")
+		// Then
+		gomega.Expect(err).To(gomega.BeNil())
+		gomega.Expect(config2.Network.DNSBindPort).To(gomega.Equal("iptables"))
+	})
+
 	It("parse pasta_options", func() {
 		// Given
 		config, err := New(nil)

diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
@@ -340,6 +340,11 @@ default_sysctls = [
 #  "/usr/lib/netavark",
 #]
 
+# The default firewall to be used
+#
+#default_firewall = iptables
+
+
 # The network name of the default network to attach pods to.
 #
 #default_network = "podman"

diff --git a/pkg/config/default.go b/pkg/config/default.go
@@ -253,6 +253,7 @@ func defaultConfig() (*Config, error) {
 			Volumes:             attributedstring.Slice{},
 		},
 		Network: NetworkConfig{
+			DefaultFirewall:           "iptables",
 			DefaultNetwork:            "podman",
 			DefaultSubnet:             DefaultSubnet,
 			DefaultSubnetPools:        DefaultSubnetPools,

diff --git a/pkg/config/testdata/containers_default.conf b/pkg/config/testdata/containers_default.conf
@@ -121,6 +121,9 @@ default_subnet_pools = [{"base" = "10.89.0.0/16", "size" = 24}, {"base" = "10.90
 
 default_rootless_network_cmd = "pasta"
 
+# firewall to be used by default
+default_firewall = "iptables"
+
 # dns port for netavark/aardvark
 dns_bind_port = 1153