Bug 2039542

Summary: [RFE] Add support for forward-ports in policies with ingress-zones=HOST and egress-zones={ANY, source based zone}
Product: Red Hat Enterprise Linux 9 Reporter: Matthew Heon <mheon>
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: unspecified Docs Contact: Jaroslav Klech <jklech>
Priority: unspecified    
Version: 9.1CC: jklech, jpeska, todoleza
Target Milestone: rcKeywords: FutureFeature, TestCaseProvided, Triaged, Upstream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firewalld-1.1.1-2.el9 Doc Type: Enhancement
Doc Text:
.The `firewalld` service can forward NAT packets originating from the local host to a different host and port You can forward packets sent from the localhost that runs the `firewalld` service to a different destination port and IP address. The functionality is useful, for example, to forward ports on the `loopback` device to a container or a virtual machine. Prior to this change, `firewalld` could only forward ports when it received a packet that originated from another host. For more details and an illustrative configuration, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters#proc_using-dnat-to-forward-https-traffic-to-a-different-host_using-and-configuring-firewalld[Using DNAT to forward HTTPS traffic to a different host].
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-15 11:22:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2022-06-06   

Description Matthew Heon 2022-01-11 21:54:35 UTC 
Description of problem:

Please add support for firewalld policies with ingress/egress zone set to HOST.

Podman's new network stack, Netavark, uses firewalld (where available) to (among other things) forward ports from the host to containers using firewalld policies and the `forward_ports` API. This is presently working for traffic coming from outside the host, but not for traffic from localhost which attempts to reach the forwarded ports. This functionality is required to prevent regressions from Podman's current network stack. A policy with both ingress-zone and egress-zone set to HOST will allow traffic from localhost to access these forwarded ports.

We intend on working around this via direct iptables rules until this feature is available.

Version-Release number of selected component (if applicable):

Any

How reproducible:

100%

Steps to Reproduce:
N/A

Actual results:
Traffic from localhost is not forwarded

Expected results:
Traffic from localhost is forwarded

Additional info:
Comment 4 Eric Garver 2022-01-14 13:51:59 UTC 
Upstream commits:

54738f2db549 ("test(policy): verify top level policy dispatch")
48983a25f153 ("test(policy): support OUTPUT forward ports")
c5d5be227e3f ("feat(policy): support OUTPUT forward ports")
Comment 27 errata-xmlrpc 2022-11-15 11:22:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8389