2039542 – [RFE] Add support for forward-ports in policies with ingress-zones=HOST and egress-zones={ANY, source based zone}

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2039542 - [RFE] Add support for forward-ports in policies with ingress-zones=HOST and egress-zones={ANY, source based zone}

Summary: [RFE] Add support for forward-ports in policies with ingress-zones=HOST and e...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2022-06-06
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	firewalld
Sub Component:
Version:	9.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Eric Garver
QA Contact:	Tomas Dolezal
Docs Contact:	Jaroslav Klech
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-01-11 21:54 UTC by Matthew Heon
Modified:	2022-11-15 13:21 UTC (History)
CC List:	3 users (show)
Fixed In Version:	firewalld-1.1.1-2.el9
Doc Type:	Enhancement
Doc Text:	.The `firewalld` service can forward NAT packets originating from the local host to a different host and port You can forward packets sent from the localhost that runs the `firewalld` service to a different destination port and IP address. The functionality is useful, for example, to forward ports on the `loopback` device to a container or a virtual machine. Prior to this change, `firewalld` could only forward ports when it received a packet that originated from another host. For more details and an illustrative configuration, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters#proc_using-dnat-to-forward-https-traffic-to-a-different-host_using-and-configuring-firewalld[Using DNAT to forward HTTPS traffic to a different host].
Clone Of:
Environment:
Last Closed:	2022-11-15 11:22:54 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-107497	0	None	None	None	2022-01-11 21:56:15 UTC
Red Hat Product Errata	RHBA-2022:8389	0	None	None	None	2022-11-15 11:22:58 UTC

Description Matthew Heon 2022-01-11 21:54:35 UTC

Description of problem:

Please add support for firewalld policies with ingress/egress zone set to HOST.

Podman's new network stack, Netavark, uses firewalld (where available) to (among other things) forward ports from the host to containers using firewalld policies and the `forward_ports` API. This is presently working for traffic coming from outside the host, but not for traffic from localhost which attempts to reach the forwarded ports. This functionality is required to prevent regressions from Podman's current network stack. A policy with both ingress-zone and egress-zone set to HOST will allow traffic from localhost to access these forwarded ports.

We intend on working around this via direct iptables rules until this feature is available.

Version-Release number of selected component (if applicable):

Any

How reproducible:

100%

Steps to Reproduce:
N/A

Actual results:
Traffic from localhost is not forwarded

Expected results:
Traffic from localhost is forwarded

Additional info:

Comment 4 Eric Garver 2022-01-14 13:51:59 UTC

Upstream commits:

54738f2db549 ("test(policy): verify top level policy dispatch")
48983a25f153 ("test(policy): support OUTPUT forward ports")
c5d5be227e3f ("feat(policy): support OUTPUT forward ports")

Comment 27 errata-xmlrpc 2022-11-15 11:22:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8389

Note You need to log in before you can comment on or make changes to this bug.