-
Notifications
You must be signed in to change notification settings - Fork 271
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default rules conflict with DHCP #35
Comments
Only dhcpdv6-client is enabled by default in the firewall, as this is essential for mostly all clients using IPv6. |
The problem is that this breaks systemd-nspwan containers: The default policy needs to not break systemd on ve-* interfaces. |
I agree there's a conflict, but I'd like to note it goes beyond DHCP. Containers launched with (The default config for systemd-networkd enables ipv4 masquerading for this). After allowing access to DHCP in firewalld, you get an address, but internet-bound packets are rejected as "administratively prohibited":
|
I think this issue could be closed. |
Firewalld upstream is not going to allow DHCP server by default. That can either be done statically by the distribution, or at runtime by the container startup.
Firewalld filters forwarded packets by default. You can add the container's interface to the |
It looks like the default rules conflict with
systemd-networkd
's builtin DHCP server.How to reproduce:
Run a system with:
Launch a new
systemd-nspawn
container withveth
networking:systemd-nspawn --network-veth -bxD /var/lib/machines/centos7.1-base
What should happen:
systemd-nspawn
creates the network interfaceve-centos71-b
systemd-networkd
running on the host picks up the network interface and configures it according to the configuration below (including running a minimal DHCP server to hand out IP configurations to containers):systemd-networkd
running in the container configures the interfacehost0
inside the container based on the configuration below:What happens instead:
host0
interface in the container never receives a DHCP configuration from the DHCP server running on the host because the requests/responses are blocked byfirewalld
on the hostStopping
firewalld
temporarily "fixes" the issue and shows thatfirewalld
is the "culprit" in this case.Although I'm not quite sure yet, how the policy would have to look like exactly, I think this should be probably covered by
firewalld
's default configuration.The text was updated successfully, but these errors were encountered: