From b3a0733dd88cc9192d908f43607ce91009668666 Mon Sep 17 00:00:00 2001
From: Matt Heon <mheon@redhat.com>
Date: Tue, 21 Jan 2025 14:53:16 -0500
Subject: [PATCH] Add handling for firewalld's StrictForwardPorts setting

This mostly amounts to throwing a sensible error in cases where
the setting is enabled and the user has requested ports be
forwarded.

There are no tests at present because firewalld 2.3.x is
currently restricted to Rawhide, and is required for effective
testing.

A manpage has also been added with details on how to work with
the StrictForwardPorts setting (as well as some other tidbits on
firewalld + Podman integration).

Signed-off-by: Matt Heon <mheon@redhat.com>
---
 docs/netavark-firewalld-forwarding.5.md | 85 +++++++++++++++++++++++++
 src/firewall/firewalld.rs               | 51 +++++++++++++++
 src/firewall/iptables.rs                |  2 +
 src/firewall/nft.rs                     |  2 +
 4 files changed, 140 insertions(+)
 create mode 100644 docs/netavark-firewalld-forwarding.5.md

diff --git a/docs/netavark-firewalld-forwarding.5.md b/docs/netavark-firewalld-forwarding.5.md
new file mode 100644
index 000000000..41dda0c2a
--- /dev/null
+++ b/docs/netavark-firewalld-forwarding.5.md
@@ -0,0 +1,85 @@
+% NETAVARK-FIREWALLD 5 Netavark Firewalld Interactions Man Page
+% Matthew Heon
+% January 2025
+
+## Name
+
+netavark-firewalld - description of the interaction of Netavark and firewalld
+
+## Description
+
+Netavark can be used on systems with firewalld enabled without issue.
+When using the default `nftables` or `iptables` firewall drivers, on systems where firewalld is running, firewalld will automatically be configured to allow connectivity to Podman containers.
+All subnets of Podman-managed networks will be automatically added to the `trusted` zone to allow this access.
+
+### Firewalld Driver
+
+There is also a dedicated firewalld driver in Netavark.
+This driver uses the firewalld DBus API to natively interact with firewalld.
+It can be enabled by setting `firewall_driver` to `firewalld` in `containers.conf`.
+The native firewalld driver offers better integration with firewalld, but presently suffers from several limitations.
+It does not support isolation (the `--opt isolate=` option to `podman network create`.
+It also does not currently support connections to a forwarded port of a container on the same host via public IP, only via the IPv4 localhost IP (127.0.0.1).
+
+### Strict Port Forwarding
+
+Since firewalld version 2.3.0, a new setting, `StrictForwardPorts`, has been added.
+The setting is located in `/etc/firewalld/firewalld.conf` and defaults to `no` (disabled).
+When disabled, port forwarding with Podman works as normal.
+When it is enabled (set to `yes`), port forwarding with Podman will become nonfunctional.
+Attempting to start a container or pod with the `-p` or `-P` options will return errors.
+When StrictForwardPorts is enabled, all port forwarding must be done through firewalld using the firewall-cmd tool.
+This ensures that containers cannot allow traffic through the firewall without administrator intervention.
+
+Instead, containers should be started without forwarded ports specified, and preferably with static IPs.
+
+To forward a port externally, the following command should be run, substituting the desired host and container port numbers, protocol, and the container's IP.
+```
+# firewall-cmd --permanent --zone public --add-forward-port=port={HOST_PORT_NUMBER}:proto={PROTOCOL}:toport={CONTAINER_PORT_NUMBER}:toaddr={CONTAINER_IP}
+```
+
+If the container does not have a static IP, it can be found with `podman inspect`:
+```
+# podman inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' {CONTAINER_NAME_OR_ID}
+```
+
+Once the container is stopped or removed, the rule must be manually removed with the following command:
+```
+# firewall-cmd --permanent --zone public --remove-forward-port=port={HOST_PORT_NUMBER}:proto={PROTOCOL}:toport={CONTAINER_PORT_NUMBER}:toaddr={CONTAINER_IP}
+```
+
+To also allow forwarding via IPv4 localhost (`127.0.0.1`), a firewalld policy must be added, as well as a rich rule for each port requiring localhost forwarding.
+Forwarding via IPv6 localhost is not possible due to kernel limitations.
+
+To add the policies required for IPv4 localhost forwarding, the following commands must be run.
+This is only necessary once per system.
+```
+# firewall-cmd --permanent --new-policy localhostForward
+# firewall-cmd --permanent --policy localhostForward --add-ingress-zone HOST
+# firewall-cmd --permanent --policy localhostForward --add-egress-zone ANY
+```
+
+A further rich rule for each container is required:
+```
+# firewall-cmd --permanent --policy localhostForward --add-rich-rule='rule family=ipv4 destination address=127.0.0.0/8 forward-port port={HOST_PORT_NUMBER} protocol={PROTOCOL} to-port={CONTAINER_PORT_NUMBER} to-addr={CONTAINER_IP}'
+```
+
+These rules must be manually removed when the container is stopped or removed with the following command:
+```
+# firewall-cmd --permanent --policy localhostForward --remove-rich-rule='rule family=ipv4 destination address=127.0.0.0/8 forward-port port={HOST_PORT_NUMBER} protocol={PROTOCOL} to-port={CONTAINER_PORT_NUMBER} to-addr={CONTAINER_IP}'
+```
+
+The associated `localhostForward` policy does not need to be removed.
+
+Please also note that, at present, it is not possible to access forwarded ports of a container on the same host via the host's public IP; the rich rule above must be applied instead and access must be via 127.0.0.1, not the public IP of the host.
+
+Please note that the firewalld driver presently bypasses this protection, and will still allow traffic through the firewall when `StrictForwardPorts` is enabled without manual forwarding through `firewall-cmd`.
+This may be changed in a future release.
+
+## SEE ALSO
+
+firewalld(1), firewall-cmd(1), firewalld.conf(5), podman(1), containers.conf(5)
+
+## Authors
+
+Matthew Heon <mheon@redhat.com>
diff --git a/src/firewall/firewalld.rs b/src/firewall/firewalld.rs
index e4274d2e2..0b0a992c2 100644
--- a/src/firewall/firewalld.rs
+++ b/src/firewall/firewalld.rs
@@ -706,3 +706,54 @@ pub fn rm_firewalld_if_possible(net: &ipnet::IpNet) {
         ),
     };
 }
+
+/// Check whether firewalld's StrictForwardPorts setting is enabled.
+/// Returns false if firewalld is not installed, not running, or there is any
+/// error with the process.
+pub fn is_firewalld_strict_forward_enabled() -> bool {
+    let conn = match Connection::system() {
+        Ok(conn) => conn,
+        Err(_) => return false,
+    };
+    if !is_firewalld_running(&conn) {
+        return false;
+    }
+
+    // Fetch current running config
+    match conn.call_method(
+        Some("org.fedoraproject.FirewallD1"),
+        "/org/fedoraproject/FirewallD1/config",
+        Some("org.freedesktop.DBus.Properties"),
+        "Get",
+        &("org.fedoraproject.FirewallD1.config", "StrictForwardPorts"),
+    ) {
+        Ok(b) => match b.body().deserialize() {
+            Ok(res) => return res,
+            Err(_) => return false,
+        },
+        Err(_) => {
+            // Assume any error is related to the property not existing
+            // (As it will not on older firewalld versions)
+            // Return false given that.
+            return false;
+        }
+    };
+}
+
+/// Check if firewalld's StrictForwardPorts setting is enabled and, if so,
+/// whether the container has requested any ports be forwarded. If both are true
+/// return a helpful error that port forwarding cannot be performed.
+pub fn check_can_forward_ports(setup_portfw: &PortForwardConfig) -> NetavarkResult<()> {
+    if is_firewalld_strict_forward_enabled() {
+        let mut portfw_used = setup_portfw.dns_port != 53;
+        if let Some(ports) = setup_portfw.port_mappings {
+            portfw_used = portfw_used || !ports.is_empty();
+        }
+        if portfw_used {
+            return Err(NetavarkError::msg(
+                "Port forwarding not possible as firewalld StrictForwardPorts enabled",
+            ));
+        }
+    }
+    return Ok(());
+}
diff --git a/src/firewall/iptables.rs b/src/firewall/iptables.rs
index 8baaf0112..8edef341c 100644
--- a/src/firewall/iptables.rs
+++ b/src/firewall/iptables.rs
@@ -112,6 +112,8 @@ impl firewall::FirewallDriver for IptablesDriver {
     }
 
     fn setup_port_forward(&self, setup_portfw: PortForwardConfig) -> NetavarkResult<()> {
+        firewalld::check_can_forward_ports(&setup_portfw)?;
+
         if let Some(v4) = setup_portfw.container_ip_v4 {
             let subnet_v4 = match setup_portfw.subnet_v4 {
                 Some(s) => s,
diff --git a/src/firewall/nft.rs b/src/firewall/nft.rs
index ef9722a51..ae7ce404a 100644
--- a/src/firewall/nft.rs
+++ b/src/firewall/nft.rs
@@ -558,6 +558,8 @@ impl firewall::FirewallDriver for Nftables {
         &self,
         setup_portfw: internal_types::PortForwardConfig,
     ) -> NetavarkResult<()> {
+	firewalld::check_can_forward_ports(&setup_portfw)?;
+
         let mut batch = Batch::new();
 
         let existing_rules = get_netavark_rules()?;