Firewalld portforwarding also affects containers

[maxxberg]

Hi,

I'm trying to run podman with the native implementation for firewalld and have a problem. I hope you can help me with that.

Affected OS: Fedora 37-39
Affected Podman versions: 4.6-4.8
Affected netavark versions: 1.6-1.8

Systemwide environment variable NETAVARK_FW=firewalld is set.

Running a reverse proxy at port 80 & 443, adds the corresponding rules to the firewalld policy netavark_portfwd.
This policy has INGRESS_ZONE=ANY.

Problem: Any container, even the reverse proxy itself, trying to access an external website gets redirected to the reverse_proxy container.

My solution is to set INGESS_ZONE to the public zone, which receives all external traffic.

Is this a bug or am I doing something wrong, that netavark causes this issue?

[Luap99]

We do not recommend using firewalld driver right now, see #722.

But yes this sounds like a bug that should be fixed.