On 5/28/20 2:19 AM, Felder, Christian wrote:
> Using iptables is deprecated in RHEL/CentOS 8 and unfortunately the
> default policy for firewalld is hard-wired to ACCEPT as it has another concept
> of using zones which I tried without success in this use-case so far. Note: The CNI is
> added to trusted zone by default.
I haven't moved to CentOS 8 yet, but that's definitely something I'll
need to look at when I do. All of the versions of firewalld I've used
end the FORWARD chain with a REJECT rule that isn't limited to any
specific interface. Unless this is intentional behavior related to the
CNI interface being trusted, it seems like a bug.
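As an added illustration that is not part of the thread, the small checker below parses `iptables -S FORWARD`-style output and flags REJECT/DROP rules that name no input or output interface, which is the firewalld behaviour described above. The rule dump is a constructed sample; the interface name `cni0` is an assumption, not something stated in the thread.

```python
import shlex

# Constructed sample of `iptables -S FORWARD` output on a firewalld host
# (not captured from any real system). The chain ends in a REJECT that
# names no interface, so it applies to every forwarded packet that the
# earlier per-interface ACCEPT rules did not match.
SAMPLE_FORWARD_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -i cni0 -j ACCEPT
-A FORWARD -o cni0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""


def parse_rule(line):
    """Extract the in/out interface and jump target from one `-A CHAIN ...` line."""
    tokens = shlex.split(line)
    rule = {"in": None, "out": None, "target": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-i", "--in-interface") and i + 1 < len(tokens):
            rule["in"] = tokens[i + 1]
            i += 2
        elif tok in ("-o", "--out-interface") and i + 1 < len(tokens):
            rule["out"] = tokens[i + 1]
            i += 2
        elif tok in ("-j", "--jump") and i + 1 < len(tokens):
            rule["target"] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def unscoped_terminal_rules(dump):
    """Return (rule_number, line) for REJECT/DROP rules in the FORWARD chain
    that are not limited to any input or output interface."""
    hits = []
    rule_number = 0
    for line in dump.splitlines():
        if not line.startswith("-A FORWARD"):
            continue  # skip the policy line and any other chains
        rule_number += 1
        rule = parse_rule(line)
        if rule["target"] in ("REJECT", "DROP") and rule["in"] is None and rule["out"] is None:
            hits.append((rule_number, line))
    return hits


if __name__ == "__main__":
    for number, line in unscoped_terminal_rules(SAMPLE_FORWARD_CHAIN):
        print(f"FORWARD rule {number} rejects regardless of interface: {line}")
```

On a live host, feed it the real output of `iptables -S FORWARD` (or the equivalent nft listing translated to this syntax) to see whether the trailing REJECT is interface-scoped.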