@bogdando bogdando commented Oct 22, 2025

Defaults to False. May be useful in hybrid setups, where a full
routing solution is not needed, and outbound only traffic is sufficient

JIRA: OSPRH-18909

@bogdando bogdando requested review from abays and hjensas October 22, 2025 11:40
@bogdando bogdando requested a review from a team as a code owner October 22, 2025 11:40
openshift-ci bot commented Oct 22, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@evallesp

Could you clean up the MR so we can remove the do-not-merge/contains-merge-commits tag and proceed with the review?
Thanks!

@bogdando

> Could you clean up the MR so we can remove the do-not-merge/contains-merge-commits tag and proceed with the review? Thanks!

done

evallesp previously approved these changes Oct 22, 2025

@evallesp evallesp left a comment

LGTM

hjensas commented Oct 22, 2025

I don't think this will solve the problem, masquerading only works for connections initiated behind the interface that masquerades traffic. In this case the BMC needs to connect from the outside to the OCP nodes, so the OCP nodes must be bridged onto the physical network and have IP addresses from the physical network with no masquerading.
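
The direction dependence described in the comment above, as a toy Python model added here (it is not code from this PR or from firewalld): a masquerading gateway keeps a connection-tracking entry only for flows started from inside the zone. All addresses, ports and names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class MasqueradingGateway:
    """Minimal source-NAT model: one external IP, per-flow port mapping."""
    external_ip: str
    next_port: int = 40000
    # (inside_ip, inside_port, remote_ip, remote_port) -> external port
    by_flow: dict = field(default_factory=dict)
    # (external_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    conntrack: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the masqueraded zone: rewrite source, track the flow."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.conntrack[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.external_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from outside: forwarded only if it belongs to a tracked flow."""
        if dst_ip != self.external_ip:
            return None
        return self.conntrack.get((dst_port, src_ip, src_port))


def demo():
    gw = MasqueradingGateway("192.0.2.1")       # constructed hypervisor address
    node = ("192.168.122.10", 51000)            # constructed VM behind the zone
    bmc = ("192.0.2.50", 443)                   # constructed host on the physical net

    # Node-initiated connection (e.g. curl from the node): source is rewritten.
    seen_by_bmc = gw.outbound(*node, *bmc)
    # The reply matches the tracked flow and is translated back to the node.
    reply_to = gw.inbound(*bmc, seen_by_bmc[0], seen_by_bmc[1])
    # A connection the BMC starts itself has no tracked flow and goes nowhere.
    unsolicited = gw.inbound(bmc[0], 33000, gw.external_ip, 8080)
    return seen_by_bmc, reply_to, unsolicited


if __name__ == "__main__":
    for label, value in zip(("seen by BMC", "reply to", "unsolicited"), demo()):
        print(f"{label}: {value}")
```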

@bogdando

PTAL

bogdando commented Oct 23, 2025

> I don't think this will solve the problem, masquerading only works for connections initiated behind the interface that masquerades traffic. In this case the BMC needs to connect from the outside to the OCP nodes, so the OCP nodes must be bridged onto the physical network and have IP addresses from the physical network with no masquerading.

@hjensas but this made the curl command work on OCP master nodes, where it wasn't previously working.
@abays am I right?

PS. In the setup we were debugging, "OCP nodes must be bridged onto the physical network and have IP addresses from the physical network", that was exactly the case. Controller-0 VM did work just fine w/o masquerading. But OCP masters, while having the same bridging config, were not behaving the same way, until we've added that libvirt zone masquerading.

Defaults to False. May be useful in hybrid setups, where a full
routing solution is not needed, and outbound only traffic is sufficient

Signed-off-by: Bohdan Dobrelia <[email protected]>
@bogdando

> > I don't think this will solve the problem, masquerading only works for connections initiated behind the interface that masquerades traffic. In this case the BMC needs to connect from the outside to the OCP nodes, so the OCP nodes must be bridged onto the physical network and have IP addresses from the physical network with no masquerading.
>
> @hjensas but this made the curl command work on OCP master nodes, where it wasn't previously working. @abays am I right?
>
> PS. In the setup we were debugging, "OCP nodes must be bridged onto the physical network and have IP addresses from the physical network", that was exactly the case. Controller-0 VM did work just fine w/o masquerading. But OCP masters, while having the same bridging config, were not behaving the same way, until we've added that libvirt zone masquerading.

I have adjusted the commit msg, thanks!

state: enabled

- name: Enable masquerading for libvirt traffic
when: cifmw_libvirt_manager_firewalld_libvirt_zone_masquerade | default(false) | bool
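
Review bot: the task name "Enable masquerading for libvirt traffic" does not say which firewalld zone it changes, while the variable in the `when:` line refers specifically to the libvirt zone. Consider naming the zone in the task name, for example "Enable masquerading on the firewalld libvirt zone", and adding a short comment above the task stating that it is opt-in through `cifmw_libvirt_manager_firewalld_libvirt_zone_masquerade`, so anyone reading the play output can tell which zone had its source-address handling changed.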

@danpawlik danpawlik Oct 24, 2025

no need to set default because it is in defaults/main.yml

bogdando commented Oct 24, 2025

With a full routing solution, there is no longer a need for this half-measure.

@bogdando bogdando closed this Oct 24, 2025
@bogdando bogdando deleted the hybrid_setups branch October 24, 2025 08:38