Resolves: https://bugzilla.redhat.com/1638342
Creates-and-Resolves: https://bugzilla.redhat.com/1650320
V1: https://www.redhat.com/archives/libvir-list/2019-January/msg00227.html
The detailed explanation of this is in Patch 4/7 and 5/7. Basically,
when firewalld enables their new nftables backend, libvirt virtual
networks lose all ability to forward packets from guests out to the
physical network, and can only communicate with the host itself as
much as firewalld's "public" zone will allow (which isn't much, and
doesn't include DHCP or DNS).
I *think* I've addressed everything in Daniel and John's review
comments. In particular, I've made installation of the libvirt zone
file optional, and if the libvirt zone is missing, I only log an error
if the firewalld backend is set to nftables.
Laine Stump (7):
configure: change HAVE_FIREWALLD to WITH_FIREWALLD
util: move all firewalld-specific stuff into its own files
util: new virFirewallD APIs + docs
configure: selectively install a firewalld 'libvirt' zone
network: set firewalld zone of bridges to "libvirt" zone when appropriate
network: allow configuring firewalld zone for virtual network bridge device
docs: update news.xml for firewalld zone changes
configure.ac | 3 +
docs/firewall.html.in | 38 +++
docs/formatnetwork.html.in | 17 +
docs/news.xml | 40 +++
docs/schemas/basictypes.rng | 6 +
docs/schemas/network.rng | 6 +
include/libvirt/virterror.h | 1 +
libvirt.spec.in | 31 ++
m4/virt-firewalld-zone.m4 | 45 +++
m4/virt-firewalld.m4 | 4 +-
src/conf/network_conf.c | 14 +-
src/conf/network_conf.h | 1 +
src/libvirt_private.syms | 10 +
src/network/Makefile.inc.am | 10 +-
src/network/bridge_driver.c | 6 +-
src/network/bridge_driver_linux.c | 67 ++++
src/network/libvirt.zone | 23 ++
src/nwfilter/nwfilter_driver.c | 6 +-
src/util/Makefile.inc.am | 3 +
src/util/virerror.c | 3 +-
src/util/virfirewall.c | 86 +----
src/util/virfirewalld.c | 373 +++++++++++++++++++++
src/util/virfirewalld.h | 46 +++
src/util/virfirewalldpriv.h | 30 ++
src/util/virfirewallpriv.h | 2 -
tests/networkxml2xmlin/routed-network.xml | 2 +-
tests/networkxml2xmlout/routed-network.xml | 2 +-
tests/virfirewalltest.c | 2 +
28 files changed, 779 insertions(+), 98 deletions(-)
create mode 100644 m4/virt-firewalld-zone.m4
create mode 100644 src/network/libvirt.zone
create mode 100644 src/util/virfirewalld.c
create mode 100644 src/util/virfirewalld.h
create mode 100644 src/util/virfirewalldpriv.h
--
2.20.1
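The cover letter describes a failure mode (firewalld on its nftables backend, no "libvirt" zone available) and the rule the series applies to it (a missing zone is only logged as an error when the backend is nftables). Below is an added pre-flight check for an administrator, written for this page; it is not code from the patch series or from libvirt. It assumes the firewalld backend is read from the FirewallBackend key in firewalld.conf and that a zone is present when a file named <zone>.xml exists in one of the zone directories passed to it; the demo data at the bottom is constructed in a temporary directory, not read from a real host.

```shell
#!/bin/sh
# Added example, not part of the libvirt patch series.
# Assumptions: the backend is the FirewallBackend key in firewalld.conf
# (usually /etc/firewalld/firewalld.conf); a zone "libvirt" is installed when
# libvirt.xml exists in a zone directory (usually /usr/lib/firewalld/zones or
# /etc/firewalld/zones). Both paths are assumptions, not taken from the page.

# Print the configured firewalld backend, or "unset" if the key is absent.
# Arg 1: path to firewalld.conf.
firewalld_backend() {
    conf="$1"
    backend=$(sed -n \
        's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    if [ -n "$backend" ]; then
        printf '%s\n' "$backend"
    else
        printf 'unset\n'
    fi
}

# Return 0 if <zone>.xml exists in any of the given directories, 1 otherwise.
# Arg 1: zone name; remaining args: zone directories to search.
zone_file_present() {
    zone="$1"; shift
    for dir in "$@"; do
        [ -f "$dir/$zone.xml" ] && return 0
    done
    return 1
}

# Combine the two checks into a verdict for the "libvirt" zone:
#   ok    - the zone is installed, bridges can be placed in it
#   error - zone missing AND backend is nftables: guest traffic will be
#           handled by firewalld's default zone and forwarding will break
#   warn  - zone missing but backend is not nftables: the iptables-based
#           rules still work, so this is only worth noting
# This mirrors the rule stated in the cover letter.
# Arg 1: path to firewalld.conf; remaining args: zone directories.
libvirt_zone_status() {
    conf="$1"; shift
    if zone_file_present libvirt "$@"; then
        echo ok
    elif [ "$(firewalld_backend "$conf")" = nftables ]; then
        echo error
    else
        echo warn
    fi
}

# --- constructed demo data (temporary directory, not a real system) ---
demo=$(mktemp -d)
mkdir -p "$demo/usr-zones" "$demo/etc-zones"
printf 'FirewallBackend=nftables\n' > "$demo/firewalld.conf"

# 1. nftables backend, no libvirt zone installed anywhere -> "error"
printf 'before zone install: %s\n' \
    "$(libvirt_zone_status "$demo/firewalld.conf" "$demo/usr-zones" "$demo/etc-zones")"

# 2. install an (empty, constructed) libvirt zone file -> "ok"
: > "$demo/usr-zones/libvirt.xml"
printf 'after zone install:  %s\n' \
    "$(libvirt_zone_status "$demo/firewalld.conf" "$demo/usr-zones" "$demo/etc-zones")"

rm -rf "$demo"

# On a live host the runtime counterpart of this check is to confirm that
# the network's bridge really landed in the zone, e.g.:
#   firewall-cmd --get-zone-of-interface=virbr0
# which should print "libvirt" once the zone is installed and libvirtd has
# (re)started the network.
```

Run it on a real host by replacing the demo paths with /etc/firewalld/firewalld.conf and the two zone directories; the static check is useful before restarting libvirtd, while the firewall-cmd query in the trailing comment verifies the running state afterwards.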