[PATCH 4/4] network: firewalld: add support for routed networks

Wednesday, 11 May 2022

Signed-off-by: Eric Garver <eric(a)garver.life&gt;
---
 src/network/bridge_driver_linux.c  | 6 +++++-
 src/network/libvirt-to-host.policy | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 98d2a33a1da0..2c8e43b427cb 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -859,7 +859,11 @@ int networkAddFirewallRules(virNetworkDef *def)
              * forwarded (and even DHCP and DNS from guest to host
              * will probably no be permitted by the default zone
              */
-            if (virFirewallDZoneExists("libvirt")) {
+            if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE &&
+                virFirewallDZoneExists("libvirt-routed")) {
+                if (virFirewallDInterfaceSetZone(def->bridge,
"libvirt-routed") < 0)
+                    return -1;
+            } else if (virFirewallDZoneExists("libvirt")) {
                 if (virFirewallDInterfaceSetZone(def->bridge, "libvirt")
< 0)
                     return -1;
             } else {
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
index 045b35d58d0d..9ec489dc57b5 100644
--- a/src/network/libvirt-to-host.policy
+++ b/src/network/libvirt-to-host.policy
@@ -8,6 +8,7 @@
   </description>
 
   <ingress-zone name="libvirt" />
+  <ingress-zone name="libvirt-routed" />
   <egress-zone name="HOST" />
 
   <protocol value='icmp'/>
-- 
2.33.0


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH 4/4] network: firewalld: add support for routed networks