[libvirt] [PATCH v2 0/7] network: fix networking for firewalld+nftables

Laine Stump laine at laine.org
Fri Feb 1 01:24:51 UTC 2019


Resolves: https://bugzilla.redhat.com/1638342
Creates-and-Resolves: https://bugzilla.redhat.com/1650320

V1: https://www.redhat.com/archives/libvir-list/2019-January/msg00227.html

The detailed explanation of this is in Patch 4/7 and 5/7. Basically,
when firewalld enables their new nftables backend, libvirt virtual
networks lose all ability to forward packets from guests out to the
physical network, and can only communicate with the host itself as
much as firewalld's "public" zone will allow (which isn't much, and
doesn't include DHCP or DNS).

I *think* I've addressed everything in Daniel and John's review
comments. In particular, I've made installation of the libvirt zone
file optional, and if the libvirt zone is missing, I only log an error
if the firewalld backend is set to nftables.

Laine Stump (7):
  configure: change HAVE_FIREWALLD to WITH_FIREWALLD
  util: move all firewalld-specific stuff into its own files
  util: new virFirewallD APIs + docs
  configure: selectively install a firewalld 'libvirt' zone
  network: set firewalld zone of bridges to "libvirt" zone when
    appropriate
  network: allow configuring firewalld zone for virtual network bridge
    device
  docs: update news.xml for firewalld zone changes

 configure.ac                               |   3 +
 docs/firewall.html.in                      |  38 +++
 docs/formatnetwork.html.in                 |  17 +
 docs/news.xml                              |  40 +++
 docs/schemas/basictypes.rng                |   6 +
 docs/schemas/network.rng                   |   6 +
 include/libvirt/virterror.h                |   1 +
 libvirt.spec.in                            |  31 ++
 m4/virt-firewalld-zone.m4                  |  45 +++
 m4/virt-firewalld.m4                       |   4 +-
 src/conf/network_conf.c                    |  14 +-
 src/conf/network_conf.h                    |   1 +
 src/libvirt_private.syms                   |  10 +
 src/network/Makefile.inc.am                |  10 +-
 src/network/bridge_driver.c                |   6 +-
 src/network/bridge_driver_linux.c          |  67 ++++
 src/network/libvirt.zone                   |  23 ++
 src/nwfilter/nwfilter_driver.c             |   6 +-
 src/util/Makefile.inc.am                   |   3 +
 src/util/virerror.c                        |   3 +-
 src/util/virfirewall.c                     |  86 +----
 src/util/virfirewalld.c                    | 373 +++++++++++++++++++++
 src/util/virfirewalld.h                    |  46 +++
 src/util/virfirewalldpriv.h                |  30 ++
 src/util/virfirewallpriv.h                 |   2 -
 tests/networkxml2xmlin/routed-network.xml  |   2 +-
 tests/networkxml2xmlout/routed-network.xml |   2 +-
 tests/virfirewalltest.c                    |   2 +
 28 files changed, 779 insertions(+), 98 deletions(-)
 create mode 100644 m4/virt-firewalld-zone.m4
 create mode 100644 src/network/libvirt.zone
 create mode 100644 src/util/virfirewalld.c
 create mode 100644 src/util/virfirewalld.h
 create mode 100644 src/util/virfirewalldpriv.h

-- 
2.20.1
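As an illustration of the kind of zone the series is about (an added example, not the libvirt.zone file from the patches): a firewalld zone definition that admits only the host-directed DHCP and DNS traffic the cover letter names, with anything unmatched falling to the zone's default reject target. The zone name libvirt-example and the bridge name virbr0 are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative firewalld zone for libvirt-managed bridges; this is an
     added example, not the project's own zone file. Install it as
     /etc/firewalld/zones/libvirt-example.xml and run
     "firewall-cmd --reload" so firewalld picks it up. -->
<zone>
  <short>libvirt-example</short>
  <description>
    Guests on a virtual network bridge may reach the host for DHCP and
    DNS only. Traffic that matches no service hits the zone's default
    target, which rejects it, so nothing beyond these services is opened.
  </description>
  <service name="dhcp"/>
  <service name="dhcpv6"/>
  <service name="dns"/>
  <!-- Verification from the host (assumes the bridge is virbr0):
         firewall-cmd --get-zone-of-interface=virbr0
         firewall-cmd --info-zone=libvirt-example
       The bridge should report this zone rather than "public"; if it
       still shows "public", guests will lose DHCP and DNS as described
       in the cover letter. -->
</zone>
```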