[PATCH 4/4] network: firewalld: add support for routed networks

Eric Garver eric at garver.life
Wed May 11 15:41:56 UTC 2022


Signed-off-by: Eric Garver <eric at garver.life>
---
 src/network/bridge_driver_linux.c  | 6 +++++-
 src/network/libvirt-to-host.policy | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 98d2a33a1da0..2c8e43b427cb 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -859,7 +859,11 @@ int networkAddFirewallRules(virNetworkDef *def)
              * forwarded (and even DHCP and DNS from guest to host
              * will probably no be permitted by the default zone
              */
-            if (virFirewallDZoneExists("libvirt")) {
+            if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE &&
+                virFirewallDZoneExists("libvirt-routed")) {
+                if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0)
+                    return -1;
+            } else if (virFirewallDZoneExists("libvirt")) {
                 if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0)
                     return -1;
             } else {
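Review bot: When a routed network is started on a host where the `libvirt-routed` zone is not installed, the new condition falls through to the `else if` branch and places the bridge in the `libvirt` zone without any diagnostic. The two zones presumably carry different filtering, so an operator has no indication of which policy is in effect for the bridge. A log line in the fallback branch would make this visible, e.g. `if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) VIR_WARN("firewalld zone 'libvirt-routed' not found, using 'libvirt' for bridge %s", def->bridge);`. A one-line comment above the new branch saying why routed networks get their own zone would also help. The existing comment block and the rest of networkAddFirewallRules lie outside the hunk.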
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
index 045b35d58d0d..9ec489dc57b5 100644
--- a/src/network/libvirt-to-host.policy
+++ b/src/network/libvirt-to-host.policy
@@ -8,6 +8,7 @@
   </description>
 
   <ingress-zone name="libvirt" />
+  <ingress-zone name="libvirt-routed" />
   <egress-zone name="HOST" />
 
   <protocol value='icmp'/>
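Review bot: The added `<ingress-zone name="libvirt-routed" />` gives interfaces in the routed zone the same guest-to-host allowances as the `libvirt` zone, but nothing in the hunk records that this is intentional. The `<description>` element closes just above the hunk and its text is not visible here. If it names only the `libvirt` zone, it should be extended, for example with `Applies to both the libvirt and libvirt-routed zones.` The allowed protocol and service list continues past the end of the hunk, so the full set of host services now reachable from routed guests should be checked against it.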
-- 
2.33.0


