[PATCH 2/8] network: firewalld: add networkAddHybridFirewallDRules()

Eric Garver eric at garver.life
Thu Nov 10 16:31:46 UTC 2022


This factors out the firewalld pieces of the iptables + firewalld
backend.

Signed-off-by: Eric Garver <eric at garver.life>
---
 src/network/bridge_driver_linux.c | 117 ++++++++++++++++--------------
 1 file changed, 61 insertions(+), 56 deletions(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index d9597d91beed..88a8e9c5fa27 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -801,6 +801,58 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw,
 }
 
 
+static int
+networkAddHybridFirewallDRules(virNetworkDef *def)
+{
+    /* if firewalld is active, try to set the "libvirt" zone. This is
+     * desirable (for consistency) if firewalld is using the iptables
+     * backend, but is necessary (for basic network connectivity) if
+     * firewalld is using the nftables backend
+     */
+
+    /* if the "libvirt" zone exists, then set it. If not, and
+     * if firewalld is using the nftables backend, then we
+     * need to log an error because the combination of
+     * nftables + default zone means that traffic cannot be
+     * forwarded (and even DHCP and DNS from guest to host
+     * will probably no be permitted by the default zone
+     */
+    if (virFirewallDZoneExists("libvirt")) {
+        if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0)
+            return -1;
+    } else {
+        unsigned long version;
+        int vresult = virFirewallDGetVersion(&version);
+
+        if (vresult < 0)
+            return -1;
+
+        /* Support for nftables backend was added in firewalld
+         * 0.6.0. Support for rule priorities (required by the
+         * 'libvirt' zone, which should be installed by a
+         * libvirt package, *not* by firewalld) was not added
+         * until firewalld 0.7.0 (unless it was backported).
+         */
+        if (version >= 6000 &&
+            virFirewallDGetBackend() == VIR_FIREWALLD_BACKEND_NFTABLES) {
+            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                           _("firewalld is set to use the nftables "
+                             "backend, but the required firewalld "
+                             "'libvirt' zone is missing. Either set "
+                             "the firewalld backend to 'iptables', or "
+                             "ensure that firewalld has a 'libvirt' "
+                             "zone by upgrading firewalld to a "
+                             "version supporting rule priorities "
+                             "(0.7.0+) and/or rebuilding "
+                             "libvirt with --with-firewalld-zone"));
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+
 /* Add all rules for all ip addresses (and general rules) on a network */
 int networkAddFirewallRules(virNetworkDef *def)
 {
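Review bot: networkAddHybridFirewallDRules() has no header comment stating its precondition, and the comment kept at its top ("if firewalld is active, try to set the 'libvirt' zone") now reads as if the function checks that itself, while the `virFirewallDIsRegistered() == 0` guard only lives in the caller in the second hunk. I would add above the `static int` line a Doxygen-style comment saying the function applies the firewalld half of the iptables + firewalld hybrid backend to def->bridge, must only be called once firewalld is known to be registered, returns 0 on success and -1 with an error reported, and note that it deliberately returns 0 when the 'libvirt' zone is missing but firewalld uses a non-nftables backend (traffic then falls under the default zone). The moved comment also carries over the typo `will probably no be permitted` → `will probably not be permitted`. The `version >= 6000` threshold is compared against the "0.6.0" mentioned in the comment; if that is an encoded major/minor/micro value, a one-line comment naming the encoding next to the check would save the next reader a trip to virFirewallDGetVersion().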
@@ -842,62 +894,15 @@ int networkAddFirewallRules(virNetworkDef *def)
         if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0)
             return -1;
 
-    } else {
-
-        /* if firewalld is active, try to set the "libvirt" zone. This is
-         * desirable (for consistency) if firewalld is using the iptables
-         * backend, but is necessary (for basic network connectivity) if
-         * firewalld is using the nftables backend
-         */
-        if (virFirewallDIsRegistered() == 0) {
-
-            /* if the "libvirt" zone exists, then set it. If not, and
-             * if firewalld is using the nftables backend, then we
-             * need to log an error because the combination of
-             * nftables + default zone means that traffic cannot be
-             * forwarded (and even DHCP and DNS from guest to host
-             * will probably no be permitted by the default zone
-             *
-             * Routed networks use a different zone and policy which we also
-             * need to verify exist. Probing for the policy guarantees the
-             * running firewalld has support for policies (firewalld >= 0.9.0).
-             */
-            if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE &&
-                virFirewallDPolicyExists("libvirt-routed-out") &&
-                virFirewallDZoneExists("libvirt-routed")) {
-                if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0)
-                    return -1;
-            } else if (virFirewallDZoneExists("libvirt")) {
-                if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0)
-                    return -1;
-            } else {
-                unsigned long version;
-                int vresult = virFirewallDGetVersion(&version);
-
-                if (vresult < 0)
-                    return -1;
-
-                /* Support for nftables backend was added in firewalld
-                 * 0.6.0. Support for rule priorities (required by the
-                 * 'libvirt' zone, which should be installed by a
-                 * libvirt package, *not* by firewalld) was not added
-                 * until firewalld 0.7.0 (unless it was backported).
-                 */
-                if (version >= 6000 &&
-                    virFirewallDGetBackend() == VIR_FIREWALLD_BACKEND_NFTABLES) {
-                    virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                                   _("firewalld is set to use the nftables "
-                                     "backend, but the required firewalld "
-                                     "'libvirt' zone is missing. Either set "
-                                     "the firewalld backend to 'iptables', or "
-                                     "ensure that firewalld has a 'libvirt' "
-                                     "zone by upgrading firewalld to a "
-                                     "version supporting rule priorities "
-                                     "(0.7.0+) and/or rebuilding "
-                                     "libvirt with --with-firewalld-zone"));
-                    return -1;
-                }
-            }
+    } else if (virFirewallDIsRegistered() == 0) {
+        if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE &&
+            virFirewallDPolicyExists("libvirt-routed-out") &&
+            virFirewallDZoneExists("libvirt-routed")) {
+            if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0)
+                return -1;
+        } else {
+            if (networkAddHybridFirewallDRules(def) < 0)
+                return -1;
         }
     }
 
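Review bot: The rewritten `else if` branch drops the explanation of why a routed network probes `virFirewallDPolicyExists("libvirt-routed-out")` before `virFirewallDZoneExists("libvirt-routed")`, which the removed lines carried ("Probing for the policy guarantees the running firewalld has support for policies (firewalld >= 0.9.0)"), and that rationale did not move into the new helper. I would restore it above the `def->forward.type == VIR_NETWORK_FORWARD_ROUTE` condition as a short comment, e.g. `/* Routed networks use a dedicated zone and policy; probing the policy also confirms the running firewalld supports policies (>= 0.9.0). Otherwise fall back to the 'libvirt' zone handling. */`. The inner `else { if (...) return -1; }` could be flattened to `} else if (networkAddHybridFirewallDRules(def) < 0) { return -1; }` to match the surrounding style. networkAddFirewallRules() starts and ends outside this hunk.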
-- 
2.37.3


