[PATCH 0/8] network: firewalld: native support for NAT/routed

Michal Prívozník mprivozn at redhat.com
Tue Nov 15 10:21:33 UTC 2022


On 11/10/22 17:31, Eric Garver wrote:
> This series further improves the firewalld backend by converting to a
> fully native implementation for NAT and routed networks. That is, there
> are no iptables rules added by libvirt when the running firewalld is
> 0.9.0 or later.
> 
> The major advantage is that firewalld users can use firewall-cmd to
> filter the VM traffic and apply their own policies.
> 
> When firewalld < 0.9.0 is present only the "libvirt" zone will be used.
> The new "libvirt-nat" and "libvirt-routed" zones are not used. This
> maintains compatibility for older distributions (e.g. Ubuntu 20.04).
> 
> Patch 1 is a bug fix for my previous series to avoid a bogus error log.
> 
> Patches 2-3 convert the routed network to native firewalld.
> 
> Patches 4-8 convert the NAT network to native firewalld. They also
> introduce the "libvirt-nat" zone.
> 
> Eric Garver (8):
>   util: virFirewallDGetPolicies: gracefully handle older firewalld
>   network: firewalld: add networkAddHybridFirewallDRules()
>   network: firewalld: use native routed networks
>   util: add virFirewallDSourceSetZone()
>   util: add virFirewallDApplyPolicyRichRules()
>   network: firewalld: add zone for NAT networks
>   network: firewalld: add policies for NAT networks
>   network: firewalld: use native NAT networks
> 
>  libvirt.spec.in                    |   2 +
>  src/libvirt_private.syms           |   2 +
>  src/network/bridge_driver_linux.c  | 193 ++++++++++++++++++++---------
>  src/network/libvirt-nat-out.policy |  13 ++
>  src/network/libvirt-nat.zone       |  10 ++
>  src/network/libvirt-to-host.policy |   1 +
>  src/network/meson.build            |  10 ++
>  src/util/virfirewalld.c            |  79 +++++++++++-
>  src/util/virfirewalld.h            |   6 +
>  9 files changed, 258 insertions(+), 58 deletions(-)
>  create mode 100644 src/network/libvirt-nat-out.policy
>  create mode 100644 src/network/libvirt-nat.zone
> 

Patches look good to me. You have my:

Reviewed-by: Michal Privoznik <mprivozn at redhat.com>

but I'll wait a bit for Laine, if he wants to express his opinion.

Michal