[PATCH v3 5/5] network: firewalld: add support for routed networks

Mon Oct 24 18:44:59 UTC 2022

On Mon, Oct 24, 2022 at 09:38:17AM -0400, Laine Stump wrote:
> Hey Eric!
> 
> I *finally* set things up to test this adequately, and it all looks good and
> is operating properly. The one nit I found with the content of the patches
> was that the new zone/policy files weren't added to the specfile, so I've
> done that.

Thanks! Sorry I missed it.

> I'm now ready to push all the patches, but wanted to put more explanation
> into this final patch that turns it all on. Does the following sound okay to
> you?:
> 
> network: firewalld: allow incoming connections to guests on routed networks
> 
> Prior to firewalld version 0.9.0, the default action of ACCEPT in the

s/0.9.0/1.0.0/

> "libvirt" zone (subsequently overridden with a lower priority "REJECT"
> action) would result in an implicit rule that allowed incoming sessions
> through the zone; libvirt relied on this implicit rule to permit
> incoming connections to guests that were connected via a libvirt
> "routed" network.
> 
> Starting in firewalld 0.9.0, the rules generated for this same

s/0.9.0/1.0.0/

> zonefile changed such that incoming sessions through the libvirt zone
> were no longer allowed, breaking the longstanding convention that they
> should be allowed (only for routed networks).

The behavior changed in firewalld 1.0.0. However, the new zone,
"libvirt-routed", will be active when firewalld >= 0.9.0 is present.

> This patch changes the zone for routed networks from "libvirt" to
> the newly-added "libvirt-routed" zone so that incoming sessions to
> guests on routed networks are once again allowed.
> 
> Resolves: https://bugzilla.redhat.com/2055706

Otherwise, lgtm.

Thanks again.
Eric.

> 
> "
> 
> On 9/22/22 11:13 AM, Eric Garver wrote:
> > Signed-off-by: Eric Garver <eric at garver.life>
> > ---
> >   src/network/bridge_driver_linux.c | 11 ++++++++++-
> >   1 file changed, 10 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> > index a0f593b06636..d9597d91beed 100644
> > --- a/src/network/bridge_driver_linux.c
> > +++ b/src/network/bridge_driver_linux.c
> > @@ -857,8 +857,17 @@ int networkAddFirewallRules(virNetworkDef *def)
> >                * nftables + default zone means that traffic cannot be
> >                * forwarded (and even DHCP and DNS from guest to host
> >                * will probably no be permitted by the default zone
> > +             *
> > +             * Routed networks use a different zone and policy which we also
> > +             * need to verify exist. Probing for the policy guarantees the
> > +             * running firewalld has support for policies (firewalld >= 0.9.0).
> >                */
> > -            if (virFirewallDZoneExists("libvirt")) {
> > +            if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE &&
> > +                virFirewallDPolicyExists("libvirt-routed-out") &&
> > +                virFirewallDZoneExists("libvirt-routed")) {
> > +                if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0)
> > +                    return -1;
> > +            } else if (virFirewallDZoneExists("libvirt")) {
> >                   if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0)
> >                       return -1;
> >               } else {
> 