From nobody Fri Apr 26 10:46:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1547089069285955.6756441390327; Wed, 9 Jan 2019 18:57:49 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 52231356E4; Thu, 10 Jan 2019 02:57:47 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 103F8608C2; Thu, 10 Jan 2019 02:57:47 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 37E4A181BA1A; Thu, 10 Jan 2019 02:57:46 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0A2vi7U032611 for ; Wed, 9 Jan 2019 21:57:44 -0500 Received: by smtp.corp.redhat.com (Postfix) id 7C8745C224; Thu, 10 Jan 2019 02:57:44 +0000 (UTC) Received: from vhost2.laine.org (ovpn-117-126.phx2.redhat.com [10.3.117.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1F1295C220; Thu, 10 Jan 2019 02:57:44 +0000 (UTC) 
From: Laine Stump To: libvir-list@redhat.com Date: Wed, 9 Jan 2019 21:57:33 -0500 Message-Id: <20190110025737.29755-2-laine@laine.org> In-Reply-To: <20190110025737.29755-1-laine@laine.org> References: <20190110025737.29755-1-laine@laine.org> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Eric Garver Subject: [libvirt] [PATCH 1/5] docs: add forgotten mentions of forward mode "open" X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 10 Jan 2019 02:57:47 +0000 (UTC) Content-Type: text/plain; charset="utf-8" A couple places in the docs didn't get updated when the forward mode "open" was added. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- docs/formatnetwork.html.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in index 363a72bbc9..156cfae4ec 100644 --- a/docs/formatnetwork.html.in +++ b/docs/formatnetwork.html.in 
@@ -107,13 +107,13 @@ may also be connected to the LAN. When defining a new network with a <forward> mode of =20 - "nat" or "route" (or an isolated network with + "nat", "route", or "open" (or an isolated network with no <forward> element), libvirt will automatically generate a unique name for the bridge device if none is given, and this name will be permanently stored in the network configuration so that that the same name will be used every time the network is started. For these types of networks - (nat, routed, and isolated), a bridge name beginning with the + (nat, route, open, and isolated), a bridge name beginning with the prefix "virbr" is recommended (and that is what is auto-generated), but not enforced. Attribute stp specifies if Spanning Tree Protocol --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 10:46:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1547089076658920.2111760516815; Wed, 9 Jan 2019 18:57:56 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6F049DF87A; Thu, 10 Jan 2019 02:57:54 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3836017C3E; Thu, 10 Jan 2019 02:57:54 +0000 (UTC) Received: from 
lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id CC84A3F7D5; Thu, 10 Jan 2019 02:57:53 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0A2vjgJ032619 for ; Wed, 9 Jan 2019 21:57:45 -0500 Received: by smtp.corp.redhat.com (Postfix) id 157425C224; Thu, 10 Jan 2019 02:57:45 +0000 (UTC) Received: from vhost2.laine.org (ovpn-117-126.phx2.redhat.com [10.3.117.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id A60EE5C220; Thu, 10 Jan 2019 02:57:44 +0000 (UTC) From: Laine Stump To: libvir-list@redhat.com Date: Wed, 9 Jan 2019 21:57:34 -0500 Message-Id: <20190110025737.29755-3-laine@laine.org> In-Reply-To: <20190110025737.29755-1-laine@laine.org> References: <20190110025737.29755-1-laine@laine.org> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Eric Garver Subject: [libvirt] [PATCH 2/5] util: move all firewalld-specific stuff into its own file X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Thu, 10 Jan 2019 02:57:55 +0000 (UTC) Content-Type: text/plain; charset="utf-8" Since I'm going to be adding at least one more firewalld-specific function, this seems like a good time to separate the code that's unique to firewalld from the more-generic "firewall" file. 
Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- include/libvirt/virterror.h | 1 + src/libvirt_private.syms | 3 + src/util/Makefile.inc.am | 2 + src/util/virerror.c | 1 + src/util/virfirewall.c | 86 ++---------------------- src/util/virfirewalld.c | 128 ++++++++++++++++++++++++++++++++++++ src/util/virfirewalld.h | 33 ++++++++++ src/util/virfirewallpriv.h | 2 - tests/virfirewalltest.c | 1 + 9 files changed, 173 insertions(+), 84 deletions(-) create mode 100644 src/util/virfirewalld.c create mode 100644 src/util/virfirewalld.h diff --git a/include/libvirt/virterror.h b/include/libvirt/virterror.h index fbbe2d5624..3c19ff5e2e 100644 --- a/include/libvirt/virterror.h +++ b/include/libvirt/virterror.h @@ -131,6 +131,7 @@ typedef enum { VIR_FROM_PERF =3D 65, /* Error from perf */ VIR_FROM_LIBSSH =3D 66, /* Error from libssh connection transpor= t */ VIR_FROM_RESCTRL =3D 67, /* Error from resource control */ + VIR_FROM_FIREWALLD =3D 68, /* Error from firewalld */ =20 # ifdef VIR_ENUM_SENTINELS VIR_ERR_DOMAIN_LAST diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index c3d6306809..583868f422 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1918,6 +1918,9 @@ virFirewallSetLockOverride; virFirewallStartRollback; virFirewallStartTransaction; =20 +# util/virfirewalld.h +virFirewallDApplyRule; +virFirewallDStatus; =20 # util/virfirmware.h virFirmwareFreeList; diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am index 4295babac3..0295a1c7d0 100644 --- a/src/util/Makefile.inc.am +++ b/src/util/Makefile.inc.am @@ -64,6 +64,8 @@ UTIL_SOURCES =3D \ util/virfirewall.c \ util/virfirewall.h \ util/virfirewallpriv.h \ + util/virfirewalld.c \ + util/virfirewalld.h \ util/virfirmware.c \ util/virfirmware.h \ util/virgettext.c \ diff --git a/src/util/virerror.c b/src/util/virerror.c index 61b47d2be0..ae1efa72d8 100644 --- a/src/util/virerror.c +++ b/src/util/virerror.c 
@@ -138,6 +138,7 @@ VIR_ENUM_IMPL(virErrorDomain, VIR_ERR_DOMAIN_LAST, "Perf", /* 65 */ "Libssh transport layer", "Resource control", + "FirewallD", ) =20 =20 diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 5a0cf95a44..d5d647fcc4 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -24,12 +24,12 @@ =20 #define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW #include "virfirewallpriv.h" +#include "virfirewalld.h" #include "virerror.h" #include "virutil.h" #include "virstring.h" #include "vircommand.h" #include "virlog.h" -#include "virdbus.h" #include "virfile.h" #include "virthread.h" =20 @@ -46,11 +46,6 @@ VIR_ENUM_IMPL(virFirewallLayerCommand, VIR_FIREWALL_LAYE= R_LAST, IPTABLES_PATH, IP6TABLES_PATH); =20 -VIR_ENUM_DECL(virFirewallLayerFirewallD) -VIR_ENUM_IMPL(virFirewallLayerFirewallD, VIR_FIREWALL_LAYER_LAST, - "eb", "ipv4", "ipv6") - - struct _virFirewallRule { virFirewallLayer layer; =20 @@ -152,7 +147,7 @@ virFirewallValidateBackend(virFirewallBackend backend) VIR_DEBUG("Validating backend %d", backend); if (backend =3D=3D VIR_FIREWALL_BACKEND_AUTOMATIC || backend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - int rv =3D virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVI= CE); + int rv =3D virFirewallDStatus(); =20 VIR_DEBUG("Firewalld is registered ? %d", rv); if (rv < 0) { 
@@ -712,81 +707,8 @@ virFirewallApplyRuleFirewallD(virFirewallRulePtr rule, bool ignoreErrors, char **output) { - const char *ipv =3D virFirewallLayerFirewallDTypeToString(rule->layer); - DBusConnection *sysbus =3D virDBusGetSystemBus(); - DBusMessage *reply =3D NULL; - virError error; - int ret =3D -1; - - if (!sysbus) - return -1; - - memset(&error, 0, sizeof(error)); - - if (!ipv) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Unknown firewall layer %d"), - rule->layer); - goto cleanup; - } - - if (virDBusCallMethod(sysbus, - &reply, - &error, - VIR_FIREWALL_FIREWALLD_SERVICE, - "/org/fedoraproject/FirewallD1", - "org.fedoraproject.FirewallD1.direct", - "passthrough", - "sa&s", - ipv, - (int)rule->argsLen, - rule->args) < 0) - goto cleanup; - - if (error.level =3D=3D VIR_ERR_ERROR) { - /* - * As of firewalld-0.3.9.3-1.fc20.noarch the name and - * message fields in the error look like - * - * name=3D"org.freedesktop.DBus.Python.dbus.exceptions.DBusExce= ption" - * message=3D"COMMAND_FAILED: '/sbin/iptables --table filter --del= ete - * INPUT --in-interface virbr0 --protocol udp --destinati= on-port 53 - * --jump ACCEPT' failed: iptables: Bad rule (does a matc= hing rule - * exist in that chain?)." - * - * We'd like to only ignore DBus errors precisely related to the f= ailure - * of iptables/ebtables commands. A well designed DBus interface w= ould - * return specific named exceptions not the top level generic pyth= on dbus - * exception name. With this current scheme our only option is tod= o a - * sub-string match for 'COMMAND_FAILED' on the message. eg like - * - * if (ignoreErrors && - * STREQ(error.name, - * "org.freedesktop.DBus.Python.dbus.exceptions.DBusExce= ption") && - * STRPREFIX(error.message, "COMMAND_FAILED")) - * ... - * - * But this risks our error detecting code being broken if firewal= ld changes - * ever alter the message string, so we're avoiding doing that. 
- */ - if (ignoreErrors) { - VIR_DEBUG("Ignoring error '%s': '%s'", - error.str1, error.message); - } else { - virReportErrorObject(&error); - goto cleanup; - } - } else { - if (virDBusMessageRead(reply, "s", output) < 0) - goto cleanup; - } - - ret =3D 0; - - cleanup: - virResetError(&error); - virDBusMessageUnref(reply); - return ret; + /* wrapper necessary because virFirewallRule is a private struct */ + return virFirewallDApplyRule(rule->layer, rule->args, rule->argsLen, i= gnoreErrors, output); } =20 static int diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c new file mode 100644 index 0000000000..0dc2b3de08 --- /dev/null +++ b/src/util/virfirewalld.c 
@@ -0,0 +1,128 @@ +/* + * virfirewalld.c: support for firewalld (https://firewalld.org) + * + * Copyright (C) 2019 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include + +#include "virfirewall.h" +#include "virfirewalld.h" +#include "virerror.h" +#include "virutil.h" +#include "virlog.h" +#include "virdbus.h" + +#define VIR_FROM_THIS VIR_FROM_FIREWALLD + +VIR_LOG_INIT("util.firewalld"); + +VIR_ENUM_DECL(virFirewallLayerFirewallD) +VIR_ENUM_IMPL(virFirewallLayerFirewallD, VIR_FIREWALL_LAYER_LAST, + "eb", "ipv4", "ipv6") + +int +virFirewallDStatus(void) +{ + return virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE); +} + + +int +virFirewallDApplyRule(virFirewallLayer layer, + char **args, size_t argsLen, + bool ignoreErrors, + char **output) +{ + const char *ipv =3D virFirewallLayerFirewallDTypeToString(layer); + DBusConnection *sysbus =3D virDBusGetSystemBus(); + DBusMessage *reply =3D NULL; + virError error; + int ret =3D -1; + + if (!sysbus) + return -1; + + memset(&error, 0, sizeof(error)); + + if (!ipv) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unknown firewall layer %d"), + layer); + goto cleanup; + } + + if (virDBusCallMethod(sysbus, + &reply, + &error, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.direct", + "passthrough", + "sa&s", + ipv, + (int)argsLen, + 
args) < 0) + goto cleanup; + + if (error.level =3D=3D VIR_ERR_ERROR) { + /* + * As of firewalld-0.3.9.3-1.fc20.noarch the name and + * message fields in the error look like + * + * name=3D"org.freedesktop.DBus.Python.dbus.exceptions.DBusExce= ption" + * message=3D"COMMAND_FAILED: '/sbin/iptables --table filter --del= ete + * INPUT --in-interface virbr0 --protocol udp --destinati= on-port 53 + * --jump ACCEPT' failed: iptables: Bad rule (does a matc= hing rule + * exist in that chain?)." + * + * We'd like to only ignore DBus errors precisely related to the f= ailure + * of iptables/ebtables commands. A well designed DBus interface w= ould + * return specific named exceptions not the top level generic pyth= on dbus + * exception name. With this current scheme our only option is tod= o a + * sub-string match for 'COMMAND_FAILED' on the message. eg like + * + * if (ignoreErrors && + * STREQ(error.name, + * "org.freedesktop.DBus.Python.dbus.exceptions.DBusExce= ption") && + * STRPREFIX(error.message, "COMMAND_FAILED")) + * ... + * + * But this risks our error detecting code being broken if firewal= ld changes + * ever alter the message string, so we're avoiding doing that. + */ + if (ignoreErrors) { + VIR_DEBUG("Ignoring error '%s': '%s'", + error.str1, error.message); + } else { + virReportErrorObject(&error); + goto cleanup; + } + } else { + if (virDBusMessageRead(reply, "s", output) < 0) + goto cleanup; + } + + ret =3D 0; + + cleanup: + virResetError(&error); + virDBusMessageUnref(reply); + return ret; +} diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h new file mode 100644 index 0000000000..c1c929399a --- /dev/null +++ b/src/util/virfirewalld.h 
@@ -0,0 +1,33 @@ +/* + * virfirewalld.h: support for firewalld (https://firewalld.org) + * + * Copyright (C) 2019 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#ifndef LIBVIRT_VIRFIREWALLD_H +# define LIBVIRT_VIRFIREWALLD_H + +# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1" + +int virFirewallDStatus(void); + +int virFirewallDApplyRule(virFirewallLayer layer, + char **args, size_t argsLen, + bool ignoreErrors, + char **output); + +#endif /* LIBVIRT_VIRFIREWALLD_H */ diff --git a/src/util/virfirewallpriv.h b/src/util/virfirewallpriv.h index efa94a7da4..7c31d0680d 100644 --- a/src/util/virfirewallpriv.h +++ b/src/util/virfirewallpriv.h @@ -27,8 +27,6 @@ =20 # include "virfirewall.h" =20 -# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1" - typedef enum { VIR_FIREWALL_BACKEND_AUTOMATIC, VIR_FIREWALL_BACKEND_DIRECT, diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 63b9ced820..573ab1f9cd 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
@@ -27,6 +27,7 @@ # include "vircommandpriv.h" # define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW # include "virfirewallpriv.h" +# include "virfirewalld.h" # include "virmock.h" # define LIBVIRT_VIRDBUSPRIV_H_ALLOW # include "virdbuspriv.h" --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 10:46:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1547089070388174.01268710437841; Wed, 9 Jan 2019 18:57:50 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 23E8C7FDF3; Thu, 10 Jan 2019 02:57:48 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E6B05608DA; Thu, 10 Jan 2019 02:57:47 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 80EF418433AF; Thu, 10 Jan 2019 02:57:47 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0A2vjRj032627 for ; Wed, 9 Jan 2019 21:57:45 -0500 Received: by smtp.corp.redhat.com (Postfix) id 9E0A15C226; Thu, 10 Jan 2019 02:57:45 +0000 (UTC) Received: from 
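Review bot: the new src/util/virfirewalld.h declares virFirewallDApplyRule() in terms of virFirewallLayer, bool and size_t but includes nothing itself, so it only compiles when the includer has already pulled in "virfirewall.h" (which virfirewall.c and virfirewalltest.c happen to do via virfirewallpriv.h). Add `# include "virfirewall.h"` below the include guard so the header is self-contained for any future includer. Otherwise the move reads as behaviour-preserving: virFirewallDApplyRule() is the old virFirewallApplyRuleFirewallD() body with rule->layer, rule->args and rule->argsLen passed explicitly, and VIR_FIREWALL_FIREWALLD_SERVICE simply relocates from virfirewallpriv.h to the new header.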
vhost2.laine.org (ovpn-117-126.phx2.redhat.com [10.3.117.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id 411565C220; Thu, 10 Jan 2019 02:57:45 +0000 (UTC) From: Laine Stump To: libvir-list@redhat.com Date: Wed, 9 Jan 2019 21:57:35 -0500 Message-Id: <20190110025737.29755-4-laine@laine.org> In-Reply-To: <20190110025737.29755-1-laine@laine.org> References: <20190110025737.29755-1-laine@laine.org> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Eric Garver Subject: [libvirt] [PATCH 3/5] util: new function virFirewallDInterfaceSetZone() X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 10 Jan 2019 02:57:48 +0000 (UTC) Content-Type: text/plain; charset="utf-8" Sets the firewalld zone of the given interface. This function assumes that you've already called virFirewallDIsActive(), and relies on virDBusCallMethod's standard error reporting to log any errors. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 1 + src/util/virfirewalld.c | 23 +++++++++++++++++++++++ src/util/virfirewalld.h | 3 +++ 3 files changed, 27 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 583868f422..346e17f535 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1920,6 +1920,7 @@ virFirewallStartTransaction; =20 # util/virfirewalld.h virFirewallDApplyRule; +virFirewallDInterfaceSetZone; virFirewallDStatus; =20 # util/virfirmware.h 
diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 0dc2b3de08..7c5b37a5b2 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c @@ -126,3 +126,26 @@ virFirewallDApplyRule(virFirewallLayer layer, virDBusMessageUnref(reply); return ret; } + + +int +virFirewallDInterfaceSetZone(const char *iface, + const char *zone) +{ + DBusConnection *sysbus =3D virDBusGetSystemBus(); + DBusMessage *reply =3D NULL; + + if (!sysbus) + return -1; + + return virDBusCallMethod(sysbus, + &reply, + NULL, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.zone", + "changeZoneOfInterface", + "ss", + zone, + iface); +} diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index c1c929399a..471176d652 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h 
@@ -30,4 +30,7 @@ int virFirewallDApplyRule(virFirewallLayer layer, bool ignoreErrors, char **output); =20 +int virFirewallDInterfaceSetZone(const char *iface, + const char *zone); + #endif /* LIBVIRT_VIRFIREWALLD_H */ --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 10:46:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1547089075672937.9306305374353; Wed, 9 Jan 2019 18:57:55 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B572113AA7; Thu, 10 Jan 2019 02:57:53 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7AC1065934; Thu, 10 Jan 2019 02:57:53 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 30F2B184B54A; Thu, 10 Jan 2019 02:57:53 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0A2vkvW032640 for ; Wed, 9 Jan 2019 21:57:46 -0500 Received: by smtp.corp.redhat.com (Postfix) id 331FB5C220; Thu, 10 Jan 2019 02:57:46 +0000 (UTC) Received: from vhost2.laine.org 
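Review bot: virFirewallDInterfaceSetZone() asks virDBusCallMethod() for a reply through &reply but never releases it, whereas virFirewallDApplyRule() directly above calls virDBusMessageUnref(reply) on its cleanup path; either unref the reply before returning or, if the helper accepts it, pass NULL for the reply pointer so nothing is allocated. Separately, the commit message says callers must first call virFirewallDIsActive(), but the function introduced in patch 2 is virFirewallDStatus(); the documented precondition and the API name should agree.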
(ovpn-117-126.phx2.redhat.com [10.3.117.126]) by smtp.corp.redhat.com (Postfix) with ESMTP id C84075C688; Thu, 10 Jan 2019 02:57:45 +0000 (UTC) From: Laine Stump To: libvir-list@redhat.com Date: Wed, 9 Jan 2019 21:57:36 -0500 Message-Id: <20190110025737.29755-5-laine@laine.org> In-Reply-To: <20190110025737.29755-1-laine@laine.org> References: <20190110025737.29755-1-laine@laine.org> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Eric Garver Subject: [libvirt] [PATCH 4/5] network: regain guest network connectivity after firewalld switch to nftables X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Thu, 10 Jan 2019 02:57:54 +0000 (UTC) Content-Type: text/plain; charset="utf-8" 
From: Laine Stump In the past (when both libvirt and firewalld used iptables), if either libvirt's rules *OR* firewalld's rules accepted a packet, it would be accepted. This was because libvirt and firewalld rules were processed by the same kernel hook.

But now firewalld can use nftables for its backend, while libvirt's firewall rules are still using iptables; iptables rules are still processed, but at a different time during packet processing (i.e. during a different hook) than the firewalld nftables rules. The result is that a packet must be accepted by *BOTH* the libvirt iptables rules *AND* the firewalld nftables rules in order to be accepted.

This causes pain because

1) libvirt always adds rules to permit DNS and DHCP (and sometimes TFTP) from guests to the local host. But libvirt's bridges are in firewalld's "default" zone (which is usually the zone called "public"). The public zone allows ssh, but doesn't allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the DHCP and DNS traffic, the firewalld rules don't, thus guests connected to libvirt's bridges can't acquire an IP address from DHCP, nor can they make DNS queries to the DNS server libvirt has set up on the host.

2) firewalld's higher level "rich rules" don't yet have the ability to configure the acceptance of forwarded traffic (traffic that is going somewhere beyond the host), so any traffic that needs to be forwarded is rejected by the public zone's default "reject" policy (which rejects all traffic in the zone not specifically allowed by the rules in the zone, whether that traffic is destined to be forwarded or locally received by the host).
libvirt can't send "direct" nftables rules (firewalld only supports that for iptables), so we can't solve this problem by just sending explicit nftables rules instead of explicit iptables rules (which, if it could be done, would place libvirt's rules in the same hook as firewalld's native rules, and thus eliminate the need for packets to be accepted by both libvirt's and firewalld's own rules).

However, we can take advantage of a quirk in firewalld zones that have a default policy of "accept" (meaning any packet that doesn't match a specific rule in the zone will be *accepted*) - this default accept will also accept forwarded traffic (not just traffic destined for the host). Putting each network's bridge in a new zone called "libvirt" which has a default policy of accept will allow the forwarded traffic to pass, but the same default accept policy that fixes forwarded traffic also causes *all* traffic from guest to host to be accepted.

To solve this new problem, we can take advantage of a new feature in firewalld (currently slated for firewalld-0.7.0) - priorities for rich rules - to add a low priority rule that rejects all local traffic (but leaves alone all forwarded traffic). So, our new zone will start with a list of services that are allowed (dhcp, dns, tftp, and ssh to start, but configurable via any firewalld management application, or direct editing of the zone file in /etc/firewalld/zones/libvirt.xml), followed by a low priority rule (to reject all other traffic from guest to host), and finally with a default policy of accept (to allow forwarded traffic).

After this patch, any network created by libvirt (when firewalld is enabled) will be added to the zone called "libvirt". HOWEVER, even this could be problematic - since the libvirt zone uses a very new feature in firewalld which might not yet be present in the firewalld package on the host.
The best we can do is put the zone file in place, and let firewalld try to load it - if firewalld doesn't support rule priorities, it will fail to load the zone file and log an error. Since libvirtd will also be attempting to set the zone of every new interface to "libvirt", if the libvirt zone failed to load, then the call to set the zone of an interface will also fail; this is acceptable because it's a transient problem, and the failure will help alert the user that they need to also update their firewalld package. NB: This behavior *is* slightly different from behavior of previous libvirt (in the past, libvirt network behavior would be affected by the configuration of firewalld's default zone (usually "public"), but now it is affected only by the "libvirt" zone), and thus almost surely warrants a release note for any distro upgrading to libvirt 5.0 or above. Although it's unfortunate that the behavior has to change, the architecture of multiple hooks makes it impossible to *not* change behavior in some way, and the new behavior is arguably better (since it will now be possible to manage access to the host from virtual machines vs from public interfaces separately). NB2: This patch does not check whether the firewalld backend is nftables or iptables; it behaves identically in either case, which is much less confusing than getting different behavior based on the configuration of some other package (firewalld). NB3: firewalld zones can't normally be added to the runtime config of firewalld, so at package install/upgrade time we have to reload all of the firewalld permanent config for the new zone to be recognized. This is done with a call to "firewall-cmd --reload" during postinstall and postuninstall (for rpm-based distros; non-rpm distros will need to figure out a different method of triggering the reload). In the case that firewalld is inactive, firewall-cmd exits without doing anything (i.e. it doesn't start up firewalld.service if it's not already started). 
Resolves: https://bugzilla.redhat.com/1638342 Creates-and-Resolves: https://bugzilla.redhat.com/1650320 Signed-off-by: Laine Stump --- libvirt.spec.in | 16 ++++++++++++++++ src/network/Makefile.inc.am | 10 +++++++++- src/network/bridge_driver_linux.c | 9 +++++++++ src/network/libvirt.zone | 14 ++++++++++++++ 4 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 src/network/libvirt.zone diff --git a/libvirt.spec.in b/libvirt.spec.in index b04cf53eb8..5217fee6ce 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -389,6 +389,8 @@ BuildRequires: rpcgen BuildRequires: libtirpc-devel %endif =20 +BuildRequires: firewalld-filesystem + Provides: bundled(gnulib) =20 %description @@ -1352,6 +1354,16 @@ if [ -f %{_localstatedir}/lib/rpm-state/libvirt/rest= art ]; then fi rm -rf %{_localstatedir}/lib/rpm-state/libvirt || : =20 +%post daemon-driver-network +%if %{with_firewalld} + %firewalld_reload +%endif + +%postun daemon-driver-network +%if %{with_firewalld} + %firewalld_reload +%endif + %post daemon-config-network if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default= .xml ; then # see if the network used by default network creates a conflict, @@ -1590,6 +1602,10 @@ exit 0 %attr(0755, root, root) %{_libexecdir}/libvirt_leaseshelper %{_libdir}/%{name}/connection-driver/libvirt_driver_network.so =20 +%if %{with_firewalld} +%{_prefix}/lib/firewalld/zones/libvirt.xml +%endif + %files daemon-driver-nodedev %{_libdir}/%{name}/connection-driver/libvirt_driver_nodedev.so =20 diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am index 508c8c0422..20d899e699 100644 --- a/src/network/Makefile.inc.am +++ b/src/network/Makefile.inc.am 
@@ -87,6 +87,11 @@ install-data-network: ( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \ rm -f default.xml && \ $(LN_S) ../default.xml default.xml ) +if HAVE_FIREWALLD + $(MKDIR_P) "$(DESTDIR)$(prefix)/lib/firewalld/zones" + $(INSTALL_DATA) $(srcdir)/network/libvirt.zone \ + $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml +endif HAVE_FIREWALLD =20 uninstall-data-network: rm -f $(DESTDIR)$(confdir)/qemu/networks/autostart/default.xml @@ -95,10 +100,13 @@ uninstall-data-network: rmdir "$(DESTDIR)$(confdir)/qemu/networks" || : rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||: rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||: +if HAVE_FIREWALLD + rm -f $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml +endif HAVE_FIREWALLD =20 endif WITH_NETWORK =20 -EXTRA_DIST +=3D network/default.xml +EXTRA_DIST +=3D network/default.xml network/libvirt.zone =20 .PHONY: \ install-data-network \ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index dd08222653..a32f19bcf0 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -27,6 +27,7 @@ #include "virstring.h" #include "virlog.h" #include "virfirewall.h" +#include "virfirewalld.h" =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 @@ -638,6 +639,14 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 + + /* if firewalld is active, try to set the default "libvirt" zone, + * but ignore failure, since the version of firewalld on the host + * may have failed to load the libvirt zone + */ + if (virFirewallDStatus() >=3D 0) + ignore_value(virFirewallDInterfaceSetZone(def->bridge, "libvirt")); + fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, 0); diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone new file mode 100644 index 0000000000..1750ba2f06 --- /dev/null +++ b/src/network/libvirt.zone 
@@ -0,0 +1,14 @@ + + + libvirt + The default policy of "ACCEPT" allows all packets to/from i= nterfaces in the zone to be forwarded, while the (*low priority*) reject ru= le blocks any traffic destined for the host, except those services explicit= ly listed (that list can be modified as required by the local admin). This = zone is intended to be used only by libvirt virtual networks - libvirt will= add the bridge devices for all new virtual networks to this zone by defaul= t. + + + + + + + + + + --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
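Review bot: in the libvirt.spec.in hunks, `BuildRequires: firewalld-filesystem` is added unconditionally while every use of it (`%firewalld_reload` in `%post`/`%postun daemon-driver-network` and the `%{_prefix}/lib/firewalld/zones/libvirt.xml` entry in `%files daemon-driver-network`) sits inside `%if %{with_firewalld}`; move the BuildRequires under the same conditional so a build with firewalld disabled does not pull the package in. It is also worth checking that the daemon-driver-network subpackage has a runtime dependency on whatever owns `%{_prefix}/lib/firewalld/zones`; as written, libvirt.xml is dropped into a directory that no installed package owns on a host without firewalld.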
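Review bot: in the install-data-network/uninstall-data-network hunks the directory `$(prefix)/lib/firewalld/zones` is spelled out twice here and a third time in the spec file; a single make variable would keep the three in step, and a one-line comment that the path is deliberately `$(prefix)/lib` rather than `$(libdir)` (firewalld reads its zones from `/usr/lib/firewalld` on every architecture) would stop someone "fixing" it later. The uninstall target also removes libvirt.xml without any firewalld reload, so on a make-installed host the zone stays loaded until the next reload; since the commit message leaves non-rpm distros to solve this, a comment pointing at `firewall-cmd --reload` next to the `rm -f` would help.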
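Review bot: in the networkAddFirewallRules hunk, `ignore_value(virFirewallDInterfaceSetZone(def->bridge, "libvirt"))` discards the failure, yet the commit message relies on that failure to "alert the user that they need to also update their firewalld package". Nothing in this hunk logs it, so on a firewalld without rule-priority support the bridge silently stays in firewalld's default zone, which is exactly the pre-patch behaviour the NB warns about. Suggest at least `VIR_WARN("failed to set firewalld zone of %s to 'libvirt'", def->bridge);` (virlog.h is already included) before the result is dropped, so the admin has something to find in the log when guest networking misbehaves.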
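Review bot: the libvirt.zone description tells admins the service list "can be modified as required by the local admin", but the file is installed to `$(prefix)/lib/firewalld/zones/libvirt.xml`, which the package replaces on every upgrade and `rm -f`s on uninstall. firewalld gives precedence to a same-named file under `/etc/firewalld/zones/`, and `firewall-cmd --permanent` writes there, so the description (or the docs) should say that local changes belong in /etc/firewalld/zones/libvirt.xml, not in the shipped copy, or they will be lost on the next libvirt update.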
From: Laine Stump
To: libvir-list@redhat.com
Date: Wed, 9 Jan 2019 21:57:37 -0500
Message-Id: <20190110025737.29755-6-laine@laine.org>
In-Reply-To: <20190110025737.29755-1-laine@laine.org>
References: <20190110025737.29755-1-laine@laine.org>
Cc: Eric Garver
Subject: [libvirt] [PATCH 5/5] network: allow configuring firewalld zone for virtual network bridge device

Since we're setting the zone anyway, it will be useful to allow setting a different (custom) zone for each network. This will be done by adding a "zone" attribute to the "bridge" element, e.g.: ... ...

If a zone is specified in the config and it can't be honored, this will be an error. If no zone is specified and the default zone ("libvirt") can't be set, it will be ignored.

(BTW, Federico Simoncelli proposed a similar patch 5 1/2 years (!!) ago, but I misunderstood its usefulness at first, and by the time I did we were both too busy to revisit it. libvirt's code has changed so much in the intervening time that it was simpler to just rewrite from scratch)
Signed-off-by: Laine Stump --- docs/formatnetwork.html.in | 17 +++++++++ docs/news.xml | 40 ++++++++++++++++++++++ docs/schemas/basictypes.rng | 6 ++++ docs/schemas/network.rng | 6 ++++ src/conf/network_conf.c | 14 ++++++-- src/conf/network_conf.h | 1 + src/network/bridge_driver_linux.c | 30 ++++++++++++---- tests/networkxml2xmlin/routed-network.xml | 2 +- tests/networkxml2xmlout/routed-network.xml | 2 +- 9 files changed, 107 insertions(+), 11 deletions(-) diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in index 156cfae4ec..4aecdfe8e0 100644 --- a/docs/formatnetwork.html.in +++ b/docs/formatnetwork.html.in @@ -152,6 +152,23 @@ Since 1.2.11, requires kernel 3.17 or newer

+ +

+ The optional zone attribute of + the bridge element is used to specify + the firewalld + zone for the bridge of a network with forward + mode of "nat", "route", "open", or one with + no forward specified. By default, the bridges + of all virtual networks with these forward modes are placed + in the firewalld zone named "libvirt", which permits + incoming DNS, DHCP, TFTP, and SSH to the host from guests on + the network. This behavior can be changed either by + modifying the libvirt zone (using firewalld management + tools), or by placing the network in a different zone (which + will also be managed using firewalld tools). + Since 5.0.0 +

=20
mtu
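Review bot: the new zone paragraph in formatnetwork.html.in says where the bridge is placed but not what happens when the request cannot be honoured, and the two cases behave differently in this series: with no zone given, a failure to set "libvirt" is ignored, while an explicit zone makes the network fail to start if firewalld is not running or the zone cannot be set (networkAddFirewallRules reports an error and bails out). Add a sentence such as "If a zone is explicitly specified and it cannot be set (for example because firewalld is not active), starting the network fails." so users understand why an otherwise valid definition stops starting after a firewalld outage.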
diff --git a/docs/news.xml b/docs/news.xml index 8c608cdc36..d894821ed5 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -58,6 +58,19 @@ trunking configuration. + + + network: support setting a firewalld "zone" for all virtual netw= ork bridges + + + All libvirt virtual networks with bridges managed by libvirt + (i.e. those with forward mode of "nat", + "route", "open", or no forward mode) will now be placed in a + special firewalld zone called "libvirt" by default, and the + zone of any network bridge can be changed using the zone + attribute of the network's bridge element. + +
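Review bot: the first news.xml entry says all networks with these forward modes "will now be placed" in the libvirt zone, but networkAddFirewallRules only sets the zone when virFirewallDStatus() reports firewalld active; on hosts without firewalld nothing changes. Qualify it as "on hosts where firewalld is running" so readers on plain iptables/nftables hosts do not go looking for a zone that is never created.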
@@ -123,6 +136,33 @@
+ + + network: fix virtual networks on systems using firewalld+nftables + + + Because of the transitional state of firewalld's new support + for nftables, not all iptables features required by libvirt + are yet available, so libvirt must continue to use iptables + for its own packet filtering rules even when the firewalld + backend is set to use nftables, but due to the way iptables + support is implemented in kernels using nftables (iptables + rules are converted to nftables rules and processed in a + separate hook from the native nftables rules), guest + networking was broken on hosts with firewalld configured to + use nftables as the backend. This has been fixed by putting + libvirt-managed bridges in their own firewalld zone, so that + guest traffic can be forwarded beyond the host, and so that + host services can be exposed to guests on the virtual + network without opening up those same services to the rest + of the physical network. This means that host access from + virtual machines is no longer controlled by the firewalld + default zone (usually "public"), but rather by the new + firewalld zone called "libvirt" (unless configured otherwise + using the new zone attribute of the network + bridge element). + +
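Review bot: this bug-fix entry should name the firewalld requirement the fix depends on. The 4/5 commit message explains that the zone file relies on rule priorities and that an older firewalld fails to load it, after which libvirt's attempt to set the zone also fails (silently, in the default-zone path), so the fix described here quietly does nothing on such hosts. One sentence such as "requires a firewalld release with rule-priority support; with older firewalld the libvirt zone fails to load and guest networking remains broken on the nftables backend" would save users a debugging session. The entry is also a single very long sentence; splitting it at "This has been fixed" would make it readable in the release notes.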
diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng index 9a63720ff7..9b3dcad4a5 100644 --- a/docs/schemas/basictypes.rng +++ b/docs/schemas/basictypes.rng @@ -279,6 +279,12 @@ =20 + + + [a-zA-Z0-9_\-]+ + + + .+ diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng index f37c422bf3..2a6e3358fd 100644 --- a/docs/schemas/network.rng +++ b/docs/schemas/network.rng @@ -58,6 +58,12 @@ =20 + + + + + + diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index e035d8aba7..b09cb1dae2 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -203,6 +203,7 @@ virNetworkDefFree(virNetworkDefPtr def) =20 VIR_FREE(def->name); VIR_FREE(def->bridge); + VIR_FREE(def->bridgeZone); VIR_FREE(def->domain); =20 virNetworkForwardDefClear(&def->forward); @@ -1684,6 +1685,7 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) =20 /* Parse bridge information */ def->bridge =3D virXPathString("string(./bridge[1]/@name)", ctxt); + def->bridgeZone =3D virXPathString("string(./bridge[1]/@zone)", ctxt); stp =3D virXPathString("string(./bridge[1]/@stp)", ctxt); def->stp =3D (stp && STREQ(stp, "off")) ? false : true; =20 @@ -1920,6 +1922,13 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) def->name); goto error; } + if (def->bridgeZone) { + virReportError(VIR_ERR_XML_ERROR, + _("bridge zone not allowed in %s mode (network = '%s')"), + virNetworkForwardTypeToString(def->forward.type= ), + def->name); + goto error; + } if (def->macTableManager) { virReportError(VIR_ERR_XML_ERROR, _("bridge macTableManager setting not allowed " 
@@ -1931,9 +1940,9 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) ATTRIBUTE_FALLTHROUGH; =20 case VIR_NETWORK_FORWARD_BRIDGE: - if (def->delay || stp) { + if (def->delay || stp || def->bridgeZone) { virReportError(VIR_ERR_XML_ERROR, - _("bridge delay/stp options only allowed in " + _("bridge delay/stp/zone options only allowed i= n " "route, nat, and isolated mode, not in %s " "(network '%s')"), virNetworkForwardTypeToString(def->forward.type= ), @@ -2508,6 +2517,7 @@ virNetworkDefFormatBuf(virBufferPtr buf, if (hasbridge || def->bridge || def->macTableManager) { virBufferAddLit(buf, "bridge); + virBufferEscapeString(buf, " zone=3D'%s'", def->bridgeZone); if (hasbridge) virBufferAsprintf(buf, " stp=3D'%s' delay=3D'%ld'", def->stp ? "on" : "off", def->delay); diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h index c630674300..69ee8d7f2a 100644 --- a/src/conf/network_conf.h +++ b/src/conf/network_conf.h @@ -235,6 +235,7 @@ struct _virNetworkDef { int connections; /* # of guest interfaces connected to this network = */ =20 char *bridge; /* Name of bridge device */ + char *bridgeZone; /* name of firewalld zone for bridge (default "libv= irt" */ int macTableManager; /* enum virNetworkBridgeMACTableManager */ char *domain; int domainLocalOnly; /* enum virTristateBool: yes disables dns forward= ing */ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index a32f19bcf0..8c585594d1 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -639,13 +639,29 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 - - /* if firewalld is active, try to set the default "libvirt" zone, - * but ignore failure, since the version of firewalld on the host - * may have failed to load the libvirt zone - */ - if (virFirewallDStatus() >=3D 0) - ignore_value(virFirewallDInterfaceSetZone(def->bridge, "libvirt")); + if (!def->bridgeZone) { + /* if firewalld is active and no zone has been explicitly set + * in the config, try to set the default "libvirt" zone, but + * ignore failure, since the version of firewalld on the host + * may have failed to load the libvirt zone + */ + if (virFirewallDStatus() >=3D 0) + ignore_value(virFirewallDInterfaceSetZone(def->bridge, "libvir= t")); + + } else { + /* if a zone has been specified, fail/log an error if we can't + * honor it + */ + if (virFirewallDStatus() < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("zone %s requested for network %s " + "but firewalld is not active"), + def->bridgeZone, def->name); + goto cleanup; + } + if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) + goto cleanup; + } =20 fw =3D virFirewallNew(); =20 diff --git a/tests/networkxml2xmlin/routed-network.xml b/tests/networkxml2x= mlin/routed-network.xml index ab5e15b1f6..fce01df132 100644 --- a/tests/networkxml2xmlin/routed-network.xml +++ b/tests/networkxml2xmlin/routed-network.xml @@ -1,7 +1,7 @@ local 81ff0d90-c91e-6742-64da-4a736edb9a9b - + diff --git a/tests/networkxml2xmlout/routed-network.xml b/tests/networkxml2= xmlout/routed-network.xml index 81abf06e9f..2e13cf4ffa 100644 --- a/tests/networkxml2xmlout/routed-network.xml +++ b/tests/networkxml2xmlout/routed-network.xml @@ -4,7 +4,7 @@ - + --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
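Review bot: in the basictypes.rng/network.rng hunks the `[a-zA-Z0-9_\-]+` pattern for zoneName is only enforced by schema validation; the C parser in virNetworkDefParseXML stores `./bridge[1]/@zone` as-is and passes it straight to virFirewallDInterfaceSetZone when the network starts, so a name with spaces or other characters the schema rejects is accepted at define time and only fails later, with firewalld's error message. Either apply the same character check in the parser (reporting VIR_ERR_XML_ERROR at define time, as the other bridge-attribute checks do) or document that a bad zone name is only detected on start.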
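Review bot: in the VIR_NETWORK_FORWARD_BRIDGE hunk of network_conf.c the error text becomes "bridge delay/stp/zone options only allowed in route, nat, and isolated mode", but the docs hunk in this same patch lists "nat", "route", "open" and no forward mode as the modes where zone is valid, so "open" is missing from the message. Consider listing all four accepted modes, or emitting a zone-specific message for this case as the preceding hunk does for the modes that fall through into it.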
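Review bot: the comment on the new bridgeZone field in network_conf.h, `/* name of firewalld zone for bridge (default "libv= irt" */`, is missing its closing parenthesis, and since the default is only applied when firewalld is active it would be clearer as `(default "libvirt" when firewalld is active)`.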
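Review bot: in the reworked networkAddFirewallRules hunk the explicit-zone failure is reported as VIR_ERR_INTERNAL_ERROR, but "zone %s requested for network %s but firewalld is not active" is a host-configuration problem the user can act on, not a libvirt bug; VIR_ERR_CONFIG_UNSUPPORTED or VIR_ERR_OPERATION_UNSUPPORTED reads better in virsh output and lets management tools classify it. The default-zone branch still discards the result of virFirewallDInterfaceSetZone with ignore_value, so the asymmetry the commit message describes (error for an explicit zone, silence for the default) leaves no trace in the log when the libvirt zone failed to load; a VIR_WARN there would help.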
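Review bot: the only test change is routed-network.xml in tests/networkxml2xmlin and tests/networkxml2xmlout gaining a zone attribute, which exercises parse/format round-tripping for one accepted mode. The two rejection paths added in virNetworkDefParseXML (zone in one of the modes that fall through to VIR_NETWORK_FORWARD_BRIDGE, and zone in forward mode "bridge") have no negative test, nor is there a case for a network with no forward element carrying a zone; adding those to the networkxml2xml tests would pin down the behaviour the docs hunk describes.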
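The zone rules spread across this series (the zoneName pattern in basictypes.rng, the "zone only in nat/route/open/no-forward" checks in network_conf.c, and the ignore-if-default / fail-if-explicit logic in networkAddFirewallRules) are easier to reason about side by side. The following Python is an added model of those rules written for this page; it is not libvirt code and is not how libvirtd talks to firewalld (libvirtd uses D-Bus via virFirewallDInterfaceSetZone, whereas the block only builds the equivalent firewall-cmd argument vector). The sample network definitions and the `firewalld_active` flag are constructed inputs, and the assumption that a `<forward>` element without `mode=` means NAT follows libvirt's documented default.

```python
"""Model of the firewalld zone rules added to libvirt's network driver.

Added example for this page; not libvirt's own code.
"""
import re
import xml.etree.ElementTree as ET

# Pattern of the zoneName type added to basictypes.rng in the patch.
ZONE_NAME_RE = re.compile(r"^[a-zA-Z0-9_\-]+$")
# Forward modes whose bridge libvirt creates and may place in a zone.
# None stands for a <network> with no <forward> element (isolated).
ZONE_CAPABLE_MODES = {None, "nat", "route", "open"}
DEFAULT_ZONE = "libvirt"


class NetworkConfigError(ValueError):
    """Raised for definitions libvirt would reject."""


def parse_network(xml_text):
    """Return (name, bridge, forward_mode, zone) after the parse-time checks."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "network":
        raise NetworkConfigError("root element must be <network>")
    name = root.findtext("name") or "(unnamed)"
    forward = root.find("forward")
    # Assumption: libvirt treats <forward/> without mode= as mode='nat'.
    mode = None if forward is None else forward.get("mode", "nat")
    bridge_el = root.find("bridge")
    bridge = bridge_el.get("name") if bridge_el is not None else None
    zone = bridge_el.get("zone") if bridge_el is not None else None

    if zone is not None:
        if mode not in ZONE_CAPABLE_MODES:
            raise NetworkConfigError(
                f"bridge zone not allowed in {mode} mode (network '{name}')")
        # The patch leaves this to the RNG schema; checking it here catches
        # a bad name at define time instead of at network start.
        if not ZONE_NAME_RE.match(zone):
            raise NetworkConfigError(
                f"zone name '{zone}' does not match {ZONE_NAME_RE.pattern}")
    return name, bridge, mode, zone


def validation_error(xml_text):
    """Return the rejection message for a definition, or None if it parses."""
    try:
        parse_network(xml_text)
    except NetworkConfigError as err:
        return str(err)
    return None


def select_zone(zone, firewalld_active):
    """Decide which zone the bridge is moved to when the network starts.

    Mirrors networkAddFirewallRules in patch 5/5: no explicit zone means
    "try the libvirt zone if firewalld is up, otherwise do nothing"; an
    explicit zone is an error when firewalld is not running.
    Returns the zone name, or None when no zone change is attempted.
    """
    if zone is None:
        return DEFAULT_ZONE if firewalld_active else None
    if not firewalld_active:
        raise NetworkConfigError(
            f"zone {zone} requested but firewalld is not active")
    return zone


def firewall_cmd_argv(bridge, zone):
    """firewall-cmd equivalent of the runtime zone change libvirt makes over D-Bus."""
    return ["firewall-cmd", f"--zone={zone}", f"--change-interface={bridge}"]


# Constructed sample definitions (not the patch's test files).
ROUTED_CUSTOM_ZONE = """
<network>
  <name>local</name>
  <forward mode='route' dev='eth1'/>
  <bridge name='virbr1' stp='on' delay='0' zone='trusted'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>
"""

NAT_DEFAULT_ZONE = """
<network>
  <name>default</name>
  <forward/>
  <bridge name='virbr0' stp='on' delay='0'/>
</network>
"""

HOST_BRIDGE_WITH_ZONE = """
<network>
  <name>host-bridge</name>
  <forward mode='bridge'/>
  <bridge name='br0' zone='libvirt'/>
</network>
"""


if __name__ == "__main__":
    for doc in (ROUTED_CUSTOM_ZONE, NAT_DEFAULT_ZONE, HOST_BRIDGE_WITH_ZONE):
        try:
            name, bridge, mode, zone = parse_network(doc)
            chosen = select_zone(zone, firewalld_active=True)
            action = firewall_cmd_argv(bridge, chosen) if chosen else "(no zone change)"
            print(f"{name}: mode={mode} zone={chosen} {action}")
        except NetworkConfigError as err:
            print("rejected:", err)
```

Running the block shows the three outcomes the series distinguishes: the routed network lands in its custom zone, the NAT network with no zone attribute gets "libvirt", and the forward mode "bridge" definition is rejected at parse time. Flip `firewalld_active` to False to see the asymmetry from the commit message: the default case quietly returns None while the explicit zone raises.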