1. Patchew
  2. Libvirt
  3. View series

[libvirt] [PATCH v2 0/7] network: fix networking for firewalld+nftables

Laine Stump posted 7 patches 5 years, 2 months ago
Failed in applying to current master (apply log)
configure.ac                               |   3 +
docs/firewall.html.in                      |  38 +++
docs/formatnetwork.html.in                 |  17 +
docs/news.xml                              |  40 +++
docs/schemas/basictypes.rng                |   6 +
docs/schemas/network.rng                   |   6 +
include/libvirt/virterror.h                |   1 +
libvirt.spec.in                            |  31 ++
m4/virt-firewalld-zone.m4                  |  45 +++
m4/virt-firewalld.m4                       |   4 +-
src/conf/network_conf.c                    |  14 +-
src/conf/network_conf.h                    |   1 +
src/libvirt_private.syms                   |  10 +
src/network/Makefile.inc.am                |  10 +-
src/network/bridge_driver.c                |   6 +-
src/network/bridge_driver_linux.c          |  67 ++++
src/network/libvirt.zone                   |  23 ++
src/nwfilter/nwfilter_driver.c             |   6 +-
src/util/Makefile.inc.am                   |   3 +
src/util/virerror.c                        |   3 +-
src/util/virfirewall.c                     |  86 +----
src/util/virfirewalld.c                    | 373 +++++++++++++++++++++
src/util/virfirewalld.h                    |  46 +++
src/util/virfirewalldpriv.h                |  30 ++
src/util/virfirewallpriv.h                 |   2 -
tests/networkxml2xmlin/routed-network.xml  |   2 +-
tests/networkxml2xmlout/routed-network.xml |   2 +-
tests/virfirewalltest.c                    |   2 +
28 files changed, 779 insertions(+), 98 deletions(-)
create mode 100644 m4/virt-firewalld-zone.m4
create mode 100644 src/network/libvirt.zone
create mode 100644 src/util/virfirewalld.c
create mode 100644 src/util/virfirewalld.h
create mode 100644 src/util/virfirewalldpriv.h
[libvirt] [PATCH v2 0/7] network: fix networking for firewalld+nftables
Posted by Laine Stump 5 years, 2 months ago 
Resolves: https://bugzilla.redhat.com/1638342
Creates-and-Resolves: https://bugzilla.redhat.com/1650320

V1: https://www.redhat.com/archives/libvir-list/2019-January/msg00227.html

The detailed explanation of this is in Patch 4/7 and 5/7. Basically,
when firewalld enables their new nftables backend, libvirt virtual
networks lose all ability to forward packets from guests out to the
physical network, and can only communicate with the host itself as
much as firewalld's "public" zone will allow (which isn't much, and
doesn't include DHCP or DNS).

I *think* I've addressed everything in Daniel and John's review
comments. In particular, I've made installation of the libvirt zone
file optional, and if the libvirt zone is missing, I only log an error
if the firewalld backend is set to nftables.

Laine Stump (7):
  configure: change HAVE_FIREWALLD to WITH_FIREWALLD
  util: move all firewalld-specific stuff into its own files
  util: new virFirewallD APIs + docs
  configure: selectively install a firewalld 'libvirt' zone
  network: set firewalld zone of bridges to "libvirt" zone when
    appropriate
  network: allow configuring firewalld zone for virtual network bridge
    device
  docs: update news.xml for firewalld zone changes

 configure.ac                               |   3 +
 docs/firewall.html.in                      |  38 +++
 docs/formatnetwork.html.in                 |  17 +
 docs/news.xml                              |  40 +++
 docs/schemas/basictypes.rng                |   6 +
 docs/schemas/network.rng                   |   6 +
 include/libvirt/virterror.h                |   1 +
 libvirt.spec.in                            |  31 ++
 m4/virt-firewalld-zone.m4                  |  45 +++
 m4/virt-firewalld.m4                       |   4 +-
 src/conf/network_conf.c                    |  14 +-
 src/conf/network_conf.h                    |   1 +
 src/libvirt_private.syms                   |  10 +
 src/network/Makefile.inc.am                |  10 +-
 src/network/bridge_driver.c                |   6 +-
 src/network/bridge_driver_linux.c          |  67 ++++
 src/network/libvirt.zone                   |  23 ++
 src/nwfilter/nwfilter_driver.c             |   6 +-
 src/util/Makefile.inc.am                   |   3 +
 src/util/virerror.c                        |   3 +-
 src/util/virfirewall.c                     |  86 +----
 src/util/virfirewalld.c                    | 373 +++++++++++++++++++++
 src/util/virfirewalld.h                    |  46 +++
 src/util/virfirewalldpriv.h                |  30 ++
 src/util/virfirewallpriv.h                 |   2 -
 tests/networkxml2xmlin/routed-network.xml  |   2 +-
 tests/networkxml2xmlout/routed-network.xml |   2 +-
 tests/virfirewalltest.c                    |   2 +
 28 files changed, 779 insertions(+), 98 deletions(-)
 create mode 100644 m4/virt-firewalld-zone.m4
 create mode 100644 src/network/libvirt.zone
 create mode 100644 src/util/virfirewalld.c
 create mode 100644 src/util/virfirewalld.h
 create mode 100644 src/util/virfirewalldpriv.h

-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.