From: Laine Stump
To: libvir-list@redhat.com
Cc: Eric Garver
Date: Thu, 31 Jan 2019 20:24:57 -0500
Message-Id: <20190201012458.25703-7-laine@laine.org>
In-Reply-To: <20190201012458.25703-1-laine@laine.org>
References: <20190201012458.25703-1-laine@laine.org>
Subject: [libvirt] [PATCH v2 6/7] network: allow configuring firewalld zone for virtual network bridge device

Since we're setting the zone anyway, it will be useful to allow setting a different (custom) zone for each network. This will be done by adding a "zone" attribute to the "bridge" element, e.g.:

...
...

If a zone is specified in the config and it can't be honored, this will be an error.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
Change from V1: move news.xml additions to a separate patch, as requested.

 docs/firewall.html.in                      |  5 +++++
 docs/formatnetwork.html.in                 | 17 +++++++++++++++++
 docs/schemas/basictypes.rng                |  6 ++++++
 docs/schemas/network.rng                   |  6 ++++++
 src/conf/network_conf.c                    | 14 ++++++++++++--
 src/conf/network_conf.h                    |  1 +
 src/network/bridge_driver_linux.c          | 19 +++++++++++++++++++
 tests/networkxml2xmlin/routed-network.xml  |  2 +-
 tests/networkxml2xmlout/routed-network.xml |  2 +-
 9 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/docs/firewall.html.in b/docs/firewall.html.in
index 5d584e582e..e86ab0d974 100644
--- a/docs/firewall.html.in +++ b/docs/firewall.html.in @@ -151,6 +151,11 @@ MASQUERADE all -- * * 192.168.122.0/24 = !192.168.122.0/24 iptables rules regardless of which backend is in use by firewalld.

+

+ NB: It is possible to manually set the firewalld zone for a + network's interface with the "zone" attribute of the network's + "bridge" element. +

NB: Prior to libvirt 5.1.0, the firewalld "libvirt" zone did not exist, and prior to firewalld 0.7.0 a feature crucial to making diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in index 156cfae4ec..509cca9e8b 100644 --- a/docs/formatnetwork.html.in +++ b/docs/formatnetwork.html.in @@ -152,6 +152,23 @@ Since 1.2.11, requires kernel 3.17 or newer

+ +

+ The optional zone attribute of + the bridge element is used to specify + the firewalld + zone for the bridge of a network with forward + mode of "nat", "route", "open", or one with + no forward specified. By default, the bridges + of all virtual networks with these forward modes are placed + in the firewalld zone named "libvirt", which permits + incoming DNS, DHCP, TFTP, and SSH to the host from guests on + the network. This behavior can be changed either by + modifying the libvirt zone (using firewalld management + tools), or by placing the network in a different zone (which + will also be managed using firewalld tools). + Since 5.1.0 +

=20
mtu
diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng index 9a63720ff7..9b3dcad4a5 100644 --- a/docs/schemas/basictypes.rng +++ b/docs/schemas/basictypes.rng @@ -279,6 +279,12 @@ =20 + + + [a-zA-Z0-9_\-]+ + + + .+ diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng index f37c422bf3..2a6e3358fd 100644 --- a/docs/schemas/network.rng +++ b/docs/schemas/network.rng @@ -58,6 +58,12 @@ =20 + + + + + + diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index e035d8aba7..b09cb1dae2 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -203,6 +203,7 @@ virNetworkDefFree(virNetworkDefPtr def) =20 VIR_FREE(def->name); VIR_FREE(def->bridge); + VIR_FREE(def->bridgeZone); VIR_FREE(def->domain); =20 virNetworkForwardDefClear(&def->forward); @@ -1684,6 +1685,7 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) =20 /* Parse bridge information */ def->bridge =3D virXPathString("string(./bridge[1]/@name)", ctxt); + def->bridgeZone =3D virXPathString("string(./bridge[1]/@zone)", ctxt); stp =3D virXPathString("string(./bridge[1]/@stp)", ctxt); def->stp =3D (stp && STREQ(stp, "off")) ? false : true; =20 @@ -1920,6 +1922,13 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) def->name); goto error; } + if (def->bridgeZone) { + virReportError(VIR_ERR_XML_ERROR, + _("bridge zone not allowed in %s mode (network = '%s')"), + virNetworkForwardTypeToString(def->forward.type= ), + def->name); + goto error; + } if (def->macTableManager) { virReportError(VIR_ERR_XML_ERROR, _("bridge macTableManager setting not allowed " 
@@ -1931,9 +1940,9 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) ATTRIBUTE_FALLTHROUGH; =20 case VIR_NETWORK_FORWARD_BRIDGE: - if (def->delay || stp) { + if (def->delay || stp || def->bridgeZone) { virReportError(VIR_ERR_XML_ERROR, - _("bridge delay/stp options only allowed in " + _("bridge delay/stp/zone options only allowed i= n " "route, nat, and isolated mode, not in %s " "(network '%s')"), virNetworkForwardTypeToString(def->forward.type= ), @@ -2508,6 +2517,7 @@ virNetworkDefFormatBuf(virBufferPtr buf, if (hasbridge || def->bridge || def->macTableManager) { virBufferAddLit(buf, "bridge); + virBufferEscapeString(buf, " zone=3D'%s'", def->bridgeZone); if (hasbridge) virBufferAsprintf(buf, " stp=3D'%s' delay=3D'%ld'", def->stp ? "on" : "off", def->delay); diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h index c630674300..673f70cc68 100644 --- a/src/conf/network_conf.h +++ b/src/conf/network_conf.h @@ -235,6 +235,7 @@ struct _virNetworkDef { int connections; /* # of guest interfaces connected to this network = */ =20 char *bridge; /* Name of bridge device */ + char *bridgeZone; /* name of firewalld zone for bridge */ int macTableManager; /* enum virNetworkBridgeMACTableManager */ char *domain; int domainLocalOnly; /* enum virTristateBool: yes disables dns forward= ing */ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 9d2e6877ae..b10d0a6c4d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -671,6 +671,24 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 + if (def->bridgeZone) { + + /* if a firewalld zone has been specified, fail/log an error + * if we can't honor it + */ + if (virFirewallDIsRegistered() < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("zone %s requested for network %s " + "but firewalld is not active"), + def->bridgeZone, def->name); + goto cleanup; + } + + if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) + goto cleanup; + + } else { + /* if firewalld is active, try to set the "libvirt" zone. This is * desirable (for consistency) if firewalld is using the iptables * backend, but is necessary (for basic network connectivity) if @@ -717,6 +735,7 @@ int networkAddFirewallRules(virNetworkDefPtr def) } } } + } =20 fw =3D virFirewallNew(); =20 diff --git a/tests/networkxml2xmlin/routed-network.xml b/tests/networkxml2x= mlin/routed-network.xml index ab5e15b1f6..fce01df132 100644 --- a/tests/networkxml2xmlin/routed-network.xml +++ b/tests/networkxml2xmlin/routed-network.xml @@ -1,7 +1,7 @@ local 81ff0d90-c91e-6742-64da-4a736edb9a9b - + diff --git a/tests/networkxml2xmlout/routed-network.xml b/tests/networkxml2= xmlout/routed-network.xml index 81abf06e9f..2e13cf4ffa 100644 --- a/tests/networkxml2xmlout/routed-network.xml +++ b/tests/networkxml2xmlout/routed-network.xml @@ -4,7 +4,7 @@ - + --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
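Review bot: in the network_conf.c hunk @@ -1684,6 +1685,7 @@ the new def->bridgeZone value is taken straight from virXPathString with no check on its contents, so the [a-zA-Z0-9_\-]+ pattern added in the basictypes.rng hunk only applies when the XML is schema-validated; a definition with an unexpected zone name is accepted at define time and only fails later, when networkAddFirewallRules hands the string to firewalld at network start. Consider rejecting names outside that character set in the parser as well, so the error surfaces when the network is defined rather than when it is started.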
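Review bot: the error text changed in hunk @@ -1931,9 +1940,9 @@ ("bridge delay/stp/zone options only allowed in route, nat, and isolated mode") disagrees with the formatnetwork.html.in hunk, which documents the zone attribute for forward mode "nat", "route", "open", or no forward. One of the two should change; and since networkAddFirewallRules is the only place this patch applies the zone, it is worth confirming that open-mode networks actually reach that function before the docs promise zone support for them.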
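Review bot: in the bridge_driver_linux.c hunk @@ -671,6 +671,24 @@ the existing "libvirt" zone code is moved under a new else branch, but its body appears as unchanged context between the added "} else {" and the "+ }" in hunk @@ -717,6 +735,7 @@, so it was not re-indented to the new nesting level; either re-indent here or say in the commit message that a follow-up does it. Two smaller points in the same hunk: the new message uses "zone %s requested for network %s" while the surrounding code quotes such values as '%s', and the "goto cleanup" after a failed virFirewallDInterfaceSetZone() adds no error of its own, so please confirm that function reports one, otherwise a network start would fail silently.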