From nobody Fri Apr 26 15:02:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1668098038; cv=none; d=zohomail.com; s=zohoarc; b=NHcmsCl1HYyxXI4WwUbNxRjBNZ73wAZDomT3ehTCKFEHLNr5HdW4haD+FsrpgHDInrZM3Hgy5oaG01trgZZFceaU1h4xdT5oqfnbFRdMvPQXtW/jt26QuYnOgUDeSdsvB/Q2LXZh0CYgOikUJkilLAsgq02jpRWDHke0uofmCbo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1668098038; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=IDGU5o+CPPVaJ9qkj5HAUGmWI8Ud60zloOeipC7YIMg=; b=kxgr52SGgs5id7SDK4/5UjR+R5zwnYedAZFA76U+9tA+FEfgZFDCBcHAEnGV2N83pYk/kJ5gxd8D0ulzT0EDbIL+4PiGDXplu1IocMHq4zR6a9GQ+D/Fw9qMfOBRd5VT2c6rHwuCPlN9Vu+NYdSruZNRxqeU+L5H+5XBKpIjTYE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1668098038497639.7619405818098; Thu, 10 Nov 2022 08:33:58 -0800 (PST) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-643-rwFyouzSMSWxd_GsnMWwpw-1; Thu, 10 Nov 2022 11:33:53 -0500 Received: from smtp.corp.redhat.com 
(int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 47EFB10F83B1; Thu, 10 Nov 2022 16:32:16 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3347140C94EB; Thu, 10 Nov 2022 16:32:16 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id A49A21946A51; Thu, 10 Nov 2022 16:32:01 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id D5AD01946589 for ; Thu, 10 Nov 2022 16:31:53 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id C010C40C94CF; Thu, 10 Nov 2022 16:31:53 +0000 (UTC) Received: from wsfd-netdev-vmhost.ntdv.lab.eng.bos.redhat.com (wsfd-netdev-vmhost.ntdv.lab.eng.bos.redhat.com [10.19.188.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id A045040C94AA; Thu, 10 Nov 2022 16:31:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1668098037; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=IDGU5o+CPPVaJ9qkj5HAUGmWI8Ud60zloOeipC7YIMg=; b=iTU0DBJOcEfjbbtHNHyjotEJeqveOLyDoGBg9nB5Gl5kcLiTAKSK8mtLJInTjDOTcoXqL3 8LRc5U1w8EztQmiaNMoS2lQ6MC5kRMa7amyLfpk18DxO7Sb9Z37cOHwuKo/x5OtJNRzsnX n6XyTRIl0LKBS9pmgOdp1svMdfZoWYk= X-MC-Unique: rwFyouzSMSWxd_GsnMWwpw-1 X-Original-To: libvir-list@listman.corp.redhat.com 
From: Eric Garver To: libvir-list@redhat.com Subject: [PATCH 1/8] util: virFirewallDGetPolicies: gracefully handle older firewalld Date: Thu, 10 Nov 2022 11:31:45 -0500 Message-Id: <20221110163152.2868177-2-eric@garver.life> In-Reply-To: <20221110163152.2868177-1-eric@garver.life> References: <20221110163152.2868177-1-eric@garver.life> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laine Stump Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1668098039062100001 Content-Type: text/plain; charset="utf-8"; x-default="true" If the running firewalld doesn't support getPolicies() then we fallback to the "libvirt" zone. Throwing an error log is excessive since we gracefully fallback. Avoids these logs: error : virGDBusCallMethod:242 : error from service: \ GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod Fixes: ab56f84976e0 ("util: add virFirewallDGetPolicies()") Signed-off-by: Eric Garver Reviewed-by: Michal Privoznik --- src/util/virfirewalld.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index ad879164c3a8..d11e974cc2d5 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c @@ -240,6 +240,7 @@ virFirewallDGetPolicies(char ***policies, size_t *npoli= cies) GDBusConnection *sysbus =3D virGDBusGetSystemBus(); g_autoptr(GVariant) reply =3D NULL; g_autoptr(GVariant) array =3D NULL; + g_autoptr(virError) error =3D NULL; =20 *npolicies =3D 0; *policies =3D NULL; 
@@ -247,10 +248,12 @@ virFirewallDGetPolicies(char ***policies, size_t *npo= licies) if (!sysbus) return -1; =20 + error =3D g_new0(virError, 1); + if (virGDBusCallMethod(sysbus, &reply, G_VARIANT_TYPE("(as)"), - NULL, + error, VIR_FIREWALL_FIREWALLD_SERVICE, "/org/fedoraproject/FirewallD1", "org.fedoraproject.FirewallD1.policy", 
@@ -258,6 +261,12 @@ virFirewallDGetPolicies(char ***policies, size_t *npol= icies) NULL) < 0) return -1; =20 + if (error->level =3D=3D VIR_ERR_ERROR) { + if (!virGDBusErrorIsUnknownMethod(error)) + virReportErrorObject(error); + return -1; + } + g_variant_get(reply, "(@as)", &array); *policies =3D g_variant_dup_strv(array, npolicies); =20 --=20 2.37.3 From nobody Fri Apr 26 15:02:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1668097991; cv=none; d=zohomail.com; s=zohoarc; b=EBHJw3CU/ZUv0u4eS9xvwQ3lV3Hm8q+3ZOUHB9vUthYr1XhyaeiWjX+RxqHyb0JKrq4XmTXsPej7R4yrVU18NbY0CSyn59P0PO3q2UOh7D7Hdsa0o25La2N1TBbnQmU4rpTByoLblS7rKtvcExEfR8raBYQGeg7TjGAXjy2aaV0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1668097991; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=/0e0TzNW71WCVLtWHQzvos9PxlUJGp/l9EoQNlCCI9g=; b=aNaixblsa+SGpjKx641M/vE5f2S3g6EPoLDznQcsm3qqa23VN3u1qm+0uBdNU7tirX0gTzkA7Eg/6uJsR2wysGx1Zm8bfuimCSmcGjf4yuxhD3HR6Cgr9gZ72FSmm4OvhXxw9H7dulV+3woQwPS5v6SDtkavsmxKhEXk8zhvFZE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1668097991294796.2632911827775; Thu, 10 Nov 2022 
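Review bot: in the new "if (error->level == VIR_ERR_ERROR)" block both branches return -1, but only the non-UnknownMethod branch calls virReportErrorObject(), so a caller of virFirewallDGetPolicies() cannot tell "this firewalld predates getPolicies()" apart from a genuine D-Bus failure, and in the former case gets -1 with no error raised. That is what the commit message wants for the "libvirt" zone fallback, but it needs to be stated in the function's doc comment (or signalled with a distinct result, e.g. 0 with *npolicies == 0) so that future callers do not treat the silent -1 as a reportable failure.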
From: Eric Garver
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [PATCH 2/8] network: firewalld: add networkAddHybridFirewallDRules()
Date: Thu, 10 Nov 2022 11:31:46 -0500
Message-Id: <20221110163152.2868177-3-eric@garver.life>
In-Reply-To: <20221110163152.2868177-1-eric@garver.life>
References: <20221110163152.2868177-1-eric@garver.life>
Content-Transfer-Encoding: quoted-printable

This factors out the firewalld pieces of the iptables + firewalld backend.

Signed-off-by: Eric Garver
Reviewed-by: Michal Privoznik
---
 src/network/bridge_driver_linux.c | 117 ++++++++++++++++--------------
 1 file changed, 61 insertions(+), 56 deletions(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c
index d9597d91beed..88a8e9c5fa27 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -801,6 +801,58 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw, } =20 =20 +static int +networkAddHybridFirewallDRules(virNetworkDef *def) +{ + /* if firewalld is active, try to set the "libvirt" zone. This is + * desirable (for consistency) if firewalld is using the iptables + * backend, but is necessary (for basic network connectivity) if + * firewalld is using the nftables backend + */ + + /* if the "libvirt" zone exists, then set it. If not, and + * if firewalld is using the nftables backend, then we + * need to log an error because the combination of + * nftables + default zone means that traffic cannot be + * forwarded (and even DHCP and DNS from guest to host + * will probably no be permitted by the default zone + */ + if (virFirewallDZoneExists("libvirt")) { + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0) + return -1; + } else { + unsigned long version; + int vresult =3D virFirewallDGetVersion(&version); + + if (vresult < 0) + return -1; + + /* Support for nftables backend was added in firewalld + * 0.6.0. Support for rule priorities (required by the + * 'libvirt' zone, which should be installed by a + * libvirt package, *not* by firewalld) was not added + * until firewalld 0.7.0 (unless it was backported). + */ + if (version >=3D 6000 && + virFirewallDGetBackend() =3D=3D VIR_FIREWALLD_BACKEND_NFTABLES= ) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewalld is set to use the nftables " + "backend, but the required firewalld " + "'libvirt' zone is missing. Either set " + "the firewalld backend to 'iptables', or " + "ensure that firewalld has a 'libvirt' " + "zone by upgrading firewalld to a " + "version supporting rule priorities " + "(0.7.0+) and/or rebuilding " + "libvirt with --with-firewalld-zone")); + return -1; + } + } + + return 0; +} + + /* Add all rules for all ip addresses (and general rules) on a network */ int networkAddFirewallRules(virNetworkDef *def) { 
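Review bot: the comment block moved into networkAddHybridFirewallDRules() still carries the typo "will probably no be permitted by the default zone" (should be "not"), and its first paragraph still opens with "if firewalld is active, try to set the libvirt zone" although the virFirewallDIsRegistered() == 0 check that establishes this now lives in the caller. Since the block is being relocated anyway, fix the typo and reword the lead sentence so the function's precondition (the caller has already verified that firewalld is registered) is explicit.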
@@ -842,62 +894,15 @@ int networkAddFirewallRules(virNetworkDef *def) if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) return -1; =20 - } else { - - /* if firewalld is active, try to set the "libvirt" zone. This is - * desirable (for consistency) if firewalld is using the iptables - * backend, but is necessary (for basic network connectivity) if - * firewalld is using the nftables backend - */ - if (virFirewallDIsRegistered() =3D=3D 0) { - - /* if the "libvirt" zone exists, then set it. If not, and - * if firewalld is using the nftables backend, then we - * need to log an error because the combination of - * nftables + default zone means that traffic cannot be - * forwarded (and even DHCP and DNS from guest to host - * will probably no be permitted by the default zone - * - * Routed networks use a different zone and policy which we al= so - * need to verify exist. Probing for the policy guarantees the - * running firewalld has support for policies (firewalld >=3D = 0.9.0). - */ - if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE && - virFirewallDPolicyExists("libvirt-routed-out") && - virFirewallDZoneExists("libvirt-routed")) { - if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-rou= ted") < 0) - return -1; - } else if (virFirewallDZoneExists("libvirt")) { - if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") <= 0) - return -1; - } else { - unsigned long version; - int vresult =3D virFirewallDGetVersion(&version); - - if (vresult < 0) - return -1; - - /* Support for nftables backend was added in firewalld - * 0.6.0. Support for rule priorities (required by the - * 'libvirt' zone, which should be installed by a - * libvirt package, *not* by firewalld) was not added - * until firewalld 0.7.0 (unless it was backported). 
- */ - if (version >=3D 6000 && - virFirewallDGetBackend() =3D=3D VIR_FIREWALLD_BACKEND_= NFTABLES) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("firewalld is set to use the nftables= " - "backend, but the required firewalld " - "'libvirt' zone is missing. Either se= t " - "the firewalld backend to 'iptables',= or " - "ensure that firewalld has a 'libvirt= ' " - "zone by upgrading firewalld to a " - "version supporting rule priorities " - "(0.7.0+) and/or rebuilding " - "libvirt with --with-firewalld-zone")= ); - return -1; - } - } + } else if (virFirewallDIsRegistered() =3D=3D 0) { + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE && + virFirewallDPolicyExists("libvirt-routed-out") && + virFirewallDZoneExists("libvirt-routed")) { + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed"= ) < 0) + return -1; + } else { + if (networkAddHybridFirewallDRules(def) < 0) + return -1; } } =20 --=20 2.37.3 From nobody Fri Apr 26 15:02:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1668098019; cv=none; d=zohomail.com; s=zohoarc; b=jFO3PMRvJuAP7M5bJQGZEN/uX5s9XPoxonMtsYZJMKvhDHdvbcVV2ILGg5BEglB7QtRnC8bh7WJ9CvD5Ay2tQGQS1vRpp+k68RZDPCKilkcTRpwLXexB+ovfqChAnPuKhIszftKfmKL2nrYJy7oFbewUcu9CMjtu3ymsSmi1/VQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1668098019; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; 
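Review bot: the removed lines drop the comment explaining why the routed branch probes for the "libvirt-routed-out" policy ("Probing for the policy guarantees the running firewalld has support for policies (firewalld >= 0.9.0)"), while the check itself, "def->forward.type == VIR_NETWORK_FORWARD_ROUTE && virFirewallDPolicyExists("libvirt-routed-out") && virFirewallDZoneExists("libvirt-routed")", is kept in the new "else if" branch. Keep that comment above the retained check; without it the policy probe reads as an ordinary existence test rather than a deliberate feature-detection step.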
From: Eric Garver
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [PATCH 3/8] network: firewalld: use native routed networks
Date: Thu, 10 Nov 2022 11:31:47 -0500
Message-Id: <20221110163152.2868177-4-eric@garver.life>
In-Reply-To: <20221110163152.2868177-1-eric@garver.life>
References: <20221110163152.2868177-1-eric@garver.life>
Content-Transfer-Encoding: quoted-printable

The firewalld backend for routed networks can now use a native implementation. The hybrid of iptables + firewalld is no longer necessary.

When full native firewalld is in use there are zero iptables rules added by libvirt. This is accomplished by returning early in networkAddFirewallRules() and avoiding calls to networkSetupPrivateChains().

Signed-off-by: Eric Garver
Reviewed-by: Michal Privoznik
---
 src/network/bridge_driver_linux.c | 51 +++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 9 deletions(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c
index 88a8e9c5fa27..42f098ff1f9b 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -133,6 +133,21 @@ networkHasRunningNetworksWithFW(virNetworkDriverState = *driver) } =20 =20 +static bool +networkUseOnlyFirewallDRules(void) +{ + if (virFirewallDIsRegistered() < 0) + return false; + + if (virFirewallDPolicyExists("libvirt-routed-out") && + virFirewallDZoneExists("libvirt-routed")) { + return true; + } + + return false; +} + + void networkPreReloadFirewallRules(virNetworkDriverState *driver, bool startup G_GNUC_UNUSED, @@ -172,6 +187,9 @@ networkPreReloadFirewallRules(virNetworkDriverState *dr= iver, return; } =20 + if (!chainInitDone && networkUseOnlyFirewallDRules()) + return; + ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); } } @@ -801,6 +819,18 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw, } =20 =20 +static int +networkAddOnlyFirewallDRules(virNetworkDef *def) +{ + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < = 0) + return -1; + } + + return 0; +} + + static int networkAddHybridFirewallDRules(virNetworkDef *def) { @@ -860,6 +890,11 @@ int networkAddFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 + if (!def->bridgeZone && networkUseOnlyFirewallDRules() && + def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + return networkAddOnlyFirewallDRules(def); + } + if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; =20 
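Review bot: the early return added to networkPreReloadFirewallRules(), "if (!chainInitDone && networkUseOnlyFirewallDRules()) return;", is a host-wide decision, whereas the same patch makes networkAddFirewallRules() take the native path only for a network with "!def->bridgeZone && def->forward.type == VIR_NETWORK_FORWARD_ROUTE". On a host that also runs NAT networks this skips the pre-reload chain setup even though those networks still need networkSetupPrivateChains(); it stays correct only because networkAddFirewallRules() still calls virOnce(&createdOnce, networkSetupPrivateChains) for them. Add a comment at the early return stating that dependency, and note that networkUseOnlyFirewallDRules() costs two D-Bus round trips (virFirewallDPolicyExists() and virFirewallDZoneExists()) on every call, so its result is worth caching alongside chainInitDone.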
@@ -895,15 +930,8 @@ int networkAddFirewallRules(virNetworkDef *def) return -1; =20 } else if (virFirewallDIsRegistered() =3D=3D 0) { - if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE && - virFirewallDPolicyExists("libvirt-routed-out") && - virFirewallDZoneExists("libvirt-routed")) { - if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed"= ) < 0) - return -1; - } else { - if (networkAddHybridFirewallDRules(def) < 0) - return -1; - } + if (networkAddHybridFirewallDRules(def) < 0) + return -1; } =20 virFirewallStartTransaction(fw, 0); 
@@ -940,6 +968,11 @@ void networkRemoveFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 + if (!def->bridgeZone && networkUseOnlyFirewallDRules() && + def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + return; + } + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); networkRemoveChecksumFirewallRules(fw, def); =20 --=20 2.37.3 From nobody Fri Apr 26 15:02:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1668098005; cv=none; d=zohomail.com; s=zohoarc; b=mP2p5yKGeTliabyXsR/1kvjhbjopt5ZeO8ILKTSMyTioQtaUwfPqG8Xzg7YeFbnaMwTT5JVS+5gX0+mrVI1orvOkDCzffM1SBiwIdOumyU/2cD/EZUZyz1a47/7M8IfFQmmAZwS/f+0T1JSWT9jVtGN20Eenbf6GQ9nb2Nkzos8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1668098005; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=+rByuWBmFE5J7xBZRaplBgG81eVhXmC6fgoGb/17QjM=; b=bmXQduflkbxxvP5X3zPs/SRLVtGanVf38FgGtG9FMb7RN9vUHmkK6c9sa9zXFvCGpuEIPkcdm42AcgS5DWRTidL/EV+XO4luINAyxT0sCO91SB3aRNrxa8rVLeceZNfSVJmOVm5Z8S6G2rAwawv1iaFgnh69KlCeCczft5V4xZw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com 
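Review bot: the early return in networkRemoveFirewallRules() repeats the three-part condition used in networkAddFirewallRules() ("!def->bridgeZone && networkUseOnlyFirewallDRules() && def->forward.type == VIR_NETWORK_FORWARD_ROUTE"); factor it into one predicate (say, networkIsOnlyFirewallDNetwork(def)) so the add and remove paths cannot drift apart. Also, nothing in the visible teardown undoes the "libvirt-routed" zone binding set by networkAddOnlyFirewallDRules(); if that is intentionally left to firewalld to drop together with the bridge interface, a one-line comment at the return should say so.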
list-unsubscribe:list-subscribe:list-post; bh=+rByuWBmFE5J7xBZRaplBgG81eVhXmC6fgoGb/17QjM=; b=VKDEsWZz4XMj8xXWFltviQ23vmOTtAjlN6Qsb9d5Te8SBSU9uuG4G2fBGNo2u2Nn9/Yq+l U1lmTlslOu7uCn9g7GC02JsEvF7JzfXr3HniejrlYxxzPBZ9CFj6a1qP7jf0gkxdF8zdCV RvKmJ3pucg9hExcZ/Kbi2ybJ5WY1TqI= X-MC-Unique: grdHOCLuMiCKFVEijnsTSA-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Eric Garver To: libvir-list@redhat.com Subject: [PATCH 4/8] util: add virFirewallDSourceSetZone() Date: Thu, 10 Nov 2022 11:31:48 -0500 Message-Id: <20221110163152.2868177-5-eric@garver.life> In-Reply-To: <20221110163152.2868177-1-eric@garver.life> References: <20221110163152.2868177-1-eric@garver.life> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laine Stump Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1668098006831100001 Content-Type: text/plain; charset="utf-8"; x-default="true" Signed-off-by: Eric Garver Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 1 + src/util/virfirewalld.c | 24 ++++++++++++++++++++++++ src/util/virfirewalld.h | 2 ++ 3 files changed, 27 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 97ff2a43e48a..c5882c535210 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2366,6 +2366,7 @@ virFirewallDGetZones; virFirewallDInterfaceSetZone; virFirewallDIsRegistered; virFirewallDPolicyExists; +virFirewallDSourceSetZone; virFirewallDSynchronize; virFirewallDZoneExists; =20 
diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index d11e974cc2d5..07f9cdd1e485 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c @@ -451,6 +451,30 @@ virFirewallDInterfaceSetZone(const char *iface, } =20 =20 +int +virFirewallDSourceSetZone(const char *source, + const char *zone) +{ + GDBusConnection *sysbus =3D virGDBusGetSystemBus(); + g_autoptr(GVariant) message =3D NULL; + + if (!sysbus) + return -1; + + message =3D g_variant_new("(ss)", zone, source); + + return virGDBusCallMethod(sysbus, + NULL, + NULL, + NULL, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.zone", + "changeZoneOfSource", + message); +} + + void virFirewallDSynchronize(void) { diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index fa4c9e702ccb..11aad7786dfb 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h 
@@ -43,5 +43,7 @@ int virFirewallDApplyRule(virFirewallLayer layer, =20 int virFirewallDInterfaceSetZone(const char *iface, const char *zone); +int virFirewallDSourceSetZone(const char *source, + const char *zone); =20 void virFirewallDSynchronize(void); --=20 2.37.3 From nobody Fri Apr 26 15:02:07 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1668098043; cv=none; d=zohomail.com; s=zohoarc; b=cDNye+IyT3sAHk8vydIouuKzCo0Ub+xiefCKiOK64+n+WMwmgJ2OV1ogXAeV9RlJ7/yxcgR//sQgHmPzlR386wZl7Y5+K65+VApkK/J658MXD/tG3aFrUTqLuwdq4GvV64Dc2uqQ68abLKW5mSmN2XHMhYN5iaK0VM5fVEtHHq0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1668098043; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=s0obyDsGMS994EPSK06XyfHIsuPijt1EcpYzf8zdBs8=; b=jgNNehTeZ0LAi5PDOc+I7T7wFAl5sFqoWhZqmG0VcaH468umStJD61K9Gec77kaGNl7buGLg99H7Jv0r91jME4ZMIlIpW2jmJ9E3ixMgrBlzTUACRlO9Q2i0lq55LFCknr+vprc2Y5CjHd+95rfaUX7U6C9qdFQ1kqxoZ1ayuUE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1668098043885284.5873619360882; Thu, 10 Nov 2022 08:34:03 -0800 (PST) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com 
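Review bot: virFirewallDSourceSetZone() has no doc comment: state that "source" is a firewalld source (an address or address/prefix, not an interface) and that the "(ss)" tuple is deliberately built as g_variant_new("(ss)", zone, source), the order firewalld's changeZoneOfSource expects, since the C function's parameters are declared in the reverse order (source, zone). The body is otherwise identical to virFirewallDInterfaceSetZone() apart from the method name; a shared static helper taking the method name as a parameter would avoid the duplication.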
From: Eric Garver
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [PATCH 5/8] util: add virFirewallDApplyPolicyRichRules()
Date: Thu, 10 Nov 2022 11:31:49 -0500
Message-Id: <20221110163152.2868177-6-eric@garver.life>
In-Reply-To: <20221110163152.2868177-1-eric@garver.life>
References: <20221110163152.2868177-1-eric@garver.life>

Signed-off-by: Eric Garver Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 1 + src/util/virfirewalld.c | 44 ++++++++++++++++++++++++++++++++++++++++ src/util/virfirewalld.h | 4 ++++ 3 files changed, 49 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index c5882c535210..8fddb9aad11b 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2358,6 +2358,7 @@ virFirewallStartTransaction; =20 =20 # util/virfirewalld.h +virFirewallDApplyPolicyRichRules; virFirewallDApplyRule; virFirewallDGetBackend; virFirewallDGetPolicies; diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 07f9cdd1e485..9b3c1d84c48f 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c
@@ -426,6 +426,50 @@ virFirewallDApplyRule(virFirewallLayer layer, return 0; } =20 +/** + * virFirewallDApplyPolicyRichRules: + * @policy: which policy to apply rules to + * @rules: rules to apply, array of strings + * @rules_count: number of rules in rules array + * + * Returns 0 on success, non-zero on failure + */ +int +virFirewallDApplyPolicyRichRules(const char *policy, + const char **rules, + size_t rules_count) +{ + GDBusConnection *sysbus =3D virGDBusGetSystemBus(); + g_autoptr(GVariant) message =3D NULL; + GVariant *array =3D NULL; + GVariantBuilder builder; + size_t i; + + if (!sysbus) + return -1; + + g_variant_builder_init(&builder, G_VARIANT_TYPE_STRING_ARRAY); + for (i =3D 0; i < rules_count; i++) { + g_variant_builder_add(&builder, "s", rules[i]); + } + array =3D g_variant_builder_end(&builder); + + g_variant_builder_init(&builder, G_VARIANT_TYPE_VARDICT); + g_variant_builder_add(&builder, "{sv}", "rich_rules", array); + + message =3D g_variant_new("(sa{sv})", policy, &builder); + + return virGDBusCallMethod(sysbus, + NULL, + NULL, + NULL, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.policy", + "setPolicySettings", + message); +} + =20 int virFirewallDInterfaceSetZone(const char *iface, diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index 11aad7786dfb..9ff4e02e1d59 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h 
@@ -40,6 +40,10 @@ int virFirewallDApplyRule(virFirewallLayer layer, char **args, size_t argsLen, bool ignoreErrors, char **output); +int virFirewallDApplyPolicyRichRules(const char *policy, + const char **rules, + size_t rules_count); + =20 int virFirewallDInterfaceSetZone(const char *iface, const char *zone); --=20 2.37.3
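Review bot: virFirewallDApplyPolicyRichRules() in virfirewalld.c hands the array to `setPolicySettings` under the single key "rich_rules", which, as the method name implies, sets that policy attribute to exactly the list passed rather than appending to it; the doc comment should therefore say that the caller must supply the complete rich-rule list for the policy, because two callers passing different lists would overwrite each other, and `rules_count == 0` sends an empty array that clears every rich rule on the policy, which deserves either an explicit early return or a comment saying that is intended. A smaller point: the comment says "Returns 0 on success, non-zero on failure" while the function and its siblings actually return -1; say -1 for consistency with virFirewallDInterfaceSetZone().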
From: Eric Garver
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [PATCH 6/8] network: firewalld: add zone for NAT networks
Date: Thu, 10 Nov 2022 11:31:50 -0500
Message-Id: <20221110163152.2868177-7-eric@garver.life>
In-Reply-To: <20221110163152.2868177-1-eric@garver.life>
References: <20221110163152.2868177-1-eric@garver.life>

This zone will be used for the NAT network by default.

Note that this zone definition omits "forward" aka intra-zone forwarding, because it requires firewalld >= 0.9.0.

Signed-off-by: Eric Garver Reviewed-by: Michal Privoznik --- libvirt.spec.in | 1 + src/network/libvirt-nat.zone | 10 ++++++++++ src/network/meson.build | 5 +++++ 3 files changed, 16 insertions(+) create mode 100644 src/network/libvirt-nat.zone diff --git a/libvirt.spec.in b/libvirt.spec.in index ac5bf7b8653c..6537b9385a0e 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in
@@ -1920,6 +1920,7 @@ exit 0 =20 %if %{with_firewalld_zone} %{_prefix}/lib/firewalld/zones/libvirt.xml +%{_prefix}/lib/firewalld/zones/libvirt-nat.xml %{_prefix}/lib/firewalld/zones/libvirt-routed.xml %{_prefix}/lib/firewalld/policies/libvirt-routed-in.xml %{_prefix}/lib/firewalld/policies/libvirt-routed-out.xml diff --git a/src/network/libvirt-nat.zone b/src/network/libvirt-nat.zone new file mode 100644 index 000000000000..6ebffb189a56 --- /dev/null +++ b/src/network/libvirt-nat.zone @@ -0,0 +1,10 @@ + + + libvirt-nat + + + This zone is intended to be used only by NAT libvirt virtual networks - + libvirt will add the bridge devices for all new virtual networks to th= is + zone by default. + + diff --git a/src/network/meson.build b/src/network/meson.build index d266bb225a64..fa18cbb8ff62 100644 --- a/src/network/meson.build +++ b/src/network/meson.build 
@@ -101,6 +101,11 @@ if conf.has('WITH_NETWORK') install_dir: prefix / 'lib' / 'firewalld' / 'zones', rename: [ 'libvirt.xml' ], ) + install_data( + 'libvirt-nat.zone', + install_dir: prefix / 'lib' / 'firewalld' / 'zones', + rename: [ 'libvirt-nat.xml' ], + ) install_data( 'libvirt-routed.zone', install_dir: prefix / 'lib' / 'firewalld' / 'zones', --=20 2.37.3
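Review bot: the description in src/network/libvirt-nat.zone says libvirt "will add the bridge devices for all new virtual networks to this zone by default", but patch 8/8 of this series attaches NAT networks to libvirt-nat by source subnet and puts the bridge device itself into the "libvirt" zone for DHCP; reword the description to say that the subnets of NAT networks are added to this zone as sources, so an administrator inspecting the zone is not surprised to find sources and no interfaces. Since the definition deliberately omits intra-zone forwarding for the benefit of firewalld < 0.9.0, the description could also state that the zone itself does not enable forwarding between networks placed in it.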
From: Eric Garver
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [PATCH 7/8] network: firewalld: add policies for NAT networks
Date: Thu, 10 Nov 2022 11:31:51 -0500
Message-Id: <20221110163152.2868177-8-eric@garver.life>
In-Reply-To: <20221110163152.2868177-1-eric@garver.life>
References: <20221110163152.2868177-1-eric@garver.life>

Signed-off-by: Eric Garver Reviewed-by: Michal Privoznik --- libvirt.spec.in | 1 + src/network/libvirt-nat-out.policy | 13 +++++++++++++ src/network/libvirt-to-host.policy | 1 + src/network/meson.build | 5 +++++ 4 files changed, 20 insertions(+) create mode 100644 src/network/libvirt-nat-out.policy diff --git a/libvirt.spec.in b/libvirt.spec.in index 6537b9385a0e..6a852d726e55 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in
@@ -1922,6 +1922,7 @@ exit 0 %{_prefix}/lib/firewalld/zones/libvirt.xml %{_prefix}/lib/firewalld/zones/libvirt-nat.xml %{_prefix}/lib/firewalld/zones/libvirt-routed.xml +%{_prefix}/lib/firewalld/policies/libvirt-nat-out.xml %{_prefix}/lib/firewalld/policies/libvirt-routed-in.xml %{_prefix}/lib/firewalld/policies/libvirt-routed-out.xml %{_prefix}/lib/firewalld/policies/libvirt-to-host.xml diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-o= ut.policy new file mode 100644 index 000000000000..ed19be90c751 --- /dev/null +++ b/src/network/libvirt-nat-out.policy @@ -0,0 +1,13 @@ + + + libvirt-nat-out + + + This policy is used to allow NAT virtual machine traffic to the rest of + the network. + + + + + + diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-ho= st.policy index b20aecaf4249..a22952ea1c95 100644 --- a/src/network/libvirt-to-host.policy +++ b/src/network/libvirt-to-host.policy @@ -7,6 +7,7 @@ host. =20 + =20 diff --git a/src/network/meson.build b/src/network/meson.build index fa18cbb8ff62..34f336fa222e 100644 --- a/src/network/meson.build +++ b/src/network/meson.build 
@@ -116,6 +116,11 @@ if conf.has('WITH_NETWORK') install_dir: prefix / 'lib' / 'firewalld' / 'policies', rename: [ 'libvirt-to-host.xml' ], ) + install_data( + 'libvirt-nat-out.policy', + install_dir: prefix / 'lib' / 'firewalld' / 'policies', + rename: [ 'libvirt-nat-out.xml' ], + ) install_data( 'libvirt-routed-out.policy', install_dir: prefix / 'lib' / 'firewalld' / 'policies', --=20 2.37.3
From: Eric Garver
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [PATCH 8/8] network: firewalld: use native NAT networks
Date: Thu, 10 Nov 2022 11:31:52 -0500
Message-Id: <20221110163152.2868177-9-eric@garver.life>
In-Reply-To: <20221110163152.2868177-1-eric@garver.life>
References: <20221110163152.2868177-1-eric@garver.life>

Use the new "libvirt-nat" zone for native NAT networks.

The "libvirt" zone is still in use, but only to handle DHCP packets. Those won't be dispatched to the "libvirt-zone" because said zone is using sources (instead of interfaces). DHCP packets don't have a valid source address.

The use of "libvirt" zone is necessary due to a Linux < 5.5 limitation in which nftables iifname cannot be matched in postrouting hook (i.e. masquerade).

In the future, when we can assume Linux 5.5+, we can further improve this by attaching interfaces to the "libvirt-nat" zone instead of using sources. Thus making the "libvirt" zone unnecessary.
Signed-off-by: Eric Garver Reviewed-by: Michal Privoznik --- src/network/bridge_driver_linux.c | 55 +++++++++++++++++++++++++++---- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 42f098ff1f9b..d6c7d378f5f7 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -140,7 +140,10 @@ networkUseOnlyFirewallDRules(void) return false; =20 if (virFirewallDPolicyExists("libvirt-routed-out") && - virFirewallDZoneExists("libvirt-routed")) { + virFirewallDZoneExists("libvirt-routed") && + virFirewallDPolicyExists("libvirt-nat-out") && + virFirewallDZoneExists("libvirt-nat") && + virFirewallDZoneExists("libvirt")) { return true; } =20 
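Review bot: networkUseOnlyFirewallDRules() now returns false, and the driver silently falls back to the virFirewall rule path, whenever any one of the five zones/policies is absent, which is exactly the situation on a host whose firewalld still carries the older libvirt and libvirt-routed* files but not the new libvirt-nat and libvirt-nat-out ones; add a VIR_DEBUG or VIR_INFO naming the missing object at the point where false is returned, so an operator can tell from the daemon log which firewall path is in effect for a given network.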
@@ -825,6 +828,48 @@ networkAddOnlyFirewallDRules(virNetworkDef *def) if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < = 0) return -1; + } else if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { + virNetworkIPDef *ipdef; + size_t i; + + /* The initial DHCP packets won't be dispatched to the + * libvirt-nat zone because they don't yet have an IP address. + * The libvirt-nat zone needs to use sources instead of + * interfaces because kernels < 5.5 do not support matching + * iifname in postrouting. + * + * As a workaround, add the interface to the libvirt zone. This + * will allow dhcp to function. Afterwards packets will go to + * the libvirt-nat zone. + */ + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0) + return -1; + + for (i =3D 0; + (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + int prefix =3D virNetworkIPDefPrefix(ipdef); + g_autofree char *networkstr =3D NULL; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(&ipdef->add= ress, prefix, true))) + return -1; + + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) { + if (virFirewallDSourceSetZone(networkstr, "libvirt-nat") <= 0) + return -1; + if (def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) { + const char *rich_rules[] =3D {"rule family=3Dipv6 masq= uerade"}; + size_t rich_rules_count =3D sizeof(rich_rules) / sizeo= f(rich_rules[0]); + + if (virFirewallDApplyPolicyRichRules("libvirt-nat-out"= , rich_rules, rich_rules_count) < 0) + return -1; + } + } else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6= )) { + if (virFirewallDSourceSetZone(networkstr, "libvirt-routed"= ) < 0) + return -1; + } + } } =20 return 0; 
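Review bot: in the NAT branch of networkAddOnlyFirewallDRules() the inner `if (def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)` sits inside a condition that is also true for every IPv4 address, so with natIPv6 enabled the `rule family=ipv6 masquerade` rich rule is applied once per IPv4 address as well as once per IPv6 address; guard it with `VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)` or hoist it out of the loop so the policy is set once per network. The block comment should also spell out the consequence of the kernel < 5.5 workaround it describes: because membership is keyed on the source subnet rather than on def->bridge, a packet carrying a libvirt-nat subnet source address is classified into libvirt-nat whichever interface it arrives on, which is the reason the interface-based attachment promised in the commit message is worth revisiting once Linux 5.5+ can be assumed.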
@@ -890,10 +935,8 @@ int networkAddFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 - if (!def->bridgeZone && networkUseOnlyFirewallDRules() && - def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + if (!def->bridgeZone && networkUseOnlyFirewallDRules()) return networkAddOnlyFirewallDRules(def); - } =20 if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -968,10 +1011,8 @@ void networkRemoveFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 - if (!def->bridgeZone && networkUseOnlyFirewallDRules() && - def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + if (!def->bridgeZone && networkUseOnlyFirewallDRules()) return; - } =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); networkRemoveChecksumFirewallRules(fw, def); --=20 2.37.3
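Review bot: dropping the `def->forward.type == VIR_NETWORK_FORWARD_ROUTE` test in networkAddFirewallRules() sends every forward type down networkAddOnlyFirewallDRules(), but that function (previous hunk) only acts on ROUTE and NAT and returns 0 for anything else, so any other forward type that reaches this point no longer gets the virFirewall rules it received before; either confirm that is intended for each remaining type or make the condition `def->forward.type == VIR_NETWORK_FORWARD_ROUTE || def->forward.type == VIR_NETWORK_FORWARD_NAT`.

Review bot: the early `return` in networkRemoveFirewallRules() leaves the runtime state created by networkAddOnlyFirewallDRules() in place: the network's subnets stay attached as sources of the libvirt-nat (or libvirt-routed) zone after the network is destroyed, and the IPv6 masquerade rich rule stays on libvirt-nat-out. Unlike the bridge's interface assignment, which is tied to a device that disappears with the network, a source assignment has nothing to expire it, so a subnet later reused by a network of a different forward type would still be classified into the old zone; add a counterpart that removes the sources (and drops the rich rule once no remaining NAT network needs it) before returning.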