From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 1/5] network: permit when a network has no IP address
Date: Thu, 5 Sep 2024 13:07:55 -0400
Message-ID: <20240905170759.864299-2-laine@redhat.com>
In-Reply-To: <20240905170759.864299-1-laine@redhat.com>
References: <20240905170759.864299-1-laine@redhat.com>

The whole point of is to suppress libvirt from adding any firewall rules for a network, and someone might want to create a network with no IP address (i.e. they don't want the guests to have connectivity to the host via this interface) and no firewall rules (they don't want any, or they want to add their own). So there's no reason to fail when a network has and also has no IP address.

Kind-of-Resolves: https://gitlab.com/libvirt/libvirt/-/issues/588
Signed-off-by: Laine Stump
Reviewed-by: Martin Kletzander
---
 src/conf/network_conf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index 5cf419acf1..3383906c58 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -1789,7 +1789,6 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt, =20 case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_NAT: - case VIR_NETWORK_FORWARD_OPEN: /* It's pointless to specify L3 forwarding without specifying * the network we're on. */ 
@@ -1806,7 +1805,9 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt, def->name); return NULL; } + break; =20 + case VIR_NETWORK_FORWARD_OPEN: if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_OPEN && def->forw= ard.nifs) { /* an open network by definition can't place any restrictions * on what traffic is allowed or where it goes, so specifying --=20 2.46.0 From nobody Sat Feb 7 08:58:13 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725556140500616.5884782954737; Thu, 5 Sep 2024 10:09:00 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 71D2F175B; Thu, 5 Sep 2024 13:08:59 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id C91FB17E8; Thu, 5 Sep 2024 13:08:10 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 6A04E1752; Thu, 5 Sep 2024 13:08:05 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id CB6001751 for ; Thu, 5 Sep 2024 13:08:04 -0400 (EDT) Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id 
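Review bot: in the second hunk, now that VIR_NETWORK_FORWARD_OPEN has its own case label, the left half of `if (def->forward.type == VIR_NETWORK_FORWARD_OPEN && def->forward.nifs)` is always true and the test can be reduced to `if (def->forward.nifs)`; leaving the redundant type check makes a reader wonder whether this code is reachable from some other label. The added `break;` is what now stops route/nat from falling into the open-only nifs restriction, so a one-line comment saying that route and nat may legitimately list interfaces would make that intent explicit.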
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 2/5] network: belatedly update an error message
Date: Thu, 5 Sep 2024 13:07:56 -0400
Message-ID: <20240905170759.864299-3-laine@redhat.com>
In-Reply-To: <20240905170759.864299-1-laine@redhat.com>
References: <20240905170759.864299-1-laine@redhat.com>

The 'open' forward type probably hadn't yet been added when this message was written.

Signed-off-by: Laine Stump
Reviewed-by: Martin Kletzander
---
 src/conf/network_conf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 3383906c58..5fadaf35e9 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1851,7 +1851,7 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt, case VIR_NETWORK_FORWARD_BRIDGE: if (def->delay || stp || def->bridgeZone) { virReportError(VIR_ERR_XML_ERROR, - _("bridge delay/stp/zone options only allowed i= n route, nat, and isolated mode, not in %1$s (network '%2$s')"), + _("bridge delay/stp/zone options only allowed i= n open, route, nat, and isolated mode, not in %1$s (network '%2$s')"), virNetworkForwardTypeToString(def->forward.type= ), def->name); return NULL; --=20 2.46.0 From nobody Sat Feb 7 08:58:13 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725556167921726.8731330869668; Thu, 5 Sep 2024 10:09:27 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D763D17FC; Thu, 5 Sep 2024 13:09:26 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 6FBFB177E; Thu, 5 Sep 2024 13:08:12 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id E83B11751; Thu, 5 Sep 2024 13:08:05 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 5817A1622 for ; Thu, 5 Sep 2024 13:08:05 -0400 (EDT) Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com 
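Review bot: the reworded `_()` string now tells users that the zone option is allowed in open mode, but at this point in the series the zone is still applied only inside networkAddFirewallRules(), which (per the 3/5 commit message) is never called for open networks, so until 3/5 lands a `zone` attribute on an open network is accepted by the parser and silently ignored. Either reorder this patch after 3/5 or say in the commit message that the runtime support follows; changing a translatable message also means the existing translation catalogs need refreshing.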
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 3/5] network: support setting firewalld zone for bridge device of open networks
Date: Thu, 5 Sep 2024 13:07:57 -0400
Message-ID: <20240905170759.864299-4-laine@redhat.com>
In-Reply-To: <20240905170759.864299-1-laine@redhat.com>
References: <20240905170759.864299-1-laine@redhat.com>

The bit of code that sets the firewalld zone was previously a part of the function networkAddFirewallRules(), which is not called for networks with .

Setting the 'libvirt' zone for the bridge device of virtual networks that also add firewall rules is usually necessary in order to get the expected traffic through without modifying firewalld's default zone (which would be a bad idea, because that would affect all the other host interfaces set to the default zone), but in general we would *not* want the bridge device for a mode='open' virtual network to be automatically placed in the "libvirt" zone; a user might want to *explicitly* set some other firewalld zone for mode='open' networks.

We enable this by moving the code that sets the firewalld zone into a separate function that is called for all forward modes that use a bridge device created by libvirt (nat, route, isolated, open). If no zone is specified, then the bridge device will be in whatever zone interfaces are put in by default, but if the element has a "zone" attribute, then the new bridge device will be placed in the specified zone.

NB: This function is only called when the network is started, and *not* when the firewall rules of an active network are reloaded at virtnetworkd restart time, because the firewalld zone of an interface isn't something that gets inadvertently changed as a part of some other unrelated action (e.g. all iptables rules are cleared by a firewalld restart, including those rules added by libvirt), and so we don't need to be re-setting it all the time.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/215
Signed-off-by: Laine Stump
Reviewed-by: Martin Kletzander
---
 src/network/bridge_driver.c          |  4 ++
 src/network/bridge_driver_linux.c    | 61 ++++++++++++++++------------
 src/network/bridge_driver_nop.c      | 13 ++++++
 src/network/bridge_driver_platform.h |  2 +
 4 files changed, 54 insertions(+), 26 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 915211d1b5..3504d512a0 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1957,6 +1957,10 @@ networkStartNetworkVirtual(virNetworkDriverState *dr= iver, if (networkSetIPv6Sysctls(obj) < 0) goto error; =20 + /* set the firewall zone for the bridge device on the host */ + if (networkSetBridgeZone(def) < 0) + goto error; + /* Add "once per network" rules */ if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0= ) { diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index fe7c6e193c..a6203a712e 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -333,28 +333,8 @@ int networkCheckRouteCollision(virNetworkDef *def) =20 =20 int -networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval) +networkSetBridgeZone(virNetworkDef *def) { - - networkSetupPrivateChains(firewallBackend, false); - - if (errInitV4 && - (virNetworkDefGetIPByIndex(def, AF_INET, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { - virSetError(errInitV4); - return -1; - } - - if (errInitV6 && - (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || - def->ipv6nogw)) { - virSetError(errInitV6); - return -1; - } - if (def->bridgeZone) { =20 /* if a firewalld zone has been specified, fail/log an error 
@@ -370,12 +350,14 @@ networkAddFirewallRules(virNetworkDef *def, if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) return -1; =20 - } else { + } else if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) { =20 - /* if firewalld is active, try to set the "libvirt" zone. This is - * desirable (for consistency) if firewalld is using the iptables - * backend, but is necessary (for basic network connectivity) if - * firewalld is using the nftables backend + /* if firewalld is active, try to set the "libvirt" zone by + * default (forward mode=3D'open' networks have no zone set by + * default, but we honor it if one is specified). This is + * desirable (for consistency) if firewalld is using the + * iptables backend, but is necessary (for basic network + * connectivity) if firewalld is using the nftables backend */ if (virFirewallDIsRegistered() =3D=3D 0) { =20 @@ -421,6 +403,33 @@ networkAddFirewallRules(virNetworkDef *def, } } =20 + return 0; +} + + +int +networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend, + virFirewall **fwRemoval) +{ + + networkSetupPrivateChains(firewallBackend, false); + + if (errInitV4 && + (virNetworkDefGetIPByIndex(def, AF_INET, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { + virSetError(errInitV4); + return -1; + } + + if (errInitV6 && + (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || + def->ipv6nogw)) { + virSetError(errInitV6); + return -1; + } + switch (firewallBackend) { case VIR_FIREWALL_BACKEND_NONE: virReportError(VIR_ERR_NO_SUPPORT, "%s", diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 8bf3367bff..20c7a2a595 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c 
@@ -38,6 +38,19 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC= _UNUSED) return 0; } =20 + +int +networkSetBridgeZone(virNetworkDef *def) +{ + if (def->bridgeZone) { + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("This platform does not support setting the bridg= e device zone")); + return -1; + } + return 0; +} + + int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED) diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index cd2e3fa7b5..02abdc197f 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h 
@@ -32,6 +32,8 @@ void networkPostReloadFirewallRules(bool startup); =20 int networkCheckRouteCollision(virNetworkDef *def); =20 +int networkSetBridgeZone(virNetworkDef *def); + int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval); --=20 2.46.0 From nobody Sat Feb 7 08:58:13 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725556186768441.1378681491666; Thu, 5 Sep 2024 10:09:46 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id BF0FE1756; Thu, 5 Sep 2024 13:09:45 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id B2A96179A; Thu, 5 Sep 2024 13:08:15 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 94DCD1751; Thu, 5 Sep 2024 13:08:06 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 291E7174F for ; Thu, 5 Sep 2024 13:08:06 -0400 (EDT) Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-312-zw5AqezAO1m9S-9XiqMtUw-1; Thu, 05 Sep 2024 13:08:04 -0400 Received: from 
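Review bot: in the bridge_driver.c hunk, networkSetBridgeZone() binds the bridge to a zone before the firewall rules are added, but the `goto error` path that follows has no matching unset, so a failure in networkAddFirewallRules() (or any later step) leaves the bridge name listed under a firewalld zone after the bridge itself has been deleted; the 5/5 commit message describes exactly that lingering binding. Either fold the unset into this patch so each commit is self-consistent, or state in this commit message that the cleanup is deliberately deferred to 5/5.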
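Review bot: in the bridge_driver_linux.c hunk, the errInitV4/errInitV6 checks move out of the zone-setting code into the relocated networkAddFirewallRules(), which the bridge_driver.c hunk now calls only after networkSetBridgeZone(); for nat/route networks a firewall-initialization failure is therefore reported after the bridge has already been placed in the 'libvirt' zone, whereas before this patch those checks ran first. That ordering change is not mentioned in the commit message and deserves a sentence, and the new `} else if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) {` branch would read more clearly with a comment saying that an open network without an explicit zone intentionally falls through to `return 0` with no zone at all.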
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 4/5] network: remove firewalld version check from networkSetBridgeZone()
Date: Thu, 5 Sep 2024 13:07:58 -0400
Message-ID: <20240905170759.864299-5-laine@redhat.com>
In-Reply-To: <20240905170759.864299-1-laine@redhat.com>
References: <20240905170759.864299-1-laine@redhat.com>

At the time the version check in this function was written, there were still several supported versions of some distros that were using a version of firewalld too old to support the "rich rule priorities" used by the 'libvirt' zone that we installed for firewalld. Today the newest distro that has a version of firewalld < 0.7.0 is RHEL7/CentOS7, so we can remove the complexity and if the libvirt zone is missing simply say "the libvirt zone is missing".

Signed-off-by: Laine Stump
Reviewed-by: Martin Kletzander
---
 src/network/bridge_driver_linux.c | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index a6203a712e..af758d4f3d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -381,24 +381,9 @@ networkSetBridgeZone(virNetworkDef *def) if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") <= 0) return -1; } else { - unsigned long long version; - int vresult =3D virFirewallDGetVersion(&version); - - if (vresult < 0) - return -1; - - /* Support for nftables backend was added in firewalld - * 0.6.0. Support for rule priorities (required by the - * 'libvirt' zone, which should be installed by a - * libvirt package, *not* by firewalld) was not added - * until firewalld 0.7.0 (unless it was backported). - */ - if (version >=3D 6000 && - virFirewallDGetBackend() =3D=3D VIR_FIREWALLD_BACKEND_= NFTABLES) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("firewalld is set to use the nftables= backend, but the required firewalld 'libvirt' zone is missing. Either set = the firewalld backend to 'iptables', or ensure that firewalld has a 'libvir= t' zone by upgrading firewalld to a version supporting rule priorities (0.7= .0+) and/or rebuilding libvirt with --with-firewalld-zone")); - return -1; - } + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewalld can't find the 'libvirt' zone = that should have been installed with libvirt")); + return -1; } } } --=20 2.46.0 From nobody Sat Feb 7 08:58:13 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725556207399586.7624439894353; Thu, 5 Sep 2024 10:10:07 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 4C2F9176E; Thu, 5 Sep 2024 
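Review bot: the replacement branch turns a missing 'libvirt' zone into an unconditional `return -1`, whereas the removed code only failed when firewalld was at least 0.6.0 and using the nftables backend, and otherwise continued silently; hosts running the iptables backend without the zone (for example a libvirt built without --with-firewalld-zone, which the old message called out) will now refuse to start nat/route/isolated networks. That is a behaviour change beyond dropping the version check, so if it is intended the commit message should say so; the removed comment's observation that the zone is "desirable (for consistency)" on iptables but "necessary" on nftables is also worth preserving somewhere since it explains why the hard error is acceptable.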
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 5/5] network: *un*set the firewalld zone while shutting down a network
Date: Thu, 5 Sep 2024 13:07:59 -0400
Message-ID: <20240905170759.864299-6-laine@redhat.com>
In-Reply-To: <20240905170759.864299-1-laine@redhat.com>
References: <20240905170759.864299-1-laine@redhat.com>

When a bridge device for a virtual network had been placed in a firewalld zone while starting the network, then even after the network is shut down and the bridge device is deleted, its name will show up in the list of interfaces for whichever zone it had been in. Usually this isn't a problem, but in the case of forward mode='open', someone might start the network once with a zone specified, then shut down the network, remove the zone from its config, and start it again; in this case the bridge device would come up using the zone from the previous time it was started.
The solution to this is to remove the interface from whatever zone it is in as the network is being shut down. There is no downside to doing this, since the device is going to be deleted anyway. Note that forward mode='bridge' uses a bridge device that was created outside of libvirt, and libvirt won't be deleting that bridge, so we take care to not unset the zone in that case.

Signed-off-by: Laine Stump
Reviewed-by: Martin Kletzander
---
 src/libvirt_private.syms             |  1 +
 src/network/bridge_driver.c          |  4 ++++
 src/network/bridge_driver_linux.c    | 14 ++++++++++++++
 src/network/bridge_driver_nop.c      |  6 ++++++
 src/network/bridge_driver_platform.h |  2 ++
 src/util/virfirewalld.c              | 23 +++++++++++++++++++++++
 src/util/virfirewalld.h              |  2 ++
 7 files changed, 52 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index af40e5dca3..f15d16c292 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2451,6 +2451,7 @@ virFirewallDGetPolicies; virFirewallDGetVersion; virFirewallDGetZones; virFirewallDInterfaceSetZone; +virFirewallDInterfaceUnsetZone; virFirewallDIsRegistered; virFirewallDPolicyExists; virFirewallDSynchronize; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 3504d512a0..e457c3bf5e 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2085,6 +2085,8 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) networkRemoveFirewallRules(obj); =20 + networkUnsetBridgeZone(def); + virNetworkObjUnrefMacMap(obj); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); @@ -2123,6 +2125,8 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) networkRemoveFirewallRules(obj); =20 + networkUnsetBridgeZone(def); + ignore_value(virNetDevBridgeDelete(def->bridge)); =20 /* See if its still alive and really really kill it */ 
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index af758d4f3d..3b3608c085 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -392,6 +392,20 @@ networkSetBridgeZone(virNetworkDef *def) } =20 =20 +void +networkUnsetBridgeZone(virNetworkDef *def) +{ + /* If there is a libvirt-managed bridge device remove it from any + * zone it had been placed in as a part of deleting the bridge. + * DO NOT CALL THIS FOR 'bridge' forward mode, since that + * bridge is not managed by libvirt. + */ + if (def->bridge && def->forward.type !=3D VIR_NETWORK_FORWARD_BRIDGE + && virFirewallDIsRegistered() =3D=3D 0) { + virFirewallDInterfaceUnsetZone(def->bridge); + } +} + int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 20c7a2a595..180ff30134 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -51,6 +51,12 @@ networkSetBridgeZone(virNetworkDef *def) } =20 =20 +void +networkUnsetBridgeZone(virNetworkDef *def) +{ +} + + int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED) diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index 02abdc197f..a0291532a1 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -38,4 +38,6 @@ int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval); =20 +void networkUnsetBridgeZone(virNetworkDef *def); + void networkRemoveFirewallRules(virNetworkObj *obj); diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 827e201dbb..4aec33ac45 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c 
@@ -449,6 +449,29 @@ virFirewallDInterfaceSetZone(const char *iface, } =20 =20 +int +virFirewallDInterfaceUnsetZone(const char *iface) +{ + GDBusConnection *sysbus =3D virGDBusGetSystemBus(); + g_autoptr(GVariant) message =3D NULL; + + if (!sysbus) + return -1; + + message =3D g_variant_new("(ss)", "", iface); + + return virGDBusCallMethod(sysbus, + NULL, + NULL, + NULL, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.zone", + "removeInterface", + message); +} + + void virFirewallDSynchronize(void) { diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index 0e94d3507b..0dbe66d435 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h @@ -46,4 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer, int virFirewallDInterfaceSetZone(const char *iface, const char *zone); =20 +int virFirewallDInterfaceUnsetZone(const char *iface); + void virFirewallDSynchronize(void); --=20 2.46.0
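Review bot: in the networkStartNetworkVirtual hunk (@@ -2085) the new networkUnsetBridgeZone(def) call sits in the failure cleanup path, so it also runs when startup failed before the bridge was ever bound to a zone and firewalld will be asked to remove an interface it holds no binding for. Because networkUnsetBridgeZone discards the result this is not a correctness problem, but a one-line comment at the call site saying the call is deliberately best effort would stop the next reader from adding error handling here, and it is worth confirming that a rejected removeInterface does not get logged on a path that is already reporting the real startup failure.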
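Review bot: the comment on networkUnsetBridgeZone in bridge_driver_linux.c says "DO NOT CALL THIS FOR 'bridge' forward mode", yet the function itself already does nothing when def->forward.type == VIR_NETWORK_FORWARD_BRIDGE, and both call sites added in bridge_driver.c invoke it unconditionally. Reword the comment to describe the behaviour instead of forbidding the call, for example: "This is a no-op for forward mode 'bridge': that bridge device is not managed by libvirt and must keep whatever zone the admin gave it."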
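Review bot: in the bridge_driver_nop.c stub the def parameter is unused but not marked G_GNUC_UNUSED, unlike networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, ...) directly below it in the same hunk; mark it the same way so the non-Linux build stays consistent and warning-free.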
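Review bot: in bridge_driver_platform.h the new prototype is slotted between networkAddFirewallRules and networkRemoveFirewallRules rather than next to the function it mirrors; bridge_driver_linux.c defines networkUnsetBridgeZone immediately after networkSetBridgeZone, and declaring the pair together (wherever networkSetBridgeZone is declared) makes that symmetry visible to the next person editing the header.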
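Review bot: in virFirewallDInterfaceUnsetZone the empty string passed as the zone element of the "(ss)" message is doing the real work and has no comment: as I read the firewalld D-Bus API, an empty zone name makes zone.removeInterface drop the interface from whatever zone it is currently bound to, which is exactly what lets this caller avoid knowing the zone. Say so above `message = g_variant_new("(ss)", "", iface);`. On the same hunk, the virErrorPtr argument to virGDBusCallMethod is NULL, so a failure (an interface that was never bound to any zone, for instance) is reported through libvirt's normal error path rather than handed back to the caller, while the only caller, networkUnsetBridgeZone, ignores the return value; if the call is meant to be best effort, pass a local virError and discard it so routine shutdowns of zone-less networks do not produce error noise.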
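The stale binding the commit message describes (a deleted virbrN still listed under a zone) is easy to check for on hosts that run a libvirt without this change. The following is an added example, not libvirt's or firewalld's code: it parses the text format of `firewall-cmd --get-active-zones` against the set of interfaces that currently exist and reports every zone binding whose interface is gone, then prints the runtime `firewall-cmd --remove-interface` calls that would clear them. Assumptions: the `--get-active-zones` layout of a zone name on its own line followed by indented `interfaces:` and `sources:` lines, and that the live interface list comes from `/sys/class/net`; the sample zone output and interface list embedded below are constructed.

```shell
#!/bin/sh
# Added example (not libvirt or firewalld code): audit firewalld's runtime
# zone bindings for interfaces that no longer exist, such as a libvirt
# bridge that was deleted on net-destroy but left bound to its zone.
#
# Assumed input format, as printed by `firewall-cmd --get-active-zones`:
#   <zone>
#     interfaces: <if1> <if2> ...
#     sources: ...

# stale_zone_ifaces ZONES_TEXT EXISTING_IFACES
#   ZONES_TEXT      - output of `firewall-cmd --get-active-zones`
#   EXISTING_IFACES - interface names present now (space or newline separated)
# Prints one "<zone> <iface>" line per binding whose interface is missing.
stale_zone_ifaces() {
    # Normalise the interface list to " a b c " so a whole-word lookup is
    # a plain substring test (no regex, so odd interface names are safe).
    have=" $(printf '%s' "$2" | tr '\n\t' '  ') "
    printf '%s\n' "$1" | awk -v have="$have" '
        # An unindented line names the zone the following lines belong to.
        /^[^ \t]/ { zone = $1; next }
        # The "interfaces:" line lists every interface bound to that zone.
        /^[ \t]+interfaces:/ {
            for (i = 2; i <= NF; i++)
                if (index(have, " " $i " ") == 0)
                    print zone, $i
        }'
}

# stale_zone_fix_cmds ZONES_TEXT EXISTING_IFACES
# Prints the runtime firewall-cmd calls that would drop each stale binding.
# libvirt binds bridges at runtime only, so --permanent is not needed.
stale_zone_fix_cmds() {
    stale_zone_ifaces "$1" "$2" |
    while read -r zone iface; do
        printf 'firewall-cmd --zone=%s --remove-interface=%s\n' "$zone" "$iface"
    done
}

# Constructed sample: virbr1 and virbr2 have been deleted, but firewalld
# still lists them under the zones libvirt put them in.
SAMPLE_ZONES='libvirt
  interfaces: virbr0 virbr1
public
  interfaces: eth0 virbr2
  sources: 192.0.2.0/24'
SAMPLE_LINKS='lo eth0 virbr0'

stale_zone_fix_cmds "$SAMPLE_ZONES" "$SAMPLE_LINKS"

# Live usage on a firewalld host (the --remove-interface calls need root):
#   stale_zone_fix_cmds "$(firewall-cmd --get-active-zones)" "$(ls /sys/class/net)"
```

The script only reports and prints commands; pipe its output to `sh` once you have read it. Note that a binding to a missing interface is harmless until an interface of the same name reappears, which is precisely the mode='open' restart case in the commit message: the recreated bridge silently inherits the old zone.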