From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 5/5] network: *un*set the firewalld zone while shutting down a network
Date: Thu, 5 Sep 2024 13:07:59 -0400
Message-ID: <20240905170759.864299-6-laine@redhat.com>
In-Reply-To: <20240905170759.864299-1-laine@redhat.com>
References: <20240905170759.864299-1-laine@redhat.com>

When a bridge device for a virtual network had been placed in a firewalld zone while starting the network, then even after the network is shut down and the bridge device is deleted, its name will show up in the list of interfaces for whichever zone it had been in. Usually this isn't a problem, but in the case of forward mode='open', someone might start the network once with a zone specified, then shut down the network, remove the zone from its config, and start it again; in this case the bridge device would come up using the zone from the previous time it was started.
The solution to this is to remove the interface from whatever zone it is in as the network is being shut down. There is no downside to doing this, since the device is going to be deleted anyway. Note that forward mode='bridge' uses a bridge device that was created outside of libvirt, and libvirt won't be deleting that bridge, so we take care to not unset the zone in that case.

Signed-off-by: Laine Stump
Reviewed-by: Martin Kletzander
---
 src/libvirt_private.syms | 1 + src/network/bridge_driver.c | 4 ++++ src/network/bridge_driver_linux.c | 14 ++++++++++++++ src/network/bridge_driver_nop.c | 6 ++++++ src/network/bridge_driver_platform.h | 2 ++ src/util/virfirewalld.c | 23 +++++++++++++++++++++++ src/util/virfirewalld.h | 2 ++ 7 files changed, 52 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index af40e5dca3..f15d16c292 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2451,6 +2451,7 @@ virFirewallDGetPolicies; virFirewallDGetVersion; virFirewallDGetZones; virFirewallDInterfaceSetZone; +virFirewallDInterfaceUnsetZone; virFirewallDIsRegistered; virFirewallDPolicyExists; virFirewallDSynchronize; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 3504d512a0..e457c3bf5e 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2085,6 +2085,8 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) networkRemoveFirewallRules(obj); =20 + networkUnsetBridgeZone(def); + virNetworkObjUnrefMacMap(obj); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); @@ -2123,6 +2125,8 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) networkRemoveFirewallRules(obj); =20 + networkUnsetBridgeZone(def); + ignore_value(virNetDevBridgeDelete(def->bridge)); =20 /* See if its still alive and really really kill it */ 
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index af758d4f3d..3b3608c085 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -392,6 +392,20 @@ networkSetBridgeZone(virNetworkDef *def) } =20 =20 +void +networkUnsetBridgeZone(virNetworkDef *def) +{ + /* If there is a libvirt-managed bridge device remove it from any + * zone it had been placed in as a part of deleting the bridge. + * DO NOT CALL THIS FOR 'bridge' forward mode, since that + * bridge is not managed by libvirt. + */ + if (def->bridge && def->forward.type !=3D VIR_NETWORK_FORWARD_BRIDGE + && virFirewallDIsRegistered() =3D=3D 0) { + virFirewallDInterfaceUnsetZone(def->bridge); + } +} + int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 20c7a2a595..180ff30134 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -51,6 +51,12 @@ networkSetBridgeZone(virNetworkDef *def) } =20 =20 +void +networkUnsetBridgeZone(virNetworkDef *def) +{ +} + + int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED) diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index 02abdc197f..a0291532a1 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -38,4 +38,6 @@ int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval); =20 +void networkUnsetBridgeZone(virNetworkDef *def); + void networkRemoveFirewallRules(virNetworkObj *obj); diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 827e201dbb..4aec33ac45 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c 
@@ -449,6 +449,29 @@ virFirewallDInterfaceSetZone(const char *iface, } =20 =20 +int +virFirewallDInterfaceUnsetZone(const char *iface) +{ + GDBusConnection *sysbus =3D virGDBusGetSystemBus(); + g_autoptr(GVariant) message =3D NULL; + + if (!sysbus) + return -1; + + message =3D g_variant_new("(ss)", "", iface); + + return virGDBusCallMethod(sysbus, + NULL, + NULL, + NULL, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.zone", + "removeInterface", + message); +} + + void virFirewallDSynchronize(void) { diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index 0e94d3507b..0dbe66d435 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h @@ -46,4 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer, int virFirewallDInterfaceSetZone(const char *iface, const char *zone); =20 +int virFirewallDInterfaceUnsetZone(const char *iface); + void virFirewallDSynchronize(void); --=20 2.46.0
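Review bot: in the networkStartNetworkVirtual cleanup hunk (bridge_driver.c @@ -2085), networkUnsetBridgeZone(def) runs on the failure path, where the bridge may never have been placed in a zone because start failed before the zone was set. virFirewallDInterfaceUnsetZone hands a NULL virError to virGDBusCallMethod, so a firewalld failure here is reported through virReportError and can overwrite the error that actually made the start fail, unless this cleanup path already brackets the calls with virErrorPreserveLast()/virErrorRestore() (the context lines shown do not include that). Suggest either confirming the original error is preserved around this call, or having the unset path pass a local virError to virGDBusCallMethod and discard it.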
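Review bot: in the networkShutdownNetworkVirtual hunk (bridge_driver.c @@ -2125), networkUnsetBridgeZone(def) is called unconditionally, so an open-mode network whose config never specified a zone (as far as I recall, networkSetBridgeZone only zones an open-mode bridge when a zone was explicitly configured) also gets a removeInterface call at every shutdown. Unless the util layer swallows the resulting firewalld error, that logs a spurious error on each such shutdown. Suggest guarding the call on the bridge actually having been zoned, e.g. def->bridgeZone being set or def->forward.type != VIR_NETWORK_FORWARD_OPEN, mirroring the condition used for networkRemoveFirewallRules two lines above.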
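Review bot: in the bridge_driver_linux.c hunk, the int return of virFirewallDInterfaceUnsetZone(def->bridge) is silently dropped; the surrounding teardown code wraps calls whose failure it cannot act on in ignore_value() (see ignore_value(virNetDevBridgeDelete(def->bridge)) in both callers), so write ignore_value(virFirewallDInterfaceUnsetZone(def->bridge)); for consistency. Also, the comment's "DO NOT CALL THIS FOR 'bridge' forward mode" reads as an obligation on callers, yet the function already tests def->forward.type != VIR_NETWORK_FORWARD_BRIDGE itself; reword it to say the function is a no-op for that mode so callers are not led to add a redundant guard.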
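Review bot: in the bridge_driver_nop.c hunk, networkUnsetBridgeZone(virNetworkDef *def) never touches def but does not mark it G_GNUC_UNUSED, unlike networkAddFirewallRules directly below, which annotates its unused parameters (virNetworkDef *def G_GNUC_UNUSED). If the build warns on unused parameters, which that existing annotation suggests, the non-Linux build will trip on this; change the signature to networkUnsetBridgeZone(virNetworkDef *def G_GNUC_UNUSED).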
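Review bot: in the virfirewalld.c hunk, virFirewallDInterfaceUnsetZone passes "" as the zone in g_variant_new("(ss)", "", iface) with no comment on what that means. In firewalld's org.fedoraproject.FirewallD1.zone.removeInterface an empty zone means "the zone the interface is currently bound to", and firewalld answers with an UNKNOWN_INTERFACE error when the interface is not bound to any zone. Add a doc comment above the function stating both, and consider whether that particular error should count as success for an "unset" operation, e.g. by passing a virError to virGDBusCallMethod instead of NULL and ignoring it, since with NULL every failure becomes a reported libvirt error.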