From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 1/5] Revert "network: *un*set the firewalld zone while shutting down a network"
Date: Mon, 7 Oct 2024 00:19:37 -0400
Message-ID: <20241007041941.1873363-2-laine@redhat.com>
In-Reply-To: <20241007041941.1873363-1-laine@redhat.com>
References: <20241007041941.1873363-1-laine@redhat.com>

This reverts commit 200f60b2e12e68d618f6d59f0173bb507b678838.

The same functionality will be re-added in a different way in an
upcoming patch.

Signed-off-by: Laine Stump
Signed-off-by: Laine Stump
Reviewed-by: Jiri Denemark
---
 src/libvirt_private.syms             |  1 -
 src/network/bridge_driver.c          |  4 ----
 src/network/bridge_driver_linux.c    | 14 --------------
 src/network/bridge_driver_nop.c      |  6 ------
 src/network/bridge_driver_platform.h |  2 --
 src/util/virfirewalld.c              | 23 -----------------------
 src/util/virfirewalld.h              |  2 --
 7 files changed, 52 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index e09fb98596..cafb41166b 100644
--- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2452,7 +2452,6 @@ virFirewallDGetPolicies; virFirewallDGetVersion; virFirewallDGetZones; virFirewallDInterfaceSetZone; -virFirewallDInterfaceUnsetZone; virFirewallDIsRegistered; virFirewallDPolicyExists; virFirewallDSynchronize; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 74ba59b4e9..c9c6fcbccc 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2127,8 +2127,6 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) networkRemoveFirewallRules(obj); =20 - networkUnsetBridgeZone(def); - virNetworkObjUnrefMacMap(obj); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); @@ -2167,8 +2165,6 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) networkRemoveFirewallRules(obj); =20 - networkUnsetBridgeZone(def); - ignore_value(virNetDevBridgeDelete(def->bridge)); =20 /* See if its still alive and really really kill it */ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 3b3608c085..af758d4f3d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -392,20 +392,6 @@ networkSetBridgeZone(virNetworkDef *def) } =20 =20 -void -networkUnsetBridgeZone(virNetworkDef *def) -{ - /* If there is a libvirt-managed bridge device remove it from any - * zone it had been placed in as a part of deleting the bridge. - * DO NOT CALL THIS FOR 'bridge' forward mode, since that - * bridge is not managed by libvirt. - */ - if (def->bridge && def->forward.type !=3D VIR_NETWORK_FORWARD_BRIDGE - && virFirewallDIsRegistered() =3D=3D 0) { - virFirewallDInterfaceUnsetZone(def->bridge); - } -} - int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 831a5a5010..20c7a2a595 100644 
--- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -51,12 +51,6 @@ networkSetBridgeZone(virNetworkDef *def) } =20 =20 -void -networkUnsetBridgeZone(virNetworkDef *def G_GNUC_UNUSED) -{ -} - - int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED) diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index a0291532a1..02abdc197f 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -38,6 +38,4 @@ int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval); =20 -void networkUnsetBridgeZone(virNetworkDef *def); - void networkRemoveFirewallRules(virNetworkObj *obj); diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 4aec33ac45..827e201dbb 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c @@ -449,29 +449,6 @@ virFirewallDInterfaceSetZone(const char *iface, } =20 =20 -int -virFirewallDInterfaceUnsetZone(const char *iface) -{ - GDBusConnection *sysbus =3D virGDBusGetSystemBus(); - g_autoptr(GVariant) message =3D NULL; - - if (!sysbus) - return -1; - - message =3D g_variant_new("(ss)", "", iface); - - return virGDBusCallMethod(sysbus, - NULL, - NULL, - NULL, - VIR_FIREWALL_FIREWALLD_SERVICE, - "/org/fedoraproject/FirewallD1", - "org.fedoraproject.FirewallD1.zone", - "removeInterface", - message); -} - - void virFirewallDSynchronize(void) { diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index 0dbe66d435..0e94d3507b 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h 
@@ -46,6 +46,4 @@ int virFirewallDApplyRule(virFirewallLayer layer, int virFirewallDInterfaceSetZone(const char *iface, const char *zone); =20 -int virFirewallDInterfaceUnsetZone(const char *iface); - void virFirewallDSynchronize(void); --=20 2.46.1
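Review bot: the trailer block carries "Signed-off-by: Laine Stump" twice; drop the duplicate before pushing. The hunks themselves are a clean mechanical revert: the src/util/virfirewalld.c hunk removes virFirewallDInterfaceUnsetZone() together with its export in src/libvirt_private.syms and its declaration in src/util/virfirewalld.h, the platform header and the linux/nop implementations lose networkUnsetBridgeZone(), and both call sites in src/network/bridge_driver.c go with them, so nothing dangling is left. One thing worth a sentence in the commit message: after this patch networkShutdownNetworkVirtual() calls virNetDevBridgeDelete() without first unbinding the bridge from its firewalld zone, so the intermediate tree (before the promised follow-up lands) leaves the zone binding to be cleaned up by firewalld itself.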
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 2/5] Revert "network: support setting firewalld zone for bridge device of open networks"
Date: Mon, 7 Oct 2024 00:19:38 -0400
Message-ID: <20241007041941.1873363-3-laine@redhat.com>
In-Reply-To: <20241007041941.1873363-1-laine@redhat.com>
References: <20241007041941.1873363-1-laine@redhat.com>

This reverts commit 1a72b83d566df952033529001b0f88a66d7f4393.

That patch had made the incorrect assumption that the firewalld zone
of a bridge would not be changed/removed when firewalld reloaded its
rules (e.g. with "killall -HUP firewalld"). It turns out my memory was
faulty, and this *does* remove the bridge interface's zone, which
results in guest networking failure after a firewalld reload, until
the virtual network is restarted.
The functionality reverted as a result of this patch reversion will be added back in an upcoming patch that keeps the zone setting in networkAddFirewallRules() (rather than moving it into a separate function) so that it is called every time the network's firewall rules are reloaded (including the reload that happens in response to a reload notification from firewalld). Signed-off-by: Laine Stump Signed-off-by: Laine Stump Reviewed-by: Jiri Denemark --- src/network/bridge_driver.c | 4 -- src/network/bridge_driver_linux.c | 61 ++++++++++++---------------- src/network/bridge_driver_nop.c | 13 ------ src/network/bridge_driver_platform.h | 2 - 4 files changed, 26 insertions(+), 54 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index c9c6fcbccc..fe053f423a 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1999,10 +1999,6 @@ networkStartNetworkVirtual(virNetworkDriverState *dr= iver, if (networkSetIPv6Sysctls(obj) < 0) goto error; =20 - /* set the firewall zone for the bridge device on the host */ - if (networkSetBridgeZone(def) < 0) - goto error; - /* Add "once per network" rules */ if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0= ) { diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index af758d4f3d..5981e3bd19 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -333,8 +333,28 @@ int networkCheckRouteCollision(virNetworkDef *def) =20 =20 int -networkSetBridgeZone(virNetworkDef *def) +networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend, + virFirewall **fwRemoval) { + + networkSetupPrivateChains(firewallBackend, false); + + if (errInitV4 && + (virNetworkDefGetIPByIndex(def, AF_INET, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { + virSetError(errInitV4); + return -1; + } + + if (errInitV6 && + (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || + def->ipv6nogw)) { + virSetError(errInitV6); + return -1; + } + if (def->bridgeZone) { =20 /* if a firewalld zone has been specified, fail/log an error @@ -350,14 +370,12 @@ networkSetBridgeZone(virNetworkDef *def) if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) return -1; =20 - } else if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) { + } else { =20 - /* if firewalld is active, try to set the "libvirt" zone by - * default (forward mode=3D'open' networks have no zone set by - * default, but we honor it if one is specified). This is - * desirable (for consistency) if firewalld is using the - * iptables backend, but is necessary (for basic network - * connectivity) if firewalld is using the nftables backend + /* if firewalld is active, try to set the "libvirt" zone. This is + * desirable (for consistency) if firewalld is using the iptables + * backend, but is necessary (for basic network connectivity) if + * firewalld is using the nftables backend */ if (virFirewallDIsRegistered() =3D=3D 0) { =20 
@@ -388,33 +406,6 @@ networkSetBridgeZone(virNetworkDef *def) } } =20 - return 0; -} - - -int -networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend, - virFirewall **fwRemoval) -{ - - networkSetupPrivateChains(firewallBackend, false); - - if (errInitV4 && - (virNetworkDefGetIPByIndex(def, AF_INET, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { - virSetError(errInitV4); - return -1; - } - - if (errInitV6 && - (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || - def->ipv6nogw)) { - virSetError(errInitV6); - return -1; - } - switch (firewallBackend) { case VIR_FIREWALL_BACKEND_NONE: virReportError(VIR_ERR_NO_SUPPORT, "%s", diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 20c7a2a595..8bf3367bff 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -38,19 +38,6 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC= _UNUSED) return 0; } =20 - -int -networkSetBridgeZone(virNetworkDef *def) -{ - if (def->bridgeZone) { - virReportError(VIR_ERR_NO_SUPPORT, "%s", - _("This platform does not support setting the bridg= e device zone")); - return -1; - } - return 0; -} - - int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED) diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index 02abdc197f..cd2e3fa7b5 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h 
@@ -32,8 +32,6 @@ void networkPostReloadFirewallRules(bool startup); =20 int networkCheckRouteCollision(virNetworkDef *def); =20 -int networkSetBridgeZone(virNetworkDef *def); - int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval); --=20 2.46.1
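Review bot: the src/network/bridge_driver_nop.c hunk removes the only place the non-Linux build rejected a configured bridgeZone (the deleted networkSetBridgeZone() reported VIR_ERR_NO_SUPPORT when def->bridgeZone was set), and the nop networkAddFirewallRules() that remains declares `def G_GNUC_UNUSED`, so on those platforms a bridgeZone setting is now accepted silently and never applied. That is acceptable for a revert that restores the pre-1a72b83d state, but the follow-up patch that moves zone handling back into networkAddFirewallRules() should restore that error in the nop implementation as well. The src/network/bridge_driver_linux.c hunk is consistent with src/network/bridge_driver.c: replacing `} else if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) {` with a plain `} else {` is only safe because networkStartNetworkVirtual() still guards the networkAddFirewallRules() call with `def->forward.type != VIR_NETWORK_FORWARD_OPEN`, as the context lines of that hunk show.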
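A check for the failure mode the commit message above describes (a libvirt-managed bridge losing its firewalld zone binding after a firewalld reload), added here as an example; it is not part of the libvirt series or of libvirt's own code. It asks firewall-cmd which zone an interface is bound to and compares the answer with the expected zone, so it can be run before and after a reload to confirm the binding survives. The bridge name virbr0 and the zone name libvirt are assumed defaults, and FIREWALL_CMD is an override hook introduced by this script, not a firewalld option.

```shell
#!/bin/sh
# Added example, not part of the libvirt patch series: confirm that a
# libvirt-managed bridge is still bound to the firewalld zone it is
# supposed to be in (run it before and after a firewalld reload).
# Assumptions: firewall-cmd is on PATH; the bridge name "virbr0" and the
# zone name "libvirt" are illustrative defaults; FIREWALL_CMD is an
# override hook introduced by this script so the lookup can be stubbed.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print the zone firewalld currently binds the interface to.
# firewall-cmd prints the zone name, or "no zone" when the interface is
# not bound to any zone, which is the state described after a reload.
iface_zone() {
    "$FIREWALL_CMD" --get-zone-of-interface="$1" 2>/dev/null
}

# Return 0 when the interface is bound to the expected zone, 1 otherwise.
# A mismatch is reported on stderr with the zone firewalld actually gave.
check_iface_zone() {
    iface=$1
    expected=$2
    observed=$(iface_zone "$iface")
    if [ "$observed" = "$expected" ]; then
        return 0
    fi
    printf 'interface %s: expected zone "%s", firewalld reports "%s"\n' \
        "$iface" "$expected" "${observed:-unknown}" >&2
    return 1
}

# Usage: check_bridge_zone.sh [bridge] [zone]   (defaults: virbr0 libvirt)
main() {
    bridge=${1:-virbr0}
    zone=${2:-libvirt}
    if check_iface_zone "$bridge" "$zone"; then
        echo "ok: $bridge is in zone $zone"
        return 0
    fi
    return 1
}

# Only act when invoked with at least one argument, so sourcing the file
# (or loading it under a test harness) defines the functions without
# touching firewalld.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check_bridge_zone.sh virbr0 libvirt` once the network is up, reload firewalld, and run it again: a non-zero exit on the second run, with firewalld reporting "no zone", is exactly the symptom the commit message above attributes to the reverted change.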
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 3/5] network: call network(Add|Remove)FirewallRules() for forward mode='open'
Date: Mon, 7 Oct 2024 00:19:39 -0400
Message-ID: <20241007041941.1873363-4-laine@redhat.com>
In-Reply-To: <20241007041941.1873363-1-laine@redhat.com>
References: <20241007041941.1873363-1-laine@redhat.com>

Previously networkAddFirewallRules() and networkRemoveFirewallRules()
were only called if the forward mode was none, 'route', or 'nat', so
those functions didn't check the forward mode. Although their current
contents shouldn't be executed for forward mode='open', soon they will
have extra functionality that should be executed for all the current
forward modes and also mode='open'.
This patch modifies all places either of the functions are called to
make sure they are called for mode='open' in addition to current modes
(by either adding 'case ..._OPEN:' to the case of a switch statement,
or just removing an 'if (mode != ...OPEN)' around the calls; to balance
out for that, it puts the entirety of the contents of both functions
inside if (mode != ...OPEN) to retain current behavior. (an upcoming
patch will add code outside that if clause).

Debug log messages were also added to make it easier to test that the
right thing is being done in all cases.

Signed-off-by: Laine Stump
Reviewed-by: Jiri Denemark
---
 src/network/bridge_driver.c       |  26 ++---
 src/network/bridge_driver_linux.c | 175 +++++++++++++++++-------------
 2 files changed, 110 insertions(+), 91 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index fe053f423a..f604b2695c 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1735,10 +1735,15 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, case VIR_NETWORK_FORWARD_NONE: case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: - /* Only three of the L3 network types that are configured by - * libvirt need to have iptables rules reloaded. The 4th L3 - * network type, forward=3D'open', doesn't need this because it - * has no iptables rules. + case VIR_NETWORK_FORWARD_OPEN: + /* even 'open' forward type networks need to call + * networkAdd/RemoveFirewallRules() in spite of the fact + * that, by definition, libvirt doesn't add any firewall + * rules for those networks.. This is because libvirt + * *does* support explicitly naming (in the config) a + * firewalld zone the network's bridge should be added to, + * and this functionality is also handled by + * networkAdd/RemoveFirewallRules() */ networkRemoveFirewallRules(obj); ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= , &fwRemoval)); 
@@ -1746,7 +1751,6 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, saveStatus =3D true; break; =20 - case VIR_NETWORK_FORWARD_OPEN: case VIR_NETWORK_FORWARD_BRIDGE: case VIR_NETWORK_FORWARD_PRIVATE: case VIR_NETWORK_FORWARD_VEPA: @@ -2000,10 +2004,8 @@ networkStartNetworkVirtual(virNetworkDriverState *dr= iver, goto error; =20 /* Add "once per network" rules */ - if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0= ) { + if (networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) goto error; - } =20 virNetworkObjSetFwRemoval(obj, fwRemoval); firewalRulesAdded =3D true; @@ -2119,8 +2121,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, if (devOnline) ignore_value(virNetDevSetOnline(def->bridge, false)); =20 - if (firewalRulesAdded && - def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) + if (firewalRulesAdded) networkRemoveFirewallRules(obj); =20 virNetworkObjUnrefMacMap(obj); @@ -2158,8 +2159,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) =20 ignore_value(virNetDevSetOnline(def->bridge, false)); =20 - if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(obj); + networkRemoveFirewallRules(obj); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); =20 @@ -3307,6 +3307,7 @@ networkUpdate(virNetworkPtr net, case VIR_NETWORK_FORWARD_NONE: case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: + case VIR_NETWORK_FORWARD_OPEN: switch (section) { case VIR_NETWORK_SECTION_FORWARD: case VIR_NETWORK_SECTION_FORWARD_INTERFACE: @@ -3325,7 +3326,6 @@ networkUpdate(virNetworkPtr net, } break; =20 - case VIR_NETWORK_FORWARD_OPEN: case VIR_NETWORK_FORWARD_BRIDGE: case VIR_NETWORK_FORWARD_PRIVATE: case VIR_NETWORK_FORWARD_VEPA: diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 5981e3bd19..31feec9c9f 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -337,90 +337,101 @@ networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval) { + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_OPEN) { =20 - networkSetupPrivateChains(firewallBackend, false); + VIR_DEBUG("No firewall rules to add for mode=3D'open' network '%s'= ", def->name); =20 - if (errInitV4 && - (virNetworkDefGetIPByIndex(def, AF_INET, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { - virSetError(errInitV4); - return -1; - } + } else { =20 - if (errInitV6 && - (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || - def->ipv6nogw)) { - virSetError(errInitV6); - return -1; - } + VIR_DEBUG("Adding firewall rules for mode=3D'%s' network '%s' usin= g %s", + virNetworkForwardTypeToString(def->forward.type), + def->name, + virFirewallBackendTypeToString(firewallBackend)); =20 - if (def->bridgeZone) { + networkSetupPrivateChains(firewallBackend, false); =20 - /* if a firewalld zone has been specified, fail/log an error - * if we can't honor it - */ - if (virFirewallDIsRegistered() < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("zone %1$s requested for network %2$s but fir= ewalld is not active"), - def->bridgeZone, def->name); + if (errInitV4 && + (virNetworkDefGetIPByIndex(def, AF_INET, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { + virSetError(errInitV4); return -1; } =20 - if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) + if (errInitV6 && + (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || + def->ipv6nogw)) { + virSetError(errInitV6); return -1; + } =20 - } else { + if (def->bridgeZone) { =20 - /* if firewalld is active, try to set the "libvirt" zone. 
This is - * desirable (for consistency) if firewalld is using the iptables - * backend, but is necessary (for basic network connectivity) if - * firewalld is using the nftables backend - */ - if (virFirewallDIsRegistered() =3D=3D 0) { - - /* if the "libvirt" zone exists, then set it. If not, and - * if firewalld is using the nftables backend, then we - * need to log an error because the combination of - * nftables + default zone means that traffic cannot be - * forwarded (and even DHCP and DNS from guest to host - * will probably no be permitted by the default zone - * - * Routed networks use a different zone and policy which we al= so - * need to verify exist. Probing for the policy guarantees the - * running firewalld has support for policies (firewalld >=3D = 0.9.0). + /* if a firewalld zone has been specified, fail/log an error + * if we can't honor it */ - if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE && - virFirewallDPolicyExists("libvirt-routed-out") && - virFirewallDZoneExists("libvirt-routed")) { - if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-rou= ted") < 0) - return -1; - } else if (virFirewallDZoneExists("libvirt")) { - if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") <= 0) - return -1; - } else { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("firewalld can't find the 'libvirt' zone = that should have been installed with libvirt")); + if (virFirewallDIsRegistered() < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("zone %1$s requested for network %2$s but= firewalld is not active"), + def->bridgeZone, def->name); return -1; } + + if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone)= < 0) + return -1; + + } else { + + /* if firewalld is active, try to set the "libvirt" zone. 
This= is + * desirable (for consistency) if firewalld is using the iptab= les + * backend, but is necessary (for basic network connectivity) = if + * firewalld is using the nftables backend + */ + if (virFirewallDIsRegistered() =3D=3D 0) { + + /* if the "libvirt" zone exists, then set it. If not, and + * if firewalld is using the nftables backend, then we + * need to log an error because the combination of + * nftables + default zone means that traffic cannot be + * forwarded (and even DHCP and DNS from guest to host + * will probably no be permitted by the default zone + * + * Routed networks use a different zone and policy which w= e also + * need to verify exist. Probing for the policy guarantees= the + * running firewalld has support for policies (firewalld >= =3D 0.9.0). + */ + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE && + virFirewallDPolicyExists("libvirt-routed-out") && + virFirewallDZoneExists("libvirt-routed")) { + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt= -routed") < 0) + return -1; + } else if (virFirewallDZoneExists("libvirt")) { + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt= ") < 0) + return -1; + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewalld can't find the 'libvirt' z= one that should have been installed with libvirt")); + return -1; + } + } } - } =20 - switch (firewallBackend) { - case VIR_FIREWALL_BACKEND_NONE: - virReportError(VIR_ERR_NO_SUPPORT, "%s", - _("No firewall backend is available")); - return -1; + switch (firewallBackend) { + case VIR_FIREWALL_BACKEND_NONE: + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("No firewall backend is available")); + return -1; =20 - case VIR_FIREWALL_BACKEND_IPTABLES: - return iptablesAddFirewallRules(def, fwRemoval); + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesAddFirewallRules(def, fwRemoval); =20 - case VIR_FIREWALL_BACKEND_NFTABLES: - return nftablesAddFirewallRules(def, fwRemoval); + case VIR_FIREWALL_BACKEND_NFTABLES: + return 
nftablesAddFirewallRules(def, fwRemoval); =20 - case VIR_FIREWALL_BACKEND_LAST: - virReportEnumRangeError(virFirewallBackend, firewallBackend); - return -1; + case VIR_FIREWALL_BACKEND_LAST: + virReportEnumRangeError(virFirewallBackend, firewallBackend); + return -1; + } } return 0; } 
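Review bot: most of this hunk is a pure re-indentation, wrapping the unchanged zone-setting code and the backend `switch` one level deeper inside the new `else` block, which hides the small behavioural change (mode='open' networks now reach this function and take the VIR_DEBUG branch). If nothing has to run after the `else`, an early `return 0;` in the open-mode branch would leave the existing code at its original indentation; otherwise consider splitting the re-indent into its own commit. While the block is being touched, the moved comment still reads "will probably no be permitted by the default zone" and should say "not be permitted".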
@@ -429,21 +440,29 @@ networkAddFirewallRules(virNetworkDef *def, void networkRemoveFirewallRules(virNetworkObj *obj) { + virNetworkDef *def =3D virNetworkObjGetDef(obj); virFirewall *fw; =20 - if ((fw =3D virNetworkObjGetFwRemoval(obj)) =3D=3D NULL) { - /* No information about firewall rules in the network status, - * so we assume the old iptables-based rules from 10.2.0 and - * earlier. + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_OPEN) { + + VIR_DEBUG("No firewall rules to remove for mode=3D'open' network '= %s'", def->name); + + } else { + + if ((fw =3D virNetworkObjGetFwRemoval(obj)) =3D=3D NULL) { + /* No information about firewall rules in the network status, + * so we assume the old iptables-based rules from 10.2.0 and + * earlier. + */ + VIR_DEBUG("No firewall info in status of network '%s', assumin= g old-style iptables", def->name); + iptablesRemoveFirewallRules(def); + return; + } + + /* fwRemoval info was stored in the network status, so use that to + * remove the firewall */ - VIR_DEBUG("No firewall info in network status, assuming old-style = iptables"); - iptablesRemoveFirewallRules(virNetworkObjGetDef(obj)); - return; + VIR_DEBUG("Removing firewall rules of network '%s' using commands = saved in status", def->name); + virFirewallApply(fw); } - - /* fwRemoval info was stored in the network status, so use that to - * remove the firewall - */ - VIR_DEBUG("Removing firewall rules with commands saved in network stat= us"); - virFirewallApply(fw); } --=20 2.46.1 From nobody Sat Feb 7 03:34:46 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) 
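Review bot: the two branches of the new `if`/`else` in networkRemoveFirewallRules() use different exit styles: the mode='open' branch only logs and falls through, while the "no fwRemoval in status" path inside the `else` keeps its early `return;`. The nesting only makes sense if something is meant to run after the `if`/`else` for all forward modes (which 5/5 in this series adds, the zone unsetting), so a one-line comment saying so, or doing the restructuring in the patch that needs it, would make the intent clear to someone reading this commit on its own. Minor: `fw` is now used only inside the `else` and could be declared there.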
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 4/5] network: a different way of supporting firewalld zone for mode='open' networks
Date: Mon, 7 Oct 2024 00:19:40 -0400
Message-ID: <20241007041941.1873363-5-laine@redhat.com>
In-Reply-To: <20241007041941.1873363-1-laine@redhat.com>
References: <20241007041941.1873363-1-laine@redhat.com>

Now that networkAddFirewallRules and networkRemoveFirewallRules() are being called for mode='open' networks, we just need to move the code that sets the zone outside of the if (mode != ...OPEN) clause, so that it's done for all forward modes, with the exception of setting the implied 'libvirt*' zones, which are set when no zone is specified for all forward modes *except* 'open'.

This was previously done in commit v10.7.0-76-g1a72b83d56, but in a manner that caused the zone to be unset whenever firewalld reloaded its rules. That patch was reverted, and this new better patch takes its place.
Replaces: 1a72b83d566df952033529001b0f88a66d7f4393 Resolves: https://issues.redhat.com/browse/RHEL-61576 Re-Resolves: https://gitlab.com/libvirt/libvirt/-/issues/215 Signed-off-by: Laine Stump Reviewed-by: Jiri Denemark --- src/network/bridge_driver_linux.c | 111 ++++++++++++++++-------------- 1 file changed, 60 insertions(+), 51 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 31feec9c9f..8956d38ab1 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -337,6 +337,64 @@ networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval) { + /* If firewalld is running on the system, a firewalld zone is + * always set for the bridge device of all bridge-based managed + * networks of all forward modes *except* 'open', which is only + * set if specifically requested in the config. + */ + if (def->bridgeZone) { + + /* if a firewalld zone has been specified, fail/log an error + * if we can't honor it + */ + if (virFirewallDIsRegistered() < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("zone %1$s requested for network %2$s but fir= ewalld is not active"), + def->bridgeZone, def->name); + return -1; + } + + if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) + return -1; + + } else if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) { + + /* if firewalld is active, try to set the "libvirt" zone by + * default (forward mode=3D'open' networks have no zone set by + * default, but we honor it if one is specified). This is + * desirable (for consistency) if firewalld is using the + * iptables backend, but is necessary (for basic network + * connectivity) if firewalld is using the nftables backend + */ + if (virFirewallDIsRegistered() =3D=3D 0) { + + /* if the "libvirt" zone exists, then set it. If not, and + * if firewalld is using the nftables backend, then we + * need to log an error because the combination of + * nftables + default zone means that traffic cannot be + * forwarded (and even DHCP and DNS from guest to host + * will probably no be permitted by the default zone + * + * Routed networks use a different zone and policy which we al= so + * need to verify exist. Probing for the policy guarantees the + * running firewalld has support for policies (firewalld >=3D = 0.9.0). 
+ */ + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE && + virFirewallDPolicyExists("libvirt-routed-out") && + virFirewallDZoneExists("libvirt-routed")) { + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-rou= ted") < 0) + return -1; + } else if (virFirewallDZoneExists("libvirt")) { + if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") <= 0) + return -1; + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewalld can't find the 'libvirt' zone = that should have been installed with libvirt")); + return -1; + } + } + } + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_OPEN) { =20 VIR_DEBUG("No firewall rules to add for mode=3D'open' network '%s'= ", def->name); @@ -348,6 +406,7 @@ networkAddFirewallRules(virNetworkDef *def, def->name, virFirewallBackendTypeToString(firewallBackend)); =20 + /* one-time (per system boot) initialization */ networkSetupPrivateChains(firewallBackend, false); =20 if (errInitV4 && 
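Review bot: in the first hunk (@@ -337) the zone is now assigned to the bridge before any firewall rules are added, but nothing in the hunk undoes that assignment when a later step fails (the `return -1` paths of the rule-adding code that follows it); please confirm that the caller's failure path ends up in networkRemoveFirewallRules(), otherwise a failed start leaves the interface in the 'libvirt'/'libvirt-routed' zone or the requested `bridgeZone` (the unsetting itself only arrives in 5/5). Two smaller points: the `bridgeZone` branch treats `virFirewallDIsRegistered() < 0` as "not active" while the default branch requires `== 0`, so the two branches would disagree on any return value that is neither 0 nor negative; and the moved comment still says "will probably no be permitted", which should be "not be permitted".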
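Review bot: in the second hunk (@@ -348) the new comment "one-time (per system boot) initialization" sits above a call that is made on every invocation of networkAddFirewallRules(); if it is networkSetupPrivateChains() itself that makes this one-time (returning early once the chains exist), say so, e.g. "networkSetupPrivateChains() only does work the first time it is called after boot", so a reader does not look for a missing guard here.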
@@ -365,57 +424,7 @@ networkAddFirewallRules(virNetworkDef *def, return -1; } =20 - if (def->bridgeZone) { - - /* if a firewalld zone has been specified, fail/log an error - * if we can't honor it - */ - if (virFirewallDIsRegistered() < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("zone %1$s requested for network %2$s but= firewalld is not active"), - def->bridgeZone, def->name); - return -1; - } - - if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone)= < 0) - return -1; - - } else { - - /* if firewalld is active, try to set the "libvirt" zone. This= is - * desirable (for consistency) if firewalld is using the iptab= les - * backend, but is necessary (for basic network connectivity) = if - * firewalld is using the nftables backend - */ - if (virFirewallDIsRegistered() =3D=3D 0) { - - /* if the "libvirt" zone exists, then set it. If not, and - * if firewalld is using the nftables backend, then we - * need to log an error because the combination of - * nftables + default zone means that traffic cannot be - * forwarded (and even DHCP and DNS from guest to host - * will probably no be permitted by the default zone - * - * Routed networks use a different zone and policy which w= e also - * need to verify exist. Probing for the policy guarantees= the - * running firewalld has support for policies (firewalld >= =3D 0.9.0). 
- */ - if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE && - virFirewallDPolicyExists("libvirt-routed-out") && - virFirewallDZoneExists("libvirt-routed")) { - if (virFirewallDInterfaceSetZone(def->bridge, "libvirt= -routed") < 0) - return -1; - } else if (virFirewallDZoneExists("libvirt")) { - if (virFirewallDInterfaceSetZone(def->bridge, "libvirt= ") < 0) - return -1; - } else { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("firewalld can't find the 'libvirt' z= one that should have been installed with libvirt")); - return -1; - } - } - } - + /* now actually add the rules */ switch (firewallBackend) { case VIR_FIREWALL_BACKEND_NONE: virReportError(VIR_ERR_NO_SUPPORT, "%s", --=20 2.46.1 From nobody Sat Feb 7 03:34:46 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1728274956970569.6692926390194; Sun, 6 Oct 2024 21:22:36 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D9B22B0D; Mon, 7 Oct 2024 00:22:35 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 0F6D815A3; Mon, 7 Oct 2024 00:20:01 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 8BD4414D2; Mon, 7 Oct 2024 00:19:50 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org 
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 5/5] network: a different implementation of *un*setting firewalld zone when network is destroyed
Date: Mon, 7 Oct 2024 00:19:41 -0400
Message-ID: <20241007041941.1873363-6-laine@redhat.com>
In-Reply-To: <20241007041941.1873363-1-laine@redhat.com>
References: <20241007041941.1873363-1-laine@redhat.com>

(this is a remake of commit v10.7.0-78-g200f60b2e1, which was reverted due to a regression in another patch it was dependent on. The new implementation just adds the call to virFirewallDInterfaceUnsetZone() into the existing networkRemoveFirewallRules() (but only if we had set a zone when the network was first started).

Replaces: 200f60b2e12e68d618f6d59f0173bb507b678838
Resolves: https://issues.redhat.com/browse/RHEL-61576
Signed-off-by: Laine Stump Reviewed-by: Jiri Denemark --- src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 29 +++++++++++++++++++++++------ src/util/virfirewalld.c | 23 +++++++++++++++++++++++ src/util/virfirewalld.h | 2 ++ 4 files changed, 49 insertions(+), 6 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index cafb41166b..e09fb98596 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2452,6 +2452,7 @@ virFirewallDGetPolicies; virFirewallDGetVersion; virFirewallDGetZones; virFirewallDInterfaceSetZone; +virFirewallDInterfaceUnsetZone; virFirewallDIsRegistered; virFirewallDPolicyExists; virFirewallDSynchronize; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 8956d38ab1..bafa9e26f9 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -459,19 +459,36 @@ networkRemoveFirewallRules(virNetworkObj *obj) } else { =20 if ((fw =3D virNetworkObjGetFwRemoval(obj)) =3D=3D NULL) { + /* No information about firewall rules in the network status, * so we assume the old iptables-based rules from 10.2.0 and * earlier. */ VIR_DEBUG("No firewall info in status of network '%s', assumin= g old-style iptables", def->name); iptablesRemoveFirewallRules(def); - return; + + } else { + + /* fwRemoval info was stored in the network status, so use tha= t to + * remove the firewall + */ + VIR_DEBUG("Removing firewall rules of network '%s' using comma= nds saved in status", def->name); + virFirewallApply(fw); } + } =20 - /* fwRemoval info was stored in the network status, so use that to - * remove the firewall - */ - VIR_DEBUG("Removing firewall rules of network '%s' using commands = saved in status", def->name); - virFirewallApply(fw); + /* all forward modes could have had a zone set, even 'open' mode + * iff it was specified in the config. firewalld preserves the + * name of an interface in a zone's list even after the interface + * has been deleted, which is problematic if the next use of that + * same interface name wants *no* zone set. To avoid this, we must + * "unset" the zone if we set it when the network was started. + */ + if (virFirewallDIsRegistered() =3D=3D 0 + && !(def->forward.type =3D=3D VIR_NETWORK_FORWARD_OPEN && def->bri= dgeZone =3D=3D NULL)) { + + VIR_DEBUG("unsetting zone for '%s' (current zone is '%s')", + def->bridge, def->bridgeZone); + virFirewallDInterfaceUnsetZone(def->bridge); } } diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 827e201dbb..ca61ed5ac0 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c 
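Review bot: the debug message `"unsetting zone for '%s' (current zone is '%s')"` is passed `def->bridgeZone`, which is NULL for every non-open network that received the implied 'libvirt'/'libvirt-routed' zone, so it both hands a NULL pointer to a `%s` and misreports the zone; use `NULLSTR(def->bridgeZone)` or drop the second field. The return value of virFirewallDInterfaceUnsetZone() is also discarded: because the condition re-derives "we set a zone" from the current config and the current firewalld state rather than from what actually happened at start time (firewalld may have started after the network did, or the network may have started while firewalld was down), a failed removeInterface should at least be logged with VIR_WARN rather than silently ignored.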
@@ -449,6 +449,29 @@ virFirewallDInterfaceSetZone(const char *iface, } =20 =20 +int +virFirewallDInterfaceUnsetZone(const char *iface) +{ + GDBusConnection *sysbus =3D virGDBusGetSystemBus(); + g_autoptr(GVariant) message =3D NULL; + + if (!sysbus) + return -1; + + message =3D g_variant_new("(ss)", "", iface); + + return virGDBusCallMethod(sysbus, + NULL, + NULL, + NULL, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.zone", + "removeInterface", + message); +} + + void virFirewallDSynchronize(void) { diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index 0e94d3507b..0dbe66d435 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h @@ -46,4 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer, int virFirewallDInterfaceSetZone(const char *iface, const char *zone); =20 +int virFirewallDInterfaceUnsetZone(const char *iface); + void virFirewallDSynchronize(void); --=20 2.46.1
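Review bot: in the virfirewalld.c hunk, virFirewallDInterfaceUnsetZone() passes an empty string as the zone argument of org.fedoraproject.FirewallD1.zone.removeInterface without explaining it; add a comment stating what the empty zone name means to firewalld (the function relies on it selecting the zone the interface currently belongs to, which is the whole reason it needs no zone parameter), and document in virfirewalld.h that callers must handle the -1 return, since the bridge driver hunk above currently ignores it.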