From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 1/2] network: ignore/don't log errors when unsetting firewalld zone
Date: Mon, 21 Oct 2024 22:32:42 -0400
Message-ID: <20241022023243.235120-2-laine@redhat.com>
In-Reply-To: <20241022023243.235120-1-laine@redhat.com>
References: <20241022023243.235120-1-laine@redhat.com>

The most common "error" when trying to unset the firewalld zone of an interface is for firewalld to tell us that the interface already isn't in any zone. Since this is what we want, no need to alarm the user by logging it as an error.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
---
 src/util/virfirewalld.c | 33 ++++++++++++++++++++++-----------
 src/util/virfirewalld.h |  2 +-
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c
index ca61ed5ac0..0a886780ad 100644
--- a/src/util/virfirewalld.c
+++ b/src/util/virfirewalld.c
@@ -449,26 +449,37 @@ virFirewallDInterfaceSetZone(const char *iface, } =20 =20 -int +void virFirewallDInterfaceUnsetZone(const char *iface) { GDBusConnection *sysbus =3D virGDBusGetSystemBus(); g_autoptr(GVariant) message =3D NULL; + g_autoptr(virError) error =3D NULL; =20 if (!sysbus) - return -1; + return; + + /* we are sending virGDBusCallMethod an error object so that it + * will put the error message there rather than logging it, + * because we want to ignore any error as it doesn't matter - the + * most common "error" is to inform us that the interface is + * already not in any zone, and that is of course just fine, since + * that's what we're trying to do anyway. If there is an error, + * we'll just throw it away without logging it anywhere. + */ + error =3D g_new0(virError, 1); =20 message =3D g_variant_new("(ss)", "", iface); =20 - return virGDBusCallMethod(sysbus, - NULL, - NULL, - NULL, - VIR_FIREWALL_FIREWALLD_SERVICE, - "/org/fedoraproject/FirewallD1", - "org.fedoraproject.FirewallD1.zone", - "removeInterface", - message); + virGDBusCallMethod(sysbus, + NULL, + NULL, + error, + VIR_FIREWALL_FIREWALLD_SERVICE, + "/org/fedoraproject/FirewallD1", + "org.fedoraproject.FirewallD1.zone", + "removeInterface", + message); } =20 =20 diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index 0dbe66d435..43803ee89a 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h 
@@ -46,6 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer, int virFirewallDInterfaceSetZone(const char *iface, const char *zone); =20 -int virFirewallDInterfaceUnsetZone(const char *iface); +void virFirewallDInterfaceUnsetZone(const char *iface); =20 void virFirewallDSynchronize(void); --=20 2.47.0
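Review bot: the new virFirewallDInterfaceUnsetZone() in the virfirewalld.c hunk discards every failure, not only the "interface already has no zone" reply the commit message is aiming at; a D-Bus level failure (firewalld service not reachable, a permission denial on the system bus, an unexpected reply) now leaves no trace at all, and the `if (!sysbus) return;` path is equally silent. Since the error is already captured in the `error` object instead of being logged, a debug-level trace keeps the user-facing log quiet while preserving a way to diagnose zone problems, e.g. right after the virGDBusCallMethod() call: `if (error->code != VIR_ERR_OK) VIR_DEBUG("ignoring firewalld removeInterface error for '%s': %s", iface, NULLSTR(error->message));`. The comment block's "we'll just throw it away without logging it anywhere" should also say that this is deliberate for removeInterface only, because with the return type now void, callers have lost any way to detect that the interface is still in a zone.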
From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH 2/2] network: don't unset the firewalld zone if it's going to be immediately re-set
Date: Mon, 21 Oct 2024 22:32:43 -0400
Message-ID: <20241022023243.235120-3-laine@redhat.com>
In-Reply-To: <20241022023243.235120-1-laine@redhat.com>
References: <20241022023243.235120-1-laine@redhat.com>

Any time the firewalld zone for an interface is set, by definition that removes it from any previous zone that it was in, so there is really no point in unsetting the zone if it's just going to be immediately set again.

(incoming "weave" - it meanders a bit, but then ties together into a point. Bigly.)
This is useful because when firewalld reloads its rules, 3 things happen:

1) firewalld flushes *all* firewall rules (including those added by libvirt)
2) firewalld unsets the zones for all interfaces (including those set by libvirt)
3) firewalld re-adds its own rules, and sets the zone for all the interfaces it manages
4) firewalld sends a dbus message that libvirt is watching for, and when libvirt receives that message, it reloads all of the libvirt-generated rules, and also re-sets the firewalld zone for the bridge interfaces managed by libvirt.

libvirt accomplishes step 4 by a) calling networkRemoveFirewallRules(), and then b) calling networkAddFirewallRules(). But (because it is useful in other contexts) networkRemoveFirewallRules() will attempt to *unset* the zone for each bridge interface, and when firewalld receives this request, it will see that the bridge interface *has no zone* (because it was unset by firewalld in step (2) above), and thus logs an error message.

There is no way for libvirt to suppress an error message that is logged by firewalld when a request to firewalld fails. But what libvirt *can* do is realize that in these cases, the firewalld zone is about to be set again anyway, and so we don't need to call firewalld to unset the zone in the first place.

This patch handles that by adding a bool unsetZone to the arguments of networkRemoveFirewallRules(); most calls to networkRemoveFirewallRules() have unsetZone=true, but in two cases where the zone is about to be reset, networkRemoveFirewallRules() is called with unsetZone=false, which prevents the call to virFirewallDInterfaceUnsetZone() and thus avoids the unnecessary (and confusing to users!) error message that would have been logged by firewalld.

(see - that weave ended up sewed together, right?)
Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko --- src/network/bridge_driver.c | 8 ++++---- src/network/bridge_driver_linux.c | 10 ++++++---- src/network/bridge_driver_nop.c | 4 +++- src/network/bridge_driver_platform.h | 3 ++- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 550759881a..d408f17de7 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1752,7 +1752,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * and this functionality is also handled by * networkAdd/RemoveFirewallRules() */ - networkRemoveFirewallRules(obj); + networkRemoveFirewallRules(obj, false); ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= , &fwRemoval)); virNetworkObjSetFwRemoval(obj, fwRemoval); saveStatus =3D true; @@ -2129,7 +2129,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, ignore_value(virNetDevSetOnline(def->bridge, false)); =20 if (firewalRulesAdded) - networkRemoveFirewallRules(obj); + networkRemoveFirewallRules(obj, true); =20 virNetworkObjUnrefMacMap(obj); =20 @@ -2166,7 +2166,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) =20 ignore_value(virNetDevSetOnline(def->bridge, false)); =20 - networkRemoveFirewallRules(obj); + networkRemoveFirewallRules(obj, true); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); =20 @@ -3332,7 +3332,7 @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(obj); + networkRemoveFirewallRules(obj, false); needFirewallRefresh =3D true; break; default: diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 6c3ec403a4..86f6a5915f 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -447,7 +447,8 @@ networkAddFirewallRules(virNetworkDef *def, =20 =20 void -networkRemoveFirewallRules(virNetworkObj *obj) +networkRemoveFirewallRules(virNetworkObj *obj, + bool unsetZone) { virNetworkDef *def =3D virNetworkObjGetDef(obj); virFirewall *fw; @@ -484,9 +485,10 @@ networkRemoveFirewallRules(virNetworkObj *obj) * same interface name wants *no* zone set. To avoid this, we must * "unset" the zone if we set it when the network was started. */ - if (virFirewallDIsRegistered() =3D=3D 0 && - (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN || - def->bridgeZone)) { + if (unsetZone + && virFirewallDIsRegistered() =3D=3D 0 + && (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN + || def->bridgeZone)) { =20 VIR_DEBUG("unsetting zone for '%s' (current zone is '%s')", def->bridge, def->bridgeZone); diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 8bf3367bff..59fc0e3c96 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -56,6 +56,8 @@ int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNU= SED, return 0; } =20 -void networkRemoveFirewallRules(virNetworkObj *obj G_GNUC_UNUSED) +void +networkRemoveFirewallRules(virNetworkObj *obj G_GNUC_UNUSED, + bool unsetZone G_GNUC_UNUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index cd2e3fa7b5..6a393c9733 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -36,4 +36,5 @@ int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval); =20 -void networkRemoveFirewallRules(virNetworkObj *obj); +void networkRemoveFirewallRules(virNetworkObj *obj, + bool unsetZone); --=20 2.47.0
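Review bot: in the networkReloadFirewallRulesHelper and networkUpdate hunks of bridge_driver.c, passing unsetZone=false is only correct as long as the follow-up networkAddFirewallRules() actually runs and succeeds; in the reload hunk its result is discarded with ignore_value(), and in the update hunk the re-add is deferred via `needFirewallRefresh = true`. If that re-add fails (firewalld unavailable, a rule conflict), the bridge is left with libvirt's rules removed but, in the update path, still in the zone libvirt set at network start, which the old unconditional unset would have cleared. Suggest at least a VIR_WARN when networkAddFirewallRules() fails in the reload helper, so the mismatch between "no libvirt rules" and "still in libvirt's zone" is visible in the log rather than silently persisting until the next network restart.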
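Review bot: the bridge_driver_platform.h hunk adds the `bool unsetZone` parameter without documenting it, and the only statement of when false is safe lives in the commit message. A short comment on the prototype spelling out the contract (pass false only when the caller will immediately call networkAddFirewallRules() for the same network, which re-sets the zone; in every teardown path such as networkShutdownNetworkVirtual() pass true, otherwise the interface keeps a zone it should no longer have) would stop a future caller from copying the false variant into a shutdown path. The bridge_driver_nop.c stub marks the parameter G_GNUC_UNUSED consistently with the existing obj argument, so nothing further is needed there.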