From nobody Fri Dec 19 16:07:30 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1751885489; cv=none;
	d=zohomail.com; s=zohoarc;
	b=VeiT/WDPJXzjSFV4v3Bcz5+D7op9OX9wLo7XoGlCogbs43s37dGRDlh3uT8rBs42/MG+CKM3HcNUHEV76wijXD8JxHnJfQqCHMAmkeuysUwFrq7tfLjX7a1l4oGwBh+DB8H8TE7kUGzb7adMVFfrvQewE3K1QTUcZFlJi+mmcFw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1751885489;
 h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:Subject:Subject:To:To:Message-Id;
	bh=tXH8GesSRjFuNWv6kdOnkb397yC34cnceDO9E7zirQ8=;
	b=BSePAXO66aAZT8YWvIh+n3hi4K6JVAcMLI+IuPKeDSz0igGmCehFAzqua+3o4TNpOxaMU6pTXzL6Zp5I9VUjZbp1OMLiZw8EhsW10JXk4/zqQlkA2L70O+aQ6wPTbhhfpIoIyNynsrXJiWZJY9rhJxDQeQkXMlNMET/q811rvPg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1751885489377954.885364573482;
 Mon, 7 Jul 2025 03:51:29 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 6152914C5; Mon,  7 Jul 2025 06:51:28 -0400 (EDT)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id 4F5DD1433;
	Mon,  7 Jul 2025 06:51:03 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 104B9C98; Mon,  7 Jul 2025 06:51:00 -0400 (EDT)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 761EF608
	for <devel@lists.libvirt.org>; Mon,  7 Jul 2025 06:50:59 -0400 (EDT)
Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-557-FYf7TLqaPDyAN0xuzWXf_Q-1; Mon,
 07 Jul 2025 06:50:58 -0400
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 40FFB18011EF
	for <devel@lists.libvirt.org>; Mon,  7 Jul 2025 10:50:57 +0000 (UTC)
Received: from speedmetal.lan (unknown [10.45.242.10])
	by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id 3FEFA19560AD;
	Mon,  7 Jul 2025 10:50:56 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H5,
	RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable
	autolearn_force=no version=3.4.4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1751885459;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=o7m0Or9zD9B+BWa5a0z8gz1krPFe+f0sJUvr8O/rCJM=;
	b=MLTBL57dxCBj+cFsWWP3OL31/+Tcll3FrUubiVWxSwp7iyC7c5onNH1weTGx612c7uotsT
	7UW6/cvgQ/lNIS58mY7UMx/mzuylQb2RF+yAbXCKiDMF/I0x3lVUeAbWfP9FNfaF2EjYah
	dxhrxt+4j/l+EnjttqB+qgZYofDhKl4=
X-MC-Unique: FYf7TLqaPDyAN0xuzWXf_Q-1
X-Mimecast-MFC-AGG-ID: FYf7TLqaPDyAN0xuzWXf_Q_1751885457
To: devel@lists.libvirt.org
Subject: [PATCH v2] nwfilter: Remove 'qemu-announce-self' example
Date: Mon,  7 Jul 2025 12:50:53 +0200
Message-ID: 
 <720cf734e82ae7eb40ad060b40dda8ee3266d479.1751885414.git.pkrempa@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 8a0KbQXa7L56yk7Uy7cecBvljaVxPIUhiSUZ8-klA4Y_1751885457
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 5CZ2JBDKUKYKPIJGZRWGOK6RG6D2Z6PA
X-Message-ID-Hash: 5CZ2JBDKUKYKPIJGZRWGOK6RG6D2Z6PA
X-MailFrom: pkrempa@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
CC: Peter Krempa <pkrempa@redhat.com>
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/5CZ2JBDKUKYKPIJGZRWGOK6RG6D2Z6PA/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Peter Krempa via Devel <devel@lists.libvirt.org>
Reply-To: Peter Krempa <pkrempa@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1751885490998116600
Content-Type: text/plain; charset="utf-8"

From: Peter Krempa <pkrempa@redhat.com>

The example allows packets sent by qemu after migration with broken
protocol ID. The proper self announce is handled via
'qemu-announce-self-rarp'.

The qemu bug was addressed by f8778a7785d530515b0db39 (released as
v0.13.0). As we no longer support such old qemus, and allowing broken
packets makes no sense. Remove the rule and make it into an alias of
'qemu-announce-self-rarp' to preserve compatibility. Adjust the existing
examples to use only the proper rule.t

Closes: https://gitlab.com/libvirt/libvirt/-/issues/792
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
v2:
 - keep the old rule as alias
 - update comment to say that it's no longer needed

 docs/firewall.rst                            |  1 -
 docs/formatnwfilter.rst                      |  2 +-
 src/nwfilter/xml/clean-traffic-gateway.xml   |  2 +-
 src/nwfilter/xml/clean-traffic.xml           |  2 +-
 src/nwfilter/xml/qemu-announce-self-rarp.xml |  2 ++
 src/nwfilter/xml/qemu-announce-self.xml      | 14 ++++----------
 6 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/docs/firewall.rst b/docs/firewall.rst
index 26474d3317..81114d2c95 100644
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@@ -285,7 +285,6 @@ useful rules:
    fb57c546-76dc-a372-513f-e8179011b48a  no-mac-spoofing
    dba10ea7-446d-76de-346f-335bd99c1d05  no-other-l2-traffic
    f5c78134-9da4-0c60-a9f0-fb37bc21ac1f  no-other-rarp-traffic
-   7637e405-4ccf-42ac-5b41-14f8d03d8cf3  qemu-announce-self
    9aed52e7-f0f3-343e-fe5c-7dcb27b594e5  qemu-announce-self-rarp

 Most of these are just building blocks. The interesting one here is
diff --git a/docs/formatnwfilter.rst b/docs/formatnwfilter.rst
index 13e9a791af..e50497aaf8 100644
--- a/docs/formatnwfilter.rst
+++ b/docs/formatnwfilter.rst
@@ -438,7 +438,7 @@ several other filters.
      <filterref filter=3D'allow-incoming-ipv4'/>
      <filterref filter=3D'no-arp-spoofing'/>
      <filterref filter=3D'no-other-l2-traffic'/>
-     <filterref filter=3D'qemu-announce-self'/>
+     <filterref filter=3D'qemu-announce-self-rarp'/>
    </filter>

 To reference another filter, the XML node ``filterref`` needs to be provid=
ed
diff --git a/src/nwfilter/xml/clean-traffic-gateway.xml b/src/nwfilter/xml/=
clean-traffic-gateway.xml
index b8c204041a..1768a67697 100644
--- a/src/nwfilter/xml/clean-traffic-gateway.xml
+++ b/src/nwfilter/xml/clean-traffic-gateway.xml
@@ -30,5 +30,5 @@
     <filterref filter=3D'no-other-l2-traffic'/>

     <!-- allow qemu to send a self-announce upon migration end -->
-    <filterref filter=3D'qemu-announce-self'/>
+    <filterref filter=3D'qemu-announce-self-rarp'/>
 </filter>
diff --git a/src/nwfilter/xml/clean-traffic.xml b/src/nwfilter/xml/clean-tr=
affic.xml
index b8cde9c560..b0530da70a 100644
--- a/src/nwfilter/xml/clean-traffic.xml
+++ b/src/nwfilter/xml/clean-traffic.xml
@@ -25,6 +25,6 @@
    <filterref filter=3D'no-other-l2-traffic'/>

    <!-- allow qemu to send a self-announce upon migration end -->
-   <filterref filter=3D'qemu-announce-self'/>
+   <filterref filter=3D'qemu-announce-self-rarp'/>

 </filter>
diff --git a/src/nwfilter/xml/qemu-announce-self-rarp.xml b/src/nwfilter/xm=
l/qemu-announce-self-rarp.xml
index b7a848ad0f..db7b650320 100644
--- a/src/nwfilter/xml/qemu-announce-self-rarp.xml
+++ b/src/nwfilter/xml/qemu-announce-self-rarp.xml
@@ -11,4 +11,6 @@
           arpsrcmacaddr=3D'$MAC' arpdstmacaddr=3D'$MAC'
           arpsrcipaddr=3D'0.0.0.0' arpdstipaddr=3D'0.0.0.0'/>
   </rule>
+
+  <filterref filter=3D'no-other-rarp-traffic'/>
 </filter>
diff --git a/src/nwfilter/xml/qemu-announce-self.xml b/src/nwfilter/xml/qem=
u-announce-self.xml
index 352db500de..73b77804cf 100644
--- a/src/nwfilter/xml/qemu-announce-self.xml
+++ b/src/nwfilter/xml/qemu-announce-self.xml
@@ -1,13 +1,7 @@
 <filter name=3D'qemu-announce-self' chain=3D'root'>
-    <!-- as of 4/26/2010 qemu sends out a bogus packet with
-         wrong rarp protocol ID -->
-    <!-- accept what is being sent now -->
-    <rule action=3D'accept' direction=3D'out'>
-        <mac protocolid=3D'0x835'/>
-    </rule>
-
-    <!-- accept if it was changed to rarp -->
+  <!-- This rule originally allowed protocol '0x835' which qemu originally=
 used.
+    As this bug in qemu was fixed and libvirt no longer supports such old =
qemu
+    versions this now is just a shim refering to 'qemu-announce-self-rarp'=
 to
+    preserve compatibility if someone used this rule directly -->
     <filterref filter=3D'qemu-announce-self-rarp'/>
-    <filterref filter=3D'no-other-rarp-traffic'/>
-
 </filter>
--=20
2.49.0