From nobody Thu Dec 18 23:25:23 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1751871822; cv=none;
	d=zohomail.com; s=zohoarc;
	b=hPMpQnUzwU7QL8XSHU0kURJBKFuIGNU4nH//UVys2TH5BJx2T4o8vHe250wRYvLy2tvYikUxvkN10A2i+PFzXvqsXojyVsXYiN6TayTrBE+rtdRJmTW6W5SuwTUaPGeaWaT0KYm7tCKvTJx0cVKSR/UbrbY5zd/K3oZMG7ef17s=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1751871822;
 h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:Subject:Subject:To:To:Message-Id;
	bh=UsakEcxGIkRnYpXhN8ERBTU7jPVnTepwizFBsuXr/C4=;
	b=kKeFTbIyWp0vUzpo79x3Esaj4xK7QvEUnKrle0kQs1svdOkBEmiH/VXoNB64vLNQZ7VtZfTqAh77jz0f0mhCNbCMuFgD3X7dMeAmibmMh+TPcI5BvNFPFMNH+i7AS03tzVZ7R5vdpkRbJlUrG+8tqjx4gL3l1bGRavY6Hon8heI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1751871822227733.0716266291328;
 Mon, 7 Jul 2025 00:03:42 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 32F8C14A8; Mon,  7 Jul 2025 03:03:41 -0400 (EDT)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id E3D0D147D;
	Mon,  7 Jul 2025 03:03:15 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id C3E1C145F; Mon,  7 Jul 2025 03:03:12 -0400 (EDT)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 2C9881283
	for <devel@lists.libvirt.org>; Mon,  7 Jul 2025 03:03:12 -0400 (EDT)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-433-IqrY9NY7MzW_kq3_pNYchQ-1; Mon,
 07 Jul 2025 03:03:10 -0400
Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id AE68718002ED
	for <devel@lists.libvirt.org>; Mon,  7 Jul 2025 07:03:09 +0000 (UTC)
Received: from speedmetal.lan (unknown [10.45.242.10])
	by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id ACDB93000218;
	Mon,  7 Jul 2025 07:03:08 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H5,
	RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable
	autolearn_force=no version=3.4.4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1751871791;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=303lK9uHNuuHtaiiZHwsjY4l2Dx+XusuXWZnbsWV+a0=;
	b=gFdmztts71OoXHE8VWkZ7X6dU9vuCJ6c5V0RzLWHc8aJ3wxBgryr96s6zlzS6HhVUaIWjG
	SXyl7FAdeN7cUvPUPmU3u+UUX3zeuz4fRwdI705va+tEwZgtnd/Fa9pase32FLyOv4biCe
	/kQDe1KzvpRZtW+qoyZ/hCEMwXhKcYM=
X-MC-Unique: IqrY9NY7MzW_kq3_pNYchQ-1
X-Mimecast-MFC-AGG-ID: IqrY9NY7MzW_kq3_pNYchQ_1751871789
To: devel@lists.libvirt.org
Subject: [PATCH] nwfilter: Remove 'qemu-announce-self' example
Date: Mon,  7 Jul 2025 09:03:06 +0200
Message-ID: 
 <b9c73f8c73c6310d3ffbf077da5183c7d9d4253a.1751871786.git.pkrempa@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 4gqmkIam9s-KcEB-4G4kY7lVDjC_EKolvexHNSIP0JQ_1751871789
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: ZDTYHXV5XFQB7EM25USFQBLTKNMPHCON
X-Message-ID-Hash: ZDTYHXV5XFQB7EM25USFQBLTKNMPHCON
X-MailFrom: pkrempa@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
CC: Peter Krempa <pkrempa@redhat.com>
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/ZDTYHXV5XFQB7EM25USFQBLTKNMPHCON/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Peter Krempa via Devel <devel@lists.libvirt.org>
Reply-To: Peter Krempa <pkrempa@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1751871825601116600
Content-Type: text/plain; charset="utf-8"

From: Peter Krempa <pkrempa@redhat.com>

The example allows packets sent by qemu after migration with broken
protocol ID. The proper self announce is handled via
'qemu-announce-self-rarp'.

The qemu bug was addressed by f8778a7785d530515b0db39 (released as
v0.13.0). As we no longer support such old qemus, and allowing broken
packets makes no sense remove the filter, and adjust the existing ones
to refer to the proper name.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/792
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
---
 docs/firewall.rst                            |  1 -
 docs/formatnwfilter.rst                      |  2 +-
 src/nwfilter/xml/clean-traffic-gateway.xml   |  2 +-
 src/nwfilter/xml/clean-traffic.xml           |  2 +-
 src/nwfilter/xml/meson.build                 |  1 -
 src/nwfilter/xml/qemu-announce-self-rarp.xml |  2 ++
 src/nwfilter/xml/qemu-announce-self.xml      | 13 -------------
 7 files changed, 5 insertions(+), 18 deletions(-)
 delete mode 100644 src/nwfilter/xml/qemu-announce-self.xml

diff --git a/docs/firewall.rst b/docs/firewall.rst
index 26474d3317..81114d2c95 100644
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@@ -285,7 +285,6 @@ useful rules:
    fb57c546-76dc-a372-513f-e8179011b48a  no-mac-spoofing
    dba10ea7-446d-76de-346f-335bd99c1d05  no-other-l2-traffic
    f5c78134-9da4-0c60-a9f0-fb37bc21ac1f  no-other-rarp-traffic
-   7637e405-4ccf-42ac-5b41-14f8d03d8cf3  qemu-announce-self
    9aed52e7-f0f3-343e-fe5c-7dcb27b594e5  qemu-announce-self-rarp

 Most of these are just building blocks. The interesting one here is
diff --git a/docs/formatnwfilter.rst b/docs/formatnwfilter.rst
index 13e9a791af..e50497aaf8 100644
--- a/docs/formatnwfilter.rst
+++ b/docs/formatnwfilter.rst
@@ -438,7 +438,7 @@ several other filters.
      <filterref filter=3D'allow-incoming-ipv4'/>
      <filterref filter=3D'no-arp-spoofing'/>
      <filterref filter=3D'no-other-l2-traffic'/>
-     <filterref filter=3D'qemu-announce-self'/>
+     <filterref filter=3D'qemu-announce-self-rarp'/>
    </filter>

 To reference another filter, the XML node ``filterref`` needs to be provid=
ed
diff --git a/src/nwfilter/xml/clean-traffic-gateway.xml b/src/nwfilter/xml/=
clean-traffic-gateway.xml
index b8c204041a..1768a67697 100644
--- a/src/nwfilter/xml/clean-traffic-gateway.xml
+++ b/src/nwfilter/xml/clean-traffic-gateway.xml
@@ -30,5 +30,5 @@
     <filterref filter=3D'no-other-l2-traffic'/>

     <!-- allow qemu to send a self-announce upon migration end -->
-    <filterref filter=3D'qemu-announce-self'/>
+    <filterref filter=3D'qemu-announce-self-rarp'/>
 </filter>
diff --git a/src/nwfilter/xml/clean-traffic.xml b/src/nwfilter/xml/clean-tr=
affic.xml
index b8cde9c560..b0530da70a 100644
--- a/src/nwfilter/xml/clean-traffic.xml
+++ b/src/nwfilter/xml/clean-traffic.xml
@@ -25,6 +25,6 @@
    <filterref filter=3D'no-other-l2-traffic'/>

    <!-- allow qemu to send a self-announce upon migration end -->
-   <filterref filter=3D'qemu-announce-self'/>
+   <filterref filter=3D'qemu-announce-self-rarp'/>

 </filter>
diff --git a/src/nwfilter/xml/meson.build b/src/nwfilter/xml/meson.build
index 0d96c54ebe..de3f205a7c 100644
--- a/src/nwfilter/xml/meson.build
+++ b/src/nwfilter/xml/meson.build
@@ -22,7 +22,6 @@ nwfilter_xml_files =3D [
   'no-other-l2-traffic.xml',
   'no-other-rarp-traffic.xml',
   'qemu-announce-self-rarp.xml',
-  'qemu-announce-self.xml',
 ]

 install_data(nwfilter_xml_files, install_dir: sysconfdir / 'libvirt' / 'nw=
filter')
diff --git a/src/nwfilter/xml/qemu-announce-self-rarp.xml b/src/nwfilter/xm=
l/qemu-announce-self-rarp.xml
index b7a848ad0f..db7b650320 100644
--- a/src/nwfilter/xml/qemu-announce-self-rarp.xml
+++ b/src/nwfilter/xml/qemu-announce-self-rarp.xml
@@ -11,4 +11,6 @@
           arpsrcmacaddr=3D'$MAC' arpdstmacaddr=3D'$MAC'
           arpsrcipaddr=3D'0.0.0.0' arpdstipaddr=3D'0.0.0.0'/>
   </rule>
+
+  <filterref filter=3D'no-other-rarp-traffic'/>
 </filter>
diff --git a/src/nwfilter/xml/qemu-announce-self.xml b/src/nwfilter/xml/qem=
u-announce-self.xml
deleted file mode 100644
index 352db500de..0000000000
--- a/src/nwfilter/xml/qemu-announce-self.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-<filter name=3D'qemu-announce-self' chain=3D'root'>
-    <!-- as of 4/26/2010 qemu sends out a bogus packet with
-         wrong rarp protocol ID -->
-    <!-- accept what is being sent now -->
-    <rule action=3D'accept' direction=3D'out'>
-        <mac protocolid=3D'0x835'/>
-    </rule>
-
-    <!-- accept if it was changed to rarp -->
-    <filterref filter=3D'qemu-announce-self-rarp'/>
-    <filterref filter=3D'no-other-rarp-traffic'/>
-
-</filter>
--=20
2.49.0