[PATCH 0/5] network: fix networking for firewalld+nftables

The detailed explanation of this is in Patch 4/5. Basically, when
firewalld enables their new nftables backend, libvirt virtual networks
lose all ability to forward packets from guests out to the physical
network, and can only communicate with the host itself as much as
firewalld's "public" zone will allow (which isn't much, and doesn't
include DHCP or DNS).

Laine Stump (5):
  docs: add forgotten mentions of forward mode "open"
  util: move all firewalld-specific stuff into its own file
  util: new function virFirewallDInterfaceSetZone()
  network: regain guest network connectivity after firewalld switch to
    nftables
  network: allow configuring firewalld zone for virtual network bridge
    device

 docs/formatnetwork.html.in                 |  21 ++-
 docs/news.xml                              |  40 ++++++
 docs/schemas/basictypes.rng                |   6 +
 docs/schemas/network.rng                   |   6 +
 include/libvirt/virterror.h                |   1 +
 libvirt.spec.in                            |  16 +++
 src/conf/network_conf.c                    |  14 +-
 src/conf/network_conf.h                    |   1 +
 src/libvirt_private.syms                   |   4 +
 src/network/Makefile.inc.am                |  10 +-
 src/network/bridge_driver_linux.c          |  25 ++++
 src/network/libvirt.zone                   |  14 ++
 src/util/Makefile.inc.am                   |   2 +
 src/util/virerror.c                        |   1 +
 src/util/virfirewall.c                     |  86 +-----------
 src/util/virfirewalld.c                    | 151 +++++++++++++++++++++
 src/util/virfirewalld.h                    |  36 +++++
 src/util/virfirewallpriv.h                 |   2 -
 tests/networkxml2xmlin/routed-network.xml  |   2 +-
 tests/networkxml2xmlout/routed-network.xml |   2 +-
 tests/virfirewalltest.c                    |   1 +
 21 files changed, 350 insertions(+), 91 deletions(-)
 create mode 100644 src/network/libvirt.zone
 create mode 100644 src/util/virfirewalld.c
 create mode 100644 src/util/virfirewalld.h

-- 
2.20.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


