Resolves: https://bugzilla.redhat.com/1638342
Creates-and-Resolves: https://bugzilla.redhat.com/1650320

V1: https://www.redhat.com/archives/libvir-list/2019-January/msg00227.html

The detailed explanation of this is in Patch 4/7 and 5/7. Basically, when firewalld enables their new nftables backend, libvirt virtual networks lose all ability to forward packets from guests out to the physical network, and can only communicate with the host itself as much as firewalld's "public" zone will allow (which isn't much, and doesn't include DHCP or DNS).

I *think* I've addressed everything in Daniel and John's review comments. In particular, I've made installation of the libvirt zone file optional, and if the libvirt zone is missing, I only log an error if the firewalld backend is set to nftables.

Laine Stump (7):
  configure: change HAVE_FIREWALLD to WITH_FIREWALLD
  util: move all firewalld-specific stuff into its own files
  util: new virFirewallD APIs + docs
  configure: selectively install a firewalld 'libvirt' zone
  network: set firewalld zone of bridges to "libvirt" zone when appropriate
  network: allow configuring firewalld zone for virtual network bridge device
  docs: update news.xml for firewalld zone changes

 configure.ac                               |   3 +
 docs/firewall.html.in                      |  38 +++
 docs/formatnetwork.html.in                 |  17 +
 docs/news.xml                              |  40 +++
 docs/schemas/basictypes.rng                |   6 +
 docs/schemas/network.rng                   |   6 +
 include/libvirt/virterror.h                |   1 +
 libvirt.spec.in                            |  31 ++
 m4/virt-firewalld-zone.m4                  |  45 +++
 m4/virt-firewalld.m4                       |   4 +-
 src/conf/network_conf.c                    |  14 +-
 src/conf/network_conf.h                    |   1 +
 src/libvirt_private.syms                   |  10 +
 src/network/Makefile.inc.am                |  10 +-
 src/network/bridge_driver.c                |   6 +-
 src/network/bridge_driver_linux.c          |  67 ++++
 src/network/libvirt.zone                   |  23 ++
 src/nwfilter/nwfilter_driver.c             |   6 +-
 src/util/Makefile.inc.am                   |   3 +
 src/util/virerror.c                        |   3 +-
 src/util/virfirewall.c                     |  86 +---
 src/util/virfirewalld.c                    | 373 +++++++++++++++++++++
 src/util/virfirewalld.h                    |  46 +++
 src/util/virfirewalldpriv.h                |  30 ++
 src/util/virfirewallpriv.h                 |   2 -
 tests/networkxml2xmlin/routed-network.xml  |   2 +-
 tests/networkxml2xmlout/routed-network.xml |   2 +-
 tests/virfirewalltest.c                    |   2 +
 28 files changed, 779 insertions(+), 98 deletions(-)
 create mode 100644 m4/virt-firewalld-zone.m4
 create mode 100644 src/network/libvirt.zone
 create mode 100644 src/util/virfirewalld.c
 create mode 100644 src/util/virfirewalld.h
 create mode 100644 src/util/virfirewalldpriv.h

-- 
2.20.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
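The policy the cover letter describes (a missing 'libvirt' firewalld zone is only an error when firewalld's backend is nftables, because that is the configuration in which guest traffic ends up confined by the "public" zone) can be checked from the host side before or after deploying this series. The script below is an added example written for this page; it is not code from the patch series or from libvirt. `FirewallBackend=` in firewalld.conf and the `firewall-cmd --get-zones` / `--get-zone-of-interface` options are firewalld's own; the helper names, the `ok` / `missing-zone-error` / `missing-zone-ignored` result strings, the assumption that libvirt bridges are named `virbr*`, and the sample firewalld.conf contents used when exercising it are constructed for this example.

```shell
#!/bin/sh
# Added example (not libvirt's code): host-side pre-flight check mirroring
# the cover letter's policy. A missing 'libvirt' zone is an error only when
# firewalld's backend is nftables; otherwise it is merely reported.
# Helper names and result strings are this example's own.

# read_backend FILE
#   Print the value of FirewallBackend= from a firewalld.conf-style file
#   (last setting wins, comment lines ignored). Prints nothing if unset.
read_backend() {
    sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# firewalld_zone_check BACKEND "ZONE ZONE ..."
#   BACKEND is the string from read_backend; the zone list is the output of
#   `firewall-cmd --get-zones` (space-separated). Prints one of
#   ok | missing-zone-error | missing-zone-ignored, and returns non-zero
#   only in the error case.
firewalld_zone_check() {
    backend=$1
    zones=$2
    for z in $zones; do
        if [ "$z" = "libvirt" ]; then
            echo ok
            return 0
        fi
    done
    if [ "$backend" = "nftables" ]; then
        echo missing-zone-error
        return 1
    fi
    echo missing-zone-ignored
    return 0
}

# check_live_host
#   Run the check against the running firewalld. Needs firewall-cmd and the
#   rights to query it; not exercised offline. Also prints the zone of every
#   virbr* bridge (assumed libvirt naming), since a bridge left in 'public'
#   is the symptom the cover letter describes.
check_live_host() {
    backend=$(read_backend /etc/firewalld/firewalld.conf)
    zones=$(firewall-cmd --get-zones)
    firewalld_zone_check "$backend" "$zones" || return 1
    for path in /sys/class/net/virbr*; do
        [ -e "$path" ] || continue
        br=${path##*/}
        printf '%s: zone %s\n' "$br" "$(firewall-cmd --get-zone-of-interface "$br")"
    done
}

# Only touch the live host when explicitly asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_host
fi
```

Running it with `--live` on a host where the backend is nftables and the zone file from this series has not been installed yields `missing-zone-error` and a non-zero exit, which is the situation in which bridges would otherwise silently fall into the "public" zone; with the iptables backend the same missing zone is reported but not treated as fatal, matching the cover letter's logging policy.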