This series fixes routed networks when a newer firewalld (>= 1.0.0) is
present [1]. Firewalld 1.0.0 included a change that disallows implicit
forwarding between zones [2]. libvirt was relying on this behavior to
allow routed networks to function.

Firewalld policies are added. Policies have been supported since firewalld
0.9.0. If the running firewall does not support policies, then it will
fall back to the current zone only behavior.

My goal is to get libvirt to a fully native firewalld backend; no iptables
rules. This series is phase 1 of that effort. The next steps are:

  1. introduce a "libvirt-nat" zone and policies
     - the current "libvirt" zone will become obsolete

  2. go full native firewalld, do not use iptables directly
     - currently a hybrid of iptables + firewalld is used

v3:
  - rebase, retest, resend

v2:
  - keep existing libvirt zone as is
  - remove "<forward />" in libvirt-routed zone because this feature
    requires firewalld >= 0.9.0. Has no impact since the added policies
    allow forwarding libvirt-routed <--> ANY zone (including itself).
  - add probe for policies: virFirewallDGetPolicies(),
    virFirewallDPolicyExists()

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=2055706
[2]: https://github.com/firewalld/firewalld/issues/177

Eric Garver (5):
  util: add virFirewallDGetPolicies()
  util: add virFirewallDPolicyExists()
  network: firewalld: add zone for routed networks
  network: firewalld: add policies for routed networks
  network: firewalld: add support for routed networks

 src/libvirt_private.syms              |  2 +
 src/network/bridge_driver_linux.c     | 11 +++-
 src/network/libvirt-routed-in.policy  | 11 ++++
 src/network/libvirt-routed-out.policy | 12 +++++
 src/network/libvirt-routed.zone       | 10 ++++
 src/network/libvirt-to-host.policy    | 20 ++++++++
 src/network/meson.build               | 20 ++++++++
 src/util/virfirewalld.c               | 72 +++++++++++++++++++++++++++
 src/util/virfirewalld.h               |  2 +
 9 files changed, 159 insertions(+), 1 deletion(-)
 create mode 100644 src/network/libvirt-routed-in.policy
 create mode 100644 src/network/libvirt-routed-out.policy
 create mode 100644 src/network/libvirt-routed.zone
 create mode 100644 src/network/libvirt-to-host.policy

-- 
2.35.3
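The policy approach the cover letter describes, as an added shell example that is not part of this series or of libvirt: it applies the two version thresholds the letter names (policies since firewalld 0.9.0, no implicit inter-zone forwarding from 1.0.0) to pick between the policy path and the zone-only fallback, and writes two firewalld policy files that permit libvirt-routed <--> ANY. The function names, the output file names and the policy contents are this example's assumptions, not the series' actual files.

```shell
#!/bin/sh
# Added example, not part of the libvirt series: pick the policy or zone-only
# path from a firewalld version and generate libvirt-routed <--> ANY policy
# files. File names and contents are this example's assumptions.
set -e

# version_ge A B: succeed when dotted version A >= B, component by component.
version_ge() {
    a=$1 b=$2 i=1
    while :; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Policies exist since firewalld 0.9.0; 1.0.0 dropped implicit inter-zone
# forwarding, so from 1.0.0 on routed networks only work through policies.
routed_network_mode() {
    v=${1%%-*}                      # drop a pre-release suffix such as -rc1
    if version_ge "$v" 0.9.0; then echo policies; else echo zone-only; fi
}

# write_policy DIR NAME INGRESS EGRESS: write DIR/NAME.policy, a firewalld
# policy that ACCEPTs traffic from zone INGRESS to zone EGRESS ("ANY" is
# the policy wildcard zone).
write_policy() {
    dir=$1 name=$2 ingress=$3 egress=$4
    mkdir -p "$dir"
    cat > "$dir/$name.policy" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
  <short>$name</short>
  <ingress-zone name="$ingress"/>
  <egress-zone name="$egress"/>
</policy>
EOF
}

# Report on a locally installed firewalld, then generate both directions into
# a scratch directory (copy them to /etc/firewalld/policies/ to apply).
if command -v firewall-cmd >/dev/null 2>&1 && ver=$(firewall-cmd --version 2>/dev/null); then
    echo "firewalld $ver: routed networks use the $(routed_network_mode "$ver") path"
fi
out=$(mktemp -d)
write_policy "$out" libvirt-routed-out libvirt-routed ANY
write_policy "$out" libvirt-routed-in ANY libvirt-routed
```

Inspect the generated files with `firewall-cmd --info-policy <name>` after copying and reloading; on a firewalld older than 0.9.0 the policy directory does not exist and the zone-only behavior is all that is available.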