[PATCH 0/8] network: firewalld: native support for NAT/routed

This series further improves the firewalld backend by converting to a
fully native implementation for NAT and routed networks. That is, there
are no iptables rules added by libvirt when the running firewalld is
0.9.0 or later.

The major advantage is that firewalld users can use firewall-cmd to
filter the VM traffic and apply their own policies.

When firewalld < 0.9.0 is present only the "libvirt" zone will be used.
The new "libvirt-nat" and "libvirt-routed" zones are not used. This
maintains compatibility for older distributions (e.g. Ubuntu 20.04).

Patch 1 is a bug fix for my previous series to avoid a bogus error log.

Patches 2-3 convert the routed network to native firewalld.

Patches 4-8 convert the NAT network to native firewalld. They also
introduce the "libvirt-nat" zone.

Eric Garver (8):
  util: virFirewallDGetPolicies: gracefully handle older firewalld
  network: firewalld: add networkAddHybridFirewallDRules()
  network: firewalld: use native routed networks
  util: add virFirewallDSourceSetZone()
  util: add virFirewallDApplyPolicyRichRules()
  network: firewalld: add zone for NAT networks
  network: firewalld: add policies for NAT networks
  network: firewalld: use native NAT networks

 libvirt.spec.in                    |   2 +
 src/libvirt_private.syms           |   2 +
 src/network/bridge_driver_linux.c  | 193 ++++++++++++++++++++---------
 src/network/libvirt-nat-out.policy |  13 ++
 src/network/libvirt-nat.zone       |  10 ++
 src/network/libvirt-to-host.policy |   1 +
 src/network/meson.build            |  10 ++
 src/util/virfirewalld.c            |  79 +++++++++++-
 src/util/virfirewalld.h            |   6 +
 9 files changed, 258 insertions(+), 58 deletions(-)
 create mode 100644 src/network/libvirt-nat-out.policy
 create mode 100644 src/network/libvirt-nat.zone

-- 
2.37.3



