[PATCH 3/8] network: firewalld: use native routed networks


 



The firewalld backend for routed networks can now use a native
implementation. The hybrid of iptables + firewalld is no longer
necessary. When full native firewalld is in use there are zero iptables
rules added by libvirt.

This is accomplished by returning early in networkAddFirewallRules() and
avoiding calls to networkSetupPrivateChains().

Signed-off-by: Eric Garver <eric@xxxxxxxxxxx>
---
 src/network/bridge_driver_linux.c | 51 +++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 9 deletions(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 88a8e9c5fa27..42f098ff1f9b 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -133,6 +133,21 @@ networkHasRunningNetworksWithFW(virNetworkDriverState *driver)
 }
 
 
+static bool
+networkUseOnlyFirewallDRules(void)
+{
+    if (virFirewallDIsRegistered() < 0)
+        return false;
+
+    if (virFirewallDPolicyExists("libvirt-routed-out") &&
+        virFirewallDZoneExists("libvirt-routed")) {
+        return true;
+    }
+
+    return false;
+}
+
+
 void
 networkPreReloadFirewallRules(virNetworkDriverState *driver,
                               bool startup G_GNUC_UNUSED,
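Review bot: networkUseOnlyFirewallDRules() carries no comment saying what "only firewalld" means or that it asks firewalld afresh on every call (nothing is cached in the function, and the three checks are presumably remote queries); since later hunks call it from both the add and the remove path, the answer can legitimately differ between a network's start and its stop. Suggested header comment: `/* True when firewalld is registered and both the libvirt-routed zone and the libvirt-routed-out policy exist, i.e. routed networks can be handled by firewalld alone with no iptables rules. Queries firewalld on each call; the result is not cached. */`. The registration test here uses `virFirewallDIsRegistered() < 0` while the networkAddFirewallRules hunk keeps `== 0`; using one form in both places reads more consistently.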
@@ -172,6 +187,9 @@ networkPreReloadFirewallRules(virNetworkDriverState *driver,
             return;
         }
 
+        if (!chainInitDone && networkUseOnlyFirewallDRules())
+            return;
+
         ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
     }
 }
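Review bot: The added early return skips networkSetupPrivateChains() whenever the native zone and policy exist on the host, but that is a host-wide property, whereas the native path is only taken per network when the forward type is ROUTE and no bridgeZone is set (see the networkAddFirewallRules hunk). If the condition above this hunk merely checks that some network with firewall rules is running, a running NAT network, or a routed one with bridgeZone, still needs the private chains on startup/reload and this return leaves them uncreated until the next networkAddFirewallRules() call. Consider gating on whether any running network actually uses the iptables path, e.g. walking the running networks with the same forward-type/bridgeZone test, rather than on networkUseOnlyFirewallDRules() alone. networkPreReloadFirewallRules begins before this hunk, so the surrounding condition and the exact meaning of chainInitDone are inferred here.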
@@ -801,6 +819,18 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw,
 }
 
 
+static int
+networkAddOnlyFirewallDRules(virNetworkDef *def)
+{
+    if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+        if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 networkAddHybridFirewallDRules(virNetworkDef *def)
 {
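Review bot: networkAddOnlyFirewallDRules() returns 0 for any non-ROUTE forward type without installing anything, so a future caller that omits the ROUTE check gets a success result and a network with no rules; the only caller in this series repeats the same check, which makes the inner branch here unreachable. Either document the contract, `/* Caller must already have checked networkUseOnlyFirewallDRules() and forward.type == VIR_NETWORK_FORWARD_ROUTE; other forward types are not handled by this path. */`, or report an error and return -1 for an unsupported forward type instead of silently succeeding.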
@@ -860,6 +890,11 @@ int networkAddFirewallRules(virNetworkDef *def)
     virNetworkIPDef *ipdef;
     g_autoptr(virFirewall) fw = virFirewallNew();
 
+    if (!def->bridgeZone && networkUseOnlyFirewallDRules() &&
+        def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+        return networkAddOnlyFirewallDRules(def);
+    }
+
     if (virOnce(&createdOnce, networkSetupPrivateChains) < 0)
         return -1;
 
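Review bot: The three-part test `!def->bridgeZone && networkUseOnlyFirewallDRules() && def->forward.type == VIR_NETWORK_FORWARD_ROUTE` is duplicated verbatim in the networkRemoveFirewallRules hunk, and the ROUTE check appears a third time inside networkAddOnlyFirewallDRules(). A single helper taking the def, e.g. `static bool networkUseOnlyFirewallDRulesForNetwork(virNetworkDef *def)` (constructed name), would keep the add and remove decisions from drifting apart. Putting the cheap `def->forward.type` check before the networkUseOnlyFirewallDRules() call, as is already done for bridgeZone, also avoids the firewalld queries entirely for non-routed networks.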
@@ -895,15 +930,8 @@ int networkAddFirewallRules(virNetworkDef *def)
             return -1;
 
     } else if (virFirewallDIsRegistered() == 0) {
-        if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE &&
-            virFirewallDPolicyExists("libvirt-routed-out") &&
-            virFirewallDZoneExists("libvirt-routed")) {
-            if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0)
-                return -1;
-        } else {
-            if (networkAddHybridFirewallDRules(def) < 0)
-                return -1;
-        }
+        if (networkAddHybridFirewallDRules(def) < 0)
+            return -1;
     }
 
     virFirewallStartTransaction(fw, 0);
@@ -940,6 +968,11 @@ void networkRemoveFirewallRules(virNetworkDef *def)
     virNetworkIPDef *ipdef;
     g_autoptr(virFirewall) fw = virFirewallNew();
 
+    if (!def->bridgeZone && networkUseOnlyFirewallDRules() &&
+        def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+        return;
+    }
+
     virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
     networkRemoveChecksumFirewallRules(fw, def);
 
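Review bot: The early return re-derives the firewall mode from live firewalld state at teardown, but nothing records which path networkAddFirewallRules() took when the network was started. If the libvirt-routed zone/policy appear or disappear, or firewalld registration changes, between start and stop, a network whose rules were added through the hybrid iptables path is skipped here and its iptables rules are left behind; the reverse case runs the removal transaction for rules that were never added, which is benign only because of VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS. Recording the chosen mode per network when rules are added (a flag on the network's runtime state, set in the add path) and testing that flag here would make removal symmetric with addition. Separately, the native path binds def->bridge to the libvirt-routed zone at start and nothing here unbinds it; if firewalld retains interface bindings after the bridge is deleted, consider resetting the zone on removal — confirm against firewalld's behavior.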
-- 
2.37.3




