On 11/10/22 17:31, Eric Garver wrote:
> This series further improves the firewalld backend by converting to a
> fully native implementation for NAT and routed networks. That is, there
> are no iptables rules added by libvirt when the running firewalld is
> 0.9.0 or later.
>
> The major advantage is that firewalld users can use firewall-cmd to
> filter the VM traffic and apply their own policies.
>
> When firewalld < 0.9.0 is present only the "libvirt" zone will be used.
> The new "libvirt-nat" and "libvirt-routed" zones are not used. This
> maintains compatibility for older distributions (e.g. Ubuntu 20.04).
>
> Patch 1 is a bug fix for my previous series to avoid a bogus error log.
>
> Patches 2-3 convert the routed network to native firewalld.
>
> Patches 4-8 convert the NAT network to native firewalld. It also
> introduces the "libvirt-nat" zone.
>
> Eric Garver (8):
>   util: virFirewallDGetPolicies: gracefully handle older firewalld
>   network: firewalld: add networkAddHybridFirewallDRules()
>   network: firewalld: use native routed networks
>   util: add virFirewallDSourceSetZone()
>   util: add virFirewallDApplyPolicyRichRules()
>   network: firewalld: add zone for NAT networks
>   network: firewalld: add policies for NAT networks
>   network: firewalld: use native NAT networks
>
>  libvirt.spec.in                    |   2 +
>  src/libvirt_private.syms           |   2 +
>  src/network/bridge_driver_linux.c  | 193 ++++++++++++++++++++---------
>  src/network/libvirt-nat-out.policy |  13 ++
>  src/network/libvirt-nat.zone       |  10 ++
>  src/network/libvirt-to-host.policy |   1 +
>  src/network/meson.build            |  10 ++
>  src/util/virfirewalld.c            |  79 +++++++++++-
>  src/util/virfirewalld.h            |   6 +
>  9 files changed, 258 insertions(+), 58 deletions(-)
>  create mode 100644 src/network/libvirt-nat-out.policy
>  create mode 100644 src/network/libvirt-nat.zone

Patches look good to me. You have my:

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

but I'll wait a bit for Laine, if he wants to express his opinion.

Michal