At the time the version check in this function was written, there were still several supported versions of some distros that were using a version of firewalld too old to support the "rich rule priorities" used by the 'libvirt' zone that we installed for firewalld. Today the newest distro that has a version of firewalld < 0.7.0 is RHEL7/CentOS7, so we can remove the complexity and if the libvirt zone is missing simply say "the libvirt zone is missing".
Signed-off-by: Laine Stump <[email protected]> --- src/network/bridge_driver_linux.c | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index a6203a712e..af758d4f3d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -381,24 +381,9 @@ networkSetBridgeZone(virNetworkDef *def) if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0) return -1; } else { - unsigned long long version; - int vresult = virFirewallDGetVersion(&version); - - if (vresult < 0) - return -1; - - /* Support for nftables backend was added in firewalld - * 0.6.0. Support for rule priorities (required by the - * 'libvirt' zone, which should be installed by a - * libvirt package, *not* by firewalld) was not added - * until firewalld 0.7.0 (unless it was backported). - */ - if (version >= 6000 && - virFirewallDGetBackend() == VIR_FIREWALLD_BACKEND_NFTABLES) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("firewalld is set to use the nftables backend, but the required firewalld 'libvirt' zone is missing. Either set the firewalld backend to 'iptables', or ensure that firewalld has a 'libvirt' zone by upgrading firewalld to a version supporting rule priorities (0.7.0+) and/or rebuilding libvirt with --with-firewalld-zone")); - return -1; - } + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewalld can't find the 'libvirt' zone that should have been installed with libvirt")); + return -1; } } } -- 2.46.0
