The detailed explanation of this is in Patch 4/5. Basically, when
firewalld enables their new nftables backend, libvirt virtual networks
lose all ability to forward packets from guests out to the physical
network, and can only communicate with the host itself as much as
firewalld's "public" zone will allow (which isn't much, and doesn't
include DHCP or DNS).

Laine Stump (5):
  docs: add forgotten mentions of forward mode "open"
  util: move all firewalld-specific stuff into its own file
  util: new function virFirewallDInterfaceSetZone()
  network: regain guest network connectivity after firewalld switch to
    nftables
  network: allow configuring firewalld zone for virtual network bridge
    device

 docs/formatnetwork.html.in                 |  21 ++-
 docs/news.xml                              |  40 ++++++
 docs/schemas/basictypes.rng                |   6 +
 docs/schemas/network.rng                   |   6 +
 include/libvirt/virterror.h                |   1 +
 libvirt.spec.in                            |  16 +++
 src/conf/network_conf.c                    |  14 +-
 src/conf/network_conf.h                    |   1 +
 src/libvirt_private.syms                   |   4 +
 src/network/Makefile.inc.am                |  10 +-
 src/network/bridge_driver_linux.c          |  25 ++++
 src/network/libvirt.zone                   |  14 ++
 src/util/Makefile.inc.am                   |   2 +
 src/util/virerror.c                        |   1 +
 src/util/virfirewall.c                     |  86 +-----------
 src/util/virfirewalld.c                    | 151 +++++++++++++++++++++
 src/util/virfirewalld.h                    |  36 +++++
 src/util/virfirewallpriv.h                 |   2 -
 tests/networkxml2xmlin/routed-network.xml  |   2 +-
 tests/networkxml2xmlout/routed-network.xml |   2 +-
 tests/virfirewalltest.c                    |   1 +
 21 files changed, 350 insertions(+), 91 deletions(-)
 create mode 100644 src/network/libvirt.zone
 create mode 100644 src/util/virfirewalld.c
 create mode 100644 src/util/virfirewalld.h

-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to