<span class="since">Since 1.2.11, requires kernel 3.17 or
newer</span>
</p>
+
+ <p>
+ The optional <code>zone</code> attribute of
+ the <code>bridge</code> element is used to specify
+ the <a href="https://firewalld.org">firewalld</a>
+ zone for the bridge of a network with <code>forward</code>
+ mode of "nat", "route", "open", or one with
+ no <code>forward</code> specified. By default, the bridges
+ of all virtual networks with these forward modes are placed
+ in the firewalld zone named "libvirt", which permits
+ incoming DNS, DHCP, TFTP, and SSH to the host from guests on
+ the network. This behavior can be changed either by
+ modifying the libvirt zone (using firewalld management
+ tools), or by placing the network in a different zone (which
+ will also be managed using firewalld tools).
+ <span class="since">Since 5.1.0</span>
+ </p>
</dd>
<dt><code>mtu</code></dt>
VIR_FREE(def->name);
VIR_FREE(def->bridge);
+ VIR_FREE(def->bridgeZone);
VIR_FREE(def->domain);
virNetworkForwardDefClear(&def->forward);
/* Parse bridge information */
def->bridge = virXPathString("string(./bridge[1]/@name)", ctxt);
+ def->bridgeZone = virXPathString("string(./bridge[1]/@zone)", ctxt);
stp = virXPathString("string(./bridge[1]/@stp)", ctxt);
def->stp = (stp && STREQ(stp, "off")) ? false : true;
def->name);
goto error;
}
+ if (def->bridgeZone) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("bridge zone not allowed in %s mode (network '%s')"),
+ virNetworkForwardTypeToString(def->forward.type),
+ def->name);
+ goto error;
+ }
if (def->macTableManager) {
virReportError(VIR_ERR_XML_ERROR,
_("bridge macTableManager setting not allowed "
ATTRIBUTE_FALLTHROUGH;
case VIR_NETWORK_FORWARD_BRIDGE:
- if (def->delay || stp) {
+ if (def->delay || stp || def->bridgeZone) {
virReportError(VIR_ERR_XML_ERROR,
- _("bridge delay/stp options only allowed in "
+ _("bridge delay/stp/zone options only allowed in "
"route, nat, and isolated mode, not in %s "
"(network '%s')"),
virNetworkForwardTypeToString(def->forward.type),
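Review bot: The rewritten message on the two changed lines (`_("bridge delay/stp/zone options only allowed in route, nat, and isolated mode, not in %s (network '%s')")`) tells the user that a zone is limited to route, nat and isolated, while the documentation paragraph added on this same page says the zone attribute also applies to forward mode "open". If open mode is meant to accept a zone (its case label is not in this hunk, so this is inferred), the string should read `"route, nat, open, and isolated mode, not in %s "` so the error does not contradict the docs. The enclosing switch and function start and end outside the hunk.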
if (hasbridge || def->bridge || def->macTableManager) {
virBufferAddLit(buf, "<bridge");
virBufferEscapeString(buf, " name='%s'", def->bridge);
+ virBufferEscapeString(buf, " zone='%s'", def->bridgeZone);
if (hasbridge)
virBufferAsprintf(buf, " stp='%s' delay='%ld'",
def->stp ? "on" : "off", def->delay);
virFirewallPtr fw = NULL;
int ret = -1;
- /* if firewalld is active, try to set the "libvirt" zone. This is
- * desirable (for consistency) if firewalld is using the iptables
- * backend, but is necessary (for basic network connectivity) if
- * firewalld is using the nftables backend
- */
- if (virFirewallDIsRegistered() == 0) {
-
- /* if the "libvirt" zone exists, then set it. If not, and
- * if firewalld is using the nftables backend, then we
- * need to log an error because the combination of
- * nftables + default zone means that traffic cannot be
- * forwarded (and even DHCP and DNS from guest to host
- * will probably no be permitted by the default zone
+ if (def->bridgeZone) {
+
+ /* if a firewalld zone has been specified, fail/log an error
+ * if we can't honor it
+ */
+ if (virFirewallDIsRegistered() < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("zone %s requested for network %s "
+ "but firewalld is not active"),
+ def->bridgeZone, def->name);
+ goto cleanup;
+ }
+
+ if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0)
+ goto cleanup;
+
+ } else {
+
+ /* if firewalld is active, try to set the "libvirt" zone. This is
+ * desirable (for consistency) if firewalld is using the iptables
+ * backend, but is necessary (for basic network connectivity) if
+ * firewalld is using the nftables backend
*/
- if (virFirewallDZoneExists("libvirt")) {
- if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0)
- goto cleanup;
- } else {
- unsigned long version;
- int vresult = virFirewallDGetVersion(&version);
-
- if (vresult < 0)
- goto cleanup;
-
- /* Support for nftables backend was added in firewalld
- * 0.6.0. Support for rule priorities (required by the
- * 'libvirt' zone, which should be installed by a
- * libvirt package, *not* by firewalld) was not added
- * until firewalld 0.7.0 (unless it was backported).
+ if (virFirewallDIsRegistered() == 0) {
+
+ /* if the "libvirt" zone exists, then set it. If not, and
+ * if firewalld is using the nftables backend, then we
+ * need to log an error because the combination of
+ * nftables + default zone means that traffic cannot be
+ * forwarded (and even DHCP and DNS from guest to host
+ * will probably no be permitted by the default zone
*/
- if (version >= 6000 &&
- virFirewallDGetBackend() == VIR_FIREWALLD_BACKEND_NFTABLES) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("firewalld is set to use the nftables "
- "backend, but the required firewalld "
- "'libvirt' zone is missing. Either set "
- "the firewalld backend to 'iptables', or "
- "ensure that firewalld has a 'libvirt' "
- "zone by upgrading firewalld to a "
- "version supporting rule priorities "
- "(0.7.0+) and/or rebuilding "
- "libvirt with --with-firewalld-zone"));
- goto cleanup;
+ if (virFirewallDZoneExists("libvirt")) {
+ if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0)
+ goto cleanup;
+ } else {
+ unsigned long version;
+ int vresult = virFirewallDGetVersion(&version);
+
+ if (vresult < 0)
+ goto cleanup;
+
+ /* Support for nftables backend was added in firewalld
+ * 0.6.0. Support for rule priorities (required by the
+ * 'libvirt' zone, which should be installed by a
+ * libvirt package, *not* by firewalld) was not added
+ * until firewalld 0.7.0 (unless it was backported).
+ */
+ if (version >= 6000 &&
+ virFirewallDGetBackend() == VIR_FIREWALLD_BACKEND_NFTABLES) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld is set to use the nftables "
+ "backend, but the required firewalld "
+ "'libvirt' zone is missing. Either set "
+ "the firewalld backend to 'iptables', or "
+ "ensure that firewalld has a 'libvirt' "
+ "zone by upgrading firewalld to a "
+ "version supporting rule priorities "
+ "(0.7.0+) and/or rebuilding "
+ "libvirt with --with-firewalld-zone"));
+ goto cleanup;
+ }
}
}
}
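Review bot: The new `if (def->bridgeZone)` branch passes the operator-supplied zone name straight to `virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone)` without first checking that the zone exists, whereas the default path guards its `virFirewallDInterfaceSetZone(def->bridge, "libvirt")` call with `virFirewallDZoneExists("libvirt")`; a misspelled or absent zone would then surface only as whatever error the D-Bus call reports, if it reports one at all. Adding `if (!virFirewallDZoneExists(def->bridgeZone)) { /* report zone + network like the error above */ goto cleanup; }` before the SetZone call gives an actionable diagnostic and keeps the two paths consistent, which matters because the zone chosen here decides what guest traffic reaches the host. The comment carried over from the old block still reads "will probably no be permitted" and could be corrected to "not" while those lines are being re-indented. The enclosing function begins outside the hunk.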