} else {
if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) {
+
/* No information about firewall rules in the network status,
* so we assume the old iptables-based rules from 10.2.0 and
* earlier.
*/
VIR_DEBUG("No firewall info in status of network '%s', assuming old-style iptables", def->name);
iptablesRemoveFirewallRules(def);
- return;
+
+ } else {
+
+ /* fwRemoval info was stored in the network status, so use that to
+ * remove the firewall
+ */
+ VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name);
+ virFirewallApply(fw);
}
+ }
- /* fwRemoval info was stored in the network status, so use that to
- * remove the firewall
- */
- VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name);
- virFirewallApply(fw);
+ /* all forward modes could have had a zone set, even 'open' mode
+ * iff it was specified in the config. firewalld preserves the
+ * name of an interface in a zone's list even after the interface
+ * has been deleted, which is problematic if the next use of that
+ * same interface name wants *no* zone set. To avoid this, we must
+ * "unset" the zone if we set it when the network was started.
+ */
+ if (virFirewallDIsRegistered() == 0 &&
+ (def->forward.type != VIR_NETWORK_FORWARD_OPEN ||
+ def->bridgeZone)) {
+
+ VIR_DEBUG("unsetting zone for '%s' (current zone is '%s')",
+ def->bridge, def->bridgeZone);
+ virFirewallDInterfaceUnsetZone(def->bridge);
}
}
}
+int
+virFirewallDInterfaceUnsetZone(const char *iface)
+{
+ GDBusConnection *sysbus = virGDBusGetSystemBus();
+ g_autoptr(GVariant) message = NULL;
+
+ if (!sysbus)
+ return -1;
+
+ message = g_variant_new("(ss)", "", iface);
+
+ return virGDBusCallMethod(sysbus,
+ NULL,
+ NULL,
+ NULL,
+ VIR_FIREWALL_FIREWALLD_SERVICE,
+ "/org/fedoraproject/FirewallD1",
+ "org.fedoraproject.FirewallD1.zone",
+ "removeInterface",
+ message);
+}
+
+
void
virFirewallDSynchronize(void)
{
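Review bot: virFirewallDInterfaceUnsetZone carries no header comment, and the empty first string in `g_variant_new("(ss)", "", iface)` is the whole point of the call — it presumably relies on firewalld's `removeInterface` treating an empty zone name as "whichever zone the interface is currently bound to", which a reader cannot tell from the code. I would add above the definition something like `/* Remove @iface from the firewalld zone it is currently bound to (an empty zone name selects the current zone). Returns 0 on success, -1 if the system bus is unavailable or the D-Bus call fails. */`, and note that with a NULL error argument any D-Bus failure is reported through virGDBusCallMethod's own error path rather than returned to the caller. Since this call is the only thing that undoes the stale zone membership described in the bridge-driver hunk, its sole caller there (`virFirewallDInterfaceUnsetZone(def->bridge);`) should at least VIR_WARN on a non-zero return instead of discarding it, otherwise a failed removal leaves the bridge name bound to the zone with nothing in the log. It is also worth deciding explicitly whether firewalld rejecting the call because the interface is no longer in any zone is an error or an expected no-op, since the caller's guard only checks the forward type and bridgeZone, not the current binding.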