On Wed, Jan 09, 2019 at 09:57:36PM -0500, Laine Stump wrote:
> From: Laine Stump
[..]
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> new file mode 100644
> index 00..1750ba2f06
> --- /dev/null
> +++ b/src/network/libvirt.zone
> @@ -0,0 +1,14 @@
> +
> +
> + libvirt
>
On Fri, Mar 15, 2019 at 01:46:37PM -0400, Laine Stump wrote:
> On 3/12/19 7:48 AM, Pavel Hrdina wrote:
> > On Fri, Mar 08, 2019 at 11:21:37AM -0500, Laine Stump wrote:
> > > On 3/8/19 8:34 AM, John Ferlan wrote:
> > > > On 2/24/19 9:15 AM, ZhiPeng LU wrote:
> > > > > This patch adds functionality
e b/src/network/libvirt.zone
> index bf81db1b6e..b1e84b52ec 100644
> --- a/src/network/libvirt.zone
> +++ b/src/network/libvirt.zone
> @@ -15,6 +15,8 @@
>
>
>
> +
> +
>
>
>
> --
> 2.20.1
LGTM. Sorry I didn't catch it the first time around.
Acked-by: Eric Garver
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Thu, Jan 31, 2019 at 10:10:43PM -0500, Laine Stump wrote:
> On 1/31/19 8:24 PM, Laine Stump wrote:
> > Changes from V1:
> > [...]
>
> > * make the rule's priority 32767 instead of 127.
> > [...]
>
> > +
> > +
> > +
> > +
>
>
> I found out after sending this that when I make the priority
f 0%{?fedora} >= 30 || 0%{?rhel} > 7
> +%if 0%{?fedora} >= 31 || 0%{?rhel} > 7
> %define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
> %endif
>
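Review bot: the gate on the %if line moves from fedora >= 30 to fedora >= 31 while the rhel > 7 half and the %define with_firewalld_zone default are unchanged, so Fedora 30 builds silently stop defaulting the zone on; the commit message should state which firewalld capability first shipped in F31 motivates the bump, and the %{!?_without_firewalld_zone:1} override should stay exactly as it is so packagers can still disable the zone explicitly.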
Acked-by: Eric Garver
On Mon, Apr 13, 2020 at 02:20:08PM -0400, Laine Stump wrote:
> On 4/9/20 8:44 AM, Eric Garver wrote:
> > On Thu, Apr 09, 2020 at 11:53:46AM +0100, Daniel P. Berrangé wrote:
> > > Copying Eric Garver as a knowledgeable maintainer of firewalld to
> > >
On Thu, Apr 09, 2020 at 11:53:46AM +0100, Daniel P. Berrangé wrote:
> Copying Eric Garver as a knowledgeable maintainer of firewalld to
> confirm a question I have
>
> On Fri, Mar 20, 2020 at 12:25:49PM +0300, nshirokovskiy wrote:
> > Hi, all.
> >
> > Some time a
Signed-off-by: Eric Garver
---
src/network/libvirt-routed-in.policy | 11 +++
src/network/libvirt-routed-out.policy | 12
src/network/libvirt-to-host.policy| 20
src/network/meson.build | 15 +++
4 files changed, 58
This zone will be used for the routed network by default.
Note that this zone definition omits "forward" aka intra-zone
forwarding, because it requires firewalld >= 0.9.0.
Signed-off-by: Eric Garver
---
src/network/libvirt-routed.zone | 10 ++
src/network/meson.build
Signed-off-by: Eric Garver
---
src/network/bridge_driver_linux.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/network/bridge_driver_linux.c
b/src/network/bridge_driver_linux.c
index 98d2a33a1da0..c96d8f624b4d 100644
--- a/src/network/bridge_driver_linux.c
Signed-off-by: Eric Garver
---
src/libvirt_private.syms | 1 +
src/util/virfirewalld.c | 31 +++
src/util/virfirewalld.h | 1 +
3 files changed, 33 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 64d932e929eb..9ea3062f75e9
Signed-off-by: Eric Garver
---
src/libvirt_private.syms | 1 +
src/util/virfirewalld.c | 41
src/util/virfirewalld.h | 1 +
3 files changed, 43 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index bfedd853268d
no impact since the added policies
allow forwarding libvirt-routed <--> ANY zone (including itself).
- add probe for policies: virFirewallDGetPolicies(),
virFirewallDPolicyExists()
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=2055706
[2]: https://github.com/firewalld/firewalld/issu
On Wed, May 11, 2022 at 05:15:25PM +0100, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> > Convert the existing behavior into policies.
>
> Has this split of .zone vs .policy been something firewalld
> always supported, or is it a "
On Thu, May 12, 2022 at 07:37:30PM +0100, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:55AM -0400, Eric Garver wrote:
> > Signed-off-by: Eric Garver
> > ---
> > src/network/libvirt-routed-out.policy | 12
> > src/network/meson.build
I'm adding this text here in hopes that Mimecast no longer thinks this
email is s-p-a-m. My replies are inline below. :)
On Thu, May 12, 2022 at 07:35:03PM +0100, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> > Convert the existing
On Thu, May 12, 2022 at 01:53:00PM -0400, Laine Stump wrote:
> On 5/12/22 12:53 PM, Eric Garver wrote:
> > On Wed, May 11, 2022 at 05:15:25PM +0100, Daniel P. Berrangé wrote:
> > > On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> > > > Convert the e
On Thu, May 12, 2022 at 08:04:28PM +0100, Daniel P. Berrangé wrote:
> On Thu, May 12, 2022 at 07:00:09PM +0100, Daniel P. Berrangé wrote:
> > On Wed, May 11, 2022 at 11:41:51AM -0400, Eric Garver wrote:
> > > This series fixes routed networks when a newer firewalld (>= 1.0.0
On Thu, May 12, 2022 at 07:42:43PM +0100, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:54AM -0400, Eric Garver wrote:
> > Signed-off-by: Eric Garver
> > ---
> > src/network/libvirt-routed-in.policy | 11 +++
> > src/network/lib
Convert the existing behavior into policies.
This commit has no functional changes.
Signed-off-by: Eric Garver
---
src/network/libvirt-nat-out.policy | 12
src/network/libvirt-to-host.policy | 20
src/network/libvirt.zone | 23
This zone will be used for the routed network by default.
Signed-off-by: Eric Garver
---
src/network/libvirt-routed.zone | 12
src/network/meson.build | 5 +
2 files changed, 17 insertions(+)
create mode 100644 src/network/libvirt-routed.zone
diff --git a/src/network
one to use common rules
between NAT and routed networks. Policies have been supported since
firewalld 0.9.0.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=2055706
[2]: https://github.com/firewalld/firewalld/issues/177
Eric Garver (4):
network: firewalld: convert to policies
network: firewalld:
Signed-off-by: Eric Garver
---
src/network/libvirt-routed-out.policy | 12
src/network/meson.build | 5 +
2 files changed, 17 insertions(+)
create mode 100644 src/network/libvirt-routed-out.policy
diff --git a/src/network/libvirt-routed-out.policy
b/src/network
Signed-off-by: Eric Garver
---
src/network/bridge_driver_linux.c | 6 +-
src/network/libvirt-to-host.policy | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/network/bridge_driver_linux.c
b/src/network/bridge_driver_linux.c
index 98d2a33a1da0..2c8e43b427cb 100644
Signed-off-by: Eric Garver
---
src/network/libvirt-routed-in.policy | 11 +++
src/network/libvirt-routed-out.policy | 12
src/network/meson.build | 10 ++
3 files changed, 33 insertions(+)
create mode 100644 src/network/libvirt-routed-in.policy
.9.0 is present.
> This patch changes the zone for routed networks from "libvirt" to
> the newly-added "libvirt-routed" zone so that incoming sessions to
> guests on routed networks are once again allowed.
>
> Resolves: https://bugzilla.redhat.com/2055706
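The version gate and the policy layout discussed across these messages (policies and the zone `<forward/>` element exist from firewalld 0.9.0; a libvirt-routed zone plus in/out policies to ANY so that incoming sessions to guests on routed networks are allowed again), written out as an added shell example. This is not libvirt's code and the files it prints are not the ones libvirt ships: the function names, the ACCEPT targets and the XML bodies are assumptions for illustration; the 0.9.0 threshold is the one the thread states.

```shell
#!/bin/sh
# Added example, not libvirt's own code. It models the version gating the
# thread describes (policies and the zone <forward/> element exist from
# firewalld 0.9.0) and prints zone/policy XML for a routed network. The
# file contents, names and the "ACCEPT" targets are illustrative
# assumptions, not copies of the files libvirt installs.

# version_ge A B: succeed when dotted version A is >= B (e.g. 1.2.1 >= 0.9.0).
version_ge() {
    IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
    # drop any suffix such as "rc1" so the arithmetic tests see digits only
    a3=${a3%%[!0-9]*}; b3=${b3%%[!0-9]*}
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -ge "${b3:-0}" ]
}

# Policies, and intra-zone <forward/>, require firewalld >= 0.9.0.
fw_has_policies() { version_ge "$1" 0.9.0; }

# choose_model VERSION: which firewalld model to drive.
#   policies     - per-direction policy objects (the approach in this thread)
#   zone-sources - the older single "libvirt" zone populated with sources
choose_model() {
    if fw_has_policies "$1"; then echo policies; else echo zone-sources; fi
}

# emit_zone VERSION NAME: a zone file; <forward/> only when the daemon knows it.
emit_zone() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<zone target="ACCEPT">\n  <short>%s</short>\n' "$2"
    if fw_has_policies "$1"; then printf '  <forward/>\n'; fi
    printf '</zone>\n'
}

# emit_policy NAME INGRESS EGRESS: accept traffic entering from zone INGRESS
# and leaving via zone EGRESS. "ANY" matches every zone, INGRESS included.
emit_policy() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<policy target="ACCEPT">\n  <short>%s</short>\n' "$1"
    printf '  <ingress-zone name="%s"/>\n  <egress-zone name="%s"/>\n' "$2" "$3"
    printf '</policy>\n'
}

# routed_files VERSION DIR: write the routed zone plus the in/out policies.
# Prints the number of files written (1 on a pre-policy daemon, 3 otherwise).
routed_files() {
    emit_zone "$1" libvirt-routed > "$2/libvirt-routed.zone"
    n=1
    if fw_has_policies "$1"; then
        emit_policy libvirt-routed-in  ANY libvirt-routed > "$2/libvirt-routed-in.policy"
        emit_policy libvirt-routed-out libvirt-routed ANY > "$2/libvirt-routed-out.policy"
        n=3
    fi
    echo "$n"
}
```

On a real host feed `routed_files "$(firewall-cmd --version)" DIR`, place the files under /etc/firewalld/zones and /etc/firewalld/policies (vendor copies such as libvirt's live under /usr/lib/firewalld), then run `firewall-cmd --reload`. `firewall-cmd --get-policies` is the runtime counterpart of the version probe: it exists only on a daemon that has policies at all.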
O
Signed-off-by: Eric Garver
---
src/libvirt_private.syms | 1 +
src/util/virfirewalld.c | 31 +++
src/util/virfirewalld.h | 1 +
3 files changed, 33 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 32c8bdeb23ee..92b6062fabda
Signed-off-by: Eric Garver
---
src/libvirt_private.syms | 1 +
src/util/virfirewalld.c | 41
src/util/virfirewalld.h | 1 +
3 files changed, 43 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 25794bc2f417
: https://bugzilla.redhat.com/show_bug.cgi?id=2055706
[2]: https://github.com/firewalld/firewalld/issues/177
Eric Garver (5):
util: add virFirewallDGetPolicies()
util: add virFirewallDPolicyExists()
network: firewalld: add zone for routed networks
network: firewalld: add policies for
Signed-off-by: Eric Garver
---
src/network/bridge_driver_linux.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/network/bridge_driver_linux.c
b/src/network/bridge_driver_linux.c
index a0f593b06636..d9597d91beed 100644
--- a/src/network/bridge_driver_linux.c
On Tue, Nov 15, 2022 at 11:03:21AM -0500, Laine Stump wrote:
> On 11/15/22 5:21 AM, Michal Prívozník wrote:
> > On 11/10/22 17:31, Eric Garver wrote:
> > > This series further improves the firewalld backend by converting to a
> > > fully native implementation
On Tue, Nov 15, 2022 at 11:21:43AM +0100, Michal Prívozník wrote:
> On 11/10/22 17:31, Eric Garver wrote:
> > This factors out the firewalld pieces of the iptables + firewalld
> > backend.
> >
> > Signed-off-by: Eric Garver
> > ---
> >
On Tue, Nov 15, 2022 at 01:33:28PM -0500, Laine Stump wrote:
> On 11/15/22 12:55 PM, Daniel P. Berrangé wrote:
> > On Thu, Nov 10, 2022 at 11:31:44AM -0500, Eric Garver wrote:
> > > This series further improves the firewalld backend by converting to a
> > > fully na
() and
avoiding calls to networkSetupPrivateChains().
Signed-off-by: Eric Garver
---
src/network/bridge_driver_linux.c | 51 +--
1 file changed, 42 insertions(+), 9 deletions(-)
diff --git a/src/network/bridge_driver_linux.c
b/src/network/bridge_driver_linux.c
index
This zone will be used for the NAT network by default.
Note that this zone definition omits "forward" aka intra-zone
forwarding, because it requires firewalld >= 0.9.0.
Signed-off-by: Eric Garver
---
libvirt.spec.in | 1 +
src/network/libvirt-nat.zone | 10 ++
Signed-off-by: Eric Garver
---
src/libvirt_private.syms | 1 +
src/util/virfirewalld.c | 44
src/util/virfirewalld.h | 4
3 files changed, 49 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index c5882c535210
Signed-off-by: Eric Garver
---
libvirt.spec.in| 1 +
src/network/libvirt-nat-out.policy | 13 +
src/network/libvirt-to-host.policy | 1 +
src/network/meson.build| 5 +
4 files changed, 20 insertions(+)
create mode 100644 src/network/libvirt-nat
-nat" zone
instead of using sources. Thus making the "libvirt" zone unnecessary.
Signed-off-by: Eric Garver
---
src/network/bridge_driver_linux.c | 55 +++
1 file changed, 48 insertions(+), 7 deletions(-)
diff --git a/src/network/bridge_driver_
Signed-off-by: Eric Garver
---
src/libvirt_private.syms | 1 +
src/util/virfirewalld.c | 24
src/util/virfirewalld.h | 2 ++
3 files changed, 27 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 97ff2a43e48a..c5882c535210 100644
Patch 1 is a bug fix for my previous series to avoid a bogus error log.
Patches 2-3 convert the routed network to native firewalld.
Patches 4-8 convert the NAT network to native firewalld. They also
introduce the "libvirt-nat" zone.
Eric Garver (8):
util: virFirewallDGetPolicies:
hod
Fixes: ab56f84976e0 ("util: add virFirewallDGetPolicies()")
Signed-off-by: Eric Garver
---
src/util/virfirewalld.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c
index ad879164c3a8..d11e974cc2d5 1
This factors out the firewalld pieces of the iptables + firewalld
backend.
Signed-off-by: Eric Garver
---
src/network/bridge_driver_linux.c | 117 --
1 file changed, 61 insertions(+), 56 deletions(-)
diff --git a/src/network/bridge_driver_linux.c
b/src/network