network: *un*set the firewalld zone while shutting down a network

When a bridge device for a virtual network had been placed in a firewalld zone while starting the network, then even after the network is shut down and the bridge device is deleted, its name will still show up in the list of interfaces for whichever zone it had been in, and this setting will persist through the next time a device with the same name is created (until a zone is once again explicitly set, or the device is removed via a firewalld API call). Usually this isn't a problem, but in the case of forward mode='open', someone might start the network once with a zone specified, then shut down the network, remove the zone from its config, and start it again; in this case the bridge device would come up using the zone from the previous time it was started. The solution to this is to remove the interface from whatever zone it is in as the network is being shut down. There is no downside to doing this, since the device is going to be deleted anyway. Note that forward mode='bridge' uses a bridge device that was created outside of libvirt, and libvirt won't be deleting that bridge, so we take care to not unset the zone in that case. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2025-03-20 07:59:00 +00:00 · 2024-09-04 15:17:25 -04:00 · 2024-09-04 15:17:25 -04:00 · 200f60b2e1
commit 200f60b2e1
parent 1a3778fe0a
7 changed files with 52 additions and 0 deletions
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -2451,6 +2451,7 @@ virFirewallDGetPolicies;
 virFirewallDGetVersion;
 virFirewallDGetZones;
 virFirewallDInterfaceSetZone;
+virFirewallDInterfaceUnsetZone;
 virFirewallDIsRegistered;
 virFirewallDPolicyExists;
 virFirewallDSynchronize;
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@ -2127,6 +2127,8 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
        def->forward.type != VIR_NETWORK_FORWARD_OPEN)
        networkRemoveFirewallRules(obj);

+    networkUnsetBridgeZone(def);
+
    virNetworkObjUnrefMacMap(obj);

    ignore_value(virNetDevBridgeDelete(def->bridge));
@ -2165,6 +2167,8 @@ networkShutdownNetworkVirtual(virNetworkObj *obj)
    if (def->forward.type != VIR_NETWORK_FORWARD_OPEN)
        networkRemoveFirewallRules(obj);

+    networkUnsetBridgeZone(def);
+
    ignore_value(virNetDevBridgeDelete(def->bridge));

    /* See if its still alive and really really kill it */
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@ -392,6 +392,20 @@ networkSetBridgeZone(virNetworkDef *def)
 }


+void
+networkUnsetBridgeZone(virNetworkDef *def)
+{
+    /* If there is a libvirt-managed bridge device remove it from any
+     * zone it had been placed in as a part of deleting the bridge.
+     * DO NOT CALL THIS FOR 'bridge' forward mode, since that
+     * bridge is not managed by libvirt.
+     */
+    if (def->bridge && def->forward.type != VIR_NETWORK_FORWARD_BRIDGE
+        && virFirewallDIsRegistered() == 0) {
+        virFirewallDInterfaceUnsetZone(def->bridge);
+    }
+}
+
 int
 networkAddFirewallRules(virNetworkDef *def,
                        virFirewallBackend firewallBackend,
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@ -51,6 +51,12 @@ networkSetBridgeZone(virNetworkDef *def)
 }


+void
+networkUnsetBridgeZone(virNetworkDef *def G_GNUC_UNUSED)
+{
+}
+
+
 int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
                            virFirewallBackend firewallBackend,
                            virFirewall **fwRemoval G_GNUC_UNUSED)
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@ -38,4 +38,6 @@ int networkAddFirewallRules(virNetworkDef *def,
                            virFirewallBackend firewallBackend,
                            virFirewall **fwRemoval);

+void networkUnsetBridgeZone(virNetworkDef *def);
+
 void networkRemoveFirewallRules(virNetworkObj *obj);
--- a/src/util/virfirewalld.c
+++ b/src/util/virfirewalld.c
@ -449,6 +449,29 @@ virFirewallDInterfaceSetZone(const char *iface,
 }


+int
+virFirewallDInterfaceUnsetZone(const char *iface)
+{
+    GDBusConnection *sysbus = virGDBusGetSystemBus();
+    g_autoptr(GVariant) message = NULL;
+
+    if (!sysbus)
+        return -1;
+
+    message = g_variant_new("(ss)", "", iface);
+
+    return virGDBusCallMethod(sysbus,
+                             NULL,
+                             NULL,
+                             NULL,
+                             VIR_FIREWALL_FIREWALLD_SERVICE,
+                             "/org/fedoraproject/FirewallD1",
+                             "org.fedoraproject.FirewallD1.zone",
+                             "removeInterface",
+                             message);
+}
+
+
 void
 virFirewallDSynchronize(void)
 {
--- a/src/util/virfirewalld.h
+++ b/src/util/virfirewalld.h
@ -46,4 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer,
 int virFirewallDInterfaceSetZone(const char *iface,
                                 const char *zone);

+int virFirewallDInterfaceUnsetZone(const char *iface);
+
 void virFirewallDSynchronize(void);