docs: update news.xml for firewalld zone changes

Signed-off-by: Laine Stump <laine@laine.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2025-03-20 07:59:00 +00:00 · 2019-01-30 13:18:09 -05:00 · 2019-01-30 13:18:09 -05:00 · 62adfa6755
commit 62adfa6755
parent 30a6f91686
1 changed files with 40 additions and 0 deletions
--- a/docs/news.xml
+++ b/docs/news.xml
@ -46,6 +46,19 @@
          configuration.
        </description>
      </change>
+      <change>
+        <summary>
+          network: support setting a firewalld "zone" for virtual network bridges
+        </summary>
+        <description>
+          All libvirt virtual networks with bridges managed by libvirt
+          (i.e. those with forward mode of "nat", "route", "open", or
+          no forward mode) will now be placed in a special firewalld
+          zone called "libvirt" by default. The zone of any network
+          bridge can be changed using the <code>zone</code> attribute
+          of the network's <code>bridge</code> element.
+        </description>
+      </change>
    </section>
    <section title="Improvements">
    </section>
@ -83,6 +96,33 @@
          fully functional.
        </description>
      </change>
+      <change>
+        <summary>
+          network: fix virtual networks on systems using firewalld+nftables
+        </summary>
+        <description>
+          Because of the transitional state of firewalld's new support
+          for nftables, not all iptables features required by libvirt
+          are yet available, so libvirt must continue to use iptables
+          for its own packet filtering rules even when the firewalld
+          backend is set to use nftables. However, due to the way
+          iptables support is implemented in kernels using nftables
+          (iptables rules are converted to nftables rules and
+          processed in a separate hook from the native nftables
+          rules), guest networking was broken on hosts with firewalld
+          configured to use nftables as the backend. This has been
+          fixed by putting libvirt-managed bridges in their own
+          firewalld zone, so that guest traffic can be forwarded
+          beyond the host and host services can be exposed to guests
+          on the virtual network without opening up those same
+          services to the rest of the physical network. This means
+          that host access from virtual machines is no longer
+          controlled by the firewalld default zone (usually "public"),
+          but rather by the new firewalld zone called "libvirt"
+          (unless configured otherwise using the new zone
+          attribute of the network bridge element).
+        </description>
+      </change>
    </section>
  </release>
  <release version="v5.0.0" date="2019-01-15">