network: a different implementation of *un*setting firewalld zone when network is destroyed
(this is a remake of commit v10.7.0-78-g200f60b2e1, which was reverted
due to a regression in another patch it was dependent on. The new
implementation just adds the call to virFirewallDInterfaceUnsetZone()
into the existing networkRemoveFirewallRules() (but only if we had set
a zone when the network was first started).
Replaces: 200f60b2e1
Resolves: https://issues.redhat.com/browse/RHEL-61576
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
parent
cb4e38d4b1
commit
c0ba3ed69d
@ -2452,6 +2452,7 @@ virFirewallDGetPolicies;
|
|||||||
virFirewallDGetVersion;
|
virFirewallDGetVersion;
|
||||||
virFirewallDGetZones;
|
virFirewallDGetZones;
|
||||||
virFirewallDInterfaceSetZone;
|
virFirewallDInterfaceSetZone;
|
||||||
|
virFirewallDInterfaceUnsetZone;
|
||||||
virFirewallDIsRegistered;
|
virFirewallDIsRegistered;
|
||||||
virFirewallDPolicyExists;
|
virFirewallDPolicyExists;
|
||||||
virFirewallDSynchronize;
|
virFirewallDSynchronize;
|
||||||
|
@ -459,14 +459,15 @@ networkRemoveFirewallRules(virNetworkObj *obj)
|
|||||||
} else {
|
} else {
|
||||||
|
|
||||||
if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) {
|
if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) {
|
||||||
|
|
||||||
/* No information about firewall rules in the network status,
|
/* No information about firewall rules in the network status,
|
||||||
* so we assume the old iptables-based rules from 10.2.0 and
|
* so we assume the old iptables-based rules from 10.2.0 and
|
||||||
* earlier.
|
* earlier.
|
||||||
*/
|
*/
|
||||||
VIR_DEBUG("No firewall info in status of network '%s', assuming old-style iptables", def->name);
|
VIR_DEBUG("No firewall info in status of network '%s', assuming old-style iptables", def->name);
|
||||||
iptablesRemoveFirewallRules(def);
|
iptablesRemoveFirewallRules(def);
|
||||||
return;
|
|
||||||
}
|
} else {
|
||||||
|
|
||||||
/* fwRemoval info was stored in the network status, so use that to
|
/* fwRemoval info was stored in the network status, so use that to
|
||||||
* remove the firewall
|
* remove the firewall
|
||||||
@ -474,4 +475,21 @@ networkRemoveFirewallRules(virNetworkObj *obj)
|
|||||||
VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name);
|
VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name);
|
||||||
virFirewallApply(fw);
|
virFirewallApply(fw);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* all forward modes could have had a zone set, even 'open' mode
|
||||||
|
* iff it was specified in the config. firewalld preserves the
|
||||||
|
* name of an interface in a zone's list even after the interface
|
||||||
|
* has been deleted, which is problematic if the next use of that
|
||||||
|
* same interface name wants *no* zone set. To avoid this, we must
|
||||||
|
* "unset" the zone if we set it when the network was started.
|
||||||
|
*/
|
||||||
|
if (virFirewallDIsRegistered() == 0 &&
|
||||||
|
(def->forward.type != VIR_NETWORK_FORWARD_OPEN ||
|
||||||
|
def->bridgeZone)) {
|
||||||
|
|
||||||
|
VIR_DEBUG("unsetting zone for '%s' (current zone is '%s')",
|
||||||
|
def->bridge, def->bridgeZone);
|
||||||
|
virFirewallDInterfaceUnsetZone(def->bridge);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
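Review bot: `def->bridgeZone` can be NULL at the new VIR_DEBUG call, because the condition admits every non-open forward mode regardless of whether a zone was configured, and passing NULL for a `%s` conversion is undefined behaviour in C even where a particular printf implementation happens to print "(null)"; pass `NULLSTR(def->bridgeZone)` instead. The return value of `virFirewallDInterfaceUnsetZone(def->bridge)` is also discarded, so a failed call leaves exactly the stale zone membership the comment above warns about with no trace in the log, and if virGDBusCallMethod reports an error on failure, as I would expect, that error is left set in the thread during teardown. I would at least write `if (virFirewallDInterfaceUnsetZone(def->bridge) < 0) VIR_WARN("failed to remove '%s' from its firewalld zone", def->bridge);`, or preserve and restore the last error around the call if that is what the rest of this teardown path does. networkRemoveFirewallRules begins outside the hunk.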
@ -449,6 +449,29 @@ virFirewallDInterfaceSetZone(const char *iface,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int
|
||||||
|
virFirewallDInterfaceUnsetZone(const char *iface)
|
||||||
|
{
|
||||||
|
GDBusConnection *sysbus = virGDBusGetSystemBus();
|
||||||
|
g_autoptr(GVariant) message = NULL;
|
||||||
|
|
||||||
|
if (!sysbus)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
message = g_variant_new("(ss)", "", iface);
|
||||||
|
|
||||||
|
return virGDBusCallMethod(sysbus,
|
||||||
|
NULL,
|
||||||
|
NULL,
|
||||||
|
NULL,
|
||||||
|
VIR_FIREWALL_FIREWALLD_SERVICE,
|
||||||
|
"/org/fedoraproject/FirewallD1",
|
||||||
|
"org.fedoraproject.FirewallD1.zone",
|
||||||
|
"removeInterface",
|
||||||
|
message);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
virFirewallDSynchronize(void)
|
virFirewallDSynchronize(void)
|
||||||
{
|
{
|
||||||
|
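Review bot: The new virFirewallDInterfaceUnsetZone has no header comment, so a reader of this hunk cannot tell what passing "" as the zone in `g_variant_new("(ss)", "", iface)` asks firewalld to do, nor what the return values mean (-1 only when the system bus is unavailable, otherwise whatever virGDBusCallMethod returns). I would add a doc comment above the definition that names the parameter, states that an empty zone name is handed to removeInterface and what firewalld does with that (my understanding is that it removes the interface from whichever zone currently holds it, but please confirm against the firewalld D-Bus documentation before writing it down), and gives the return convention. It is also worth stating that iface must be non-NULL, since as far as I can tell the `s` conversion of g_variant_new does not accept NULL and the only caller in this commit passes def->bridge without checking it.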
@ -46,4 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer,
|
|||||||
int virFirewallDInterfaceSetZone(const char *iface,
|
int virFirewallDInterfaceSetZone(const char *iface,
|
||||||
const char *zone);
|
const char *zone);
|
||||||
|
|
||||||
|
int virFirewallDInterfaceUnsetZone(const char *iface);
|
||||||
|
|
||||||
void virFirewallDSynchronize(void);
|
void virFirewallDSynchronize(void);
|
||||||
|