network: a different implementation of *un*setting firewalld zone when network is destroyed

(this is a remake of commit v10.7.0-78-g200f60b2e1, which was reverted
due to a regression in another patch it was dependent on. The new
implementation just adds the call to virFirewallDInterfaceUnsetZone()
into the existing networkRemoveFirewallRules() (but only if we had set
a zone when the network was first started).)

Replaces: 200f60b2e1
Resolves: https://issues.redhat.com/browse/RHEL-61576
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Laine Stump 2024-10-04 18:43:02 -04:00
parent cb4e38d4b1
commit c0ba3ed69d
4 changed files with 51 additions and 7 deletions


@ -2452,6 +2452,7 @@ virFirewallDGetPolicies;
virFirewallDGetVersion; virFirewallDGetVersion;
virFirewallDGetZones; virFirewallDGetZones;
virFirewallDInterfaceSetZone; virFirewallDInterfaceSetZone;
virFirewallDInterfaceUnsetZone;
virFirewallDIsRegistered; virFirewallDIsRegistered;
virFirewallDPolicyExists; virFirewallDPolicyExists;
virFirewallDSynchronize; virFirewallDSynchronize;


@ -459,14 +459,15 @@ networkRemoveFirewallRules(virNetworkObj *obj)
} else { } else {
if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) { if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) {
/* No information about firewall rules in the network status, /* No information about firewall rules in the network status,
* so we assume the old iptables-based rules from 10.2.0 and * so we assume the old iptables-based rules from 10.2.0 and
* earlier. * earlier.
*/ */
VIR_DEBUG("No firewall info in status of network '%s', assuming old-style iptables", def->name); VIR_DEBUG("No firewall info in status of network '%s', assuming old-style iptables", def->name);
iptablesRemoveFirewallRules(def); iptablesRemoveFirewallRules(def);
return;
} } else {
/* fwRemoval info was stored in the network status, so use that to /* fwRemoval info was stored in the network status, so use that to
* remove the firewall * remove the firewall
@ -474,4 +475,21 @@ networkRemoveFirewallRules(virNetworkObj *obj)
VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name); VIR_DEBUG("Removing firewall rules of network '%s' using commands saved in status", def->name);
virFirewallApply(fw); virFirewallApply(fw);
} }
}
/* all forward modes could have had a zone set, even 'open' mode
* iff it was specified in the config. firewalld preserves the
* name of an interface in a zone's list even after the interface
* has been deleted, which is problematic if the next use of that
* same interface name wants *no* zone set. To avoid this, we must
* "unset" the zone if we set it when the network was started.
*/
if (virFirewallDIsRegistered() == 0 &&
(def->forward.type != VIR_NETWORK_FORWARD_OPEN ||
def->bridgeZone)) {
VIR_DEBUG("unsetting zone for '%s' (current zone is '%s')",
def->bridge, def->bridgeZone);
virFirewallDInterfaceUnsetZone(def->bridge);
}
} }
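Review bot: `VIR_DEBUG("unsetting zone for '%s' (current zone is '%s')", def->bridge, def->bridgeZone)` in the second hunk can hand a NULL `def->bridgeZone` to a `%s` directive, because the guard on the preceding lines accepts any non-open forward mode without requiring `def->bridgeZone` to be set; use `NULLSTR(def->bridgeZone)` there. The return value of `virFirewallDInterfaceUnsetZone(def->bridge)` is dropped, so a failed unset — the very case the comment above it says leaves a stale interface name in the zone — goes unnoticed; a `VIR_WARN("failed to unset firewalld zone of '%s'", def->bridge)` on a negative return would keep the destroy path best-effort while still leaving a trace. Note also that the `return;` added in the first hunk makes this block unreachable for networks whose status carries no fwRemoval info, so the old-style iptables path never unsets a zone; if that is intended, a one-line comment next to the return would save the next reader the question. networkRemoveFirewallRules begins before the first hunk.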


@ -449,6 +449,29 @@ virFirewallDInterfaceSetZone(const char *iface,
} }
int
virFirewallDInterfaceUnsetZone(const char *iface)
{
GDBusConnection *sysbus = virGDBusGetSystemBus();
g_autoptr(GVariant) message = NULL;
if (!sysbus)
return -1;
message = g_variant_new("(ss)", "", iface);
return virGDBusCallMethod(sysbus,
NULL,
NULL,
NULL,
VIR_FIREWALL_FIREWALLD_SERVICE,
"/org/fedoraproject/FirewallD1",
"org.fedoraproject.FirewallD1.zone",
"removeInterface",
message);
}
void void
virFirewallDSynchronize(void) virFirewallDSynchronize(void)
{ {
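Review bot: virFirewallDInterfaceUnsetZone is undocumented, and the empty string passed as the first member of the tuple in `g_variant_new("(ss)", "", iface)` is the one non-obvious line: a reader comparing it with virFirewallDInterfaceSetZone above has no way to know why the zone name is blank. I would add a header comment above the definition saying that the function removes @iface from whichever zone it currently belongs to, that the empty zone argument is how firewalld's zone.removeInterface selects "the zone the interface is in" (confirm against the firewalld D-Bus documentation), and that -1 is returned when the system bus is unavailable or the call fails, including — presumably — when the interface is in no zone. Failure handling mirrors the sibling functions: the NULL error argument means any D-Bus error is left to virGDBusCallMethod's own reporting, and since the only caller ignores the return code, that is the sole trace of an unset that did not happen.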


@ -46,4 +46,6 @@ int virFirewallDApplyRule(virFirewallLayer layer,
int virFirewallDInterfaceSetZone(const char *iface, int virFirewallDInterfaceSetZone(const char *iface,
const char *zone); const char *zone);
int virFirewallDInterfaceUnsetZone(const char *iface);
void virFirewallDSynchronize(void); void virFirewallDSynchronize(void);