libvirt/src
Laine Stump 3b71f2e42d configure: selectively install a firewalld 'libvirt' zone
In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.

But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftables rules in order to be
accepted.

This causes pain because

1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) don't, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has set up on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)

2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).

libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).

However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).

Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).

But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).

So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).

This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.

Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to an earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.

So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.

These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.

NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewall-cmd --reload" will have the same
effect).

Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-01 12:08:37 -05:00
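As an added illustration (not part of this commit or of libvirt), the following Python check parses a firewalld zone file and verifies the three properties the commit message describes: a default target of ACCEPT, an explicit list of services allowed from guests to the host, and a catch-all `<reject/>` rich rule at the lowest priority. The zone XML embedded in it is constructed to match that design and is not the file the commit installs; 32767 is assumed to be firewalld's lowest rich-rule priority.

```python
import xml.etree.ElementTree as ET

# firewalld rich-rule priorities run from -32768 (evaluated first) to
# 32767 (evaluated last). The catch-all reject must evaluate last so the
# zone's service entries are consulted before it.
LOWEST_PRIORITY = 32767

# Constructed sample zone written to match the design described in the
# commit message; not the zone file the commit itself installs.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>libvirt</short>
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="ssh"/>
  <service name="tftp"/>
  <rule priority="32767">
    <reject/>
  </rule>
</zone>
"""


def check_zone(xml_text, required=("dhcp", "dns", "ssh", "tftp")):
    """Return a list of problems; an empty list means the zone matches."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        return ["root element is <%s>, expected <zone>" % root.tag]
    problems = []
    # 1. Default accept: without it the zone's default-reject policy
    #    drops forwarded guest traffic in the nftables hook.
    if root.get("target") != "ACCEPT":
        problems.append("target=%r, expected ACCEPT" % root.get("target"))
    # 2. Services explicitly allowed from guests into the host.
    present = {s.get("name") for s in root.findall("service")}
    problems += ["service %s missing" % n for n in required if n not in present]
    # 3. A catch-all reject (a rule whose only child is <reject/>) that
    #    runs last, closing the hole the default accept would otherwise open.
    catch_all = [r for r in root.findall("rule")
                 if r.find("reject") is not None and len(list(r)) == 1]
    if not catch_all:
        problems.append("no catch-all <reject/> rich rule: default ACCEPT "
                        "would admit all guest-to-host traffic")
    for rule in catch_all:
        if rule.get("priority") != str(LOWEST_PRIORITY):
            problems.append("catch-all reject has priority=%r, expected %d"
                            % (rule.get("priority"), LOWEST_PRIORITY))
    return problems
```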
access Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
admin Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
bhyve bhyve: implement support for commandline args 2019-01-27 14:54:52 +04:00
conf conf: fix enum convertor function for feature capability errors 2019-01-31 10:54:22 +00:00
cpu Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
cpu_map cpu_map: Add support for arch-capabilities feature 2019-01-10 16:39:57 +01:00
esx Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
hyperv hyperv: use "is None" not "== None" for PEP-8 compliance 2019-01-31 10:38:43 +00:00
interface Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
keycodemapdb@16e5b07876
libxl locking: Use virDomainLockImage[Attach|Detach] instead of *Disk 2019-01-30 17:20:38 +01:00
locking storage: Rework virStorageBackendSCSISerial 2019-02-01 10:30:45 -05:00
logging logging: ensure pending I/O is drained before reading position 2018-12-18 14:49:59 +00:00
lxc security: Remove disk labeling functions and fix callers 2019-01-30 17:20:38 +01:00
network configure: selectively install a firewalld 'libvirt' zone 2019-02-01 12:08:37 -05:00
node_device Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
nwfilter configure: change HAVE_FIREWALLD to WITH_FIREWALLD 2019-02-01 12:08:37 -05:00
openvz src: Fix a few unmarked_diagnostics issues 2019-01-08 17:18:31 +01:00
phyp lib: Use more of VIR_STEAL_PTR() 2019-01-28 14:46:58 +01:00
qemu qemu: Rework setting process affinity 2019-02-01 12:53:46 +01:00
remote remote: remove variable whose value is a constant 2019-01-31 10:38:30 +00:00
rpc rpc: virNetClientNew: fix socket leak on error path 2019-01-18 14:01:27 +03:00
secret Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
security security: dac: Relabel /dev/sev in the namespace 2019-02-01 12:40:22 +01:00
storage storage: Fetch a unique key for vHBA/NPIV LUNs 2019-02-01 10:39:19 -05:00
test lib: Use more of VIR_STEAL_PTR() 2019-01-28 14:46:58 +01:00
util util: new virFirewallD APIs + docs 2019-02-01 12:08:37 -05:00
vbox src: Fix a few unmarked_diagnostics issues 2019-01-08 17:18:31 +01:00
vmware Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
vmx Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
vz lib: Use more of VIR_STEAL_PTR() 2019-01-28 14:46:58 +01:00
xenapi Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
xenconfig Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
admin_protocol-structs
check-aclperms.pl
check-aclrules.pl
check-driverimpls.pl
check-drivername.pl
check-symfile.pl
check-symsorting.pl
datatypes.c src: Fix memory leak in virNWFilterBindingDispose 2018-07-21 09:23:54 -04:00
datatypes.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-hypervisor.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-interface.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-network.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-nodedev.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-nwfilter.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-secret.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-state.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-storage.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver-stream.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
driver.c util: create new virmodule.{c,h} files for dlopen support code 2018-05-03 12:47:43 +01:00
driver.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
dtrace2systemtap.pl Remove all Author(s): lines from source file headers 2018-12-13 16:08:38 +00:00
internal.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
libvirt_admin_private.syms
libvirt_admin_public.syms
libvirt_atomic.syms
libvirt_driver_modules.syms
libvirt_esx.syms
libvirt_internal.h Enforce a standard header file guard symbol name 2018-12-14 10:47:13 +00:00
libvirt_libssh2.syms
libvirt_libssh.syms
libvirt_linux.syms
libvirt_lxc.syms
libvirt_openvz.syms
libvirt_private.syms util: new virFirewallD APIs + docs 2019-02-01 12:08:37 -05:00
libvirt_probes.d Forget last daemon/ dir artefacts 2018-07-27 15:44:38 +02:00
libvirt_public.syms lib: Introduce virDomainSetIOThreadParams 2018-11-19 07:26:40 -05:00
libvirt_qemu_probes.d
libvirt_qemu.syms
libvirt_remote.syms src: Dissolve libvirt_gnutls.syms in libvirt_remote.syms 2018-06-05 14:32:30 +02:00
libvirt_sasl.syms
libvirt_vmware.syms
libvirt_vmx.syms
libvirt_xenconfig.syms
libvirt-admin.c Remove all Author(s): lines from source file headers 2018-12-13 16:08:38 +00:00
libvirt-admin.conf
libvirt-domain-snapshot.c src: Unify virObject member name 2018-04-18 10:04:55 +02:00
libvirt-domain.c lib: domain: Emphasise that users should wait for block job READY state via events 2019-01-29 17:11:02 +01:00
libvirt-host.c libvirt: Introduce virNodeGetSEVInfo public API 2018-06-12 09:52:00 +02:00
libvirt-interface.c
libvirt-lxc.c Remove all Author(s): lines from source file headers 2018-12-13 16:08:38 +00:00
libvirt-lxc.pc.in
libvirt-network.c
libvirt-nodedev.c
libvirt-nwfilter.c nwfilter: Add extra verbiage for binding create/delete 2018-08-24 08:45:19 -04:00
libvirt-qemu.c Remove all Author(s): lines from source file headers 2018-12-13 16:08:38 +00:00
libvirt-qemu.pc.in
libvirt-secret.c
libvirt-storage.c src: storage: Provide a better explanation of virStoragePoolSetAutostart 2018-08-22 09:46:10 +02:00
libvirt-stream.c
libvirt.c Remove even more Author(s): lines from source files 2019-01-03 13:24:18 +01:00
libvirt.conf
libvirt.pc.in
lock_protocol-structs
lxc_monitor_protocol-structs
lxc_protocol-structs
Makefile.am src: Don't use double-colon rules 2019-01-16 10:19:48 +01:00
qemu_protocol-structs
README Drop UML driver 2018-12-17 17:52:46 +01:00
remote_protocol-structs lib: Introduce virDomainSetIOThreadParams 2018-11-19 07:26:40 -05:00
virkeepaliveprotocol-structs
virnetprotocol-structs

       libvirt library code README
       ===========================

This directory provides the bulk of the libvirt codebase: everything
except for the libvirtd daemon and the client tools. The build uses a
large number of libtool convenience libraries, one for each child
directory, and then links them together into the final libvirt.so,
although some bits get linked directly into the libvirtd daemon instead.

The files directly in this directory support the public API
entry points & data structures.

There are two core shared modules to be aware of:

 * util/  - a collection of shared APIs that can be used by any
            code. This directory is always in the include path
            for all things built

 * conf/  - APIs for parsing / manipulating all the official XML
            files used by the public API. This directory is only
            in the include path for driver implementation modules

 * vmx/   - VMware VMX config handling (used by esx/ and vmware/)


Then there are the hypervisor implementations:

 * bhyve/        - bhyve - The BSD Hypervisor
 * esx/          - VMware ESX and GSX support using vSphere API over SOAP
 * hyperv/       - Microsoft Hyper-V support using WinRM
 * lxc/          - Linux Native Containers
 * openvz/       - OpenVZ containers using cli tools
 * phyp/         - IBM Power Hypervisor using CLI tools over SSH
 * qemu/         - QEMU / KVM using qemu CLI/monitor
 * remote/       - Generic libvirt native RPC client
 * test/         - A "mock" driver for testing
 * vbox/         - Virtual Box using native API
 * vmware/       - VMware Workstation and Player using the vmrun tool
 * xen/          - Xen using hypercalls, XenD SEXPR & XenStore
 * xenapi/       - Xen using libxenserver


Finally there are some secondary drivers that are shared by several
hypervisors. Currently these are used by the LXC, OpenVZ, QEMU and Xen
drivers. The ESX, Hyper-V, Power Hypervisor, Remote, Test & VirtualBox
drivers all implement the secondary drivers directly.

 * cpu/          - CPU feature management
 * interface/    - Host network interface management
 * network/      - Virtual NAT networking
 * nwfilter/     - Network traffic filtering rules
 * node_device/  - Host device enumeration
 * secret/       - Secret management
 * security/     - Mandatory access control drivers
 * storage/      - Storage management drivers


Since both the hypervisor and secondary drivers can be built as
dlopen()able modules, it is *FORBIDDEN* to have build dependencies
between these directories. Drivers are only allowed to depend on
the public API, and the internal APIs in the util/ and conf/
directories.