mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-27 06:55:18 +00:00
7f7a09a2d2
Prior to firewalld version 1.0.0, the default action of ACCEPT in the "libvirt" zone (subsequently overridden with a lower priority "REJECT" action) would result in an implicit rule that allowed incoming sessions through the zone; libvirt relied on this implicit rule to permit incoming connections to guests that were connected via a libvirt "routed" network. Starting in firewalld 1.0.0, the rules generated for this same zonefile changed such that incoming sessions through the libvirt zone were no longer allowed, breaking the longstanding convention that they should be allowed (only for routed networks). However, beginning with firewalld 0.9.0, a zone can explicitly allow/block forwarded traffic (by adding a "policy" to the zone that specifies what happens to packets that are going in one zone and out another zone). This patch changes the zone for routed networks from "libvirt" to the newly-added "libvirt-routed" zone that uses the new policy functionality to once again allow incoming sessions to guests on routed networks. (If firewalld is < 0.9.0, then the policy file won't be read at all, so firewalld won't log any error, and libvirt will just use the old setup that takes advantage of the implicit forwarding rules). Resolves: https://bugzilla.redhat.com/2055706 Signed-off-by: Eric Garver <eric@garver.life> Reviewed-by: Laine Stump <laine@redhat.com>