libvirt/docs
Laine Stump ae05211a36 network: set firewalld zone of bridges to "libvirt" zone when appropriate
This patch restores broken guest network connectivity after a host
firewalld is switched to using an nftables backend. It does this by
adding libvirt networks' bridge interfaces to the new "libvirt" zone
in firewalld.

After this patch, the bridge interface of any network created by
libvirt (when firewalld is active) will be added to the firewalld
zone called "libvirt" if it exists (regardless of the firewalld
backend setting). This behavior does *not* depend on whether or not
libvirt has installed the libvirt zone file (set with
"--with[out]-firewalld-zone" during the configure phase of the package
build).

If the libvirt zone doesn't exist (either because the package was
configured to not install it, or possibly it was installed, but
firewalld doesn't support rule priorities, resulting in a parse
error), the bridge will remain in firewalld's default zone, which
could be innocuous (in the case that the firewalld backend is
iptables, guest networking will still function properly with the
bridge in the default zone), or it could be disastrous (if the
firewalld backend is nftables, we can be assured that guest networking
will fail). In order to be unobtrusive in the former case, and
informative in the latter, when the libvirt zone doesn't exist we
then check the firewalld version to see if it's new enough to support
the nftables backend, and then if the backend is actually set to
nftables, before logging an error (and failing the net-start
operation, since the network couldn't possibly work anyway).

When the libvirt zone is used, network behavior is *slightly*
different from behavior of previous libvirt. In the past, libvirt
network behavior would be affected by the configuration of firewalld's
default zone (usually "public"), but now it is affected only by the
"libvirt" zone), and thus almost surely warrants a release note for
any distro upgrading to libvirt 5.1 or above. Although it's
unfortunate that we have to deal with a mandatory behavior change, the
architecture of multiple hooks makes it impossible to *not* change
behavior in some way, and the new behavior is arguably better (since
it will now be possible to manage access to the host from virtual
machines vs from public interfaces separately).

Creates-and-Resolves: https://bugzilla.redhat.com/1650320
Resolves: https://bugzilla.redhat.com/1638342
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-01 12:08:37 -05:00
..
devhelp Remove all Author(s): lines from source file headers 2018-12-13 16:08:38 +00:00
fonts docs: Add monospaced Overpass fonts 2016-11-21 13:15:12 +01:00
html
internals qemu: use line breaks in command line args written to log 2018-12-17 15:02:11 +00:00
js docs: rewrite content on front page to be more useful 2016-11-11 12:15:05 +00:00
logos docs: add master SVG for libvirt logo 2016-11-11 09:31:10 +00:00
schemas storage: change custom namespace URIs to drop '/source' component 2019-01-31 12:34:05 +00:00
32favicon.png
404.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
acl.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
aclpolkit.html.in Drop UML driver 2018-12-17 17:52:46 +01:00
android-chrome-192x192.png docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
android-chrome-256x256.png docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
api_extension.html.in docs: api_extension: Update paths in the examples 2018-08-28 17:21:39 +02:00
api.html.in docs: Grammar and spelling fixes 2018-05-03 12:40:37 +01:00
apibuild.py docs: Format bit shift and hex notation for bitwise flag enums 2019-01-31 12:02:35 +01:00
apple-touch-icon.png docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
apps.html.in Add Virtlyst web application to apps.html 2018-06-07 17:20:32 -04:00
architecture.fig
architecture.gif
architecture.html.in docs: remove mention of legacy Xen driver 2018-04-09 11:38:47 -06:00
auditlog.html.in conf: Audit TPM emulator device at domain startup 2018-06-06 10:48:41 -04:00
auth.html.in docs: use JavaScript based PolicyKit .rules files 2019-01-21 18:45:27 +00:00
bindings.html.in docs: introduce libvirt-dbus binding 2018-03-23 12:59:56 +01:00
browserconfig.xml docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
bugs.html.in docs: remove mention of legacy Xen driver 2018-04-09 11:38:47 -06:00
cgroups.html.in docs: Update how we create cgroup directory names 2018-08-13 11:53:53 +02:00
compiling.html.in Forget last daemon/ dir artefacts 2018-07-27 15:44:38 +02:00
contact.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
contribute.html.in docs: Grammar and spelling fixes 2018-05-03 12:40:37 +01:00
csharp.html.in docs: update all GIT repo examples to use https:// protocol 2018-03-21 14:48:01 +00:00
dbus.html.in docs: introduce libvirt-dbus binding 2018-03-23 12:59:56 +01:00
devguide.html.in docs: update all GIT repo examples to use https:// protocol 2018-03-21 14:48:01 +00:00
docs.html.in docs: introduce libvirt-dbus binding 2018-03-23 12:59:56 +01:00
downloads.html.in docs: remove git snapshot download links 2018-06-07 16:55:52 +01:00
drivers.html.in Drop UML driver 2018-12-17 17:52:46 +01:00
drvbhyve.html.in docs: bhyve: document commandline element 2019-01-27 15:07:11 +04:00
drvesx.html.in docs: Grammar and spelling fixes 2018-05-03 12:40:37 +01:00
drvhyperv.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
drvlxc.html.in docs: Grammar and spelling fixes 2018-05-03 12:40:37 +01:00
drvnodedev.html.in docs: documentation for vfio-ccw passthrough 2018-05-14 12:27:47 -04:00
drvopenvz.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
drvphyp.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
drvqemu.html.in qemu: conf: Remove /dev/sev from the default cgroup device acl list 2019-02-01 12:39:41 +01:00
drvremote.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
drvtest.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
drvvbox.html.in docs: Update vbox driver documentation. 2017-11-07 17:50:15 -05:00
drvvirtuozzo.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
drvvmware.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
drvxen.html.in libxl: drop support for Xen < 4.6 2018-09-14 11:47:08 -06:00
errors.html.in docs: Grammar and spelling fixes 2018-05-03 12:40:37 +01:00
favicon-16x16.png docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
favicon-32x32.png docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
favicon.ico docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
firewall.html.in network: set firewalld zone of bridges to "libvirt" zone when appropriate 2019-02-01 12:08:37 -05:00
format.html.in docs: remove bogus 'shape' attribute on links 2017-08-02 17:00:11 +01:00
formatcaps.html.in Drop UML driver 2018-12-17 17:52:46 +01:00
formatdomain.html.in conf: Introduce 'readonly' element into xml for NVDIMM memory 2019-01-02 09:00:34 -05:00
formatdomaincaps.html.in Drop UML driver 2018-12-17 17:52:46 +01:00
formatnetwork.html.in docs: add forgotten mentions of forward mode "open" 2019-01-25 11:04:29 -05:00
formatnode.html.in nodedev: add switchdev to NIC capabilities 2017-09-18 08:32:24 -04:00
formatnwfilter.html.in Drop UML driver 2018-12-17 17:52:46 +01:00
formatsecret.html.in storage: Disallow create/resize of qcow2 encrypted images 2018-06-26 14:02:43 -04:00
formatsnapshot.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
formatstorage.html.in storage: change custom namespace URIs to drop '/source' component 2019-01-31 12:34:05 +00:00
formatstorageencryption.html.in storage: Disallow create/resize of qcow2 encrypted images 2018-06-26 14:02:43 -04:00
genaclperms.pl perl: Don't hardcode interpreter path 2017-09-19 16:04:53 +02:00
generic.css docs: Use Overpass Mono as the monospace font 2016-11-21 14:04:05 +01:00
goals.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
governance.html.in docs/governance: Clarify the version number of the LGPL 2019-01-25 14:04:20 +01:00
hacking.html.in util: Improve virStrncpy() implementation 2018-07-23 14:27:37 +02:00
hooks.html.in hooks: Fix a wrong description 2017-11-15 13:52:13 +01:00
hvsupport.pl driver: introduce a driver method for probing default URIs 2018-04-12 16:52:02 +01:00
index.html.in docs: index.html.in: Fix a typo in "virtualization platforms" link 2018-04-17 09:44:12 +02:00
index.py python: Remove space around = in keyword args 2018-03-20 12:13:35 +00:00
internals.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
java.html.in docs: update all GIT repo examples to use https:// protocol 2018-03-21 14:48:01 +00:00
libvirt-daemon-arch.fig
libvirt-daemon-arch.png
libvirt-driver-arch.fig
libvirt-driver-arch.png
libvirt-object-model.fig
libvirt-object-model.png
libvirt-virConnect-example.fig
libvirt-virConnect-example.png
libvirt.css docs: css: Make docs page wider while still accomodating narrow screens 2019-01-31 12:03:32 +01:00
locking-lockd.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
locking-sanlock.html.in docs: Grammar and spelling fixes 2018-05-03 12:40:37 +01:00
locking.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
logging.html.in Replace QEmu with QEMU 2018-04-01 17:42:29 +02:00
main.css docs: make website responsive for mobile devices 2017-08-07 14:44:40 +01:00
Makefile.am docs: api_extension: Remove example patches 2018-08-24 16:23:01 +02:00
manifest.json docs: Fix syntax-check error 2017-08-02 15:00:28 -04:00
migration-managed-direct.fig
migration-managed-direct.png
migration-managed-p2p.fig
migration-managed-p2p.png
migration-native.fig
migration-native.png
migration-tunnel.fig
migration-tunnel.png
migration-unmanaged-direct.fig
migration-unmanaged-direct.png
migration.html.in migration.html: Clarify configuration file handling docs 2017-12-08 15:50:52 +01:00
mobile.css docs: make website responsive for mobile devices 2017-08-07 14:44:40 +01:00
mstile-150x150.png docs: add full set of "favicon" files to support modern clients 2017-08-02 17:00:11 +01:00
newapi.xsl docs: Format bit shift and hex notation for bitwise flag enums 2019-01-31 12:02:35 +01:00
news-2005.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2006.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2007.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2008.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2009.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2010.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2011.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2012.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2013.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2014.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2015.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-2016.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news-ascii.xsl NEWS: Improve building pipeline 2017-01-10 19:37:53 +01:00
news-html.xsl Use https:// links for most sites 2017-10-16 10:22:34 +01:00
news.rng docs: Move news.rng out of docs/schemas 2017-04-05 09:51:51 +02:00
news.xml docs: news: Update the release notes with the SEV permission fix 2019-02-01 17:30:33 +01:00
node.fig
node.gif
nss.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
page.xsl docs: Fix indentation of inlined JavaScript snippet 2018-02-19 17:32:20 +01:00
pci-hotplug.html.in docs: remove legacy XHTML <!DOCTYPE> declaration 2018-02-28 17:51:03 +00:00
php.html.in docs: update all GIT repo examples to use https:// protocol 2018-03-21 14:48:01 +00:00
platforms.html.in docs: fix repology link for qemu-kvm package 2018-10-23 16:16:36 +01:00
python.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
reformat-news.py Remove all Author(s): lines from source file headers 2018-12-13 16:08:38 +00:00
remote.html.in xen: encourage use of xen:///system URI as preferred format 2018-04-12 16:52:01 +01:00
search.php.code.in maint: Replace tabs with spaces in all source files in repo 2017-10-18 13:25:10 +02:00
search.php.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
secureusage.html.in docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
securityprocess.html.in docs: link to security.libvirt.org website 2018-03-16 17:05:56 +00:00
site.xsl docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
storage.html.in docs: Add more iscsi-direct references to storage pages 2019-01-24 18:07:33 -05:00
structures.fig
subsite.xsl docs: switch to using HTML5 doctype declaration 2017-08-02 17:00:11 +01:00
support.html.in docs: Grammar and spelling fixes 2018-05-03 12:40:37 +01:00
testapi.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
testsuites.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
testtck.html.in Use https:// links for most sites 2017-10-16 10:22:34 +01:00
uri.html.in xen: encourage use of xen:///system URI as preferred format 2018-04-12 16:52:01 +01:00
virshcmdref.html.in docs: update all GIT repo examples to use https:// protocol 2018-03-21 14:48:01 +00:00
windows.html.in docs: remove mention of legacy Xen driver 2018-04-09 11:38:47 -06:00
wrapstring.xsl