diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index fe053f423a..c9c6fcbccc 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1999,6 +1999,10 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
 if (networkSetIPv6Sysctls(obj) < 0) goto error;
+ /* set the firewall zone for the bridge device on the host */
+ if (networkSetBridgeZone(def) < 0)
+ goto error;
+
 /* Add "once per network" rules */ if (def->forward.type != VIR_NETWORK_FORWARD_OPEN && networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) {
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index fe7c6e193c..a6203a712e 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -333,28 +333,8 @@ int networkCheckRouteCollision(virNetworkDef *def)
 int
-networkAddFirewallRules(virNetworkDef *def,
- virFirewallBackend firewallBackend,
- virFirewall **fwRemoval)
+networkSetBridgeZone(virNetworkDef *def)
 {
-
- networkSetupPrivateChains(firewallBackend, false);
-
- if (errInitV4 &&
- (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
- virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
- virSetError(errInitV4);
- return -1;
- }
-
- if (errInitV6 &&
- (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
- virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
- def->ipv6nogw)) {
- virSetError(errInitV6);
- return -1;
- }
-
 if (def->bridgeZone) { /* if a firewalld zone has been specified, fail/log an error
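Review bot: The new networkSetBridgeZone() call binds the bridge to a firewalld zone before networkAddFirewallRules() runs its errInitV4/errInitV6 checks (hunk at -421 of bridge_driver_linux.c), whereas before this change the zone was only set after those checks had passed, so a start that fails on them now leaves the host interface already placed in a zone. It is worth confirming that the `error:` label, which lies outside this hunk, deletes the bridge — presumably that also discards firewalld's runtime interface-to-zone binding — rather than only removing rules. If that is the case, a short comment on the new call would spare the next reader the same check: `/* zone binding is runtime-only; deleting the bridge on the error path undoes it */`. networkStartNetworkVirtual's body continues on both sides of the hunk.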
@@ -370,12 +350,14 @@ networkAddFirewallRules(virNetworkDef *def,
 if (virFirewallDInterfaceSetZone(def->bridge, def->bridgeZone) < 0) return -1;
- } else {
+ } else if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) {
- /* if firewalld is active, try to set the "libvirt" zone. This is
- * desirable (for consistency) if firewalld is using the iptables
- * backend, but is necessary (for basic network connectivity) if
- * firewalld is using the nftables backend
+ /* if firewalld is active, try to set the "libvirt" zone by
+ * default (forward mode='open' networks have no zone set by
+ * default, but we honor it if one is specified). This is
+ * desirable (for consistency) if firewalld is using the
+ * iptables backend, but is necessary (for basic network
+ * connectivity) if firewalld is using the nftables backend
 */ if (virFirewallDIsRegistered() == 0) {
@@ -421,6 +403,33 @@ networkAddFirewallRules(virNetworkDef *def,
 } }
+ return 0;
+}
+
+
+int
+networkAddFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval)
+{
+
+ networkSetupPrivateChains(firewallBackend, false);
+
+ if (errInitV4 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
+ virSetError(errInitV4);
+ return -1;
+ }
+
+ if (errInitV6 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
+ def->ipv6nogw)) {
+ virSetError(errInitV6);
+ return -1;
+ }
+
 switch (firewallBackend) { case VIR_FIREWALL_BACKEND_NONE: virReportError(VIR_ERR_NO_SUPPORT, "%s",
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
index 8bf3367bff..20c7a2a595 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
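Review bot: The else-if on the new side changes observable behaviour for forward mode='open' networks that carry an explicit bridge zone: the caller in bridge_driver.c never invoked networkAddFirewallRules() for that mode, so a configured zone used to be silently ignored, and with this change it is applied — assuming the parser already accepted the attribute for open-mode networks, which this diff does not show. That is the safer direction, but it deserves a NEWS entry and a sentence in the network XML documentation for the zone attribute, since an administrator who read 'open' as "libvirt touches no firewall state" now gets the bridge bound to a zone. The new block comment states the default-only rule well; I would repeat it in one line at the head of networkSetBridgeZone(), e.g. `/* Explicit zone: always honored. No zone: "libvirt" zone, except for forward mode='open'. */`. networkSetBridgeZone() begins in the previous hunk and its tail is in the next one.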
@@ -38,6 +38,19 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
 return 0; }
+
+int
+networkSetBridgeZone(virNetworkDef *def)
+{
+ if (def->bridgeZone) {
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("This platform does not support setting the bridge device zone"));
+ return -1;
+ }
+ return 0;
+}
+
+
 int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, virFirewallBackend firewallBackend, virFirewall **fwRemoval G_GNUC_UNUSED)
diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h
index cd2e3fa7b5..02abdc197f 100644
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -32,6 +32,8 @@ void networkPostReloadFirewallRules(bool startup);
 int networkCheckRouteCollision(virNetworkDef *def);
+int networkSetBridgeZone(virNetworkDef *def);
+
 int networkAddFirewallRules(virNetworkDef *def, virFirewallBackend firewallBackend, virFirewall **fwRemoval);
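Review bot: Failing with VIR_ERR_NO_SUPPORT when a zone is configured, instead of ignoring it as the other nop stubs do with their arguments, is the right call — a zone the administrator configured for isolation that silently did nothing would leave the bridge under whatever default policy the platform applies — but nothing in the function records that this is deliberate. A one-line comment above `if (def->bridgeZone) {` would keep a later cleanup from downgrading it to a warning: `/* Deliberately a hard error: silently ignoring a requested zone would leave the bridge outside the policy the admin asked for. */`. If the project's other unsupported-feature messages name the network, including the network name here would make the failure attributable when several networks autostart at daemon start.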