Bug 1188088

Summary: libvirt should change to use iptables and ebtabels after stop firewalld when libvirtd is running
Product: Red Hat Enterprise Linux 7 Reporter: Luyao Huang <lhuang>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED WONTFIX QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: berrange, dyuan, jiahu, mzhan, rbalakri
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-02 09:42:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luyao Huang 2015-02-02 02:51:24 UTC 
Description of problem:
libvirt should change to use iptables and ebtabels after stop firewalld when libvirtd is running

Version-Release number of selected component (if applicable):
libvirt-1.2.8-16.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.start firewalld and restart libvirtd:
# service firewalld start
Redirecting to /bin/systemctl start  firewalld.service

# service libvirtd restart
Redirecting to /bin/systemctl restart  libvirtd.service

2.stop firewalld when libvirtd is running
# service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service

3.check the libvirtd log:
2015-02-02 02:40:52.074+0000: 4262: error : virFirewallApplyRuleFirewallD:758 : internal error: Unable to apply rule 'The name org.fedoraproject.FirewallD1 was not provided by any .service files'

4.try to start a vm have nwfilter settings:
# virsh start test4
error: Failed to start domain test4
error: internal error: Unable to apply rule 'The name org.fedoraproject.FirewallD1 was not provided by any .service files'


Actual results:
libvirtd still try to use firewalld when firewalld is stop

Expected results:
dynamic change the currentBackend when FirewallD NameOwnerChanged (firewalld start/stop).

Additional info:
Comment 1 Daniel Berrangé 2015-02-02 09:42:05 UTC 
No, we really don't want to dynamically change the firewall backend. When you see Firewalld name disappear from DBus, it is not reasonable to assume the admin wants to stop using it. The name could be disappearing because the firewalld service is being restarted for some reason. If we try to fallback to plain iptables and firewalld starts again, it will cause us no end of pain. It is not common practice to change between firewalld & iptables on a host - it is something an admin will typically decide once when provisioning the host and not change after that, so optimizing for this one time only change of decision is not a good idea.