+++ This bug was initially created as a clone of Bug #1650320 +++ The workaround in Bug 1638864 to get traffic flowing in libvirt virtual networks after firewalld switched its backend to nftables has the side effect that *all* traffic from guests to the virtualization host is allowed (i.e. there is no way to allow *only* dhcp, dns, and ssh, for example - the guests will have access to any service that is listening on the host). This is obviously a security concern. In order to fix this problem, libvirt needs to take advantage of a new feature in firewalld - prioritized rich rules (see Bug 1648497) - the libvirt firewalld zone will: 1) have a default policy of "accept" (as it does now) 2) explicitly list the host services that virtual guests are allowed to access 3) include a low priority rich rule that rejects "everything" (1) implicitly sets up rules that allow forwarded traffic, while (3) rejects all traffic to the host that wasn't explicitly allowed by the rules in (2) (but *doesn't* reject forwarded traffic). --- Additional comment from Laine Stump on 2019-02-01 01:28:12 UTC --- V2 posted upstream: https://www.redhat.com/archives/libvir-list/2019-February/msg00000.html --- Additional comment from Laine Stump on 2019-02-01 19:27:34 UTC --- Pushed upstream: commit 4bf0f390ed57307050a213f3f6364061f2717b00 Author: Laine Stump <laine> Date: Fri Jan 25 23:46:18 2019 -0500 configure: change HAVE_FIREWALLD to WITH_FIREWALLD commit d8393b56e21708c219acc9bcd24a9c22ead4a3b4 Author: Laine Stump <laine> Date: Wed Jan 9 14:11:32 2019 -0500 util: move all firewalld-specific stuff into its own files commit 3bba4825c291e51a8cd4d497d6e919ac2ee96ff0 Author: Laine Stump <laine> Date: Wed Jan 9 14:40:51 2019 -0500 util: new virFirewallD APIs + docs commit 3b71f2e42dc6c5453d09136578bfb868874da088 Author: Laine Stump <laine> Date: Fri Jan 25 23:52:37 2019 -0500 configure: selectively install a firewalld 'libvirt' zone commit ae05211a360077f56883cd0a6c0f82ed57f746cb Author: Laine Stump <laine> Date: Mon Oct 15 20:31:02 2018 -0400 network: set firewalld zone of bridges to "libvirt" zone when appropriate commit 30a6f9168634f8ce269f1ef294c4a18d9c95939c Author: Laine Stump <laine> Date: Wed Jan 9 16:51:31 2019 -0500 network: allow configuring firewalld zone for virtual network bridge device commit 62adfa675522685178eb76794bacf4c701be177a (HEAD -> master, origin/master, origin/HEAD) Author: Laine Stump <laine> Date: Wed Jan 30 13:18:09 2019 -0500 docs: update news.xml for firewalld zone changes [...] commit 7c9dcfed5ae6d5874ea0e67e47a6871707b8446a (HEAD -> master, origin/master, origin/HEAD) Author: Laine Stump <laine> Date: Sat Feb 2 23:21:42 2019 -0500 util: remove test code accidentally committed to virFirewallDZoneExists Just before pushing the series containing commit 3bba4825 I had added a "return true" to the top of virFirewallDZoneExists() to measure the impact of calling that function once per network during startup. I found that the effect was minimal, but forgot to remove the "return true" before pushing. This unfortunately causes a failure to start networks on systems that have a firewalld version that doesn't support our libvirt zone file (i.e. pretty much everyone). This patch removes the unintended line.
Test the scenarios in bug 1650320#c23, and finished one round of auto job, no regression found, move the bug to be verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1293