diff --git a/configure.ac b/configure.ac
index 808884f2f7af736980409f47f3d839142cb63b7b..4dcdd120699bf1c8e7da5c387ceee408ec1ac6db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -246,6 +246,7 @@ LIBVIRT_ARG_CAPNG
LIBVIRT_ARG_CURL
LIBVIRT_ARG_DBUS
LIBVIRT_ARG_FIREWALLD
+LIBVIRT_ARG_FIREWALLD_ZONE
LIBVIRT_ARG_FUSE
LIBVIRT_ARG_GLUSTER
LIBVIRT_ARG_HAL
@@ -286,6 +287,7 @@ LIBVIRT_CHECK_DBUS
LIBVIRT_CHECK_DEVMAPPER
LIBVIRT_CHECK_DLOPEN
LIBVIRT_CHECK_FIREWALLD
+LIBVIRT_CHECK_FIREWALLD_ZONE
LIBVIRT_CHECK_FUSE
LIBVIRT_CHECK_GLUSTER
LIBVIRT_CHECK_GNUTLS
@@ -1000,6 +1002,7 @@ LIBVIRT_RESULT_CURL
LIBVIRT_RESULT_DBUS
LIBVIRT_RESULT_DLOPEN
LIBVIRT_RESULT_FIREWALLD
+LIBVIRT_RESULT_FIREWALLD_ZONE
LIBVIRT_RESULT_FUSE
LIBVIRT_RESULT_GLUSTER
LIBVIRT_RESULT_GNUTLS
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 879e315f49c0bff9ee23181a13af32e8ff190ee5..c0e538d92d4ca16ad8657a203399690c8ac61c41 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -82,6 +82,7 @@
%define with_sanlock 0%{!?_without_sanlock:0}
%define with_numad 0%{!?_without_numad:0}
%define with_firewalld 0%{!?_without_firewalld:0}
+%define with_firewalld_zone 0%{!?_without_firewalld_zone:0}
%define with_libssh2 0%{!?_without_libssh2:0}
%define with_wireshark 0%{!?_without_wireshark:0}
%define with_libssh 0%{!?_without_libssh:0}
@@ -136,6 +137,11 @@
%define with_firewalld 1
+%if 0%{?fedora} >= 30 || 0%{?rhel} > 7
+ %define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
+%endif
+
+
# fuse is used to provide virtualized /proc for LXC
%if %{with_lxc}
%define with_fuse 0%{!?_without_fuse:1}
@@ -395,6 +401,10 @@ BuildRequires: rpcgen
BuildRequires: libtirpc-devel
%endif
+%if %{with_firewalld_zone}
+BuildRequires: firewalld-filesystem
+%endif
+
Provides: bundled(gnulib)
%description
@@ -1093,6 +1103,12 @@ exit 1
%define arg_firewalld --without-firewalld
%endif
+%if %{with_firewalld_zone}
+ %define arg_firewalld_zone --with-firewalld-zone
+%else
+ %define arg_firewalld_zone --without-firewalld-zone
+%endif
+
%if %{with_wireshark}
%define arg_wireshark --with-wireshark-dissector
%else
@@ -1191,6 +1207,7 @@ rm -f po/stamp-po
--with-dtrace \
--with-driver-modules \
%{?arg_firewalld} \
+ %{?arg_firewalld_zone} \
%{?arg_wireshark} \
--without-pm-utils \
--with-nss-plugin \
@@ -1358,6 +1375,16 @@ if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
fi
rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
+%post daemon-driver-network
+%if %{with_firewalld}
+ %firewalld_reload
+%endif
+
+%postun daemon-driver-network
+%if %{with_firewalld}
+ %firewalld_reload
+%endif
+
%post daemon-config-network
if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; then
# see if the network used by default network creates a conflict,
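Review bot: The new `%post daemon-driver-network` and `%postun daemon-driver-network` scriptlets at the top of this hunk are guarded by `%if %{with_firewalld}`, but the zone file they exist to activate is only installed under `%{with_firewalld_zone}` (the `%files daemon-driver-network` hunk below), and `firewalld-filesystem`, which supplies `%firewalld_reload`, is only a BuildRequires under that same flag. The `%if 0%{?fedora} >= 30 || 0%{?rhel} > 7` block earlier in this file leaves the combination `with_firewalld` set / `with_firewalld_zone` unset possible, and on such a build the macro is presumably undefined at spec parse time and would be left as literal `%firewalld_reload` text in the scriptlet. Changing both guards to `%if %{with_firewalld_zone}` ties the reload to the file whose presence it depends on and matches the BuildRequires condition. A short comment such as `# reload so the freshly installed libvirt zone is picked up` above the first `%post` would also document why a driver subpackage carries a firewalld scriptlet at all.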
@@ -1596,6 +1623,10 @@ exit 0
%attr(0755, root, root) %{_libexecdir}/libvirt_leaseshelper
%{_libdir}/%{name}/connection-driver/libvirt_driver_network.so
+%if %{with_firewalld_zone}
+%{_prefix}/lib/firewalld/zones/libvirt.xml
+%endif
+
%files daemon-driver-nodedev
%{_libdir}/%{name}/connection-driver/libvirt_driver_nodedev.so
diff --git a/m4/virt-firewalld-zone.m4 b/m4/virt-firewalld-zone.m4
new file mode 100644
index 0000000000000000000000000000000000000000..b67d1a0b2fb58cd80e563d0b786bc66e4a13e48e
--- /dev/null
+++ b/m4/virt-firewalld-zone.m4
@@ -0,0 +1,45 @@
+dnl firewalld_zone check - whether or not to install the firewall "libvirt" zone
+dnl
+dnl Copyright (C) 2019 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl .
+dnl
+
+AC_DEFUN([LIBVIRT_ARG_FIREWALLD_ZONE], [
+ LIBVIRT_ARG_WITH([FIREWALLD_ZONE], [Whether to install firewalld libvirt zone], [check])
+])
+
+AC_DEFUN([LIBVIRT_CHECK_FIREWALLD_ZONE], [
+ AC_REQUIRE([LIBVIRT_CHECK_FIREWALLD])
+ AC_MSG_CHECKING([for whether to install firewalld libvirt zone])
+
+ if test "x$with_firewalld_zone" = "xcheck" ; then
+ with_firewalld_zone=$with_firewalld
+ fi
+
+ if test "x$with_firewalld_zone" = "xyes" ; then
+ if test "x$with_firewalld" != "xyes" ; then
+ AC_MSG_ERROR([You must have firewalld support enabled to enable firewalld-zone])
+ fi
+ AC_DEFINE_UNQUOTED([WITH_FIREWALLD_ZONE], [1], [whether firewalld libvirt zone is installed])
+ fi
+
+ AM_CONDITIONAL([WITH_FIREWALLD_ZONE], [test "x$with_firewalld_zone" != "xno"])
+ AC_MSG_RESULT($with_firewalld_zone)
+])
+
+AC_DEFUN([LIBVIRT_RESULT_FIREWALLD_ZONE], [
+ LIBVIRT_RESULT([firewalld-zone], [$with_firewalld_zone])
+])
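Review bot: `AM_CONDITIONAL([WITH_FIREWALLD_ZONE], [test "x$with_firewalld_zone" != "xno"])` in LIBVIRT_CHECK_FIREWALLD_ZONE uses a different predicate from the `AC_DEFINE_UNQUOTED` a few lines above, which fires only on `= "xyes"`; any value other than yes/no would enable the automake conditional (and thus the install rule) without the C define. Using `[test "x$with_firewalld_zone" = "xyes"]` for the conditional keeps the two in lock-step. Separately, `AC_MSG_CHECKING` is issued before the `AC_MSG_ERROR` path, so a configure failure on the yes-without-firewalld case leaves the "checking for whether..." line without a result; moving the validation above `AC_MSG_CHECKING`, or emitting `AC_MSG_RESULT([no])` before the error, would keep the configure output tidy.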
diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am
index 508c8c04227788ec0a4211b955f80dabbf175ded..cbaaa7ea68eb9a34cb6fdd08af600ea40d7cc050 100644
--- a/src/network/Makefile.inc.am
+++ b/src/network/Makefile.inc.am
@@ -87,6 +87,11 @@ install-data-network:
( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \
rm -f default.xml && \
$(LN_S) ../default.xml default.xml )
+if WITH_FIREWALLD_ZONE
+ $(MKDIR_P) "$(DESTDIR)$(prefix)/lib/firewalld/zones"
+ $(INSTALL_DATA) $(srcdir)/network/libvirt.zone \
+ $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
+endif WITH_FIREWALLD_ZONE
uninstall-data-network:
rm -f $(DESTDIR)$(confdir)/qemu/networks/autostart/default.xml
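Review bot: The new `WITH_FIREWALLD_ZONE` block quotes the directory for `$(MKDIR_P)` but passes the unquoted `$(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml` to `$(INSTALL_DATA)`, and the `rm -f` added in the uninstall hunk below is unquoted too, so a `DESTDIR` containing whitespace would be split on the install and remove lines only; quoting the target as `"$(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml"` in both places matches the `rmdir` lines around it. The literal `$(prefix)/lib/firewalld/zones` path is now spelled out three times in this file (and again in libvirt.spec.in); a single variable such as `firewalld_zonedir = $(prefix)/lib/firewalld/zones` (constructed name) would keep install, uninstall and packaging in sync if the location ever changes. The `install-data-network` target this hunk extends starts outside the hunk, and a one-line comment there, e.g. `# vendor zone definition; firewalld-filesystem owns the zones directory`, would explain why the directory is created but never removed on uninstall.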
@@ -95,10 +100,13 @@ uninstall-data-network:
rmdir "$(DESTDIR)$(confdir)/qemu/networks" || :
rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||:
rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||:
+if WITH_FIREWALLD_ZONE
+ rm -f $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
+endif WITH_FIREWALLD_ZONE
endif WITH_NETWORK
-EXTRA_DIST += network/default.xml
+EXTRA_DIST += network/default.xml network/libvirt.zone
.PHONY: \
install-data-network \
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
new file mode 100644
index 0000000000000000000000000000000000000000..bf81db1b6ebfd254ed40a95eacc10e61c28810c6
--- /dev/null
+++ b/src/network/libvirt.zone
@@ -0,0 +1,23 @@
+
+
+ libvirt
+
+
+ The default policy of "ACCEPT" allows all packets to/from
+ interfaces in the zone to be forwarded, while the (*low priority*)
+ reject rule blocks any traffic destined for the host, except those
+ services explicitly listed (that list can be modified as required
+ by the local admin). This zone is intended to be used only by
+ libvirt virtual networks - libvirt will add the bridge devices for
+ all new virtual networks to this zone by default.
+
+
+
+
+
+
+
+
+
+
+