https://bugzilla.suse.com/show_bug.cgi?id=1214160

Bug ID: 1214160
Summary: libvirt-routed firewalld zone not functional
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.5
Hardware: x86-64
OS: openSUSE Leap 15.5
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Other
Assignee: virt-bugs@suse.de
Reporter: rombert@apache.org
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

After a recent update of my virtual machines host (sorry for being fuzzy) I started seeing connections being dropped between the VMs and the host, specifically NFS.

The interfaces are assigned to the libvirt-routed interface contributed by libvirt-daemon-driver-network.

# firewall-cmd --get-active-zones
(...)
libvirt-routed
  interfaces: kubic-net-br virbr1

# rpm -qf /usr/lib/firewalld/zones/libvirt-routed.xml
libvirt-daemon-driver-network-9.0.0-150500.6.11.1.x86_64

Once enabling firewalld dropped packages logging I see log entries such as

Aug 10 13:08:02 vmhost002 kernel: "filter_IN_policy_libvirt-to-host_REJECT: "IN=virbr1 OUT= MAC=52:54:00:33:68:12:52:54:00:ce:5c:25:08:00 SRC=10.25.1.6 DST=10.25.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54291 DF PROTO=TCP SPT=943 DPT=2049 WINDOW=64240 RES=0x00 SYN URGP=0

The nfs service should be allowed

# firewall-cmd --info-zone=libvirt-routed | grep services
  services: http mountd mysql nfs rpc-bind

# firewall-cmd --info-service=nfs
nfs
  ports: 2049/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:

What is worrying me and pointing to a bug are the following messages from the system journal which point to the firewalld zone not being functional

Aug 09 13:12:36 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'RUNNING', False, 'public', {'nf_nat_tftp': 4}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:12:36 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'RUNNING', False, 'public', {'nf_nat_tftp': 4}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:13:33 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', {}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:13:33 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', {'nf_nat_tftp': 1}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones

Happy to provide more information if needed.

--
You are receiving this mail because:
You are on the CC list for the bug.
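
The symptom in this report is a packet rejected on a port that the zone's service list says is open. The following is an added example, not part of the original report and not firewalld or libvirt code: it parses denied-packet kernel log lines of the shape quoted above and flags those that contradict the expected allow-list. The helper names, the `DROP` verdict alternative, and the two lines marked as constructed are assumptions; only `nfs = 2049/tcp` and the first sample line come from the report.

```python
import re

# (port, proto) pairs the zone is expected to allow. Only nfs = 2049/tcp comes
# from the report's `firewall-cmd --info-service=nfs` output.
ALLOWED = {("2049", "tcp")}

# Log prefix shape as it appears in the report: <rule name>_REJECT (DROP is assumed).
PREFIX_RE = re.compile(r"(?P<rule>filter_[\w-]+)_(?P<verdict>REJECT|DROP)\b")
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value fields; bare flags (DF, SYN) are skipped

SAMPLE = [
    # Line taken from the report.
    'Aug 10 13:08:02 vmhost002 kernel: "filter_IN_policy_libvirt-to-host_REJECT: "IN=virbr1 OUT= '
    'MAC=52:54:00:33:68:12:52:54:00:ce:5c:25:08:00 SRC=10.25.1.6 DST=10.25.0.1 LEN=60 TOS=0x00 '
    'PREC=0x00 TTL=64 ID=54291 DF PROTO=TCP SPT=943 DPT=2049 WINDOW=64240 RES=0x00 SYN URGP=0',
    # Constructed line: a port the allow-list does not contain, so the reject is expected.
    'Aug 10 13:08:05 vmhost002 kernel: "filter_IN_policy_libvirt-to-host_REJECT: "IN=virbr1 OUT= '
    'SRC=10.25.1.6 DST=10.25.0.1 LEN=60 PROTO=TCP SPT=40122 DPT=8443 SYN URGP=0',
    # Constructed line: unrelated journal noise.
    'Aug 10 13:08:06 vmhost002 systemd[1]: Started Example Unit.',
]

def parse_denied(line):
    """Return the fields of one denied-packet log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    f = dict(KV_RE.findall(line[m.end():]))
    return {
        "rule": m.group("rule"), "verdict": m.group("verdict"),
        "iface": f.get("IN"), "src": f.get("SRC"), "dst": f.get("DST"),
        "proto": f.get("PROTO", "").lower(), "dport": f.get("DPT"),
    }

def contradictions(lines, allowed):
    """Denied packets whose (dport, proto) the zone configuration says it allows."""
    hits = []
    for line in lines:
        pkt = parse_denied(line)
        if pkt and (pkt["dport"], pkt["proto"]) in allowed:
            hits.append(pkt)
    return hits

if __name__ == "__main__":
    for pkt in contradictions(SAMPLE, ALLOWED):
        print("{verdict} by {rule}: {src} -> {dst} {dport}/{proto} on {iface}".format(**pkt))
```
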