Bug ID: 1214160
Summary: libvirt-routed firewalld zone not functional
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.5
Hardware: x86-64
OS: openSUSE Leap 15.5
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Other
Assignee: virt-bugs@suse.de
Reporter: rombert@apache.org
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

After a recent update of my virtual machines host (sorry for being fuzzy) I
started seeing connections being dropped between the VMs and the host,
specifically NFS.

The interfaces are assigned to the libvirt-routed interface contributed by
libvirt-daemon-driver-network.

# firewall-cmd --get-active-zones
(...)
libvirt-routed
  interfaces: kubic-net-br virbr1

# rpm -qf /usr/lib/firewalld/zones/libvirt-routed.xml 
libvirt-daemon-driver-network-9.0.0-150500.6.11.1.x86_64

After enabling firewalld's logging of dropped packets, I see log entries such as:

Aug 10 13:08:02 vmhost002 kernel: "filter_IN_policy_libvirt-to-host_REJECT:
"IN=virbr1 OUT= MAC=52:54:00:33:68:12:52:54:00:ce:5c:25:08:00 SRC=10.25.1.6
DST=10.25.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54291 DF PROTO=TCP SPT=943
DPT=2049 WINDOW=64240 RES=0x00 SYN URGP=0 

The nfs service should be allowed:

# firewall-cmd --info-zone=libvirt-routed  | grep services
  services: http mountd mysql nfs rpc-bind

# firewall-cmd --info-service=nfs
nfs
  ports: 2049/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
  helpers:

What is worrying me and pointing to a bug are the following messages from the
system journal, which point to the firewalld zone not being functional:

Aug 09 13:12:36 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound
method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True,
True, True, 'RUNNING', False, 'public', {'nf_nat_tftp': 4}, [], True, True,
True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among
existing zones
Aug 09 13:12:36 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound
method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True,
True, True, 'RUNNING', False, 'public', {'nf_nat_tftp': 4}, [], True, True,
True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among
existing zones
Aug 09 13:13:33 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound
method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True,
True, True, 'INIT', False, 'public', {}, [], True, True, True, False,
'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:13:33 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound
method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True,
True, True, 'INIT', False, 'public', {'nf_nat_tftp': 1}, [], True, True, True,
False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing
zones

Happy to provide more information if needed.
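
A triage sketch for the two symptoms in the report above, added here as an example and not part of the original report or of firewalld/libvirt code: it scans journal text for firewalld denied-packet lines and INVALID_ZONE errors, then flags denials on ports the zone is expected to allow. The name `triage`, the sample lines (rejoined and shortened from the report) and the reading of the log prefix as `<chain>_<verdict>` are assumptions.

```python
import re
from collections import Counter

# Constructed sample: lines modelled on the report's journal excerpts, with the
# mail line-wrapping rejoined and the long firewalld repr shortened to "...".
SAMPLE = """\
Aug 10 13:08:02 vmhost002 kernel: "filter_IN_policy_libvirt-to-host_REJECT: "IN=virbr1 OUT= MAC=52:54:00:33:68:12:52:54:00:ce:5c:25:08:00 SRC=10.25.1.6 DST=10.25.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54291 DF PROTO=TCP SPT=943 DPT=2049 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 09 13:12:36 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config ...>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:13:33 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config ...>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
"""

# Assumption: the kernel log prefix is "<chain>_<REJECT|DROP>: ", as in the sample.
DENIED = re.compile(
    r'kernel: "?(?P<chain>filter_[\w-]+)_(?P<verdict>REJECT|DROP): ?"?(?P<fields>.*)')
KV = re.compile(r"(\w+)=(\S*)")  # netfilter KEY=VALUE pairs; value may be empty (OUT=)
INVALID = re.compile(r"INVALID_ZONE: '([^']+)' not among existing zones")


def triage(journal, allowed_ports):
    """Summarise denied flows and zone-load errors found in journal text.

    allowed_ports: set of "port/proto" strings the zone's services should open,
    e.g. {"2049/tcp"} for the nfs service shown by `firewall-cmd --info-service=nfs`.
    """
    denied, invalid = Counter(), Counter()
    for line in journal.splitlines():
        m = DENIED.search(line)
        if m:
            f = dict(KV.findall(m["fields"]))
            port = f"{f.get('DPT', '-')}/{f.get('PROTO', '-').lower()}"
            key = (m["chain"], m["verdict"], f.get("IN", ""), f.get("SRC", ""), port)
            denied[key] += 1
            continue
        m = INVALID.search(line)
        if m:
            invalid[m[1]] += 1
    # Denials on ports that the zone configuration claims to allow.
    unexpected = [k for k in denied if k[4] in allowed_ports]
    return {"denied": denied, "invalid_zones": invalid, "unexpected": unexpected}


if __name__ == "__main__":
    result = triage(SAMPLE, {"2049/tcp"})
    for chain, verdict, iface, src, port in result["unexpected"]:
        print(f"{verdict} by {chain}: {src} via {iface} -> {port} (expected allowed)")
    for zone, count in result["invalid_zones"].items():
        print(f"zone {zone!r} reported missing {count} time(s)")
```

To run it on a live host, pass the output of `journalctl -k` and `journalctl -u firewalld` as the `journal` argument in place of `SAMPLE`.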