Comment # 8 on bug 1214160 from Robert Munteanu
(In reply to James Fehlig from comment #6)
> (In reply to Robert Munteanu from comment #5)
> > Due to the default reject target of the policy I need to manually add
> > services to it in order to permit access.
> > 
> > # firewall-cmd --policy=libvirt-to-host --add-service=nfs
> 
> Adding the 'nfs' service to the 'libvirt-to-host' policy resolved the
> dropped NFS connections?

Yes, that is correct.

> 
> > So the logged issue seems to be cosmetic.
> 
> And as you say a separate issue from the dropped NFS connections. But what
> could have caused it to suddenly appear?

Well, I take it back, it's not cosmetic. Whenever I run firewall-cmd
--set-log-denied=... commands, the error is logged and the changes I made to
the policy (without adding --permanent) are lost. So there is some impact
from this.

# firewall-cmd --info-policy=libvirt-to-host
libvirt-to-host (active)
  priority: -1
  target: REJECT
  ingress-zones: libvirt-routed
  egress-zones: HOST
  services: dhcp dhcpv6 dns mysql nfs ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
# firewall-cmd --set-log-denied=all
success
# firewall-cmd --info-policy=libvirt-to-host
libvirt-to-host (active)
  priority: -1
  target: REJECT
  ingress-zones: libvirt-routed
  egress-zones: HOST
  services: dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

There is no hint in the console, but the journal contains the problematic
entries:

Aug 14 13:10:54 vmhost002 firewalld[975]: ERROR: Calling pre func <bound method
Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True,
True, 'INIT', False, 'public', {}, [], True, True, True, False, 'all')>(())
failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 14 13:10:54 vmhost002 firewalld[975]: ERROR: Calling pre func <bound method
Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True,
True, 'INIT', False, 'public', {'nf_nat_tftp': 1}, [], True, True, True, False,
'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones


>  
> > I wonder if the new policy was brought in by
> > 
> > * Tue Jul 25 2023 jfehlig@suse.com
> > - spec: Build library with support for modular daemons
> >   bsc#1213352
> > 
> > Perhaps the 'support for modular daemons' change caused the policy to be
> > pulled in, but it was not installed for me before?
> 
> That change builds the libvirt library with knowledge about how to connect
> to modular daemons, in addition to the monolithic libvirtd. It defines
> REMOTE_DRIVER_AUTOSTART_DIRECT, which is used in src/remote/remote_sockets.c
> when determining which daemon socket to connect. No packaging changes were
> introduced.
> 
> /usr/lib/firewalld/policies/libvirt-to-host.xml has been provided by the
> libvirt-daemon-driver-network package since it was introduced with commit
> 2a461957b1f in the libvirt 8.10.0 dev cycle. It was part of a larger set of
> changes that "allow incoming connections to guests on routed networks
> w/firewalld"
> 
> https://gitlab.com/libvirt/libvirt/-/commit/
> 7f7a09a2d25a668092be98ed5abfaeec572f5104

Thanks for clarifying that.
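The comment above shows runtime policy changes (services added without --permanent) silently disappearing after a `--set-log-denied` call, with the only evidence being an ERROR line in the journal. The script below is an added example, not part of this bug report or of firewalld/libvirt: it parses the text that `firewall-cmd --info-policy=<name>` prints, reports which entries were lost or gained between two snapshots, and scans journal lines for the `full_check_config ... failed: <CODE>: <detail>` pattern. The two policy snapshots and the journal lines are constructed from the output quoted in the comment (journalctl prints each entry on one line); the `live_policy_text` helper just shells out to the real `firewall-cmd` flags and is only used when run on a host.

```python
"""Detect drift in a firewalld policy and surface config-check errors.

Added example (not firewalld's or libvirt's own code). Inputs are the text
printed by `firewall-cmd --info-policy=NAME` and lines from the journal.
"""
import re
import subprocess

# Constructed from the bug comment: runtime view before `--set-log-denied`.
POLICY_BEFORE = """\
libvirt-to-host (active)
  priority: -1
  target: REJECT
  ingress-zones: libvirt-routed
  egress-zones: HOST
  services: dhcp dhcpv6 dns mysql nfs ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed from the bug comment: runtime view after `--set-log-denied=all`.
POLICY_AFTER = """\
libvirt-to-host (active)
  priority: -1
  target: REJECT
  ingress-zones: libvirt-routed
  egress-zones: HOST
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed journal excerpt, one entry per line as journalctl prints it.
JOURNAL = (
    "Aug 14 13:10:54 vmhost002 firewalld[975]: ERROR: Calling pre func "
    "<bound method Firewall.full_check_config of <class "
    "'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', "
    "{}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: "
    "'libvirt-routed' not among existing zones\n"
    "Aug 14 13:10:55 vmhost002 systemd[1]: Started some unrelated service.\n"
)

FIELD_RE = re.compile(r"^\s+([a-z][a-z -]*?):\s*(.*)$")
HEADER_RE = re.compile(r"^(\S+) \((\w+)\)$")
ERROR_RE = re.compile(r"firewalld\[\d+\]: ERROR: .*?failed: ([A-Z_]+): (.*)$")

# Fields whose values are whitespace-separated lists worth diffing.
LIST_FIELDS = ("services", "ports", "protocols", "forward-ports",
               "source-ports", "icmp-blocks")


def parse_info_policy(text):
    """Return {'name', 'state', fields...} from --info-policy output."""
    info = {}
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            info["name"], info["state"] = header.group(1), header.group(2)
            continue
        field = FIELD_RE.match(line)
        if field:
            info[field.group(1)] = field.group(2).split()
    return info


def policy_drift(before_text, after_text):
    """Return {field: {'lost': [...], 'gained': [...]}} for fields that changed."""
    before, after = parse_info_policy(before_text), parse_info_policy(after_text)
    drift = {}
    for field in LIST_FIELDS:
        old, new = set(before.get(field, [])), set(after.get(field, []))
        if old != new:
            drift[field] = {"lost": sorted(old - new), "gained": sorted(new - old)}
    return drift


def find_config_errors(journal_text):
    """Return [(error_code, detail)] for firewalld config-check failures."""
    found = []
    for line in journal_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def live_policy_text(name, permanent=False):
    """Fetch --info-policy output from the local firewalld (not used in tests)."""
    cmd = ["firewall-cmd"] + (["--permanent"] if permanent else []) + [f"--info-policy={name}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for field, change in policy_drift(POLICY_BEFORE, POLICY_AFTER).items():
        print(f"{field}: lost={change['lost']} gained={change['gained']}")
    for code, detail in find_config_errors(JOURNAL):
        print(f"firewalld config check failed: {code}: {detail}")
```

On a live host, `policy_drift(live_policy_text(n, permanent=True), live_policy_text(n))` compares the on-disk policy with what is currently enforced; a non-empty `lost`/`gained` result means the runtime state will not survive a reload unless it is also committed with --permanent.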
