https://bugzilla.suse.com/show_bug.cgi?id=1214160 https://bugzilla.suse.com/show_bug.cgi?id=1214160#c8 --- Comment #8 from Robert Munteanu <rombert@apache.org> --- (In reply to James Fehlig from comment #6)

(In reply to Robert Munteanu from comment #5)

...

Due to the default reject target of the policy I need to manually add services to it in order to permit access.

# firewall-cmd --policy=libvirt-to-host --add-service=nfs

Adding the 'nfs' service to the 'libvirt-to-host' policy resolved the dropped NFS connections?

Yes, that is correct.

...

So the logged issue seems to be cosmetic.

And as you say a separate issue from the dropped NFS connections. But what could have caused it to suddenly appear?

Well, I take it back, it's not cosmetic. Whenever I run firewall-cmd --set-log-denied=... commands, the error is logged and the changes I made to the policy ( without adding --permanent ) are lost. So there is some impact from this # firewall-cmd --info-policy=libvirt-to-host libvirt-to-host (active) priority: -1 target: REJECT ingress-zones: libvirt-routed egress-zones: HOST services: dhcp dhcpv6 dns mysql nfs ssh tftp ports: protocols: icmp ipv6-icmp masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: # firewall-cmd --set-log-denied=all success # firewall-cmd --info-policy=libvirt-to-host libvirt-to-host (active) priority: -1 target: REJECT ingress-zones: libvirt-routed egress-zones: HOST services: dhcp dhcpv6 dns ssh tftp ports: protocols: icmp ipv6-icmp masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: There is no hint in the console, but the journal contains the problematic entries Aug 14 13:10:54 vmhost002 firewalld[975]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', {}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones Aug 14 13:10:54 vmhost002 firewalld[975]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', {'nf_nat_tftp': 1}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones

...

I wonder if the new policy was brought in by

* Tue Jul 25 2023 jfehlig@suse.com - spec: Build library with support for modular daemons bsc#1213352

Perhaps the 'support for modular daemons' change caused the policy to be pulled in, but it was not installed for me before?

That change builds the libvirt library with knowledge about how to connect to modular daemons, in addition to the monolithic libvirtd. It defines REMOTE_DRIVER_AUTOSTART_DIRECT, which is used in src/remote/remote_sockets.c when determining which daemon socket to connect. No packaging changes were introduced.

/usr/lib/firewalld/policies/libvirt-to-host.xml has been provided by the libvirt-daemon-driver-network package since it was introduced with commit 2a461957b1f in the libvirt 8.10.0 dev cycle. It was part of a larger set of changes that "allow incoming connections to guests on routed networks w/firewalld"

https://gitlab.com/libvirt/libvirt/-/commit/ 7f7a09a2d25a668092be98ed5abfaeec572f5104

Thanks for clarifying that. -- You are receiving this mail because: You are on the CC list for the bug.