Re: [PATCH 4/5] network: regain guest network connectivity after firewalld switch to nftables

On Wed, Jan 09, 2019 at 09:57:36PM -0500, Laine Stump wrote:
> From: Laine Stump <laine@xxxxxxxxxx>
[..]
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> new file mode 100644
> index 0000000000..1750ba2f06
> --- /dev/null
> +++ b/src/network/libvirt.zone
> @@ -0,0 +1,14 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<zone target="ACCEPT">
> +  <short>libvirt</short>
> +  <description>The default policy of "ACCEPT" allows all packets to/from interfaces in the zone to be forwarded, while the (*low priority*) reject rule blocks any traffic destined for the host, except those services explicitly listed (that list can be modified as required by the local admin). This zone is intended to be used only by libvirt virtual networks - libvirt will add the bridge devices for all new virtual networks to this zone by default.</description>
> +
> +<rule priority='127'>

The valid priority range is [-32768, 32767]. You may want to change this
to 32767 to make sure it's the lowest precedence possible.

Although, since libvirt completely controls this zone, it won't matter
unless libvirt or the user adds other rich rules.

> +  <reject/>
> +</rule>
> +<service name='dhcp'/>
> +<service name='dhcpv6'/>
> +<service name='dns'/>
> +<service name='ssh'/>
> +<service name='tftp'/>
> +</zone>
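Review bot: the `<service name='ssh'/>` entry (and to a lesser degree `tftp`) opens a host service to every guest on every libvirt virtual network by default, and the only justification in the file is the description's "that list can be modified as required by the local admin"; the commit message or the `<description>` should say why ssh from guests to the host is an acceptable default rather than something the admin opts into. Two smaller points in the same file: the `<rule>` and `<service>` elements sit at column zero inside `<zone>` while `<short>` and `<description>` are indented, and the `<reject/>` rich rule carries no `family` attribute, so it would help to state in the description that it is meant to cover IPv6 as well as IPv4, given that `dhcpv6` is in the allowed list.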
> -- 
> 2.20.1
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
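As an added example (not code from the patch, from libvirt or from firewalld), the following script parses a firewalld zone file of the shape posted above and checks the two things the review turns on: that every rich-rule priority lies in the quoted range [-32768, 32767], and that a catch-all `<reject/>` rule is actually the last one consulted (firewalld evaluates rich rules in ascending priority order, so a reject at 127 is skipped past by nothing, but any later rule with a priority above 127 is ordered behind it and can never match). The embedded zone XML is a constructed copy of the one in the patch; the finding codes and the `audit_zone` function name are this example's own.

```python
"""Sanity-check a firewalld zone file: validate rich-rule priorities and
report what a guest placed in the zone may reach on the host.

Example code written for this review thread; not part of libvirt or firewalld."""
import xml.etree.ElementTree as ET

# Rich-rule priority range quoted in the review. Rules are evaluated in
# ascending order, so PRIORITY_MAX is the last rule firewalld consults.
PRIORITY_MIN, PRIORITY_MAX = -32768, 32767

# Constructed test input: a copy of the zone from the patch, priority 127 as posted.
LIBVIRT_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>libvirt</short>
  <rule priority='127'>
    <reject/>
  </rule>
  <service name='dhcp'/>
  <service name='dhcpv6'/>
  <service name='dns'/>
  <service name='ssh'/>
  <service name='tftp'/>
</zone>
"""

# Rich-rule child elements that narrow what a rule matches. A <reject/> rule
# with none of them is a catch-all for traffic addressed to the host.
MATCH_ELEMENTS = ("source", "destination", "service", "port", "protocol",
                  "icmp-block", "icmp-type", "forward-port", "source-port")
ACTIONS = ("accept", "reject", "drop", "mark")


def audit_zone(xml_text):
    """Return a report dict with the zone target, the services allowed to the
    host, the parsed rich rules and a list of (code, message) findings."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # bytes: keeps the XML declaration valid
    report = {
        "target": root.get("target", "default"),
        "services": [s.get("name") for s in root.findall("service")],
        "rules": [],
        "findings": [],
    }
    for idx, rule in enumerate(root.findall("rule")):
        raw = rule.get("priority", "0")  # firewalld's default priority is 0
        try:
            prio = int(raw)
        except ValueError:
            report["findings"].append(
                ("PRIORITY_NOT_INT", f"rule {idx}: priority {raw!r} is not an integer"))
            continue
        actions = [child.tag for child in rule if child.tag in ACTIONS]
        catch_all = not any(rule.find(m) is not None for m in MATCH_ELEMENTS)
        report["rules"].append({"priority": prio, "actions": actions, "catch_all": catch_all})
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            report["findings"].append(
                ("PRIORITY_OUT_OF_RANGE",
                 f"rule {idx}: priority {prio} outside [{PRIORITY_MIN}, {PRIORITY_MAX}]"))
        elif catch_all and "reject" in actions and prio != PRIORITY_MAX:
            report["findings"].append(
                ("REJECT_NOT_LAST",
                 f"rule {idx}: catch-all reject at priority {prio}; a rich rule added "
                 f"with priority above {prio} is evaluated after it and never matches"))
    has_host_reject = any(r["catch_all"] and "reject" in r["actions"] for r in report["rules"])
    if report["target"] == "ACCEPT" and not has_host_reject:
        report["findings"].append(
            ("HOST_OPEN", "target=ACCEPT with no catch-all reject: every host service "
                          "is reachable from the zone, not just the listed ones"))
    return report


if __name__ == "__main__":
    result = audit_zone(LIBVIRT_ZONE_XML)
    print("target:", result["target"])
    print("services reachable on the host:", ", ".join(result["services"]))
    for code, msg in result["findings"]:
        print(f"{code}: {msg}")
```

Run against the posted zone the script reports one finding, `REJECT_NOT_LAST` for the priority-127 rule; replacing `127` with `32767` as suggested in the review clears it, and a value such as `40000` is reported as `PRIORITY_OUT_OF_RANGE` instead. The `HOST_OPEN` check exists for the case where someone later drops the reject rule while leaving `target="ACCEPT"` in place, which would expose all host services to the guests rather than the five listed.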


