On Thu, Feb 14, 2019 at 02:46:22PM -0500, Laine Stump wrote:
> The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
> following:
>
> 1) lists specific services it wants to allow, then
>
> 2) uses a lower priority <reject/> rule to block all other services to
> the host, and then finally,
>
> 3) relies on the zone's default "accept" policy to accept all
> forwarded traffic (since forwarded traffic is ignored by the
> slightly higher priority <reject/> rule in (2)).
>
> I had assumed that icmp traffic was either being allowed at the top of
> the rules, or that it would be ignored by the <reject/> rule and
> passed by the default accept policy (similar to forwarded traffic),
> but this assumption was incorrect; the <reject/> rule does block icmp
> traffic. This became apparent when DHCPv6 (which requires ICMPv6 in
> addition to udp/dhcpv6) failed to work.
>
> This all means that in order to achieve our original goal of "similar
> behavior to a default reject policy, but also allowing forwarded
> traffic", we need to add rules to allow all icmp and icmpv6 traffic to
> the libvirt zone, and that's what this patch does.
>
> This is a further refinement of the resolution to
> https://bugzilla.redhat.com/1650320
>
> Signed-off-by: Laine Stump <laine@xxxxxxxxx>
> ---
> src/network/libvirt.zone | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> index bf81db1b6e..b1e84b52ec 100644
> --- a/src/network/libvirt.zone
> +++ b/src/network/libvirt.zone
> @@ -15,6 +15,8 @@
> <rule priority='32767'>
> <reject/>
> </rule>
> +<protocol value='icmp'/>
> +<protocol value='ipv6-icmp'/>
> <service name='dhcp'/>
> <service name='dhcpv6'/>
> <service name='dns'/>
> --
> 2.20.1

LGTM. Sorry I didn't catch it the first time around.

Acked-by: Eric Garver <eric@xxxxxxxxxxx>
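Review bot: the two added `<protocol>` entries admit every ICMP and ICMPv6 type to the host, which is broader than the ICMPv6 that DHCPv6 requires, and the hunk carries no comment saying why they are there; the rationale lives only in the commit message. Suggest an XML comment above `+<protocol value='icmp'/>`, for example `<!-- needed for DHCPv6; the priority-32767 <reject/> rule would otherwise block ICMP/ICMPv6 -->`, so that a later tightening of the zone does not silently reintroduce the DHCPv6 failure described in the commit message.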