On Thu, Feb 14, 2019 at 02:46:22PM -0500, Laine Stump wrote:
> The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
> following:
>
> 1) lists specific services it wants to allow, then
>
> 2) uses a lower priority <reject/> rule to block all other services to
>    the host, and then finally,
>
> 3) relies on the zone's default "accept" policy to accept all
>    forwarded traffic (since forwarded traffic is ignored by the
>    slightly higher priority <reject/> rule in (2)).
>
> I had assumed that icmp traffic was either being allowed at the top of
> the rules, or that it would be ignored by the <reject/> rule and
> passed by the default accept policy (similar to forwarded traffic),
> but this assumption was incorrect; the <reject/> rule does block icmp
> traffic. This became apparent when DHCPv6 (which requires ICMPv6 in
> addition to udp/dhcpv6) failed to work.
>
> This all means that in order to achieve our original goal of "similar
> behavior to a default reject policy, but also allowing forwarded
> traffic", we need to add rules to allow all icmp and icmpv6 traffic to
> the libvirt zone, and that's what this patch does.
>
> This is a further refinement of the resolution to
> https://bugzilla.redhat.com/1650320
>
> Signed-off-by: Laine Stump <laine@xxxxxxxxx>
> ---
>  src/network/libvirt.zone | 2 ++
>  1 file changed, 2 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org  -o-    https://www.instagram.com/dberrange :|
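As an added illustration that is not the patch under review and not libvirt's own zone file, the following firewalld zone definition has the shape the commit message describes: an explicit list of host services, ICMP and ICMPv6 allowed by protocol, a lowest-priority rich rule that rejects everything else addressed to the host, and a zone target of ACCEPT so that forwarded traffic (which the rich rule never sees) passes. The zone name, the particular services and the description text are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative zone file (assumption: not libvirt's own). target="ACCEPT"
     is the zone's default policy; it is what lets forwarded guest traffic
     through, because the reject rule below only applies to traffic that
     terminates on the host. -->
<zone target="ACCEPT">
  <short>example-vm-bridge</short>
  <description>
    Services listed here are reachable on the host from interfaces in this
    zone. Everything else addressed to the host is rejected by the
    lowest-priority rich rule, while forwarded traffic is untouched by that
    rule and falls through to the ACCEPT target.
  </description>

  <!-- 1) host services the guests may reach (assumed set for the example) -->
  <service name="dhcp"/>
  <service name="dhcpv6"/>
  <service name="dns"/>
  <service name="ssh"/>

  <!-- ICMP and ICMPv6 must be allowed explicitly: the reject rule below
       does catch them, and DHCPv6 cannot complete without ICMPv6
       (neighbor discovery and router solicitation). -->
  <protocol value="icmp"/>
  <protocol value="ipv6-icmp"/>

  <!-- 2) 32767 is the largest (lowest-precedence) rich-rule priority
       firewalld accepts, so this is evaluated after every allow above and
       rejects any other traffic to the host. -->
  <rule priority="32767">
    <reject/>
  </rule>
</zone>
```

With such a file placed under /etc/firewalld/zones/ and firewalld reloaded (`firewall-cmd --reload`), `firewall-cmd --zone=example-vm-bridge --list-all` shows whether the `protocols:` line carries both `icmp` and `ipv6-icmp`; if it does not, a guest's DHCPv6 exchange failing while IPv4 DHCP works is the symptom the commit message reports.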