Convert the existing behavior into policies. This commit has no functional changes.
Signed-off-by: Eric Garver <eric@xxxxxxxxxxx>
---
 src/network/libvirt-nat-out.policy | 12 ++++++++++++
 src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
 src/network/libvirt.zone | 23 +++++------------------
 src/network/meson.build | 10 ++++++++++
 4 files changed, 47 insertions(+), 18 deletions(-)
 create mode 100644 src/network/libvirt-nat-out.policy
 create mode 100644 src/network/libvirt-to-host.policy
diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
new file mode 100644
index 000000000000..7d1cf6dfb4c4
--- /dev/null
+++ b/src/network/libvirt-nat-out.policy
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+ <short>libvirt-nat-out</short>
+
+ <description>
+ This policy is used to allow NAT virtual machine traffic to the
+ rest of the network.
+ </description>
+
+ <ingress-zone name="libvirt" />
+ <egress-zone name="ANY" />
+</policy>
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
new file mode 100644
index 000000000000..045b35d58d0d
--- /dev/null
+++ b/src/network/libvirt-to-host.policy
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="REJECT">
+ <short>libvirt-to-host</short>
+
+ <description>
+ This policy is used to filter traffic from virtual machines to the
+ host.
+ </description>
+
+ <ingress-zone name="libvirt" />
+ <egress-zone name="HOST" />
+
+ <protocol value='icmp'/>
+ <protocol value='ipv6-icmp'/>
+ <service name='dhcp'/>
+ <service name='dhcpv6'/>
+ <service name='dns'/>
+ <service name='ssh'/>
+ <service name='tftp'/>
+</policy>
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index b1e84b52ecc9..4c5639d8a84f 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
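Review bot: The combination `<policy target="ACCEPT">` with `<egress-zone name="ANY" />` accepts traffic forwarded from libvirt bridges into every other zone on the host, not only the upstream path that the file name and the description ("to the rest of the network") suggest, and the policy carries no `<masquerade/>` element, so the NAT itself is evidently applied elsewhere. That matches the old zone's `target="ACCEPT"`, which forwarded everywhere too, so the no-functional-change claim holds, but the description should state the actual scope so an admin does not read this file as the NAT rule. Suggest replacing the `<description>` text with: `This policy allows traffic forwarded from libvirt virtual networks to interfaces in any other zone. It does not itself add NAT/masquerade rules.`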
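Review bot: The `<description>` in libvirt-to-host.policy drops the guidance the old zone text carried — that the `<protocol>`/`<service>` list is the allowlist for VM-to-host traffic and that the local admin is expected to adjust it — while `target="REJECT"` now rejects everything not on that list, so an admin reading only this file cannot tell what happens to unlisted traffic. Suggest wording the description as: `This policy filters traffic from virtual machines to the host. Only the protocols and services listed below are allowed; everything else is rejected. The list can be modified as required by the local admin.`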
@@ -1,25 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
-<zone target="ACCEPT">
+<zone>
 <short>libvirt</short>
 <description>
- The default policy of "ACCEPT" allows all packets to/from
- interfaces in the zone to be forwarded, while the (*low priority*)
- reject rule blocks any traffic destined for the host, except those
- services explicitly listed (that list can be modified as required
- by the local admin). This zone is intended to be used only by
- libvirt virtual networks - libvirt will add the bridge devices for
- all new virtual networks to this zone by default.
+ This zone is intended to be used only by libvirt virtual networks -
+ libvirt will add the bridge devices for all new virtual networks to
+ this zone by default.
 </description>
-<rule priority='32767'>
- <reject/>
-</rule>
-<protocol value='icmp'/>
-<protocol value='ipv6-icmp'/>
-<service name='dhcp'/>
-<service name='dhcpv6'/>
-<service name='dns'/>
-<service name='ssh'/>
-<service name='tftp'/>
+ <forward />
 </zone>
diff --git a/src/network/meson.build b/src/network/meson.build
index b5eff0c3ab6b..3dd342639a46 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -100,5 +100,15 @@ if conf.has('WITH_NETWORK')
 install_dir: prefix / 'lib' / 'firewalld' / 'zones',
 rename: [ 'libvirt.xml' ],
 )
+ install_data(
+ 'libvirt-to-host.policy',
+ install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+ rename: [ 'libvirt-to-host.xml' ],
+ )
+ install_data(
+ 'libvirt-nat-out.policy',
+ install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+ rename: [ 'libvirt-nat-out.xml' ],
+ )
 endif
 endif
--
2.33.0
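Review bot: Dropping `target="ACCEPT"`, the priority-32767 reject rule and the whole service list leaves libvirt.zone meaningful only together with the two new policy objects and the added `<forward />` element, and both policy objects and intra-zone `<forward/>` first appeared in firewalld 0.9.0; the commit claims no functional change, but on an older firewalld that knows neither feature this zone would presumably either fail to load or load as a default-target zone that admits nothing to the host and forwards nothing, so the equivalence holds only for firewalld >= 0.9.0 and nothing in the patch records that floor. The trimmed `<description>` also no longer tells a reader where the host-bound filtering and forwarding behaviour went. Suggest appending to the description: `Host-bound filtering and forwarding to other zones are defined by the libvirt-to-host and libvirt-nat-out policies (requires firewalld >= 0.9.0).`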
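Review bot: The two new `install_data(` blocks in meson.build are copy-pasted and differ only in the file stem, so a third policy or a change of the install directory has to be edited in two places; a `foreach` over the policy names keeps one definition of the directory and the `.policy` → `.xml` rename. The enclosing `if conf.has('WITH_NETWORK')` block begins before this hunk, and the nested `if` the `endif` lines close is also outside it, so the indentation below is a guess.
```meson
  foreach policy : [ 'libvirt-to-host', 'libvirt-nat-out' ]
    install_data(
      policy + '.policy',
      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
      rename: [ policy + '.xml' ],
    )
  endforeach
```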