On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> Convert the existing behavior into policies.
Has this split of .zone vs .policy been something firewalld
always supported, or is it a "new" feature for some value
of "new" ?
Essentially wonder if this has any historical back compat
implications for libvirt, given the platforms we target
(2 most recent major releases of all distros, so RHEL >= 8
and equiv).
>
> This commit has no functional changes.
>
> Signed-off-by: Eric Garver <eric@xxxxxxxxxxx>
> ---
> src/network/libvirt-nat-out.policy | 12 ++++++++++++
> src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
> src/network/libvirt.zone | 23 +++++------------------
> src/network/meson.build | 10 ++++++++++
> 4 files changed, 47 insertions(+), 18 deletions(-)
> create mode 100644 src/network/libvirt-nat-out.policy
> create mode 100644 src/network/libvirt-to-host.policy
>
> diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
> new file mode 100644
> index 000000000000..7d1cf6dfb4c4
> --- /dev/null
> +++ b/src/network/libvirt-nat-out.policy
> @@ -0,0 +1,12 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="ACCEPT">
> + <short>libvirt-nat-out</short>
> +
> + <description>
> + This policy is used to allow NAT virtual machine traffic to the
> + rest of the network.
> + </description>
> +
> + <ingress-zone name="libvirt" />
> + <egress-zone name="ANY" />
> +</policy>
> diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
> new file mode 100644
> index 000000000000..045b35d58d0d
> --- /dev/null
> +++ b/src/network/libvirt-to-host.policy
> @@ -0,0 +1,20 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="REJECT">
> + <short>libvirt-to-host</short>
> +
> + <description>
> + This policy is used to filter traffic from virtual machines to the
> + host.
> + </description>
> +
> + <ingress-zone name="libvirt" />
> + <egress-zone name="HOST" />
> +
> + <protocol value='icmp'/>
> + <protocol value='ipv6-icmp'/>
> + <service name='dhcp'/>
> + <service name='dhcpv6'/>
> + <service name='dns'/>
> + <service name='ssh'/>
> + <service name='tftp'/>
> +</policy>
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> index b1e84b52ecc9..4c5639d8a84f 100644
> --- a/src/network/libvirt.zone
> +++ b/src/network/libvirt.zone
> @@ -1,25 +1,12 @@
> <?xml version="1.0" encoding="utf-8"?>
> -<zone target="ACCEPT">
> +<zone>
> <short>libvirt</short>
>
> <description>
> - The default policy of "ACCEPT" allows all packets to/from
> - interfaces in the zone to be forwarded, while the (*low priority*)
> - reject rule blocks any traffic destined for the host, except those
> - services explicitly listed (that list can be modified as required
> - by the local admin). This zone is intended to be used only by
> - libvirt virtual networks - libvirt will add the bridge devices for
> - all new virtual networks to this zone by default.
> + This zone is intended to be used only by libvirt virtual networks -
> + libvirt will add the bridge devices for all new virtual networks to
> + this zone by default.
> </description>
>
> -<rule priority='32767'>
> - <reject/>
> -</rule>
> -<protocol value='icmp'/>
> -<protocol value='ipv6-icmp'/>
> -<service name='dhcp'/>
> -<service name='dhcpv6'/>
> -<service name='dns'/>
> -<service name='ssh'/>
> -<service name='tftp'/>
> + <forward />
> </zone>
> diff --git a/src/network/meson.build b/src/network/meson.build
> index b5eff0c3ab6b..3dd342639a46 100644
> --- a/src/network/meson.build
> +++ b/src/network/meson.build
> @@ -100,5 +100,15 @@ if conf.has('WITH_NETWORK')
> install_dir: prefix / 'lib' / 'firewalld' / 'zones',
> rename: [ 'libvirt.xml' ],
> )
> + install_data(
> + 'libvirt-to-host.policy',
> + install_dir: prefix / 'lib' / 'firewalld' / 'policies',
> + rename: [ 'libvirt-to-host.xml' ],
> + )
> + install_data(
> + 'libvirt-nat-out.policy',
> + install_dir: prefix / 'lib' / 'firewalld' / 'policies',
> + rename: [ 'libvirt-nat-out.xml' ],
> + )
> endif
> endif
> --
> 2.33.0
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
