Re: [PATCH 1/4] network: firewalld: convert to policies

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, May 11, 2022 at 05:15:25PM +0100, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> > Convert the existing behavior into policies.
> 
> Has this split of .zone vs .policy been something firewalld
> always supported, or is it a "new" feature for some value
> of "new" ?

Policies are new in firewalld-0.9.0.
https://firewalld.org/2020/09/policy-objects-introduction

Policies supplement zones. They do not split or replace them.

> Essentially wonder if this has any historical back compat
> implications for libvirt, given the platforms we target
> (2 most recent major releases of all distros, so RHEL >= 8
>  and equiv).

The original zone definition requires firewalld >= 0.7.0. So the
versions we need to worry about with this change are 0.7.z through
0.8.z.

At least these distributions (probably non-exhaustive list) have a
firewalld version in that range:

Ubuntu:
  - focal (20.04 LTS) has 0.8.2
    - this is 3 major releases ago, but 2 LTS releases ago

--

The below distributions should be "good to go":

RHEL/Fedora:
  - RHEL-8 and RHEL-9 have >= 0.9.0.
  - f34 and later have >= 0.9.0.

Debian:
  - stable (11, bullseye) has 0.9.2.
  - oldstable (10, buster) has 0.6.3
    - defaults to iptables backend [1] so even the original zone is not
      necessary

Ubuntu:
  - jammy (22.04 LTS) has 1.1.1
  - impish (21.10) has 0.9.3

SUSE:
  - 15 SP4 has 0.9.3
  - 12 SP5 has 0.4.3.3 (too old to care)

Note: I didn't investigate rolling release distributions, e.g. Arch,
Gentoo

[1]: https://salsa.debian.org/utopia-team/firewalld/-/blob/17fc3126d6eab159f6c703c7e100345fe3450f97/debian/patches/Switch-firewall-backend-from-nftables-back-to-iptables.patch

> > 
> > This commit has no functional changes.
> > 
> > Signed-off-by: Eric Garver <eric@xxxxxxxxxxx>
> > ---
> >  src/network/libvirt-nat-out.policy | 12 ++++++++++++
> >  src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
> >  src/network/libvirt.zone           | 23 +++++------------------
> >  src/network/meson.build            | 10 ++++++++++
> >  4 files changed, 47 insertions(+), 18 deletions(-)
> >  create mode 100644 src/network/libvirt-nat-out.policy
> >  create mode 100644 src/network/libvirt-to-host.policy
> > 
> > diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
> > new file mode 100644
> > index 000000000000..7d1cf6dfb4c4
> > --- /dev/null
> > +++ b/src/network/libvirt-nat-out.policy
> > @@ -0,0 +1,12 @@
> > +<?xml version="1.0" encoding="utf-8"?>
> > +<policy target="ACCEPT">
> > +  <short>libvirt-nat-out</short>
> > +
> > +  <description>
> > +    This policy is used to allow NAT virtual machine traffic to the
> > +    rest of the network.
> > +  </description>
> > +
> > +  <ingress-zone name="libvirt" />
> > +  <egress-zone name="ANY" />
> > +</policy>
> > diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
> > new file mode 100644
> > index 000000000000..045b35d58d0d
> > --- /dev/null
> > +++ b/src/network/libvirt-to-host.policy
> > @@ -0,0 +1,20 @@
> > +<?xml version="1.0" encoding="utf-8"?>
> > +<policy target="REJECT">
> > +  <short>libvirt-to-host</short>
> > +
> > +  <description>
> > +    This policy is used to filter traffic from virtual machines to the
> > +    host.
> > +  </description>
> > +
> > +  <ingress-zone name="libvirt" />
> > +  <egress-zone name="HOST" />
> > +
> > +  <protocol value='icmp'/>
> > +  <protocol value='ipv6-icmp'/>
> > +  <service name='dhcp'/>
> > +  <service name='dhcpv6'/>
> > +  <service name='dns'/>
> > +  <service name='ssh'/>
> > +  <service name='tftp'/>
> > +</policy>
> > diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> > index b1e84b52ecc9..4c5639d8a84f 100644
> > --- a/src/network/libvirt.zone
> > +++ b/src/network/libvirt.zone
> > @@ -1,25 +1,12 @@
> >  <?xml version="1.0" encoding="utf-8"?>
> > -<zone target="ACCEPT">
> > +<zone>
> >    <short>libvirt</short>
> >  
> >    <description>
> > -    The default policy of "ACCEPT" allows all packets to/from
> > -    interfaces in the zone to be forwarded, while the (*low priority*)
> > -    reject rule blocks any traffic destined for the host, except those
> > -    services explicitly listed (that list can be modified as required
> > -    by the local admin). This zone is intended to be used only by
> > -    libvirt virtual networks - libvirt will add the bridge devices for
> > -    all new virtual networks to this zone by default.
> > +    This zone is intended to be used only by libvirt virtual networks -
> > +    libvirt will add the bridge devices for all new virtual networks to
> > +    this zone by default.
> >    </description>
> >  
> > -<rule priority='32767'>
> > -  <reject/>
> > -</rule>
> > -<protocol value='icmp'/>
> > -<protocol value='ipv6-icmp'/>
> > -<service name='dhcp'/>
> > -<service name='dhcpv6'/>
> > -<service name='dns'/>
> > -<service name='ssh'/>
> > -<service name='tftp'/>
> > +  <forward />
> >  </zone>
> > diff --git a/src/network/meson.build b/src/network/meson.build
> > index b5eff0c3ab6b..3dd342639a46 100644
> > --- a/src/network/meson.build
> > +++ b/src/network/meson.build
> > @@ -100,5 +100,15 @@ if conf.has('WITH_NETWORK')
> >        install_dir: prefix / 'lib' / 'firewalld' / 'zones',
> >        rename: [ 'libvirt.xml' ],
> >      )
> > +    install_data(
> > +      'libvirt-to-host.policy',
> > +      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
> > +      rename: [ 'libvirt-to-host.xml' ],
> > +    )
> > +    install_data(
> > +      'libvirt-nat-out.policy',
> > +      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
> > +      rename: [ 'libvirt-nat-out.xml' ],
> > +    )
> >    endif
> >  endif
> > -- 
> > 2.33.0
> > 
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 





[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux