On Thu, May 12, 2022 at 07:42:43PM +0100, Daniel P. Berrangé wrote: > On Wed, May 11, 2022 at 11:41:54AM -0400, Eric Garver wrote: > > Signed-off-by: Eric Garver <eric@xxxxxxxxxxx> > > --- > > src/network/libvirt-routed-in.policy | 11 +++++++++++ > > src/network/libvirt-routed-out.policy | 12 ++++++++++++ > > src/network/meson.build | 10 ++++++++++ > > 3 files changed, 33 insertions(+) > > create mode 100644 src/network/libvirt-routed-in.policy > > create mode 100644 src/network/libvirt-routed-out.policy > > > > diff --git a/src/network/libvirt-routed-in.policy b/src/network/libvirt-routed-in.policy > > new file mode 100644 > > index 000000000000..baf8822d747c > > --- /dev/null > > +++ b/src/network/libvirt-routed-in.policy > > @@ -0,0 +1,11 @@ > > +<?xml version="1.0" encoding="utf-8"?> > > +<policy target="ACCEPT"> > > + <short>libvirt-routed-out</short> > > + > > + <description> > > + This policy is used to allow routed traffic to the virtual machines. > > + </description> > > + > > + <ingress-zone name="ANY" /> > > + <egress-zone name="libvirt-routed" /> > > +</policy> > > Same as the NAT version of the policy so makes sense. > > > diff --git a/src/network/libvirt-routed-out.policy b/src/network/libvirt-routed-out.policy > > new file mode 100644 > > index 000000000000..efa0030569d6 > > --- /dev/null > > +++ b/src/network/libvirt-routed-out.policy 
> > @@ -0,0 +1,12 @@ > > +<?xml version="1.0" encoding="utf-8"?> > > +<policy target="ACCEPT"> > > + <short>libvirt-routed-out</short> > > + > > + <description> > > + This policy is used to allow routed virtual machine traffic to the rest of > > + the network. > > + </description> > > + > > + <ingress-zone name="libvirt-routed" /> > > + <egress-zone name="ANY" /> > > +</policy> > > This is much more permissive than what I expected. Doesn't > this allow the VMs to have unrestricted access to anything > on the host ? No. ANY means any zone. i.e. FORWARD. There is another symbolic zone, HOST, that is used for INPUT. > At a libvirt POV, the NAT and routed zones should be > identical, with the only difference being whether > masquerading is applied. I think the additional difference is that routed allows connections originating from outside (world -> libvirt) to the VMs. There is no "in" policy for NAT for the same reason - they should always be denied. In both NAT and routed, connections originating from VMs allow the return path implicitly via conntrack state. > In terms of VM -> host, we still only want to allow the > small set of services, dns, dhcp, ssh AFAIK. Right, that's covered by the libvirt-to-host policy and is common between the NAT and routed networks. > > > With regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| > |: https://libvirt.org -o- https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| >
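Review bot: in the libvirt-routed-in.policy hunk the `<short>` element reads `libvirt-routed-out`, which looks copied from the sibling file; it should be `libvirt-routed-in` so the two policies are distinguishable in firewalld listings. Since this policy combines `target="ACCEPT"`, `<ingress-zone name="ANY" />` and `<egress-zone name="libvirt-routed" />`, it accepts connections initiated from any zone towards the VMs, which the reply confirms is the intended difference from the NAT network (which has no "in" policy at all); the `<description>` should say so explicitly, e.g. "allow connections from any zone to the routed virtual machines", so an administrator enabling a routed network understands the exposure.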
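Review bot: in the libvirt-routed-out.policy hunk the `<description>` ("to the rest of the network") prompted the review question about VM-to-host access; since `<egress-zone name="ANY" />` covers forwarded zones only and the HOST symbolic zone is governed by the separate libvirt-to-host policy, stating that in the description (e.g. "forward traffic from the libvirt-routed zone to any zone; access to the host itself is controlled by libvirt-to-host") would spare future readers the same question.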
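A small lint pass over firewalld policy XML of the kind shown in the patch, added here as an illustration and not part of the libvirt or firewalld code: it flags a `<short>` name that does not match the file stem (the copy-paste slip visible in libvirt-routed-in.policy) and reports where an ACCEPT policy uses the ANY zone on ingress or egress, following the thread's explanation that ANY covers forwarded zones while HOST is a separate symbolic zone. The finding codes and the `lint_policy` helper are my own naming; the two sample policies are constructed copies of the hunks.

```python
"""Lint firewalld policy XML for name mismatches and ANY-zone exposure."""
import xml.etree.ElementTree as ET

# Constructed samples: the two policy files from the patch, keyed by file stem.
POLICIES = {
    "libvirt-routed-in": """<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
  <short>libvirt-routed-out</short>
  <description>This policy is used to allow routed traffic to the virtual machines.</description>
  <ingress-zone name="ANY" />
  <egress-zone name="libvirt-routed" />
</policy>""",
    "libvirt-routed-out": """<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
  <short>libvirt-routed-out</short>
  <description>This policy is used to allow routed virtual machine traffic to the rest of the network.</description>
  <ingress-zone name="libvirt-routed" />
  <egress-zone name="ANY" />
</policy>""",
}


def parse_policy(xml_text):
    """Return target, short name and zone lists from one policy document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {
        "target": root.get("target"),
        "short": (root.findtext("short") or "").strip(),
        "ingress": [z.get("name") for z in root.findall("ingress-zone")],
        "egress": [z.get("name") for z in root.findall("egress-zone")],
    }


def lint_policy(stem, xml_text):
    """Return (code, message) findings for the policy stored as <stem>.policy."""
    pol = parse_policy(xml_text)
    findings = []
    if pol["short"] != stem:
        findings.append(("SHORT_MISMATCH",
                         f"<short> is '{pol['short']}' but file is {stem}.policy"))
    if pol["target"] == "ACCEPT" and "ANY" in pol["ingress"]:
        # ANY on ingress: connections initiated from every zone are accepted
        # towards the egress zone (here: the routed VMs).
        findings.append(("INBOUND_FROM_ANY",
                         f"accepts unsolicited inbound from any zone into {pol['egress']}"))
    if pol["target"] == "ACCEPT" and "ANY" in pol["egress"]:
        # ANY on egress: forwards to every zone; per the thread HOST is a
        # separate symbolic zone and is not covered by ANY.
        findings.append(("FORWARD_TO_ANY",
                         f"forwards from {pol['ingress']} to any zone (HOST excluded)"))
    return findings


if __name__ == "__main__":
    for stem, text in POLICIES.items():
        for code, msg in lint_policy(stem, text):
            print(f"{stem}.policy: {code}: {msg}")
```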