On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
Convert the existing behavior into policies.
Has this split of .zone vs .policy been something firewalld
always supported, or is it a "new" feature for some value
of "new" ?
Essentially wonder if this has any historical back compat
implications for libvirt, given the platforms we target
(2 most recent major releases of all distros, so RHEL >= 8
and equiv).
This commit has no functional changes.
Signed-off-by: Eric Garver <eric(a)garver.life>
---
src/network/libvirt-nat-out.policy | 12 ++++++++++++
src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
src/network/libvirt.zone | 23 +++++------------------
src/network/meson.build | 10 ++++++++++
4 files changed, 47 insertions(+), 18 deletions(-)
create mode 100644 src/network/libvirt-nat-out.policy
create mode 100644 src/network/libvirt-to-host.policy
diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
new file mode 100644
index 000000000000..7d1cf6dfb4c4
--- /dev/null
+++ b/src/network/libvirt-nat-out.policy
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+ <short>libvirt-nat-out</short>
+
+ <description>
+ This policy is used to allow NAT virtual machine traffic to the
+ rest of the network.
+ </description>
+
+ <ingress-zone name="libvirt" />
+ <egress-zone name="ANY" />
+</policy>
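Review bot: the description says this policy covers "NAT virtual machine traffic", but the match is purely ingress-zone "libvirt" to egress-zone "ANY", so it applies to every forwarded packet leaving a libvirt bridge regardless of whether the network is NAT, routed or open. Either word the description to say it allows forwarding from any libvirt network to the rest of the network, or note explicitly that the ACCEPT target is the replacement for the zone-level target="ACCEPT" forwarding behaviour so a reader of the policy file alone understands why it is unconditional.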
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
new file mode 100644
index 000000000000..045b35d58d0d
--- /dev/null
+++ b/src/network/libvirt-to-host.policy
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="REJECT">
+ <short>libvirt-to-host</short>
+
+ <description>
+ This policy is used to filter traffic from virtual machines to the
+ host.
+ </description>
+
+ <ingress-zone name="libvirt" />
+ <egress-zone name="HOST" />
+
+ <protocol value='icmp'/>
+ <protocol value='ipv6-icmp'/>
+ <service name='dhcp'/>
+ <service name='dhcpv6'/>
+ <service name='dns'/>
+ <service name='ssh'/>
+ <service name='tftp'/>
+</policy>
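Review bot: this drops the explanation that lived in the old zone description, namely that the listed services are the only host-bound traffic allowed and that "that list can be modified as required by the local admin". Since this file is now where an admin would look when deciding which host services VMs may reach, please carry that sentence over into this <description> so the editable list is documented where it now lives.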
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index b1e84b52ecc9..4c5639d8a84f 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
@@ -1,25 +1,12 @@
<?xml version="1.0" encoding="utf-8"?>
-<zone target="ACCEPT">
+<zone>
<short>libvirt</short>
<description>
- The default policy of "ACCEPT" allows all packets to/from
- interfaces in the zone to be forwarded, while the (*low priority*)
- reject rule blocks any traffic destined for the host, except those
- services explicitly listed (that list can be modified as required
- by the local admin). This zone is intended to be used only by
- libvirt virtual networks - libvirt will add the bridge devices for
- all new virtual networks to this zone by default.
+ This zone is intended to be used only by libvirt virtual networks -
+ libvirt will add the bridge devices for all new virtual networks to
+ this zone by default.
</description>
-<rule priority='32767'>
- <reject/>
-</rule>
-<protocol value='icmp'/>
-<protocol value='ipv6-icmp'/>
-<service name='dhcp'/>
-<service name='dhcpv6'/>
-<service name='dns'/>
-<service name='ssh'/>
-<service name='tftp'/>
+ <forward />
</zone>
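Review bot: removing target="ACCEPT" without stating the resulting target makes it hard to verify the "no functional changes" claim in the commit message. The old zone combined an ACCEPT target with a priority 32767 reject rule and a service list; the new file keeps only <forward /> and relies on the two policies for the rest, so the commit message should spell out that mapping (ACCEPT forwarding -> libvirt-nat-out, low-priority reject plus services -> libvirt-to-host, intra-zone forwarding -> <forward />) and name the minimum firewalld version that understands <forward /> and .policy files, which also answers the compatibility question raised above.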
diff --git a/src/network/meson.build b/src/network/meson.build
index b5eff0c3ab6b..3dd342639a46 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -100,5 +100,15 @@ if conf.has('WITH_NETWORK')
install_dir: prefix / 'lib' / 'firewalld' / 'zones',
rename: [ 'libvirt.xml' ],
)
+ install_data(
+ 'libvirt-to-host.policy',
+ install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+ rename: [ 'libvirt-to-host.xml' ],
+ )
+ install_data(
+ 'libvirt-nat-out.policy',
+ install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+ rename: [ 'libvirt-nat-out.xml' ],
+ )
endif
endif
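Review bot: the two install_data() calls differ only in the base name; a foreach over [ 'libvirt-to-host', 'libvirt-nat-out' ] building the source name and rename from the same string would avoid keeping two copies in sync. Also, prefix / 'lib' / 'firewalld' / 'policies' is a new install directory for this tree, so the packaging file list should be updated in the same series.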
--
2.33.0
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|