On Wed, Jan 09, 2019 at 09:57:36PM -0500, Laine Stump wrote:
From: Laine Stump <laine(a)redhat.com>
[..]
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
new file mode 100644
index 0000000000..1750ba2f06
--- /dev/null
+++ b/src/network/libvirt.zone
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+ <short>libvirt</short>
+ <description>The default policy of "ACCEPT" allows all packets to/from
interfaces in the zone to be forwarded, while the (*low priority*) reject rule blocks any
traffic destined for the host, except those services explicitly listed (that list can be
modified as required by the local admin). This zone is intended to be used only by libvirt
virtual networks - libvirt will add the bridge devices for all new virtual networks to
this zone by default.</description>
+
+<rule priority='127'>
The valid priority range is [-32768, 32767]. You may want to change this
to 32767 to make sure it's the lowest precedence possible.
Although, since libvirt completely controls this zone, it won't matter
unless libvirt or the user adds other rich rules.
+ <reject/>
+</rule>
+<service name='dhcp'/>
+<service name='dhcpv6'/>
+<service name='dns'/>
+<service name='ssh'/>
+<service name='tftp'/>
+</zone>
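Review bot: The `<service name='ssh'/>` entry deserves a sentence of rationale in the `<description>` (or a comment in the file): dhcp, dhcpv6, dns and tftp are the services libvirt's own dnsmasq serves to guests on the bridge, but ssh is an unrelated host service, so listing it means every guest on a libvirt virtual network can reach the host's sshd by default, which a least-privilege default would leave for the local admin to opt into. While touching the file, the attribute quoting is mixed (`target="ACCEPT"` uses double quotes, `priority='127'` and the `name='...'` attributes use single quotes); picking one style keeps the zone consistent with firewalld's own shipped zone files.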
--
2.20.1