11:53 a.m.
On Wed, May 11, 2022 at 05:15:25PM +0100, Daniel P. Berrangé wrote:
On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> Convert the existing behavior into policies.
Has this split of .zone vs .policy been something firewalld
always supported, or is it a "new" feature for some value
of "new" ?
Policies are new in firewalld-0.9.0.
https://firewalld.org/2020/09/policy-objects-introduction
Policies supplement zones. They do not split or replace them.
Essentially wonder if this has any historical back compat
implications for libvirt, given the platforms we target
(2 most recent major releases of all distros, so RHEL >= 8
and equiv).
The original zone definition requires firewalld >= 0.7.0. So the
versions we need to worry about with this change are 0.7.z through
0.8.z.
At least these distributions (probably non-exhaustive list) have a
firewalld version in that range:
Ubuntu:
- focal (20.04 LTS) has 0.8.2
- this is 3 major releases ago, but 2 LTS releases ago
--
The below distributions should be "good to go":
RHEL/Fedora:
- RHEL-8 and RHEL-9 have >= 0.9.0.
- f34 and later have >= 0.9.0.
Debian:
- stable (11, bullseye) has 0.9.2.
- oldstable (10, buster) has 0.6.3
- defaults to iptables backend [1] so even the original zone is not
necessary
Ubuntu:
- jammy (22.04 LTS) has 1.1.1
- impish (21.10) has 0.9.3
SUSE:
- 15 SP4 has 0.9.3
- 12 SP5 has 0.4.3.3 (too old to care)
Note: I didn't investigate rolling release distributions, e.g. Arch,
Gentoo
[1]:
https://salsa.debian.org/utopia-team/firewalld/-/blob/17fc3126d6eab159f6c...
>
> This commit has no functional changes.
>
> Signed-off-by: Eric Garver <eric(a)garver.life>
> ---
> src/network/libvirt-nat-out.policy | 12 ++++++++++++
> src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
> src/network/libvirt.zone | 23 +++++------------------
> src/network/meson.build | 10 ++++++++++
> 4 files changed, 47 insertions(+), 18 deletions(-)
> create mode 100644 src/network/libvirt-nat-out.policy
> create mode 100644 src/network/libvirt-to-host.policy
>
> diff --git a/src/network/libvirt-nat-out.policy
b/src/network/libvirt-nat-out.policy
> new file mode 100644
> index 000000000000..7d1cf6dfb4c4
> --- /dev/null
> +++ b/src/network/libvirt-nat-out.policy
> @@ -0,0 +1,12 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="ACCEPT">
> + <short>libvirt-nat-out</short>
> +
> + <description>
> + This policy is used to allow NAT virtual machine traffic to the
> + rest of the network.
> + </description>
> +
> + <ingress-zone name="libvirt" />
> + <egress-zone name="ANY" />
> +</policy>
> diff --git a/src/network/libvirt-to-host.policy
b/src/network/libvirt-to-host.policy
> new file mode 100644
> index 000000000000..045b35d58d0d
> --- /dev/null
> +++ b/src/network/libvirt-to-host.policy
> @@ -0,0 +1,20 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="REJECT">
> + <short>libvirt-to-host</short>
> +
> + <description>
> + This policy is used to filter traffic from virtual machines to the
> + host.
> + </description>
> +
> + <ingress-zone name="libvirt" />
> + <egress-zone name="HOST" />
> +
> + <protocol value='icmp'/>
> + <protocol value='ipv6-icmp'/>
> + <service name='dhcp'/>
> + <service name='dhcpv6'/>
> + <service name='dns'/>
> + <service name='ssh'/>
> + <service name='tftp'/>
> +</policy>
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> index b1e84b52ecc9..4c5639d8a84f 100644
> --- a/src/network/libvirt.zone
> +++ b/src/network/libvirt.zone
> @@ -1,25 +1,12 @@
> <?xml version="1.0" encoding="utf-8"?>
> -<zone target="ACCEPT">
> +<zone>
> <short>libvirt</short>
>
> <description>
> - The default policy of "ACCEPT" allows all packets to/from
> - interfaces in the zone to be forwarded, while the (*low priority*)
> - reject rule blocks any traffic destined for the host, except those
> - services explicitly listed (that list can be modified as required
> - by the local admin). This zone is intended to be used only by
> - libvirt virtual networks - libvirt will add the bridge devices for
> - all new virtual networks to this zone by default.
> + This zone is intended to be used only by libvirt virtual networks -
> + libvirt will add the bridge devices for all new virtual networks to
> + this zone by default.
> </description>
>
> -<rule priority='32767'>
> - <reject/>
> -</rule>
> -<protocol value='icmp'/>
> -<protocol value='ipv6-icmp'/>
> -<service name='dhcp'/>
> -<service name='dhcpv6'/>
> -<service name='dns'/>
> -<service name='ssh'/>
> -<service name='tftp'/>
> + <forward />
> </zone>
> diff --git a/src/network/meson.build b/src/network/meson.build
> index b5eff0c3ab6b..3dd342639a46 100644
> --- a/src/network/meson.build
> +++ b/src/network/meson.build
> @@ -100,5 +100,15 @@ if conf.has('WITH_NETWORK')
> install_dir: prefix / 'lib' / 'firewalld' / 'zones',
> rename: [ 'libvirt.xml' ],
> )
> + install_data(
> + 'libvirt-to-host.policy',
> + install_dir: prefix / 'lib' / 'firewalld' /
'policies',
> + rename: [ 'libvirt-to-host.xml' ],
> + )
> + install_data(
> + 'libvirt-nat-out.policy',
> + install_dir: prefix / 'lib' / 'firewalld' /
'policies',
> + rename: [ 'libvirt-nat-out.xml' ],
> + )
> endif
> endif
> --
> 2.33.0
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|