[libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile

Eric Garver egarver at redhat.com
Thu Feb 14 19:55:28 UTC 2019


On Thu, Feb 14, 2019 at 02:46:22PM -0500, Laine Stump wrote:
> The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
> following:
> 
> 1) lists specific services it wants to allow, then
> 
> 2) uses a lower priority <reject/> rule to block all other services to
>    the host, and then finally,
> 
> 3) relies on the zone's default "accept" policy to accept all
>    forwarded traffic (since forwarded traffic is ignored by the
>    slightly higher priority <reject/> rule in (2)).
> 
> I had assumed that icmp traffic was either being allowed at the top of
> the rules, or that it would be ignored by the <reject/> rule and
> passed by the default accept policy (similar to forwarded traffic),
> but this assumption was incorrect; the <reject/> rule does block icmp
> traffic. This became apparent when DHCPv6 (which requires ICMPv6 in
> addition to udp/dhcpv6) failed to work.
> 
> This all means that in order to achieve our original goal of "similar
> behavior to a default reject policy, but also allowing forwarded
> traffic", we need to add rules to allow all icmp and icmpv6 traffic to
> the libvirt zone, and that's what this patch does.
> 
> This is a further refinement of the resolution to
> https://bugzilla.redhat.com/1650320
> 
> Signed-off-by: Laine Stump <laine at laine.org>
> ---
>  src/network/libvirt.zone | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> index bf81db1b6e..b1e84b52ec 100644
> --- a/src/network/libvirt.zone
> +++ b/src/network/libvirt.zone
> @@ -15,6 +15,8 @@
>  <rule priority='32767'>
>    <reject/>
>  </rule>
> +<protocol value='icmp'/>
> +<protocol value='ipv6-icmp'/>
>  <service name='dhcp'/>
>  <service name='dhcpv6'/>
>  <service name='dns'/>
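Review bot: the two new `<protocol value='icmp'/>` and `<protocol value='ipv6-icmp'/>` lines accept every ICMP and ICMPv6 type, not only the neighbor-discovery and router-advertisement messages that DHCPv6 depends on, and nothing in the zone file records why; a short comment next to them in libvirt.zone, stating that all icmp/icmpv6 is admitted on purpose to match the "default reject, but allow forwarded traffic" goal from the commit message, would keep a later reader from narrowing the list or treating the lines as an oversight. It is also worth noting in that comment that, unlike the `<reject/>` rich rule above them, `<protocol>` entries carry no priority, so their ordering relative to the reject rule in the file is not what makes them take effect.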
> -- 
> 2.20.1

LGTM. Sorry I didn't catch it the first time around.

Acked-by: Eric Garver <eric at garver.life>
