[libvirt] [PATCH 4/5] network: regain guest network connectivity after firewalld switch to nftables

Eric Garver egarver at redhat.com
Mon Jan 14 21:09:23 UTC 2019


On Wed, Jan 09, 2019 at 09:57:36PM -0500, Laine Stump wrote:
> From: Laine Stump <laine at redhat.com>
[..]
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> new file mode 100644
> index 0000000000..1750ba2f06
> --- /dev/null
> +++ b/src/network/libvirt.zone
> @@ -0,0 +1,14 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<zone target="ACCEPT">
> +  <short>libvirt</short>
> +  <description>The default policy of "ACCEPT" allows all packets to/from interfaces in the zone to be forwarded, while the (*low priority*) reject rule blocks any traffic destined for the host, except those services explicitly listed (that list can be modified as required by the local admin). This zone is intended to be used only by libvirt virtual networks - libvirt will add the bridge devices for all new virtual networks to this zone by default.</description>
> +
> +<rule priority='127'>

The valid priority range is [-32768, 32767]. You may want to change this
to 32767 to make sure it's the lowest precedence possible.

Although, since libvirt completely controls this zone it won't matter
unless libvirt or the user adds other rich rules.

> +  <reject/>
> +</rule>
> +<service name='dhcp'/>
> +<service name='dhcpv6'/>
> +<service name='dns'/>
> +<service name='ssh'/>
> +<service name='tftp'/>
> +</zone>
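Review bot: the `<service name='ssh'/>` entry means every guest on a libvirt virtual network can reach the host's sshd by default, since the description says everything destined for the host is rejected except the listed services; if that is intended for a default zone it deserves a sentence of rationale in `<description>`, otherwise consider leaving ssh out so the local admin opts in rather than out. The rest of the file reads correctly given the `target="ACCEPT"` semantics described, but the description is a single very long line and would be easier to maintain wrapped.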
> -- 
> 2.20.1
> 
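The point raised above about rich rule priority is easy to check mechanically. The following Python is an added example (not libvirt's or firewalld's code) that parses a firewalld zone XML file, flags rule priorities outside the range quoted in the review, and reports whether a reject rule still sits at the lowest precedence once other rich rules are present. The zone documents are constructed inline: one mirrors the patch, one adds a hypothetical admin rule, one carries an out-of-range priority.

```python
import xml.etree.ElementTree as ET

# Bounds of the firewalld rich rule priority as stated in the review.
PRIORITY_MIN, PRIORITY_MAX = -32768, 32767

# Constructed sample: the zone from the patch, reduced to its rule and services.
PATCH_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>libvirt</short>
  <rule priority='127'>
    <reject/>
  </rule>
  <service name='dhcp'/>
  <service name='dns'/>
</zone>
"""

# Constructed sample: the same zone after a hypothetical local admin adds a
# rich rule with a higher priority value, which is now evaluated after the reject.
ADMIN_ZONE = PATCH_ZONE.replace(
    "</zone>",
    "  <rule priority='200'>\n    <accept/>\n  </rule>\n</zone>",
)

# Constructed sample: a priority outside the valid range.
BAD_ZONE = PATCH_ZONE.replace("priority='127'", "priority='40000'")

ACTIONS = ("accept", "reject", "drop", "mark")


def zone_rules(xml_text):
    """Return a list of (priority, action) for every rich rule in the zone.

    firewalld treats a rule without a priority attribute as priority 0.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("rule"):
        priority = int(rule.get("priority", "0"))
        action = next((child.tag for child in rule if child.tag in ACTIONS), None)
        rules.append((priority, action))
    return rules


def out_of_range(rules):
    """Rules whose priority falls outside [PRIORITY_MIN, PRIORITY_MAX]."""
    return [(p, a) for p, a in rules if not PRIORITY_MIN <= p <= PRIORITY_MAX]


def evaluation_order(rules):
    """Rules in the order firewalld evaluates them: lower values first."""
    return sorted(rules, key=lambda r: r[0])


def reject_is_last(rules):
    """True if a reject rule has the lowest precedence of all rich rules."""
    ordered = evaluation_order(rules)
    return bool(ordered) and ordered[-1][1] == "reject"


def audit(xml_text):
    """Summarise the checks a reviewer would run over one zone file."""
    rules = zone_rules(xml_text)
    return {
        "rules": evaluation_order(rules),
        "out_of_range": out_of_range(rules),
        "reject_is_last": reject_is_last(rules),
    }


if __name__ == "__main__":
    for name, zone in (("patch", PATCH_ZONE), ("admin", ADMIN_ZONE), ("bad", BAD_ZONE)):
        print(name, audit(zone))
```

Running it shows the patch zone passing both checks, the admin zone demonstrating why a reject at 127 stops being last once someone adds a rule at 200, and the bad zone being caught by the range check; a priority of 32767 on the reject would keep it last for any in-range rule an admin could add.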