[PATCH 1/4] network: firewalld: convert to policies

Eric Garver eric at garver.life
Wed May 11 15:41:52 UTC 2022


Convert the existing behavior into policies.

This commit has no functional changes.

Signed-off-by: Eric Garver <eric at garver.life>
---
 src/network/libvirt-nat-out.policy | 12 ++++++++++++
 src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
 src/network/libvirt.zone           | 23 +++++------------------
 src/network/meson.build            | 10 ++++++++++
 4 files changed, 47 insertions(+), 18 deletions(-)
 create mode 100644 src/network/libvirt-nat-out.policy
 create mode 100644 src/network/libvirt-to-host.policy

diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
new file mode 100644
index 000000000000..7d1cf6dfb4c4
--- /dev/null
+++ b/src/network/libvirt-nat-out.policy
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+  <short>libvirt-nat-out</short>
+
+  <description>
+    This policy is used to allow NAT virtual machine traffic to the
+    rest of the network.
+  </description>
+
+  <ingress-zone name="libvirt" />
+  <egress-zone name="ANY" />
+</policy>
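Review bot: The description at lines 32-33 calls this NAT traffic, but nothing in the policy is NAT-specific: with `target="ACCEPT"` and no rules it accepts every forwarded connection from any interface in the libvirt zone to any other zone, and libvirt adds the bridges of routed and open networks to the same zone. Suggest stating that plainly, e.g. `This policy accepts all forwarded traffic from interfaces in the libvirt zone (libvirt virtual networks) to any other zone; it carries no service restrictions.` If I recall correctly, policy objects and the `<forward />` zone element used in libvirt.zone need a firewalld release that supports them, whereas the previous zone file loaded on older daemons; a sentence in the commit message, or a version check in the installer, would spare admins from installing files the daemon rejects. The same point applies to the libvirt-to-host.policy and libvirt.zone hunks.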
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
new file mode 100644
index 000000000000..045b35d58d0d
--- /dev/null
+++ b/src/network/libvirt-to-host.policy
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="REJECT">
+  <short>libvirt-to-host</short>
+
+  <description>
+    This policy is used to filter traffic from virtual machines to the
+    host.
+  </description>
+
+  <ingress-zone name="libvirt" />
+  <egress-zone name="HOST" />
+
+  <protocol value='icmp'/>
+  <protocol value='ipv6-icmp'/>
+  <service name='dhcp'/>
+  <service name='dhcpv6'/>
+  <service name='dns'/>
+  <service name='ssh'/>
+  <service name='tftp'/>
+</policy>
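Review bot: The old zone implemented the reject as a low-priority rich rule (priority 32767) so that rules an admin added to the zone took precedence; with `target="REJECT"` on a policy, rules added to the libvirt zone no longer reach host-bound traffic, and the old sentence "(that list can be modified as required by the local admin)" was dropped rather than moved here. Suggest restoring it in the description, e.g. `Traffic from virtual machines to the host is rejected except for the services listed below; the list can be modified by the local admin, and changes belong in this policy rather than in the libvirt zone.` Whether a policy-level REJECT orders differently against other installed policies than the old rule did is not something I can confirm from this hunk alone.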
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index b1e84b52ecc9..4c5639d8a84f 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
@@ -1,25 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
-<zone target="ACCEPT">
+<zone>
   <short>libvirt</short>
 
   <description>
-    The default policy of "ACCEPT" allows all packets to/from
-    interfaces in the zone to be forwarded, while the (*low priority*)
-    reject rule blocks any traffic destined for the host, except those
-    services explicitly listed (that list can be modified as required
-    by the local admin). This zone is intended to be used only by
-    libvirt virtual networks - libvirt will add the bridge devices for
-    all new virtual networks to this zone by default.
+    This zone is intended to be used only by libvirt virtual networks -
+    libvirt will add the bridge devices for all new virtual networks to
+    this zone by default.
   </description>
 
-<rule priority='32767'>
-  <reject/>
-</rule>
-<protocol value='icmp'/>
-<protocol value='ipv6-icmp'/>
-<service name='dhcp'/>
-<service name='dhcpv6'/>
-<service name='dns'/>
-<service name='ssh'/>
-<service name='tftp'/>
+  <forward />
 </zone>
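Review bot: The shortened description at lines 83-85 no longer says how forwarding or host-bound traffic is handled, so a reader of the installed zone file has no pointer to the two policies that now do that. Suggest adding a sentence such as `Forwarding between interfaces in this zone is allowed by <forward />; traffic to other zones and to the host is governed by the libvirt-nat-out and libvirt-to-host policies.` Removing `target="ACCEPT"` also means the zone falls back to firewalld's default target, so any host-bound path the libvirt-to-host policy does not match is now decided by that default instead of an explicit accept; the commit message's "no functional changes" claim rests on the policies covering every path the old target did, which looks plausible but is worth stating explicitly.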
diff --git a/src/network/meson.build b/src/network/meson.build
index b5eff0c3ab6b..3dd342639a46 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -100,5 +100,15 @@ if conf.has('WITH_NETWORK')
       install_dir: prefix / 'lib' / 'firewalld' / 'zones',
       rename: [ 'libvirt.xml' ],
     )
+    install_data(
+      'libvirt-to-host.policy',
+      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+      rename: [ 'libvirt-to-host.xml' ],
+    )
+    install_data(
+      'libvirt-nat-out.policy',
+      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+      rename: [ 'libvirt-nat-out.xml' ],
+    )
   endif
 endif
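Review bot: The two new install_data() calls at lines 108-117 repeat the same install_dir and differ only in the base name, and the sibling zone install just above them is the third copy of that shape; a foreach over the policy names keeps the install directory in one place so a future policy cannot be installed into the wrong directory by a copy-paste slip. Both enclosing if blocks (`if conf.has('WITH_NETWORK')` and the inner one) begin outside the hunk.
```meson
    foreach policy : [ 'libvirt-to-host', 'libvirt-nat-out' ]
      install_data(
        policy + '.policy',
        install_dir: prefix / 'lib' / 'firewalld' / 'policies',
        rename: [ policy + '.xml' ],
      )
    endforeach
```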
-- 
2.33.0


