[PATCH 1/4] network: firewalld: convert to policies

Daniel P. Berrangé berrange at redhat.com
Wed May 11 16:15:25 UTC 2022


On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> Convert the existing behavior into policies.

Has this split of .zone vs .policy been something firewalld
always supported, or is it a "new" feature for some value
of "new"?

Essentially wonder if this has any historical back compat
implications for libvirt, given the platforms we target
(2 most recent major releases of all distros, so RHEL >= 8
 and equiv).

> 
> This commit has no functional changes.
> 
> Signed-off-by: Eric Garver <eric at garver.life>
> ---
>  src/network/libvirt-nat-out.policy | 12 ++++++++++++
>  src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
>  src/network/libvirt.zone           | 23 +++++------------------
>  src/network/meson.build            | 10 ++++++++++
>  4 files changed, 47 insertions(+), 18 deletions(-)
>  create mode 100644 src/network/libvirt-nat-out.policy
>  create mode 100644 src/network/libvirt-to-host.policy
> 
> diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
> new file mode 100644
> index 000000000000..7d1cf6dfb4c4
> --- /dev/null
> +++ b/src/network/libvirt-nat-out.policy
> @@ -0,0 +1,12 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="ACCEPT">
> +  <short>libvirt-nat-out</short>
> +
> +  <description>
> +    This policy is used to allow NAT virtual machine traffic to the
> +    rest of the network.
> +  </description>
> +
> +  <ingress-zone name="libvirt" />
> +  <egress-zone name="ANY" />
> +</policy>
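Review bot: the description promises to "allow NAT virtual machine traffic", but the policy body only sets target="ACCEPT" for ingress-zone libvirt to egress-zone ANY; nothing in it performs address translation. If the NAT itself is done by the rules libvirt installs for the network, say so in the description so an admin auditing this file does not go looking for a <masquerade/> element. It would also help to state that this policy takes over the forwarding behaviour previously provided by target="ACCEPT" on the libvirt zone, since the commit message claims no functional change and the reader otherwise has to diff the two files to see where that behaviour went.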
> diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
> new file mode 100644
> index 000000000000..045b35d58d0d
> --- /dev/null
> +++ b/src/network/libvirt-to-host.policy
> @@ -0,0 +1,20 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="REJECT">
> +  <short>libvirt-to-host</short>
> +
> +  <description>
> +    This policy is used to filter traffic from virtual machines to the
> +    host.
> +  </description>
> +
> +  <ingress-zone name="libvirt" />
> +  <egress-zone name="HOST" />
> +
> +  <protocol value='icmp'/>
> +  <protocol value='ipv6-icmp'/>
> +  <service name='dhcp'/>
> +  <service name='dhcpv6'/>
> +  <service name='dns'/>
> +  <service name='ssh'/>
> +  <service name='tftp'/>
> +</policy>
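Review bot: the sentence from the old libvirt.zone description saying the service list "can be modified as required by the local admin" is dropped in this series and not carried over here; with target="REJECT" this policy's allow list is now the place where such additions have to go, so the description should say that explicitly (e.g. "local admins who need further host services reachable from guests should add them to this policy"). Minor style point: attribute quoting is mixed, double quotes on <policy target="REJECT"> and the zone elements, single quotes on <protocol value='icmp'/> and <service name='dhcp'/>; pick one for the new files.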
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> index b1e84b52ecc9..4c5639d8a84f 100644
> --- a/src/network/libvirt.zone
> +++ b/src/network/libvirt.zone
> @@ -1,25 +1,12 @@
>  <?xml version="1.0" encoding="utf-8"?>
> -<zone target="ACCEPT">
> +<zone>
>    <short>libvirt</short>
>  
>    <description>
> -    The default policy of "ACCEPT" allows all packets to/from
> -    interfaces in the zone to be forwarded, while the (*low priority*)
> -    reject rule blocks any traffic destined for the host, except those
> -    services explicitly listed (that list can be modified as required
> -    by the local admin). This zone is intended to be used only by
> -    libvirt virtual networks - libvirt will add the bridge devices for
> -    all new virtual networks to this zone by default.
> +    This zone is intended to be used only by libvirt virtual networks -
> +    libvirt will add the bridge devices for all new virtual networks to
> +    this zone by default.
>    </description>
>  
> -<rule priority='32767'>
> -  <reject/>
> -</rule>
> -<protocol value='icmp'/>
> -<protocol value='ipv6-icmp'/>
> -<service name='dhcp'/>
> -<service name='dhcpv6'/>
> -<service name='dns'/>
> -<service name='ssh'/>
> -<service name='tftp'/>
> +  <forward />
>  </zone>
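Review bot: the shortened description loses the explanation of how guest-to-host traffic is filtered and how forwarding is allowed, which the removed text carried; since the zone file is what an admin finds first, add a sentence pointing at libvirt-to-host and libvirt-nat-out as the policies that now hold the reject rule and the forwarding accept. It would also be worth a short note on why `<forward />` is added alongside the removal of target="ACCEPT", i.e. what traffic it is meant to cover on its own (traffic between the zone's own interfaces, if that is the intent) versus what is now left to the policies.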
> diff --git a/src/network/meson.build b/src/network/meson.build
> index b5eff0c3ab6b..3dd342639a46 100644
> --- a/src/network/meson.build
> +++ b/src/network/meson.build
> @@ -100,5 +100,15 @@ if conf.has('WITH_NETWORK')
>        install_dir: prefix / 'lib' / 'firewalld' / 'zones',
>        rename: [ 'libvirt.xml' ],
>      )
> +    install_data(
> +      'libvirt-to-host.policy',
> +      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
> +      rename: [ 'libvirt-to-host.xml' ],
> +    )
> +    install_data(
> +      'libvirt-nat-out.policy',
> +      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
> +      rename: [ 'libvirt-nat-out.xml' ],
> +    )
>    endif
>  endif
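Review bot: the two install_data() calls differ only in the file name, so a foreach over the policy names with a single install_dir and rename would avoid the duplication and make adding a third policy a one-line change. More importantly for the question raised above, both policies are installed in the same branch as the zone, so on a firewalld that does not read the policies directory the zone alone would be installed with its reject rule and explicit service list gone; if that combination is possible on any targeted platform, the build or the documentation should call it out.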
> -- 
> 2.33.0
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

