[PATCH 3/4] network: firewalld: add policies for routed networks

Daniel P. Berrangé berrange at redhat.com
Thu May 12 18:42:43 UTC 2022


On Wed, May 11, 2022 at 11:41:54AM -0400, Eric Garver wrote:
> Signed-off-by: Eric Garver <eric at garver.life>
> ---
>  src/network/libvirt-routed-in.policy  | 11 +++++++++++
>  src/network/libvirt-routed-out.policy | 12 ++++++++++++
>  src/network/meson.build               | 10 ++++++++++
>  3 files changed, 33 insertions(+)
>  create mode 100644 src/network/libvirt-routed-in.policy
>  create mode 100644 src/network/libvirt-routed-out.policy
> 
> diff --git a/src/network/libvirt-routed-in.policy b/src/network/libvirt-routed-in.policy
> new file mode 100644
> index 000000000000..baf8822d747c
> --- /dev/null
> +++ b/src/network/libvirt-routed-in.policy
> @@ -0,0 +1,11 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="ACCEPT">
> +  <short>libvirt-routed-out</short>
> +
> +  <description>
> +    This policy is used to allow routed traffic to the virtual machines.
> +  </description>
> +
> +  <ingress-zone name="ANY" />
> +  <egress-zone name="libvirt-routed" />
> +</policy>
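Review bot: the `<short>` name in this hunk does not match the file: `src/network/libvirt-routed-in.policy` declares `<short>libvirt-routed-out</short>`, while the egress-zone and description both describe the inbound direction. Change it to `<short>libvirt-routed-in</short>` so the two policies are distinguishable in `firewall-cmd` output and logs.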

Same as the NAT version of the policy, so makes sense.

> diff --git a/src/network/libvirt-routed-out.policy b/src/network/libvirt-routed-out.policy
> new file mode 100644
> index 000000000000..efa0030569d6
> --- /dev/null
> +++ b/src/network/libvirt-routed-out.policy
> @@ -0,0 +1,12 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<policy target="ACCEPT">
> +  <short>libvirt-routed-out</short>
> +
> +  <description>
> +    This policy is used to allow routed virtual machine traffic to the rest of
> +    the network.
> +  </description>
> +
> +  <ingress-zone name="libvirt-routed" />
> +  <egress-zone name="ANY" />
> +</policy>
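Review bot: this hunk's `<description>` says the policy allows VM traffic "to the rest of the network", but the policy body has no service or port restriction: `target="ACCEPT"` with `<ingress-zone name="libvirt-routed" />` and `<egress-zone name="ANY" />` accepts everything entering from the routed zone. The description should state explicitly whether `ANY` here covers host-bound traffic or only forwarded traffic, and where the VM-to-host service restriction (dns, dhcp, ssh) is enforced if not in this policy, so the intended scope can be checked against the file.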

This is much more permissive than what I expected. Doesn't
this allow the VMs to have unrestricted access to anything
on the host?

From a libvirt POV, the NAT and routed zones should be
identical, with the only difference being whether
masquerading is applied.

In terms of VM -> host, we still only want to allow the
small set of services, dns, dhcp, ssh AFAIK.



With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

