[PATCH 3/4] network: firewalld: add policies for routed networks

Eric Garver eric at garver.life
Thu May 12 18:56:28 UTC 2022


On Thu, May 12, 2022 at 07:42:43PM +0100, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:54AM -0400, Eric Garver wrote:
> > Signed-off-by: Eric Garver <eric at garver.life>
> > ---
> >  src/network/libvirt-routed-in.policy  | 11 +++++++++++
> >  src/network/libvirt-routed-out.policy | 12 ++++++++++++
> >  src/network/meson.build               | 10 ++++++++++
> >  3 files changed, 33 insertions(+)
> >  create mode 100644 src/network/libvirt-routed-in.policy
> >  create mode 100644 src/network/libvirt-routed-out.policy
> > 
> > diff --git a/src/network/libvirt-routed-in.policy b/src/network/libvirt-routed-in.policy
> > new file mode 100644
> > index 000000000000..baf8822d747c
> > --- /dev/null
> > +++ b/src/network/libvirt-routed-in.policy
> > @@ -0,0 +1,11 @@
> > +<?xml version="1.0" encoding="utf-8"?>
> > +<policy target="ACCEPT">
> > +  <short>libvirt-routed-out</short>
> > +
> > +  <description>
> > +    This policy is used to allow routed traffic to the virtual machines.
> > +  </description>
> > +
> > +  <ingress-zone name="ANY" />
> > +  <egress-zone name="libvirt-routed" />
> > +</policy>
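Review bot: the `<short>` in libvirt-routed-in.policy reads `libvirt-routed-out`, which is the name of the other new file; change it to `libvirt-routed-in` so the name firewalld displays for this policy matches the file and its description ("routed traffic to the virtual machines").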
> 
> Same as the NAT version of the policy so makes sense.
> 
> > diff --git a/src/network/libvirt-routed-out.policy b/src/network/libvirt-routed-out.policy
> > new file mode 100644
> > index 000000000000..efa0030569d6
> > --- /dev/null
> > +++ b/src/network/libvirt-routed-out.policy
> > @@ -0,0 +1,12 @@
> > +<?xml version="1.0" encoding="utf-8"?>
> > +<policy target="ACCEPT">
> > +  <short>libvirt-routed-out</short>
> > +
> > +  <description>
> > +    This policy is used to allow routed virtual machine traffic to the rest of
> > +    the network.
> > +  </description>
> > +
> > +  <ingress-zone name="libvirt-routed" />
> > +  <egress-zone name="ANY" />
> > +</policy>
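Review bot: with `<ingress-zone name="libvirt-routed" />` and `<egress-zone name="ANY" />`, the description "to the rest of the network" can be read as including the host itself, which is exactly the question raised in this thread; a sentence in the `<description>` stating that ANY covers forwarded traffic to other zones only, and that VM-to-host traffic is governed by the separate libvirt-to-host policy, would make the intent self-evident to whoever reads the installed file. The diffstat also lists 10 added lines in src/network/meson.build that are not in the quoted patch, so the install rule for these two files cannot be checked here.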
> 
> This is much more permissive than what I expected. Doesn't
> this allow the VMs to have unrestricted access to anything
> on the host ?

No. ANY means any zone. i.e. FORWARD.

There is another symbolic zone, HOST, that is used for INPUT.

> At a libvirt POV, the NAT and routed zones should be
> identical, with the only difference being whether
> masquerading is applied.

I think the additional difference is that routed allows connections
originating from outside (world -> libvirt) to the VMs. There is no "in"
policy for NAT for the same reason - they should always be denied.

In both NAT and routed, connections originating from VMs allow the
return path implicitly via conntrack state.

> In terms of VM -> host, we still only want to allow the
> small set of services, dns, dhcp, ssh AFAIK.

Right, that's covered by the libvirt-to-host policy and is common
between the NAT and routed networks.

> 
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 
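The distinction Eric draws above (ANY means any other zone, so a policy with an ANY ingress or egress governs forwarded traffic, while HOST names the host itself and is what an INPUT policy uses) can be checked mechanically. The following script is an added example, not part of the patch or of libvirt or firewalld; it parses firewalld policy XML of the shape shown in the patch, reports which chain a policy governs, and flags the `<short>`/filename mismatch in the posted "in" policy. The sample policies embedded in it are constructed copies of the patch plus one invented `example-to-host` policy; the names `summarize_policy`, `classify_chain` and `PolicySummary` are assumptions of this example.

```python
"""Summarize firewalld policy objects of the kind added in this patch (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed copy of libvirt-routed-in.policy as posted. Its <short> is kept
# exactly as in the patch so the checker has a real mismatch to report.
ROUTED_IN = """<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
  <short>libvirt-routed-out</short>
  <description>
    This policy is used to allow routed traffic to the virtual machines.
  </description>
  <ingress-zone name="ANY" />
  <egress-zone name="libvirt-routed" />
</policy>
"""

# Constructed copy of libvirt-routed-out.policy as posted.
ROUTED_OUT = """<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
  <short>libvirt-routed-out</short>
  <description>
    This policy is used to allow routed virtual machine traffic to the rest of
    the network.
  </description>
  <ingress-zone name="libvirt-routed" />
  <egress-zone name="ANY" />
</policy>
"""

# Constructed (not from the patch): egress is the host itself, so this policy
# governs INPUT rather than FORWARD.
TO_HOST = """<?xml version="1.0" encoding="utf-8"?>
<policy target="REJECT">
  <short>example-to-host</short>
  <ingress-zone name="libvirt-routed" />
  <egress-zone name="HOST" />
</policy>
"""


@dataclass
class PolicySummary:
    short: str
    target: str
    ingress: list
    egress: list
    chain: str
    warnings: list = field(default_factory=list)


def classify_chain(ingress, egress):
    """Map the zone pair onto the netfilter chain the policy governs.

    firewalld's symbolic zones: HOST is the host itself, ANY is any zone,
    i.e. forwarded traffic. A HOST egress means packets delivered to the host
    (INPUT); a HOST ingress means packets the host originates (OUTPUT);
    any other combination is FORWARD.
    """
    if "HOST" in egress:
        return "INPUT"
    if "HOST" in ingress:
        return "OUTPUT"
    return "FORWARD"


def summarize_policy(xml_text, filename):
    """Parse one policy file and return a PolicySummary with any warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        raise ValueError(f"{filename}: root element is <{root.tag}>, expected <policy>")
    short = (root.findtext("short") or "").strip()
    target = root.get("target", "CONTINUE")  # CONTINUE is firewalld's default when absent
    ingress = [z.get("name") for z in root.findall("ingress-zone")]
    egress = [z.get("name") for z in root.findall("egress-zone")]
    summary = PolicySummary(short, target, ingress, egress, classify_chain(ingress, egress))

    # The installed file name is what firewalld uses as the policy name, so the
    # human-readable <short> should agree with it.
    expected_short = filename.removesuffix(".policy")
    if short != expected_short:
        summary.warnings.append(f"<short> is '{short}' but file is '{filename}'")
    if not ingress or not egress:
        summary.warnings.append("policy needs at least one ingress and one egress zone")
    if "HOST" in ingress and "HOST" in egress:
        summary.warnings.append("HOST cannot be both ingress and egress")
    if target == "ACCEPT" and ingress == ["ANY"] and egress == ["ANY"]:
        summary.warnings.append("accepts all forwarded traffic between every zone")
    return summary


if __name__ == "__main__":
    for text, name in ((ROUTED_IN, "libvirt-routed-in.policy"),
                       (ROUTED_OUT, "libvirt-routed-out.policy"),
                       (TO_HOST, "example-to-host.policy")):
        s = summarize_policy(text, name)
        print(f"{name}: {s.chain} {' ,'.join(s.ingress)} -> {', '.join(s.egress)} "
              f"target={s.target} warnings={s.warnings}")
```

Run against the posted files, both routed policies classify as FORWARD, which is the point of Eric's reply: neither one can admit VM traffic to the host, because that requires a HOST egress, and the "in" policy is reported for its mismatched `<short>`.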