[PATCH 1/4] network: firewalld: convert to policies

Eric Garver eric at garver.life
Thu May 12 19:38:36 UTC 2022


I'm adding this text here in hopes that Mimecast no longer thinks this
email is s-p-a-m. My replies are inline below. :)

On Thu, May 12, 2022 at 07:35:03PM +0100, Daniel P. Berrangé wrote:
> On Wed, May 11, 2022 at 11:41:52AM -0400, Eric Garver wrote:
> > Convert the existing behavior into policies.
> > 
> > This commit has no functional changes.
> > 
> > Signed-off-by: Eric Garver <eric at garver.life>
> > ---
> >  src/network/libvirt-nat-out.policy | 12 ++++++++++++
> >  src/network/libvirt-to-host.policy | 20 ++++++++++++++++++++
> >  src/network/libvirt.zone           | 23 +++++------------------
> >  src/network/meson.build            | 10 ++++++++++
> >  4 files changed, 47 insertions(+), 18 deletions(-)
> >  create mode 100644 src/network/libvirt-nat-out.policy
> >  create mode 100644 src/network/libvirt-to-host.policy
> > 
> > diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
> > new file mode 100644
> > index 000000000000..7d1cf6dfb4c4
> > --- /dev/null
> > +++ b/src/network/libvirt-nat-out.policy
> > @@ -0,0 +1,12 @@
> > +<?xml version="1.0" encoding="utf-8"?>
> > +<policy target="ACCEPT">
> > +  <short>libvirt-nat-out</short>
> > +
> > +  <description>
> > +    This policy is used to allow NAT virtual machine traffic to the
> > +    rest of the network.
> > +  </description>
> > +
> > +  <ingress-zone name="libvirt" />
> > +  <egress-zone name="ANY" />
> > +</policy>
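Review bot: the description says this policy is "used to allow NAT virtual machine traffic", but nothing in the policy performs NAT (there is no masquerade element); what it actually does is forward from the libvirt zone to every other zone, and since `<egress-zone name="ANY" />` covers all zones except HOST, that scope should be stated plainly so readers do not assume it also governs host-bound or host-originated traffic. Suggest something like `This policy forwards traffic from virtual machines in the libvirt zone to any other zone; NAT is applied elsewhere.` and naming where the masquerading happens.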
> 
> The 'libvirt' zone contains the host bridge device (virbr0, IP address
> 192.168.122.1). The VMs are implicitly in 'libvirt' zone because their
> TAP devices are members of virbr0.
> 
> So this policy allows traffic originating in the VMs to be forwarded to
> any other zone.
> 
> IIUC, it would also allow traffic originating from the host via the
> virbr0 device to forward to any other zone. In practice the only
> traffic originating on the host from virbr0 should be traffic
> destined for the guest.

No. That's OUTPUT traffic and would require a policy with
ingress-zones=HOST.

ANY excludes HOST (INPUT, OUTPUT).

> Is it possible to force traffic on host destined for the LAN to
> originate in virbr0, and forward with NAT, instead of just
> originating in eth0 and get onto the LAN without forwarding ?
> If it is possible, do we actually care ?

I don't think it's possible. But I'm not certain.

The traffic should be OUTPUT.

> > diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
> > new file mode 100644
> > index 000000000000..045b35d58d0d
> > --- /dev/null
> > +++ b/src/network/libvirt-to-host.policy
> > @@ -0,0 +1,20 @@
> > +<?xml version="1.0" encoding="utf-8"?>
> > +<policy target="REJECT">
> > +  <short>libvirt-to-host</short>
> > +
> > +  <description>
> > +    This policy is used to filter traffic from virtual machines to the
> > +    host.
> > +  </description>
> > +
> > +  <ingress-zone name="libvirt" />
> > +  <egress-zone name="HOST" />
> > +
> > +  <protocol value='icmp'/>
> > +  <protocol value='ipv6-icmp'/>
> > +  <service name='dhcp'/>
> > +  <service name='dhcpv6'/>
> > +  <service name='dns'/>
> > +  <service name='ssh'/>
> > +  <service name='tftp'/>
> > +</policy>
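Review bot: the description "filter traffic from virtual machines to the host" undersells what the file does; with `target="REJECT"` this is a default-deny allowlist where only icmp, ipv6-icmp, dhcp, dhcpv6, dns, ssh and tftp reach the host, and the description should say so, since ssh in particular is a deliberate exposure an admin may want to trim. Style point: `<ingress-zone name="libvirt" />` and `<egress-zone name="HOST" />` use double quotes while `<protocol value='icmp'/>` and the service lines use single quotes; pick one quoting style for the new files.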
> 
> So this applies to traffic originating in the VM, and destined
> for the host. I'm fuzzy on exactly what "HOST" expands to in
> our context.

That's correct.

If egress-zones=HOST, then it's equivalent to INPUT.
If ingress-zones=HOST, then it's equivalent to OUTPUT.

> IIUC 'policy' rules apply to traffic transiting between zones,
> but we shouldn't have any zone transits involved.

libvirt zone --> public zone (uplink)

That should occur for the default config as "public" is the default zone
for unassigned traffic.

> virbr0 is in the 'libvirt' zone and VM TAP devs are part of
> virbr0. So traffic VM -> host should be entirely within the
> libvirt zone, never transiting zones.

Right. The above policy is libvirt --> HOST. Internally the
services/ports/etc added to a zone are implemented as a policy identical
to above. They're functionally equivalent.

The real reason I moved these rules into a policy is so they could be
common with the routed network.

> Does this use of "HOST", for example allow traffic from the
> VMs to connect to the host via its public IP address on eth0,
> instead of via its private IP on virbr0 which is what we
> want ?

I think so, but a quick look at the iptables rules generated by libvirt
looks like they also allow it.

Chain INPUT (policy ACCEPT 471K packets, 200M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 472K  200M LIBVIRT_INP  all  --  any    any     anywhere             anywhere            

LIBVIRT_INP is non-terminal, so they would be accepted by the INPUT policy (see
the counters?).

> > diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> > index b1e84b52ecc9..4c5639d8a84f 100644
> > --- a/src/network/libvirt.zone
> > +++ b/src/network/libvirt.zone
> > @@ -1,25 +1,12 @@
> >  <?xml version="1.0" encoding="utf-8"?>
> > -<zone target="ACCEPT">
> > +<zone>
> >    <short>libvirt</short>
> >  
> >    <description>
> > -    The default policy of "ACCEPT" allows all packets to/from
> > -    interfaces in the zone to be forwarded, while the (*low priority*)
> > -    reject rule blocks any traffic destined for the host, except those
> > -    services explicitly listed (that list can be modified as required
> > -    by the local admin). This zone is intended to be used only by
> > -    libvirt virtual networks - libvirt will add the bridge devices for
> > -    all new virtual networks to this zone by default.
> > +    This zone is intended to be used only by libvirt virtual networks -
> > +    libvirt will add the bridge devices for all new virtual networks to
> > +    this zone by default.
> >    </description>
> >  
> > -<rule priority='32767'>
> > -  <reject/>
> > -</rule>
> > -<protocol value='icmp'/>
> > -<protocol value='ipv6-icmp'/>
> > -<service name='dhcp'/>
> > -<service name='dhcpv6'/>
> > -<service name='dns'/>
> > -<service name='ssh'/>
> > -<service name='tftp'/>
> > +  <forward />
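Review bot: removing `target="ACCEPT"` leaves the zone on firewalld's default target, and it is not self-evident that default target plus `<forward />` plus the two new policies reproduces the old "accept everything, reject host-bound traffic via a low-priority rule" behaviour; since the commit message asserts "no functional changes", it should spell out that equivalence (the `<forward />` explanation given below, intra-zone forwarding equivalent to LIBVIRT_FWX, belongs there too). The shortened description also drops the sentence telling admins that the service allowlist "can be modified as required by the local admin" without carrying it into libvirt-to-host.policy; suggest keeping it and adding a pointer to the two policy files so the filtering model stays discoverable from the zone file.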
> 
> What does '<forward/>' do - I'm not actually finding it mentioned
> in the zone docs at

It's INTRA-zone forwarding. Equivalent to LIBVIRT_FWX.
https://firewalld.org/2020/04/intra-zone-forwarding

i.e. forward between interfaces in the same zone.

iptables equivalent generated by libvirt:

Chain LIBVIRT_FWX (1 references)
pkts bytes target     prot opt in     out     source destination         
0     0 ACCEPT     all  --  virbr0 virbr0  anywhere  anywhere    


>   https://firewalld.org/documentation/man-pages/firewalld.zone.html
> 
> >  </zone>
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
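As an added example (not part of this thread or of libvirt's own code), a small script that applies the HOST/ANY mapping Eric states above to the two policy files from the patch and reports which iptables chain each one is equivalent to; the policy XML is inlined from the patch without its XML declaration so the script runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two policy files from the patch, inlined without the
# XML declaration so this runs offline.
LIBVIRT_NAT_OUT = """<policy target="ACCEPT">
  <short>libvirt-nat-out</short>
  <ingress-zone name="libvirt" />
  <egress-zone name="ANY" />
</policy>"""

LIBVIRT_TO_HOST = """<policy target="REJECT">
  <short>libvirt-to-host</short>
  <ingress-zone name="libvirt" />
  <egress-zone name="HOST" />
  <protocol value='icmp'/>
  <protocol value='ipv6-icmp'/>
  <service name='dhcp'/>
  <service name='dhcpv6'/>
  <service name='dns'/>
  <service name='ssh'/>
  <service name='tftp'/>
</policy>"""


def classify_policy(xml_text):
    """Return (name, chain, target, allowed) for a firewalld policy.

    Chain mapping as stated in the thread: egress-zone HOST is INPUT,
    ingress-zone HOST is OUTPUT, everything else is FORWARD; ANY covers
    every zone except HOST, so it never yields INPUT or OUTPUT.
    """
    root = ET.fromstring(xml_text)
    ingress = {z.get("name") for z in root.findall("ingress-zone")}
    egress = {z.get("name") for z in root.findall("egress-zone")}
    if "HOST" in egress:
        chain = "INPUT"
    elif "HOST" in ingress:
        chain = "OUTPUT"
    else:
        chain = "FORWARD"
    # Services and protocols form the allowlist evaluated before the target.
    allowed = sorted(
        [s.get("name") for s in root.findall("service")]
        + [p.get("value") for p in root.findall("protocol")]
    )
    return root.findtext("short"), chain, root.get("target"), allowed
```

For the patch's files this yields libvirt-to-host as INPUT-equivalent with a REJECT target and an explicit allowlist, and libvirt-nat-out as FORWARD-equivalent with an ACCEPT target and no allowlist at all.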
> 


