[PATCH 7/8] network: firewalld: add policies for NAT networks

Eric Garver eric at garver.life
Thu Nov 10 16:31:51 UTC 2022


Signed-off-by: Eric Garver <eric at garver.life>
---
 libvirt.spec.in                    |  1 +
 src/network/libvirt-nat-out.policy | 13 +++++++++++++
 src/network/libvirt-to-host.policy |  1 +
 src/network/meson.build            |  5 +++++
 4 files changed, 20 insertions(+)
 create mode 100644 src/network/libvirt-nat-out.policy

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 6537b9385a0e..6a852d726e55 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1922,6 +1922,7 @@ exit 0
 %{_prefix}/lib/firewalld/zones/libvirt.xml
 %{_prefix}/lib/firewalld/zones/libvirt-nat.xml
 %{_prefix}/lib/firewalld/zones/libvirt-routed.xml
+%{_prefix}/lib/firewalld/policies/libvirt-nat-out.xml
 %{_prefix}/lib/firewalld/policies/libvirt-routed-in.xml
 %{_prefix}/lib/firewalld/policies/libvirt-routed-out.xml
 %{_prefix}/lib/firewalld/policies/libvirt-to-host.xml
diff --git a/src/network/libvirt-nat-out.policy b/src/network/libvirt-nat-out.policy
new file mode 100644
index 000000000000..ed19be90c751
--- /dev/null
+++ b/src/network/libvirt-nat-out.policy
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+  <short>libvirt-nat-out</short>
+
+  <description>
+    This policy is used to allow NAT virtual machine traffic to the rest of
+    the network.
+  </description>
+
+  <ingress-zone name="libvirt-nat" />
+  <egress-zone name="ANY" />
+  <masquerade />
+</policy>
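Review bot: The `<description>` in the new libvirt-nat-out.policy does not say what `target="ACCEPT"` together with `<egress-zone name="ANY" />` and `<masquerade />` actually grants, so an administrator auditing the installed `policies/libvirt-nat-out.xml` has to reconstruct the scope from the attributes. I would extend the description with a sentence such as `All forwarded traffic originating in the libvirt-nat zone is accepted and masqueraded towards every other zone.` As I read firewalld's policy semantics, an ACCEPT target decides the verdict for matching traffic before any further filtering applies, which is worth confirming and stating explicitly. The commit message consists of the subject line only; one sentence on why NAT networks now need a policy alongside the existing libvirt-nat zone (the `zones/libvirt-nat.xml` listed in the spec hunk) would help reviewers, and if libvirt-routed-out.policy has the same shape its description should read in parallel.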
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
index b20aecaf4249..a22952ea1c95 100644
--- a/src/network/libvirt-to-host.policy
+++ b/src/network/libvirt-to-host.policy
@@ -7,6 +7,7 @@
     host.
   </description>
 
+  <ingress-zone name="libvirt-nat" />
   <ingress-zone name="libvirt-routed" />
   <egress-zone name="HOST" />
 
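Review bot: Adding `<ingress-zone name="libvirt-nat" />` to libvirt-to-host.policy widens what NAT guests may reach on the host, but the policy's `target` attribute and any `<service>`/`<port>` entries sit outside this hunk, so the hunk alone does not show whether guests now get the same host access as libvirt-routed guests. The commit message should say that this is intended to be identical for both zone types, and the `<description>` that ends just above (line ending in `host.`) should name NAT guests if it enumerates the routed ones. The enclosing `<policy>` element starts and ends outside the hunk.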
diff --git a/src/network/meson.build b/src/network/meson.build
index fa18cbb8ff62..34f336fa222e 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -116,6 +116,11 @@ if conf.has('WITH_NETWORK')
       install_dir: prefix / 'lib' / 'firewalld' / 'policies',
       rename: [ 'libvirt-to-host.xml' ],
     )
+    install_data(
+      'libvirt-nat-out.policy',
+      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+      rename: [ 'libvirt-nat-out.xml' ],
+    )
     install_data(
       'libvirt-routed-out.policy',
       install_dir: prefix / 'lib' / 'firewalld' / 'policies',
-- 
2.37.3


