From 2a461957b1f4d06ef59221006f8e01a5dccebde8 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 22 Sep 2022 11:13:23 -0400
Subject: [PATCH] network: firewalld: add policies for routed networks

Signed-off-by: Eric Garver <eric@garver.life>
Reviewed-by: Laine Stump <laine@redhat.com>
---
 libvirt.spec.in                       |  3 +++
 src/network/libvirt-routed-in.policy  | 11 +++++++++++
 src/network/libvirt-routed-out.policy | 12 ++++++++++++
 src/network/libvirt-to-host.policy    | 20 ++++++++++++++++++++
 src/network/meson.build               | 15 +++++++++++++++
 5 files changed, 61 insertions(+)
 create mode 100644 src/network/libvirt-routed-in.policy
 create mode 100644 src/network/libvirt-routed-out.policy
 create mode 100644 src/network/libvirt-to-host.policy

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 794dd43c59..5ea9ef2912 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1915,6 +1915,9 @@ exit 0
 %if %{with_firewalld_zone}
 %{_prefix}/lib/firewalld/zones/libvirt.xml
 %{_prefix}/lib/firewalld/zones/libvirt-routed.xml
+%{_prefix}/lib/firewalld/policies/libvirt-routed-in.xml
+%{_prefix}/lib/firewalld/policies/libvirt-routed-out.xml
+%{_prefix}/lib/firewalld/policies/libvirt-to-host.xml
 %endif
 
 %files daemon-driver-nodedev
diff --git a/src/network/libvirt-routed-in.policy b/src/network/libvirt-routed-in.policy
new file mode 100644
index 0000000000..dd691efbb6
--- /dev/null
+++ b/src/network/libvirt-routed-in.policy
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+  <short>libvirt-routed-in</short>
+
+  <description>
+    This policy is used to allow routed traffic to the virtual machines.
+  </description>
+
+  <ingress-zone name="ANY" />
+  <egress-zone name="libvirt-routed" />
+</policy>
diff --git a/src/network/libvirt-routed-out.policy b/src/network/libvirt-routed-out.policy
new file mode 100644
index 0000000000..efa0030569
--- /dev/null
+++ b/src/network/libvirt-routed-out.policy
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+  <short>libvirt-routed-out</short>
+
+  <description>
+    This policy is used to allow routed virtual machine traffic to the rest of
+    the network.
+  </description>
+
+  <ingress-zone name="libvirt-routed" />
+  <egress-zone name="ANY" />
+</policy>
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
new file mode 100644
index 0000000000..b20aecaf42
--- /dev/null
+++ b/src/network/libvirt-to-host.policy
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="REJECT">
+  <short>libvirt-to-host</short>
+
+  <description>
+    This policy is used to filter traffic from virtual machines to the
+    host.
+  </description>
+
+  <ingress-zone name="libvirt-routed" />
+  <egress-zone name="HOST" />
+
+  <protocol value='icmp'/>
+  <protocol value='ipv6-icmp'/>
+  <service name='dhcp'/>
+  <service name='dhcpv6'/>
+  <service name='dns'/>
+  <service name='ssh'/>
+  <service name='tftp'/>
+</policy>
diff --git a/src/network/meson.build b/src/network/meson.build
index a38dc147ac..d266bb225a 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -106,5 +106,20 @@ if conf.has('WITH_NETWORK')
       install_dir: prefix / 'lib' / 'firewalld' / 'zones',
       rename: [ 'libvirt-routed.xml' ],
     )
+    install_data(
+      'libvirt-to-host.policy',
+      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+      rename: [ 'libvirt-to-host.xml' ],
+    )
+    install_data(
+      'libvirt-routed-out.policy',
+      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+      rename: [ 'libvirt-routed-out.xml' ],
+    )
+    install_data(
+      'libvirt-routed-in.policy',
+      install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+      rename: [ 'libvirt-routed-in.xml' ],
+    )
   endif
 endif