network: firewalld: add policies for routed networks

Signed-off-by: Eric Garver <eric@garver.life>
Reviewed-by: Laine Stump <laine@redhat.com>
This commit is contained in:
Eric Garver 2022-09-22 11:13:23 -04:00 committed by Laine Stump
parent 722b012166
commit 2a461957b1
5 changed files with 61 additions and 0 deletions

View File

@ -1915,6 +1915,9 @@ exit 0
%if %{with_firewalld_zone} %if %{with_firewalld_zone}
%{_prefix}/lib/firewalld/zones/libvirt.xml %{_prefix}/lib/firewalld/zones/libvirt.xml
%{_prefix}/lib/firewalld/zones/libvirt-routed.xml %{_prefix}/lib/firewalld/zones/libvirt-routed.xml
%{_prefix}/lib/firewalld/policies/libvirt-routed-in.xml
%{_prefix}/lib/firewalld/policies/libvirt-routed-out.xml
%{_prefix}/lib/firewalld/policies/libvirt-to-host.xml
%endif %endif
%files daemon-driver-nodedev %files daemon-driver-nodedev

View File

@ -0,0 +1,11 @@
<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
<short>libvirt-routed-in</short>
<description>
This policy is used to allow routed traffic to the virtual machines.
</description>
<ingress-zone name="ANY" />
<egress-zone name="libvirt-routed" />
</policy>

View File

@ -0,0 +1,12 @@
<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
<short>libvirt-routed-out</short>
<description>
This policy is used to allow routed virtual machine traffic to the rest of
the network.
</description>
<ingress-zone name="libvirt-routed" />
<egress-zone name="ANY" />
</policy>

View File

@ -0,0 +1,20 @@
<?xml version="1.0" encoding="utf-8"?>
<policy target="REJECT">
<short>libvirt-to-host</short>
<description>
This policy is used to filter traffic from virtual machines to the
host.
</description>
<ingress-zone name="libvirt-routed" />
<egress-zone name="HOST" />
<protocol value='icmp'/>
<protocol value='ipv6-icmp'/>
<service name='dhcp'/>
<service name='dhcpv6'/>
<service name='dns'/>
<service name='ssh'/>
<service name='tftp'/>
</policy>

View File

@ -106,5 +106,20 @@ if conf.has('WITH_NETWORK')
install_dir: prefix / 'lib' / 'firewalld' / 'zones', install_dir: prefix / 'lib' / 'firewalld' / 'zones',
rename: [ 'libvirt-routed.xml' ], rename: [ 'libvirt-routed.xml' ],
) )
install_data(
'libvirt-to-host.policy',
install_dir: prefix / 'lib' / 'firewalld' / 'policies',
rename: [ 'libvirt-to-host.xml' ],
)
install_data(
'libvirt-routed-out.policy',
install_dir: prefix / 'lib' / 'firewalld' / 'policies',
rename: [ 'libvirt-routed-out.xml' ],
)
install_data(
'libvirt-routed-in.policy',
install_dir: prefix / 'lib' / 'firewalld' / 'policies',
rename: [ 'libvirt-routed-in.xml' ],
)
endif endif
endif endif