mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-22 12:35:17 +00:00
network: explicitly allow icmp/icmpv6 in libvirt zonefile
The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the following: 1) lists specific services it wants to allow, then 2) uses a lower priority <reject/> rule to block all other services to the host, and then finally, 3) relies on the zone's default "accept" policy to accept all forwarded traffic (since forwarded traffic is ignored by the slightly higher priority <reject/> rule in (2)).

I had assumed that icmp traffic was either being allowed at the top of the rules, or that it would be ignored by the <reject/> rule and passed by the default accept policy (similar to forwarded traffic), but this assumption was incorrect; the <reject/> rule does block icmp traffic. This became apparent when DHCPv6 (which requires ICMPv6 in addition to udp/dhcpv6) failed to work.

This all means that in order to achieve our original goal of "similar behavior to a default reject policy, but also allowing forwarded traffic", we need to add rules to allow all icmp and icmpv6 traffic to the libvirt zone, and that's what this patch does.

This is a further refinement of the resolution to https://bugzilla.redhat.com/1650320

Signed-off-by: Laine Stump <laine@laine.org>
Acked-by: Eric Garver <eric@garver.life>
parent fa5db009c9
commit 41adfe8ca9
@ -15,6 +15,8 @@
<rule priority='32767'>
<reject/>
</rule>
<protocol value='icmp'/>
<protocol value='ipv6-icmp'/>
<service name='dhcp'/>
<service name='dhcpv6'/>
<service name='dns'/>
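Review bot: the two new entries `<protocol value='icmp'/>` and `<protocol value='ipv6-icmp'/>` deserve a comment in the zonefile itself, because nothing in the file explains why they are needed: the commit message records that the priority-32767 `<reject/>` rich rule also rejects ICMP/ICMPv6 (contrary to the original assumption) and that DHCPv6 depends on ICMPv6, and a later cleanup that only reads the zonefile could drop them as redundant. Worth stating as well, either in the comment or in the commit message, that these entries accept every ICMP and ICMPv6 type to the host rather than only the ICMPv6 messages DHCPv6 relies on; that matches the stated goal of "similar behavior to a default reject policy, but also allowing forwarded traffic", but if a narrower allow is ever wanted, firewalld's zone-level `<icmp-block-inversion/>` together with explicit `<icmp-block>` entries is the mechanism to look at rather than a wider protocol allow.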