From f649b1f8a050402bbd1d28ee78e1522121347977 Mon Sep 17 00:00:00 2001
Message-Id: <f649b1f8a050402bbd1d28ee78e1522121347977@dist-git>
From: Laine Stump <laine@laine.org>
Date: Thu, 14 Feb 2019 15:26:55 -0500
Subject: [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
following:

1) lists specific services it wants to allow, then

2) uses a lower priority <reject/> rule to block all other services to
the host, and then finally,

3) relies on the zone's default "accept" policy to accept all
forwarded traffic (since forwarded traffic is ignored by the
slightly higher priority <reject/> rule in (2)).

I had assumed that icmp traffic was either being allowed at the top of
the rules, or that it would be ignored by the <reject/> rule and
passed by the default accept policy (similar to forwarded traffic),
but this assumption was incorrect; the <reject/> rule does block icmp
traffic. This became apparent when DHCPv6 (which requires ICMPv6 in
addition to udp/dhcpv6) failed to work.

This all means that in order to achieve our original goal of "similar
behavior to a default reject policy, but also allowing forwarded
traffic", we need to add rules to allow all icmp and icmpv6 traffic to
the libvirt zone, and that's what this patch does.

This is a further refinement of the resolution to
https://bugzilla.redhat.com/1650320

Signed-off-by: Laine Stump <laine@laine.org>
Acked-by: Eric Garver <eric@garver.life>
(cherry picked from commit 41adfe8ca932e9fa34cd1b3f238c17b52e6b3888)
Message-Id: <20190214202655.22715-1-laine@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 src/network/libvirt.zone | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index bf81db1b6e..b1e84b52ec 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
@@ -15,6 +15,8 @@
<rule priority='32767'>
<reject/>
</rule>
+<protocol value='icmp'/>
+<protocol value='ipv6-icmp'/>
<service name='dhcp'/>
<service name='dhcpv6'/>
<service name='dns'/>
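Review bot: the two added `<protocol>` lines carry no comment, and nothing in libvirt.zone itself says that the priority='32767' `<reject/>` rich rule just above them would otherwise drop all ICMP and ICMPv6 to the host (the DHCPv6 breakage described in the commit message); add a short XML comment above `+<protocol value='icmp'/>` stating that, so a later tidy-up of the zone file does not remove entries that look redundant. That comment should also say that this deliberately opens every ICMP and ICMPv6 type to the host rather than only the ICMPv6 types DHCPv6 needs; the commit message makes clear the broad allow is intended, but the file is what future readers will see.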
--
2.20.1