rpms/libvirt
7
0
Fork 1
Code Issues Pull Requests Releases Activity
ffdd260aa7
libvirt/SOURCES/libvirt-network-explicitly-allow-icmp-icmpv6-in-libvirt-zonefile.patch
CentOS Sources ffdd260aa7 import libvirt-4.5.0-42.module+el8.2.0+6024+15a2423f
2021-09-10 11:57:18 +00:00

62 lines
2.2 KiB
Diff
Raw Blame History

From f649b1f8a050402bbd1d28ee78e1522121347977 Mon Sep 17 00:00:00 2001
Message-Id: <f649b1f8a050402bbd1d28ee78e1522121347977@dist-git>
From: Laine Stump <laine@laine.org>
Date: Thu, 14 Feb 2019 15:26:55 -0500
Subject: [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
following:
1) lists specific services it wants to allow, then
2) uses a lower priority <reject/> rule to block all other services to
the host, and then finally,
3) relies on the zone's default "accept" policy to, accept all
forwarded traffic (since forwarded traffic is ignored by the
slightly higher priority <reject/> rule in (2)).
I had assumed that icmp traffic was either being allowed at the top of
the rules, or that it would be ignored by the <reject/> rule and
passed by the default accept policy (similar to forwarded traffic),
but this assumption was incorrect; the <reject/> rule does block icmp
traffic. This became apparent when DHCPv6 which requires ICMPv6 in
addition to udp/dhcpv6) failed to work.
This all means that in order to achieve our original goal of "similar
behavior to a default reject policy, but also allowing forwarded
traffic", we need to add rules to allow all icmp and icmpv6 traffic to
the libvirt zone, and that's what this patch does.
This is a further refinement of the resolution to
https://bugzilla.redhat.com/1650320
Signed-off-by: Laine Stump <laine@laine.org>
Acked-by: Eric Garver <eric@garver.life>
(cherry picked from commit 41adfe8ca932e9fa34cd1b3f238c17b52e6b3888)
Message-Id: <20190214202655.22715-1-laine@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
src/network/libvirt.zone | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index bf81db1b6e..b1e84b52ec 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
@@ -15,6 +15,8 @@
<rule priority='32767'>
<reject/>
</rule>
+<protocol value='icmp'/>
+<protocol value='ipv6-icmp'/>
<service name='dhcp'/>
<service name='dhcpv6'/>
<service name='dns'/>
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink