[libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile

Laine Stump posted 1 patch 5 years, 1 month ago
Test syntax-check passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190214194622.18595-1-laine@laine.org
src/network/libvirt.zone | 2 ++
1 file changed, 2 insertions(+)
[libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
Posted by Laine Stump 5 years, 1 month ago
The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
following:

1) lists specific services it wants to allow, then

2) uses a lower priority <reject/> rule to block all other services to
   the host, and then finally,

3) relies on the zone's default "accept" policy to, accept all
   forwarded traffic (since forwarded traffic is ignored by the
   slightly higher priority <reject/> rule in (2)).

I had assumed that icmp traffic was either being allowed at the top of
the rules, or that it would be ignored by the <reject/> rule and
passed by the default accept policy (similar to forwarded traffic),
but this assumption was incorrect; the <reject/> rule does block icmp
traffic. This became apparent when DHCPv6 which requires ICMPv6 in
addition to udp/dhcpv6) failed to work.

This all means that in order to achieve our original goal of "similar
behavior to a default reject policy, but also allowing forwarded
traffic", we need to add rules to allow all icmp and icmpv6 traffic to
the libvirt zone, and that's what this patch does.

This is a further refinement of the resolution to
https://bugzilla.redhat.com/1650320

Signed-off-by: Laine Stump <laine@laine.org>
---
 src/network/libvirt.zone | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index bf81db1b6e..b1e84b52ec 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
@@ -15,6 +15,8 @@
 <rule priority='32767'>
   <reject/>
 </rule>
+<protocol value='icmp'/>
+<protocol value='ipv6-icmp'/>
 <service name='dhcp'/>
 <service name='dhcpv6'/>
 <service name='dns'/>
-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
Posted by Eric Garver 5 years, 1 month ago
On Thu, Feb 14, 2019 at 02:46:22PM -0500, Laine Stump wrote:
> The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
> following:
> 
> 1) lists specific services it wants to allow, then
> 
> 2) uses a lower priority <reject/> rule to block all other services to
>    the host, and then finally,
> 
> 3) relies on the zone's default "accept" policy to, accept all
>    forwarded traffic (since forwarded traffic is ignored by the
>    slightly higher priority <reject/> rule in (2)).
> 
> I had assumed that icmp traffic was either being allowed at the top of
> the rules, or that it would be ignored by the <reject/> rule and
> passed by the default accept policy (similar to forwarded traffic),
> but this assumption was incorrect; the <reject/> rule does block icmp
> traffic. This became apparent when DHCPv6 which requires ICMPv6 in
> addition to udp/dhcpv6) failed to work.
> 
> This all means that in order to achieve our original goal of "similar
> behavior to a default reject policy, but also allowing forwarded
> traffic", we need to add rules to allow all icmp and icmpv6 traffic to
> the libvirt zone, and that's what this patch does.
> 
> This is a further refinement of the resolution to
> https://bugzilla.redhat.com/1650320
> 
> Signed-off-by: Laine Stump <laine@laine.org>
> ---
>  src/network/libvirt.zone | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> index bf81db1b6e..b1e84b52ec 100644
> --- a/src/network/libvirt.zone
> +++ b/src/network/libvirt.zone
> @@ -15,6 +15,8 @@
>  <rule priority='32767'>
>    <reject/>
>  </rule>
> +<protocol value='icmp'/>
> +<protocol value='ipv6-icmp'/>
>  <service name='dhcp'/>
>  <service name='dhcpv6'/>
>  <service name='dns'/>
> -- 
> 2.20.1

LGTM. Sorry I didn't catch it the first time around.

Acked-by: Eric Garver <eric@garver.life>

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
Posted by Daniel P. Berrangé 5 years, 1 month ago
On Thu, Feb 14, 2019 at 02:46:22PM -0500, Laine Stump wrote:
> The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
> following:
> 
> 1) lists specific services it wants to allow, then
> 
> 2) uses a lower priority <reject/> rule to block all other services to
>    the host, and then finally,
> 
> 3) relies on the zone's default "accept" policy to, accept all
>    forwarded traffic (since forwarded traffic is ignored by the
>    slightly higher priority <reject/> rule in (2)).
> 
> I had assumed that icmp traffic was either being allowed at the top of
> the rules, or that it would be ignored by the <reject/> rule and
> passed by the default accept policy (similar to forwarded traffic),
> but this assumption was incorrect; the <reject/> rule does block icmp
> traffic. This became apparent when DHCPv6 which requires ICMPv6 in
> addition to udp/dhcpv6) failed to work.
> 
> This all means that in order to achieve our original goal of "similar
> behavior to a default reject policy, but also allowing forwarded
> traffic", we need to add rules to allow all icmp and icmpv6 traffic to
> the libvirt zone, and that's what this patch does.
> 
> This is a further refinement of the resolution to
> https://bugzilla.redhat.com/1650320
> 
> Signed-off-by: Laine Stump <laine@laine.org>
> ---
>  src/network/libvirt.zone | 2 ++
>  1 file changed, 2 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list