From: Laine Stump
To: libvir-list@redhat.com
Cc: Eric Garver
Date: Thu, 14 Feb 2019 14:46:22 -0500
Message-Id: <20190214194622.18595-1-laine@laine.org>
Subject: [libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile

The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the following:

1) lists specific services it wants to allow, then

2) uses a lower priority rule to block all other services to the host, and then finally,

3) relies on the zone's default "accept" policy to accept all forwarded traffic (since forwarded traffic is ignored by the slightly higher priority rule in (2)).

I had assumed that icmp traffic was either being allowed at the top of the rules, or that it would be ignored by the rule and passed by the default accept policy (similar to forwarded traffic), but this assumption was incorrect; the rule does block icmp traffic. This became apparent when DHCPv6 (which requires ICMPv6 in addition to udp/dhcpv6) failed to work.

This all means that in order to achieve our original goal of "similar behavior to a default reject policy, but also allowing forwarded traffic", we need to add rules to allow all icmp and icmpv6 traffic to the libvirt zone, and that's what this patch does.

This is a further refinement of the resolution to https://bugzilla.redhat.com/1650320
Signed-off-by: Laine Stump
Acked-by: Eric Garver
Reviewed-by: Daniel P. Berrangé
---
 src/network/libvirt.zone | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
index bf81db1b6e..b1e84b52ec 100644
--- a/src/network/libvirt.zone
+++ b/src/network/libvirt.zone
@@ -15,6 +15,8 @@
+
+
-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
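Review bot: the two `+` lines under `@@ -15,6 +15,8 @@` carry no content in this copy of the patch, so the hunk can only be checked against the stat line `src/network/libvirt.zone | 2 ++` by count; please confirm the two added entries are the icmp and icmpv6 allowances the description promises. The stated rationale is that DHCPv6 needs ICMPv6, while the change opens all icmp and all icmpv6 traffic to the host; a one-line comment in the zone file (or in the commit message) saying why the whole protocols are allowed rather than only what DHCPv6 requires would help whoever next revisits the "similar behavior to a default reject policy" goal, since it is a deliberate widening of what the host accepts.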
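The commit message describes a zone that lists allowed services, blocks everything else to the host, and leaves forwarded traffic to the default accept target, and explains that such a zone silently breaks DHCPv6 unless icmpv6 is allowed explicitly. The following is an added example, not libvirt's code and not the contents of src/network/libvirt.zone: it parses a firewalld zone definition and reports whether icmp and icmpv6 are explicitly allowed, flagging the dhcpv6-without-icmpv6 gap the patch fixes. The sample zone XML is constructed and simplified (it omits the lower-priority blocking rule), and the helper names `parse_zone`, `missing_icmp` and `dhcpv6_findings` are this example's own.

```python
"""Check a firewalld zone definition for explicit ICMP/ICMPv6 allowances.

Added example, not libvirt's code. The sample zone below is constructed for
illustration and is NOT the real src/network/libvirt.zone.
"""
import xml.etree.ElementTree as ET

# Constructed sample zone modelled on the structure the commit message
# describes: explicit services plus a default ACCEPT target for forwarded
# traffic. No <protocol> entries, so ICMP is not explicitly allowed.
ZONE_BEFORE = """<zone target="ACCEPT">
  <short>libvirt-example</short>
  <service name="dhcp"/>
  <service name="dhcpv6"/>
  <service name="dns"/>
  <service name="ssh"/>
  <service name="tftp"/>
</zone>
"""

# The same zone with icmp and icmpv6 allowed via firewalld's <protocol>
# element, which is the kind of entry the patch's description calls for.
ZONE_AFTER = ZONE_BEFORE.replace(
    "</zone>",
    '  <protocol value="icmp"/>\n  <protocol value="icmpv6"/>\n</zone>',
)


def parse_zone(xml_text):
    """Return the zone target plus the allowed services and protocols."""
    root = ET.fromstring(xml_text)
    return {
        "target": root.get("target", "default"),
        "services": [e.get("name") for e in root.findall("service")],
        "protocols": [e.get("value") for e in root.findall("protocol")],
    }


def missing_icmp(zone):
    """List the ICMP protocols the zone does not explicitly allow."""
    return sorted({"icmp", "icmpv6"} - set(zone["protocols"]))


def dhcpv6_findings(zone):
    """Flag the exact gap from the commit message: the dhcpv6 service is
    enabled but icmpv6 is not explicitly allowed, so DHCPv6 cannot work."""
    findings = []
    if "dhcpv6" in zone["services"] and "icmpv6" not in zone["protocols"]:
        findings.append("dhcpv6 allowed but icmpv6 is not: DHCPv6 will fail")
    return findings


if __name__ == "__main__":
    for label, text in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        zone = parse_zone(text)
        print(label, "target=%s" % zone["target"],
              "missing=%s" % missing_icmp(zone),
              "findings=%s" % dhcpv6_findings(zone))
```

Run it against a real zone file by reading the file into `parse_zone`; a zone that relies on a default accept target while listing only services, as in the sample, is reported as missing both ICMP protocols.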