[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 4/5] network: regain guest network connectivity after firewalld switch to nftables



On Wed, Jan 09, 2019 at 09:57:36PM -0500, Laine Stump wrote:
> From: Laine Stump <laine redhat com>
[..]
> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> new file mode 100644
> index 0000000000..1750ba2f06
> --- /dev/null
> +++ b/src/network/libvirt.zone
> @@ -0,0 +1,14 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<zone target="ACCEPT">
> +  <short>libvirt</short>
> +  <description>The default policy of "ACCEPT" allows all packets to/from interfaces in the zone to be forwarded, while the (*low priority*) reject rule blocks any traffic destined for the host, except those services explicitly listed (that list can be modified as required by the local admin). This zone is intended to be used only by libvirt virtual networks - libvirt will add the bridge devices for all new virtual networks to this zone by default.</description>
> +
> +<rule priority='127'>

The valid priority range is [-32768, 32767]. You may want to change this
to 32767 to make sure it's the lowest precedence possible.

Although, since libvirt completely controls this zone it won't matter
unless libvirt or the user adds other rich rules.

> +  <reject/>
> +</rule>
> +<service name='dhcp'/>
> +<service name='dhcpv6'/>
> +<service name='dns'/>
> +<service name='ssh'/>
> +<service name='tftp'/>
> +</zone>
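Review bot: the service list ends with `<service name='ssh'/>`, which lets guests on these networks reach the host's SSH port, although, unlike dhcp, dhcpv6, dns and tftp, nothing in the zone's stated purpose needs it; since the description already says the list "can be modified as required by the local admin", either drop ssh from the shipped default or add a sentence to the description explaining why it is included. Two style points in the same file: `<short>` and `<description>` are indented two spaces while `<rule>` and the `<service>` lines are not, and attribute quoting switches from double quotes in the XML declaration to single quotes in `priority='127'` and `name='dhcp'`; pick one indentation and one quote style.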
> -- 
> 2.20.1
> 

