%if %{with_firewalld_zone}
%{_prefix}/lib/firewalld/zones/libvirt.xml
%{_prefix}/lib/firewalld/zones/libvirt-routed.xml
+%{_prefix}/lib/firewalld/policies/libvirt-routed-in.xml
+%{_prefix}/lib/firewalld/policies/libvirt-routed-out.xml
+%{_prefix}/lib/firewalld/policies/libvirt-to-host.xml
%endif
%files daemon-driver-nodedev
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+ <short>libvirt-routed-in</short>
+
+ <description>
+ This policy is used to allow routed traffic to the virtual machines.
+ </description>
+
+ <ingress-zone name="ANY" />
+ <egress-zone name="libvirt-routed" />
+</policy>
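Review bot: The description in libvirt-routed-in says only that routed traffic to the virtual machines is allowed, but the policy's `ingress-zone` is `ANY` with `target="ACCEPT"`, so it also appears to accept forwarded traffic that originates in every other zone on the host, including other libvirt networks, and nothing in the hunk narrows that. The same applies in reverse to libvirt-routed-out in the next file. If that is the intended semantics, the description should say so, e.g. `Forwarded traffic from any zone (including other libvirt networks) into a routed network is accepted; per-network isolation must be added separately.` A reader of the installed XML otherwise has no way to tell whether cross-network forwarding is deliberate.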
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="ACCEPT">
+ <short>libvirt-routed-out</short>
+
+ <description>
+ This policy is used to allow routed virtual machine traffic to the rest of
+ the network.
+ </description>
+
+ <ingress-zone name="libvirt-routed" />
+ <egress-zone name="ANY" />
+</policy>
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>
+<policy target="REJECT">
+ <short>libvirt-to-host</short>
+
+ <description>
+ This policy is used to filter traffic from virtual machines to the
+ host.
+ </description>
+
+ <ingress-zone name="libvirt-routed" />
+ <egress-zone name="HOST" />
+
+ <protocol value='icmp'/>
+ <protocol value='ipv6-icmp'/>
+ <service name='dhcp'/>
+ <service name='dhcpv6'/>
+ <service name='dns'/>
+ <service name='ssh'/>
+ <service name='tftp'/>
+</policy>
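Review bot: libvirt-to-host has no explicit `<priority>`, so it presumably runs at firewalld's default policy priority (-1), which is evaluated before zone rules; combined with `target="REJECT"` that would make this list the complete set of host-facing services reachable from routed guests, with anything the libvirt-routed zone itself permits rejected first. If that allowlist behaviour is intended, the description should state it, e.g. `Only the listed protocols and services may reach the host from a routed network; extend this policy (firewall-cmd --policy libvirt-to-host --add-service=NAME) rather than the libvirt-routed zone.` The service set looks like it mirrors the existing libvirt zone; a comment noting that the two must be kept in sync would help whoever next adds a service to one of them.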
install_dir: prefix / 'lib' / 'firewalld' / 'zones',
rename: [ 'libvirt-routed.xml' ],
)
+ install_data(
+ 'libvirt-to-host.policy',
+ install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+ rename: [ 'libvirt-to-host.xml' ],
+ )
+ install_data(
+ 'libvirt-routed-out.policy',
+ install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+ rename: [ 'libvirt-routed-out.xml' ],
+ )
+ install_data(
+ 'libvirt-routed-in.policy',
+ install_dir: prefix / 'lib' / 'firewalld' / 'policies',
+ rename: [ 'libvirt-routed-in.xml' ],
+ )
endif
endif