configure: selectively install a firewalld 'libvirt' zone

In the past (when both libvirt and firewalld used iptables), if either
libvirt's rules *OR* firewalld's rules accepted a packet, it would
be accepted. This was because libvirt and firewalld rules were
processed during the same kernel hook, and a single ACCEPT result
would terminate the rule traversal and cause the packet to be
accepted.

But now firewalld can use nftables for its backend, while libvirt's
firewall rules are still using iptables; iptables rules are still
processed, but at a different time during packet processing
(i.e. during a different hook) than the firewalld nftables rules. The
result is that a packet must be accepted by *BOTH* the libvirt
iptables rules *AND* the firewalld nftable rules in order to be
accepted.

This causes pain because

1) libvirt always adds rules to permit DNS and DHCP (and sometimes
TFTP) from guests to the host network's bridge interface. But
libvirt's bridges are in firewalld's "default" zone (which is usually
the zone called "public"). The public zone allows ssh, but doesn't
allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the
DHCP and DNS traffic, the firewalld rules (now processed during a
different hook) dont, thus guests connected to libvirt's bridges can't
acquire an IP address from DHCP, nor can they make DNS queries to the
DNS server libvirt has setup on the host. (This could be solved by
modifying the default firewalld zone to allow DNS and DHCP, but that
would open *all* interfaces in the default zone to those services,
which is most likely not what the host's admin wants.)

2) Even though libvirt adds iptables rules to allow forwarded traffic
to pass the iptables hook, firewalld's higher level "rich rules" don't
yet have the ability to configure the acceptance of forwarded traffic
(traffic that is going somewhere beyond the host), so any traffic that
needs to be forwarded from guests to the network beyond the host is
rejected during the nftables hook by the default zone's "default
reject" policy (which rejects all traffic in the zone not specifically
allowed by the rules in the zone, whether that traffic is destined to
be forwarded or locally received by the host).

libvirt can't send "direct" nftables rules (firewalld only supports
direct/passthrough rules for iptables), so we can't solve this problem
by just sending explicit nftables rules instead of explicit iptables
rules (which, if it could be done, would place libvirt's rules in the
same hook as firewalld's native rules, and thus eliminate the need for
packets to be accepted by both libvirt's and firewalld's own rules).

However, we can take advantage of a quirk in firewalld zones that have
a default policy of "accept" (meaning any packet that doesn't match a
specific rule in the zone will be *accepted*) - this default accept will
also accept forwarded traffic (not just traffic destined for the host).

Of course we don't want to modify firewalld's default zone in that
way, because that would affect the filtering of traffic coming into
the host from other interfaces using that zone. Instead, we will
create a new zone called "libvirt". The libvirt zone will have a
default policy of accept so that forwarded traffic can pass and list
specific services that will be allowed into the host from guests (DNS,
DHCP, SSH, and TFTP).

But the same default accept policy that fixes forwarded traffic also
causes *all* traffic from guest to host to be accepted. To close this
new hole, the libvirt zone can take advantage of a new feature in
firewalld (currently slated for firewalld-0.7.0) - priorities for rich
rules - to add a low priority rule that rejects all local traffic (but
leaves alone all forwarded traffic).

So, our new zone will start with a list of services that are allowed
(dhcp, dns, tftp, and ssh to start, but configurable via any firewalld
management application, or direct editing of the zone file in
/etc/firewalld/zones/libvirt.xml), followed by a low priority
<reject/> rule (to reject all other traffic from guest to host), and
finally with a default policy of accept (to allow forwarded traffic).

This patch only creates the zonefile for the new zone, and implements
a configure.ac option to selectively enable/disable installation of
the new zone. A separate patch contains the necessary code to actually
place bridge interfaces in the libvirt zone.

Why do we need a configure option to disable installation of the new
libvirt zone? It uses a new firewalld attribute that sets the priority
of a rich rule; this feature first appears in firewalld-0.7.0 (unless
it has been backported to am earlier firewalld by a downstream
maintainer). If the file were installed on a system with firewalld
that didn't support rule priorities, firewalld would log an error
every time it restarted, causing confusion and lots of extra bug
reports.

So we add two new configure.ac switches to avoid polluting the system
logs with this error on systems that don't support rule priorities -
"--with-firewalld-zone" and "--without-firewalld-zone". A package
builder can use these to include/exclude the libvirt zone file in the
installation. If firewalld is enabled (--with-firewalld), the default
is --with-firewalld-zone, but it can be disabled during configure
(using --without-firewalld-zone). Targets that are using a firewalld
version too old to support the rule priority setting in the libvirt
zone file can simply add --without-firewalld-zone to their configure
commandline.

These switches only affect whether or not the libvirt zone file is
*installed* in /usr/lib/firewalld/zones, but have no effect on whether
or not libvirt looks for a zone called libvirt and tries to use it.

NB: firewalld zones can only be added to the permanent config of
firewalld, and won't be loaded/enabled until firewalld is restarted,
so at package install/upgrade time we have to restart firewalld. For
rpm-based distros, this is done in the libvirt.spec file by calling
the %firewalld_restart rpm macro, which is a part of the
firewalld-filesystem package. (For distros that don't use rpm
packages, the command "firewalld-cmd --reload" will have the same
effect).

Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/configure.ac b/configure.ac
index 808884f2f7af736980409f47f3d839142cb63b7b..4dcdd120699bf1c8e7da5c387ceee408ec1ac6db 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -246,6 +246,7 @@ LIBVIRT_ARG_CAPNG
 LIBVIRT_ARG_CURL
 LIBVIRT_ARG_DBUS
 LIBVIRT_ARG_FIREWALLD
+LIBVIRT_ARG_FIREWALLD_ZONE
 LIBVIRT_ARG_FUSE
 LIBVIRT_ARG_GLUSTER
 LIBVIRT_ARG_HAL
@@ -286,6 +287,7 @@ LIBVIRT_CHECK_DBUS
 LIBVIRT_CHECK_DEVMAPPER
 LIBVIRT_CHECK_DLOPEN
 LIBVIRT_CHECK_FIREWALLD
+LIBVIRT_CHECK_FIREWALLD_ZONE
 LIBVIRT_CHECK_FUSE
 LIBVIRT_CHECK_GLUSTER
 LIBVIRT_CHECK_GNUTLS
@@ -1000,6 +1002,7 @@ LIBVIRT_RESULT_CURL
 LIBVIRT_RESULT_DBUS
 LIBVIRT_RESULT_DLOPEN
 LIBVIRT_RESULT_FIREWALLD
+LIBVIRT_RESULT_FIREWALLD_ZONE
 LIBVIRT_RESULT_FUSE
 LIBVIRT_RESULT_GLUSTER
 LIBVIRT_RESULT_GNUTLS

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 879e315f49c0bff9ee23181a13af32e8ff190ee5..c0e538d92d4ca16ad8657a203399690c8ac61c41 100644 (file)
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -82,6 +82,7 @@
 %define with_sanlock       0%{!?_without_sanlock:0}
 %define with_numad         0%{!?_without_numad:0}
 %define with_firewalld     0%{!?_without_firewalld:0}
+%define with_firewalld_zone 0%{!?_without_firewalld_zone:0}
 %define with_libssh2       0%{!?_without_libssh2:0}
 %define with_wireshark     0%{!?_without_wireshark:0}
 %define with_libssh        0%{!?_without_libssh:0}
@@ -136,6 +137,11 @@
 
 %define with_firewalld 1
 
+%if 0%{?fedora} >= 30 || 0%{?rhel} > 7
+    %define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
+%endif
+
+
 # fuse is used to provide virtualized /proc for LXC
 %if %{with_lxc}
     %define with_fuse      0%{!?_without_fuse:1}
@@ -395,6 +401,10 @@ BuildRequires: rpcgen
 BuildRequires: libtirpc-devel
 %endif
 
+%if %{with_firewalld_zone}
+BuildRequires: firewalld-filesystem
+%endif
+
 Provides: bundled(gnulib)
 
 %description
@@ -1093,6 +1103,12 @@ exit 1
     %define arg_firewalld --without-firewalld
 %endif
 
+%if %{with_firewalld_zone}
+    %define arg_firewalld_zone --with-firewalld-zone
+%else
+    %define arg_firewalld_zone --without-firewalld-zone
+%endif
+
 %if %{with_wireshark}
     %define arg_wireshark --with-wireshark-dissector
 %else
@@ -1191,6 +1207,7 @@ rm -f po/stamp-po
            --with-dtrace \
            --with-driver-modules \
            %{?arg_firewalld} \
+           %{?arg_firewalld_zone} \
            %{?arg_wireshark} \
            --without-pm-utils \
            --with-nss-plugin \
@@ -1358,6 +1375,16 @@ if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
 fi
 rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
 
+%post daemon-driver-network
+%if %{with_firewalld}
+    %firewalld_reload
+%endif
+
+%postun daemon-driver-network
+%if %{with_firewalld}
+    %firewalld_reload
+%endif
+
 %post daemon-config-network
 if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; then
     # see if the network used by default network creates a conflict,
@@ -1596,6 +1623,10 @@ exit 0
 %attr(0755, root, root) %{_libexecdir}/libvirt_leaseshelper
 %{_libdir}/%{name}/connection-driver/libvirt_driver_network.so
 
+%if %{with_firewalld_zone}
+%{_prefix}/lib/firewalld/zones/libvirt.xml
+%endif
+
 %files daemon-driver-nodedev
 %{_libdir}/%{name}/connection-driver/libvirt_driver_nodedev.so
 

diff --git a/m4/virt-firewalld-zone.m4 b/m4/virt-firewalld-zone.m4
new file mode 100644 (file)
index 0000000..b67d1a0
--- /dev/null
+++ b/m4/virt-firewalld-zone.m4
@@ -0,0 +1,45 @@
+dnl firewalld_zone check - whether or not to install the firewall "libvirt" zone
+dnl
+dnl Copyright (C) 2019 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library.  If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([LIBVIRT_ARG_FIREWALLD_ZONE], [
+  LIBVIRT_ARG_WITH([FIREWALLD_ZONE], [Whether to install firewalld libvirt zone], [check])
+])
+
+AC_DEFUN([LIBVIRT_CHECK_FIREWALLD_ZONE], [
+  AC_REQUIRE([LIBVIRT_CHECK_FIREWALLD])
+  AC_MSG_CHECKING([for whether to install firewalld libvirt zone])
+
+  if test "x$with_firewalld_zone" = "xcheck" ; then
+    with_firewalld_zone=$with_firewalld
+  fi
+
+  if test "x$with_firewalld_zone" = "xyes" ; then
+    if test "x$with_firewalld" != "xyes" ; then
+      AC_MSG_ERROR([You must have firewalld support enabled to enable firewalld-zone])
+    fi
+    AC_DEFINE_UNQUOTED([WITH_FIREWALLD_ZONE], [1], [whether firewalld libvirt zone is installed])
+  fi
+
+  AM_CONDITIONAL([WITH_FIREWALLD_ZONE], [test "x$with_firewalld_zone" != "xno"])
+  AC_MSG_RESULT($with_firewalld_zone)
+])
+
+AC_DEFUN([LIBVIRT_RESULT_FIREWALLD_ZONE], [
+  LIBVIRT_RESULT([firewalld-zone], [$with_firewalld_zone])
+])

diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am
index 508c8c04227788ec0a4211b955f80dabbf175ded..cbaaa7ea68eb9a34cb6fdd08af600ea40d7cc050 100644 (file)
--- a/src/network/Makefile.inc.am
+++ b/src/network/Makefile.inc.am
@@ -87,6 +87,11 @@ install-data-network:
        ( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \
          rm -f default.xml && \
          $(LN_S) ../default.xml default.xml )
+if WITH_FIREWALLD_ZONE
+       $(MKDIR_P) "$(DESTDIR)$(prefix)/lib/firewalld/zones"
+       $(INSTALL_DATA) $(srcdir)/network/libvirt.zone \
+         $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
+endif WITH_FIREWALLD_ZONE
 
 uninstall-data-network:
        rm -f $(DESTDIR)$(confdir)/qemu/networks/autostart/default.xml
@@ -95,10 +100,13 @@ uninstall-data-network:
        rmdir "$(DESTDIR)$(confdir)/qemu/networks" || :
        rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||:
        rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||:
+if WITH_FIREWALLD_ZONE
+       rm -f  $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
+endif WITH_FIREWALLD_ZONE
 
 endif WITH_NETWORK
 
-EXTRA_DIST += network/default.xml
+EXTRA_DIST += network/default.xml network/libvirt.zone
 
 .PHONY: \
        install-data-network \

diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
new file mode 100644 (file)
index 0000000..bf81db1
--- /dev/null
+++ b/src/network/libvirt.zone
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>libvirt</short>
+
+  <description>
+    The default policy of "ACCEPT" allows all packets to/from
+    interfaces in the zone to be forwarded, while the (*low priority*)
+    reject rule blocks any traffic destined for the host, except those
+    services explicitly listed (that list can be modified as required
+    by the local admin). This zone is intended to be used only by
+    libvirt virtual networks - libvirt will add the bridge devices for
+    all new virtual networks to this zone by default.
+  </description>
+
+<rule priority='32767'>
+  <reject/>
+</rule>
+<service name='dhcp'/>
+<service name='dhcpv6'/>
+<service name='dns'/>
+<service name='ssh'/>
+<service name='tftp'/>
+</zone>