root / manifests / rules / qemu.pp @ 0b2ccdda
Historique | Voir | Annoter | Télécharger (4,25 ko)
| 1 | cd2a3cbf | Nacho Barrientos | # @summary Bridged network configuration for qemu/libvirt |
|---|---|---|---|
| 2 | # |
||
| 3 | # This class configures the typical firewall setup that libvirt |
||
| 4 | # creates. Depending on your requirements you can switch on and off |
||
| 5 | # several aspects, for instance if you don't do DHCP to your guests |
||
| 6 | # you can disable the rules that accept DHCP traffic on the host or if |
||
| 7 | # you don't want your guests to talk to hosts outside you can disable |
||
| 8 | # forwarding and/or masquerading for IPv4 traffic. |
||
| 9 | # |
||
| 10 | # @param interface |
||
| 11 | # Interface name used by the bridge. |
||
| 12 | # |
||
| 13 | # @param network_v4 |
||
| 14 | # The IPv4 network prefix used in the virtual network. |
||
| 15 | # |
||
| 16 | # @param network_v6 |
||
| 17 | # The IPv6 network prefix used in the virtual network. |
||
| 18 | # |
||
| 19 | # @param dns |
||
| 20 | # Allow DNS traffic from the guests to the host. |
||
| 21 | # |
||
| 22 | # @param dhcpv4 |
||
| 23 | # Allow DHCPv4 traffic from the guests to the host. |
||
| 24 | # |
||
| 25 | # @param forward_traffic |
||
| 26 | # Allow forwarded traffic (out all, in related/established) |
||
| 27 | # generated by the virtual network. |
||
| 28 | # |
||
| 29 | # @param internal_traffic |
||
| 30 | # Allow guests in the virtual network to talk to each other. |
||
| 31 | # |
||
| 32 | # @param masquerade |
||
| 33 | # Do NAT masquerade on all IPv4 traffic generated by guests |
||
| 34 | # to external networks. |
||
| 35 | class nftables::rules::qemu ( |
||
| 36 | String[1] $interface = 'virbr0', |
||
| 37 | Stdlib::IP::Address::V4::CIDR $network_v4 = '192.168.122.0/24', |
||
| 38 | Optional[Stdlib::IP::Address::V6::CIDR] $network_v6 = undef, |
||
| 39 | Boolean $dns = true, |
||
| 40 | Boolean $dhcpv4 = true, |
||
| 41 | Boolean $forward_traffic = true, |
||
| 42 | Boolean $internal_traffic = true, |
||
| 43 | Boolean $masquerade = true, |
||
| 44 | ) {
|
||
| 45 | if $dns {
|
||
| 46 | nftables::rule {
|
||
| 47 | 'default_in-qemu_udp_dns': |
||
| 48 | content => "iifname \"${interface}\" udp dport 53 accept";
|
||
| 49 | 'default_in-qemu_tcp_dns': |
||
| 50 | content => "iifname \"${interface}\" tcp dport 53 accept";
|
||
| 51 | } |
||
| 52 | } |
||
| 53 | |||
| 54 | if $dhcpv4 {
|
||
| 55 | nftables::rule {
|
||
| 56 | 'default_in-qemu_dhcpv4': |
||
| 57 | content => "iifname \"${interface}\" meta l4proto udp udp dport 67 accept";
|
||
| 58 | # The rule below is created by libvirt. It should not be necessary here |
||
| 59 | # as it should be accepted by the conntrack rules in OUTPUT. |
||
| 60 | #'default_out-qemu_dhcpv4': |
||
| 61 | # content => "oifname \"${interface}\" meta l4proto udp udp dport 68 accept";
|
||
| 62 | } |
||
| 63 | } |
||
| 64 | |||
| 65 | if $forward_traffic {
|
||
| 66 | nftables::rule {
|
||
| 67 | 'default_fwd-qemu_oip_v4': |
||
| 68 | content => "oifname \"${interface}\" ip daddr ${network_v4} ct state related,established accept";
|
||
| 69 | 'default_fwd-qemu_iip_v4': |
||
| 70 | content => "iifname \"${interface}\" ip saddr ${network_v4} accept";
|
||
| 71 | } |
||
| 72 | if $network_v6 {
|
||
| 73 | nftables::rule {
|
||
| 74 | 'default_fwd-qemu_oip_v6': |
||
| 75 | content => "oifname \"${interface}\" ip6 daddr ${network_v6} ct state related,established accept";
|
||
| 76 | 'default_fwd-qemu_iip_v6': |
||
| 77 | content => "iifname \"${interface}\" ip6 saddr ${network_v6} accept";
|
||
| 78 | } |
||
| 79 | } |
||
| 80 | } |
||
| 81 | |||
| 82 | if $internal_traffic {
|
||
| 83 | nftables::rule {
|
||
| 84 | 'default_fwd-qemu_io_internal': |
||
| 85 | content => "iifname \"${interface}\" oifname \"${interface}\" accept",
|
||
| 86 | } |
||
| 87 | } |
||
| 88 | |||
| 89 | # Libvirt rejects all the remaining forwarded traffic passing |
||
| 90 | # through the virtual interface. This is not necessary here because |
||
| 91 | # of the default policy in default_fwd. |
||
| 92 | |||
| 93 | if $masquerade {
|
||
| 94 | nftables::rule {
|
||
| 95 | 'POSTROUTING-qemu_ignore_multicast': |
||
| 96 | fcb79d73 | Ben Morrice | table => "ip-${nftables::nat_table_name}",
|
| 97 | cd2a3cbf | Nacho Barrientos | content => "ip saddr ${network_v4} ip daddr 224.0.0.0/24 return";
|
| 98 | 'POSTROUTING-qemu_ignore_broadcast': |
||
| 99 | fcb79d73 | Ben Morrice | table => "ip-${nftables::nat_table_name}",
|
| 100 | cd2a3cbf | Nacho Barrientos | content => "ip saddr ${network_v4} ip daddr 255.255.255.255 return";
|
| 101 | 'POSTROUTING-qemu_masq_tcp': |
||
| 102 | fcb79d73 | Ben Morrice | table => "ip-${nftables::nat_table_name}",
|
| 103 | cd2a3cbf | Nacho Barrientos | content => "meta l4proto tcp ip saddr ${network_v4} ip daddr != ${network_v4} masquerade to :1024-65535";
|
| 104 | 'POSTROUTING-qemu_masq_udp': |
||
| 105 | fcb79d73 | Ben Morrice | table => "ip-${nftables::nat_table_name}",
|
| 106 | cd2a3cbf | Nacho Barrientos | content => "meta l4proto udp ip saddr ${network_v4} ip daddr != ${network_v4} masquerade to :1024-65535";
|
| 107 | 'POSTROUTING-qemu_masq_ip': |
||
| 108 | fcb79d73 | Ben Morrice | table => "ip-${nftables::nat_table_name}",
|
| 109 | cd2a3cbf | Nacho Barrientos | content => "ip saddr ${network_v4} ip daddr != ${network_v4} masquerade";
|
| 110 | } |
||
| 111 | } |
||
| 112 | } |