root / manifests / rules / qemu.pp @ c94658e1
Historique | Voir | Annoter | Télécharger (4,13 ko)
| 1 |
# @summary Bridged network configuration for qemu/libvirt |
|---|---|
| 2 |
# |
| 3 |
# This class configures the typical firewall setup that libvirt |
| 4 |
# creates. Depending on your requirements you can switch on and off |
| 5 |
# several aspects, for instance if you don't do DHCP to your guests |
| 6 |
# you can disable the rules that accept DHCP traffic on the host or if |
| 7 |
# you don't want your guests to talk to hosts outside you can disable |
| 8 |
# forwarding and/or masquerading for IPv4 traffic. |
| 9 |
# |
| 10 |
# @param interface |
| 11 |
# Interface name used by the bridge. |
| 12 |
# |
| 13 |
# @param network_v4 |
| 14 |
# The IPv4 network prefix used in the virtual network. |
| 15 |
# |
| 16 |
# @param network_v6 |
| 17 |
# The IPv6 network prefix used in the virtual network. |
| 18 |
# |
| 19 |
# @param dns |
| 20 |
# Allow DNS traffic from the guests to the host. |
| 21 |
# |
| 22 |
# @param dhcpv4 |
| 23 |
# Allow DHCPv4 traffic from the guests to the host. |
| 24 |
# |
| 25 |
# @param forward_traffic |
| 26 |
# Allow forwarded traffic (out all, in related/established) |
| 27 |
# generated by the virtual network. |
| 28 |
# |
| 29 |
# @param internal_traffic |
| 30 |
# Allow guests in the virtual network to talk to each other. |
| 31 |
# |
| 32 |
# @param masquerade |
| 33 |
# Do NAT masquerade on all IPv4 traffic generated by guests |
| 34 |
# to external networks. |
| 35 |
class nftables::rules::qemu ( |
| 36 |
String[1] $interface = 'virbr0', |
| 37 |
Stdlib::IP::Address::V4::CIDR $network_v4 = '192.168.122.0/24', |
| 38 |
Optional[Stdlib::IP::Address::V6::CIDR] $network_v6 = undef, |
| 39 |
Boolean $dns = true, |
| 40 |
Boolean $dhcpv4 = true, |
| 41 |
Boolean $forward_traffic = true, |
| 42 |
Boolean $internal_traffic = true, |
| 43 |
Boolean $masquerade = true, |
| 44 |
) {
|
| 45 |
if $dns {
|
| 46 |
nftables::rule {
|
| 47 |
'default_in-qemu_udp_dns': |
| 48 |
content => "iifname \"${interface}\" udp dport 53 accept";
|
| 49 |
'default_in-qemu_tcp_dns': |
| 50 |
content => "iifname \"${interface}\" tcp dport 53 accept";
|
| 51 |
} |
| 52 |
} |
| 53 |
|
| 54 |
if $dhcpv4 {
|
| 55 |
nftables::rule {
|
| 56 |
'default_in-qemu_dhcpv4': |
| 57 |
content => "iifname \"${interface}\" meta l4proto udp udp dport 67 accept";
|
| 58 |
# The rule below is created by libvirt. It should not be necessary here |
| 59 |
# as it should be accepted by the conntrack rules in OUTPUT. |
| 60 |
#'default_out-qemu_dhcpv4': |
| 61 |
# content => "oifname \"${interface}\" meta l4proto udp udp dport 68 accept";
|
| 62 |
} |
| 63 |
} |
| 64 |
|
| 65 |
if $forward_traffic {
|
| 66 |
nftables::rule {
|
| 67 |
'default_fwd-qemu_oip_v4': |
| 68 |
content => "oifname \"${interface}\" ip daddr ${network_v4} ct state related,established accept";
|
| 69 |
'default_fwd-qemu_iip_v4': |
| 70 |
content => "iifname \"${interface}\" ip saddr ${network_v4} accept";
|
| 71 |
} |
| 72 |
if $network_v6 {
|
| 73 |
nftables::rule {
|
| 74 |
'default_fwd-qemu_oip_v6': |
| 75 |
content => "oifname \"${interface}\" ip6 daddr ${network_v6} ct state related,established accept";
|
| 76 |
'default_fwd-qemu_iip_v6': |
| 77 |
content => "iifname \"${interface}\" ip6 saddr ${network_v6} accept";
|
| 78 |
} |
| 79 |
} |
| 80 |
} |
| 81 |
|
| 82 |
if $internal_traffic {
|
| 83 |
nftables::rule {
|
| 84 |
'default_fwd-qemu_io_internal': |
| 85 |
content => "iifname \"${interface}\" oifname \"${interface}\" accept",
|
| 86 |
} |
| 87 |
} |
| 88 |
|
| 89 |
# Libvirt rejects all the remaining forwarded traffic passing |
| 90 |
# through the virtual interface. This is not necessary here because |
| 91 |
# of the default policy in default_fwd. |
| 92 |
|
| 93 |
if $masquerade {
|
| 94 |
nftables::rule {
|
| 95 |
'POSTROUTING-qemu_ignore_multicast': |
| 96 |
table => 'ip-nat', |
| 97 |
content => "ip saddr ${network_v4} ip daddr 224.0.0.0/24 return";
|
| 98 |
'POSTROUTING-qemu_ignore_broadcast': |
| 99 |
table => 'ip-nat', |
| 100 |
content => "ip saddr ${network_v4} ip daddr 255.255.255.255 return";
|
| 101 |
'POSTROUTING-qemu_masq_tcp': |
| 102 |
table => 'ip-nat', |
| 103 |
content => "meta l4proto tcp ip saddr ${network_v4} ip daddr != ${network_v4} masquerade to :1024-65535";
|
| 104 |
'POSTROUTING-qemu_masq_udp': |
| 105 |
table => 'ip-nat', |
| 106 |
content => "meta l4proto udp ip saddr ${network_v4} ip daddr != ${network_v4} masquerade to :1024-65535";
|
| 107 |
'POSTROUTING-qemu_masq_ip': |
| 108 |
table => 'ip-nat', |
| 109 |
content => "ip saddr ${network_v4} ip daddr != ${network_v4} masquerade";
|
| 110 |
} |
| 111 |
} |
| 112 |
} |