authorBeniamino Galvani <bgalvani@redhat.com>2020-05-08 09:09:25 +0200
committerBeniamino Galvani <bgalvani@redhat.com>2020-05-15 19:06:24 +0200
commitc8b5bf402d20077a73c15d55fc90c26e97119711 (patch)
tree846e71c73745e74f68e20a5bcb44e231ff460e85
parentfb0d59689c0d55c3592129c1161772550df79073 (diff)
downloadNetworkManager-c8b5bf402d20077a73c15d55fc90c26e97119711.tar.gz
build: install a firewalld zone for shared mode
Install an NM-specific firewalld zone for interfaces used for connection sharing. The zone blocks all traffic to the local machine except some protocols (DHCP, DNS and ICMP) and allows all forwarded traffic.
-rw-r--r--Makefile.am6
-rw-r--r--config.h.meson3
-rw-r--r--configure.ac13
-rw-r--r--data/meson.build7
-rw-r--r--data/nm-shared.xml23
-rw-r--r--meson.build4
-rw-r--r--meson_options.txt1
7 files changed, 57 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index d8cd32fab9..ae3f1fc006 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4903,6 +4903,11 @@ data/server.conf: $(srcdir)/data/server.conf.in
@$(MKDIR_P) data/
$(AM_V_GEN) $(data_edit) $< >$@
+if WITH_FIREWALLD_ZONE
+firewalldzonedir = $(prefix)/lib/firewalld/zones
+firewalldzone_DATA = data/nm-shared.xml
+endif
+
EXTRA_DIST += \
data/84-nm-drivers.rules \
data/85-nm-unmanaged.rules \
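Review bot: `firewalldzonedir = $(prefix)/lib/firewalld/zones` derives the install location from NetworkManager's own prefix, but firewalld loads vendor zones from its own compiled-in directory (normally /usr/lib/firewalld/zones), so a build with any prefix other than /usr installs nm-shared.xml where firewalld never reads it and the zone silently does not exist at runtime. Because the zone is a firewall policy, a silent miss here presumably leaves shared-mode interfaces in whatever zone firewalld applies by default, which may not block traffic to the local machine the way the description promises. Consider making the directory overridable at configure time (a variable defaulting to the current value) and printing the chosen directory in the configure summary so packagers can see the mismatch. `data/meson.build` computes the same path with `join_paths(nm_prefix, 'lib', 'firewalld', 'zones')` and has the same issue.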
@@ -4912,6 +4917,7 @@ EXTRA_DIST += \
data/NetworkManager-wait-online.service.in \
data/NetworkManager.service.in \
data/meson.build \
+ data/nm-shared.xml \
data/server.conf.in \
$(NULL)
diff --git a/config.h.meson b/config.h.meson
index 009c635da4..b421ee1e71 100644
--- a/config.h.meson
+++ b/config.h.meson
@@ -233,6 +233,9 @@
/* Define if you have iwd support */
#mesondefine WITH_IWD
+/* Define if NetworkManager uses a custom zone for shared mode */
+#mesondefine WITH_FIREWALLD_ZONE
+
/* Define to 1 if on MINIX. */
#mesondefine _MINIX
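Review bot: The comment `/* Define if NetworkManager uses a custom zone for shared mode */` describes an ifdef-style macro, but `config_h.set10` in meson.build and both `AC_DEFINE` branches in configure.ac always define WITH_FIREWALLD_ZONE, to 1 or to 0, so a consumer testing it with `#ifdef` would see the feature as enabled on every build. Suggest wording it as `/* Define to 1 if NetworkManager uses a custom firewalld zone for shared mode, 0 otherwise (test with #if, not #ifdef) */` here, and likewise in the two AC_DEFINE descriptions in configure.ac.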
diff --git a/configure.ac b/configure.ac
index 960f957afd..5b11a13b76 100644
--- a/configure.ac
+++ b/configure.ac
@@ -673,6 +673,18 @@ else
fi
AC_SUBST(NM_MODIFY_SYSTEM_POLICY)
+AC_ARG_ENABLE(firewalld-zone,
+ AS_HELP_STRING([--enable-firewalld-zone], [Install and use firewalld zone for shared mode]),
+ [enable_firewalld_zone=${enableval}],
+ [enable_firewalld_zone=yes])
+
+if test "${enable_firewalld_zone}" = "yes"; then
+ AC_DEFINE(WITH_FIREWALLD_ZONE, 1, [Define if NetworkManager uses a custom zone for shared mode])
+else
+ AC_DEFINE(WITH_FIREWALLD_ZONE, 0, [Define if NetworkManager uses a custom zone for shared mode])
+fi
+AM_CONDITIONAL(WITH_FIREWALLD_ZONE, test "${enable_firewalld_zone}" = "yes")
+
PKG_CHECK_MODULES(GNUTLS, [gnutls >= 2.12], [have_crypto_gnutls=yes], [have_crypto_gnutls=no])
PKG_CHECK_MODULES(NSS, [nss], [have_crypto_nss=yes], [have_crypto_nss=yes])
if test "${have_crypto_nss}" = "yes"; then
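Review bot: `[enable_firewalld_zone=${enableval}]` stores the raw argument and the later tests compare it only against `yes`, so `--enable-firewalld-zone=true` or any typo quietly disables the zone while the configure summary still prints the odd value. Since disabling this option weakens the default firewall posture of shared mode, it is worth failing loudly instead, e.g. `[AS_CASE([$enableval], [yes|no], [enable_firewalld_zone=$enableval], [AC_MSG_ERROR([bad value $enableval for --enable-firewalld-zone])])],` in place of the current action-if-given. Other options in this file may follow the same loose pattern (not visible in this hunk), in which case consistency with them may be preferred.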
@@ -1370,6 +1382,7 @@ echo "Miscellaneous:"
echo " have introspection: $have_introspection"
echo " build documentation and manpages: $build_docs"
echo " install pregenerated documentation and manpages: $use_pregen_docs"
+echo " install and use firewalld shared zone: $enable_firewalld_zone"
echo " tests: $enable_tests"
echo " more-asserts: $more_asserts"
echo " more-logging: $enable_more_logging"
diff --git a/data/meson.build b/data/meson.build
index de08c91c62..b713a03c5a 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -67,3 +67,10 @@ if enable_polkit
install_dir: polkit_gobject_policydir,
)
endif
+
+if enable_firewalld_zone
+ install_data(
+ 'nm-shared.xml',
+ install_dir: join_paths(nm_prefix, 'lib', 'firewalld', 'zones')
+ )
+endif
diff --git a/data/nm-shared.xml b/data/nm-shared.xml
new file mode 100644
index 0000000000..0dea5dd6ee
--- /dev/null
+++ b/data/nm-shared.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+ <short>NetworkManager Shared</short>
+
+ <description>
+ This zone is used internally by NetworkManager when activating a
+ profile that uses connection sharing and doesn't have an explicit
+ firewall zone set.
+ Block all traffic to the local machine except ICMP, ICMPv6, DHCP
+ and DNS. Allow all forwarded traffic.
+ Note that future package updates may change the definition of the
+ zone unless you overwrite it with your own definition.
+ </description>
+
+ <rule priority='32767'>
+ <reject/>
+ </rule>
+
+ <protocol value='icmp'/>
+ <protocol value='ipv6-icmp'/>
+ <service name="dhcp"/>
+ <service name="dns"/>
+</zone>
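Review bot: The zone's behaviour relies on a non-obvious combination that the file does not explain: `target="ACCEPT"` is what lets forwarded traffic through, while the `<rule priority='32767'><reject/></rule>` rich rule, at the lowest possible priority, rejects whatever traffic to the local machine the protocol and service entries listed after it have not already accepted. A reader seeing only the target could assume the host itself is wide open, so a comment next to the rule such as `<!-- lowest priority: rejects all traffic to the local machine not accepted by the protocol/service entries below; target=ACCEPT is still needed so forwarded traffic passes -->` would help (this reflects how rich-rule priorities and zone targets appear to interact; confirm against the firewalld version you target). Rich-rule priorities are a relatively recent firewalld feature (as far as I know introduced in 0.7.0), so the minimum firewalld version should be stated in the description or in the package dependencies; an older firewalld would not honour the ordering and might reject the attribute altogether, leaving the host-facing block absent.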
diff --git a/meson.build b/meson.build
index a2d925a7e5..e2c83d2b57 100644
--- a/meson.build
+++ b/meson.build
@@ -550,6 +550,9 @@ endif
dbus_interfaces_dir = dbus_dep.get_pkgconfig_variable('interfaces_dir', define_variable: ['datadir', nm_datadir])
dbus_system_bus_services_dir = dbus_dep.get_pkgconfig_variable('system_bus_services_dir', define_variable: ['datadir', nm_datadir])
+enable_firewalld_zone = get_option('firewalld_zone')
+config_h.set10('WITH_FIREWALLD_ZONE', enable_firewalld_zone)
+
# pppd
enable_ppp = get_option('ppp')
if enable_ppp
@@ -1028,6 +1031,7 @@ output += '\n'
output += '\nMiscellaneous:\n'
output += ' have introspection: ' + enable_introspection.to_string() + '\n'
output += ' build documentation and manpages: ' + enable_docs.to_string() + '\n'
+output += ' firewalld zone for shared mode: ' + enable_firewalld_zone.to_string() + '\n'
# FIXME
#output += ' install pregenerated documentation and manpages: no
output += ' tests: ' + tests + '\n'
diff --git a/meson_options.txt b/meson_options.txt
index 041d9bfc38..a5c6a22fb0 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -62,6 +62,7 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
option('docs', type: 'boolean', value: false, description: 'use to build documentation')
option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
+option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
option('more_asserts', type: 'string', value: 'all', description: 'Enable more assertions for debugging (0 = none, 100 = all, default: all)')
option('more_logging', type: 'boolean', value: true, description: 'Enable more debug logging')
option('valgrind', type: 'array', value: ['no'], description: 'Use valgrind to memory-check the tests')