authorBeniamino Galvani <bgalvani@redhat.com>2020-05-05 10:54:10 +0200
committerBeniamino Galvani <bgalvani@redhat.com>2020-05-06 11:40:41 +0200
commit426f0b60ec12dab0b1df12b44e598a62c943c94c (patch)
tree88bfe075387df2a96e41efd9513328990525f779
parent05fd2a9272faf8a57116d1624e1a32b4aa9f2994 (diff)
core: install a firewalld zone for connection sharing (branch bg/shared-firewalld)
https://bugzilla.redhat.com/show_bug.cgi?id=1829637
-rw-r--r--Makefile.am6
-rw-r--r--config.h.meson3
-rw-r--r--configure.ac20
-rw-r--r--contrib/fedora/rpm/NetworkManager.spec1
-rw-r--r--data/meson.build7
-rw-r--r--data/nm-shared.xml20
-rw-r--r--meson.build4
-rw-r--r--meson_options.txt1
-rw-r--r--src/devices/nm-device.c13
9 files changed, 74 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 35564aa5c5..d8c2a00a0d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4893,6 +4893,11 @@ data/server.conf: $(srcdir)/data/server.conf.in
@$(MKDIR_P) data/
$(AM_V_GEN) $(data_edit) $< >$@
+if WITH_FIREWALLD_ZONE
+firewalldzonedir = $(prefix)/lib/firewalld/zones
+firewalldzone_DATA = data/nm-shared.xml
+endif
+
EXTRA_DIST += \
data/84-nm-drivers.rules \
data/85-nm-unmanaged.rules \
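Review bot: `firewalldzonedir = $(prefix)/lib/firewalld/zones` derives the install location from the build prefix, but as far as I know firewalld only scans its own fixed vendor directory (/usr/lib/firewalld/zones) plus /etc/firewalld, so a build with a non-/usr prefix installs a zone file firewalld never loads and sharing silently falls back to the default zone. The same hard-coded `join_paths(nm_prefix, 'lib', 'firewalld', 'zones')` appears in data/meson.build in this commit. Consider making the directory an explicit configure/meson option (or querying firewalld's pkg-config data if it exports one) rather than deriving it from `$(prefix)`.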
@@ -4902,6 +4907,7 @@ EXTRA_DIST += \
data/NetworkManager-wait-online.service.in \
data/NetworkManager.service.in \
data/meson.build \
+ data/nm-shared.xml \
data/server.conf.in \
$(NULL)
diff --git a/config.h.meson b/config.h.meson
index 009c635da4..bf093ea760 100644
--- a/config.h.meson
+++ b/config.h.meson
@@ -233,6 +233,9 @@
/* Define if you have iwd support */
#mesondefine WITH_IWD
+/* Define if NetworkManager should use a custom zone for shared mode */
+#mesondefine WITH_FIREWALLD_ZONE
+
/* Define to 1 if on MINIX. */
#mesondefine _MINIX
diff --git a/configure.ac b/configure.ac
index 3594f8312e..a04b816e40 100644
--- a/configure.ac
+++ b/configure.ac
@@ -673,6 +673,25 @@ else
fi
AC_SUBST(NM_MODIFY_SYSTEM_POLICY)
+AC_ARG_ENABLE(firewalld-zone,
+ AS_HELP_STRING([--enable-firewalld-zone], [Install and use firewalld zone for shared mode]),
+ [enable_firewalld_zone=${enableval}],
+ [enable_firewalld_zone=yes])
+
+if test "${enable_firewalld_zone}" = "yes"; then
+ AC_DEFINE(WITH_FIREWALLD_ZONE, 1, [Define if NetworkManager should use a custom zone for shared mode])
+else
+ AC_DEFINE(WITH_FIREWALLD_ZONE, 0, [Define if NetworkManager should use a custom zone for shared mode])
+fi
+AM_CONDITIONAL(WITH_FIREWALLD_ZONE, test "${enable_firewalld_zone}" = "yes")
+
+if test "${enable_modify_system}" = "yes"; then
+ NM_MODIFY_SYSTEM_POLICY="yes"
+else
+ NM_MODIFY_SYSTEM_POLICY="auth_admin_keep"
+fi
+
+
PKG_CHECK_MODULES(GNUTLS, [gnutls >= 2.12], [have_crypto_gnutls=yes], [have_crypto_gnutls=no])
PKG_CHECK_MODULES(NSS, [nss], [have_crypto_nss=yes], [have_crypto_nss=yes])
if test "${have_crypto_nss}" = "yes"; then
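Review bot: The `if test "${enable_modify_system}" = "yes"` block added at the end of this span duplicates the NM_MODIFY_SYSTEM_POLICY assignment that the hunk's leading context (`fi` followed by `AC_SUBST(NM_MODIFY_SYSTEM_POLICY)`) shows is already made immediately above; it recomputes the same value from the same variable and looks like a rebase leftover, so it should be dropped together with the two trailing blank lines. The WITH_FIREWALLD_ZONE handling itself is consistent: `AC_DEFINE` to 0 or 1 in both branches matches meson's `config_h.set10` and the `#if WITH_FIREWALLD_ZONE` test in nm-device.c, so the macro is always defined and `-Wundef` stays quiet.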
@@ -1362,6 +1381,7 @@ echo "Miscellaneous:"
echo " have introspection: $have_introspection"
echo " build documentation and manpages: $build_docs"
echo " install pregenerated documentation and manpages: $use_pregen_docs"
+echo " install and use firewalld shared zone: $enable_firewalld_zone"
echo " tests: $enable_tests"
echo " more-asserts: $more_asserts"
echo " more-logging: $enable_more_logging"
diff --git a/contrib/fedora/rpm/NetworkManager.spec b/contrib/fedora/rpm/NetworkManager.spec
index 5717d9d208..316638bb9b 100644
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@@ -930,6 +930,7 @@ fi
%{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
%{_datadir}/polkit-1/actions/*.policy
%{_prefix}/lib/udev/rules.d/*.rules
+%{_prefix}/lib/firewalld/zones/nm-shared.xml
# systemd stuff
%{systemd_dir}/NetworkManager.service
%{systemd_dir}/NetworkManager-wait-online.service
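Review bot: `%{_prefix}/lib/firewalld/zones/nm-shared.xml` is listed unconditionally, while the file is only installed when the firewalld-zone option is enabled (`WITH_FIREWALLD_ZONE` in Makefile.am, `enable_firewalld_zone` in data/meson.build); a build that turns the option off will fail in %files, so either pass the option explicitly in the spec's configure/meson invocation or guard the entry. The %files entry also drops a file into `%{_prefix}/lib/firewalld/zones` without this hunk showing who owns that directory; unless a dependency on the package that owns it (I believe firewalld-filesystem on Fedora) already exists elsewhere in the spec, add one so the directory is not left unowned on systems without firewalld.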
diff --git a/data/meson.build b/data/meson.build
index de08c91c62..b713a03c5a 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -67,3 +67,10 @@ if enable_polkit
install_dir: polkit_gobject_policydir,
)
endif
+
+if enable_firewalld_zone
+ install_data(
+ 'nm-shared.xml',
+ install_dir: join_paths(nm_prefix, 'lib', 'firewalld', 'zones')
+ )
+endif
diff --git a/data/nm-shared.xml b/data/nm-shared.xml
new file mode 100644
index 0000000000..25e9cd8636
--- /dev/null
+++ b/data/nm-shared.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+ <short>NM Shared</short>
+
+ <description>
+ Zone for NetworkManager connection sharing. Block all traffic to
+ the local machine except ICMPv6, DHCP, ICMPv6 and DNS. Allow all
+ forwarded traffic.
+ </description>
+
+ <rule priority='32767'>
+ <reject/>
+ </rule>
+
+ <protocol value='icmp'/>
+ <protocol value='ipv6-icmp'/>
+ <service name="dhcp"/>
+ <service name="dns"/>
+ <masquerade/>
+</zone>
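Review bot: The `<description>` lists ICMPv6 twice and omits plain ICMP, while the elements below allow both `icmp` and `ipv6-icmp`; it should read `the local machine except ICMP, ICMPv6, DHCP and DNS.` Since nm-device.c in this commit also selects this zone for the IPv6 shared method, the description should say whether IPv6 clients are expected to be configured purely via router advertisements (covered by `ipv6-icmp`) or whether a `<service name="dhcpv6"/>` entry is needed; I cannot tell from this file alone. Rich-rule `priority` attributes are only understood by newer firewalld releases, so if the project documents a minimum firewalld version, note it next to the `<rule priority='32767'>` line, because on an older firewalld the whole zone file fails to load and the interface lands in the default zone instead of being rejected-by-default.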
diff --git a/meson.build b/meson.build
index 9946e26779..be829f49e3 100644
--- a/meson.build
+++ b/meson.build
@@ -550,6 +550,9 @@ endif
dbus_interfaces_dir = dbus_dep.get_pkgconfig_variable('interfaces_dir', define_variable: ['datadir', nm_datadir])
dbus_system_bus_services_dir = dbus_dep.get_pkgconfig_variable('system_bus_services_dir', define_variable: ['datadir', nm_datadir])
+enable_firewalld_zone = get_option('firewalld_zone')
+config_h.set10('WITH_FIREWALLD_ZONE', enable_firewalld_zone)
+
# pppd
enable_ppp = get_option('ppp')
if enable_ppp
@@ -1028,6 +1031,7 @@ output += '\n'
output += '\nMiscellaneous:\n'
output += ' have introspection: ' + enable_introspection.to_string() + '\n'
output += ' build documentation and manpages: ' + enable_docs.to_string() + '\n'
+output += ' install and use firewalld shared zone: ' + enable_firewalld_zone.to_string() + '\n'
# FIXME
#output += ' install pregenerated documentation and manpages: no
output += ' tests: ' + tests + '\n'
diff --git a/meson_options.txt b/meson_options.txt
index 041d9bfc38..a5c6a22fb0 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -62,6 +62,7 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
option('docs', type: 'boolean', value: false, description: 'use to build documentation')
option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
+option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
option('more_asserts', type: 'string', value: 'all', description: 'Enable more assertions for debugging (0 = none, 100 = all, default: all)')
option('more_logging', type: 'boolean', value: true, description: 'Enable more debug logging')
option('valgrind', type: 'array', value: ['no'], description: 'Use valgrind to memory-check the tests')
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 27b1b600b1..cb255df1e1 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -10922,6 +10922,7 @@ fw_change_zone (NMDevice *self)
NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
NMConnection *applied_connection;
NMSettingConnection *s_con;
+ const char *zone;
nm_assert (priv->fw_state >= FIREWALL_STATE_INITIALIZED);
@@ -10939,9 +10940,19 @@ fw_change_zone (NMDevice *self)
if (G_UNLIKELY (!priv->fw_mgr))
priv->fw_mgr = g_object_ref (nm_firewall_manager_get ());
+ zone = nm_setting_connection_get_zone (s_con);
+#if WITH_FIREWALLD_ZONE
+ if (!zone || zone[0] == '\0') {
+ if ( nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET),
+ NM_SETTING_IP4_CONFIG_METHOD_SHARED)
+ || nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET6),
+ NM_SETTING_IP6_CONFIG_METHOD_SHARED))
+ zone = "nm-shared";
+ }
+#endif
priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_mgr,
nm_device_get_ip_iface (self),
- nm_setting_connection_get_zone (s_con),
+ zone,
FALSE, /* change zone */
fw_change_zone_cb,
self);
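Review bot: The override to `"nm-shared"` is silent: a device whose connection has no `connection.zone` is moved into a zone the user did not choose, and nothing in the hunk logs that decision, which makes firewall troubleshooting harder; add a debug-level log in the branch that assigns `zone`, and a short comment above the `#if`, such as `/* A shared connection must let DHCP/DNS reach the local machine; when no zone is configured, use the zone NetworkManager installs for this purpose. */`. Note that an explicitly configured zone always wins because the override only applies when `zone` is NULL or empty, which is the right precedence and worth stating in that comment. When the method later stops being shared, the same path passes the empty zone again, which I assume nm_firewall_manager_add_or_change_zone treats as "default zone" — confirm, since that behavior is outside this hunk. fw_change_zone starts before this hunk and its body continues past it.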