diff --git a/iptables/firewalld.go b/iptables/firewalld.go
index f7bf1db6e7..a26305f05a 100644
--- a/iptables/firewalld.go
+++ b/iptables/firewalld.go
@@ -165,3 +165,56 @@ func Passthrough(ipv IPV, args ...string) ([]byte, error) {
 }
 return []byte(output), nil
 }
+
+// AddInterfaceFirewalld adds the interface to the trusted zone
+func AddInterfaceFirewalld(intf string) error {
+ zone := "trusted"
+ var intfs []string
+ // Check if interface is already added of the zone
+ if err := connection.sysobj.Call(dbusInterface+".zone.getInterfaces", 0, zone).Store(&intfs); err != nil {
+ return err
+ }
+ // Return if interface is already part of the zone
+ if contains(intfs, intf) {
+ logrus.Infof("Firewalld: interface %s already part of %s zone, returning", intf, zone)
+ return nil
+ }
+
+ logrus.Debugf("Firewalld: adding %s interface to %s zone", intf, zone)
+ var output string
+ if err := connection.sysobj.Call(dbusInterface+".zone.addInterface", 0, zone, intf).Store(&output); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// DelInterfaceFirewalld removes the interface from the trusted zone
+func DelInterfaceFirewalld(intf string) error {
+ zone := "trusted"
+ var intfs []string
+ // Check if interface is already added of the zone
+ if err := connection.sysobj.Call(dbusInterface+".zone.getInterfaces", 0, zone).Store(&intfs); err != nil {
+ return err
+ }
+ // Remove interface if it exists
+ if !contains(intfs, intf) {
+ return fmt.Errorf("Firewalld: unable to find interface %s in %s zone", intf, zone)
+ }
+
+ logrus.Debugf("Firewalld: removing %s interface from %s zone", intf, zone)
+ var output string
+ if err := connection.sysobj.Call(dbusInterface+".zone.removeInterface", 0, zone, intf).Store(&output); err != nil {
+ return err
+ }
+ return nil
+}
+
+func contains(list []string, val string) bool {
+ for _, v := range list {
+ if v == val {
+ return true
+ }
+ }
+ return false
+}
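Review bot: Both new functions hard-code the zone as `zone := "trusted"` and their doc comments do not say what that implies; firewalld's trusted zone accepts all traffic on an interface, so a reader of ProgramChain should be told that enabling a bridge removes firewalld's own filtering from it. Hoist the string to a package-level `const firewalldZone = "trusted"` and document it on AddInterfaceFirewalld as `// AddInterfaceFirewalld adds intf to firewalld's "trusted" zone, which accepts all traffic on the interface; filtering is then left to the iptables rules this package programs.` (mirrored on DelInterfaceFirewalld). The D-Bus errors are returned bare (`return err` after each `.Call(...).Store(...)`), so a caller cannot tell whether getInterfaces or addInterface/removeInterface failed; wrapping them as `fmt.Errorf("Firewalld: getting interfaces of %s zone: %w", zone, err)` (or `%v` if the module predates Go 1.13) would fix that. Both functions also dereference `connection.sysobj` without checking it is set; if `connection` can be nil when firewalld is not running (its initialization is outside the hunk), these exported functions should guard against that themselves rather than rely on every caller checking `firewalldRunning` first.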
diff --git a/iptables/iptables.go b/iptables/iptables.go
index 5523c4858c..bd262eb86c 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -146,6 +146,19 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) err
 return errors.New("Could not program chain, missing chain name")
 }
 
+ // Either add or remove the interface from the firewalld zone
+ if firewalldRunning {
+ if enable {
+ if err := AddInterfaceFirewalld(bridgeName); err != nil {
+ return err
+ }
+ } else {
+ if err := DelInterfaceFirewalld(bridgeName); err != nil {
+ return err
+ }
+ }
+ }
+
 switch c.Table {
 case Nat:
 preroute := []string{
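Review bot: The disable path returns DelInterfaceFirewalld's error before reaching the iptables teardown in the switch below, and that function fails whenever the interface is no longer in the zone (its `unable to find interface` error); after a firewalld reload or restart that has already dropped the interface, `ProgramChain(c, bridgeName, hairpinMode, false)` would therefore leave the bridge's iptables rules in place. The not-found case should be treated as already done on the disable path, for example by logging it and continuing instead of `return err`, or by having DelInterfaceFirewalld return nil for it. On the enable path the interface is placed in the trusted zone before any iptables rule is programmed, so a failure later in ProgramChain leaves the interface trusted by firewalld with none of this package's rules applied; moving the zone change after the rules succeed, or removing the interface from the zone on error, would close that window. ProgramChain's body continues outside the hunk on both sides.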