build: install a firewalld zone for shared mode

Install a NM-specific firewalld zone to be used for interfaces that
are used for connection sharing. The zone blocks all traffic to the
local machine except some protocols (DHCP, DNS and ICMP) and allows
all forwarded traffic.

Makefile.am

@@ -4903,6 +4903,11 @@ data/server.conf: $(srcdir)/data/server.conf.in
 	@$(MKDIR_P) data/
 	$(AM_V_GEN) $(data_edit) $< >$@
 
+if WITH_FIREWALLD_ZONE
+firewalldzonedir = $(prefix)/lib/firewalld/zones
+firewalldzone_DATA = data/nm-shared.xml
+endif
+
 EXTRA_DIST += \
 	data/84-nm-drivers.rules \
 	data/85-nm-unmanaged.rules \
@@ -4912,6 +4917,7 @@ EXTRA_DIST += \
 	data/NetworkManager-wait-online.service.in \
 	data/NetworkManager.service.in \
 	data/meson.build \
+	data/nm-shared.xml \
 	data/server.conf.in \
 	$(NULL)
 

config.h.meson

@@ -233,6 +233,9 @@
 /* Define if you have iwd support */
 #mesondefine WITH_IWD
 
+/* Define if NetworkManager uses a custom zone for shared mode */
+#mesondefine WITH_FIREWALLD_ZONE
+
 /* Define to 1 if on MINIX. */
 #mesondefine _MINIX
 

configure.ac

@@ -673,6 +673,18 @@ else
 fi
 AC_SUBST(NM_MODIFY_SYSTEM_POLICY)
 
+AC_ARG_ENABLE(firewalld-zone,
+              AS_HELP_STRING([--enable-firewalld-zone], [Install and use firewalld zone for shared mode]),
+              [enable_firewalld_zone=${enableval}],
+              [enable_firewalld_zone=yes])
+
+if test "${enable_firewalld_zone}" = "yes"; then
+	AC_DEFINE(WITH_FIREWALLD_ZONE, 1, [Define if NetworkManager uses a custom zone for shared mode])
+else
+	AC_DEFINE(WITH_FIREWALLD_ZONE, 0, [Define if NetworkManager uses a custom zone for shared mode])
+fi
+AM_CONDITIONAL(WITH_FIREWALLD_ZONE, test "${enable_firewalld_zone}" = "yes")
+
 PKG_CHECK_MODULES(GNUTLS, [gnutls >= 2.12], [have_crypto_gnutls=yes], [have_crypto_gnutls=no])
 PKG_CHECK_MODULES(NSS, [nss], [have_crypto_nss=yes], [have_crypto_nss=yes])
 if test "${have_crypto_nss}" = "yes"; then
@@ -1370,6 +1382,7 @@ echo "Miscellaneous:"
 echo "  have introspection: $have_introspection"
 echo "  build documentation and manpages: $build_docs"
 echo "  install pregenerated documentation and manpages: $use_pregen_docs"
+echo "  install and use firewalld shared zone: $enable_firewalld_zone"
 echo "  tests: $enable_tests"
 echo "  more-asserts: $more_asserts"
 echo "  more-logging: $enable_more_logging"

data/meson.build

@@ -67,3 +67,10 @@ if enable_polkit
     install_dir: polkit_gobject_policydir,
   )
 endif
+
+if enable_firewalld_zone
+  install_data(
+    'nm-shared.xml',
+    install_dir: join_paths(nm_prefix, 'lib', 'firewalld', 'zones')
+  )
+endif

data/nm-shared.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>NetworkManager Shared</short>
+
+  <description>
+    This zone is used internally by NetworkManager when activating a
+    profile that uses connection sharing and doesn't have an explicit
+    firewall zone set.
+    Block all traffic to the local machine except ICMP, ICMPv6, DHCP
+    and DNS. Allow all forwarded traffic.
+    Note that future package updates may change the definition of the
+    zone unless you overwrite it with your own definition.
+  </description>
+
+  <rule priority='32767'>
+    <reject/>
+  </rule>
+
+  <protocol value='icmp'/>
+  <protocol value='ipv6-icmp'/>
+  <service name="dhcp"/>
+  <service name="dns"/>
+</zone>

meson.build

@@ -550,6 +550,9 @@ endif
 dbus_interfaces_dir = dbus_dep.get_pkgconfig_variable('interfaces_dir',  define_variable: ['datadir', nm_datadir])
 dbus_system_bus_services_dir = dbus_dep.get_pkgconfig_variable('system_bus_services_dir', define_variable: ['datadir', nm_datadir])
 
+enable_firewalld_zone = get_option('firewalld_zone')
+config_h.set10('WITH_FIREWALLD_ZONE', enable_firewalld_zone)
+
 # pppd
 enable_ppp = get_option('ppp')
 if enable_ppp
@@ -1028,6 +1031,7 @@ output += '\n'
 output += '\nMiscellaneous:\n'
 output += '  have introspection: ' + enable_introspection.to_string() + '\n'
 output += '  build documentation and manpages: ' + enable_docs.to_string() + '\n'
+output += '  firewalld zone for shared mode: ' + enable_firewalld_zone.to_string() + '\n'
 # FIXME
 #output += '  install pregenerated documentation and manpages: no
 output += '  tests: ' + tests + '\n'

meson_options.txt

@@ -62,6 +62,7 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
+option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'all', description: 'Enable more assertions for debugging (0 = none, 100 = all, default: all)')
 option('more_logging', type: 'boolean', value: true, description: 'Enable more debug logging')
 option('valgrind', type: 'array', value: ['no'], description: 'Use valgrind to memory-check the tests')