From 819520466a4dc5828ec5ad03181c68ee35dffca6 Mon Sep 17 00:00:00 2001
From: Veiko Aasa
Date: Mon, 5 Oct 2020 13:53:49 +0300
Subject: [PATCH] container: Assign virtual network interface to trusted firewall zone
If firewalld is running, the virtual network interface created by systemd-nspawn gets assigned to the home zone by default. Because of this, DHCP server is not availabe for the container and most of the incoming ports are closed.
This commit assigns the network interface created by systemd-nspawn to the trusted network zone if firewalld is running, so that all network connections are accepted.
Signed-off-by: Veiko Aasa veiko17@disroot.org
Reviewed-by: Sunil Mohan Adapa
---
 container | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/container b/container
index 72d565845..5ebf08bce 100755
--- a/container
+++ b/container
@@ -480,6 +480,7 @@ def _setup_nm_connection(distribution):
 'connection.type': '802-3-ethernet',
 'connection.interface-name': _get_interface_name(distribution),
 'connection.autoconnect': 'yes',
+ 'connection.zone': 'trusted',
 'ipv4.method': 'shared',
 }
 subprocess.run(['sudo', 'nmcli', 'connection', 'add'] +
@@ -695,6 +696,11 @@ def _destroy(distribution):
 except FileNotFoundError:
 pass
+ connection_name = f'fbx-{distribution}-shared'
+ logger.info('Removing Network Manager connection %s', connection_name)
+ subprocess.run(['sudo', 'nmcli', 'connection', 'delete', connection_name],
+ stdout=subprocess.DEVNULL)
+
 logger.info('Keeping downloaded image: %s',
 _get_compressed_image_path(distribution))
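Review bot: The added `'connection.zone': 'trusted'` entry puts the container's interface in the firewalld zone that accepts every connection, so any service listening on the host becomes reachable from the container, not only the DHCP server that `ipv4.method: shared` relies on. That is wider than the problem the commit message describes; a dedicated zone that allows only what the shared connection needs would keep the rest of the host closed to the container. If `trusted` is a deliberate choice for a development container, record it next to the entry, e.g. `# 'trusted' accepts all traffic from the container; chosen so DHCP on the shared connection works under firewalld`. `_setup_nm_connection` starts and ends outside the hunk, so the rest of the connection settings are not visible here.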
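Review bot: The exit status of `nmcli connection delete` is discarded in the added `subprocess.run` call in `_destroy`, so a failed delete is logged as "Removing …" and then silently ignored, leaving behind a profile that still maps the interface name to the `trusted` zone. The surrounding code treats cleanup as best-effort, so a warning fits better than an exception: keep the result with `result = subprocess.run([...], stdout=subprocess.DEVNULL, check=False)` and add `if result.returncode: logger.warning('Could not remove Network Manager connection %s', connection_name)`. The name `f'fbx-{distribution}-shared'` is presumably also built in `_setup_nm_connection`, which is only partly visible; a small shared helper would keep the two from drifting apart. `_destroy` continues outside the hunk.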