# *** Setup KVM/Libvirt Part 1
# Add at the beginning of /etc/firehol/firehol.conf
#
# Only when environment variable is set
# NAT rules are prepared by libvirt, we just need to take care about not blocking traffic
#
#  Project URL: https://github.com/sd2k9/documentation

# Set mode to accurate when KVM features are requested
# As described in linux/kvm_qemu.md
if [[ "$FIREHOL_USER_FEATURES" =~ ^kvm ]]; then
   FIREHOL_RULESET_MODE="accurate"
fi

# *** Setup KVM/Libvirt Part 2
# Add at the end of /etc/firehol/firehol.conf
#
# Only when environment variable is set
# NAT rules are prepared by libvirt, we just need to take care about not blocking traffic
#
#  Project URL: https://github.com/sd2k9/documentation

if [[ "$FIREHOL_USER_FEATURES" =~ ^kvm ]]; then
  # Bridge Interface, runs an DNS+DHCP server and should allow ping
  # Special DHCP, which is broadcast
  interface4 virbr+ KvmDhcp
    policy return
    # Not working out of whatever reason: server dhcp accept
    # Define service entry manually
    server custom virdhcp udp/67 68 accept

  # All other traffic must match the interface definition
  interface4 virbr+ KvmOtherOut src 192.168.122.96 dst 192.168.122.1
    # The default policy is DROP. You can be more polite with REJECT.
    policy reject

    # The following means that this machine can REQUEST anything via this interface
    client all accept

    # Server for ping, DNS, SSH
    server icmp accept
    server dns accept
    # server ssh accept

    # Enabling interface protection
    protection strong 10/sec 10

    if [[ "$FIREHOL_USER_FEATURES" == "kvm-net" ]]; then
      # Route all traffic to the Internet
      router4 KvmRoute inface virbr+ outface "en+ wl+" src 192.168.122.96 dst not "${UNROUTABLE_IPS} 192.168.0.0/24"
        # Route traffic
        route all accept

        # Enable inface protection without burst limits
        protection reverse strong
        # Enabling outface protection
        protection reverse strong 10/sec 10
    fi
fi