Support masquerading on the libvirt firewall zone.

bogdando · bogdando · commit 46a1bcdcfc6a · 2025-10-23T10:32:20.000+02:00
Defaults to False. May be useful in hybrid setups, where BMO deploys
EDPM nodes, and virtual-media traffic needs to traverse from OCP to
IPMI and back.

Signed-off-by: Bohdan Dobrelia &lt;bdobreli@redhat.com&gt;
diff --git a/roles/libvirt_manager/README.md b/roles/libvirt_manager/README.md
@@ -41,6 +41,7 @@ Used for checking if:
 * `cifmw_libvirt_manager_firewalld_zone_libvirt_forward`: (Bool) Enable forwarding in the libvirt firewall zone. Defaults to: `true`
 * `cifmw_libvirt_manager_firewalld_default_zone`: (String) Name of the default firewall zone. Defaults to `public`.
 * `cifmw_libvirt_manager_firewalld_default_zone_masquerade`: (Bool) Enable masquerading on the default firewall zone. Defaults to `true`.
+* `cifmw_libvirt_manager_firewalld_libvirt_zone_masquerade`: (Bool) Enable masquerading on the `libvirt` firewall zone. Defaults to `false`. May be useful in hybrid setups, where BMO deploys EDPM nodes, and virtual-media traffic needs to traverse from OCP to IPMI and back.
 * `cifmw_libvirt_manager_attach_dummy_interface_on_bridges`: (Bool) Attach dummy interface on bridges. Defaults to `true`.
 * `cifmw_libvirt_manager_default_gw_nets`: (List[String]) List of networks used as default gateway. If not set, defaults to the `cifmw_libvirt_manager_pub_net`. Read bellow for more information about that parameter.
 * `cifmw_libvirt_manager_vm_users`: (List[Dict]) Used to override the default list of users enabled in the vm. For its format, refers to cloud-init [documentation](https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups) about `users`. Defaults to `[]`.
diff --git a/roles/libvirt_manager/defaults/main.yml b/roles/libvirt_manager/defaults/main.yml
@@ -84,6 +84,7 @@ cifmw_libvirt_manager_spineleaf_setup: false
 cifmw_libvirt_manager_firewalld_zone_libvirt_forward: true
 cifmw_libvirt_manager_firewalld_default_zone: public
 cifmw_libvirt_manager_firewalld_default_zone_masquerade: true
+cifmw_libvirt_manager_firewalld_libvirt_zone_masquerade: false
 cifmw_libvirt_manager_attach_dummy_interface_on_bridges: true
 cifmw_libvirt_manager_extra_network_configuration: {}
 
diff --git a/roles/libvirt_manager/tasks/clean_layout.yml b/roles/libvirt_manager/tasks/clean_layout.yml
@@ -200,6 +200,16 @@
         immediate: true
         state: enabled
 
+    - name: Disable masquerade in firewalld libvirt zone
+      when: cifmw_libvirt_manager_firewalld_libvirt_zone_masquerade | bool
+      become: true
+      ansible.posix.firewalld:
+        masquerade: false
+        zone: "libvirt"
+        permanent: true
+        immediate: true
+        state: enabled
+
     - name: Disable forward in firewalld libvirt zone
       become: true
       notify: Restart firewalld
diff --git a/roles/libvirt_manager/tasks/deploy_layout.yml b/roles/libvirt_manager/tasks/deploy_layout.yml
@@ -23,6 +23,16 @@
     immediate: true
     state: enabled
 
+- name: Enable masquerading for libvirt traffic
+  when: cifmw_libvirt_manager_firewalld_libvirt_zone_masquerade | default(false) | bool
+  become: true
+  ansible.posix.firewalld:
+    masquerade: true
+    zone: "libvirt"
+    permanent: true
+    immediate: true
+    state: enabled
+
 - name: Ensure firewalld is restarts
   ansible.builtin.meta: flush_handlers
 
diff --git a/roles/libvirt_manager/tasks/ocp_layout.yml b/roles/libvirt_manager/tasks/ocp_layout.yml
@@ -11,13 +11,25 @@
 - name: Enable masquerading for public traffic
   when: cifmw_libvirt_manager_firewalld_default_zone_masquerade | default(true) | bool
   become: true
+  notify: Restart firewalld
   ansible.posix.firewalld:
     masquerade: true
     zone: "{{ cifmw_libvirt_manager_firewalld_default_zone }}"
     permanent: true
     immediate: true
     state: enabled
 
+- name: Enable masquerading for libvirt traffic
+  when: cifmw_libvirt_manager_firewalld_libvirt_zone_masquerade | default(false) | bool
+  become: true
+  notify: Restart firewalld
+  ansible.posix.firewalld:
+    masquerade: true
+    zone: "libvirt"
+    permanent: true
+    immediate: true
+    state: enabled
+
 - name: Manage virtual resources
   vars:
     cifmw_libvirt_manager_storage_pool: >-
