Restrict outbound traffic in exam-mode

roles/lmn_exam/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 exam_mode: true
+exam_teacherpc_last_digit: 80

roles/lmn_exam/tasks/main.yml

@@ -50,6 +50,25 @@
     - pam-exec.sh
     - rmexam
 
+- name: Append teacherPC to exam_destination_allowed_ipv4 addresses
+  ansible.builtin.set_fact:
+    exam_destination_allowed_ipv4: "{{ exam_destination_allowed_ipv4 + [ ansible_default_ipv4.address[:-1] ~ exam_teacherpc_last_digit ] }}"
+  when:
+    - exam_destination_allowed_ipv4 is defined
+    - exam_destination_allowed_ipv4 | length > 0
+
+- name: Install no-way-out-policy
+  ansible.builtin.template:
+    src: no-way-out.xml.j2
+    dest: "/etc/firewalld/policies/no-way-out-{{ item }}.xml"
+    mode: '0644'
+  loop:
+    - HOST
+    - libvirt
+  when:
+    - exam_destination_allowed_ipv4 is defined
+    - exam_destination_allowed_ipv4 | length > 0
+
 - name: Enable login script via pam_exec.so
   ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-session

roles/lmn_exam/templates/no-way-out.xml.j2

@@ -0,0 +1,10 @@
+<policy target="REJECT">
+{% for address in exam_destination_allowed_ipv4 %}
+<rule family="ipv4">
+<destination address="{{ address }}"/>
+<accept/>
+</rule>
+{% endfor %}
+<ingress-zone name="{{ item }}"/>
+<egress-zone name="ANY"/>
+</policy>