Apply outbound restriction in exam_mode on macvtap interfaces too

roles/lmn_exam/files/pam-exec.sh

@@ -5,10 +5,16 @@
 
 if [[ "${PAM_USER}" =~ -exam$ ]]; then
   systemctl start firewalld.service
+  if [[ -f /usr/local/sbin/no-way-out-nftable ]]; then
+    /usr/local/sbin/no-way-out-nftable || true
+  fi
   if systemctl is-enabled --quiet libvirtd.service; then
     systemctl restart libvirtd.service
   fi
 elif ! (users | grep -q -- "-exam"); then
+  if /usr/sbin/nft list tables | /usr/bin/grep -q filtermacvtap; then
+    /usr/sbin/nft delete table netdev filtermacvtap || true
+  fi
   systemctl stop firewalld.service
   if systemctl is-enabled --quiet libvirtd.service; then
     systemctl restart libvirtd.service

roles/lmn_exam/tasks/main.yml

@@ -62,13 +62,25 @@
     src: no-way-out.xml.j2
     dest: "/etc/firewalld/policies/no-way-out-{{ item }}.xml"
     mode: '0644'
-  loop:
+  vars:
+    zones:
       - HOST
-    - libvirt
+      - "{{ 'libvirt' if vm_support | default(false) else '' }}"
+  loop: "{{ zones | reject('match','^$') }}"
   when:
     - exam_destination_allowed_ipv4 is defined
     - exam_destination_allowed_ipv4 | length > 0
 
+- name: Install no-way-out nf-table for macvtap device
+  ansible.builtin.template:
+    src: no-way-out-nftable.j2
+    dest: "/usr/local/sbin/no-way-out-nftable"
+    mode: '0755'
+  when:
+    - exam_destination_allowed_ipv4 is defined
+    - exam_destination_allowed_ipv4 | length > 0
+    - vm_support is defined and vm_support
+
 - name: Enable login script via pam_exec.so
   ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-session

roles/lmn_exam/templates/no-way-out-nftable.j2

@@ -0,0 +1,41 @@
+#!/usr/bin/bash
+
+set -eu
+
+interfaces=$(/usr/bin/ip link | /usr/bin/sed -En 's/.*(macvtap-.*)@.*/\1/p')
+gateway=$(/usr/bin/ip route list default | /usr/bin/head -1 | /usr/bin/cut -f 3 -d " ")
+
+filterchain=""
+for interface in ${interfaces}; do
+  filterchain=$(cat <<- EOF
+${filterchain}
+
+    chain filterin_${interface} {
+        type filter hook ingress device ${interface} priority filter; policy drop;
+        ip saddr \$allowed_ipv4 accept
+        ip saddr ${gateway} accept;
+        ip saddr 255.255.255.255 accept;
+    }
+
+    chain filterout_${interface} {
+        type filter hook egress device ${interface} priority filter; policy drop;
+        ip daddr \$allowed_ipv4 accept
+        ip daddr ${gateway} accept;
+        ip daddr 255.255.255.255 accept;
+    }
+EOF
+)
+done
+
+
+
+nft_table=$(cat <<- EOF
+define allowed_ipv4 = { {{ exam_destination_allowed_ipv4 | join(",") }} }
+
+table netdev filtermacvtap {
+${filterchain}
+}
+EOF
+)
+
+echo "$nft_table" | /usr/sbin/nft -f -