ebtables/iptables processing is skipped for any interface connected to Open vSwitch (they have their own packet filtering), likewise for midonet (according to http://blog.midokura.com/2016/04/midonet-rule-chains), but libvirt would allow adding a <filterref> to interfaces connected in these ways, so the user might mistakenly believe they were being protected. This patch checks for a non-NULL <virtualport> element for an interface (or its network) and logs an error if <virtualport> and <filterref> are both present. This could cause some previously working domains to no longer start, but that's really the whole point of this patch - to warn people that their filterref isn't protecting them as they might have thought. I don't bother checking this during post-parse validation, because such a check would be incomplete - it's possible that a network would have a <virtualport> that would be applied to an interface, and you can't know that until the domain is started. Resolves: https://bugzilla.redhat.com/1502754 --- src/qemu/qemu_command.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 2dd50a214..4d0c141e5 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -8545,15 +8545,25 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, } /* and only TAP devices support nwfilter rules */ - if (net->filter && - !(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || - actualType == VIR_DOMAIN_NET_TYPE_BRIDGE || - actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - _("filterref is not supported for " - "network interfaces of type %s"), - virDomainNetTypeToString(actualType)); - return -1; + if (net->filter) { + virNetDevVPortProfilePtr vport = virDomainNetGetActualVirtPortProfile(net); + if (!(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || + actualType == VIR_DOMAIN_NET_TYPE_BRIDGE || + actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported for " + "network interfaces of type %s"), + virDomainNetTypeToString(actualType)); + return -1; + } + if (vport && vport->virtPortType != VIR_NETDEV_VPORT_PROFILE_NONE) { + /* currently none of the defined virtualport types support iptables */ + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported for " + "network interfaces with virtualport type %s"), + virNetDevVPortTypeToString(vport->virtPortType)); + return -1; + } } if (net->backend.tap && -- 2.13.6 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list