On 12/3/18 10:07 AM, Laine Stump wrote: > On 11/1/18 8:52 AM, Daniel P. Berrangé wrote: >> Historically rules were added straight into the base chains. This works >> but it is inflexible for admins adding extra rules via hook scripts, and >> it is not clear which rules are libvirt created. >> >> There is a further complexity with the FORWARD chain where a specific >> ordering of rules is needed to ensure traffic is matched correctly. This >> would require complex interleaving of rules instead of plain appending. >> By splitting the FORWARD chain into three chains management will be >> simpler. Thus we create >> >> INPUT -> INP_libvirt >> OUTPUT -> OUT_libvirt >> FORWARD -> FWD_libvirt_cross >> FORWARD -> FWD_libvirt_in >> FORWARD -> FWD_libvirt_out >> POSTROUTING -> PRT_libvirt >> >> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> >> --- >> src/libvirt_private.syms | 1 + >> src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++ >> src/util/viriptables.h | 2 + >> 3 files changed, 84 insertions(+) >> >> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms >> index 335210c31d..e42c946de6 100644 >> --- a/src/libvirt_private.syms >> +++ b/src/libvirt_private.syms >> @@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum; >> iptablesRemoveTcpInput; >> iptablesRemoveUdpInput; >> iptablesRemoveUdpOutput; >> +iptablesSetupPrivateChains; >> >> >> # util/viriscsi.h >> diff --git a/src/util/viriptables.c b/src/util/viriptables.c >> index f379844d28..4a7ea54b38 100644 >> --- a/src/util/viriptables.c >> +++ b/src/util/viriptables.c 
>> @@ -51,6 +51,87 @@ enum { >> }; >> >> >> + >> +typedef struct { >> + virFirewallLayer layer; >> + const char *table; >> + const char *parent; >> + const char *child; >> +} iptablesChain; >> + >> +static int >> +iptablesCheckPrivateChain(virFirewallPtr fw, >> + const char *const *lines, >> + void *opaque) >> +{ >> + iptablesChain *data = opaque; >> + bool found = false; >> + >> + while (lines && *lines && !found) { >> + if (STRPREFIX(*lines, data->child)) >> + found = true; >> + lines++; >> + } >> + >> + if (!found) >> + virFirewallAddRule(fw, data->layer, >> + "--table", data->table, >> + "--insert", data->parent, >> + "--jump", data->child, NULL); >> + >> + return 0; >> +} >> + >> + >> +int >> +iptablesSetupPrivateChains(void) >> +{ >> + virFirewallPtr fw; >> + int ret = -1; >> + iptablesChain chains[] = { >> + {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT", "INP_libvirt"}, >> + {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT", "OUT_libvirt"}, >> + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_out"}, >> + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_in"}, >> + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_cross"}, >> + {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING", "PRT_libvirt"}, You also need this entry (for the rule that fixes the UDP checksum of dhcp packets): + {VIR_FIREWALL_LAYER_IPV4, "mangle", "POSTROUTING", "PRT_libvirt"}, (that is, unless we think it's okay to do away with that rule. It was originally added because of some strange combination of virtio+vhost+[old OS, e.g. RHEL5] getting dhcp requests with incorrect checksums on the host. See https://bugzilla.redhat.com/show_bug.cgi?id=612588 for more info (although it's difficult since the Bug description is marked as Private :-( )
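Review bot: In iptablesCheckPrivateChain, `STRPREFIX(*lines, data->child)` treats any listed target whose name merely begins with the private chain name as a match, so an admin-created chain with a name such as FWD_libvirt_in_hook (hook scripts are exactly the use case the commit message cites) would suppress insertion of the FWD_libvirt_in jump; compare the whole first token instead, for example by also requiring that the character after the prefix is whitespace or the end of the line. The visible lines only `--insert` the jump to data->child and never create that chain, so unless the part of iptablesSetupPrivateChains not shown here issues `--new-chain` first, the insert fails on a fresh host where the chain does not yet exist. The FORWARD entries in chains[] are listed as out, in, cross and rely on `--insert` prepending each rule so that the final order becomes cross, in, out as the commit message requires; a comment on the array stating that the order is intentionally reversed would keep a later reader from "fixing" it.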
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
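The following is an added example, not libvirt's code or anything from the patch above. It models the check-and-insert step the commit message describes for the parent-to-private-chain jumps: it assumes the callback is handed `iptables --table T --list PARENT -n` style output (one rule per line, target chain first), uses a constructed listing rather than real host output, and shows both the prefix test and a whole-token test side by side, plus the final FORWARD rule order that results from inserting the three FWD_libvirt chains at the top in array order.

```python
"""
Constructed iptables listings (not captured from a real host) in the form
`iptables --table T --list PARENT -n` prints: two header lines, then one
line per rule with the target chain as the first field.  One hook-script
chain whose name starts with a libvirt chain name is included on purpose,
because that is the case a prefix comparison mishandles.
"""

# (table, parent, child) in the order the patch's chains[] array lists them.
CHAINS = [
    ("filter", "INPUT", "INP_libvirt"),
    ("filter", "OUTPUT", "OUT_libvirt"),
    ("filter", "FORWARD", "FWD_libvirt_out"),
    ("filter", "FORWARD", "FWD_libvirt_in"),
    ("filter", "FORWARD", "FWD_libvirt_cross"),
    ("nat", "POSTROUTING", "PRT_libvirt"),
]

# Constructed listing per (table, parent).  FWD_libvirt_in_hook is an
# assumed admin chain added by a hook script; it is not a libvirt name.
LISTINGS = {
    ("filter", "INPUT"): [
        "Chain INPUT (policy ACCEPT)",
        "target     prot opt source               destination",
        "INP_libvirt  all  --  0.0.0.0/0            0.0.0.0/0",
    ],
    ("filter", "OUTPUT"): [
        "Chain OUTPUT (policy ACCEPT)",
        "target     prot opt source               destination",
    ],
    ("filter", "FORWARD"): [
        "Chain FORWARD (policy ACCEPT)",
        "target     prot opt source               destination",
        "FWD_libvirt_in_hook  all  --  0.0.0.0/0            0.0.0.0/0",
    ],
    ("nat", "POSTROUTING"): [
        "Chain POSTROUTING (policy ACCEPT)",
        "target     prot opt source               destination",
        "PRT_libvirt  all  --  0.0.0.0/0            0.0.0.0/0",
    ],
}


def listed_targets(lines):
    """Return the target chain of each rule line, skipping the two header lines."""
    targets = []
    for line in lines:
        if line.startswith("Chain ") or line.startswith("target "):
            continue
        fields = line.split()
        if fields:
            targets.append(fields[0])
    return targets


def has_jump_prefix(lines, child):
    """Prefix test as in the patch's callback: any line starting with `child` counts."""
    return any(line.startswith(child) for line in lines)


def has_jump_exact(lines, child):
    """Whole-token test: the first field of some rule line must equal `child`."""
    return child in listed_targets(lines)


def plan_inserts(chains, listings, matcher):
    """iptables arguments (without the binary) for every jump rule judged missing."""
    cmds = []
    for table, parent, child in chains:
        if not matcher(listings.get((table, parent), []), child):
            cmds.append(["--table", table, "--insert", parent, "--jump", child])
    return cmds


def simulate_parent(chains, listings, matcher, table, parent):
    """Rule order in `parent` after the plan runs; --insert prepends each rule."""
    rules = listed_targets(listings.get((table, parent), []))
    for cmd in plan_inserts(chains, listings, matcher):
        if cmd[1] == table and cmd[3] == parent:
            rules.insert(0, cmd[5])
    return rules


if __name__ == "__main__":
    for name, matcher in (("prefix", has_jump_prefix), ("exact", has_jump_exact)):
        print(f"{name} match: {len(plan_inserts(CHAINS, LISTINGS, matcher))} inserts")
        print("  FORWARD ->", simulate_parent(CHAINS, LISTINGS, matcher, "filter", "FORWARD"))
```

With the exact test, FORWARD ends up as FWD_libvirt_cross, FWD_libvirt_in, FWD_libvirt_out followed by the pre-existing hook chain, which is the order the commit message asks for even though the array lists them the other way round. With the prefix test, the FWD_libvirt_in_hook line is taken as proof that FWD_libvirt_in is already wired in, and that jump is never inserted.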