ping

On Fri, Dec 07, 2018 at 04:21:31PM +0000, Daniel P. Berrangé wrote:
> v1: https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html
>
> The virtual networks in NAT mode are supposed to only allow outbound
> network access for guests. Unfortunately due to ordering of the firewall
> rules libvirt creates, when you have multiple virtual networks, guests
> on the more recently created virtual networks can connect to guests on
> old virtual networks.
>
> This was reported way back in 2008 but we always thought the fix would
> be very complicated to deal with, so we've been putting it off forever.
>
> In parallel with this there's also been a long standing desire since
> 2009 to move our firewall rules out of the builtin chains, to libvirt
> private chains. This is to make it easier for admins to use hook scripts
> to setup rules in the builtin chains that take priority over rules
> libvirt creates.
>
> In implementing the changes to use private chains, I suddenly realized
> that fixing the network to network traffic blocking problem was trivial
> if I grouped the forwarding rules into three distinct sets.
>
> So this series finally fixes an annoying 10 year old bug, and implements
> a 9 year old RFE.
>
> It may take us a while, but we'll get to your bugs eventually ;-)
>
> Changed in v2:
>  - Detect whether chains already exist before creating them
>  - Only try to delete legacy rules from builtin chain during startup
>
> Daniel P. Berrangé (4):
>   network: add platform driver callbacks around firewall reload
>   util: pass layer into firewall query callback
>   util: create private chains for virtual network firewall rules
>   util: move virtual network firwall rules into private chains
>
>  src/libvirt_private.syms                  |   2 +
>  src/network/bridge_driver.c               |  13 +-
>  src/network/bridge_driver_linux.c         |  32 +++
>  src/network/bridge_driver_nop.c           |  11 +
>  src/network/bridge_driver_platform.h      |   3 +
>  src/nwfilter/nwfilter_ebiptables_driver.c |  17 +-
>  src/util/virfirewall.c                    |   2 +-
>  src/util/virfirewall.h                    |   1 +
>  src/util/viriptables.c                    | 254 +++++++++++++++---
>  src/util/viriptables.h                    |   4 +
>  .../nat-default-linux.args                |  32 +--
>  .../nat-ipv6-linux.args                   |  48 ++--
>  .../nat-many-ips-linux.args               |  60 ++---
>  .../nat-no-dhcp-linux.args                |  46 ++--
>  .../nat-tftp-linux.args                   |  34 +--
>  .../route-default-linux.args              |  22 +-
>  tests/virfirewalltest.c                   |   3 +-
>  17 files changed, 405 insertions(+), 179 deletions(-)
>
> --
> 2.19.2
>

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
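The cover letter quoted above describes the ordering bug (a newer NAT network's ACCEPT rules sit ahead of an older network's REJECT rules in the shared FORWARD chain) and the fix (grouping the forwarding rules into distinct sets). The following is an added illustration, not code from the series or from libvirt: a small first-match simulator of FORWARD rule evaluation that builds both orderings for two constructed networks and shows which cross-network packets each one lets through. The bridge names, subnets, the "newest network inserted at the head of the chain" assumption, the names of the three sets and the ACCEPT default policy are all assumptions made for the example.

```python
"""Simulate first-match evaluation of FORWARD rules for NAT virtual networks.

Added example, not libvirt code. Rule shapes follow the usual per-network
pattern (accept established replies into the bridge, accept outbound traffic
from the bridge's subnet, accept bridge-to-same-bridge, reject everything else
in each direction); set names, subnets and the ACCEPT default are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "REJECT"
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    src: Optional[str] = None        # -s CIDR
    dst: Optional[str] = None        # -d CIDR
    established: bool = False        # --ctstate RELATED,ESTABLISHED


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    established: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """All specified match fields must hold, as in iptables."""
    if rule.in_if and rule.in_if != pkt.in_if:
        return False
    if rule.out_if and rule.out_if != pkt.out_if:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.established and not pkt.established:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; fall through to the chain policy (assumed ACCEPT)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def nat_network_rules(bridge: str, subnet: str) -> Dict[str, Rule]:
    """The five forwarding rules one NAT network needs."""
    return {
        "reply": Rule("ACCEPT", out_if=bridge, dst=subnet, established=True),
        "outbound": Rule("ACCEPT", in_if=bridge, src=subnet),
        "intra": Rule("ACCEPT", in_if=bridge, out_if=bridge),
        "reject_in": Rule("REJECT", out_if=bridge),
        "reject_out": Rule("REJECT", in_if=bridge),
    }


# Constructed: virbr0 is the older network, virbr1 the newer one.
NETWORKS = [("virbr0", "192.168.122.0/24"), ("virbr1", "192.168.123.0/24")]


def legacy_forward_chain(networks) -> List[Rule]:
    """Each network's block is inserted at the head of the builtin chain
    (assumption: iptables -I), so the newest network is evaluated first."""
    chain: List[Rule] = []
    for bridge, subnet in networks:
        r = nat_network_rules(bridge, subnet)
        chain = [r["reply"], r["outbound"], r["intra"],
                 r["reject_in"], r["reject_out"]] + chain
    return chain


def grouped_forward_chain(networks) -> List[Rule]:
    """Three sets (names are this example's): cross (bridge-to-same-bridge
    accepts), then inbound (reply accept + reject per bridge), then outbound
    (subnet accept + reject per bridge). Every bridge's inbound REJECT is now
    evaluated before any other bridge's outbound ACCEPT."""
    per = [nat_network_rules(b, s) for b, s in networks]
    cross = [r["intra"] for r in per]
    inbound = [x for r in per for x in (r["reply"], r["reject_in"])]
    outbound = [x for r in per for x in (r["outbound"], r["reject_out"])]
    return cross + inbound + outbound


def cross_network_leaks(chain: List[Rule], networks) -> List[str]:
    """Report every ordered bridge pair whose guests can reach each other."""
    leaks = []
    for sb, ss in networks:
        for db, ds in networks:
            if sb == db:
                continue
            pkt = Packet(sb, db, str(ip_network(ss)[10]), str(ip_network(ds)[10]))
            if verdict(chain, pkt) == "ACCEPT":
                leaks.append(f"{sb}->{db}")
    return leaks


if __name__ == "__main__":
    print("legacy ordering leaks:", cross_network_leaks(legacy_forward_chain(NETWORKS), NETWORKS))
    print("grouped ordering leaks:", cross_network_leaks(grouped_forward_chain(NETWORKS), NETWORKS))
```

Running it shows the asymmetry the cover letter describes: with the legacy ordering the newer network (virbr1) can reach the older one (virbr0) but not the reverse, while the grouped ordering blocks both directions and still accepts outbound traffic, established replies and bridge-local forwarding for every network. On a real host the same check can be made by reading the live FORWARD rule order and confirming that no bridge's source-subnet ACCEPT precedes another bridge's REJECT.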