On 1/24/19 3:05 PM, Daniel P. Berrangé wrote:
> v1: https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html
> v2: https://www.redhat.com/archives/libvir-list/2018-December/msg00198.html
>
> The virtual networks in NAT mode are supposed to only allow outbound
> network access for guests. Unfortunately, due to the ordering of the
> firewall rules libvirt creates, when you have multiple virtual networks,
> guests on the more recently created virtual networks can connect to guests
> on old virtual networks. This was reported way back in 2008, but we always
> thought the fix would be very complicated to deal with, so we've been
> putting it off forever.
>
> In parallel with this there's also been a long-standing desire since 2009
> to move our firewall rules out of the builtin chains, to libvirt private
> chains. This is to make it easier for admins to use hook scripts to set up
> rules in the builtin chains that take priority over rules libvirt creates.
>
> In implementing the changes to use private chains, I suddenly realized
> that fixing the network-to-network traffic blocking problem was trivial
> if I grouped the forwarding rules into three distinct sets.
>
> So this series finally fixes an annoying 10 year old bug, and implements
> a 9 year old RFE. It may take us a while, but we'll get to your bugs
> eventually ;-)
>
> Changed in v3:
>
>  - Rebase to git master
>
> Changed in v2:
>
>  - Detect whether chains already exist before creating them
>  - Only try to delete legacy rules from builtin chain during startup
>
> Daniel P. Berrangé (4):
>   network: add platform driver callbacks around firewall reload
>   util: pass layer into firewall query callback
>   util: create private chains for virtual network firewall rules
>   util: move virtual network firewall rules into private chains
>
>  src/libvirt_private.syms                  |   2 +
>  src/network/bridge_driver.c               |  13 +-
>  src/network/bridge_driver_linux.c         |  32 +++
>  src/network/bridge_driver_nop.c           |  11 +
>  src/network/bridge_driver_platform.h      |   3 +
>  src/nwfilter/nwfilter_ebiptables_driver.c |  17 +-
>  src/util/virfirewall.c                    |   2 +-
>  src/util/virfirewall.h                    |   1 +
>  src/util/viriptables.c                    | 254 +++++++++++++++---
>  src/util/viriptables.h                    |   4 +
>  .../nat-default-linux.args                |  32 +--
>  .../nat-ipv6-linux.args                   |  48 ++--
>  .../nat-many-ips-linux.args               |  60 ++--
>  .../nat-no-dhcp-linux.args                |  46 ++--
>  .../nat-tftp-linux.args                   |  34 +--
>  .../route-default-linux.args              |  22 +-
>  tests/virfirewalltest.c                   |   3 +-
>  17 files changed, 405 insertions(+), 179 deletions(-)
ACK

Michal

-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
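Added example, not from this thread or from libvirt's source: a Python first-match model of the FORWARD rule ordering the cover letter describes, contrasting the old per-network layout with the three grouped private chains. The rule shapes, the chain names LIBVIRT_FWX/FWI/FWO, the DROP default policy, and the bridge names and addresses are assumptions or constructed values, not taken from the series.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Pkt:                  # a packet as seen by the FORWARD chain
    src: str; dst: str; iif: str; oif: str; established: bool = False

@dataclass
class Rule:                 # one iptables rule; empty fields match anything
    verdict: str
    src: str = ""; dst: str = ""      # source / destination network (CIDR)
    iif: str = ""; oif: str = ""      # input / output interface
    established: bool = False         # conntrack RELATED,ESTABLISHED match
    def matches(self, p: Pkt) -> bool:
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if (self.iif and p.iif != self.iif) or (self.oif and p.oif != self.oif):
            return False
        return p.established or not self.established

def per_network(br, net):
    """Five rules per NAT network, grouped into the three sets (names assumed)."""
    return {"LIBVIRT_FWX": [Rule("ACCEPT", iif=br, oif=br)],             # bridge-local
            "LIBVIRT_FWI": [Rule("ACCEPT", dst=net, oif=br, established=True),
                            Rule("REJECT", oif=br)],                     # into bridge
            "LIBVIRT_FWO": [Rule("ACCEPT", src=net, iif=br),
                            Rule("REJECT", iif=br)]}                     # out of bridge

def legacy_forward(networks):
    """Old layout: each network's whole block is inserted at the head of FORWARD."""
    chain = []
    for br, net in networks:            # in creation order, so newest ends up first
        chain = sum(per_network(br, net).values(), []) + chain
    return chain

def private_chain_forward(networks):
    """New layout: FORWARD jumps to FWX, then FWI, then FWO, so every bridge's
    inbound REJECT is checked before any other bridge's outbound ACCEPT."""
    chains = {"LIBVIRT_FWX": [], "LIBVIRT_FWI": [], "LIBVIRT_FWO": []}
    for br, net in networks:
        for name, rules in per_network(br, net).items():
            chains[name] = rules + chains[name]
    return sum(chains.values(), [])

def verdict(chain, pkt):
    """First match wins; no match falls through to an assumed DROP policy."""
    return next((r.verdict for r in chain if r.matches(pkt)), "DROP")
```

With two networks, a new connection from the second bridge to the first is accepted by `legacy_forward` but rejected by `private_chain_forward`, while outbound traffic and its replies pass in both layouts.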