This patch removes ebtables rules at qemud shutdown time
Signed-off-by: Gerhard Stenzel <gerhard.stenzel@xxxxxxxxxx>
Index: libvirt/src/qemu/qemu_bridge_filter.c
===================================================================
--- libvirt.orig/src/qemu/qemu_bridge_filter.c
+++ libvirt/src/qemu/qemu_bridge_filter.c
@@ -48,6 +48,35 @@ networkAddEbtablesRules(struct qemud_dri
 return 0;
 }
+int
+networkRemoveEbtablesRules(struct qemud_driver *driver) {
+ int err;
+
+ /* Set forward policy to DROP */
+ if ((err = ebtablesRemoveForwardPolicyReject(driver->ebtables))) {
+ virReportSystemError(NULL, err,
+ _("failed to remove ebtables rule to set default policy to drop on '%s'"),
+ __FILE__);
+ return err;
+ }
+
+ return 0;
+}
+
+int
+networkEnableAllFrames(struct qemud_driver *driver) {
+ int err;
+
+ /* add default rules */
+ if ((err = networkRemoveEbtablesRules(driver))) {
+ virReportSystemError(NULL, err,
+ _("cannot remove filter on bridge '%s'"),
+ __FILE__);
+ return err;
+ }
+ return 0;
+}
+
 int
 networkDisableAllFrames(struct qemud_driver *driver) {
Index: libvirt/src/util/ebtables.c
===================================================================
--- libvirt.orig/src/util/ebtables.c
+++ libvirt/src/util/ebtables.c
@@ -60,6 +60,7 @@ enum {
 ADD = 0,
 REMOVE,
 CREATE,
+ DELETE,
 POLICY,
 INSERT
 };
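Review bot: The two new comments in qemu_bridge_filter.c are copied from the add path and now state the opposite of what the code does — `/* Set forward policy to DROP */` sits above the call that removes the DROP policy, and `/* add default rules */` above the call that tears rules down; reword them to `/* Remove the DROP forward policy and its chain */` and `/* tear down the filter rules added at startup */`. The same failure is also reported at every level: networkRemoveEbtablesRules reports it, networkEnableAllFrames reports it again, and the caller in qemudShutdown reports it a third time, so one ebtables failure produces three log entries; reporting once in the innermost function and just propagating `err` upward is enough. Both messages substitute `__FILE__` for a `'%s'` that reads as a bridge name, so an admin sees a source path where an interface is expected — this mirrors the existing networkAddEbtablesRules, but the new text should not promise a bridge name it cannot supply. ebtablesRemoveForwardPolicyReject is called here and exported in libvirt_private.syms, yet the patch shows neither its definition nor a prototype in ebtables.h; if it is not already present, this file will not compile.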
@@ -336,12 +337,28 @@ ebtablesForwardPolicyReject(ebtablesCont
 INSERT,
 "--insert", "FORWARD", "--jump",
 ctx->forward_filter->chain, NULL);
- }
-
- return ebtablesAddRemoveRule(ctx->forward_filter,
+ return ebtablesAddRemoveRule(ctx->forward_filter,
 POLICY,
 "-P", ctx->forward_filter->chain, "DROP",
 NULL);
+ }
+ if (action == REMOVE) {
+ ebtablesAddRemoveRule(ctx->forward_filter,
+ POLICY,
+ "-P", ctx->forward_filter->chain, "ACCEPT",
+ NULL);
+
+ ebtablesAddRemoveRule(ctx->forward_filter,
+ INSERT,
+ "--delete", "FORWARD", "--jump",
+ ctx->forward_filter->chain, NULL);
+
+ return ebtablesAddRemoveRule(ctx->forward_filter,
+ DELETE,
+ "--delete-chain", ctx->forward_filter->chain, NULL,
+ NULL);
+ }
+
 }
 /*
Index: libvirt/src/libvirt_private.syms
===================================================================
--- libvirt.orig/src/libvirt_private.syms
+++ libvirt/src/libvirt_private.syms
@@ -179,6 +179,7 @@ virDomainEventQueueDispatch;
 # ebtables.h
 ebtablesAddForwardAllowIn;
 ebtablesAddForwardPolicyReject;
+ebtablesRemoveForwardPolicyReject;
 ebtablesContextNew;
 ebtablesRemoveForwardAllowIn;
Index: libvirt/src/qemu/qemu_driver.c
===================================================================
--- libvirt.orig/src/qemu/qemu_driver.c
+++ libvirt/src/qemu/qemu_driver.c
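Review bot: With the formerly unconditional `return` moved inside the ADD branch, control now falls off the closing brace of ebtablesForwardPolicyReject for any action other than ADD or REMOVE, which is undefined behaviour for a value-returning function and hands the callers a garbage status that they then feed to virReportSystemError; the end of the function needs an explicit error return. In the REMOVE branch the results of the `-P ... ACCEPT` and `--delete ... --jump` calls are discarded, so if the jump rule cannot be removed the following `--delete-chain` fails for a different reason and the original cause is lost — check each result and stop at the first failure, as the add path already does. The third call also passes two trailing NULLs where every other call passes one; harmless if the argument list is NULL-terminated, but it reads like a leftover. The enclosing function begins outside the hunk. Assuming the same errno-style int convention as the surrounding code (and that errno.h is already included), the branch would read:

```c
/* … unchanged: ADD branch … */
    if (action == REMOVE) {
        int err;

        err = ebtablesAddRemoveRule(ctx->forward_filter,
                                    POLICY,
                                    "-P", ctx->forward_filter->chain, "ACCEPT",
                                    NULL);
        if (err)
            return err;

        err = ebtablesAddRemoveRule(ctx->forward_filter,
                                    INSERT,
                                    "--delete", "FORWARD", "--jump",
                                    ctx->forward_filter->chain, NULL);
        if (err)
            return err;

        return ebtablesAddRemoveRule(ctx->forward_filter,
                                     DELETE,
                                     "--delete-chain", ctx->forward_filter->chain,
                                     NULL);
    }

    /* neither ADD nor REMOVE: never fall off the end of a value-returning function */
    return EINVAL;
}
```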
@@ -1081,6 +1081,14 @@ qemudShutdown(void) {
 virDomainObjListDeinit(&qemu_driver->domains);
+ if (qemu_driver->macFilter) {
+ if ((errno = networkEnableAllFrames(qemu_driver))) {
+ virReportSystemError(NULL, errno,
+ _("failed to add rule to allow all frames in '%s'"),
+ __FILE__);
+ }
+ }
+
 VIR_FREE(qemu_driver->securityDriverName);
 VIR_FREE(qemu_driver->logDir);
 VIR_FREE(qemu_driver->configDir);
--
Best regards, Gerhard Stenzel,
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
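Review bot: The new block in qemudShutdown uses `errno` as a scratch variable for the return value of networkEnableAllFrames and then reads it back as the second argument of virReportSystemError; nothing in the callee's contract says it returns an errno value rather than a generic non-zero, and any call evaluated between the assignment and the report (including the `_()` translation lookup in the argument list) may clobber errno. Use a local instead, `int err; if ((err = networkEnableAllFrames(qemu_driver))) { virReportSystemError(NULL, err, ...); }` — or, since networkEnableAllFrames and networkRemoveEbtablesRules already report the failure themselves, drop this report and just call the function. The message says "failed to add rule to allow all frames" while the code path removes the filter chain, and `__FILE__` fills a `'%s'` that reads like an interface name. One consequence is worth a comment above the `if (qemu_driver->macFilter)` check: if guests keep running across a daemon stop, as the qemu driver normally allows, removing the FORWARD DROP policy here leaves those guests unfiltered until the daemon restarts and networkAddEbtablesRules runs again; if that window is not intended, the removal belongs where the last filtered guest goes away rather than at driver shutdown.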