Re: [PATCH] network: allow DHCP/DNS/TFTP explicitly in OUTPUT rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/27/19 6:16 PM, Daniel P. Berrangé wrote:
> From: Malina Salina <malina.salina@xxxxxxxxxxxxxx>
> 
> While the default iptables setup used by Fedora/RHEL distros
> only restricts traffic on the INPUT and/or FORWARD rules,
> some users might have custom firewalls that restrict the
> OUTPUT rules too.
> 
> These can prevent DHCP/DNS/TFTP responses from dnsmasq
> from reaching the guest VMs. We should thus whitelist
> these protocols in the OUTPUT chain, as well as the
> INPUT chain.
> 
> Signed-off-by: Malina Salina <malina.salina@xxxxxxxxxxxxxx>
> 
> Initial patch then modified to add unit tests and IPv6
> support
> 
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  src/libvirt_private.syms                      |  2 +
>  src/network/bridge_driver_linux.c             | 29 ++++++++++---
>  src/util/viriptables.c                        | 36 ++++++++++++++++
>  src/util/viriptables.h                        |  8 ++++
>  .../nat-default-linux.args                    | 21 ++++++++++
>  .../nat-ipv6-linux.args                       | 42 +++++++++++++++++++
>  .../nat-many-ips-linux.args                   | 21 ++++++++++
>  .../nat-no-dhcp-linux.args                    | 42 +++++++++++++++++++
>  .../nat-tftp-linux.args                       | 28 +++++++++++++
>  .../route-default-linux.args                  | 21 ++++++++++
>  10 files changed, 244 insertions(+), 6 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux