[PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> · Wed, 22 Sep 2010 14:19:31 -0400

On a recent installation of FC13, the filtering of IP/IPv6 using 
iptables/ip6tables traffic did not work since the proc filesystem 
entries /proc/sys/net/bridge/bridge-nf-call-iptables and 
/proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and 
no traffic went into the FORWARD chain. The patch below makes sure that 
if iptables or ip6tables are being used by the nwfilter driver that a 
'1' is written into the relevant proc filesystem entry so that the 
traffic goes into the FORWARD chain.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>

---
 src/nwfilter/nwfilter_ebiptables_driver.c |   19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================

--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -63,6 +63,11 @@
       : ""


+#define PROC_BRIDGE_NF_CALL_IPTABLES \
+        "/proc/sys/net/bridge/bridge-nf-call-iptables"
+#define PROC_BRIDGE_NF_CALL_IP6TABLES\
+        "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+
 static char *ebtables_cmd_path;
 static char *iptables_cmd_path;
 static char *ip6tables_cmd_path;
@@ -429,16 +434,20 @@ static int iptablesLinkIPTablesBaseChain


 static int iptablesCreateBaseChains(const char *iptables_cmd,
-                                    virBufferPtr buf)
+                                    virBufferPtr buf,
+                                    bool isIPv6)
 {
     virBufferVSprintf(buf,"%s -N " VIRT_IN_CHAIN      CMD_SEPARATOR
                           "%s -N " VIRT_OUT_CHAIN     CMD_SEPARATOR
                           "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
-                          "%s -N " HOST_IN_CHAIN      CMD_SEPARATOR,
+                          "%s -N " HOST_IN_CHAIN      CMD_SEPARATOR
+                          "echo 1 > %s"               CMD_SEPARATOR,
+                          iptables_cmd,
                           iptables_cmd,
                           iptables_cmd,
                           iptables_cmd,
-                          iptables_cmd);
+                          isIPv6 ? PROC_BRIDGE_NF_CALL_IP6TABLES
+                                 : PROC_BRIDGE_NF_CALL_IPTABLES);
     iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
                                   VIRT_IN_CHAIN     , "FORWARD", 1, 1);
     iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
@@ -3074,7 +3083,7 @@ ebiptablesApplyNewRules(virConnectPtr co
         iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname);
         iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);

-        iptablesCreateBaseChains(iptables_cmd_path, &buf);
+        iptablesCreateBaseChains(iptables_cmd_path, &buf, false);

         if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
             goto tear_down_tmpebchains;
@@ -3105,7 +3114,7 @@ ebiptablesApplyNewRules(virConnectPtr co
         iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname);
         iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);

-        iptablesCreateBaseChains(ip6tables_cmd_path, &buf);
+        iptablesCreateBaseChains(ip6tables_cmd_path, &buf, true);

         if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
             goto tear_down_tmpiptchains;

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list





