[PATCH] nwfilter: report if ip(6)tables rules would not be effective

Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> · Thu, 23 Sep 2010 11:53:53 -0400

The patch below reports a warning in the log if the generated 
ip(6)tables rules would not be effective due to the proc filesystem entries

    /proc/sys/net/bridge/bridge-nf-call-iptables
    /proc/sys/net/bridge/bridge-nf-call-ip6tables

containing a '0'. The warning tells the user what to do. I am 
rate-limiting the warning message to appear only every 10 seconds.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>

---
 src/nwfilter/nwfilter_ebiptables_driver.c |   51 
++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================

--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -24,6 +24,7 @@
 #include <config.h>

 #include <sys/stat.h>
+#include <fcntl.h>

 #include "internal.h"

@@ -63,6 +64,13 @@
       : ""


+#define PROC_BRIDGE_NF_CALL_IPTABLES \
+        "/proc/sys/net/bridge/bridge-nf-call-iptables"
+#define PROC_BRIDGE_NF_CALL_IP6TABLES \
+        "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+
+#define BRIDGE_NF_CALL_ALERT_INTERVAL  10 /* seconds */
+
 static char *ebtables_cmd_path;
 static char *iptables_cmd_path;
 static char *ip6tables_cmd_path;
@@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, c
 }


+static void
+iptablesCheckBridgeNFCallEnabled(bool isIPv6)
+{
+    static time_t lastReport, lastReportIPv6;
+    const char *pathname = NULL;
+    char buffer[1];
+    time_t now = time(NULL);
+
+    if (isIPv6 &&
+        (now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) {
+        pathname = PROC_BRIDGE_NF_CALL_IP6TABLES;
+    } else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {
+        pathname = PROC_BRIDGE_NF_CALL_IPTABLES;
+    }
+
+    if (pathname) {
+        int fd = open(pathname, O_RDONLY);
+        if (fd >= 0) {
+            if (read(fd, buffer, 1) == 1) {
+                if (buffer[0] == '0') {
+                    char msg[256];
+                    snprintf(msg, sizeof(msg),
+                             _("To enable ip%stables filtering for the 
VM do "
+                              "'echo 1 > %s'\n"),
+                             isIPv6 ? "6" : "",
+                             pathname);
+                    VIR_WARN0(msg);
+                    if (isIPv6)
+                        lastReportIPv6 = now;
+                    else
+                        lastReport = now;
+                }
+            }
+            close(fd);
+        }
+    }
+}
+
+
 static int
 ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
                         const char *ifname,
@@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr co

         if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
            goto tear_down_tmpiptchains;
+
+        iptablesCheckBridgeNFCallEnabled(false);
     }

     if (haveIp6tables) {
@@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr co

         if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
            goto tear_down_tmpip6tchains;
+
+        iptablesCheckBridgeNFCallEnabled(true);
     }

     if (chains_in != 0)

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list





