[PATCH 1/3] Only check for IP forwarding, do not enable it

Benjamin Cama <benjamin.cama@xxxxxxxxxxxxxxxxxxx> · Mon, 15 Oct 2012 12:26:59 +0200

Enabling IP forwarding without the administrator's consent is bad. Only
check for forwarding, do not enable it.
---
 src/network/bridge_driver.c |   56 +++++++++++++++++++++++++++++++++----------
 1 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index e1846ee..e3e8dc2 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1853,19 +1853,51 @@ networkReloadIptablesRules(struct network_driver *driver)
     }
 }
 
-/* Enable IP Forwarding. Return 0 for success, -1 for failure. */
+#define SYSCTL_PATH "/proc/sys"
+
+/* Check for IP Forwarding. Return 0 if required family is enabled, -1 for failure. */
 static int
-networkEnableIpForwarding(bool enableIPv4, bool enableIPv6)
+networkCheckIpForwarding(bool checkIPv4, bool checkIPv6)
 {
     int ret = 0;
-    if (enableIPv4)
-        ret = virFileWriteStr("/proc/sys/net/ipv4/ip_forward", "1\n", 0);
-    if (enableIPv6 && ret == 0)
-        ret = virFileWriteStr("/proc/sys/net/ipv6/conf/all/forwarding", "1\n", 0);
-    return ret;
-}
+    char *buf = NULL;
 
-#define SYSCTL_PATH "/proc/sys"
+    if (checkIPv4) {
+        ret = virFileReadAll(SYSCTL_PATH "/net/ipv4/ip_forward", 2, &buf);
+        if (ret != 2)
+            goto error;
+        if (STRNEQ(buf, "1\n")) {
+            networkReportError(VIR_ERR_SYSTEM_ERROR,
+                               _("IP forwarding is not enabled on your system"));
+            goto cleanup;
+        }
+    }
+    if (checkIPv6) {
+        if (ret > 0)
+            VIR_FREE(buf);
+        ret = virFileReadAll(SYSCTL_PATH "/net/ipv6/conf/all/forwarding", 2, &buf);
+        if (ret != 2)
+            goto error;
+        if (STRNEQ(buf, "1\n")) {
+            networkReportError(VIR_ERR_SYSTEM_ERROR,
+                               _("IPv6 forwarding is not enabled on your system"));
+            goto cleanup;
+        }
+    }
+
+    VIR_FREE(buf);
+    return 0;
+
+error:
+    virReportSystemError(errno, "%s", _("cannot check for IP forwarding"));
+cleanup:
+    if (ret > 0) {
+        VIR_FREE(buf);
+        return -1;
+    } else {
+        return ret;
+    }
+}
 
 static int
 networkSetIPv6Sysctls(virNetworkObjPtr network)
@@ -2140,11 +2172,9 @@ networkStartNetworkVirtual(struct network_driver *driver,
     if (virNetDevSetOnline(network->def->bridge, 1) < 0)
         goto err2;
 
-    /* If forwardType != NONE, turn on global IP forwarding */
+    /* If forwardType != NONE, check for IP forwarding */
     if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE &&
-        networkEnableIpForwarding(v4present, v6present) < 0) {
-        virReportSystemError(errno, "%s",
-                             _("failed to enable IP forwarding"));
+        networkCheckIpForwarding(v4present, v6present) < 0) {
         goto err3;
     }
 
-- 
1.7.2.5



--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list





