Re: [PATCH] Fix bridge configuration when OUTPUT policy is DROP on the host

Michal Privoznik <mprivozn@xxxxxxxxxx> · Tue, 07 Jan 2014 18:33:44 +0100

On 17.12.2013 18:56, Lénaïc Huard wrote:
> When the host is configured with very restrictive firewall (default policy
> is DROP for all chains, including OUTPUT), the bridge driver for Linux
> adds netfilter entries to allow DHCP and DNS requests to go from the VM
> to the dnsmasq of the host.
> 
> The issue that this commit fixes is the fact that a DROP policy on the OUTPUT
> chain blocks the DHCP replies from the host’s dnsmasq to the VM.
> As DHCP replies are sent in UDP, they are not caught by any --ctstate ESTABLISHED
> rule and so, need to be explicitly allowed.
> 
> Signed-off-by: Lénaïc Huard <lenaic@xxxxxxxxxxxxxxxx>
> ---
>  src/libvirt_private.syms          |  2 ++
>  src/network/bridge_driver_linux.c | 35 +++++++++++++---------
>  src/util/viriptables.c            | 61 +++++++++++++++++++++++++++++++++++++++
>  src/util/viriptables.h            |  7 +++++
>  4 files changed, 92 insertions(+), 13 deletions(-)
> 
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 2dbb8f8..c26ce29 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -1290,6 +1290,7 @@ iptablesAddForwardRejectOut;
>  iptablesAddOutputFixUdpChecksum;
>  iptablesAddTcpInput;
>  iptablesAddUdpInput;
> +iptablesAddUdpOutput;
>  iptablesRemoveDontMasquerade;
>  iptablesRemoveForwardAllowCross;
>  iptablesRemoveForwardAllowIn;
> @@ -1301,6 +1302,7 @@ iptablesRemoveForwardRejectOut;
>  iptablesRemoveOutputFixUdpChecksum;
>  iptablesRemoveTcpInput;
>  iptablesRemoveUdpInput;
> +iptablesRemoveUdpOutput;
>  
>  
>  # util/virjson.h
> diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> index 066779a..dcdd033 100644
> --- a/src/network/bridge_driver_linux.c
> +++ b/src/network/bridge_driver_linux.c
> @@ -564,6 +564,13 @@ int networkAddGeneralFirewallRules(virNetworkObjPtr network)
>          goto err2;
>      }
>  
> +    if (iptablesAddUdpOutput(AF_INET, network->def->bridge, 68) < 0) {
> +        virReportError(VIR_ERR_SYSTEM_ERROR,
> +                       _("failed to add iptables rule to allow DHCP replies to '%s'"),
> +                       network->def->bridge);
> +        goto err3;
> +    }
> +

While adding this to networkAddGeneralFirewallRules() the counterpart in
networkRemoveGeneralFirewallRules() is required too. We don't want to
leave any stale firewall rules behind, right?

Anyway, that's just a small nit that I've fixed prior to push.

ACKed & pushed. Congrats on your second commit in libvirt :)

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list