From: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
Subject nwfilter: Deactivate iptables MAC address check where needed
Recent Linux iptables (3.11.7) refuses to create iptables MAC address check rules using -m mac --mac-source <addr> where previous versions still allowed it. So we now need to deactivate the filtering rules for when the incoming traffic is filtered before it is sent into the VM. Those are typically the chains that start with FO-* or start with FP-* when they are being built. Adapt the documentation to reflect the fact that srcmacaddr, when used in iptables rules, should be regarded as deprecated due to the above mentioned problems.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
 docs/formatnwfilter.html.in | 42 +++++--------------------
 src/nwfilter/nwfilter_ebiptables_driver.c | 29 +++++++++++++--------
 2 files changed, 24 insertions(+), 47 deletions(-)
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 4b95fce..ee23d8e 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -1209,7 +1209,7 @@
 <tr>
 <td>srcmacaddr</td>
 <td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated</td>
 </tr>
 <tr>
 <td>srcipaddr</td>
@@ -1320,22 +1320,7 @@
 <tr>
 <td>srcmacaddr</td>
 <td>MAC_ADDR</td>
- <td>MAC address of sender</td>
- </tr>
- <tr>
- <td>srcmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of sender</td>
- </tr>
- <tr>
- <td>dstmacaddr</td>
- <td>MAC_ADDR</td>
- <td>MAC address of destination</td>
- </tr>
- <tr>
- <td>dstmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of destination</td>
+ <td>MAC address of sender; this option is deprecated</td>
 </tr>
 <tr>
 <td>srcipaddr</td>
@@ -1429,22 +1414,7 @@
 <tr>
 <td>srcmacaddr</td>
 <td>MAC_ADDR</td>
- <td>MAC address of sender</td>
- </tr>
- <tr>
- <td>srcmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of sender</td>
- </tr>
- <tr>
- <td>dstmacaddr</td>
- <td>MAC_ADDR</td>
- <td>MAC address of destination</td>
- </tr>
- <tr>
- <td>dstmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of destination</td>
+ <td>MAC address of sender; this option is deprecated</td>
 </tr>
 <tr>
 <td>srcipaddr</td>
@@ -1529,7 +1499,7 @@
 <tr>
 <td>srcmacaddr</td>
 <td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated</td>
 </tr>
 <tr>
 <td>srcipaddr</td>
@@ -1640,7 +1610,7 @@
 <tr>
 <td>srcmacaddr</td>
 <td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated</td>
 </tr>
 <tr>
 <td>srcipaddr</td>
@@ -1735,7 +1705,7 @@
 <tr>
 <td>srcmacaddr</td>
 <td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated</td>
 </tr>
 <tr>
 <td>srcipaddr</td>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 9d6cc90..ebc3505 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -972,7 +972,7 @@ static int
 iptablesHandleSrcMacAddr(virBufferPtr buf,
 virNWFilterVarCombIterPtr vars,
 nwItemDescPtr srcMacAddr,
- bool directionIn,
+ const char *chain, bool directionIn,
 bool *srcmacskipped)
 {
 char macaddr[VIR_MAC_STRING_BUFLEN];
@@ -984,6 +984,14 @@ iptablesHandleSrcMacAddr(virBufferPtr buf,
 return 0;
 }
+ /* recent Linux iptables does not allow this filteirng rule to be
+ * applied to all FO-* chains
+ */
+ if (chain[1] == CHAINPREFIX_HOST_OUT_TEMP ) {
+ *srcmacskipped = true;
+ return 0;
+ }
+
 if (printDataType(vars, macaddr, sizeof(macaddr), srcMacAddr) < 0)
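Review bot: The new `chain` parameter of iptablesHandleSrcMacAddr has no stated contract, yet the following hunk reads it as `chain[1]` without any length check, so a caller passing an empty string would read past the terminator. A short comment above the prototype would pin down what callers must supply, e.g. `/* chain: full name of the chain this rule is built for (at least two characters, e.g. the FO-*/FP-* names from the commit message); used to suppress the MAC match where iptables rejects it */`. The function body continues beyond this hunk.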
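Review bot: The early return on CHAINPREFIX_HOST_OUT_TEMP chains silently installs a rule that is broader than the filter XML requested — the srcmacaddr restriction is dropped and only `*srcmacskipped = true` records it, so an administrator inspecting the generated rules gets no hint that the match was not applied. Logging at the skip point (libvirt's VIR_WARN, naming the chain and that the source-MAC match was omitted) would make the degraded filter visible, and a comment on the flag's meaning would help readers of the caller, which is outside this hunk. The comment also has a typo (`filteirng` → `filtering`) and speaks of FO-* chains while the test is on the HOST_OUT_TEMP prefix; relating that prefix to the FP-* chains "being built", as the commit message does, would avoid confusion. Minor: `CHAINPREFIX_HOST_OUT_TEMP )` carries a stray space before the closing parenthesis. The rest of iptablesHandleSrcMacAddr lies outside the hunk.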
@@ -1366,7 +1374,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.tcpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1421,7 +1429,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.udpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1454,7 +1462,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.udpliteHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1482,7 +1490,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.espHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1506,11 +1514,10 @@ _iptablesCreateRuleInstance(bool directionIn,
 virBufferAddLit(&buf, " -p ah");
 bufUsed = virBufferUse(&buf);
-
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.ahHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1538,7 +1545,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.sctpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1574,7 +1581,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.icmpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1636,7 +1643,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.igmpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
@@ -1664,7 +1671,7 @@ _iptablesCreateRuleInstance(bool directionIn,
 if (iptablesHandleSrcMacAddr(&buf, vars,
 &rule->p.allHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
 &srcMacSkipped) < 0)
 goto err_exit;
-- 1.8.1.4
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list