[PATCH v2] nwfilter: Deactivate iptables MAC address check where needed


 



From: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>

Recent Linux iptables (3.11.7) refuses to create iptables MAC address
check rules using -m mac --mac-source <addr> where previous versions
still allowed it. So we now need to deactivate these filtering rules for
the case where incoming traffic is filtered before it is sent into the VM.
Those are typically the chains that start with FO-* or start with FP-*
when they are being built.

Adapt the documentation to reflect the fact that srcmacaddr, when
used in iptables rules, should be regarded as deprecated due to the
above mentioned problems.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
 docs/formatnwfilter.html.in               | 42 +++++--------------------------
 src/nwfilter/nwfilter_ebiptables_driver.c | 29 +++++++++++++--------
 2 files changed, 24 insertions(+), 47 deletions(-)

diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 4b95fce..ee23d8e 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -1209,7 +1209,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1320,22 +1320,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>srcmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>dstmacaddr</td>
-         <td>MAC_ADDR</td>
-         <td>MAC address of destination</td>
-       </tr>
-       <tr>
-         <td>dstmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of destination</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1429,22 +1414,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>srcmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>dstmacaddr</td>
-         <td>MAC_ADDR</td>
-         <td>MAC address of destination</td>
-       </tr>
-       <tr>
-         <td>dstmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of destination</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1529,7 +1499,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1640,7 +1610,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1735,7 +1705,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 352c08f..ae20bf0 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -972,7 +972,7 @@ static int
 iptablesHandleSrcMacAddr(virBufferPtr buf,
                          virNWFilterVarCombIterPtr vars,
                          nwItemDescPtr srcMacAddr,
-                         bool directionIn,
+                         const char *chain, bool directionIn,
                          bool *srcmacskipped)
 {
     char macaddr[VIR_MAC_STRING_BUFLEN];
@@ -984,6 +984,14 @@ iptablesHandleSrcMacAddr(virBufferPtr buf,
             return 0;
         }
 
+        /* recent Linux iptables does not allow this filteirng rule to be
+         * applied to all FO-* chains
+         */
+        if (chain[1] == CHAINPREFIX_HOST_OUT_TEMP) {
+            *srcmacskipped = true;
+            return 0;
+        }
+
         if (printDataType(vars,
                           macaddr, sizeof(macaddr),
                           srcMacAddr) < 0)
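Review bot: The new test `chain[1] == CHAINPREFIX_HOST_OUT_TEMP` silently drops the source-MAC match for the FP-* chains, so a rule that was written to accept traffic only from a given MAC is emitted without that restriction, and the only trace is `*srcmacskipped`, which nothing in this patch reports. I would at least log the skip so the daemon log shows that srcmacaddr was ignored, e.g. `VIR_WARN("srcmacaddr ignored on chain %s", chain);`, and have the documentation hunk say the attribute is ignored for traffic towards the VM rather than only "deprecated". The function also has no stated contract that `chain` is non-NULL and at least two characters long; `if (chain && chain[0] && chain[1] == CHAINPREFIX_HOST_OUT_TEMP)` is cheap and makes the index safe. The added comment has a typo ("filteirng") and says "all FO-* chains" while the test only matches the temporary FP-* prefix; the cover letter explains that distinction, so the comment should too. iptablesHandleSrcMacAddr starts in the previous hunk and its body continues past this one.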
@@ -1366,7 +1374,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.tcpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1421,7 +1429,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.udpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1454,7 +1462,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.udpliteHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1482,7 +1490,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.espHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1506,11 +1514,10 @@ _iptablesCreateRuleInstance(bool directionIn,
         virBufferAddLit(&buf, " -p ah");
 
         bufUsed = virBufferUse(&buf);
-
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.ahHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1538,7 +1545,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.sctpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1574,7 +1581,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.icmpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1636,7 +1643,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.igmpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1664,7 +1671,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.allHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
-- 
1.8.1.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



