[libvirt] [PATCH] nwfilter: cut off connections after changing filters

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Oct 13 17:53:00 UTC 2010


The following filter transition from a filter allowing incoming TCP connections

   <rule action='accept' direction='in' priority='401'>
     <tcp/>
   </rule>
   <rule action='accept' direction='out' priority='500'>
     <tcp/>
   </rule>


to one that does not allow them

   <rule action='drop' direction='in' priority='401'>
     <tcp/>
   </rule>
   <rule action='accept' direction='out' priority='500'>
     <tcp/>
   </rule>

previously did not cut off existing (ssh) connections but only prevented newly initiated ones. The attached patch makes it possible to cut off existing connections as well, thus enforcing what the filter shows.

I had only tested with a configuration where the physical interface is 
connected to the bridge where the filters are applied. This patch now 
also solves a filtering problem where the physical interface is not 
connected to the bridge, but the bridge is given an IP address and the 
host routes between bridge and physical interface. Here the filters drop 
non-allowed traffic on the outgoing side on the host.

Signed-off-by: Stefan Berger <stefanb at us.ibm.com>

---
  src/nwfilter/nwfilter_ebiptables_driver.c |   17 +++++++++++++++++
  1 file changed, 17 insertions(+)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1100,6 +1100,19 @@ err_exit:
      return 1;
  }

+
+static void
+iptablesEnforceDirection(int directionIn,
+                         virNWFilterRuleDefPtr rule,
+                         virBufferPtr buf)
+{
+    if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)
+        virBufferVSprintf(buf, " -m conntrack --ctdir %s",
+                          (directionIn) ? "Original"
+                                        : "Reply");
+}
+
+
  /*
   * _iptablesCreateRuleInstance:
   * @chainPrefix : The prefix to put in front of the name of the chain
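Review bot: the new `iptablesEnforceDirection` has no documentation comment although its neighbour `_iptablesCreateRuleInstance` is documented in the `@param` block style right below it; a short comment stating that it appends ` -m conntrack --ctdir Original` for inbound rules and `--ctdir Reply` otherwise, and that `VIR_NWFILTER_RULE_DIRECTION_INOUT` rules are deliberately left without a direction match, would make the intent clear. Related question: the generated rule now depends on the running iptables and kernel supporting the `--ctdir` option of the conntrack match; does the driver probe for that, or should a minimum version be documented so that rule creation fails with a clear message rather than an opaque iptables error?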
@@ -1494,6 +1507,10 @@ _iptablesCreateRuleInstance(int directio
      if (match && !skipMatch)
          virBufferVSprintf(&buf, " %s", match);

+    if (defMatch && match != NULL)
+        iptablesEnforceDirection(directionIn,
+                                 rule,
+ &buf);

      virBufferVSprintf(&buf,
                        " -j %s" CMD_DEF_POST CMD_SEPARATOR
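Review bot: the gate `if (defMatch && match != NULL)` is asymmetric with the preceding `if (match && !skipMatch)`: when `skipMatch` is set the match string itself is omitted, yet the direction enforcement is still appended, so it is unclear whether the `--ctdir` fragment is meant to survive a skipped match; either add `!skipMatch` to the new condition or leave a comment explaining why the two differ. Minor style: `match != NULL` and the bare `match` test two lines above say the same thing in two styles, and the continuation line `+ &buf);` is not aligned with the other arguments of the call.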