
[libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem



On a recent installation of FC13, the filtering of IP/IPv6 traffic using iptables/ip6tables did not work, since the proc filesystem entries /proc/sys/net/bridge/bridge-nf-call-iptables and /proc/sys/net/bridge/bridge-nf-call-ip6tables each contained a zero and no traffic went into the FORWARD chain. The patch below makes sure that, if iptables or ip6tables are being used by the nwfilter driver, a '1' is written into the relevant proc filesystem entry so that the traffic goes into the FORWARD chain.

Signed-off-by: Stefan Berger <stefanb us ibm com>

---
 src/nwfilter/nwfilter_ebiptables_driver.c |   19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -63,6 +63,11 @@
       : ""


+#define PROC_BRIDGE_NF_CALL_IPTABLES \
+        "/proc/sys/net/bridge/bridge-nf-call-iptables"
+#define PROC_BRIDGE_NF_CALL_IP6TABLES\
+        "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+
 static char *ebtables_cmd_path;
 static char *iptables_cmd_path;
 static char *ip6tables_cmd_path;
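Review bot: The second macro lacks the space before the line-continuation backslash that the first one has; `#define PROC_BRIDGE_NF_CALL_IP6TABLES \` keeps the pair consistent. A one-line comment above the two defines saying what these entries control would also help the next reader, e.g. `/* sysctl switches that make bridged IPv4/IPv6 frames traverse iptables/ip6tables */`.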
@@ -429,16 +434,20 @@ static int iptablesLinkIPTablesBaseChain


 static int iptablesCreateBaseChains(const char *iptables_cmd,
-                                    virBufferPtr buf)
+                                    virBufferPtr buf,
+                                    bool isIPv6)
 {
     virBufferVSprintf(buf,"%s -N " VIRT_IN_CHAIN      CMD_SEPARATOR
                           "%s -N " VIRT_OUT_CHAIN     CMD_SEPARATOR
                           "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
-                          "%s -N " HOST_IN_CHAIN      CMD_SEPARATOR,
+                          "%s -N " HOST_IN_CHAIN      CMD_SEPARATOR
+                          "echo 1 > %s"               CMD_SEPARATOR,
+                          iptables_cmd,
                           iptables_cmd,
                           iptables_cmd,
                           iptables_cmd,
-                          iptables_cmd);
+                          isIPv6 ? PROC_BRIDGE_NF_CALL_IP6TABLES
+                                 : PROC_BRIDGE_NF_CALL_IPTABLES);
     iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
                                   VIRT_IN_CHAIN     , "FORWARD", 1, 1);
     iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
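Review bot: The `echo 1 > %s` appended to the chain-creation script checks neither that the proc entry exists nor that the write succeeded; on a kernel without bridge netfilter, or before the bridge module is loaded, the redirection fails, and whether that aborts the whole apply or is silently ignored depends on how ebiptablesExecCLI treats a failing intermediate command, which is outside this hunk. A guarded form, `test -w %s && echo 1 > %s` with the path argument passed twice, or writing the value directly from C so the failure is reported together with the path, would make the failure mode explicit instead of implicit. The flag is also host-global — it sends every bridged IPv4/IPv6 frame on the host through the FORWARD chain, not only frames of filtered interfaces — and nothing in this patch restores the previous value when filters are torn down; a comment above the `echo`, e.g. `/* host-wide sysctl: enabled here, not reverted on teardown */`, would record that deliberately.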
@@ -3074,7 +3083,7 @@ ebiptablesApplyNewRules(virConnectPtr co
         iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname);
         iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);

-        iptablesCreateBaseChains(iptables_cmd_path, &buf);
+        iptablesCreateBaseChains(iptables_cmd_path, &buf, false);

         if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
             goto tear_down_tmpebchains;
@@ -3105,7 +3114,7 @@ ebiptablesApplyNewRules(virConnectPtr co
         iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname);
         iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);

-        iptablesCreateBaseChains(ip6tables_cmd_path, &buf);
+        iptablesCreateBaseChains(ip6tables_cmd_path, &buf, true);

         if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
             goto tear_down_tmpiptchains;

