[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem



 On 09/22/2010 02:25 PM, Eric Blake wrote:
On 09/22/2010 12:19 PM, Stefan Berger wrote:
On a recent installation of FC13, the filtering of IP/IPv6 using
iptables/ip6tables traffic did not work since the proc filesystem
entries /proc/sys/net/bridge/bridge-nf-call-iptables and
/proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and
no traffic went into the FORWARD chain. The patch below makes sure that
if iptables or ip6tables are being used by the nwfilter driver that a
'1' is written into the relevant proc filesystem entry so that the
traffic goes into the FORWARD chain.

Do we have to worry about a minimum kernel version where these /proc/sys files are guaranteed to exist?
How would I find out? At least on the machines I have looked, these proc filesystem entries do exists -- just that they already contain the expected '1'. I don't know what used to write the '1' into these files, but it doesn't do it anymore on the other 2 systems I installed, possible due to packages that I have installed on other systems but not on the new ones.

My assumption is that on systems where these files exist, writing a '1' into them won't hurt. If they don't exist then the expected behavior is activated by default.


virBufferVSprintf(buf,"%s -N " VIRT_IN_CHAIN CMD_SEPARATOR
"%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR
"%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
- "%s -N " HOST_IN_CHAIN CMD_SEPARATOR,
+ "%s -N " HOST_IN_CHAIN CMD_SEPARATOR
+ "echo 1 > %s" CMD_SEPARATOR,

Not introduced by this patch, but shouldn't you be checking individual commands for appropriate exit status? And with this particular patch, what happens when a successful exit status of 'echo 1 >file' masks an earlier failure of the iptables_cmd?

The particular sequence of above 4 commands (above the echo) is run quite frequently and they may fail if for example the tables already exist. If they did not succeed for some other reason, then subsequent commands trying to establish a 'jump' into one of these tables will then fail (see code following below the patch in the same function) and report back. So error codes in this case can be masked.

  Stefan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]