[libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

Daniel P. Berrange berrange at redhat.com
Thu Sep 23 11:33:34 UTC 2010 

On Thu, Sep 23, 2010 at 11:36:11AM +0100, Daniel P. Berrange wrote:
> On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
> >  On a recent installation of FC13, the filtering of IP/IPv6 using 
> > iptables/ip6tables traffic did not work since the proc filesystem 
> > entries /proc/sys/net/bridge/bridge-nf-call-iptables and 
> > /proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and 
> > no traffic went into the FORWARD chain. The patch below makes sure that 
> > if iptables or ip6tables are being used by the nwfilter driver that a 
> > '1' is written into the relevant proc filesystem entry so that the 
> > traffic goes into the FORWARD chain.
> 
> What parts of the nwfilter functionality gets affected by this ?
> 
> IIUC, the higher level protocols, TCP, UDP, SCTP, ICMP,
> IGMP, ESP, AH, UDPLITE & 'ALL'  get implemented via iptables ? 
> Alot of the matches you can define using these higher level
> protocols, can also be defined using the generic IPv4/IPv6 rules.
> For example everything you can do with TCP protocol can be done
> with the IPv4/IPv6 protocol, with exception of ip address ranges.
> 
> 
> Could we either
> 
>  1. Document that if you want to make use of the higher level
>     protocols, that you need to enable bridge-nf-call-iptables
>     and explain the tradeoffs in that setting.[1][2]
> 
>  2. Provide an alternative impl of 90% of the higher level
>     protocols, using ebtables instead of iptables. And make
>     choice of iptables vs ebtables a config param for libvirtd.
>     eg, for most people an ebtables based impl will be sufficient
>     but if they need the full funtionality,then switch to the
>     iptables impl & enable bridge-nf-call-iptables=1

Actally I guess 2. is rather pointless given that you can already just
use the IPv4/6 generic rules to do 90% of that stuff. I think this just
comes down to a documentation issue, explaining the pros&cons of each
possible bridge-nf-call-* setting. 

Daniel

> [1] http://kerneltrap.org/mailarchive/linux-netdev/2009/6/30/6114563
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=512206


-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list