[libvirt] [PATCH v2 0/4] Restructure firewall rules for virtual networks into private chains

Daniel P. Berrangé berrange at redhat.com
Wed Jan 9 15:13:28 UTC 2019


ping

On Fri, Dec 07, 2018 at 04:21:31PM +0000, Daniel P. Berrangé wrote:
>   v1: https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html
> 
> The virtual networks in NAT mode are supposed to only allow outbound
> network access for guests. Unfortunately due to ordering of the firewall
> rules libvirt creates, when you have multiple virtual networks, guests
> on the more recently created virtual networks can connect to guests on
> old virtual networks.
> 
> This was reported way back in 2008 but we always thought the fix would
> be very complicated to deal with, so we've been putting it off forever.
> 
> In parallel with this there's also been a long standing desire since
> 2009 to move our firewall rules out of the builtin chains, to libvirt
> private chains. This is to make it easier for admins to use hook scripts
> to setup rules in the builtin chains that take priority over rules
> libvirt creates.
> 
> In implementing the changes to use private chains, I suddenly realized
> that fixing the network to network traffic blocking problem was trivial
> if I grouped the forwarding rules into three distinct sets.
> 
> So this series finally fixes an annoying 10 year old bug, and implements
> a 9 year old RFE.
> 
> It may take us a while, but we'll get to your bugs eventually ;-)
> 
> Changed in v2:
>  - Detect whether chains already exist before creating them
>  - Only try to delete legacy rules from builtin chain during startup
> 
> Daniel P. Berrangé (4):
>   network: add platform driver callbacks around firewall reload
>   util: pass layer into firewall query callback
>   util: create private chains for virtual network firewall rules
>   util: move virtual network firewall rules into private chains
> 
>  src/libvirt_private.syms                      |   2 +
>  src/network/bridge_driver.c                   |  13 +-
>  src/network/bridge_driver_linux.c             |  32 +++
>  src/network/bridge_driver_nop.c               |  11 +
>  src/network/bridge_driver_platform.h          |   3 +
>  src/nwfilter/nwfilter_ebiptables_driver.c     |  17 +-
>  src/util/virfirewall.c                        |   2 +-
>  src/util/virfirewall.h                        |   1 +
>  src/util/viriptables.c                        | 254 +++++++++++++++---
>  src/util/viriptables.h                        |   4 +
>  .../nat-default-linux.args                    |  32 +--
>  .../nat-ipv6-linux.args                       |  48 ++--
>  .../nat-many-ips-linux.args                   |  60 ++---
>  .../nat-no-dhcp-linux.args                    |  46 ++--
>  .../nat-tftp-linux.args                       |  34 +--
>  .../route-default-linux.args                  |  22 +-
>  tests/virfirewalltest.c                       |   3 +-
>  17 files changed, 405 insertions(+), 179 deletions(-)
> 
> -- 
> 2.19.2
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
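The cover letter quoted above describes the bug in terms of rule ordering: with per-network rule blocks stacked in the builtin FORWARD chain, first-match evaluation lets a newer network's "accept anything from my bridge" rule fire before an older network's "reject anything to my bridge" rule. The following is an added illustration, not code from the series or from libvirt: a small first-match model of FORWARD-chain evaluation that builds both layouts for two constructed NAT networks and reports the verdict for the interesting packets. The legacy rule shapes, the insert-at-head ordering, and the chain names LIBVIRT_FWX / LIBVIRT_FWI / LIBVIRT_FWO for the "three distinct sets" are assumptions made for the model; the message itself does not name the chains.

```python
"""First-match model of iptables FORWARD evaluation for NAT virtual networks.

Added illustration; rule shapes, ordering and chain names are assumptions,
not the series' actual rules.
"""
import ipaddress


class Rule:
    """One rule: optional match fields plus a target (a verdict or a chain name)."""

    def __init__(self, target, in_if=None, out_if=None, src=None, dst=None, established=None):
        self.target = target
        self.in_if, self.out_if = in_if, out_if
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None
        self.established = established  # None: don't care; True: conntrack ESTABLISHED only

    def matches(self, pkt):
        if self.in_if and pkt["in"] != self.in_if:
            return False
        if self.out_if and pkt["out"] != self.out_if:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.established is not None and pkt["established"] != self.established:
            return False
        return True


def evaluate(chains, name, pkt):
    """Walk a chain top to bottom; a jump that falls off the end returns to the caller."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in chains:
            verdict = evaluate(chains, rule.target, pkt)
            if verdict is not None:
                return verdict
        else:
            return rule.target
    return None  # no rule matched: chain policy would apply


def legacy_builtin(networks):
    """Assumed pre-series layout: each network's block is inserted at the head of FORWARD,
    so the most recently created network is evaluated first."""
    forward = []
    for bridge, cidr in networks:
        block = [
            Rule("ACCEPT", out_if=bridge, dst=cidr, established=True),  # replies back in
            Rule("ACCEPT", in_if=bridge, src=cidr),                      # anything out
            Rule("ACCEPT", in_if=bridge, out_if=bridge),                 # same network
            Rule("REJECT", out_if=bridge),
            Rule("REJECT", in_if=bridge),
        ]
        forward = block + forward
    return {"FORWARD": forward}


def private_chains(networks):
    """Assumed post-series layout: three private chains, each holding one kind of rule
    for every network, so no network's accept can precede another network's reject."""
    fwx, fwi, fwo = [], [], []
    for bridge, cidr in networks:
        fwx.append(Rule("ACCEPT", in_if=bridge, out_if=bridge))
        fwi.append(Rule("ACCEPT", out_if=bridge, dst=cidr, established=True))
        fwi.append(Rule("REJECT", out_if=bridge))
        fwo.append(Rule("ACCEPT", in_if=bridge, src=cidr))
        fwo.append(Rule("REJECT", in_if=bridge))
    return {
        "FORWARD": [Rule("LIBVIRT_FWX"), Rule("LIBVIRT_FWI"), Rule("LIBVIRT_FWO")],
        "LIBVIRT_FWX": fwx, "LIBVIRT_FWI": fwi, "LIBVIRT_FWO": fwo,
    }


# Constructed sample: virbr0 created first, virbr1 created later.
NETWORKS = [("virbr0", "192.168.122.0/24"), ("virbr1", "192.168.123.0/24")]


def packet(in_if, out_if, src, dst, established=False):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst, "established": established}


PACKETS = {
    "new_to_old": packet("virbr1", "virbr0", "192.168.123.10", "192.168.122.10"),
    "old_to_new": packet("virbr0", "virbr1", "192.168.122.10", "192.168.123.10"),
    "outbound":   packet("virbr1", "eth0", "192.168.123.10", "203.0.113.5"),
    "reply":      packet("eth0", "virbr1", "203.0.113.5", "192.168.123.10", established=True),
    "same_net":   packet("virbr0", "virbr0", "192.168.122.10", "192.168.122.11"),
}


def verdicts(layout):
    """Verdict per named packet for the given layout builder."""
    chains = layout(NETWORKS)
    return {name: evaluate(chains, "FORWARD", p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for layout in (legacy_builtin, private_chains):
        print(layout.__name__, verdicts(layout))
```

In the legacy layout `new_to_old` is accepted while `old_to_new` is rejected, which is exactly the asymmetry the cover letter reports; with the grouped chains both cross-network directions are rejected while outbound traffic, its established replies and same-bridge traffic still pass.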