[libvirt] [PATCH v3 0/4] Restructure firewall rules for virtual networks into private chains

Michal Privoznik mprivozn at redhat.com
Tue Jan 29 13:25:28 UTC 2019


On 1/24/19 3:05 PM, Daniel P. Berrangé wrote:
>    v1: https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html
>    v2: https://www.redhat.com/archives/libvir-list/2018-December/msg00198.html
> 
> The virtual networks in NAT mode are supposed to only allow outbound
> network access for guests. Unfortunately due to ordering of the firewall
> rules libvirt creates, when you have multiple virtual networks, guests
> on the more recently created virtual networks can connect to guests on
> old virtual networks.
> 
> This was reported way back in 2008 but we always thought the fix would
> be very complicated to deal with, so we've been putting it off forever.
> 
> In parallel with this there's also been a long standing desire since
> 2009 to move our firewall rules out of the builtin chains, to libvirt
> private chains. This is to make it easier for admins to use hook scripts
> to set up rules in the builtin chains that take priority over rules
> libvirt creates.
> 
> In implementing the changes to use private chains, I suddenly realized
> that fixing the network to network traffic blocking problem was trivial
> if I grouped the forwarding rules into three distinct sets.
> 
> So this series finally fixes an annoying 10 year old bug, and implements
> a 9 year old RFE.
> 
> It may take us a while, but we'll get to your bugs eventually ;-)
> 
> Changed in v3:
> 
>   - Rebase to git master
> 
> Changed in v2:
> 
>   - Detect whether chains already exist before creating them
>   - Only try to delete legacy rules from builtin chain during startup
> 
> Daniel P. Berrangé (4):
>    network: add platform driver callbacks around firewall reload
>    util: pass layer into firewall query callback
>    util: create private chains for virtual network firewall rules
>    util: move virtual network firewall rules into private chains
> 
>   src/libvirt_private.syms                      |   2 +
>   src/network/bridge_driver.c                   |  13 +-
>   src/network/bridge_driver_linux.c             |  32 +++
>   src/network/bridge_driver_nop.c               |  11 +
>   src/network/bridge_driver_platform.h          |   3 +
>   src/nwfilter/nwfilter_ebiptables_driver.c     |  17 +-
>   src/util/virfirewall.c                        |   2 +-
>   src/util/virfirewall.h                        |   1 +
>   src/util/viriptables.c                        | 254 +++++++++++++++---
>   src/util/viriptables.h                        |   4 +
>   .../nat-default-linux.args                    |  32 +--
>   .../nat-ipv6-linux.args                       |  48 ++--
>   .../nat-many-ips-linux.args                   |  60 ++---
>   .../nat-no-dhcp-linux.args                    |  46 ++--
>   .../nat-tftp-linux.args                       |  34 +--
>   .../route-default-linux.args                  |  22 +-
>   tests/virfirewalltest.c                       |   3 +-
>   17 files changed, 405 insertions(+), 179 deletions(-)
> 

ACK

Michal
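As an added illustration (not part of this series or of libvirt's own code), a toy first-match model of the FORWARD-chain ordering bug and of the grouped-chain fix the cover letter describes. The per-network rule block is a simplified model of libvirt's legacy rules, and the three private chain names, bridge names and subnets in it are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    target: str                # ACCEPT or REJECT
    in_if: str = ""            # -i (empty = any)
    out_if: str = ""           # -o
    src: str = ""              # -s (CIDR)
    dst: str = ""              # -d (CIDR)
    established: bool = False  # -m conntrack --ctstate RELATED,ESTABLISHED

    def matches(self, pkt):
        return ((not self.in_if or pkt["in"] == self.in_if)
                and (not self.out_if or pkt["out"] == self.out_if)
                and (not self.src or ip_address(pkt["src"]) in ip_network(self.src))
                and (not self.dst or ip_address(pkt["dst"]) in ip_network(self.dst))
                and (not self.established or pkt.get("established", False)))

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; an unmatched packet falls through to the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def network_rules(br, subnet):
    """Per-network rule block for one NAT bridge (simplified model of libvirt's legacy set)."""
    return [Rule("ACCEPT", out_if=br, dst=subnet, established=True),  # replies back to guests
            Rule("ACCEPT", in_if=br, src=subnet),                     # guests outbound
            Rule("ACCEPT", in_if=br, out_if=br),                      # same-bridge traffic
            Rule("REJECT", out_if=br),                                # anything else inbound
            Rule("REJECT", in_if=br)]                                 # anything else outbound

def legacy_forward(networks):
    """Legacy layout: each network started later inserts its block at the top of FORWARD."""
    chain = []
    for br, subnet in networks:  # networks given in creation order
        chain = network_rules(br, subnet) + chain
    return chain

def private_chains(networks):
    """Grouped layout (chain names assumed): cross, inbound and outbound rules in three private
    chains jumped to from FORWARD in that order, so every inbound REJECT precedes any outbound ACCEPT."""
    fwx = [Rule("ACCEPT", in_if=br, out_if=br) for br, _ in networks]
    fwi, fwo = [], []
    for br, subnet in networks:
        fwi += [Rule("ACCEPT", out_if=br, dst=subnet, established=True), Rule("REJECT", out_if=br)]
        fwo += [Rule("ACCEPT", in_if=br, src=subnet), Rule("REJECT", in_if=br)]
    return fwx + fwi + fwo  # concatenation models the three jumps
```

With two networks in creation order, the legacy layout accepts a guest-to-guest packet from the newer bridge to the older one while rejecting the reverse direction; the grouped layout rejects both while still passing outbound traffic and established replies.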