[libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Sep 22 18:19:31 UTC 2010


  On a recent installation of FC13, filtering of IPv4/IPv6 traffic with 
iptables/ip6tables did not work: the proc filesystem entries 
/proc/sys/net/bridge/bridge-nf-call-iptables and 
/proc/sys/net/bridge/bridge-nf-call-ip6tables each contained a zero, so 
no bridged traffic entered the FORWARD chain. The patch below makes sure 
that, whenever the nwfilter driver uses iptables or ip6tables, a '1' is 
written into the corresponding proc filesystem entry so that the traffic 
does go into the FORWARD chain.

Signed-off-by: Stefan Berger <stefanb at us.ibm.com>

---
  src/nwfilter/nwfilter_ebiptables_driver.c |   19 ++++++++++++++-----
  1 file changed, 14 insertions(+), 5 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -63,6 +63,11 @@
        : ""


+#define PROC_BRIDGE_NF_CALL_IPTABLES \
+        "/proc/sys/net/bridge/bridge-nf-call-iptables"
+#define PROC_BRIDGE_NF_CALL_IP6TABLES\
+        "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+
  static char *ebtables_cmd_path;
  static char *iptables_cmd_path;
  static char *ip6tables_cmd_path;
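Review bot: The continuation backslash on `#define PROC_BRIDGE_NF_CALL_IP6TABLES\` is glued to the macro name, unlike the iptables definition just above it; add the space for consistency, `#define PROC_BRIDGE_NF_CALL_IP6TABLES \`. The two macros also arrive without any note on what these sysctls do or why the driver needs them, so a one-line comment above them such as `/* bridge sysctls that must read 1 for bridged frames to traverse the ip(6)tables FORWARD chain */` would spare the next reader a trip to the kernel documentation. These are file-scope definitions, so no enclosing function is cut by the hunk.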
@@ -429,16 +434,20 @@ static int iptablesLinkIPTablesBaseChain


  static int iptablesCreateBaseChains(const char *iptables_cmd,
-                                    virBufferPtr buf)
+                                    virBufferPtr buf,
+                                    bool isIPv6)
  {
      virBufferVSprintf(buf,"%s -N " VIRT_IN_CHAIN      CMD_SEPARATOR
                            "%s -N " VIRT_OUT_CHAIN     CMD_SEPARATOR
                            "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
-                          "%s -N " HOST_IN_CHAIN      CMD_SEPARATOR,
+                          "%s -N " HOST_IN_CHAIN      CMD_SEPARATOR
+                          "echo 1 > %s"               CMD_SEPARATOR,
+                          iptables_cmd,
                            iptables_cmd,
                            iptables_cmd,
                            iptables_cmd,
-                          iptables_cmd);
+                          isIPv6 ? PROC_BRIDGE_NF_CALL_IP6TABLES
+                                 : PROC_BRIDGE_NF_CALL_IPTABLES);
      iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
                                    VIRT_IN_CHAIN     , "FORWARD", 1, 1);
      iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
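Review bot: The `echo 1 > %s` appended to the command buffer assumes the bridge sysctl file exists and is writable; on a host where the bridge module is not loaded, or in an environment with a read-only /proc/sys, the redirection fails and, if ebiptablesExecCLI reports the script's exit status as the callers' `cli_status != 0` checks suggest, base chain creation is aborted even though every iptables command succeeded. Guarding the write, e.g. `"test ! -e %s || echo 1 > %s" CMD_SEPARATOR` with the path passed twice, keeps a missing sysctl from taking the whole rule application down. Separately, this flips a host-global setting that changes the path of bridged traffic for every bridge on the host, not only libvirt-managed ones, it is re-run on every rule application, and nothing restores the previous value on teardown; that deserves a comment above the function such as `/* also enables the host-wide bridge-nf-call-ip(6)tables sysctl; the previous value is not restored */` and ideally a log line when the value actually changes. iptablesCreateBaseChains continues past the end of this hunk.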
@@ -3074,7 +3083,7 @@ ebiptablesApplyNewRules(virConnectPtr co
          iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname);
          iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);

-        iptablesCreateBaseChains(iptables_cmd_path, &buf);
+        iptablesCreateBaseChains(iptables_cmd_path, &buf, false);

          if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
              goto tear_down_tmpebchains;
@@ -3105,7 +3114,7 @@ ebiptablesApplyNewRules(virConnectPtr co
          iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname);
          iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);

-        iptablesCreateBaseChains(ip6tables_cmd_path, &buf);
+        iptablesCreateBaseChains(ip6tables_cmd_path, &buf, true);

          if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
              goto tear_down_tmpiptchains;



