[libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

Daniel P. Berrange berrange at redhat.com
Thu Sep 23 09:31:46 UTC 2010


On Wed, Sep 22, 2010 at 03:35:54PM -0400, Stefan Berger wrote:
>  On 09/22/2010 02:49 PM, Daniel P. Berrange wrote:
> >On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
> >>  On a recent installation of FC13, the filtering of IP/IPv6 using
> >>iptables/ip6tables traffic did not work since the proc filesystem
> >>entries /proc/sys/net/bridge/bridge-nf-call-iptables and
> >>/proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and
> >>no traffic went into the FORWARD chain. The patch below makes sure that
> >>if iptables or ip6tables are being used by the nwfilter driver that a
> >>'1' is written into the relevant proc filesystem entry so that the
> >>traffic goes into the FORWARD chain.
> >NACK to this. We need to figure out how to make this filtering
> >work with them set to 0. The change to set them to 0 by default
> >is explicitly done for the benefit of virtualization, otherwise
> >guest traffic gets blocked by regular host firewall rules which
> >is not desirable. eg run system-config-firewall and block ssh
> >port on the host, and you've blocked it on all the guests too :-(
> >
> The ssh port blocking for the host is a rule that goes into the INPUT 
> table. That is independent of what libvirt does with the FORWARD table 
> and this host rule would not influence the guest rules and vice versa. 
> Traffic destined to bridged guests will NOT go through the INPUT table, 
> only traffic from guests towards their own host will go through it.

It depends on the version of RHEL/Fedora. Previous system-config-firewall
would put the same rules on INPUT *and* FORWARD chain. The newer s-c-f
puts a generic 'REJECT' rule on the FORWARD table. Either way, if you have
bridge-nf-call-iptables=1, then all bridged guest traffic is significantly
impacted.

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
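
The thread turns on two facts: whether bridge-nf-call-iptables / bridge-nf-call-ip6tables are 1 (so bridged frames are handed to the host's iptables FORWARD chain at all) and whether that chain carries a blanket REJECT of the kind Daniel describes. The script below is an added example for checking both on a host; it is not libvirt code and not part of this thread. The sysctl file names come from the thread; the `iptables -S FORWARD` output format it parses is a standard iptables feature, and the rule dump embedded in it is constructed for illustration, not captured from any system.

```shell
#!/bin/sh
# Added example (not libvirt/Fedora code): read-only check of the two things
# the thread argues about. Nothing is written to /proc or to iptables.

# bridge_nf_state DIR FAMILY
#   DIR     directory holding the bridge-nf-call-* files
#           (on a live host: /proc/sys/net/bridge)
#   FAMILY  iptables or ip6tables
# Prints "missing" if the file is absent (no bridge netfilter hook, frames
# are never handed to iptables), "off" for 0, "on" for 1.
# Returns 1 on an unexpected value.
bridge_nf_state() {
    f="$1/bridge-nf-call-$2"
    if [ ! -r "$f" ]; then
        echo missing
        return 0
    fi
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo "unexpected value in $f: $(cat "$f")" >&2; return 1 ;;
    esac
}

# forward_exposure DIR
# Prints "exposed" when either family is on (bridged guest traffic traverses
# the host FORWARD chain and is subject to host firewall rules), else
# "isolated".
forward_exposure() {
    v4=$(bridge_nf_state "$1" iptables) || return 1
    v6=$(bridge_nf_state "$1" ip6tables) || return 1
    if [ "$v4" = on ] || [ "$v6" = on ]; then
        echo exposed
    else
        echo isolated
    fi
}

# blanket_forward_rules < dump
# Reads `iptables -S FORWARD` output on stdin and prints the rules that
# REJECT or DROP with no interface or address qualifier (-i/-o/-s/-d).
# With bridge-nf-call-iptables=1 these hit every bridged guest packet.
blanket_forward_rules() {
    grep -E '^-A FORWARD ' |
    grep -E -- '-j (REJECT|DROP)' |
    grep -v -E -- ' -(i|o|s|d) '
}

# Constructed sample of an `iptables -S FORWARD` dump (not captured from a
# real host): interface-qualified rules plus one generic REJECT at the end,
# the shape of rule Daniel describes for the newer system-config-firewall.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Stand-alone use: sh bridge-nf-check.sh /proc/sys/net/bridge
if [ -n "${1:-}" ]; then
    echo "bridge-nf-call-iptables:  $(bridge_nf_state "$1" iptables)"
    echo "bridge-nf-call-ip6tables: $(bridge_nf_state "$1" ip6tables)"
    echo "bridged guest traffic:    $(forward_exposure "$1")"
    echo "blanket FORWARD rules (constructed sample):"
    printf '%s\n' "$SAMPLE_FORWARD" | blanket_forward_rules || echo "  (none)"
fi
```

On a live host, pipe the real dump instead of the sample: `iptables -S FORWARD | blanket_forward_rules`. A host that reports "exposed" together with at least one blanket rule is exactly the configuration in which guest traffic gets blocked by host-wide firewall policy; with both sysctls at 0 the FORWARD chain never sees bridged frames, which is the state the NACK wants nwfilter to work in.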