[libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

Daniel P. Berrange berrange at redhat.com
Thu Sep 23 10:36:11 UTC 2010 

On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
>  On a recent installation of FC13, the filtering of IP/IPv6 using 
> iptables/ip6tables traffic did not work since the proc filesystem 
> entries /proc/sys/net/bridge/bridge-nf-call-iptables and 
> /proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and 
> no traffic went into the FORWARD chain. The patch below makes sure that 
> if iptables or ip6tables are being used by the nwfilter driver that a 
> '1' is written into the relevant proc filesystem entry so that the 
> traffic goes into the FORWARD chain.

What parts of the nwfilter functionality gets affected by this ?

IIUC, the higher level protocols, TCP, UDP, SCTP, ICMP,
IGMP, ESP, AH, UDPLITE & 'ALL'  get implemented via iptables ? 
Alot of the matches you can define using these higher level
protocols, can also be defined using the generic IPv4/IPv6 rules.
For example everything you can do with TCP protocol can be done
with the IPv4/IPv6 protocol, with exception of ip address ranges.


Could we either

 1. Document that if you want to make use of the higher level
    protocols, that you need to enable bridge-nf-call-iptables
    and explain the tradeoffs in that setting.[1][2]

 2. Provide an alternative impl of 90% of the higher level
    protocols, using ebtables instead of iptables. And make
    choice of iptables vs ebtables a config param for libvirtd.
    eg, for most people an ebtables based impl will be sufficient
    but if they need the full funtionality,then switch to the
    iptables impl & enable bridge-nf-call-iptables=1


Daniel

[1] http://kerneltrap.org/mailarchive/linux-netdev/2009/6/30/6114563
[2] https://bugzilla.redhat.com/show_bug.cgi?id=512206
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list