[libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Sep 23 12:45:41 UTC 2010 

  On 09/23/2010 07:33 AM, Daniel P. Berrange wrote:
> On Thu, Sep 23, 2010 at 11:36:11AM +0100, Daniel P. Berrange wrote:
>> On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
>>>   On a recent installation of FC13, the filtering of IP/IPv6 using
>>> iptables/ip6tables traffic did not work since the proc filesystem
>>> entries /proc/sys/net/bridge/bridge-nf-call-iptables and
>>> /proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and
>>> no traffic went into the FORWARD chain. The patch below makes sure that
>>> if iptables or ip6tables are being used by the nwfilter driver that a
>>> '1' is written into the relevant proc filesystem entry so that the
>>> traffic goes into the FORWARD chain.
>> What parts of the nwfilter functionality gets affected by this ?
>>
>> IIUC, the higher level protocols, TCP, UDP, SCTP, ICMP,
>> IGMP, ESP, AH, UDPLITE&  'ALL'  get implemented via iptables ?
>> Alot of the matches you can define using these higher level
>> protocols, can also be defined using the generic IPv4/IPv6 rules.
>> For example everything you can do with TCP protocol can be done
>> with the IPv4/IPv6 protocol, with exception of ip address ranges.
>>
>>
>> Could we either
>>
>>   1. Document that if you want to make use of the higher level
>>      protocols, that you need to enable bridge-nf-call-iptables
>>      and explain the tradeoffs in that setting.[1][2]
>>
>>   2. Provide an alternative impl of 90% of the higher level
>>      protocols, using ebtables instead of iptables. And make
>>      choice of iptables vs ebtables a config param for libvirtd.
>>      eg, for most people an ebtables based impl will be sufficient
>>      but if they need the full funtionality,then switch to the
>>      iptables impl&  enable bridge-nf-call-iptables=1
> Actally I guess 2. is rather pointless given that you can already just
> use the IPv4/6 generic rules to do 90% of that stuff. I think this just
> comes down to a documentation issue, explaining the pros&cons of each
> possible bridge-nf-call-* setting.

Yes, it should work and would be a matter of writing the rules 
differently so that they get enforced on ebtables layer rather than 
iptables.

I still think that if the user writes filtering rules that end up 
creating iptables rules that in that case the bridge-nf-call-* should 
automatically be enabled by libvirt so that the filtering works as 
expected -- assuming the user would end up doing the same anyway (after 
looking for the reason why it does not work as expected).

     Stefan
> Daniel
>
>> [1] http://kerneltrap.org/mailarchive/linux-netdev/2009/6/30/6114563
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=512206
>

More information about the libvir-list mailing list