[libvirt] [PATCH] nwfilter: report if ip(6)tables rules would not be effective

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Sep 23 15:53:53 UTC 2010


  The patch below reports a warning in the log if the generated 
ip(6)tables rules would not be effective due to the proc filesystem entries

     /proc/sys/net/bridge/bridge-nf-call-iptables
     /proc/sys/net/bridge/bridge-nf-call-ip6tables

containing a '0'. The warning tells the user which sysctl to set to enable the
filtering. To avoid flooding the log, the message is rate-limited to at most one
report every 10 seconds (iptables and ip6tables are tracked separately).

Signed-off-by: Stefan Berger <stefanb at us.ibm.com>

---
  src/nwfilter/nwfilter_ebiptables_driver.c |   51 
++++++++++++++++++++++++++++++
  1 file changed, 51 insertions(+)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -24,6 +24,7 @@
  #include <config.h>

  #include <sys/stat.h>
+#include <fcntl.h>

  #include "internal.h"

@@ -63,6 +64,13 @@
        : ""


+#define PROC_BRIDGE_NF_CALL_IPTABLES \
+        "/proc/sys/net/bridge/bridge-nf-call-iptables"
+#define PROC_BRIDGE_NF_CALL_IP6TABLES \
+        "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+
+#define BRIDGE_NF_CALL_ALERT_INTERVAL  10 /* seconds */
+
  static char *ebtables_cmd_path;
  static char *iptables_cmd_path;
  static char *ip6tables_cmd_path;
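Review bot: The three new macros lack a comment saying what the sysctl files hold and why the interval exists, which a reader of this driver will not know from the names alone. Above PROC_BRIDGE_NF_CALL_IPTABLES I would add `/* bridge-nf-call-ip(6)tables: per the commit message, a '0' here means the kernel does not pass bridged frames through the ip(6)tables hooks, so the generated rules are never consulted */`, and next to BRIDGE_NF_CALL_ALERT_INTERVAL `/* minimum spacing between repeated warnings, per table family */`. Note that the comparison used later is strict (`> BRIDGE_NF_CALL_ALERT_INTERVAL`), so the effective spacing is 11 seconds rather than the 10 the comment suggests; either `>=` or a comment saying "more than" would make the two agree.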
@@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, c
  }


+static void
+iptablesCheckBridgeNFCallEnabled(bool isIPv6)
+{
+    static time_t lastReport, lastReportIPv6;
+    const char *pathname = NULL;
+    char buffer[1];
+    time_t now = time(NULL);
+
+    if (isIPv6 &&
+        (now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) {
+        pathname = PROC_BRIDGE_NF_CALL_IP6TABLES;
+    } else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {
+        pathname = PROC_BRIDGE_NF_CALL_IPTABLES;
+    }
+
+    if (pathname) {
+        int fd = open(pathname, O_RDONLY);
+        if (fd >= 0) {
+            if (read(fd, buffer, 1) == 1) {
+                if (buffer[0] == '0') {
+                    char msg[256];
+                    snprintf(msg, sizeof(msg),
+                             _("To enable ip%stables filtering for the 
VM do "
+                              "'echo 1 > %s'\n"),
+                             isIPv6 ? "6" : "",
+                             pathname);
+                    VIR_WARN0(msg);
+                    if (isIPv6)
+                        lastReportIPv6 = now;
+                    else
+                        lastReport = now;
+                }
+            }
+            close(fd);
+        }
+    }
+}
+
+
  static int
  ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
                          const char *ifname,
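Review bot: The branch selection in iptablesCheckBridgeNFCallEnabled is wrong for a rate-limited IPv6 call: when isIPv6 is true but lastReportIPv6 is recent, the first condition fails and control falls into the `else if`, which picks PROC_BRIDGE_NF_CALL_IPTABLES, reads the IPv4 sysctl, and if it holds '0' logs a message that says "ip6tables" while pointing at the iptables path, then stamps lastReportIPv6 instead of lastReport. The second branch needs the family guard as well: `} else if (!isIPv6 && now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {`. Two smaller points: the snprintf into a fixed 256-byte msg only to hand it to VIR_WARN0 is avoidable if VIR_WARN accepts a format string directly (presumably it does, going by the 0-suffix convention), and open() without O_CLOEXEC is a minor fd-leak hazard in a daemon that forks helpers, even though the descriptor is closed a few lines later. The function also only logs: the rules stay committed while the kernel is not handing bridged traffic to them, so if a caller ever wants to refuse to start a domain in that state, the function should return the detected state (e.g. a bool) rather than void. iptablesCheckBridgeNFCallEnabled is complete within the hunk; ebiptablesApplyNewRules's body continues outside it.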
@@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr co

          if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
             goto tear_down_tmpiptchains;
+
+        iptablesCheckBridgeNFCallEnabled(false);
      }

      if (haveIp6tables) {
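Review bot: A one-line comment above the added call would help, since a reader of ebiptablesApplyNewRules will not know why a /proc read follows the iptables command: `/* rules are committed, but they only see bridged traffic if bridge-nf-call-iptables is '1'; warn (rate-limited) if it is not */`. Placing the check after a successful ebiptablesExecCLI means it is skipped when the rules fail to apply, which looks intentional but is worth stating in that comment, because it also means the sysctl is re-read on every successful apply for every interface. The enclosing function starts and ends outside the hunk.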
@@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr co

          if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
             goto tear_down_tmpip6tchains;
+
+        iptablesCheckBridgeNFCallEnabled(true);
      }

      if (chains_in != 0)



