[libvirt] Appending REJECT rules.

Laine Stump laine at laine.org
Thu Jun 23 15:00:28 UTC 2011 

On 06/22/2011 08:58 PM, Stefan Berger wrote:
> On 06/22/2011 06:01 PM, Eric Blake wrote:
>> On 05/18/2011 03:10 PM, Stephen O'Dor wrote:
>>> Greetings folks,
>> Hello, and sorry for the delayed response.  Looks like this fell through
>> the cracks, because it wasn't in traditional 'git format-patch' style.
>>
>>> I've patched the libvirt iptables interface to append it's REJECT
>>> rules rather than insert at the head. Idea being that I'm not the only
>>> person who usually puts the REJECTs at the end of a chain.
>>>
>>> In my particular case any custom ACCEPT rules involving the bridge
>>> interfaces would get pushed below the rules that libvirt puts in to
>>> REJECT everything on the bridge interface.
>>>
>>> I'm using the routed network mode, I have no idea if this hurts any
>>> other network mode.
>> Stefan is probably the best person to comment on whether this makes 
>> sense.
>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>>
>>> --- iptables.c  2011-02-28 23:03:32.000000000 -0800
>>> +++ iptables.c_new      2011-05-18 14:00:59.110855881 -0700
>>> @@ -51,7 +51,8 @@
>>>
>>>   enum {
>>>       ADD = 0,
>>> -    REMOVE
>>> +    REMOVE,
>>> +    APPEND
>>>   };
>>>
>>>   typedef struct
>>> @@ -111,7 +112,7 @@
>>>                           ? IP6TABLES_PATH : IPTABLES_PATH);
>>>
>>>       virCommandAddArgList(cmd, "--table", rules->table,
>>> -                         action == ADD ? "--insert" : "--delete",
>>> +                         action == ADD ? "--insert" : action ==
>>> REMOVE ? "--delete" : "--append",
>>>                            rules->chain, arg, NULL);
>>>
>>>       va_start(args, arg);
>>> @@ -666,7 +667,7 @@
>>>                               int family,
>>>                               const char *iface)
>>>   {
>>> -    return iptablesForwardRejectOut(ctx, family, iface, ADD);
>>> +    return iptablesForwardRejectOut(ctx, family, iface, APPEND);
>>>   }
>>>
>>>   /**
>>> @@ -722,7 +723,7 @@
>>>                              int family,
>>>                              const char *iface)
>>>   {
>>> -    return iptablesForwardRejectIn(ctx, family, iface, ADD);
>>> +    return iptablesForwardRejectIn(ctx, family, iface, APPEND);
>>>   }
>>>
> 'ADD' caused an 'insertion' at position 0. Now 'APPEND' appends the 
> new rule to the end. To me it makes sense per-se to put the reject 
> rules to the end. There shoudn't be any negative side effects because 
> of this. So I'd give it an ACK.

This very old bug demonstrates that changing the order of the rules can 
have unintended consequences.

    https://bugzilla.redhat.com/show_bug.cgi?id=453580

What does this patch do to that situation? A short synopsis - what we 
really want when there are two virtual networks is that the guests on 
the two networks be completely isolated from each other. Instead, with 
the current filter scheme, a guest on network "A" can contact a guest on 
network "B", but "guest B" can't contact " guest A". Will changing the 
ordering of the reject rules make this behavior better, worse, or will 
it remain the same? That question needs to be answered before making a 
decision about this patch.

More information about the libvir-list mailing list