[libvirt] [PATCH 1/3] Only check for IP forwarding, do not enable it
Benjamin Cama
benjamin.cama at telecom-bretagne.eu
Mon Oct 15 10:26:59 UTC 2012
Enabling IP forwarding without the administrator's consent is bad. Only
check for forwarding, do not enable it.
---
src/network/bridge_driver.c | 56 +++++++++++++++++++++++++++++++++----------
1 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index e1846ee..e3e8dc2 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1853,19 +1853,51 @@ networkReloadIptablesRules(struct network_driver *driver)
}
}
-/* Enable IP Forwarding. Return 0 for success, -1 for failure. */
+#define SYSCTL_PATH "/proc/sys"
+
+/* Check for IP Forwarding. Return 0 if required family is enabled, -1 for failure. */
static int
-networkEnableIpForwarding(bool enableIPv4, bool enableIPv6)
+networkCheckIpForwarding(bool checkIPv4, bool checkIPv6)
{
int ret = 0;
- if (enableIPv4)
- ret = virFileWriteStr("/proc/sys/net/ipv4/ip_forward", "1\n", 0);
- if (enableIPv6 && ret == 0)
- ret = virFileWriteStr("/proc/sys/net/ipv6/conf/all/forwarding", "1\n", 0);
- return ret;
-}
+ char *buf = NULL;
-#define SYSCTL_PATH "/proc/sys"
+ if (checkIPv4) {
+ ret = virFileReadAll(SYSCTL_PATH "/net/ipv4/ip_forward", 2, &buf);
+ if (ret != 2)
+ goto error;
+ if (STRNEQ(buf, "1\n")) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("IP forwarding is not enabled on your system"));
+ goto cleanup;
+ }
+ }
+ if (checkIPv6) {
+ if (ret > 0)
+ VIR_FREE(buf);
+ ret = virFileReadAll(SYSCTL_PATH "/net/ipv6/conf/all/forwarding", 2, &buf);
+ if (ret != 2)
+ goto error;
+ if (STRNEQ(buf, "1\n")) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("IPv6 forwarding is not enabled on your system"));
+ goto cleanup;
+ }
+ }
+
+ VIR_FREE(buf);
+ return 0;
+
+error:
+ virReportSystemError(errno, "%s", _("cannot check for IP forwarding"));
+cleanup:
+ if (ret > 0) {
+ VIR_FREE(buf);
+ return -1;
+ } else {
+ return ret;
+ }
+}
static int
networkSetIPv6Sysctls(virNetworkObjPtr network)
@@ -2140,11 +2172,9 @@ networkStartNetworkVirtual(struct network_driver *driver,
if (virNetDevSetOnline(network->def->bridge, 1) < 0)
goto err2;
- /* If forwardType != NONE, turn on global IP forwarding */
+ /* If forwardType != NONE, check for IP forwarding */
if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE &&
- networkEnableIpForwarding(v4present, v6present) < 0) {
- virReportSystemError(errno, "%s",
- _("failed to enable IP forwarding"));
+ networkCheckIpForwarding(v4present, v6present) < 0) {
goto err3;
}
--
1.7.2.5
More information about the libvir-list
mailing list