[libvirt] [PATCH] Fix bridge configuration when OUTPUT policy is DROP on the host
Michal Privoznik
mprivozn at redhat.com
Tue Jan 7 17:33:44 UTC 2014
On 17.12.2013 18:56, Lénaïc Huard wrote:
> When the host is configured with a very restrictive firewall (default policy
> is DROP for all chains, including OUTPUT), the bridge driver for Linux
> adds netfilter entries to allow DHCP and DNS requests to go from the VM
> to the dnsmasq of the host.
>
> The issue that this commit fixes is the fact that a DROP policy on the OUTPUT
> chain blocks the DHCP replies from the host’s dnsmasq to the VM.
> As DHCP replies are sent in UDP, they are not caught by any --ctstate ESTABLISHED
> rule and so need to be explicitly allowed.
>
> Signed-off-by: Lénaïc Huard <lenaic at lhuard.fr.eu.org>
> ---
> src/libvirt_private.syms | 2 ++
> src/network/bridge_driver_linux.c | 35 +++++++++++++---------
> src/util/viriptables.c | 61 +++++++++++++++++++++++++++++++++++++++
> src/util/viriptables.h | 7 +++++
> 4 files changed, 92 insertions(+), 13 deletions(-)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 2dbb8f8..c26ce29 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -1290,6 +1290,7 @@ iptablesAddForwardRejectOut;
> iptablesAddOutputFixUdpChecksum;
> iptablesAddTcpInput;
> iptablesAddUdpInput;
> +iptablesAddUdpOutput;
> iptablesRemoveDontMasquerade;
> iptablesRemoveForwardAllowCross;
> iptablesRemoveForwardAllowIn;
> @@ -1301,6 +1302,7 @@ iptablesRemoveForwardRejectOut;
> iptablesRemoveOutputFixUdpChecksum;
> iptablesRemoveTcpInput;
> iptablesRemoveUdpInput;
> +iptablesRemoveUdpOutput;
>
>
> # util/virjson.h
> diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> index 066779a..dcdd033 100644
> --- a/src/network/bridge_driver_linux.c
> +++ b/src/network/bridge_driver_linux.c
> @@ -564,6 +564,13 @@ int networkAddGeneralFirewallRules(virNetworkObjPtr network)
> goto err2;
> }
>
> + if (iptablesAddUdpOutput(AF_INET, network->def->bridge, 68) < 0) {
> + virReportError(VIR_ERR_SYSTEM_ERROR,
> + _("failed to add iptables rule to allow DHCP replies to '%s'"),
> + network->def->bridge);
> + goto err3;
> + }
> +
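Review bot: the new iptablesAddUdpOutput(AF_INET, network->def->bridge, 68) call in networkAddGeneralFirewallRules() has no removal counterpart visible in this patch; networkRemoveGeneralFirewallRules() should call the newly exported iptablesRemoveUdpOutput() with the same arguments so the OUTPUT rule for port 68 is torn down when the network is stopped and no stale ACCEPT rule is left in a DROP-policy OUTPUT chain. Also, this block jumps to `goto err3` while the preceding failure path uses `goto err2`, so err3 must unwind every rule added before this point, and any failure paths that follow this block need to unwind this UDP OUTPUT rule as well.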
While adding this to networkAddGeneralFirewallRules() the counterpart in
networkRemoveGeneralFirewallRules() is required too. We don't want to
leave any stale firewall rules behind, right?
Anyway, that's just a small nit that I've fixed prior to push.
ACKed & pushed. Congrats on your second commit in libvirt :)
Michal
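A defender-side check for the situation this patch addresses, as an added example that is not part of the patch or of libvirt: given `iptables-save` output, it reports whether a host whose OUTPUT policy is DROP carries an explicit rule letting DHCP replies (UDP port 68) reach the libvirt bridge. The bridge name virbr0 and the sample rule set are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output for a host with DROP policies.
# Assumption: the libvirt bridge is named virbr0 (not taken from the patch).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT'

# output_policy RULES -> prints the policy of the OUTPUT chain (ACCEPT or DROP)
output_policy() {
    printf '%s\n' "$1" | sed -n 's/^:OUTPUT \([A-Z]*\) .*/\1/p'
}

# has_dhcp_reply_rule RULES BRIDGE -> succeeds if an OUTPUT rule accepts
# UDP traffic to port 68 (the DHCP client port) leaving through BRIDGE
has_dhcp_reply_rule() {
    printf '%s\n' "$1" | grep -q -- "-A OUTPUT -o $2 -p udp .*--dport 68 -j ACCEPT"
}

# check_bridge RULES BRIDGE -> prints "ok" when DHCP replies can reach the
# bridge, "missing" when the OUTPUT policy is DROP and no explicit rule exists
check_bridge() {
    if [ "$(output_policy "$1")" = "DROP" ] && ! has_dhcp_reply_rule "$1" "$2"; then
        echo missing
        return 1
    fi
    echo ok
}

# Stand-alone run against the constructed sample (use `iptables-save` output
# from a real host instead): check_bridge "$(iptables-save)" virbr0
check_bridge "$SAMPLE_RULES" virbr0
```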