[libvirt] [PATCH] nwfilter: Deactivate iptables MAC address check where needed

Stefan Berger stefanb at us.ibm.com
Mon Mar 10 20:49:56 UTC 2014


From: Stefan Berger <stefanb at linux.vnet.ibm.com>

Recent Linux iptables (3.11.7) refuses to create iptables MAC address
check rules using -m mac --mac-source <addr> where previous versions
still allowed it. So we now need to deactivate these filtering rules when
the incoming traffic is filtered before it is sent into the VM.
Those are typically the chains that start with FO-* or start with FP-*
when they are being built.

Adapt the documentation to reflect the fact that srcmacaddr, when
used in iptables rules, should be regarded as deprecated due to the
above mentioned problems.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
 docs/formatnwfilter.html.in               | 42 +++++--------------------------
 src/nwfilter/nwfilter_ebiptables_driver.c | 29 +++++++++++++--------
 2 files changed, 24 insertions(+), 47 deletions(-)

diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 4b95fce..ee23d8e 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -1209,7 +1209,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1320,22 +1320,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>srcmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>dstmacaddr</td>
-         <td>MAC_ADDR</td>
-         <td>MAC address of destination</td>
-       </tr>
-       <tr>
-         <td>dstmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of destination</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1429,22 +1414,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>srcmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of sender</td>
-       </tr>
-       <tr>
-         <td>dstmacaddr</td>
-         <td>MAC_ADDR</td>
-         <td>MAC address of destination</td>
-       </tr>
-       <tr>
-         <td>dstmacmask</td>
-         <td>MAC_MASK</td>
-         <td>Mask applied to MAC address of destination</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1529,7 +1499,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1640,7 +1610,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
@@ -1735,7 +1705,7 @@
        <tr>
          <td>srcmacaddr</td>
          <td>MAC_ADDR</td>
-         <td>MAC address of sender</td>
+         <td>MAC address of sender; this option is deprecated</td>
        </tr>
        <tr>
          <td>srcipaddr</td>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 9d6cc90..ebc3505 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -972,7 +972,7 @@ static int
 iptablesHandleSrcMacAddr(virBufferPtr buf,
                          virNWFilterVarCombIterPtr vars,
                          nwItemDescPtr srcMacAddr,
-                         bool directionIn,
+                         const char *chain, bool directionIn,
                          bool *srcmacskipped)
 {
     char macaddr[VIR_MAC_STRING_BUFLEN];
@@ -984,6 +984,14 @@ iptablesHandleSrcMacAddr(virBufferPtr buf,
             return 0;
         }
 
+        /* recent Linux iptables does not allow this filteirng rule to be
+         * applied to all FO-* chains
+         */
+        if (chain[1] == CHAINPREFIX_HOST_OUT_TEMP ) {
+            *srcmacskipped = true;
+            return 0;
+        }
+
         if (printDataType(vars,
                           macaddr, sizeof(macaddr),
                           srcMacAddr) < 0)
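Review bot: `chain[1]` in the added check is read unconditionally, so a NULL or empty `chain` would be an out-of-bounds read; unless every caller guarantees a non-empty chain name, guard it, `if (chain && chain[0] && chain[1] == CHAINPREFIX_HOST_OUT_TEMP) {`. The skip is also silent: the rule is still emitted for the FP-/FO- chain but now matches every source MAC, a weakening a user of `srcmacaddr` cannot see in the resulting ruleset, so a VIR_WARN at the point of skipping would make the degraded filter visible in the log. The comment has a typo ("filteirng") and mentions only FO-* chains while the check matches the temporary host-out prefix and the description names both FO-* and FP-*; suggest `/* recent Linux iptables rejects -m mac --mac-source on the FO-*/FP-* (host-out) chains, so the source-MAC match is skipped there */`. There is also a stray space before the closing parenthesis of the `if`. iptablesHandleSrcMacAddr starts and ends outside this hunk.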
@@ -1366,7 +1374,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.tcpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1421,7 +1429,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.udpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1454,7 +1462,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.udpliteHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1482,7 +1490,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.espHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1506,11 +1514,10 @@ _iptablesCreateRuleInstance(bool directionIn,
         virBufferAddLit(&buf, " -p ah");
 
         bufUsed = virBufferUse(&buf);
-
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.ahHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1538,7 +1545,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.sctpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1574,7 +1581,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.icmpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1636,7 +1643,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.igmpHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
@@ -1664,7 +1671,7 @@ _iptablesCreateRuleInstance(bool directionIn,
         if (iptablesHandleSrcMacAddr(&buf,
                                      vars,
                                      &rule->p.allHdrFilter.dataSrcMACAddr,
-                                     directionIn,
+                                     chain, directionIn,
                                      &srcMacSkipped) < 0)
             goto err_exit;
 
-- 
1.8.1.4



