[libvirt] [PATCH] nwfilter: Fix rule priority problem

Stefan Berger stefanb at us.ibm.com
Tue Mar 11 11:47:09 UTC 2014


From: Stefan Berger <stefanb at linux.vnet.ibm.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1072292

Fix a problem related to rule priorities that did not allow
rules to be applied that had a higher priority than the chain they
were in. In this case the chain did not exist yet when the rule
was instantiated. The solution is to adjust the priority of rules
if the priority of the chain is of higher value. That way the chain
will be created before the rule.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
 src/nwfilter/nwfilter_ebiptables_driver.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 9d6cc90..59e07f6 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -3736,7 +3736,6 @@ ebiptablesApplyNewRules(const char *ifname,
         }
     }
 
-
     /* cleanup whatever may exist */
     if (ebtables_cmd_path) {
         NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
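Review bot: this hunk only removes a stray blank line and is unrelated to the priority fix described in the commit message; dropping it, or moving it into a separate whitespace-cleanup commit, keeps the bug-fix patch minimal and easier to backport.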
@@ -3770,6 +3769,23 @@ ebiptablesApplyNewRules(const char *ifname,
 
     NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
 
+    /* walk the list of rules and increase the priority
+     * of rules in case the chain priority is of higher value;
+     * this preserves the order of the rules and ensures that
+     * the chain will be created before the chain's rules
+     * are created; don't adjust rules in the root chain
+     * example: a rule of priority -510 will be adjusted to
+     * priority -500 and the chain with priority -500 will
+     * then be created before it.
+     */
+    for (i = 0; i < nruleInstances; i++) {
+        if (inst[i]->chainPriority > inst[i]->priority &&
+            !strstr("root", inst[i]->neededProtocolChain)) {
+
+             inst[i]->priority = inst[i]->chainPriority;
+        }
+    }
+
     /* process ebtables commands; interleave commands from filters with
        commands for creating and connecting ebtables chains */
     j = 0;
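Review bot: the `strstr("root", inst[i]->neededProtocolChain)` test in the loop condition has its arguments reversed: `strstr(haystack, needle)` searches for the second argument inside the first, so this matches any chain name that is a substring of "root" (including an empty string, for which `strstr` returns the haystack), rather than checking whether the rule's chain is the root chain. If the intent is "skip rules whose needed chain is the root chain", an exact comparison such as `STREQ(inst[i]->neededProtocolChain, "root")` (the `STREQ` macro already used throughout libvirt) is clearer and correct; if a substring match on the chain name is really intended, swap the arguments to `strstr(inst[i]->neededProtocolChain, "root")`. Minor: the assignment `inst[i]->priority = inst[i]->chainPriority;` is indented one column too far and the blank line above it can go. It would also help to state in the comment that a lower numeric value means higher priority, since "increase the priority" here actually raises the numeric value (-510 becomes -500).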
-- 
1.8.1.4