[libvirt] [PATCH] nwfilter: Fix rule priority problem

Laine Stump laine at laine.org
Thu Mar 13 17:57:42 UTC 2014 

On 03/11/2014 05:47 AM, Stefan Berger wrote:
> From: Stefan Berger <stefanb at linux.vnet.ibm.com>
>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1072292
>
> Fix a problem related to rule priorities that did not allow to
> have rules applied that had a higher priority than the chain they
> were in. In this case the chain did not exist yet when the rule
> was instantiated. The solution is to adjust the priority of rules
> if the priority of the chain is of higher value. That way the chain
> will be created before the rule.
>
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> ---
>  src/nwfilter/nwfilter_ebiptables_driver.c | 18 +++++++++++++++++-
>  1 file changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
> index 9d6cc90..59e07f6 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -3736,7 +3736,6 @@ ebiptablesApplyNewRules(const char *ifname,
>          }
>      }
>  
> -
>      /* cleanup whatever may exist */
>      if (ebtables_cmd_path) {
>          NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
> @@ -3770,6 +3769,23 @@ ebiptablesApplyNewRules(const char *ifname,
>  
>      NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
>  
> +    /* walk the list of rules and increase the priority
> +     * of rules in case the chain priority is of higher value;
> +     * this preserves the order of the rules and ensures that
> +     * the chain will be created before the chain's rules
> +     * are created; don't adjust rules in the root chain
> +     * example: a rule of priority -510 will be adjusted to
> +     * priority -500 and the chain with priority -500 will
> +     * then be created before it.
> +     */
> +    for (i = 0; i < nruleInstances; i++) {
> +        if (inst[i]->chainPriority > inst[i]->priority &&
> +            !strstr("root", inst[i]->neededProtocolChain)) {
> +
> +             inst[i]->priority = inst[i]->chainPriority;
> +        }
> +    }
> +
>      /* process ebtables commands; interleave commands from filters with
>         commands for creating and connecting ebtables chains */
>      j = 0;

ACK.

More information about the libvir-list mailing list