[libvirt] [PATCH v3 0/4] Restructure firewall rules for virtual networks into private chains
Michal Privoznik
mprivozn at redhat.com
Tue Jan 29 13:25:28 UTC 2019
On 1/24/19 3:05 PM, Daniel P. Berrangé wrote:
> v1: https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html
> v2: https://www.redhat.com/archives/libvir-list/2018-December/msg00198.html
>
> The virtual networks in NAT mode are supposed to only allow outbound
> network access for guests. Unfortunately due to ordering of the firewall
> rules libvirt creates, when you have multiple virtual networks, guests
> on the more recently created virtual networks can connect to guests on
> old virtual networks.
>
> This was reported way back in 2008 but we always thought the fix would
> be very complicated to deal with, so we've been putting it off forever.
>
> In parallel with this there's also been a long standing desire since
> 2009 to move our firewall rules out of the builtin chains, to libvirt
> private chains. This is to make it easier for admins to use hook scripts
> to setup rules in the builtin chains that take priority over rules
> libvirt creates.
>
> In implementing the changes to use private chains, I suddenly realized
> that fixing the network to network traffic blocking problem was trivial
> if I grouped the forwarding rules into three distinct sets.
>
> So this series finally fixes an annoying 10 year old bug, and implements
> a 9 year old RFE.
>
> It may take us a while, but we'll get to your bugs eventually ;-)
>
> Changed in v3:
>
> - Rebase to git master
>
> Changed in v2:
>
> - Detect whether chains already exist before creating them
> - Only try to delete legacy rules from builtin chain during startup
>
> Daniel P. Berrangé (4):
> network: add platform driver callbacks around firewall reload
> util: pass layer into firewall query callback
> util: create private chains for virtual network firewall rules
> util: move virtual network firewall rules into private chains
>
> src/libvirt_private.syms | 2 +
> src/network/bridge_driver.c | 13 +-
> src/network/bridge_driver_linux.c | 32 +++
> src/network/bridge_driver_nop.c | 11 +
> src/network/bridge_driver_platform.h | 3 +
> src/nwfilter/nwfilter_ebiptables_driver.c | 17 +-
> src/util/virfirewall.c | 2 +-
> src/util/virfirewall.h | 1 +
> src/util/viriptables.c | 254 +++++++++++++++---
> src/util/viriptables.h | 4 +
> .../nat-default-linux.args | 32 +--
> .../nat-ipv6-linux.args | 48 ++--
> .../nat-many-ips-linux.args | 60 ++---
> .../nat-no-dhcp-linux.args | 46 ++--
> .../nat-tftp-linux.args | 34 +--
> .../route-default-linux.args | 22 +-
> tests/virfirewalltest.c | 3 +-
> 17 files changed, 405 insertions(+), 179 deletions(-)
>
ACK
Michal
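To make the ordering bug and the fix concrete, here is a small first-match model of the iptables FORWARD chain. This is an added example, not libvirt code and not part of the thread: the exact rule shapes, the chain names FWX/FWI/FWO, the "cross / inbound / outbound" reading of the "three distinct sets", and the addresses and interface names are all assumptions made for illustration. It reproduces the behaviour the cover letter describes (a guest on a newer NAT network can reach a guest on an older one, but not the reverse) and shows that grouping the same rules into three ordered chains rejects both directions while leaving outbound traffic and its replies untouched.

```python
"""First-match model of the iptables FORWARD chain for libvirt-style NAT networks.

Added example, not libvirt code: it reproduces the ordering problem the cover
letter describes (a newer NAT network can reach an older one) and shows why
grouping the same per-network rules into three ordered private chains closes
it. Rule shapes, chain names (FWX/FWI/FWO) and addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                   # source address
    dst: str                   # destination address
    in_if: str                 # ingress interface (-i)
    out_if: str                # egress interface (-o)
    established: bool = False  # conntrack says RELATED/ESTABLISHED


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT or REJECT
    src: Optional[str] = None            # -s CIDR
    dst: Optional[str] = None            # -d CIDR
    in_if: Optional[str] = None          # -i IFACE
    out_if: Optional[str] = None         # -o IFACE
    established: Optional[bool] = None   # --ctstate RELATED,ESTABLISHED

    def matches(self, p: Packet) -> bool:
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.in_if and self.in_if != p.in_if:
            return False
        if self.out_if and self.out_if != p.out_if:
            return False
        if self.established is not None and self.established != p.established:
            return False
        return True


def evaluate(chains: List[List[Rule]], p: Packet) -> str:
    """Walk the chains in order; the first matching rule decides. No match: DROP policy."""
    for chain in chains:
        for rule in chain:
            if rule.matches(p):
                return rule.target
    return "DROP"


def network_rules(cidr: str, bridge: str):
    """Assumed per-network rule set, split into three groups: cross (bridge to
    itself), inbound (towards the bridge), outbound (away from the bridge)."""
    cross = [Rule("ACCEPT", in_if=bridge, out_if=bridge)]
    inbound = [Rule("ACCEPT", dst=cidr, out_if=bridge, established=True),
               Rule("REJECT", out_if=bridge)]
    outbound = [Rule("ACCEPT", src=cidr, in_if=bridge),
                Rule("REJECT", in_if=bridge)]
    return cross, inbound, outbound


# Two NAT networks, created in this order (constructed sample).
NETWORKS = [("192.168.122.0/24", "virbr0"), ("192.168.123.0/24", "virbr1")]


def build_legacy(networks) -> List[List[Rule]]:
    """Old layout: each network's whole block is inserted at the head of FORWARD,
    so the newest network's ACCEPT rules sit above every older network's REJECTs."""
    forward: List[Rule] = []
    for cidr, bridge in networks:
        cross, inbound, outbound = network_rules(cidr, bridge)
        block = [inbound[0], outbound[0], *cross, inbound[1], outbound[1]]
        forward = block + forward
    return [forward]


def build_grouped(networks) -> List[List[Rule]]:
    """New layout: FORWARD consults FWX, then FWI, then FWO (assumed names), so
    every network's inbound REJECT is evaluated before any outbound ACCEPT."""
    fwx: List[Rule] = []
    fwi: List[Rule] = []
    fwo: List[Rule] = []
    for cidr, bridge in networks:
        cross, inbound, outbound = network_rules(cidr, bridge)
        fwx, fwi, fwo = cross + fwx, inbound + fwi, outbound + fwo
    return [fwx, fwi, fwo]


def verdicts(build) -> dict:
    """Run the constructed sample flows through one chain layout."""
    flows = {
        "new_to_old": Packet("192.168.123.10", "192.168.122.10", "virbr1", "virbr0"),
        "old_to_new": Packet("192.168.122.10", "192.168.123.10", "virbr0", "virbr1"),
        "guest_out": Packet("192.168.123.10", "203.0.113.5", "virbr1", "eth0"),
        "reply_in": Packet("203.0.113.5", "192.168.123.10", "eth0", "virbr1", True),
        "unsolicited_in": Packet("203.0.113.5", "192.168.122.10", "eth0", "virbr0"),
    }
    chains = build(NETWORKS)
    return {name: evaluate(chains, p) for name, p in flows.items()}


if __name__ == "__main__":
    for layout in (build_legacy, build_grouped):
        print(layout.__name__, verdicts(layout))
```

Running it prints `build_legacy` accepting `new_to_old` while rejecting `old_to_new`, which is the asymmetry the cover letter reports; `build_grouped` rejects both, and both layouts agree on the three flows that must keep working (guest to outside, the established reply back in, and an unsolicited connection from outside being rejected). The model deliberately ignores NAT and the INPUT/OUTPUT chains, since only FORWARD ordering matters for this bug.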