This patch removes ebtables rules at qemud shutdown time
Signed-off-by: Gerhard Stenzel <gerhard.stenzel(a)de.ibm.com>
Index: libvirt/src/qemu/qemu_bridge_filter.c
===================================================================
--- libvirt.orig/src/qemu/qemu_bridge_filter.c
+++ libvirt/src/qemu/qemu_bridge_filter.c
@@ -48,6 +48,35 @@ networkAddEbtablesRules(struct qemud_dri
return 0;
}
+int
+networkRemoveEbtablesRules(struct qemud_driver *driver) {
+ int err;
+
+ /* Set forward policy to DROP */
+ if ((err = ebtablesRemoveForwardPolicyReject(driver->ebtables))) {
+ virReportSystemError(NULL, err,
+ _("failed to remove ebtables rule to set default policy to
drop on '%s'"),
+ __FILE__);
+ return err;
+ }
+
+ return 0;
+}
+
+int
+networkEnableAllFrames(struct qemud_driver *driver) {
+ int err;
+
+ /* add default rules */
+ if ((err = networkRemoveEbtablesRules(driver))) {
+ virReportSystemError(NULL, err,
+ _("cannot remove filter on bridge '%s'"),
+ __FILE__);
+ return err;
+ }
+ return 0;
+}
+
int
networkDisableAllFrames(struct qemud_driver *driver) {
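Review bot: The comments on the two new functions describe the opposite of what they do: `/* Set forward policy to DROP */` in networkRemoveEbtablesRules precedes the call to ebtablesRemoveForwardPolicyReject, and `/* add default rules */` in networkEnableAllFrames precedes the call that removes them; change them to `/* Reset the forward policy and remove the filter chain */` and `/* remove default rules */`. The error text has the same inversion — networkRemoveEbtablesRules reports "failed to remove ebtables rule to set default policy to drop on '%s'" — and both functions substitute `__FILE__` for a '%s' that reads as a bridge name, so the log line names the source file instead of the interface; if no bridge name is available here, drop the placeholder rather than fill it with `__FILE__`. networkEnableAllFrames also reports a failure that networkRemoveEbtablesRules has already reported through virReportSystemError, so one failed ebtables call produces two log entries; one of the two reports should go. networkAddEbtablesRules begins before the hunk and networkDisableAllFrames continues past it.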
Index: libvirt/src/util/ebtables.c
===================================================================
--- libvirt.orig/src/util/ebtables.c
+++ libvirt/src/util/ebtables.c
@@ -60,6 +60,7 @@ enum {
ADD = 0,
REMOVE,
CREATE,
+ DELETE,
POLICY,
INSERT
};
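Review bot: DELETE is inserted between CREATE and POLICY rather than appended, which renumbers POLICY and INSERT; if anything outside this hunk relies on those values positionally (a table indexed by the action, or a comparison on order), that mapping changes silently. Appending `DELETE,` after INSERT, or confirming that ebtablesAddRemoveRule only compares against the named constants, settles the question. The enum's opening line is outside the hunk.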
@@ -336,12 +337,28 @@ ebtablesForwardPolicyReject(ebtablesCont
INSERT,
"--insert", "FORWARD",
"--jump",
ctx->forward_filter->chain, NULL);
- }
-
- return ebtablesAddRemoveRule(ctx->forward_filter,
+ return ebtablesAddRemoveRule(ctx->forward_filter,
POLICY,
"-P", ctx->forward_filter->chain,
"DROP",
NULL);
+ }
+ if (action == REMOVE) {
+ ebtablesAddRemoveRule(ctx->forward_filter,
+ POLICY,
+ "-P", ctx->forward_filter->chain,
"ACCEPT",
+ NULL);
+
+ ebtablesAddRemoveRule(ctx->forward_filter,
+ INSERT,
+ "--delete", "FORWARD",
"--jump",
+ ctx->forward_filter->chain, NULL);
+
+ return ebtablesAddRemoveRule(ctx->forward_filter,
+ DELETE,
+ "--delete-chain",
ctx->forward_filter->chain, NULL,
+ NULL);
+ }
+
}
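Review bot: In the new REMOVE branch the results of the first two ebtablesAddRemoveRule calls (the `-P ... ACCEPT` reset and the `--delete FORWARD --jump` call) are discarded, so a failure there is lost and the function returns only the outcome of `--delete-chain`, which is exactly the step that fails when the earlier ones did not take effect, since ebtables will not delete a chain that is still referenced or non-empty. The branch also labels the `--delete` command with the INSERT action and passes a second trailing `NULL` after the chain name to the `--delete-chain` call; if the action value is used for anything beyond naming the rule it misdescribes the operation, and the extra NULL is at best dead. Moving the DROP return into the ADD block leaves the function with no return after the two `if` blocks, so any other action value yields an indeterminate value from a non-void function. Check each call's result and return the first error, and close the function with an explicit failure return for unhandled actions, as below; whether -1 is the right failure value depends on the module's convention, which is not visible here.
```c
    if (action == REMOVE) {
        int err;

        err = ebtablesAddRemoveRule(ctx->forward_filter,
                                    POLICY,
                                    "-P", ctx->forward_filter->chain,
                                    "ACCEPT",
                                    NULL);
        if (err)
            return err;

        err = ebtablesAddRemoveRule(ctx->forward_filter,
                                    INSERT,
                                    "--delete", "FORWARD",
                                    "--jump",
                                    ctx->forward_filter->chain, NULL);
        if (err)
            return err;

        return ebtablesAddRemoveRule(ctx->forward_filter,
                                     DELETE,
                                     "--delete-chain",
                                     ctx->forward_filter->chain, NULL);
    }

    /* unhandled action -- TODO confirm the module's error-return convention */
    return -1;
}
```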
/*
Index: libvirt/src/libvirt_private.syms
===================================================================
--- libvirt.orig/src/libvirt_private.syms
+++ libvirt/src/libvirt_private.syms
@@ -179,6 +179,7 @@ virDomainEventQueueDispatch;
# ebtables.h
ebtablesAddForwardAllowIn;
ebtablesAddForwardPolicyReject;
+ebtablesRemoveForwardPolicyReject;
ebtablesContextNew;
ebtablesRemoveForwardAllowIn;
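Review bot: The new ebtablesRemoveForwardPolicyReject entry is placed before ebtablesContextNew, while the rest of the `# ebtables.h` group is kept in alphabetical order; move the line after `ebtablesRemoveForwardAllowIn;` so the list stays sorted.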
Index: libvirt/src/qemu/qemu_driver.c
===================================================================
--- libvirt.orig/src/qemu/qemu_driver.c
+++ libvirt/src/qemu/qemu_driver.c
@@ -1081,6 +1081,14 @@ qemudShutdown(void) {
virDomainObjListDeinit(&qemu_driver->domains);
+ if (qemu_driver->macFilter) {
+ if ((errno = networkEnableAllFrames(qemu_driver))) {
+ virReportSystemError(NULL, errno,
+ _("failed to add rule to allow all
frames in '%s'"),
+ __FILE__);
+ }
+ }
+
VIR_FREE(qemu_driver->securityDriverName);
VIR_FREE(qemu_driver->logDir);
VIR_FREE(qemu_driver->configDir);
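Review bot: The new block stores the return value of networkEnableAllFrames in `errno` instead of a local, so a library variable is clobbered for the rest of qemudShutdown and the value handed to virReportSystemError depends on nothing in between touching errno; use `int err;` and `if ((err = networkEnableAllFrames(qemu_driver))) { virReportSystemError(NULL, err, ...` instead. The '%s' in "failed to add rule to allow all frames in '%s'" is filled with `__FILE__`, so the message names qemu_driver.c rather than a bridge; drop the placeholder or pass an interface name if one is available. networkEnableAllFrames, and networkRemoveEbtablesRules beneath it, already call virReportSystemError for the same failure, so one failed ebtables call is reported three times on the shutdown path; reporting once at the outermost caller is enough. The patch as shown does not touch qemu_bridge_filter.h or ebtables.h, so confirm that prototypes for networkEnableAllFrames and ebtablesRemoveForwardPolicyReject exist there, or the build will warn or fail on the implicit declaration. qemudShutdown begins before the hunk.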
--
Best regards,
Gerhard Stenzel,
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martin Jetter
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294