Re: [libvirt] [PATCH] nwfilter: enable bridge netfilter calls via proc filesystem
On 09/23/2010 07:33 AM, Daniel P. Berrange wrote:
On Thu, Sep 23, 2010 at 11:36:11AM +0100, Daniel P. Berrange wrote:
> On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
>> On a recent installation of FC13, the filtering of IP/IPv6 using
>> iptables/ip6tables traffic did not work since the proc filesystem
>> entries /proc/sys/net/bridge/bridge-nf-call-iptables and
>> /proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and
>> no traffic went into the FORWARD chain. The patch below makes sure that
>> if iptables or ip6tables are being used by the nwfilter driver that a
>> '1' is written into the relevant proc filesystem entry so that the
>> traffic goes into the FORWARD chain.
> What parts of the nwfilter functionality gets affected by this ?
>
> IIUC, the higher level protocols, TCP, UDP, SCTP, ICMP,
> IGMP, ESP, AH, UDPLITE& 'ALL' get implemented via iptables ?
> Alot of the matches you can define using these higher level
> protocols, can also be defined using the generic IPv4/IPv6 rules.
> For example everything you can do with TCP protocol can be done
> with the IPv4/IPv6 protocol, with exception of ip address ranges.
>
>
> Could we either
>
> 1. Document that if you want to make use of the higher level
> protocols, that you need to enable bridge-nf-call-iptables
> and explain the tradeoffs in that setting.[1][2]
>
> 2. Provide an alternative impl of 90% of the higher level
> protocols, using ebtables instead of iptables. And make
> choice of iptables vs ebtables a config param for libvirtd.
> eg, for most people an ebtables based impl will be sufficient
> but if they need the full funtionality,then switch to the
> iptables impl& enable bridge-nf-call-iptables=1
Actally I guess 2. is rather pointless given that you can already just
use the IPv4/6 generic rules to do 90% of that stuff. I think this just
comes down to a documentation issue, explaining the pros&cons of each
possible bridge-nf-call-* setting.
Yes, it should work and would be a matter of writing the rules
differently so that they get enforced on ebtables layer rather than
iptables.
I still think that if the user writes filtering rules that end up
creating iptables rules that in that case the bridge-nf-call-* should
automatically be enabled by libvirt so that the filtering works as
expected -- assuming the user would end up doing the same anyway (after
looking for the reason why it does not work as expected).
Stefan