On 17.12.2013 18:56, Lénaïc Huard wrote:
When the host is configured with a very restrictive firewall (default
policy is DROP for all chains, including OUTPUT), the bridge driver for
Linux adds netfilter entries to allow DHCP and DNS requests to go from
the VM to the dnsmasq of the host.
The issue that this commit fixes is the fact that a DROP policy on the
OUTPUT chain blocks the DHCP replies from the host's dnsmasq to the VM.
As DHCP replies are sent in UDP, they are not caught by any --ctstate
ESTABLISHED rule and so need to be explicitly allowed.
Signed-off-by: Lénaïc Huard <lenaic(a)lhuard.fr.eu.org>
---
src/libvirt_private.syms | 2 ++
src/network/bridge_driver_linux.c | 35 +++++++++++++---------
src/util/viriptables.c | 61 +++++++++++++++++++++++++++++++++++++++
src/util/viriptables.h | 7 +++++
4 files changed, 92 insertions(+), 13 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 2dbb8f8..c26ce29 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1290,6 +1290,7 @@ iptablesAddForwardRejectOut;
iptablesAddOutputFixUdpChecksum;
iptablesAddTcpInput;
iptablesAddUdpInput;
+iptablesAddUdpOutput;
iptablesRemoveDontMasquerade;
iptablesRemoveForwardAllowCross;
iptablesRemoveForwardAllowIn;
@@ -1301,6 +1302,7 @@ iptablesRemoveForwardRejectOut;
iptablesRemoveOutputFixUdpChecksum;
iptablesRemoveTcpInput;
iptablesRemoveUdpInput;
+iptablesRemoveUdpOutput;
# util/virjson.h
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 066779a..dcdd033 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -564,6 +564,13 @@ int networkAddGeneralFirewallRules(virNetworkObjPtr network)
goto err2;
}
+ if (iptablesAddUdpOutput(AF_INET, network->def->bridge, 68) < 0) {
+ virReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow DHCP replies to
'%s'"),
+ network->def->bridge);
+ goto err3;
+ }
+
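Review bot: the new iptablesAddUdpOutput() call for udp/68 on the bridge has no counterpart in networkRemoveGeneralFirewallRules() anywhere in the quoted hunk, so the OUTPUT rule would outlive the network it was added for; add the matching iptablesRemoveUdpOutput() call (the symbol is exported in libvirt_private.syms above) so every rule added here is undone on teardown. Two smaller points: the failure path jumps to `err3`, but the hunk is cut before that label, so whether err3 undoes every rule added before this call cannot be verified from this excerpt; and the translatable literal `_("failed to add iptables rule to allow DHCP replies to` / `'%s'")` appears broken across two lines, which would not compile if that is the actual patch text rather than mail wrapping.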
While adding this to networkAddGeneralFirewallRules() the counterpart in
networkRemoveGeneralFirewallRules() is required too. We don't want to
leave any stale firewall rules behind, right?
Anyway, that's just a small nit that I've fixed prior to push.
ACKed & pushed. Congrats on your second commit in libvirt :)
Michal
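As an added illustration, not part of this thread or of libvirt: a small POSIX sh check that reads `iptables-save` output and reports whether DHCP replies to a given bridge would get past a DROP policy on the OUTPUT chain, i.e. whether the rule this patch adds (or an equivalent) is present. The function names and the two constructed rulesets (one before and one after the patch's rule) are mine.

```shell
#!/bin/sh
# Added example, not libvirt code: decide from `iptables-save` output whether DHCP
# replies (udp/68) can leave the host towards a bridge when OUTPUT's policy is DROP.

# 0 if the OUTPUT chain policy is ACCEPT, 1 otherwise (DROP and friends).
output_policy_is_accept() {
    grep -q '^:OUTPUT ACCEPT ' "$1"
}

# 0 if an explicit ACCEPT for UDP port 68 leaving bridge $1 exists in ruleset
# file $2; the bridge name is used literally (no regex metacharacters expected).
has_dhcp_reply_accept() {
    grep -E "^-A OUTPUT .*-o $1 .*-p udp .*--dport 68 .*-j ACCEPT" "$2" >/dev/null
}

# Verdict for bridge $1 in ruleset file $2: print one line explaining why and
# return 0 (replies allowed) or 1 (replies blocked).
dhcp_replies_allowed() {
    if output_policy_is_accept "$2"; then
        echo "$1: OUTPUT policy ACCEPT, DHCP replies allowed"; return 0
    fi
    if has_dhcp_reply_accept "$1" "$2"; then
        echo "$1: explicit udp/68 ACCEPT found, DHCP replies allowed"; return 0
    fi
    echo "$1: OUTPUT policy is not ACCEPT and no udp/68 ACCEPT, DHCP replies blocked"
    return 1
}

# Constructed sample: restrictive host with the INPUT rules the driver added before this patch.
BLOCKED_RULESET=$(mktemp)
cat >"$BLOCKED_RULESET" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
# Constructed sample: the same host after the OUTPUT rule this patch adds.
FIXED_RULESET=$(mktemp)
{ grep -v '^COMMIT$' "$BLOCKED_RULESET"
  printf '%s\n' '-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT' COMMIT
} >"$FIXED_RULESET"

for rs in "$BLOCKED_RULESET" "$FIXED_RULESET"; do dhcp_replies_allowed virbr0 "$rs" || true; done
```

On a real host, run it against `iptables-save` output saved to a file; the bridge name is whatever `virsh net-dumpxml` reports for the network.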