
On Thu, Jun 12, 2025 at 05:50:39PM +0200, Dion Bosschieter wrote:
> Upon VM bootstrapping (start, restore, incoming migration) iptablesCreateBaseChainsFW is called and unconditionally deletes and reinserts top-level firewall chain jumps (e.g. INPUT, FORWARD rules). This briefly opens a hole in the firewall, allowing packets through until the insertions complete.
>
> This commit ensures that the base chains are only created once per layer (IPV4/IPV6) and checks whether the expected rules already exist using `iptables -C`. If they do, no delete/insert operations are performed.
>
> This eliminates the short window where packets could bypass filters during VM lifecycle operations.
>
> Signed-off-by: Dion Bosschieter <dionbosschieter@gmail.com>
> ---
>  src/nwfilter/nwfilter_ebiptables_driver.c | 79 ++++++++++++++---------
>  1 file changed, 47 insertions(+), 32 deletions(-)
NB, I'm also seeing test failures for nwfilterxml2firewalltest with this patch applied.

Use 'meson test -C build --print-errorlogs' to see this.

This is because the 'commonRules' array in nwfilterxml2firewalltest.c will need updating to match the new logic.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
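The two behaviours the commit message contrasts, as an added example written for this page by the editor, not code from the libvirt patch or the libvirt tree: the pre-patch delete-then-reinsert sequence beside the post-patch "probe with iptables -C, insert only if missing" sequence. Real iptables needs root and a kernel, so the script drives a constructed fake that stores rules in a file and logs every call; the chain names libvirt-in and libvirt-fwd and the function names are placeholders chosen here, not libvirt's real identifiers. Setting IPT to a real iptables or ip6tables binary runs the two functions for real (the latter being the IPv6 layer the commit message mentions).

```shell
#!/bin/sh
# Added example, not libvirt's code: "check with -C, insert only when missing"
# (the pattern the quoted commit introduces) beside delete-then-reinsert (the
# pattern it replaces). A constructed fake iptables keeps rules in a file and
# logs each call so the difference is observable without root.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/rules"     # one line per rule: "TABLE CHAIN TARGET"
CALLS="$WORK/calls"     # every argv the fake received, one per line
: > "$RULES"
: > "$CALLS"
export RULES CALLS

# Constructed stand-in for iptables; it understands only the three forms used below:
#   -w -t TABLE -C CHAIN -j TARGET     exit 0 if the rule exists, 1 if not
#   -w -t TABLE -I CHAIN 1 -j TARGET   add the rule (duplicates allowed, as real iptables does)
#   -w -t TABLE -D CHAIN -j TARGET     remove the rule, exit 1 if it was absent
cat > "$WORK/iptables" <<'EOF'
#!/bin/sh
echo "$*" >> "$CALLS"
table=$3; op=$4; chain=$5
case $op in
  -C) grep -qx "$table $chain $7" "$RULES" ;;
  -I) echo "$table $chain $8" >> "$RULES" ;;
  -D) grep -qx "$table $chain $7" "$RULES" || exit 1
      grep -vx "$table $chain $7" "$RULES" > "$RULES.tmp"; mv "$RULES.tmp" "$RULES" ;;
  *)  exit 2 ;;
esac
EOF
chmod +x "$WORK/iptables"
IPT=${IPT:-$WORK/iptables}   # point at a real iptables/ip6tables to run for real

# Pre-patch behaviour as the commit message describes it: delete unconditionally,
# then re-insert. Between the two commands the jump is gone, so any packet that
# arrives in that window is evaluated without the filter chains.
replace_jump() {   # TABLE CHAIN TARGET
    "$IPT" -w -t "$1" -D "$2" -j "$3" 2>/dev/null || :
    "$IPT" -w -t "$1" -I "$2" 1 -j "$3"
}

# Post-patch behaviour: probe with -C, insert only if missing, never delete.
# Returns 0 when the jump is in place afterwards. -C also exits non-zero when the
# chain itself does not exist; the -I then fails as well, and the caller must act
# on the non-zero status rather than assume the jump was installed.
ensure_jump() {    # TABLE CHAIN TARGET
    "$IPT" -w -t "$1" -C "$2" -j "$3" 2>/dev/null && return 0
    "$IPT" -w -t "$1" -I "$2" 1 -j "$3"
}

# Observable results: copies of one rule in the table, and -D calls issued so far.
rule_count() { grep -cx "$1 $2 $3" "$RULES" || true; }
delete_calls() { grep -c ' -D ' "$CALLS" || true; }

# Three lifecycle events (start, restore, incoming migration) each re-run the
# base-chain setup. With ensure_jump the rule is created once and never removed.
for event in start restore incoming; do
    ensure_jump filter INPUT libvirt-in
done
echo "INPUT jumps present: $(rule_count filter INPUT libvirt-in), -D calls issued: $(delete_calls)"
```

Two caveats a practitioner should keep in mind with this pattern. First, -C followed by -I is not atomic: two processes running the setup concurrently can both see the rule missing and both insert it, which leaves a duplicate jump (harmless for filtering but untidy), so callers need to be serialized by a lock of their own; -w only waits for the xtables lock around each individual command. Second, the probe distinguishes only "present" from "not present"; it does not say whether the existing rule sits at the expected position, so if ordering within INPUT or FORWARD matters, that has to be checked separately.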