5:11 p.m.
From: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
Recent Linux iptables (3.11.7) refuses to create iptables MAC address
check rules using -m mac --mac-source <addr> where previous versions
still allowed it. So we now need to deactivate the filtering rules for
when the incoming traffic is filtered before it is sent into the VM.
Those are typically the chains that start with FO-* or start with FP-*
when they are being built.
Adapt the documentation to reflect the fact that srcmacaddr, when
used in iptables rules, should be regarded as deprecated due to the
above mentioned problems.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
docs/formatnwfilter.html.in | 54 +++++++++++--------------------
src/nwfilter/nwfilter_ebiptables_driver.c | 29 ++++++++++-------
2 files changed, 36 insertions(+), 47 deletions(-)
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 4b95fce..5c06bf2 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -1209,7 +1209,9 @@
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated and
+ MAC address filtering using for example the mac protocol
+ above should be used</td>
</tr>
<tr>
<td>srcipaddr</td>
@@ -1320,22 +1322,9 @@
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
- <td>MAC address of sender</td>
- </tr>
- <tr>
- <td>srcmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of sender</td>
- </tr>
- <tr>
- <td>dstmacaddr</td>
- <td>MAC_ADDR</td>
- <td>MAC address of destination</td>
- </tr>
- <tr>
- <td>dstmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of destination</td>
+ <td>MAC address of sender; this option is deprecated and
+ MAC address filtering using for example the mac protocol
+ above should be used</td>
</tr>
<tr>
<td>srcipaddr</td>
@@ -1429,22 +1418,9 @@
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
- <td>MAC address of sender</td>
- </tr>
- <tr>
- <td>srcmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of sender</td>
- </tr>
- <tr>
- <td>dstmacaddr</td>
- <td>MAC_ADDR</td>
- <td>MAC address of destination</td>
- </tr>
- <tr>
- <td>dstmacmask</td>
- <td>MAC_MASK</td>
- <td>Mask applied to MAC address of destination</td>
+ <td>MAC address of sender; this option is deprecated and
+ MAC address filtering using for example the mac protocol
+ above should be used</td>
</tr>
<tr>
<td>srcipaddr</td>
@@ -1529,7 +1505,9 @@
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated and
+ MAC address filtering using for example the mac protocol
+ above should be used</td>
</tr>
<tr>
<td>srcipaddr</td>
@@ -1640,7 +1618,9 @@
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated and
+ MAC address filtering using for example the mac protocol
+ above should be used</td>
</tr>
<tr>
<td>srcipaddr</td>
@@ -1735,7 +1715,9 @@
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
- <td>MAC address of sender</td>
+ <td>MAC address of sender; this option is deprecated and
+ MAC address filtering using for example the mac protocol
+ above should be used</td>
</tr>
<tr>
<td>srcipaddr</td>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 352c08f..bea9535 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -972,7 +972,7 @@ static int
iptablesHandleSrcMacAddr(virBufferPtr buf,
virNWFilterVarCombIterPtr vars,
nwItemDescPtr srcMacAddr,
- bool directionIn,
+ const char *chain, bool directionIn,
bool *srcmacskipped)
{
char macaddr[VIR_MAC_STRING_BUFLEN];
@@ -984,6 +984,14 @@ iptablesHandleSrcMacAddr(virBufferPtr buf,
return 0;
}
+ /* recent Linux iptables does not allow this filtering rule to be
+ * applied to the FP-/FO- chains
+ */
+ if (chain[1] == CHAINPREFIX_HOST_OUT_TEMP) {
+ *srcmacskipped = true;
+ return 0;
+ }
+
if (printDataType(vars,
macaddr, sizeof(macaddr),
srcMacAddr) < 0)
@@ -1366,7 +1374,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.tcpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1421,7 +1429,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.udpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1454,7 +1462,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.udpliteHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1482,7 +1490,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.espHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1506,11 +1514,10 @@ _iptablesCreateRuleInstance(bool directionIn,
virBufferAddLit(&buf, " -p ah");
bufUsed = virBufferUse(&buf);
-
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.ahHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1538,7 +1545,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.sctpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1574,7 +1581,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.icmpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1636,7 +1643,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.igmpHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
@@ -1664,7 +1671,7 @@ _iptablesCreateRuleInstance(bool directionIn,
if (iptablesHandleSrcMacAddr(&buf,
vars,
&rule->p.allHdrFilter.dataSrcMACAddr,
- directionIn,
+ chain, directionIn,
&srcMacSkipped) < 0)
goto err_exit;
--
1.8.1.4