[Libvir] [patch 3/5] iptables: fix iptablesPhysdevForward()

Remove the target interface parameter from iptablesPhysdevForward(). This rule is intended to allow frames to be forwarded across the bridge from the supplied bridge port. In this context, the --out parameter would match the outgoing bridge port, which will never be network->def->forwardDev.

Signed-off-by: Mark McLoughlin <markmc@redhat.com>

Index: libvirt/qemud/iptables.c
===================================================================
--- libvirt.orig/qemud/iptables.c
+++ libvirt/qemud/iptables.c
@@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *
 static int
 iptablesPhysdevForward(iptablesContext *ctx,
                        const char *iface,
-                       const char *target,
                        int action)
 {
-    if (target && target[0]) {
-        return iptablesAddRemoveRule(ctx->forward_filter,
-                                     action,
-                                     "--match", "physdev",
-                                     "--physdev-in", iface,
-                                     "--out", target,
-                                     "--jump", "ACCEPT",
-                                     NULL);
-    } else {
-        return iptablesAddRemoveRule(ctx->forward_filter,
-                                     action,
-                                     "--match", "physdev",
-                                     "--physdev-in", iface,
-                                     "--jump", "ACCEPT",
-                                     NULL);
-    }
+    return iptablesAddRemoveRule(ctx->forward_filter,
+                                 action,
+                                 "--match", "physdev",
+                                 "--physdev-in", iface,
+                                 "--jump", "ACCEPT",
+                                 NULL);
 }
 
 int
 iptablesAddPhysdevForward(iptablesContext *ctx,
-                          const char *iface,
-                          const char *target)
+                          const char *iface)
 {
-    return iptablesPhysdevForward(ctx, iface, target, ADD);
+    return iptablesPhysdevForward(ctx, iface, ADD);
 }
 
 int
 iptablesRemovePhysdevForward(iptablesContext *ctx,
-                             const char *iface,
-                             const char *target)
+                             const char *iface)
 {
-    return iptablesPhysdevForward(ctx, iface, target, REMOVE);
+    return iptablesPhysdevForward(ctx, iface, REMOVE);
 }
 
 static int
Index: libvirt/qemud/iptables.h
===================================================================
--- libvirt.orig/qemud/iptables.h
+++ libvirt/qemud/iptables.h
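Review bot: The rule built in iptablesPhysdevForward now matches on `--physdev-in` alone, which, as I read the physdev match, also accepts packets that entered on that port but are then routed off the bridge by the host, not only frames bridged across it, so the FORWARD accept is wider than the "frames forwarded across the bridge" intent stated in the description. If only bridged frames are meant, adding `"--physdev-is-bridged",` to the argument list next to `"--physdev-in", iface,` narrows the match to exactly those. This matters more now that the later hunks install this rule for every network, forwarding or not. A one-line comment above the call stating what the rule admits would also help, e.g. `/* accept traffic received on bridge port iface; the egress port is not restricted */`.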
@@ -42,11 +42,9 @@ int iptablesRemoveUdpInput
                                              int port);
 
 int iptablesAddPhysdevForward (iptablesContext *ctx,
-                               const char *iface,
-                               const char *target);
+                               const char *iface);
 int iptablesRemovePhysdevForward(iptablesContext *ctx,
-                               const char *iface,
-                               const char *target);
+                               const char *iface);
 
 int iptablesAddInterfaceForward (iptablesContext *ctx,
                                const char *iface,
Index: libvirt/qemud/conf.c
===================================================================
--- libvirt.orig/qemud/conf.c
+++ libvirt/qemud/conf.c
@@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_se
     }
 
     if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
-        if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
+        if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) {
             qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                              "Failed to add iptables rule to allow bridging from '%s' :%s",
                              ifname, strerror(err));
@@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_se
 no_memory:
     if (net->type == QEMUD_NET_NETWORK && network->def->forward)
-        iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
+        iptablesRemovePhysdevForward(server->iptables, ifname);
     qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
 
 error:
     if (retval)
Index: libvirt/qemud/qemud.c
===================================================================
--- libvirt.orig/qemud/qemud.c
+++ libvirt/qemud/qemud.c
@@ -1042,8 +1042,7 @@ qemudNetworkIfaceDisconnect(struct qemud
         return;
     }
 
-    if (network->def->forward)
-        iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
+    iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);
 }
 
 int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
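Review bot: The add and remove paths for the per-tap physdev rule are no longer symmetric: conf.c @@ -1128 and @@ -1152 still gate `iptablesAddPhysdevForward` and its no_memory cleanup on `network->def->forward`, while qemud.c @@ -1042 now calls `iptablesRemovePhysdevForward` unconditionally, so on a non-forwarding network the disconnect path issues a delete for a rule that was never inserted (the return value is not checked there, so this only surfaces as an iptables error). Either drop the condition on the conf.c side too, `if (net->type == QEMUD_NET_NETWORK) {` at -1128 and `if (net->type == QEMUD_NET_NETWORK)` at -1152, which would match the unconditional bridge rule later in this patch, or keep the guard on both sides. If a later patch in the series makes that change, a sentence in the description saying so would avoid the question. The enclosing functions of all three hunks start and end outside them.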
@@ -1242,83 +1241,87 @@ qemudAddIptablesRules(struct qemud_serve
     }
 
     /* allow bridging from the bridge interface itself */
-    if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
+    if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "failed to add iptables rule to allow bridging from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err1;
     }
 
-    /* allow forwarding packets from the bridge interface */
-    if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
+    /* allow DHCP requests through to dnsmasq */
+    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow forwarding from '%s' : %s\n",
+                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err2;
     }
 
-    /* allow forwarding packets to the bridge interface if they are part of an existing connection */
-    if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
+    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow forwarding to '%s' : %s\n",
+                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err3;
     }
 
-    /* enable masquerading */
-    if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
+    /* allow DNS requests through to dnsmasq */
+    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to enable masquerading : %s\n",
-                         strerror(err));
+                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+                         network->bridge, strerror(err));
         goto err4;
     }
 
-    /* allow DHCP requests through to dnsmasq */
-    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
+    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err5;
     }
 
-    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
+    /* The remaining rules are only needed for IP forwarding */
+    if (!network->def->forward)
+        return 1;
+
+    /* allow forwarding packets from the bridge interface */
+    if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+                         "failed to add iptables rule to allow forwarding from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err6;
     }
 
-    /* allow DNS requests through to dnsmasq */
-    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
+    /* allow forwarding packets to the bridge interface if they are part of an existing connection */
+    if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+                         "failed to add iptables rule to allow forwarding to '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err7;
     }
 
-    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
+    /* enable masquerading */
+    if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
-                         network->bridge, strerror(err));
+                         "failed to add iptables rule to enable masquerading : %s\n",
+                         strerror(err));
         goto err8;
     }
 
     return 1;
 
 err8:
-    iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+    iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
 err7:
-    iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+    iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
 err6:
-    iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
 err5:
-    iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
 err4:
-    iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
 err3:
-    iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
 err2:
-    iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
+    iptablesRemovePhysdevForward(server->iptables, network->bridge);
 err1:
     return 0;
 }
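Review bot: The error text for the TCP and UDP variants on the same port is identical ("allow DHCP requests from" at `goto err2`/`goto err3`, "allow DNS requests from" at `goto err4`/`goto err5`), so a failure in the log cannot be attributed to the protocol that actually failed; naming it, e.g. `"failed to add iptables rule to allow DHCP requests (udp) from '%s' : %s\n",` for the UDP rules, costs nothing. I checked the err8..err2 unwind against the new add order (state, interface, udp 53, tcp 53, udp 67, tcp 67, physdev) and it is consistent, so the early `return 1` before the forwarding rules is safe. A comment above that early return naming what is installed at that point — the physdev FORWARD accept and INPUT accepts for 53/67 on the bridge, which now apply to every network — would help the next reader, since the non-forwarding case previously installed nothing. The function's opening lines are outside the hunk.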
@@ -1327,15 +1330,15 @@ static void
 qemudRemoveIptablesRules(struct qemud_server *server,
                          struct qemud_network *network) {
     if (network->def->forward) {
-        iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
-        iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
-        iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
-        iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
         iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
         iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
         iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
-        iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
     }
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+    iptablesRemovePhysdevForward(server->iptables, network->bridge);
 }
 
 static int
@@ -1412,8 +1415,7 @@ int qemudStartNetworkDaemon(struct qemud
         goto err_delbr;
     }
 
-    if (network->def->forward &&
-        !qemudAddIptablesRules(server, network))
+    if (!qemudAddIptablesRules(server, network))
         goto err_delbr1;
 
     if (network->def->forward &&
--
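Review bot: In qemudStartNetworkDaemon (@@ -1412) qemudAddIptablesRules is now called for every network, so the `err_delbr1` cleanup, which lies outside the hunk, must reach qemudRemoveIptablesRules without a `forward` condition as well; otherwise the INPUT accepts for 53/67 and the physdev rule installed for a non-forwarding network are left behind when a later start-up step fails. I cannot see that label here, so this is a request to confirm rather than a defect I can point at. The qemudRemoveIptablesRules change in the preceding hunk does remove those rules unconditionally, so if err_delbr1 already calls it unguarded nothing more is needed; a comment on the label such as `/* removes the INPUT and physdev rules for every network, forwarding rules only when forward is set */` would document the pairing.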