[libvirt] [PATCH] nwfilter: Deactivate iptables MAC address check where needed
From: Stefan Berger <stefanb@linux.vnet.ibm.com> Recent Linux iptables (3.11.7) refuses to create iptables MAC address check rules using -m mac --mac-source <addr> where previous versions still allowed it. So we now need to deactivate the filtering rules for when the incoming traffic is filtered before it is sent into the VM. Those are typically the chains that start with FO-* or start with FP-* when they are being built. Adapt the documentation to reflect the fact that srcmacaddr, when used in iptables rules, should be regarded as deprecated due to the above mentioned problems. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- docs/formatnwfilter.html.in | 42 +++++-------------------------- src/nwfilter/nwfilter_ebiptables_driver.c | 29 +++++++++++++-------- 2 files changed, 24 insertions(+), 47 deletions(-) diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 4b95fce..ee23d8e 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in @@ -1209,7 +1209,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> + <td>MAC address of sender; this option is deprecated</td> </tr> <tr> <td>srcipaddr</td> @@ -1320,22 +1320,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> - </tr> - <tr> - <td>srcmacmask</td> - <td>MAC_MASK</td> - <td>Mask applied to MAC address of sender</td> - </tr> - <tr> - <td>dstmacaddr</td> - <td>MAC_ADDR</td> - <td>MAC address of destination</td> - </tr> - <tr> - <td>dstmacmask</td> - <td>MAC_MASK</td> - <td>Mask applied to MAC address of destination</td> + <td>MAC address of sender; this option is deprecated</td> </tr> <tr> <td>srcipaddr</td> @@ -1429,22 +1414,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> - </tr> - <tr> - <td>srcmacmask</td> - <td>MAC_MASK</td> - <td>Mask applied to MAC address of sender</td> - </tr> - <tr> - <td>dstmacaddr</td> - <td>MAC_ADDR</td> - <td>MAC address of destination</td> - </tr> - <tr> - <td>dstmacmask</td> - <td>MAC_MASK</td> - <td>Mask applied to MAC address of destination</td> + <td>MAC address of sender; this option is deprecated</td> </tr> <tr> <td>srcipaddr</td> @@ -1529,7 +1499,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> + <td>MAC address of sender; this option is deprecated</td> </tr> <tr> <td>srcipaddr</td> @@ -1640,7 +1610,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> + <td>MAC address of sender; this option is deprecated</td> </tr> <tr> <td>srcipaddr</td> @@ -1735,7 +1705,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> + <td>MAC address of sender; this option is deprecated</td> </tr> <tr> <td>srcipaddr</td> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 9d6cc90..ebc3505 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -972,7 +972,7 @@ static int iptablesHandleSrcMacAddr(virBufferPtr buf, virNWFilterVarCombIterPtr vars, nwItemDescPtr srcMacAddr, - bool directionIn, + const char *chain, bool directionIn, bool *srcmacskipped) { char macaddr[VIR_MAC_STRING_BUFLEN]; @@ -984,6 +984,14 @@ iptablesHandleSrcMacAddr(virBufferPtr buf, return 0; } + /* recent Linux iptables does not allow this filteirng rule to be + * applied to all FO-* chains + */ + if (chain[1] == CHAINPREFIX_HOST_OUT_TEMP ) { + *srcmacskipped = true; + return 0; + } + if (printDataType(vars, macaddr, sizeof(macaddr), srcMacAddr) < 0) @@ -1366,7 +1374,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.tcpHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1421,7 +1429,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.udpHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1454,7 +1462,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.udpliteHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1482,7 +1490,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.espHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1506,11 +1514,10 @@ _iptablesCreateRuleInstance(bool directionIn, virBufferAddLit(&buf, " -p ah"); bufUsed = virBufferUse(&buf); - if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.ahHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1538,7 +1545,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.sctpHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1574,7 +1581,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.icmpHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1636,7 +1643,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.igmpHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; @@ -1664,7 +1671,7 @@ _iptablesCreateRuleInstance(bool directionIn, if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.allHdrFilter.dataSrcMACAddr, - directionIn, + chain, directionIn, &srcMacSkipped) < 0) goto err_exit; -- 1.8.1.4
On 03/10/2014 02:49 PM, Stefan Berger wrote:
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Recent Linux iptables (3.11.7) refuses to create iptables MAC address check rules using -m mac --mac-source <addr> where previous versions still allowed it. So we now need to deactivate the filtering rules for when the incoming traffic is filtered before it is sent into the VM. Those are typically the chains that start with FO-* or start with FP-* when they are being built.
Adapt the documentation to reflect the fact that srcmacaddr, when used in iptables rules, should be regarded as deprecated due to the above mentioned problems.
Is this an unintentional kernel regression, or something that we were doing wrong all along and the kernel is now finally calling our bluff?
+++ b/docs/formatnwfilter.html.in @@ -1209,7 +1209,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> + <td>MAC address of sender; this option is deprecated</td>
Marking something as deprecated is one thing...
</tr> <tr> <td>srcipaddr</td> @@ -1320,22 +1320,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> - </tr> - <tr> - <td>srcmacmask</td> - <td>MAC_MASK</td> - <td>Mask applied to MAC address of sender</td> - </tr>
...but completely removing documentation feels wrong. Was this bogus documentation, or do we still support usage of this XML on older kernels that don't prohibit it? Maybe separate this into multiple patches - doc fixes (deleting stuff that never worked) vs. deprecation (marking stuff that no longer works on newer kernels).
@@ -984,6 +984,14 @@ iptablesHandleSrcMacAddr(virBufferPtr buf, return 0; }
+ /* recent Linux iptables does not allow this filteirng rule to be
s/filteirng/filtering/
+ * applied to all FO-* chains + */ + if (chain[1] == CHAINPREFIX_HOST_OUT_TEMP ) {
No space before ) -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Eric Blake <eblake@redhat.com> wrote on 03/10/2014 06:05:18 PM:
From: Eric Blake <eblake@redhat.com>
On 03/10/2014 02:49 PM, Stefan Berger wrote:
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Recent Linux iptables (3.11.7) refuses to create iptables MAC address check rules using -m mac --mac-source <addr> where previous versions still allowed it. So we now need to deactivate the filtering rules for when the incoming traffic is filtered before it is sent into the VM. Those are typically the chains that start with FO-* or start with FP-* when they are being built.
Adapt the documentation to reflect the fact that srcmacaddr, when used in iptables rules, should be regarded as deprecated due to the above mentioned problems.
Is this an unintentional kernel regression, or something that we were doing wrong all along and the kernel is now finally calling our bluff?
I must say, I did not test whether the iptables rule in this particular case did not work. I assumed that if it applies, it will work. And besides that it is supposed to work in the FORWARD chain (following dmesg) and we now have a case where the rule is accepted in a chain that is connected to the FORWARD chain and is rejected in a chain that is also connected to the FORWARD chain. Both chains are not connected to the FORDWARD chain directly but there is one other chain in between. It may be that iptables walks these chains to see whether they are connected to the FORWARD chain but for some reason doesn't do it correctly for the 2nd case. It still applies in 3.10.
+++ b/docs/formatnwfilter.html.in @@ -1209,7 +1209,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> + <td>MAC address of sender; this option is deprecated</td>
Marking something as deprecated is one thing...
</tr> <tr> <td>srcipaddr</td> @@ -1320,22 +1320,7 @@ <tr> <td>srcmacaddr</td> <td>MAC_ADDR</td> - <td>MAC address of sender</td> - </tr> - <tr> - <td>srcmacmask</td> - <td>MAC_MASK</td> - <td>Mask applied to MAC address of sender</td> - </tr>
...but completely removing documentation feels wrong. Was this bogus documentation, or do we still support usage of this XML on older kernels that don't prohibit it? Maybe separate this into multiple patches - doc
This was bogs documentation. Must have been a c&p error. srcmacmask only exists for rules mapping into ebtables rules, but that's not the case here.
fixes (deleting stuff that never worked) vs. deprecation (marking stuff that no longer works on newer kernels).
@@ -984,6 +984,14 @@ iptablesHandleSrcMacAddr(virBufferPtr buf, return 0; }
+ /* recent Linux iptables does not allow this filteirng rule to be
s/filteirng/filtering/
+ * applied to all FO-* chains + */ + if (chain[1] == CHAINPREFIX_HOST_OUT_TEMP ) {
No space before )
Will fix. Stefan
participants (2)
-
Eric Blake -
Stefan Berger