8:09 p.m.
The following set of patches are primarily related to the
thread learning the IP address of a VM and deal with:
- ebtables cleanup before applying basic filtering rules that are
active while the IP address is detected
- shutting down all traffic in case the filtering rules could not
be applied by the thread
- serialization of the teardown of eb/ip/ip6tables rules to occurr
after the IP address learning thread has terminated
- not to apply or tear any eb/ip/ip6tables rules of a VM's interface
while the IP address learning thread is active. This may be due
to a filter being updated concurrently using for exampe
'virsh define/edit'.
Regards,
Stefan
8:09 p.m.
New subject: [libvirt] [v2 1/3] Clean all tables before applying basic rules
The functions invoked by the IP address learning thread
that apply some basic filtering rules did not clean up
any previous filtering rules that may still be there
(due to a libvirt restart for example). With the
patch below all the rules are cleaned up first.
Also, I am introducing a function to drop all traffic
in case the IP address learning thread could not apply
the rules.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/conf/nwfilter_conf.h | 3
src/nwfilter/nwfilter_ebiptables_driver.c | 104 +++++++++++++++++++++++++-----
src/nwfilter/nwfilter_learnipaddr.c | 4 -
src/nwfilter/nwfilter_learnipaddr.h | 2
4 files changed, 96 insertions(+), 17 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -102,6 +102,7 @@ static const char *m_physdev_out_str = "
static int ebtablesRemoveBasicRules(const char *ifname);
static int ebiptablesDriverInit(void);
static void ebiptablesDriverShutdown(void);
+static int ebtablesCleanAll(const char *ifname);
struct ushort_map {
@@ -2679,12 +2680,7 @@ ebtablesApplyBasicRules(const char *ifna
virFormatMacAddr(macaddr, macaddr_str);
- ebtablesUnlinkTmpRootChain(&buf, 1, ifname);
- ebtablesUnlinkTmpRootChain(&buf, 0, ifname);
- ebtablesRemoveTmpSubChains(&buf, ifname);
- ebtablesRemoveTmpRootChain(&buf, 1, ifname);
- ebtablesRemoveTmpRootChain(&buf, 0, ifname);
- ebiptablesExecCLI(&buf, &cli_status);
+ ebtablesCleanAll(ifname);
ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
@@ -2723,6 +2719,7 @@ ebtablesApplyBasicRules(const char *ifna
CMD_STOPONERR(1));
ebtablesLinkTmpRootChain(&buf, 1, ifname, 1);
+ ebtablesRenameTmpRootChain(&buf, 1, ifname);
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpebchains;
@@ -2730,7 +2727,7 @@ ebtablesApplyBasicRules(const char *ifna
return 0;
tear_down_tmpebchains:
- ebtablesRemoveBasicRules(ifname);
+ ebtablesCleanAll(ifname);
virNWFilterReportError(VIR_ERR_BUILD_FIREWALL,
"%s",
@@ -2782,12 +2779,7 @@ ebtablesApplyDHCPOnlyRules(const char *i
virFormatMacAddr(macaddr, macaddr_str);
- ebtablesUnlinkTmpRootChain(&buf, 1, ifname);
- ebtablesUnlinkTmpRootChain(&buf, 0, ifname);
- ebtablesRemoveTmpSubChains(&buf, ifname);
- ebtablesRemoveTmpRootChain(&buf, 1, ifname);
- ebtablesRemoveTmpRootChain(&buf, 0, ifname);
- ebiptablesExecCLI(&buf, &cli_status);
+ ebtablesCleanAll(ifname);
ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
ebtablesCreateTmpRootChain(&buf, 0, ifname, 1);
@@ -2842,6 +2834,8 @@ ebtablesApplyDHCPOnlyRules(const char *i
ebtablesLinkTmpRootChain(&buf, 1, ifname, 1);
ebtablesLinkTmpRootChain(&buf, 0, ifname, 1);
+ ebtablesRenameTmpRootChain(&buf, 1, ifname);
+ ebtablesRenameTmpRootChain(&buf, 0, ifname);
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpebchains;
@@ -2851,7 +2845,7 @@ ebtablesApplyDHCPOnlyRules(const char *i
return 0;
tear_down_tmpebchains:
- ebtablesRemoveBasicRules(ifname);
+ ebtablesCleanAll(ifname);
virNWFilterReportError(VIR_ERR_BUILD_FIREWALL,
"%s",
@@ -2863,15 +2857,96 @@ tear_down_tmpebchains:
}
+/**
+ * ebtablesApplyDropAllRules
+ *
+ * @ifname: name of the backend-interface to which to apply the rules
+ *
+ * Returns 0 on success, 1 on failure with the rules removed
+ *
+ * Apply filtering rules so that the VM cannot receive or send traffic.
+ */
+static int
+ebtablesApplyDropAllRules(const char *ifname)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ int cli_status;
+ char chain_in [MAX_CHAINNAME_LENGTH],
+ chain_out[MAX_CHAINNAME_LENGTH];
+
+ if (!ebtables_cmd_path) {
+ virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("cannot create rules since ebtables tool is "
+ "missing."));
+ return 1;
+ }
+
+ ebtablesCleanAll(ifname);
+
+ ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
+ ebtablesCreateTmpRootChain(&buf, 0, ifname, 1);
+
+ PRINT_ROOT_CHAIN(chain_in , CHAINPREFIX_HOST_IN_TEMP , ifname);
+ PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
+
+ virBufferVSprintf(&buf,
+ CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR
+ CMD_EXEC
+ "%s",
+
+ ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in,
+ CMD_STOPONERR(1));
+
+ virBufferVSprintf(&buf,
+ CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR
+ CMD_EXEC
+ "%s",
+
+ ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out,
+ CMD_STOPONERR(1));
+
+ ebtablesLinkTmpRootChain(&buf, 1, ifname, 1);
+ ebtablesLinkTmpRootChain(&buf, 0, ifname, 1);
+ ebtablesRenameTmpRootChain(&buf, 1, ifname);
+ ebtablesRenameTmpRootChain(&buf, 0, ifname);
+
+ if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
+ goto tear_down_tmpebchains;
+
+ return 0;
+
+tear_down_tmpebchains:
+ ebtablesCleanAll(ifname);
+
+ virNWFilterReportError(VIR_ERR_BUILD_FIREWALL,
+ "%s",
+ _("Some rules could not be created."));
+
+ return 1;
+}
+
+
static int
ebtablesRemoveBasicRules(const char *ifname)
{
+ return ebtablesCleanAll(ifname);
+}
+
+
+static int ebtablesCleanAll(const char *ifname)
+{
virBuffer buf = VIR_BUFFER_INITIALIZER;
int cli_status;
if (!ebtables_cmd_path)
return 0;
+ ebtablesUnlinkRootChain(&buf, 1, ifname);
+ ebtablesUnlinkRootChain(&buf, 0, ifname);
+ ebtablesRemoveSubChains(&buf, ifname);
+ ebtablesRemoveRootChain(&buf, 1, ifname);
+ ebtablesRemoveRootChain(&buf, 0, ifname);
+
ebtablesUnlinkTmpRootChain(&buf, 1, ifname);
ebtablesUnlinkTmpRootChain(&buf, 0, ifname);
ebtablesRemoveTmpSubChains(&buf, ifname);
@@ -3265,6 +3340,7 @@ virNWFilterTechDriver ebiptables_driver
.canApplyBasicRules = ebiptablesCanApplyBasicRules,
.applyBasicRules = ebtablesApplyBasicRules,
.applyDHCPOnlyRules = ebtablesApplyDHCPOnlyRules,
+ .applyDropAllRules = ebtablesApplyDropAllRules,
.removeBasicRules = ebtablesRemoveBasicRules,
};
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.c
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
@@ -598,8 +598,6 @@ learnIPAddressThread(void *arg)
if (handle)
pcap_close(handle);
- techdriver->removeBasicRules(req->ifname);
-
if (req->status == 0) {
int ret;
char inetaddr[INET_ADDRSTRLEN];
@@ -624,6 +622,8 @@ learnIPAddressThread(void *arg)
_("encountered an error on interface %s "
"index %d"),
req->ifname, req->ifindex);
+
+ techdriver->applyDropAllRules(req->ifname);
}
memset(&req->thread, 0x0, sizeof(req->thread));
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -521,6 +521,8 @@ typedef int (*virNWFilterApplyDHCPOnlyRu
typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
+typedef int (*virNWFilterDropAllRules)(const char *ifname);
+
enum techDrvFlags {
TECHDRV_FLAG_INITIALIZED = (1 << 0),
};
@@ -544,6 +546,7 @@ struct _virNWFilterTechDriver {
virNWFilterCanApplyBasicRules canApplyBasicRules;
virNWFilterApplyBasicRules applyBasicRules;
virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
+ virNWFilterDropAllRules applyDropAllRules;
virNWFilterRemoveBasicRules removeBasicRules;
};
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.h
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
@@ -60,7 +60,7 @@ int virNWFilterLearnIPAddress(virNWFilte
enum howDetect howDetect);
virNWFilterIPAddrLearnReqPtr virNWFilterLookupLearnReq(int ifindex);
-
+int virNWFilterTerminateLearnReq(const char *ifname);
void virNWFilterDelIpAddrForIfname(const char *ifname);
const char *virNWFilterGetIpAddrForIfname(const char *ifname);
8:09 p.m.
New subject: [libvirt] [v2 2/3] Syncronize the teardown of rules with the thread
Introduce a function to notify the IP address learning
thread to terminate and thus release the lock on the interface.
Notify the thread before grabbing the lock on the interface
and tearing down the rules. This prevents a 'virsh destroy' to
tear down the rules that the IP address learning thread has
applied.
Signed-off-by; Stefan Berger <stefanb(a)us.ibm.com>
---
src/nwfilter/nwfilter_gentech_driver.c | 8 ++++++++
src/nwfilter/nwfilter_learnipaddr.c | 27 ++++++++++++++++++++++++++-
src/nwfilter/nwfilter_learnipaddr.h | 1 +
3 files changed, 35 insertions(+), 1 deletion(-)
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.c
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
@@ -243,8 +243,33 @@ virNWFilterRegisterLearnReq(virNWFilterI
return res;
}
+
#endif
+int
+virNWFilterTerminateLearnReq(const char *ifname) {
+ int rc = 1;
+ int ifindex;
+ virNWFilterIPAddrLearnReqPtr req;
+
+ if (ifaceGetIndex(false, ifname, &ifindex) == 0) {
+
+ IFINDEX2STR(ifindex_str, ifindex);
+
+ virMutexLock(&pendingLearnReqLock);
+
+ req = virHashLookup(pendingLearnReq, ifindex_str);
+ if (req) {
+ rc = 0;
+ req->terminate = true;
+ }
+
+ virMutexUnlock(&pendingLearnReqLock);
+ }
+
+ return rc;
+}
+
virNWFilterIPAddrLearnReqPtr
virNWFilterLookupLearnReq(int ifindex) {
@@ -472,7 +497,7 @@ learnIPAddressThread(void *arg)
if (!packet) {
- if (threadsTerminate) {
+ if (threadsTerminate || req->terminate) {
req->status = ECANCELED;
showError = false;
break;
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
@@ -937,10 +937,18 @@ _virNWFilterTeardownFilter(const char *i
drvname);
return 1;
}
+
+ virNWFilterTerminateLearnReq(ifname);
+
+ if (virNWFilterLockIface(ifname))
+ return 1;
+
techdriver->allTeardown(ifname);
virNWFilterDelIpAddrForIfname(ifname);
+ virNWFilterUnlockIface(ifname);
+
return 0;
}
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.h
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
@@ -46,6 +46,7 @@ struct _virNWFilterIPAddrLearnReq {
int status;
pthread_t thread;
+ volatile bool terminate;
};
int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
8:09 p.m.
New subject: [libvirt] [v2 3/3] Prevent updates while IP address learn thread is running
Prevent updating and tearing down of filter while the IP
address learning thread is running and has its own filtering
rules applied.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
@@ -610,6 +610,8 @@ virNWFilterInstantiate(virConnectPtr con
} else if (virHashSize(missing_vars->hashTable) > 1) {
rc = 1;
goto err_exit;
+ } else if (virNWFilterLookupLearnReq(ifindex) == NULL) {
+ goto err_exit;
}
rc = _virNWFilterInstantiateRec(conn,
@@ -890,7 +892,9 @@ int virNWFilterRollbackUpdateFilter(virC
const virDomainNetDefPtr net)
{
const char *drvname = EBIPTABLES_DRIVER_ID;
+ int ifindex;
virNWFilterTechDriverPtr techdriver;
+
techdriver = virNWFilterTechDriverForName(drvname);
if (!techdriver) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -900,6 +904,11 @@ int virNWFilterRollbackUpdateFilter(virC
return 1;
}
+ /* don't tear anything while the address is being learned */
+ if (ifaceGetIndex(true, net->ifname, &ifindex) == 0 &&
+ virNWFilterLookupLearnReq(ifindex) != NULL)
+ return 0;
+
return techdriver->tearNewRules(conn, net->ifname);
}
@@ -909,7 +918,9 @@ virNWFilterTearOldFilter(virConnectPtr c
virDomainNetDefPtr net)
{
const char *drvname = EBIPTABLES_DRIVER_ID;
+ int ifindex;
virNWFilterTechDriverPtr techdriver;
+
techdriver = virNWFilterTechDriverForName(drvname);
if (!techdriver) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -919,6 +930,11 @@ virNWFilterTearOldFilter(virConnectPtr c
return 1;
}
+ /* don't tear anything while the address is being learned */
+ if (ifaceGetIndex(true, net->ifname, &ifindex) == 0 &&
+ virNWFilterLookupLearnReq(ifindex) != NULL)
+ return 0;
+
return techdriver->tearOldRules(conn, net->ifname);
}
5319
days inactive
5319
days old
3 comments
1 participants
participants (1)
-
Stefan Berger