[libvirt] [PATCH] qemu: fail on attempts to use <filterref> for non-tap network connections

nwfilter uses iptables and ebtables, which only work properly on tap-based network connections (*not* on macvtap, for example), but we just ignore any <filterref> elements for other types of networks, potentially giving users a false sense of security. This patch checks the network type and fails/logs an error if any domain <interface> has a <filterref> when the connection isn't using a tap device. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1180011 --- src/qemu/qemu_command.c | 11 +++++++++++ src/qemu/qemu_hotplug.c | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index e12278c..829f1dc 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -8581,6 +8581,17 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd, return -1; } + /* and only TAP devices support nwfilter rules */ + if (net->filter && + !(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || + actualType == VIR_DOMAIN_NET_TYPE_BRIDGE)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported for " + "network interfaces of type %s"), + virDomainNetTypeToString(actualType)); + return -1; + } + if (net->backend.tap && !(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || actualType == VIR_DOMAIN_NET_TYPE_BRIDGE)) { diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 1ea397f..aabdb78 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c 
@@ -910,6 +910,17 @@ int qemuDomainAttachNetDevice(virConnectPtr conn, return -1; } + /* and only TAP devices support nwfilter rules */ + if (net->filter && + !(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || + actualType == VIR_DOMAIN_NET_TYPE_BRIDGE)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported for " + "network interfaces of type %s"), + virDomainNetTypeToString(actualType)); + return -1; + } + if (actualType == VIR_DOMAIN_NET_TYPE_BRIDGE || actualType == VIR_DOMAIN_NET_TYPE_NETWORK) { tapfdSize = vhostfdSize = net->driver.virtio.queues; -- 2.1.0
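Review bot: In the qemu_command.c hunk, the new tap-type test `!(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || actualType == VIR_DOMAIN_NET_TYPE_BRIDGE)` is the same condition the existing `net->backend.tap` check right below it evaluates again; computing it once into a local (e.g. `bool isTap = ...`) and using it in both `if`s would keep the two "tap only" rules from drifting apart. Separately, the error text reports `virDomainNetTypeToString(actualType)`, so a user whose XML says `type='network'` but whose network resolves to macvtap will be told that "direct" is unsupported; including the configured type alongside the actual one would make the refusal easier to understand. The diffstat shows no documentation change, so the statement that `<filterref>` is honoured only for tap-based connections should also land in the domain XML docs.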
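Review bot: The qemu_hotplug.c hunk is a verbatim copy of the block added in qemu_command.c, including the comment and message string; since this is the check that turns silently unfiltered traffic into a hard error, it is worth having it in one shared helper that both qemuBuildInterfaceCommandLine and qemuDomainAttachNetDevice call, so a future change to the tap-type rule cannot be applied in one place and missed in the other. Placing the check immediately after the existing `return -1; }` and before the `tapfdSize = vhostfdSize = ...` setup is the right spot, as no fds have been opened yet and a plain `return -1` needs no cleanup, matching the surrounding code.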

On Mon, Aug 10, 2015 at 02:09:42AM -0400, Laine Stump wrote:
nwfilter uses iptables and ebtables, which only work properly on tap-based network connections (*not* on macvtap, for example), but we just ignore any <filterref> elements for other types of networks, potentially giving users a false sense of security.
This patch checks the network type and fails/logs an error if any domain <interface> has a <filterref> when the connection isn't using a tap device.
This resolves:
ACK

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
participants (2)
- Daniel P. Berrange
- Laine Stump