[libvirt] [PATCH] nwfilter: report if ip(6)tables rules would not be effective

The patch below reports a warning in the log if the generated ip(6)tables rules would not be effective due to the proc filesystem entries /proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/bridge/bridge-nf-call-ip6tables containing a '0'. The warning tells the user what to do. I am rate-limiting the warning message to appear only every 10 seconds. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> --- src/nwfilter/nwfilter_ebiptables_driver.c | 51 ++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -24,6 +24,7 @@ #include <config.h> #include <sys/stat.h> +#include <fcntl.h> #include "internal.h" @@ -63,6 +64,13 @@ : "" +#define PROC_BRIDGE_NF_CALL_IPTABLES \ + "/proc/sys/net/bridge/bridge-nf-call-iptables" +#define PROC_BRIDGE_NF_CALL_IP6TABLES \ + "/proc/sys/net/bridge/bridge-nf-call-ip6tables" + +#define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */ + static char *ebtables_cmd_path; static char *iptables_cmd_path; static char *ip6tables_cmd_path; 
@@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, c } +static void +iptablesCheckBridgeNFCallEnabled(bool isIPv6) +{ + static time_t lastReport, lastReportIPv6; + const char *pathname = NULL; + char buffer[1]; + time_t now = time(NULL); + + if (isIPv6 && + (now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) { + pathname = PROC_BRIDGE_NF_CALL_IP6TABLES; + } else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) { + pathname = PROC_BRIDGE_NF_CALL_IPTABLES; + } + + if (pathname) { + int fd = open(pathname, O_RDONLY); + if (fd >= 0) { + if (read(fd, buffer, 1) == 1) { + if (buffer[0] == '0') { + char msg[256]; + snprintf(msg, sizeof(msg), + _("To enable ip%stables filtering for the VM do " + "'echo 1 > %s'\n"), + isIPv6 ? "6" : "", + pathname); + VIR_WARN0(msg); + if (isIPv6) + lastReportIPv6 = now; + else + lastReport = now; + } + } + close(fd); + } + } +} + + static int ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED, const char *ifname, @@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr co if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpiptchains; + + iptablesCheckBridgeNFCallEnabled(false); } if (haveIp6tables) { @@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr co if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpip6tchains; + + iptablesCheckBridgeNFCallEnabled(true); } if (chains_in != 0)
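Review bot: the @@ -24,6 +24,7 @@ hunk adds only <fcntl.h>, but the new function also calls read() and close() (declared in <unistd.h>) and time() (declared in <time.h>). Unless those headers already arrive through "internal.h" (not visible here), add them next to <fcntl.h> so the file does not depend on transitive includes.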
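Review bot: the interval check in iptablesCheckBridgeNFCallEnabled() (@@ -2986,6 +2994,45 @@) falls through to the IPv4 branch when isIPv6 is true but the IPv6 warning was issued less than BRIDGE_NF_CALL_ALERT_INTERVAL ago: the first condition is false, the `else if (now - lastReport > ...)` branch then selects PROC_BRIDGE_NF_CALL_IPTABLES, the message is printed as "ip6tables" (isIPv6 is still true) while naming the iptables proc entry, and lastReportIPv6 is updated from a read of the wrong file. Guard the second branch with `} else if (!isIPv6 && now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {` so each address family only ever inspects and reports its own entry. Two smaller points in the same hunk: the timestamps are only advanced when the value is '0', so a machine with the entry set to '1' re-opens the proc file on every rule application, which is cheap but worth a comment; and the 256-byte `msg` buffer plus snprintf() is an extra step if the logging macro accepts a format and arguments directly, in which case the trailing "\n" in the message is also likely redundant with the logger's own line ending. Drop the stray space in `BRIDGE_NF_CALL_ALERT_INTERVAL )`.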
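Review bot: it is worth stating in the commit message that the warning is tied to rule application rather than daemon start. In both the @@ -3099,6 +3146,8 @@ and @@ -3129,6 +3178,8 @@ hunks the call to iptablesCheckBridgeNFCallEnabled() sits after the `goto tear_down_tmpip*chains` taken when ebiptablesExecCLI() fails, so the check only runs once the ip(6)tables rules were actually installed, which is the right ordering, but it also means an administrator whose bridge-nf-call-ip(6)tables entry is '0' only learns about it when a filtered interface is brought up.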

On 09/23/2010 09:53 AM, Stefan Berger wrote:
The patch below reports a warning in the log if the generated ip(6)tables rules would not be effective due to the proc filesystem entries
/proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/bridge/bridge-nf-call-ip6tables
containing a '0'. The warning tells the user what to do. I am rate-limiting the warning message to appear only every 10 seconds.
ACK; looks like a reasonable way to warn about the issue, leaving the resolution in the user's hands to either update the kernel state or rewrite their nwfilter rules to not rely on iptables. -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org

On 09/24/2010 12:01 PM, Eric Blake wrote:
On 09/23/2010 09:53 AM, Stefan Berger wrote:
The patch below reports a warning in the log if the generated ip(6)tables rules would not be effective due to the proc filesystem entries
/proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/bridge/bridge-nf-call-ip6tables
containing a '0'. The warning tells the user what to do. I am rate-limiting the warning message to appear only every 10 seconds.
ACK; looks like a reasonable way to warn about the issue, leaving the resolution in the user's hands to either update the kernel state or rewrite their nwfilter rules to not rely on iptables.
Pushed. Stefan