The patch below reports a warning in the log if the generated
ip(6)tables rules would not be effective due to the proc filesystem entries
/proc/sys/net/bridge/bridge-nf-call-iptables
/proc/sys/net/bridge/bridge-nf-call-ip6tables
containing a '0'. The warning tells the user how to fix it. The warning
is rate-limited so that it appears at most once every 10 seconds.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 51
++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -24,6 +24,7 @@
#include <config.h>
#include <sys/stat.h>
+#include <fcntl.h>
#include "internal.h"
@@ -63,6 +64,13 @@
: ""
+#define PROC_BRIDGE_NF_CALL_IPTABLES \
+ "/proc/sys/net/bridge/bridge-nf-call-iptables"
+#define PROC_BRIDGE_NF_CALL_IP6TABLES \
+ "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+
+#define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */
+
static char *ebtables_cmd_path;
static char *iptables_cmd_path;
static char *ip6tables_cmd_path;
@@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, c
}
+static void
+iptablesCheckBridgeNFCallEnabled(bool isIPv6)
+{
+ static time_t lastReport, lastReportIPv6;
+ const char *pathname = NULL;
+ char buffer[1];
+ time_t now = time(NULL);
+
+ if (isIPv6 &&
+ (now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) {
+ pathname = PROC_BRIDGE_NF_CALL_IP6TABLES;
+ } else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {
+ pathname = PROC_BRIDGE_NF_CALL_IPTABLES;
+ }
+
+ if (pathname) {
+ int fd = open(pathname, O_RDONLY);
+ if (fd >= 0) {
+ if (read(fd, buffer, 1) == 1) {
+ if (buffer[0] == '0') {
+ char msg[256];
+ snprintf(msg, sizeof(msg),
+ _("To enable ip%stables filtering for the
VM do "
+ "'echo 1 > %s'\n"),
+ isIPv6 ? "6" : "",
+ pathname);
+ VIR_WARN0(msg);
+ if (isIPv6)
+ lastReportIPv6 = now;
+ else
+ lastReport = now;
+ }
+ }
+ close(fd);
+ }
+ }
+}
+
+
static int
ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
const char *ifname,
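Review bot: The two rate-limit branches in iptablesCheckBridgeNFCallEnabled are not tied to the table being checked: when isIPv6 is true but the IPv6 interval has not yet elapsed, the `else if` falls through to the IPv4 timer and selects PROC_BRIDGE_NF_CALL_IPTABLES while isIPv6 is still true, so the warning can read "ip6tables" yet tell the user to write to bridge-nf-call-iptables, and it then stamps lastReportIPv6 instead of lastReport. Guarding the second branch with the table, `} else if (!isIPv6 && now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {`, keeps each timer and proc path bound to its own table. A failed open() (for instance the proc entry not existing) is silently ignored and ebiptablesApplyNewRules still returns success, so a comment such as `/* Advisory only: if the proc entry cannot be read no warning is logged; the rules are installed regardless. */` would make the best-effort nature clear to readers. The static timers are updated without any locking, which is presumably fine if the driver serializes rule application, but worth confirming.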
@@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr co
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpiptchains;
+
+ iptablesCheckBridgeNFCallEnabled(false);
}
if (haveIp6tables) {
@@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr co
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpip6tchains;
+
+ iptablesCheckBridgeNFCallEnabled(true);
}
if (chains_in != 0)
On 09/23/2010 09:53 AM, Stefan Berger wrote:
The patch below reports a warning in the log if the generated
ip(6)tables rules would not be effective due to the proc filesystem entries
/proc/sys/net/bridge/bridge-nf-call-iptables
/proc/sys/net/bridge/bridge-nf-call-ip6tables
containing a '0'. The warning tells the user what to do. I am
rate-limiting the warning message to appear only every 10 seconds.
ACK; looks like a reasonable way to warn about the issue, leaving the
resolution in the user's hands to either update the kernel state or
rewrite their nwfilter rules to not rely on iptables.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org
On 09/24/2010 12:01 PM, Eric Blake wrote:
On 09/23/2010 09:53 AM, Stefan Berger wrote:
> The patch below reports a warning in the log if the generated
> ip(6)tables rules would not be effective due to the proc filesystem
> entries
>
> /proc/sys/net/bridge/bridge-nf-call-iptables
> /proc/sys/net/bridge/bridge-nf-call-ip6tables
>
> containing a '0'. The warning tells the user what to do. I am
> rate-limiting the warning message to appear only every 10 seconds.
ACK; looks like a reasonable way to warn about the issue, leaving the
resolution in the user's hands to either update the kernel state or
rewrite their nwfilter rules to not rely on iptables.
Pushed.
Stefan