[libvirt] [PATCH 0/7] Restructure firewall rules for virtual networks into private chains

Daniel P. Berrangé posted 7 patches 5 years, 4 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20181101125237.20723-1-berrange@redhat.com
src/libvirt_private.syms                      |   1 +
src/network/bridge_driver_linux.c             |   3 +
src/util/viriptables.c                        | 317 ++++++++++++++----
src/util/viriptables.h                        |   2 +
.../nat-default-linux.args                    | 150 ++++++++-
.../nat-ipv6-linux.args                       | 166 +++++++--
.../nat-many-ips-linux.args                   | 178 ++++++++--
.../nat-no-dhcp-linux.args                    | 164 +++++++--
.../nat-tftp-linux.args                       | 152 ++++++++-
.../route-default-linux.args                  | 140 +++++++-
tests/networkxml2firewalltest.c               |  17 +-
11 files changed, 1107 insertions(+), 183 deletions(-)
Posted by Daniel P. Berrangé 5 years, 4 months ago
The virtual networks in NAT mode are supposed to only allow outbound
network access for guests. Unfortunately due to ordering of the firewall
rules libvirt creates, when you have multiple virtual networks, guests
on the more recently created virtual networks can connect to guests on
old virtual networks.

This was reported way back in 2008 but we always thought the fix would
be very complicated to deal with, so we've been putting it off forever.

In parallel with this there's also been a long-standing desire since
2009 to move our firewall rules out of the builtin chains, to libvirt
private chains. This is to make it easier for admins to use hook scripts
to set up rules in the builtin chains that take priority over rules
libvirt creates.

In implementing the changes to use private chains, I suddenly realized
that fixing the network to network traffic blocking problem was trivial
if I grouped the forwarding rules into three distinct sets.

So this series finally fixes an annoying 10-year-old bug, and implements
a 9-year-old RFE.

It may take us a while, but we'll get to your bugs eventually ;-)

Daniel P. Berrangé (7):
  util: refactor iptables APIs to share more code
  util: add iptables API for creating base chains
  util: prepare iptables for putting rules into private chains
  network: setup default iptables chains
  util: switch over to creating rules in private chains
  tests: remove duplicated test case in networkxml2firewalltest
  tests: fix dry run handling in network firewall test

-- 
2.19.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
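The ordering problem the cover letter describes, and the "three distinct sets" fix, modelled as an added example (not code from the series or from libvirt): a first-match walk of the FORWARD chain over two NAT networks. The five per-network rule shapes (same-bridge accept, established-inbound accept, inbound reject, outbound accept, outbound reject) are my simplified assumption of what libvirt installs, and the bridge names, subnets and packets are constructed samples.

```python
# First-match model of the iptables FORWARD chain. Rule shapes are a simplified
# assumption, not libvirt's exact output; bridges and subnets are constructed samples.
from ipaddress import ip_address, ip_network
NETWORKS = [("virbr0", "192.168.100.0/24"), ("virbr1", "192.168.101.0/24")]  # oldest first

def match(rule, pkt):
    """True if every criterion on the rule (other than its verdict) matches pkt."""
    for key, want in rule.items():
        if key in ("src", "dst"):
            if ip_address(pkt[key]) not in ip_network(want):
                return False
        elif key != "verdict" and pkt[key] != want:
            return False
    return True

def verdict(chain, pkt):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if match(rule, pkt):
            return rule["verdict"]
    return "ACCEPT"  # assumed chain policy when no rule matches

def per_network_rules(bridge, subnet):
    """One network's forwarding rules, split into cross, inbound and outbound sets."""
    cross = [{"in": bridge, "out": bridge, "verdict": "ACCEPT"}]
    inbound = [{"dst": subnet, "out": bridge, "state": "ESTABLISHED", "verdict": "ACCEPT"},
               {"out": bridge, "verdict": "REJECT"}]
    outbound = [{"src": subnet, "in": bridge, "verdict": "ACCEPT"},
                {"in": bridge, "verdict": "REJECT"}]
    return cross, inbound, outbound

def interleaved_chain(networks):
    """Old layout: each newly started network inserts its whole block at the top."""
    chain = []
    for bridge, subnet in networks:
        cross, inbound, outbound = per_network_rules(bridge, subnet)
        chain = cross + inbound + outbound + chain
    return chain

def grouped_chain(networks):
    """Fixed layout: every cross rule, then every inbound rule, then every outbound rule."""
    groups = ([], [], [])
    for bridge, subnet in networks:
        for group, rules in zip(groups, per_network_rules(bridge, subnet)):
            group.extend(rules)
    return groups[0] + groups[1] + groups[2]

# Constructed packet: a new connection from a guest on the newer network to one on the older.
CROSS_NET = {"src": "192.168.101.10", "dst": "192.168.100.10",
             "in": "virbr1", "out": "virbr0", "state": "NEW"}
```

In the interleaved layout the newer network's outbound accept is reached before the older network's inbound reject, so the cross-network connection is accepted; in the grouped layout the inbound rejects of every network come before any outbound accept, so it is rejected while ordinary outbound traffic, its replies and same-bridge traffic still pass.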