From: Dion Bosschieter
To: devel@lists.libvirt.org
CC: jean-louis@dupond.be, dionbosschieter@gmail.com
Subject: [PATCH] nwfilter: Avoid firewall hole during VM startup by checking rule presence
Date: Thu, 12 Jun 2025 17:50:38 +0200
Message-Id: <20250612155039.79580-1-dionbosschieter@gmail.com>
Content-Transfer-Encoding: quoted-printable

Upon VM bootstrapping (start, restore, incoming migration)
iptablesCreateBaseChainsFW is called and unconditionally deletes and
reinserts top-level firewall chain jumps (e.g. INPUT, FORWARD rules).
This briefly opens a hole in the firewall, allowing packets through
until the insertions complete.

This commit ensures that the base chains are only created once per
layer (IPV4/IPV6) and checks whether the expected rules already exist
using `iptables -C`. If they do, no delete/insert operations are
performed. This eliminates the short window where packets could bypass
filters during VM lifecycle operations.

Signed-off-by: Dion Bosschieter
---
 src/nwfilter/nwfilter_ebiptables_driver.c | 79 ++++++++++++++---------
 1 file changed, 47 insertions(+), 32 deletions(-)
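As an added illustration of what `iptables -C` does and does not prove (this script is not part of the patch or of libvirt): `-C` only confirms that a rule exists somewhere in the chain, so a host-side check that wants the layout the patch inserts (FORWARD positions 1/2/3, INPUT position 1) also has to look at position. The chain names `libvirt-in`, `libvirt-out`, `libvirt-in-post` and `libvirt-host-in` are assumed expansions of the VIRT_IN_CHAIN, VIRT_OUT_CHAIN, VIRT_IN_POST_CHAIN and HOST_IN_CHAIN macros, and the rule dumps are constructed samples.

```shell
# Added example, not part of the patch: verify libvirt's base chain jumps sit at
# the positions the patch inserts them (FORWARD 1/2/3, INPUT 1). Chain names are
# assumed expansions of the VIRT_*_CHAIN / HOST_IN_CHAIN macros.

# jump_position CHAIN TARGET  (reads `iptables -S` output on stdin)
# Prints the 1-based position of the rule "-A CHAIN -j TARGET", or 0 if absent.
jump_position() {
    awk -v chain="$1" -v target="$2" '
        $1 == "-A" && $2 == chain { n++; if ($3 == "-j" && $4 == target) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# check_base_chains DUMP  (DUMP = output of `iptables -S FORWARD; iptables -S INPUT`)
# Returns 0 when every jump sits at its expected position, 1 otherwise.
check_base_chains() {
    dump=$1
    status=0
    for spec in "FORWARD 1 libvirt-in" "FORWARD 2 libvirt-out" \
                "FORWARD 3 libvirt-in-post" "INPUT 1 libvirt-host-in"; do
        set -- $spec
        pos=$(printf '%s\n' "$dump" | jump_position "$1" "$3")
        if [ "$pos" -ne "$2" ]; then
            echo "jump $1 -> $3: expected position $2, found $pos (0 = missing)"
            status=1
        fi
    done
    return $status
}

# Constructed sample dumps. GOOD_DUMP is the layout the patch creates.
GOOD_DUMP='-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A FORWARD -j libvirt-in-post
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A INPUT -j libvirt-host-in'

# Another tool has prepended a rule to FORWARD: every jump still exists, so
# `iptables -C` succeeds for all of them, yet traffic no longer hits them first.
SHIFTED_DUMP='-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A FORWARD -j libvirt-in-post
-A INPUT -j libvirt-host-in'

check_base_chains "$GOOD_DUMP" && echo "base chain jumps OK"
check_base_chains "$SHIFTED_DUMP" || echo "base chain jumps need re-insertion"
```

On a real host feed it `iptables -S FORWARD; iptables -S INPUT` (and the ip6tables equivalents for the IPv6 layer) instead of the sample text.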
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 067df6e612..42a0133159 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -131,6 +131,14 @@ static char chainprefixes_host_temp[3] =3D { 0 }; =20 +typedef struct { + const char *chain; + const char *position; + const char *targetChain; +} iptablesBaseChainFW; + +static bool baseChainFWDefined[VIR_FIREWALL_LAYER_LAST] =3D { false }; + static int printVar(virNWFilterVarCombIter *vars, char *buf, int bufsize, 
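Review bot: the new `baseChainFWDefined[VIR_FIREWALL_LAYER_LAST]` flag is process-global, set once and never cleared, which means the `-C` presence check introduced by this series runs at most once per layer per daemon lifetime; if the jump rules are later removed behind libvirt's back (a firewall reload or a manual flush), nothing will notice and the nwfilter rules stay silently unenforced until the daemon restarts. Either drop the flag and rely on the probe each time, or provide a reset path and document the assumption next to the declaration. Minor: `= { false }` is redundant for a static array, and a one-line comment on `iptablesBaseChainFW` saying that `position` is the 1-based index handed to `-I` would help readers.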
@@ -403,38 +411,45 @@ static void iptablesCreateBaseChainsFW(virFirewall *fw, virFirewallLayer layer) { - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", HOST_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL= ); - virFirewallAddCmd(fw, layer, - "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); + iptablesBaseChainFW fw_chains[] =3D { + {"FORWARD", "1", VIRT_IN_CHAIN}, + {"FORWARD", "2", VIRT_OUT_CHAIN}, + {"FORWARD", "3", VIRT_IN_POST_CHAIN}, + {"INPUT", "1", HOST_IN_CHAIN}, + }; + size_t i; + + // iptablesCreateBaseChainsFW already ran once for this layer, + // we don't have to recreate the base chains on every firewall update + if (baseChainFWDefined[layer]) + return; + + // set defined state so we skip the following logic next run + baseChainFWDefined[layer] =3D true; + + virFirewallStartTransaction(fw, 0); + + for (i =3D 0; i < G_N_ELEMENTS(fw_chains); i++) + virFirewallAddCmd(fw, layer, + "-C", fw_chains[i].chain, + "-j", fw_chains[i].targetChain, NULL); + + if (virFirewallApply(fw) =3D=3D 0) + // rules already in place + return; + + for (i =3D 0; i < 
G_N_ELEMENTS(fw_chains); i++) { + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", fw_chains[i].targetChain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", fw_chains[i].chain, "-j", + fw_chains[i].targetChain, NULL); + virFirewallAddCmd(fw, layer, + "-I", fw_chains[i].chain, fw_chains[i].position, + "-j", fw_chains[i].targetChain, NULL); + } } =20 =20 --=20 2.39.3 (Apple Git-146)
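Review bot: `baseChainFWDefined[layer] = true` is set before anything has been verified or applied, so if the `-C` probe fails and the `-N`/`-D`/`-I` commands queued afterwards on `fw` are not applied successfully by the caller, the flag stays true and the base chains are never created for that layer; set it only after the insertion is known to have succeeded, or clear it on failure. Second, the probes are queued with `virFirewallAddCmd`, i.e. not ignoring errors, and `virFirewallApply(fw) != 0` is then read as "rules missing": the normal first-boot case thereby goes through the error path, and since `fw` is the caller's object, `virFirewallApply(fw)` here also applies whatever the caller already queued on it before this call; please check how that interacts with the caller's own later apply. Queuing the probe via `virFirewallAddCmdFull(fw, layer, true, cb, opaque, "-C", ...)` and reading the result in the query callback, or probing with a separate `virFirewall` object, avoids both issues. Third, `-C FORWARD -j <chain>` only proves presence somewhere in the chain, while the code it replaces guaranteed positions 1/2/3 and 1; if presence is now considered sufficient, the commit message should say so. Fourth, a single failed probe deletes and re-inserts all four jumps, reopening the window for the three that were present; probing and re-inserting per chain keeps the fix tight. Style: libvirt uses `/* */` rather than `//` comments, and the comment between `if (virFirewallApply(fw) == 0)` and its `return;` should move above the `if`.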