From: Dion Bosschieter
To: devel@lists.libvirt.org
Cc: jean-louis@dupond.be, dionbosschieter@gmail.com
Subject: [PATCH] nwfilter: Avoid firewall hole during VM startup by checking rule presence
Date: Thu, 12 Jun 2025 17:50:39 +0200
Message-Id: <20250612155039.79580-2-dionbosschieter@gmail.com>
In-Reply-To: <20250612155039.79580-1-dionbosschieter@gmail.com>
References: <20250612155039.79580-1-dionbosschieter@gmail.com>
List-Id: Development discussions about the libvirt library & tools
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Upon VM bootstrapping (start, restore, incoming migration) iptablesCreateBaseChainsFW is called and unconditionally deletes and reinserts top-level firewall chain jumps (e.g. INPUT, FORWARD rules). This briefly opens a hole in the firewall, allowing packets through until the insertions complete.

This commit ensures that the base chains are only created once per layer (IPV4/IPV6) and checks whether the expected rules already exist using `iptables -C`. If they do, no delete/insert operations are performed. This eliminates the short window where packets could bypass filters during VM lifecycle operations.
Signed-off-by: Dion Bosschieter --- src/nwfilter/nwfilter_ebiptables_driver.c | 79 ++++++++++++++--------- 1 file changed, 47 insertions(+), 32 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 067df6e612..42a0133159 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -131,6 +131,14 @@ static char chainprefixes_host_temp[3] =3D { 0 }; =20 +typedef struct { + const char *chain; + const char *position; + const char *targetChain; +} iptablesBaseChainFW; + +static bool baseChainFWDefined[VIR_FIREWALL_LAYER_LAST] =3D { false }; + static int printVar(virNWFilterVarCombIter *vars, char *buf, int bufsize, 
@@ -403,38 +411,45 @@ static void iptablesCreateBaseChainsFW(virFirewall *fw, virFirewallLayer layer) { - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", HOST_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL= ); - virFirewallAddCmd(fw, layer, - "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); + iptablesBaseChainFW fw_chains[] =3D { + {"FORWARD", "1", VIRT_IN_CHAIN}, + {"FORWARD", "2", VIRT_OUT_CHAIN}, + {"FORWARD", "3", VIRT_IN_POST_CHAIN}, + {"INPUT", "1", HOST_IN_CHAIN}, + }; + size_t i; + + // iptablesCreateBaseChainsFW already ran once for this layer, + // we don't have to recreate the base chains on every firewall update + if (baseChainFWDefined[layer]) + return; + + // set defined state so we skip the following logic next run + baseChainFWDefined[layer] =3D true; + + virFirewallStartTransaction(fw, 0); + + for (i =3D 0; i < G_N_ELEMENTS(fw_chains); i++) + virFirewallAddCmd(fw, layer, + "-C", fw_chains[i].chain, + "-j", fw_chains[i].targetChain, NULL); + + if (virFirewallApply(fw) =3D=3D 0) + // rules already in place + return; + + for (i =3D 0; i < 
G_N_ELEMENTS(fw_chains); i++) { + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", fw_chains[i].targetChain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", fw_chains[i].chain, "-j", + fw_chains[i].targetChain, NULL); + virFirewallAddCmd(fw, layer, + "-I", fw_chains[i].chain, fw_chains[i].position, + "-j", fw_chains[i].targetChain, NULL); + } } =20 =20 --=20 2.39.3 (Apple Git-146)
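Review bot: on the first hunk (`@@ -131,6 +131,14 @@`), `baseChainFWDefined[VIR_FIREWALL_LAYER_LAST]` is process-lifetime state that nothing in this patch ever clears, so once a layer is marked defined the base-chain jumps are never re-established for as long as the daemon runs, even if they later disappear (a firewalld reload or an administrator flushing the table). The code being removed re-created them on every VM start and so recovered from that on its own. Consider clearing the flag when a later apply for that layer fails, or keeping the `-C` probe on every call and using the flag only to skip the unconditional delete/insert sequence. Since the new struct and flag are only used by `iptablesCreateBaseChainsFW`, a short comment next to the declaration saying when the flag is set (and that it is never reset) would help the next reader.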
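Review bot: on the second hunk (`@@ -403,38 +411,45 @@`), the presence probe `"-C", fw_chains[i].chain, "-j", fw_chains[i].targetChain` checks only that the jump exists somewhere in the chain, not at the position it was inserted at, so a jump that has been pushed down by another rule inserted at position 1 still satisfies the check and the function returns without restoring the `-I ... 1/2/3` ordering the original code re-imposed on every start. Either verify the position (for example from `-S` or `-L --line-numbers` output) or state in the commit message that ordering is no longer enforced after the first start. Three smaller points: `baseChainFWDefined[layer] = true;` is set before any command has run, so if the `-N`/`-D`/`-I` commands queued in the second loop fail when the caller applies them the layer is still marked done and never retried; `virFirewallStartTransaction(fw, 0)` followed by `virFirewallApply(fw)` inside a helper that receives the caller's `fw` executes whatever the caller already queued on that object mid-sequence, and whether the failing `-C` group stays queued and is re-run (and fails again) on the caller's own later apply needs confirming against virfirewall.c before this is merged; and the `-C` commands are added with `virFirewallAddCmd` rather than the ignore-errors form (`virFirewallAddCmdFull(fw, layer, true, NULL, NULL, ...)`) used for `-N` and `-D`, so the expected "rules missing" path also raises a libvirt error that is then left set. Style: libvirt C code uses `/* */` comments rather than `//`, and the comment sitting between `if (virFirewallApply(fw) == 0)` and its `return;` should move above the `if`.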
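The check-before-insert idiom the commit message describes, written as a stand-alone POSIX shell helper so it can be tried outside libvirt (an added example for this review, not libvirt's code): `ensure_jump` probes with `iptables -C` and inserts only when the jump is missing, never deleting an existing one, so there is no moment without the jump; `jump_at_position` goes one step beyond the patch and shows the limitation of `-C`, which confirms presence but not position. `IPT`, `ensure_jump`, `jump_at_position`, `demo` and the in-memory `stub_iptables` are assumptions of this example, and the chain names `libvirt-in`, `libvirt-out` and `libvirt-host-in` are constructed placeholders rather than libvirt's real chain names.

```shell
#!/bin/sh
# Idempotent "ensure the jump exists" helper in the spirit of the patch:
# probe with -C first and insert only when the rule is missing, instead of
# deleting and re-inserting (which leaves a window with no jump in place).
# Assumed helper written for this review, not libvirt code. IPT names the
# iptables binary; point it at stub_iptables (below) to run without root.
IPT="${IPT:-iptables}"

# ensure_jump CHAIN POSITION TARGET
# exit status: 0 = jump already present, 1 = jump inserted now,
#              2 = iptables refused the insert
ensure_jump() {
    chain=$1; pos=$2; target=$3
    if "$IPT" -C "$chain" -j "$target" 2>/dev/null; then
        return 0
    fi
    "$IPT" -N "$target" 2>/dev/null || true   # target chain may already exist
    "$IPT" -I "$chain" "$pos" -j "$target" || return 2
    return 1
}

# jump_at_position CHAIN POSITION TARGET
# -C only answers "is there such a rule somewhere in CHAIN". This checks
# that the POSITION-th rule of CHAIN is exactly the bare jump to TARGET,
# which is what "-I CHAIN POSITION -j TARGET" was trying to guarantee.
jump_at_position() {
    chain=$1; pos=$2; target=$3
    line=$("$IPT" -S "$chain" | grep '^-A ' | sed -n "${pos}p")
    [ "$line" = "-A $chain -j $target" ]
}

# Constructed in-memory stand-in for iptables so the script runs without
# root or netfilter. RULES holds "CHAIN TARGET" lines in rule order; only
# the verbs used above (-C, -N, -I, -S) are understood, and an -I position
# past the end of the chain appends (real iptables rejects it).
RULES=""
stub_iptables() {
    verb=$1; shift
    case "$verb" in
        -C) printf '%s\n' "$RULES" | grep -qx "$1 $3" ;;
        -N) return 0 ;;
        -I) s_chain=$1; s_pos=$2; s_target=$4
            RULES=$(printf '%s\n' "$RULES" | awk -v c="$s_chain" -v p="$s_pos" -v t="$s_target" '
                BEGIN { n = 0; done = 0 }
                $1 == c { n++; if (n == p) { print c " " t; done = 1 } }
                NF { print }
                END { if (!done) print c " " t }') ;;
        -S) printf '%s\n' "$RULES" | awk -v c="$1" '$1 == c { print "-A " c " -j " $2 }' ;;
        *)  echo "stub_iptables: unsupported verb $verb" >&2; return 1 ;;
    esac
}

# Walk through the idiom against the stub: the first call inserts, the
# second is a no-op, and a foreign rule inserted ahead of the jump shows
# why -C alone does not prove the position. Run with: sh this_file.sh demo
demo() {
    IPT=stub_iptables
    ensure_jump FORWARD 1 libvirt-in; echo "first call:  status $? (1 = inserted)"
    ensure_jump FORWARD 1 libvirt-in; echo "second call: status $? (0 = already present)"
    stub_iptables -I FORWARD 1 -j ACCEPT
    ensure_jump FORWARD 1 libvirt-in; echo "after a foreign rule at 1: -C still says $?"
    jump_at_position FORWARD 1 libvirt-in || echo "but the jump is no longer at position 1:"
    stub_iptables -S FORWARD
}
case "${1:-}" in demo) demo ;; esac
```

Against a real host, leave `IPT` unset and run `ensure_jump FORWARD 1 libvirt-in; echo $?` as root; the status tells you whether the rule was already there, which is the information the patch's `-C` loop uses to skip the delete/insert. The deliberate choice is that nothing is ever deleted: if a later change needs the jump moved, verify with `jump_at_position` first and only then reorder, so the "present but wrong position" case is handled explicitly rather than by a blind delete/insert.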