qemu: log error on attempts to set filterref on an OVS-connected interface

ebtables/iptables processing is skipped for any interface connected to Open vSwitch (they have their own packet filtering), likewise for midonet (according to http://blog.midokura.com/2016/04/midonet-rule-chains), but libvirt would allow adding a <filterref> to interfaces connected in these ways, so the user might mistakenly believe they were being protected. This patch checks for a non-NULL <virtualport> element for an interface (or its network) and logs an error if <virtualport> and <filterref> are both present. This could cause some previously working domains to no longer start, but that's really the whole point of this patch - to warn people that their filterref isn't protecting them as they might have thought. I don't bother checking this during post-parse validation, because such a check would be incomplete - it's possible that a network would have a <virtualport> that would be applied to an interface, and you can't know that until the domain is started. Resolves: https://bugzilla.redhat.com/1502754
2025-02-22 03:12:22 +00:00 · 2017-12-12 16:18:07 -05:00 · 2017-12-12 16:18:07 -05:00 · 16a9a28129
commit 16a9a28129
parent b21163bd11
1 changed files with 19 additions and 9 deletions
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@ -8545,15 +8545,25 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
    }

    /* and only TAP devices support nwfilter rules */
-    if (net->filter &&
-        !(actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
-          actualType == VIR_DOMAIN_NET_TYPE_BRIDGE ||
-          actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) {
-        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                       _("filterref is not supported for "
-                         "network interfaces of type %s"),
-                       virDomainNetTypeToString(actualType));
-        return -1;
+    if (net->filter) {
+        virNetDevVPortProfilePtr vport = virDomainNetGetActualVirtPortProfile(net);
+        if (!(actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
+              actualType == VIR_DOMAIN_NET_TYPE_BRIDGE ||
+              actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("filterref is not supported for "
+                             "network interfaces of type %s"),
+                           virDomainNetTypeToString(actualType));
+            return -1;
+        }
+        if (vport && vport->virtPortType != VIR_NETDEV_VPORT_PROFILE_NONE) {
+            /* currently none of the defined virtualport types support iptables */
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("filterref is not supported for "
+                             "network interfaces with virtualport type %s"),
+                           virNetDevVPortTypeToString(vport->virtPortType));
+            return -1;
+        }
    }

    if (net->backend.tap &&