From 570d0404352bfa02b6555660297778dbb4670b66 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Fri, 24 Sep 2010 12:06:17 -0400 Subject: [PATCH] nwfilter: report if ip(6)tables rules would not be active The patch below reports a warning in the log if the generated ip(6)tables rules would not be effective due to the proc filesystem entries /proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/bridge/bridge-nf-call-ip6tables containing a '0'. The warning tells the user what to do. I am rate-limiting the warning message to appear only every 10 seconds. --- src/nwfilter/nwfilter_ebiptables_driver.c | 51 +++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 885f12e392..b57d2e9b4c 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -24,6 +24,7 @@ #include #include +#include #include "internal.h" @@ -63,6 +64,13 @@ : "" +#define PROC_BRIDGE_NF_CALL_IPTABLES \ + "/proc/sys/net/bridge/bridge-nf-call-iptables" +#define PROC_BRIDGE_NF_CALL_IP6TABLES \ + "/proc/sys/net/bridge/bridge-nf-call-ip6tables" + +#define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */ + static char *ebtables_cmd_path; static char *iptables_cmd_path; static char *ip6tables_cmd_path; 
@@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, const void *b) } +static void +iptablesCheckBridgeNFCallEnabled(bool isIPv6) +{ + static time_t lastReport, lastReportIPv6; + const char *pathname = NULL; + char buffer[1]; + time_t now = time(NULL); + + if (isIPv6 && + (now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) { + pathname = PROC_BRIDGE_NF_CALL_IP6TABLES; + } else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) { + pathname = PROC_BRIDGE_NF_CALL_IPTABLES; + } + + if (pathname) { + int fd = open(pathname, O_RDONLY); + if (fd >= 0) { + if (read(fd, buffer, 1) == 1) { + if (buffer[0] == '0') { + char msg[256]; + snprintf(msg, sizeof(msg), + _("To enable ip%stables filtering for the VM do " + "'echo 1 > %s'"), + isIPv6 ? "6" : "", + pathname); + VIR_WARN0(msg); + if (isIPv6) + lastReportIPv6 = now; + else + lastReport = now; + } + } + close(fd); + } + } +} + + static int ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED, const char *ifname, @@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED, if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpiptchains; + + iptablesCheckBridgeNFCallEnabled(false); } if (haveIp6tables) { @@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED, if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpip6tchains; + + iptablesCheckBridgeNFCallEnabled(true); } if (chains_in != 0)
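Review bot: In iptablesCheckBridgeNFCallEnabled an IPv6 call that arrives inside the IPv6 rate-limit window does not return quietly but falls through to the `else if` branch, so it reads the IPv4 proc file and, because the message text still keys off isIPv6, tells the user to enable ip6tables by writing to bridge-nf-call-iptables, then stamps lastReportIPv6 instead of lastReport. Making the second branch explicit, `} else if (!isIPv6 && now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {`, keeps each address family on its own proc file and its own timer. The two static time_t values are written without any locking visible in this hunk; if ebiptablesApplyNewRules can run concurrently for different interfaces, a short comment naming what serialises callers (or a lock around the update) would avoid a benign-looking but real data race on the timestamps. A header comment would also help readers, e.g. `/* Log a warning (at most once per BRIDGE_NF_CALL_ALERT_INTERVAL seconds per family) when the bridge-nf-call sysctl reads '0', meaning the ip(6)tables rules just installed will not see bridged traffic. */`.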