External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-05 22:05:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

nwfilter: report if ip(6)tables rules would not be active

Browse Source 
The patch below reports a warning in the log if the generated ip(6)tables rules would not be effective due to the proc filesystem entries

    /proc/sys/net/bridge/bridge-nf-call-iptables
    /proc/sys/net/bridge/bridge-nf-call-ip6tables

containing a '0'. The warning tells the user what to do. I am rate-limiting the warning message to appear only every 10 seconds.
This commit is contained in:
Stefan Berger 2010-09-24 12:06:17 -04:00
parent 2e5e614e6b
commit 570d040435
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -24,6 +24,7 @@
#include <config.h> #include <config.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <fcntl.h>
#include "internal.h" #include "internal.h"
@ -63,6 +64,13 @@
: "" : ""
#define PROC_BRIDGE_NF_CALL_IPTABLES \
"/proc/sys/net/bridge/bridge-nf-call-iptables"
#define PROC_BRIDGE_NF_CALL_IP6TABLES \
"/proc/sys/net/bridge/bridge-nf-call-ip6tables"
#define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */
static char *ebtables_cmd_path; static char *ebtables_cmd_path;
static char *iptables_cmd_path; static char *iptables_cmd_path;
static char *ip6tables_cmd_path; static char *ip6tables_cmd_path;
@ -2986,6 +2994,45 @@ ebiptablesRuleOrderSort(const void *a, const void *b)
} }
static void
iptablesCheckBridgeNFCallEnabled(bool isIPv6)
{
static time_t lastReport, lastReportIPv6;
const char *pathname = NULL;
char buffer[1];
time_t now = time(NULL);
if (isIPv6 &&
(now - lastReportIPv6) > BRIDGE_NF_CALL_ALERT_INTERVAL ) {
pathname = PROC_BRIDGE_NF_CALL_IP6TABLES;
} else if (now - lastReport > BRIDGE_NF_CALL_ALERT_INTERVAL) {
pathname = PROC_BRIDGE_NF_CALL_IPTABLES;
}
if (pathname) {
int fd = open(pathname, O_RDONLY);
if (fd >= 0) {
if (read(fd, buffer, 1) == 1) {
if (buffer[0] == '0') {
char msg[256];
snprintf(msg, sizeof(msg),
_("To enable ip%stables filtering for the VM do "
"'echo 1 > %s'"),
isIPv6 ? "6" : "",
pathname);
VIR_WARN0(msg);
if (isIPv6)
lastReportIPv6 = now;
else
lastReport = now;
}
}
close(fd);
}
}
}
static int static int
ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED, ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
const char *ifname, const char *ifname,
@ -3099,6 +3146,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpiptchains; goto tear_down_tmpiptchains;
iptablesCheckBridgeNFCallEnabled(false);
} }
if (haveIp6tables) { if (haveIp6tables) {
@ -3129,6 +3178,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
goto tear_down_tmpip6tchains; goto tear_down_tmpip6tchains;
iptablesCheckBridgeNFCallEnabled(true);
} }
if (chains_in != 0) if (chains_in != 0)