From f8352e221f05910d9f6ab00edc0eb664efc0018b Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 7 Apr 2010 06:28:16 -0400 Subject: [PATCH] nwfiler: fix due to non-symmetric src mac address match in iptables The attached patch fixes a problem due to the mac match in iptables only supporting --mac-source and no --mac-destination, thus it not being symmetric. Therefore a rule like this one should only have the MAC match on traffic leaving the VM and not test for the same source MAC address on traffic that the VM receives. --- src/nwfilter/nwfilter_ebiptables_driver.c | 61 +++++++++++++++++++---- 1 file changed, 51 insertions(+), 10 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index ec2542bb7f..4ec7edffc0 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -772,11 +772,18 @@ static int iptablesHandleSrcMacAddr(virBufferPtr buf, virNWFilterHashTablePtr vars, nwItemDescPtr srcMacAddr, - int directionIn ATTRIBUTE_UNUSED) + int directionIn, + bool *srcmacskipped) { char macaddr[VIR_MAC_STRING_BUFLEN]; + *srcmacskipped = false; if (HAS_ENTRY_ITEM(srcMacAddr)) { + if (directionIn) { + *srcmacskipped = true; + return 0; + } + if (printDataType(vars, macaddr, sizeof(macaddr), srcMacAddr)) @@ -1039,6 +1046,8 @@ _iptablesCreateRuleInstance(int directionIn, virBuffer buf = VIR_BUFFER_INITIALIZER; const char *target; const char *iptables_cmd = (isIPv6) ? IP6TABLES_CMD : IPTABLES_CMD; + unsigned int bufUsed; + bool srcMacSkipped = false; PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); @@ -1052,10 +1061,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p tcp"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.tcpHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1093,10 +1105,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p udp"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.udpHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1121,10 +1136,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p udplite"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.udpliteHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1144,10 +1162,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p esp"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.espHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1167,10 +1188,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p ah"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.ahHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1190,10 +1214,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p sctp"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.sctpHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1221,10 +1248,13 @@ _iptablesCreateRuleInstance(int directionIn, else virBufferAddLit(&buf, " -p icmpv6"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.icmpHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1272,10 +1302,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p igmp"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.igmpHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1295,10 +1328,13 @@ _iptablesCreateRuleInstance(int directionIn, virBufferAddLit(&buf, " -p all"); + bufUsed = virBufferUse(&buf); + if (iptablesHandleSrcMacAddr(&buf, vars, &rule->p.allHdrFilter.dataSrcMACAddr, - directionIn)) + directionIn, + &srcMacSkipped)) goto err_exit; if (iptablesHandleIpHdr(&buf, @@ -1313,6 +1349,11 @@ _iptablesCreateRuleInstance(int directionIn, return -1; } + if (srcMacSkipped && bufUsed == virBufferUse(&buf)) { + virBufferFreeAndReset(&buf); + return 0; + } + if (match) virBufferVSprintf(&buf, " %s", match);