qemu: log error on attempts to set filterref on an OVS-connected interface

ebtables/iptables processing is skipped for any interface connected to Open vSwitch (they have their own packet filtering), likewise for midonet (according to http://blog.midokura.com/2016/04/midonet-rule-chains), but libvirt would allow adding a <filterref> to interfaces connected in these ways, so the user might mistakenly believe they were being protected. This patch checks for a non-NULL <virtualport> element for an interface (or its network) and logs an error if <virtualport> and <filterref> are both present. This could cause some previously working domains to no longer start, but that's really the whole point of this patch - to warn people that their filterref isn't protecting them as they might have thought. I don't bother checking this during post-parse validation, because such a check would be incomplete - it's possible that a network would have a <virtualport> that would be applied to an interface, and you can't know that until the domain is started. Resolves: https://bugzilla.redhat.com/1502754

qemu: log error on attempts to set filterref on an OVS-connected interface
ebtables/iptables processing is skipped for any interface connected to Open vSwitch (they have their own packet filtering), likewise for midonet (according to http://blog.midokura.com/2016/04/midonet-rule-chains), but libvirt would allow adding a <filterref> to interfaces connected in these ways, so the user might mistakenly believe they were being protected. This patch checks for a non-NULL <virtualport> element for an interface (or its network) and logs an error if <virtualport> and <filterref> are both present. This could cause some previously working domains to no longer start, but that's really the whole point of this patch - to warn people that their filterref isn't protecting them as they might have thought. I don't bother checking this during post-parse validation, because such a check would be incomplete - it's possible that a network would have a <virtualport> that would be applied to an interface, and you can't know that until the domain is started. Resolves: https://bugzilla.redhat.com/1502754
16a9a281 · Laine Stump · b21163bd · 16a9a281
隐藏空白更改
内联并排

Showing with 19 addition and 9 deletion

src/qemu/qemu_command.c src/qemu/qemu_command.c +19 -9

未找到文件。
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -8545,15 +8545,25 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
    }

    /* and only TAP devices support nwfilter rules */
-    if (net->filter &&
-        !(actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
-          actualType == VIR_DOMAIN_NET_TYPE_BRIDGE ||
-          actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) {
-        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                       _("filterref is not supported for "
-                         "network interfaces of type %s"),
-                       virDomainNetTypeToString(actualType));
-        return -1;
+    if (net->filter) {
+        virNetDevVPortProfilePtr vport = virDomainNetGetActualVirtPortProfile(net);
+        if (!(actualType == VIR_DOMAIN_NET_TYPE_NETWORK ||
+              actualType == VIR_DOMAIN_NET_TYPE_BRIDGE ||
+              actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("filterref is not supported for "
+                             "network interfaces of type %s"),
+                           virDomainNetTypeToString(actualType));
+            return -1;
+        }
+        if (vport && vport->virtPortType != VIR_NETDEV_VPORT_PROFILE_NONE) {
+            /* currently none of the defined virtualport types support iptables */
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("filterref is not supported for "
+                             "network interfaces with virtualport type %s"),
+                           virNetDevVPortTypeToString(vport->virtPortType));
+            return -1;
+        }
    }

    if (net->backend.tap &&