提交 f8352e22 编写于 作者: S Stefan Berger

nwfiler: fix due to non-symmetric src mac address match in iptables

The attached patch fixes a problem caused by the mac match in iptables only
supporting --mac-source and not --mac-destination, so that it is not
symmetric. Therefore a rule like this one

<rule action='drop' direction='out'>
  <all match='no' srcmacaddr='$MAC'/>
</rule>

should only have the MAC match on traffic leaving the VM and not test
for the same source MAC address on traffic that the VM receives.
上级 d33b8726
...@@ -772,11 +772,18 @@ static int ...@@ -772,11 +772,18 @@ static int
iptablesHandleSrcMacAddr(virBufferPtr buf, iptablesHandleSrcMacAddr(virBufferPtr buf,
virNWFilterHashTablePtr vars, virNWFilterHashTablePtr vars,
nwItemDescPtr srcMacAddr, nwItemDescPtr srcMacAddr,
int directionIn ATTRIBUTE_UNUSED) int directionIn,
bool *srcmacskipped)
{ {
char macaddr[VIR_MAC_STRING_BUFLEN]; char macaddr[VIR_MAC_STRING_BUFLEN];
*srcmacskipped = false;
if (HAS_ENTRY_ITEM(srcMacAddr)) { if (HAS_ENTRY_ITEM(srcMacAddr)) {
if (directionIn) {
*srcmacskipped = true;
return 0;
}
if (printDataType(vars, if (printDataType(vars,
macaddr, sizeof(macaddr), macaddr, sizeof(macaddr),
srcMacAddr)) srcMacAddr))
...@@ -1039,6 +1046,8 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1039,6 +1046,8 @@ _iptablesCreateRuleInstance(int directionIn,
virBuffer buf = VIR_BUFFER_INITIALIZER; virBuffer buf = VIR_BUFFER_INITIALIZER;
const char *target; const char *target;
const char *iptables_cmd = (isIPv6) ? IP6TABLES_CMD : IPTABLES_CMD; const char *iptables_cmd = (isIPv6) ? IP6TABLES_CMD : IPTABLES_CMD;
unsigned int bufUsed;
bool srcMacSkipped = false;
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
...@@ -1052,10 +1061,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1052,10 +1061,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p tcp"); virBufferAddLit(&buf, " -p tcp");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.tcpHdrFilter.dataSrcMACAddr, &rule->p.tcpHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1093,10 +1105,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1093,10 +1105,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p udp"); virBufferAddLit(&buf, " -p udp");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.udpHdrFilter.dataSrcMACAddr, &rule->p.udpHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1121,10 +1136,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1121,10 +1136,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p udplite"); virBufferAddLit(&buf, " -p udplite");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.udpliteHdrFilter.dataSrcMACAddr, &rule->p.udpliteHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1144,10 +1162,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1144,10 +1162,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p esp"); virBufferAddLit(&buf, " -p esp");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.espHdrFilter.dataSrcMACAddr, &rule->p.espHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1167,10 +1188,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1167,10 +1188,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p ah"); virBufferAddLit(&buf, " -p ah");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.ahHdrFilter.dataSrcMACAddr, &rule->p.ahHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1190,10 +1214,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1190,10 +1214,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p sctp"); virBufferAddLit(&buf, " -p sctp");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.sctpHdrFilter.dataSrcMACAddr, &rule->p.sctpHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1221,10 +1248,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1221,10 +1248,13 @@ _iptablesCreateRuleInstance(int directionIn,
else else
virBufferAddLit(&buf, " -p icmpv6"); virBufferAddLit(&buf, " -p icmpv6");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.icmpHdrFilter.dataSrcMACAddr, &rule->p.icmpHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1272,10 +1302,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1272,10 +1302,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p igmp"); virBufferAddLit(&buf, " -p igmp");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.igmpHdrFilter.dataSrcMACAddr, &rule->p.igmpHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1295,10 +1328,13 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1295,10 +1328,13 @@ _iptablesCreateRuleInstance(int directionIn,
virBufferAddLit(&buf, " -p all"); virBufferAddLit(&buf, " -p all");
bufUsed = virBufferUse(&buf);
if (iptablesHandleSrcMacAddr(&buf, if (iptablesHandleSrcMacAddr(&buf,
vars, vars,
&rule->p.allHdrFilter.dataSrcMACAddr, &rule->p.allHdrFilter.dataSrcMACAddr,
directionIn)) directionIn,
&srcMacSkipped))
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
...@@ -1313,6 +1349,11 @@ _iptablesCreateRuleInstance(int directionIn, ...@@ -1313,6 +1349,11 @@ _iptablesCreateRuleInstance(int directionIn,
return -1; return -1;
} }
if (srcMacSkipped && bufUsed == virBufferUse(&buf)) {
virBufferFreeAndReset(&buf);
return 0;
}
if (match) if (match)
virBufferVSprintf(&buf, " %s", match); virBufferVSprintf(&buf, " %s", match);
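Review bot: When `srcMacSkipped` is true but other matches were appended after `bufUsed` was recorded, the final check added before `if (match)` lets the rule through without its MAC constraint and without any diagnostic, so an inbound rule that combines srcmacaddr with, say, an IP match is silently emitted broader than the filter author wrote it; the fully-skipped case (`return 0` with no rule instance) is equally silent. A debug or warning log line in both the skip branch of `iptablesHandleSrcMacAddr` and the early return here, stating that a srcmacaddr match cannot be applied to inbound iptables rules, would let operators see that their filter is not enforced as written, and the XML documentation for srcmacaddr should state the same limitation. `bufUsed` is also declared uninitialized; it is only read when `srcMacSkipped` is true, which every visible branch precedes with an assignment, but `unsigned int bufUsed = 0;` avoids a maybe-uninitialized warning should a branch outside these hunks omit that assignment. The body of `_iptablesCreateRuleInstance` starts and ends outside the hunks.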