Bug 1067441
Summary: nwfilter with direction out are put in all iptables chains

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | Stephan Sachse <ste.sachse> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | acathrow, stefanb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-03-11 11:39:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Stephan Sachse
2014-02-20 13:10:42 UTC
For the above shown filters all iptables rules are correctly generated. The RETURN in (FI-vnet0 -- speak *F*orwarded traffic *I*ncoming through vnet0) is added since traffic originating from a VM on the local host may have another VM on the local host as destination. So we cannot accept the traffic here because the destination VM may have a policy not allowing it to receive this traffic. Only once traffic has been filtered for the receiving VM (FO-vethX -- speak *F*orwarded traffic *O*utgoing through vnetX) will it be ACCEPT'ed. This makes the rules look more complicated. When the rules are generated it is not known whether another VM on the same host will be the recipient.

The 2nd filter leaves creating the rules for accepting stateful filtered traffic up to libvirt, and that's why it generated such rules. The rule in FI-vnet0-fedora2 is for accepting (subject to further filtering, so a RETURN) all traffic originating from the VM per its filtering policy. The rule in FO-vnet0-fedora2 is for allowing the incoming traffic to be responded to, so it's for accepting traffic in the return path.

HI-vnet0-fedora2 is similar to FI-vnet0-fedora2 in that it accepts all traffic originating from the VM per its filtering policy but destined for the local host, where the traffic now has to pass the filtering rules of the INPUT chain on the host. So also here ACCEPT is not used right away, since this would mean ACCEPTing the traffic on the local host, but RETURN is used instead so that we can use this filter from the INPUT chain.
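The RETURN-versus-ACCEPT distinction in the comment above is easiest to see by walking packets through the chain layout. The following model is an added example, not code from libvirt or from this bug report: it implements iptables verdict semantics (ACCEPT and DROP terminate, RETURN hands control back to the calling chain, a user chain that falls through also returns) and wires up per-interface FI-/FO-/HI- chains the way the comment describes. The top-level chain names `libvirt-in`, `libvirt-out`, `libvirt-in-post` and `libvirt-host-in`, the two interfaces `vnet0`/`vnet1`, and the per-VM and host policies are assumptions chosen for the example; `build_chains("ACCEPT")` shows what would go wrong if the FI/HI chains ACCEPTed instead of RETURNing.

```python
"""Model of iptables chain traversal for libvirt-style nwfilter chains.

Added example, not libvirt code. Only ACCEPT/DROP/RETURN verdict
semantics are modelled; packets are TCP with an ingress interface,
an egress interface (None for locally delivered traffic) and a port.
Chain wiring and policies below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str              # interface the packet arrived on, e.g. "vnet0"
    out_if: Optional[str]   # egress interface for FORWARD, None for INPUT
    dport: int              # TCP destination port


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    target: str             # "ACCEPT", "DROP", "RETURN", or a user chain to jump to


Chains = Dict[str, List[Rule]]


def any_pkt(p: Packet) -> bool:
    return True


def in_if(name: str):
    return lambda p: p.in_if == name


def out_if(name: str):
    return lambda p: p.out_if == name


def dport(port: int):
    return lambda p: p.dport == port


def walk(chains: Chains, chain: str, pkt: Packet) -> Optional[str]:
    """Evaluate one chain. Returns ACCEPT or DROP, or None when the chain
    hit RETURN or fell off its end (control goes back to the caller)."""
    for rule in chains[chain]:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        v = walk(chains, rule.target, pkt)   # jump into a user chain
        if v is not None:
            return v                          # terminal verdict propagates up
    return None


def verdict(chains: Chains, builtin: str, pkt: Packet, policy: str = "DROP") -> str:
    """Final verdict for a built-in chain; the chain policy applies on fall-through."""
    return walk(chains, builtin, pkt) or policy


def build_chains(fi_target: str = "RETURN") -> Chains:
    """Assumed policies: vnet0 may send TCP/22 and TCP/80 anywhere; vnet1
    accepts only TCP/22; the host's own INPUT rules accept only TCP/22.
    fi_target is the verdict FI-vnet0/HI-vnet0 use for allowed traffic:
    RETURN (what libvirt does) or ACCEPT (the naive, wrong choice)."""
    return {
        "FORWARD": [Rule(any_pkt, "libvirt-in"), Rule(any_pkt, "libvirt-out"),
                    Rule(any_pkt, "libvirt-in-post")],
        "libvirt-in": [Rule(in_if("vnet0"), "FI-vnet0")],
        "libvirt-out": [Rule(out_if("vnet1"), "FO-vnet1")],
        "libvirt-in-post": [Rule(in_if("vnet0"), "ACCEPT")],   # accept what survived both filters
        "FI-vnet0": [Rule(dport(22), fi_target), Rule(dport(80), fi_target), Rule(any_pkt, "DROP")],
        "FO-vnet1": [Rule(dport(22), "ACCEPT"), Rule(any_pkt, "DROP")],
        "INPUT": [Rule(any_pkt, "libvirt-host-in"), Rule(dport(22), "ACCEPT")],
        "libvirt-host-in": [Rule(in_if("vnet0"), "HI-vnet0")],
        "HI-vnet0": [Rule(dport(22), fi_target), Rule(dport(80), fi_target), Rule(any_pkt, "DROP")],
    }


def scenarios(fi_target: str = "RETURN") -> Dict[str, str]:
    """Verdicts for a handful of constructed packets from vnet0."""
    c = build_chains(fi_target)
    return {
        "vm0->vm1:80":   verdict(c, "FORWARD", Packet("vnet0", "vnet1", 80)),
        "vm0->vm1:22":   verdict(c, "FORWARD", Packet("vnet0", "vnet1", 22)),
        "vm0->eth0:80":  verdict(c, "FORWARD", Packet("vnet0", "eth0", 80)),
        "vm0->eth0:443": verdict(c, "FORWARD", Packet("vnet0", "eth0", 443)),
        "vm0->host:80":  verdict(c, "INPUT", Packet("vnet0", None, 80)),
        "vm0->host:22":  verdict(c, "INPUT", Packet("vnet0", None, 22)),
    }


if __name__ == "__main__":
    for target in ("RETURN", "ACCEPT"):
        print(f"FI/HI chains use {target}:")
        for name, v in scenarios(target).items():
            print(f"  {name:14} {v}")
```

With RETURN, traffic from vnet0 to vnet1 on port 80 is dropped because FO-vnet1 gets its turn, and port 80 to the host is dropped because the host's own INPUT rules get theirs; with ACCEPT in FI-vnet0/HI-vnet0 both would be accepted before the receiving side's policy is ever consulted, which is exactly the bypass the comment's design avoids.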