| Summary: | Request for inclusion of nwfilter patch [13e9ba7c2b83e2c4fb74c17a885ffa8722137554] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Stefan Berger <stefanb> |
| Component: | libvirt | Assignee: | Daniel Veillard <veillard> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1 | CC: | dallan, dyuan, eblake, jdenemar, mjenner, xen-maint, xhu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-0.8.7-10.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 13:27:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Stefan Berger
2011-02-16 21:15:23 UTC
Patch sent to rhvirt-patches: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-February/msg01459.html

Please provide some notes on how to effectively test/confirm this patch is applied/working correctly. Thanks.

Assuming an interface description like this one, containing a line `<filterref filter='acl-fw'/>`:

```xml
<interface type='bridge'>
  <source bridge='virbr0'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <filterref filter='acl-fw'/>
</interface>
```

and an nwfilter like this one:

```xml
<filter name='acl-fw' chain='root'>
  <rule action='drop' direction='in' priority='400'>
    <all connlimit-above='1000' state='NEW' comment='test'/>
  </rule>
</filter>
```

Once the VM has been started and has an interface called 'vnet0', the command

```
iptables -L FO-vnet0 -n
```

should return the following output:

```
Chain FO-vnet0 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state NEW #conn/32 > 1000 /* test */
```

*Previously* the output looked like this:

```
Chain FO-vnet0 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 1000 /* test */ state NEW
```

with the 'state NEW' being at the end of the line.
I verified it on RHEL6-x86_64-Server with the following components and it passed:

libvirt-0.8.7-10.el6
qemu-kvm-0.12.1.2-2.149.el6
kernel-2.6.32-118.el6

1. Installed libvirt-0.8.7-10.el6.src.rpm and found that the "libvirt-nwfilter-reorder-match-extensions-relative-to-state-match.patch" patch was contained in the rpmbuild/SOURCE dir.

2. Defined "acl-fw" by using the following xml:

```
# virsh define acl-fw.xml
Network filter acl-fw defined from acl-fw.xm
# cat acl-fw.xml
<filter name='acl-fw' chain='root'>
<rule action='drop' direction='in' priority='400'>
<all connlimit-above='1000' state='NEW' comment='test'/>
</rule>
</filter>
```

3. Started a guest with the following xml:

```xml
<interface type='bridge'>
  <source bridge='virbr0'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <filterref filter='acl-fw'/>
</interface>
```

4. Checked the iptables rule:

```
# iptables -L FO-vnet0 -n
Chain FO-vnet0 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state NEW #conn/32 > 1000 /* test */
```
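The two comments above describe the same check by hand: the nwfilter rule is defined, the guest is started, and the `FO-vnet0` chain is listed to confirm that `state NEW` now precedes the connlimit match. The script below is an added example, not code from the bug report or from libvirt, that automates that comparison: it parses `iptables -L <chain> -n` output, derives the expected target, state, connlimit and comment from the nwfilter XML, and reports whether the listing matches with the state match printed first. The XML and both listings are constructed inline from the text of this report; the `/32` connlimit mask is taken from the report's own output, and the `parse_chain`, `expected_rules` and `verify_chain` names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample inputs, modelled on the listings in this bug report.
FILTER_XML = """\
<filter name='acl-fw' chain='root'>
  <rule action='drop' direction='in' priority='400'>
    <all connlimit-above='1000' state='NEW' comment='test'/>
  </rule>
</filter>
"""

FIXED_LISTING = """\
Chain FO-vnet0 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state NEW #conn/32 > 1000 /* test */
"""

BROKEN_LISTING = """\
Chain FO-vnet0 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 1000 /* test */ state NEW
"""

_CONNLIMIT_RE = re.compile(r"#conn/(\d+) > (\d+)")
_STATE_RE = re.compile(r"\bstate (\S+)")
_COMMENT_RE = re.compile(r"/\* (.*?) \*/")


def parse_chain(listing: str) -> list[dict]:
    """Parse `iptables -L <chain> -n` output into one dict per rule.

    Each dict records the target, the decoded state/connlimit/comment
    matches, and where the state and connlimit matches sit in the line."""
    lines = listing.strip().splitlines()
    if not lines or not lines[0].startswith("Chain "):
        raise ValueError("not an iptables chain listing")
    rules = []
    for line in lines[2:]:  # skip the 'Chain ...' line and the column header
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        matches = parts[5] if len(parts) == 6 else ""
        conn = _CONNLIMIT_RE.search(matches)
        state = _STATE_RE.search(matches)
        comment = _COMMENT_RE.search(matches)
        rules.append({
            "target": parts[0],
            "state": state.group(1) if state else None,
            "state_pos": state.start() if state else None,
            "connlimit": (int(conn.group(1)), int(conn.group(2))) if conn else None,
            "connlimit_pos": conn.start() if conn else None,
            "comment": comment.group(1) if comment else None,
        })
    return rules


def state_precedes_connlimit(rule: dict) -> Optional[bool]:
    """True if the state match is printed before the connlimit match,
    False if it comes after, None if the rule lacks one of the two."""
    if rule["state_pos"] is None or rule["connlimit_pos"] is None:
        return None
    return rule["state_pos"] < rule["connlimit_pos"]


def expected_rules(filter_xml: str) -> list[dict]:
    """Derive the expected target, state, connlimit and comment from nwfilter XML."""
    root = ET.fromstring(filter_xml)
    expected = []
    for rule in root.findall("rule"):
        for match in rule:  # <all/>, <tcp/>, ... protocol elements
            above = match.get("connlimit-above")
            expected.append({
                "target": rule.get("action", "").upper(),
                "state": match.get("state"),
                # /32 is the mask shown in the report's own iptables output
                "connlimit": (32, int(above)) if above else None,
                "comment": match.get("comment"),
            })
    return expected


def verify_chain(filter_xml: str, listing: str) -> bool:
    """Check that the chain carries the filter's rules with state before connlimit."""
    got = parse_chain(listing)
    want = expected_rules(filter_xml)
    if len(got) != len(want):
        return False
    for g, w in zip(got, want):
        if any(g[k] != w[k] for k in ("target", "state", "connlimit", "comment")):
            return False
        if state_precedes_connlimit(g) is False:
            return False
    return True


if __name__ == "__main__":
    print("fixed listing ok:", verify_chain(FILTER_XML, FIXED_LISTING))
    print("broken listing ok:", verify_chain(FILTER_XML, BROKEN_LISTING))
```

On a live host the listing would come from running `iptables -L FO-vnet0 -n` after the guest is up; the fixed listing from this report passes and the pre-patch listing fails only on the match order, which is exactly the difference the patch is meant to produce.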
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html