Requesting the patch 13e9ba7c2b83e2c4fb74c17a885ffa8722137554 to be applied to RHEL 6.1 http://libvirt.org/git/?p=libvirt.git;a=commit;h=13e9ba7c2b83e2c4fb74c17a885ffa8722137554
Patch sent to rhvirt-patches: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-February/msg01459.html
Please provide some notes on how to effectively test/confirm this patch is applied/working correctly. Thanks.
Assuming an interface description like this one containing a line <filterref filter='acl-fw'/>:

  <interface type='bridge'>
    <source bridge='virbr0'/>
    <target dev='vnet0'/>
    <model type='virtio'/>
    <filterref filter='acl-fw'/>
  </interface>

and a nwfilter like this one:

  <filter name='acl-fw' chain='root'>
    <rule action='drop' direction='in' priority='400'>
      <all connlimit-above='1000' state='NEW' comment='test'/>
    </rule>
  </filter>

Once the VM has been started and has an interface called 'vnet0', the command

  iptables -L FO-vnet0 -n

should return the following output:

  Chain FO-vnet0 (1 references)
  target     prot opt source               destination
  DROP       all  --  0.0.0.0/0            0.0.0.0/0           state NEW #conn/32 > 1000 /* test */

*Previously* the output looked like this:

  Chain FO-vnet0 (1 references)
  target     prot opt source               destination
  DROP       all  --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 1000 /* test */ state NEW

with the 'state NEW' being at the end of the line.
I verified it on RHEL6-x86_64-Server with the following components and it passed:

  libvirt-0.8.7-10.el6
  qemu-kvm-0.12.1.2-2.149.el6
  kernel-2.6.32-118.el6

1. Install libvirt-0.8.7-10.el6.src.rpm, and found the "libvirt-nwfilter-reorder-match-extensions-relative-to-state-match.patch" patch was contained in the rpmbuild/SOURCE dir.

2. Define "acl-fw" by using the following xml:

  # virsh define acl-fw.xml
  Network filter acl-fw defined from acl-fw.xml

  # cat acl-fw.xml
  <filter name='acl-fw' chain='root'>
    <rule action='drop' direction='in' priority='400'>
      <all connlimit-above='1000' state='NEW' comment='test'/>
    </rule>
  </filter>

3. Start a guest with the following xml:

  <interface type='bridge'>
    <source bridge='virbr0'/>
    <target dev='vnet0'/>
    <model type='virtio'/>
    <filterref filter='acl-fw'/>
  </interface>

4. Check the iptables rule:

  # iptables -L FO-vnet0 -n
  Chain FO-vnet0 (1 references)
  target     prot opt source               destination
  DROP       all  --  0.0.0.0/0            0.0.0.0/0           state NEW #conn/32 > 1000 /* test */
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0596.html