Bug 681948 - Request for inclusion of nwfilter patch [912d170f87b3d147bfde987249a727f7a7c7f1d7]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
: ---
Assignee: Laine Stump
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-03-03 16:57 UTC by Stefan Berger
Modified: 2011-05-19 13:28 UTC (History)

Fixed In Version: libvirt-0.8.7-16.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:28:30 UTC
Target Upstream Version:
stefanb: needinfo+




Links:
Red Hat Product Errata RHBA-2011:0596 (priority normal, status SHIPPED_LIVE): libvirt bug fix and enhancement update, last updated 2011-05-18 17:56:36 UTC

Description Stefan Berger 2011-03-03 16:57:16 UTC
Description of the problem:

Requesting the patch 912d170f87b3d147bfde987249a727f7a7c7f1d7 to be applied to RHEL 6.1

http://libvirt.org/git/?p=libvirt.git;a=commit;h=912d170f87b3d147bfde987249a727f7a7c7f1d7


Packets not accepted by a VM's nwfilter configuration could not be rejected with an ICMP message sent back to the originator but could only be dropped.


To verify that this patch was applied:

Assuming an interface description like this one containing a line <filterref filter='acl-fw'/>

    <interface type='bridge'>
      <source bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <filterref filter='acl-fw'/>
    </interface>


and a nwfilter like this one:

<filter name='acl-fw' chain='root'>
  <rule action='reject' direction='in' priority='400'>
    <all/>
  </rule>
</filter>

Once the VM has been started and has an interface called 'vnet0', the command

iptables -L FO-vnet0 -n

should return the following output:

iptables -L FI-vnet0
Chain FI-vnet0 (1 references)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Previous versions of libvirt would simply discard the <rule...> line in the XML since 'reject' was not known.
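As an added example, not part of the bug report or of libvirt itself: a small shell check that parses a chain listing like the one quoted above and reports whether the nwfilter 'reject' rule actually reached iptables, so the verification step can be scripted instead of eyeballed. The chain name FI-<dev> follows the report; the two sample listings below are constructed, one for a fixed libvirt and one for an unpatched build that silently discarded the rule (leaving the chain empty). The `-n` flag is assumed for the live check, which is why the constructed sample shows 0.0.0.0/0 rather than "anywhere".

```shell
# has_reject_rule LISTING
# Returns 0 if the iptables chain listing in $1 contains a REJECT rule
# with an ICMP reject-with target, 1 otherwise.
has_reject_rule() {
    printf '%s\n' "$1" | grep -Eq '^REJECT[[:space:]].*reject-with icmp-'
}

# rule_count LISTING
# Prints the number of rule lines in the listing, skipping the
# "Chain ..." line and the column-header line. A count of 0 means the
# <rule> element was dropped (the pre-patch behaviour described above).
rule_count() {
    printf '%s\n' "$1" | sed '1,2d' | grep -c . || true
}

# check_iface DEV
# Live check (needs root): lists the FI-<dev> chain with -n and applies
# has_reject_rule to it. Returns 2 if the chain does not exist, i.e. the
# VM is not running or has no filter attached.
check_iface() {
    dev=$1
    out=$(iptables -L "FI-$dev" -n 2>/dev/null) || return 2
    has_reject_rule "$out"
}

# Constructed sample: what a fixed libvirt should produce for the
# acl-fw filter from the report (iptables -L FI-vnet0 -n).
SAMPLE_FIXED='Chain FI-vnet0 (1 references)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Constructed sample: an unpatched libvirt discards the unknown
# action, so the chain exists but carries no rule.
SAMPLE_UNPATCHED='Chain FI-vnet0 (1 references)
target     prot opt source               destination'
```

Usage on a host with the VM running: `check_iface vnet0 && echo "reject rule present"`; a return of 1 with `rule_count` reporting 0 is the signature of the old behaviour, where the rule was silently dropped and the traffic was neither rejected nor dropped by that rule.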

Comment 4 Stefan Berger 2011-03-29 15:30:57 UTC
Once the build is available I can run the libvirt-tck test cases against it.

Thanks.
   Stefan

Comment 5 Laine Stump 2011-03-29 21:18:58 UTC
This patch applied cleanly to RHEL6.1 libvirt, and has been posted to rhvirt-patches, and ACKed:

http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-March/msg00862.html

Comment 9 Stefan Berger 2011-04-07 13:04:28 UTC
The TCK test suite passes the tests regarding the reject target (covered by this patch request) on libvirt 0.8.7-16. From my perspective you can close the bug. Thanks.

Comment 10 Min Zhan 2011-04-08 02:21:16 UTC
According to Comment #9, setting this bug status to Verified.

Comment 13 errata-xmlrpc 2011-05-19 13:28:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html

