git.ipfire.org Git - thirdparty/libvirt.git/commit
Fix bridge configuration when OUTPUT policy is DROP on the host
author Lénaïc Huard <lenaic@lhuard.fr.eu.org>
Tue, 17 Dec 2013 17:56:28 +0000 (18:56 +0100)
committer Michal Privoznik <mprivozn@redhat.com>
Tue, 7 Jan 2014 17:18:29 +0000 (18:18 +0100)
commit 538daf7f3a7090d6a7ec94d11c17e509eceb642c
tree 4f07f990466c31fce535ee7dc54056a9f9b35550
parent 9a3d7a47788510872587c052716b43806fa36a6f
Fix bridge configuration when OUTPUT policy is DROP on the host

When the host is configured with a very restrictive firewall (default policy
is DROP for all chains, including OUTPUT), the bridge driver for Linux
adds netfilter entries to allow DHCP and DNS requests to go from the VM
to the dnsmasq of the host.

The issue that this commit fixes is the fact that a DROP policy on the OUTPUT
chain blocks the DHCP replies from the host's dnsmasq to the VM.
As DHCP replies are sent in UDP, they are not caught by any --ctstate ESTABLISHED
rule and so need to be explicitly allowed.

Signed-off-by: Lénaïc Huard <lenaic@lhuard.fr.eu.org>
src/libvirt_private.syms
src/network/bridge_driver_linux.c
src/util/viriptables.c
src/util/viriptables.h
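The host-side situation the commit message describes, as an added example that is not libvirt's own code: an audit of the OUTPUT chain that reports whether dnsmasq's DHCP replies can leave on the bridge, run against constructed before/after rule dumps. The bridge name virbr0, the DHCP ports and the exact rule form are assumptions.

```shell
# Added example (not libvirt's code). Assumes bridge virbr0 and the usual
# DHCP ports (server 67 -> client 68); the rule form mirrors the commit message.

# Rule that lets the host's dnsmasq answer DHCP on the bridge even when the
# OUTPUT chain's policy is DROP (UDP replies to client port 68).
dhcp_reply_rule() {
  echo "-A OUTPUT -o $1 -p udp -m udp --dport 68 -j ACCEPT"
}

# Audit an OUTPUT chain dump in the format of `iptables -S OUTPUT`.
# Prints "ok" (status 0) when DHCP replies can leave on the bridge,
# "blocked" (status 1) otherwise. Arguments: bridge name, chain dump.
audit_dhcp_output() {
  br="$1"; dump="$2"
  policy=$(printf '%s\n' "$dump" | sed -n 's/^-P OUTPUT //p')
  if [ "$policy" = "ACCEPT" ]; then
    echo ok; return 0
  fi
  # Policy is DROP (or unknown): only an explicit accept rule saves the reply.
  if printf '%s\n' "$dump" | grep -qF -- "$(dhcp_reply_rule "$br")"; then
    echo ok; return 0
  fi
  echo blocked; return 1
}

# Constructed sample: the restrictive host from the commit message, before
# the fix. The ESTABLISHED rule alone does not cover the DHCP replies.
BEFORE='-P OUTPUT DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

# Constructed sample: the same host after the explicit DHCP-reply rule is added.
AFTER="$BEFORE
$(dhcp_reply_rule virbr0)"

audit_dhcp_output virbr0 "$BEFORE" || :   # prints: blocked
audit_dhcp_output virbr0 "$AFTER"         # prints: ok

# On a real host (as root): audit_dhcp_output virbr0 "$(iptables -S OUTPUT)"
# and, if blocked, add the rule with: iptables $(dhcp_reply_rule virbr0)
```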