]> git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
projects / thirdparty / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e7a7bfa)
nwfilter: Remove 'qemu-announce-self' example
authorPeter Krempa <pkrempa@redhat.com>
Mon, 7 Jul 2025 06:38:03 +0000 (08:38 +0200)
committerPeter Krempa <pkrempa@redhat.com>
Tue, 8 Jul 2025 12:58:04 +0000 (14:58 +0200)
The example allows packets sent by qemu after migration with broken
protocol ID. The proper self announce is handled via
'qemu-announce-self-rarp'.

The qemu bug was addressed by f8778a7785d530515b0db39 (released as
v0.13.0). As we no longer support such old qemus, and allowing broken
packets makes no sense. Remove the rule and make it into an alias of
'qemu-announce-self-rarp' to preserve compatibility. Adjust the existing
examples to use only the proper rule.t

Closes: https://gitlab.com/libvirt/libvirt/-/issues/792
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
docs/firewall.rst patch | blob | blame | history
docs/formatnwfilter.rst patch | blob | blame | history
src/nwfilter/xml/clean-traffic-gateway.xml patch | blob | blame | history
src/nwfilter/xml/clean-traffic.xml patch | blob | blame | history
src/nwfilter/xml/qemu-announce-self-rarp.xml patch | blob | blame | history
src/nwfilter/xml/qemu-announce-self.xml patch | blob | blame | history

diff --git a/docs/firewall.rst b/docs/firewall.rst
index 26474d3317102449063fe14d29bc961162163c29..81114d2c950fd407754d981e1ef2886a10a5bf12 100644 (file)
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@@ -285,7 +285,6 @@ useful rules:
    fb57c546-76dc-a372-513f-e8179011b48a  no-mac-spoofing
    dba10ea7-446d-76de-346f-335bd99c1d05  no-other-l2-traffic
    f5c78134-9da4-0c60-a9f0-fb37bc21ac1f  no-other-rarp-traffic
-   7637e405-4ccf-42ac-5b41-14f8d03d8cf3  qemu-announce-self
    9aed52e7-f0f3-343e-fe5c-7dcb27b594e5  qemu-announce-self-rarp
 
 Most of these are just building blocks. The interesting one here is
diff --git a/docs/formatnwfilter.rst b/docs/formatnwfilter.rst
index 13e9a791afc453ede0c59dae965c5a497e734ce4..e50497aaf825b40bb026eb79f554cdd65b29f059 100644 (file)
--- a/docs/formatnwfilter.rst
+++ b/docs/formatnwfilter.rst
@@ -438,7 +438,7 @@ several other filters.
      <filterref filter='allow-incoming-ipv4'/>
      <filterref filter='no-arp-spoofing'/>
      <filterref filter='no-other-l2-traffic'/>
-     <filterref filter='qemu-announce-self'/>
+     <filterref filter='qemu-announce-self-rarp'/>
    </filter>
 
 To reference another filter, the XML node ``filterref`` needs to be provided
diff --git a/src/nwfilter/xml/clean-traffic-gateway.xml b/src/nwfilter/xml/clean-traffic-gateway.xml
index b8c204041a68e6cc10a3ca1fb9819aa8bb0ad098..1768a67697d957ff329733bc1d10dbc6fa32aed6 100644 (file)
--- a/src/nwfilter/xml/clean-traffic-gateway.xml
+++ b/src/nwfilter/xml/clean-traffic-gateway.xml
@@ -30,5 +30,5 @@
     <filterref filter='no-other-l2-traffic'/>
 
     <!-- allow qemu to send a self-announce upon migration end -->
-    <filterref filter='qemu-announce-self'/>
+    <filterref filter='qemu-announce-self-rarp'/>
 </filter>
diff --git a/src/nwfilter/xml/clean-traffic.xml b/src/nwfilter/xml/clean-traffic.xml
index b8cde9c560e68535f3f0bdaf3a866906d7b59390..b0530da70a811d854cc9a280076e3a08c425efbd 100644 (file)
--- a/src/nwfilter/xml/clean-traffic.xml
+++ b/src/nwfilter/xml/clean-traffic.xml
@@ -25,6 +25,6 @@
    <filterref filter='no-other-l2-traffic'/>
 
    <!-- allow qemu to send a self-announce upon migration end -->
-   <filterref filter='qemu-announce-self'/>
+   <filterref filter='qemu-announce-self-rarp'/>
 
 </filter>
diff --git a/src/nwfilter/xml/qemu-announce-self-rarp.xml b/src/nwfilter/xml/qemu-announce-self-rarp.xml
index b7a848ad0ff2fa90f8952eb0b6132c6b102a57f1..db7b650320a72feb0f10449c18528b8032566ba6 100644 (file)
--- a/src/nwfilter/xml/qemu-announce-self-rarp.xml
+++ b/src/nwfilter/xml/qemu-announce-self-rarp.xml
@@ -11,4 +11,6 @@
           arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
           arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
   </rule>
+
+  <filterref filter='no-other-rarp-traffic'/>
 </filter>
diff --git a/src/nwfilter/xml/qemu-announce-self.xml b/src/nwfilter/xml/qemu-announce-self.xml
index 352db500de4eb0e259283a33546b829090f0a312..73b77804cfceba78faa33b79c36f3f8866008332 100644 (file)
--- a/src/nwfilter/xml/qemu-announce-self.xml
+++ b/src/nwfilter/xml/qemu-announce-self.xml
@@ -1,13 +1,7 @@
 <filter name='qemu-announce-self' chain='root'>
-    <!-- as of 4/26/2010 qemu sends out a bogus packet with
-         wrong rarp protocol ID -->
-    <!-- accept what is being sent now -->
-    <rule action='accept' direction='out'>
-        <mac protocolid='0x835'/>
-    </rule>
-
-    <!-- accept if it was changed to rarp -->
+  <!-- This rule originally allowed protocol '0x835' which qemu originally used.
+    As this bug in qemu was fixed and libvirt no longer supports such old qemu
+    versions this now is just a shim refering to 'qemu-announce-self-rarp' to
+    preserve compatibility if someone used this rule directly -->
     <filterref filter='qemu-announce-self-rarp'/>
-    <filterref filter='no-other-rarp-traffic'/>
-
 </filter>
Mirror of https://github.com/libvirt/libvirt.git