From 16a9a28129993d87639a22e4799557e15c22ac1c Mon Sep 17 00:00:00 2001 From: Laine Stump Date: Tue, 12 Dec 2017 16:18:07 -0500 Subject: [PATCH] qemu: log error on attempts to set filterref on an OVS-connected interface ebtables/iptables processing is skipped for any interface connected to Open vSwitch (they have their own packet filtering), likewise for midonet (according to http://blog.midokura.com/2016/04/midonet-rule-chains), but libvirt would allow adding a to interfaces connected in these ways, so the user might mistakenly believe they were being protected. This patch checks for a non-NULL element for an interface (or its network) and logs an error if and are both present. This could cause some previously working domains to no longer start, but that's really the whole point of this patch - to warn people that their filterref isn't protecting them as they might have thought. I don't bother checking this during post-parse validation, because such a check would be incomplete - it's possible that a network would have a that would be applied to an interface, and you can't know that until the domain is started. Resolves: https://bugzilla.redhat.com/1502754 --- src/qemu/qemu_command.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 2dd50a2145..4d0c141e55 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -8545,15 +8545,25 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, } /* and only TAP devices support nwfilter rules */ - if (net->filter && - !(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || - actualType == VIR_DOMAIN_NET_TYPE_BRIDGE || - actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - _("filterref is not supported for " - "network interfaces of type %s"), - virDomainNetTypeToString(actualType)); - return -1; + if (net->filter) { + virNetDevVPortProfilePtr vport = virDomainNetGetActualVirtPortProfile(net); + if (!(actualType == VIR_DOMAIN_NET_TYPE_NETWORK || + actualType == VIR_DOMAIN_NET_TYPE_BRIDGE || + actualType == VIR_DOMAIN_NET_TYPE_ETHERNET)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported for " + "network interfaces of type %s"), + virDomainNetTypeToString(actualType)); + return -1; + } + if (vport && vport->virtPortType != VIR_NETDEV_VPORT_PROFILE_NONE) { + /* currently none of the defined virtualport types support iptables */ + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("filterref is not supported for " + "network interfaces with virtualport type %s"), + virNetDevVPortTypeToString(vport->virtPortType)); + return -1; + } } if (net->backend.tap && -- 2.47.2