[lxc-devel] [lxd/master] Network bugfixes
stgraber on Github
lxc-bot at linuxcontainers.org
Sat Nov 26 18:03:17 UTC 2016
From e82f45f6b7c8d018de8c4dd60a4c2929e23cedaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Sat, 26 Nov 2016 13:00:28 -0500
Subject: [PATCH 1/2] DHCP over TCP has never been implemented
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
So let's block it.
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/networks.go | 4 ----
1 file changed, 4 deletions(-)
diff --git a/lxd/networks.go b/lxd/networks.go
index d9a7b5e..9cad1cb 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -660,11 +660,9 @@ func (n *network) Start() error {
// Setup basic iptables overrides
rules := [][]string{
[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "67", "-j", "ACCEPT"},
- []string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "67", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "67", "-j", "ACCEPT"},
- []string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "67", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
@@ -819,11 +817,9 @@ func (n *network) Start() error {
// Setup basic iptables overrides
rules := [][]string{
[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "546", "-j", "ACCEPT"},
- []string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "546", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "546", "-j", "ACCEPT"},
- []string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "546", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
From 9eee78e57c86ee0900d4f94639d2136629e615b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Sat, 26 Nov 2016 13:02:14 -0500
Subject: [PATCH 2/2] Restrict ipv{4,6}.firewall to FORWARD rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Keep generating INPUT/OUTPUT rules as needed for DHCP and DNS
communications.
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/api-extensions.md | 5 ++++-
lxd/networks.go | 20 ++++++++------------
2 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 8de41e5..d273d29 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -167,6 +167,9 @@ Enables setting the `security.idmap.isolated` and `security.idmap.isolated`,
## network\_firewall\_filtering
Add two new keys, "ipv4.firewall" and "ipv6.firewall" which if set to
-false will turn off the generation of iptables filtering rules. NAT
+false will turn off the generation of iptables FORWARDING rules. NAT
rules will still be added so long as the matching "ipv4.nat" or
"ipv6.nat" key is set to true.
+
+Rules necessary for dnsmasq to work (DHCP/DNS) will always be applied if
+dnsmasq is enabled on the bridge.
diff --git a/lxd/networks.go b/lxd/networks.go
index 9cad1cb..fd36c14 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -666,12 +666,10 @@ func (n *network) Start() error {
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
- if n.config["ipv4.firewall"] == "" || shared.IsTrue(n.config["ipv4.firewall"]) {
- for _, rule := range rules {
- err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
- if err != nil {
- return err
- }
+ for _, rule := range rules {
+ err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+ if err != nil {
+ return err
}
}
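Review bot: The INPUT/OUTPUT ACCEPT rules for 67/udp and 53/udp+tcp on the bridge are now prepended unconditionally, so an operator who set `ipv4.firewall=false` (and the ipv6 equivalent in the hunk at -823,12) no longer has any way to opt out of them, and nothing in the hunk records that this is intended. The doc change says these rules apply "if dnsmasq is enabled on the bridge", but the hunk does not show the condition that gates this block; if it is not inside the dnsmasq branch of Start(), the host accepts on these ports even when nothing listens, so that should be confirmed. A comment above the loop would stop the next reader from re-adding the check: `// DHCP/DNS INPUT/OUTPUT rules are always installed for dnsmasq; ipv4.firewall only gates the FORWARD rules.` Start() begins and ends outside this hunk, and the rules literal it iterates starts above it.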
@@ -823,12 +821,10 @@ func (n *network) Start() error {
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
- if n.config["ipv6.firewall"] == "" || shared.IsTrue(n.config["ipv6.firewall"]) {
- for _, rule := range rules {
- err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
- if err != nil {
- return err
- }
+ for _, rule := range rules {
+ err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+ if err != nil {
+ return err
}
}