[lxc-devel] [lxd/master] Network bugfixes

stgraber on Github lxc-bot at linuxcontainers.org
Sat Nov 26 18:03:17 UTC 2016


From e82f45f6b7c8d018de8c4dd60a4c2929e23cedaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Sat, 26 Nov 2016 13:00:28 -0500
Subject: [PATCH 1/2] DHCP over TCP has never been implemented
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

So stop accepting it: drop the TCP ACCEPT rules for ports 67 and 546 rather than leaving unused ports whitelisted on the bridge (nothing is explicitly blocked; the ports simply fall through to the chain's existing rules and policy).

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/networks.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/lxd/networks.go b/lxd/networks.go
index d9a7b5e..9cad1cb 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -660,11 +660,9 @@ func (n *network) Start() error {
 		// Setup basic iptables overrides
 		rules := [][]string{
 			[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "67", "-j", "ACCEPT"},
-			[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "67", "-j", "ACCEPT"},
 			[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
 			[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
 			[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "67", "-j", "ACCEPT"},
-			[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "67", "-j", "ACCEPT"},
 			[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
 			[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
 
@@ -819,11 +817,9 @@ func (n *network) Start() error {
 		// Setup basic iptables overrides
 		rules := [][]string{
 			[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "546", "-j", "ACCEPT"},
-			[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "546", "-j", "ACCEPT"},
 			[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
 			[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
 			[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "546", "-j", "ACCEPT"},
-			[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "546", "-j", "ACCEPT"},
 			[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
 			[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
 

From 9eee78e57c86ee0900d4f94639d2136629e615b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Sat, 26 Nov 2016 13:02:14 -0500
Subject: [PATCH 2/2] Restrict ipv{4,6}.firewall to FORWARD rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Keep generating INPUT/OUTPUT rules as needed for DHCP and DNS
communications.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 doc/api-extensions.md |  5 ++++-
 lxd/networks.go       | 20 ++++++++------------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 8de41e5..d273d29 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -167,6 +167,9 @@ Enables setting the `security.idmap.isolated` and `security.idmap.isolated`,
 
 ## network\_firewall\_filtering
 Add two new keys, "ipv4.firewall" and "ipv6.firewall" which if set to
-false will turn off the generation of iptables filtering rules. NAT
+false will turn off the generation of iptables FORWARDING rules. NAT
 rules will still be added so long as the matching "ipv4.nat" or
 "ipv6.nat" key is set to true.
+
+Rules necessary for dnsmasq to work (DHCP/DNS) will always be applied if
+dnsmasq is enabled on the bridge.
diff --git a/lxd/networks.go b/lxd/networks.go
index 9cad1cb..fd36c14 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -666,12 +666,10 @@ func (n *network) Start() error {
 			[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
 			[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
 
-		if n.config["ipv4.firewall"] == "" || shared.IsTrue(n.config["ipv4.firewall"]) {
-			for _, rule := range rules {
-				err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
-				if err != nil {
-					return err
-				}
+		for _, rule := range rules {
+			err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+			if err != nil {
+				return err
 			}
 		}
 
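Review bot: The DHCP/DNS ACCEPT rules are now prepended to INPUT/OUTPUT regardless of ipv4.firewall, and nothing inside this hunk ties them to dnsmasq actually being enabled on the bridge, although the commit message and the api-extensions text say they apply only in that case; the `rules` slice and any enclosing condition start above the hunk, inside `Start()`, so that gate is presumably there but cannot be confirmed from these lines. Because `networkIptablesPrepend` places them ahead of anything an administrator who turned the firewall off has already put on those chains, the intent deserves a comment at the loop: `// Always accept DHCP/DNS to and from the bridge: ipv4.firewall only governs FORWARD rules, and dnsmasq cannot serve the bridge without these.` The error returned on a failed insert also carries no indication of which rule or bridge failed; assuming fmt is imported in this file, `return fmt.Errorf("Failed to add iptables rule for %s: %v", n.name, err)` would make a failing Start() much easier to diagnose.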
@@ -823,12 +821,10 @@ func (n *network) Start() error {
 			[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
 			[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
 
-		if n.config["ipv6.firewall"] == "" || shared.IsTrue(n.config["ipv6.firewall"]) {
-			for _, rule := range rules {
-				err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
-				if err != nil {
-					return err
-				}
+		for _, rule := range rules {
+			err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+			if err != nil {
+				return err
 			}
 		}
 
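Review bot: The DHCPv6 entries this loop now installs unconditionally use UDP port 546, which per RFC 3315 is the client port; DHCPv6 servers and relay agents listen on 547, so an INPUT rule matching `--dport 546` does not admit client Solicit/Request traffic to dnsmasq on the host and the `--sport 546` OUTPUT rule does not match its replies, leaving those overrides ineffective. The head of the `rules` slice is above this hunk (the 546 entries are visible as context in the first patch of this series), and the fix would be `"--dport", "547"` on the INPUT rule and `"--sport", "547"` on the OUTPUT rule, unless dnsmasq is launched with a non-default DHCPv6 port, which nothing here suggests. Dropping the ipv6.firewall guard also means these rules are no longer optional, so the mismatch now applies to every bridge with DHCPv6 enabled rather than only to firewalled ones. Start() continues outside the hunk.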

