[lxc-devel] [lxd/master] NIC: Detect and prefer ebtables-legacy command if available

tomponline on Github lxc-bot at linuxcontainers.org
Wed May 20 10:22:53 UTC 2020


From f5b77bb0e22503fb852df9d7d5246f99ee42c379 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 20 May 2020 11:17:57 +0100
Subject: [PATCH 1/5] lxd/firewall/drivers/drivers/xtables: Adds ebtablesCmd
 function

Detects if ebtables-legacy command is available and prefers that over ebtables command, as this avoids using the partially implemented nftables ebtables shim command.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/firewall/drivers/drivers_xtables.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go
index 836dfce32e..b519b1b6bb 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -286,6 +286,17 @@ func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName stri
 	return nil
 }
 
+// ebtablesCmd detects if the ebtables-legacy command is available, and uses that instead of the nftables ebtables
+// shim command which isn't fully implemented.
+func (d Xtables) ebtablesCmd() string {
+	_, err := exec.LookPath("ebtables-legacy")
+	if err == nil {
+		return "ebtables-legacy"
+	}
+
+	return "ebtables"
+}
+
 // InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.
 func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP) error {
 	comment := d.instanceDeviceIPTablesComment(projectName, instanceName, deviceName)
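Review bot: The doc comment on `ebtablesCmd` does not say that the choice is made by a PATH lookup repeated on every call, which is the behaviour a reader needs when reasoning about why setup and clear could pick different binaries if PATH or the installed packages change between them. I would extend the comment with `// The lookup is done via exec.LookPath on each call, so the result follows the daemon's PATH at call time.` The scoping of the error could also be tightened to the idiomatic `if _, err := exec.LookPath("ebtables-legacy"); err == nil {` so `err` does not outlive the check.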

From d925b4ddb419f345d39e21303a176f3c9689e36e Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 20 May 2020 11:19:26 +0100
Subject: [PATCH 2/5] lxd/firewall/drivers/drivers/xtables: Updates
 InstanceSetupBridgeFilter to use ebtablesCmd()

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/firewall/drivers/drivers_xtables.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go
index b519b1b6bb..56b69802a9 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -257,10 +257,11 @@ func (d Xtables) instanceDeviceIPTablesComment(projectName string, instanceName
 // InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering.
 func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP) error {
 	comment := d.instanceDeviceIPTablesComment(projectName, instanceName, deviceName)
+	ebtablesCmd := d.ebtablesCmd()
 
 	rules := d.generateFilterEbtablesRules(hostName, hwAddr, IPv4, IPv6)
 	for _, rule := range rules {
-		_, err := shared.RunCommand(rule[0], append([]string{"--concurrent"}, rule[1:]...)...)
+		_, err := shared.RunCommand(ebtablesCmd, append([]string{"--concurrent"}, rule...)...)
 		if err != nil {
 			return err
 		}

From 88a12537606f3d28f24923283fa0b9ccf92dc967 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 20 May 2020 11:19:53 +0100
Subject: [PATCH 3/5] lxd/firewall/drivers/drivers/xtables: Updates
 InstanceClearBridgeFilter to use ebtablesCmd()

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/firewall/drivers/drivers_xtables.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go
index 56b69802a9..ea2f58fcc1 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -301,9 +301,10 @@ func (d Xtables) ebtablesCmd() string {
 // InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.
 func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP) error {
 	comment := d.instanceDeviceIPTablesComment(projectName, instanceName, deviceName)
+	ebtablesCmd := d.ebtablesCmd()
 
 	// Get a current list of rules active on the host.
-	out, err := shared.RunCommand("ebtables", "--concurrent", "-L", "--Lmac2", "--Lx")
+	out, err := shared.RunCommand(ebtablesCmd, "--concurrent", "-L", "--Lmac2", "--Lx")
 	if err != nil {
 		return fmt.Errorf("Failed to get a list of network filters to for %q: %v", deviceName, err)
 	}
@@ -314,7 +315,7 @@ func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName stri
 	errs := []error{}
 	// Iterate through each active rule on the host and try and match it to one the LXD rules.
 	for _, line := range strings.Split(out, "\n") {
-		line = strings.TrimSpace(line)
+		line = strings.TrimPrefix(strings.TrimSpace(line), "ebtables ") // Remove command from the output.
 		fields := strings.Fields(line)
 		fieldsLen := len(fields)
 
@@ -331,7 +332,7 @@ func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName stri
 
 			// If we get this far, then the current host rule matches one of our LXD
 			// rules, so we should run the modified command to delete it.
-			_, err = shared.RunCommand(fields[0], append([]string{"--concurrent"}, fields[1:]...)...)
+			_, err = shared.RunCommand(ebtablesCmd, append([]string{"--concurrent"}, fields...)...)
 			if err != nil {
 				errs = append(errs, err)
 			}

From 7ccd9c09dab00b76fa30ea1065d921f26cddc6c0 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 20 May 2020 11:20:15 +0100
Subject: [PATCH 4/5] lxd/firewall/drivers/drivers/xtables: Updates
 generateFilterEbtablesRules to support multiple ebtables commands

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/firewall/drivers/drivers_xtables.go | 42 ++++++++++++-------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go
index ea2f58fcc1..6eb0710073 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -449,31 +449,31 @@ func (d Xtables) generateFilterEbtablesRules(hostName string, hwAddr string, IPv
 	// MAC source filtering rules. Block any packet coming from instance with an incorrect Ethernet source MAC.
 	// This is required for IP filtering too.
 	rules := [][]string{
-		{"ebtables", "-t", "filter", "-A", "INPUT", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"},
-		{"ebtables", "-t", "filter", "-A", "FORWARD", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"},
+		{"-t", "filter", "-A", "INPUT", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"},
+		{"-t", "filter", "-A", "FORWARD", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"},
 	}
 
 	if IPv4 != nil {
 		if IPv4.String() == FilterIPv4All {
 			rules = append(rules,
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "-j", "DROP"},
 			)
 		} else {
 			rules = append(rules,
 				// Prevent ARP MAC spoofing (prevents the instance poisoning the ARP cache of its neighbours with a MAC address that isn't its own).
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"},
 				// Prevent ARP IP spoofing (prevents the instance redirecting traffic for IPs that are not its own).
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"},
 				// Allow DHCPv4 to the host only. This must come before the IP source filtering rules below.
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-s", hwAddr, "-i", hostName, "--ip-src", "0.0.0.0", "--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", "ACCEPT"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv4", "-s", hwAddr, "-i", hostName, "--ip-src", "0.0.0.0", "--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", "ACCEPT"},
 				// IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address.
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"},
 			)
 		}
 	}
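Review bot: The rules returned by `generateFilterEbtablesRules` no longer carry the command as element zero, which changes the function's contract for every caller and for the comparison loop in `InstanceClearBridgeFilter`, but the function's doc comment (it starts above this hunk, outside the view) is not updated in this series. I would add a sentence to it such as `// Each returned rule holds only the ebtables arguments; the command itself is chosen by ebtablesCmd() at run time.` so a future caller does not reintroduce `rule[0]` as the binary. The same applies to the second hunk of this patch.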
@@ -481,20 +481,20 @@ func (d Xtables) generateFilterEbtablesRules(hostName string, hwAddr string, IPv
 	if IPv6 != nil {
 		if IPv6.String() == FilterIPv6All {
 			rules = append(rules,
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
 			)
 		} else {
 			rules = append(rules,
 				// Allow DHCPv6 and Router Solicitation to the host only. This must come before the IP source filtering rules below.
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"},
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
 				// IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address.
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"},
 				// Block any IPv6 router advertisement packets from instance.
-				[]string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
-				[]string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
+				[]string{"-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
 			)
 		}
 	}

From fe7d069c07d7b72207418ff83eba1e5b3b1287b3 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 20 May 2020 11:20:37 +0100
Subject: [PATCH 5/5] test: Updates NIC bridged filtering tests to support
 ebtables-legacy

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 ...container_devices_nic_bridged_filtering.sh | 53 +++++++++++--------
 1 file changed, 30 insertions(+), 23 deletions(-)

diff --git a/test/suites/container_devices_nic_bridged_filtering.sh b/test/suites/container_devices_nic_bridged_filtering.sh
index 3828f9ec61..344c06e6c4 100644
--- a/test/suites/container_devices_nic_bridged_filtering.sh
+++ b/test/suites/container_devices_nic_bridged_filtering.sh
@@ -9,6 +9,13 @@ test_container_devices_nic_bridged_filtering() {
     false
   fi
 
+  ebtablesCmd="ebtables"
+  if [ "$firewallDriver" = "xtables" ]; then
+        if which "ebtables-legacy"; then
+            ebtablesCmd="ebtables-legacy"
+        fi
+  fi
+
   ctPrefix="nt$$"
   brName="lxdt$$"
 
@@ -61,7 +68,7 @@ test_container_devices_nic_bridged_filtering() {
   # Check MAC filter is present in firewall.
   ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name)
   if [ "$firewallDriver" = "xtables" ]; then
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
       echo "MAC filter not applied as part of mac_filtering in ebtables"
       false
     fi
@@ -111,7 +118,7 @@ test_container_devices_nic_bridged_filtering() {
   # Stop CT A and check filters are cleaned up.
   lxc stop -f "${ctPrefix}A"
   if [ "$firewallDriver" = "xtables" ]; then
-    if ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
+    if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
         echo "MAC filter still applied as part of mac_filtering in ebtables"
         false
     fi
@@ -140,11 +147,11 @@ test_container_devices_nic_bridged_filtering() {
   # Check MAC and IPv4 filter is present in firewall.
   ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name)
   if [ "$firewallDriver" = "xtables" ]; then
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
       echo "MAC filter not applied as part of ipv4_filtering in ebtables"
       false
     fi
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then
         echo "IPv4 filter not applied as part of ipv4_filtering in ebtables"
         false
     fi
@@ -199,7 +206,7 @@ test_container_devices_nic_bridged_filtering() {
   # Stop CT A and check filters are cleaned up in firewall.
   lxc stop -f "${ctPrefix}A"
   if [ "$firewallDriver" = "xtables" ]; then
-    if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+    if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
         echo "IPv4 filter still applied as part of ipv4_filtering in ebtables"
         false
     fi
@@ -278,7 +285,7 @@ test_container_devices_nic_bridged_filtering() {
   macHex=$(echo "${ctAMAC}" |sed "s/://g")
 
   if [ "$firewallDriver" = "xtables" ]; then
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
         echo "MAC filter not applied as part of ipv6_filtering in ebtables"
         false
     fi
@@ -296,13 +303,13 @@ test_container_devices_nic_bridged_filtering() {
     fi
 
     # Check IPv6 filter is present in ebtables.
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then
         echo "IPv6 filter not applied as part of ipv6_filtering in ebtables"
         false
     fi
 
     # Check IPv6 RA filter is present in ebtables.
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-i ${ctAHost} --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-i ${ctAHost} --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP" ; then
         echo "IPv6 RA filter not applied as part of ipv6_filtering in ebtables"
         false
     fi
@@ -378,7 +385,7 @@ test_container_devices_nic_bridged_filtering() {
   # Stop CT A and check filters are cleaned up.
   lxc stop -f "${ctPrefix}A"
   if [ "$firewallDriver" = "xtables" ]; then
-    if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+    if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
         echo "IPv6 filter still applied as part of ipv6_filtering in ebtables"
         false
     fi
@@ -459,7 +466,7 @@ test_container_devices_nic_bridged_filtering() {
 
   if [ "$firewallDriver" = "xtables" ]; then
     # Check MAC filter is present in ebtables.
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
         echo "MAC filter not applied as part of ipv4_filtering in ebtables"
         false
     fi
@@ -471,13 +478,13 @@ test_container_devices_nic_bridged_filtering() {
     fi
 
     # Check IPv4 filter is present in ebtables.
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then
         echo "IPv4 filter not applied as part of ipv4_filtering in ebtables"
         false
     fi
 
     # Check IPv6 filter is present in ebtables.
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then
         echo "IPv6 filter not applied as part of ipv6_filtering in ebtables"
         false
     fi
@@ -529,7 +536,7 @@ test_container_devices_nic_bridged_filtering() {
   # Delete container and check filters are cleaned up.
   lxc delete -f "${ctPrefix}A"
   if [ "$firewallDriver" = "xtables" ]; then
-    if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+    if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
         echo "ebtables filter still applied after delete"
         false
     fi
@@ -560,7 +567,7 @@ test_container_devices_nic_bridged_filtering() {
   ctAMAC=$(lxc config get "${ctPrefix}A" volatile.eth0.hwaddr)
 
   if [ "$firewallDriver" = "xtables" ]; then
-    if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
+    if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then
         echo "MAC ebtables filter not applied as part of mac_filtering in ebtables"
         false
     fi
@@ -589,8 +596,8 @@ test_container_devices_nic_bridged_filtering() {
   # Stop container and check filters are cleaned up.
   lxc stop -f "${ctPrefix}A"
   if [ "$firewallDriver" = "xtables" ]; then
-    if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
-        echo "MAC filter still applied as part of mac_filtering in ebtables"
+    if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+        echo "MAC filter still applied as part of unmanaged bridge mac_filtering in ebtables"
         false
     fi
   else
@@ -625,12 +632,12 @@ test_container_devices_nic_bridged_filtering() {
   ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name)
 
   if [ "$firewallDriver" = "xtables" ]; then
-    ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p ARP -i ${ctAHost} -j DROP"
-    ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p ARP -i ${ctAHost} -j DROP"
-    ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv4 -i ${ctAHost} -j DROP"
-    ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv4 -i ${ctAHost} -j DROP"
-    ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv6 -i ${ctAHost} -j DROP"
-    ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv6 -i ${ctAHost} -j DROP"
+    "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p ARP -i ${ctAHost} -j DROP"
+    "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p ARP -i ${ctAHost} -j DROP"
+    "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv4 -i ${ctAHost} -j DROP"
+    "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv4 -i ${ctAHost} -j DROP"
+    "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv6 -i ${ctAHost} -j DROP"
+    "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv6 -i ${ctAHost} -j DROP"
   else
     for table in "in" "fwd"
     do
@@ -643,7 +650,7 @@ test_container_devices_nic_bridged_filtering() {
   # Delete container and check filters are cleaned up.
   lxc delete -f "${ctPrefix}A"
   if [ "$firewallDriver" = "xtables" ]; then
-    if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+    if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
         echo "Filters still applied as part of IP filter in ebtables"
         false
     fi

