From: Peter Krempa <pkre...@redhat.com> The example allows packets sent by qemu after migration with broken protocol ID. The proper self announce is handled via 'qemu-announce-self-rarp'.
The qemu bug was addressed by f8778a7785d530515b0db39 (released as v0.13.0). As we no longer support such old qemus, and allowing broken packets makes no sense remove the filter, and adjust the existing ones to refer to the proper name. Closes: https://gitlab.com/libvirt/libvirt/-/issues/792 Signed-off-by: Peter Krempa <pkre...@redhat.com> --- docs/firewall.rst | 1 - docs/formatnwfilter.rst | 2 +- src/nwfilter/xml/clean-traffic-gateway.xml | 2 +- src/nwfilter/xml/clean-traffic.xml | 2 +- src/nwfilter/xml/meson.build | 1 - src/nwfilter/xml/qemu-announce-self-rarp.xml | 2 ++ src/nwfilter/xml/qemu-announce-self.xml | 13 ------------- 7 files changed, 5 insertions(+), 18 deletions(-) delete mode 100644 src/nwfilter/xml/qemu-announce-self.xml diff --git a/docs/firewall.rst b/docs/firewall.rst index 26474d3317..81114d2c95 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst @@ -285,7 +285,6 @@ useful rules: fb57c546-76dc-a372-513f-e8179011b48a no-mac-spoofing dba10ea7-446d-76de-346f-335bd99c1d05 no-other-l2-traffic f5c78134-9da4-0c60-a9f0-fb37bc21ac1f no-other-rarp-traffic - 7637e405-4ccf-42ac-5b41-14f8d03d8cf3 qemu-announce-self 9aed52e7-f0f3-343e-fe5c-7dcb27b594e5 qemu-announce-self-rarp Most of these are just building blocks. The interesting one here is diff --git a/docs/formatnwfilter.rst b/docs/formatnwfilter.rst index 13e9a791af..e50497aaf8 100644 --- a/docs/formatnwfilter.rst +++ b/docs/formatnwfilter.rst @@ -438,7 +438,7 @@ several other filters. <filterref filter='allow-incoming-ipv4'/> <filterref filter='no-arp-spoofing'/> <filterref filter='no-other-l2-traffic'/> - <filterref filter='qemu-announce-self'/> + <filterref filter='qemu-announce-self-rarp'/> </filter> To reference another filter, the XML node ``filterref`` needs to be provided diff --git a/src/nwfilter/xml/clean-traffic-gateway.xml b/src/nwfilter/xml/clean-traffic-gateway.xml index b8c204041a..1768a67697 100644 --- a/src/nwfilter/xml/clean-traffic-gateway.xml +++ b/src/nwfilter/xml/clean-traffic-gateway.xml @@ -30,5 +30,5 @@ <filterref filter='no-other-l2-traffic'/> <!-- allow qemu to send a self-announce upon migration end --> - <filterref filter='qemu-announce-self'/> + <filterref filter='qemu-announce-self-rarp'/> </filter> diff --git a/src/nwfilter/xml/clean-traffic.xml b/src/nwfilter/xml/clean-traffic.xml index b8cde9c560..b0530da70a 100644 --- a/src/nwfilter/xml/clean-traffic.xml +++ b/src/nwfilter/xml/clean-traffic.xml @@ -25,6 +25,6 @@ <filterref filter='no-other-l2-traffic'/> <!-- allow qemu to send a self-announce upon migration end --> - <filterref filter='qemu-announce-self'/> + <filterref filter='qemu-announce-self-rarp'/> </filter> diff --git a/src/nwfilter/xml/meson.build b/src/nwfilter/xml/meson.build index 0d96c54ebe..de3f205a7c 100644 --- a/src/nwfilter/xml/meson.build +++ b/src/nwfilter/xml/meson.build @@ -22,7 +22,6 @@ nwfilter_xml_files = [ 'no-other-l2-traffic.xml', 'no-other-rarp-traffic.xml', 'qemu-announce-self-rarp.xml', - 'qemu-announce-self.xml', ] install_data(nwfilter_xml_files, install_dir: sysconfdir / 'libvirt' / 'nwfilter') diff --git a/src/nwfilter/xml/qemu-announce-self-rarp.xml b/src/nwfilter/xml/qemu-announce-self-rarp.xml index b7a848ad0f..db7b650320 100644 --- a/src/nwfilter/xml/qemu-announce-self-rarp.xml +++ b/src/nwfilter/xml/qemu-announce-self-rarp.xml @@ -11,4 +11,6 @@ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/> </rule> + + <filterref filter='no-other-rarp-traffic'/> </filter> diff --git a/src/nwfilter/xml/qemu-announce-self.xml b/src/nwfilter/xml/qemu-announce-self.xml deleted file mode 100644 index 352db500de..0000000000 --- a/src/nwfilter/xml/qemu-announce-self.xml +++ /dev/null @@ -1,13 +0,0 @@ -<filter name='qemu-announce-self' chain='root'> - <!-- as of 4/26/2010 qemu sends out a bogus packet with - wrong rarp protocol ID --> - <!-- accept what is being sent now --> - <rule action='accept' direction='out'> - <mac protocolid='0x835'/> - </rule> - - <!-- accept if it was changed to rarp --> - <filterref filter='qemu-announce-self-rarp'/> - <filterref filter='no-other-rarp-traffic'/> - -</filter> -- 2.49.0
