On Thu, Jun 12, 2025 at 05:50:39PM +0200, Dion Bosschieter wrote:
> Upon VM bootstrapping (start, restore, incoming migration)
> iptablesCreateBaseChainsFW is called and unconditionally deletes and
> reinserts top-level firewall chain jumps (e.g. INPUT, FORWARD rules).
> This briefly opens a hole in the firewall, allowing packets through
> until the insertions complete.
>
> This commit ensures that the base chains are only created once per layer
> (IPV4/IPV6) and checks whether the expected rules already exist using
> `iptables -C`. If they do, no delete/insert operations are performed.
>
> This eliminates the short window where packets could bypass filters during
> VM lifecycle operations.
>
> Signed-off-by: Dion Bosschieter <dionbosschie...@gmail.com>
> ---
>  src/nwfilter/nwfilter_ebiptables_driver.c | 79 ++++++++++++++---------
>  1 file changed, 47 insertions(+), 32 deletions(-)
NB, I'm also seeing test failures for nwfilterxml2firewalltest with this patch applied.

Use 'meson test -C build --print-errorlogs' to see this.

This is because the 'commonRules' array in nwfilterxml2firewalltest.c will need updating to match the new logic.

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
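The check-before-insert pattern the quoted commit message describes, as an added shell example that is not libvirt's code: a top-level chain jump is probed with `iptables -C` and inserted only when absent, so the rule is never deleted and no window opens. The table, chain and target names are constructed placeholders, and the `IPT` variable is an assumption so the logic can be exercised against a stand-in without root.

```shell
# Added example, not libvirt's code. Idempotent "check, then insert" for a
# top-level chain jump, the pattern the patch applies with `iptables -C`.
# IPT is an assumed knob: it defaults to the real iptables binary but can be
# pointed at a stand-in so the logic runs without root.
IPT="${IPT:-iptables}"

# ensure_jump TABLE CHAIN TARGET
# Guarantees "TABLE: CHAIN -j TARGET" is present. Prints "present" if it
# already was (nothing touched) or "inserted" if it had to be added.
# The rule is never deleted, so unlike delete-then-reinsert there is no
# moment where packets traverse CHAIN without hitting TARGET.
ensure_jump() {
    table="$1"; chain="$2"; target="$3"
    # -w waits for the xtables lock instead of failing if it is busy.
    if "$IPT" -w -t "$table" -C "$chain" -j "$target" 2>/dev/null; then
        echo present
        return 0
    fi
    # -C and -I are two calls, so two concurrent callers may both insert
    # (a duplicate, not a gap); a single serialized caller is the intent here.
    "$IPT" -w -t "$table" -I "$chain" -j "$target" || return 1
    echo inserted
}

# Old, racy shape kept only for contrast: the gap is between -D and -I.
racy_jump() {
    table="$1"; chain="$2"; target="$3"
    "$IPT" -w -t "$table" -D "$chain" -j "$target" 2>/dev/null
    "$IPT" -w -t "$table" -I "$chain" -j "$target"
}

# Usage as root on a real host (names are constructed placeholders):
#   ensure_jump filter FORWARD vm-filter
```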