The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6302


=== Description (from pull-request) ===
This fixes failures seen when LXD runs several ebtables commands concurrently, by passing `--concurrent` so each invocation takes the ebtables lock.

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
From af0de63eb96e5aa4971b50f2fdf027098ef30ee1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Thu, 10 Oct 2019 09:06:29 -0400
Subject: [PATCH] lxd/device/nic: Pass --concurrent to ebtables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/device/nic_bridged.go | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index a658118c48..c486ae2b5e 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -391,7 +391,7 @@ func (d *nicBridged) removeFilters(m deviceConfig.Device) 
error {
        }
 
        // Get a current list of rules active on the host.
-       out, err := shared.RunCommand("ebtables", "-L", "--Lmac2", "--Lx")
+       out, err := shared.RunCommand("ebtables", "--concurrent", "-L", 
"--Lmac2", "--Lx")
        if err != nil {
                return fmt.Errorf("Failed to remove network filters for %s: 
%v", m["name"], err)
        }
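Review bot: The `--concurrent` lock only covers the list command itself; it is released as soon as ebtables exits, so the rule snapshot in `out` can be stale by the time removeFilters later deletes entries based on it, and a second LXD worker adding or removing rules for another NIC between the list and the delete is not excluded by this change. If that race matters, serialising the whole list-then-delete sequence with an in-process mutex (or a single ebtables-restore style apply) is what actually closes it; `--concurrent` alone only prevents two ebtables binaries from corrupting the table at the same instant. Also worth a comment on the new line, since older ebtables builds reject the flag: `// --concurrent takes the ebtables file lock; requires an ebtables that supports it`. removeFilters begins before this hunk and its delete loop is outside it.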
@@ -479,34 +479,34 @@ func (d *nicBridged) generateFilterEbtablesRules(m 
deviceConfig.Device, IPv4 net
        // MAC source filtering rules. Blocks any packet coming from instance 
with an incorrect Ethernet source MAC.
        // This is required for IP filtering too.
        rules := [][]string{
-               {"ebtables", "-t", "filter", "-A", "INPUT", "-s", "!", 
m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
-               {"ebtables", "-t", "filter", "-A", "FORWARD", "-s", "!", 
m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
+               {"ebtables", "--concurrent", "-t", "filter", "-A", "INPUT", 
"-s", "!", m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
+               {"ebtables", "--concurrent", "-t", "filter", "-A", "FORWARD", 
"-s", "!", m["hwaddr"], "-i", m["host_name"], "-j", "DROP"},
        }
 
        if shared.IsTrue(m["security.ipv4_filtering"]) && IPv4 != nil {
                rules = append(rules,
                        // Prevent ARP MAC spoofing (prevents the instance 
poisoning the ARP cache of its neighbours with a MAC address that isn't its 
own).
-                       []string{"ebtables", "-t", "filter", "-A", "INPUT", 
"-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j", 
"DROP"},
-                       []string{"ebtables", "-t", "filter", "-A", "FORWARD", 
"-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", m["hwaddr"], "-j", 
"DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "INPUT", "-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", 
m["hwaddr"], "-j", "DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "FORWARD", "-p", "ARP", "-i", m["host_name"], "--arp-mac-src", "!", 
m["hwaddr"], "-j", "DROP"},
                        // Prevent ARP IP spoofing (prevents the instance 
redirecting traffic for IPs that are not its own).
-                       []string{"ebtables", "-t", "filter", "-A", "INPUT", 
"-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", IPv4.String(), "-j", 
"DROP"},
-                       []string{"ebtables", "-t", "filter", "-A", "FORWARD", 
"-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", IPv4.String(), "-j", 
"DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "INPUT", "-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", 
IPv4.String(), "-j", "DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "FORWARD", "-p", "ARP", "-i", m["host_name"], "--arp-ip-src", "!", 
IPv4.String(), "-j", "DROP"},
                        // Allow DHCPv4 to the host only. This must come before 
the IP source filtering rules below.
-                       []string{"ebtables", "-t", "filter", "-A", "INPUT", 
"-p", "IPv4", "-s", m["hwaddr"], "-i", m["host_name"], "--ip-src", "0.0.0.0", 
"--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", 
"ACCEPT"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "INPUT", "-p", "IPv4", "-s", m["hwaddr"], "-i", m["host_name"], 
"--ip-src", "0.0.0.0", "--ip-dst", "255.255.255.255", "--ip-proto", "udp", 
"--ip-dport", "67", "-j", "ACCEPT"},
                        // IP source filtering rules. Blocks any packet coming 
from instance with an incorrect IP source address.
-                       []string{"ebtables", "-t", "filter", "-A", "INPUT", 
"-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", IPv4.String(), "-j", 
"DROP"},
-                       []string{"ebtables", "-t", "filter", "-A", "FORWARD", 
"-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", IPv4.String(), "-j", 
"DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "INPUT", "-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", 
IPv4.String(), "-j", "DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "FORWARD", "-p", "IPv4", "-i", m["host_name"], "--ip-src", "!", 
IPv4.String(), "-j", "DROP"},
                )
        }
 
        if shared.IsTrue(m["security.ipv6_filtering"]) && IPv6 != nil {
                rules = append(rules,
                        // Allow DHCPv6 and Router Solicitation to the host 
only. This must come before the IP source filtering rules below.
-                       []string{"ebtables", "-t", "filter", "-A", "INPUT", 
"-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src", 
"fe80::/ffc0::", "--ip6-dst", 
"ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", 
"--ip6-dport", "547", "-j", "ACCEPT"},
-                       []string{"ebtables", "-t", "filter", "-A", "INPUT", 
"-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], "--ip6-src", 
"fe80::/ffc0::", "--ip6-dst", 
"ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", 
"--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "INPUT", "-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], 
"--ip6-src", "fe80::/ffc0::", "--ip6-dst", 
"ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", 
"--ip6-dport", "547", "-j", "ACCEPT"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "INPUT", "-p", "IPv6", "-s", m["hwaddr"], "-i", m["host_name"], 
"--ip6-src", "fe80::/ffc0::", "--ip6-dst", 
"ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", 
"--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
                        // IP source filtering rules. Blocks any packet coming 
from instance with an incorrect IP source address.
-                       []string{"ebtables", "-t", "filter", "-A", "INPUT", 
"-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", 
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", 
"DROP"},
-                       []string{"ebtables", "-t", "filter", "-A", "FORWARD", 
"-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", 
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", 
"DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "INPUT", "-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", 
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", 
"DROP"},
+                       []string{"ebtables", "--concurrent", "-t", "filter", 
"-A", "FORWARD", "-p", "IPv6", "-i", m["host_name"], "--ip6-src", "!", 
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", 
"DROP"},
                )
        }
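Review bot: Adding `--concurrent` to every rule makes each append safe against another ebtables process, but the filter set is still installed one rule at a time, so a concurrent reader (for example the `-L` snapshot in removeFilters) can observe an instance with only the MAC rules present and none of the ARP/IP rules, and a failure part-way through leaves a partial ruleset unless the caller rolls back. That is worth stating above the `rules := [][]string{` literal: `// NOTE: --concurrent serialises individual ebtables invocations only; the set of rules below is not applied atomically.` The ordering comments ("This must come before the IP source filtering rules below") are correct and should be kept as-is, since `-A` appends and the DHCP/RS ACCEPT rules must precede the `--ip-src !`/`--ip6-src !` DROPs. The `security.ipv6_filtering` branch silently applies no IPv6 rules when IPv6 is nil, which predates this change but deserves a note for callers. generateFilterEbtablesRules continues past the end of this hunk.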
 