The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7394
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
Avoids using the nftables ebtables partially implemented shim command.
Fixes orphaned filter rules being left on Ubuntu Focal default installs that have iptables and ebtables (as an nftables) shim installed by default, and no nftables, meaning LXD uses iptables mode and expects the ebtables command to be fully implemented as per its manpage.
From f5b77bb0e22503fb852df9d7d5246f99ee42c379 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Wed, 20 May 2020 11:17:57 +0100
Subject: [PATCH 1/5] lxd/firewall/drivers/drivers/xtables: Adds ebtablesCmd
function
Detects if ebtables-legacy command is available and prefers that over ebtables
command, as this avoids using the partially implemented nftables ebtables shim
command.
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
lxd/firewall/drivers/drivers_xtables.go | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/lxd/firewall/drivers/drivers_xtables.go
b/lxd/firewall/drivers/drivers_xtables.go
index 836dfce32e..b519b1b6bb 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -286,6 +286,17 @@ func (d Xtables) InstanceSetupBridgeFilter(projectName
string, instanceName stri
return nil
}
+// ebtablesCmd detects if the ebtables-legacy command is available, and uses
that instead of the nftables ebtables
+// shim command which isn't fully implemented.
+func (d Xtables) ebtablesCmd() string {
+ _, err := exec.LookPath("ebtables-legacy")
+ if err == nil {
+ return "ebtables-legacy"
+ }
+
+ return "ebtables"
+}
+
// InstanceClearBridgeFilter removes any filter rules that were added to apply
bridged device IP filtering.
func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName
string, deviceName string, parentName string, hostName string, hwAddr string,
IPv4 net.IP, IPv6 net.IP) error {
comment := d.instanceDeviceIPTablesComment(projectName, instanceName,
deviceName)
From d925b4ddb419f345d39e21303a176f3c9689e36e Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Wed, 20 May 2020 11:19:26 +0100
Subject: [PATCH 2/5] lxd/firewall/drivers/drivers/xtables: Updates
InstanceSetupBridgeFilter to use ebtablesCmd()
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
lxd/firewall/drivers/drivers_xtables.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lxd/firewall/drivers/drivers_xtables.go
b/lxd/firewall/drivers/drivers_xtables.go
index b519b1b6bb..56b69802a9 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -257,10 +257,11 @@ func (d Xtables)
instanceDeviceIPTablesComment(projectName string, instanceName
// InstanceSetupBridgeFilter sets up the filter rules to apply bridged device
IP filtering.
func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName
string, deviceName string, parentName string, hostName string, hwAddr string,
IPv4 net.IP, IPv6 net.IP) error {
comment := d.instanceDeviceIPTablesComment(projectName, instanceName,
deviceName)
+ ebtablesCmd := d.ebtablesCmd()
rules := d.generateFilterEbtablesRules(hostName, hwAddr, IPv4, IPv6)
for _, rule := range rules {
- _, err := shared.RunCommand(rule[0],
append([]string{"--concurrent"}, rule[1:]...)...)
+ _, err := shared.RunCommand(ebtablesCmd,
append([]string{"--concurrent"}, rule...)...)
if err != nil {
return err
}
From 88a12537606f3d28f24923283fa0b9ccf92dc967 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Wed, 20 May 2020 11:19:53 +0100
Subject: [PATCH 3/5] lxd/firewall/drivers/drivers/xtables: Updates
InstanceClearBridgeFilter to use ebtablesCmd()
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
lxd/firewall/drivers/drivers_xtables.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lxd/firewall/drivers/drivers_xtables.go
b/lxd/firewall/drivers/drivers_xtables.go
index 56b69802a9..ea2f58fcc1 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -301,9 +301,10 @@ func (d Xtables) ebtablesCmd() string {
// InstanceClearBridgeFilter removes any filter rules that were added to apply
bridged device IP filtering.
func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName
string, deviceName string, parentName string, hostName string, hwAddr string,
IPv4 net.IP, IPv6 net.IP) error {
comment := d.instanceDeviceIPTablesComment(projectName, instanceName,
deviceName)
+ ebtablesCmd := d.ebtablesCmd()
// Get a current list of rules active on the host.
- out, err := shared.RunCommand("ebtables", "--concurrent", "-L",
"--Lmac2", "--Lx")
+ out, err := shared.RunCommand(ebtablesCmd, "--concurrent", "-L",
"--Lmac2", "--Lx")
if err != nil {
return fmt.Errorf("Failed to get a list of network filters to
for %q: %v", deviceName, err)
}
@@ -314,7 +315,7 @@ func (d Xtables) InstanceClearBridgeFilter(projectName
string, instanceName stri
errs := []error{}
// Iterate through each active rule on the host and try and match it to
one the LXD rules.
for _, line := range strings.Split(out, "\n") {
- line = strings.TrimSpace(line)
+ line = strings.TrimPrefix(strings.TrimSpace(line), "ebtables ")
// Remove command from the output.
fields := strings.Fields(line)
fieldsLen := len(fields)
@@ -331,7 +332,7 @@ func (d Xtables) InstanceClearBridgeFilter(projectName
string, instanceName stri
// If we get this far, then the current host rule
matches one of our LXD
// rules, so we should run the modified command to
delete it.
- _, err = shared.RunCommand(fields[0],
append([]string{"--concurrent"}, fields[1:]...)...)
+ _, err = shared.RunCommand(ebtablesCmd,
append([]string{"--concurrent"}, fields...)...)
if err != nil {
errs = append(errs, err)
}
From 7ccd9c09dab00b76fa30ea1065d921f26cddc6c0 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Wed, 20 May 2020 11:20:15 +0100
Subject: [PATCH 4/5] lxd/firewall/drivers/drivers/xtables: Updates
generateFilterEbtablesRules to support multiple ebtables commands
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
lxd/firewall/drivers/drivers_xtables.go | 42 ++++++++++++-------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/lxd/firewall/drivers/drivers_xtables.go
b/lxd/firewall/drivers/drivers_xtables.go
index ea2f58fcc1..6eb0710073 100644
--- a/lxd/firewall/drivers/drivers_xtables.go
+++ b/lxd/firewall/drivers/drivers_xtables.go
@@ -449,31 +449,31 @@ func (d Xtables) generateFilterEbtablesRules(hostName
string, hwAddr string, IPv
// MAC source filtering rules. Block any packet coming from instance
with an incorrect Ethernet source MAC.
// This is required for IP filtering too.
rules := [][]string{
- {"ebtables", "-t", "filter", "-A", "INPUT", "-s", "!", hwAddr,
"-i", hostName, "-j", "DROP"},
- {"ebtables", "-t", "filter", "-A", "FORWARD", "-s", "!",
hwAddr, "-i", hostName, "-j", "DROP"},
+ {"-t", "filter", "-A", "INPUT", "-s", "!", hwAddr, "-i",
hostName, "-j", "DROP"},
+ {"-t", "filter", "-A", "FORWARD", "-s", "!", hwAddr, "-i",
hostName, "-j", "DROP"},
}
if IPv4 != nil {
if IPv4.String() == FilterIPv4All {
rules = append(rules,
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "ARP", "-i", hostName, "-j", "DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "ARP", "-i", hostName, "-j", "DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv4", "-i", hostName, "-j", "DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "IPv4", "-i", hostName, "-j", "DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"ARP", "-i", hostName, "-j", "DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"ARP", "-i", hostName, "-j", "DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv4", "-i", hostName, "-j", "DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"IPv4", "-i", hostName, "-j", "DROP"},
)
} else {
rules = append(rules,
// Prevent ARP MAC spoofing (prevents the
instance poisoning the ARP cache of its neighbours with a MAC address that
isn't its own).
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j",
"DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"},
// Prevent ARP IP spoofing (prevents the
instance redirecting traffic for IPs that are not its own).
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(),
"-j", "DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"},
// Allow DHCPv4 to the host only. This must
come before the IP source filtering rules below.
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv4", "-s", hwAddr, "-i", hostName, "--ip-src", "0.0.0.0",
"--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j",
"ACCEPT"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv4", "-s", hwAddr, "-i", hostName, "--ip-src", "0.0.0.0", "--ip-dst",
"255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", "ACCEPT"},
// IP source filtering rules. Blocks any packet
coming from instance with an incorrect IP source address.
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j",
"DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"},
)
}
}
@@ -481,20 +481,20 @@ func (d Xtables) generateFilterEbtablesRules(hostName
string, hwAddr string, IPv
if IPv6 != nil {
if IPv6.String() == FilterIPv6All {
rules = append(rules,
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "IPv6", "-i", hostName, "-j", "DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv6", "-i", hostName, "-j", "DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"IPv6", "-i", hostName, "-j", "DROP"},
)
} else {
rules = append(rules,
// Allow DHCPv6 and Router Solicitation to the
host only. This must come before the IP source filtering rules below.
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src",
"fe80::/ffc0::", "--ip6-dst",
"ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp",
"--ip6-dport", "547", "-j", "ACCEPT"},
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src",
"fe80::/ffc0::", "--ip6-dst",
"ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp",
"--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::",
"--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
"--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::",
"--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto",
"ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"},
// IP source filtering rules. Blocks any packet
coming from instance with an incorrect IP source address.
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv6", "-i", hostName, "--ip6-src", "!",
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j",
"DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-src", "!",
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j",
"DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv6", "-i", hostName, "--ip6-src", "!",
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j",
"DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"IPv6", "-i", hostName, "--ip6-src", "!",
fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j",
"DROP"},
// Block any IPv6 router advertisement packets
from instance.
- []string{"ebtables", "-t", "filter", "-A",
"INPUT", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp",
"--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
- []string{"ebtables", "-t", "filter", "-A",
"FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp",
"--ip6-icmp-type", "router-advertisement", "-j", "DROP"},
+ []string{"-t", "filter", "-A", "INPUT", "-p",
"IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type",
"router-advertisement", "-j", "DROP"},
+ []string{"-t", "filter", "-A", "FORWARD", "-p",
"IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type",
"router-advertisement", "-j", "DROP"},
)
}
}
From fe7d069c07d7b72207418ff83eba1e5b3b1287b3 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Wed, 20 May 2020 11:20:37 +0100
Subject: [PATCH 5/5] test: Updates NIC bridged filtering tests to support
ebtables-legacy
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
...container_devices_nic_bridged_filtering.sh | 53 +++++++++++--------
1 file changed, 30 insertions(+), 23 deletions(-)
diff --git a/test/suites/container_devices_nic_bridged_filtering.sh
b/test/suites/container_devices_nic_bridged_filtering.sh
index 3828f9ec61..344c06e6c4 100644
--- a/test/suites/container_devices_nic_bridged_filtering.sh
+++ b/test/suites/container_devices_nic_bridged_filtering.sh
@@ -9,6 +9,13 @@ test_container_devices_nic_bridged_filtering() {
false
fi
+ ebtablesCmd="ebtables"
+ if [ "$firewallDriver" = "xtables" ]; then
+ if which "ebtables-legacy"; then
+ ebtablesCmd="ebtables-legacy"
+ fi
+ fi
+
ctPrefix="nt$$"
brName="lxdt$$"
@@ -61,7 +68,7 @@ test_container_devices_nic_bridged_filtering() {
# Check MAC filter is present in firewall.
ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name)
if [ "$firewallDriver" = "xtables" ]; then
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i
${ctAHost} -j DROP" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s !
${ctAMAC} -i ${ctAHost} -j DROP" ; then
echo "MAC filter not applied as part of mac_filtering in ebtables"
false
fi
@@ -111,7 +118,7 @@ test_container_devices_nic_bridged_filtering() {
# Stop CT A and check filters are cleaned up.
lxc stop -f "${ctPrefix}A"
if [ "$firewallDriver" = "xtables" ]; then
- if ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i
${ctAHost} -j DROP" ; then
+ if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC}
-i ${ctAHost} -j DROP" ; then
echo "MAC filter still applied as part of mac_filtering in ebtables"
false
fi
@@ -140,11 +147,11 @@ test_container_devices_nic_bridged_filtering() {
# Check MAC and IPv4 filter is present in firewall.
ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name)
if [ "$firewallDriver" = "xtables" ]; then
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i
${ctAHost} -j DROP" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s !
${ctAMAC} -i ${ctAHost} -j DROP" ; then
echo "MAC filter not applied as part of ipv4_filtering in ebtables"
false
fi
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ;
then
echo "IPv4 filter not applied as part of ipv4_filtering in ebtables"
false
fi
@@ -199,7 +206,7 @@ test_container_devices_nic_bridged_filtering() {
# Stop CT A and check filters are cleaned up in firewall.
lxc stop -f "${ctPrefix}A"
if [ "$firewallDriver" = "xtables" ]; then
- if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+ if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ;
then
echo "IPv4 filter still applied as part of ipv4_filtering in ebtables"
false
fi
@@ -278,7 +285,7 @@ test_container_devices_nic_bridged_filtering() {
macHex=$(echo "${ctAMAC}" |sed "s/://g")
if [ "$firewallDriver" = "xtables" ]; then
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i
${ctAHost} -j DROP" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s !
${ctAMAC} -i ${ctAHost} -j DROP" ; then
echo "MAC filter not applied as part of ipv6_filtering in ebtables"
false
fi
@@ -296,13 +303,13 @@ test_container_devices_nic_bridged_filtering() {
fi
# Check IPv6 filter is present in ebtables.
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2"
; then
echo "IPv6 filter not applied as part of ipv6_filtering in ebtables"
false
fi
# Check IPv6 RA filter is present in ebtables.
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-i ${ctAHost}
--ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-i
${ctAHost} --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP"
; then
echo "IPv6 RA filter not applied as part of ipv6_filtering in ebtables"
false
fi
@@ -378,7 +385,7 @@ test_container_devices_nic_bridged_filtering() {
# Stop CT A and check filters are cleaned up.
lxc stop -f "${ctPrefix}A"
if [ "$firewallDriver" = "xtables" ]; then
- if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+ if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ;
then
echo "IPv6 filter still applied as part of ipv6_filtering in ebtables"
false
fi
@@ -459,7 +466,7 @@ test_container_devices_nic_bridged_filtering() {
if [ "$firewallDriver" = "xtables" ]; then
# Check MAC filter is present in ebtables.
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i
${ctAHost} -j DROP" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s !
${ctAMAC} -i ${ctAHost} -j DROP" ; then
echo "MAC filter not applied as part of ipv4_filtering in ebtables"
false
fi
@@ -471,13 +478,13 @@ test_container_devices_nic_bridged_filtering() {
fi
# Check IPv4 filter is present in ebtables.
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ;
then
echo "IPv4 filter not applied as part of ipv4_filtering in ebtables"
false
fi
# Check IPv6 filter is present in ebtables.
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2"
; then
echo "IPv6 filter not applied as part of ipv6_filtering in ebtables"
false
fi
@@ -529,7 +536,7 @@ test_container_devices_nic_bridged_filtering() {
# Delete container and check filters are cleaned up.
lxc delete -f "${ctPrefix}A"
if [ "$firewallDriver" = "xtables" ]; then
- if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+ if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ;
then
echo "ebtables filter still applied after delete"
false
fi
@@ -560,7 +567,7 @@ test_container_devices_nic_bridged_filtering() {
ctAMAC=$(lxc config get "${ctPrefix}A" volatile.eth0.hwaddr)
if [ "$firewallDriver" = "xtables" ]; then
- if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i
${ctAHost} -j DROP" ; then
+ if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s !
${ctAMAC} -i ${ctAHost} -j DROP" ; then
echo "MAC ebtables filter not applied as part of mac_filtering in
ebtables"
false
fi
@@ -589,8 +596,8 @@ test_container_devices_nic_bridged_filtering() {
# Stop container and check filters are cleaned up.
lxc stop -f "${ctPrefix}A"
if [ "$firewallDriver" = "xtables" ]; then
- if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
- echo "MAC filter still applied as part of mac_filtering in ebtables"
+ if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ;
then
+ echo "MAC filter still applied as part of unmanaged bridge
mac_filtering in ebtables"
false
fi
else
@@ -625,12 +632,12 @@ test_container_devices_nic_bridged_filtering() {
ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name)
if [ "$firewallDriver" = "xtables" ]; then
- ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p ARP -i
${ctAHost} -j DROP"
- ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p ARP -i
${ctAHost} -j DROP"
- ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv4 -i
${ctAHost} -j DROP"
- ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv4 -i
${ctAHost} -j DROP"
- ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv6 -i
${ctAHost} -j DROP"
- ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv6 -i
${ctAHost} -j DROP"
+ "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p ARP
-i ${ctAHost} -j DROP"
+ "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p ARP
-i ${ctAHost} -j DROP"
+ "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv4
-i ${ctAHost} -j DROP"
+ "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p
IPv4 -i ${ctAHost} -j DROP"
+ "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv6
-i ${ctAHost} -j DROP"
+ "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p
IPv6 -i ${ctAHost} -j DROP"
else
for table in "in" "fwd"
do
@@ -643,7 +650,7 @@ test_container_devices_nic_bridged_filtering() {
# Delete container and check filters are cleaned up.
lxc delete -f "${ctPrefix}A"
if [ "$firewallDriver" = "xtables" ]; then
- if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then
+ if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ;
then
echo "Filters still applied as part of IP filter in ebtables"
false
fi
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
