The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7394
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Avoids using the nftables ebtables partially implemented shim command. Fixes orphaned filter rules being left on Ubuntu Focal default installs that have iptables and ebtables (as an nftables) shim installed by default, and no nftables, meaning LXD uses iptables mode and expects the ebtables command to be fully implemented as per its manpage.
From f5b77bb0e22503fb852df9d7d5246f99ee42c379 Mon Sep 17 00:00:00 2001 From: Thomas Parrott <thomas.parr...@canonical.com> Date: Wed, 20 May 2020 11:17:57 +0100 Subject: [PATCH 1/5] lxd/firewall/drivers/drivers/xtables: Adds ebtablesCmd function Detects if ebtables-legacy command is available and prefers that over ebtables command, as this avoids using the partially implemented nftables ebtables shim command. Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com> --- lxd/firewall/drivers/drivers_xtables.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go index 836dfce32e..b519b1b6bb 100644 --- a/lxd/firewall/drivers/drivers_xtables.go +++ b/lxd/firewall/drivers/drivers_xtables.go @@ -286,6 +286,17 @@ func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName stri return nil } +// ebtablesCmd detects if the ebtables-legacy command is available, and uses that instead of the nftables ebtables +// shim command which isn't fully implemented. +func (d Xtables) ebtablesCmd() string { + _, err := exec.LookPath("ebtables-legacy") + if err == nil { + return "ebtables-legacy" + } + + return "ebtables" +} + // InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering. func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP) error { comment := d.instanceDeviceIPTablesComment(projectName, instanceName, deviceName) From d925b4ddb419f345d39e21303a176f3c9689e36e Mon Sep 17 00:00:00 2001 From: Thomas Parrott <thomas.parr...@canonical.com> Date: Wed, 20 May 2020 11:19:26 +0100 Subject: [PATCH 2/5] lxd/firewall/drivers/drivers/xtables: Updates InstanceSetupBridgeFilter to use ebtablesCmd() Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com> --- lxd/firewall/drivers/drivers_xtables.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go index b519b1b6bb..56b69802a9 100644 --- a/lxd/firewall/drivers/drivers_xtables.go +++ b/lxd/firewall/drivers/drivers_xtables.go @@ -257,10 +257,11 @@ func (d Xtables) instanceDeviceIPTablesComment(projectName string, instanceName // InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering. func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP) error { comment := d.instanceDeviceIPTablesComment(projectName, instanceName, deviceName) + ebtablesCmd := d.ebtablesCmd() rules := d.generateFilterEbtablesRules(hostName, hwAddr, IPv4, IPv6) for _, rule := range rules { - _, err := shared.RunCommand(rule[0], append([]string{"--concurrent"}, rule[1:]...)...) + _, err := shared.RunCommand(ebtablesCmd, append([]string{"--concurrent"}, rule...)...) if err != nil { return err } From 88a12537606f3d28f24923283fa0b9ccf92dc967 Mon Sep 17 00:00:00 2001 From: Thomas Parrott <thomas.parr...@canonical.com> Date: Wed, 20 May 2020 11:19:53 +0100 Subject: [PATCH 3/5] lxd/firewall/drivers/drivers/xtables: Updates InstanceClearBridgeFilter to use ebtablesCmd() Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com> --- lxd/firewall/drivers/drivers_xtables.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go index 56b69802a9..ea2f58fcc1 100644 --- a/lxd/firewall/drivers/drivers_xtables.go +++ b/lxd/firewall/drivers/drivers_xtables.go @@ -301,9 +301,10 @@ func (d Xtables) ebtablesCmd() string { // InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering. func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP) error { comment := d.instanceDeviceIPTablesComment(projectName, instanceName, deviceName) + ebtablesCmd := d.ebtablesCmd() // Get a current list of rules active on the host. - out, err := shared.RunCommand("ebtables", "--concurrent", "-L", "--Lmac2", "--Lx") + out, err := shared.RunCommand(ebtablesCmd, "--concurrent", "-L", "--Lmac2", "--Lx") if err != nil { return fmt.Errorf("Failed to get a list of network filters to for %q: %v", deviceName, err) } @@ -314,7 +315,7 @@ func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName stri errs := []error{} // Iterate through each active rule on the host and try and match it to one the LXD rules. for _, line := range strings.Split(out, "\n") { - line = strings.TrimSpace(line) + line = strings.TrimPrefix(strings.TrimSpace(line), "ebtables ") // Remove command from the output. fields := strings.Fields(line) fieldsLen := len(fields) @@ -331,7 +332,7 @@ func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName stri // If we get this far, then the current host rule matches one of our LXD // rules, so we should run the modified command to delete it. - _, err = shared.RunCommand(fields[0], append([]string{"--concurrent"}, fields[1:]...)...) + _, err = shared.RunCommand(ebtablesCmd, append([]string{"--concurrent"}, fields...)...) if err != nil { errs = append(errs, err) } From 7ccd9c09dab00b76fa30ea1065d921f26cddc6c0 Mon Sep 17 00:00:00 2001 From: Thomas Parrott <thomas.parr...@canonical.com> Date: Wed, 20 May 2020 11:20:15 +0100 Subject: [PATCH 4/5] lxd/firewall/drivers/drivers/xtables: Updates generateFilterEbtablesRules to support multiple ebtables commands Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com> --- lxd/firewall/drivers/drivers_xtables.go | 42 ++++++++++++------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/lxd/firewall/drivers/drivers_xtables.go b/lxd/firewall/drivers/drivers_xtables.go index ea2f58fcc1..6eb0710073 100644 --- a/lxd/firewall/drivers/drivers_xtables.go +++ b/lxd/firewall/drivers/drivers_xtables.go @@ -449,31 +449,31 @@ func (d Xtables) generateFilterEbtablesRules(hostName string, hwAddr string, IPv // MAC source filtering rules. Block any packet coming from instance with an incorrect Ethernet source MAC. // This is required for IP filtering too. rules := [][]string{ - {"ebtables", "-t", "filter", "-A", "INPUT", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"}, - {"ebtables", "-t", "filter", "-A", "FORWARD", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"}, + {"-t", "filter", "-A", "INPUT", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"}, + {"-t", "filter", "-A", "FORWARD", "-s", "!", hwAddr, "-i", hostName, "-j", "DROP"}, } if IPv4 != nil { if IPv4.String() == FilterIPv4All { rules = append(rules, - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "-j", "DROP"}, ) } else { rules = append(rules, // Prevent ARP MAC spoofing (prevents the instance poisoning the ARP cache of its neighbours with a MAC address that isn't its own). - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-mac-src", "!", hwAddr, "-j", "DROP"}, // Prevent ARP IP spoofing (prevents the instance redirecting traffic for IPs that are not its own). - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "ARP", "-i", hostName, "--arp-ip-src", "!", IPv4.String(), "-j", "DROP"}, // Allow DHCPv4 to the host only. This must come before the IP source filtering rules below. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-s", hwAddr, "-i", hostName, "--ip-src", "0.0.0.0", "--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", "ACCEPT"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv4", "-s", hwAddr, "-i", hostName, "--ip-src", "0.0.0.0", "--ip-dst", "255.255.255.255", "--ip-proto", "udp", "--ip-dport", "67", "-j", "ACCEPT"}, // IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "IPv4", "-i", hostName, "--ip-src", "!", IPv4.String(), "-j", "DROP"}, ) } } @@ -481,20 +481,20 @@ func (d Xtables) generateFilterEbtablesRules(hostName string, hwAddr string, IPv if IPv6 != nil { if IPv6.String() == FilterIPv6All { rules = append(rules, - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "-j", "DROP"}, ) } else { rules = append(rules, // Allow DHCPv6 and Router Solicitation to the host only. This must come before the IP source filtering rules below. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"}, - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::1:2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "udp", "--ip6-dport", "547", "-j", "ACCEPT"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-s", hwAddr, "-i", hostName, "--ip6-src", "fe80::/ffc0::", "--ip6-dst", "ff02::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-solicitation", "-j", "ACCEPT"}, // IP source filtering rules. Blocks any packet coming from instance with an incorrect IP source address. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-src", "!", fmt.Sprintf("%s/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", IPv6.String()), "-j", "DROP"}, // Block any IPv6 router advertisement packets from instance. - []string{"ebtables", "-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"}, - []string{"ebtables", "-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"}, + []string{"-t", "filter", "-A", "INPUT", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"}, + []string{"-t", "filter", "-A", "FORWARD", "-p", "IPv6", "-i", hostName, "--ip6-proto", "ipv6-icmp", "--ip6-icmp-type", "router-advertisement", "-j", "DROP"}, ) } } From fe7d069c07d7b72207418ff83eba1e5b3b1287b3 Mon Sep 17 00:00:00 2001 From: Thomas Parrott <thomas.parr...@canonical.com> Date: Wed, 20 May 2020 11:20:37 +0100 Subject: [PATCH 5/5] test: Updates NIC bridged filtering tests to support ebtables-legacy Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com> --- ...container_devices_nic_bridged_filtering.sh | 53 +++++++++++-------- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/test/suites/container_devices_nic_bridged_filtering.sh b/test/suites/container_devices_nic_bridged_filtering.sh index 3828f9ec61..344c06e6c4 100644 --- a/test/suites/container_devices_nic_bridged_filtering.sh +++ b/test/suites/container_devices_nic_bridged_filtering.sh @@ -9,6 +9,13 @@ test_container_devices_nic_bridged_filtering() { false fi + ebtablesCmd="ebtables" + if [ "$firewallDriver" = "xtables" ]; then + if which "ebtables-legacy"; then + ebtablesCmd="ebtables-legacy" + fi + fi + ctPrefix="nt$$" brName="lxdt$$" @@ -61,7 +68,7 @@ test_container_devices_nic_bridged_filtering() { # Check MAC filter is present in firewall. ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name) if [ "$firewallDriver" = "xtables" ]; then - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then echo "MAC filter not applied as part of mac_filtering in ebtables" false fi @@ -111,7 +118,7 @@ test_container_devices_nic_bridged_filtering() { # Stop CT A and check filters are cleaned up. lxc stop -f "${ctPrefix}A" if [ "$firewallDriver" = "xtables" ]; then - if ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then + if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then echo "MAC filter still applied as part of mac_filtering in ebtables" false fi @@ -140,11 +147,11 @@ test_container_devices_nic_bridged_filtering() { # Check MAC and IPv4 filter is present in firewall. ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name) if [ "$firewallDriver" = "xtables" ]; then - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then echo "MAC filter not applied as part of ipv4_filtering in ebtables" false fi - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then echo "IPv4 filter not applied as part of ipv4_filtering in ebtables" false fi @@ -199,7 +206,7 @@ test_container_devices_nic_bridged_filtering() { # Stop CT A and check filters are cleaned up in firewall. lxc stop -f "${ctPrefix}A" if [ "$firewallDriver" = "xtables" ]; then - if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then + if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then echo "IPv4 filter still applied as part of ipv4_filtering in ebtables" false fi @@ -278,7 +285,7 @@ test_container_devices_nic_bridged_filtering() { macHex=$(echo "${ctAMAC}" |sed "s/://g") if [ "$firewallDriver" = "xtables" ]; then - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then echo "MAC filter not applied as part of ipv6_filtering in ebtables" false fi @@ -296,13 +303,13 @@ test_container_devices_nic_bridged_filtering() { fi # Check IPv6 filter is present in ebtables. - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then echo "IPv6 filter not applied as part of ipv6_filtering in ebtables" false fi # Check IPv6 RA filter is present in ebtables. - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-i ${ctAHost} --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-i ${ctAHost} --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP" ; then echo "IPv6 RA filter not applied as part of ipv6_filtering in ebtables" false fi @@ -378,7 +385,7 @@ test_container_devices_nic_bridged_filtering() { # Stop CT A and check filters are cleaned up. lxc stop -f "${ctPrefix}A" if [ "$firewallDriver" = "xtables" ]; then - if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then + if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then echo "IPv6 filter still applied as part of ipv6_filtering in ebtables" false fi @@ -459,7 +466,7 @@ test_container_devices_nic_bridged_filtering() { if [ "$firewallDriver" = "xtables" ]; then # Check MAC filter is present in ebtables. - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then echo "MAC filter not applied as part of ipv4_filtering in ebtables" false fi @@ -471,13 +478,13 @@ test_container_devices_nic_bridged_filtering() { fi # Check IPv4 filter is present in ebtables. - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "192.0.2.2" ; then echo "IPv4 filter not applied as part of ipv4_filtering in ebtables" false fi # Check IPv6 filter is present in ebtables. - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "2001:db8::2" ; then echo "IPv6 filter not applied as part of ipv6_filtering in ebtables" false fi @@ -529,7 +536,7 @@ test_container_devices_nic_bridged_filtering() { # Delete container and check filters are cleaned up. lxc delete -f "${ctPrefix}A" if [ "$firewallDriver" = "xtables" ]; then - if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then + if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then echo "ebtables filter still applied after delete" false fi @@ -560,7 +567,7 @@ test_container_devices_nic_bridged_filtering() { ctAMAC=$(lxc config get "${ctPrefix}A" volatile.eth0.hwaddr) if [ "$firewallDriver" = "xtables" ]; then - if ! ebtables --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then + if ! "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-s ! ${ctAMAC} -i ${ctAHost} -j DROP" ; then echo "MAC ebtables filter not applied as part of mac_filtering in ebtables" false fi @@ -589,8 +596,8 @@ test_container_devices_nic_bridged_filtering() { # Stop container and check filters are cleaned up. lxc stop -f "${ctPrefix}A" if [ "$firewallDriver" = "xtables" ]; then - if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then - echo "MAC filter still applied as part of mac_filtering in ebtables" + if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then + echo "MAC filter still applied as part of unmanaged bridge mac_filtering in ebtables" false fi else @@ -625,12 +632,12 @@ test_container_devices_nic_bridged_filtering() { ctAHost=$(lxc config get "${ctPrefix}A" volatile.eth0.host_name) if [ "$firewallDriver" = "xtables" ]; then - ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p ARP -i ${ctAHost} -j DROP" - ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p ARP -i ${ctAHost} -j DROP" - ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv4 -i ${ctAHost} -j DROP" - ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv4 -i ${ctAHost} -j DROP" - ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv6 -i ${ctAHost} -j DROP" - ebtables --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv6 -i ${ctAHost} -j DROP" + "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p ARP -i ${ctAHost} -j DROP" + "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p ARP -i ${ctAHost} -j DROP" + "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv4 -i ${ctAHost} -j DROP" + "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv4 -i ${ctAHost} -j DROP" + "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A INPUT -p IPv6 -i ${ctAHost} -j DROP" + "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "-A FORWARD -p IPv6 -i ${ctAHost} -j DROP" else for table in "in" "fwd" do @@ -643,7 +650,7 @@ test_container_devices_nic_bridged_filtering() { # Delete container and check filters are cleaned up. lxc delete -f "${ctPrefix}A" if [ "$firewallDriver" = "xtables" ]; then - if ebtables --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then + if "${ebtablesCmd}" --concurrent -L --Lmac2 --Lx | grep -e "${ctAHost}" ; then echo "Filters still applied as part of IP filter in ebtables" false fi
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel