in security group, CS put a rule in ebtables filter table FORWARD chain to prevent user from changing VM mac address

util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac, '-j', 'DROP']) if user changes the VM mac address, all egress packet from the VM will be dropped, but the egress packet still contaminate the bridge cache with fake MAC, This patch moves the rule to ebtables nat table PREROUTING chain, then the egress packet with modified MAC will not contaminate the bridge cache. Anthony
2025-11-04 20:29:27 +01:00 · 2013-07-30 17:04:21 -07:00 · 2013-07-30 17:04:21 -07:00 · f1fb7c3efe
commit f1fb7c3efe
parent e4f8068ef1
2 changed files with 30 additions and 6 deletions
--- a/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
+++ b/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
@ -52,19 +52,34 @@ def apply_flows(bridge, this_vif_ofport, vif_ofports):
    pluginlib.add_flow(bridge, priority=1100,
                       nw_dst='224.0.0.0/24', actions=action)

+def clear_rules(vif):
+    try:
+        delcmd = "/sbin/ebtables -t nat -L PREROUTING | grep " + vif
+        delcmds = pluginlib.do_cmd(['/bin/bash', '-c', delcmd]).split('\n')
+        for cmd in delcmds:
+            try:
+                cmd = '/sbin/ebtables -t nat -D PREROUTING ' + cmd
+                pluginlib.do_cmd(['/bin/bash', '-c', cmd])
+            except:
+                pass
+    except:
+        pass
+

 def main(command, vif_raw):
    if command not in ('online', 'offline'):
        return
-    # Make sure the networking stack is not linux bridge!
-    net_stack = pluginlib.do_cmd(['cat', '/etc/xensource/network.conf'])
-    if net_stack.lower() == "bridge":
-        # Nothing to do here!
-        return

    vif_name, dom_id, vif_index = vif_raw.split('-')
    # validate vif and dom-id
    this_vif = "%s%s.%s" % (vif_name, dom_id, vif_index)
+    # Make sure the networking stack is not linux bridge!
+    net_stack = pluginlib.do_cmd(['cat', '/etc/xensource/network.conf'])
+    if net_stack.lower() == "bridge":
+        if command == 'offline':
+            clear_rules(this_vif)
+        # Nothing to do here!
+        return

    bridge = pluginlib.do_cmd([pluginlib.VSCTL_PATH, 'iface-to-br', this_vif])
    
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@ -486,6 +486,11 @@ def can_bridge_firewall(session, args):
    try:
        util.pread2(['ebtables', '-V'])
        util.pread2(['ipset', '-V'])
+        cmd = ['cat', '/etc/xensource/network.conf']
+        result = util.pread2(cmd)
+        if result.lower().strip() != "bridge":
+            return 'false'
+
    except:
        return 'false'

@ -749,7 +754,11 @@ def default_ebtables_antispoof_rules(vm_chain, vifs, vm_ip, vm_mac):
    try:
        for vif in vifs:
            # only allow source mac that belongs to the vm
-	    util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac,  '-j', 'DROP'])
+            try:
+                util.pread2(['ebtables', '-t', 'nat', '-I', 'PREROUTING', '-i', vif, '-s', '!' , vm_mac, '-j', 'DROP'])
+            except:
+                util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac,  '-j', 'DROP'])
+
            # do not allow fake dhcp responses
            util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-p', 'IPv4', '--ip-proto', 'udp', '--ip-dport', '68', '-j', 'DROP'])
            # do not allow snooping of dhcp requests