File ae1232b2-CVE-2011-4600.patch of Package libvirt.openSUSE_12.1_Update

commit ae1232b298323dd7bef909426e2ebafa6bca9157
Author: Laine Stump <laine@redhat.com>
Date:   Tue Dec 6 15:13:50 2011 -0500

    network: don't add iptables rules for externally managed networks
    
    This patch addresses https://bugzilla.redhat.com/show_bug.cgi?id=760442
    
    When a network has any forward type other than route, nat or none, the
    network configuration should be done completely external to libvirt -
    libvirt only uses these types to allow configuring guests in a manner
    that isn't tied to a specific host (all the host-specific information,
    in particular interface names, port profile data, and bandwidth
    configuration is in the network definition, and the guest
    configuration only references it).
    
    Due to a bug in the bridge network driver, libvirt was adding iptables
    rules for networks with forward type='bridge' etc. any time libvirtd
    was restarted while one of these networks was active.
    
    This patch eliminates that error by only "reloading" iptables rules if
    forward type is route, nat, or none.

Index: libvirt-0.9.6/src/network/bridge_driver.c
===================================================================
--- libvirt-0.9.6.orig/src/network/bridge_driver.c
+++ libvirt-0.9.6/src/network/bridge_driver.c
@@ -1480,14 +1480,22 @@ networkReloadIptablesRules(struct networ
     VIR_INFO("Reloading iptables rules");
 
     for (i = 0 ; i < driver->networks.count ; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (virNetworkObjIsActive(driver->networks.objs[i])) {
-            networkRemoveIptablesRules(driver, driver->networks.objs[i]);
-            if (networkAddIptablesRules(driver, driver->networks.objs[i]) < 0) {
+        virNetworkObjPtr network = driver->networks.objs[i];
+
+        virNetworkObjLock(network);
+        if (virNetworkObjIsActive(network) &&
+            ((network->def->forwardType == VIR_NETWORK_FORWARD_NONE) ||
+             (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) ||
+             (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE))) {
+            /* Only the three L3 network types that are configured by libvirt
+             * need to have iptables rules reloaded.
+             */
+            networkRemoveIptablesRules(driver, network);
+            if (networkAddIptablesRules(driver, network) < 0) {
                 /* failed to add but already logged */
             }
         }
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(network);
     }
 }
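Review bot: The forward-type membership test in the new condition is an inline three-value list that decides whether libvirt owns a network's iptables rules, and it will drift from whatever the start/stop paths use to make the same decision; a `switch` on `network->def->forwardType` with an explicit `default:` (or a shared predicate used by both paths) keeps that ownership decision in one place and, if the field is declared with the enum type, lets the compiler flag a new VIR_NETWORK_FORWARD_* value that has not been classified. The remove-then-add sequence also means a failed networkAddIptablesRules leaves an active network with no rules; the comment says this is already logged, so the empty `if` body is only a style wart, but it reads more clearly as an explicit ignore than as an empty block. networkReloadIptablesRules begins outside the hunk; only the loop body is rewritten below.
```c
        virNetworkObjLock(network);
        if (virNetworkObjIsActive(network)) {
            switch (network->def->forwardType) {
            case VIR_NETWORK_FORWARD_NONE:
            case VIR_NETWORK_FORWARD_NAT:
            case VIR_NETWORK_FORWARD_ROUTE:
                /* Only the three L3 network types that are configured by
                 * libvirt need to have iptables rules reloaded. */
                networkRemoveIptablesRules(driver, network);
                if (networkAddIptablesRules(driver, network) < 0) {
                    /* failed to add but already logged */
                }
                break;
            default:
                /* forward type managed outside libvirt: no rules to touch */
                break;
            }
        }
        virNetworkObjUnlock(network);
```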
 