Supporting other L4 protocols other than the l3_protocols
Hi,
I was trying to enable VRRP, which is protocol 112 over IP (well, at least in my case :). I've read all documentation I could find: https://libvirt.org/formatnwfilter.html#ipv4 ... which states I should be able to just do:
  <rule action='accept' direction='inout'>
    <ip protocol='112'/>
  </rule>
(and at the end a "drop all" will follow). However, any entry of seems to be ignored and not translated into an iptables rule. I'd expect to see the equivalent of:
iptables -A FI-vnet0 -p 112 -j RETURN
iptables -A FO-vnet0 -p 112 -j RETURN
... etc.
So, I've decided to have a look at the code, and indeed I see no coverage for VIR_NWFILTER_RULE_PROTOCOL_IP in _iptablesCreateRuleInstance() - there is, indeed, for ebtablesCreateRuleInstance(), but that won't be enough if there's a "drop all" rule at the end of the ruleset. My understanding is that at some point the rule should enter _iptablesCreateRuleInstance() for materialization, however I should also be receiving a "VIR_ERR_INTERNAL_ERROR/Unexpected protocol" and I'm not, so maybe I got it all wrong :)
I confess my knowledge of libvirt's code is now approx. 30min old from reading it, and I'm wondering if I'm just not missing something here, as I find it very odd that I cannot find anyone reporting this. Supporting this generic rule will allow for good flexibility (and possibly interim solutions while support for new protocols is developed).
I've checked "git log" and could not find any previous implementation that would have covered it either... confusing, especially when the documentation is so clear about it, and the implementation looks like little more than a repetition of what is there already (in terms of using ipAttributes, validation, etc, but inside the iptables relevant block).
Am I missing something? Can this be implemented, or is it definitely going to clash with something that I'm missing right now?
For an experienced libvirt developer this should be mostly copy&paste from another section in the file, I suppose, but I may be able to help.
I'm currently running libvirt-4.5.0-33.el7_8.1.x86_64, but looking at the git repo (411cbe71).
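The comparison the post makes by eye can be scripted. This is an added example, not part of the original post and not libvirt code. It lists `<ip protocol=…>` accept rules with direction 'inout' that have no matching `-p … -j RETURN` entry in the FI-/FO- chains named in the post. The filter name, the `iptables -S` dumps and all function names are constructed for illustration, and the expected rule form is the one the poster gives.

```python
import xml.etree.ElementTree as ET

# IANA numbers for names iptables may print in place of the number.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "vrrp": 112}

# Constructed filter: the rule from the post followed by a drop-all.
SAMPLE_FILTER = """
<filter name='allow-vrrp'>
  <rule action='accept' direction='inout'><ip protocol='112'/></rule>
  <rule action='drop' direction='inout'><all/></rule>
</filter>
"""
# Constructed `iptables -S` dumps: rule silently ignored vs. rule installed.
DUMP_MISSING = "-A FI-vnet0 -j DROP\n-A FO-vnet0 -j DROP\n"
DUMP_PRESENT = ("-A FI-vnet0 -p vrrp -j RETURN\n-A FO-vnet0 -p 112 -j RETURN\n"
                "-A FI-vnet0 -j DROP\n-A FO-vnet0 -j DROP\n")

def proto_number(token):
    """Map '112' or 'vrrp' to 112; unknown names give None."""
    token = token.lower()
    return int(token) if token.isdigit() else PROTO_NAMES.get(token)

def wanted_protocols(filter_xml):
    """Protocol numbers accepted by <ip protocol=...> rules, direction 'inout'."""
    wanted = set()
    for rule in ET.fromstring(filter_xml).iter("rule"):
        if rule.get("action") != "accept" or rule.get("direction") != "inout":
            continue  # other directions skipped: the post gives no chain mapping
        for ip in rule.findall("ip"):
            num = proto_number(ip.get("protocol") or "")
            if num is not None:
                wanted.add(num)
    return wanted

def installed_returns(dump):
    """(chain, protocol number) pairs for '-A <chain> ... -p X ... -j RETURN' lines."""
    found = set()
    for line in dump.splitlines():
        w = line.split()
        if len(w) < 2 or w[0] != "-A" or "-p" not in w[:-1] or "-j" not in w[:-1]:
            continue
        if w[w.index("-j") + 1] == "RETURN":
            found.add((w[1], proto_number(w[w.index("-p") + 1])))
    return found

def missing_rules(filter_xml, dump, iface):
    """Expected (chain, protocol) pairs absent from the dump, sorted."""
    have = installed_returns(dump)
    expected = {(f"{prefix}-{iface}", num)
                for num in wanted_protocols(filter_xml) for prefix in ("FI", "FO")}
    return sorted(expected - have)
```

A non-empty result from `missing_rules(SAMPLE_FILTER, DUMP_MISSING, "vnet0")` corresponds to the situation described in the post, where the rule is accepted in the XML but never reaches iptables.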