/*
* viriptables.h: helper APIs for managing iptables
*
* Copyright (C) 2007, 2008 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#pragma once
#include "virsocketaddr.h"
#include "virfirewall.h"
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
/*
 * iptablesSetupPrivateChains:
 * @layer: firewall layer whose builtin chains receive the links to
 *         libvirt's private chains
 *
 * Create libvirt's private chains and link them from the builtin
 * INPUT/OUTPUT/FORWARD/POSTROUTING chains. Per the commit message
 * accompanying this declaration the private chains are LIBVIRT_INP,
 * LIBVIRT_OUT, LIBVIRT_FWX, LIBVIRT_FWO, LIBVIRT_FWI (filter table) and
 * LIBVIRT_PRT (nat & mangle). Keeping libvirt's rules out of the builtin
 * chains lets an admin insert their own rules ahead of them and makes
 * cleanup a matter of flushing the private chains.
 *
 * Returns: an int status. NOTE(review): the exact success/failure
 * values are not visible in this header — confirm against the
 * definition before relying on a particular convention.
 */
int iptablesSetupPrivateChains (virFirewallLayer layer);
util: create private chains for virtual network firewall rules
Historically firewall rules for virtual networks were added straight
into the base chains. This works but has a number of bugs and design
limitations:
- It is inflexible for admins wanting to add extra rules ahead
of libvirt's rules, via hook scripts.
- It is not clear to the admin that the rules were created by
libvirt
- Each rule must be deleted by libvirt individually since they
are all directly in the builtin chains
- The ordering of rules in the forward chain is incorrect
when multiple networks are created, allowing traffic to
mistakenly flow between networks in one direction.
To address all of these problems, libvirt needs to move to creating
rules in its own private chains. In the top level builtin chains,
libvirt will add links to its own private top level chains.
Addressing the traffic ordering bug requires some extra steps. With
everything going into the FORWARD chain there was interleaving of rules
for outbound traffic and inbound traffic for each network:
-A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
The rule allowing outbound traffic from virbr1 would mistakenly
allow packets from virbr1 to virbr0, before the rule denying input
to virbr0 gets a chance to run.
What we really need to do is group the forwarding rules into three
distinct sets:
* Cross rules - LIBVIRT_FWX
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
* Incoming rules - LIBVIRT_FWI
-A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
* Outgoing rules - LIBVIRT_FWO
-A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
There is thus no risk of outgoing rules for one network mistakenly
allowing incoming traffic for another network, as all incoming rules
are evaluated first.
With this in mind, we'll thus need three distinct chains linked from
the FORWARD chain, so we end up with:
INPUT --> LIBVIRT_INP (filter)
OUTPUT --> LIBVIRT_OUT (filter)
FORWARD +-> LIBVIRT_FWX (filter)
+-> LIBVIRT_FWO
\-> LIBVIRT_FWI
POSTROUTING --> LIBVIRT_PRT (nat & mangle)
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
/*
 * iptablesSetDeletePrivate:
 * @pvt: flag controlling how libvirt's private chains are handled
 *       on rule removal
 *
 * NOTE(review): only the prototype is visible here. The name suggests
 * this toggles whether removal operations target the private chains
 * created by iptablesSetupPrivateChains rather than the builtin chains;
 * confirm against the definition before documenting further. Being a
 * process-wide setter, callers should establish the value once at
 * startup rather than flipping it per rule.
 */
void iptablesSetDeletePrivate (bool pvt);
/*
 * iptablesAddTcpInput:
 * @fw: firewall transaction the rule is added to
 * @layer: firewall layer the rule belongs to
 * @iface: interface the rule matches on
 * @port: TCP port the rule matches on
 *
 * Add a rule for inbound TCP traffic to @port arriving on @iface (as the
 * name indicates; the exact match/target is defined in viriptables.c).
 * NOTE(review): the rule is presumably queued on @fw and only takes
 * effect when that transaction is applied, not at call time — verify.
 * Nothing in this declaration constrains @port to 0..65535; validation
 * must happen in the implementation or the caller.
 */
void iptablesAddTcpInput (virFirewallPtr fw,
                          virFirewallLayer layer,
                          const char *iface,
                          int port);
/*
 * iptablesRemoveTcpInput:
 * @fw: firewall transaction the removal is added to
 * @layer: firewall layer the rule belongs to
 * @iface: interface the rule matches on
 * @port: TCP port the rule matches on
 *
 * Remove the inbound TCP rule for @port on @iface. The parameters mirror
 * iptablesAddTcpInput, so callers must pass the same @layer, @iface and
 * @port they used when adding; NOTE(review): that the removal matches the
 * added rule exactly is inferred from the parallel signature — confirm.
 */
void iptablesRemoveTcpInput (virFirewallPtr fw,
                             virFirewallLayer layer,
                             const char *iface,
                             int port);
/*
 * iptablesAddUdpInput:
 * @fw: firewall transaction the rule is added to
 * @layer: firewall layer the rule belongs to
 * @iface: interface the rule matches on
 * @port: UDP port the rule matches on
 *
 * Add a rule for inbound UDP traffic to @port arriving on @iface (as the
 * name indicates; the exact match/target is defined in viriptables.c).
 * NOTE(review): presumably queued on @fw rather than applied immediately —
 * verify. @port is a plain int; range checking is not visible here.
 */
void iptablesAddUdpInput (virFirewallPtr fw,
                          virFirewallLayer layer,
                          const char *iface,
                          int port);
/*
 * iptablesRemoveUdpInput:
 * @fw: firewall transaction the removal is added to
 * @layer: firewall layer the rule belongs to
 * @iface: interface the rule matches on
 * @port: UDP port the rule matches on
 *
 * Remove the inbound UDP rule for @port on @iface. Parameters mirror
 * iptablesAddUdpInput; pass the same values used when the rule was added.
 */
void iptablesRemoveUdpInput (virFirewallPtr fw,
                             virFirewallLayer layer,
                             const char *iface,
                             int port);
/*
 * iptablesAddUdpOutput:
 * @fw: firewall transaction the rule is added to
 * @layer: firewall layer the rule belongs to
 * @iface: interface the rule matches on
 * @port: UDP port the rule matches on
 *
 * Add a rule for outbound UDP traffic to @port leaving via @iface (as the
 * name indicates; the exact match/target is defined in viriptables.c).
 * NOTE(review): presumably queued on @fw rather than applied immediately —
 * verify.
 */
void iptablesAddUdpOutput (virFirewallPtr fw,
                           virFirewallLayer layer,
                           const char *iface,
                           int port);
/*
 * iptablesRemoveUdpOutput:
 * @fw: firewall transaction the removal is added to
 * @layer: firewall layer the rule belongs to
 * @iface: interface the rule matches on
 * @port: UDP port the rule matches on
 *
 * Remove the outbound UDP rule for @port on @iface. Parameters mirror
 * iptablesAddUdpOutput; pass the same values used when the rule was added.
 */
void iptablesRemoveUdpOutput (virFirewallPtr fw,
                              virFirewallLayer layer,
                              const char *iface,
                              int port);
/*
 * iptablesAddForwardAllowOut:
 * @fw: firewall transaction the rule is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @iface: bridge interface the traffic enters on
 * @physdev: physical device the traffic leaves through
 *
 * Add the FORWARD rule allowing traffic sourced from @netaddr/@prefix
 * arriving on @iface to be forwarded out. The commit message on this page
 * places outgoing rules in the LIBVIRT_FWO chain, evaluated only after all
 * incoming rules (LIBVIRT_FWI); that ordering is what stops one network's
 * outgoing ACCEPT from admitting traffic into another network.
 *
 * NOTE(review): @netaddr is not const-qualified; if the implementation
 * only reads it, `const virSocketAddr *` would document that. Whether
 * @physdev may be NULL is not visible here — confirm before passing NULL.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesAddForwardAllowOut (virFirewallPtr fw,
                                virSocketAddr *netaddr,
                                unsigned int prefix,
                                const char *iface,
                                const char *physdev)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesRemoveForwardAllowOut:
 * @fw: firewall transaction the removal is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @iface: bridge interface the traffic enters on
 * @physdev: physical device the traffic leaves through
 *
 * Remove the rule added by iptablesAddForwardAllowOut; the parameters
 * mirror that function and must match the values used when adding.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesRemoveForwardAllowOut (virFirewallPtr fw,
                                   virSocketAddr *netaddr,
                                   unsigned int prefix,
                                   const char *iface,
                                   const char *physdev)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesAddForwardAllowRelatedIn:
 * @fw: firewall transaction the rule is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @iface: bridge interface the traffic is forwarded out on
 * @physdev: physical device the traffic arrives from
 *
 * Add the FORWARD rule allowing inbound traffic to @netaddr/@prefix via
 * @iface when it belongs to an existing connection. The commit message on
 * this page shows the corresponding rule as a conntrack match on
 * RELATED,ESTABLISHED with target ACCEPT, grouped into LIBVIRT_FWI so it
 * is evaluated before any network's outgoing rules.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
                                     virSocketAddr *netaddr,
                                     unsigned int prefix,
                                     const char *iface,
                                     const char *physdev)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesRemoveForwardAllowRelatedIn:
 * @fw: firewall transaction the removal is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @iface: bridge interface the traffic is forwarded out on
 * @physdev: physical device the traffic arrives from
 *
 * Remove the rule added by iptablesAddForwardAllowRelatedIn; parameters
 * mirror that function and must match the values used when adding.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
                                        virSocketAddr *netaddr,
                                        unsigned int prefix,
                                        const char *iface,
                                        const char *physdev)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesAddForwardAllowIn:
 * @fw: firewall transaction the rule is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @iface: bridge interface the traffic is forwarded out on
 * @physdev: physical device the traffic arrives from
 *
 * Add the FORWARD rule allowing all inbound traffic to @netaddr/@prefix
 * via @iface, without the conntrack state restriction of
 * iptablesAddForwardAllowRelatedIn. This is the more permissive of the
 * two; which one a caller picks decides whether unsolicited inbound
 * connections reach the guests on @iface. Incoming rules are grouped in
 * LIBVIRT_FWI per the commit message on this page.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesAddForwardAllowIn (virFirewallPtr fw,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *iface,
                               const char *physdev)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesRemoveForwardAllowIn:
 * @fw: firewall transaction the removal is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @iface: bridge interface the traffic is forwarded out on
 * @physdev: physical device the traffic arrives from
 *
 * Remove the rule added by iptablesAddForwardAllowIn; parameters mirror
 * that function and must match the values used when adding.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesRemoveForwardAllowIn (virFirewallPtr fw,
                                  virSocketAddr *netaddr,
                                  unsigned int prefix,
                                  const char *iface,
                                  const char *physdev)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesAddForwardAllowCross:
 * @fw: firewall transaction the rule is added to
 * @layer: firewall layer the rule belongs to
 * @iface: bridge interface matched as both input and output device
 *
 * Add the FORWARD rule allowing traffic between guests on the same
 * bridge (the commit message on this page shows it as
 * `-i <iface> -o <iface> -j ACCEPT`, grouped into LIBVIRT_FWX). Because
 * both the in and out device are @iface, this rule cannot leak traffic
 * between different networks.
 */
void iptablesAddForwardAllowCross (virFirewallPtr fw,
                                   virFirewallLayer layer,
                                   const char *iface);
/*
 * iptablesRemoveForwardAllowCross:
 * @fw: firewall transaction the removal is added to
 * @layer: firewall layer the rule belongs to
 * @iface: bridge interface matched as both input and output device
 *
 * Remove the rule added by iptablesAddForwardAllowCross; pass the same
 * @layer and @iface used when adding.
 */
void iptablesRemoveForwardAllowCross (virFirewallPtr fw,
                                      virFirewallLayer layer,
                                      const char *iface);
/*
 * iptablesAddForwardRejectOut:
 * @fw: firewall transaction the rule is added to
 * @layer: firewall layer the rule belongs to
 * @iface: bridge interface the traffic enters on
 *
 * Add the catch-all FORWARD rule rejecting traffic entering on @iface
 * that no earlier allow rule accepted. The commit message on this page
 * shows it as `-i <iface> -j REJECT` in LIBVIRT_FWO; it must sit after
 * the network's iptablesAddForwardAllowOut rule, so the order in which
 * callers queue these on @fw matters.
 */
void iptablesAddForwardRejectOut (virFirewallPtr fw,
                                  virFirewallLayer layer,
                                  const char *iface);
/*
 * iptablesRemoveForwardRejectOut:
 * @fw: firewall transaction the removal is added to
 * @layer: firewall layer the rule belongs to
 * @iface: bridge interface the traffic enters on
 *
 * Remove the rule added by iptablesAddForwardRejectOut; pass the same
 * @layer and @iface used when adding.
 */
void iptablesRemoveForwardRejectOut (virFirewallPtr fw,
                                     virFirewallLayer layer,
                                     const char *iface);
/*
 * iptablesAddForwardRejectIn:
 * @fw: firewall transaction the rule is added to
 * @layer: firewall layer the rule belongs to
 * @iface: bridge interface the traffic would be forwarded out on
 *
 * Add the catch-all FORWARD rule rejecting traffic destined for @iface
 * that no earlier allow rule accepted. The commit message on this page
 * shows it as `-o <iface> -j REJECT` in LIBVIRT_FWI; it must be queued
 * after the network's AllowIn / AllowRelatedIn rules or those become
 * unreachable.
 */
void iptablesAddForwardRejectIn (virFirewallPtr fw,
                                 virFirewallLayer layer,
                                 const char *iface);
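/*
 * iptablesRemoveForwardRejectIn:
 * @fw: firewall transaction the removal is added to
 * @layer: firewall layer the rule belongs to
 * @iface: bridge interface the traffic would be forwarded out on
 *
 * Remove the rule added by iptablesAddForwardRejectIn; pass the same
 * @layer and @iface used when adding.
 *
 * The second parameter was spelled "layery" in the prototype, unlike
 * every sibling declaration in this header; it is "layer" here so the
 * declaration matches the rest of the API (prototype parameter names
 * carry no ABI meaning, so this is documentation-only for callers).
 */
void iptablesRemoveForwardRejectIn (virFirewallPtr fw,
                                    virFirewallLayer layer,
                                    const char *iface);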
/*
 * iptablesAddForwardMasquerade:
 * @fw: firewall transaction the rule is added to
 * @netaddr: network address of the virtual network being masqueraded
 * @prefix: prefix length qualifying @netaddr
 * @physdev: physical device the masqueraded traffic leaves through
 * @addr: address range used for the translated source
 * @port: port range used for the translated source
 * @protocol: protocol the rule is restricted to
 *
 * Add the POSTROUTING rule masquerading traffic from @netaddr/@prefix
 * (the commit message on this page places POSTROUTING rules in the
 * LIBVIRT_PRT chain of the nat & mangle tables).
 *
 * NOTE(review): whether @addr, @port, @physdev or @protocol may be NULL
 * (meaning "no restriction") is not visible in this header — confirm
 * against the definition. The address/port ranges are passed by
 * pointer; nothing here says whether they are copied or must outlive
 * @fw, so check ownership before using stack temporaries.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesAddForwardMasquerade (virFirewallPtr fw,
                                  virSocketAddr *netaddr,
                                  unsigned int prefix,
                                  const char *physdev,
                                  virSocketAddrRangePtr addr,
                                  virPortRangePtr port,
                                  const char *protocol)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesRemoveForwardMasquerade:
 * @fw: firewall transaction the removal is added to
 * @netaddr: network address of the virtual network being masqueraded
 * @prefix: prefix length qualifying @netaddr
 * @physdev: physical device the masqueraded traffic leaves through
 * @addr: address range used for the translated source
 * @port: port range used for the translated source
 * @protocol: protocol the rule is restricted to
 *
 * Remove the rule added by iptablesAddForwardMasquerade; the parameters
 * mirror that function and must match the values used when adding.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesRemoveForwardMasquerade (virFirewallPtr fw,
                                     virSocketAddr *netaddr,
                                     unsigned int prefix,
                                     const char *physdev,
                                     virSocketAddrRangePtr addr,
                                     virPortRangePtr port,
                                     const char *protocol)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesAddDontMasquerade:
 * @fw: firewall transaction the rule is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @physdev: physical device the traffic leaves through
 * @destaddr: destination address (string form) excluded from masquerading
 *
 * Add a POSTROUTING exception so traffic from @netaddr/@prefix to
 * @destaddr is not masqueraded (as the name indicates; the exact match
 * and target are defined in viriptables.c). Such exceptions must be
 * ordered before the matching iptablesAddForwardMasquerade rule to have
 * any effect, so callers should queue them first on @fw.
 *
 * NOTE(review): @destaddr is a raw string rather than a virSocketAddr,
 * unlike @netaddr; nothing here shows it being validated, so it should be
 * a pre-validated address/CIDR literal rather than arbitrary input.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesAddDontMasquerade (virFirewallPtr fw,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *physdev,
                               const char *destaddr)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesRemoveDontMasquerade:
 * @fw: firewall transaction the removal is added to
 * @netaddr: network address of the virtual network
 * @prefix: prefix length qualifying @netaddr
 * @physdev: physical device the traffic leaves through
 * @destaddr: destination address (string form) excluded from masquerading
 *
 * Remove the exception added by iptablesAddDontMasquerade; the parameters
 * mirror that function and must match the values used when adding.
 *
 * Returns: an int status that callers must check (ATTRIBUTE_RETURN_CHECK);
 * the exact values are not visible in this header.
 */
int iptablesRemoveDontMasquerade (virFirewallPtr fw,
                                  virSocketAddr *netaddr,
                                  unsigned int prefix,
                                  const char *physdev,
                                  const char *destaddr)
    ATTRIBUTE_RETURN_CHECK;
/*
 * iptablesAddOutputFixUdpChecksum:
 * @fw: firewall transaction the rule is added to
 * @iface: interface the rule matches on
 * @port: UDP port the rule matches on
 *
 * Add an OUTPUT rule for UDP traffic to @port on @iface whose purpose,
 * per the name, is to fix up the UDP checksum. NOTE(review): the table
 * and target used are not visible in this header — confirm against the
 * definition. Unlike the other Add* functions above this one takes no
 * virFirewallLayer argument, so it presumably applies to a single
 * address family; verify before using it for the other family.
 */
void iptablesAddOutputFixUdpChecksum (virFirewallPtr fw,
                                      const char *iface,
                                      int port);
/*
 * iptablesRemoveOutputFixUdpChecksum:
 * @fw: firewall transaction the removal is added to
 * @iface: interface the rule matches on
 * @port: UDP port the rule matches on
 *
 * Remove the rule added by iptablesAddOutputFixUdpChecksum; pass the
 * same @iface and @port used when adding.
 */
void iptablesRemoveOutputFixUdpChecksum (virFirewallPtr fw,
                                         const char *iface,
                                         int port);