2013-07-24 12:22:54 +00:00
|
|
|
/*
|
|
|
|
|
* bridge_driver_linux.c: Linux implementation of bridge driver
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2006-2013 Red Hat, Inc.
|
|
|
|
|
* Copyright (C) 2006 Daniel P. Berrange
|
|
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
|
* License along with this library. If not, see
|
|
|
|
|
* <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
|
|
#include "viralloc.h"
|
|
|
|
|
#include "virfile.h"
|
|
|
|
|
#include "viriptables.h"
|
|
|
|
|
#include "virstring.h"
|
2014-02-28 12:16:17 +00:00
|
|
|
#include "virlog.h"
|
2014-03-06 17:01:13 +00:00
|
|
|
#include "virfirewall.h"
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_NONE
|
|
|
|
|
|
2014-02-28 12:16:17 +00:00
|
|
|
VIR_LOG_INIT("network.bridge_driver_linux");
|
|
|
|
|
|
2013-07-24 12:22:54 +00:00
|
|
|
#define PROC_NET_ROUTE "/proc/net/route"
|
|
|
|
|
|
2018-12-05 15:53:55 +00:00
|
|
|
int networkPreReloadFirewallRules(bool startup)
|
2018-12-05 13:29:07 +00:00
|
|
|
{
|
util: create private chains for virtual network firewall rules
Historically firewall rules for virtual networks were added straight
into the base chains. This works but has a number of bugs and design
limitations:
- It is inflexible for admins wanting to add extra rules ahead
of libvirt's rules, via hook scripts.
- It is not clear to the admin that the rules were created by
libvirt
- Each rule must be deleted by libvirt individually since they
are all directly in the builtin chains
- The ordering of rules in the forward chain is incorrect
when multiple networks are created, allowing traffic to
mistakenly flow between networks in one direction.
To address all of these problems, libvirt needs to move to creating
rules in its own private chains. In the top level builtin chains,
libvirt will add links to its own private top level chains.
Addressing the traffic ordering bug requires some extra steps. With
everything going into the FORWARD chain there was interleaving of rules
for outbound traffic and inbound traffic for each network:
-A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
The rule allowing outbound traffic from virbr1 would mistakenly
allow packets from virbr1 to virbr0, before the rule denying input
to virbr0 gets a chance to run.
What we really need todo is group the forwarding rules into three
distinct sets:
* Cross rules - LIBVIRT_FWX
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
* Incoming rules - LIBVIRT_FWI
-A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
* Outgoing rules - LIBVIRT_FWO
-A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
There is thus no risk of outgoing rules for one network mistakenly
allowing incoming traffic for another network, as all incoming rules
are evalated first.
With this in mind, we'll thus need three distinct chains linked from
the FORWARD chain, so we end up with:
INPUT --> LIBVIRT_INP (filter)
OUTPUT --> LIBVIRT_OUT (filter)
FORWARD +-> LIBVIRT_FWX (filter)
+-> LIBVIRT_FWO
\-> LIBVIRT_FWI
POSTROUTING --> LIBVIRT_PRT (nat & mangle)
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-10-31 19:33:21 +00:00
|
|
|
int ret = iptablesSetupPrivateChains();
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
return -1;
|
2018-12-05 15:53:55 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If this is initial startup, and we just created the
|
|
|
|
|
* top level private chains we either
|
|
|
|
|
*
|
|
|
|
|
* - upgraded from old libvirt
|
|
|
|
|
* - freshly booted from clean state
|
|
|
|
|
*
|
|
|
|
|
* In the first case we must delete the old rules from
|
|
|
|
|
* the built-in chains, instead of our new private chains.
|
|
|
|
|
* In the second case it doesn't matter, since no existing
|
|
|
|
|
* rules will be present. Thus we can safely just tell it
|
|
|
|
|
* to always delete from the builin chain
|
|
|
|
|
*/
|
|
|
|
|
if (startup && ret == 1)
|
|
|
|
|
iptablesSetDeletePrivate(false);
|
|
|
|
|
|
2018-12-05 13:29:07 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
2018-12-05 15:53:55 +00:00
|
|
|
iptablesSetDeletePrivate(true);
|
2018-12-05 13:29:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2013-07-24 12:22:54 +00:00
|
|
|
/* XXX: This function can be a lot more exhaustive, there are certainly
|
|
|
|
|
* other scenarios where we can ruin host network connectivity.
|
|
|
|
|
* XXX: Using a proper library is preferred over parsing /proc
|
|
|
|
|
*/
|
2014-03-19 16:56:35 +00:00
|
|
|
int networkCheckRouteCollision(virNetworkDefPtr def)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
|
|
|
|
int ret = 0, len;
|
|
|
|
|
char *cur, *buf = NULL;
|
|
|
|
|
/* allow for up to 100000 routes (each line is 128 bytes) */
|
|
|
|
|
enum {MAX_ROUTE_SIZE = 128*100000};
|
|
|
|
|
|
|
|
|
|
/* Read whole routing table into memory */
|
|
|
|
|
if ((len = virFileReadAll(PROC_NET_ROUTE, MAX_ROUTE_SIZE, &buf)) < 0)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/* Dropping the last character shouldn't hurt */
|
|
|
|
|
if (len > 0)
|
|
|
|
|
buf[len-1] = '\0';
|
|
|
|
|
|
|
|
|
|
VIR_DEBUG("%s output:\n%s", PROC_NET_ROUTE, buf);
|
|
|
|
|
|
|
|
|
|
if (!STRPREFIX(buf, "Iface"))
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/* First line is just headings, skip it */
|
|
|
|
|
cur = strchr(buf, '\n');
|
|
|
|
|
if (cur)
|
|
|
|
|
cur++;
|
|
|
|
|
|
|
|
|
|
while (cur) {
|
|
|
|
|
char iface[17], dest[128], mask[128];
|
|
|
|
|
unsigned int addr_val, mask_val;
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef;
|
2016-06-14 17:40:04 +00:00
|
|
|
virNetDevIPRoutePtr routedef;
|
2013-07-24 12:22:54 +00:00
|
|
|
int num;
|
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
|
|
/* NUL-terminate the line, so sscanf doesn't go beyond a newline. */
|
|
|
|
|
char *nl = strchr(cur, '\n');
|
2014-11-13 14:27:11 +00:00
|
|
|
if (nl)
|
2013-07-24 12:22:54 +00:00
|
|
|
*nl++ = '\0';
|
|
|
|
|
|
|
|
|
|
num = sscanf(cur, "%16s %127s %*s %*s %*s %*s %*s %127s",
|
|
|
|
|
iface, dest, mask);
|
|
|
|
|
cur = nl;
|
|
|
|
|
|
|
|
|
|
if (num != 3) {
|
|
|
|
|
VIR_DEBUG("Failed to parse %s", PROC_NET_ROUTE);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (virStrToLong_ui(dest, NULL, 16, &addr_val) < 0) {
|
|
|
|
|
VIR_DEBUG("Failed to convert network address %s to uint", dest);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (virStrToLong_ui(mask, NULL, 16, &mask_val) < 0) {
|
|
|
|
|
VIR_DEBUG("Failed to convert network mask %s to uint", mask);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
addr_val &= mask_val;
|
|
|
|
|
|
|
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipdef = virNetworkDefGetIPByIndex(def, AF_INET, i));
|
2013-07-24 12:22:54 +00:00
|
|
|
i++) {
|
|
|
|
|
|
|
|
|
|
unsigned int net_dest;
|
|
|
|
|
virSocketAddr netmask;
|
|
|
|
|
|
2016-06-08 16:48:50 +00:00
|
|
|
if (virNetworkIPDefNetmask(ipdef, &netmask) < 0) {
|
2013-07-24 12:22:54 +00:00
|
|
|
VIR_WARN("Failed to get netmask of '%s'",
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge);
|
2013-07-24 12:22:54 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
net_dest = (ipdef->address.data.inet4.sin_addr.s_addr &
|
|
|
|
|
netmask.data.inet4.sin_addr.s_addr);
|
|
|
|
|
|
|
|
|
|
if ((net_dest == addr_val) &&
|
|
|
|
|
(netmask.data.inet4.sin_addr.s_addr == mask_val)) {
|
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("Network is already in use by interface %s"),
|
|
|
|
|
iface);
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-07-09 13:53:25 +00:00
|
|
|
|
|
|
|
|
for (i = 0;
|
|
|
|
|
(routedef = virNetworkDefGetRouteByIndex(def, AF_INET, i));
|
|
|
|
|
i++) {
|
|
|
|
|
|
|
|
|
|
virSocketAddr r_mask, r_addr;
|
2016-06-14 17:40:04 +00:00
|
|
|
virSocketAddrPtr tmp_addr = virNetDevIPRouteGetAddress(routedef);
|
|
|
|
|
int r_prefix = virNetDevIPRouteGetPrefix(routedef);
|
2015-07-09 13:53:25 +00:00
|
|
|
|
|
|
|
|
if (!tmp_addr ||
|
|
|
|
|
virSocketAddrMaskByPrefix(tmp_addr, r_prefix, &r_addr) < 0 ||
|
|
|
|
|
virSocketAddrPrefixToNetmask(r_prefix, &r_mask, AF_INET) < 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if ((r_addr.data.inet4.sin_addr.s_addr == addr_val) &&
|
|
|
|
|
(r_mask.data.inet4.sin_addr.s_addr == mask_val)) {
|
|
|
|
|
char *addr_str = virSocketAddrFormat(&r_addr);
|
|
|
|
|
if (!addr_str)
|
|
|
|
|
virResetLastError();
|
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("Route address '%s' conflicts "
|
|
|
|
|
"with IP address for '%s'"),
|
|
|
|
|
NULLSTR(addr_str), iface);
|
|
|
|
|
VIR_FREE(addr_str);
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-25 06:56:13 +00:00
|
|
|
out:
|
2013-07-24 12:22:54 +00:00
|
|
|
VIR_FREE(buf);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-25 10:45:26 +00:00
|
|
|
static const char networkLocalMulticast[] = "224.0.0.0/24";
|
|
|
|
|
static const char networkLocalBroadcast[] = "255.255.255.255/32";
|
|
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
static int
|
2014-03-06 17:01:13 +00:00
|
|
|
networkAddMasqueradingFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def,
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2016-06-08 16:48:50 +00:00
|
|
|
int prefix = virNetworkIPDefPrefix(ipdef);
|
2014-03-19 16:56:35 +00:00
|
|
|
const char *forwardIf = virNetworkDefForwardIf(def, 0);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
if (prefix < 0) {
|
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("Invalid prefix or netmask for '%s'"),
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge);
|
2014-03-06 17:01:13 +00:00
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* allow forwarding packets from the bridge interface */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddForwardAllowOut(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
/* allow forwarding packets to the bridge interface if they are
|
|
|
|
|
* part of an existing connection
|
|
|
|
|
*/
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddForwardAllowRelatedIn(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Enable masquerading.
|
|
|
|
|
*
|
2013-09-25 10:45:26 +00:00
|
|
|
* We need to end up with 5 rules in the table in this order
|
|
|
|
|
*
|
|
|
|
|
* 1. do not masquerade packets targeting 224.0.0.0/24
|
|
|
|
|
* 2. do not masquerade packets targeting 255.255.255.255/32
|
|
|
|
|
* 3. masquerade protocol=tcp with sport mapping restriction
|
|
|
|
|
* 4. masquerade protocol=udp with sport mapping restriction
|
|
|
|
|
* 5. generic, masquerade any protocol
|
2013-07-24 12:22:54 +00:00
|
|
|
*
|
2013-09-25 10:45:26 +00:00
|
|
|
* 224.0.0.0/24 is the local network multicast range. Packets are not
|
|
|
|
|
* forwarded outside.
|
|
|
|
|
*
|
|
|
|
|
* 255.255.255.255/32 is the broadcast address of any local network. Again,
|
|
|
|
|
* such packets are never forwarded, but strict DHCP clients don't accept
|
|
|
|
|
* DHCP replies with changed source ports.
|
2013-07-24 12:22:54 +00:00
|
|
|
*
|
|
|
|
|
* The sport mappings are required, because default IPtables
|
|
|
|
|
* MASQUERADE maintain port numbers unchanged where possible.
|
|
|
|
|
*
|
|
|
|
|
* NFS can be configured to only "trust" port numbers < 1023.
|
|
|
|
|
*
|
|
|
|
|
* Guests using NAT thus need to be prevented from having port
|
|
|
|
|
* numbers < 1023, otherwise they can bypass the NFS "security"
|
|
|
|
|
* check on the source port number.
|
|
|
|
|
*
|
|
|
|
|
* Since we use '--insert' to add rules to the header of the
|
|
|
|
|
* chain, we actually need to add them in the reverse of the
|
|
|
|
|
* order just mentioned !
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* First the generic masquerade rule for other protocols */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddForwardMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-19 16:56:35 +00:00
|
|
|
&def->forward.addr,
|
|
|
|
|
&def->forward.port,
|
2014-03-06 17:01:13 +00:00
|
|
|
NULL) < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
/* UDP with a source port restriction */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddForwardMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-19 16:56:35 +00:00
|
|
|
&def->forward.addr,
|
|
|
|
|
&def->forward.port,
|
2014-03-06 17:01:13 +00:00
|
|
|
"udp") < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
/* TCP with a source port restriction */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddForwardMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-19 16:56:35 +00:00
|
|
|
&def->forward.addr,
|
|
|
|
|
&def->forward.port,
|
2014-03-06 17:01:13 +00:00
|
|
|
"tcp") < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2013-09-25 10:45:26 +00:00
|
|
|
/* exempt local network broadcast address as destination */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddDontMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-09-25 10:45:26 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-06 17:01:13 +00:00
|
|
|
networkLocalBroadcast) < 0)
|
|
|
|
|
return -1;
|
2013-09-25 10:45:26 +00:00
|
|
|
|
|
|
|
|
/* exempt local multicast range as destination */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddDontMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-09-25 10:45:26 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-06 17:01:13 +00:00
|
|
|
networkLocalMulticast) < 0)
|
|
|
|
|
return -1;
|
2013-09-25 10:45:26 +00:00
|
|
|
|
2013-07-24 12:22:54 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
static int
|
|
|
|
|
networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def,
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2016-06-08 16:48:50 +00:00
|
|
|
int prefix = virNetworkIPDefPrefix(ipdef);
|
2014-03-19 16:56:35 +00:00
|
|
|
const char *forwardIf = virNetworkDefForwardIf(def, 0);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
if (prefix < 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (iptablesRemoveDontMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-09-25 10:45:26 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-06 17:01:13 +00:00
|
|
|
networkLocalMulticast) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (iptablesRemoveDontMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-09-25 10:45:26 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-06 17:01:13 +00:00
|
|
|
networkLocalBroadcast) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (iptablesRemoveForwardMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-19 16:56:35 +00:00
|
|
|
&def->forward.addr,
|
|
|
|
|
&def->forward.port,
|
2014-03-06 17:01:13 +00:00
|
|
|
"tcp") < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (iptablesRemoveForwardMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-19 16:56:35 +00:00
|
|
|
&def->forward.addr,
|
|
|
|
|
&def->forward.port,
|
2014-03-06 17:01:13 +00:00
|
|
|
"udp") < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (iptablesRemoveForwardMasquerade(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
|
|
|
|
forwardIf,
|
2014-03-19 16:56:35 +00:00
|
|
|
&def->forward.addr,
|
|
|
|
|
&def->forward.port,
|
2014-03-06 17:01:13 +00:00
|
|
|
NULL) < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesRemoveForwardAllowRelatedIn(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (iptablesRemoveForwardAllowOut(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
return 0;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
static int
|
2014-03-06 17:01:13 +00:00
|
|
|
networkAddRoutingFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def,
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2016-06-08 16:48:50 +00:00
|
|
|
int prefix = virNetworkIPDefPrefix(ipdef);
|
2014-03-19 16:56:35 +00:00
|
|
|
const char *forwardIf = virNetworkDefForwardIf(def, 0);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
if (prefix < 0) {
|
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("Invalid prefix or netmask for '%s'"),
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge);
|
2014-03-06 17:01:13 +00:00
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* allow routing packets from the bridge interface */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddForwardAllowOut(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
/* allow routing packets to the bridge interface */
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesAddForwardAllowIn(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
static int
|
|
|
|
|
networkRemoveRoutingFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def,
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2016-06-08 16:48:50 +00:00
|
|
|
int prefix = virNetworkIPDefPrefix(ipdef);
|
2014-03-19 16:56:35 +00:00
|
|
|
const char *forwardIf = virNetworkDefForwardIf(def, 0);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
if (prefix < 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (iptablesRemoveForwardAllowIn(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
if (iptablesRemoveForwardAllowOut(fw,
|
|
|
|
|
&ipdef->address,
|
2013-07-24 12:22:54 +00:00
|
|
|
prefix,
|
2014-03-19 16:56:35 +00:00
|
|
|
def->bridge,
|
2014-03-06 17:01:13 +00:00
|
|
|
forwardIf) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
networkAddGeneralIPv4FirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2014-03-06 17:01:13 +00:00
|
|
|
{
|
|
|
|
|
size_t i;
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipv4def;
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
/* First look for first IPv4 address that has dhcp or tftpboot defined. */
|
|
|
|
|
/* We support dhcp config on 1 IPv4 interface only. */
|
|
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
|
2014-03-06 17:01:13 +00:00
|
|
|
i++) {
|
|
|
|
|
if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* allow DHCP requests through to dnsmasq */
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
|
|
|
|
|
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
|
|
|
|
|
iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
/* allow DNS requests through to dnsmasq */
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
|
|
|
|
|
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
/* allow TFTP requests through to dnsmasq if necessary */
|
|
|
|
|
if (ipv4def && ipv4def->tftproot)
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
/* Catch all rules to block forwarding to/from bridges */
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
|
|
|
|
|
iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
/* Allow traffic between guests on the same bridge */
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
|
2014-03-06 17:01:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
networkRemoveGeneralIPv4FirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2014-03-06 17:01:13 +00:00
|
|
|
{
|
|
|
|
|
size_t i;
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipv4def;
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
|
2014-03-06 17:01:13 +00:00
|
|
|
i++) {
|
|
|
|
|
if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
|
|
|
|
|
break;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
2014-03-06 17:01:13 +00:00
|
|
|
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
|
|
|
|
|
iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
|
|
|
|
|
iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
if (ipv4def && ipv4def->tftproot)
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
|
|
|
|
|
iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
|
|
|
|
|
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
|
|
|
|
|
iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
|
2013-07-24 12:22:54 +00:00
|
|
|
/* Add all once/network rules required for IPv6.
|
|
|
|
|
* If no IPv6 addresses are defined and <network ipv6='yes'> is
|
2015-03-19 15:53:00 +00:00
|
|
|
* specified, then allow IPv6 communications between virtual systems.
|
2013-07-24 12:22:54 +00:00
|
|
|
* If any IPv6 addresses are defined, then add the rules for regular operation.
|
|
|
|
|
*/
|
2014-03-06 17:01:13 +00:00
|
|
|
static void
|
|
|
|
|
networkAddGeneralIPv6FirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2016-06-08 16:48:50 +00:00
|
|
|
if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) &&
|
2014-03-19 16:56:35 +00:00
|
|
|
!def->ipv6nogw) {
|
2014-03-06 17:01:13 +00:00
|
|
|
return;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Catch all rules to block forwarding to/from bridges */
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
|
|
|
|
|
iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
/* Allow traffic between guests on the same bridge */
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2016-06-08 16:48:50 +00:00
|
|
|
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
|
2014-03-06 17:01:13 +00:00
|
|
|
/* allow DNS over IPv6 */
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
|
|
|
|
|
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
|
|
|
|
|
iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
2014-03-06 17:01:13 +00:00
|
|
|
networkRemoveGeneralIPv6FirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2016-06-08 16:48:50 +00:00
|
|
|
if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) &&
|
2014-03-19 16:56:35 +00:00
|
|
|
!def->ipv6nogw) {
|
2013-07-24 12:22:54 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2014-03-06 17:01:13 +00:00
|
|
|
|
2016-06-08 16:48:50 +00:00
|
|
|
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
|
|
|
|
|
iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
|
|
|
|
|
iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* the following rules are there if no IPv6 address has been defined
|
2014-03-19 16:56:35 +00:00
|
|
|
* but def->ipv6nogw == true
|
2013-07-24 12:22:54 +00:00
|
|
|
*/
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
|
|
|
|
|
iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
|
|
|
|
|
iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
static void
|
|
|
|
|
networkAddGeneralFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2014-03-06 17:01:13 +00:00
|
|
|
{
|
2014-03-19 16:56:35 +00:00
|
|
|
networkAddGeneralIPv4FirewallRules(fw, def);
|
|
|
|
|
networkAddGeneralIPv6FirewallRules(fw, def);
|
2014-03-06 17:01:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
networkRemoveGeneralFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2014-03-06 17:01:13 +00:00
|
|
|
{
|
2014-03-19 16:56:35 +00:00
|
|
|
networkRemoveGeneralIPv4FirewallRules(fw, def);
|
|
|
|
|
networkRemoveGeneralIPv6FirewallRules(fw, def);
|
2014-03-06 17:01:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
networkAddChecksumFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
|
|
|
|
size_t i;
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipv4def;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
/* First look for first IPv4 address that has dhcp or tftpboot defined. */
|
|
|
|
|
/* We support dhcp config on 1 IPv4 interface only. */
|
|
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
|
2013-07-24 12:22:54 +00:00
|
|
|
i++) {
|
2014-03-06 17:01:13 +00:00
|
|
|
if (ipv4def->nranges || ipv4def->nhosts)
|
2013-07-24 12:22:54 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If we are doing local DHCP service on this network, attempt to
|
|
|
|
|
* add a rule that will fixup the checksum of DHCP response
|
|
|
|
|
* packets back to the guests (but report failure without
|
|
|
|
|
* aborting, since not all iptables implementations support it).
|
|
|
|
|
*/
|
2014-03-06 17:01:13 +00:00
|
|
|
if (ipv4def)
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
|
|
|
|
|
static void
|
2014-03-06 17:01:13 +00:00
|
|
|
networkRemoveChecksumFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
|
|
|
|
size_t i;
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipv4def;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
/* First look for first IPv4 address that has dhcp or tftpboot defined. */
|
|
|
|
|
/* We support dhcp config on 1 IPv4 interface only. */
|
2013-07-24 12:22:54 +00:00
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
|
2013-07-24 12:22:54 +00:00
|
|
|
i++) {
|
2014-03-06 17:01:13 +00:00
|
|
|
if (ipv4def->nranges || ipv4def->nhosts)
|
2013-07-24 12:22:54 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
if (ipv4def)
|
2014-03-19 16:56:35 +00:00
|
|
|
iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
|
|
|
|
|
static int
|
2016-06-08 16:48:50 +00:00
|
|
|
networkAddIPSpecificFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def,
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
|
|
|
|
/* NB: in the case of IPv6, routing rules are added when the
|
|
|
|
|
* forward mode is NAT. This is because IPv6 has no NAT.
|
|
|
|
|
*/
|
|
|
|
|
|
2014-03-19 16:56:35 +00:00
|
|
|
if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
|
2013-07-24 12:22:54 +00:00
|
|
|
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
|
2014-03-19 16:56:35 +00:00
|
|
|
return networkAddMasqueradingFirewallRules(fw, def, ipdef);
|
2013-07-24 12:22:54 +00:00
|
|
|
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
|
2014-03-19 16:56:35 +00:00
|
|
|
return networkAddRoutingFirewallRules(fw, def, ipdef);
|
|
|
|
|
} else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
|
|
|
|
|
return networkAddRoutingFirewallRules(fw, def, ipdef);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
static int
|
2016-06-08 16:48:50 +00:00
|
|
|
networkRemoveIPSpecificFirewallRules(virFirewallPtr fw,
|
2014-03-19 16:56:35 +00:00
|
|
|
virNetworkDefPtr def,
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2014-03-19 16:56:35 +00:00
|
|
|
if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
|
2013-07-24 12:22:54 +00:00
|
|
|
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
|
2014-03-19 16:56:35 +00:00
|
|
|
return networkRemoveMasqueradingFirewallRules(fw, def, ipdef);
|
2013-07-24 12:22:54 +00:00
|
|
|
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
|
2014-03-19 16:56:35 +00:00
|
|
|
return networkRemoveRoutingFirewallRules(fw, def, ipdef);
|
|
|
|
|
} else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
|
|
|
|
|
return networkRemoveRoutingFirewallRules(fw, def, ipdef);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
2014-03-06 17:01:13 +00:00
|
|
|
return 0;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-06 12:03:46 +00:00
|
|
|
|
2013-07-24 12:22:54 +00:00
|
|
|
/* Add all rules for all ip addresses (and general rules) on a network */
|
2014-03-19 16:56:35 +00:00
|
|
|
int networkAddFirewallRules(virNetworkDefPtr def)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
2014-03-06 17:01:13 +00:00
|
|
|
size_t i;
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef;
|
2014-03-06 17:01:13 +00:00
|
|
|
virFirewallPtr fw = NULL;
|
|
|
|
|
int ret = -1;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
fw = virFirewallNew();
|
|
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
2014-03-19 16:56:35 +00:00
|
|
|
networkAddGeneralFirewallRules(fw, def);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
|
2013-07-24 12:22:54 +00:00
|
|
|
i++) {
|
2016-06-08 16:48:50 +00:00
|
|
|
if (networkAddIPSpecificFirewallRules(fw, def, ipdef) < 0)
|
2014-03-06 17:01:13 +00:00
|
|
|
goto cleanup;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
virFirewallStartRollback(fw, 0);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
|
2014-03-06 17:01:13 +00:00
|
|
|
i++) {
|
2016-06-08 16:48:50 +00:00
|
|
|
if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
|
2014-03-06 17:01:13 +00:00
|
|
|
goto cleanup;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
2014-03-19 16:56:35 +00:00
|
|
|
networkRemoveGeneralFirewallRules(fw, def);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
|
2014-03-19 16:56:35 +00:00
|
|
|
networkAddChecksumFirewallRules(fw, def);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) < 0)
|
|
|
|
|
goto cleanup;
|
2013-07-24 12:22:54 +00:00
|
|
|
|
2014-03-06 17:01:13 +00:00
|
|
|
ret = 0;
|
|
|
|
|
cleanup:
|
|
|
|
|
virFirewallFree(fw);
|
|
|
|
|
return ret;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Remove all rules for all ip addresses (and general rules) on a network */
|
2014-03-19 16:56:35 +00:00
|
|
|
void networkRemoveFirewallRules(virNetworkDefPtr def)
|
2013-07-24 12:22:54 +00:00
|
|
|
{
|
|
|
|
|
size_t i;
|
2016-06-08 16:48:50 +00:00
|
|
|
virNetworkIPDefPtr ipdef;
|
2014-03-06 17:01:13 +00:00
|
|
|
virFirewallPtr fw = NULL;
|
|
|
|
|
|
|
|
|
|
fw = virFirewallNew();
|
|
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
|
2014-03-19 16:56:35 +00:00
|
|
|
networkRemoveChecksumFirewallRules(fw, def);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
|
2013-07-24 12:22:54 +00:00
|
|
|
|
|
|
|
|
for (i = 0;
|
2016-06-08 16:48:50 +00:00
|
|
|
(ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
|
2013-07-24 12:22:54 +00:00
|
|
|
i++) {
|
2016-06-08 16:48:50 +00:00
|
|
|
if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
|
2014-03-06 17:01:13 +00:00
|
|
|
goto cleanup;
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
2014-03-19 16:56:35 +00:00
|
|
|
networkRemoveGeneralFirewallRules(fw, def);
|
2014-03-06 17:01:13 +00:00
|
|
|
|
|
|
|
|
virFirewallApply(fw);
|
|
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
|
virFirewallFree(fw);
|
2013-07-24 12:22:54 +00:00
|
|
|
}
|
