External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-06 06:15:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
d00d078968
libvirt/src/util/viriptables.h

156 lines
8.7 KiB
C
Raw Normal View History

Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
/*
Rename iptables.{c,h} to viriptables.{c,h}
2012-12-12 17:42:44 +00:00
* viriptables.h: helper APIs for managing iptables
*
always compile iptables.c Avoid a build error when configuring --without-xen --without-qemu. * src/iptables.c [WITH_QEMU]: Don't #ifdef-out. * src/iptables.h [WITH_QEMU]: Don't #ifdef-out. * src/util.c (virRun) [__MINGW32__]: Define a stub that always fails.
2008-11-07 16:43:23 +00:00
* Copyright (C) 2007, 2008 Red Hat, Inc.
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
maint: fix up copyright notice inconsistencies https://www.gnu.org/licenses/gpl-howto.html recommends that the 'If not, see <url>.' phrase be a separate sentence. * tests/securityselinuxhelper.c: Remove doubled line. * tests/securityselinuxtest.c: Likewise. * globally: s/; If/. If/
2012-09-20 22:30:55 +00:00
* License along with this library. If not, see
Desert the FSF address in copyright Per the FSF address could be changed from time to time, and GNU recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html) You should have received a copy of the GNU General Public License along with Foobar. If not, see <http://www.gnu.org/licenses/>. This patch removes the explicit FSF address, and uses above instead (of course, with inserting 'Lesser' before 'General'). Except a bunch of files for security driver, all others are changed automatically, the copyright for securify files are not complete, that's why to do it manually: src/security/security_selinux.h src/security/security_driver.h src/security/security_selinux.c src/security/security_apparmor.h src/security/security_apparmor.c src/security/security_driver.c
2012-07-21 10:06:23 +00:00
* <http://www.gnu.org/licenses/>.
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
*/
util: misc: use #pragma once in headers Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-18 16:13:08 +00:00
#pragma once
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
util: misc: use #pragma once in headers Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-18 16:13:08 +00:00
#include "virsocketaddr.h"
#include "virfirewall.h"
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
network: split setup of ipv4 and ipv6 top level chains During startup libvirtd creates top level chains for both ipv4 and ipv6 protocols. If this fails for any reason then startup of virtual networks is blocked. The default virtual network, however, only requires use of ipv4 and some servers have ipv6 disabled so it is expected that ipv6 chain creation will fail. There could equally be servers with no ipv4, only ipv6. This patch thus makes error reporting a little more fine grained so that it works more sensibly when either ipv4 or ipv6 is disabled on the server. Only the protocols that are actually used by the virtual network have errors reported. Reviewed-by: Andrea Bolognani <abologna@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-03-18 16:49:32 +00:00
int iptablesSetupPrivateChains (virFirewallLayer layer);
util: create private chains for virtual network firewall rules Historically firewall rules for virtual networks were added straight into the base chains. This works but has a number of bugs and design limitations: - It is inflexible for admins wanting to add extra rules ahead of libvirt's rules, via hook scripts. - It is not clear to the admin that the rules were created by libvirt - Each rule must be deleted by libvirt individually since they are all directly in the builtin chains - The ordering of rules in the forward chain is incorrect when multiple networks are created, allowing traffic to mistakenly flow between networks in one direction. To address all of these problems, libvirt needs to move to creating rules in its own private chains. In the top level builtin chains, libvirt will add links to its own private top level chains. Addressing the traffic ordering bug requires some extra steps. With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network: -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT -A FORWARD -i virbr1 -o virbr1 -j ACCEPT -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable The rule allowing outbound traffic from virbr1 would mistakenly allow packets from virbr1 to virbr0, before the rule denying input to virbr0 gets a chance to run. What we really need todo is group the forwarding rules into three distinct sets: * Cross rules - LIBVIRT_FWX -A FORWARD -i virbr1 -o virbr1 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT * Incoming rules - LIBVIRT_FWI -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable * Outgoing rules - LIBVIRT_FWO -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable There is thus no risk of outgoing rules for one network mistakenly allowing incoming traffic for another network, as all incoming rules are evalated first. With this in mind, we'll thus need three distinct chains linked from the FORWARD chain, so we end up with: INPUT --> LIBVIRT_INP (filter) OUTPUT --> LIBVIRT_OUT (filter) FORWARD +-> LIBVIRT_FWX (filter) +-> LIBVIRT_FWO \-> LIBVIRT_FWI POSTROUTING --> LIBVIRT_PRT (nat & mangle) Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-10-31 19:33:21 +00:00
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddTcpInput (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveTcpInput (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddUdpInput (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveUdpInput (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddTcpOutput (virFirewall *fw,
network: allow DHCP/DNS/TFTP explicitly in OUTPUT rules While the default iptables setup used by Fedora/RHEL distros only restricts traffic on the INPUT and/or FORWARD rules, some users might have custom firewalls that restrict the OUTPUT rules too. These can prevent DHCP/DNS/TFTP responses from dnsmasq from reaching the guest VMs. We should thus whitelist these protocols in the OUTPUT chain, as well as the INPUT chain. Signed-off-by: Malina Salina <malina.salina@protonmail.com> Initial patch then modified to add unit tests and IPv6 support Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-09-27 16:10:34 +00:00
virFirewallLayer layer,
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveTcpOutput (virFirewall *fw,
network: allow DHCP/DNS/TFTP explicitly in OUTPUT rules While the default iptables setup used by Fedora/RHEL distros only restricts traffic on the INPUT and/or FORWARD rules, some users might have custom firewalls that restrict the OUTPUT rules too. These can prevent DHCP/DNS/TFTP responses from dnsmasq from reaching the guest VMs. We should thus whitelist these protocols in the OUTPUT chain, as well as the INPUT chain. Signed-off-by: Malina Salina <malina.salina@protonmail.com> Initial patch then modified to add unit tests and IPv6 support Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-09-27 16:10:34 +00:00
virFirewallLayer layer,
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddUdpOutput (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Fix bridge configuration when OUTPUT policy is DROP on the host When the host is configured with very restrictive firewall (default policy is DROP for all chains, including OUTPUT), the bridge driver for Linux adds netfilter entries to allow DHCP and DNS requests to go from the VM to the dnsmasq of the host. The issue that this commit fixes is the fact that a DROP policy on the OUTPUT chain blocks the DHCP replies from the host’s dnsmasq to the VM. As DHCP replies are sent in UDP, they are not caught by any --ctstate ESTABLISHED rule and so, need to be explicitly allowed. Signed-off-by: Lénaïc Huard <lenaic@lhuard.fr.eu.org>
2013-12-17 17:56:28 +00:00
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveUdpOutput (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Fix bridge configuration when OUTPUT policy is DROP on the host When the host is configured with very restrictive firewall (default policy is DROP for all chains, including OUTPUT), the bridge driver for Linux adds netfilter entries to allow DHCP and DNS requests to go from the VM to the dnsmasq of the host. The issue that this commit fixes is the fact that a DROP policy on the OUTPUT chain blocks the DHCP replies from the host’s dnsmasq to the VM. As DHCP replies are sent in UDP, they are not caught by any --ctstate ESTABLISHED rule and so, need to be explicitly allowed. Signed-off-by: Lénaïc Huard <lenaic@lhuard.fr.eu.org>
2013-12-17 17:56:28 +00:00
const char *iface,
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesAddForwardAllowOut (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
const char *iface,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *physdev)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesRemoveForwardAllowOut (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
const char *iface,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *physdev)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesAddForwardAllowRelatedIn(virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
const char *iface,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *physdev)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesAddForwardAllowIn (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
const char *iface,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *physdev)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesRemoveForwardAllowIn (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
const char *iface,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *physdev)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddForwardAllowCross (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveForwardAllowCross (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddForwardRejectOut (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveForwardRejectOut (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddForwardRejectIn (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layer,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveForwardRejectIn (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virFirewallLayer layery,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesAddForwardMasquerade (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
const char *physdev,
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
virSocketAddrRange *addr,
virPortRange *port,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *protocol)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesRemoveForwardMasquerade (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
const char *physdev,
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
virSocketAddrRange *addr,
virPortRange *port,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *protocol)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesAddDontMasquerade (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
util/viriptables: add/remove rules that short-circuit masquerading The functions - iptablesAddForwardDontMasquerade(), - iptablesRemoveForwardDontMasquerade handle exceptions in the masquerading implemented in the POSTROUTING chain of the "nat" table. Such exceptions should be added as chronologically latest, logically top-most rules. The bridge driver will call these functions beginning with the next patch: some special destination IP addresses always refer to the local subnetwork, even though they don't match any practical subnetwork's netmask. Packets from virbrN targeting such IP addresses are never routed outwards, but the current rules treat them as non-virbrN-destined packets and masquerade them. This causes problems for some receivers on virbrN. Signed-off-by: Laszlo Ersek <lersek@redhat.com>
2013-09-25 10:45:25 +00:00
unsigned int prefix,
const char *physdev,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *destaddr)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
int iptablesRemoveDontMasquerade (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
virSocketAddr *netaddr,
util/viriptables: add/remove rules that short-circuit masquerading The functions - iptablesAddForwardDontMasquerade(), - iptablesRemoveForwardDontMasquerade handle exceptions in the masquerading implemented in the POSTROUTING chain of the "nat" table. Such exceptions should be added as chronologically latest, logically top-most rules. The bridge driver will call these functions beginning with the next patch: some special destination IP addresses always refer to the local subnetwork, even though they don't match any practical subnetwork's netmask. Packets from virbrN targeting such IP addresses are never routed outwards, but the current rules treat them as non-virbrN-destined packets and masquerade them. This causes problems for some receivers on virbrN. Signed-off-by: Laszlo Ersek <lersek@redhat.com>
2013-09-25 10:45:25 +00:00
unsigned int prefix,
const char *physdev,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *destaddr)
Use G_GNUC_WARN_UNUSED_RESULT instead of ATTRIBUTE_RETURN_CHECK Introduced in GLib 2.10. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 12:25:14 +00:00
G_GNUC_WARN_UNUSED_RESULT;
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesAddOutputFixUdpChecksum (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *iface,
Add iptables rule to fixup DHCP response checksum. This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
2010-07-13 02:59:58 +00:00
int port);
lib: Drop internal virXXXPtr typedefs Historically, we declared pointer type to our types: typedef struct _virXXX virXXX; typedef virXXX *virXXXPtr; But usefulness of such declaration is questionable, at best. Unfortunately, we can't drop every such declaration - we have to carry some over, because they are part of public API (e.g. virDomainPtr). But for internal types - we can do drop them and use what every other C project uses 'virXXX *'. This change was generated by a very ugly shell script that generated sed script which was then called over each file in the repository. For the shell script refer to the cover letter: https://listman.redhat.com/archives/libvir-list/2021-March/msg00537.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-03-11 07:16:13 +00:00
void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw,
Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-06 17:01:13 +00:00
const char *iface,
Add iptables rule to fixup DHCP response checksum. This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
2010-07-13 02:59:58 +00:00
int port);
Reference in New Issue Copy Permalink