External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-09-24 16:35:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
e123e1ee6b
libvirt/src/util/iptables.c

931 lines
29 KiB
C
Raw Normal View History

Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
/*
build: use gnulib's sys/wait.h * configure.ac: Drop sys/wait.h check. * src/libvirt.c (includes): Use header unconditionally. * src/remote/remote_driver.c (includes): Likewise. * src/storage/storage_backend.c (includes): Likewise. * src/util/ebtables.c (includes): Likewise. * src/util/hooks.c (includes): Likewise. * src/util/iptables.c (includes): Likewise. * src/util/util.c (includes): Likewise.
2010-04-29 03:31:16 +00:00
* Copyright (C) 2007-2010 Red Hat, Inc.
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* Authors:
* Mark McLoughlin <markmc@redhat.com>
*/
Enable the <config.h>-requiring test; fix violations Use <config.h>, not "config.h", per autoconf documentation. * Makefile.cfg (local-checks-to-skip) [sc_require_config_h]: Enable. * .x-sc_require_config_h: New file, to list exempted files. * Makefile.am (EXTRA_DIST): Add .x-sc_require_config_h.
2008-01-29 18:15:54 +00:00
#include <config.h>
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
build: use gnulib's sys/wait.h * configure.ac: Drop sys/wait.h check. * src/libvirt.c (includes): Use header unconditionally. * src/remote/remote_driver.c (includes): Likewise. * src/storage/storage_backend.c (includes): Likewise. * src/util/ebtables.c (includes): Likewise. * src/util/hooks.c (includes): Likewise. * src/util/iptables.c (includes): Likewise. * src/util/util.c (includes): Likewise.
2010-04-29 03:31:16 +00:00
#include <sys/wait.h>
Fri Dec 7 14:36:00 UTC 2007 Richard W.M. Jones <rjones@redhat.com> * src/.cvsignore: Ignore *.loT files (generated under Windows). * proxy/libvirt_proxy.c: Bail out earlier --without-xen. * src/proxy_internal.c: Don't build proxy client side if configured --without-xen. * src/iptables.c, src/iptables.h: Disable this code if configured --without-qemu. * src/nodeinfo.c: If no 'uname' function, set model name to empty string (for Windows). * src/xen_unified.h, src/util.c, src/test.c: Include <winsock2.h> on Windows. * src/util.c: Disable virExec* and virFileLinkPointsTo on MinGW.
2007-12-07 14:45:39 +00:00
#ifdef HAVE_PATHS_H
build: consistently indent preprocessor directives * global: patch created by running: for f in $(git ls-files '*.[ch]') ; do cppi $f > $f.t && mv $f.t $f done
2010-03-09 18:22:22 +00:00
# include <paths.h>
Fri Dec 7 14:36:00 UTC 2007 Richard W.M. Jones <rjones@redhat.com> * src/.cvsignore: Ignore *.loT files (generated under Windows). * proxy/libvirt_proxy.c: Bail out earlier --without-xen. * src/proxy_internal.c: Don't build proxy client side if configured --without-xen. * src/iptables.c, src/iptables.h: Disable this code if configured --without-qemu. * src/nodeinfo.c: If no 'uname' function, set model name to empty string (for Windows). * src/xen_unified.h, src/util.c, src/test.c: Include <winsock2.h> on Windows. * src/util.c: Disable virExec* and virFileLinkPointsTo on MinGW.
2007-12-07 14:45:39 +00:00
#endif
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
Wed Mar 30 17:25:33 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.c: As suggested by danpb, make libvirt_qemud handle SIGHUP by re-loading the iptables rules.
2007-03-30 16:25:02 +00:00
#include "internal.h"
Fri Dec 7 14:36:00 UTC 2007 Richard W.M. Jones <rjones@redhat.com> * src/.cvsignore: Ignore *.loT files (generated under Windows). * proxy/libvirt_proxy.c: Bail out earlier --without-xen. * src/proxy_internal.c: Don't build proxy client side if configured --without-xen. * src/iptables.c, src/iptables.h: Disable this code if configured --without-qemu. * src/nodeinfo.c: If no 'uname' function, set model name to empty string (for Windows). * src/xen_unified.h, src/util.c, src/test.c: Include <winsock2.h> on Windows. * src/util.c: Disable virExec* and virFileLinkPointsTo on MinGW.
2007-12-07 14:45:39 +00:00
#include "iptables.h"
Port hooks and iptables code to new command execution APIs This proof of concept shows how two existing uses of virExec and virRun can be ported to the new virCommand APIs, and how much simpler the code becomes
2010-05-25 11:18:53 +00:00
#include "command.h"
Switch over remaining driver code to use memory alloc apis
2008-06-06 11:09:57 +00:00
#include "memory.h"
iptables.c: Use virStrerror, not strerror. * src/iptables.c: Include "virterror_internal.h". Use virStrerror, not strerror. * src/iptables.c (notifyRulesUpdated): Use %s rather than string-concatenation that made sc_unmarked_diagnostics report a false-positive.
2009-02-05 16:27:51 +00:00
#include "virterror_internal.h"
Replace use of qemudLog with logging.h APIs/macros
2009-03-03 11:40:08 +00:00
#include "logging.h"
Move QEMU driver into main libvirt.so and use single daemon for all drivers
2007-06-26 23:48:46 +00:00
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
#define VIR_FROM_THIS VIR_FROM_NONE
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
#define iptablesError(code, ...) \
Remove virConnectPtr from virRaiseErrorFull And from all related macros and functions.
2011-04-16 08:30:22 +00:00
virReportErrorHelper(VIR_FROM_THIS, code, __FILE__, \
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
__FUNCTION__, __LINE__, __VA_ARGS__)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
enum {
ADD = 0,
REMOVE
};
typedef struct
{
char *table;
char *chain;
} iptRules;
struct _iptablesContext
{
iptRules *input_filter;
iptRules *forward_filter;
iptRules *nat_postrouting;
Add iptables rule to fixup DHCP response checksum. This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
2010-07-13 02:59:58 +00:00
iptRules *mangle_postrouting;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
};
static void
iptRulesFree(iptRules *rules)
{
cleanup: remove useless if-before-VIR_FREE * Makefile.cfg (useless_free_options): Also check for VIR_FREE. * src/iptables.c (iptRulesFree): Remove useless if-before-VIR_FREE. * src/remote_internal.c (remoteAuthSASL): Likewise. * src/test.c (testOpenFromFile): Likewise.
2009-02-03 13:08:07 +00:00
VIR_FREE(rules->table);
VIR_FREE(rules->chain);
Switch over remaining driver code to use memory alloc apis
2008-06-06 11:09:57 +00:00
VIR_FREE(rules);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
static iptRules *
iptRulesNew(const char *table,
const char *chain)
{
iptRules *rules;
Switch over remaining driver code to use memory alloc apis
2008-06-06 11:09:57 +00:00
if (VIR_ALLOC(rules) < 0)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
return NULL;
if (!(rules->table = strdup(table)))
goto error;
if (!(rules->chain = strdup(chain)))
goto error;
return rules;
error:
iptRulesFree(rules);
return NULL;
}
Add sentinel attribute for NULL terminated arg lists * src/internal.h (ATTRIBUTE_SENTINEL): New, it's a ggc feature and protected as such * src/util/buf.c (virBufferStrcat): Use it. * src/util/ebtables.c (ebtablesAddRemoveRule): Use it. * src/util/iptables.c (iptableAddRemoveRule: Use it. * src/util/qparams.h (new_qparam_set, append_qparams): Use it. * docs/apibuild.py: avoid breaking the API generator with that new internal keyword macro
2009-11-06 09:39:13 +00:00
static int ATTRIBUTE_SENTINEL
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
iptablesAddRemoveRule(iptRules *rules, int family, int action,
const char *arg, ...)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
va_list args;
Port hooks and iptables code to new command execution APIs This proof of concept shows how two existing uses of virExec and virRun can be ported to the new virCommand APIs, and how much simpler the code becomes
2010-05-25 11:18:53 +00:00
int ret;
virCommandPtr cmd;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *s;
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
cmd = virCommandNew((family == AF_INET6)
? IP6TABLES_PATH : IPTABLES_PATH);
Port hooks and iptables code to new command execution APIs This proof of concept shows how two existing uses of virExec and virRun can be ported to the new virCommand APIs, and how much simpler the code becomes
2010-05-25 11:18:53 +00:00
virCommandAddArgList(cmd, "--table", rules->table,
action == ADD ? "--insert" : "--delete",
rules->chain, arg, NULL);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
va_start(args, arg);
Port hooks and iptables code to new command execution APIs This proof of concept shows how two existing uses of virExec and virRun can be ported to the new virCommand APIs, and how much simpler the code becomes
2010-05-25 11:18:53 +00:00
while ((s = va_arg(args, const char *)))
virCommandAddArg(cmd, s);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
va_end(args);
Port hooks and iptables code to new command execution APIs This proof of concept shows how two existing uses of virExec and virRun can be ported to the new virCommand APIs, and how much simpler the code becomes
2010-05-25 11:18:53 +00:00
ret = virCommandRun(cmd, NULL);
virCommandFree(cmd);
return ret;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesContextNew:
*
* Create a new IPtable context
*
* Returns a pointer to the new structure or NULL in case of error
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
iptablesContext *
iptablesContextNew(void)
{
iptablesContext *ctx;
Switch over remaining driver code to use memory alloc apis
2008-06-06 11:09:57 +00:00
if (VIR_ALLOC(ctx) < 0)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
return NULL;
--with-iptables-prefix was added to integrate with a proposed system for letting iptables know how to reload our rules. The proposed system wasn't accepted so, although there might be some other theoretical use for this, let's just remove it.
2008-01-10 13:56:22 +00:00
if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
goto error;
--with-iptables-prefix was added to integrate with a proposed system for letting iptables know how to reload our rules. The proposed system wasn't accepted so, although there might be some other theoretical use for this, let's just remove it.
2008-01-10 13:56:22 +00:00
if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD")))
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
goto error;
--with-iptables-prefix was added to integrate with a proposed system for letting iptables know how to reload our rules. The proposed system wasn't accepted so, although there might be some other theoretical use for this, let's just remove it.
2008-01-10 13:56:22 +00:00
if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING")))
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
goto error;
Add iptables rule to fixup DHCP response checksum. This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
2010-07-13 02:59:58 +00:00
if (!(ctx->mangle_postrouting = iptRulesNew("mangle", "POSTROUTING")))
goto error;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
return ctx;
error:
iptablesContextFree(ctx);
return NULL;
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesContextFree:
* @ctx: pointer to the IP table context
*
Fix typos (Atsushi SAKAI).
2008-02-27 10:37:19 +00:00
* Free the resources associated with an IP table context
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
void
iptablesContextFree(iptablesContext *ctx)
{
Wed Mar 30 17:17:15 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.c: ensure iptablesContext is zereod out when allocating so we don't try and free an invalid pointer.
2007-03-30 16:20:19 +00:00
if (ctx->input_filter)
iptRulesFree(ctx->input_filter);
if (ctx->forward_filter)
iptRulesFree(ctx->forward_filter);
if (ctx->nat_postrouting)
iptRulesFree(ctx->nat_postrouting);
Add iptables rule to fixup DHCP response checksum. This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
2010-07-13 02:59:58 +00:00
if (ctx->mangle_postrouting)
iptRulesFree(ctx->mangle_postrouting);
Switch over remaining driver code to use memory alloc apis
2008-06-06 11:09:57 +00:00
VIR_FREE(ctx);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
static int
iptablesInput(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port,
int action,
int tcp)
{
char portstr[32];
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
return iptablesAddRemoveRule(ctx->input_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
family,
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
action,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
"--jump", "ACCEPT",
NULL);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddTcpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the TCP port to add
*
* Add an input to the IP table allowing access to the given @port on
* the given @iface interface for TCP packets
*
* Returns 0 in case of success or an error code in case of error
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
iptablesAddTcpInput(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port)
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesInput(ctx, family, iface, port, ADD, 1);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveTcpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the TCP port to remove
*
Fix typos (Atsushi SAKAI).
2008-02-27 10:37:19 +00:00
* Removes an input from the IP table, hence forbidding access to the given
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* @port on the given @iface interface for TCP packets
*
* Returns 0 in case of success or an error code in case of error
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
iptablesRemoveTcpInput(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port)
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesInput(ctx, family, iface, port, REMOVE, 1);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddUdpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to add
*
* Add an input to the IP table allowing access to the given @port on
* the given @iface interface for UDP packets
*
* Returns 0 in case of success or an error code in case of error
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
iptablesAddUdpInput(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port)
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesInput(ctx, family, iface, port, ADD, 0);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveUdpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to remove
*
Fix typos (Atsushi SAKAI).
2008-02-27 10:37:19 +00:00
* Removes an input from the IP table, hence forbidding access to the given
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* @port on the given @iface interface for UDP packets
*
* Returns 0 in case of success or an error code in case of error
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
iptablesRemoveUdpInput(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
const char *iface,
int port)
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesInput(ctx, family, iface, port, REMOVE, 0);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
static char *iptablesFormatNetwork(virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix)
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
{
virSocketAddr network;
char *netstr;
char *ret;
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
if (!(VIR_SOCKET_IS_FAMILY(netaddr, AF_INET) ||
VIR_SOCKET_IS_FAMILY(netaddr, AF_INET6))) {
Fix several warnings about a non-literal format string They only popped up during --disable-nls build. Without this configure option, gcc wasn't able to detect them.
2010-11-02 08:47:22 +00:00
iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
_("Only IPv4 or IPv6 addresses can be used with iptables"));
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
return NULL;
}
Improve virSocketAddrMask[ByPrefix] API The original version of these functions would modify the address sent in, meaning that the caller would usually need to copy the address first. This change makes the original a const, and puts the resulting masked address into a new arg (which could point to the same virSocketAddr as the original, if the caller really wants to modify it). This also makes the API consistent with virSocketAddrBroadcast[ByPrefix].
2010-12-31 11:20:43 +00:00
if (virSocketAddrMaskByPrefix(netaddr, prefix, &network) < 0) {
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
iptablesError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Failure to mask address"));
return NULL;
}
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
netstr = virSocketFormatAddr(&network);
if (!netstr)
return NULL;
if (virAsprintf(&ret, "%s/%d", netstr, prefix) < 0)
virReportOOMError();
VIR_FREE(netstr);
return ret;
}
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
/* Allow all traffic coming from the bridge, with a valid network address
* to proceed to WAN
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
static int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesForwardAllowOut(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
const char *iface,
const char *physdev,
int action)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
int ret;
char *networkstr;
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
return -1;
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
if (physdev && physdev[0]) {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
VIR_SOCKET_FAMILY(netaddr),
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
"--jump", "ACCEPT",
NULL);
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
} else {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
VIR_SOCKET_FAMILY(netaddr),
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
NULL);
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
}
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
VIR_FREE(networkstr);
return ret;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddForwardAllowOut:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the source interface name
* @physdev: the physical output device
Remove all trailing blanks; turn on the rule to detect them. * Makefile.cfg (local-checks-to-skip): Remove sc_trailing_blank. * .x-sc_trailing_blank: New file, to exempt the few binary files.
2008-02-05 19:27:37 +00:00
*
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* Add a rule to the IP table context to allow the traffic for the
* network @network via interface @iface to be forwarded to
* @physdev device. This allow the outbound traffic on a bridge.
*
* Returns 0 in case of success or an error code otherwise
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesAddForwardAllowOut(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
const char *iface,
const char *physdev)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveForwardAllowOut:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the source interface name
* @physdev: the physical output device
Remove all trailing blanks; turn on the rule to detect them. * Makefile.cfg (local-checks-to-skip): Remove sc_trailing_blank. * .x-sc_trailing_blank: New file, to exempt the few binary files.
2008-02-05 19:27:37 +00:00
*
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* Remove a rule from the IP table context hence forbidding forwarding
* of the traffic for the network @network via interface @iface
* to the @physdev device output. This stops the outbound traffic on a bridge.
*
* Returns 0 in case of success or an error code otherwise
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesRemoveForwardAllowOut(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
const char *iface,
const char *physdev)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
/* Allow all traffic destined to the bridge, with a valid network address
* and associated with an existing connection
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
static int
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
iptablesForwardAllowRelatedIn(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
const char *iface,
const char *physdev,
int action)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
int ret;
char *networkstr;
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
return -1;
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
if (physdev && physdev[0]) {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
VIR_SOCKET_FAMILY(netaddr),
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--match", "state",
"--state", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
} else {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
VIR_SOCKET_FAMILY(netaddr),
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--destination", networkstr,
"--out-interface", iface,
"--match", "state",
"--state", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
}
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
VIR_FREE(networkstr);
return ret;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
/**
* iptablesAddForwardAllowRelatedIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
*
* Add rules to the IP table context to allow the traffic for the
* network @network on @physdev device to be forwarded to
* interface @iface, if it is part of an existing connection.
*
* Returns 0 in case of success or an error code otherwise
*/
int
iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
const char *iface,
const char *physdev)
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD);
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
}
/**
* iptablesRemoveForwardAllowRelatedIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
*
* Remove rules from the IP table context hence forbidding the traffic for
* network @network on @physdev device to be forwarded to
* interface @iface, if it is part of an existing connection.
*
* Returns 0 in case of success or an error code otherwise
*/
int
iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
const char *iface,
const char *physdev)
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
const char *iface,
const char *physdev,
int action)
{
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
int ret;
char *networkstr;
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
return -1;
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
if (physdev && physdev[0]) {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
VIR_SOCKET_FAMILY(netaddr),
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
} else {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
VIR_SOCKET_FAMILY(netaddr),
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
}
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
VIR_FREE(networkstr);
return ret;
Added patches for routed networking from Mads Chr. Olesen
2008-03-28 20:38:21 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddForwardAllowIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
Remove all trailing blanks; turn on the rule to detect them. * Makefile.cfg (local-checks-to-skip): Remove sc_trailing_blank. * .x-sc_trailing_blank: New file, to exempt the few binary files.
2008-02-05 19:27:37 +00:00
*
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* Add rules to the IP table context to allow the traffic for the
* network @network on @physdev device to be forwarded to
* interface @iface. This allow the inbound traffic on a bridge.
*
* Returns 0 in case of success or an error code otherwise
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesAddForwardAllowIn(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface,
const char *physdev)
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD);
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveForwardAllowIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
Remove all trailing blanks; turn on the rule to detect them. * Makefile.cfg (local-checks-to-skip): Remove sc_trailing_blank. * .x-sc_trailing_blank: New file, to exempt the few binary files.
2008-02-05 19:27:37 +00:00
*
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* Remove rules from the IP table context hence forbidding the traffic for
* network @network on @physdev device to be forwarded to
* interface @iface. This stops the inbound traffic on a bridge.
*
* Returns 0 in case of success or an error code otherwise
*/
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
int
iptablesRemoveForwardAllowIn(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface,
const char *physdev)
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
}
/* Allow all traffic between guests on the same bridge,
* with a valid network address
*/
static int
iptablesForwardAllowCross(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface,
int action)
{
return iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
action,
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddForwardAllowCross:
* @ctx: pointer to the IP table context
* @iface: the input/output interface name
*
* Add rules to the IP table context to allow traffic to cross that
* interface. It allows all traffic between guests on the same bridge
* represented by that interface.
*
* Returns 0 in case of success or an error code otherwise
*/
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
int
iptablesAddForwardAllowCross(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
const char *iface)
{
return iptablesForwardAllowCross(ctx, family, iface, ADD);
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveForwardAllowCross:
* @ctx: pointer to the IP table context
* @iface: the input/output interface name
*
* Remove rules to the IP table context to block traffic to cross that
* interface. It forbids traffic between guests on the same bridge
* represented by that interface.
*
* Returns 0 in case of success or an error code otherwise
*/
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
int
iptablesRemoveForwardAllowCross(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
const char *iface)
{
return iptablesForwardAllowCross(ctx, family, iface, REMOVE);
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
}
/* Drop all traffic trying to forward from the bridge.
* ie the bridge is the in interface
*/
static int
iptablesForwardRejectOut(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface,
int action)
{
return iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
family,
action,
"--in-interface", iface,
"--jump", "REJECT",
NULL);
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddForwardRejectOut:
* @ctx: pointer to the IP table context
* @iface: the output interface name
*
* Add rules to the IP table context to forbid all traffic to that
* interface. It forbids forwarding from the bridge to that interface.
*
* Returns 0 in case of success or an error code otherwise
*/
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
int
iptablesAddForwardRejectOut(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface)
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesForwardRejectOut(ctx, family, iface, ADD);
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveForwardRejectOut:
* @ctx: pointer to the IP table context
* @iface: the output interface name
*
* Remove rules from the IP table context forbidding all traffic to that
* interface. It reallow forwarding from the bridge to that interface.
*
* Returns 0 in case of success or an error code otherwise
*/
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
int
iptablesRemoveForwardRejectOut(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface)
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesForwardRejectOut(ctx, family, iface, REMOVE);
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
}
/* Drop all traffic trying to forward to the bridge.
* ie the bridge is the out interface
*/
static int
iptablesForwardRejectIn(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
const char *iface,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
int action)
{
return iptablesAddRemoveRule(ctx->forward_filter,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
action,
"--out-interface", iface,
"--jump", "REJECT",
NULL);
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddForwardRejectIn:
* @ctx: pointer to the IP table context
* @iface: the input interface name
*
* Add rules to the IP table context to forbid all traffic from that
* interface. It forbids forwarding from that interface to the bridge.
*
* Returns 0 in case of success or an error code otherwise
*/
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
int
iptablesAddForwardRejectIn(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesForwardRejectIn(ctx, family, iface, ADD);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveForwardRejectIn:
* @ctx: pointer to the IP table context
* @iface: the input interface name
*
* Remove rules from the IP table context forbidding all traffic from that
* interface. It allows forwarding from that interface to the bridge.
*
* Returns 0 in case of success or an error code otherwise
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesRemoveForwardRejectIn(iptablesContext *ctx,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
int family,
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
const char *iface)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
return iptablesForwardRejectIn(ctx, family, iface, REMOVE);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
/* Masquerade all traffic coming from the network associated
* with the bridge
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
static int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesForwardMasquerade(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
const char *physdev,
const char *protocol,
int action)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
int ret;
char *networkstr;
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
return -1;
Log an error on attempts to add a NAT rule for non-IPv4 addresses Although the upper-layer code protected against it, it was possible to call iptablesForwardMasquerade() with an IPv6 address and have it attempt to add a rule to the MASQUERADE chain of ip6tables (which doesn't exist). This patch changes that function to check the protocol of the given address, generate an error log if it's not IPv4 (AF_INET), and finally hardcodes all the family parameters sent down to lower-level functions.
2011-01-04 17:31:40 +00:00
if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET)) {
/* Higher level code *should* guaranteee it's impossible to get here. */
iptablesError(VIR_ERR_INTERNAL_ERROR,
_("Attempted to NAT '%s'. NAT is only supported for IPv4."),
networkstr);
VIR_FREE(networkstr);
return -1;
}
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
if (protocol && protocol[0]) {
if (physdev && physdev[0]) {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
Log an error on attempts to add a NAT rule for non-IPv4 addresses Although the upper-layer code protected against it, it was possible to call iptablesForwardMasquerade() with an IPv6 address and have it attempt to add a rule to the MASQUERADE chain of ip6tables (which doesn't exist). This patch changes that function to check the protocol of the given address, generate an error log if it's not IPv4 (AF_INET), and finally hardcodes all the family parameters sent down to lower-level functions.
2011-01-04 17:31:40 +00:00
AF_INET,
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
"--out-interface", physdev,
"--jump", "MASQUERADE",
"--to-ports", "1024-65535",
NULL);
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
} else {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
Log an error on attempts to add a NAT rule for non-IPv4 addresses Although the upper-layer code protected against it, it was possible to call iptablesForwardMasquerade() with an IPv6 address and have it attempt to add a rule to the MASQUERADE chain of ip6tables (which doesn't exist). This patch changes that function to check the protocol of the given address, generate an error log if it's not IPv4 (AF_INET), and finally hardcodes all the family parameters sent down to lower-level functions.
2011-01-04 17:31:40 +00:00
AF_INET,
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
"--jump", "MASQUERADE",
"--to-ports", "1024-65535",
NULL);
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
}
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
} else {
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
if (physdev && physdev[0]) {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
Log an error on attempts to add a NAT rule for non-IPv4 addresses Although the upper-layer code protected against it, it was possible to call iptablesForwardMasquerade() with an IPv6 address and have it attempt to add a rule to the MASQUERADE chain of ip6tables (which doesn't exist). This patch changes that function to check the protocol of the given address, generate an error log if it's not IPv4 (AF_INET), and finally hardcodes all the family parameters sent down to lower-level functions.
2011-01-04 17:31:40 +00:00
AF_INET,
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--source", networkstr,
"!", "--destination", networkstr,
"--out-interface", physdev,
"--jump", "MASQUERADE",
NULL);
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
} else {
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
Log an error on attempts to add a NAT rule for non-IPv4 addresses Although the upper-layer code protected against it, it was possible to call iptablesForwardMasquerade() with an IPv6 address and have it attempt to add a rule to the MASQUERADE chain of ip6tables (which doesn't exist). This patch changes that function to check the protocol of the given address, generate an error log if it's not IPv4 (AF_INET), and finally hardcodes all the family parameters sent down to lower-level functions.
2011-01-04 17:31:40 +00:00
AF_INET,
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
action,
"--source", networkstr,
"!", "--destination", networkstr,
"--jump", "MASQUERADE",
NULL);
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
}
Improve support for virtual networking
2007-03-13 22:43:22 +00:00
}
Convert virNetwork to use virSocketAddr everywhere Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
2010-10-21 12:14:33 +00:00
VIR_FREE(networkstr);
return ret;
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesAddForwardMasquerade:
* @ctx: pointer to the IP table context
* @network: the source network name
* @physdev: the physical input device or NULL
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
* @protocol: the network protocol or NULL
Remove all trailing blanks; turn on the rule to detect them. * Makefile.cfg (local-checks-to-skip): Remove sc_trailing_blank. * .x-sc_trailing_blank: New file, to exempt the few binary files.
2008-02-05 19:27:37 +00:00
*
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* Add rules to the IP table context to allow masquerading
* network @network on @physdev. This allow the bridge to
* masquerade for that network (on @physdev).
*
* Returns 0 in case of success or an error code otherwise
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesAddForwardMasquerade(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
const char *physdev,
const char *protocol)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, ADD);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
/**
* iptablesRemoveForwardMasquerade:
* @ctx: pointer to the IP table context
* @network: the source network name
* @physdev: the physical input device or NULL
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
* @protocol: the network protocol or NULL
Remove all trailing blanks; turn on the rule to detect them. * Makefile.cfg (local-checks-to-skip): Remove sc_trailing_blank. * .x-sc_trailing_blank: New file, to exempt the few binary files.
2008-02-05 19:27:37 +00:00
*
* docs/apibuild.py docs/newapi.xsl: fix generation of XML and stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
2007-06-29 13:23:13 +00:00
* Remove rules from the IP table context to stop masquerading
* network @network on @physdev. This stops the bridge from
* masquerading for that network (on @physdev).
*
* Returns 0 in case of success or an error code otherwise
*/
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
int
Fixed up IPtables rules to be more strict
2007-04-10 23:17:46 +00:00
iptablesRemoveForwardMasquerade(iptablesContext *ctx,
Fix formatting of network address in iptables helpers The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
2010-10-25 14:10:33 +00:00
virSocketAddr *netaddr,
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
unsigned int prefix,
CVE-2010-2242 Apply a source port mapping to virtual network masquerading IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
2010-06-10 16:50:38 +00:00
const char *physdev,
const char *protocol)
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
{
Pass prefix rather than netmask into iptables functions IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
2010-11-30 19:35:58 +00:00
return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, REMOVE);
Tue Feb 14 16:23:25 IST 2007 Mark McLoughlin <markmc@redhat.com> * qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
2007-02-14 16:26:42 +00:00
}
Add iptables rule to fixup DHCP response checksum. This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
2010-07-13 02:59:58 +00:00
static int
iptablesOutputFixUdpChecksum(iptablesContext *ctx,
const char *iface,
int port,
int action)
{
char portstr[32];
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
return iptablesAddRemoveRule(ctx->mangle_postrouting,
Update iptables.c to also support ip6tables. All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
2010-12-08 19:09:25 +00:00
AF_INET,
Add iptables rule to fixup DHCP response checksum. This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
2010-07-13 02:59:58 +00:00
action,
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
"--jump", "CHECKSUM", "--checksum-fill",
NULL);
}
/**
* iptablesAddOutputFixUdpChecksum:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to match
*
* Add an rule to the mangle table's POSTROUTING chain that fixes up the
* checksum of packets with the given destination @port.
* the given @iface interface for TCP packets.
*
* Returns 0 in case of success or an error code in case of error.
* (NB: if the system's iptables does not support checksum mangling,
* this will return an error, which should be ignored.)
*/
int
iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
const char *iface,
int port)
{
return iptablesOutputFixUdpChecksum(ctx, iface, port, ADD);
}
/**
* iptablesRemoveOutputFixUdpChecksum:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port of the rule to remove
*
* Removes the checksum fixup rule that was previous added with
* iptablesAddOutputFixUdpChecksum.
*
* Returns 0 in case of success or an error code in case of error
* (again, if iptables doesn't support checksum fixup, this will
* return an error, which should be ignored)
*/
int
iptablesRemoveOutputFixUdpChecksum(iptablesContext *ctx,
const char *iface,
int port)
{
return iptablesOutputFixUdpChecksum(ctx, iface, port, REMOVE);
}
Reference in New Issue Copy Permalink