2007-02-14 16:26:42 +00:00
|
|
|
/*
|
2012-12-12 17:42:44 +00:00
|
|
|
* viriptables.c: helper APIs for managing iptables
|
|
|
|
|
*
|
2013-02-04 09:45:23 +00:00
|
|
|
* Copyright (C) 2007-2013 Red Hat, Inc.
|
2007-02-14 16:26:42 +00:00
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 22:30:55 +00:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 10:06:23 +00:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2007-02-14 16:26:42 +00:00
|
|
|
*
|
|
|
|
|
* Authors:
|
|
|
|
|
* Mark McLoughlin <markmc@redhat.com>
|
|
|
|
|
*/
|
|
|
|
|
|
2008-01-29 18:15:54 +00:00
|
|
|
#include <config.h>
|
2007-02-14 16:26:42 +00:00
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <stdarg.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <limits.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
2010-04-29 03:31:16 +00:00
|
|
|
#include <sys/wait.h>
|
2007-12-07 14:45:39 +00:00
|
|
|
|
|
|
|
|
#ifdef HAVE_PATHS_H
|
2010-03-09 18:22:22 +00:00
|
|
|
# include <paths.h>
|
2007-12-07 14:45:39 +00:00
|
|
|
#endif
|
2007-02-14 16:26:42 +00:00
|
|
|
|
2007-03-30 16:25:02 +00:00
|
|
|
#include "internal.h"
|
2012-12-12 17:42:44 +00:00
|
|
|
#include "viriptables.h"
|
2012-12-12 16:27:01 +00:00
|
|
|
#include "vircommand.h"
|
2012-12-12 18:06:53 +00:00
|
|
|
#include "viralloc.h"
|
2012-12-13 18:21:53 +00:00
|
|
|
#include "virerror.h"
|
2013-05-09 18:59:04 +00:00
|
|
|
#include "virfile.h"
|
2012-12-12 17:59:27 +00:00
|
|
|
#include "virlog.h"
|
2012-12-13 15:49:48 +00:00
|
|
|
#include "virthread.h"
|
2013-04-03 10:36:23 +00:00
|
|
|
#include "virstring.h"
|
|
|
|
|
#include "virutil.h"
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 18:59:52 +00:00
|
|
|
|
|
|
|
|
#if HAVE_FIREWALLD
|
|
|
|
|
static char *firewall_cmd_path = NULL;
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
virIpTablesOnceInit(void)
|
|
|
|
|
{
|
|
|
|
|
firewall_cmd_path = virFindFileInPath("firewall-cmd");
|
|
|
|
|
if (!firewall_cmd_path) {
|
2012-08-22 20:00:28 +00:00
|
|
|
VIR_INFO("firewall-cmd not found on system. "
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 18:59:52 +00:00
|
|
|
"firewalld support disabled for iptables.");
|
|
|
|
|
} else {
|
|
|
|
|
virCommandPtr cmd = virCommandNew(firewall_cmd_path);
|
|
|
|
|
int status;
|
|
|
|
|
|
|
|
|
|
virCommandAddArgList(cmd, "--state", NULL);
|
|
|
|
|
if (virCommandRun(cmd, &status) < 0 || status != 0) {
|
2012-08-22 20:00:28 +00:00
|
|
|
VIR_INFO("firewall-cmd found but disabled for iptables");
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 18:59:52 +00:00
|
|
|
VIR_FREE(firewall_cmd_path);
|
|
|
|
|
firewall_cmd_path = NULL;
|
|
|
|
|
} else {
|
2012-08-22 20:00:28 +00:00
|
|
|
VIR_INFO("using firewalld for iptables commands");
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 18:59:52 +00:00
|
|
|
}
|
|
|
|
|
virCommandFree(cmd);
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VIR_ONCE_GLOBAL_INIT(virIpTables)
|
|
|
|
|
|
|
|
|
|
#endif
|
2007-06-26 23:48:46 +00:00
|
|
|
|
2010-10-25 14:10:33 +00:00
|
|
|
#define VIR_FROM_THIS VIR_FROM_NONE
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
|
2007-02-14 16:26:42 +00:00
|
|
|
enum {
|
|
|
|
|
ADD = 0,
|
|
|
|
|
REMOVE
|
|
|
|
|
};
|
|
|
|
|
|
2013-02-04 09:45:23 +00:00
|
|
|
static virCommandPtr
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesCommandNew(const char *table, const char *chain, int family, int action)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 18:59:52 +00:00
|
|
|
virCommandPtr cmd = NULL;
|
|
|
|
|
#if HAVE_FIREWALLD
|
|
|
|
|
virIpTablesInitialize();
|
|
|
|
|
if (firewall_cmd_path) {
|
|
|
|
|
cmd = virCommandNew(firewall_cmd_path);
|
|
|
|
|
virCommandAddArgList(cmd, "--direct", "--passthrough",
|
|
|
|
|
(family == AF_INET6) ? "ipv6" : "ipv4", NULL);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
if (cmd == NULL) {
|
|
|
|
|
cmd = virCommandNew((family == AF_INET6)
|
2010-12-08 19:09:25 +00:00
|
|
|
? IP6TABLES_PATH : IPTABLES_PATH);
|
network: use firewalld instead of iptables, when available
* configure.ac, spec file: firewalld defaults to enabled if dbus is
available, otherwise is disabled. If --with_firewalld is explicitly
requested and dbus is not available, configure will fail.
* bridge_driver: add dbus filters to get the FirewallD1.Reloaded
signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1.
When these are encountered, reload all the iptables reuls of all
libvirt's virtual networks (similar to what happens when libvirtd is
restarted).
* iptables, ebtables: use firewall-cmd's direct passthrough interface
when available, otherwise use iptables and ebtables commands. This
decision is made once the first time libvirt calls
iptables/ebtables, and that decision is maintained for the life of
libvirtd.
* Note that the nwfilter part of this patch was separated out into
another patch by Stefan in V2, so that needs to be revised and
re-reviewed as well.
================
All the configure.ac and specfile changes are unchanged from Thomas'
V3.
V3 re-ran "firewall-cmd --state" every time a new rule was added,
which was extremely inefficient. V4 uses VIR_ONCE_GLOBAL_INIT to set
up a one-time initialization function.
The VIR_ONCE_GLOBAL_INIT(x) macro references a static function called
vir(Ip|Eb)OnceInit(), which will then be called the first time that
the static function vir(Ip|Eb)TablesInitialize() is called (that
function is defined for you by the macro). This is
thread-safe, so there is no chance of any race.
IMPORTANT NOTE: I've left the VIR_DEBUG messages in these two init
functions (one for iptables, on for ebtables) as VIR_WARN so that I
don't have to turn on all the other debug message just to see
these. Even if this patch doesn't need any other modification, those
messages need to be changed to VIR_DEBUG before pushing.
This one-time initialization works well. However, I've encountered
problems with testing:
1) Whenever I have enabled the firewalld service, *all* attempts to
call firewall-cmd from within libvirtd end with firewall-cmd hanging
internally somewhere. This is *not* the case if firewall-cmd returns
non-0 in response to "firewall-cmd --state" (i.e. *that* command runs
and returns to libvirt successfully.)
2) If I start libvirtd while firewalld is stopped, then start
firewalld later, this triggers libvirtd to reload its iptables rules,
however it also spits out a *ton* of complaints about deletion failing
(I suppose because firewalld has nuked all of libvirt's rules). I
guess we need to suppress those messages (which is a more annoying
problem to fix than you might think, but that's another story).
3) I noticed a few times during this long line of errors that
firewalld made a complaint about "Resource Temporarily
unavailable. Having libvirtd access iptables commands directly at the
same time as firewalld is doing so is apparently problematic.
4) In general, I'm concerned about the "set it once and never change
it" method - if firewalld is disabled at libvirtd startup, causing
libvirtd to always use iptables/ebtables directly, this won't cause
*terrible* problems, but if libvirtd decides to use firewall-cmd and
firewalld is later disabled, libvirtd will not be able to recover.
2012-08-14 18:59:52 +00:00
|
|
|
}
|
2010-12-08 19:09:25 +00:00
|
|
|
|
2013-06-28 04:52:30 +00:00
|
|
|
virCommandAddArgList(cmd, "--table", table,
|
2010-05-25 11:18:53 +00:00
|
|
|
action == ADD ? "--insert" : "--delete",
|
2013-06-28 04:52:30 +00:00
|
|
|
chain, NULL);
|
2013-02-04 09:45:23 +00:00
|
|
|
return cmd;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
iptablesCommandRunAndFree(virCommandPtr cmd)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
ret = virCommandRun(cmd, NULL);
|
|
|
|
|
virCommandFree(cmd);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ATTRIBUTE_SENTINEL
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddRemoveRule(const char *table, const char *chain, int family, int action,
|
2013-02-04 09:45:23 +00:00
|
|
|
const char *arg, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list args;
|
|
|
|
|
virCommandPtr cmd = NULL;
|
|
|
|
|
const char *s;
|
|
|
|
|
|
2013-06-28 04:52:30 +00:00
|
|
|
cmd = iptablesCommandNew(table, chain, family, action);
|
2013-02-04 09:45:23 +00:00
|
|
|
virCommandAddArg(cmd, arg);
|
2007-02-14 16:26:42 +00:00
|
|
|
|
|
|
|
|
va_start(args, arg);
|
2010-05-25 11:18:53 +00:00
|
|
|
while ((s = va_arg(args, const char *)))
|
|
|
|
|
virCommandAddArg(cmd, s);
|
2007-02-14 16:26:42 +00:00
|
|
|
va_end(args);
|
|
|
|
|
|
2013-02-04 09:45:23 +00:00
|
|
|
return iptablesCommandRunAndFree(cmd);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesInput(int family,
|
2007-02-14 16:26:42 +00:00
|
|
|
const char *iface,
|
|
|
|
|
int port,
|
|
|
|
|
int action,
|
|
|
|
|
int tcp)
|
|
|
|
|
{
|
|
|
|
|
char portstr[32];
|
|
|
|
|
|
|
|
|
|
snprintf(portstr, sizeof(portstr), "%d", port);
|
|
|
|
|
portstr[sizeof(portstr) - 1] = '\0';
|
|
|
|
|
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesAddRemoveRule("filter", "INPUT",
|
2010-12-08 19:09:25 +00:00
|
|
|
family,
|
2007-03-13 22:43:22 +00:00
|
|
|
action,
|
|
|
|
|
"--in-interface", iface,
|
|
|
|
|
"--protocol", tcp ? "tcp" : "udp",
|
|
|
|
|
"--destination-port", portstr,
|
|
|
|
|
"--jump", "ACCEPT",
|
|
|
|
|
NULL);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddTcpInput:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the interface name
|
|
|
|
|
* @port: the TCP port to add
|
|
|
|
|
*
|
|
|
|
|
* Add an input to the IP table allowing access to the given @port on
|
|
|
|
|
* the given @iface interface for TCP packets
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code in case of error
|
|
|
|
|
*/
|
|
|
|
|
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddTcpInput(int family,
|
2007-02-14 16:26:42 +00:00
|
|
|
const char *iface,
|
|
|
|
|
int port)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesInput(family, iface, port, ADD, 1);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveTcpInput:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the interface name
|
|
|
|
|
* @port: the TCP port to remove
|
|
|
|
|
*
|
2008-02-27 10:37:19 +00:00
|
|
|
* Removes an input from the IP table, hence forbidding access to the given
|
2007-06-29 13:23:13 +00:00
|
|
|
* @port on the given @iface interface for TCP packets
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code in case of error
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveTcpInput(int family,
|
2007-02-14 16:26:42 +00:00
|
|
|
const char *iface,
|
|
|
|
|
int port)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesInput(family, iface, port, REMOVE, 1);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddUdpInput:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the interface name
|
|
|
|
|
* @port: the UDP port to add
|
|
|
|
|
*
|
|
|
|
|
* Add an input to the IP table allowing access to the given @port on
|
|
|
|
|
* the given @iface interface for UDP packets
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code in case of error
|
|
|
|
|
*/
|
|
|
|
|
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddUdpInput(int family,
|
2007-02-14 16:26:42 +00:00
|
|
|
const char *iface,
|
|
|
|
|
int port)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesInput(family, iface, port, ADD, 0);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveUdpInput:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the interface name
|
|
|
|
|
* @port: the UDP port to remove
|
|
|
|
|
*
|
2008-02-27 10:37:19 +00:00
|
|
|
* Removes an input from the IP table, hence forbidding access to the given
|
2007-06-29 13:23:13 +00:00
|
|
|
* @port on the given @iface interface for UDP packets
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code in case of error
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveUdpInput(int family,
|
2007-02-14 16:26:42 +00:00
|
|
|
const char *iface,
|
|
|
|
|
int port)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesInput(family, iface, port, REMOVE, 0);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2010-10-25 14:10:33 +00:00
|
|
|
static char *iptablesFormatNetwork(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix)
|
2010-10-25 14:10:33 +00:00
|
|
|
{
|
|
|
|
|
virSocketAddr network;
|
|
|
|
|
char *netstr;
|
|
|
|
|
char *ret;
|
|
|
|
|
|
Santize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.
Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.
* src/util/network.c, src/util/network.h: Santize socket
address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
src/nwfilter/nwfilter_ebiptables_driver.c,
src/nwfilter/nwfilter_learnipaddr.c,
src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
src/util/dnsmasq.c, src/util/iptables.c,
src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
API renaming
2011-11-02 14:06:59 +00:00
|
|
|
if (!(VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET) ||
|
|
|
|
|
VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET6))) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
|
|
|
|
_("Only IPv4 or IPv6 addresses can be used with iptables"));
|
2010-10-25 14:10:33 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-31 11:20:43 +00:00
|
|
|
if (virSocketAddrMaskByPrefix(netaddr, prefix, &network) < 0) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
|
_("Failure to mask address"));
|
2010-11-30 19:35:58 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
2010-10-25 14:10:33 +00:00
|
|
|
|
Santize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.
Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.
* src/util/network.c, src/util/network.h: Santize socket
address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
src/nwfilter/nwfilter_ebiptables_driver.c,
src/nwfilter/nwfilter_learnipaddr.c,
src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
src/util/dnsmasq.c, src/util/iptables.c,
src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
API renaming
2011-11-02 14:06:59 +00:00
|
|
|
netstr = virSocketAddrFormat(&network);
|
2010-10-25 14:10:33 +00:00
|
|
|
|
|
|
|
|
if (!netstr)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2013-07-04 10:17:18 +00:00
|
|
|
ignore_value(virAsprintf(&ret, "%s/%d", netstr, prefix));
|
2010-10-25 14:10:33 +00:00
|
|
|
|
|
|
|
|
VIR_FREE(netstr);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-04-10 23:17:46 +00:00
|
|
|
/* Allow all traffic coming from the bridge, with a valid network address
|
|
|
|
|
* to proceed to WAN
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesForwardAllowOut(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-10-25 14:10:33 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev,
|
|
|
|
|
int action)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
int ret;
|
|
|
|
|
char *networkstr;
|
2013-02-04 09:45:23 +00:00
|
|
|
virCommandPtr cmd = NULL;
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
|
2010-11-30 19:35:58 +00:00
|
|
|
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
return -1;
|
|
|
|
|
|
2013-06-28 04:52:30 +00:00
|
|
|
cmd = iptablesCommandNew("filter", "FORWARD",
|
2013-02-04 09:45:23 +00:00
|
|
|
VIR_SOCKET_ADDR_FAMILY(netaddr),
|
|
|
|
|
action);
|
|
|
|
|
virCommandAddArgList(cmd,
|
|
|
|
|
"--source", networkstr,
|
|
|
|
|
"--in-interface", iface, NULL);
|
|
|
|
|
|
|
|
|
|
if (physdev && physdev[0])
|
|
|
|
|
virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
|
|
|
|
|
|
|
|
|
|
virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
|
|
ret = iptablesCommandRunAndFree(cmd);
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
VIR_FREE(networkstr);
|
|
|
|
|
return ret;
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddForwardAllowOut:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @iface: the source interface name
|
|
|
|
|
* @physdev: the physical output device
|
2008-02-05 19:27:37 +00:00
|
|
|
*
|
2007-06-29 13:23:13 +00:00
|
|
|
* Add a rule to the IP table context to allow the traffic for the
|
|
|
|
|
* network @network via interface @iface to be forwarded to
|
|
|
|
|
* @physdev device. This allow the outbound traffic on a bridge.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddForwardAllowOut(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-10-25 14:10:33 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveForwardAllowOut:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @iface: the source interface name
|
|
|
|
|
* @physdev: the physical output device
|
2008-02-05 19:27:37 +00:00
|
|
|
*
|
2007-06-29 13:23:13 +00:00
|
|
|
* Remove a rule from the IP table context hence forbidding forwarding
|
|
|
|
|
* of the traffic for the network @network via interface @iface
|
|
|
|
|
* to the @physdev device output. This stops the outbound traffic on a bridge.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-10-25 14:10:33 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-04-10 23:17:46 +00:00
|
|
|
|
|
|
|
|
/* Allow all traffic destined to the bridge, with a valid network address
|
|
|
|
|
* and associated with an existing connection
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-10-25 14:10:33 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev,
|
|
|
|
|
int action)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
int ret;
|
|
|
|
|
char *networkstr;
|
|
|
|
|
|
2010-11-30 19:35:58 +00:00
|
|
|
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
return -1;
|
|
|
|
|
|
2007-04-10 23:17:46 +00:00
|
|
|
if (physdev && physdev[0]) {
|
2013-06-28 04:52:30 +00:00
|
|
|
ret = iptablesAddRemoveRule("filter", "FORWARD",
|
Santize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.
Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.
* src/util/network.c, src/util/network.h: Santize socket
address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
src/nwfilter/nwfilter_ebiptables_driver.c,
src/nwfilter/nwfilter_learnipaddr.c,
src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
src/util/dnsmasq.c, src/util/iptables.c,
src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
API renaming
2011-11-02 14:06:59 +00:00
|
|
|
VIR_SOCKET_ADDR_FAMILY(netaddr),
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
action,
|
|
|
|
|
"--destination", networkstr,
|
|
|
|
|
"--in-interface", physdev,
|
|
|
|
|
"--out-interface", iface,
|
2013-03-25 19:39:40 +00:00
|
|
|
"--match", "conntrack",
|
|
|
|
|
"--ctstate", "ESTABLISHED,RELATED",
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
"--jump", "ACCEPT",
|
|
|
|
|
NULL);
|
2007-03-13 22:43:22 +00:00
|
|
|
} else {
|
2013-06-28 04:52:30 +00:00
|
|
|
ret = iptablesAddRemoveRule("filter", "FORWARD",
|
Santize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.
Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.
* src/util/network.c, src/util/network.h: Santize socket
address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
src/nwfilter/nwfilter_ebiptables_driver.c,
src/nwfilter/nwfilter_learnipaddr.c,
src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
src/util/dnsmasq.c, src/util/iptables.c,
src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
API renaming
2011-11-02 14:06:59 +00:00
|
|
|
VIR_SOCKET_ADDR_FAMILY(netaddr),
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
action,
|
|
|
|
|
"--destination", networkstr,
|
|
|
|
|
"--out-interface", iface,
|
2013-03-25 19:39:40 +00:00
|
|
|
"--match", "conntrack",
|
|
|
|
|
"--ctstate", "ESTABLISHED,RELATED",
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
"--jump", "ACCEPT",
|
|
|
|
|
NULL);
|
2007-03-13 22:43:22 +00:00
|
|
|
}
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
VIR_FREE(networkstr);
|
|
|
|
|
return ret;
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2008-03-28 20:38:21 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddForwardAllowRelatedIn:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @iface: the output interface name
|
|
|
|
|
* @physdev: the physical input device or NULL
|
|
|
|
|
*
|
|
|
|
|
* Add rules to the IP table context to allow the traffic for the
|
|
|
|
|
* network @network on @physdev device to be forwarded to
|
|
|
|
|
* interface @iface, if it is part of an existing connection.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
|
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-10-25 14:10:33 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev)
|
2008-03-28 20:38:21 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD);
|
2008-03-28 20:38:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* iptablesRemoveForwardAllowRelatedIn:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @iface: the output interface name
|
|
|
|
|
* @physdev: the physical input device or NULL
|
|
|
|
|
*
|
|
|
|
|
* Remove rules from the IP table context hence forbidding the traffic for
|
|
|
|
|
* network @network on @physdev device to be forwarded to
|
|
|
|
|
* interface @iface, if it is part of an existing connection.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
|
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-10-25 14:10:33 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev)
|
2008-03-28 20:38:21 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE);
|
2008-03-28 20:38:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Allow all traffic destined to the bridge, with a valid network address
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesForwardAllowIn(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2008-03-28 20:38:21 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev,
|
|
|
|
|
int action)
|
|
|
|
|
{
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
int ret;
|
|
|
|
|
char *networkstr;
|
|
|
|
|
|
2010-11-30 19:35:58 +00:00
|
|
|
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
return -1;
|
|
|
|
|
|
2008-03-28 20:38:21 +00:00
|
|
|
if (physdev && physdev[0]) {
|
2013-06-28 04:52:30 +00:00
|
|
|
ret = iptablesAddRemoveRule("filter", "FORWARD",
|
Santize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.
Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.
* src/util/network.c, src/util/network.h: Santize socket
address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
src/nwfilter/nwfilter_ebiptables_driver.c,
src/nwfilter/nwfilter_learnipaddr.c,
src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
src/util/dnsmasq.c, src/util/iptables.c,
src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
API renaming
2011-11-02 14:06:59 +00:00
|
|
|
VIR_SOCKET_ADDR_FAMILY(netaddr),
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
action,
|
|
|
|
|
"--destination", networkstr,
|
|
|
|
|
"--in-interface", physdev,
|
|
|
|
|
"--out-interface", iface,
|
|
|
|
|
"--jump", "ACCEPT",
|
|
|
|
|
NULL);
|
2008-03-28 20:38:21 +00:00
|
|
|
} else {
|
2013-06-28 04:52:30 +00:00
|
|
|
ret = iptablesAddRemoveRule("filter", "FORWARD",
|
Santize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.
Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.
* src/util/network.c, src/util/network.h: Santize socket
address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
src/nwfilter/nwfilter_ebiptables_driver.c,
src/nwfilter/nwfilter_learnipaddr.c,
src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
src/util/dnsmasq.c, src/util/iptables.c,
src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
API renaming
2011-11-02 14:06:59 +00:00
|
|
|
VIR_SOCKET_ADDR_FAMILY(netaddr),
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
action,
|
|
|
|
|
"--destination", networkstr,
|
|
|
|
|
"--out-interface", iface,
|
|
|
|
|
"--jump", "ACCEPT",
|
|
|
|
|
NULL);
|
2008-03-28 20:38:21 +00:00
|
|
|
}
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
VIR_FREE(networkstr);
|
|
|
|
|
return ret;
|
2008-03-28 20:38:21 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddForwardAllowIn:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @iface: the output interface name
|
|
|
|
|
* @physdev: the physical input device or NULL
|
2008-02-05 19:27:37 +00:00
|
|
|
*
|
2007-06-29 13:23:13 +00:00
|
|
|
* Add rules to the IP table context to allow the traffic for the
|
|
|
|
|
* network @network on @physdev device to be forwarded to
|
|
|
|
|
* interface @iface. This allow the inbound traffic on a bridge.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddForwardAllowIn(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD);
|
2007-04-10 23:17:46 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveForwardAllowIn:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @iface: the output interface name
|
|
|
|
|
* @physdev: the physical input device or NULL
|
2008-02-05 19:27:37 +00:00
|
|
|
*
|
2007-06-29 13:23:13 +00:00
|
|
|
* Remove rules from the IP table context hence forbidding the traffic for
|
|
|
|
|
* network @network on @physdev device to be forwarded to
|
|
|
|
|
* interface @iface. This stops the inbound traffic on a bridge.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-04-10 23:17:46 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveForwardAllowIn(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface,
|
|
|
|
|
const char *physdev)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE);
|
2007-04-10 23:17:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Allow all traffic between guests on the same bridge,
|
|
|
|
|
* with a valid network address
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesForwardAllowCross(int family,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface,
|
|
|
|
|
int action)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesAddRemoveRule("filter", "FORWARD",
|
2010-12-08 19:09:25 +00:00
|
|
|
family,
|
2007-04-10 23:17:46 +00:00
|
|
|
action,
|
|
|
|
|
"--in-interface", iface,
|
|
|
|
|
"--out-interface", iface,
|
|
|
|
|
"--jump", "ACCEPT",
|
|
|
|
|
NULL);
|
|
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddForwardAllowCross:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the input/output interface name
|
|
|
|
|
*
|
|
|
|
|
* Add rules to the IP table context to allow traffic to cross that
|
|
|
|
|
* interface. It allows all traffic between guests on the same bridge
|
|
|
|
|
* represented by that interface.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-04-10 23:17:46 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddForwardAllowCross(int family,
|
2010-12-08 19:09:25 +00:00
|
|
|
const char *iface)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowCross(family, iface, ADD);
|
2007-04-10 23:17:46 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveForwardAllowCross:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the input/output interface name
|
|
|
|
|
*
|
|
|
|
|
* Remove rules to the IP table context to block traffic to cross that
|
|
|
|
|
* interface. It forbids traffic between guests on the same bridge
|
|
|
|
|
* represented by that interface.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-04-10 23:17:46 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveForwardAllowCross(int family,
|
2010-12-08 19:09:25 +00:00
|
|
|
const char *iface)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardAllowCross(family, iface, REMOVE);
|
2007-04-10 23:17:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Drop all traffic trying to forward from the bridge.
|
|
|
|
|
* ie the bridge is the in interface
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesForwardRejectOut(int family,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface,
|
|
|
|
|
int action)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesAddRemoveRule("filter", "FORWARD",
|
2010-12-08 19:09:25 +00:00
|
|
|
family,
|
|
|
|
|
action,
|
|
|
|
|
"--in-interface", iface,
|
|
|
|
|
"--jump", "REJECT",
|
|
|
|
|
NULL);
|
2007-04-10 23:17:46 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddForwardRejectOut:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the output interface name
|
|
|
|
|
*
|
|
|
|
|
* Add rules to the IP table context to forbid all traffic to that
|
|
|
|
|
* interface. It forbids forwarding from the bridge to that interface.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-04-10 23:17:46 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddForwardRejectOut(int family,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardRejectOut(family, iface, ADD);
|
2007-04-10 23:17:46 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveForwardRejectOut:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the output interface name
|
|
|
|
|
*
|
|
|
|
|
* Remove rules from the IP table context forbidding all traffic to that
|
|
|
|
|
* interface. It reallow forwarding from the bridge to that interface.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-04-10 23:17:46 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveForwardRejectOut(int family,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardRejectOut(family, iface, REMOVE);
|
2007-04-10 23:17:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Drop all traffic trying to forward to the bridge.
|
|
|
|
|
* ie the bridge is the out interface
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesForwardRejectIn(int family,
|
2007-03-13 22:43:22 +00:00
|
|
|
const char *iface,
|
2007-04-10 23:17:46 +00:00
|
|
|
int action)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesAddRemoveRule("filter", "FORWARD",
|
2010-12-08 19:09:25 +00:00
|
|
|
family,
|
2007-04-10 23:17:46 +00:00
|
|
|
action,
|
|
|
|
|
"--out-interface", iface,
|
|
|
|
|
"--jump", "REJECT",
|
|
|
|
|
NULL);
|
|
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddForwardRejectIn:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the input interface name
|
|
|
|
|
*
|
|
|
|
|
* Add rules to the IP table context to forbid all traffic from that
|
|
|
|
|
* interface. It forbids forwarding from that interface to the bridge.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-04-10 23:17:46 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddForwardRejectIn(int family,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardRejectIn(family, iface, ADD);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveForwardRejectIn:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the input interface name
|
|
|
|
|
*
|
|
|
|
|
* Remove rules from the IP table context forbidding all traffic from that
|
|
|
|
|
* interface. It allows forwarding from that interface to the bridge.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveForwardRejectIn(int family,
|
2007-04-10 23:17:46 +00:00
|
|
|
const char *iface)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardRejectIn(family, iface, REMOVE);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-04-10 23:17:46 +00:00
|
|
|
|
|
|
|
|
/* Masquerade all traffic coming from the network associated
|
|
|
|
|
* with the bridge
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesForwardMasquerade(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-06-10 16:50:38 +00:00
|
|
|
const char *physdev,
|
2013-02-19 10:44:16 +00:00
|
|
|
virSocketAddrRangePtr addr,
|
|
|
|
|
virPortRangePtr port,
|
2010-06-10 16:50:38 +00:00
|
|
|
const char *protocol,
|
|
|
|
|
int action)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
2013-02-19 10:44:14 +00:00
|
|
|
int ret = -1;
|
|
|
|
|
char *networkstr = NULL;
|
|
|
|
|
char *addrStartStr = NULL;
|
|
|
|
|
char *addrEndStr = NULL;
|
2013-02-19 10:44:15 +00:00
|
|
|
char *portRangeStr = NULL;
|
2013-02-19 10:44:14 +00:00
|
|
|
char *natRangeStr = NULL;
|
2013-02-04 09:45:23 +00:00
|
|
|
virCommandPtr cmd = NULL;
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
|
2010-11-30 19:35:58 +00:00
|
|
|
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
return -1;
|
|
|
|
|
|
Santize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.
Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.
* src/util/network.c, src/util/network.h: Santize socket
address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
src/nwfilter/nwfilter_ebiptables_driver.c,
src/nwfilter/nwfilter_learnipaddr.c,
src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
src/util/dnsmasq.c, src/util/iptables.c,
src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
API renaming
2011-11-02 14:06:59 +00:00
|
|
|
if (!VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET)) {
|
2011-01-04 17:31:40 +00:00
|
|
|
/* Higher level code *should* guaranteee it's impossible to get here. */
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("Attempted to NAT '%s'. NAT is only supported for IPv4."),
|
|
|
|
|
networkstr);
|
2013-02-19 10:44:14 +00:00
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
2013-02-19 10:44:16 +00:00
|
|
|
if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, AF_INET)) {
|
|
|
|
|
if (!(addrStartStr = virSocketAddrFormat(&addr->start)))
|
2013-02-19 10:44:14 +00:00
|
|
|
goto cleanup;
|
2013-02-19 10:44:16 +00:00
|
|
|
if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, AF_INET)) {
|
|
|
|
|
if (!(addrEndStr = virSocketAddrFormat(&addr->end)))
|
2013-02-19 10:44:14 +00:00
|
|
|
goto cleanup;
|
|
|
|
|
}
|
2011-01-04 17:31:40 +00:00
|
|
|
}
|
|
|
|
|
|
2013-06-28 04:52:30 +00:00
|
|
|
cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
|
2013-02-04 09:45:23 +00:00
|
|
|
virCommandAddArgList(cmd, "--source", networkstr, NULL);
|
|
|
|
|
|
|
|
|
|
if (protocol && protocol[0])
|
|
|
|
|
virCommandAddArgList(cmd, "-p", protocol, NULL);
|
|
|
|
|
|
|
|
|
|
virCommandAddArgList(cmd, "!", "--destination", networkstr, NULL);
|
|
|
|
|
|
|
|
|
|
if (physdev && physdev[0])
|
|
|
|
|
virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
|
|
|
|
|
|
2013-02-19 10:44:15 +00:00
|
|
|
if (protocol && protocol[0]) {
|
2013-02-19 10:44:16 +00:00
|
|
|
if (port->start == 0 && port->end == 0) {
|
|
|
|
|
port->start = 1024;
|
|
|
|
|
port->end = 65535;
|
2013-02-19 10:44:15 +00:00
|
|
|
}
|
|
|
|
|
|
2013-02-19 10:44:16 +00:00
|
|
|
if (port->start < port->end && port->end < 65536) {
|
|
|
|
|
if (virAsprintf(&portRangeStr, ":%u-%u",
|
2013-07-04 10:17:18 +00:00
|
|
|
port->start, port->end) < 0)
|
2013-02-19 10:44:15 +00:00
|
|
|
goto cleanup;
|
|
|
|
|
} else {
|
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("Invalid port range '%u-%u'."),
|
2013-02-19 10:44:16 +00:00
|
|
|
port->start, port->end);
|
2013-02-19 10:44:15 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-02-19 10:44:14 +00:00
|
|
|
/* Use --jump SNAT if public addr is specified */
|
|
|
|
|
if (addrStartStr && addrStartStr[0]) {
|
|
|
|
|
int r = 0;
|
2013-02-04 09:45:23 +00:00
|
|
|
|
2013-02-19 10:44:14 +00:00
|
|
|
if (addrEndStr && addrEndStr[0]) {
|
|
|
|
|
r = virAsprintf(&natRangeStr, "%s-%s%s", addrStartStr, addrEndStr,
|
2013-02-19 10:44:15 +00:00
|
|
|
portRangeStr ? portRangeStr : "");
|
2013-02-19 10:44:14 +00:00
|
|
|
} else {
|
2013-02-19 10:44:15 +00:00
|
|
|
r = virAsprintf(&natRangeStr, "%s%s", addrStartStr,
|
|
|
|
|
portRangeStr ? portRangeStr : "");
|
2013-02-19 10:44:14 +00:00
|
|
|
}
|
|
|
|
|
|
2013-07-04 10:17:18 +00:00
|
|
|
if (r < 0)
|
2013-02-19 10:44:14 +00:00
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
|
|
virCommandAddArgList(cmd, "--jump", "SNAT",
|
|
|
|
|
"--to-source", natRangeStr, NULL);
|
|
|
|
|
} else {
|
|
|
|
|
virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL);
|
|
|
|
|
|
2013-02-19 10:44:15 +00:00
|
|
|
if (portRangeStr && portRangeStr[0])
|
|
|
|
|
virCommandAddArgList(cmd, "--to-ports", &portRangeStr[1], NULL);
|
2013-02-19 10:44:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = virCommandRun(cmd, NULL);
|
|
|
|
|
cleanup:
|
|
|
|
|
virCommandFree(cmd);
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
VIR_FREE(networkstr);
|
2013-02-19 10:44:14 +00:00
|
|
|
VIR_FREE(addrStartStr);
|
|
|
|
|
VIR_FREE(addrEndStr);
|
2013-02-19 10:44:15 +00:00
|
|
|
VIR_FREE(portRangeStr);
|
2013-02-19 10:44:14 +00:00
|
|
|
VIR_FREE(natRangeStr);
|
Convert virNetwork to use virSocketAddr everywhere
Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present
* src/conf/network_conf.c, src/conf/network_conf.h,
src/network/bridge_driver.c: Convert to use virSocketAddr
in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
src/util/dnsmasq.c, src/util/dnsmasq.h,
src/util/iptables.c, src/util/iptables.h: Convert to
take a virSocketAddr instead of char * for any IP
address parameters
* src/util/network.h: Add macros to determine if an address
is set, and what address family is set.
2010-10-21 12:14:33 +00:00
|
|
|
return ret;
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesAddForwardMasquerade:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @physdev: the physical input device or NULL
|
2010-06-10 16:50:38 +00:00
|
|
|
* @protocol: the network protocol or NULL
|
2008-02-05 19:27:37 +00:00
|
|
|
*
|
2007-06-29 13:23:13 +00:00
|
|
|
* Add rules to the IP table context to allow masquerading
|
|
|
|
|
* network @network on @physdev. This allow the bridge to
|
|
|
|
|
* masquerade for that network (on @physdev).
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddForwardMasquerade(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-06-10 16:50:38 +00:00
|
|
|
const char *physdev,
|
2013-02-19 10:44:16 +00:00
|
|
|
virSocketAddrRangePtr addr,
|
|
|
|
|
virPortRangePtr port,
|
2010-06-10 16:50:38 +00:00
|
|
|
const char *protocol)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
|
2013-02-19 10:44:15 +00:00
|
|
|
protocol, ADD);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-29 13:23:13 +00:00
|
|
|
/**
|
|
|
|
|
* iptablesRemoveForwardMasquerade:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @network: the source network name
|
|
|
|
|
* @physdev: the physical input device or NULL
|
2010-06-10 16:50:38 +00:00
|
|
|
* @protocol: the network protocol or NULL
|
2008-02-05 19:27:37 +00:00
|
|
|
*
|
2007-06-29 13:23:13 +00:00
|
|
|
* Remove rules from the IP table context to stop masquerading
|
|
|
|
|
* network @network on @physdev. This stops the bridge from
|
|
|
|
|
* masquerading for that network (on @physdev).
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code otherwise
|
|
|
|
|
*/
|
2007-02-14 16:26:42 +00:00
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
|
2010-11-30 19:35:58 +00:00
|
|
|
unsigned int prefix,
|
2010-06-10 16:50:38 +00:00
|
|
|
const char *physdev,
|
2013-02-19 10:44:16 +00:00
|
|
|
virSocketAddrRangePtr addr,
|
|
|
|
|
virPortRangePtr port,
|
2010-06-10 16:50:38 +00:00
|
|
|
const char *protocol)
|
2007-02-14 16:26:42 +00:00
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
|
2013-02-19 10:44:15 +00:00
|
|
|
protocol, REMOVE);
|
2007-02-14 16:26:42 +00:00
|
|
|
}
|
2010-07-13 02:59:58 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesOutputFixUdpChecksum(const char *iface,
|
2010-07-13 02:59:58 +00:00
|
|
|
int port,
|
|
|
|
|
int action)
|
|
|
|
|
{
|
|
|
|
|
char portstr[32];
|
|
|
|
|
|
|
|
|
|
snprintf(portstr, sizeof(portstr), "%d", port);
|
|
|
|
|
portstr[sizeof(portstr) - 1] = '\0';
|
|
|
|
|
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesAddRemoveRule("mangle", "POSTROUTING",
|
2010-12-08 19:09:25 +00:00
|
|
|
AF_INET,
|
2010-07-13 02:59:58 +00:00
|
|
|
action,
|
|
|
|
|
"--out-interface", iface,
|
|
|
|
|
"--protocol", "udp",
|
|
|
|
|
"--destination-port", portstr,
|
|
|
|
|
"--jump", "CHECKSUM", "--checksum-fill",
|
|
|
|
|
NULL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* iptablesAddOutputFixUdpChecksum:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the interface name
|
|
|
|
|
* @port: the UDP port to match
|
|
|
|
|
*
|
2011-12-04 00:06:07 +00:00
|
|
|
* Add a rule to the mangle table's POSTROUTING chain that fixes up the
|
2010-07-13 02:59:58 +00:00
|
|
|
* checksum of packets with the given destination @port.
|
|
|
|
|
* the given @iface interface for TCP packets.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code in case of error.
|
|
|
|
|
* (NB: if the system's iptables does not support checksum mangling,
|
|
|
|
|
* this will return an error, which should be ignored.)
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesAddOutputFixUdpChecksum(const char *iface,
|
2010-07-13 02:59:58 +00:00
|
|
|
int port)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesOutputFixUdpChecksum(iface, port, ADD);
|
2010-07-13 02:59:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* iptablesRemoveOutputFixUdpChecksum:
|
|
|
|
|
* @ctx: pointer to the IP table context
|
|
|
|
|
* @iface: the interface name
|
|
|
|
|
* @port: the UDP port of the rule to remove
|
|
|
|
|
*
|
|
|
|
|
* Removes the checksum fixup rule that was previous added with
|
|
|
|
|
* iptablesAddOutputFixUdpChecksum.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 in case of success or an error code in case of error
|
|
|
|
|
* (again, if iptables doesn't support checksum fixup, this will
|
|
|
|
|
* return an error, which should be ignored)
|
|
|
|
|
*/
|
|
|
|
|
int
|
2013-06-28 04:52:30 +00:00
|
|
|
iptablesRemoveOutputFixUdpChecksum(const char *iface,
|
2010-07-13 02:59:58 +00:00
|
|
|
int port)
|
|
|
|
|
{
|
2013-06-28 04:52:30 +00:00
|
|
|
return iptablesOutputFixUdpChecksum(iface, port, REMOVE);
|
2010-07-13 02:59:58 +00:00
|
|
|
}
|
