libvirt/src/nwfilter/nwfilter_ebiptables_driver.h

/*
 * nwfilter_ebiptables_driver.h: ebtables/iptables driver support
 *
 * Copyright (C) 2010 IBM Corporation
 * Copyright (C) 2010 Stefan Berger
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library;  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Stefan Berger <stefanb@us.ibm.com>
 */
#ifndef VIR_NWFILTER_EBTABLES_DRIVER_H__
# define VIR_NWFILTER_EBTABLES_DRIVER_H__

# define MAX_CHAINNAME_LENGTH  32 /* see linux/netfilter_bridge/ebtables.h */

enum RuleType {
    RT_EBTABLES,
    RT_IPTABLES,
    RT_IP6TABLES,
};

typedef struct _ebiptablesRuleInst ebiptablesRuleInst;
typedef ebiptablesRuleInst *ebiptablesRuleInstPtr;
struct _ebiptablesRuleInst {
    char *commandTemplate;
    const char *neededProtocolChain;
    virNWFilterChainPriority chainPriority;
    char chainprefix;    /* I for incoming, O for outgoing */
    virNWFilterRulePriority priority;
    enum RuleType ruleType;
};

extern virNWFilterTechDriver ebiptables_driver;

# define EBIPTABLES_DRIVER_ID "ebiptables"

# define IPTABLES_MAX_COMMENT_LENGTH  256

#endif
Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00			`/*`
			`* nwfilter_ebiptables_driver.h: ebtables/iptables driver support`
			`*`
			`* Copyright (C) 2010 IBM Corporation`
			`* Copyright (C) 2010 Stefan Berger`
			`*`
			`* This library is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU Lesser General Public`
			`* License as published by the Free Software Foundation; either`
			`* version 2.1 of the License, or (at your option) any later version.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`* Lesser General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Lesser General Public`
Desert the FSF address in copyright Per the FSF address could be changed from time to time, and GNU recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html) You should have received a copy of the GNU General Public License along with Foobar. If not, see <http://www.gnu.org/licenses/>. This patch removes the explicit FSF address, and uses above instead (of course, with inserting 'Lesser' before 'General'). Except a bunch of files for security driver, all others are changed automatically, the copyright for securify files are not complete, that's why to do it manually: src/security/security_selinux.h src/security/security_driver.h src/security/security_selinux.c src/security/security_apparmor.h src/security/security_apparmor.c src/security/security_driver.c 2012-07-21 10:06:23 +00:00			`* License along with this library; If not, see`
			`* <http://www.gnu.org/licenses/>.`
Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00			`*`
			`* Author: Stefan Berger <stefanb@us.ibm.com>`
			`*/`
			`#ifndef VIR_NWFILTER_EBTABLES_DRIVER_H__`
filter new files through cppi, so syntax-check passes once again * src/conf/nwfilter_conf.h: Indent cpp directives. * src/conf/nwfilter_params.h: Likewise. * src/datatypes.h: Likewise. * src/nwfilter/nwfilter_driver.h: Likewise. * src/nwfilter/nwfilter_ebiptables_driver.h: Likewise. * src/nwfilter/nwfilter_gentech_driver.h: Likewise. 2010-03-26 18:29:54 +00:00			`# define VIR_NWFILTER_EBTABLES_DRIVER_H__`
Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00
filter new files through cppi, so syntax-check passes once again * src/conf/nwfilter_conf.h: Indent cpp directives. * src/conf/nwfilter_params.h: Likewise. * src/datatypes.h: Likewise. * src/nwfilter/nwfilter_driver.h: Likewise. * src/nwfilter/nwfilter_ebiptables_driver.h: Likewise. * src/nwfilter/nwfilter_gentech_driver.h: Likewise. 2010-03-26 18:29:54 +00:00			`# define MAX_CHAINNAME_LENGTH 32 /* see linux/netfilter_bridge/ebtables.h */`
Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00
Extensions for iptables rules This patch adds support for L3/L4 filtering using iptables. This adds support for 'tcp', 'udp', 'icmp', 'igmp', 'sctp' etc. filtering. As mentioned in the introduction, a .c file provided by this patch is #include'd into a .c file. This will need work, but should be alright for review. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:12 +00:00			`enum RuleType {`
			`RT_EBTABLES,`
			`RT_IPTABLES,`
Add ip6tables support for IPv6 filtering This patch adds IPv6 filtering support for the following protocols: - tcp-ipv6 - udp-ipv6 - udplite-ipv6 - esp-ipv6 - ah-ipv6 - sctp-ipv6 - all-ipv6 - icmpv6 Many of the IPv4 data structure could be re-used for IPv6 support. Since ip6tables also supports pretty much the same command line parameters as iptables does, also much of the code could be re-used and now command lines are invoked with the ip(6)tables tool parameter passed through the functions as a parameter. 2010-03-30 14:36:35 +00:00			`RT_IP6TABLES,`
Extensions for iptables rules This patch adds support for L3/L4 filtering using iptables. This adds support for 'tcp', 'udp', 'icmp', 'igmp', 'sctp' etc. filtering. As mentioned in the introduction, a .c file provided by this patch is #include'd into a .c file. This will need work, but should be alright for review. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:12 +00:00			`};`

Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00			`typedef struct _ebiptablesRuleInst ebiptablesRuleInst;`
			`typedef ebiptablesRuleInst *ebiptablesRuleInstPtr;`
			`struct _ebiptablesRuleInst {`
			`char *commandTemplate;`
Use the actual names of chains in data structure Use the name of the chain rather than its type index (enum). This pushes the later enablement of chains with user-given names into the XML parser. For now we still only allow those names that are well known ('root', 'arp', 'rarp', 'ipv4' and 'ipv6'). Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2011-11-18 16:58:17 +00:00			`const char *neededProtocolChain;`
Introduce an internal priority for chains For better handling of the sorting of chains introduce an internally used priority. Use a lookup table to store the priorities. For now their actual values do not matter just that the values cause the chains to be properly sorted through changes in the following patches. However, the values are chosen as negative so that once they are sorted along with filtering rules (whose priority may only be positive for now) they will always be instantiated before them (lower values cause instantiation before higher values). This is done to maintain backwards compatibility. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2011-11-18 16:58:17 +00:00			`virNWFilterChainPriority chainPriority;`
Prefer C style comments over C++ ones Pure cosmetic change. 2011-01-28 21:38:06 +00:00			`char chainprefix; /* I for incoming, O for outgoing */`
Extend rule priorities into negative numbers So far rules' priorities have only been valid in the range [0,1000]. Now I am extending their priority into the range [-1000, 1000] for subsequently being able to sort rules and the access of (jumps into) chains following priorities. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2011-11-18 16:58:18 +00:00			`virNWFilterRulePriority priority;`
Extensions for iptables rules This patch adds support for L3/L4 filtering using iptables. This adds support for 'tcp', 'udp', 'icmp', 'igmp', 'sctp' etc. filtering. As mentioned in the introduction, a .c file provided by this patch is #include'd into a .c file. This will need work, but should be alright for review. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:12 +00:00			`enum RuleType ruleType;`
Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00			`};`

			`extern virNWFilterTechDriver ebiptables_driver;`

filter new files through cppi, so syntax-check passes once again * src/conf/nwfilter_conf.h: Indent cpp directives. * src/conf/nwfilter_params.h: Likewise. * src/datatypes.h: Likewise. * src/nwfilter/nwfilter_driver.h: Likewise. * src/nwfilter/nwfilter_ebiptables_driver.h: Likewise. * src/nwfilter/nwfilter_gentech_driver.h: Likewise. 2010-03-26 18:29:54 +00:00			`# define EBIPTABLES_DRIVER_ID "ebiptables"`
Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00
nwfilter: Instantiate comments in ip(6)tables rules In this patch I am extending the rule instantiator to create the comment node where supported, which is the case for iptables and ip6tables. Since commands are written in the format cmd='iptables ...-m comment --comment \"\" ' certain characters ('`) in the comment need to be escaped to prevent comments from becoming commands themselves or cause other forms of (bash) substitutions. I have tested this with various input and in my tests the input made it straight into the comment. A test case for TCK will be provided separately that tests this. 2010-09-30 19:56:09 +00:00			`# define IPTABLES_MAX_COMMENT_LENGTH 256`

Core driver implementation with ebtables support This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: Stefan Berger <stefanb@us.ibm.com> 2010-03-25 17:46:09 +00:00			`#endif`