Add support for so-far missing protocols for iptables filtering

This patch adds filtering support for the so-far missing protocols 'ah', 'esp' and 'udplite'.
2025-01-10 23:07:44 +00:00 · 2010-03-30 10:16:40 -04:00 · 2010-03-30 10:16:40 -04:00 · 285d38931f
commit 285d38931f
parent 0ec5cd0704
3 changed files with 181 additions and 0 deletions
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@ -83,6 +83,9 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, VIR_NWFILTER_RULE_PROTOCOL_LAST,
              "icmp",
              "igmp",
              "udp",
+              "udplite",
+              "esp",
+              "ah",
              "sctp",
              "all");

@ -584,6 +587,17 @@ static const struct int_map ipProtoMap[] = {
    } , {
        .attr = IPPROTO_UDP,
        .val  = "udp",
+#ifdef IPPROTO_UDPLITE
+    } , {
+        .attr = IPPROTO_UDPLITE,
+        .val  = "udplite",
+#endif
+    } , {
+        .attr = IPPROTO_ESP,
+        .val  = "esp",
+    } , {
+        .attr = IPPROTO_AH,
+        .val  = "ah",
    } , {
        .attr = IPPROTO_ICMP,
        .val  = "icmp",
@ -948,6 +962,26 @@ static const virXMLAttr2Struct udpAttributes[] = {
    }
 };

+static const virXMLAttr2Struct udpliteAttributes[] = {
+    COMMON_IP_PROPS(udpliteHdrFilter),
+    {
+        .name = NULL,
+    }
+};
+
+static const virXMLAttr2Struct espAttributes[] = {
+    COMMON_IP_PROPS(espHdrFilter),
+    {
+        .name = NULL,
+    }
+};
+
+static const virXMLAttr2Struct ahAttributes[] = {
+    COMMON_IP_PROPS(ahHdrFilter),
+    {
+        .name = NULL,
+    }
+};

 static const virXMLAttr2Struct sctpAttributes[] = {
    COMMON_IP_PROPS(sctpHdrFilter),
@ -1025,6 +1059,18 @@ static const virAttributes virAttr[] = {
        .id = "udp",
        .att = udpAttributes,
        .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDP,
+    }, {
+        .id = "udplite",
+        .att = udpliteAttributes,
+        .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+    }, {
+        .id = "esp",
+        .att = espAttributes,
+        .prtclType = VIR_NWFILTER_RULE_PROTOCOL_ESP,
+    }, {
+        .id = "ah",
+        .att = ahAttributes,
+        .prtclType = VIR_NWFILTER_RULE_PROTOCOL_AH,
    }, {
        .id = "sctp",
        .att = sctpAttributes,
@ -1494,6 +1540,39 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule)
                      rule->p.udpHdrFilter.portData.dataSrcPortStart);
    break;

+    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPMask,
+                      rule->p.udpliteHdrFilter.ipHdr.dataSrcIPAddr);
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPMask,
+                      rule->p.udpliteHdrFilter.ipHdr.dataDstIPAddr);
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPTo,
+                      rule->p.udpliteHdrFilter.ipHdr.dataSrcIPFrom);
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPTo,
+                      rule->p.udpliteHdrFilter.ipHdr.dataDstIPFrom);
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPMask,
+                      rule->p.espHdrFilter.ipHdr.dataSrcIPAddr);
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPMask,
+                      rule->p.espHdrFilter.ipHdr.dataDstIPAddr);
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPTo,
+                      rule->p.espHdrFilter.ipHdr.dataSrcIPFrom);
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPTo,
+                      rule->p.espHdrFilter.ipHdr.dataDstIPFrom);
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_AH:
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPMask,
+                      rule->p.ahHdrFilter.ipHdr.dataSrcIPAddr);
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPMask,
+                      rule->p.ahHdrFilter.ipHdr.dataDstIPAddr);
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPTo,
+                      rule->p.ahHdrFilter.ipHdr.dataSrcIPFrom);
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPTo,
+                      rule->p.ahHdrFilter.ipHdr.dataDstIPFrom);
+    break;
+
    case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
        COPY_NEG_SIGN(rule->p.sctpHdrFilter.ipHdr.dataSrcIPMask,
                      rule->p.sctpHdrFilter.ipHdr.dataSrcIPAddr);
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@ -241,6 +241,30 @@ struct _sctpHdrFilterDef {
 };


+typedef struct _espHdrFilterDef  espHdrFilterDef;
+typedef espHdrFilterDef *espHdrFilterDefPtr;
+struct _espHdrFilterDef {
+    nwItemDesc   dataSrcMACAddr;
+    ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _ahHdrFilterDef  ahHdrFilterDef;
+typedef ahHdrFilterDef *ahHdrFilterDefPtr;
+struct _ahHdrFilterDef {
+    nwItemDesc   dataSrcMACAddr;
+    ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _udpliteHdrFilterDef  udpliteHdrFilterDef;
+typedef udpliteHdrFilterDef *udpliteHdrFilterDefPtr;
+struct _udpliteHdrFilterDef {
+    nwItemDesc   dataSrcMACAddr;
+    ipHdrDataDef ipHdr;
+};
+
+
 enum virNWFilterRuleActionType {
    VIR_NWFILTER_RULE_ACTION_DROP = 0,
    VIR_NWFILTER_RULE_ACTION_ACCEPT,
@ -273,6 +297,9 @@ enum virNWFilterRuleProtocolType {
    VIR_NWFILTER_RULE_PROTOCOL_ICMP,
    VIR_NWFILTER_RULE_PROTOCOL_IGMP,
    VIR_NWFILTER_RULE_PROTOCOL_UDP,
+    VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+    VIR_NWFILTER_RULE_PROTOCOL_ESP,
+    VIR_NWFILTER_RULE_PROTOCOL_AH,
    VIR_NWFILTER_RULE_PROTOCOL_SCTP,
    VIR_NWFILTER_RULE_PROTOCOL_ALL,

@ -306,6 +333,9 @@ struct _virNWFilterRuleDef {
        tcpHdrFilterDef  tcpHdrFilter;
        icmpHdrFilterDef icmpHdrFilter;
        udpHdrFilterDef  udpHdrFilter;
+        udpliteHdrFilterDef  udpliteHdrFilter;
+        espHdrFilterDef  espHdrFilter;
+        ahHdrFilterDef  ahHdrFilter;
        allHdrFilterDef  allHdrFilter;
        igmpHdrFilterDef igmpHdrFilter;
        sctpHdrFilterDef sctpHdrFilter;
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@ -1089,6 +1089,75 @@ _iptablesCreateRuleInstance(virConnectPtr conn,
            goto err_exit;
    break;

+    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+        virBufferVSprintf(&buf,
+                          CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+                          chain);
+
+        virBufferAddLit(&buf, " -p udplite");
+
+        if (iptablesHandleSrcMacAddr(conn,
+                                     &buf,
+                                     vars,
+                                     &rule->p.udpliteHdrFilter.dataSrcMACAddr,
+                                     directionIn))
+            goto err_exit;
+
+        if (iptablesHandleIpHdr(conn,
+                                &buf,
+                                vars,
+                                &rule->p.udpliteHdrFilter.ipHdr,
+                                directionIn))
+            goto err_exit;
+
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+        virBufferVSprintf(&buf,
+                          CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+                          chain);
+
+        virBufferAddLit(&buf, " -p esp");
+
+        if (iptablesHandleSrcMacAddr(conn,
+                                     &buf,
+                                     vars,
+                                     &rule->p.espHdrFilter.dataSrcMACAddr,
+                                     directionIn))
+            goto err_exit;
+
+        if (iptablesHandleIpHdr(conn,
+                                &buf,
+                                vars,
+                                &rule->p.espHdrFilter.ipHdr,
+                                directionIn))
+            goto err_exit;
+
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_AH:
+        virBufferVSprintf(&buf,
+                          CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+                          chain);
+
+        virBufferAddLit(&buf, " -p ah");
+
+        if (iptablesHandleSrcMacAddr(conn,
+                                     &buf,
+                                     vars,
+                                     &rule->p.ahHdrFilter.dataSrcMACAddr,
+                                     directionIn))
+            goto err_exit;
+
+        if (iptablesHandleIpHdr(conn,
+                                &buf,
+                                vars,
+                                &rule->p.ahHdrFilter.ipHdr,
+                                directionIn))
+            goto err_exit;
+
+    break;
+
    case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
        virBufferVSprintf(&buf,
                          CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
@ -1836,6 +1905,9 @@ ebiptablesCreateRuleInstance(virConnectPtr conn,

    case VIR_NWFILTER_RULE_PROTOCOL_TCP:
    case VIR_NWFILTER_RULE_PROTOCOL_UDP:
+    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+    case VIR_NWFILTER_RULE_PROTOCOL_AH:
    case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
    case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
    case VIR_NWFILTER_RULE_PROTOCOL_IGMP: