mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-16 22:57:15 +00:00
Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin <markmc@redhat.com>
* qemud/iptables.c: Remove the target interface parameter
from iptablesPhysdevForward(). This rule is intended to
allow frames to be forwarded across the bridge from the
supplied bridge port. In this context, the --out parameter
would match the outgoing bridge port, which will never
be network->def->forwardDev.
This commit is contained in:
Mark McLoughlin
parent
27c1d7b9fa
commit
42d4b85d86
@ -1,3 +1,12 @@
|
||||
Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin <markmc@redhat.com>
|
||||
|
||||
* qemud/iptables.c: Remove the target interface parameter
|
||||
from iptablesPhysdevForward(). This rule is intended to
|
||||
allow frames to be forwarded across the bridge from the
|
||||
supplied bridge port. In this context, the --out parameter
|
||||
would match the outgoing bridge port, which will never
|
||||
be network->def->forwardDev.
|
||||
|
||||
Wed Mar 30 17:17:15 IST 2007 Mark McLoughlin <markmc@redhat.com>
|
||||
|
||||
* qemud/iptables.c: ensure iptablesContext is zereod out
|
||||
|
||||
@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
|
||||
}
|
||||
|
||||
if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
|
||||
if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
|
||||
if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"Failed to add iptables rule to allow bridging from '%s' :%s",
|
||||
ifname, strerror(err));
|
||||
@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
|
||||
|
||||
no_memory:
|
||||
if (net->type == QEMUD_NET_NETWORK && network->def->forward)
|
||||
iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
|
||||
iptablesRemovePhysdevForward(server->iptables, ifname);
|
||||
qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
|
||||
error:
|
||||
if (retval)
|
||||
|
||||
@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
|
||||
static int
|
||||
iptablesPhysdevForward(iptablesContext *ctx,
|
||||
const char *iface,
|
||||
const char *target,
|
||||
int action)
|
||||
{
|
||||
if (target && target[0]) {
|
||||
return iptablesAddRemoveRule(ctx->forward_filter,
|
||||
action,
|
||||
"--match", "physdev",
|
||||
"--physdev-in", iface,
|
||||
"--out", target,
|
||||
"--jump", "ACCEPT",
|
||||
NULL);
|
||||
} else {
|
||||
return iptablesAddRemoveRule(ctx->forward_filter,
|
||||
action,
|
||||
"--match", "physdev",
|
||||
"--physdev-in", iface,
|
||||
"--jump", "ACCEPT",
|
||||
NULL);
|
||||
}
|
||||
return iptablesAddRemoveRule(ctx->forward_filter,
|
||||
action,
|
||||
"--match", "physdev",
|
||||
"--physdev-in", iface,
|
||||
"--jump", "ACCEPT",
|
||||
NULL);
|
||||
}
|
||||
|
||||
int
|
||||
iptablesAddPhysdevForward(iptablesContext *ctx,
|
||||
const char *iface,
|
||||
const char *target)
|
||||
const char *iface)
|
||||
{
|
||||
return iptablesPhysdevForward(ctx, iface, target, ADD);
|
||||
return iptablesPhysdevForward(ctx, iface, ADD);
|
||||
}
|
||||
|
||||
int
|
||||
iptablesRemovePhysdevForward(iptablesContext *ctx,
|
||||
const char *iface,
|
||||
const char *target)
|
||||
const char *iface)
|
||||
{
|
||||
return iptablesPhysdevForward(ctx, iface, target, REMOVE);
|
||||
return iptablesPhysdevForward(ctx, iface, REMOVE);
|
||||
}
|
||||
|
||||
static int
|
||||
|
||||
@ -42,11 +42,9 @@ int iptablesRemoveUdpInput (iptablesContext *ctx,
|
||||
int port);
|
||||
|
||||
int iptablesAddPhysdevForward (iptablesContext *ctx,
|
||||
const char *iface,
|
||||
const char *target);
|
||||
const char *iface);
|
||||
int iptablesRemovePhysdevForward (iptablesContext *ctx,
|
||||
const char *iface,
|
||||
const char *target);
|
||||
const char *iface);
|
||||
|
||||
int iptablesAddInterfaceForward (iptablesContext *ctx,
|
||||
const char *iface,
|
||||
|
||||
@ -1050,8 +1050,7 @@ qemudNetworkIfaceDisconnect(struct qemud_server *server,
|
||||
return;
|
||||
}
|
||||
|
||||
if (network->def->forward)
|
||||
iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
|
||||
iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);
|
||||
}
|
||||
|
||||
int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
|
||||
@ -1248,50 +1247,26 @@ qemudAddIptablesRules(struct qemud_server *server,
|
||||
}
|
||||
|
||||
/* allow bridging from the bridge interface itself */
|
||||
if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
|
||||
if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow bridging from '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err1;
|
||||
}
|
||||
|
||||
/* allow forwarding packets from the bridge interface */
|
||||
if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow forwarding from '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err2;
|
||||
}
|
||||
|
||||
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
|
||||
if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow forwarding to '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err3;
|
||||
}
|
||||
|
||||
/* enable masquerading */
|
||||
if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to enable masquerading : %s\n",
|
||||
strerror(err));
|
||||
goto err4;
|
||||
}
|
||||
|
||||
/* allow DHCP requests through to dnsmasq */
|
||||
if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err5;
|
||||
goto err2;
|
||||
}
|
||||
|
||||
if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err6;
|
||||
goto err3;
|
||||
}
|
||||
|
||||
/* allow DNS requests through to dnsmasq */
|
||||
@ -1299,32 +1274,60 @@ qemudAddIptablesRules(struct qemud_server *server,
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow DNS requests from '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err7;
|
||||
goto err4;
|
||||
}
|
||||
|
||||
if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow DNS requests from '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err5;
|
||||
}
|
||||
|
||||
/* The remaining rules are only needed for IP forwarding */
|
||||
if (!network->def->forward)
|
||||
return 1;
|
||||
|
||||
/* allow forwarding packets from the bridge interface */
|
||||
if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow forwarding from '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err6;
|
||||
}
|
||||
|
||||
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
|
||||
if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to allow forwarding to '%s' : %s\n",
|
||||
network->bridge, strerror(err));
|
||||
goto err7;
|
||||
}
|
||||
|
||||
/* enable masquerading */
|
||||
if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
|
||||
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
|
||||
"failed to add iptables rule to enable masquerading : %s\n",
|
||||
strerror(err));
|
||||
goto err8;
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
||||
err8:
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
|
||||
err7:
|
||||
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
|
||||
err6:
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
|
||||
err5:
|
||||
iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
|
||||
err4:
|
||||
iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
|
||||
err3:
|
||||
err7:
|
||||
iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
|
||||
err6:
|
||||
iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
|
||||
err5:
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
|
||||
err4:
|
||||
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
|
||||
err3:
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
|
||||
err2:
|
||||
iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
|
||||
iptablesRemovePhysdevForward(server->iptables, network->bridge);
|
||||
err1:
|
||||
return 0;
|
||||
}
|
||||
@ -1333,15 +1336,15 @@ static void
|
||||
qemudRemoveIptablesRules(struct qemud_server *server,
|
||||
struct qemud_network *network) {
|
||||
if (network->def->forward) {
|
||||
iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
|
||||
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
|
||||
iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
|
||||
iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
|
||||
iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
|
||||
iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
|
||||
}
|
||||
iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
|
||||
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
|
||||
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
|
||||
iptablesRemovePhysdevForward(server->iptables, network->bridge);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -1418,8 +1421,7 @@ int qemudStartNetworkDaemon(struct qemud_server *server,
|
||||
goto err_delbr;
|
||||
}
|
||||
|
||||
if (network->def->forward &&
|
||||
!qemudAddIptablesRules(server, network))
|
||||
if (!qemudAddIptablesRules(server, network))
|
||||
goto err_delbr1;
|
||||
|
||||
if (network->def->forward &&
|
||||
|
||||
Loading…
Reference in New Issue
Block a user