Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin <markmc@redhat.com>

* qemud/iptables.c: Remove the target interface parameter
        from iptablesPhysdevForward(). This rule is intended to
        allow frames to be forwarded across the bridge from the
        supplied bridge port. In this context, the --out parameter
        would match the outgoing bridge port, which will never
        be network->def->forwardDev.
Mark McLoughlin 2007-03-30 16:23:04 +00:00
parent 27c1d7b9fa
commit 42d4b85d86
5 changed files with 72 additions and 76 deletions


@ -1,3 +1,12 @@
Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin <markmc@redhat.com>
* qemud/iptables.c: Remove the target interface parameter
from iptablesPhysdevForward(). This rule is intended to
allow frames to be forwarded across the bridge from the
supplied bridge port. In this context, the --out parameter
would match the outgoing bridge port, which will never
be network->def->forwardDev.
Wed Mar 30 17:17:15 IST 2007 Mark McLoughlin <markmc@redhat.com>
* qemud/iptables.c: ensure iptablesContext is zereod out


@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
}
if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"Failed to add iptables rule to allow bridging from '%s' :%s",
ifname, strerror(err));
@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
no_memory:
if (net->type == QEMUD_NET_NETWORK && network->def->forward)
iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
iptablesRemovePhysdevForward(server->iptables, ifname);
qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
error:
if (retval)


@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
static int
iptablesPhysdevForward(iptablesContext *ctx,
const char *iface,
const char *target,
int action)
{
if (target && target[0]) {
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--match", "physdev",
"--physdev-in", iface,
"--out", target,
"--jump", "ACCEPT",
NULL);
} else {
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--match", "physdev",
"--physdev-in", iface,
"--jump", "ACCEPT",
NULL);
}
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--match", "physdev",
"--physdev-in", iface,
"--jump", "ACCEPT",
NULL);
}
int
iptablesAddPhysdevForward(iptablesContext *ctx,
const char *iface,
const char *target)
const char *iface)
{
return iptablesPhysdevForward(ctx, iface, target, ADD);
return iptablesPhysdevForward(ctx, iface, ADD);
}
int
iptablesRemovePhysdevForward(iptablesContext *ctx,
const char *iface,
const char *target)
const char *iface)
{
return iptablesPhysdevForward(ctx, iface, target, REMOVE);
return iptablesPhysdevForward(ctx, iface, REMOVE);
}
static int
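Review bot: The rule the new body of iptablesPhysdevForward builds (`--match physdev --physdev-in <iface> --jump ACCEPT`) has no output-side constraint at all once the `--out` branch is removed, so it accepts every frame that entered on that bridge port and reaches the FORWARD chain, routed as well as bridged; guest traffic being routed from the port to any other host interface is then accepted independently of the narrower forwardDev interface/state rules this commit keeps elsewhere. If the intent is only to let frames cross the bridge, adding `"--physdev-is-bridged",` after the `"--physdev-in", iface,` pair limits the match to frames that are being bridged and leaves routed traffic to the explicit rules. Whether bridged frames traverse the FORWARD chain at all depends on the host's bridge-netfilter configuration, which this file does not show, so the rule's intended reach is worth a comment above the call, e.g. `/* FORWARD: accept frames entering the bridge via iface; no output interface restriction */`.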


@ -42,11 +42,9 @@ int iptablesRemoveUdpInput (iptablesContext *ctx,
int port);
int iptablesAddPhysdevForward (iptablesContext *ctx,
const char *iface,
const char *target);
const char *iface);
int iptablesRemovePhysdevForward (iptablesContext *ctx,
const char *iface,
const char *target);
const char *iface);
int iptablesAddInterfaceForward (iptablesContext *ctx,
const char *iface,


@ -1050,8 +1050,7 @@ qemudNetworkIfaceDisconnect(struct qemud_server *server,
return;
}
if (network->def->forward)
iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);
}
int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
@ -1248,50 +1247,26 @@ qemudAddIptablesRules(struct qemud_server *server,
}
/* allow bridging from the bridge interface itself */
if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow bridging from '%s' : %s\n",
network->bridge, strerror(err));
goto err1;
}
/* allow forwarding packets from the bridge interface */
if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow forwarding from '%s' : %s\n",
network->bridge, strerror(err));
goto err2;
}
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow forwarding to '%s' : %s\n",
network->bridge, strerror(err));
goto err3;
}
/* enable masquerading */
if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to enable masquerading : %s\n",
strerror(err));
goto err4;
}
/* allow DHCP requests through to dnsmasq */
if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
network->bridge, strerror(err));
goto err5;
goto err2;
}
if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
network->bridge, strerror(err));
goto err6;
goto err3;
}
/* allow DNS requests through to dnsmasq */
@ -1299,32 +1274,60 @@ qemudAddIptablesRules(struct qemud_server *server,
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow DNS requests from '%s' : %s\n",
network->bridge, strerror(err));
goto err7;
goto err4;
}
if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow DNS requests from '%s' : %s\n",
network->bridge, strerror(err));
goto err5;
}
/* The remaining rules are only needed for IP forwarding */
if (!network->def->forward)
return 1;
/* allow forwarding packets from the bridge interface */
if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow forwarding from '%s' : %s\n",
network->bridge, strerror(err));
goto err6;
}
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to allow forwarding to '%s' : %s\n",
network->bridge, strerror(err));
goto err7;
}
/* enable masquerading */
if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
"failed to add iptables rule to enable masquerading : %s\n",
strerror(err));
goto err8;
}
return 1;
err8:
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
err7:
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
err6:
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
err5:
iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
err4:
iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
err3:
err7:
iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
err6:
iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
err5:
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
err4:
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
err3:
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
err2:
iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
iptablesRemovePhysdevForward(server->iptables, network->bridge);
err1:
return 0;
}
@ -1333,15 +1336,15 @@ static void
qemudRemoveIptablesRules(struct qemud_server *server,
struct qemud_network *network) {
if (network->def->forward) {
iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
}
iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
iptablesRemovePhysdevForward(server->iptables, network->bridge);
}
static int
@ -1418,8 +1421,7 @@ int qemudStartNetworkDaemon(struct qemud_server *server,
goto err_delbr;
}
if (network->def->forward &&
!qemudAddIptablesRules(server, network))
if (!qemudAddIptablesRules(server, network))
goto err_delbr1;
if (network->def->forward &&