diff --git a/ChangeLog b/ChangeLog index ffeffa9883..d404a94dbe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin + + * qemud/iptables.c: Remove the target interface parameter + from iptablesPhysdevForward(). This rule is intended to + allow frames to be forwarded across the bridge from the + supplied bridge port. In this context, the --out parameter + would match the outgoing bridge port, which will never + be network->def->forwardDev. + Wed Mar 30 17:17:15 IST 2007 Mark McLoughlin * qemud/iptables.c: ensure iptablesContext is zereod out diff --git a/qemud/conf.c b/qemud/conf.c index 41ee7a3f9c..fa4e463210 100644 --- a/qemud/conf.c +++ b/qemud/conf.c @@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server, } if (net->type == QEMUD_NET_NETWORK && network->def->forward) { - if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) { + if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) { qemudReportError(server, VIR_ERR_INTERNAL_ERROR, "Failed to add iptables rule to allow bridging from '%s' :%s", ifname, strerror(err)); @@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server, no_memory: if (net->type == QEMUD_NET_NETWORK && network->def->forward) - iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev); + iptablesRemovePhysdevForward(server->iptables, ifname); qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds"); error: if (retval) diff --git a/qemud/iptables.c b/qemud/iptables.c index ced742753d..cbd2b8f345 100644 --- a/qemud/iptables.c +++ b/qemud/iptables.c 
@@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *ctx, static int iptablesPhysdevForward(iptablesContext *ctx, const char *iface, - const char *target, int action) { - if (target && target[0]) { - return iptablesAddRemoveRule(ctx->forward_filter, - action, - "--match", "physdev", - "--physdev-in", iface, - "--out", target, - "--jump", "ACCEPT", - NULL); - } else { - return iptablesAddRemoveRule(ctx->forward_filter, - action, - "--match", "physdev", - "--physdev-in", iface, - "--jump", "ACCEPT", - NULL); - } + return iptablesAddRemoveRule(ctx->forward_filter, + action, + "--match", "physdev", + "--physdev-in", iface, + "--jump", "ACCEPT", + NULL); } int iptablesAddPhysdevForward(iptablesContext *ctx, - const char *iface, - const char *target) + const char *iface) { - return iptablesPhysdevForward(ctx, iface, target, ADD); + return iptablesPhysdevForward(ctx, iface, ADD); } int iptablesRemovePhysdevForward(iptablesContext *ctx, - const char *iface, - const char *target) + const char *iface) { - return iptablesPhysdevForward(ctx, iface, target, REMOVE); + return iptablesPhysdevForward(ctx, iface, REMOVE); } static int diff --git a/qemud/iptables.h b/qemud/iptables.h index 395d5b3780..3b5bb910e1 100644 --- a/qemud/iptables.h +++ b/qemud/iptables.h @@ -42,11 +42,9 @@ int iptablesRemoveUdpInput (iptablesContext *ctx, int port); int iptablesAddPhysdevForward (iptablesContext *ctx, - const char *iface, - const char *target); + const char *iface); int iptablesRemovePhysdevForward (iptablesContext *ctx, - const char *iface, - const char *target); + const char *iface); int iptablesAddInterfaceForward (iptablesContext *ctx, const char *iface, diff --git a/qemud/qemud.c b/qemud/qemud.c index 12b112c4c1..fa5f5d840a 100644 --- a/qemud/qemud.c +++ b/qemud/qemud.c 
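Review bot: With the `--out` qualifier gone, the rule iptablesPhysdevForward now builds is `--match physdev --physdev-in <iface> -j ACCEPT` in the FORWARD chain, and physdev-in also matches packets that arrive via that bridge port and are then routed by the host, not only frames bridged to another port. That turns it into an unconditional ACCEPT for anything a guest sends through its tap to any egress interface, sidestepping the narrower InterfaceForward/StateForward rules that are meant to govern routed traffic (assuming bridge-nf-call-iptables is on, which it must be for this rule to do anything). If the intent is what the ChangeLog states — bridged frames only — add `"--physdev-is-bridged",` right after the `"--physdev-in", iface,` argument so the rule does not match routed packets; I believe that flag has been in the physdev match since early 2.6 kernels, but verify it against the oldest kernel/iptables the daemon supports. The function also has no header comment; a one-line `/* FORWARD-chain ACCEPT for traffic entering via bridge port iface */` above `static int` would pin down the intended scope.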
@@ -1050,8 +1050,7 @@ qemudNetworkIfaceDisconnect(struct qemud_server *server, return; } - if (network->def->forward) - iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev); + iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname); } int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) { 
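Review bot: Dropping the `if (network->def->forward)` guard here makes qemudNetworkIfaceDisconnect remove the per-port physdev rule unconditionally, while qemudNetworkIfaceConnect in conf.c (in this same commit) still adds that rule only under `net->type == QEMUD_NET_NETWORK && network->def->forward`, and its no_memory path removes it under the same guard. For an isolated network the disconnect path therefore runs an `iptables -D` for a rule that was never inserted; the return value is ignored so it is harmless today, but the add and remove sides should agree. Either restore `if (network->def->forward)` on this line, or — consistent with the now-unconditional physdev rule for the bridge itself in qemudAddIptablesRules — drop `&& network->def->forward` from both conf.c sites so guest ports on isolated networks get the same rule and removal. The body of qemudNetworkIfaceDisconnect begins before this hunk, so whether `network` is validated above is not visible here.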
@@ -1248,50 +1247,26 @@ qemudAddIptablesRules(struct qemud_server *server, } /* allow bridging from the bridge interface itself */ - if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) { + if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) { qemudReportError(server, VIR_ERR_INTERNAL_ERROR, "failed to add iptables rule to allow bridging from '%s' : %s\n", network->bridge, strerror(err)); goto err1; } - /* allow forwarding packets from the bridge interface */ - if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) { - qemudReportError(server, VIR_ERR_INTERNAL_ERROR, - "failed to add iptables rule to allow forwarding from '%s' : %s\n", - network->bridge, strerror(err)); - goto err2; - } - - /* allow forwarding packets to the bridge interface if they are part of an existing connection */ - if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) { - qemudReportError(server, VIR_ERR_INTERNAL_ERROR, - "failed to add iptables rule to allow forwarding to '%s' : %s\n", - network->bridge, strerror(err)); - goto err3; - } - - /* enable masquerading */ - if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) { - qemudReportError(server, VIR_ERR_INTERNAL_ERROR, - "failed to add iptables rule to enable masquerading : %s\n", - strerror(err)); - goto err4; - } - /* allow DHCP requests through to dnsmasq */ if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) { qemudReportError(server, VIR_ERR_INTERNAL_ERROR, "failed to add iptables rule to allow DHCP requests from '%s' : %s\n", network->bridge, strerror(err)); - goto err5; + goto err2; } if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) { qemudReportError(server, VIR_ERR_INTERNAL_ERROR, "failed to add iptables rule to allow DHCP requests from '%s' : %s\n", network->bridge, strerror(err)); - goto err6; + 
goto err3; } /* allow DNS requests through to dnsmasq */ 
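Review bot: The new `goto err2;` and `goto err3;` lines are part of a renumbering of nearly every label in qemudAddIptablesRules, and that is exactly the hazard with numbered cleanup labels: moving one rule shifts every label below it, and a label silently paired with the wrong `iptablesRemove*` call would leave a rule behind on the failure path with no compiler help. Naming the labels after the rule they undo is more robust — e.g. `goto err_dhcp_tcp;` after the TCP/67 failure and `goto err_dhcp_udp;` after UDP/67, with a matching `err_dhcp_tcp: iptablesRemoveTcpInput(server->iptables, network->bridge, 67);` in the unwind block — so a mismatch is visible at a glance and survives the next reordering. The unwind block and the remainder of qemudAddIptablesRules continue past this hunk.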
@@ -1299,32 +1274,60 @@ qemudAddIptablesRules(struct qemud_server *server, qemudReportError(server, VIR_ERR_INTERNAL_ERROR, "failed to add iptables rule to allow DNS requests from '%s' : %s\n", network->bridge, strerror(err)); - goto err7; + goto err4; } if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) { qemudReportError(server, VIR_ERR_INTERNAL_ERROR, "failed to add iptables rule to allow DNS requests from '%s' : %s\n", network->bridge, strerror(err)); + goto err5; + } + + /* The remaining rules are only needed for IP forwarding */ + if (!network->def->forward) + return 1; + + /* allow forwarding packets from the bridge interface */ + if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) { + qemudReportError(server, VIR_ERR_INTERNAL_ERROR, + "failed to add iptables rule to allow forwarding from '%s' : %s\n", + network->bridge, strerror(err)); + goto err6; + } + + /* allow forwarding packets to the bridge interface if they are part of an existing connection */ + if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) { + qemudReportError(server, VIR_ERR_INTERNAL_ERROR, + "failed to add iptables rule to allow forwarding to '%s' : %s\n", + network->bridge, strerror(err)); + goto err7; + } + + /* enable masquerading */ + if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) { + qemudReportError(server, VIR_ERR_INTERNAL_ERROR, + "failed to add iptables rule to enable masquerading : %s\n", + strerror(err)); goto err8; } return 1; err8: - iptablesRemoveTcpInput(server->iptables, network->bridge, 53); - err7: - iptablesRemoveUdpInput(server->iptables, network->bridge, 67); - err6: - iptablesRemoveTcpInput(server->iptables, network->bridge, 67); - err5: - iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev); - err4: iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev); - err3: + 
err7: iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev); + err6: + iptablesRemoveUdpInput(server->iptables, network->bridge, 53); + err5: + iptablesRemoveTcpInput(server->iptables, network->bridge, 53); + err4: + iptablesRemoveUdpInput(server->iptables, network->bridge, 67); + err3: + iptablesRemoveTcpInput(server->iptables, network->bridge, 67); err2: - iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev); + iptablesRemovePhysdevForward(server->iptables, network->bridge); err1: return 0; } @@ -1333,15 +1336,15 @@ static void qemudRemoveIptablesRules(struct qemud_server *server, struct qemud_network *network) { if (network->def->forward) { - iptablesRemoveUdpInput(server->iptables, network->bridge, 53); - iptablesRemoveTcpInput(server->iptables, network->bridge, 53); - iptablesRemoveUdpInput(server->iptables, network->bridge, 67); - iptablesRemoveTcpInput(server->iptables, network->bridge, 67); iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev); iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev); iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev); - iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev); } + iptablesRemoveUdpInput(server->iptables, network->bridge, 53); + iptablesRemoveTcpInput(server->iptables, network->bridge, 53); + iptablesRemoveUdpInput(server->iptables, network->bridge, 67); + iptablesRemoveTcpInput(server->iptables, network->bridge, 67); + iptablesRemovePhysdevForward(server->iptables, network->bridge); } static int @@ -1418,8 +1421,7 @@ int qemudStartNetworkDaemon(struct qemud_server *server, goto err_delbr; } - if (network->def->forward && - !qemudAddIptablesRules(server, network)) + if (!qemudAddIptablesRules(server, network)) goto err_delbr1; if (network->def->forward &&
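Review bot: qemudAddIptablesRules now has two success exits — the new `return 1;` after the DNS rules for networks without forwarding, and the original one after masquerading — while every failure label unwinds the rules added so far and falls through to `err1: return 0;`, yet that contract is written nowhere and the function's header lies outside this hunk. I would add above the signature: `/* Install a network's iptables rules: the bridge physdev ACCEPT and DHCP/DNS INPUT rules always, the FORWARD/MASQUERADE rules only when forward is set. Returns 1 on success; on failure every rule added so far is removed and 0 is returned. */`. I traced the new err2–err8 chain against the insertion order and each label removes exactly the rules inserted before its corresponding failure, so the restructuring itself looks correct; the missing piece is the comment.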
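Review bot: qemudRemoveIptablesRules now deletes the DHCP/DNS INPUT rules and the bridge physdev rule regardless of `network->def->forward`, mirroring the add side, but the shutdown path that calls it is not in this diff. If that call is still guarded by `network->def->forward` — as the start path was until the `@@ -1418` hunk below removed its guard — an isolated network will leave ACCEPT rules for udp/tcp 53 and 67 on the bridge and a FORWARD ACCEPT keyed on the bridge behind after it is stopped; please check the caller and drop any such guard. Separately, all the `iptablesRemove*` return values here are discarded, so a failed `-D` (and thus a stale masquerade or forward rule) is invisible; logging a non-zero return, as the add path does via qemudReportError, would make that failure observable.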