From 477a619e1b37694e3c59c0d6c84ede6d2e28b878 Mon Sep 17 00:00:00 2001 From: Roman Bogorodskiy Date: Fri, 28 Jun 2013 00:52:30 -0400 Subject: [PATCH] Drop iptablesContext iptablesContext holds only 4 pairs of iptables (table, chain) and there's no need to pass it around. This is a first step towards separating bridge_driver.c in platform-specific parts. --- src/libvirt_private.syms | 2 - src/network/bridge_driver.c | 251 ++++++++++++++--------------------- src/util/viriptables.c | 257 +++++++++--------------------------- src/util/viriptables.h | 65 +++------ 4 files changed, 183 insertions(+), 392 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index f08ac64c29..281478fe60 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1417,8 +1417,6 @@ iptablesAddForwardRejectOut; iptablesAddOutputFixUdpChecksum; iptablesAddTcpInput; iptablesAddUdpInput; -iptablesContextFree; -iptablesContextNew; iptablesRemoveForwardAllowCross; iptablesRemoveForwardAllowIn; iptablesRemoveForwardAllowOut; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index fb1741faea..2d7790b317 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -75,7 +75,6 @@ struct network_driver { virNetworkObjList networks; - iptablesContext *iptables; char *networkConfigDir; char *networkAutostartDir; char *stateDir; @@ -107,7 +106,7 @@ static int networkStartNetworkVirtual(struct network_driver *driver, virNetworkObjPtr network); static int networkShutdownNetworkVirtual(struct network_driver *driver, - virNetworkObjPtr network); + virNetworkObjPtr network); static int networkStartNetworkExternal(struct network_driver *driver, virNetworkObjPtr network); 
@@ -420,10 +419,6 @@ networkStateInitialize(bool privileged, } } - if (!(driverState->iptables = iptablesContextNew())) { - goto out_of_memory; - } - /* if this fails now, it will be retried later with dnsmasqCapsRefresh() */ driverState->dnsmasqCaps = dnsmasqCapsNewFromBinary(DNSMASQ); @@ -531,9 +526,6 @@ networkStateCleanup(void) { VIR_FREE(driverState->dnsmasqStateDir); VIR_FREE(driverState->radvdStateDir); - if (driverState->iptables) - iptablesContextFree(driverState->iptables); - virObjectUnref(driverState->dnsmasqCaps); networkDriverUnlock(driverState); @@ -1544,8 +1536,7 @@ networkRefreshDaemons(struct network_driver *driver) } static int -networkAddMasqueradingIptablesRules(struct network_driver *driver, - virNetworkObjPtr network, +networkAddMasqueradingIptablesRules(virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); @@ -1559,8 +1550,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, } /* allow forwarding packets from the bridge interface */ - if (iptablesAddForwardAllowOut(driver->iptables, - &ipdef->address, + if (iptablesAddForwardAllowOut(&ipdef->address, prefix, network->def->bridge, forwardIf) < 0) { @@ -1573,8 +1563,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, /* allow forwarding packets to the bridge interface if they are * part of an existing connection */ - if (iptablesAddForwardAllowRelatedIn(driver->iptables, - &ipdef->address, + if (iptablesAddForwardAllowRelatedIn(&ipdef->address, prefix, network->def->bridge, forwardIf) < 0) { @@ -1608,8 +1597,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, */ /* First the generic masquerade rule for other protocols */ - if (iptablesAddForwardMasquerade(driver->iptables, - &ipdef->address, + if (iptablesAddForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, 
@@ -1626,8 +1614,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, } /* UDP with a source port restriction */ - if (iptablesAddForwardMasquerade(driver->iptables, - &ipdef->address, + if (iptablesAddForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, @@ -1644,8 +1631,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, } /* TCP with a source port restriction */ - if (iptablesAddForwardMasquerade(driver->iptables, - &ipdef->address, + if (iptablesAddForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, @@ -1664,30 +1650,26 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, return 0; masqerr5: - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, + iptablesRemoveForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, "udp"); masqerr4: - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, + iptablesRemoveForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, NULL); masqerr3: - iptablesRemoveForwardAllowRelatedIn(driver->iptables, - &ipdef->address, + iptablesRemoveForwardAllowRelatedIn(&ipdef->address, prefix, network->def->bridge, forwardIf); masqerr2: - iptablesRemoveForwardAllowOut(driver->iptables, - &ipdef->address, + iptablesRemoveForwardAllowOut(&ipdef->address, prefix, network->def->bridge, forwardIf); 
@@ -1696,43 +1678,37 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, } static void -networkRemoveMasqueradingIptablesRules(struct network_driver *driver, - virNetworkObjPtr network, +networkRemoveMasqueradingIptablesRules(virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); const char *forwardIf = virNetworkDefForwardIf(network->def, 0); if (prefix >= 0) { - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, + iptablesRemoveForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, "tcp"); - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, + iptablesRemoveForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, "udp"); - iptablesRemoveForwardMasquerade(driver->iptables, - &ipdef->address, + iptablesRemoveForwardMasquerade(&ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, NULL); - iptablesRemoveForwardAllowRelatedIn(driver->iptables, - &ipdef->address, + iptablesRemoveForwardAllowRelatedIn(&ipdef->address, prefix, network->def->bridge, forwardIf); - iptablesRemoveForwardAllowOut(driver->iptables, - &ipdef->address, + iptablesRemoveForwardAllowOut(&ipdef->address, prefix, network->def->bridge, forwardIf); @@ -1740,8 +1716,7 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver, } static int -networkAddRoutingIptablesRules(struct network_driver *driver, - virNetworkObjPtr network, +networkAddRoutingIptablesRules(virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); 
@@ -1755,8 +1730,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver, } /* allow routing packets from the bridge interface */ - if (iptablesAddForwardAllowOut(driver->iptables, - &ipdef->address, + if (iptablesAddForwardAllowOut(&ipdef->address, prefix, network->def->bridge, forwardIf) < 0) { @@ -1767,8 +1741,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver, } /* allow routing packets to the bridge interface */ - if (iptablesAddForwardAllowIn(driver->iptables, - &ipdef->address, + if (iptablesAddForwardAllowIn(&ipdef->address, prefix, network->def->bridge, forwardIf) < 0) { @@ -1781,8 +1754,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver, return 0; routeerr2: - iptablesRemoveForwardAllowOut(driver->iptables, - &ipdef->address, + iptablesRemoveForwardAllowOut(&ipdef->address, prefix, network->def->bridge, forwardIf); @@ -1791,22 +1763,19 @@ routeerr1: } static void -networkRemoveRoutingIptablesRules(struct network_driver *driver, - virNetworkObjPtr network, +networkRemoveRoutingIptablesRules(virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); const char *forwardIf = virNetworkDefForwardIf(network->def, 0); if (prefix >= 0) { - iptablesRemoveForwardAllowIn(driver->iptables, - &ipdef->address, + iptablesRemoveForwardAllowIn(&ipdef->address, prefix, network->def->bridge, forwardIf); - iptablesRemoveForwardAllowOut(driver->iptables, - &ipdef->address, + iptablesRemoveForwardAllowOut(&ipdef->address, prefix, network->def->bridge, forwardIf); @@ -1819,8 +1788,7 @@ networkRemoveRoutingIptablesRules(struct network_driver *driver, * If any IPv6 addresses are defined, then add the rules for regular operation. */ static int -networkAddGeneralIp6tablesRules(struct network_driver *driver, - virNetworkObjPtr network) +networkAddGeneralIp6tablesRules(virNetworkObjPtr network) { if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && 
@@ -1830,16 +1798,14 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver, /* Catch all rules to block forwarding to/from bridges */ - if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6, - network->def->bridge) < 0) { + if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add ip6tables rule to block outbound traffic from '%s'"), network->def->bridge); goto err1; } - if (iptablesAddForwardRejectIn(driver->iptables, AF_INET6, - network->def->bridge) < 0) { + if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add ip6tables rule to block inbound traffic to '%s'"), network->def->bridge); @@ -1847,8 +1813,7 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver, } /* Allow traffic between guests on the same bridge */ - if (iptablesAddForwardAllowCross(driver->iptables, AF_INET6, - network->def->bridge) < 0) { + if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add ip6tables rule to allow cross bridge traffic on '%s'"), network->def->bridge); 
@@ -1860,24 +1825,21 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver, return 0; /* allow DNS over IPv6 */ - if (iptablesAddTcpInput(driver->iptables, AF_INET6, - network->def->bridge, 53) < 0) { + if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add ip6tables rule to allow DNS requests from '%s'"), network->def->bridge); goto err4; } - if (iptablesAddUdpInput(driver->iptables, AF_INET6, - network->def->bridge, 53) < 0) { + if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add ip6tables rule to allow DNS requests from '%s'"), network->def->bridge); goto err5; } - if (iptablesAddUdpInput(driver->iptables, AF_INET6, - network->def->bridge, 547) < 0) { + if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add ip6tables rule to allow DHCP6 requests from '%s'"), network->def->bridge); 
@@ -1888,44 +1850,42 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver, /* unwind in reverse order from the point of failure */ err6: - iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53); + iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53); err5: - iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53); + iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53); err4: - iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge); + iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge); err3: - iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge); + iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge); err2: - iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge); + iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge); err1: return -1; } static void -networkRemoveGeneralIp6tablesRules(struct network_driver *driver, - virNetworkObjPtr network) +networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network) { if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && !network->def->ipv6nogw) { return; } if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) { - iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 547); - iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53); - iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53); + iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547); + iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53); + iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53); } /* the following rules are there if no IPv6 address has been defined * but network->def->ipv6nogw == true */ - iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge); - iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge); - 
iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge); + iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge); + iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge); + iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge); } static int -networkAddGeneralIptablesRules(struct network_driver *driver, - virNetworkObjPtr network) +networkAddGeneralIptablesRules(virNetworkObjPtr network) { int ii; virNetworkIpDefPtr ipv4def; @@ -1941,16 +1901,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver, /* allow DHCP requests through to dnsmasq */ - if (iptablesAddTcpInput(driver->iptables, AF_INET, - network->def->bridge, 67) < 0) { + if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to allow DHCP requests from '%s'"), network->def->bridge); goto err1; } - if (iptablesAddUdpInput(driver->iptables, AF_INET, - network->def->bridge, 67) < 0) { + if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to allow DHCP requests from '%s'"), network->def->bridge); 
@@ -1964,24 +1922,21 @@ networkAddGeneralIptablesRules(struct network_driver *driver, */ if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) && - (iptablesAddOutputFixUdpChecksum(driver->iptables, - network->def->bridge, 68) < 0)) { + (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) { VIR_WARN("Could not add rule to fixup DHCP response checksums " "on network '%s'.", network->def->name); VIR_WARN("May need to update iptables package & kernel to support CHECKSUM rule."); } /* allow DNS requests through to dnsmasq */ - if (iptablesAddTcpInput(driver->iptables, AF_INET, - network->def->bridge, 53) < 0) { + if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to allow DNS requests from '%s'"), network->def->bridge); goto err3; } - if (iptablesAddUdpInput(driver->iptables, AF_INET, - network->def->bridge, 53) < 0) { + if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to allow DNS requests from '%s'"), network->def->bridge); @@ -1990,8 +1945,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver, /* allow TFTP requests through to dnsmasq if necessary */ if (ipv4def && ipv4def->tftproot && - iptablesAddUdpInput(driver->iptables, AF_INET, - network->def->bridge, 69) < 0) { + iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to allow TFTP requests from '%s'"), network->def->bridge); 
@@ -2000,16 +1954,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver, /* Catch all rules to block forwarding to/from bridges */ - if (iptablesAddForwardRejectOut(driver->iptables, AF_INET, - network->def->bridge) < 0) { + if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to block outbound traffic from '%s'"), network->def->bridge); goto err6; } - if (iptablesAddForwardRejectIn(driver->iptables, AF_INET, - network->def->bridge) < 0) { + if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to block inbound traffic to '%s'"), network->def->bridge); @@ -2017,8 +1969,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver, } /* Allow traffic between guests on the same bridge */ - if (iptablesAddForwardAllowCross(driver->iptables, AF_INET, - network->def->bridge) < 0) { + if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("failed to add iptables rule to allow cross bridge traffic on '%s'"), network->def->bridge); @@ -2026,7 +1977,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver, } /* add IPv6 general rules, if needed */ - if (networkAddGeneralIp6tablesRules(driver, network) < 0) { + if (networkAddGeneralIp6tablesRules(network) < 0) { goto err9; } 
@@ -2034,35 +1985,34 @@ networkAddGeneralIptablesRules(struct network_driver *driver, /* unwind in reverse order from the point of failure */ err9: - iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge); + iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge); err8: - iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge); + iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge); err7: - iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge); + iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge); err6: if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69); + iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69); } err5: - iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53); + iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53); err4: - iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53); + iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53); err3: - iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67); + iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67); err2: - iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67); + iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67); err1: return -1; } static void -networkRemoveGeneralIptablesRules(struct network_driver *driver, - virNetworkObjPtr network) +networkRemoveGeneralIptablesRules(virNetworkObjPtr network) { int ii; virNetworkIpDefPtr ipv4def; - networkRemoveGeneralIp6tablesRules(driver, network); + networkRemoveGeneralIp6tablesRules(network); for (ii = 0; (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, ii)); 
@@ -2071,25 +2021,23 @@ networkRemoveGeneralIptablesRules(struct network_driver *driver, break; } - iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge); - iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge); - iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge); + iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge); + iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge); + iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge); if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69); + iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69); } - iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53); - iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53); + iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53); + iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53); if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) { - iptablesRemoveOutputFixUdpChecksum(driver->iptables, - network->def->bridge, 68); + iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68); } - iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67); - iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67); + iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67); + iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67); } static int -networkAddIpSpecificIptablesRules(struct network_driver *driver, - virNetworkObjPtr network, +networkAddIpSpecificIptablesRules(virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { /* NB: in the case of IPv6, routing rules are added when the 
@@ -2098,48 +2046,46 @@ networkAddIpSpecificIptablesRules(struct network_driver *driver, if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) { if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) - return networkAddMasqueradingIptablesRules(driver, network, ipdef); + return networkAddMasqueradingIptablesRules(network, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - return networkAddRoutingIptablesRules(driver, network, ipdef); + return networkAddRoutingIptablesRules(network, ipdef); } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { - return networkAddRoutingIptablesRules(driver, network, ipdef); + return networkAddRoutingIptablesRules(network, ipdef); } return 0; } static void -networkRemoveIpSpecificIptablesRules(struct network_driver *driver, - virNetworkObjPtr network, +networkRemoveIpSpecificIptablesRules(virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) { if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) - networkRemoveMasqueradingIptablesRules(driver, network, ipdef); + networkRemoveMasqueradingIptablesRules(network, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - networkRemoveRoutingIptablesRules(driver, network, ipdef); + networkRemoveRoutingIptablesRules(network, ipdef); } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { - networkRemoveRoutingIptablesRules(driver, network, ipdef); + networkRemoveRoutingIptablesRules(network, ipdef); } } /* Add all rules for all ip addresses (and general rules) on a network */ static int -networkAddIptablesRules(struct network_driver *driver, - virNetworkObjPtr network) +networkAddIptablesRules(virNetworkObjPtr network) { int ii; virNetworkIpDefPtr ipdef; virErrorPtr orig_error; /* Add "once per network" rules */ - if (networkAddGeneralIptablesRules(driver, network) < 0) + if (networkAddGeneralIptablesRules(network) < 0) return -1; for (ii = 0; (ipdef = 
virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii)); ii++) { /* Add address-specific iptables rules */ - if (networkAddIpSpecificIptablesRules(driver, network, ipdef) < 0) { + if (networkAddIpSpecificIptablesRules(network, ipdef) < 0) { goto err; } } @@ -2155,9 +2101,9 @@ err: */ while ((--ii >= 0) && (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii))) { - networkRemoveIpSpecificIptablesRules(driver, network, ipdef); + networkRemoveIpSpecificIptablesRules(network, ipdef); } - networkRemoveGeneralIptablesRules(driver, network); + networkRemoveGeneralIptablesRules(network); /* return the original error */ virSetError(orig_error); @@ -2167,8 +2113,7 @@ err: /* Remove all rules for all ip addresses (and general rules) on a network */ static void -networkRemoveIptablesRules(struct network_driver *driver, - virNetworkObjPtr network) +networkRemoveIptablesRules(virNetworkObjPtr network) { int ii; virNetworkIpDefPtr ipdef; @@ -2176,9 +2121,9 @@ networkRemoveIptablesRules(struct network_driver *driver, for (ii = 0; (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii)); ii++) { - networkRemoveIpSpecificIptablesRules(driver, network, ipdef); + networkRemoveIpSpecificIptablesRules(network, ipdef); } - networkRemoveGeneralIptablesRules(driver, network); + networkRemoveGeneralIptablesRules(network); } static void @@ -2199,8 +2144,8 @@ networkReloadIptablesRules(struct network_driver *driver) /* Only the three L3 network types that are configured by libvirt * need to have iptables rules reloaded. */ - networkRemoveIptablesRules(driver, network); - if (networkAddIptablesRules(driver, network) < 0) { + networkRemoveIptablesRules(network); + if (networkAddIptablesRules(network) < 0) { /* failed to add but already logged */ } } 
@@ -2526,7 +2471,7 @@ networkStartNetworkVirtual(struct network_driver *driver, goto err1; /* Add "once per network" rules */ - if (networkAddIptablesRules(driver, network) < 0) + if (networkAddIptablesRules(network) < 0) goto err1; for (ii = 0; @@ -2619,7 +2564,7 @@ networkStartNetworkVirtual(struct network_driver *driver, err2: if (!save_err) save_err = virSaveLastError(); - networkRemoveIptablesRules(driver, network); + networkRemoveIptablesRules(network); err1: if (!save_err) @@ -2644,8 +2589,8 @@ networkStartNetworkVirtual(struct network_driver *driver, return -1; } -static int networkShutdownNetworkVirtual(struct network_driver *driver, - virNetworkObjPtr network) +static int networkShutdownNetworkVirtual(struct network_driver *driver ATTRIBUTE_UNUSED, + virNetworkObjPtr network) { virNetDevBandwidthClear(network->def->bridge); @@ -2677,7 +2622,7 @@ static int networkShutdownNetworkVirtual(struct network_driver *driver, ignore_value(virNetDevSetOnline(network->def->bridge, 0)); - networkRemoveIptablesRules(driver, network); + networkRemoveIptablesRules(network); ignore_value(virNetDevBridgeDelete(network->def->bridge)); @@ -3490,8 +3435,8 @@ networkUpdate(virNetworkPtr net, network->def->forward.type == VIR_NETWORK_FORWARD_NAT || network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE)) { /* these could affect the iptables rules */ - networkRemoveIptablesRules(driver, network); - if (networkAddIptablesRules(driver, network) < 0) + networkRemoveIptablesRules(network); + if (networkAddIptablesRules(network) < 0) goto cleanup; } diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 16fbe9cbf1..63a803125f 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -88,52 +88,8 @@ enum { REMOVE }; -typedef struct -{ - char *table; - char *chain; -} iptRules; - -struct _iptablesContext -{ - iptRules *input_filter; - iptRules *forward_filter; - iptRules *nat_postrouting; - iptRules *mangle_postrouting; -}; - -static void -iptRulesFree(iptRules *rules) -{ - VIR_FREE(rules->table); - VIR_FREE(rules->chain); - VIR_FREE(rules); -} - -static iptRules * -iptRulesNew(const char *table, - const char *chain) -{ - iptRules *rules; - - if (VIR_ALLOC(rules) < 0) - return NULL; - - if (VIR_STRDUP(rules->table, table) < 0) - goto error; - - if (VIR_STRDUP(rules->chain, chain) < 0) - goto error; - - return rules; - - error: - iptRulesFree(rules); - return NULL; -} - static virCommandPtr -iptablesCommandNew(iptRules *rules, int family, int action) +iptablesCommandNew(const char *table, const char *chain, int family, int action) { virCommandPtr cmd = NULL; #if HAVE_FIREWALLD @@ -150,9 +106,9 @@ iptablesCommandNew(iptRules *rules, int family, int action) ? IP6TABLES_PATH : IPTABLES_PATH); } - virCommandAddArgList(cmd, "--table", rules->table, + virCommandAddArgList(cmd, "--table", table, action == ADD ? "--insert" : "--delete", - rules->chain, NULL); + chain, NULL); return cmd; } @@ -166,14 +122,14 @@ iptablesCommandRunAndFree(virCommandPtr cmd) } static int ATTRIBUTE_SENTINEL -iptablesAddRemoveRule(iptRules *rules, int family, int action, +iptablesAddRemoveRule(const char *table, const char *chain, int family, int action, const char *arg, ...) { va_list args; virCommandPtr cmd = NULL; const char *s; - cmd = iptablesCommandNew(rules, family, action); + cmd = iptablesCommandNew(table, chain, family, action); virCommandAddArg(cmd, arg); va_start(args, arg); 
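Review bot: The new `iptablesAddRemoveRule` signature in the last hunk on this line packs four parameters onto one line that runs past 80 columns, while its own continuation `const char *arg, ...)` and the rewritten `iptablesCommandNew` in the first hunk keep to the file's one-parameter-per-line wrapping; splitting it as `iptablesAddRemoveRule(const char *table, const char *chain,` / `int family, int action,` / `const char *arg, ...)` keeps the two helpers consistent. `iptablesCommandNew` now takes the table and chain as bare strings but has no header comment, and the second hunk shows it choosing `--insert` for ADD and `--delete` for REMOVE; a comment such as `/* Build an iptables/ip6tables command that inserts (ADD) or deletes (REMOVE) a rule in @chain of @table; the caller appends the match arguments. */` would record the contract every caller now relies on. Both function bodies continue outside their hunks.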
@@ -184,63 +140,8 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action, return iptablesCommandRunAndFree(cmd); } -/** - * iptablesContextNew: - * - * Create a new IPtable context - * - * Returns a pointer to the new structure or NULL in case of error - */ -iptablesContext * -iptablesContextNew(void) -{ - iptablesContext *ctx; - - if (VIR_ALLOC(ctx) < 0) - return NULL; - - if (!(ctx->input_filter = iptRulesNew("filter", "INPUT"))) - goto error; - - if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD"))) - goto error; - - if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING"))) - goto error; - - if (!(ctx->mangle_postrouting = iptRulesNew("mangle", "POSTROUTING"))) - goto error; - - return ctx; - - error: - iptablesContextFree(ctx); - return NULL; -} - -/** - * iptablesContextFree: - * @ctx: pointer to the IP table context - * - * Free the resources associated with an IP table context - */ -void -iptablesContextFree(iptablesContext *ctx) -{ - if (ctx->input_filter) - iptRulesFree(ctx->input_filter); - if (ctx->forward_filter) - iptRulesFree(ctx->forward_filter); - if (ctx->nat_postrouting) - iptRulesFree(ctx->nat_postrouting); - if (ctx->mangle_postrouting) - iptRulesFree(ctx->mangle_postrouting); - VIR_FREE(ctx); -} - static int -iptablesInput(iptablesContext *ctx, - int family, +iptablesInput(int family, const char *iface, int port, int action, @@ -251,7 +152,7 @@ iptablesInput(iptablesContext *ctx, snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; - return iptablesAddRemoveRule(ctx->input_filter, + return iptablesAddRemoveRule("filter", "INPUT", family, action, "--in-interface", iface, @@ -274,12 +175,11 @@ iptablesInput(iptablesContext *ctx, */ int -iptablesAddTcpInput(iptablesContext *ctx, - int family, +iptablesAddTcpInput(int family, const char *iface, int port) { - return iptablesInput(ctx, family, iface, port, ADD, 1); + return iptablesInput(family, iface, port, ADD, 1); } /** 
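Review bot: `iptablesInput` in the third hunk on this line now passes `"filter", "INPUT"` as bare literals, and the hunks on the following lines repeat `"filter", "FORWARD"` at every `iptablesForwardAllowOut`, `iptablesForwardAllowRelatedIn`, `iptablesForwardAllowIn` and `iptablesForwardAllowCross` call site, so a misspelled table or chain at any one of them compiles cleanly and only surfaces as an iptables failure at rule-install time. Naming each string once next to the `ADD`/`REMOVE` enum, for instance `static const char iptablesFilterTable[] = "filter";` and `static const char iptablesForwardChain[] = "FORWARD";`, and passing those at the call sites lets the compiler catch the typo instead. The Doxygen block above `iptablesAddTcpInput` in the last hunk here, like those above the other public wrappers in later hunks, begins outside the hunk; if it still carries a `@ctx: pointer to the IP table context` line as the removed `iptablesContextFree` comment did, that line should be dropped together with the parameter. `iptablesInput`'s body starts outside its hunk.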
@@ -294,12 +194,11 @@ iptablesAddTcpInput(iptablesContext *ctx, * Returns 0 in case of success or an error code in case of error */ int -iptablesRemoveTcpInput(iptablesContext *ctx, - int family, +iptablesRemoveTcpInput(int family, const char *iface, int port) { - return iptablesInput(ctx, family, iface, port, REMOVE, 1); + return iptablesInput(family, iface, port, REMOVE, 1); } /** @@ -315,12 +214,11 @@ iptablesRemoveTcpInput(iptablesContext *ctx, */ int -iptablesAddUdpInput(iptablesContext *ctx, - int family, +iptablesAddUdpInput(int family, const char *iface, int port) { - return iptablesInput(ctx, family, iface, port, ADD, 0); + return iptablesInput(family, iface, port, ADD, 0); } /** @@ -335,12 +233,11 @@ iptablesAddUdpInput(iptablesContext *ctx, * Returns 0 in case of success or an error code in case of error */ int -iptablesRemoveUdpInput(iptablesContext *ctx, - int family, +iptablesRemoveUdpInput(int family, const char *iface, int port) { - return iptablesInput(ctx, family, iface, port, REMOVE, 0); + return iptablesInput(family, iface, port, REMOVE, 0); } @@ -381,8 +278,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr, * to proceed to WAN */ static int -iptablesForwardAllowOut(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesForwardAllowOut(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev, @@ -395,7 +291,7 @@ iptablesForwardAllowOut(iptablesContext *ctx, if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; - cmd = iptablesCommandNew(ctx->forward_filter, + cmd = iptablesCommandNew("filter", "FORWARD", VIR_SOCKET_ADDR_FAMILY(netaddr), action); virCommandAddArgList(cmd, 
@@ -426,13 +322,12 @@ iptablesForwardAllowOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowOut(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesAddForwardAllowOut(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD); } /** @@ -449,13 +344,12 @@ iptablesAddForwardAllowOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowOut(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesRemoveForwardAllowOut(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE); } @@ -463,8 +357,7 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx, * and associated with an existing connection */ static int -iptablesForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesForwardAllowRelatedIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev, @@ -477,7 +370,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, return -1; if (physdev && physdev[0]) { - ret = iptablesAddRemoveRule(ctx->forward_filter, + ret = iptablesAddRemoveRule("filter", "FORWARD", VIR_SOCKET_ADDR_FAMILY(netaddr), action, "--destination", networkstr, @@ -488,7 +381,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, "--jump", "ACCEPT", NULL); } else { - ret = iptablesAddRemoveRule(ctx->forward_filter, + ret = iptablesAddRemoveRule("filter", "FORWARD", VIR_SOCKET_ADDR_FAMILY(netaddr), action, "--destination", networkstr, 
@@ -516,13 +409,12 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD); } /** @@ -539,20 +431,18 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE); } /* Allow all traffic destined to the bridge, with a valid network address */ static int -iptablesForwardAllowIn(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesForwardAllowIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev, @@ -565,7 +455,7 @@ iptablesForwardAllowIn(iptablesContext *ctx, return -1; if (physdev && physdev[0]) { - ret = iptablesAddRemoveRule(ctx->forward_filter, + ret = iptablesAddRemoveRule("filter", "FORWARD", VIR_SOCKET_ADDR_FAMILY(netaddr), action, "--destination", networkstr, @@ -574,7 +464,7 @@ iptablesForwardAllowIn(iptablesContext *ctx, "--jump", "ACCEPT", NULL); } else { - ret = iptablesAddRemoveRule(ctx->forward_filter, + ret = iptablesAddRemoveRule("filter", "FORWARD", VIR_SOCKET_ADDR_FAMILY(netaddr), action, "--destination", networkstr, 
@@ -600,13 +490,12 @@ iptablesForwardAllowIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowIn(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesAddForwardAllowIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD); } /** @@ -623,13 +512,12 @@ iptablesAddForwardAllowIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowIn(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesRemoveForwardAllowIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE); } @@ -637,12 +525,11 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx, * with a valid network address */ static int -iptablesForwardAllowCross(iptablesContext *ctx, - int family, +iptablesForwardAllowCross(int family, const char *iface, int action) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", family, action, "--in-interface", iface, @@ -663,11 +550,10 @@ iptablesForwardAllowCross(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowCross(iptablesContext *ctx, - int family, +iptablesAddForwardAllowCross(int family, const char *iface) { - return iptablesForwardAllowCross(ctx, family, iface, ADD); + return iptablesForwardAllowCross(family, iface, ADD); } /** 
@@ -682,11 +568,10 @@ iptablesAddForwardAllowCross(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowCross(iptablesContext *ctx, - int family, +iptablesRemoveForwardAllowCross(int family, const char *iface) { - return iptablesForwardAllowCross(ctx, family, iface, REMOVE); + return iptablesForwardAllowCross(family, iface, REMOVE); } @@ -694,12 +579,11 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx, * ie the bridge is the in interface */ static int -iptablesForwardRejectOut(iptablesContext *ctx, - int family, +iptablesForwardRejectOut(int family, const char *iface, int action) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", family, action, "--in-interface", iface, @@ -718,11 +602,10 @@ iptablesForwardRejectOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardRejectOut(iptablesContext *ctx, - int family, +iptablesAddForwardRejectOut(int family, const char *iface) { - return iptablesForwardRejectOut(ctx, family, iface, ADD); + return iptablesForwardRejectOut(family, iface, ADD); } /** @@ -736,11 +619,10 @@ iptablesAddForwardRejectOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardRejectOut(iptablesContext *ctx, - int family, +iptablesRemoveForwardRejectOut(int family, const char *iface) { - return iptablesForwardRejectOut(ctx, family, iface, REMOVE); + return iptablesForwardRejectOut(family, iface, REMOVE); } @@ -750,12 +632,11 @@ iptablesRemoveForwardRejectOut(iptablesContext *ctx, * ie the bridge is the out interface */ static int -iptablesForwardRejectIn(iptablesContext *ctx, - int family, +iptablesForwardRejectIn(int family, const char *iface, int action) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", family, action, "--out-interface", iface, 
@@ -774,11 +655,10 @@ iptablesForwardRejectIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardRejectIn(iptablesContext *ctx, - int family, +iptablesAddForwardRejectIn(int family, const char *iface) { - return iptablesForwardRejectIn(ctx, family, iface, ADD); + return iptablesForwardRejectIn(family, iface, ADD); } /** @@ -792,11 +672,10 @@ iptablesAddForwardRejectIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardRejectIn(iptablesContext *ctx, - int family, +iptablesRemoveForwardRejectIn(int family, const char *iface) { - return iptablesForwardRejectIn(ctx, family, iface, REMOVE); + return iptablesForwardRejectIn(family, iface, REMOVE); } @@ -804,8 +683,7 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx, * with the bridge */ static int -iptablesForwardMasquerade(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesForwardMasquerade(virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, @@ -841,7 +719,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, } } - cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action); + cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action); virCommandAddArgList(cmd, "--source", networkstr, NULL); if (protocol && protocol[0]) @@ -922,15 +800,14 @@ cleanup: * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardMasquerade(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesAddForwardMasquerade(virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port, + return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port, protocol, ADD); } 
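Review bot: The new call `cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);` in the iptablesForwardMasquerade hunk hard-codes AF_INET, whereas the filter helpers earlier in this patch derive the family from the address with `VIR_SOCKET_ADDR_FAMILY(netaddr)`. The commit only moves the table/chain inline and does not change that, but now that the call is fully spelled out at the site it is the natural place to state the intent; if IPv4-only NAT is deliberate, a comment such as `/* masquerading is applied to the IPv4 nat table only, regardless of netaddr's family */` would save the next reader from checking whether an IPv6 netaddr is silently ignored here. iptablesForwardMasquerade begins in an earlier hunk and its body continues outside this one.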
@@ -948,22 +825,20 @@ iptablesAddForwardMasquerade(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardMasquerade(iptablesContext *ctx, - virSocketAddr *netaddr, +iptablesRemoveForwardMasquerade(virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port, + return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port, protocol, REMOVE); } static int -iptablesOutputFixUdpChecksum(iptablesContext *ctx, - const char *iface, +iptablesOutputFixUdpChecksum(const char *iface, int port, int action) { @@ -972,7 +847,7 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx, snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; - return iptablesAddRemoveRule(ctx->mangle_postrouting, + return iptablesAddRemoveRule("mangle", "POSTROUTING", AF_INET, action, "--out-interface", iface, @@ -998,11 +873,10 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx, */ int -iptablesAddOutputFixUdpChecksum(iptablesContext *ctx, - const char *iface, +iptablesAddOutputFixUdpChecksum(const char *iface, int port) { - return iptablesOutputFixUdpChecksum(ctx, iface, port, ADD); + return iptablesOutputFixUdpChecksum(iface, port, ADD); } /** @@ -1019,9 +893,8 @@ iptablesAddOutputFixUdpChecksum(iptablesContext *ctx, * return an error, which should be ignored) */ int -iptablesRemoveOutputFixUdpChecksum(iptablesContext *ctx, - const char *iface, +iptablesRemoveOutputFixUdpChecksum(const char *iface, int port) { - return iptablesOutputFixUdpChecksum(ctx, iface, port, REMOVE); + return iptablesOutputFixUdpChecksum(iface, port, REMOVE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index b7ce59b6d9..447f4a824a 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
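Review bot: In the iptablesOutputFixUdpChecksum hunk the line `portstr[sizeof(portstr) - 1] = '\0';` after `snprintf(portstr, sizeof(portstr), "%d", port);` is redundant, since snprintf always NUL-terminates when given a non-zero size; it reads as if a bounded copy were being patched up and can be dropped while the surrounding lines are being touched. The return value of snprintf is also unchecked, so a port value wider than portstr would be silently truncated; the caller presumably passes a valid port, but `if (snprintf(...) >= (int)sizeof(portstr)) return -1;` would make that explicit. This function's signature is in the preceding hunk and its body continues outside this one.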
@@ -26,102 +26,77 @@ # include "virsocketaddr.h" -typedef struct _iptablesContext iptablesContext; - -iptablesContext *iptablesContextNew (void); -void iptablesContextFree (iptablesContext *ctx); - -int iptablesAddTcpInput (iptablesContext *ctx, - int family, +int iptablesAddTcpInput (int family, const char *iface, int port); -int iptablesRemoveTcpInput (iptablesContext *ctx, - int family, +int iptablesRemoveTcpInput (int family, const char *iface, int port); -int iptablesAddUdpInput (iptablesContext *ctx, - int family, +int iptablesAddUdpInput (int family, const char *iface, int port); -int iptablesRemoveUdpInput (iptablesContext *ctx, - int family, +int iptablesRemoveUdpInput (int family, const char *iface, int port); -int iptablesAddForwardAllowOut (iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesAddForwardAllowOut (virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev); -int iptablesRemoveForwardAllowOut (iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesRemoveForwardAllowOut (virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev); -int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev); -int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev); -int iptablesAddForwardAllowIn (iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesAddForwardAllowIn (virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev); -int iptablesRemoveForwardAllowIn (iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesRemoveForwardAllowIn (virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev); -int iptablesAddForwardAllowCross 
(iptablesContext *ctx, - int family, +int iptablesAddForwardAllowCross (int family, const char *iface); -int iptablesRemoveForwardAllowCross (iptablesContext *ctx, - int family, +int iptablesRemoveForwardAllowCross (int family, const char *iface); -int iptablesAddForwardRejectOut (iptablesContext *ctx, - int family, +int iptablesAddForwardRejectOut (int family, const char *iface); -int iptablesRemoveForwardRejectOut (iptablesContext *ctx, - int family, +int iptablesRemoveForwardRejectOut (int family, const char *iface); -int iptablesAddForwardRejectIn (iptablesContext *ctx, - int family, +int iptablesAddForwardRejectIn (int family, const char *iface); -int iptablesRemoveForwardRejectIn (iptablesContext *ctx, - int family, +int iptablesRemoveForwardRejectIn (int family, const char *iface); -int iptablesAddForwardMasquerade (iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesAddForwardMasquerade (virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, const char *protocol); -int iptablesRemoveForwardMasquerade (iptablesContext *ctx, - virSocketAddr *netaddr, +int iptablesRemoveForwardMasquerade (virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, const char *protocol); -int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx, - const char *iface, +int iptablesAddOutputFixUdpChecksum (const char *iface, int port); -int iptablesRemoveOutputFixUdpChecksum (iptablesContext *ctx, - const char *iface, +int iptablesRemoveOutputFixUdpChecksum (const char *iface, int port); #endif /* __QEMUD_IPTABLES_H__ */