Drop iptablesContext

iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.

This is a first step towards splitting bridge_driver.c
into platform-specific parts.
Roman Bogorodskiy 2013-06-28 00:52:30 -04:00 committed by Laine Stump
parent 87bbf83f99
commit 477a619e1b
4 changed files with 183 additions and 392 deletions

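--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -1417,8 +1417,6 @@ iptablesAddForwardRejectOut;
 iptablesAddOutputFixUdpChecksum;
 iptablesAddTcpInput;
 iptablesAddUdpInput;
-iptablesContextFree;
-iptablesContextNew;
 iptablesRemoveForwardAllowCross;
 iptablesRemoveForwardAllowIn;
 iptablesRemoveForwardAllowOut;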

@ -75,7 +75,6 @@ struct network_driver {
virNetworkObjList networks; virNetworkObjList networks;
iptablesContext *iptables;
char *networkConfigDir; char *networkConfigDir;
char *networkAutostartDir; char *networkAutostartDir;
char *stateDir; char *stateDir;
@ -420,10 +419,6 @@ networkStateInitialize(bool privileged,
} }
} }
if (!(driverState->iptables = iptablesContextNew())) {
goto out_of_memory;
}
/* if this fails now, it will be retried later with dnsmasqCapsRefresh() */ /* if this fails now, it will be retried later with dnsmasqCapsRefresh() */
driverState->dnsmasqCaps = dnsmasqCapsNewFromBinary(DNSMASQ); driverState->dnsmasqCaps = dnsmasqCapsNewFromBinary(DNSMASQ);
@ -531,9 +526,6 @@ networkStateCleanup(void) {
VIR_FREE(driverState->dnsmasqStateDir); VIR_FREE(driverState->dnsmasqStateDir);
VIR_FREE(driverState->radvdStateDir); VIR_FREE(driverState->radvdStateDir);
if (driverState->iptables)
iptablesContextFree(driverState->iptables);
virObjectUnref(driverState->dnsmasqCaps); virObjectUnref(driverState->dnsmasqCaps);
networkDriverUnlock(driverState); networkDriverUnlock(driverState);
@ -1544,8 +1536,7 @@ networkRefreshDaemons(struct network_driver *driver)
} }
static int static int
networkAddMasqueradingIptablesRules(struct network_driver *driver, networkAddMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkObjPtr network,
virNetworkIpDefPtr ipdef) virNetworkIpDefPtr ipdef)
{ {
int prefix = virNetworkIpDefPrefix(ipdef); int prefix = virNetworkIpDefPrefix(ipdef);
@ -1559,8 +1550,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
} }
/* allow forwarding packets from the bridge interface */ /* allow forwarding packets from the bridge interface */
if (iptablesAddForwardAllowOut(driver->iptables, if (iptablesAddForwardAllowOut(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf) < 0) { forwardIf) < 0) {
@ -1573,8 +1563,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* allow forwarding packets to the bridge interface if they are /* allow forwarding packets to the bridge interface if they are
* part of an existing connection * part of an existing connection
*/ */
if (iptablesAddForwardAllowRelatedIn(driver->iptables, if (iptablesAddForwardAllowRelatedIn(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf) < 0) { forwardIf) < 0) {
@ -1608,8 +1597,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
*/ */
/* First the generic masquerade rule for other protocols */ /* First the generic masquerade rule for other protocols */
if (iptablesAddForwardMasquerade(driver->iptables, if (iptablesAddForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
@ -1626,8 +1614,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
} }
/* UDP with a source port restriction */ /* UDP with a source port restriction */
if (iptablesAddForwardMasquerade(driver->iptables, if (iptablesAddForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
@ -1644,8 +1631,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
} }
/* TCP with a source port restriction */ /* TCP with a source port restriction */
if (iptablesAddForwardMasquerade(driver->iptables, if (iptablesAddForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
@ -1664,30 +1650,26 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
return 0; return 0;
masqerr5: masqerr5:
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
&network->def->forward.port, &network->def->forward.port,
"udp"); "udp");
masqerr4: masqerr4:
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
&network->def->forward.port, &network->def->forward.port,
NULL); NULL);
masqerr3: masqerr3:
iptablesRemoveForwardAllowRelatedIn(driver->iptables, iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf); forwardIf);
masqerr2: masqerr2:
iptablesRemoveForwardAllowOut(driver->iptables, iptablesRemoveForwardAllowOut(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf); forwardIf);
@ -1696,43 +1678,37 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
} }
static void static void
networkRemoveMasqueradingIptablesRules(struct network_driver *driver, networkRemoveMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkObjPtr network,
virNetworkIpDefPtr ipdef) virNetworkIpDefPtr ipdef)
{ {
int prefix = virNetworkIpDefPrefix(ipdef); int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0); const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) { if (prefix >= 0) {
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
&network->def->forward.port, &network->def->forward.port,
"tcp"); "tcp");
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
&network->def->forward.port, &network->def->forward.port,
"udp"); "udp");
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(&ipdef->address,
&ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addr, &network->def->forward.addr,
&network->def->forward.port, &network->def->forward.port,
NULL); NULL);
iptablesRemoveForwardAllowRelatedIn(driver->iptables, iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf); forwardIf);
iptablesRemoveForwardAllowOut(driver->iptables, iptablesRemoveForwardAllowOut(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf); forwardIf);
@ -1740,8 +1716,7 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
} }
static int static int
networkAddRoutingIptablesRules(struct network_driver *driver, networkAddRoutingIptablesRules(virNetworkObjPtr network,
virNetworkObjPtr network,
virNetworkIpDefPtr ipdef) virNetworkIpDefPtr ipdef)
{ {
int prefix = virNetworkIpDefPrefix(ipdef); int prefix = virNetworkIpDefPrefix(ipdef);
@ -1755,8 +1730,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
} }
/* allow routing packets from the bridge interface */ /* allow routing packets from the bridge interface */
if (iptablesAddForwardAllowOut(driver->iptables, if (iptablesAddForwardAllowOut(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf) < 0) { forwardIf) < 0) {
@ -1767,8 +1741,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
} }
/* allow routing packets to the bridge interface */ /* allow routing packets to the bridge interface */
if (iptablesAddForwardAllowIn(driver->iptables, if (iptablesAddForwardAllowIn(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf) < 0) { forwardIf) < 0) {
@ -1781,8 +1754,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
return 0; return 0;
routeerr2: routeerr2:
iptablesRemoveForwardAllowOut(driver->iptables, iptablesRemoveForwardAllowOut(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf); forwardIf);
@ -1791,22 +1763,19 @@ routeerr1:
} }
static void static void
networkRemoveRoutingIptablesRules(struct network_driver *driver, networkRemoveRoutingIptablesRules(virNetworkObjPtr network,
virNetworkObjPtr network,
virNetworkIpDefPtr ipdef) virNetworkIpDefPtr ipdef)
{ {
int prefix = virNetworkIpDefPrefix(ipdef); int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0); const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) { if (prefix >= 0) {
iptablesRemoveForwardAllowIn(driver->iptables, iptablesRemoveForwardAllowIn(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf); forwardIf);
iptablesRemoveForwardAllowOut(driver->iptables, iptablesRemoveForwardAllowOut(&ipdef->address,
&ipdef->address,
prefix, prefix,
network->def->bridge, network->def->bridge,
forwardIf); forwardIf);
@ -1819,8 +1788,7 @@ networkRemoveRoutingIptablesRules(struct network_driver *driver,
* If any IPv6 addresses are defined, then add the rules for regular operation. * If any IPv6 addresses are defined, then add the rules for regular operation.
*/ */
static int static int
networkAddGeneralIp6tablesRules(struct network_driver *driver, networkAddGeneralIp6tablesRules(virNetworkObjPtr network)
virNetworkObjPtr network)
{ {
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
@ -1830,16 +1798,14 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */ /* Catch all rules to block forwarding to/from bridges */
if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6, if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) {
network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block outbound traffic from '%s'"), _("failed to add ip6tables rule to block outbound traffic from '%s'"),
network->def->bridge); network->def->bridge);
goto err1; goto err1;
} }
if (iptablesAddForwardRejectIn(driver->iptables, AF_INET6, if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) {
network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block inbound traffic to '%s'"), _("failed to add ip6tables rule to block inbound traffic to '%s'"),
network->def->bridge); network->def->bridge);
@ -1847,8 +1813,7 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
} }
/* Allow traffic between guests on the same bridge */ /* Allow traffic between guests on the same bridge */
if (iptablesAddForwardAllowCross(driver->iptables, AF_INET6, if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) {
network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow cross bridge traffic on '%s'"), _("failed to add ip6tables rule to allow cross bridge traffic on '%s'"),
network->def->bridge); network->def->bridge);
@ -1860,24 +1825,21 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
return 0; return 0;
/* allow DNS over IPv6 */ /* allow DNS over IPv6 */
if (iptablesAddTcpInput(driver->iptables, AF_INET6, if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) {
network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"), _("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge); network->def->bridge);
goto err4; goto err4;
} }
if (iptablesAddUdpInput(driver->iptables, AF_INET6, if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) {
network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"), _("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge); network->def->bridge);
goto err5; goto err5;
} }
if (iptablesAddUdpInput(driver->iptables, AF_INET6, if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) {
network->def->bridge, 547) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DHCP6 requests from '%s'"), _("failed to add ip6tables rule to allow DHCP6 requests from '%s'"),
network->def->bridge); network->def->bridge);
@ -1888,44 +1850,42 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */ /* unwind in reverse order from the point of failure */
err6: err6:
iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53); iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
err5: err5:
iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53); iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
err4: err4:
iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge); iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
err3: err3:
iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge); iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
err2: err2:
iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge); iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
err1: err1:
return -1; return -1;
} }
static void static void
networkRemoveGeneralIp6tablesRules(struct network_driver *driver, networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network)
virNetworkObjPtr network)
{ {
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
!network->def->ipv6nogw) { !network->def->ipv6nogw) {
return; return;
} }
if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) { if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 547); iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547);
iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53); iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53); iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
} }
/* the following rules are there if no IPv6 address has been defined /* the following rules are there if no IPv6 address has been defined
* but network->def->ipv6nogw == true * but network->def->ipv6nogw == true
*/ */
iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge); iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge); iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge); iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
} }
static int static int
networkAddGeneralIptablesRules(struct network_driver *driver, networkAddGeneralIptablesRules(virNetworkObjPtr network)
virNetworkObjPtr network)
{ {
int ii; int ii;
virNetworkIpDefPtr ipv4def; virNetworkIpDefPtr ipv4def;
@ -1941,16 +1901,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow DHCP requests through to dnsmasq */ /* allow DHCP requests through to dnsmasq */
if (iptablesAddTcpInput(driver->iptables, AF_INET, if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) {
network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"), _("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge); network->def->bridge);
goto err1; goto err1;
} }
if (iptablesAddUdpInput(driver->iptables, AF_INET, if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) {
network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"), _("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge); network->def->bridge);
@ -1964,24 +1922,21 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
*/ */
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) && if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) &&
(iptablesAddOutputFixUdpChecksum(driver->iptables, (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) {
network->def->bridge, 68) < 0)) {
VIR_WARN("Could not add rule to fixup DHCP response checksums " VIR_WARN("Could not add rule to fixup DHCP response checksums "
"on network '%s'.", network->def->name); "on network '%s'.", network->def->name);
VIR_WARN("May need to update iptables package & kernel to support CHECKSUM rule."); VIR_WARN("May need to update iptables package & kernel to support CHECKSUM rule.");
} }
/* allow DNS requests through to dnsmasq */ /* allow DNS requests through to dnsmasq */
if (iptablesAddTcpInput(driver->iptables, AF_INET, if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) {
network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"), _("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge); network->def->bridge);
goto err3; goto err3;
} }
if (iptablesAddUdpInput(driver->iptables, AF_INET, if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) {
network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"), _("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge); network->def->bridge);
@ -1990,8 +1945,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow TFTP requests through to dnsmasq if necessary */ /* allow TFTP requests through to dnsmasq if necessary */
if (ipv4def && ipv4def->tftproot && if (ipv4def && ipv4def->tftproot &&
iptablesAddUdpInput(driver->iptables, AF_INET, iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) {
network->def->bridge, 69) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow TFTP requests from '%s'"), _("failed to add iptables rule to allow TFTP requests from '%s'"),
network->def->bridge); network->def->bridge);
@ -2000,16 +1954,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */ /* Catch all rules to block forwarding to/from bridges */
if (iptablesAddForwardRejectOut(driver->iptables, AF_INET, if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) {
network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block outbound traffic from '%s'"), _("failed to add iptables rule to block outbound traffic from '%s'"),
network->def->bridge); network->def->bridge);
goto err6; goto err6;
} }
if (iptablesAddForwardRejectIn(driver->iptables, AF_INET, if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) {
network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block inbound traffic to '%s'"), _("failed to add iptables rule to block inbound traffic to '%s'"),
network->def->bridge); network->def->bridge);
@ -2017,8 +1969,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
} }
/* Allow traffic between guests on the same bridge */ /* Allow traffic between guests on the same bridge */
if (iptablesAddForwardAllowCross(driver->iptables, AF_INET, if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) {
network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow cross bridge traffic on '%s'"), _("failed to add iptables rule to allow cross bridge traffic on '%s'"),
network->def->bridge); network->def->bridge);
@ -2026,7 +1977,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
} }
/* add IPv6 general rules, if needed */ /* add IPv6 general rules, if needed */
if (networkAddGeneralIp6tablesRules(driver, network) < 0) { if (networkAddGeneralIp6tablesRules(network) < 0) {
goto err9; goto err9;
} }
@ -2034,35 +1985,34 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */ /* unwind in reverse order from the point of failure */
err9: err9:
iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge); iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
err8: err8:
iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge); iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
err7: err7:
iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge); iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
err6: err6:
if (ipv4def && ipv4def->tftproot) { if (ipv4def && ipv4def->tftproot) {
iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69); iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
} }
err5: err5:
iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53); iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
err4: err4:
iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53); iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
err3: err3:
iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67); iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
err2: err2:
iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67); iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
err1: err1:
return -1; return -1;
} }
static void static void
networkRemoveGeneralIptablesRules(struct network_driver *driver, networkRemoveGeneralIptablesRules(virNetworkObjPtr network)
virNetworkObjPtr network)
{ {
int ii; int ii;
virNetworkIpDefPtr ipv4def; virNetworkIpDefPtr ipv4def;
networkRemoveGeneralIp6tablesRules(driver, network); networkRemoveGeneralIp6tablesRules(network);
for (ii = 0; for (ii = 0;
(ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, ii)); (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, ii));
@ -2071,25 +2021,23 @@ networkRemoveGeneralIptablesRules(struct network_driver *driver,
break; break;
} }
iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge); iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge); iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge); iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
if (ipv4def && ipv4def->tftproot) { if (ipv4def && ipv4def->tftproot) {
iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69); iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
} }
iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53); iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53); iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) { if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) {
iptablesRemoveOutputFixUdpChecksum(driver->iptables, iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68);
network->def->bridge, 68);
} }
iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67); iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67); iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
} }
static int static int
networkAddIpSpecificIptablesRules(struct network_driver *driver, networkAddIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkObjPtr network,
virNetworkIpDefPtr ipdef) virNetworkIpDefPtr ipdef)
{ {
/* NB: in the case of IPv6, routing rules are added when the /* NB: in the case of IPv6, routing rules are added when the
@ -2098,48 +2046,46 @@ networkAddIpSpecificIptablesRules(struct network_driver *driver,
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) { if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
return networkAddMasqueradingIptablesRules(driver, network, ipdef); return networkAddMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
return networkAddRoutingIptablesRules(driver, network, ipdef); return networkAddRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
return networkAddRoutingIptablesRules(driver, network, ipdef); return networkAddRoutingIptablesRules(network, ipdef);
} }
return 0; return 0;
} }
static void static void
networkRemoveIpSpecificIptablesRules(struct network_driver *driver, networkRemoveIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkObjPtr network,
virNetworkIpDefPtr ipdef) virNetworkIpDefPtr ipdef)
{ {
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) { if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
networkRemoveMasqueradingIptablesRules(driver, network, ipdef); networkRemoveMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
networkRemoveRoutingIptablesRules(driver, network, ipdef); networkRemoveRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
networkRemoveRoutingIptablesRules(driver, network, ipdef); networkRemoveRoutingIptablesRules(network, ipdef);
} }
} }
/* Add all rules for all ip addresses (and general rules) on a network */ /* Add all rules for all ip addresses (and general rules) on a network */
static int static int
networkAddIptablesRules(struct network_driver *driver, networkAddIptablesRules(virNetworkObjPtr network)
virNetworkObjPtr network)
{ {
int ii; int ii;
virNetworkIpDefPtr ipdef; virNetworkIpDefPtr ipdef;
virErrorPtr orig_error; virErrorPtr orig_error;
/* Add "once per network" rules */ /* Add "once per network" rules */
if (networkAddGeneralIptablesRules(driver, network) < 0) if (networkAddGeneralIptablesRules(network) < 0)
return -1; return -1;
for (ii = 0; for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii)); (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) { ii++) {
/* Add address-specific iptables rules */ /* Add address-specific iptables rules */
if (networkAddIpSpecificIptablesRules(driver, network, ipdef) < 0) { if (networkAddIpSpecificIptablesRules(network, ipdef) < 0) {
goto err; goto err;
} }
} }
@ -2155,9 +2101,9 @@ err:
*/ */
while ((--ii >= 0) && while ((--ii >= 0) &&
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii))) { (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii))) {
networkRemoveIpSpecificIptablesRules(driver, network, ipdef); networkRemoveIpSpecificIptablesRules(network, ipdef);
} }
networkRemoveGeneralIptablesRules(driver, network); networkRemoveGeneralIptablesRules(network);
/* return the original error */ /* return the original error */
virSetError(orig_error); virSetError(orig_error);
@ -2167,8 +2113,7 @@ err:
/* Remove all rules for all ip addresses (and general rules) on a network */ /* Remove all rules for all ip addresses (and general rules) on a network */
static void static void
networkRemoveIptablesRules(struct network_driver *driver, networkRemoveIptablesRules(virNetworkObjPtr network)
virNetworkObjPtr network)
{ {
int ii; int ii;
virNetworkIpDefPtr ipdef; virNetworkIpDefPtr ipdef;
@ -2176,9 +2121,9 @@ networkRemoveIptablesRules(struct network_driver *driver,
for (ii = 0; for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii)); (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) { ii++) {
networkRemoveIpSpecificIptablesRules(driver, network, ipdef); networkRemoveIpSpecificIptablesRules(network, ipdef);
} }
networkRemoveGeneralIptablesRules(driver, network); networkRemoveGeneralIptablesRules(network);
} }
static void static void
@ -2199,8 +2144,8 @@ networkReloadIptablesRules(struct network_driver *driver)
/* Only the three L3 network types that are configured by libvirt /* Only the three L3 network types that are configured by libvirt
* need to have iptables rules reloaded. * need to have iptables rules reloaded.
*/ */
networkRemoveIptablesRules(driver, network); networkRemoveIptablesRules(network);
if (networkAddIptablesRules(driver, network) < 0) { if (networkAddIptablesRules(network) < 0) {
/* failed to add but already logged */ /* failed to add but already logged */
} }
} }
@ -2526,7 +2471,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
goto err1; goto err1;
/* Add "once per network" rules */ /* Add "once per network" rules */
if (networkAddIptablesRules(driver, network) < 0) if (networkAddIptablesRules(network) < 0)
goto err1; goto err1;
for (ii = 0; for (ii = 0;
@ -2619,7 +2564,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
err2: err2:
if (!save_err) if (!save_err)
save_err = virSaveLastError(); save_err = virSaveLastError();
networkRemoveIptablesRules(driver, network); networkRemoveIptablesRules(network);
err1: err1:
if (!save_err) if (!save_err)
@ -2644,7 +2589,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
return -1; return -1;
} }
static int networkShutdownNetworkVirtual(struct network_driver *driver, static int networkShutdownNetworkVirtual(struct network_driver *driver ATTRIBUTE_UNUSED,
virNetworkObjPtr network) virNetworkObjPtr network)
{ {
virNetDevBandwidthClear(network->def->bridge); virNetDevBandwidthClear(network->def->bridge);
@ -2677,7 +2622,7 @@ static int networkShutdownNetworkVirtual(struct network_driver *driver,
ignore_value(virNetDevSetOnline(network->def->bridge, 0)); ignore_value(virNetDevSetOnline(network->def->bridge, 0));
networkRemoveIptablesRules(driver, network); networkRemoveIptablesRules(network);
ignore_value(virNetDevBridgeDelete(network->def->bridge)); ignore_value(virNetDevBridgeDelete(network->def->bridge));
@ -3490,8 +3435,8 @@ networkUpdate(virNetworkPtr net,
network->def->forward.type == VIR_NETWORK_FORWARD_NAT || network->def->forward.type == VIR_NETWORK_FORWARD_NAT ||
network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE)) { network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {
/* these could affect the iptables rules */ /* these could affect the iptables rules */
networkRemoveIptablesRules(driver, network); networkRemoveIptablesRules(network);
if (networkAddIptablesRules(driver, network) < 0) if (networkAddIptablesRules(network) < 0)
goto cleanup; goto cleanup;
} }


@ -88,52 +88,8 @@ enum {
REMOVE REMOVE
}; };
typedef struct
{
char *table;
char *chain;
} iptRules;
struct _iptablesContext
{
iptRules *input_filter;
iptRules *forward_filter;
iptRules *nat_postrouting;
iptRules *mangle_postrouting;
};
static void
iptRulesFree(iptRules *rules)
{
VIR_FREE(rules->table);
VIR_FREE(rules->chain);
VIR_FREE(rules);
}
static iptRules *
iptRulesNew(const char *table,
const char *chain)
{
iptRules *rules;
if (VIR_ALLOC(rules) < 0)
return NULL;
if (VIR_STRDUP(rules->table, table) < 0)
goto error;
if (VIR_STRDUP(rules->chain, chain) < 0)
goto error;
return rules;
error:
iptRulesFree(rules);
return NULL;
}
static virCommandPtr static virCommandPtr
iptablesCommandNew(iptRules *rules, int family, int action) iptablesCommandNew(const char *table, const char *chain, int family, int action)
{ {
virCommandPtr cmd = NULL; virCommandPtr cmd = NULL;
#if HAVE_FIREWALLD #if HAVE_FIREWALLD
@ -150,9 +106,9 @@ iptablesCommandNew(iptRules *rules, int family, int action)
? IP6TABLES_PATH : IPTABLES_PATH); ? IP6TABLES_PATH : IPTABLES_PATH);
} }
virCommandAddArgList(cmd, "--table", rules->table, virCommandAddArgList(cmd, "--table", table,
action == ADD ? "--insert" : "--delete", action == ADD ? "--insert" : "--delete",
rules->chain, NULL); chain, NULL);
return cmd; return cmd;
} }
@ -166,14 +122,14 @@ iptablesCommandRunAndFree(virCommandPtr cmd)
} }
static int ATTRIBUTE_SENTINEL static int ATTRIBUTE_SENTINEL
iptablesAddRemoveRule(iptRules *rules, int family, int action, iptablesAddRemoveRule(const char *table, const char *chain, int family, int action,
const char *arg, ...) const char *arg, ...)
{ {
va_list args; va_list args;
virCommandPtr cmd = NULL; virCommandPtr cmd = NULL;
const char *s; const char *s;
cmd = iptablesCommandNew(rules, family, action); cmd = iptablesCommandNew(table, chain, family, action);
virCommandAddArg(cmd, arg); virCommandAddArg(cmd, arg);
va_start(args, arg); va_start(args, arg);
@ -184,63 +140,8 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
return iptablesCommandRunAndFree(cmd); return iptablesCommandRunAndFree(cmd);
} }
/**
* iptablesContextNew:
*
* Create a new IPtable context
*
* Returns a pointer to the new structure or NULL in case of error
*/
iptablesContext *
iptablesContextNew(void)
{
iptablesContext *ctx;
if (VIR_ALLOC(ctx) < 0)
return NULL;
if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
goto error;
if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD")))
goto error;
if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING")))
goto error;
if (!(ctx->mangle_postrouting = iptRulesNew("mangle", "POSTROUTING")))
goto error;
return ctx;
error:
iptablesContextFree(ctx);
return NULL;
}
/**
* iptablesContextFree:
* @ctx: pointer to the IP table context
*
* Free the resources associated with an IP table context
*/
void
iptablesContextFree(iptablesContext *ctx)
{
if (ctx->input_filter)
iptRulesFree(ctx->input_filter);
if (ctx->forward_filter)
iptRulesFree(ctx->forward_filter);
if (ctx->nat_postrouting)
iptRulesFree(ctx->nat_postrouting);
if (ctx->mangle_postrouting)
iptRulesFree(ctx->mangle_postrouting);
VIR_FREE(ctx);
}
static int static int
iptablesInput(iptablesContext *ctx, iptablesInput(int family,
int family,
const char *iface, const char *iface,
int port, int port,
int action, int action,
@ -251,7 +152,7 @@ iptablesInput(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port); snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0'; portstr[sizeof(portstr) - 1] = '\0';
return iptablesAddRemoveRule(ctx->input_filter, return iptablesAddRemoveRule("filter", "INPUT",
family, family,
action, action,
"--in-interface", iface, "--in-interface", iface,
@ -274,12 +175,11 @@ iptablesInput(iptablesContext *ctx,
*/ */
int int
iptablesAddTcpInput(iptablesContext *ctx, iptablesAddTcpInput(int family,
int family,
const char *iface, const char *iface,
int port) int port)
{ {
return iptablesInput(ctx, family, iface, port, ADD, 1); return iptablesInput(family, iface, port, ADD, 1);
} }
/** /**
@ -294,12 +194,11 @@ iptablesAddTcpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error * Returns 0 in case of success or an error code in case of error
*/ */
int int
iptablesRemoveTcpInput(iptablesContext *ctx, iptablesRemoveTcpInput(int family,
int family,
const char *iface, const char *iface,
int port) int port)
{ {
return iptablesInput(ctx, family, iface, port, REMOVE, 1); return iptablesInput(family, iface, port, REMOVE, 1);
} }
/** /**
@ -315,12 +214,11 @@ iptablesRemoveTcpInput(iptablesContext *ctx,
*/ */
int int
iptablesAddUdpInput(iptablesContext *ctx, iptablesAddUdpInput(int family,
int family,
const char *iface, const char *iface,
int port) int port)
{ {
return iptablesInput(ctx, family, iface, port, ADD, 0); return iptablesInput(family, iface, port, ADD, 0);
} }
/** /**
@ -335,12 +233,11 @@ iptablesAddUdpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error * Returns 0 in case of success or an error code in case of error
*/ */
int int
iptablesRemoveUdpInput(iptablesContext *ctx, iptablesRemoveUdpInput(int family,
int family,
const char *iface, const char *iface,
int port) int port)
{ {
return iptablesInput(ctx, family, iface, port, REMOVE, 0); return iptablesInput(family, iface, port, REMOVE, 0);
} }
@ -381,8 +278,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
* to proceed to WAN * to proceed to WAN
*/ */
static int static int
iptablesForwardAllowOut(iptablesContext *ctx, iptablesForwardAllowOut(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev, const char *physdev,
@ -395,7 +291,7 @@ iptablesForwardAllowOut(iptablesContext *ctx,
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1; return -1;
cmd = iptablesCommandNew(ctx->forward_filter, cmd = iptablesCommandNew("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr), VIR_SOCKET_ADDR_FAMILY(netaddr),
action); action);
virCommandAddArgList(cmd, virCommandAddArgList(cmd,
@ -426,13 +322,12 @@ iptablesForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesAddForwardAllowOut(iptablesContext *ctx, iptablesAddForwardAllowOut(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD); return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD);
} }
/** /**
@ -449,13 +344,12 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesRemoveForwardAllowOut(iptablesContext *ctx, iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE); return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE);
} }
@ -463,8 +357,7 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
* and associated with an existing connection * and associated with an existing connection
*/ */
static int static int
iptablesForwardAllowRelatedIn(iptablesContext *ctx, iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev, const char *physdev,
@ -477,7 +370,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
return -1; return -1;
if (physdev && physdev[0]) { if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter, ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr), VIR_SOCKET_ADDR_FAMILY(netaddr),
action, action,
"--destination", networkstr, "--destination", networkstr,
@ -488,7 +381,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
} else { } else {
ret = iptablesAddRemoveRule(ctx->forward_filter, ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr), VIR_SOCKET_ADDR_FAMILY(netaddr),
action, action,
"--destination", networkstr, "--destination", networkstr,
@ -516,13 +409,12 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD); return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD);
} }
/** /**
@ -539,20 +431,18 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE); return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE);
} }
/* Allow all traffic destined to the bridge, with a valid network address /* Allow all traffic destined to the bridge, with a valid network address
*/ */
static int static int
iptablesForwardAllowIn(iptablesContext *ctx, iptablesForwardAllowIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev, const char *physdev,
@ -565,7 +455,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
return -1; return -1;
if (physdev && physdev[0]) { if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter, ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr), VIR_SOCKET_ADDR_FAMILY(netaddr),
action, action,
"--destination", networkstr, "--destination", networkstr,
@ -574,7 +464,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
} else { } else {
ret = iptablesAddRemoveRule(ctx->forward_filter, ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr), VIR_SOCKET_ADDR_FAMILY(netaddr),
action, action,
"--destination", networkstr, "--destination", networkstr,
@ -600,13 +490,12 @@ iptablesForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesAddForwardAllowIn(iptablesContext *ctx, iptablesAddForwardAllowIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD); return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD);
} }
/** /**
@ -623,13 +512,12 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesRemoveForwardAllowIn(iptablesContext *ctx, iptablesRemoveForwardAllowIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE); return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE);
} }
@ -637,12 +525,11 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx,
* with a valid network address * with a valid network address
*/ */
static int static int
iptablesForwardAllowCross(iptablesContext *ctx, iptablesForwardAllowCross(int family,
int family,
const char *iface, const char *iface,
int action) int action)
{ {
return iptablesAddRemoveRule(ctx->forward_filter, return iptablesAddRemoveRule("filter", "FORWARD",
family, family,
action, action,
"--in-interface", iface, "--in-interface", iface,
@ -663,11 +550,10 @@ iptablesForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesAddForwardAllowCross(iptablesContext *ctx, iptablesAddForwardAllowCross(int family,
int family,
const char *iface) const char *iface)
{ {
return iptablesForwardAllowCross(ctx, family, iface, ADD); return iptablesForwardAllowCross(family, iface, ADD);
} }
/** /**
@ -682,11 +568,10 @@ iptablesAddForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesRemoveForwardAllowCross(iptablesContext *ctx, iptablesRemoveForwardAllowCross(int family,
int family,
const char *iface) const char *iface)
{ {
return iptablesForwardAllowCross(ctx, family, iface, REMOVE); return iptablesForwardAllowCross(family, iface, REMOVE);
} }
@ -694,12 +579,11 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx,
* ie the bridge is the in interface * ie the bridge is the in interface
*/ */
static int static int
iptablesForwardRejectOut(iptablesContext *ctx, iptablesForwardRejectOut(int family,
int family,
const char *iface, const char *iface,
int action) int action)
{ {
return iptablesAddRemoveRule(ctx->forward_filter, return iptablesAddRemoveRule("filter", "FORWARD",
family, family,
action, action,
"--in-interface", iface, "--in-interface", iface,
@ -718,11 +602,10 @@ iptablesForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesAddForwardRejectOut(iptablesContext *ctx, iptablesAddForwardRejectOut(int family,
int family,
const char *iface) const char *iface)
{ {
return iptablesForwardRejectOut(ctx, family, iface, ADD); return iptablesForwardRejectOut(family, iface, ADD);
} }
/** /**
@ -736,11 +619,10 @@ iptablesAddForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesRemoveForwardRejectOut(iptablesContext *ctx, iptablesRemoveForwardRejectOut(int family,
int family,
const char *iface) const char *iface)
{ {
return iptablesForwardRejectOut(ctx, family, iface, REMOVE); return iptablesForwardRejectOut(family, iface, REMOVE);
} }
@ -750,12 +632,11 @@ iptablesRemoveForwardRejectOut(iptablesContext *ctx,
* ie the bridge is the out interface * ie the bridge is the out interface
*/ */
static int static int
iptablesForwardRejectIn(iptablesContext *ctx, iptablesForwardRejectIn(int family,
int family,
const char *iface, const char *iface,
int action) int action)
{ {
return iptablesAddRemoveRule(ctx->forward_filter, return iptablesAddRemoveRule("filter", "FORWARD",
family, family,
action, action,
"--out-interface", iface, "--out-interface", iface,
@ -774,11 +655,10 @@ iptablesForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesAddForwardRejectIn(iptablesContext *ctx, iptablesAddForwardRejectIn(int family,
int family,
const char *iface) const char *iface)
{ {
return iptablesForwardRejectIn(ctx, family, iface, ADD); return iptablesForwardRejectIn(family, iface, ADD);
} }
/** /**
@ -792,11 +672,10 @@ iptablesAddForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesRemoveForwardRejectIn(iptablesContext *ctx, iptablesRemoveForwardRejectIn(int family,
int family,
const char *iface) const char *iface)
{ {
return iptablesForwardRejectIn(ctx, family, iface, REMOVE); return iptablesForwardRejectIn(family, iface, REMOVE);
} }
@ -804,8 +683,7 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
* with the bridge * with the bridge
*/ */
static int static int
iptablesForwardMasquerade(iptablesContext *ctx, iptablesForwardMasquerade(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddrRangePtr addr, virSocketAddrRangePtr addr,
@ -841,7 +719,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
} }
} }
cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action); cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
virCommandAddArgList(cmd, "--source", networkstr, NULL); virCommandAddArgList(cmd, "--source", networkstr, NULL);
if (protocol && protocol[0]) if (protocol && protocol[0])
@ -922,15 +800,14 @@ cleanup:
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesAddForwardMasquerade(iptablesContext *ctx, iptablesAddForwardMasquerade(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddrRangePtr addr, virSocketAddrRangePtr addr,
virPortRangePtr port, virPortRangePtr port,
const char *protocol) const char *protocol)
{ {
return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port, return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, ADD); protocol, ADD);
} }
@ -948,22 +825,20 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise * Returns 0 in case of success or an error code otherwise
*/ */
int int
iptablesRemoveForwardMasquerade(iptablesContext *ctx, iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddrRangePtr addr, virSocketAddrRangePtr addr,
virPortRangePtr port, virPortRangePtr port,
const char *protocol) const char *protocol)
{ {
return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port, return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, REMOVE); protocol, REMOVE);
} }
static int static int
iptablesOutputFixUdpChecksum(iptablesContext *ctx, iptablesOutputFixUdpChecksum(const char *iface,
const char *iface,
int port, int port,
int action) int action)
{ {
@ -972,7 +847,7 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port); snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0'; portstr[sizeof(portstr) - 1] = '\0';
return iptablesAddRemoveRule(ctx->mangle_postrouting, return iptablesAddRemoveRule("mangle", "POSTROUTING",
AF_INET, AF_INET,
action, action,
"--out-interface", iface, "--out-interface", iface,
@ -998,11 +873,10 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
*/ */
int int
iptablesAddOutputFixUdpChecksum(iptablesContext *ctx, iptablesAddOutputFixUdpChecksum(const char *iface,
const char *iface,
int port) int port)
{ {
return iptablesOutputFixUdpChecksum(ctx, iface, port, ADD); return iptablesOutputFixUdpChecksum(iface, port, ADD);
} }
/** /**
@ -1019,9 +893,8 @@ iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
* return an error, which should be ignored) * return an error, which should be ignored)
*/ */
int int
iptablesRemoveOutputFixUdpChecksum(iptablesContext *ctx, iptablesRemoveOutputFixUdpChecksum(const char *iface,
const char *iface,
int port) int port)
{ {
return iptablesOutputFixUdpChecksum(ctx, iface, port, REMOVE); return iptablesOutputFixUdpChecksum(iface, port, REMOVE);
} }
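Review bot: The table and chain names that iptablesContextNew used to define in one place are now spelled out as string literals at every call site in this file ("filter", "FORWARD" alone is repeated in iptablesForwardAllowOut, iptablesForwardAllowRelatedIn, iptablesForwardAllowIn, iptablesForwardAllowCross, iptablesForwardRejectOut and iptablesForwardRejectIn), so a typo in any one copy is no longer a compile-time error but a runtime iptables failure. Because the remove helpers' failures are documented as something callers should ignore (the comment above iptablesRemoveOutputFixUdpChecksum), a mistyped chain on a remove path would leave the rule installed after the network is torn down without any log line pointing at it. A single definition point would keep what the dropped context gave, e.g. `#define VIR_IPT_FILTER_TABLE "filter"` and `#define VIR_IPT_FORWARD_CHAIN "FORWARD"` (and likewise for INPUT, nat/POSTROUTING and mangle/POSTROUTING), used in place of the literals in iptablesCommandNew/iptablesAddRemoveRule callers. Separately, the doc-comment blocks above the public functions are outside these hunks and each hunk changes only the signature lines, so if they still carry an `@ctx: pointer to the IP table context` entry that parameter description is now stale and should be removed.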


@ -26,102 +26,77 @@
# include "virsocketaddr.h" # include "virsocketaddr.h"
typedef struct _iptablesContext iptablesContext; int iptablesAddTcpInput (int family,
iptablesContext *iptablesContextNew (void);
void iptablesContextFree (iptablesContext *ctx);
int iptablesAddTcpInput (iptablesContext *ctx,
int family,
const char *iface, const char *iface,
int port); int port);
int iptablesRemoveTcpInput (iptablesContext *ctx, int iptablesRemoveTcpInput (int family,
int family,
const char *iface, const char *iface,
int port); int port);
int iptablesAddUdpInput (iptablesContext *ctx, int iptablesAddUdpInput (int family,
int family,
const char *iface, const char *iface,
int port); int port);
int iptablesRemoveUdpInput (iptablesContext *ctx, int iptablesRemoveUdpInput (int family,
int family,
const char *iface, const char *iface,
int port); int port);
int iptablesAddForwardAllowOut (iptablesContext *ctx, int iptablesAddForwardAllowOut (virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesRemoveForwardAllowOut (iptablesContext *ctx, int iptablesRemoveForwardAllowOut (virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, int iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, int iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesAddForwardAllowIn (iptablesContext *ctx, int iptablesAddForwardAllowIn (virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesRemoveForwardAllowIn (iptablesContext *ctx, int iptablesRemoveForwardAllowIn (virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesAddForwardAllowCross (iptablesContext *ctx, int iptablesAddForwardAllowCross (int family,
int family,
const char *iface); const char *iface);
int iptablesRemoveForwardAllowCross (iptablesContext *ctx, int iptablesRemoveForwardAllowCross (int family,
int family,
const char *iface); const char *iface);
int iptablesAddForwardRejectOut (iptablesContext *ctx, int iptablesAddForwardRejectOut (int family,
int family,
const char *iface); const char *iface);
int iptablesRemoveForwardRejectOut (iptablesContext *ctx, int iptablesRemoveForwardRejectOut (int family,
int family,
const char *iface); const char *iface);
int iptablesAddForwardRejectIn (iptablesContext *ctx, int iptablesAddForwardRejectIn (int family,
int family,
const char *iface); const char *iface);
int iptablesRemoveForwardRejectIn (iptablesContext *ctx, int iptablesRemoveForwardRejectIn (int family,
int family,
const char *iface); const char *iface);
int iptablesAddForwardMasquerade (iptablesContext *ctx, int iptablesAddForwardMasquerade (virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddrRangePtr addr, virSocketAddrRangePtr addr,
virPortRangePtr port, virPortRangePtr port,
const char *protocol); const char *protocol);
int iptablesRemoveForwardMasquerade (iptablesContext *ctx, int iptablesRemoveForwardMasquerade (virSocketAddr *netaddr,
virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddrRangePtr addr, virSocketAddrRangePtr addr,
virPortRangePtr port, virPortRangePtr port,
const char *protocol); const char *protocol);
int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx, int iptablesAddOutputFixUdpChecksum (const char *iface,
const char *iface,
int port); int port);
int iptablesRemoveOutputFixUdpChecksum (iptablesContext *ctx, int iptablesRemoveOutputFixUdpChecksum (const char *iface,
const char *iface,
int port); int port);
#endif /* __QEMUD_IPTABLES_H__ */ #endif /* __QEMUD_IPTABLES_H__ */