External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-21 20:15:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

util: #define the names used for private packet filter chains

Browse Source 
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Laine Stump 2024-04-19 22:19:42 -04:00
parent b4913820ec
commit 5ac0dc4cef
1 changed files with 29 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
src/network/network_iptables.c
View File

@ -38,6 +38,13 @@ VIR_LOG_INIT("network.iptables");
#define VIR_FROM_THIS VIR_FROM_NONE
#define VIR_IPTABLES_INPUT_CHAIN "LIBVIRT_INP"
#define VIR_IPTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
#define VIR_IPTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
#define VIR_IPTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
enum {
VIR_NETFILTER_INSERT = 0,
VIR_NETFILTER_DELETE
@ -114,14 +121,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
{
g_autoptr(virFirewall) fw = virFirewallNew();
iptablesGlobalChain filter_chains[] = {
{"INPUT", "LIBVIRT_INP"},
{"OUTPUT", "LIBVIRT_OUT"},
{"FORWARD", "LIBVIRT_FWO"},
{"FORWARD", "LIBVIRT_FWI"},
{"FORWARD", "LIBVIRT_FWX"},
{"INPUT", VIR_IPTABLES_INPUT_CHAIN},
{"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN},
{"FORWARD", VIR_IPTABLES_FWD_OUT_CHAIN},
{"FORWARD", VIR_IPTABLES_FWD_IN_CHAIN},
{"FORWARD", VIR_IPTABLES_FWD_X_CHAIN},
};
iptablesGlobalChain natmangle_chains[] = {
{"POSTROUTING", "LIBVIRT_PRT"},
{"POSTROUTING", VIR_IPTABLES_NAT_POSTROUTE_CHAIN},
};
bool changed = false;
iptablesGlobalChainData data[] = {
@ -169,7 +176,7 @@ iptablesInput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_INP",
VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@ -190,7 +197,7 @@ iptablesOutput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_OUT",
VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@ -365,7 +372,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWO",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@ -375,7 +382,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWO",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@ -455,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWI",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@ -467,7 +474,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWI",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@ -547,7 +554,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWI",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@ -557,7 +564,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWI",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@ -622,7 +629,7 @@ iptablesForwardAllowCross(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWX",
VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@ -676,7 +683,7 @@ iptablesForwardRejectOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWO",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@ -728,7 +735,7 @@ iptablesForwardRejectIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_FWI",
VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@ -810,7 +817,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_PRT",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@ -819,7 +826,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_PRT",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@ -946,7 +953,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_PRT",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@ -956,7 +963,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_PRT",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@ -1028,7 +1035,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
"LIBVIRT_PRT",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,