diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index 12a2d4c6ad..f3824ece99 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -40,8 +40,12 @@ VIR_LOG_INIT("network.nftables"); #define VIR_FROM_THIS VIR_FROM_NONE -#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" -#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* The input and output tables aren't currently used */ +# define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" +# define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#endif + #define VIR_NFTABLES_FORWARD_CHAIN "forward" #define VIR_NFTABLES_FWD_IN_CHAIN "guest_input" #define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output" @@ -88,9 +92,14 @@ typedef struct { nftablesGlobalChain nftablesChains[] = { /* chains for filter rules */ + +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* nothing is being added to these chains now, so they are effective NOPs */ {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy accept; }"}, - {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"}, {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy accept; }"}, +#endif + + {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL}, @@ -209,6 +218,11 @@ nftablesSetupPrivateChains(virFirewallLayer layer) } +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* currently these functions aren't used, but they remain in the + * source (uncompiled) as examples of adding specific rules to permit + * input/output of packets. in case the need arises in the future + */ static void nftablesAddInput(virFirewall *fw, virFirewallLayer layer, @@ -315,6 +329,9 @@ nftablesAddUdpOutput(virFirewall *fw, } +#endif + + /** * nftablesAddForwardAllowOut: * @@ -801,6 +818,14 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, break; } +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* These rules copied from the iptables backend, have been removed + * from the nftab because they are redundant since we are using our own + * table that is default accept; there are no other users that + * could add a reject rule that we would need to / be able to + * override with these rules + */ + /* allow DHCP requests through to dnsmasq & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); @@ -818,6 +843,7 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); } +#endif /* Catch all rules to block forwarding to/from bridges */ nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); @@ -849,6 +875,9 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, /* Allow traffic between guests on the same bridge */ nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* see the note above in nftablesAddGeneralIPv4FirewallRules */ + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { /* allow DNS over IPv6 & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); @@ -859,6 +888,7 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); } +#endif } diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables index 8b6e0ba406..298a83d088 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index 03fb7397cd..615bb4e144 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ @@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index 012a3d5d47..27817d8a68 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ @@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index 029274ea06..3ab6286d2c 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index 03fb7397cd..615bb4e144 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ @@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index dd84468ad6..298a83d088 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -3,136 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index c1cc8f05b1..09a32f0949 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \