network: eliminate code that uses default iptables chains
The network driver has put all its rules into private chains (created
by libvirt) since commit 7431b3eb9a
, which was included in
libvirt-5.1.0. When the conversion was made, code was included that
would attempt to delete existing rules in the default chains, to make
it possible to upgrade libvirt without restarting the host OS.
Almost 3 years have passed, and it is doubtful that anyone will be
attempting to upgrade directly from a pre-5.1.0 libvirt to something
as new as 8.0.0 (possibly with the exception of upgrading the entire
OS to a new release, which would include also rebooting), so it is now
safe to remove this code.
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
d9fdc65a51
commit
b449603192
@ -2501,7 +2501,6 @@ iptablesRemoveTcpInput;
|
|||||||
iptablesRemoveTcpOutput;
|
iptablesRemoveTcpOutput;
|
||||||
iptablesRemoveUdpInput;
|
iptablesRemoveUdpInput;
|
||||||
iptablesRemoveUdpOutput;
|
iptablesRemoveUdpOutput;
|
||||||
iptablesSetDeletePrivate;
|
|
||||||
iptablesSetupPrivateChains;
|
iptablesSetupPrivateChains;
|
||||||
|
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ VIR_LOG_INIT("network.bridge_driver_linux");
|
|||||||
|
|
||||||
static virOnceControl createdOnce;
|
static virOnceControl createdOnce;
|
||||||
static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */
|
static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */
|
||||||
static bool createdChains; /* true iff networkSetupPrivateChains created chains during most recent call */
|
|
||||||
static virErrorPtr errInitV4;
|
static virErrorPtr errInitV4;
|
||||||
static virErrorPtr errInitV6;
|
static virErrorPtr errInitV6;
|
||||||
|
|
||||||
@ -50,7 +50,6 @@ static void networkSetupPrivateChains(void)
|
|||||||
|
|
||||||
VIR_DEBUG("Setting up global firewall chains");
|
VIR_DEBUG("Setting up global firewall chains");
|
||||||
|
|
||||||
createdChains = false;
|
|
||||||
virFreeError(errInitV4);
|
virFreeError(errInitV4);
|
||||||
errInitV4 = NULL;
|
errInitV4 = NULL;
|
||||||
virFreeError(errInitV6);
|
virFreeError(errInitV6);
|
||||||
@ -63,12 +62,10 @@ static void networkSetupPrivateChains(void)
|
|||||||
errInitV4 = virSaveLastError();
|
errInitV4 = virSaveLastError();
|
||||||
virResetLastError();
|
virResetLastError();
|
||||||
} else {
|
} else {
|
||||||
if (rc) {
|
if (rc)
|
||||||
VIR_DEBUG("Created global IPv4 chains");
|
VIR_DEBUG("Created global IPv4 chains");
|
||||||
createdChains = true;
|
else
|
||||||
} else {
|
|
||||||
VIR_DEBUG("Global IPv4 chains already exist");
|
VIR_DEBUG("Global IPv4 chains already exist");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
|
rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
|
||||||
@ -78,12 +75,10 @@ static void networkSetupPrivateChains(void)
|
|||||||
errInitV6 = virSaveLastError();
|
errInitV6 = virSaveLastError();
|
||||||
virResetLastError();
|
virResetLastError();
|
||||||
} else {
|
} else {
|
||||||
if (rc) {
|
if (rc)
|
||||||
VIR_DEBUG("Created global IPv6 chains");
|
VIR_DEBUG("Created global IPv6 chains");
|
||||||
createdChains = true;
|
else
|
||||||
} else {
|
|
||||||
VIR_DEBUG("Global IPv6 chains already exist");
|
VIR_DEBUG("Global IPv6 chains already exist");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chainInitDone = true;
|
chainInitDone = true;
|
||||||
@ -145,7 +140,7 @@ networkHasRunningNetworksWithFW(virNetworkDriverState *driver)
|
|||||||
|
|
||||||
void
|
void
|
||||||
networkPreReloadFirewallRules(virNetworkDriverState *driver,
|
networkPreReloadFirewallRules(virNetworkDriverState *driver,
|
||||||
bool startup,
|
bool startup G_GNUC_UNUSED,
|
||||||
bool force)
|
bool force)
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
@ -183,31 +178,13 @@ networkPreReloadFirewallRules(virNetworkDriverState *driver,
|
|||||||
}
|
}
|
||||||
|
|
||||||
ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
|
ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
|
||||||
|
|
||||||
/*
|
|
||||||
* If this is initial startup, and we just created the
|
|
||||||
* top level private chains we either
|
|
||||||
*
|
|
||||||
* - upgraded from old libvirt
|
|
||||||
* - freshly booted from clean state
|
|
||||||
*
|
|
||||||
* In the first case we must delete the old rules from
|
|
||||||
* the built-in chains, instead of our new private chains.
|
|
||||||
* In the second case it doesn't matter, since no existing
|
|
||||||
* rules will be present. Thus we can safely just tell it
|
|
||||||
* to always delete from the builin chain
|
|
||||||
*/
|
|
||||||
if (startup && createdChains) {
|
|
||||||
VIR_DEBUG("Requesting cleanup of legacy firewall rules");
|
|
||||||
iptablesSetDeletePrivate(false);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
|
void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
|
||||||
{
|
{
|
||||||
iptablesSetDeletePrivate(true);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
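Review bot: `networkPostReloadFirewallRules` is left as an exported function with an empty body and no comment saying why it still exists, which reads like an accidental leftover rather than a deliberate no-op hook. If its callers (outside this hunk) require the symbol to stay, a one-line body comment such as `/* Nothing to do: all rules live in libvirt-private chains (since 5.1.0). */` would make that explicit; otherwise the function and its declaration could go in the same commit. The same applies to `startup`, which is now `G_GNUC_UNUSED` in both `networkPreReloadFirewallRules` and `networkPostReloadFirewallRules` — presumably the signature is fixed by a callback table elsewhere, so a short comment on the prototype noting that the parameter is kept for the driver interface would help the next reader. Note also that once the legacy-cleanup branch is gone, any rules a pre-5.1.0 libvirt left in the built-in chains persist until the host is rebooted or cleaned manually; that is the trade-off the commit message accepts, and it is worth a line in the release notes.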
@ -47,8 +47,6 @@ enum {
|
|||||||
REMOVE
|
REMOVE
|
||||||
};
|
};
|
||||||
|
|
||||||
static bool deletePrivate = true;
|
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
const char *parent;
|
const char *parent;
|
||||||
const char *child;
|
const char *child;
|
||||||
@ -162,17 +160,9 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
void
|
|
||||||
iptablesSetDeletePrivate(bool pvt)
|
|
||||||
{
|
|
||||||
deletePrivate = pvt;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
iptablesInput(virFirewall *fw,
|
iptablesInput(virFirewall *fw,
|
||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
bool pvt,
|
|
||||||
const char *iface,
|
const char *iface,
|
||||||
int port,
|
int port,
|
||||||
int action,
|
int action,
|
||||||
@ -186,7 +176,7 @@ iptablesInput(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_INP" : "INPUT",
|
"LIBVIRT_INP",
|
||||||
"--in-interface", iface,
|
"--in-interface", iface,
|
||||||
"--protocol", tcp ? "tcp" : "udp",
|
"--protocol", tcp ? "tcp" : "udp",
|
||||||
"--destination-port", portstr,
|
"--destination-port", portstr,
|
||||||
@ -197,7 +187,6 @@ iptablesInput(virFirewall *fw,
|
|||||||
static void
|
static void
|
||||||
iptablesOutput(virFirewall *fw,
|
iptablesOutput(virFirewall *fw,
|
||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
bool pvt,
|
|
||||||
const char *iface,
|
const char *iface,
|
||||||
int port,
|
int port,
|
||||||
int action,
|
int action,
|
||||||
@ -211,7 +200,7 @@ iptablesOutput(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_OUT" : "OUTPUT",
|
"LIBVIRT_OUT",
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
"--protocol", tcp ? "tcp" : "udp",
|
"--protocol", tcp ? "tcp" : "udp",
|
||||||
"--destination-port", portstr,
|
"--destination-port", portstr,
|
||||||
@ -234,7 +223,7 @@ iptablesAddTcpInput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesInput(fw, layer, true, iface, port, ADD, 1);
|
iptablesInput(fw, layer, iface, port, ADD, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -252,7 +241,7 @@ iptablesRemoveTcpInput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
|
iptablesInput(fw, layer, iface, port, REMOVE, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -270,7 +259,7 @@ iptablesAddUdpInput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesInput(fw, layer, true, iface, port, ADD, 0);
|
iptablesInput(fw, layer, iface, port, ADD, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -288,7 +277,7 @@ iptablesRemoveUdpInput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
|
iptablesInput(fw, layer, iface, port, REMOVE, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -306,7 +295,7 @@ iptablesAddTcpOutput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesOutput(fw, layer, true, iface, port, ADD, 1);
|
iptablesOutput(fw, layer, iface, port, ADD, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -324,7 +313,7 @@ iptablesRemoveTcpOutput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
|
iptablesOutput(fw, layer, iface, port, REMOVE, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -342,7 +331,7 @@ iptablesAddUdpOutput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesOutput(fw, layer, true, iface, port, ADD, 0);
|
iptablesOutput(fw, layer, iface, port, ADD, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -360,7 +349,7 @@ iptablesRemoveUdpOutput(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
|
iptablesOutput(fw, layer, iface, port, REMOVE, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -400,7 +389,6 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
|
|||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
iptablesForwardAllowOut(virFirewall *fw,
|
iptablesForwardAllowOut(virFirewall *fw,
|
||||||
bool pvt,
|
|
||||||
virSocketAddr *netaddr,
|
virSocketAddr *netaddr,
|
||||||
unsigned int prefix,
|
unsigned int prefix,
|
||||||
const char *iface,
|
const char *iface,
|
||||||
@ -418,7 +406,7 @@ iptablesForwardAllowOut(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWO" : "FORWARD",
|
"LIBVIRT_FWO",
|
||||||
"--source", networkstr,
|
"--source", networkstr,
|
||||||
"--in-interface", iface,
|
"--in-interface", iface,
|
||||||
"--out-interface", physdev,
|
"--out-interface", physdev,
|
||||||
@ -428,7 +416,7 @@ iptablesForwardAllowOut(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWO" : "FORWARD",
|
"LIBVIRT_FWO",
|
||||||
"--source", networkstr,
|
"--source", networkstr,
|
||||||
"--in-interface", iface,
|
"--in-interface", iface,
|
||||||
"--jump", "ACCEPT",
|
"--jump", "ACCEPT",
|
||||||
@ -457,7 +445,7 @@ iptablesAddForwardAllowOut(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
const char *physdev)
|
const char *physdev)
|
||||||
{
|
{
|
||||||
return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD);
|
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -480,7 +468,7 @@ iptablesRemoveForwardAllowOut(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
const char *physdev)
|
const char *physdev)
|
||||||
{
|
{
|
||||||
return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
|
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -489,7 +477,6 @@ iptablesRemoveForwardAllowOut(virFirewall *fw,
|
|||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
iptablesForwardAllowRelatedIn(virFirewall *fw,
|
iptablesForwardAllowRelatedIn(virFirewall *fw,
|
||||||
bool pvt,
|
|
||||||
virSocketAddr *netaddr,
|
virSocketAddr *netaddr,
|
||||||
unsigned int prefix,
|
unsigned int prefix,
|
||||||
const char *iface,
|
const char *iface,
|
||||||
@ -507,7 +494,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWI" : "FORWARD",
|
"LIBVIRT_FWI",
|
||||||
"--destination", networkstr,
|
"--destination", networkstr,
|
||||||
"--in-interface", physdev,
|
"--in-interface", physdev,
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
@ -519,7 +506,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWI" : "FORWARD",
|
"LIBVIRT_FWI",
|
||||||
"--destination", networkstr,
|
"--destination", networkstr,
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
"--match", "conntrack",
|
"--match", "conntrack",
|
||||||
@ -550,7 +537,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
const char *physdev)
|
const char *physdev)
|
||||||
{
|
{
|
||||||
return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev, ADD);
|
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -573,14 +560,13 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
const char *physdev)
|
const char *physdev)
|
||||||
{
|
{
|
||||||
return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
|
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Allow all traffic destined to the bridge, with a valid network address
|
/* Allow all traffic destined to the bridge, with a valid network address
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
iptablesForwardAllowIn(virFirewall *fw,
|
iptablesForwardAllowIn(virFirewall *fw,
|
||||||
bool pvt,
|
|
||||||
virSocketAddr *netaddr,
|
virSocketAddr *netaddr,
|
||||||
unsigned int prefix,
|
unsigned int prefix,
|
||||||
const char *iface,
|
const char *iface,
|
||||||
@ -598,7 +584,7 @@ iptablesForwardAllowIn(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWI" : "FORWARD",
|
"LIBVIRT_FWI",
|
||||||
"--destination", networkstr,
|
"--destination", networkstr,
|
||||||
"--in-interface", physdev,
|
"--in-interface", physdev,
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
@ -608,7 +594,7 @@ iptablesForwardAllowIn(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWI" : "FORWARD",
|
"LIBVIRT_FWI",
|
||||||
"--destination", networkstr,
|
"--destination", networkstr,
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
"--jump", "ACCEPT",
|
"--jump", "ACCEPT",
|
||||||
@ -636,7 +622,7 @@ iptablesAddForwardAllowIn(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
const char *physdev)
|
const char *physdev)
|
||||||
{
|
{
|
||||||
return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD);
|
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -659,20 +645,19 @@ iptablesRemoveForwardAllowIn(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
const char *physdev)
|
const char *physdev)
|
||||||
{
|
{
|
||||||
return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
|
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
iptablesForwardAllowCross(virFirewall *fw,
|
iptablesForwardAllowCross(virFirewall *fw,
|
||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
bool pvt,
|
|
||||||
const char *iface,
|
const char *iface,
|
||||||
int action)
|
int action)
|
||||||
{
|
{
|
||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWX" : "FORWARD",
|
"LIBVIRT_FWX",
|
||||||
"--in-interface", iface,
|
"--in-interface", iface,
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
"--jump", "ACCEPT",
|
"--jump", "ACCEPT",
|
||||||
@ -695,7 +680,7 @@ iptablesAddForwardAllowCross(virFirewall *fw,
|
|||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
const char *iface)
|
const char *iface)
|
||||||
{
|
{
|
||||||
iptablesForwardAllowCross(fw, layer, true, iface, ADD);
|
iptablesForwardAllowCross(fw, layer, iface, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -714,20 +699,19 @@ iptablesRemoveForwardAllowCross(virFirewall *fw,
|
|||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
const char *iface)
|
const char *iface)
|
||||||
{
|
{
|
||||||
iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
|
iptablesForwardAllowCross(fw, layer, iface, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
iptablesForwardRejectOut(virFirewall *fw,
|
iptablesForwardRejectOut(virFirewall *fw,
|
||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
bool pvt,
|
|
||||||
const char *iface,
|
const char *iface,
|
||||||
int action)
|
int action)
|
||||||
{
|
{
|
||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWO" : "FORWARD",
|
"LIBVIRT_FWO",
|
||||||
"--in-interface", iface,
|
"--in-interface", iface,
|
||||||
"--jump", "REJECT",
|
"--jump", "REJECT",
|
||||||
NULL);
|
NULL);
|
||||||
@ -748,7 +732,7 @@ iptablesAddForwardRejectOut(virFirewall *fw,
|
|||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
const char *iface)
|
const char *iface)
|
||||||
{
|
{
|
||||||
iptablesForwardRejectOut(fw, layer, true, iface, ADD);
|
iptablesForwardRejectOut(fw, layer, iface, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -766,21 +750,20 @@ iptablesRemoveForwardRejectOut(virFirewall *fw,
|
|||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
const char *iface)
|
const char *iface)
|
||||||
{
|
{
|
||||||
iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
|
iptablesForwardRejectOut(fw, layer, iface, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
iptablesForwardRejectIn(virFirewall *fw,
|
iptablesForwardRejectIn(virFirewall *fw,
|
||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
bool pvt,
|
|
||||||
const char *iface,
|
const char *iface,
|
||||||
int action)
|
int action)
|
||||||
{
|
{
|
||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "filter",
|
"--table", "filter",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_FWI" : "FORWARD",
|
"LIBVIRT_FWI",
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
"--jump", "REJECT",
|
"--jump", "REJECT",
|
||||||
NULL);
|
NULL);
|
||||||
@ -801,7 +784,7 @@ iptablesAddForwardRejectIn(virFirewall *fw,
|
|||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
const char *iface)
|
const char *iface)
|
||||||
{
|
{
|
||||||
iptablesForwardRejectIn(fw, layer, true, iface, ADD);
|
iptablesForwardRejectIn(fw, layer, iface, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -819,7 +802,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw,
|
|||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
const char *iface)
|
const char *iface)
|
||||||
{
|
{
|
||||||
iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
|
iptablesForwardRejectIn(fw, layer, iface, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -828,7 +811,6 @@ iptablesRemoveForwardRejectIn(virFirewall *fw,
|
|||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
iptablesForwardMasquerade(virFirewall *fw,
|
iptablesForwardMasquerade(virFirewall *fw,
|
||||||
bool pvt,
|
|
||||||
virSocketAddr *netaddr,
|
virSocketAddr *netaddr,
|
||||||
unsigned int prefix,
|
unsigned int prefix,
|
||||||
const char *physdev,
|
const char *physdev,
|
||||||
@ -863,7 +845,7 @@ iptablesForwardMasquerade(virFirewall *fw,
|
|||||||
rule = virFirewallAddRule(fw, layer,
|
rule = virFirewallAddRule(fw, layer,
|
||||||
"--table", "nat",
|
"--table", "nat",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_PRT" : "POSTROUTING",
|
"LIBVIRT_PRT",
|
||||||
"--source", networkstr,
|
"--source", networkstr,
|
||||||
"-p", protocol,
|
"-p", protocol,
|
||||||
"!", "--destination", networkstr,
|
"!", "--destination", networkstr,
|
||||||
@ -872,7 +854,7 @@ iptablesForwardMasquerade(virFirewall *fw,
|
|||||||
rule = virFirewallAddRule(fw, layer,
|
rule = virFirewallAddRule(fw, layer,
|
||||||
"--table", "nat",
|
"--table", "nat",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_PRT" : "POSTROUTING",
|
"LIBVIRT_PRT",
|
||||||
"--source", networkstr,
|
"--source", networkstr,
|
||||||
"!", "--destination", networkstr,
|
"!", "--destination", networkstr,
|
||||||
NULL);
|
NULL);
|
||||||
@ -944,7 +926,7 @@ iptablesAddForwardMasquerade(virFirewall *fw,
|
|||||||
virPortRange *port,
|
virPortRange *port,
|
||||||
const char *protocol)
|
const char *protocol)
|
||||||
{
|
{
|
||||||
return iptablesForwardMasquerade(fw, true, netaddr, prefix,
|
return iptablesForwardMasquerade(fw, netaddr, prefix,
|
||||||
physdev, addr, port, protocol, ADD);
|
physdev, addr, port, protocol, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -970,7 +952,7 @@ iptablesRemoveForwardMasquerade(virFirewall *fw,
|
|||||||
virPortRange *port,
|
virPortRange *port,
|
||||||
const char *protocol)
|
const char *protocol)
|
||||||
{
|
{
|
||||||
return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
|
return iptablesForwardMasquerade(fw, netaddr, prefix,
|
||||||
physdev, addr, port, protocol, REMOVE);
|
physdev, addr, port, protocol, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -980,7 +962,6 @@ iptablesRemoveForwardMasquerade(virFirewall *fw,
|
|||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
iptablesForwardDontMasquerade(virFirewall *fw,
|
iptablesForwardDontMasquerade(virFirewall *fw,
|
||||||
bool pvt,
|
|
||||||
virSocketAddr *netaddr,
|
virSocketAddr *netaddr,
|
||||||
unsigned int prefix,
|
unsigned int prefix,
|
||||||
const char *physdev,
|
const char *physdev,
|
||||||
@ -998,7 +979,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "nat",
|
"--table", "nat",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_PRT" : "POSTROUTING",
|
"LIBVIRT_PRT",
|
||||||
"--out-interface", physdev,
|
"--out-interface", physdev,
|
||||||
"--source", networkstr,
|
"--source", networkstr,
|
||||||
"--destination", destaddr,
|
"--destination", destaddr,
|
||||||
@ -1008,7 +989,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, layer,
|
virFirewallAddRule(fw, layer,
|
||||||
"--table", "nat",
|
"--table", "nat",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_PRT" : "POSTROUTING",
|
"LIBVIRT_PRT",
|
||||||
"--source", networkstr,
|
"--source", networkstr,
|
||||||
"--destination", destaddr,
|
"--destination", destaddr,
|
||||||
"--jump", "RETURN",
|
"--jump", "RETURN",
|
||||||
@ -1038,7 +1019,7 @@ iptablesAddDontMasquerade(virFirewall *fw,
|
|||||||
const char *physdev,
|
const char *physdev,
|
||||||
const char *destaddr)
|
const char *destaddr)
|
||||||
{
|
{
|
||||||
return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
|
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
|
||||||
physdev, destaddr, ADD);
|
physdev, destaddr, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1063,14 +1044,13 @@ iptablesRemoveDontMasquerade(virFirewall *fw,
|
|||||||
const char *physdev,
|
const char *physdev,
|
||||||
const char *destaddr)
|
const char *destaddr)
|
||||||
{
|
{
|
||||||
return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
|
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
|
||||||
physdev, destaddr, REMOVE);
|
physdev, destaddr, REMOVE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
iptablesOutputFixUdpChecksum(virFirewall *fw,
|
iptablesOutputFixUdpChecksum(virFirewall *fw,
|
||||||
bool pvt,
|
|
||||||
const char *iface,
|
const char *iface,
|
||||||
int port,
|
int port,
|
||||||
int action)
|
int action)
|
||||||
@ -1083,7 +1063,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
|
|||||||
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
||||||
"--table", "mangle",
|
"--table", "mangle",
|
||||||
action == ADD ? "--insert" : "--delete",
|
action == ADD ? "--insert" : "--delete",
|
||||||
pvt ? "LIBVIRT_PRT" : "POSTROUTING",
|
"LIBVIRT_PRT",
|
||||||
"--out-interface", iface,
|
"--out-interface", iface,
|
||||||
"--protocol", "udp",
|
"--protocol", "udp",
|
||||||
"--destination-port", portstr,
|
"--destination-port", portstr,
|
||||||
@ -1107,7 +1087,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD);
|
iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1124,5 +1104,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw,
|
|||||||
const char *iface,
|
const char *iface,
|
||||||
int port)
|
int port)
|
||||||
{
|
{
|
||||||
iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
|
iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
|
||||||
}
|
}
|
||||||
|
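Review bot: Dropping the `pvt` parameter turns every `pvt ? "LIBVIRT_XXX" : "BUILTIN"` selector into a bare string literal, so the private chain names ("LIBVIRT_INP", "LIBVIRT_OUT", "LIBVIRT_FWO", "LIBVIRT_FWI", "LIBVIRT_FWX", "LIBVIRT_PRT") are now repeated at more than a dozen call sites in `iptablesInput`, `iptablesOutput`, `iptablesForwardAllowOut`, `iptablesForwardAllowRelatedIn`, `iptablesForwardAllowIn`, `iptablesForwardAllowCross`, `iptablesForwardRejectOut`, `iptablesForwardRejectIn`, `iptablesForwardMasquerade`, `iptablesForwardDontMasquerade` and `iptablesOutputFixUdpChecksum`. Since this is the moment the names become the only option, it would be worth defining each once as a file-scope `#define` or `static const char` and using that symbol both here and in the chain table that `iptablesSetupPrivateChains` creates (that table is outside these hunks), so the name a rule is inserted into cannot drift from the name of the chain that was actually created. A typo in one of these literals would only surface at runtime as an iptables "No chain/target/match by that name" failure. The wrapper functions (`iptablesAdd*`/`iptablesRemove*`) are otherwise mechanical and look correct.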
@ -25,8 +25,6 @@
|
|||||||
|
|
||||||
int iptablesSetupPrivateChains (virFirewallLayer layer);
|
int iptablesSetupPrivateChains (virFirewallLayer layer);
|
||||||
|
|
||||||
void iptablesSetDeletePrivate (bool pvt);
|
|
||||||
|
|
||||||
void iptablesAddTcpInput (virFirewall *fw,
|
void iptablesAddTcpInput (virFirewall *fw,
|
||||||
virFirewallLayer layer,
|
virFirewallLayer layer,
|
||||||
const char *iface,
|
const char *iface,
|
||||||
|