From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713754601553860.9161786926173; Sun, 21 Apr 2024 19:56:41 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 6C5F41E1E; Sun, 21 Apr 2024 22:56:40 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id ED8FB1E7E; Sun, 21 Apr 2024 22:53:53 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id BECAC1DAD; Sun, 21 Apr 2024 22:53:42 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 012EE1DA7 for ; Sun, 21 Apr 2024 22:53:38 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-345-eXZ6nN6_OD6kLBefGPu9bA-1; Sun, 21 Apr 2024 22:53:36 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 721F18884A3 for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5BE391121306 for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: eXZ6nN6_OD6kLBefGPu9bA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 01/27] util/network: move viriptables.[ch] from util to network directory Date: Sun, 21 Apr 2024 22:53:09 -0400 Message-ID: <20240422025335.923272-2-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: X4DYM5SFVTCDPMFZD2ZBK23QTZGQ3D2U X-Message-ID-Hash: X4DYM5SFVTCDPMFZD2ZBK23QTZGQ3D2U X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713754603616100001 These functions are only ever used by the network driver, and are so specific to the network driver's usage of iptables that they likely won't ever be used elsewhere. The files are renamed to network_iptables.[ch] to be more in line with driver-specific file naming conventions. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- po/POTFILES | 2 +- src/libvirt_private.syms | 31 ------------------- src/network/bridge_driver_linux.c | 2 +- src/network/meson.build | 1 + .../network_iptables.c} | 7 +++-- .../network_iptables.h} | 2 +- src/util/meson.build | 1 - 7 files changed, 8 insertions(+), 38 deletions(-) rename src/{util/viriptables.c =3D> network/network_iptables.c} (99%) rename src/{util/viriptables.h =3D> network/network_iptables.h} (99%) diff --git a/po/POTFILES b/po/POTFILES index 6fbff4bef2..8b89fcf832 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -144,6 +144,7 @@ src/network/bridge_driver.c src/network/bridge_driver_conf.c src/network/bridge_driver_linux.c src/network/leaseshelper.c +src/network/network_iptables.c src/node_device/node_device_driver.c src/node_device/node_device_udev.c src/nwfilter/nwfilter_dhcpsnoop.c @@ -288,7 +289,6 @@ src/util/virhostmem.c src/util/virhostuptime.c src/util/viridentity.c src/util/virinitctl.c -src/util/viriptables.c src/util/viriscsi.c src/util/virjson.c src/util/virlease.c diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 839fe4f545..e4fbb905d4 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2573,37 +2573,6 @@ virIdentitySetX509DName; virInitctlFifos; virInitctlSetRunLevel; =20 - -# util/viriptables.h -iptablesAddDontMasquerade; -iptablesAddForwardAllowCross; -iptablesAddForwardAllowIn; -iptablesAddForwardAllowOut; -iptablesAddForwardAllowRelatedIn; -iptablesAddForwardMasquerade; -iptablesAddForwardRejectIn; -iptablesAddForwardRejectOut; -iptablesAddOutputFixUdpChecksum; -iptablesAddTcpInput; -iptablesAddTcpOutput; -iptablesAddUdpInput; -iptablesAddUdpOutput; -iptablesRemoveDontMasquerade; -iptablesRemoveForwardAllowCross; -iptablesRemoveForwardAllowIn; -iptablesRemoveForwardAllowOut; -iptablesRemoveForwardAllowRelatedIn; -iptablesRemoveForwardMasquerade; -iptablesRemoveForwardRejectIn; -iptablesRemoveForwardRejectOut; -iptablesRemoveOutputFixUdpChecksum; -iptablesRemoveTcpInput; -iptablesRemoveTcpOutput; -iptablesRemoveUdpInput; -iptablesRemoveUdpOutput; -iptablesSetupPrivateChains; - - # util/viriscsi.h virISCSIConnectionLogin; virISCSIConnectionLogout; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index b8893bfed2..fd4bf7b61c 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -22,11 +22,11 @@ #include =20 #include "virfile.h" -#include "viriptables.h" #include "virstring.h" #include "virlog.h" #include "virfirewall.h" #include "virfirewalld.h" +#include "network_iptables.h" =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 diff --git a/src/network/meson.build b/src/network/meson.build index eb171ae779..305e2d52fb 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -2,6 +2,7 @@ network_driver_sources =3D [ 'bridge_driver.c', 'bridge_driver_conf.c', 'bridge_driver_platform.c', + 'network_iptables.c', ] =20 driver_source_files +=3D files(network_driver_sources) diff --git a/src/util/viriptables.c b/src/network/network_iptables.c similarity index 99% rename from src/util/viriptables.c rename to src/network/network_iptables.c index 018021bc1b..bf6e3065f5 100644 --- a/src/util/viriptables.c +++ b/src/network/network_iptables.c @@ -1,5 +1,5 @@ /* - * viriptables.c: helper APIs for managing iptables + * network_iptables.c: helper APIs for managing iptables in network driver * * Copyright (C) 2007-2014 Red Hat, Inc. * @@ -27,13 +27,14 @@ #include =20 #include "internal.h" -#include "viriptables.h" #include "virfirewalld.h" #include "virerror.h" #include "virlog.h" #include "virhash.h" +#include "virenum.h" +#include "network_iptables.h" =20 -VIR_LOG_INIT("util.iptables"); +VIR_LOG_INIT("network.iptables"); =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 diff --git a/src/util/viriptables.h b/src/network/network_iptables.h similarity index 99% rename from src/util/viriptables.h rename to src/network/network_iptables.h index bb13f3292d..bfb6bbe0e7 100644 --- a/src/util/viriptables.h +++ b/src/network/network_iptables.h @@ -1,5 +1,5 @@ /* - * viriptables.h: helper APIs for managing iptables + * network_iptables.h: helper APIs for managing iptables in network driver * * Copyright (C) 2007, 2008 Red Hat, Inc. * diff --git a/src/util/meson.build b/src/util/meson.build index c2175f1098..896c795150 100644 --- a/src/util/meson.build +++ b/src/util/meson.build @@ -46,7 +46,6 @@ util_sources =3D [ 'virhostuptime.c', 'viridentity.c', 'virinitctl.c', - 'viriptables.c', 'viriscsi.c', 'virjson.c', 'virkeycode.c', --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755608215226.38482901512361; Sun, 21 Apr 2024 20:13:28 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 14764188C; Sun, 21 Apr 2024 23:13:27 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 5AE591DBB; Sun, 21 Apr 2024 22:54:49 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id E34B61E36; Sun, 21 Apr 2024 22:53:49 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 1702B1DB0 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-206-kXHkisjeNY6gBYhVjHoUtw-1; Sun, 21 Apr 2024 22:53:36 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A11ED380009B for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7DDF81121306 for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: kXHkisjeNY6gBYhVjHoUtw-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 02/27] network: move all functions manipulating iptables rules into network_iptables.c Date: Sun, 21 Apr 2024 22:53:10 -0400 Message-ID: <20240422025335.923272-3-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: OCGEXNZ35J5YGJIRXEJ6LX2Y5FZKSLKM X-Message-ID-Hash: OCGEXNZ35J5YGJIRXEJ6LX2Y5FZKSLKM X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755610065100001 Although initially we will add exactly the same rules for the nftables backend, the two may (hopefully) soon diverge as we take advantage of nftables features that weren't available in iptables. When we do that, there will need to be a different version of these functions (currently in bridge_driver_linux.c) for each backend: networkAddFirewallRules() networkRemoveFirewallRules() networkSetupPrivateChains() Although it will mean duplicating some amount of code (with just the function names changed) for the nftables backend, this patch moves all of the rule-related code in the above three functions into iptables*() functions in network_iptables.c, and changes the functions in bridge_driver_linux.c to call the iptables*() functions. When we make a different backend, it will only need to make equivalents of those 3 functions publicly available to the upper layer. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/network/bridge_driver_linux.c | 556 +---------------------------- src/network/network_iptables.c | 562 +++++++++++++++++++++++++++++- src/network/network_iptables.h | 7 +- 3 files changed, 574 insertions(+), 551 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index fd4bf7b61c..4914d5c903 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -301,512 +301,10 @@ int networkCheckRouteCollision(virNetworkDef *def) return 0; } =20 -static const char networkLocalMulticastIPv4[] =3D "224.0.0.0/24"; -static const char networkLocalMulticastIPv6[] =3D "ff02::/16"; -static const char networkLocalBroadcast[] =3D "255.255.255.255/32"; =20 -static int -networkAddMasqueradingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix =3D virNetworkIPDefPrefix(ipdef); - const char *forwardIf =3D virNetworkDefForwardIf(def, 0); - bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); - - if (prefix < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Invalid prefix or netmask for '%1$s'"), - def->bridge); - return -1; - } - - /* allow forwarding packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - /* allow forwarding packets to the bridge interface if they are - * part of an existing connection - */ - if (iptablesAddForwardAllowRelatedIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - /* - * Enable masquerading. - * - * We need to end up with 5 rules in the table in this order - * - * 1. do not masquerade packets targeting 224.0.0.0/24 - * 2. do not masquerade packets targeting 255.255.255.255/32 - * 3. masquerade protocol=3Dtcp with sport mapping restriction - * 4. masquerade protocol=3Dudp with sport mapping restriction - * 5. generic, masquerade any protocol - * - * 224.0.0.0/24 is the local network multicast range. Packets are not - * forwarded outside. - * - * 255.255.255.255/32 is the broadcast address of any local network. A= gain, - * such packets are never forwarded, but strict DHCP clients don't acc= ept - * DHCP replies with changed source ports. - * - * The sport mappings are required, because default IPtables - * MASQUERADE maintain port numbers unchanged where possible. - * - * NFS can be configured to only "trust" port numbers < 1023. - * - * Guests using NAT thus need to be prevented from having port - * numbers < 1023, otherwise they can bypass the NFS "security" - * check on the source port number. - * - * Since we use '--insert' to add rules to the header of the - * chain, we actually need to add them in the reverse of the - * order just mentioned ! - */ - - /* First the generic masquerade rule for other protocols */ - if (iptablesAddForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - NULL) < 0) - return -1; - - /* UDP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "udp") < 0) - return -1; - - /* TCP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "tcp") < 0) - return -1; - - /* exempt local network broadcast address as destination */ - if (isIPv4 && - iptablesAddDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - networkLocalBroadcast) < 0) - return -1; - - /* exempt local multicast range as destination */ - if (iptablesAddDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - isIPv4 ? networkLocalMulticastIPv4 : - networkLocalMulticastIPv6) < 0) - return -1; - - return 0; -} - -static int -networkRemoveMasqueradingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix =3D virNetworkIPDefPrefix(ipdef); - const char *forwardIf =3D virNetworkDefForwardIf(def, 0); - bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); - - if (prefix < 0) - return 0; - - if (iptablesRemoveDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - isIPv4 ? networkLocalMulticastIPv4 : - networkLocalMulticastIPv6) < 0) - return -1; - - if (isIPv4 && - iptablesRemoveDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - networkLocalBroadcast) < 0) - return -1; - - if (iptablesRemoveForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "tcp") < 0) - return -1; - - if (iptablesRemoveForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "udp") < 0) - return -1; - - if (iptablesRemoveForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - NULL) < 0) - return -1; - - if (iptablesRemoveForwardAllowRelatedIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - if (iptablesRemoveForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - return 0; -} - - -static int -networkAddRoutingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix =3D virNetworkIPDefPrefix(ipdef); - const char *forwardIf =3D virNetworkDefForwardIf(def, 0); - - if (prefix < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Invalid prefix or netmask for '%1$s'"), - def->bridge); - return -1; - } - - /* allow routing packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - /* allow routing packets to the bridge interface */ - if (iptablesAddForwardAllowIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - return 0; -} - - -static int -networkRemoveRoutingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix =3D virNetworkIPDefPrefix(ipdef); - const char *forwardIf =3D virNetworkDefForwardIf(def, 0); - - if (prefix < 0) - return 0; - - if (iptablesRemoveForwardAllowIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - if (iptablesRemoveForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - return 0; -} - - -static void -networkAddGeneralIPv4FirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ - /* We support dhcp config on 1 IPv4 interface only. */ - for (i =3D 0; - (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) - break; - } - - /* allow DHCP requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - - /* allow DNS requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - - /* allow TFTP requests through to dnsmasq if necessary & back out */ - if (ipv4def && ipv4def->tftproot) { - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - } - - /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - - /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); -} - -static void -networkRemoveGeneralIPv4FirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - for (i =3D 0; - (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) - break; - } - - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->brid= ge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge= ); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridg= e); - - if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 6= 9); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 69); - } - - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); -} - - -/* Add all once/network rules required for IPv6. - * If no IPv6 addresses are defined and is - * specified, then allow IPv6 communications between virtual systems. - * If any IPv6 addresses are defined, then add the rules for regular opera= tion. - */ -static void -networkAddGeneralIPv6FirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && - !def->ipv6nogw) { - return; - } - - /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - - /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - - if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { - /* allow DNS over IPv6 & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - /* allow DHCPv6 & back out */ - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546= ); - } -} - -static void -networkRemoveGeneralIPv6FirewallRules(virFirewall *fw, - virNetworkDef *def) +int +networkAddFirewallRules(virNetworkDef *def) { - if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && - !def->ipv6nogw) { - return; - } - - if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 546); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 47); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); - } - - /* the following rules are there if no IPv6 address has been defined - * but def->ipv6nogw =3D=3D true - */ - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->brid= ge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge= ); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridg= e); -} - - -static void -networkAddGeneralFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - networkAddGeneralIPv4FirewallRules(fw, def); - networkAddGeneralIPv6FirewallRules(fw, def); -} - - -static void -networkRemoveGeneralFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - networkRemoveGeneralIPv4FirewallRules(fw, def); - networkRemoveGeneralIPv6FirewallRules(fw, def); -} - -static void -networkAddChecksumFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ - /* We support dhcp config on 1 IPv4 interface only. */ - for (i =3D 0; - (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts) - break; - } - - /* If we are doing local DHCP service on this network, attempt to - * add a rule that will fixup the checksum of DHCP response - * packets back to the guests (but report failure without - * aborting, since not all iptables implementations support it). - */ - if (ipv4def) - iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68); -} - - -static void -networkRemoveChecksumFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ - /* We support dhcp config on 1 IPv4 interface only. */ - for (i =3D 0; - (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts) - break; - } - - if (ipv4def) - iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68); -} - - -static int -networkAddIPSpecificFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - /* NB: in the case of IPv6, routing rules are added when the - * forward mode is NAT. This is because IPv6 has no NAT. - */ - - if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || - def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) - return networkAddMasqueradingFirewallRules(fw, def, ipdef); - else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - return networkAddRoutingFirewallRules(fw, def, ipdef); - } else if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { - return networkAddRoutingFirewallRules(fw, def, ipdef); - } - return 0; -} - - -static int -networkRemoveIPSpecificFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || - def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) - return networkRemoveMasqueradingFirewallRules(fw, def, ipdef); - else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - return networkRemoveRoutingFirewallRules(fw, def, ipdef); - } else if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { - return networkRemoveRoutingFirewallRules(fw, def, ipdef); - } - return 0; -} - - -/* Add all rules for all ip addresses (and general rules) on a network */ -int networkAddFirewallRules(virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); - if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; =20 @@ -891,52 +389,12 @@ int networkAddFirewallRules(virNetworkDef *def) } } =20 - virFirewallStartTransaction(fw, 0); - - networkAddGeneralFirewallRules(fw, def); - - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkAddIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - - virFirewallStartRollback(fw, 0); - - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - networkRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); - networkAddChecksumFirewallRules(fw, def); - - return virFirewallApply(fw); + return iptablesAddFirewallRules(def); } =20 -/* Remove all rules for all ip addresses (and general rules) on a network = */ -void networkRemoveFirewallRules(virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); - networkRemoveChecksumFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return; - } - networkRemoveGeneralFirewallRules(fw, def); - - virFirewallApply(fw); +void +networkRemoveFirewallRules(virNetworkDef *def) +{ + iptablesRemoveFirewallRules(def); } diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index bf6e3065f5..106e8bfabf 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -1,5 +1,6 @@ /* - * network_iptables.c: helper APIs for managing iptables in network driver + * network_iptables.c: iptables-based firewall implementation for + * virtual networks. * * Copyright (C) 2007-2014 Red Hat, Inc. * @@ -1071,3 +1072,562 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, { iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); } + + +static const char networkLocalMulticastIPv4[] =3D "224.0.0.0/24"; +static const char networkLocalMulticastIPv6[] =3D "ff02::/16"; +static const char networkLocalBroadcast[] =3D "255.255.255.255/32"; + +static int +iptablesAddMasqueradingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix =3D virNetworkIPDefPrefix(ipdef); + const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow forwarding packets from the bridge interface */ + if (iptablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow forwarding packets to the bridge interface if they are + * part of an existing connection + */ + if (iptablesAddForwardAllowRelatedIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* + * Enable masquerading. + * + * We need to end up with 5 rules in the table in this order + * + * 1. do not masquerade packets targeting 224.0.0.0/24 + * 2. do not masquerade packets targeting 255.255.255.255/32 + * 3. masquerade protocol=3Dtcp with sport mapping restriction + * 4. masquerade protocol=3Dudp with sport mapping restriction + * 5. generic, masquerade any protocol + * + * 224.0.0.0/24 is the local network multicast range. Packets are not + * forwarded outside. + * + * 255.255.255.255/32 is the broadcast address of any local network. A= gain, + * such packets are never forwarded, but strict DHCP clients don't acc= ept + * DHCP replies with changed source ports. + * + * The sport mappings are required, because default IPtables + * MASQUERADE maintain port numbers unchanged where possible. + * + * NFS can be configured to only "trust" port numbers < 1023. + * + * Guests using NAT thus need to be prevented from having port + * numbers < 1023, otherwise they can bypass the NFS "security" + * check on the source port number. + * + * Since we use '--insert' to add rules to the header of the + * chain, we actually need to add them in the reverse of the + * order just mentioned ! + */ + + /* First the generic masquerade rule for other protocols */ + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + NULL) < 0) + return -1; + + /* UDP with a source port restriction */ + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "udp") < 0) + return -1; + + /* TCP with a source port restriction */ + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "tcp") < 0) + return -1; + + /* exempt local network broadcast address as destination */ + if (isIPv4 && + iptablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalBroadcast) < 0) + return -1; + + /* exempt local multicast range as destination */ + if (iptablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) + return -1; + + return 0; +} + +static int +iptablesRemoveMasqueradingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix =3D virNetworkIPDefPrefix(ipdef); + const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); + + if (prefix < 0) + return 0; + + if (iptablesRemoveDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) + return -1; + + if (isIPv4 && + iptablesRemoveDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalBroadcast) < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "tcp") < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "udp") < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + NULL) < 0) + return -1; + + if (iptablesRemoveForwardAllowRelatedIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + if (iptablesRemoveForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static int +iptablesAddRoutingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix =3D virNetworkIPDefPrefix(ipdef); + const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow routing packets from the bridge interface */ + if (iptablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow routing packets to the bridge interface */ + if (iptablesAddForwardAllowIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static int +iptablesRemoveRoutingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix =3D virNetworkIPDefPrefix(ipdef); + const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + + if (prefix < 0) + return 0; + + if (iptablesRemoveForwardAllowIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + if (iptablesRemoveForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static void +iptablesAddGeneralIPv4FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i =3D 0; + (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) + break; + } + + /* allow DHCP requests through to dnsmasq & back out */ + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + + /* allow DNS requests through to dnsmasq & back out */ + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + + /* allow TFTP requests through to dnsmasq if necessary & back out */ + if (ipv4def && ipv4def->tftproot) { + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + } + + /* Catch all rules to block forwarding to/from bridges */ + iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + + /* Allow traffic between guests on the same bridge */ + iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); +} + +static void +iptablesRemoveGeneralIPv4FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + for (i =3D 0; + (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) + break; + } + + iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->brid= ge); + iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge= ); + iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridg= e); + + if (ipv4def && ipv4def->tftproot) { + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 6= 9); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 69); + } + + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); +} + + +/* Add all once/network rules required for IPv6. + * If no IPv6 addresses are defined and is + * specified, then allow IPv6 communications between virtual systems. + * If any IPv6 addresses are defined, then add the rules for regular opera= tion. + */ +static void +iptablesAddGeneralIPv6FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && + !def->ipv6nogw) { + return; + } + + /* Catch all rules to block forwarding to/from bridges */ + iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + /* Allow traffic between guests on the same bridge */ + iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { + /* allow DNS over IPv6 & back out */ + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + /* allow DHCPv6 & back out */ + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546= ); + } +} + +static void +iptablesRemoveGeneralIPv6FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && + !def->ipv6nogw) { + return; + } + + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 546); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 47); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); + } + + /* the following rules are there if no IPv6 address has been defined + * but def->ipv6nogw =3D=3D true + */ + iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->brid= ge); + iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge= ); + iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridg= e); +} + + +static void +iptablesAddGeneralFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + iptablesAddGeneralIPv4FirewallRules(fw, def); + iptablesAddGeneralIPv6FirewallRules(fw, def); +} + + +static void +iptablesRemoveGeneralFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + iptablesRemoveGeneralIPv4FirewallRules(fw, def); + iptablesRemoveGeneralIPv6FirewallRules(fw, def); +} + +static void +iptablesAddChecksumFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i =3D 0; + (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts) + break; + } + + /* If we are doing local DHCP service on this network, attempt to + * add a rule that will fixup the checksum of DHCP response + * packets back to the guests (but report failure without + * aborting, since not all iptables implementations support it). + */ + if (ipv4def) + iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68); +} + + +static void +iptablesRemoveChecksumFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i =3D 0; + (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts) + break; + } + + if (ipv4def) + iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68); +} + + +static int +iptablesAddIPSpecificFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + /* NB: in the case of IPv6, routing rules are added when the + * forward mode is NAT. This is because IPv6 has no NAT. + */ + + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) + return iptablesAddMasqueradingFirewallRules(fw, def, ipdef); + else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) + return iptablesAddRoutingFirewallRules(fw, def, ipdef); + } else if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + return iptablesAddRoutingFirewallRules(fw, def, ipdef); + } + return 0; +} + + +static int +iptablesRemoveIPSpecificFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) + return iptablesRemoveMasqueradingFirewallRules(fw, def, ipdef); + else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) + return iptablesRemoveRoutingFirewallRules(fw, def, ipdef); + } else if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + return iptablesRemoveRoutingFirewallRules(fw, def, ipdef); + } + return 0; +} + + +/* Add all rules for all ip addresses (and general rules) on a network */ +int +iptablesAddFirewallRules(virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipdef; + g_autoptr(virFirewall) fw =3D virFirewallNew(); + + virFirewallStartTransaction(fw, 0); + + iptablesAddGeneralFirewallRules(fw, def); + + for (i =3D 0; + (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (iptablesAddIPSpecificFirewallRules(fw, def, ipdef) < 0) + return -1; + } + + virFirewallStartRollback(fw, 0); + + for (i =3D 0; + (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) + return -1; + } + iptablesRemoveGeneralFirewallRules(fw, def); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + iptablesAddChecksumFirewallRules(fw, def); + + return virFirewallApply(fw); +} + +/* Remove all rules for all ip addresses (and general rules) on a network = */ +void +iptablesRemoveFirewallRules(virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipdef; + g_autoptr(virFirewall) fw =3D virFirewallNew(); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + iptablesRemoveChecksumFirewallRules(fw, def); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + + for (i =3D 0; + (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) + return; + } + iptablesRemoveGeneralFirewallRules(fw, def); + + virFirewallApply(fw); +} diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h index bfb6bbe0e7..d3f6b48437 100644 --- a/src/network/network_iptables.h +++ b/src/network/network_iptables.h @@ -22,8 +22,13 @@ =20 #include "virsocketaddr.h" #include "virfirewall.h" +#include "network_conf.h" =20 -int iptablesSetupPrivateChains (virFirewallLayer layer); +int iptablesAddFirewallRules(virNetworkDef *def); + +void iptablesRemoveFirewallRules(virNetworkDef *def); + +int iptablesSetupPrivateChains(virFirewallLayer layer); =20 void iptablesAddTcpInput (virFirewall *fw, virFirewallLayer layer, --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 171375480622423.775984210703086; Sun, 21 Apr 2024 20:00:06 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 34A661EA8; Sun, 21 Apr 2024 23:00:05 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id D9DD61EA0; Sun, 21 Apr 2024 22:54:07 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 4CC451E11; Sun, 21 Apr 2024 22:53:45 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 0B2661DB2 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-206-RhkpixbyPlCvj_T1XG95Hw-1; Sun, 21 Apr 2024 22:53:37 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C1706380009C for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id AAB9A1121306 for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: RhkpixbyPlCvj_T1XG95Hw-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 03/27] network: make all iptables functions used only in network_iptables.c static Date: Sun, 21 Apr 2024 22:53:11 -0400 Message-ID: <20240422025335.923272-4-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: ID2MWKIFISGARXJRWU3H2XA7RCITOBAY X-Message-ID-Hash: ID2MWKIFISGARXJRWU3H2XA7RCITOBAY X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713754808124100001 Now that the toplevel iptables functions have been moved out of the linux bridge driver into network_iptables.c, all of the utility functions are used only within that same file, so simplify it. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/network/network_iptables.c | 52 ++++++------- src/network/network_iptables.h | 130 --------------------------------- 2 files changed, 26 insertions(+), 156 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 106e8bfabf..8d32d30980 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -208,7 +208,7 @@ iptablesOutput(virFirewall *fw, * Add an input to the IP table allowing access to the given @port on * the given @iface interface for TCP packets */ -void +static void iptablesAddTcpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -226,7 +226,7 @@ iptablesAddTcpInput(virFirewall *fw, * Removes an input from the IP table, hence forbidding access to the given * @port on the given @iface interface for TCP packets */ -void +static void iptablesRemoveTcpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -244,7 +244,7 @@ iptablesRemoveTcpInput(virFirewall *fw, * Add an input to the IP table allowing access to the given @port on * the given @iface interface for UDP packets */ -void +static void iptablesAddUdpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -262,7 +262,7 @@ iptablesAddUdpInput(virFirewall *fw, * Removes an input from the IP table, hence forbidding access to the given * @port on the given @iface interface for UDP packets */ -void +static void iptablesRemoveUdpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -280,7 +280,7 @@ iptablesRemoveUdpInput(virFirewall *fw, * Add an output to the IP table allowing access to the given @port from * the given @iface interface for TCP packets */ -void +static void iptablesAddTcpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -298,7 +298,7 @@ iptablesAddTcpOutput(virFirewall *fw, * Removes an output from the IP table, hence forbidding access to the giv= en * @port from the given @iface interface for TCP packets */ -void +static void iptablesRemoveTcpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -316,7 +316,7 @@ iptablesRemoveTcpOutput(virFirewall *fw, * Add an output to the IP table allowing access to the given @port from * the given @iface interface for UDP packets */ -void +static void iptablesAddUdpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -334,7 +334,7 @@ iptablesAddUdpOutput(virFirewall *fw, * Removes an output from the IP table, hence forbidding access to the giv= en * @port from the given @iface interface for UDP packets */ -void +static void iptablesRemoveUdpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -398,7 +398,7 @@ iptablesForwardAllowOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardAllowOut(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -422,7 +422,7 @@ iptablesAddForwardAllowOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardAllowOut(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -492,7 +492,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardAllowRelatedIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -516,7 +516,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -579,7 +579,7 @@ iptablesForwardAllowIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -603,7 +603,7 @@ iptablesAddForwardAllowIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -641,7 +641,7 @@ iptablesForwardAllowCross(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -660,7 +660,7 @@ iptablesAddForwardAllowCross(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -693,7 +693,7 @@ iptablesForwardRejectOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -711,7 +711,7 @@ iptablesAddForwardRejectOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -745,7 +745,7 @@ iptablesForwardRejectIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -763,7 +763,7 @@ iptablesAddForwardRejectIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -883,7 +883,7 @@ iptablesForwardMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -910,7 +910,7 @@ iptablesAddForwardMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -980,7 +980,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise. */ -int +static int iptablesAddDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -1005,7 +1005,7 @@ iptablesAddDontMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise. */ -int +static int iptablesRemoveDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -1048,7 +1048,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, * the given @iface interface for TCP packets. * */ -void +static void iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) @@ -1065,7 +1065,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, * Removes the checksum fixup rule that was previous added with * iptablesAddOutputFixUdpChecksum. */ -void +static void iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h index d3f6b48437..cdc143f154 100644 --- a/src/network/network_iptables.h +++ b/src/network/network_iptables.h @@ -20,7 +20,6 @@ =20 #pragma once =20 -#include "virsocketaddr.h" #include "virfirewall.h" #include "network_conf.h" =20 @@ -29,132 +28,3 @@ int iptablesAddFirewallRules(virNetworkDef *def); void iptablesRemoveFirewallRules(virNetworkDef *def); =20 int iptablesSetupPrivateChains(virFirewallLayer layer); - -void iptablesAddTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void iptablesAddUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void iptablesAddTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesAddUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -int iptablesAddForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netadd= r, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -int iptablesAddForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -void iptablesAddForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void iptablesAddForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void iptablesAddForwardRejectIn (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectIn (virFirewall *fw, - virFirewallLayer layery, - const char *iface); - -int iptablesAddForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -void iptablesAddOutputFixUdpChecksum (virFirewall *fw, - const char *iface, - int port); -void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw, - const char *iface, - int port); --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755096304497.57683706892647; Sun, 21 Apr 2024 20:04:56 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 33BE71F84; Sun, 21 Apr 2024 23:04:55 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 1DCA31E62; Sun, 21 Apr 2024 22:54:24 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 5BC281DA7; Sun, 21 Apr 2024 22:53:46 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id C97E31DC6 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-179-1GHmMw1MNEKmIFNJyVkaHQ-1; Sun, 21 Apr 2024 22:53:37 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E172F1049C9B for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id CB0401121306 for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: 1GHmMw1MNEKmIFNJyVkaHQ-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 04/27] util: #define the names used for private packet filter chains Date: Sun, 21 Apr 2024 22:53:12 -0400 Message-ID: <20240422025335.923272-5-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: L672JXFMTYD3L6XOY4QLUFW3DAAEISYH X-Message-ID-Hash: L672JXFMTYD3L6XOY4QLUFW3DAAEISYH X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755096774100001 Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/network/network_iptables.c | 51 +++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 8d32d30980..45907dd2da 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -39,6 +39,13 @@ VIR_LOG_INIT("network.iptables"); =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 +#define VIR_IPTABLES_INPUT_CHAIN "LIBVIRT_INP" +#define VIR_IPTABLES_OUTPUT_CHAIN "LIBVIRT_OUT" +#define VIR_IPTABLES_FWD_IN_CHAIN "LIBVIRT_FWI" +#define VIR_IPTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO" +#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX" +#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" + enum { VIR_NETFILTER_INSERT =3D 0, VIR_NETFILTER_DELETE @@ -115,14 +122,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer) { g_autoptr(virFirewall) fw =3D virFirewallNew(); iptablesGlobalChain filter_chains[] =3D { - {"INPUT", "LIBVIRT_INP"}, - {"OUTPUT", "LIBVIRT_OUT"}, - {"FORWARD", "LIBVIRT_FWO"}, - {"FORWARD", "LIBVIRT_FWI"}, - {"FORWARD", "LIBVIRT_FWX"}, + {"INPUT", VIR_IPTABLES_INPUT_CHAIN}, + {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN}, + {"FORWARD", VIR_IPTABLES_FWD_OUT_CHAIN}, + {"FORWARD", VIR_IPTABLES_FWD_IN_CHAIN}, + {"FORWARD", VIR_IPTABLES_FWD_X_CHAIN}, }; iptablesGlobalChain natmangle_chains[] =3D { - {"POSTROUTING", "LIBVIRT_PRT"}, + {"POSTROUTING", VIR_IPTABLES_NAT_POSTROUTE_CHAIN}, }; bool changed =3D false; iptablesGlobalChainData data[] =3D { @@ -170,7 +177,7 @@ iptablesInput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - "LIBVIRT_INP", + VIR_IPTABLES_INPUT_CHAIN, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -191,7 +198,7 @@ iptablesOutput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - "LIBVIRT_OUT", + VIR_IPTABLES_OUTPUT_CHAIN, "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -366,7 +373,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_FWO", + VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -376,7 +383,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_FWO", + VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -456,7 +463,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -468,7 +475,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -548,7 +555,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -558,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -623,7 +630,7 @@ iptablesForwardAllowCross(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - "LIBVIRT_FWX", + VIR_IPTABLES_FWD_X_CHAIN, "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -677,7 +684,7 @@ iptablesForwardRejectOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - "LIBVIRT_FWO", + VIR_IPTABLES_FWD_OUT_CHAIN, "--in-interface", iface, "--jump", "REJECT", NULL); @@ -729,7 +736,7 @@ iptablesForwardRejectIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--out-interface", iface, "--jump", "REJECT", NULL); @@ -811,7 +818,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -820,7 +827,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -947,7 +954,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -957,7 +964,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -1029,7 +1036,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 171375596028441.942837112439406; Sun, 21 Apr 2024 20:19:20 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id ECF83216F; Sun, 21 Apr 2024 23:19:18 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id DF0BC1F35; Sun, 21 Apr 2024 22:55:04 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 642751E6D; Sun, 21 Apr 2024 22:53:52 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id A8ADE1DC2 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-416-AbVsHwreMFur8XYUn3lwtA-1; Sun, 21 Apr 2024 22:53:37 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 208453C025B5 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id EF3501121306 for ; Mon, 22 Apr 2024 02:53:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: AbVsHwreMFur8XYUn3lwtA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 05/27] util: change name of virFirewallRule to virFirewallCmd Date: Sun, 21 Apr 2024 22:53:13 -0400 Message-ID: <20240422025335.923272-6-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: MVOGZFW2NFXBIHJGN3CD7SP7WOP4E5H2 X-Message-ID-Hash: MVOGZFW2NFXBIHJGN3CD7SP7WOP4E5H2 X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755962297100001 These objects aren't rules, they are commands that are executed that may create a firewall rule, delete a firewall rule, or simply list the existing firewall rules. It's confusing for the objects to be called "Rule" (especially in the case of the function virFirewallRemoveRule(), which doesn't remove a rule from the firewall, it takes one of the objects out of the list of commands to execute! In order to remove a rule from the host's firewall, you have to Add a "rule" (now "cmd" aka command) to the list that will, when applied/run, remove a rule from the host firewall.) Changing the name to virFirewallCmd makes it all much less confusing. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 16 +- src/network/network_iptables.c | 286 +++---- src/nwfilter/nwfilter_ebiptables_driver.c | 988 +++++++++++----------- src/util/virebtables.c | 32 +- src/util/virfirewall.c | 223 +++-- src/util/virfirewall.h | 54 +- tests/virfirewalltest.c | 404 ++++----- 7 files changed, 1000 insertions(+), 1003 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index e4fbb905d4..a9462197e0 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2402,17 +2402,17 @@ virFileCacheSetPriv; =20 =20 # util/virfirewall.h -virFirewallAddRuleFull; +virFirewallAddCmdFull; virFirewallApply; +virFirewallCmdAddArg; +virFirewallCmdAddArgFormat; +virFirewallCmdAddArgList; +virFirewallCmdAddArgSet; +virFirewallCmdGetArgCount; +virFirewallCmdToString; virFirewallFree; virFirewallNew; -virFirewallRemoveRule; -virFirewallRuleAddArg; -virFirewallRuleAddArgFormat; -virFirewallRuleAddArgList; -virFirewallRuleAddArgSet; -virFirewallRuleGetArgCount; -virFirewallRuleToString; +virFirewallRemoveCmd; virFirewallStartRollback; virFirewallStartTransaction; =20 diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 45907dd2da..31af9e0db6 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -99,18 +99,18 @@ iptablesPrivateChainCreate(virFirewall *fw, for (i =3D 0; i < data->nchains; i++) { const char *from; if (!virHashLookup(chains, data->chains[i].child)) { - virFirewallAddRule(fw, layer, - "--table", data->table, - "--new-chain", data->chains[i].child, NULL); + virFirewallAddCmd(fw, layer, + "--table", data->table, + "--new-chain", data->chains[i].child, NULL); *data->changed =3D true; } =20 from =3D virHashLookup(links, data->chains[i].child); if (!from || STRNEQ(from, data->chains[i].parent)) - virFirewallAddRule(fw, layer, - "--table", data->table, - "--insert", data->chains[i].parent, - "--jump", data->chains[i].child, NULL); + virFirewallAddCmd(fw, layer, + "--table", data->table, + "--insert", data->chains[i].parent, + "--jump", data->chains[i].child, NULL); } =20 return 0; @@ -152,10 +152,10 @@ iptablesSetupPrivateChains(virFirewallLayer layer) virFirewallStartTransaction(fw, 0); =20 for (i =3D 0; i < G_N_ELEMENTS(data); i++) - virFirewallAddRuleFull(fw, data[i].layer, - false, iptablesPrivateChainCreate, - &(data[i]), "--table", data[i].table, - "--list-rules", NULL); + virFirewallAddCmdFull(fw, data[i].layer, + false, iptablesPrivateChainCreate, + &(data[i]), "--table", data[i].table, + "--list-rules", NULL); =20 if (virFirewallApply(fw) < 0) return -1; @@ -174,15 +174,15 @@ iptablesInput(virFirewall *fw, { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_INPUT_CHAIN, - "--in-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_INPUT_CHAIN, + "--in-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } =20 static void @@ -195,15 +195,15 @@ iptablesOutput(virFirewall *fw, { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_OUTPUT_CHAIN, - "--out-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_OUTPUT_CHAIN, + "--out-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } =20 /** @@ -370,24 +370,24 @@ iptablesForwardAllowOut(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--source", networkstr, - "--in-interface", iface, - "--out-interface", physdev, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--source", networkstr, + "--in-interface", iface, + "--out-interface", physdev, + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--source", networkstr, - "--in-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--source", networkstr, + "--in-interface", iface, + "--jump", "ACCEPT", + NULL); =20 return 0; } @@ -460,28 +460,28 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); =20 return 0; } @@ -552,24 +552,24 @@ iptablesForwardAllowIn(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); return 0; } =20 @@ -627,14 +627,14 @@ iptablesForwardAllowCross(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_FWD_X_CHAIN, - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_FWD_X_CHAIN, + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); } =20 /** @@ -681,13 +681,13 @@ iptablesForwardRejectOut(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--in-interface", iface, - "--jump", "REJECT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--in-interface", iface, + "--jump", "REJECT", + NULL); } =20 /** @@ -733,13 +733,13 @@ iptablesForwardRejectIn(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--out-interface", iface, - "--jump", "REJECT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--out-interface", iface, + "--jump", "REJECT", + NULL); } =20 /** @@ -797,7 +797,7 @@ iptablesForwardMasquerade(virFirewall *fw, g_autofree char *addrEndStr =3D NULL; g_autofree char *portRangeStr =3D NULL; g_autofree char *natRangeStr =3D NULL; - virFirewallRule *rule; + virFirewallCmd *fwCmd; int af =3D VIR_SOCKET_ADDR_FAMILY(netaddr); virFirewallLayer layer =3D af =3D=3D AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -815,7 +815,7 @@ iptablesForwardMasquerade(virFirewall *fw, } =20 if (protocol && protocol[0]) { - rule =3D virFirewallAddRule(fw, layer, + fwCmd =3D virFirewallAddCmd(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", VIR_IPTABLES_NAT_POSTROUTE_CHAIN, @@ -824,7 +824,7 @@ iptablesForwardMasquerade(virFirewall *fw, "!", "--destination", networkstr, NULL); } else { - rule =3D virFirewallAddRule(fw, layer, + fwCmd =3D virFirewallAddCmd(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", VIR_IPTABLES_NAT_POSTROUTE_CHAIN, @@ -834,7 +834,7 @@ iptablesForwardMasquerade(virFirewall *fw, } =20 if (physdev && physdev[0]) - virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NU= LL); + virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NU= LL); =20 if (protocol && protocol[0]) { if (port->start =3D=3D 0 && port->end =3D=3D 0) { @@ -862,16 +862,16 @@ iptablesForwardMasquerade(virFirewall *fw, portRangeStr ? portRangeStr : ""= ); } =20 - virFirewallRuleAddArgList(fw, rule, - "--jump", "SNAT", - "--to-source", natRangeStr, NULL); + virFirewallCmdAddArgList(fw, fwCmd, + "--jump", "SNAT", + "--to-source", natRangeStr, NULL); } else { - virFirewallRuleAddArgList(fw, rule, - "--jump", "MASQUERADE", NULL); + virFirewallCmdAddArgList(fw, fwCmd, + "--jump", "MASQUERADE", NULL); =20 if (portRangeStr && portRangeStr[0]) - virFirewallRuleAddArgList(fw, rule, - "--to-ports", &portRangeStr[1], NULL= ); + virFirewallCmdAddArgList(fw, fwCmd, + "--to-ports", &portRangeStr[1], NULL); } =20 return 0; @@ -951,24 +951,24 @@ iptablesForwardDontMasquerade(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--out-interface", physdev, - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "nat", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--out-interface", physdev, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "nat", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); =20 return 0; } @@ -1033,15 +1033,15 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "--table", "mangle", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--out-interface", iface, - "--protocol", "udp", - "--destination-port", portstr, - "--jump", "CHECKSUM", "--checksum-fill", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "mangle", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--out-interface", iface, + "--protocol", "udp", + "--destination-port", portstr, + "--jump", "CHECKSUM", "--checksum-fill", + NULL); } =20 /** diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 56bddb9097..3ef1bb576e 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -334,7 +334,7 @@ printDataTypeAsHex(virNWFilterVarCombIter *vars, =20 static int ebtablesHandleEthHdr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ethHdrDataDef *ethHdr, bool reverse) @@ -348,11 +348,11 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataSrcMACAddr) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - reverse ? "-d" : "-s", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + reverse ? "-d" : "-s", + NULL); if (ENTRY_WANT_NEG_SIGN(ðHdr->dataSrcMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACMask)) { if (printDataType(vars, @@ -360,10 +360,10 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataSrcMACMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", macaddr, macmask); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", macaddr, macmask); } else { - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, macaddr); } } =20 @@ -373,11 +373,11 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataDstMACAddr) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - reverse ? "-s" : "-d", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + reverse ? "-s" : "-d", + NULL); if (ENTRY_WANT_NEG_SIGN(ðHdr->dataDstMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(ðHdr->dataDstMACMask)) { if (printDataType(vars, @@ -385,10 +385,10 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataDstMACMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", macaddr, macmask); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", macaddr, macmask); } else { - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, macaddr); } } =20 @@ -403,38 +403,38 @@ static void iptablesCreateBaseChainsFW(virFirewall *fw, virFirewallLayer layer) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_OUT_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", HOST_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL= ); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NUL= L); - virFirewallAddRule(fw, layer, - "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_IN_POST_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", HOST_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL= ); + virFirewallAddCmd(fw, layer, + "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); } =20 =20 @@ -453,8 +453,8 @@ iptablesCreateTmpRootChainFW(virFirewall *fw, =20 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, layer, - "-N", chain, NULL); + virFirewallAddCmd(fw, layer, + "-N", chain, NULL); } =20 =20 @@ -490,12 +490,12 @@ _iptablesRemoveRootChainFW(virFirewall *fw, =20 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-F", chain, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-X", chain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-F", chain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-X", chain, NULL); } =20 =20 @@ -561,17 +561,17 @@ iptablesLinkTmpRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 if (incoming) - virFirewallAddRule(fw, layer, - "-A", basechain, - MATCH_PHYSDEV_IN_FW, - ifname, - "-g", chain, NULL); + virFirewallAddCmd(fw, layer, + "-A", basechain, + MATCH_PHYSDEV_IN_FW, + ifname, + "-g", chain, NULL); else - virFirewallAddRule(fw, layer, - "-A", basechain, - MATCH_PHYSDEV_OUT_FW, - ifname, - "-g", chain, NULL); + virFirewallAddCmd(fw, layer, + "-A", basechain, + MATCH_PHYSDEV_OUT_FW, + ifname, + "-g", chain, NULL); } =20 =20 @@ -591,15 +591,15 @@ iptablesSetupVirtInPostFW(virFirewall *fw G_GNUC_UNUS= ED, virFirewallLayer layer G_GNUC_UNUSED, const char *ifname G_GNUC_UNUSED) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, layer, - "-A", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, layer, + "-A", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); } =20 =20 @@ -608,11 +608,11 @@ iptablesClearVirtInPostFW(virFirewall *fw, virFirewallLayer layer, const char *ifname) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); } =20 =20 @@ -638,19 +638,19 @@ _iptablesUnlinkRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 if (incoming) - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_IN_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_IN_FW, ifname, + "-g", chain, + NULL); else - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_OUT_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_OUT_FW, ifname, + "-g", chain, + NULL); =20 /* * Previous versions of libvirt may have created a rule @@ -658,12 +658,12 @@ _iptablesUnlinkRootChainFW(virFirewall *fw, * as well. */ if (!incoming) - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_OUT_OLD_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_OUT_OLD_FW, ifname, + "-g", chain, + NULL); } =20 =20 @@ -735,8 +735,8 @@ iptablesRenameTmpRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, layer, - "-E", tmpchain, chain, NULL); + virFirewallAddCmd(fw, layer, + "-E", tmpchain, chain, NULL); } =20 =20 @@ -753,7 +753,7 @@ iptablesRenameTmpRootChainsFW(virFirewall *fw, =20 static int iptablesHandleSrcMacAddr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, nwItemDesc *srcMacAddr, bool directionIn, @@ -774,15 +774,15 @@ iptablesHandleSrcMacAddr(virFirewall *fw, srcMacAddr) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "mac", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "mac", + NULL); if (ENTRY_WANT_NEG_SIGN(srcMacAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--mac-source", - macaddr, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--mac-source", + macaddr, + NULL); } =20 return 0; @@ -791,7 +791,7 @@ iptablesHandleSrcMacAddr(virFirewall *fw, =20 static int iptablesHandleIPHdr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ipHdrDataDef *ipHdr, bool directionIn, @@ -819,8 +819,8 @@ iptablesHandleIPHdr(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, src); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, src); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) { =20 @@ -829,10 +829,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) { if (printDataType(vars, @@ -840,12 +840,12 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPFrom) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "iprange", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "iprange", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, srcrange); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, srcrange); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) { =20 @@ -854,10 +854,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPTo) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s-%s", ipaddr, ipaddralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 @@ -868,8 +868,8 @@ iptablesHandleIPHdr(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dst); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dst); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) { if (printDataType(vars, @@ -877,10 +877,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) { if (printDataType(vars, @@ -888,12 +888,12 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPFrom) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "iprange", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "iprange", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dstrange); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dstrange); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) { if (printDataType(vars, @@ -901,10 +901,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPTo) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s-%s", ipaddr, ipaddralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 @@ -914,14 +914,14 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDSCP) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "dscp", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "dscp", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--dscp", number, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--dscp", number, + NULL); } =20 if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) { @@ -939,7 +939,7 @@ iptablesHandleIPHdr(virFirewall *fw, =20 static int iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ipHdrDataDef *ipHdr, bool directionIn) @@ -955,17 +955,17 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, &ipHdr->dataIPSet) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "set", - "--match-set", str, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "set", + "--match-set", str, + NULL); =20 if (printDataTypeDirection(vars, str, sizeof(str), &ipHdr->dataIPSetFlags, directionIn) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, str); + virFirewallCmdAddArg(fw, fwrule, str); } =20 if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) { @@ -977,24 +977,24 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, =20 /* place connlimit after potential -m state --state ... since this is the most useful order */ - virFirewallRuleAddArgList(fw, fwrule, - "-m", "connlimit", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "connlimit", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--connlimit-above", number, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--connlimit-above", number, + NULL); } } =20 if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) { /* keep comments behind everything else -- they are packet eval. no-ops */ - virFirewallRuleAddArgList(fw, fwrule, - "-m", "comment", - "--comment", ipHdr->dataComment.u.string, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "comment", + "--comment", ipHdr->dataComment.u.string, + NULL); } =20 return 0; @@ -1003,7 +1003,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, =20 static int iptablesHandlePortData(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, portDataDef *portData, bool directionIn) @@ -1024,8 +1024,8 @@ iptablesHandlePortData(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&portData->dataSrcPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, sport); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, sport); =20 if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) { if (printDataType(vars, @@ -1033,10 +1033,10 @@ iptablesHandlePortData(virFirewall *fw, &portData->dataSrcPortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", portstr, portstralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", portstr, portstralt); } else { - virFirewallRuleAddArg(fw, fwrule, portstr); + virFirewallCmdAddArg(fw, fwrule, portstr); } } =20 @@ -1047,8 +1047,8 @@ iptablesHandlePortData(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&portData->dataDstPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dport); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dport); =20 if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) { if (printDataType(vars, @@ -1056,10 +1056,10 @@ iptablesHandlePortData(virFirewall *fw, &portData->dataDstPortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", portstr, portstralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", portstr, portstralt); } else { - virFirewallRuleAddArg(fw, fwrule, portstr); + virFirewallCmdAddArg(fw, fwrule, portstr); } } =20 @@ -1069,18 +1069,18 @@ iptablesHandlePortData(virFirewall *fw, =20 static void iptablesEnforceDirection(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, bool directionIn, virNWFilterRuleDef *rule) { if (rule->tt !=3D VIR_NWFILTER_RULE_DIRECTION_INOUT) - virFirewallRuleAddArgList(fw, fwrule, - "-m", "conntrack", - "--ctdir", - (directionIn ? - "Reply" : - "Original"), - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "conntrack", + "--ctdir", + (directionIn ? + "Reply" : + "Original"), + NULL); } =20 =20 @@ -1123,7 +1123,7 @@ _iptablesCreateRuleInstance(virFirewall *fw, bool skipRule =3D false; bool skipMatch =3D false; bool hasICMPType =3D false; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; size_t fwruleargs; =20 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); @@ -1131,12 +1131,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, switch ((int)rule->prtclType) { case VIR_NWFILTER_RULE_PROTOCOL_TCP: case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "tcp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "tcp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1156,16 +1156,16 @@ _iptablesCreateRuleInstance(virFirewall *fw, g_autofree char *mask =3D NULL; g_autofree char *flags =3D NULL; if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, "--tcp-flags"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "--tcp-flags"); =20 if (!(mask =3D virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.d= ataTCPFlags.u.tcpFlags.mask))) return -1; - virFirewallRuleAddArg(fw, fwrule, mask); + virFirewallCmdAddArg(fw, fwrule, mask); =20 if (!(flags =3D virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.= dataTCPFlags.u.tcpFlags.flags))) return -1; - virFirewallRuleAddArg(fw, fwrule, flags); + virFirewallCmdAddArg(fw, fwrule, flags); } =20 if (iptablesHandlePortData(fw, fwrule, @@ -1181,21 +1181,21 @@ _iptablesCreateRuleInstance(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--tcp-option", number, NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--tcp-option", number, NULL); } =20 break; =20 case VIR_NWFILTER_RULE_PROTOCOL_UDP: case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "udp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "udp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1220,12 +1220,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "udplite", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "udplite", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1245,12 +1245,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ESP: case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "esp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "esp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1270,12 +1270,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_AH: case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "ah", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "ah", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1295,12 +1295,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_SCTP: case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "sctp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "sctp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1325,18 +1325,18 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + NULL); =20 if (rule->prtclType =3D=3D VIR_NWFILTER_RULE_PROTOCOL_ICMP) - virFirewallRuleAddArgList(fw, fwrule, - "-p", "icmp", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "icmp", NULL); else - virFirewallRuleAddArgList(fw, fwrule, - "-p", "icmpv6", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "icmpv6", NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1358,7 +1358,7 @@ _iptablesCreateRuleInstance(virFirewall *fw, hasICMPType =3D true; =20 if (maySkipICMP) { - virFirewallRemoveRule(fw, fwrule); + virFirewallRemoveCmd(fw, fwrule); return 0; } =20 @@ -1373,8 +1373,8 @@ _iptablesCreateRuleInstance(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, parm); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, parm); =20 if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) { if (printDataType(vars, @@ -1382,21 +1382,21 @@ _iptablesCreateRuleInstance(virFirewall *fw, &rule->p.icmpHdrFilter.dataICMPCode) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_IGMP: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "igmp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "igmp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1416,12 +1416,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ALL: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "all", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "all", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1447,9 +1447,9 @@ _iptablesCreateRuleInstance(virFirewall *fw, } =20 if ((srcMacSkipped && - fwruleargs =3D=3D virFirewallRuleGetArgCount(fwrule)) || + fwruleargs =3D=3D virFirewallCmdGetArgCount(fwrule)) || skipRule) { - virFirewallRemoveRule(fw, fwrule); + virFirewallRemoveCmd(fw, fwrule); return 0; } =20 @@ -1461,10 +1461,10 @@ _iptablesCreateRuleInstance(virFirewall *fw, } =20 if (match && !skipMatch) { - virFirewallRuleAddArgList(fw, fwrule, - "-m", "conntrack", - "--ctstate", match, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "conntrack", + "--ctstate", match, + NULL); } =20 if (defMatch && match !=3D NULL && !skipMatch && !hasICMPType) @@ -1478,8 +1478,8 @@ _iptablesCreateRuleInstance(virFirewall *fw, directionIn) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-j", target, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", target, NULL); =20 return 0; } @@ -1752,7 +1752,7 @@ ebtablesCreateRuleInstance(virFirewall *fw, char chain[MAX_CHAINNAME_LENGTH]; const char *target; bool hasMask =3D false; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; =20 if (STREQ(chainSuffix, virNWFilterChainSuffixTypeToString( @@ -1768,10 +1768,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, field, sizeof(field), \ &rule->p.STRUCT.ITEM) < 0) \ return -1; \ - virFirewallRuleAddArg(fw, fwrule, CLI); \ + virFirewallCmdAddArg(fw, fwrule, CLI); \ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \ - virFirewallRuleAddArg(fw, fwrule, "!"); \ - virFirewallRuleAddArg(fw, fwrule, field); \ + virFirewallCmdAddArg(fw, fwrule, "!"); \ + virFirewallCmdAddArg(fw, fwrule, field); \ } =20 #define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \ @@ -1780,18 +1780,18 @@ ebtablesCreateRuleInstance(virFirewall *fw, field, sizeof(field), \ &rule->p.STRUCT.ITEM) < 0) \ return -1; \ - virFirewallRuleAddArg(fw, fwrule, CLI); \ + virFirewallCmdAddArg(fw, fwrule, CLI); \ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \ - virFirewallRuleAddArg(fw, fwrule, "!"); \ + virFirewallCmdAddArg(fw, fwrule, "!"); \ if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \ if (printDataType(vars, \ fieldalt, sizeof(fieldalt), \ &rule->p.STRUCT.ITEM_HI) < 0) \ return -1; \ - virFirewallRuleAddArgFormat(fw, fwrule, \ - "%s%s%s", field, SEP, fieldalt= ); \ + virFirewallCmdAddArgFormat(fw, fwrule, \ + "%s%s%s", field, SEP, fieldalt)= ; \ } else { \ - virFirewallRuleAddArg(fw, fwrule, field); \ + virFirewallCmdAddArg(fw, fwrule, field); \ } \ } #define INST_ITEM_RANGE(S, I, I_HI, C) \ @@ -1801,9 +1801,9 @@ ebtablesCreateRuleInstance(virFirewall *fw, =20 switch ((int)rule->prtclType) { case VIR_NWFILTER_RULE_PROTOCOL_MAC: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", - "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", + "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -1816,16 +1816,16 @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.ethHdrFilter.dataProtocolID) <= 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArg(fw, fwrule, "-p"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_VLAN: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -1833,8 +1833,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-p", "0x8100", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "0x8100", NULL); =20 INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id") INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap") @@ -1852,8 +1852,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, return -1; } =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -1861,8 +1861,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-d", NWFILTER_MAC_BGA, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-d", NWFILTER_MAC_BGA, NULL); =20 INST_ITEM(stpHdrFilter, dataType, "--stp-type") INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags") @@ -1888,8 +1888,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ARP: case VIR_NWFILTER_RULE_PROTOCOL_RARP: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -1897,21 +1897,21 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "-p"); - virFirewallRuleAddArgFormat(fw, fwrule, "0x%x", - (rule->prtclType =3D=3D VIR_NWFILTER_R= ULE_PROTOCOL_ARP) - ? l3_protocols[L3_PROTO_ARP_IDX].attr - : l3_protocols[L3_PROTO_RARP_IDX].attr= ); + virFirewallCmdAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArgFormat(fw, fwrule, "0x%x", + (rule->prtclType =3D=3D VIR_NWFILTER_RU= LE_PROTOCOL_ARP) + ? l3_protocols[L3_PROTO_ARP_IDX].attr + : l3_protocols[L3_PROTO_RARP_IDX].attr); =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) { if (printDataType(vars, number, sizeof(number), &rule->p.arpHdrFilter.dataHWType) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-htype"); + virFirewallCmdAddArg(fw, fwrule, "--arp-htype"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) { @@ -1919,10 +1919,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.arpHdrFilter.dataOpcode) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-opcode"); + virFirewallCmdAddArg(fw, fwrule, "--arp-opcode"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) { @@ -1930,10 +1930,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.arpHdrFilter.dataProtocolType)= < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-ptype"); + virFirewallCmdAddArg(fw, fwrule, "--arp-ptype"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType= )) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) { @@ -1950,12 +1950,12 @@ ebtablesCreateRuleInstance(virFirewall *fw, hasMask =3D true; } =20 - virFirewallRuleAddArg(fw, fwrule, + virFirewallCmdAddArg(fw, fwrule, reverse ? "--arp-ip-dst" : "--arp-ip-src= "); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr= )) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, hasMask ? ipmask = : "32"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask := "32"); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) { @@ -1972,12 +1972,12 @@ ebtablesCreateRuleInstance(virFirewall *fw, hasMask =3D true; } =20 - virFirewallRuleAddArg(fw, fwrule, + virFirewallCmdAddArg(fw, fwrule, reverse ? "--arp-ip-src" : "--arp-ip-dst= "); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr= )) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, hasMask ? ipmask = : "32"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask := "32"); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) { @@ -1986,11 +1986,11 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--arp-mac-dst" : "--arp-mac-s= rc"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--arp-mac-dst" : "--arp-mac-sr= c"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAdd= r)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, macaddr); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) { @@ -1999,24 +1999,24 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.arpHdrFilter.dataARPDstMACAddr) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--arp-mac-src" : "--arp-mac-d= st"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--arp-mac-src" : "--arp-mac-ds= t"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAdd= r)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, macaddr); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) && rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) { if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousAR= P)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, "--arp-gratuitous"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "--arp-gratuitous"); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_IP: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -2024,8 +2024,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-p", "ipv4", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "ipv4", NULL); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) { if (printDataType(vars, @@ -2033,20 +2033,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-destination" : "--ip-sou= rce"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-destination" : "--ip-sour= ce"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAd= dr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask= ) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 @@ -2057,20 +2057,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-source" : "--ip-destinat= ion"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-source" : "--ip-destinati= on"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAd= dr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipHdrFilter.ipHdr.dataDstIPMask= ) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 @@ -2080,10 +2080,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataProtocolID) <= 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "--ip-protocol"); + virFirewallCmdAddArg(fw, fwrule, "--ip-protocol"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtoco= lID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortStart)= ) { @@ -2092,10 +2092,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataSrcPortSta= rt) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-destination-port" : "--i= p-source-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-destination-port" : "--ip= -source-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcP= ortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEn= d)) { if (printDataType(vars, @@ -2103,10 +2103,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataSrcPor= tEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 @@ -2116,10 +2116,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataDstPortSta= rt) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-source-port" : "--ip-des= tination-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-source-port" : "--ip-dest= ination-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstP= ortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEn= d)) { if (printDataType(vars, @@ -2127,10 +2127,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataDstPor= tEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 @@ -2140,16 +2140,16 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataDSCP) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "--ip-tos"); + virFirewallCmdAddArg(fw, fwrule, "--ip-tos"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_IPV6: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -2157,8 +2157,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-p", "ipv6", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "ipv6", NULL); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) { if (printDataType(vars, @@ -2166,20 +2166,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) = < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-destination" : "--ip6-s= ource"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-destination" : "--ip6-so= urce"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIP= Addr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)= ) { if (printDataType(vars, number, sizeof(number), &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMa= sk) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipv6addr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipv6addr); + virFirewallCmdAddArg(fw, fwrule, ipv6addr); } } =20 @@ -2190,20 +2190,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) = < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-source" : "--ip6-destin= ation"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-source" : "--ip6-destina= tion"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIP= Addr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)= ) { if (printDataType(vars, number, sizeof(number), &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMa= sk) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipv6addr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipv6addr); + virFirewallCmdAddArg(fw, fwrule, ipv6addr); } } =20 @@ -2213,10 +2213,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataProtocolID)= < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "--ip6-protocol"); + virFirewallCmdAddArg(fw, fwrule, "--ip6-protocol"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProto= colID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortStar= t)) { @@ -2226,10 +2226,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataSrcPortS= tart) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-destination-port" : "--= ip6-source-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-destination-port" : "--i= p6-source-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSr= cPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPort= End)) { if (printDataType(vars, @@ -2237,10 +2237,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataSrcP= ortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 @@ -2251,10 +2251,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataDstPortS= tart) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-source-port" : "--ip6-d= estination-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-source-port" : "--ip6-de= stination-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDs= tPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPort= End)) { if (printDataType(vars, @@ -2262,10 +2262,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataDstP= ortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 @@ -2277,8 +2277,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; g_autofree char *r =3D NULL; =20 - virFirewallRuleAddArg(fw, fwrule, - "--ip6-icmp-type"); + virFirewallCmdAddArg(fw, fwrule, + "--ip6-icmp-type"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) { if (printDataType(vars, @@ -2335,17 +2335,17 @@ ebtablesCreateRuleInstance(virFirewall *fw, virBufferStrcat(&buf, numberalt, NULL); =20 if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeSta= rt)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 r =3D virBufferContentAndReset(&buf); =20 - virFirewallRuleAddArg(fw, fwrule, r); + virFirewallCmdAddArg(fw, fwrule, r); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_NONE: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); break; =20 default: @@ -2370,8 +2370,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, target =3D virNWFilterJumpTargetTypeToString(rule->action); } =20 - virFirewallRuleAddArgList(fw, fwrule, - "-j", target, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", target, NULL); =20 #undef INST_ITEM_RANGE #undef INST_ITEM_MASK @@ -2461,8 +2461,8 @@ ebtablesCreateTmpRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-N", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-N", chain, NULL); } =20 =20 @@ -2476,11 +2476,11 @@ ebtablesLinkTmpRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", - incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN= _OUTGOING, - incoming ? "-i" : "-o", - ifname, "-j", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", + incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_= OUTGOING, + incoming ? "-i" : "-o", + ifname, "-j", chain, NULL); } =20 =20 @@ -2500,12 +2500,12 @@ _ebtablesRemoveRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-F", chain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-X", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-F", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-X", chain, NULL); } =20 =20 @@ -2543,12 +2543,12 @@ _ebtablesUnlinkRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-D", - incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_C= HAIN_OUTGOING, - incoming ? "-i" : "-o", - ifname, "-j", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-D", + incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CH= AIN_OUTGOING, + incoming ? "-i" : "-o", + ifname, "-j", chain, NULL); } =20 =20 @@ -2577,41 +2577,41 @@ ebtablesCreateTmpSubChainFW(virFirewall *fw, char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; char chainPrefix =3D incoming ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_OUT_TEMP; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; =20 PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); PRINT_CHAIN(chain, chainPrefix, ifname, (filtername) ? filtername : l3_protocols[protoidx].val); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-F", chain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-X", chain, NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-N", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-F", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-X", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-N", chain, NULL); =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", rootchain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", rootchain, NULL); =20 switch ((int)protoidx) { case L2_PROTO_MAC_IDX: break; case L2_PROTO_STP_IDX: - virFirewallRuleAddArgList(fw, fwrule, - "-d", NWFILTER_MAC_BGA, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-d", NWFILTER_MAC_BGA, NULL); break; default: - virFirewallRuleAddArg(fw, fwrule, "-p"); - virFirewallRuleAddArgFormat(fw, fwrule, - "0x%04x", - l3_protocols[protoidx].attr); + virFirewallCmdAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArgFormat(fw, fwrule, + "0x%04x", + l3_protocols[protoidx].attr); break; } =20 - virFirewallRuleAddArgList(fw, fwrule, - "-j", chain, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", chain, NULL); } =20 =20 @@ -2636,16 +2636,16 @@ ebtablesRemoveSubChainsQuery(virFirewall *fw, if (tmp[0] =3D=3D chainprefixes[j] && tmp[1] =3D=3D '-') { VIR_DEBUG("Processing chain '%s'", tmp); - virFirewallAddRuleFull(fw, layer, - false, ebtablesRemoveSubChainsQuery, - (void *)chainprefixes, - "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-F", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-X", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + false, ebtablesRemoveSubChainsQuery, + (void *)chainprefixes, + "-t", "nat", "-L", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-F", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-X", tmp, NULL); } } } @@ -2664,10 +2664,10 @@ _ebtablesRemoveSubChainsFW(virFirewall *fw, =20 for (i =3D 0; chainprefixes[i] !=3D 0; i++) { PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - false, ebtablesRemoveSubChainsQuery, - (void *)chainprefixes, - "-t", "nat", "-L", rootchain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, ebtablesRemoveSubChainsQuery, + (void *)chainprefixes, + "-t", "nat", "-L", rootchain, NULL); } } =20 @@ -2706,8 +2706,8 @@ ebtablesRenameTmpSubChainFW(virFirewall *fw, PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); } =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-E", tmpchain, chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-E", tmpchain, chain, NULL); } =20 static void @@ -2748,18 +2748,18 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewall = *fw, else newchain[0] =3D CHAINPREFIX_HOST_OUT; VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain); - virFirewallAddRuleFull(fw, layer, - false, ebtablesRenameTmpSubAndRootChainsQue= ry, - NULL, - "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-F", newchain, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-X", newchain, NULL); - virFirewallAddRule(fw, layer, - "-t", "nat", "-E", tmp, newchain, NULL); + virFirewallAddCmdFull(fw, layer, + false, ebtablesRenameTmpSubAndRootChainsQuer= y, + NULL, + "-t", "nat", "-L", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-F", newchain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-X", newchain, NULL); + virFirewallAddCmd(fw, layer, + "-t", "nat", "-E", tmp, newchain, NULL); } =20 return 0; @@ -2779,10 +2779,10 @@ ebtablesRenameTmpSubAndRootChainsFW(virFirewall *fw, }; for (i =3D 0; chains[i] !=3D 0; i++) { PRINT_ROOT_CHAIN(rootchain, chains[i], ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - false, ebtablesRenameTmpSubAndRootChainsQue= ry, - NULL, - "-t", "nat", "-L", rootchain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, ebtablesRenameTmpSubAndRootChainsQuer= y, + NULL, + "-t", "nat", "-L", rootchain, NULL); } =20 ebtablesRenameTmpRootChainFW(fw, true, ifname); @@ -2835,21 +2835,21 @@ ebtablesApplyBasicRules(const char *ifname, ebtablesCreateTmpRootChainFW(fw, true, ifname); =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-s", "!", macaddr_str, - "-j", "DROP", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-p", "IPv4", - "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-p", "ARP", - "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-s", "!", macaddr_str, + "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-p", "IPv4", + "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-p", "ARP", + "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-j", "DROP", NULL); =20 ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesRenameTmpRootChainFW(fw, true, ifname); @@ -2908,16 +2908,16 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-s", macaddr_str, - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-sport", "68", "--ip-dport", "67", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-s", macaddr_str, + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-sport", "68", "--ip-dport", "67", + "-j", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-j", "DROP", NULL); =20 num_dhcpsrvrs =3D (dhcpsrvrs !=3D NULL) ? virNWFilterVarValueGetCardinality(dhcpsrvrs) @@ -2936,20 +2936,20 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, */ for (ctr =3D 0; ctr < 2; ctr++) { if (dhcpserver) - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-d", (ctr =3D=3D 0) ? macaddr_str : "f= f:ff:ff:ff:ff:ff", - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-src", dhcpserver, - "--ip-sport", "67", "--ip-dport", "68", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-d", (ctr =3D=3D 0) ? macaddr_str : "ff= :ff:ff:ff:ff:ff", + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-src", dhcpserver, + "--ip-sport", "67", "--ip-dport", "68", + "-j", "ACCEPT", NULL); else - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-d", (ctr =3D=3D 0) ? macaddr_str : "f= f:ff:ff:ff:ff:ff", - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-sport", "67", "--ip-dport", "68", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-d", (ctr =3D=3D 0) ? macaddr_str : "ff= :ff:ff:ff:ff:ff", + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-sport", "67", "--ip-dport", "68", + "-j", "ACCEPT", NULL); } =20 idx++; @@ -2958,9 +2958,9 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, break; } =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-j", "DROP", NULL); =20 ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesLinkTmpRootChainFW(fw, false, ifname); @@ -3008,13 +3008,13 @@ ebtablesApplyDropAllRules(const char *ifname) PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-j", "DROP", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-j", "DROP", NULL); =20 ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesLinkTmpRootChainFW(fw, false, ifname); diff --git a/src/util/virebtables.c b/src/util/virebtables.c index a1f5f7cf1e..cabcbb3e81 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -81,17 +81,17 @@ ebtablesAddForwardPolicyReject(ebtablesContext *ctx) g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "--new-chain", ctx->chain, - NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "--insert", "FORWARD", - "--jump", ctx->chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "--new-chain", ctx->chain, + NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "--insert", "FORWARD", + "--jump", ctx->chain, NULL); =20 virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-P", ctx->chain, "DROP", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-P", ctx->chain, "DROP", + NULL); =20 return virFirewallApply(fw); } @@ -109,13 +109,13 @@ ebtablesForwardAllowIn(ebtablesContext *ctx, g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - action =3D=3D ADD ? "--insert" : "--delete", - ctx->chain, - "--in-interface", iface, - "--source", macaddr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + action =3D=3D ADD ? "--insert" : "--delete", + ctx->chain, + "--in-interface", iface, + "--source", macaddr, + "--jump", "ACCEPT", + NULL); =20 return virFirewallApply(fw); } diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 30e73f603e..902cb8e445 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -45,7 +45,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand, IP6TABLES, ); =20 -struct _virFirewallRule { +struct _virFirewallCmd { virFirewallLayer layer; =20 virFirewallQueryCallback queryCB; @@ -62,10 +62,10 @@ struct _virFirewallGroup { unsigned int rollbackFlags; =20 size_t naction; - virFirewallRule **action; + virFirewallCmd **action; =20 size_t nrollback; - virFirewallRule **rollback; + virFirewallCmd **rollback; =20 bool addingRollback; }; @@ -79,7 +79,7 @@ struct _virFirewall { size_t currentGroup; }; =20 -static virMutex ruleLock =3D VIR_MUTEX_INITIALIZER; +static virMutex fwCmdLock =3D VIR_MUTEX_INITIALIZER; =20 static virFirewallGroup * virFirewallGroupNew(void) @@ -107,17 +107,17 @@ virFirewall *virFirewallNew(void) =20 =20 static void -virFirewallRuleFree(virFirewallRule *rule) +virFirewallCmdFree(virFirewallCmd *fwCmd) { size_t i; =20 - if (!rule) + if (!fwCmd) return; =20 - for (i =3D 0; i < rule->argsLen; i++) - g_free(rule->args[i]); - g_free(rule->args); - g_free(rule); + for (i =3D 0; i < fwCmd->argsLen; i++) + g_free(fwCmd->args[i]); + g_free(fwCmd->args); + g_free(fwCmd); } =20 =20 @@ -130,11 +130,11 @@ virFirewallGroupFree(virFirewallGroup *group) return; =20 for (i =3D 0; i < group->naction; i++) - virFirewallRuleFree(group->action[i]); + virFirewallCmdFree(group->action[i]); g_free(group->action); =20 for (i =3D 0; i < group->nrollback; i++) - virFirewallRuleFree(group->rollback[i]); + virFirewallCmdFree(group->rollback[i]); g_free(group->rollback); =20 g_free(group); @@ -167,9 +167,9 @@ void virFirewallFree(virFirewall *firewall) return; \ } while (0) =20 -#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule)\ +#define VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd)\ do { \ - if (!firewall || firewall->err || !rule) \ + if (!firewall || firewall->err || !fwCmd) \ return; \ } while (0) =20 @@ -179,22 +179,22 @@ void virFirewallFree(virFirewall *firewall) return NULL; \ } while (0) =20 -#define ADD_ARG(rule, str) \ +#define ADD_ARG(fwCmd, str) \ do { \ - VIR_RESIZE_N(rule->args, rule->argsAlloc, rule->argsLen, 1); \ - rule->args[rule->argsLen++] =3D g_strdup(str); \ + VIR_RESIZE_N(fwCmd->args, fwCmd->argsAlloc, fwCmd->argsLen, 1); \ + fwCmd->args[fwCmd->argsLen++] =3D g_strdup(str); \ } while (0) =20 -static virFirewallRule * -virFirewallAddRuleFullV(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - va_list args) +static virFirewallCmd * +virFirewallAddCmdFullV(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + va_list args) { virFirewallGroup *group; - virFirewallRule *rule; + virFirewallCmd *fwCmd; char *str; =20 VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall); @@ -206,43 +206,43 @@ virFirewallAddRuleFullV(virFirewall *firewall, group =3D firewall->groups[firewall->currentGroup]; =20 =20 - rule =3D g_new0(virFirewallRule, 1); + fwCmd =3D g_new0(virFirewallCmd, 1); =20 - rule->layer =3D layer; - rule->queryCB =3D cb; - rule->queryOpaque =3D opaque; - rule->ignoreErrors =3D ignoreErrors; + fwCmd->layer =3D layer; + fwCmd->queryCB =3D cb; + fwCmd->queryOpaque =3D opaque; + fwCmd->ignoreErrors =3D ignoreErrors; =20 - switch (rule->layer) { + switch (fwCmd->layer) { case VIR_FIREWALL_LAYER_ETHERNET: - ADD_ARG(rule, "--concurrent"); + ADD_ARG(fwCmd, "--concurrent"); break; case VIR_FIREWALL_LAYER_IPV4: - ADD_ARG(rule, "-w"); + ADD_ARG(fwCmd, "-w"); break; case VIR_FIREWALL_LAYER_IPV6: - ADD_ARG(rule, "-w"); + ADD_ARG(fwCmd, "-w"); break; case VIR_FIREWALL_LAYER_LAST: break; } =20 while ((str =3D va_arg(args, char *)) !=3D NULL) - ADD_ARG(rule, str); + ADD_ARG(fwCmd, str); =20 if (group->addingRollback) { - VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); + VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd); } else { - VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); + VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd); } =20 =20 - return rule; + return fwCmd; } =20 =20 /** - * virFirewallAddRuleFull: + * virFirewallAddCmdFull: * @firewall: firewall ruleset to add to * @layer: the firewall layer to change * @ignoreErrors: true to ignore failure of the command @@ -253,7 +253,7 @@ virFirewallAddRuleFullV(virFirewall *firewall, * Add any type of rule to the firewall ruleset. Any output * generated by the addition will be fed into the query * callback @cb. This callback is permitted to create new - * rules by invoking the virFirewallAddRule method, but + * rules by invoking the virFirewallAddCmd method, but * is not permitted to start new transactions. * * If @ignoreErrors is set to TRUE, then any failure of @@ -263,31 +263,31 @@ virFirewallAddRuleFullV(virFirewall *firewall, * * Returns the new rule */ -virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - ...) +virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + ...) { - virFirewallRule *rule; + virFirewallCmd *fwCmd; va_list args; va_start(args, opaque); - rule =3D virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, op= aque, args); + fwCmd =3D virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, op= aque, args); va_end(args); - return rule; + return fwCmd; } =20 =20 /** - * virFirewallRemoveRule: + * virFirewallRemoveCmd: * @firewall: firewall ruleset to remove from * @rule: the rule to remove * * Remove a rule from the current transaction */ -void virFirewallRemoveRule(virFirewall *firewall, - virFirewallRule *rule) +void virFirewallRemoveCmd(virFirewall *firewall, + virFirewallCmd *fwCmd) { size_t i; virFirewallGroup *group; @@ -306,21 +306,21 @@ void virFirewallRemoveRule(virFirewall *firewall, =20 if (group->addingRollback) { for (i =3D 0; i < group->nrollback; i++) { - if (group->rollback[i] =3D=3D rule) { + if (group->rollback[i] =3D=3D fwCmd) { VIR_DELETE_ELEMENT(group->rollback, i, group->nrollback); - virFirewallRuleFree(rule); + virFirewallCmdFree(fwCmd); break; } } } else { for (i =3D 0; i < group->naction; i++) { - if (group->action[i] =3D=3D rule) { + if (group->action[i] =3D=3D fwCmd) { VIR_DELETE_ELEMENT(group->action, i, group->naction); - virFirewallRuleFree(rule); + virFirewallCmdFree(fwCmd); return; } } @@ -328,45 +328,45 @@ void virFirewallRemoveRule(virFirewall *firewall, } =20 =20 -void virFirewallRuleAddArg(virFirewall *firewall, - virFirewallRule *rule, - const char *arg) +void virFirewallCmdAddArg(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *arg) { - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 - ADD_ARG(rule, arg); + ADD_ARG(fwCmd, arg); =20 return; } =20 =20 -void virFirewallRuleAddArgFormat(virFirewall *firewall, - virFirewallRule *rule, - const char *fmt, ...) +void virFirewallCmdAddArgFormat(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *fmt, ...) { g_autofree char *arg =3D NULL; va_list list; =20 - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 va_start(list, fmt); arg =3D g_strdup_vprintf(fmt, list); va_end(list); =20 - ADD_ARG(rule, arg); + ADD_ARG(fwCmd, arg); =20 return; } =20 =20 -void virFirewallRuleAddArgSet(virFirewall *firewall, - virFirewallRule *rule, - const char *const *args) +void virFirewallCmdAddArgSet(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *const *args) { - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 while (*args) { - ADD_ARG(rule, *args); + ADD_ARG(fwCmd, *args); args++; } =20 @@ -374,19 +374,19 @@ void virFirewallRuleAddArgSet(virFirewall *firewall, } =20 =20 -void virFirewallRuleAddArgList(virFirewall *firewall, - virFirewallRule *rule, - ...) +void virFirewallCmdAddArgList(virFirewall *firewall, + virFirewallCmd *fwCmd, + ...) { va_list list; const char *str; =20 - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 - va_start(list, rule); + va_start(list, fwCmd); =20 while ((str =3D va_arg(list, char *)) !=3D NULL) - ADD_ARG(rule, str); + ADD_ARG(fwCmd, str); =20 va_end(list); =20 @@ -394,11 +394,11 @@ void virFirewallRuleAddArgList(virFirewall *firewall, } =20 =20 -size_t virFirewallRuleGetArgCount(virFirewallRule *rule) +size_t virFirewallCmdGetArgCount(virFirewallCmd *fwCmd) { - if (!rule) + if (!fwCmd) return 0; - return rule->argsLen; + return fwCmd->argsLen; } =20 =20 @@ -462,16 +462,16 @@ void virFirewallStartRollback(virFirewall *firewall, =20 =20 char * -virFirewallRuleToString(const char *cmd, - virFirewallRule *rule) +virFirewallCmdToString(const char *cmd, + virFirewallCmd *fwCmd) { g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; size_t i; =20 virBufferAdd(&buf, cmd, -1); - for (i =3D 0; i < rule->argsLen; i++) { + for (i =3D 0; i < fwCmd->argsLen; i++) { virBufferAddLit(&buf, " "); - virBufferAdd(&buf, rule->args[i], -1); + virBufferAdd(&buf, fwCmd->args[i], -1); } =20 return virBufferContentAndReset(&buf); @@ -479,12 +479,12 @@ virFirewallRuleToString(const char *cmd, =20 =20 static int -virFirewallApplyRuleDirect(virFirewallRule *rule, - bool ignoreErrors, - char **output) +virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, + bool ignoreErrors, + char **output) { size_t i; - const char *bin =3D virFirewallLayerCommandTypeToString(rule->layer); + const char *bin =3D virFirewallLayerCommandTypeToString(fwCmd->layer); g_autoptr(virCommand) cmd =3D NULL; g_autofree char *cmdStr =3D NULL; int status; @@ -493,17 +493,17 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, if (!bin) { virReportError(VIR_ERR_INTERNAL_ERROR, _("Unknown firewall layer %1$d"), - rule->layer); + fwCmd->layer); return -1; } =20 cmd =3D virCommandNewArgList(bin, NULL); =20 - for (i =3D 0; i < rule->argsLen; i++) - virCommandAddArg(cmd, rule->args[i]); + for (i =3D 0; i < fwCmd->argsLen; i++) + virCommandAddArg(cmd, fwCmd->args[i]); =20 cmdStr =3D virCommandToString(cmd, false); - VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr)); =20 virCommandSetOutputBuffer(cmd, output); virCommandSetErrorBuffer(cmd, &error); @@ -516,7 +516,7 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, VIR_DEBUG("Ignoring error running command"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, - _("Failed to apply firewall rules %1$s: %2$s"), + _("Failed to run firewall command %1$s: %2$s"), NULLSTR(cmdStr), NULLSTR(error)); VIR_FREE(*output); return -1; @@ -528,30 +528,30 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, =20 =20 static int -virFirewallApplyRule(virFirewall *firewall, - virFirewallRule *rule, - bool ignoreErrors) +virFirewallApplyCmd(virFirewall *firewall, + virFirewallCmd *fwCmd, + bool ignoreErrors) { g_autofree char *output =3D NULL; g_auto(GStrv) lines =3D NULL; =20 - if (rule->ignoreErrors) - ignoreErrors =3D rule->ignoreErrors; + if (fwCmd->ignoreErrors) + ignoreErrors =3D fwCmd->ignoreErrors; =20 - if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) + if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0) return -1; =20 - if (rule->queryCB && output) { + if (fwCmd->queryCB && output) { if (!(lines =3D g_strsplit(output, "\n", -1))) return -1; =20 - VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output); - if (rule->queryCB(firewall, rule->layer, (const char *const *)line= s, rule->queryOpaque) < 0) + VIR_DEBUG("Invoking query %p with '%s'", fwCmd->queryCB, output); + if (fwCmd->queryCB(firewall, fwCmd->layer, (const char *const *)li= nes, fwCmd->queryOpaque) < 0) return -1; =20 if (firewall->err) { virReportSystemError(firewall->err, "%s", - _("Unable to create rule")); + _("Unable to create firewall command")); return -1; } =20 @@ -573,9 +573,9 @@ virFirewallApplyGroup(virFirewall *firewall, firewall->currentGroup =3D idx; group->addingRollback =3D false; for (i =3D 0; i < group->naction; i++) { - if (virFirewallApplyRule(firewall, - group->action[i], - ignoreErrors) < 0) + if (virFirewallApplyCmd(firewall, + group->action[i], + ignoreErrors) < 0) return -1; } return 0; @@ -592,11 +592,8 @@ virFirewallRollbackGroup(virFirewall *firewall, VIR_INFO("Starting rollback for group %p", group); firewall->currentGroup =3D idx; group->addingRollback =3D true; - for (i =3D 0; i < group->nrollback; i++) { - ignore_value(virFirewallApplyRule(firewall, - group->rollback[i], - true)); - } + for (i =3D 0; i < group->nrollback; i++) + ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], tru= e)); } =20 =20 @@ -604,7 +601,7 @@ int virFirewallApply(virFirewall *firewall) { size_t i, j; - VIR_LOCK_GUARD lock =3D virLockGuardLock(&ruleLock); + VIR_LOCK_GUARD lock =3D virLockGuardLock(&fwCmdLock); =20 if (!firewall || firewall->err) { int err =3D EINVAL; @@ -612,7 +609,7 @@ virFirewallApply(virFirewall *firewall) if (firewall) err =3D firewall->err; =20 - virReportSystemError(err, "%s", _("Unable to create rule")); + virReportSystemError(err, "%s", _("Unable to create firewall comma= nd")); return -1; } =20 diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 187748b2bf..956bf0e2bf 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -24,7 +24,7 @@ =20 typedef struct _virFirewall virFirewall; =20 -typedef struct _virFirewallRule virFirewallRule; +typedef struct _virFirewallCmd virFirewallCmd; =20 typedef enum { VIR_FIREWALL_LAYER_ETHERNET, @@ -39,7 +39,7 @@ virFirewall *virFirewallNew(void); void virFirewallFree(virFirewall *firewall); =20 /** - * virFirewallAddRule: + * virFirewallAddCmd: * @firewall: firewall ruleset to add to * @layer: the firewall layer to change * @...: NULL terminated list of strings for the rule @@ -48,49 +48,49 @@ void virFirewallFree(virFirewall *firewall); * * Returns the new rule */ -#define virFirewallAddRule(firewall, layer, ...) \ - virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_A= RGS__) +#define virFirewallAddCmd(firewall, layer, ...) \ + virFirewallAddCmdFull(firewall, layer, false, NULL, NULL, __VA_AR= GS__) =20 typedef int (*virFirewallQueryCallback)(virFirewall *firewall, virFirewallLayer layer, const char *const *lines, void *opaque); =20 -virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - ...) +virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + ...) G_GNUC_NULL_TERMINATED; =20 -void virFirewallRemoveRule(virFirewall *firewall, - virFirewallRule *rule); +void virFirewallRemoveCmd(virFirewall *firewall, + virFirewallCmd *rule); =20 -void virFirewallRuleAddArg(virFirewall *firewall, - virFirewallRule *rule, - const char *arg) +void virFirewallCmdAddArg(virFirewall *firewall, + virFirewallCmd *rule, + const char *arg) ATTRIBUTE_NONNULL(3); =20 -void virFirewallRuleAddArgFormat(virFirewall *firewall, - virFirewallRule *rule, - const char *fmt, ...) +void virFirewallCmdAddArgFormat(virFirewall *firewall, + virFirewallCmd *rule, + const char *fmt, ...) ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4); =20 -void virFirewallRuleAddArgSet(virFirewall *firewall, - virFirewallRule *rule, - const char *const *args) +void virFirewallCmdAddArgSet(virFirewall *firewall, + virFirewallCmd *rule, + const char *const *args) ATTRIBUTE_NONNULL(3); =20 -void virFirewallRuleAddArgList(virFirewall *firewall, - virFirewallRule *rule, - ...) +void virFirewallCmdAddArgList(virFirewall *firewall, + virFirewallCmd *rule, + ...) G_GNUC_NULL_TERMINATED; =20 -size_t virFirewallRuleGetArgCount(virFirewallRule *rule); +size_t virFirewallCmdGetArgCount(virFirewallCmd *rule); =20 -char *virFirewallRuleToString(const char *cmd, - virFirewallRule *rule); +char *virFirewallCmdToString(const char *cmd, + virFirewallCmd *rule); =20 typedef enum { /* Ignore all errors when applying rules, so no diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index e676a434c8..45bb67cb21 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -74,15 +74,15 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSE= D) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) return -1; @@ -107,28 +107,28 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUS= ED) const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source"); - virFirewallRemoveRule(fw, fwrule); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", NULL); + virFirewallCmdAddArg(fw, fwrule, "--source"); + virFirewallRemoveCmd(fw, fwrule); =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source"); - virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); - virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", NULL); + virFirewallCmdAddArg(fw, fwrule, "--source"); + virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); + virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) return -1; @@ -161,26 +161,26 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUS= ED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); =20 =20 if (virFirewallApply(fw) < 0) @@ -235,26 +235,26 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC= _UNUSED) =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); =20 =20 if (virFirewallApply(fw) < 0) @@ -288,25 +288,25 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_= UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - true, NULL, NULL, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + true, NULL, NULL, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); =20 =20 if (virFirewallApply(fw) < 0) @@ -338,20 +338,20 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUS= ED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -386,37 +386,37 @@ testFirewallSingleRollback(const void *opaque G_GNUC_= UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -450,41 +450,41 @@ testFirewallManyRollback(const void *opaque G_GNUC_UN= USED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -522,67 +522,67 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -656,10 +656,10 @@ testFirewallQueryCallback(virFirewall *fw, void *opaque G_GNUC_UNUSED) { size_t i; - virFirewallAddRule(fw, layer, - "-A", "INPUT", - "--source", "!192.168.122.129", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, layer, + "-A", "INPUT", + "--source", "!192.168.122.129", + "--jump", "REJECT", NULL); =20 for (i =3D 0; lines[i] !=3D NULL; i++) { if (expectedLineNum >=3D G_N_ELEMENTS(expectedLines)) { @@ -703,46 +703,46 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); - - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - false, - testFirewallQueryCallback, - NULL, - "-L", NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - false, - testFirewallQueryCallback, - NULL, + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); + + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + false, + testFirewallQueryCallback, + NULL, + "-L", NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + false, + testFirewallQueryCallback, + NULL, "-t", "nat", "-L", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.130", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.130", + "--jump", "REJECT", NULL); =20 =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.128", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.128", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) return -1; --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713754952256965.8562082987908; Sun, 21 Apr 2024 20:02:32 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 3BD9F2123; Sun, 21 Apr 2024 23:02:31 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id BE93F1E3B; Sun, 21 Apr 2024 22:54:14 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D73D11DC3; Sun, 21 Apr 2024 22:53:45 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id A8B071DC7 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-416-LUCkLcdvP2ie8NO8M0FD2g-1; Sun, 21 Apr 2024 22:53:37 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4139A3C025D9 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2A63E1121306 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: LUCkLcdvP2ie8NO8M0FD2g-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 06/27] util: rename virNetFilterAction to iptablesAction, and add VIR_ENUM_DECL/IMPL Date: Sun, 21 Apr 2024 22:53:14 -0400 Message-ID: <20240422025335.923272-7-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: GOKDCNH2K3JAUSUII5KBE7QCSERIATIN X-Message-ID-Hash: GOKDCNH2K3JAUSUII5KBE7QCSERIATIN X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713754952477100001 I had originally named these as VIR_NETFILTER_* because I assumed the same enum would eventually be used by our nftables backend as well as iptables. But it turns out that in most cases it's not possible to delete an nftables rule, so we just never used the enum anyway, so this patch is renaming the values to IPTABLES_ACTION_*, and taking advantage of the newly defined (via VIR_ENUM_DECL/IMPL) iptablesActionTypeToString() to replace all the ternary operators used to translate the enum into a string for the iptables commandline with iptablesActionTypeToString(). Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/network/network_iptables.c | 125 ++++++++++++++++++--------------- 1 file changed, 68 insertions(+), 57 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 31af9e0db6..d7e749adf0 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -46,10 +46,21 @@ VIR_LOG_INIT("network.iptables"); #define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX" #define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" =20 -enum { - VIR_NETFILTER_INSERT =3D 0, - VIR_NETFILTER_DELETE -}; +typedef enum { + IPTABLES_ACTION_INSERT, + IPTABLES_ACTION_APPEND, + IPTABLES_ACTION_DELETE, + + IPTABLES_ACTION_LAST +} iptablesAction; + +VIR_ENUM_DECL(iptablesAction); +VIR_ENUM_IMPL(iptablesAction, + IPTABLES_ACTION_LAST, + "--insert", + "--append", + "--delete", +); =20 typedef struct { const char *parent; @@ -169,14 +180,14 @@ iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + iptablesAction action, int tcp) { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + iptablesActionTypeToString(action), VIR_IPTABLES_INPUT_CHAIN, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -190,14 +201,14 @@ iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + iptablesAction action, int tcp) { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + iptablesActionTypeToString(action), VIR_IPTABLES_OUTPUT_CHAIN, "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -221,7 +232,7 @@ iptablesAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1); } =20 /** @@ -239,7 +250,7 @@ iptablesRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1); } =20 /** @@ -257,7 +268,7 @@ iptablesAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0); } =20 /** @@ -275,7 +286,7 @@ iptablesRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0); } =20 /** @@ -293,7 +304,7 @@ iptablesAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1); } =20 /** @@ -311,7 +322,7 @@ iptablesRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1); } =20 /** @@ -329,7 +340,7 @@ iptablesAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0); } =20 /** @@ -347,7 +358,7 @@ iptablesRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0); } =20 =20 @@ -360,7 +371,7 @@ iptablesForwardAllowOut(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + iptablesAction action) { g_autofree char *networkstr =3D NULL; virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? @@ -372,7 +383,7 @@ iptablesForwardAllowOut(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, @@ -382,7 +393,7 @@ iptablesForwardAllowOut(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, @@ -413,7 +424,7 @@ iptablesAddForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } =20 /** @@ -437,7 +448,7 @@ iptablesRemoveForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } =20 =20 @@ -450,7 +461,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + iptablesAction action) { virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -462,7 +473,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, @@ -474,7 +485,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, @@ -507,7 +518,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } =20 /** @@ -531,7 +542,7 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } =20 /* Allow all traffic destined to the bridge, with a valid network address @@ -542,7 +553,7 @@ iptablesForwardAllowIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + iptablesAction action) { virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -554,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, @@ -564,7 +575,7 @@ iptablesForwardAllowIn(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, @@ -594,7 +605,7 @@ iptablesAddForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } =20 /** @@ -618,18 +629,18 @@ iptablesRemoveForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } =20 static void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + iptablesAction action) { virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_X_CHAIN, "--in-interface", iface, "--out-interface", iface, @@ -653,7 +664,7 @@ iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_INSERT); } =20 /** @@ -672,18 +683,18 @@ iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_DELETE); } =20 static void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + iptablesAction action) { virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_OUT_CHAIN, "--in-interface", iface, "--jump", "REJECT", @@ -705,7 +716,7 @@ iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_INSERT); } =20 /** @@ -723,7 +734,7 @@ iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_DELETE); } =20 =20 @@ -731,11 +742,11 @@ static void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + iptablesAction action) { virFirewallAddCmd(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--out-interface", iface, "--jump", "REJECT", @@ -757,7 +768,7 @@ iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_INSERT); } =20 /** @@ -775,7 +786,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_DELETE); } =20 =20 @@ -790,7 +801,7 @@ iptablesForwardMasquerade(virFirewall *fw, virSocketAddrRange *addr, virPortRange *port, const char *protocol, - int action) + iptablesAction action) { g_autofree char *networkstr =3D NULL; g_autofree char *addrStartStr =3D NULL; @@ -817,7 +828,7 @@ iptablesForwardMasquerade(virFirewall *fw, if (protocol && protocol[0]) { fwCmd =3D virFirewallAddCmd(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "-p", protocol, @@ -826,7 +837,7 @@ iptablesForwardMasquerade(virFirewall *fw, } else { fwCmd =3D virFirewallAddCmd(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "!", "--destination", networkstr, @@ -901,7 +912,7 @@ iptablesAddForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } =20 /** @@ -928,7 +939,7 @@ iptablesRemoveForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } =20 =20 @@ -941,7 +952,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, unsigned int prefix, const char *physdev, const char *destaddr, - int action) + iptablesAction action) { g_autofree char *networkstr =3D NULL; virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? @@ -953,7 +964,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", physdev, "--source", networkstr, @@ -963,7 +974,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "--destination", destaddr, @@ -995,7 +1006,7 @@ iptablesAddDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, VIR_NETFILTER_= INSERT); + physdev, destaddr, IPTABLES_ACTIO= N_INSERT); } =20 /** @@ -1021,7 +1032,7 @@ iptablesRemoveDontMasquerade(virFirewall *fw, { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } =20 =20 @@ -1029,13 +1040,13 @@ static void iptablesOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port, - int action) + iptablesAction action) { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", iface, "--protocol", "udp", @@ -1060,7 +1071,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); + iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_INSERT); } =20 /** @@ -1077,7 +1088,7 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); + iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_DELETE); } =20 =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713754653652131.8645746109686; Sun, 21 Apr 2024 19:57:33 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 8ECE61DB0; Sun, 21 Apr 2024 22:57:32 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 469F81E92; Sun, 21 Apr 2024 22:53:59 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id B0A151E11; Sun, 21 Apr 2024 22:53:43 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 886B61DBB for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-632-0TF2cEQBNeSdWZjwH4U5ew-1; Sun, 21 Apr 2024 22:53:37 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6197E8884A1 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4B0491121306 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: 0TF2cEQBNeSdWZjwH4U5ew-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 07/27] util: check for 0 args when applying iptables rule Date: Sun, 21 Apr 2024 22:53:15 -0400 Message-ID: <20240422025335.923272-8-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: AF65RAFUZ2XILQSSW3WRFVN3FIEZBZ4A X-Message-ID-Hash: AF65RAFUZ2XILQSSW3WRFVN3FIEZBZ4A X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713754655690100001 In normal practice a virFirewallCmd should never have 0 args by the time it gets to the Apply stage, but at some time while debugging one of the other patches in this series, exactly that happened (due to a bug that was since squashed), and having a check for it helped debugging, so let's permanently check for it. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/util/virfirewall.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 902cb8e445..1897a66070 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -538,6 +538,12 @@ virFirewallApplyCmd(virFirewall *firewall, if (fwCmd->ignoreErrors) ignoreErrors =3D fwCmd->ignoreErrors; =20 + if (fwCmd->argsLen =3D=3D 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Can't apply empty firewall command")); + return -1; + } + if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0) return -1; =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 171375470662754.98484116274335; Sun, 21 Apr 2024 19:58:26 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 9A98D1F8A; Sun, 21 Apr 2024 22:58:25 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id DCAA11EA3; Sun, 21 Apr 2024 22:54:02 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id DDC011DBB; Sun, 21 Apr 2024 22:53:43 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 97EBA1DC5 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-343-VS6PfADcNmefiYoJvQaRkA-1; Sun, 21 Apr 2024 22:53:37 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 812EB3C000AB for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6B9741121306 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: VS6PfADcNmefiYoJvQaRkA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 08/27] util: add -w/--concurrent when applying a FirewallCmd rather than when building it Date: Sun, 21 Apr 2024 22:53:16 -0400 Message-ID: <20240422025335.923272-9-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: Z5NG7U3JE2ZJ7SESODCDQT3LC4T4GWFW X-Message-ID-Hash: Z5NG7U3JE2ZJ7SESODCDQT3LC4T4GWFW X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713754707821100001 We will already need a separate function for virFirewallApplyCmd for iptables vs. nftables, but the only reason for needing a separate function for virFirewallAddCmd* is that iptables/ebtables need to have an extra arg added for locking (to prevent multiple iptables commands from running at the same time). We can just as well add in the -w/--concurrent during virFirewallApplyCmd, so move the arg-add to ApplyCmd to keep AddCmd simple. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/util/virfirewall.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 1897a66070..a57a79d4ce 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -213,20 +213,6 @@ virFirewallAddCmdFullV(virFirewall *firewall, fwCmd->queryOpaque =3D opaque; fwCmd->ignoreErrors =3D ignoreErrors; =20 - switch (fwCmd->layer) { - case VIR_FIREWALL_LAYER_ETHERNET: - ADD_ARG(fwCmd, "--concurrent"); - break; - case VIR_FIREWALL_LAYER_IPV4: - ADD_ARG(fwCmd, "-w"); - break; - case VIR_FIREWALL_LAYER_IPV6: - ADD_ARG(fwCmd, "-w"); - break; - case VIR_FIREWALL_LAYER_LAST: - break; - } - while ((str =3D va_arg(args, char *)) !=3D NULL) ADD_ARG(fwCmd, str); =20 @@ -499,6 +485,19 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, =20 cmd =3D virCommandNewArgList(bin, NULL); =20 + /* lock to assure nobody else is messing with the tables while we are = */ + switch (fwCmd->layer) { + case VIR_FIREWALL_LAYER_ETHERNET: + virCommandAddArg(cmd, "--concurrent"); + break; + case VIR_FIREWALL_LAYER_IPV4: + case VIR_FIREWALL_LAYER_IPV6: + virCommandAddArg(cmd, "-w"); + break; + case VIR_FIREWALL_LAYER_LAST: + break; + } + for (i =3D 0; i < fwCmd->argsLen; i++) virCommandAddArg(cmd, fwCmd->args[i]); =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713754862719815.6492931792608; Sun, 21 Apr 2024 20:01:02 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 900A92116; Sun, 21 Apr 2024 23:01:01 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id A302B1E3E; Sun, 21 Apr 2024 22:54:12 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id B89291E13; Sun, 21 Apr 2024 22:53:45 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id CF6851DE0 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-210-jkNSEDs4OF-r-PCagZ_Gtw-1; Sun, 21 Apr 2024 22:53:37 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A153B3C000AE for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8B50A1121306 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: jkNSEDs4OF-r-PCagZ_Gtw-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 09/27] util: determine ignoreErrors value when creating virFirewallCmd, not when applying Date: Sun, 21 Apr 2024 22:53:17 -0400 Message-ID: <20240422025335.923272-10-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: X5OHXRJBZKSM33CSPNFXHF3DOAX5M26F X-Message-ID-Hash: X5OHXRJBZKSM33CSPNFXHF3DOAX5M26F X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713754864205100001 We know at the time a virFirewallCmd is created (with virFirewallAddCmd*()) whether or not we will later want to ignore errors encountered when attempting to apply that command - if ignoreErrors is set in the AddCmd or if the group has already had VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS set, then we ignore the errors. Rather than setting the fwCmd->ignoreErrors only according to the arg sent to virFirewallAddCmdFull(), and then later (at ApplyCmd-time) combining that with the group transactionFlags setting (and passing it all the way down the call chain), just combine the two flags right away and store this final value in fwCmd->ignoreErrors when the virFirewallCmd is created (thus avoiding the need to look at anything other than fwCmd->ignoreErrors at the time the command is applied). Once that is done, we can simply grab ignoreErrors from the object down in virFirewallApply() rather than cluttering up the argument list on the entire call chain. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/util/virfirewall.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index a57a79d4ce..56d43bfdde 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -211,14 +211,19 @@ virFirewallAddCmdFullV(virFirewall *firewall, fwCmd->layer =3D layer; fwCmd->queryCB =3D cb; fwCmd->queryOpaque =3D opaque; - fwCmd->ignoreErrors =3D ignoreErrors; =20 while ((str =3D va_arg(args, char *)) !=3D NULL) ADD_ARG(fwCmd, str); =20 if (group->addingRollback) { + fwCmd->ignoreErrors =3D true; /* always ignore errors when rolling= back */ VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd); } else { + /* when not rolling back, ignore errors if this group (transaction) + * was started with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS *or* + * if this specific rule was created with ignoreErrors =3D=3D true + */ + fwCmd->ignoreErrors =3D ignoreErrors || (group->actionFlags & VIR_= FIREWALL_TRANSACTION_IGNORE_ERRORS); VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd); } =20 @@ -466,8 +471,7 @@ virFirewallCmdToString(const char *cmd, =20 static int virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, - bool ignoreErrors, - char **output) + char **output) { size_t i; const char *bin =3D virFirewallLayerCommandTypeToString(fwCmd->layer); @@ -511,7 +515,7 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, return -1; =20 if (status !=3D 0) { - if (ignoreErrors) { + if (fwCmd->ignoreErrors) { VIR_DEBUG("Ignoring error running command"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, @@ -528,22 +532,18 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, =20 static int virFirewallApplyCmd(virFirewall *firewall, - virFirewallCmd *fwCmd, - bool ignoreErrors) + virFirewallCmd *fwCmd) { g_autofree char *output =3D NULL; g_auto(GStrv) lines =3D NULL; =20 - if (fwCmd->ignoreErrors) - ignoreErrors =3D fwCmd->ignoreErrors; - if (fwCmd->argsLen =3D=3D 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Can't apply empty firewall command")); return -1; } =20 - if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0) + if (virFirewallApplyCmdDirect(fwCmd, &output) < 0) return -1; =20 if (fwCmd->queryCB && output) { @@ -570,7 +570,7 @@ virFirewallApplyGroup(virFirewall *firewall, size_t idx) { virFirewallGroup *group =3D firewall->groups[idx]; - bool ignoreErrors =3D (group->actionFlags & VIR_FIREWALL_TRANSACTION_I= GNORE_ERRORS); + size_t i; =20 VIR_INFO("Starting transaction for firewall=3D%p group=3D%p flags=3D0x= %x", @@ -578,9 +578,7 @@ virFirewallApplyGroup(virFirewall *firewall, firewall->currentGroup =3D idx; group->addingRollback =3D false; for (i =3D 0; i < group->naction; i++) { - if (virFirewallApplyCmd(firewall, - group->action[i], - ignoreErrors) < 0) + if (virFirewallApplyCmd(firewall, group->action[i]) < 0) return -1; } return 0; @@ -598,7 +596,7 @@ virFirewallRollbackGroup(virFirewall *firewall, firewall->currentGroup =3D idx; group->addingRollback =3D true; for (i =3D 0; i < group->nrollback; i++) - ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], tru= e)); + ignore_value(virFirewallApplyCmd(firewall, group->rollback[i])); } =20 =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755291269829.1796155085417; Sun, 21 Apr 2024 20:08:11 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 429671ED3; Sun, 21 Apr 2024 23:08:10 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 012CF1EEA; Sun, 21 Apr 2024 22:54:36 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 300031E1F; Sun, 21 Apr 2024 22:53:49 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 253C91DEA for ; Sun, 21 Apr 2024 22:53:40 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-622-smFvxfUqPaeBagM4ZwULdA-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C36E21C07F20 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id AC01C1121306 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: smFvxfUqPaeBagM4ZwULdA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 10/27] util/network: new virFirewallBackend enum Date: Sun, 21 Apr 2024 22:53:18 -0400 Message-ID: <20240422025335.923272-11-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: P7LSW3UE56WVR6VYYH2YTZSWZUUCNL57 X-Message-ID-Hash: P7LSW3UE56WVR6VYYH2YTZSWZUUCNL57 X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755293366100001 (This paragraph is for historical reference only, described only to avoid confusion of past use of the name with its new use) In a past life, virFirewallBackend had been a private static in virfirewall.c that was set at daemon init time, and used to globally (i.e. for all drivers in the daemon) determine whether to directly execute iptables commands, or to run them indirectly via the firewalld passthrough API. This was removed in commit d566cc55, since we decided that using the firewalld passthrough API is never appropriate. Now the same enum, virFirewallBackend, is being reintroduced, with a different meaning and usage pattern. It will be used to pick between using nftables commands or iptables commands (in either case directly handled by libvirt, *not* via firewalld). Additionally, rather than being a static known only within virfirewall.c and applying to all firewall commands for all drivers, each virFirewall object will have its own backend setting, which will be set during virFirewallNew() by the driver who wants to add a firewall rule. This will allow the nwfilter and network drivers to each have their own backend setting, even when they coexist in a single unified daemon. At least as important as that, it will also allow an instance of the network driver to remove iptables rules that had been added by a previous instance, and then add nftables rules for the new instance (in the case that an admin, or possibly an update, switches the driver backend from iptables to nftable) Initially, the enum will only have one usable value - VIR_FIREWALL_BACKEND_IPTABLES, and that will be hardcoded into all calls to virFirewallNew(). The other enum value (along with a method of setting it for each driver) will be added later, when it can be used (when the nftables backend is in the code). Signed-off-by: Laine Stump --- src/libvirt_private.syms | 3 +++ src/network/network_iptables.c | 6 +++--- src/nwfilter/nwfilter_ebiptables_driver.c | 16 ++++++++-------- src/util/virebtables.c | 4 ++-- src/util/virfirewall.c | 16 +++++++++++++++- src/util/virfirewall.h | 12 +++++++++++- tests/virfirewalltest.c | 20 ++++++++++---------- 7 files changed, 52 insertions(+), 25 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index a9462197e0..b6eb5a62a7 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2404,6 +2404,8 @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddCmdFull; virFirewallApply; +virFirewallBackendTypeFromString; +virFirewallBackendTypeToString; virFirewallCmdAddArg; virFirewallCmdAddArgFormat; virFirewallCmdAddArgList; @@ -2411,6 +2413,7 @@ virFirewallCmdAddArgSet; virFirewallCmdGetArgCount; virFirewallCmdToString; virFirewallFree; +virFirewallGetBackend; virFirewallNew; virFirewallRemoveCmd; virFirewallStartRollback; diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index d7e749adf0..db35a4c5a0 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -131,7 +131,7 @@ iptablesPrivateChainCreate(virFirewall *fw, int iptablesSetupPrivateChains(virFirewallLayer layer) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); iptablesGlobalChain filter_chains[] =3D { {"INPUT", VIR_IPTABLES_INPUT_CHAIN}, {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN}, @@ -1597,7 +1597,7 @@ iptablesAddFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, 0); =20 @@ -1632,7 +1632,7 @@ iptablesRemoveFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); iptablesRemoveChecksumFirewallRules(fw, def); diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 3ef1bb576e..5082b62577 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -2820,7 +2820,7 @@ static int ebtablesApplyBasicRules(const char *ifname, const virMacAddr *macaddr) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); char chain[MAX_CHAINNAME_LENGTH]; char chainPrefix =3D CHAINPREFIX_HOST_IN_TEMP; char macaddr_str[VIR_MAC_STRING_BUFLEN]; @@ -2893,7 +2893,7 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, char macaddr_str[VIR_MAC_STRING_BUFLEN]; unsigned int idx =3D 0; unsigned int num_dhcpsrvrs; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virMacAddrFormat(macaddr, macaddr_str); =20 @@ -2995,7 +2995,7 @@ ebtablesApplyDropAllRules(const char *ifname) { char chain_in [MAX_CHAINNAME_LENGTH], chain_out[MAX_CHAINNAME_LENGTH]; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 if (ebiptablesAllTeardown(ifname) < 0) return -1; @@ -3042,7 +3042,7 @@ ebtablesRemoveBasicRules(const char *ifname) static int ebtablesCleanAll(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3302,7 +3302,7 @@ ebiptablesApplyNewRules(const char *ifname, size_t nrules) { size_t i, j; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); g_autoptr(GHashTable) chains_in_set =3D virHashNew(NULL); g_autoptr(GHashTable) chains_out_set =3D virHashNew(NULL); bool haveEbtables =3D false; @@ -3527,7 +3527,7 @@ ebiptablesTearNewRulesFW(virFirewall *fw, const char = *ifname) static int ebiptablesTearNewRules(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3539,7 +3539,7 @@ ebiptablesTearNewRules(const char *ifname) static int ebiptablesTearOldRules(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3574,7 +3574,7 @@ ebiptablesTearOldRules(const char *ifname) static int ebiptablesAllTeardown(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 diff --git a/src/util/virebtables.c b/src/util/virebtables.c index cabcbb3e81..8a361a2dbb 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -78,7 +78,7 @@ ebtablesContextFree(ebtablesContext *ctx) int ebtablesAddForwardPolicyReject(ebtablesContext *ctx) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, @@ -106,7 +106,7 @@ ebtablesForwardAllowIn(ebtablesContext *ctx, const char *macaddr, int action) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, 0); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 56d43bfdde..489482fd83 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -35,6 +35,11 @@ =20 VIR_LOG_INIT("util.firewall"); =20 +VIR_ENUM_IMPL(virFirewallBackend, + VIR_FIREWALL_BACKEND_LAST, + "UNSET", /* not yet set */ + "iptables"); + typedef struct _virFirewallGroup virFirewallGroup; =20 VIR_ENUM_DECL(virFirewallLayerCommand); @@ -77,6 +82,7 @@ struct _virFirewall { size_t ngroups; virFirewallGroup **groups; size_t currentGroup; + virFirewallBackend backend; }; =20 static virMutex fwCmdLock =3D VIR_MUTEX_INITIALIZER; @@ -98,14 +104,22 @@ virFirewallGroupNew(void) * * Returns the new firewall ruleset */ -virFirewall *virFirewallNew(void) +virFirewall *virFirewallNew(virFirewallBackend backend) { virFirewall *firewall =3D g_new0(virFirewall, 1); =20 + firewall->backend =3D backend; return firewall; } =20 =20 +virFirewallBackend +virFirewallGetBackend(virFirewall *firewall) +{ + return firewall->backend; +} + + static void virFirewallCmdFree(virFirewallCmd *fwCmd) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 956bf0e2bf..7f0fee047d 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -21,6 +21,7 @@ #pragma once =20 #include "internal.h" +#include "virenum.h" =20 typedef struct _virFirewall virFirewall; =20 @@ -34,9 +35,18 @@ typedef enum { VIR_FIREWALL_LAYER_LAST, } virFirewallLayer; =20 -virFirewall *virFirewallNew(void); +typedef enum { + VIR_FIREWALL_BACKEND_UNSET, + VIR_FIREWALL_BACKEND_IPTABLES, + + VIR_FIREWALL_BACKEND_LAST, +} virFirewallBackend; + +VIR_ENUM_DECL(virFirewallBackend); =20 +virFirewall *virFirewallNew(virFirewallBackend backend); void virFirewallFree(virFirewall *firewall); +virFirewallBackend virFirewallGetBackend(virFirewall *firewall); =20 /** * virFirewallAddCmd: diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 45bb67cb21..38726dcc7a 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -62,7 +62,7 @@ static int testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -102,7 +102,7 @@ static int testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -148,7 +148,7 @@ static int testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -222,7 +222,7 @@ static int testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -275,7 +275,7 @@ static int testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -327,7 +327,7 @@ static int testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -372,7 +372,7 @@ static int testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -437,7 +437,7 @@ static int testFirewallManyRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -505,7 +505,7 @@ static int testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -682,7 +682,7 @@ static int testFirewallQuery(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755034158302.4188792932234; Sun, 21 Apr 2024 20:03:54 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 094F31F8A; Sun, 21 Apr 2024 23:03:53 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 14A0E1ECF; Sun, 21 Apr 2024 22:54:20 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 4EEC01DE1; Sun, 21 Apr 2024 22:53:46 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id F2BA61DE1 for ; Sun, 21 Apr 2024 22:53:39 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-400-SVpnBQXlOXGToiVIxArquQ-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E4AF81049C97 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id CDF3B1121306 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: SVpnBQXlOXGToiVIxArquQ-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 11/27] network: add (empty) network.conf file to distribution files Date: Sun, 21 Apr 2024 22:53:19 -0400 Message-ID: <20240422025335.923272-12-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: ZXUR2N5V3WXEAFA2YFJNJNZXWG6HRL3C X-Message-ID-Hash: ZXUR2N5V3WXEAFA2YFJNJNZXWG6HRL3C X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755034626100001 Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- libvirt.spec.in | 3 ++ src/network/libvirtd_network.aug | 36 ++++++++++++++++++++++++ src/network/meson.build | 11 ++++++++ src/network/network.conf | 3 ++ src/network/test_libvirtd_network.aug.in | 2 ++ 5 files changed, 55 insertions(+) create mode 100644 src/network/libvirtd_network.aug create mode 100644 src/network/network.conf create mode 100644 src/network/test_libvirtd_network.aug.in diff --git a/libvirt.spec.in b/libvirt.spec.in index 64018192b6..bde25c6f6e 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -2108,6 +2108,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf %{_datadir}/augeas/lenses/virtnetworkd.aug %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug +%config(noreplace) %{_sysconfdir}/libvirt/network.conf +%{_datadir}/augeas/lenses/libvirtd_network.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug %{_unitdir}/virtnetworkd.service %{_unitdir}/virtnetworkd.socket %{_unitdir}/virtnetworkd-ro.socket diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_networ= k.aug new file mode 100644 index 0000000000..ae153d96a1 --- /dev/null +++ b/src/network/libvirtd_network.aug @@ -0,0 +1,36 @@ +(* /etc/libvirt/network.conf *) + +module Libvirtd_network =3D + autoload xfm + + let eol =3D del /[ \t]*\n/ "\n" + let value_sep =3D del /[ \t]*=3D[ \t]*/ " =3D " + let indent =3D del /[ \t]*/ "" + + let array_sep =3D del /,[ \t\n]*/ ", " + let array_start =3D del /\[[ \t\n]*/ "[ " + let array_end =3D del /\]/ "]" + + let str_val =3D del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\"" + let bool_val =3D store /0|1/ + let int_val =3D store /[0-9]+/ + let str_array_element =3D [ seq "el" . str_val ] . del /[ \t\n]*/ "" + let str_array_val =3D counter "el" . array_start . ( str_array_element = . ( array_sep . str_array_element ) * ) ? . array_end + + let str_entry (kw:string) =3D [ key kw . value_sep . str_val ] + let bool_entry (kw:string) =3D [ key kw . value_sep . bool_val ] + let int_entry (kw:string) =3D [ key kw . value_sep . int_val ] + let str_array_entry (kw:string) =3D [ key kw . value_sep . str_array_va= l ] + + (* Each entry in the config is one of the following *) + let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] + let empty =3D [ label "#empty" . eol ] + + let record =3D indent . eol + + let lns =3D ( record | comment | empty ) * + + let filter =3D incl "/etc/libvirt/network.conf" + . Util.stdexcl + + let xfm =3D transform lns filter diff --git a/src/network/meson.build b/src/network/meson.build index 305e2d52fb..c34f00e8ff 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -49,6 +49,17 @@ if conf.has('WITH_NETWORK') ], } =20 + virt_conf_files +=3D files('network.conf') + virt_aug_files +=3D files('libvirtd_network.aug') + virt_test_aug_files +=3D { + 'name': 'test_libvirtd_network.aug', + 'aug': files('test_libvirtd_network.aug.in'), + 'conf': files('network.conf'), + 'test_name': 'libvirtd_network', + 'test_srcdir': meson.current_source_dir(), + 'test_builddir': meson.current_build_dir(), + } + virt_daemon_confs +=3D { 'name': 'virtnetworkd', } diff --git a/src/network/network.conf b/src/network/network.conf new file mode 100644 index 0000000000..5c84003f6d --- /dev/null +++ b/src/network/network.conf @@ -0,0 +1,3 @@ +# Master configuration file for the network driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_li= bvirtd_network.aug.in new file mode 100644 index 0000000000..ffdca520ce --- /dev/null +++ b/src/network/test_libvirtd_network.aug.in @@ -0,0 +1,2 @@ +module Test_libvirtd_network =3D + @CONFIG@ --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755447735480.58917974858457; Sun, 21 Apr 2024 20:10:47 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id A5FD51DB6; Sun, 21 Apr 2024 23:10:46 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id F18981F02; Sun, 21 Apr 2024 22:54:44 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id AEC1B1E34; Sun, 21 Apr 2024 22:53:49 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 265451DE5 for ; Sun, 21 Apr 2024 22:53:40 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-622-W6avGQwHNw-Q3RKc7Al-oQ-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 120021C07F23 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id EF3141121306 for ; Mon, 22 Apr 2024 02:53:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: W6avGQwHNw-Q3RKc7Al-oQ-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 12/27] network: support setting firewallBackend from network.conf Date: Sun, 21 Apr 2024 22:53:20 -0400 Message-ID: <20240422025335.923272-13-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: PEQWDJLHLCJJUNGJRMQOS2Y35OI2WIXP X-Message-ID-Hash: PEQWDJLHLCJJUNGJRMQOS2Y35OI2WIXP X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755449804100001 It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=3Dnftables" in /etc/libvirt/network.conf. If firewall_backend isn't set in network.conf, then libvirt will check to see if the iptables binary is present on the system and set firewallBackend to iptables; if not, it will be left as "unset", which (once multiple backends are available) will trigger an appropriate error message the first time we attempt to add a rule. Signed-off-by: Laine Stump --- src/network/bridge_driver.c | 22 +++++++------ src/network/bridge_driver_conf.c | 40 ++++++++++++++++++++++++ src/network/bridge_driver_conf.h | 3 ++ src/network/bridge_driver_linux.c | 6 ++-- src/network/bridge_driver_nop.c | 6 ++-- src/network/bridge_driver_platform.h | 6 ++-- src/network/libvirtd_network.aug | 5 ++- src/network/network.conf | 8 +++++ src/network/test_libvirtd_network.aug.in | 3 ++ tests/networkxml2firewalltest.c | 2 +- 10 files changed, 83 insertions(+), 18 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index d89700c6ee..38e4ab84ad 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1682,6 +1682,7 @@ static int networkReloadFirewallRulesHelper(virNetworkObj *obj, void *opaque G_GNUC_UNUSED) { + g_autoptr(virNetworkDriverConfig) cfg =3D virNetworkDriverGetConfig(ne= tworkGetDriver()); VIR_LOCK_GUARD lock =3D virObjectLockGuard(obj); virNetworkDef *def =3D virNetworkObjGetDef(obj); =20 @@ -1695,8 +1696,8 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward=3D'open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def); - ignore_value(networkAddFirewallRules(def)); + networkRemoveFirewallRules(def, cfg->firewallBackend); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); break; =20 case VIR_NETWORK_FORWARD_OPEN: @@ -1948,7 +1949,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 /* Add "once per network" rules */ if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def) < 0) + networkAddFirewallRules(def, cfg->firewallBackend) < 0) goto error; =20 firewalRulesAdded =3D true; @@ -2064,7 +2065,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 if (firewalRulesAdded && def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); =20 virNetworkObjUnrefMacMap(obj); =20 @@ -2076,7 +2077,8 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 =20 static int -networkShutdownNetworkVirtual(virNetworkObj *obj) +networkShutdownNetworkVirtual(virNetworkObj *obj, + virNetworkDriverConfig *cfg) { virNetworkDef *def =3D virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -2102,7 +2104,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) ignore_value(virNetDevSetOnline(def->bridge, false)); =20 if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); =20 @@ -2406,7 +2408,7 @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret =3D networkShutdownNetworkVirtual(obj); + ret =3D networkShutdownNetworkVirtual(obj, cfg); break; =20 case VIR_NETWORK_FORWARD_BRIDGE: @@ -3257,7 +3259,7 @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); needFirewallRefresh =3D true; break; default: @@ -3285,14 +3287,14 @@ networkUpdate(virNetworkPtr net, parentIndex, xml, network_driver->xmlopt, flags) < 0) { if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def)); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); goto cleanup; } =20 /* @def is replaced */ def =3D virNetworkObjGetDef(obj); =20 - if (needFirewallRefresh && networkAddFirewallRules(def) < 0) + if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallB= ackend) < 0) goto cleanup; =20 if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index a2edafa837..9769ee06b5 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -25,6 +25,7 @@ #include "datatypes.h" #include "virlog.h" #include "virerror.h" +#include "virfile.h" #include "virutil.h" #include "bridge_driver_conf.h" =20 @@ -62,6 +63,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_= GNUC_UNUSED, const char *filename) { g_autoptr(virConf) conf =3D NULL; + g_autofree char *firewallBackendStr =3D NULL; =20 /* if file doesn't exist or is unreadable, ignore the "error" */ if (access(filename, R_OK) =3D=3D -1) @@ -73,6 +75,44 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G= _GNUC_UNUSED, =20 /* use virConfGetValue*(conf, ...) functions to read any settings into= cfg */ =20 + if (virConfGetValueString(conf, "firewall_backend", &firewallBackendSt= r) < 0) + return -1; + + if (firewallBackendStr) { + int backend =3D virFirewallBackendTypeFromString(firewallBackendSt= r); + + if (backend < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown value for 'firewall_backend' in netw= ork.conf: '%1$s'"), + firewallBackendStr); + return -1; + } + + cfg->firewallBackend =3D backend; + VIR_INFO("using firewall_backend setting from network.conf: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + + } else { + + /* no .conf setting, so see what this host supports by looking + * for binaries used by the backends, and set accordingly. + */ + g_autofree char *iptablesInPath =3D NULL; + + /* virFindFileInPath() uses g_find_program_in_path(), + * which allows absolute paths, and verifies that + * the file is executable. + */ + if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) + cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; + + if (cfg->firewallBackend =3D=3D VIR_FIREWALL_BACKEND_UNSET) + VIR_INFO("firewall_backend not set, and no usable backend auto= -detected"); + else + VIR_INFO("using auto-detected firewall_backend: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + } + return 0; } =20 diff --git a/src/network/bridge_driver_conf.h b/src/network/bridge_driver_c= onf.h index 426c16198d..8f221f391e 100644 --- a/src/network/bridge_driver_conf.h +++ b/src/network/bridge_driver_conf.h @@ -26,6 +26,7 @@ #include "virdnsmasq.h" #include "virnetworkobj.h" #include "object_event.h" +#include "virfirewall.h" =20 typedef struct _virNetworkDriverConfig virNetworkDriverConfig; struct _virNetworkDriverConfig { @@ -37,6 +38,8 @@ struct _virNetworkDriverConfig { char *stateDir; char *pidDir; char *dnsmasqStateDir; + + virFirewallBackend firewallBackend; }; =20 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virNetworkDriverConfig, virObjectUnref); diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 4914d5c903..c2ef27f251 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -303,7 +303,8 @@ int networkCheckRouteCollision(virNetworkDef *def) =20 =20 int -networkAddFirewallRules(virNetworkDef *def) +networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend G_GNUC_UNUSED) { if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -394,7 +395,8 @@ networkAddFirewallRules(virNetworkDef *def) =20 =20 void -networkRemoveFirewallRules(virNetworkDef *def) +networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend G_GNUC_UNUSE= D) { iptablesRemoveFirewallRules(def); } diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 6eee6043e6..7d9a061e50 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -36,11 +36,13 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNU= C_UNUSED) return 0; } =20 -int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_UNUS= ED) { return 0; } =20 -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_U= NUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index b720d343be..7443c3129f 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -32,6 +32,8 @@ void networkPostReloadFirewallRules(bool startup); =20 int networkCheckRouteCollision(virNetworkDef *def); =20 -int networkAddFirewallRules(virNetworkDef *def); +int networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); =20 -void networkRemoveFirewallRules(virNetworkDef *def); +void networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_networ= k.aug index ae153d96a1..5d6d72dd92 100644 --- a/src/network/libvirtd_network.aug +++ b/src/network/libvirtd_network.aug @@ -22,11 +22,14 @@ module Libvirtd_network =3D let int_entry (kw:string) =3D [ key kw . value_sep . int_val ] let str_array_entry (kw:string) =3D [ key kw . value_sep . str_array_va= l ] =20 + let firewall_backend_entry =3D str_entry "firewall_backend" + (* Each entry in the config is one of the following *) + let entry =3D firewall_backend_entry let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] let empty =3D [ label "#empty" . eol ] =20 - let record =3D indent . eol + let record =3D indent . entry . eol =20 let lns =3D ( record | comment | empty ) * =20 diff --git a/src/network/network.conf b/src/network/network.conf index 5c84003f6d..74c79e4cc6 100644 --- a/src/network/network.conf +++ b/src/network/network.conf @@ -1,3 +1,11 @@ # Master configuration file for the network driver. # All settings described here are optional - if omitted, sensible # defaults are used. + +# firewall_backend: +# +# determines which subsystem to use to setup firewall packet +# filtering rules for virtual networks. Currently the only supported +# selection is "iptables". +# +#firewall_backend =3D "iptables" diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_li= bvirtd_network.aug.in index ffdca520ce..3aa7b4cc22 100644 --- a/src/network/test_libvirtd_network.aug.in +++ b/src/network/test_libvirtd_network.aug.in @@ -1,2 +1,5 @@ module Test_libvirtd_network =3D @CONFIG@ + + test Libvirtd_network.lns get conf =3D +{ "firewall_backend" =3D "iptables" } diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index cb66a26294..3a9f409e2a 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -98,7 +98,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def) < 0) + if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755159525327.7358245797552; Sun, 21 Apr 2024 20:05:59 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 3A68D1EB4; Sun, 21 Apr 2024 23:05:58 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 22F391EE0; Sun, 21 Apr 2024 22:54:28 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 55E5F1E1A; Sun, 21 Apr 2024 22:53:48 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 69B3D1DE9 for ; Sun, 21 Apr 2024 22:53:40 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-274-emq16-UGOR-7AnsShPZlrA-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3266389A247 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1BC741121306 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: emq16-UGOR-7AnsShPZlrA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 13/27] network: framework to call backend-specific function to init private filter chains Date: Sun, 21 Apr 2024 22:53:21 -0400 Message-ID: <20240422025335.923272-14-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: UX5Q3AHVSNPBST63QMVHBYVFH7K2A57O X-Message-ID-Hash: UX5Q3AHVSNPBST63QMVHBYVFH7K2A57O X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755160924100001 Modify networkSetupPrivateChains() in the network driver to accept a firewallBackend argument so it will know which backend to call. (right now it always calls the iptables version of the lower level function, but in the future it could instead call the nftables version based on configuration). But networkSetupPrivateChains() was being called with virOnce(), and virOnce() doesn't support calling functions that require an argument (it's based on pthread_once(), which accepts no arguments, so it's not something we can easily fix in our implementation of virOnce()). To solve this dilemma, this patch eliminates use of virOnce() by adding a static lock, and putting all of networkSetupPrivateChains() (including the setting of "chainInitDone") inside a lock guard - now the places that used to call it via virOnce() can safely call it directly instead (adding in the necessary argument to specify backend). (If it turns out to be significant, we could optimize this by checking for chainInitDone outside the lock guard, returning immediately if it's already set, and then moving the setting of chainInitDone up to the top of the guarded section.) Signed-off-by: Laine Stump --- src/network/bridge_driver_linux.c | 65 ++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 18 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index c2ef27f251..20671e3ec5 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -34,25 +34,53 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 -static virOnceControl createdOnce; +static virMutex chainInitLock =3D VIR_MUTEX_INITIALIZER; static bool chainInitDone; /* true iff networkSetupPrivateChains was ever = called */ =20 static virErrorPtr errInitV4; static virErrorPtr errInitV6; =20 -/* Usually only called via virOnce, but can also be called directly in - * response to firewalld reload (if chainInitDone =3D=3D true) - */ -static void networkSetupPrivateChains(void) +static void +networkFirewallBackendUnsetError(void) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewall_backend wasn't set, and no usable setting c= ould be auto-detected")); +} + + +static int +networkFirewallSetupPrivateChains(virFirewallBackend backend, + virFirewallLayer layer) +{ + switch (backend) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesSetupPrivateChains(layer); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + networkFirewallBackendUnsetError(); + return -1; + } + return 0; +} + + +static void +networkSetupPrivateChains(virFirewallBackend backend, + bool force) +{ + VIR_LOCK_GUARD lock =3D virLockGuardLock(&chainInitLock); int rc; =20 + if (chainInitDone && !force) + return; + VIR_DEBUG("Setting up global firewall chains"); =20 g_clear_pointer(&errInitV4, virFreeError); g_clear_pointer(&errInitV6, virFreeError); =20 - rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4); + rc =3D networkFirewallSetupPrivateChains(backend, VIR_FIREWALL_LAYER_I= PV4); if (rc < 0) { VIR_DEBUG("Failed to create global IPv4 chains: %s", virGetLastErrorMessage()); @@ -65,7 +93,7 @@ static void networkSetupPrivateChains(void) VIR_DEBUG("Global IPv4 chains already exist"); } =20 - rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); + rc =3D networkFirewallSetupPrivateChains(backend, VIR_FIREWALL_LAYER_I= PV6); if (rc < 0) { VIR_DEBUG("Failed to create global IPv6 chains: %s", virGetLastErrorMessage()); @@ -138,6 +166,7 @@ networkPreReloadFirewallRules(virNetworkDriverState *dr= iver, bool startup G_GNUC_UNUSED, bool force) { + g_autoptr(virNetworkDriverConfig) cfg =3D virNetworkDriverGetConfig(dr= iver); /* * If there are any running networks, we need to * create the global rules upfront. This allows us @@ -157,14 +186,14 @@ networkPreReloadFirewallRules(virNetworkDriverState *= driver, */ if (chainInitDone && force) { /* The Private chains have already been initialized once - * during this run of libvirtd, so 1) we can't do it again via - * virOnce(), and 2) we need to re-add the private chains even - * if there are currently no running networks, because the - * next time a network is started, libvirt will expect that - * the chains have already been added. So we call directly - * instead of via virOnce(). + * during this run of libvirtd/virtnetworkd (known because + * chainInitDone =3D=3D true) so we need to re-add the private + * chains even if there are currently no running networks, + * because the next time a network is started, libvirt will + * expect that the chains have already been added. So we force + * the init. */ - networkSetupPrivateChains(); + networkSetupPrivateChains(cfg->firewallBackend, true); =20 } else { if (!networkHasRunningNetworksWithFW(driver)) { @@ -172,7 +201,7 @@ networkPreReloadFirewallRules(virNetworkDriverState *dr= iver, return; } =20 - ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); + networkSetupPrivateChains(cfg->firewallBackend, false); } } =20 @@ -304,10 +333,10 @@ int networkCheckRouteCollision(virNetworkDef *def) =20 int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend G_GNUC_UNUSED) + virFirewallBackend firewallBackend) { - if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) - return -1; + + networkSetupPrivateChains(firewallBackend, false); =20 if (errInitV4 && (virNetworkDefGetIPByIndex(def, AF_INET, 0) || --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 171375616291118.41923900243728; Sun, 21 Apr 2024 20:22:42 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id C5A0E1F28; Sun, 21 Apr 2024 23:22:41 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 01ABF1ECA; Sun, 21 Apr 2024 22:55:18 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D06311E70; Sun, 21 Apr 2024 22:53:52 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id CD6FC1E02 for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-375-4tADtWOdPXqPGjdMqP7TdA-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5115189A248 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3B69A1121306 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: 4tADtWOdPXqPGjdMqP7TdA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 14/27] util: new functions to support adding individual firewall rollback commands Date: Sun, 21 Apr 2024 22:53:22 -0400 Message-ID: <20240422025335.923272-15-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: DG47MB6VQTRRFUNDSVAGBSR4M5EW6GAY X-Message-ID-Hash: DG47MB6VQTRRFUNDSVAGBSR4M5EW6GAY X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756164656100001 In the past virFirewall required all rollback commands for a group (those commands necessary to "undo" any rules that had been added in that group in case of a later failure) to be manually added by switching into the virFirewall object into "rollback mode" and then re-calling the inverse of the exact virFirewallAddCmd*() APIs that had been called to add the original rules (ie. for each "iptables --insert" command, for rollback we would need to add a command with all arguments identical except that "--insert" would be replaced by "--delete"). Because nftables can't search for rules to remove by comparing all the arguments (it instead expects *only* a handle that is provided via stdout when the rule was originally added), we won't be able to follow the iptables method and manually construct the command to undo any given nft command by just duplicating all the args of the command (except the action). Instead we will need to be able to automatically create a rollback command at the time the rule-adding command is executed (e.g. an "nft delete rule" command that would include the rule handle returned in stdout by an "nft add rule" command). In order to make this happen, we need to be able to 1) learn whether the user of the virFirewall API desires this behavior (handled by a new transaction flag called VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK that can be retrieved with the new virFirewallTransactionGetFlags() API), and 2) add a new command to the current group's rollback command list (with the new virFirewallAddRollbackCmd()). We will actually use this capability in an upcoming patch. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 55 +++++++++++++++++++++++++++++++++++----- src/util/virfirewall.h | 7 +++++ 3 files changed, 57 insertions(+), 6 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index b6eb5a62a7..1a9e996879 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2403,6 +2403,7 @@ virFileCacheSetPriv; =20 # util/virfirewall.h virFirewallAddCmdFull; +virFirewallAddRollbackCmd; virFirewallApply; virFirewallBackendTypeFromString; virFirewallBackendTypeToString; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 489482fd83..274c5179ed 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -199,10 +199,12 @@ void virFirewallFree(virFirewall *firewall) fwCmd->args[fwCmd->argsLen++] =3D g_strdup(str); \ } while (0) =20 + static virFirewallCmd * virFirewallAddCmdFullV(virFirewall *firewall, virFirewallLayer layer, bool ignoreErrors, + bool isRollback, virFirewallQueryCallback cb, void *opaque, va_list args) @@ -219,18 +221,16 @@ virFirewallAddCmdFullV(virFirewall *firewall, } group =3D firewall->groups[firewall->currentGroup]; =20 - fwCmd =3D g_new0(virFirewallCmd, 1); - fwCmd->layer =3D layer; - fwCmd->queryCB =3D cb; - fwCmd->queryOpaque =3D opaque; =20 while ((str =3D va_arg(args, char *)) !=3D NULL) ADD_ARG(fwCmd, str); =20 - if (group->addingRollback) { + if (isRollback || group->addingRollback) { fwCmd->ignoreErrors =3D true; /* always ignore errors when rolling= back */ + fwCmd->queryCB =3D NULL; /* rollback commands can't have a callbac= k */ + fwCmd->queryOpaque =3D NULL; VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd); } else { /* when not rolling back, ignore errors if this group (transaction) @@ -238,6 +238,8 @@ virFirewallAddCmdFullV(virFirewall *firewall, * if this specific rule was created with ignoreErrors =3D=3D true */ fwCmd->ignoreErrors =3D ignoreErrors || (group->actionFlags & VIR_= FIREWALL_TRANSACTION_IGNORE_ERRORS); + fwCmd->queryCB =3D cb; + fwCmd->queryOpaque =3D opaque; VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd); } =20 @@ -278,7 +280,33 @@ virFirewallCmd *virFirewallAddCmdFull(virFirewall *fir= ewall, virFirewallCmd *fwCmd; va_list args; va_start(args, opaque); - fwCmd =3D virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, op= aque, args); + fwCmd =3D virFirewallAddCmdFullV(firewall, layer, ignoreErrors, false,= cb, opaque, args); + va_end(args); + return fwCmd; +} + + +/** + * virFirewallAddRollbackCmd: + * @firewall: firewall commands to add to + * @layer: the firewall layer to change + * @...: NULL terminated list of strings for the command + * + * Add a command to the current firewall command group "rollback". + * Rollback commands always ignore errors and don't support any + * callbacks. + * + * Returns the new Command + */ +virFirewallCmd * +virFirewallAddRollbackCmd(virFirewall *firewall, + virFirewallLayer layer, + ...) +{ + virFirewallCmd *fwCmd; + va_list args; + va_start(args, layer); + fwCmd =3D virFirewallAddCmdFullV(firewall, layer, true, true, NULL, NU= LL, args); va_end(args); return fwCmd; } @@ -435,6 +463,21 @@ void virFirewallStartTransaction(virFirewall *firewall, firewall->currentGroup =3D firewall->ngroups - 1; } =20 + +/** + * virFirewallTransactionGetFlags: + * @firewall: the firewall to look at + * + * Returns the virFirewallTransactionFlags for the currently active + * group (transaction) in @firewall. + */ +static virFirewallTransactionFlags G_GNUC_UNUSED +virFirewallTransactionGetFlags(virFirewall *firewall) +{ + return firewall->groups[firewall->currentGroup]->actionFlags; +} + + /** * virFirewallBeginRollback: * @firewall: the firewall ruleset diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 7f0fee047d..a4e62efbeb 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -74,6 +74,11 @@ virFirewallCmd *virFirewallAddCmdFull(virFirewall *firew= all, ...) G_GNUC_NULL_TERMINATED; =20 +virFirewallCmd *virFirewallAddRollbackCmd(virFirewall *firewall, + virFirewallLayer layer, + ...) + G_GNUC_NULL_TERMINATED; + void virFirewallRemoveCmd(virFirewall *firewall, virFirewallCmd *rule); =20 @@ -106,6 +111,8 @@ typedef enum { /* Ignore all errors when applying rules, so no * rollback block will be required */ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS =3D (1 << 0), + /* Set to auto-add a rollback rule for each rule that is applied */ + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK =3D (1 << 1), } virFirewallTransactionFlags; =20 void virFirewallStartTransaction(virFirewall *firewall, --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713756328179832.6345349585262; Sun, 21 Apr 2024 20:25:28 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 22B9C212F; Sun, 21 Apr 2024 23:25:27 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 675581E85; Sun, 21 Apr 2024 22:55:31 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 99EFA1E92; Sun, 21 Apr 2024 22:53:54 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 02C551E03 for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-375-5VxBR_rkNb2HL1Fxi5UihA-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 72AEB810602 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5B62E1121306 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: 5VxBR_rkNb2HL1Fxi5UihA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 15/27] util: implement rollback rule autocreation for iptables commands Date: Sun, 21 Apr 2024 22:53:23 -0400 Message-ID: <20240422025335.923272-16-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: K64YYOTGDLMDZCF6DHRCKZKDNGXGZLBB X-Message-ID-Hash: K64YYOTGDLMDZCF6DHRCKZKDNGXGZLBB X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756329035100001 If the VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK flag is set, each time an iptables command is executed that is adding a rule or chain, a corresponding command that will *delete* the same rule/chain is constructed and added to the list of rollback commands. If we later want to undo the entire firewall, we can just run those commands. This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump --- src/util/virfirewall.c | 55 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 274c5179ed..8cc551d6e2 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -471,7 +471,7 @@ void virFirewallStartTransaction(virFirewall *firewall, * Returns the virFirewallTransactionFlags for the currently active * group (transaction) in @firewall. */ -static virFirewallTransactionFlags G_GNUC_UNUSED +static virFirewallTransactionFlags virFirewallTransactionGetFlags(virFirewall *firewall) { return firewall->groups[firewall->currentGroup]->actionFlags; @@ -526,16 +526,25 @@ virFirewallCmdToString(const char *cmd, } =20 =20 +#define VIR_IPTABLES_ARG_IS_INSERT(arg) \ + (STREQ(arg, "--insert") || STREQ(arg, "-I") || \ + STREQ(arg, "--append") || STREQ(arg, "-A")) + + static int -virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, - char **output) +virFirewallCmdIptablesApply(virFirewall *firewall, + virFirewallCmd *fwCmd, + char **output) { - size_t i; const char *bin =3D virFirewallLayerCommandTypeToString(fwCmd->layer); + bool checkRollback =3D (virFirewallTransactionGetFlags(firewall) & + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); + bool needRollback =3D false; g_autoptr(virCommand) cmd =3D NULL; g_autofree char *cmdStr =3D NULL; - int status; g_autofree char *error =3D NULL; + size_t i; + int status; =20 if (!bin) { virReportError(VIR_ERR_INTERNAL_ERROR, @@ -559,8 +568,13 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, break; } =20 - for (i =3D 0; i < fwCmd->argsLen; i++) + for (i =3D 0; i < fwCmd->argsLen; i++) { + /* the -I/-A arg could be at any position in the list */ + if (checkRollback && VIR_IPTABLES_ARG_IS_INSERT(fwCmd->args[i])) + needRollback =3D true; + virCommandAddArg(cmd, fwCmd->args[i]); + } =20 cmdStr =3D virCommandToString(cmd, false); VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr)); @@ -572,8 +586,10 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, return -1; =20 if (status !=3D 0) { + /* the command failed, decide whether or not to report it */ if (fwCmd->ignoreErrors) { VIR_DEBUG("Ignoring error running command"); + return 0; } else { virReportError(VIR_ERR_INTERNAL_ERROR, _("Failed to run firewall command %1$s: %2$s"), @@ -583,6 +599,31 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, } } =20 + /* the command was successful, see if we need to add a + * rollback command + */ + + if (needRollback) { + virFirewallCmd *rollback + =3D virFirewallAddRollbackCmd(firewall, fwCmd->layer, NULL); + g_autofree char *rollbackStr =3D NULL; + + for (i =3D 0; i < fwCmd->argsLen; i++) { + /* iptables --delete wants the entire commandline that + * was used for --insert but with s/insert/delete/ + */ + if (VIR_IPTABLES_ARG_IS_INSERT(fwCmd->args[i])) { + virFirewallCmdAddArg(firewall, rollback, "--delete"); + } else { + virFirewallCmdAddArg(firewall, rollback, fwCmd->args[i]); + } + } + + rollbackStr =3D virFirewallCmdToString(virFirewallLayerCommandType= ToString(fwCmd->layer), + rollback); + VIR_DEBUG("Recording Rollback command '%s'", NULLSTR(rollbackStr)); + } + return 0; } =20 @@ -600,7 +641,7 @@ virFirewallApplyCmd(virFirewall *firewall, return -1; } =20 - if (virFirewallApplyCmdDirect(fwCmd, &output) < 0) + if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) return -1; =20 if (fwCmd->queryCB && output) { --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755208452462.4248651321757; Sun, 21 Apr 2024 20:06:48 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 722A6218F; Sun, 21 Apr 2024 23:06:47 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 9A8211EDB; Sun, 21 Apr 2024 22:54:32 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 5D6EB1DE9; Sun, 21 Apr 2024 22:53:48 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 6E9AB1DEF for ; Sun, 21 Apr 2024 22:53:40 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-280-uwP119bCOiGbmRW5kEzqxQ-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9290E380009B for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7BFAD1121306 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: uwP119bCOiGbmRW5kEzqxQ-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 16/27] network: turn on auto-rollback for the rules added for virtual networks Date: Sun, 21 Apr 2024 22:53:24 -0400 Message-ID: <20240422025335.923272-17-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: SHNI33JADWUPVGFTESDBHPHV26VW2HTD X-Message-ID-Hash: SHNI33JADWUPVGFTESDBHPHV26VW2HTD X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755209008100001 So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/network/network_iptables.c | 15 +++------------ tests/networkxml2firewalltest.c | 9 ++++++++- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index db35a4c5a0..467d43c1e9 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -1599,7 +1599,7 @@ iptablesAddFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK= ); =20 iptablesAddGeneralFirewallRules(fw, def); =20 @@ -1610,17 +1610,8 @@ iptablesAddFirewallRules(virNetworkDef *def) return -1; } =20 - virFirewallStartRollback(fw, 0); - - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - iptablesRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S | + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBAC= K)); iptablesAddChecksumFirewallRules(fw, def); =20 return virFirewallApply(fw); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 3a9f409e2a..e61787daec 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -79,7 +79,14 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, void *opaque G_GNUC_UNUSED) { *status =3D 0; - *output =3D g_strdup(""); + /* if arg[1] is -ae then this is an nft command, + * and the caller requested to get the handle + * of the newly added object in stdout + */ + if (STREQ_NULLABLE(args[1], "-ae")) + *output =3D g_strdup("# handle 5309"); + else + *output =3D g_strdup(""); *error =3D g_strdup(""); } =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713756208114335.6879548181083; Sun, 21 Apr 2024 20:23:28 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 0B2022174; Sun, 21 Apr 2024 23:23:26 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id E850B1F4E; Sun, 21 Apr 2024 22:55:21 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 209031E71; Sun, 21 Apr 2024 22:53:53 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 016391E06 for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-280-x0uKjum0OxiyUI79HBfRmA-1; Sun, 21 Apr 2024 22:53:38 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B56708884A1 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9CA261121306 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: x0uKjum0OxiyUI79HBfRmA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 17/27] util: new function virFirewallNewFromRollback() Date: Sun, 21 Apr 2024 22:53:25 -0400 Message-ID: <20240422025335.923272-18-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: TVYLXG65B4NDXZGM3B2OCZF64QNCLTTL X-Message-ID-Hash: TVYLXG65B4NDXZGM3B2OCZF64QNCLTTL X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756208741100001 virFirewallNewFromRollback() creates a new virFirewall object that contains a copy of the "rollback" commands from an existing virFirewall object, but in reverse order. The intent is that this virFirewall be saved and used later to remove the firewall rules that were added for a network. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 59 ++++++++++++++++++++++++++++++++++++++++ src/util/virfirewall.h | 1 + 3 files changed, 61 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 1a9e996879..e3dcb353b7 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2416,6 +2416,7 @@ virFirewallCmdToString; virFirewallFree; virFirewallGetBackend; virFirewallNew; +virFirewallNewFromRollback; virFirewallRemoveCmd; virFirewallStartRollback; virFirewallStartTransaction; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 8cc551d6e2..57d45abc17 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -751,3 +751,62 @@ virFirewallApply(virFirewall *firewall) =20 return 0; } + + +/** + * virFirewallNewFromRollback: + + * @original: the original virFirewall object containing the rollback + * of interest + * @fwRemoval: a firewall object that, when applied, will remove @original + * + * Copy the rollback rules from the current virFirewall object as a + * new virFirewall. This virFirewall can then be saved to apply later + * and counteract everything done by the original. + * + * Returns 0 on success, -1 on error + */ +int +virFirewallNewFromRollback(virFirewall *original, + virFirewall **fwRemoval) +{ + size_t g; + g_autoptr(virFirewall) firewall =3D NULL; + + if (original->err) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("error in original firewall object")); + return -1; + } + + firewall =3D virFirewallNew(original->backend); + + /* add the rollback commands in reverse order of actions/groups of + * what was applied in the original firewall. + */ + for (g =3D original->ngroups; g > 0; g--) { + size_t r; + virFirewallGroup *group =3D original->groups[g - 1]; + + if (group->nrollback =3D=3D 0) + continue; + + virFirewallStartTransaction(firewall, VIR_FIREWALL_TRANSACTION_IGN= ORE_ERRORS); + + for (r =3D group->nrollback; r > 0; r--) { + size_t i; + virFirewallCmd *origCmd =3D group->rollback[r - 1]; + virFirewallCmd *rbCmd =3D virFirewallAddCmd(firewall, origCmd-= >layer, NULL); + + for (i =3D 0; i < origCmd->argsLen; i++) + ADD_ARG(rbCmd, origCmd->args[i]); + } + } + + if (firewall->ngroups =3D=3D 0) + VIR_DEBUG("original firewall object is empty"); + else + *fwRemoval =3D g_steal_pointer(&firewall); + + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index a4e62efbeb..7d8b36fa96 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -45,6 +45,7 @@ typedef enum { VIR_ENUM_DECL(virFirewallBackend); =20 virFirewall *virFirewallNew(virFirewallBackend backend); +int virFirewallNewFromRollback(virFirewall *original, virFirewall **fwRemo= val); void virFirewallFree(virFirewall *firewall); virFirewallBackend virFirewallGetBackend(virFirewall *firewall); =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755375599571.4714536366378; Sun, 21 Apr 2024 20:09:35 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 936CD1F48; Sun, 21 Apr 2024 23:09:34 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 9BA301783; Sun, 21 Apr 2024 22:54:40 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 6A5071E30; Sun, 21 Apr 2024 22:53:49 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id C70CD1DED for ; Sun, 21 Apr 2024 22:53:40 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-484-BrOWYcipNNWMT1mEH7dzfw-1; Sun, 21 Apr 2024 22:53:39 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D54B318065AE for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id BF55F1121306 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: BrOWYcipNNWMT1mEH7dzfw-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 18/27] util: new functions virFirewallParseXML() and virFirewallFormat() Date: Sun, 21 Apr 2024 22:53:26 -0400 Message-ID: <20240422025335.923272-19-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: IN7DWGMJ3VUSBF5VJGMIY6P2SRFFPKUL X-Message-ID-Hash: IN7DWGMJ3VUSBF5VJGMIY6P2SRFFPKUL X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755377518100001 These functions convert a virFirewall object to/from XML so that it can be serialized to disk (in a virNetworkObj's status file) and restored later (e.g. after libvirtd/virtnetworkd is restarted). Signed-off-by: Laine Stump --- src/libvirt_private.syms | 2 + src/util/virfirewall.c | 217 +++++++++++++++++++++++++++++++++++++++ src/util/virfirewall.h | 9 ++ 3 files changed, 228 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index e3dcb353b7..aa253a238b 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2413,10 +2413,12 @@ virFirewallCmdAddArgList; virFirewallCmdAddArgSet; virFirewallCmdGetArgCount; virFirewallCmdToString; +virFirewallFormat; virFirewallFree; virFirewallGetBackend; virFirewallNew; virFirewallNewFromRollback; +virFirewallParseXML; virFirewallRemoveCmd; virFirewallStartRollback; virFirewallStartTransaction; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 57d45abc17..684569c760 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -40,6 +40,14 @@ VIR_ENUM_IMPL(virFirewallBackend, "UNSET", /* not yet set */ "iptables"); =20 +VIR_ENUM_DECL(virFirewallLayer); +VIR_ENUM_IMPL(virFirewallLayer, + VIR_FIREWALL_LAYER_LAST, + "ethernet", + "ipv4", + "ipv6", +); + typedef struct _virFirewallGroup virFirewallGroup; =20 VIR_ENUM_DECL(virFirewallLayerCommand); @@ -810,3 +818,212 @@ virFirewallNewFromRollback(virFirewall *original, =20 return 0; } + + +/* virFirewallGetFlagsFromNode: + * @node: the xmlNode to check for an ignoreErrors attribute + * + * A short helper to get the setting of the ignorErrors attribute from + * an xmlNode. Returns -1 on error (with error reported), or the + * VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS bit set/reset according to + * the value of the attribute. + */ +static int +virFirewallGetFlagsFromNode(xmlNodePtr node) +{ + virTristateBool ignoreErrors; + + if (virXMLPropTristateBool(node, "ignoreErrors", VIR_XML_PROP_NONE, &i= gnoreErrors) < 0) + return -1; + + if (ignoreErrors =3D=3D VIR_TRISTATE_BOOL_YES) + return VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS; + return 0; +} + + +/** + * virFirewallParseXML: + * @firewall: pointer to virFirewall* to fill in with new virFirewall obje= ct + * + * Construct a new virFirewall object according to the XML in + * xmlNodePtr. Return 0 (and new object) on success, or -1 (with + * error reported) on error. + * + * Example of element XML: + * + * + * + * + * + * arg1 + * arg2 + * ... + * + * + * + * ... + + * ... + * + * ... + * + */ +int +virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt) +{ + g_autoptr(virFirewall) newfw =3D NULL; + virFirewallBackend backend; + g_autofree xmlNodePtr *groupNodes =3D NULL; + ssize_t ngroups; + size_t g; + VIR_XPATH_NODE_AUTORESTORE(ctxt); + + ctxt->node =3D node; + + ngroups =3D virXPathNodeSet("./group", ctxt, &groupNodes); + if (ngroups < 0) + return -1; + if (ngroups =3D=3D 0) + return 0; + + if (virXMLPropEnum(node, "backend", virFirewallBackendTypeFromString, + VIR_XML_PROP_REQUIRED, &backend) < 0) { + return -1; + } + + newfw =3D virFirewallNew(backend); + + for (g =3D 0; g < ngroups; g++) { + int flags =3D 0; + g_autofree xmlNodePtr *actionNodes =3D NULL; + ssize_t nactions; + size_t a; + + ctxt->node =3D groupNodes[g]; + nactions =3D virXPathNodeSet("./action", ctxt, &actionNodes); + if (nactions < 0) + return -1; + if (nactions =3D=3D 0) + continue; + + if ((flags =3D virFirewallGetFlagsFromNode(groupNodes[g])) < 0) + return -1; + + virFirewallStartTransaction(newfw, flags); + + for (a =3D 0; a < nactions; a++) { + g_autofree xmlNodePtr *argsNodes =3D NULL; + ssize_t nargs; + size_t i; + virFirewallLayer layer; + virFirewallCmd *action; + bool ignoreErrors; + + ctxt->node =3D actionNodes[a]; + + if (!(ctxt->node =3D virXPathNode("./args", ctxt))) + continue; + + if ((flags =3D virFirewallGetFlagsFromNode(actionNodes[a])) < = 0) + return -1; + + ignoreErrors =3D flags & VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S; + + if (virXMLPropEnum(actionNodes[a], "layer", + virFirewallLayerTypeFromString, + VIR_XML_PROP_REQUIRED, &layer) < 0) { + return -1; + } + + nargs =3D virXPathNodeSet("./item", ctxt, &argsNodes); + if (nargs < 0) + return -1; + if (nargs =3D=3D 0) + continue; + + action =3D virFirewallAddCmdFull(newfw, layer, ignoreErrors, + NULL, NULL, NULL); + for (i =3D 0; i < nargs; i++) { + + char *arg =3D virXMLNodeContentString(argsNodes[i]); + if (!arg) + return -1; + + virFirewallCmdAddArg(newfw, action, arg); + } + } + } + + *firewall =3D g_steal_pointer(&newfw); + return 0; +} + + +/** + * virFirewallFormat: + * @buf: output buffer + * @firewall: the virFirewall object to format as XML + * + * Format virFirewall object @firewall into @buf as XML. + * Returns 0 on success, -1 on failure. + * + */ +int +virFirewallFormat(virBuffer *buf, + virFirewall *firewall) +{ + size_t g; + + if (firewall->ngroups =3D=3D 0) + return 0; + + virBufferAsprintf(buf, "\n", + virFirewallBackendTypeToString(virFirewallGetBackend= (firewall))); + virBufferAdjustIndent(buf, 2); + for (g =3D 0; g < firewall->ngroups; g++) { + virFirewallGroup *group =3D firewall->groups[g]; + bool groupIgnoreErrors =3D (group->actionFlags & + VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + size_t a; + + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, 2); + + for (a =3D 0; a < group->naction; a++) { + virFirewallCmd *action =3D group->action[a]; + size_t i; + + virBufferAsprintf(buf, "layer)); + /* if the entire group has ignoreErrors=3D'yes', then it's + * redundant to have it for an action of the group + */ + if (action->ignoreErrors && !groupIgnoreErrors) + virBufferAddLit(buf, " ignoreErrors=3D'yes'"); + virBufferAddLit(buf, ">\n"); + + virBufferAdjustIndent(buf, 2); + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, 2); + for (i =3D 0; i < virFirewallCmdGetArgCount(action); i++) + virBufferEscapeString(buf, "%s\n", action->ar= gs[i]); + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + } + + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + } + + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 7d8b36fa96..87629e8360 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -22,6 +22,8 @@ =20 #include "internal.h" #include "virenum.h" +#include "virbuffer.h" +#include "virxml.h" =20 typedef struct _virFirewall virFirewall; =20 @@ -130,4 +132,11 @@ void virFirewallStartRollback(virFirewall *firewall, =20 int virFirewallApply(virFirewall *firewall); =20 +int virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt); + +int virFirewallFormat(virBuffer *buf, + virFirewall *firewall); + G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755812896474.5811987189204; Sun, 21 Apr 2024 20:16:52 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 98E4E2162; Sun, 21 Apr 2024 23:16:51 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 8D0ED1F28; Sun, 21 Apr 2024 22:55:01 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id E56351E66; Sun, 21 Apr 2024 22:53:51 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 7EEDF1E00 for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-319-Ztn_sa0rNdOjDG5xg_cBKw-1; Sun, 21 Apr 2024 22:53:39 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 01DE929AB3E1 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id DF8C01121306 for ; Mon, 22 Apr 2024 02:53:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: Ztn_sa0rNdOjDG5xg_cBKw-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 19/27] conf: add a virFirewall object to virNetworkObj Date: Sun, 21 Apr 2024 22:53:27 -0400 Message-ID: <20240422025335.923272-20-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: RA6AW22NDX4MED66SXPIGQB7UATC2F7C X-Message-ID-Hash: RA6AW22NDX4MED66SXPIGQB7UATC2F7C X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755814498100001 This virFirewall object will store the list of actions required to remove the firewall that was added for the currently active instance of the network, so it has been named "fwRemoval". There are no uses of the fwRemoval object in the virNetworkObj yet, but everything is in place to add it to the XML when formatted, parse it from the XML when reading network status, and free the virFirewall object when the virNetworkObj is freed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/conf/virnetworkobj.c | 39 +++++++++++++++++++++++++++++++++++++++ src/conf/virnetworkobj.h | 11 +++++++++++ src/libvirt_private.syms | 3 +++ 3 files changed, 53 insertions(+) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index d5aa121e20..3501c8cab7 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -55,6 +55,11 @@ struct _virNetworkObj { =20 unsigned int taint; =20 + /* fwRemoval contains all commands needed to remove the firewall + * that was added for this network. + */ + virFirewall *fwRemoval; + /* Immutable pointer, self locking APIs */ virMacMap *macmap; =20 @@ -239,6 +244,28 @@ virNetworkObjSetFloorSum(virNetworkObj *obj, } =20 =20 +virFirewall ** +virNetworkObjGetFwRemovalPtr(virNetworkObj *obj) +{ + return &obj->fwRemoval; +} + + +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj) +{ + return obj->fwRemoval; +} + + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval) +{ + obj->fwRemoval =3D fwRemoval; +} + + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap) @@ -444,6 +471,7 @@ virNetworkObjDispose(void *opaque) virNetworkDefFree(obj->newDef); virBitmapFree(obj->classIdMap); virObjectUnref(obj->macmap); + virFirewallFree(obj->fwRemoval); } =20 =20 @@ -792,6 +820,9 @@ virNetworkObjFormat(virNetworkObj *obj, if (virNetworkDefFormatBuf(&buf, obj->def, xmlopt, flags) < 0) return NULL; =20 + if (obj->fwRemoval && virFirewallFormat(&buf, obj->fwRemoval) < 0) + return NULL; + virBufferAdjustIndent(&buf, -2); virBufferAddLit(&buf, ""); =20 @@ -826,6 +857,7 @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *configFile =3D NULL; g_autoptr(virNetworkDef) def =3D NULL; virNetworkObj *obj =3D NULL; + g_autoptr(virFirewall) fwRemoval =3D NULL; g_autoptr(xmlDoc) xml =3D NULL; xmlNodePtr node =3D NULL; g_autoptr(xmlXPathContext) ctxt =3D NULL; @@ -868,6 +900,7 @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *classIdStr =3D NULL; g_autofree char *floor_sum =3D NULL; g_autofree xmlNodePtr *nodes =3D NULL; + xmlNodePtr fwNode; =20 ctxt->node =3D node; if ((classIdStr =3D virXPathString("string(./class_id[1]/@bitmap)", @@ -902,6 +935,10 @@ virNetworkLoadState(virNetworkObjList *nets, taint |=3D (1 << flag); } } + if ((fwNode =3D virXPathNode("./firewall", ctxt)) && + virFirewallParseXML(&fwRemoval, fwNode, ctxt) < 0) { + return NULL; + } } =20 /* create the object */ @@ -910,6 +947,8 @@ virNetworkLoadState(virNetworkObjList *nets, =20 def =3D NULL; =20 + virNetworkObjSetFwRemoval(obj, g_steal_pointer(&fwRemoval)); + /* assign status data stored in the network object */ if (classIdMap) { virBitmapFree(obj->classIdMap); diff --git a/src/conf/virnetworkobj.h b/src/conf/virnetworkobj.h index d3847d3422..d35e495961 100644 --- a/src/conf/virnetworkobj.h +++ b/src/conf/virnetworkobj.h @@ -23,6 +23,7 @@ =20 #include "network_conf.h" #include "virnetworkportdef.h" +#include "virfirewall.h" =20 typedef struct _virNetworkObj virNetworkObj; =20 @@ -76,6 +77,16 @@ void virNetworkObjSetFloorSum(virNetworkObj *obj, unsigned long long floor_sum); =20 +virFirewall ** +virNetworkObjGetFwRemovalPtr(virNetworkObj *obj); + +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj); + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval); + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap); diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index aa253a238b..b69cf5a060 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1299,6 +1299,8 @@ virNetworkObjGetClassIdMap; virNetworkObjGetDef; virNetworkObjGetDnsmasqPid; virNetworkObjGetFloorSum; +virNetworkObjGetFwRemoval; +virNetworkObjGetFwRemovalPtr; virNetworkObjGetMacMap; virNetworkObjGetMetadata; virNetworkObjGetNewDef; @@ -1330,6 +1332,7 @@ virNetworkObjSetDef; virNetworkObjSetDefTransient; virNetworkObjSetDnsmasqPid; virNetworkObjSetFloorSum; +virNetworkObjSetFwRemoval; virNetworkObjSetMacMap; virNetworkObjSetMetadata; virNetworkObjTaint; --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713756109673547.6467595200553; Sun, 21 Apr 2024 20:21:49 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 8CAA7213F; Sun, 21 Apr 2024 23:21:48 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id C706D1EDD; Sun, 21 Apr 2024 22:55:13 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D4C601DC6; Sun, 21 Apr 2024 22:53:52 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 433B01DF2 for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-486-NA7CLnpcPn-zok0vwFkHoA-1; Sun, 21 Apr 2024 22:53:39 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 23B3E804C61 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0D9871121306 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: NA7CLnpcPn-zok0vwFkHoA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 20/27] network: use previously saved list of firewall removal commands Date: Sun, 21 Apr 2024 22:53:28 -0400 Message-ID: <20240422025335.923272-21-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: DK6WCC44APWNLFULTRYOHSRVUTZYQQTX X-Message-ID-Hash: DK6WCC44APWNLFULTRYOHSRVUTZYQQTX X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756110565100001 When destroying a network, the network driver has always assumed that it knew what firewall rules had been added as the network was started. This was usually correct - I only recall one time in the past that the firewall rules added by libvirt were changed. But if the exact rules used for a network *were* ever changed from one build/version of libvirt to another, then we would end up attempting to remove rules that hadn't been added, and could possibly *not* remove rules that had been added. The solution to this to not make such brash assumptions about the past, but instead to save (in the network status object at network start time) a list of all the rules needed to remove the rules that were added for the network, and then use that saved list during network destroy to remove exactly what was previous added. Beyond making net-destroy more precise, there are other benefits: 1) We can change the details of the rules we add for networks from one build/release of libvirt to another and painlessly upgrade. 2) The user can switch from one firewall backend to another by simply changing the setting in network.conf and restarting libvirtd/virtnetworkd. In both cases, the restarted libvirtd/virtnetworkd will remove all the rules that had been previously added (based on the network status), and then add new rules (saving the new removal commands back into the network status) Signed-off-by: Laine Stump =3D=3D NB: the current implementation saves only the commands necessary to remove the network's firewall, and names this in the status XML. It would be simple to instead save the *entire* virFirewall object (thus also including the commands that were used to add the firewall, as well as the commands needed to remove it) - although very verbose, it's possible it could be useful when debugging a firewall issue (since it's not obvious which rules were added for which network when just looking at the output of "nft list ruleset". Alternately, we could continue to store only the removal commands, but maybe change the name of the element in XML from to (which would leave the door open to expanding what is saved in the future). Any opinions on this? Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/network/bridge_driver.c | 31 ++++++++++++-------- src/network/bridge_driver_linux.c | 26 +++++++++++++---- src/network/bridge_driver_nop.c | 6 ++-- src/network/bridge_driver_platform.h | 6 ++-- src/network/network_iptables.c | 43 +++++++++++++++++++++++++--- src/network/network_iptables.h | 2 +- tests/networkxml2firewalltest.c | 2 +- 7 files changed, 87 insertions(+), 29 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 38e4ab84ad..c54a595d4d 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1696,8 +1696,9 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward=3D'open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def, cfg->firewallBackend); - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); + networkRemoveFirewallRules(obj); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend, + virNetworkObjGetFwRemoval= Ptr(obj))); break; =20 case VIR_NETWORK_FORWARD_OPEN: @@ -1949,8 +1950,10 @@ networkStartNetworkVirtual(virNetworkDriverState *dr= iver, =20 /* Add "once per network" rules */ if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def, cfg->firewallBackend) < 0) + networkAddFirewallRules(def, cfg->firewallBackend, + virNetworkObjGetFwRemovalPtr(obj)) < 0) { goto error; + } =20 firewalRulesAdded =3D true; =20 @@ -2065,7 +2068,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 if (firewalRulesAdded && def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); =20 virNetworkObjUnrefMacMap(obj); =20 @@ -2077,8 +2080,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 =20 static int -networkShutdownNetworkVirtual(virNetworkObj *obj, - virNetworkDriverConfig *cfg) +networkShutdownNetworkVirtual(virNetworkObj *obj) { virNetworkDef *def =3D virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -2104,7 +2106,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj, ignore_value(virNetDevSetOnline(def->bridge, false)); =20 if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); =20 @@ -2408,7 +2410,7 @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret =3D networkShutdownNetworkVirtual(obj, cfg); + ret =3D networkShutdownNetworkVirtual(obj); break; =20 case VIR_NETWORK_FORWARD_BRIDGE: @@ -3259,7 +3261,7 @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); needFirewallRefresh =3D true; break; default: @@ -3286,16 +3288,21 @@ networkUpdate(virNetworkPtr net, if (virNetworkObjUpdate(obj, command, section, parentIndex, xml, network_driver->xmlopt, flags) < 0) { - if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); + if (needFirewallRefresh) { + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend, + virNetworkObjGetFwRemoval= Ptr(obj))); + } goto cleanup; } =20 /* @def is replaced */ def =3D virNetworkObjGetDef(obj); =20 - if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallB= ackend) < 0) + if (needFirewallRefresh && + networkAddFirewallRules(def, cfg->firewallBackend, + virNetworkObjGetFwRemovalPtr(obj)) < 0) { goto cleanup; + } =20 if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { /* save updated persistent config to disk */ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 20671e3ec5..61a4a6cdc1 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -333,7 +333,8 @@ int networkCheckRouteCollision(virNetworkDef *def) =20 int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend) + virFirewallBackend firewallBackend, + virFirewall **fwRemoval) { =20 networkSetupPrivateChains(firewallBackend, false); @@ -419,13 +420,28 @@ networkAddFirewallRules(virNetworkDef *def, } } =20 - return iptablesAddFirewallRules(def); + return iptablesAddFirewallRules(def, fwRemoval); } =20 =20 void -networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend G_GNUC_UNUSE= D) +networkRemoveFirewallRules(virNetworkObj *obj) { - iptablesRemoveFirewallRules(def); + virFirewall *fw; + + if ((fw =3D virNetworkObjGetFwRemoval(obj)) =3D=3D NULL) { + /* No information about firewall rules in the network status, + * so we assume the old iptables-based rules from 10.2.0 and + * earlier. + */ + VIR_DEBUG("No firewall info in network status, assuming old-style = iptables"); + iptablesRemoveFirewallRules(virNetworkObjGetDef(obj)); + return; + } + + /* fwRemoval info was stored in the network status, so use that to + * remove the firewall + */ + VIR_DEBUG("Removing firewall rules with commands saved in network stat= us"); + virFirewallApply(fw); } diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 7d9a061e50..537b9234f8 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -37,12 +37,12 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNU= C_UNUSED) } =20 int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_UNUS= ED) + virFirewallBackend firewallBackend G_GNUC_UNUS= ED, + virFirewall **fwRemoval G_GNUC_UNUSED) { return 0; } =20 -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_U= NUSED) +void networkRemoveFirewallRules(virNetworkObj *obj G_GNUC_UNUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index 7443c3129f..cd2e3fa7b5 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -33,7 +33,7 @@ void networkPostReloadFirewallRules(bool startup); int networkCheckRouteCollision(virNetworkDef *def); =20 int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend); + virFirewallBackend firewallBackend, + virFirewall **fwRemoval); =20 -void networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend); +void networkRemoveFirewallRules(virNetworkObj *obj); diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 467d43c1e9..f774176b3d 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -1591,9 +1591,19 @@ iptablesRemoveIPSpecificFirewallRules(virFirewall *f= w, } =20 =20 -/* Add all rules for all ip addresses (and general rules) on a network */ +/* iptablesAddFirewallrules: + * + * @def - the network that needs an iptables firewall added + * @fwRemoval - if this is not NULL, it points to a pointer + * that should be filled in with a virFirewall object containing + * all the commands needed to remove this firewall at a later time. + * + * Add all rules for all ip addresses (and general rules) on a + * network, and optionally return a virFirewall object containing all + * the rules needed to later remove the firewall that has been added. +*/ int -iptablesAddFirewallRules(virNetworkDef *def) +iptablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval) { size_t i; virNetworkIPDef *ipdef; @@ -1614,10 +1624,35 @@ iptablesAddFirewallRules(virNetworkDef *def) VIR_FIREWALL_TRANSACTION_AUTO_ROLLBAC= K)); iptablesAddChecksumFirewallRules(fw, def); =20 - return virFirewallApply(fw); + if (virFirewallApply(fw) < 0) + return -1; + + if (fwRemoval) { + /* caller wants us to create a virFirewall object that can be + * applied to undo everything that was just done by * virFirewallA= pply() + */ + + if (virFirewallNewFromRollback(fw, fwRemoval) < 0) + return -1; + } + + return 0; } =20 -/* Remove all rules for all ip addresses (and general rules) on a network = */ +/* iptablesRemoveFirewallRules: + * + * @def - the network that needs its iptables firewall rules removed + * + * Remove all rules for all ip addresses (and general rules) on a + * network that is being shut down. + * + * This function assumes the set of iptables rules that were added by + * all versions of libvirt prior to 10.4.0; any libvirt of that + * release or newer may or may not have this same set of rules, and + * should be using the list of commands saved in NetworkObj::fwRemoval + * ( element in the network status XML) to remove the + * network's firewall rules. + */ void iptablesRemoveFirewallRules(virNetworkDef *def) { diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h index cdc143f154..d6ffc15bb0 100644 --- a/src/network/network_iptables.h +++ b/src/network/network_iptables.h @@ -23,7 +23,7 @@ #include "virfirewall.h" #include "network_conf.h" =20 -int iptablesAddFirewallRules(virNetworkDef *def); +int iptablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval); =20 void iptablesRemoveFirewallRules(virNetworkDef *def); =20 diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index e61787daec..93f693a8d7 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -105,7 +105,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) + if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) = < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 17137557526501015.5584796004246; Sun, 21 Apr 2024 20:15:52 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 895842127; Sun, 21 Apr 2024 23:15:51 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 5FFC91E34; Sun, 21 Apr 2024 22:54:56 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 970441E5E; Sun, 21 Apr 2024 22:53:51 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 8DE671DFC for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-423-cygSbt4bNI-_txRTLtaiMA-1; Sun, 21 Apr 2024 22:53:39 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 43D55380009C for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2D5731121306 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: cygSbt4bNI-_txRTLtaiMA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 21/27] network: save network status when firewall rules are reloaded Date: Sun, 21 Apr 2024 22:53:29 -0400 Message-ID: <20240422025335.923272-22-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: VTB2DRF4I5QCP6KBHS6PNFXAE7T4J3YJ X-Message-ID-Hash: VTB2DRF4I5QCP6KBHS6PNFXAE7T4J3YJ X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755754360100001 In the case that a new version of libvirt is started that uses different rules to build the network firewall, we need to re-save the status so that when the network is destroyed (or the *next* time libvirt is restarted and wants to remove/re-add the firewall), it will have the proper information to perform the firewall removal. Signed-off-by: Laine Stump --- src/conf/virnetworkobj.c | 1 + src/network/bridge_driver.c | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index 3501c8cab7..0012aaa0a2 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -838,6 +838,7 @@ virNetworkObjSaveStatus(const char *statusDir, int flags =3D 0; g_autofree char *xml =3D NULL; =20 + VIR_DEBUG("Writing network status to disk"); if (!(xml =3D virNetworkObjFormat(obj, xmlopt, flags))) return -1; =20 diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index c54a595d4d..c1dddd0550 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1685,6 +1685,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, g_autoptr(virNetworkDriverConfig) cfg =3D virNetworkDriverGetConfig(ne= tworkGetDriver()); VIR_LOCK_GUARD lock =3D virObjectLockGuard(obj); virNetworkDef *def =3D virNetworkObjGetDef(obj); + bool saveStatus =3D false; =20 if (virNetworkObjIsActive(obj)) { switch ((virNetworkForwardType) def->forward.type) { @@ -1699,6 +1700,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, networkRemoveFirewallRules(obj); ignore_value(networkAddFirewallRules(def, cfg->firewallBackend, virNetworkObjGetFwRemoval= Ptr(obj))); + saveStatus =3D true; break; =20 case VIR_NETWORK_FORWARD_OPEN: @@ -1716,6 +1718,11 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, } } =20 + if (saveStatus) { + ignore_value(virNetworkObjSaveStatus(cfg->stateDir, obj, + network_driver->xmlopt)); + } + return 0; } =20 @@ -2362,7 +2369,6 @@ networkStartNetwork(virNetworkDriverState *driver, /* Persist the live configuration now that anything autogenerated * is setup. */ - VIR_DEBUG("Writing network status to disk"); if (virNetworkObjSaveStatus(cfg->stateDir, obj, network_driver->xmlopt) < 0) goto cleanup; --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713755685557253.7156539288835; Sun, 21 Apr 2024 20:14:45 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 88D8E1E75; Sun, 21 Apr 2024 23:14:44 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id D26561F16; Sun, 21 Apr 2024 22:54:52 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 93D141E42; Sun, 21 Apr 2024 22:53:50 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 5C1101DF7 for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-486-xLf-t_oDOfOy0ukm_opmMA-1; Sun, 21 Apr 2024 22:53:39 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 63C203C025B5 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4D7661121306 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: xLf-t_oDOfOy0ukm_opmMA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 22/27] meson: stop looking for iptables/ip6tables/ebtables at build time Date: Sun, 21 Apr 2024 22:53:30 -0400 Message-ID: <20240422025335.923272-23-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: KRN6CKTCQMNU7T3FWI7QGF6LGZY75IXY X-Message-ID-Hash: KRN6CKTCQMNU7T3FWI7QGF6LGZY75IXY X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713755686184100001 This was the only reason we required the iptables and ebtables packages at build time, and many other external commands already have their binaries found at runtime by looking through $PATH (virCommand automatically does this), so we may as well do it for these commands as well. Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575 Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- meson.build | 3 --- src/network/bridge_driver_conf.c | 2 ++ src/util/virfirewall.h | 5 +++++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/meson.build b/meson.build index 1518afa1cb..18807a0fe9 100644 --- a/meson.build +++ b/meson.build @@ -818,10 +818,7 @@ optional_test_programs =3D [ =20 optional_programs =3D [ 'dmidecode', - 'ebtables', 'ip', - 'ip6tables', - 'iptables', 'iscsiadm', 'mdevctl', 'mm-ctl', diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index 9769ee06b5..5ebb362f5a 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -27,8 +27,10 @@ #include "virerror.h" #include "virfile.h" #include "virutil.h" +#include "virfirewall.h" /* for binary names */ #include "bridge_driver_conf.h" =20 + #define VIR_FROM_THIS VIR_FROM_NETWORK =20 VIR_LOG_INIT("network.bridge_driver"); diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 87629e8360..c75fb44347 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -25,6 +25,11 @@ #include "virbuffer.h" #include "virxml.h" =20 +/* various external programs executed when applying firewalls */ +#define EBTABLES "ebtables" +#define IPTABLES "iptables" +#define IP6TABLES "ip6tables" + typedef struct _virFirewall virFirewall; =20 typedef struct _virFirewallCmd virFirewallCmd; --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 171375627897238.12826885590903; Sun, 21 Apr 2024 20:24:38 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D78F31F88; Sun, 21 Apr 2024 23:24:37 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 52D531F5B; Sun, 21 Apr 2024 22:55:26 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 8C2761DE1; Sun, 21 Apr 2024 22:53:53 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 050F11E0C for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-670-CX69mboBN2iAedIrdIk7wA-1; Sun, 21 Apr 2024 22:53:39 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 838291049C93 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6D40F1121306 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: CX69mboBN2iAedIrdIk7wA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 23/27] rpm: drop BuildRequires for iptables and ebtables Date: Sun, 21 Apr 2024 22:53:31 -0400 Message-ID: <20240422025335.923272-24-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: VNWULDNRT2EAM6EC7X66NPZKOD4KVR6A X-Message-ID-Hash: VNWULDNRT2EAM6EC7X66NPZKOD4KVR6A X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756280923100001 The only reason for requiring these was so that meson could search for the binary location, and the previous patch eliminated that, so we no longer need them at build time. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- libvirt.spec.in | 2 -- 1 file changed, 2 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index bde25c6f6e..05f7a7e7c0 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -356,8 +356,6 @@ BuildRequires: sanlock-devel >=3D 2.4 BuildRequires: libpcap-devel >=3D 1.5.0 BuildRequires: libnl3-devel BuildRequires: libselinux-devel -BuildRequires: iptables -BuildRequires: ebtables # For modprobe BuildRequires: kmod BuildRequires: cyrus-sasl-devel --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713756707816164.4871866599891; Sun, 21 Apr 2024 20:31:47 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id ABD9117DA; Sun, 21 Apr 2024 23:31:46 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 124A91E21; Sun, 21 Apr 2024 22:55:42 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 4FC3E1E1F; Sun, 21 Apr 2024 22:54:04 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 66B011E0F for ; Sun, 21 Apr 2024 22:53:42 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-441-8U-bIavSOjqDylvJQVlNlw-1; Sun, 21 Apr 2024 22:53:39 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A5AEF380009B for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8EB661121306 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: 8U-bIavSOjqDylvJQVlNlw-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 24/27] network: add an nftables backend for network driver's firewall construction Date: Sun, 21 Apr 2024 22:53:32 -0400 Message-ID: <20240422025335.923272-25-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: RX5K6DEVHCHRYDSH4Q5RZB64DAVYDWWB X-Message-ID-Hash: RX5K6DEVHCHRYDSH4Q5RZB64DAVYDWWB X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756708190100001 Support using nftables to setup the firewall for each virtual network, rather than iptables. The initial implementation of the nftables backend creates (almost) exactly the same ruleset as the iptables backend, determined by running the following commands on a host that has an active virtual network: iptables-save >iptables.txt iptables-restore-translate -f iptables.txt (and the similar ip6tables-save/ip6tables-restore-translate for an IPv6 network). Correctness of the new backend was checked by comparing the output of: nft list ruleset when the backend is set to iptables and when it is set to nftables. This page was used as a guide: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to= _nftables The only differences between the rules created by the nftables backed vs. the iptables backend (aside from a few inconsequential changes in display order of some chains/options) are: 1) When we add nftables rules, rather than adding them in the system-created "filter" and "nat" tables, we add them in a private table (ie only we should be using it) created by us called "libvirt" (the system-created "filter" and "nat" tables can't be used because adding any rules to those tables directly with nft will cause failure of any legacy application attempting to use iptables when it tries to list the iptables rules (e.g. "iptables -S"). (NB: in nftables only a single table is required for both nat and filter rules - the chains for each are differentiated by specifying different "hook" locations for the toplevel chain of each) 2) nftables doesn't support the "checksum mangle" rule (or any equivalent functionality) that we have historically added to our iptables rules, so the nftables rules we add have nothing related to checksum mangling. (NB: The result of (2) is that if you a) have a very old guest (RHEL5 era or earlier) and b) that guest is using a virtio-net network device, and c) the virtio-net device is using vhost packet processing (the default) then DHCP on the guest will fail. You can work around this by adding to the XML for the guest). There are certainly much better nftables rulesets that could be used instead of those implemented here, and everything is in place to make future changes to the rules that are used simple and free of surprises (e.g. the rules that are added have coresponding "removal" commands added to the network status so that we will always remove exactly the rules that were previously added rather than trying to remove the rules that "this build of libvirt would have added" (which will be incorrect the first time we run a libvirt with a newly modified ruleset). For this initial implementation though, I wanted the nftables rules to be as identical to the iptables rules as possible, just to make it easier to verify that everything is working. The backend can be manually chosen using the firewall_backend setting in /etc/libvirt/network.conf. libvirtd/virtnetworkd will read this setting when it starts; if there is no explicit setting, it will look for iptables commands on the host and, if they are found, will select the iptables backend (this is the default for the sake of 100% backward compatibility), but if iptables commands aren't found, then it will use the nftables backend. (Since libvirt will automatically remove all its previous filter rules and re-add rules using the current backend setting for all active networks when it starts up, and the only noticeable change in behavior between the iptables and nftables backends is that noted in item (2) above, we could instead decide to make nftables the default backend rather than iptables - it all depends on how important it is to work properly on 15 year old guest OSes using DHCP with virtio-net interfaces). Signed-off-by: Laine Stump --- po/POTFILES | 1 + src/network/bridge_driver_conf.c | 3 + src/network/bridge_driver_linux.c | 18 +- src/network/meson.build | 1 + src/network/network.conf | 17 +- src/network/network_nftables.c | 940 ++++++++++++++++++++++++++++++ src/network/network_nftables.h | 28 + src/util/virfirewall.c | 169 +++++- src/util/virfirewall.h | 2 + 9 files changed, 1174 insertions(+), 5 deletions(-) create mode 100644 src/network/network_nftables.c create mode 100644 src/network/network_nftables.h diff --git a/po/POTFILES b/po/POTFILES index 8b89fcf832..118c9a98c8 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -145,6 +145,7 @@ src/network/bridge_driver_conf.c src/network/bridge_driver_linux.c src/network/leaseshelper.c src/network/network_iptables.c +src/network/network_nftables.c src/node_device/node_device_driver.c src/node_device/node_device_udev.c src/nwfilter/nwfilter_dhcpsnoop.c diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index 5ebb362f5a..f1159ed245 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -100,6 +100,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg = G_GNUC_UNUSED, * for binaries used by the backends, and set accordingly. */ g_autofree char *iptablesInPath =3D NULL; + g_autofree char *nftInPath =3D NULL; =20 /* virFindFileInPath() uses g_find_program_in_path(), * which allows absolute paths, and verifies that @@ -107,6 +108,8 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg = G_GNUC_UNUSED, */ if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; + else if ((nftInPath =3D virFindFileInPath(NFT))) + cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_NFTABLES; =20 if (cfg->firewallBackend =3D=3D VIR_FIREWALL_BACKEND_UNSET) VIR_INFO("firewall_backend not set, and no usable backend auto= -detected"); diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 61a4a6cdc1..a4ae381cb8 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -27,6 +27,7 @@ #include "virfirewall.h" #include "virfirewalld.h" #include "network_iptables.h" +#include "network_nftables.h" =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 @@ -56,6 +57,9 @@ networkFirewallSetupPrivateChains(virFirewallBackend back= end, case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesSetupPrivateChains(layer); =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + return nftablesSetupPrivateChains(layer); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: networkFirewallBackendUnsetError(); @@ -420,7 +424,19 @@ networkAddFirewallRules(virNetworkDef *def, } } =20 - return iptablesAddFirewallRules(def, fwRemoval); + switch (firewallBackend) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesAddFirewallRules(def, fwRemoval); + + case VIR_FIREWALL_BACKEND_NFTABLES: + return nftablesAddFirewallRules(def, fwRemoval); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + networkFirewallBackendUnsetError(); + return -1; + } + return 0; } =20 =20 diff --git a/src/network/meson.build b/src/network/meson.build index c34f00e8ff..91fe1784f0 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -3,6 +3,7 @@ network_driver_sources =3D [ 'bridge_driver_conf.c', 'bridge_driver_platform.c', 'network_iptables.c', + 'network_nftables.c', ] =20 driver_source_files +=3D files(network_driver_sources) diff --git a/src/network/network.conf b/src/network/network.conf index 74c79e4cc6..630c4387a1 100644 --- a/src/network/network.conf +++ b/src/network/network.conf @@ -5,7 +5,20 @@ # firewall_backend: # # determines which subsystem to use to setup firewall packet -# filtering rules for virtual networks. Currently the only supported -# selection is "iptables". +# filtering rules for virtual networks. +# +# Supported settings: +# +# iptables - use iptables commands to construct the firewall +# nftables - use nft commands to construct the firewall +# +# For backward compatibility, and to reduce surprises, the +# default setting is "iptables". +# +# (NB: switching from one backend to another while there are active +# virtual networks *is* supported. The change will take place the +# next time that libvirtd/virtnetworkd is restarted - all existing +# virtual networks will have their old firewalls removed, and then +# reloaded using the new backend.) # #firewall_backend =3D "iptables" diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c new file mode 100644 index 0000000000..c8cee98df5 --- /dev/null +++ b/src/network/network_nftables.c @@ -0,0 +1,940 @@ +/* + * network_nftables.c: nftables-based firewall implementation for + * virtual networks. + * + * Copyright (C) 2007-2014 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include +#include +#include +#include +#include + +#include "internal.h" +#include "virfirewalld.h" +#include "virerror.h" +#include "virlog.h" +#include "virhash.h" +#include "virenum.h" +#include "virstring.h" +#include "network_nftables.h" + +VIR_LOG_INIT("network.nftables"); + +#define VIR_FROM_THIS VIR_FROM_NONE + +#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP" +#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT" +#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI" +#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO" +#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX" +#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" + +/* we must avoid using the standard "filter" table as used by + * iptables, as any subsequent attempts to use iptables commands will + * fail (due to the "filter" table having rules that are unexpected by + * the iptables-compat + */ + +#define VIR_NFTABLES_PRIVATE_TABLE "libvirt" + +/* nftables backend uses the same binary (nft) for all layers, but + * IPv4 and IPv6 have their rules in separate classes of tables, + * either "ip" or "ip6". (there is also an "inet" class of tables that + * would examined for both IPv4 and IPv6 traffic, but since we want + * different rules for each family, we only use the family-specific + * table classes). + */ +VIR_ENUM_DECL(nftablesLayer); +VIR_ENUM_IMPL(nftablesLayer, + VIR_FIREWALL_LAYER_LAST, + "", + "ip", + "ip6", +); + + +typedef struct { + const char *parent; + const char *child; + const char *extraArgs; +} nftablesGlobalChain; + +typedef struct { + virFirewallLayer layer; + nftablesGlobalChain *chains; + size_t nchains; + bool *changed; +} nftablesGlobalChainData; + + +nftablesGlobalChain nftablesChains[] =3D { + /* chains for filter rules */ + {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }= "}, + {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accep= t; }"}, + {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept;= }"}, + {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL}, + {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL}, + {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, + {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL}, + {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL}, + + /* chains for NAT rules */ + {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; polic= y accept; }"}, + {"POSTROUTING", VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL}, +}; + + +static int +nftablesPrivateChainCreate(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + nftablesGlobalChainData *data =3D opaque; + g_autoptr(GHashTable) chains =3D virHashNew(NULL); + g_autoptr(GHashTable) links =3D virHashNew(NULL); + const char *const *line; + const char *chain =3D NULL; + size_t i; + bool tableMatch =3D false; + const char *layerStr =3D nftablesLayerTypeToString(layer); + g_autofree char *tableStr =3D g_strdup_printf("table %s %s {", + layerStr, + VIR_NFTABLES_PRIVATE_TABLE= ); + + line =3D lines; + while (line && *line) { + const char *pos =3D *line; + + virSkipSpaces(&pos); + if (STREQ(pos, tableStr)) { + /* "table ip libvirt {" */ + + tableMatch =3D true; + + } else if (STRPREFIX(pos, "chain ")) { + /* "chain LIBVIRT_OUT {" */ + + chain =3D pos + 6; + pos =3D strchr(chain, ' '); + if (pos) { + *(char *)pos =3D '\0'; + if (virHashUpdateEntry(chains, chain, (void *)0x1) < 0) + return -1; + } + + } else if ((pos =3D strstr(pos, "jump "))) { + /* "counter packets 20189046 bytes 3473108889 jump LIBVIRT_OUT= " */ + + pos +=3D 5; + if (chain) { + if (virHashUpdateEntry(links, pos, (char *)chain) < 0) + return -1; + } + + } + line++; + } + + if (!tableMatch) { + virFirewallAddCmd(fw, layer, "add", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + } + + for (i =3D 0; i < data->nchains; i++) { + if (!(tableMatch && virHashLookup(chains, data->chains[i].child)))= { + virFirewallAddCmd(fw, layer, "add", "chain", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].child, + data->chains[i].extraArgs, NULL); + *data->changed =3D true; + } + + if (data->chains[i].parent) { + const char *from =3D virHashLookup(links, data->chains[i].chil= d); + + if (!from || STRNEQ(from, data->chains[i].parent)) { + virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].parent, "counter", + "jump", data->chains[i].child, NULL); + } + } + } + + return 0; +} + + +int +nftablesSetupPrivateChains(virFirewallLayer layer) +{ + bool changed =3D false; + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + const char *layerStr =3D nftablesLayerTypeToString(layer); + nftablesGlobalChainData data =3D { layer, nftablesChains, G_N_ELEMENT= S(nftablesChains), &changed }; + + virFirewallStartTransaction(fw, 0); + + /* the output of "nft list table ip[6] libvirt" will be parsed by + * the callback nftablesPrivateChainCreate which will add any + * needed commands to add missing chains (or possibly even add the + * "ip[6] libvirt" table itself + */ + virFirewallAddCmdFull(fw, layer, false, + nftablesPrivateChainCreate, &data, + "list", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + + if (virFirewallApply(fw) < 0) + return -1; + + return changed ? 1 : 0; +} + + +static void +nftablesAddInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int tcp) +{ + g_autofree char *portstr =3D g_strdup_printf("%d", port); + const char *layerStr =3D nftablesLayerTypeToString(layer); + + virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_INPUT_CHAIN, + "iifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + + +static void +nftablesAddOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int tcp) +{ + g_autofree char *portstr =3D g_strdup_printf("%d", port); + const char *layerStr =3D nftablesLayerTypeToString(layer); + + virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_OUTPUT_CHAIN, + "oifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + + +/** + * nftablesAddTcpInput: + * + * Add a rule to @fw that will allow incoming TCP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddInput(fw, layer, iface, port, 1); +} + + +/** + * nftablesAddUdpInput: + * + * Add a rule to @fw that will allow incoming UDP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddInput(fw, layer, iface, port, 0); +} + + +/** + * nftablesAddTcpOutput: + * + * Add a rule to @fw that will allow outbound TCP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddOutput(fw, layer, iface, port, 1); +} + + +/** + * nftablesAddUdpOutput: + * + * Add a rule to @fw that will allow outbound UDP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddOutput(fw, layer, iface, port, 0); +} + + +/** + * nftablesAddForwardAllowOut: + * + * Add a rule to @fw that allows all outbound traffic coming from + * @iface (the virtual network's bridge) to be forwarded out @physdev, + * as long as its source address is in @netaddr/@prefix. + */ +static int +nftablesAddForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + g_autofree char *networkstr =3D NULL; + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D nftablesLayerTypeToString(layer); + virFirewallCmd *fwCmd; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + fwCmd =3D virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_OUT_CHAIN, + layerStr, "saddr", networkstr, + "iifname", iface, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL); + + return 0; +} + +/** + * nftablesAddForwardAllowRelatedIn: + * + * Add a rule to @fw that allows all traffic coming in from @physdev + * and destined to @iface (the virtual network's bridge) that has a + * destination within @netaddr/@prefix and is associated with an + * existing connection. + */ +static int +nftablesAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D nftablesLayerTypeToString(layer); + g_autofree char *networkstr =3D NULL; + virFirewallCmd *fwCmd; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + fwCmd =3D virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_IN_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + layerStr, "daddr", networkstr, + "ct", "state", "related,established", + "counter", "accept", NULL); + return 0; +} + + +/** + * nftablesAddForwardAllowIn: + * + * Add a rule to @fw that allows all traffic coming in from @physdev + * and destined to @iface (the virtual network's bridge) that has a + * destination within @netaddr/@prefix. + */ +static int +nftablesAddForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D nftablesLayerTypeToString(layer); + g_autofree char *networkstr =3D NULL; + virFirewallCmd *fwCmd; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + fwCmd =3D virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_IN_CHAIN, + layerStr, "daddr", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + "counter", "accept", NULL); + return 0; +} + + +/** + * nftablesAddForwardAllowCross: + * + * Add a rule to @fw to allow traffic to go across @iface (the virtual + * network's bridge) from one port to another. This allows all traffic + * between guests on the same virtual network. + */ +static void +nftablesAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLayerTypeToString(layer), + VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_X_CHAIN, + "iifname", iface, + "oifname", iface, + "counter", "accept", + NULL); +} + + +/** + * nftablesAddForwardRejectOut: + * + * Add a rule to @fw to forbid all outbound traffic through @iface + * (the virtual network's bridge). This is used as a catchall rule to + * reject traffic that hasn't already been explicitly allowed by + * another rule. + */ +static void +nftablesAddForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLayerTypeToString(layer), + VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_OUT_CHAIN, + "iifname", iface, + "counter", "reject", + NULL); +} + + +/** + * nftablesAddForwardRejectIn: + * + * Add a rule to @fw to forbid all inbound traffic through @iface (the + * virtual network's bridge). This is used as a catchall rule to + * reject traffic that hasn't already been explicitly allowed by + * another rule. + */ +static void +nftablesAddForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLayerTypeToString(layer), + VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_IN_CHAIN, + "oifname", iface, + "counter", "reject", + NULL); +} + + +/** + * nftablesAddForwardMasquerade: + * + * Add a rule to @fw that will masquerade outbound traffic from + * @netaddr/@prefix @iface to have the source IP/port from one of the + * range of @addr:@port (or something appropriate for the interface + * used for egress, if no address/port range is given) + */ +static int +nftablesAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + g_autofree char *networkstr =3D NULL; + g_autofree char *addrStartStr =3D NULL; + g_autofree char *addrEndStr =3D NULL; + g_autofree char *portRangeStr =3D NULL; + g_autofree char *natRangeStr =3D NULL; + virFirewallCmd *fwCmd; + int af =3D VIR_SOCKET_ADDR_FAMILY(netaddr); + virFirewallLayer layer =3D af =3D=3D AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D nftablesLayerTypeToString(layer); + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { + if (!(addrStartStr =3D virSocketAddrFormat(&addr->start))) + return -1; + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { + if (!(addrEndStr =3D virSocketAddrFormat(&addr->end))) + return -1; + } + } + + fwCmd =3D virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); + + if (protocol && protocol[0]) + virFirewallCmdAddArgList(fw, fwCmd, "meta", "l4proto", protocol, N= ULL); + + virFirewallCmdAddArgList(fw, fwCmd, + layerStr, "saddr", networkstr, + layerStr, "daddr", "!=3D", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + + if (protocol && protocol[0]) { + if (port->start =3D=3D 0 && port->end =3D=3D 0) { + port->start =3D 1024; + port->end =3D 65535; + } + + if (port->start < port->end && port->end < 65536) { + portRangeStr =3D g_strdup_printf(":%u-%u", port->start, port->= end); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid port range '%1$u-%2$u'."), + port->start, port->end); + return -1; + } + } + + /* Use snat if public address is specified */ + if (addrStartStr && addrStartStr[0]) { + if (addrEndStr && addrEndStr[0]) { + natRangeStr =3D g_strdup_printf("%s-%s%s", addrStartStr, addrE= ndStr, + portRangeStr ? portRangeStr : ""= ); + } else { + natRangeStr =3D g_strdup_printf("%s%s", addrStartStr, + portRangeStr ? portRangeStr : ""= ); + } + + virFirewallCmdAddArgList(fw, fwCmd, "counter", "snat", "to", natRa= ngeStr, NULL); + } else { + virFirewallCmdAddArgList(fw, fwCmd, "counter", "masquerade", NULL); + + if (portRangeStr && portRangeStr[0]) + virFirewallCmdAddArgList(fw, fwCmd, "to", portRangeStr, NULL); + } + + return 0; +} + + +/** + * nftablesAddDontMasquerade: + * + * Add a rule to @fw that prevents masquerading traffic coming from + * the network associated with the bridge if said traffic targets + * @destaddr. + */ +static int +nftablesAddDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + g_autofree char *networkstr =3D NULL; + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D nftablesLayerTypeToString(layer); + virFirewallCmd *fwCmd; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + fwCmd =3D virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, + layerStr, "saddr", networkstr, + layerStr, "daddr", destaddr, + "counter", "return", NULL); + return 0; +} + + +static const char networkLocalMulticastIPv4[] =3D "224.0.0.0/24"; +static const char networkLocalMulticastIPv6[] =3D "ff02::/16"; +static const char networkLocalBroadcast[] =3D "255.255.255.255/32"; + + +static int +nftablesAddMasqueradingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix =3D virNetworkIPDefPrefix(ipdef); + const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow forwarding packets from the bridge interface */ + if (nftablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow forwarding packets to the bridge interface if they are + * part of an existing connection + */ + if (nftablesAddForwardAllowRelatedIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* + * Enable masquerading. + * + * We need to end up with 5 rules in the table in this order + * + * 1. do not masquerade packets targeting 224.0.0.0/24 + * 2. do not masquerade packets targeting 255.255.255.255/32 + * 3. masquerade protocol=3Dtcp with sport mapping restriction + * 4. masquerade protocol=3Dudp with sport mapping restriction + * 5. generic, masquerade any protocol + * + * 224.0.0.0/24 is the local network multicast range. Packets are not + * forwarded outside. + * + * 255.255.255.255/32 is the broadcast address of any local network. A= gain, + * such packets are never forwarded, but strict DHCP clients don't acc= ept + * DHCP replies with changed source ports. + * + * The sport mappings are required, because default Nftables + * MASQUERADE maintain port numbers unchanged where possible. + * + * NFS can be configured to only "trust" port numbers < 1023. + * + * Guests using NAT thus need to be prevented from having port + * numbers < 1023, otherwise they can bypass the NFS "security" + * check on the source port number. + * + * Since we use '--insert' to add rules to the header of the + * chain, we actually need to add them in the reverse of the + * order just mentioned ! + */ + + /* First the generic masquerade rule for other protocols */ + if (nftablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + NULL) < 0) + return -1; + + /* UDP with a source port restriction */ + if (nftablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "udp") < 0) + return -1; + + /* TCP with a source port restriction */ + if (nftablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "tcp") < 0) + return -1; + + /* exempt local network broadcast address as destination */ + if (isIPv4 && + nftablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalBroadcast) < 0) + return -1; + + /* exempt local multicast range as destination */ + if (nftablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) + return -1; + + return 0; +} + + +static int +nftablesAddRoutingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix =3D virNetworkIPDefPrefix(ipdef); + const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow routing packets from the bridge interface */ + if (nftablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow routing packets to the bridge interface */ + if (nftablesAddForwardAllowIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static void +nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i =3D 0; + (ipv4def =3D virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) + break; + } + + /* allow DHCP requests through to dnsmasq & back out */ + nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + + /* allow DNS requests through to dnsmasq & back out */ + nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + + /* allow TFTP requests through to dnsmasq if necessary & back out */ + if (ipv4def && ipv4def->tftproot) { + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + } + + /* Catch all rules to block forwarding to/from bridges */ + nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + nftablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + + /* Allow traffic between guests on the same bridge */ + nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); +} + + +/* Add all once/network rules required for IPv6. + * If no IPv6 addresses are defined and is + * specified, then allow IPv6 communications between virtual systems. + * If any IPv6 addresses are defined, then add the rules for regular opera= tion. + */ +static void +nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && + !def->ipv6nogw) { + return; + } + + /* Catch all rules to block forwarding to/from bridges */ + nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + nftablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + /* Allow traffic between guests on the same bridge */ + nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { + /* allow DNS over IPv6 & back out */ + nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + /* allow DHCPv6 & back out */ + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546= ); + } +} + + +static void +nftablesAddGeneralFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + nftablesAddGeneralIPv4FirewallRules(fw, def); + nftablesAddGeneralIPv6FirewallRules(fw, def); +} + + +static int +nftablesAddIPSpecificFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + /* NB: in the case of IPv6, routing rules are added when the + * forward mode is NAT. This is because IPv6 has no NAT. + */ + + if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) + return nftablesAddMasqueradingFirewallRules(fw, def, ipdef); + else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) + return nftablesAddRoutingFirewallRules(fw, def, ipdef); + } else if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_ROUTE) { + return nftablesAddRoutingFirewallRules(fw, def, ipdef); + } + return 0; +} + + +/* nftablesAddFirewallrules: + * + * @def - the network that needs an nftables firewall added + * @fwRemoval - if this is not NULL, it points to a pointer + * that should be filled in with a virFirewall object containing + * all the commands needed to remove this firewall at a later time. + * + * Add all rules for all ip addresses (and general rules) on a + * network, and optionally return a virFirewall object containing all + * the rules needed to later remove the firewall that has been added. + */ +int +nftablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval) +{ + size_t i; + virNetworkIPDef *ipdef; + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK= ); + + nftablesAddGeneralFirewallRules(fw, def); + + for (i =3D 0; + (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (nftablesAddIPSpecificFirewallRules(fw, def, ipdef) < 0) + return -1; + } + + if (virFirewallApply(fw) < 0) + return -1; + + if (fwRemoval) { + /* caller wants us to create a virFirewall object that can be + * applied to undo everything that was just done by * virFirewallA= pply() + */ + + if (virFirewallNewFromRollback(fw, fwRemoval) < 0) + return -1; + } + + return 0; +} diff --git a/src/network/network_nftables.h b/src/network/network_nftables.h new file mode 100644 index 0000000000..5abae3a423 --- /dev/null +++ b/src/network/network_nftables.h @@ -0,0 +1,28 @@ +/* + * network_nftables.h: helper APIs for managing nftables in network driver + * + * Copyright (C) 2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#pragma once + +#include "virfirewall.h" +#include "network_conf.h" + +int nftablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval); + +int nftablesSetupPrivateChains(virFirewallLayer layer); diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 684569c760..c3d843ac58 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -38,7 +38,8 @@ VIR_LOG_INIT("util.firewall"); VIR_ENUM_IMPL(virFirewallBackend, VIR_FIREWALL_BACKEND_LAST, "UNSET", /* not yet set */ - "iptables"); + "iptables", + "nftables"); =20 VIR_ENUM_DECL(virFirewallLayer); VIR_ENUM_IMPL(virFirewallLayer, @@ -636,6 +637,153 @@ virFirewallCmdIptablesApply(virFirewall *firewall, } =20 =20 +#define VIR_NFTABLES_ARG_IS_INSERT(arg) \ + (STREQ(arg, "insert") || STREQ(arg, "add") || STREQ(arg, "create")) + +static int +virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED, + virFirewallCmd *fwCmd, + char **output) +{ + bool needRollback =3D false; + size_t cmdIdx =3D 0; + const char *objectType =3D NULL; + g_autoptr(virCommand) cmd =3D NULL; + g_autofree char *cmdStr =3D NULL; + g_autofree char *error =3D NULL; + size_t i; + int status; + + cmd =3D virCommandNew(NFT); + + if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTI= ON_AUTO_ROLLBACK) && + fwCmd->argsLen > 1) { + /* skip any leading options to get to command verb */ + for (i =3D 0; i < fwCmd->argsLen - 1; i++) { + if (fwCmd->args[i][0] !=3D '-') + break; + } + + if (i + 1 < fwCmd->argsLen && + VIR_NFTABLES_ARG_IS_INSERT(fwCmd->args[i])) { + + cmdIdx =3D i; + objectType =3D fwCmd->args[i + 1]; + + /* we currently only handle auto-rollback for rules, + * chains, and tables, and those all can be "rolled + * back" by a delete command using the handle that is + * returned when "-ae" is added to the add/insert + * command. + */ + if (STREQ_NULLABLE(objectType, "rule") || + STREQ_NULLABLE(objectType, "chain") || + STREQ_NULLABLE(objectType, "table")) { + + needRollback =3D true; + /* this option to nft instructs it to add the + * "handle" of the created object to stdout + */ + virCommandAddArg(cmd, "-ae"); + } + } + } + + for (i =3D 0; i < fwCmd->argsLen; i++) + virCommandAddArg(cmd, fwCmd->args[i]); + + cmdStr =3D virCommandToString(cmd, false); + VIR_INFO("Applying '%s'", NULLSTR(cmdStr)); + + virCommandSetOutputBuffer(cmd, output); + virCommandSetErrorBuffer(cmd, &error); + + if (virCommandRun(cmd, &status) < 0) + return -1; + + if (status !=3D 0) { + if (STREQ_NULLABLE(fwCmd->args[0], "list")) { + /* nft returns error status when the target of a "list" + * command doesn't exist, but we always want to just have + * an empty result, so this is not actually an error. + */ + } else if (fwCmd->ignoreErrors) { + VIR_DEBUG("Ignoring error running command"); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to apply firewall command '%1$s': %2$= s"), + NULLSTR(cmdStr), NULLSTR(error)); + VIR_FREE(*output); + return -1; + } + + /* there was an error, so we won't be building any rollback comman= d, + * but the error should be ignored, so we return success + */ + return 0; + } + + if (needRollback) { + virFirewallCmd *rollback =3D virFirewallAddRollbackCmd(firewall, f= wCmd->layer, NULL); + const char *handleStart =3D NULL; + size_t handleLen =3D 0; + g_autofree char *handleStr =3D NULL; + g_autofree char *rollbackStr =3D NULL; + + /* Search for "# handle n" in stdout of the nft add command - + * that is the handle of the table/rule/chain that will later + * need to be deleted. + */ + + if ((handleStart =3D strstr(*output, "# handle "))) { + handleStart +=3D 9; /* move past "# handle " */ + handleLen =3D strspn(handleStart, "0123456789"); + } + + if (!handleLen) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("couldn't register rollback command - command= '%1$s' had no valid handle in output ('%2$s')"), + NULLSTR(cmdStr), NULLSTR(*output)); + return -1; + } + + handleStr =3D g_strdup_printf("%.*s", (int)handleLen, handleStart); + + /* The rollback command is created from the original command like = this: + * + * 1) skip any leading options + * 2) replace add/insert with delete + * 3) keep the type of item being added (rule/chain/table) + * 4) keep the class (ip/ip6/inet) + * 5) for chain/rule, keep the table name + * 6) for rule, keep the chain name + * 7) add "handle n" where "n" is parsed from the + * stdout of the original nft command + */ + virFirewallCmdAddArgList(firewall, rollback, "delete", objectType, + fwCmd->args[cmdIdx + 2], /* ip/ip6/inet */ + NULL); + + if (STREQ_NULLABLE(objectType, "rule") || + STREQ_NULLABLE(objectType, "chain")) { + /* include table name in command */ + virFirewallCmdAddArg(firewall, rollback, fwCmd->args[cmdIdx + = 3]); + } + + if (STREQ_NULLABLE(objectType, "rule")) { + /* include chain name in command */ + virFirewallCmdAddArg(firewall, rollback, fwCmd->args[cmdIdx + = 4]); + } + + virFirewallCmdAddArgList(firewall, rollback, "handle", handleStr, = NULL); + + rollbackStr =3D virFirewallCmdToString(NFT, rollback); + VIR_DEBUG("Recording Rollback command '%s'", NULLSTR(rollbackStr)); + } + return 0; +} + + static int virFirewallApplyCmd(virFirewall *firewall, virFirewallCmd *fwCmd) @@ -649,8 +797,25 @@ virFirewallApplyCmd(virFirewall *firewall, return -1; } =20 - if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) + switch (virFirewallGetBackend(firewall)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) + return -1; + break; + + case VIR_FIREWALL_BACKEND_NFTABLES: + if (virFirewallCmdNftablesApply(firewall, fwCmd, &output) < 0) + return -1; + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + default: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unknown firewall backend %1$d"), + virFirewallGetBackend(firewall)); return -1; + } =20 if (fwCmd->queryCB && output) { if (!(lines =3D g_strsplit(output, "\n", -1))) diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index c75fb44347..a493d44db6 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -29,6 +29,7 @@ #define EBTABLES "ebtables" #define IPTABLES "iptables" #define IP6TABLES "ip6tables" +#define NFT "nft" =20 typedef struct _virFirewall virFirewall; =20 @@ -45,6 +46,7 @@ typedef enum { typedef enum { VIR_FIREWALL_BACKEND_UNSET, VIR_FIREWALL_BACKEND_IPTABLES, + VIR_FIREWALL_BACKEND_NFTABLES, =20 VIR_FIREWALL_BACKEND_LAST, } virFirewallBackend; --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713756526926767.6170355763043; Sun, 21 Apr 2024 20:28:46 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 965E1212F; Sun, 21 Apr 2024 23:28:45 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 1551D1F6C; Sun, 21 Apr 2024 22:55:39 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id B37991E1F; Sun, 21 Apr 2024 22:54:03 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 1E7DB1E04 for ; Sun, 21 Apr 2024 22:53:42 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-316-lc5S3L4tO0KBAgy0lJBL6Q-1; Sun, 21 Apr 2024 22:53:40 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D22F429AB3E7 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id AFC341121306 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: lc5S3L4tO0KBAgy0lJBL6Q-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 25/27] tests: test cases for nftables backend Date: Sun, 21 Apr 2024 22:53:33 -0400 Message-ID: <20240422025335.923272-26-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: B5EQJTCGGCAI26WX55IE2VS3MRU2BIZH X-Message-ID-Hash: B5EQJTCGGCAI26WX55IE2VS3MRU2BIZH X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756527566100001 Run all the networkxml2firewall tests twice - once with iptables backend, and once with the nftables backend. The results files for the existing iptables tests were previously named *.args. That has been changed to *.iptables, and the results files for the new nftables tests are named *.nftables. Signed-off-by: Laine Stump --- .../{base.args =3D> base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++++++++++ ...-linux.args =3D> nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 248 +++++++++ ...pv6-linux.args =3D> nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 384 ++++++++++++++ ...rgs =3D> nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++ ...linux.args =3D> nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 472 ++++++++++++++++++ ...-linux.args =3D> nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 384 ++++++++++++++ ...ftp-linux.args =3D> nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 274 ++++++++++ ...inux.args =3D> route-default-linux.iptables} | 0 .../route-default-linux.nftables | 162 ++++++ tests/networkxml2firewalltest.c | 47 +- 17 files changed, 2670 insertions(+), 13 deletions(-) rename tests/networkxml2firewalldata/{base.args =3D> base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args =3D> nat-defa= ult-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args =3D> nat-ipv6-li= nux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =3D> = nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux= .nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =3D> nat-man= y-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftabl= es rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =3D> nat-no-d= hcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args =3D> nat-tftp-li= nux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args =3D> route-= default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftab= les diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2fir= ewalldata/base.iptables similarity index 100% rename from tests/networkxml2firewalldata/base.args rename to tests/networkxml2firewalldata/base.iptables diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml= 2firewalldata/base.nftables new file mode 100644 index 0000000000..4f1f475a85 --- /dev/null +++ b/tests/networkxml2firewalldata/base.nftables @@ -0,0 +1,256 @@ +nft \ +list \ +table \ +ip \ +libvirt +nft \ +add \ +table \ +ip \ +libvirt +nft \ +add \ +chain \ +ip \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT +nft \ +list \ +table \ +ip6 \ +libvirt +nft \ +add \ +table \ +ip6 \ +libvirt +nft \ +add \ +chain \ +ip6 \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip6 \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-default-linux.args rename to tests/networkxml2firewalldata/nat-default-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables new file mode 100644 index 0000000000..2dafe078a1 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -0,0 +1,248 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables new file mode 100644 index 0000000000..63d4d8e2a5 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -0,0 +1,384 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b= /tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables new file mode 100644 index 0000000000..e6d5dea661 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -0,0 +1,456 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-many-ips-linux.args rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables new file mode 100644 index 0000000000..e636916c7e --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -0,0 +1,472 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.128.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.150.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.150.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables new file mode 100644 index 0000000000..63d4d8e2a5 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -0,0 +1,384 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-tftp-linux.args rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables new file mode 100644 index 0000000000..bb0598d011 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -0,0 +1,274 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/route-default-linux.args rename to tests/networkxml2firewalldata/route-default-linux.iptables diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables new file mode 100644 index 0000000000..834f6366ae --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -0,0 +1,162 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +ip \ +daddr \ +192.168.122.0/24 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 93f693a8d7..4cabe39d1d 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -92,7 +92,8 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, =20 static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline, - const char *baseargs) + const char *baseargs, + virFirewallBackend backend) { g_autofree char *actualargv =3D NULL; g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; @@ -105,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) = < 0) + if (networkAddFirewallRules(def, backend, NULL) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); @@ -126,6 +127,7 @@ static int testCompareXMLToArgvFiles(const char *xml, struct testInfo { const char *name; const char *baseargs; + virFirewallBackend backend; }; =20 =20 @@ -139,10 +141,11 @@ testCompareXMLToIPTablesHelper(const void *data) =20 xml =3D g_strdup_printf("%s/networkxml2firewalldata/%s.xml", abs_srcdir, info->name); - args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args", - abs_srcdir, info->name, RULESTYPE); + args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s", + abs_srcdir, info->name, RULESTYPE, + virFirewallBackendTypeToString(info->backend)); =20 - result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs); + result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs, info->= backend); =20 return result; } @@ -152,24 +155,42 @@ static int mymain(void) { int ret =3D 0; - g_autofree char *basefile =3D NULL; - g_autofree char *baseargs =3D NULL; + g_autofree char *basefileIptables =3D NULL; + g_autofree char *basefileNftables =3D NULL; + g_autofree char *baseargsIptables =3D NULL; + g_autofree char *baseargsNftables =3D NULL; + const char *baseargs[VIR_FIREWALL_BACKEND_LAST]; =20 -# define DO_TEST(name) \ +# define DO_TEST_FOR_BACKEND(name, backend) \ do { \ struct testInfo info =3D { \ - name, baseargs, \ + name, baseargs[backend], backend \ }; \ - if (virTestRun("Network XML-2-iptables " name, \ - testCompareXMLToIPTablesHelper, &info) < 0) \ + g_autofree char *label =3D g_strdup_printf("Network XML-2-%s %s", \ + virFirewallBackendTypeToS= tring(backend), \ + name); \ + if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \ ret =3D -1; \ } while (0) =20 - basefile =3D g_strdup_printf("%s/networkxml2firewalldata/base.args", a= bs_srcdir); +# define DO_TEST(name) \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); + + + basefileIptables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= iptables", abs_srcdir); + if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0) + return EXIT_FAILURE; + + baseargs[VIR_FIREWALL_BACKEND_IPTABLES] =3D baseargsIptables; =20 - if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0) + basefileNftables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= nftables", abs_srcdir); + if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0) return EXIT_FAILURE; =20 + baseargs[VIR_FIREWALL_BACKEND_NFTABLES] =3D baseargsNftables; + + DO_TEST("nat-default"); DO_TEST("nat-tftp"); DO_TEST("nat-many-ips"); --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713756035565601.2768219490202; Sun, 21 Apr 2024 20:20:35 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 772761B10; Sun, 21 Apr 2024 23:20:34 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id B53F11EC3; Sun, 21 Apr 2024 22:55:09 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 91DC31E70; Sun, 21 Apr 2024 22:53:52 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id C2EA91E01 for ; Sun, 21 Apr 2024 22:53:41 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-349-P1hTSnKIMGK-6cF8soTY2A-1; Sun, 21 Apr 2024 22:53:40 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id F0BBE1C07F20 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id D8B051121306 for ; Mon, 22 Apr 2024 02:53:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: P1hTSnKIMGK-6cF8soTY2A-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 26/27] network: prefer the nftables backend over iptables Date: Sun, 21 Apr 2024 22:53:34 -0400 Message-ID: <20240422025335.923272-27-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: DZRL632R5LR2D4HN6W5G6NDJLJCMITIT X-Message-ID-Hash: DZRL632R5LR2D4HN6W5G6NDJLJCMITIT X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756036562100001 The initial patches to support nftables for virtual networks left iptables as the default backend. The only functional difference between the two backends is that the nftables backend doesn't add any rules to fix up the checksum of DHCP packets, which will cause failures on guests with very old OSes (e.g. RHEL5) that have a virtio-net network interface using vhost packet processing (the default), connected to a libvirt virtual network, and configured to acquire the interface IP using DHCP. Since RHEL5 has been out of support for several years already, we might as well start off nftables support right by making it the default. In the extremely unlikely case that this causes a problem for anyone, they can work around the failure by adding " to the guest element. Signed-off-by: Laine Stump --- src/network/bridge_driver_conf.c | 6 +++--- src/network/network.conf | 9 ++++++--- src/network/test_libvirtd_network.aug.in | 2 +- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index f1159ed245..0139ece5ad 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -106,10 +106,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cf= g G_GNUC_UNUSED, * which allows absolute paths, and verifies that * the file is executable. */ - if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) - cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; - else if ((nftInPath =3D virFindFileInPath(NFT))) + if ((nftInPath =3D virFindFileInPath(NFT))) cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_NFTABLES; + else if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) + cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; =20 if (cfg->firewallBackend =3D=3D VIR_FIREWALL_BACKEND_UNSET) VIR_INFO("firewall_backend not set, and no usable backend auto= -detected"); diff --git a/src/network/network.conf b/src/network/network.conf index 630c4387a1..31723bccd5 100644 --- a/src/network/network.conf +++ b/src/network/network.conf @@ -12,8 +12,11 @@ # iptables - use iptables commands to construct the firewall # nftables - use nft commands to construct the firewall # -# For backward compatibility, and to reduce surprises, the -# default setting is "iptables". +# If firewall_backend isn't explicitly specified here, libvirt +# will default to using nftables if the "nft" command is available +# on the host, otherwise it will use iptables if the "iptables" +# command is available. If neither is available, then libvirt +# will log an error the first time any network is started. # # (NB: switching from one backend to another while there are active # virtual networks *is* supported. The change will take place the @@ -21,4 +24,4 @@ # virtual networks will have their old firewalls removed, and then # reloaded using the new backend.) # -#firewall_backend =3D "iptables" +#firewall_backend =3D "nftables" diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_li= bvirtd_network.aug.in index 3aa7b4cc22..81a6256919 100644 --- a/src/network/test_libvirtd_network.aug.in +++ b/src/network/test_libvirtd_network.aug.in @@ -2,4 +2,4 @@ module Test_libvirtd_network =3D @CONFIG@ =20 test Libvirtd_network.lns get conf =3D -{ "firewall_backend" =3D "iptables" } +{ "firewall_backend" =3D "nftables" } --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Sat May 18 10:08:02 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1713756368191978.7785406601288; Sun, 21 Apr 2024 20:26:08 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 297EA1705; Sun, 21 Apr 2024 23:26:07 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id AFD871EF4; Sun, 21 Apr 2024 22:55:34 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 81F071EA3; Sun, 21 Apr 2024 22:54:01 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id BA1201E14 for ; Sun, 21 Apr 2024 22:53:42 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-672-vpQv5FIlMXCQ3dvGv3njBQ-1; Sun, 21 Apr 2024 22:53:40 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1D9273C000AB for ; Mon, 22 Apr 2024 02:53:40 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 073CD1121306 for ; Mon, 22 Apr 2024 02:53:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: vpQv5FIlMXCQ3dvGv3njBQ-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 27/27] RFC: spec: change iptables/ebtables from Requires to Recommends, add nftables Date: Sun, 21 Apr 2024 22:53:35 -0400 Message-ID: <20240422025335.923272-28-laine@redhat.com> In-Reply-To: <20240422025335.923272-1-laine@redhat.com> References: <20240422025335.923272-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: TJIKKN3WJE7RYO3FJEBBVGG7W44DO5J7 X-Message-ID-Hash: TJIKKN3WJE7RYO3FJEBBVGG7W44DO5J7 X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1713756369112100001 We really shouldn't be requiring ebtables and iptables any more, since they don't always need to be used. Likewise, we probably should at least Recommend nftables, even though it's pretty much always installed already anyway. (Changing Requires to Recommends for the nwfilter package is a bit premature, since it currently will always require iptables and ebtables to function properly, but changing those to Recommends leads to a much smaller list of dependent packages removed by "dnf rm iptables/ebtables"). Signed-off-by: Laine Stump --- libvirt.spec.in | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 05f7a7e7c0..66b328671d 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -592,7 +592,8 @@ Summary: Network driver plugin for the libvirtd daemon Requires: libvirt-daemon-common =3D %{version}-%{release} Requires: libvirt-libs =3D %{version}-%{release} Requires: dnsmasq >=3D 2.41 -Requires: iptables +Recommends: iptables +Recommends: nftables =20 %description daemon-driver-network The network driver plugin for the libvirtd daemon, providing @@ -603,8 +604,8 @@ bridge capabilities. Summary: Nwfilter driver plugin for the libvirtd daemon Requires: libvirt-daemon-common =3D %{version}-%{release} Requires: libvirt-libs =3D %{version}-%{release} -Requires: iptables -Requires: ebtables +Recommends: iptables +Recommends: ebtables =20 %description daemon-driver-nwfilter The nwfilter driver plugin for the libvirtd daemon, providing --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org