From nobody Sun Apr 28 17:07:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1544199741392599.3321143107719; Fri, 7 Dec 2018 08:22:21 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 04886C075659; Fri, 7 Dec 2018 16:22:19 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C660D2E02B; Fri, 7 Dec 2018 16:22:18 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 8184A181B9E7; Fri, 7 Dec 2018 16:22:18 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id wB7GLkEO002479 for ; Fri, 7 Dec 2018 11:21:46 -0500 Received: by smtp.corp.redhat.com (Postfix) id 2EAF5104C53B; Fri, 7 Dec 2018 16:21:46 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-112-37.ams2.redhat.com [10.36.112.37]) by smtp.corp.redhat.com (Postfix) with ESMTP id 078EF1001F3C; Fri, 7 Dec 2018 16:21:44 +0000 (UTC) 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Fri, 7 Dec 2018 16:21:32 +0000 Message-Id: <20181207162135.15093-2-berrange@redhat.com> In-Reply-To: <20181207162135.15093-1-berrange@redhat.com> References: <20181207162135.15093-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 1/4] network: add platform driver callbacks around firewall reload X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Fri, 07 Dec 2018 16:22:19 +0000 (UTC) Allow the platform driver impls to run logic before and after the firewall reload process. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Laine Stump --- src/network/bridge_driver.c | 13 ++++++++----- src/network/bridge_driver_linux.c | 11 +++++++++++ src/network/bridge_driver_nop.c | 11 +++++++++++ src/network/bridge_driver_platform.h | 3 +++ 4 files changed, 33 insertions(+), 5 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 4bbc4f5a6d..11095bf974 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -165,7 +165,7 @@ static int networkShutdownNetworkExternal(virNetworkObjPtr obj); =20 static void -networkReloadFirewallRules(virNetworkDriverStatePtr driver); +networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup); =20 static void networkRefreshDaemons(virNetworkDriverStatePtr driver); 
@@ -553,7 +553,7 @@ firewalld_dbus_filter_bridge(DBusConnection *connection= ATTRIBUTE_UNUSED, "Reloaded")) { VIR_DEBUG("Reload in bridge_driver because of firewalld."); - networkReloadFirewallRules(driver); + networkReloadFirewallRules(driver, false); } =20 return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; @@ -753,7 +753,7 @@ networkStateInitialize(bool privileged, virNetworkObjListPrune(network_driver->networks, VIR_CONNECT_LIST_NETWORKS_INACTIVE | VIR_CONNECT_LIST_NETWORKS_TRANSIENT); - networkReloadFirewallRules(network_driver); + networkReloadFirewallRules(network_driver, true); networkRefreshDaemons(network_driver); =20 network_driver->networkEventState =3D virObjectEventStateNew(); @@ -829,7 +829,7 @@ networkStateReload(void) virNetworkObjLoadAllConfigs(network_driver->networks, network_driver->networkConfigDir, network_driver->networkAutostartDir); - networkReloadFirewallRules(network_driver); + networkReloadFirewallRules(network_driver, false); networkRefreshDaemons(network_driver); virNetworkObjListForEach(network_driver->networks, networkAutostartConfig, @@ -2181,12 +2181,15 @@ networkReloadFirewallRulesHelper(virNetworkObjPtr o= bj, =20 =20 static void -networkReloadFirewallRules(virNetworkDriverStatePtr driver) +networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup) { VIR_INFO("Reloading iptables rules"); + if (networkPreReloadFirewallRules(startup) < 0) + return; virNetworkObjListForEach(driver->networks, networkReloadFirewallRulesHelper, NULL); + networkPostReloadFirewallRules(startup); } =20 =20 diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index fb09954b8f..5650e1e061 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -36,6 +36,17 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 +int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ + return 0; +} + + +void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ +} + + /* XXX: This function can be a lot more exhaustive, there are certainly * other scenarios where we can ruin host network connectivity. * XXX: Using a proper library is preferred over parsing /proc diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 5e1acd07b4..64ff768b2f 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -21,6 +21,17 @@ =20 #include =20 +int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ + return 0; +} + + +void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ +} + + int networkCheckRouteCollision(virNetworkDefPtr def ATTRIBUTE_UNUSED) { return 0; diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index 706000df4e..2589948933 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h 
@@ -60,6 +60,9 @@ struct _virNetworkDriverState { typedef struct _virNetworkDriverState virNetworkDriverState; typedef virNetworkDriverState *virNetworkDriverStatePtr; =20 +int networkPreReloadFirewallRules(bool startup); +void networkPostReloadFirewallRules(bool startup); + int networkCheckRouteCollision(virNetworkDefPtr def); =20 int networkAddFirewallRules(virNetworkDefPtr def); --=20 2.19.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
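Review bot: in the networkReloadFirewallRules hunk of src/network/bridge_driver.c, a negative return from networkPreReloadFirewallRules() makes the function return silently: nothing is logged, the function is void so networkStateInitialize() cannot learn that no firewall rules were reloaded, and networkPostReloadFirewallRules() is then never called for that reload, so any state the pre hook set up is left unpaired. Consider at least a VIR_WARN or virReportError before the `return`, or make the function return int so startup can fail loudly; also move `VIR_INFO("Reloading iptables rules")` below the pre-hook check so the log does not claim a reload that was skipped.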
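Review bot: the two prototypes added to src/network/bridge_driver_platform.h carry no comment describing their contract: what `startup` means (first daemon start, as opposed to the firewalld-triggered and SIGHUP reloads that pass false), that a negative return from networkPreReloadFirewallRules() aborts the whole reload, and whether networkPostReloadFirewallRules() is guaranteed to run whenever the pre hook succeeded. A short block comment above the declarations would save later platform implementors (the linux and nop stubs in this patch are identical) from reading bridge_driver.c to find out.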
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Fri, 7 Dec 2018 16:21:33 +0000 Message-Id: <20181207162135.15093-3-berrange@redhat.com> In-Reply-To: <20181207162135.15093-1-berrange@redhat.com> References: <20181207162135.15093-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 2/4] util: pass layer into firewall query callback X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Fri, 07 Dec 2018 16:22:41 +0000 (UTC) Some of the query callbacks want to know the firewall layer that was being used for triggering the query to avoid duplicating that data. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Laine Stump --- src/nwfilter/nwfilter_ebiptables_driver.c | 17 ++++++++++------- src/util/virfirewall.c | 2 +- src/util/virfirewall.h | 1 + tests/virfirewalltest.c | 3 ++- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 5be1c9b07a..a9b40988dd 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -2703,6 +2703,7 @@ ebtablesCreateTmpSubChainFW(virFirewallPtr fw, =20 static int ebtablesRemoveSubChainsQuery(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque) { @@ -2719,14 +2720,14 @@ ebtablesRemoveSubChainsQuery(virFirewallPtr fw, if (tmp[0] =3D=3D chainprefixes[j] && tmp[1] =3D=3D '-') { VIR_DEBUG("Processing chain '%s'", tmp); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, false, ebtablesRemoveSubChainsQuery, (void *)chainprefixes, "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-F", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-X", tmp, NULL); } @@ -2804,6 +2805,7 @@ ebtablesRenameTmpRootChainFW(virFirewallPtr fw, =20 static int ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque ATTRIBUTE_UNUSED) { @@ -2828,17 +2830,17 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewallP= tr fw, else newchain[0] =3D CHAINPREFIX_HOST_OUT; VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, false, ebtablesRenameTmpSubAndRootChainsQue= ry, NULL, "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-F", newchain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-X", newchain, NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRule(fw, layer, "-t", "nat", "-E", tmp, newchain, NULL); } =20 
@@ -3760,6 +3762,7 @@ ebiptablesDriverProbeCtdir(void) =20 static int ebiptablesDriverProbeStateMatchQuery(virFirewallPtr fw ATTRIBUTE_UNUSED, + virFirewallLayer layer ATTRIBUTE_UNUS= ED, const char *const *lines, void *opaque) { diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index c786d7671b..42819cedb0 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -828,7 +828,7 @@ virFirewallApplyRule(virFirewallPtr firewall, return -1; =20 VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output); - if (rule->queryCB(firewall, (const char *const *)lines, rule->quer= yOpaque) < 0) + if (rule->queryCB(firewall, rule->layer, (const char *const *)line= s, rule->queryOpaque) < 0) return -1; =20 if (firewall->err =3D=3D ENOMEM) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index e024e88cc2..15f33223be 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -59,6 +59,7 @@ void virFirewallFree(virFirewallPtr firewall); virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_A= RGS__) =20 typedef int (*virFirewallQueryCallback)(virFirewallPtr firewall, + virFirewallLayer layer, const char *const *lines, void *opaque); =20 diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index dda736cae5..d0bb824836 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
@@ -992,11 +992,12 @@ testFirewallQueryHook(const char *const*args, =20 static int testFirewallQueryCallback(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque ATTRIBUTE_UNUSED) { size_t i; - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + virFirewallAddRule(fw, layer, "-A", "INPUT", "--source-host", "!192.168.122.129", "--jump", "REJECT", NULL); --=20 2.19.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
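Review bot: the virFirewallQueryCallback typedef in src/util/virfirewall.h gains a `layer` parameter without a comment saying what it is, namely the layer of the rule whose output is being queried (rule->layer in the virFirewallApplyRule() hunk), which is exactly what the ebtables callbacks now rely on to add their follow-up rules on the same layer. One line of documentation on the typedef would make that contract explicit for the other callback implementations.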
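Review bot: in the testFirewallQueryCallback hunk of tests/virfirewalltest.c, replacing the hard-coded VIR_FIREWALL_LAYER_IPV4 with the `layer` argument means the callback itself no longer asserts which layer it was handed; a wrong value passed from virFirewallApplyRule() would only surface indirectly, as a mismatch in the expected command output. Keeping an explicit check such as `if (layer != VIR_FIREWALL_LAYER_IPV4) return -1;` ahead of the virFirewallAddRule() call would test the new parameter directly and fail with a clearer message.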
From: Daniel P. Berrangé To: libvir-list@redhat.com Date: Fri, 7 Dec 2018 16:21:34 +0000 Message-Id: <20181207162135.15093-4-berrange@redhat.com> In-Reply-To: <20181207162135.15093-1-berrange@redhat.com> References: <20181207162135.15093-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 3/4] util: create private chains for virtual network firewall rules X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 07 Dec 2018 16:21:55 +0000 (UTC)

Historically firewall rules for virtual networks were added straight into the base chains. This works but has a number of bugs and design limitations:

- It is inflexible for admins wanting to add extra rules ahead of libvirt's rules, via hook scripts.
- It is not clear to the admin that the rules were created by libvirt
- Each rule must be deleted by libvirt individually since they are all directly in the builtin chains
- The ordering of rules in the forward chain is incorrect when multiple networks are created, allowing traffic to mistakenly flow between networks in one direction.

To address all of these problems, libvirt needs to move to creating rules in its own private chains. In the top level builtin chains, libvirt will add links to its own private top level chains.

Addressing the traffic ordering bug requires some extra steps.
With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network:

  -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
  -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
  -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
  -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
  -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

The rule allowing outbound traffic from virbr1 would mistakenly allow packets from virbr1 to virbr0, before the rule denying input to virbr0 gets a chance to run.

What we really need to do is group the forwarding rules into three distinct sets:

* Cross rules - LIBVIRT_FWX

  -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
  -A FORWARD -i virbr0 -o virbr0 -j ACCEPT

* Incoming rules - LIBVIRT_FWI

  -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable

* Outgoing rules - LIBVIRT_FWO

  -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
  -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
  -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

There is thus no risk of outgoing rules for one network mistakenly allowing incoming traffic for another network, as all incoming rules are evaluated first.
With this in mind, we'll thus need three distinct chains linked from the FORWARD chain, so we end up with:

  INPUT --> LIBVIRT_INP (filter)
  OUTPUT --> LIBVIRT_OUT (filter)
  FORWARD +-> LIBVIRT_FWX (filter)
          +-> LIBVIRT_FWO
          \-> LIBVIRT_FWI
  POSTROUTING --> LIBVIRT_PRT (nat & mangle)

Signed-off-by: Daniel P. Berrangé
--- src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 3 + src/util/viriptables.c | 131 ++++++++++++++++++++++++++++++ src/util/viriptables.h | 2 + 4 files changed, 137 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index fd63c9ca61..31aa14b74d 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2071,6 +2071,7 @@ iptablesRemoveOutputFixUdpChecksum; iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; +iptablesSetupPrivateChains; =20 =20 # util/viriscsi.h diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 5650e1e061..435de5e17d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -38,6 +38,9 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) { + int ret =3D iptablesSetupPrivateChains(); + if (ret < 0) + return -1; return 0; } =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index f379844d28..fbcf394fac 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -40,6 +40,7 @@ #include "virthread.h" #include "virstring.h" #include "virutil.h" +#include "virhash.h" =20 VIR_LOG_INIT("util.iptables"); =20
@@ -51,6 +52,136 @@ enum { }; =20 =20 +typedef struct { + const char *parent; + const char *child; +} iptablesGlobalChain; + +typedef struct { + virFirewallLayer layer; + const char *table; + iptablesGlobalChain *chains; + size_t nchains; + bool *changed; +} iptablesGlobalChainData; + + +static int +iptablesPrivateChainCreate(virFirewallPtr fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + iptablesGlobalChainData *data =3D opaque; + virHashTablePtr chains =3D NULL; + virHashTablePtr links =3D NULL; + const char *const *tmp; + int ret =3D -1; + size_t i; + + if (!(chains =3D virHashCreate(50, NULL))) + goto cleanup; + if (!(links =3D virHashCreate(50, NULL))) + goto cleanup; + + tmp =3D lines; + while (tmp && *tmp) { + if (STRPREFIX(*tmp, "-N ")) { /* eg "-N LIBVIRT_INP" */ + if (virHashUpdateEntry(chains, *tmp + 3, (void *)0x1) < 0) + goto cleanup; + } else if (STRPREFIX(*tmp, "-A ")) { /* eg "-A INPUT -j LIBVIRT_IN= P" */ + char *sep =3D strchr(*tmp + 3, ' '); + if (sep) { + *sep =3D '\0'; + if (STRPREFIX(sep + 1, "-j ")) { + if (virHashUpdateEntry(links, sep + 4, + (char *)*tmp + 3) < 0) + goto cleanup; + } + } + } + tmp++; + } + + for (i =3D 0; i < data->nchains; i++) { + const char *from; + if (!virHashLookup(chains, data->chains[i].child)) { + virFirewallAddRule(fw, layer, + "--table", data->table, + "--new-chain", data->chains[i].child, NULL); + *data->changed =3D true; + } + + from =3D virHashLookup(links, data->chains[i].child); + if (!from || STRNEQ(from, data->chains[i].parent)) + virFirewallAddRule(fw, layer, + "--table", data->table, + "--insert", data->chains[i].parent, + "--jump", data->chains[i].child, NULL); + } + + ret =3D 0; + cleanup: + virHashFree(chains); + virHashFree(links); + return ret; +} + + +int +iptablesSetupPrivateChains(void) +{ + virFirewallPtr fw =3D NULL; + int ret =3D -1; + iptablesGlobalChain filter_chains[] =3D { + {"INPUT", "LIBVIRT_INP"}, + {"OUTPUT", "LIBVIRT_OUT"}, + {"FORWARD", "LIBVIRT_FWO"}, + 
{"FORWARD", "LIBVIRT_FWI"}, + {"FORWARD", "LIBVIRT_FWX"}, + }; + iptablesGlobalChain natmangle_chains[] =3D { + {"POSTROUTING", "LIBVIRT_PRT"}, + }; + bool changed =3D false; + iptablesGlobalChainData data[] =3D { + { VIR_FIREWALL_LAYER_IPV4, "filter", + filter_chains, ARRAY_CARDINALITY(filter_chains), &changed }, + { VIR_FIREWALL_LAYER_IPV4, "nat", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + { VIR_FIREWALL_LAYER_IPV4, "mangle", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + { VIR_FIREWALL_LAYER_IPV6, "filter", + filter_chains, ARRAY_CARDINALITY(filter_chains), &changed }, + { VIR_FIREWALL_LAYER_IPV6, "nat", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + { VIR_FIREWALL_LAYER_IPV6, "mangle", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + }; + size_t i; + + fw =3D virFirewallNew(); + + virFirewallStartTransaction(fw, 0); + + for (i =3D 0; i < ARRAY_CARDINALITY(data); i++) + virFirewallAddRuleFull(fw, data[i].layer, + false, iptablesPrivateChainCreate, + &(data[i]), "--table", data[i].table, + "--list-rules", NULL); + + if (virFirewallApply(fw) < 0) + goto cleanup; + + ret =3D changed ? 1 : 0; + + cleanup: + + virFirewallFree(fw); + return ret; +} + + static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 9ea25fc096..1db97937a1 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -27,6 +27,8 @@ # include "virsocketaddr.h" # include "virfirewall.h" =20 +int iptablesSetupPrivateChains (void); + void iptablesAddTcpInput (virFirewallPtr fw, virFirewallLayer layer, const char *iface, --=20 2.19.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
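Review bot: in the iptablesPrivateChainCreate hunk of src/util/viriptables.c, `*sep = '\0'` writes into the `lines` array even though the parameter is declared `const char *const *lines`; strchr() launders the const away so this compiles, and the truncation is then relied upon so that `*tmp + 3` reads as the bare parent name ("INPUT") when it is stored in `links`. A VIR_STRNDUP of the parent name, or a copy of the line before splitting, would be the const-correct way to do the same thing. Separately, the link parser only recognises `-A PARENT -j CHILD` when `-j` immediately follows the parent, and `links` is keyed by child, so if two parent chains jump to the same private chain only the last one listed is recorded; a comment stating that this only ever looks for libvirt's own unconditional jump rules would make that limitation deliberate rather than accidental.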
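Review bot: in the iptablesSetupPrivateChains hunk of src/util/viriptables.c, all six `--list-rules` queries run in one transaction started with `virFirewallStartTransaction(fw, 0)`, i.e. without VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS, and three of them unconditionally drive VIR_FIREWALL_LAYER_IPV6, including the IPv6 `nat` table. On a host without ip6tables, or with a kernel that has no IPv6 NAT support, the whole call fails, networkPreReloadFirewallRules() returns -1 and, with patch 1/4, no IPv4 rules are reloaded either, which is a regression from the current behaviour. Consider tolerating failure of the IPv6 queries or running the two layers as separate transactions. Also, because each link is added with `--insert` (position 1) and filter_chains lists the FORWARD children as FWO, FWI, FWX, the jumps come out as FWX, FWI, FWO; that is the order the message requires (incoming rules before outgoing), but the diagram in the commit message shows FWO above FWI, so the message should be corrected, and a comment beside filter_chains noting that it is in reverse evaluation order would stop someone reordering the array.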
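Review bot: `int iptablesSetupPrivateChains (void);` in src/util/viriptables.h has no comment, yet the function has a three-valued result: 1 when at least one private chain was created, 0 when everything already existed, -1 on error, and a later patch in this series keys behaviour on the 1/0 distinction. Document it here, and note that `*data->changed` is only set when a chain is created, not when a missing jump rule is re-inserted, so 1 means "created a chain", not "modified the firewall".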
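To make the ordering bug described in this commit message concrete, here is an added Python model of iptables FORWARD-chain evaluation (not libvirt code) that runs the interleaved rule set and the grouped rule set quoted above against constructed packets; it also shows that linking the private chains in the order drawn in the diagram (FWO before FWI) would reopen the leak, while the order the patch actually produces (FWX, FWI, FWO) rejects it. The Packet type, the eth0 uplink and the sample addresses are assumptions for the demonstration.

```python
"""Model of iptables FORWARD-chain evaluation showing why libvirt's interleaved
per-network rules let new flows leak from virbr1 into virbr0, and why the
LIBVIRT_FWX/FWI/FWO split only closes the hole if FWI is evaluated before FWO.
Only the matches those rules use are modelled (-i -o -s -d, --ctstate, -j).
Not libvirt code; rule text is copied from the commit message of patch 3/4."""
import ipaddress
import shlex
from collections import namedtuple

INTERLEAVED = """
-A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""
GROUPED = """
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_FWI -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""
# Link order the patch produces: every "--insert" lands at position 1, so the
# filter_chains array order FWO, FWI, FWX comes out as FWX, FWI, FWO.
PATCH_ORDER = ("LIBVIRT_FWX", "LIBVIRT_FWI", "LIBVIRT_FWO")
# Link order as drawn in the commit message's diagram (FWO before FWI).
DIAGRAM_ORDER = ("LIBVIRT_FWX", "LIBVIRT_FWO", "LIBVIRT_FWI")

Packet = namedtuple("Packet", "in_if out_if src dst ctstate", defaults=("NEW",))

OPTIONS = {"-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst",
           "--ctstate": "ctstates", "-j": "target"}

def parse_rules(text):
    """Parse 'iptables -S' style '-A CHAIN <matches> -j TARGET' lines into
    {chain: [rule, ...]}, each rule a dict of the matches it specifies."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        rule = {}
        for opt, arg in zip(toks[2::2], toks[3::2]):    # every option takes one arg
            if opt in ("-s", "-d"):
                arg = ipaddress.ip_network(arg)
            elif opt == "--ctstate":
                arg = frozenset(arg.split(","))
            elif opt in ("-m", "--reject-with"):          # no effect on matching
                continue
            rule[OPTIONS[opt]] = arg                      # KeyError for unmodelled options
        chains.setdefault(toks[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """True when every match the rule specifies holds for the packet."""
    return (rule.get("in_if", pkt.in_if) == pkt.in_if
            and rule.get("out_if", pkt.out_if) == pkt.out_if
            and ("src" not in rule or ipaddress.ip_address(pkt.src) in rule["src"])
            and ("dst" not in rule or ipaddress.ip_address(pkt.dst) in rule["dst"])
            and ("ctstates" not in rule or pkt.ctstate in rule["ctstates"]))

def evaluate(chains, chain, pkt, policy="ACCEPT"):
    """Walk a chain as iptables does: first matching terminating target wins; a
    jump into a user chain that falls through resumes in the caller; `policy`
    is the verdict when the chain falls through (None for user chains)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("target")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        verdict = evaluate(chains, target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy

def forward_verdict(rules_text, pkt, link_order=()):
    """Verdict for pkt in FORWARD.  For the grouped layout link_order lists the
    private chains FORWARD jumps to, in evaluation order (-A FORWARD -j CHILD)."""
    chains = parse_rules(rules_text)
    for child in link_order:
        chains.setdefault("FORWARD", []).append({"target": child})
    return evaluate(chains, "FORWARD", pkt)

# Constructed sample packets: a new flow crossing from virbr1 into virbr0, a new
# flow between two guests on virbr1, and a reply from the uplink into virbr0.
CROSS_NET = Packet("virbr1", "virbr0", "192.168.3.10", "192.168.2.10")
SAME_NET = Packet("virbr1", "virbr1", "192.168.3.10", "192.168.3.20")
REPLY_IN = Packet("eth0", "virbr0", "10.0.0.1", "192.168.2.10", ctstate="ESTABLISHED")
```

forward_verdict(INTERLEAVED, CROSS_NET) returns ACCEPT (the leak), forward_verdict(GROUPED, CROSS_NET, PATCH_ORDER) returns REJECT, and the same call with DIAGRAM_ORDER returns ACCEPT again.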
From: Daniel P. Berrangé To: libvir-list@redhat.com Date: Fri, 7 Dec 2018 16:21:35 +0000 Message-Id: <20181207162135.15093-5-berrange@redhat.com> In-Reply-To: <20181207162135.15093-1-berrange@redhat.com> References: <20181207162135.15093-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 4/4] util: move virtual network firewall rules into private chains X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Fri, 07 Dec 2018 16:22:07 +0000 (UTC)

The previous commit created new chains to hold the firewall rules. This commit changes the code that creates rules to place them in the new private chains instead of the builtin top level chains.
With two networks running, the rules in the filter table now look like

  -N LIBVIRT_FWI
  -N LIBVIRT_FWO
  -N LIBVIRT_FWX
  -N LIBVIRT_INP
  -N LIBVIRT_OUT
  -A INPUT -j LIBVIRT_INP
  -A FORWARD -j LIBVIRT_FWX
  -A FORWARD -j LIBVIRT_FWI
  -A FORWARD -j LIBVIRT_FWO
  -A OUTPUT -j LIBVIRT_OUT
  -A LIBVIRT_FWI -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWI -d 192.168.1.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO -s 192.168.0.0/24 -i virbr0 -j ACCEPT
  -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO -s 192.168.1.0/24 -i virbr1 -j ACCEPT
  -A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
  -A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
  -A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT

While in the nat table:

  -N LIBVIRT_PRT
  -A POSTROUTING -j LIBVIRT_PRT
  -A LIBVIRT_PRT -s 192.168.0.0/24 -d 224.0.0.0/24 -j RETURN
  -A LIBVIRT_PRT -s 192.168.0.0/24 -d 255.255.255.255/32 -j RETURN
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
  -A LIBVIRT_PRT -s 192.168.1.0/24 -d 224.0.0.0/24 -j RETURN
  -A LIBVIRT_PRT -s 192.168.1.0/24 -d 255.255.255.255/32 -j RETURN
  -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

And finally the mangle table:

  -N LIBVIRT_PRT
  -A POSTROUTING -j LIBVIRT_PRT
  -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
  -A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

Signed-off-by: Daniel P. Berrangé
--- src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 20 ++- src/util/viriptables.c | 123 +++++++++++------- src/util/viriptables.h | 2 + .../nat-default-linux.args | 32 ++--- .../nat-ipv6-linux.args | 48 +++---- .../nat-many-ips-linux.args | 60 ++++----- .../nat-no-dhcp-linux.args | 46 +++---- .../nat-tftp-linux.args | 34 ++--- .../route-default-linux.args | 22 ++-- 10 files changed, 222 insertions(+), 166 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 31aa14b74d..8ab09a522c 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2071,6 +2071,7 @@ iptablesRemoveOutputFixUdpChecksum; iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; +iptablesSetDeletePrivate; iptablesSetupPrivateChains; =20 =20 diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 435de5e17d..571077d83a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c
@@ -36,17 +36,35 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 -int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +int networkPreReloadFirewallRules(bool startup) { int ret =3D iptablesSetupPrivateChains(); if (ret < 0) return -1; + + /* + * If this is initial startup, and we just created the + * top level private chains we either + * + * - upgraded from old libvirt + * - freshly booted from clean state + * + * In the first case we must delete the old rules from + * the built-in chains, instead of our new private chains. + * In the second case it doesn't matter, since no existing + * rules will be present. Thus we can safely just tell it + * to always delete from the builin chain + */ + if (startup && ret =3D=3D 1) { + iptablesSetDeletePrivate(false); + } return 0; } =20 =20 void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) { + iptablesSetDeletePrivate(true); } =20 =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index fbcf394fac..668967fcc5 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -51,6 +51,7 @@ enum { REMOVE }; =20 +static int deletePrivate =3D true; =20 typedef struct { const char *parent; @@ -182,9 +183,17 @@ iptablesSetupPrivateChains(void) } =20 =20 +void +iptablesSetDeletePrivate(bool pvt) +{ + deletePrivate =3D pvt; +} + + static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int port, int action, @@ -197,7 +206,8 @@ iptablesInput(virFirewallPtr fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "INPUT= ", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_INP" : "INPUT", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, 
@@ -208,6 +218,7 @@ iptablesInput(virFirewallPtr fw, static void iptablesOutput(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int port, int action, @@ -220,7 +231,8 @@ iptablesOutput(virFirewallPtr fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "OUTPU= T", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_OUT" : "OUTPUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -243,7 +255,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, true, iface, port, ADD, 1); } =20 /** @@ -261,7 +273,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1); } =20 /** @@ -279,7 +291,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, true, iface, port, ADD, 0); } =20 /** @@ -297,7 +309,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, iface, port, REMOVE, 0); + iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0); } =20 /** @@ -315,7 +327,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, true, iface, port, ADD, 0); } =20 /** @@ -333,7 +345,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0); } =20 =20 
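Review bot: in the viriptables.c hunk at @@ -51,6 +51,7 the new flag is declared `static int deletePrivate = true;` although iptablesSetDeletePrivate() stores a `bool` in it and every iptablesRemove* helper hands it on as `bool pvt`; declare it `static bool deletePrivate = true;`. The declaration also needs a comment explaining that the flag is only ever false between networkPreReloadFirewallRules() and networkPostReloadFirewallRules() on a startup that had to create the private chains, because every remove path reads it implicitly and a reader of viriptables.c alone cannot tell why a deletion would ever be aimed at the built-in chains instead of LIBVIRT_*.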
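Review bot: the new comment in the bridge_driver_linux.c hunk at @@ -36,17 +36,35 has a typo, "builin chain" should read "built-in chains". More importantly, `if (startup && ret == 1)` relies on iptablesSetupPrivateChains() returning exactly 1 when it had to create the top-level private chains, and the viriptables.h hunk in this same patch shows its declaration `int iptablesSetupPrivateChains (void);` with no comment stating that contract; document the meaning of the return values there, otherwise a later change to that function silently turns the upgrade path into deleting from the wrong chains.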
@@ -373,6 +385,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netad= dr, */ static int iptablesForwardAllowOut(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -389,7 +402,8 @@ iptablesForwardAllowOut(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWO" : "FORWARD", "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -398,7 +412,8 @@ iptablesForwardAllowOut(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWO" : "FORWARD", "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -427,7 +442,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, AD= D); + return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physd= ev, ADD); } =20 /** @@ -450,7 +465,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, RE= MOVE); + return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, ifa= ce, physdev, REMOVE); } =20 =20 @@ -459,6 +474,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, */ static int iptablesForwardAllowRelatedIn(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, 
@@ -475,7 +491,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -486,7 +503,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -517,7 +535,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, ADD); + return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface,= physdev, ADD); } =20 /** @@ -540,13 +558,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefi= x, iface, physdev, REMOVE); } =20 /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -563,7 +582,8 @@ iptablesForwardAllowIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, 
@@ -572,7 +592,8 @@ iptablesForwardAllowIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -600,7 +621,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD= ); + return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physde= v, ADD); } =20 /** @@ -623,18 +644,20 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); + return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, ifac= e, physdev, REMOVE); } =20 static void iptablesForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWX" : "FORWARD", "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -657,7 +680,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, true, iface, ADD); } =20 /** 
@@ -676,18 +699,20 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE); } =20 static void iptablesForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "delete", "FORWARD= ", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWO" : "FORWARD", "--in-interface", iface, "--jump", "REJECT", NULL); @@ -708,7 +733,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, true, iface, ADD); } =20 /** @@ -726,19 +751,21 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE); } =20 =20 static void iptablesForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--out-interface", iface, "--jump", "REJECT", NULL); @@ -759,7 +786,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, true, iface, ADD); } =20 /** @@ -777,7 +804,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE); } =20 =20 
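Review bot: the hunk at @@ -676,18 +699,20 also changes `"delete"` to `"--delete"` in iptablesForwardRejectOut(); `delete` is not a valid iptables option, so the remove path for that rule could never have worked, which is a real bug fix the commit message does not mention. Like the stray `return` dropped from the void iptablesRemoveUdpInput() at @@ -297,7 +309,7, it would be easier to find for backporting as its own commit, or at least called out in the commit message.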
@@ -786,6 +813,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, */ static int iptablesForwardMasquerade(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -824,7 +852,8 @@ iptablesForwardMasquerade(virFirewallPtr fw, if (protocol && protocol[0]) { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -832,7 +861,8 @@ iptablesForwardMasquerade(virFirewallPtr fw, } else { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -910,8 +940,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, ADD); + return iptablesForwardMasquerade(fw, true, netaddr, prefix, + physdev, addr, port, protocol, ADD); } =20 /** @@ -936,8 +966,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, REMOVE); + return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix, + physdev, addr, port, protocol, REMOVE= ); } =20 =20 @@ -946,6 +976,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, */ static int iptablesForwardDontMasquerade(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, 
@@ -968,7 +999,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -977,7 +1009,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, else virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -1007,8 +1040,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - ADD); + return iptablesForwardDontMasquerade(fw, true, netaddr, prefix, + physdev, destaddr, ADD); } =20 /** @@ -1032,13 +1065,14 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - REMOVE); + return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefi= x, + physdev, destaddr, REMOVE); } =20 =20 static void iptablesOutputFixUdpChecksum(virFirewallPtr fw, + bool pvt, const char *iface, int port, int action) @@ -1050,7 +1084,8 @@ iptablesOutputFixUdpChecksum(virFirewallPtr fw, =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D ADD ? "--insert" : "--delete", "POSTR= OUTING", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, 
@@ -1074,7 +1109,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD); } =20 /** @@ -1091,5 +1126,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 1db97937a1..d50158a59e 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -29,6 +29,8 @@ =20 int iptablesSetupPrivateChains (void); =20 +void iptablesSetDeletePrivate (bool pvt); + void iptablesAddTcpInput (virFirewallPtr fw, virFirewallLayer layer, const char *iface, diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index ffdafdff0e..c9d523d043 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
@@ -1,63 +1,63 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -65,13 +65,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -79,7 +79,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ 
@@ -87,19 +87,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index 22285afa10..a57b9266af 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -1,100 +1,100 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert 
LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -102,13 +102,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -116,7 +116,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -124,31 +124,31 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index aff9f69664..1bdc43fd6a 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -1,63 +1,63 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -65,13 +65,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -79,7 +79,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ 
@@ -87,25 +87,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.128.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.128.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -113,13 +113,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ -p udp '!' \ --destination 192.168.128.0/24 \ @@ -127,7 +127,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ -p tcp '!' \ --destination 192.168.128.0/24 \ @@ -135,25 +135,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.150.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.150.0/24 \ --out-interface virbr0 \ --match conntrack \ 
@@ -161,13 +161,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 '!' \ --destination 192.168.150.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ -p udp '!' \ --destination 192.168.150.0/24 \ @@ -175,7 +175,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ -p tcp '!' \ --destination 192.168.150.0/24 \ @@ -183,19 +183,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index 2a9d79054e..7d359f3824 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -1,100 +1,100 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert 
LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -102,13 +102,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -116,7 +116,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -124,25 +124,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index 1a06f0d0a5..b721801b70 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -1,70 +1,70 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 69 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -72,13 +72,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -86,7 +86,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -94,19 +94,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index 65563ff8b4..ed3c560f74 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -1,69 +1,69 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --=20 2.19.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
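Review bot: none of the visible fixture hunks (nat-default, nat-tftp and route-default `*.args`) contain the invocations that create the LIBVIRT_INP, LIBVIRT_OUT, LIBVIRT_FWO, LIBVIRT_FWI, LIBVIRT_FWX and LIBVIRT_PRT chains, nor the rules that jump into them from INPUT, OUTPUT, FORWARD and POSTROUTING, so after this change the test no longer exercises the path that makes the per-network rules reachable at all. If that setup happens once at driver start rather than per network, a separate expected-output fixture for it (or a sentence in the commit message saying where it is covered) would keep the test meaningful; as the fixtures stand, a regression that leaves the private chains unlinked would still pass while NAT and the DHCP/DNS accept rules silently stop applying.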
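Review bot: in the filter-table hunks the catch-all `--insert LIBVIRT_FWO ... --jump REJECT` and `--insert LIBVIRT_FWI ... --jump REJECT` now share a chain with the later `--source 192.168.122.0/24 ... --jump ACCEPT` and `--destination 192.168.122.0/24 ... --jump ACCEPT` rules, so correct behaviour still depends on each later `--insert` landing above the earlier REJECT inside the private chain. That was equally true when everything went into FORWARD, but it is less obvious to a reader of the fixture now that the chain names differ per direction; a short comment where these rules are emitted, stating that the inverted insertion order is intentional, would help. Worth adding to the commit message as well: once the rules live in LIBVIRT_* chains, their precedence relative to any administrator rules in the built-in chains is decided entirely by where the jump into LIBVIRT_* sits, which these hunks do not show.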
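Review bot: the `--table mangle` hunks in nat-tftp-linux.args and route-default-linux.args reuse the chain name LIBVIRT_PRT that the `--table nat` hunks also use. That is valid because chains are scoped per table, but `iptables -t nat -S LIBVIRT_PRT` will show only the masquerade and RETURN rules and not the `--out-interface virbr0 --protocol udp --destination-port 68` rule in mangle, which is easy to overlook when auditing the host. Either a distinct name for the mangle chain or a comment documenting that LIBVIRT_PRT exists in both tables would avoid that confusion.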
