From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Fri, 7 Dec 2018 17:00:47 +0000
Message-Id: <20181207170048.18181-2-berrange@redhat.com>
In-Reply-To: <20181207170048.18181-1-berrange@redhat.com>
References: <20181207170048.18181-1-berrange@redhat.com>
Subject: [libvirt] [PATCH 1/2] util: add support for creating per-network chains
List-Id: Development discussions about the libvirt library & tools

Rather than putting all rules into libvirt's main private chains,
create a private chain per network. This will make it easier for
administrators to use hooks to customize the chains per network.

For the LIBVIRT_INP, LIBVIRT_OUT, LIBVIRT_FWO and LIBVIRT_FWI chains
it is also possible to set interface name matches on the jumps to the
per-network chains. This will result in fewer iptables rules being
evaluated per packet when lots of networks are running.

We thus end up with the following chains

  INPUT --> LIBVIRT_INP +-> LIBVIRT_INP_virbr0 (filter)
                        +-> LIBVIRT_INP_virbr1
                        |   ...
                        \-> LIBVIRT_INP_virbrN

  OUTPUT --> LIBVIRT_OUT +-> LIBVIRT_OUT_virbr0 (filter)
                         +-> LIBVIRT_INP_virbr1
                         |   ...
                         \-> LIBVIRT_INP_virbrN

  FORWARD +-> LIBVIRT_FWX +-> LIBVIRT_FWX_virbr0 (filter)
          |               +-> LIBVIRT_INP_virbr1
          |               |   ...
          |               \-> LIBVIRT_INP_virbrN
          |
          +-> LIBVIRT_FWO +-> LIBVIRT_FWO_virbr0 (filter)
          |               +-> LIBVIRT_INP_virbr1
          |               |   ...
          |               \-> LIBVIRT_INP_virbrN
          |
          \-> LIBVIRT_FWI +-> LIBVIRT_FWI_virbr0 (filter)
                          +-> LIBVIRT_INP_virbr1
                          |   ...
                          \-> LIBVIRT_INP_virbrN

  POSTROUTING --> LIBVIRT_PRT +-> LIBVIRT_PRT_virbr0 (nat & mangle)
                              +-> LIBVIRT_INP_virbr1
                              |   ...
                              \-> LIBVIRT_INP_virbrN

Signed-off-by: Daniel P. Berrangé
---
 src/libvirt_private.syms          |  2 +
 src/network/bridge_driver_linux.c |  5 +
 src/util/viriptables.c            | 85 ++++++++++++++++
 src/util/viriptables.h            |  2 +
 .../nat-default-linux.args        | 98 +++++++++++++++++++
 .../nat-ipv6-linux.args           | 98 +++++++++++++++++++
 .../nat-many-ips-linux.args       | 98 +++++++++++++++++++
 .../nat-no-dhcp-linux.args        | 98 +++++++++++++++++++
 .../nat-tftp-linux.args           | 98 +++++++++++++++++++
 .../route-default-linux.args      | 98 +++++++++++++++++++
 10 files changed, 682 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 8ab09a522c..8f7f166aef 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2072,7 +2072,9 @@ iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; iptablesSetDeletePrivate; +iptablesSetupLocalChains; iptablesSetupPrivateChains; +iptablesTeardownLocalChains; =20 =20 # util/viriscsi.h diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 571077d83a..4777e9efc4 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -672,6 +672,9 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 + if (iptablesSetupLocalChains(def->bridge) < 0) + return -1; + fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, 0); @@ -714,6 +717,8 @@ void networkRemoveFirewallRules(virNetworkDefPtr def) virNetworkIPDefPtr ipdef; virFirewallPtr fw =3D NULL; =20 + iptablesTeardownLocalChains(def->bridge); + fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 668967fcc5..53d0568a84 100644
--- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -183,6 +183,91 @@ iptablesSetupPrivateChains(void) } =20 =20 +static int +iptablesLocalChainsManage(int action, + const char *iface) +{ + virFirewallPtr fw =3D NULL; + int ret =3D -1; + struct { + virFirewallLayer layer; + const char *table; + const char *parent; + } chains[] =3D { + {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_INP"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_OUT"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_FWO"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_FWI"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_FWX"}, + {VIR_FIREWALL_LAYER_IPV4, "nat", "LIBVIRT_PRT"}, + {VIR_FIREWALL_LAYER_IPV4, "mangle", "LIBVIRT_PRT"}, + + {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_INP"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_OUT"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_FWO"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_FWI"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_FWX"}, + {VIR_FIREWALL_LAYER_IPV6, "nat", "LIBVIRT_PRT"}, + {VIR_FIREWALL_LAYER_IPV6, "mangle", "LIBVIRT_PRT"}, + }; + size_t i; + + fw =3D virFirewallNew(); + + virFirewallStartTransaction(fw, action =3D=3D ADD ? 
0 : + VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + + for (i =3D 0; i < ARRAY_CARDINALITY(chains); i++) { + char *child; + if (virAsprintf(&child, "%s_%s", chains[i].parent, iface) < 0) + goto cleanup; + + if (action =3D=3D ADD) { + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--new-chain", child, NULL); + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--insert", chains[i].parent, + "--jump", child, NULL); + } else { + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--delete", chains[i].parent, + "--jump", child, NULL); + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--flush", child, NULL); + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--delete-chain", child, NULL); + } + } + + if (virFirewallApply(fw) < 0) + goto cleanup; + + ret =3D 0; + cleanup: + virFirewallFree(fw); + return ret; +} + + +int +iptablesSetupLocalChains(const char *iface) +{ + return iptablesLocalChainsManage(ADD, iface); +} + + +int +iptablesTeardownLocalChains(const char *iface) +{ + return iptablesLocalChainsManage(REMOVE, iface); +} + + void iptablesSetDeletePrivate(bool pvt) { diff --git a/src/util/viriptables.h b/src/util/viriptables.h index d50158a59e..8eb884aa9f 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -28,6 +28,8 @@ # include "virfirewall.h" =20 int iptablesSetupPrivateChains (void); +int iptablesSetupLocalChains (const char *iface); +int iptablesTeardownLocalChains (const char *iface); =20 void iptablesSetDeletePrivate (bool pvt); =20 diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index c9d523d043..8efc415bee 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
@@ -1,5 +1,103 @@ iptables \ --table filter \ +--new-chain LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +iptables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +ip6tables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--insert LIBVIRT_PRT \ 
+--jump LIBVIRT_PRT_virbr0 +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index a57b9266af..a72efecc49 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -1,5 +1,103 @@ iptables \ --table filter \ +--new-chain LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +iptables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +ip6tables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--insert LIBVIRT_PRT \ 
+--jump LIBVIRT_PRT_virbr0 +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index 1bdc43fd6a..5094d6793b 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -1,5 +1,103 @@ iptables \ --table filter \ +--new-chain LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +iptables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +ip6tables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--insert LIBVIRT_PRT \ 
+--jump LIBVIRT_PRT_virbr0 +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index 7d359f3824..3b870a0a02 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -1,5 +1,103 @@ iptables \ --table filter \ +--new-chain LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +iptables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +ip6tables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--insert LIBVIRT_PRT \ 
+--jump LIBVIRT_PRT_virbr0 +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index b721801b70..f002f0add9 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -1,5 +1,103 @@ iptables \ --table filter \ +--new-chain LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +iptables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +ip6tables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--insert LIBVIRT_PRT \ 
+--jump LIBVIRT_PRT_virbr0 +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index ed3c560f74..783e803dff 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -1,5 +1,103 @@ iptables \ --table filter \ +--new-chain LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +iptables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +iptables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--jump LIBVIRT_INP_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--jump LIBVIRT_OUT_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--jump LIBVIRT_FWO_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--jump LIBVIRT_FWI_virbr0 +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWX_virbr0 +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--jump LIBVIRT_FWX_virbr0 +ip6tables \ +--table nat \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--jump LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--new-chain LIBVIRT_PRT_virbr0 +ip6tables \ +--table mangle \ +--insert LIBVIRT_PRT \ 
+--jump LIBVIRT_PRT_virbr0 +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --=20 2.19.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
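Review bot: in the networkAddFirewallRules hunk of src/network/bridge_driver_linux.c, the per-network chains are created in their own transaction before `fw = virFirewallNew()`, so if the rule transaction that follows fails and the function returns -1, the LIBVIRT_*_<bridge> chains and the jumps into them are left behind; nothing on that path calls iptablesTeardownLocalChains. Either tear the chains down in this function's error path, or add the `--new-chain` and `--insert ... --jump` rules to the same virFirewall transaction as the per-network rules so that creation and rule insertion succeed or fail as one unit.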
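Review bot: in the networkRemoveFirewallRules hunk, `iptablesTeardownLocalChains(def->bridge);` runs before the transaction that deletes the network's rules, and its int return value is silently dropped. With this patch the rules still live in the parent chains, so the order is harmless; but if a follow-up moves the rules into the per-network chains, flushing and deleting those chains first means the later `--delete` commands target chains that no longer exist and only pass because of VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS. Consider moving the teardown after the rule-removal transaction, and either checking its return value or declaring the function void to match how it is used here.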
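Review bot: in iptablesLocalChainsManage in src/util/viriptables.c, `child` from `virAsprintf(&child, "%s_%s", chains[i].parent, iface)` is never freed: it is allocated on every loop iteration, goes out of scope at the end of the body, and nothing releases it, so each call leaks one string per entry of chains[] (14 per network start and per network stop). Add `VIR_FREE(child)` at the end of the loop body (or make it a VIR_AUTOFREE variable). Two further points on the same hunk: (1) the ADD transaction runs with flags 0, so a `--new-chain` for a chain that already exists, for example one left behind by a crash or a libvirtd restart, fails and aborts the network start; the per-network path needs to probe for the chain first or tolerate that failure. (2) The `--insert <parent> --jump <child>` rules carry no `--in-interface`/`--out-interface` match, so every packet traverses every per-network chain; the commit message's claim of fewer rules evaluated per packet only holds once those matches are placed on the LIBVIRT_INP/OUT/FWO/FWI jumps. On naming, `"%s_%s"` stays inside iptables' 28-character chain-name limit because `LIBVIRT_xxx_` is 12 characters and a Linux interface name is at most 15; a comment recording that budget would protect the next person who renames a parent chain. Finally, the commit message diagram labels the virbr1..virbrN children under OUTPUT, FORWARD and POSTROUTING as LIBVIRT_INP_*, which does not match the names this table produces.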
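Review bot: in the tests/networkxml2firewalldata/nat-default-linux.args hunk, and the five identical hunks that follow it, the same 98-line block of `--new-chain` and `--insert ... --jump` commands is pasted verbatim into six expectation files. That is the correct expected output for this patch, since the chain set does not depend on the network definition, but every later change to the parent-chain list or to the jump options will need six lockstep edits; a shared prefix file, or generating the expected block inside the test, would keep the data maintainable. The expected output also makes the point from the viriptables.c hunk visible: none of the jumps, for iptables or ip6tables, carries an interface match.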
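Not part of this patch or of libvirt: an added Python audit that reads an `iptables-save` (or `ip6tables-save`) dump and checks the layout the series creates, the way an administrator would after customising the chains with hooks or after a network failed to stop cleanly. It parses the chain declarations and `-A` rules of each table, resolves every LIBVIRT_<PARENT>_<bridge> chain back to its parent, and reports chains nothing jumps to, jumps from the wrong parent, LIBVIRT_INP/OUT/FWO/FWI jumps with no interface match (so the per-packet saving the commit message describes is not realised), chains for bridges that are no longer live, and names over iptables' 28-character chain-name limit (12 characters of `LIBVIRT_xxx_` plus a 15-character interface name fits). The sample dump is constructed, and the set of live bridges is assumed to be supplied by the caller, for instance from `virsh net-info`.

```python
import re

# iptables rejects chain names of 29 bytes or more (XT_EXTENSION_MAXNAMELEN
# is 29 including the NUL), so 28 characters is the usable maximum.
MAX_CHAIN_NAME = 28

# Per-network chains follow the "%s_%s" naming the patch uses.
CHILD_RE = re.compile(r"^(LIBVIRT_(?:INP|OUT|FWO|FWI|FWX|PRT))_(\S+)$")

# The commit message names these four as the chains whose jumps can carry an
# interface match; a jump without one sends every packet through the child.
IFACE_PARENTS = {"LIBVIRT_INP", "LIBVIRT_OUT", "LIBVIRT_FWO", "LIBVIRT_FWI"}
IFACE_FLAGS = {"-i", "--in-interface", "-o", "--out-interface"}


def parse_save(text):
    """Parse iptables-save output into {table: {"chains": set, "rules": [(chain, args)]}}."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"chains": set(), "rules": []})
        elif cur is None:
            continue
        elif line.startswith(":"):
            cur["chains"].add(line[1:].split()[0])
        elif line.startswith("-A "):
            parts = line.split()
            cur["rules"].append((parts[1], parts[2:]))
    return tables


def jump_target(args):
    """Return the -j/--jump target of a rule's arguments, or None."""
    for flag in ("-j", "--jump"):
        if flag in args and args.index(flag) + 1 < len(args):
            return args[args.index(flag) + 1]
    return None


def audit(tables, live_bridges=None):
    """Return sorted (kind, table, detail) findings for the per-network chains.

    live_bridges, if given, is the set of bridges libvirt currently manages
    (assumed to be collected from `virsh net-info`); any other bridge is stale.
    """
    findings = []
    for table, data in tables.items():
        chains = data["chains"]
        jumps = {}  # child chain -> [(source chain, rule args)]
        for chain, args in data["rules"]:
            target = jump_target(args)
            if target is not None and CHILD_RE.match(target):
                jumps.setdefault(target, []).append((chain, args))
        for child in sorted(chains):
            m = CHILD_RE.match(child)
            if not m:
                continue
            parent, iface = m.groups()
            if len(child) > MAX_CHAIN_NAME:
                findings.append(("too-long", table, child))
            refs = jumps.get(child, [])
            if not refs:
                # Exists but unreachable: a teardown removed the jump and then
                # failed to delete the chain, or someone created it by hand.
                findings.append(("orphan", table, child))
                continue
            if live_bridges is not None and iface not in live_bridges:
                findings.append(("stale", table, child))
            for src, args in refs:
                if src != parent:
                    findings.append(("wrong-parent", table, f"{src} -> {child}"))
                elif parent in IFACE_PARENTS and not (IFACE_FLAGS & set(args)):
                    findings.append(("unmatched-jump", table, f"{parent} -> {child}"))
    return sorted(findings)


# Constructed sample, not captured from a host: virbr0 is laid out as the patch
# creates it except that the FWO jump was given an interface match by hand,
# LIBVIRT_INP_virbr1 has lost its jump, and virbr9 is no longer a live network.
SAMPLE_SAVE = """\
*filter
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_INP_virbr0 - [0:0]
:LIBVIRT_OUT_virbr0 - [0:0]
:LIBVIRT_FWO_virbr0 - [0:0]
:LIBVIRT_INP_virbr1 - [0:0]
-A LIBVIRT_INP -j LIBVIRT_INP_virbr0
-A LIBVIRT_OUT -j LIBVIRT_OUT_virbr0
-A LIBVIRT_FWO -i virbr0 -j LIBVIRT_FWO_virbr0
COMMIT
*nat
:LIBVIRT_PRT - [0:0]
:LIBVIRT_PRT_virbr0 - [0:0]
:LIBVIRT_PRT_virbr9 - [0:0]
-A LIBVIRT_PRT -j LIBVIRT_PRT_virbr0
-A LIBVIRT_PRT -j LIBVIRT_PRT_virbr9
COMMIT
"""


def audit_sample():
    """Audit the constructed dump with virbr0 as the only live bridge."""
    return audit(parse_save(SAMPLE_SAVE), live_bridges={"virbr0"})
```

On a real host, feed it `iptables-save` and `ip6tables-save` output in turn and pass the bridge names of the networks `virsh net-list` reports as active; anything flagged `orphan` or `stale` is a candidate for manual `--delete-chain`, and `unmatched-jump` lists the jumps a hook could tighten with `--in-interface`/`--out-interface`.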