From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt PATCH 1/3] util: add support for IPv6 masquerade rules
Date: Mon, 8 Jun 2020 15:51:39 +0100
Message-Id: <20200608145141.3616144-2-berrange@redhat.com>
In-Reply-To: <20200608145141.3616144-1-berrange@redhat.com>
References: <20200608145141.3616144-1-berrange@redhat.com>

IPv6 does support masquerade since Linux 3.9.0 / ip6tables 1.4.18, which is
Fedora 18 / RHEL-7 vintage, which covers all our supported Linux versions.

Signed-off-by: Daniel P. Berrangé
---
 src/util/viriptables.c | 33 +++++++++++----------------------
 1 file changed, 11 insertions(+), 22 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index e6a1ded8d5..8ccce835b2 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -854,29 +854,24 @@ iptablesForwardMasquerade(virFirewallPtr fw, g_autofree char *portRangeStr =3D NULL; g_autofree char *natRangeStr =3D NULL; virFirewallRulePtr rule; + int af =3D VIR_SOCKET_ADDR_FAMILY(netaddr); + virFirewallLayer layer =3D af =3D=3D AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; =20 - if (!VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET)) { - /* Higher level code *should* guaranteee it's impossible to get he= re. */ - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Attempted to NAT '%s'. NAT is only supported for= IPv4."), - networkstr); - return -1; - } - - if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, AF_INET)) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { if (!(addrStartStr =3D virSocketAddrFormat(&addr->start))) return -1; - if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, AF_INET)) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { if (!(addrEndStr =3D virSocketAddrFormat(&addr->end))) return -1; } } =20 if (protocol && protocol[0]) { - rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--dele= te", pvt ? "LIBVIRT_PRT" : "POSTROUTING", @@ -885,7 +880,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, "!", "--destination", networkstr, NULL); } else { - rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--dele= te", pvt ? "LIBVIRT_PRT" : "POSTROUTING", 
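Review bot: the @@ -854 hunk deletes the AF_INET guard without adding an AF_INET6 one, so `layer` is now `af == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6` and any other family (an unset address, AF_UNSPEC) silently produces an ip6tables rule instead of the VIR_ERR_INTERNAL_ERROR the removed block reported. The removed comment ("Higher level code *should* guaranteee it's impossible to get here") is exactly why that guard was defensive rather than dead code; suggest keeping it in two-family form right after the `networkstr` check, e.g. `if (af != AF_INET && af != AF_INET6) { virReportError(VIR_ERR_INTERNAL_ERROR, _("Attempted to NAT '%s'. NAT is only supported for IPv4/IPv6."), networkstr); return -1; }`, and the same in iptablesForwardDontMasquerade below.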
@@ -1004,20 +999,14 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, int action) { g_autofree char *networkstr =3D NULL; + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; =20 - if (!VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET)) { - /* Higher level code *should* guaranteee it's impossible to get he= re. */ - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Attempted to NAT '%s'. NAT is only supported for= IPv4."), - networkstr); - return -1; - } - if (physdev && physdev[0]) - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--delete", pvt ? "LIBVIRT_PRT" : "POSTROUTING", 
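Review bot: the family-to-layer ternary added in the @@ -1004 hunk of iptablesForwardDontMasquerade is a verbatim copy of the one added to iptablesForwardMasquerade in the previous hunk, and like it, it maps everything that is not AF_INET to the IPv6 layer now that the old AF_INET check is gone. A single static helper in viriptables.c (socket address in, virFirewallLayer out, error for any family other than AF_INET/AF_INET6) would keep the two call sites from drifting apart and would restore the rejected-family error in one place instead of two.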
@@ -1027,7 +1016,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, "--jump", "RETURN", NULL); else - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--delete", pvt ? "LIBVIRT_PRT" : "POSTROUTING", --=20 2.26.2
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt PATCH 2/3] conf: add an attribute to turn on NAT for IPv6 virtual networks
Date: Mon, 8 Jun 2020 15:51:40 +0100
Message-Id: <20200608145141.3616144-3-berrange@redhat.com>
In-Reply-To: <20200608145141.3616144-1-berrange@redhat.com>
References: <20200608145141.3616144-1-berrange@redhat.com>

Historically IPv6 did not support NAT, so when IPv6 was added to libvirt's
virtual networks, when requesting libvirt will NOT apply NAT to IPv6
traffic, only IPv4 traffic.

This is an annoying historical design decision as it means we cannot
enable IPv6 automatically. We thus need to introduce a new attribute.

The new attribute is a tri-state, so it leaves open the possibility of us
intentionally changing the default behaviour in future to honour NAT for
IPv6.
Signed-off-by: Daniel P. Berrangé
---
 docs/formatnetwork.html.in                    | 14 ++++++++++
 docs/schemas/network.rng                      |  8 ++++++
 src/conf/network_conf.c                       | 26 +++++++++++++++++--
 src/conf/network_conf.h                       |  2 ++
 .../nat-network-forward-nat-ipv6.xml          | 10 +++++++
 .../nat-network-forward-nat-ipv6.xml          | 11 ++++++++
 tests/networkxml2xmltest.c                    |  1 +
 7 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml
 create mode 100644 tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml

diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 0383e2d891..42cfb6708a 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -276,6 +276,20 @@ </nat> </forward> ... + +

+ Since 6.5.0 it is possible to + enable NAT with IPv6 networking. As noted above, IPv6 + has historically done plain forwarding and thus to avoid + breaking historical compatibility, IPv6 NAT must be + explicitly requested +

+
+...
+  <forward mode=3D'nat'>
+    <nat ipv6=3D'yes'/>
+  </forward>
+...
=20
route
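Review bot: the new paragraph in the docs hunk ends without a period after "must be explicitly requested", and it tells readers how to switch IPv6 NAT on but not what happens when the attribute is absent or set to 'no', even though the schema hunk makes `ipv6` an optional yes/no attribute. Suggest finishing the sentence with the default, e.g. "IPv6 NAT must be explicitly requested with ipv6='yes'; when the attribute is omitted or set to 'no', IPv6 traffic is routed without NAT as before." so the behaviour of existing configurations is stated where the new option is documented.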
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng index 88b6f4dfdd..d9448fa3bb 100644 --- a/docs/schemas/network.rng +++ b/docs/schemas/network.rng @@ -181,6 +181,14 @@ + + + + yes + no + + + diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index f1d22b25b1..cd7683e94b 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -1358,6 +1358,7 @@ virNetworkForwardNatDefParseXML(const char *networkNa= me, int nNatAddrs, nNatPorts; char *addrStart =3D NULL; char *addrEnd =3D NULL; + char *ipv6 =3D NULL; VIR_XPATH_NODE_AUTORESTORE(ctxt); =20 ctxt->node =3D node; @@ -1369,6 +1370,19 @@ virNetworkForwardNatDefParseXML(const char *networkN= ame, goto cleanup; } =20 + ipv6 =3D virXMLPropString(node, "ipv6"); + if (ipv6) { + if ((def->natIPv6 + =3D virTristateBoolTypeFromString(ipv6)) <=3D 0) { + virReportError(VIR_ERR_XML_ERROR, + _("Invalid ipv6 setting '%s' " + "in network '%s' NAT"), + ipv6, networkName); + goto cleanup; + } + VIR_FREE(ipv6); + } + /* addresses for SNAT */ nNatAddrs =3D virXPathNodeSet("./address", ctxt, &natAddrNodes); if (nNatAddrs < 0) { @@ -2516,10 +2530,18 @@ virNetworkForwardNatDefFormat(virBufferPtr buf, goto cleanup; } =20 - if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end) + if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end && !f= wd->natIPv6) return 0; =20 - virBufferAddLit(buf, "\n"); + virBufferAddLit(buf, "natIPv6) + virBufferAsprintf(buf, " ipv6=3D'%s'", virTristateBoolTypeToString= (fwd->natIPv6)); + + if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end) { + virBufferAddLit(buf, "/>\n"); + return 0; + } + virBufferAddLit(buf, ">\n"); virBufferAdjustIndent(buf, 2); =20 if (addrStart) { diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h index f2dc388ef0..e3a61c62ea 100644 --- a/src/conf/network_conf.h +++ b/src/conf/network_conf.h 
@@ -244,6 +244,8 @@ struct _virNetworkForwardDef { /* ranges for NAT */ virSocketAddrRange addr; virPortRange port; + + virTristateBool natIPv6; }; =20 typedef struct _virPortGroupDef virPortGroupDef; diff --git a/tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml b/test= s/networkxml2xmlin/nat-network-forward-nat-ipv6.xml new file mode 100644 index 0000000000..c3b641224c --- /dev/null +++ b/tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml @@ -0,0 +1,10 @@ + + default + 81ff0d90-c91e-6742-64da-4a736edb9a9b + + + + + + + diff --git a/tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml b/tes= ts/networkxml2xmlout/nat-network-forward-nat-ipv6.xml new file mode 100644 index 0000000000..74e1c36c69 --- /dev/null +++ b/tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml @@ -0,0 +1,11 @@ + + default + 81ff0d90-c91e-6742-64da-4a736edb9a9b + + + + + + + + diff --git a/tests/networkxml2xmltest.c b/tests/networkxml2xmltest.c index 700744785a..17817418b7 100644 --- a/tests/networkxml2xmltest.c +++ b/tests/networkxml2xmltest.c 
@@ -140,6 +140,7 @@ mymain(void) DO_TEST("nat-network-dns-forward-plain"); DO_TEST("nat-network-dns-forwarders"); DO_TEST("nat-network-dns-forwarder-no-resolv"); + DO_TEST("nat-network-forward-nat-ipv6"); DO_TEST("nat-network-forward-nat-address"); DO_TEST("nat-network-forward-nat-no-address"); DO_TEST("nat-network-mtu"); --=20 2.26.2
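Review bot: in the @@ -1369 hunk of src/conf/network_conf.c the new `char *ipv6 = NULL;` is released with `VIR_FREE(ipv6)` only at the end of the success branch; on the `goto cleanup` taken for an invalid value the string is still allocated, and this diff does not add a matching free under the cleanup label, so every rejected `ipv6` attribute leaks the parsed string. Declaring it `g_autofree char *ipv6 = NULL;` (the pattern viriptables.c already uses for portRangeStr and natRangeStr in patch 1) removes both the leak and the explicit VIR_FREE. The format side in the @@ -2516 hunk looks consistent: natIPv6 is added to the early-return test, emitted as ` ipv6='%s'`, and the element is self-closed when no address or port range follows.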
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt PATCH 3/3] network: wire up support for IPv6 NAT rules
Date: Mon, 8 Jun 2020 15:51:41 +0100
Message-Id: <20200608145141.3616144-4-berrange@redhat.com>
In-Reply-To: <20200608145141.3616144-1-berrange@redhat.com>
References: <20200608145141.3616144-1-berrange@redhat.com>

Now that we have support for IPv6 in the iptables helpers, and a new
option in the XML schema, we can wire up support for it in the network
driver.

Signed-off-by: Daniel P. Berrangé
---
 src/network/bridge_driver_linux.c             |  23 +-
 .../nat-ipv6-masquerade-linux.args            | 228 ++++++++++++++++++
 .../nat-ipv6-masquerade.xml                   |  17 ++
 tests/networkxml2firewalltest.c               |   1 +
 4 files changed, 262 insertions(+), 7 deletions(-)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade.xml

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index b0bd207250..fcb3803965 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -307,7 +307,8 @@ int networkCheckRouteCollision(virNetworkDefPtr def) return ret; } =20 -static const char networkLocalMulticast[] =3D "224.0.0.0/24"; +static const char networkLocalMulticastIPv4[] =3D "224.0.0.0/24"; +static const char networkLocalMulticastIPv6[] =3D "ffx2::/16"; static const char networkLocalBroadcast[] =3D "255.255.255.255/32"; =20 static int @@ -317,6 +318,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw, { int prefix =3D virNetworkIPDefPrefix(ipdef); const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); =20 if (prefix < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, @@ -406,7 +408,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw, return -1; =20 /* exempt local network broadcast address as destination */ - if (iptablesAddDontMasquerade(fw, + if (isIPv4 && + iptablesAddDontMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -418,7 +421,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw, &ipdef->address, prefix, forwardIf, - networkLocalMulticast) < 0) + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) return -1; =20 return 0; @@ -431,6 +435,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr f= w, { int prefix =3D virNetworkIPDefPrefix(ipdef); const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); =20 if (prefix < 0) return 0; @@ -439,10 +444,12 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr= fw, &ipdef->address, prefix, forwardIf, - networkLocalMulticast) < 0) + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) return -1; =20 - if (iptablesRemoveDontMasquerade(fw, + if (isIPv4 && + iptablesRemoveDontMasquerade(fw, &ipdef->address, prefix, forwardIf, 
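Review bot: `networkLocalMulticastIPv6[] = "ffx2::/16"` in the @@ -307 hunk is not a valid IPv6 prefix ('x' is not a hex digit), so ip6tables will reject the `--destination ... --jump RETURN` rule that the @@ -418 and @@ -439 hunks now build from it, and bringing up an IPv6 NAT network will fail at rule-insertion time rather than quietly misbehave. The IPv4 constant beside it, 224.0.0.0/24, is the link-local multicast block, so the matching IPv6 value is ff02::/16 (link-local scope multicast); use ff00::/8 instead if the intent is to exempt all multicast. Note that the expected-output file tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args added later in this patch contains the same "ffx2::/16" string, so the test passes the typo through instead of catching it; both should be corrected together.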
@@ -769,7 +776,8 @@ networkAddIPSpecificFirewallRules(virFirewallPtr fw, */ =20 if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) return networkAddMasqueradingFirewallRules(fw, def, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) return networkAddRoutingFirewallRules(fw, def, ipdef); @@ -786,7 +794,8 @@ networkRemoveIPSpecificFirewallRules(virFirewallPtr fw, virNetworkIPDefPtr ipdef) { if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) return networkRemoveMasqueradingFirewallRules(fw, def, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) return networkRemoveRoutingFirewallRules(fw, def, ipdef); diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b= /tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args new file mode 100644 index 0000000000..4ba4c3da30 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args 
@@ -0,0 +1,228 @@ +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ 
+--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' 
\ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p udp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p tcp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +--destination ffx2::/16 \ +--jump RETURN +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade.xml b/tests/= networkxml2firewalldata/nat-ipv6-masquerade.xml new file mode 100644 index 0000000000..03bcc8c67d --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade.xml @@ -0,0 +1,17 @@ + + default + + + + + + + + + + + + + + + diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 0ad5e2303b..697bfd7e03 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c 
@@ -173,6 +173,7 @@ mymain(void) DO_TEST("nat-many-ips"); DO_TEST("nat-no-dhcp"); DO_TEST("nat-ipv6"); + DO_TEST("nat-ipv6-masquerade"); DO_TEST("route-default"); =20 return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; --=20 2.26.2
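Review bot: in the @@ -769 and @@ -786 hunks of bridge_driver_linux.c the new condition `VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES` selects masquerading for any address family whenever natIPv6 is yes, not only for AF_INET6, and the `else if (... AF_INET6)` routing branch that follows becomes the path for IPv6 networks that did not opt in. That is the intended behaviour, but with patch 1 having removed the family check from viriptables.c (anything non-AF_INET now becomes an ip6tables rule there), this condition is the only place left that decides which families reach the masquerade helpers; writing it as `AF_INET || (AF_INET6 && natIPv6 == VIR_TRISTATE_BOOL_YES)` makes that explicit and keeps any other family out. A one-line comment above the condition saying that IPv6 NAT is opt-in via `<nat ipv6='yes'/>` would also save the next reader a trip to network_conf.c.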