From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt PATCH v2 1/3] util: add support for IPv6 masquerade rules
Date: Tue, 9 Jun 2020 17:17:34 +0100
Message-Id: <20200609161736.4126010-2-berrange@redhat.com>
In-Reply-To: <20200609161736.4126010-1-berrange@redhat.com>

IPv6 does support masquerade since Linux 3.9.0 / ip6tables 1.4.18, which is
Fedora 18 / RHEL-7 vintage, which covers all our supported Linux versions.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Laine Stump
---
 src/util/viriptables.c | 33 +++++++++++----------------------
 1 file changed, 11 insertions(+), 22 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index e6a1ded8d5..8ccce835b2 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -854,29 +854,24 @@ iptablesForwardMasquerade(virFirewallPtr fw, g_autofree char *portRangeStr =3D NULL; g_autofree char *natRangeStr =3D NULL; virFirewallRulePtr rule; + int af =3D VIR_SOCKET_ADDR_FAMILY(netaddr); + virFirewallLayer layer =3D af =3D=3D AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; =20 - if (!VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET)) { - /* Higher level code *should* guaranteee it's impossible to get he= re. */ - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Attempted to NAT '%s'. NAT is only supported for= IPv4."), - networkstr); - return -1; - } - - if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, AF_INET)) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { if (!(addrStartStr =3D virSocketAddrFormat(&addr->start))) return -1; - if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, AF_INET)) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { if (!(addrEndStr =3D virSocketAddrFormat(&addr->end))) return -1; } } =20 if (protocol && protocol[0]) { - rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--dele= te", pvt ? "LIBVIRT_PRT" : "POSTROUTING", @@ -885,7 +880,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, "!", "--destination", networkstr, NULL); } else { - rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--dele= te", pvt ? "LIBVIRT_PRT" : "POSTROUTING", 
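Review bot: with the AF_INET guard removed, iptablesForwardMasquerade no longer validates the family of netaddr at all: `virFirewallLayer layer = af == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;` maps every non-IPv4 family, including an uninitialised AF_UNSPEC address, onto the ip6tables layer. The deleted comment only said higher-level code *should* make that impossible, so keep a defensive check here, e.g. report VIR_ERR_INTERNAL_ERROR when af is neither AF_INET nor AF_INET6, so that a bad address fails loudly instead of producing a nat rule on the wrong layer.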
@@ -1004,20 +999,14 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, int action) { g_autofree char *networkstr =3D NULL; + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; =20 - if (!VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET)) { - /* Higher level code *should* guaranteee it's impossible to get he= re. */ - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Attempted to NAT '%s'. NAT is only supported for= IPv4."), - networkstr); - return -1; - } - if (physdev && physdev[0]) - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--delete", pvt ? "LIBVIRT_PRT" : "POSTROUTING", 
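Review bot: the family-to-layer ternary introduced here in iptablesForwardDontMasquerade duplicates the one added to iptablesForwardMasquerade in the previous hunk, and in both places the removed AF_INET check is not replaced by any check for AF_INET6. A small static helper, for example `iptablesLayerForAddr(const virSocketAddr *addr)`, would keep the two call sites in sync and give a single place to reject unsupported families.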
@@ -1027,7 +1016,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, "--jump", "RETURN", NULL); else - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--delete", pvt ? "LIBVIRT_PRT" : "POSTROUTING",
--
2.26.2
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt PATCH v2 2/3] conf: add an attribute to turn on NAT for IPv6 virtual networks
Date: Tue, 9 Jun 2020 17:17:35 +0100
Message-Id: <20200609161736.4126010-3-berrange@redhat.com>
In-Reply-To: <20200609161736.4126010-1-berrange@redhat.com>

Historically IPv6 did not support NAT, so when IPv6 was added to
libvirt's virtual networks, when requesting libvirt will NOT apply NAT
to IPv6 traffic, only IPv4 traffic.

This is an annoying historical design decision as it means we cannot
enable IPv6 automatically. We thus need to introduce a new attribute.

The new attribute is a tri-state, so it leaves open the possibility of
us intentionally changing the default behaviour in future to honour NAT
for IPv6.
Signed-off-by: Daniel P. Berrangé
Reviewed-by: Laine Stump
---
 docs/formatnetwork.html.in | 14 +++++++++
 docs/schemas/network.rng | 5 ++++
 src/conf/network_conf.c | 30 +++++++++++++++++--
 src/conf/network_conf.h | 2 ++
 .../nat-network-forward-nat-ipv6.xml | 10 +++++++
 .../nat-network-forward-nat-ipv6.xml | 10 +++++++
 tests/networkxml2xmltest.c | 1 +
 7 files changed, 69 insertions(+), 3 deletions(-)
 create mode 100644 tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml
 create mode 100644 tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml

diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 0383e2d891..fb740111b1 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -276,6 +276,20 @@ </nat> </forward> ... + +

+ Since 6.5.0 it is possible to + enable NAT with IPv6 networking. As noted above, IPv6 + has historically done plain forwarding and thus to avoid + breaking historical compatibility, IPv6 NAT must be + explicitly requested. +

+
+...
+  <forward mode=3D'nat'>
+    <nat ipv6=3D'yes'/>
+  </forward>
+...
=20
route
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng index 88b6f4dfdd..3a5eb3ced4 100644 --- a/docs/schemas/network.rng +++ b/docs/schemas/network.rng @@ -181,6 +181,11 @@ + + + + + diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index f1d22b25b1..1b89e2985d 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -1358,6 +1358,7 @@ virNetworkForwardNatDefParseXML(const char *networkNa= me, int nNatAddrs, nNatPorts; char *addrStart =3D NULL; char *addrEnd =3D NULL; + char *ipv6 =3D NULL; VIR_XPATH_NODE_AUTORESTORE(ctxt); =20 ctxt->node =3D node; @@ -1369,6 +1370,20 @@ virNetworkForwardNatDefParseXML(const char *networkN= ame, goto cleanup; } =20 + ipv6 =3D virXMLPropString(node, "ipv6"); + if (ipv6) { + int natIPv6; + if ((natIPv6 =3D virTristateBoolTypeFromString(ipv6)) <=3D 0) { + virReportError(VIR_ERR_XML_ERROR, + _("Invalid ipv6 setting '%s' " + "in network '%s' NAT"), + ipv6, networkName); + goto cleanup; + } + def->natIPv6 =3D natIPv6; + VIR_FREE(ipv6); + } + /* addresses for SNAT */ nNatAddrs =3D virXPathNodeSet("./address", ctxt, &natAddrNodes); if (nNatAddrs < 0) { @@ -2516,10 +2531,18 @@ virNetworkForwardNatDefFormat(virBufferPtr buf, goto cleanup; } =20 - if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end) + if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end && !f= wd->natIPv6) return 0; =20 - virBufferAddLit(buf, "\n"); + virBufferAddLit(buf, "natIPv6) + virBufferAsprintf(buf, " ipv6=3D'%s'", virTristateBoolTypeToString= (fwd->natIPv6)); + + if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end) { + virBufferAddLit(buf, "/>\n"); + return 0; + } + virBufferAddLit(buf, ">\n"); virBufferAdjustIndent(buf, 2); =20 if (addrStart) { 
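Review bot: in the virNetworkForwardNatDefParseXML hunk the new `char *ipv6 = NULL;` is only released on the success path (the `VIR_FREE(ipv6);` inside the `if (ipv6)` block); the `goto cleanup` taken after the "Invalid ipv6 setting '%s' in network '%s' NAT" error leaks it, because the cleanup label does not know about the variable. Declare it as `g_autofree char *ipv6 = NULL;`, as viriptables.c already does for its string buffers, and drop the explicit VIR_FREE, or else free it under cleanup.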
@@ -2627,7 +2650,8 @@ virNetworkDefFormatBuf(virBufferPtr buf, || def->forward.port.start || def->forward.port.end || (def->forward.driverName - !=3D VIR_NETWORK_FORWARD_DRIVER_NAME_DEFAULT)= ); + !=3D VIR_NETWORK_FORWARD_DRIVER_NAME_DEFAULT) + || def->forward.natIPv6); virBufferAsprintf(buf, "%s>\n", shortforward ? "/" : ""); virBufferAdjustIndent(buf, 2); =20 diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h index f2dc388ef0..e3a61c62ea 100644 --- a/src/conf/network_conf.h +++ b/src/conf/network_conf.h @@ -244,6 +244,8 @@ struct _virNetworkForwardDef { /* ranges for NAT */ virSocketAddrRange addr; virPortRange port; + + virTristateBool natIPv6; }; =20 typedef struct _virPortGroupDef virPortGroupDef; diff --git a/tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml b/test= s/networkxml2xmlin/nat-network-forward-nat-ipv6.xml new file mode 100644 index 0000000000..c360941e1e --- /dev/null +++ b/tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml @@ -0,0 +1,10 @@ + + default + 81ff0d90-c91e-6742-64da-4a736edb9a9b + + + + + + + diff --git a/tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml b/tes= ts/networkxml2xmlout/nat-network-forward-nat-ipv6.xml new file mode 100644 index 0000000000..cfec391ee2 --- /dev/null +++ b/tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml @@ -0,0 +1,10 @@ + + default + 81ff0d90-c91e-6742-64da-4a736edb9a9b + + + + + + + diff --git a/tests/networkxml2xmltest.c b/tests/networkxml2xmltest.c index 700744785a..17817418b7 100644 --- a/tests/networkxml2xmltest.c +++ b/tests/networkxml2xmltest.c 
@@ -140,6 +140,7 @@ mymain(void) DO_TEST("nat-network-dns-forward-plain"); DO_TEST("nat-network-dns-forwarders"); DO_TEST("nat-network-dns-forwarder-no-resolv"); + DO_TEST("nat-network-forward-nat-ipv6"); DO_TEST("nat-network-forward-nat-address"); DO_TEST("nat-network-forward-nat-no-address"); DO_TEST("nat-network-mtu");
--
2.26.2
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt PATCH v2 3/3] network: wire up support for IPv6 NAT rules
Date: Tue, 9 Jun 2020 17:17:36 +0100
Message-Id: <20200609161736.4126010-4-berrange@redhat.com>
In-Reply-To: <20200609161736.4126010-1-berrange@redhat.com>

Now that we have support for IPv6 in the iptables helpers, and a new
option in the XML schema, we can wire up support for it in the network
driver.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Laine Stump
---
 src/network/bridge_driver_linux.c | 23 +-
 .../nat-ipv6-masquerade-linux.args | 228 ++++++++++++++++++
 .../nat-ipv6-masquerade.xml | 17 ++
 tests/networkxml2firewalltest.c | 1 +
 4 files changed, 262 insertions(+), 7 deletions(-)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade.xml

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index b0bd207250..fcb3803965 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c @@ -307,7 +307,8 @@ int networkCheckRouteCollision(virNetworkDefPtr def) return ret; } =20 -static const char networkLocalMulticast[] =3D "224.0.0.0/24"; +static const char networkLocalMulticastIPv4[] =3D "224.0.0.0/24"; +static const char networkLocalMulticastIPv6[] =3D "ffx2::/16"; static const char networkLocalBroadcast[] =3D "255.255.255.255/32"; =20 static int @@ -317,6 +318,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw, { int prefix =3D virNetworkIPDefPrefix(ipdef); const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); =20 if (prefix < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, @@ -406,7 +408,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw, return -1; =20 /* exempt local network broadcast address as destination */ - if (iptablesAddDontMasquerade(fw, + if (isIPv4 && + iptablesAddDontMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -418,7 +421,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw, &ipdef->address, prefix, forwardIf, - networkLocalMulticast) < 0) + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) return -1; =20 return 0; @@ -431,6 +435,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr f= w, { int prefix =3D virNetworkIPDefPrefix(ipdef); const char *forwardIf =3D virNetworkDefForwardIf(def, 0); + bool isIPv4 =3D VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); =20 if (prefix < 0) return 0; @@ -439,10 +444,12 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr= fw, &ipdef->address, prefix, forwardIf, - networkLocalMulticast) < 0) + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) return -1; =20 - if (iptablesRemoveDontMasquerade(fw, + if (isIPv4 && + iptablesRemoveDontMasquerade(fw, &ipdef->address, prefix, forwardIf, 
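Review bot: `static const char networkLocalMulticastIPv6[] = "ffx2::/16";` is not a valid IPv6 address literal. The "x" in ffx2 is the placeholder RFC 4291 uses for the flags nibble, not a hex digit, so the `ip6tables ... --destination ffx2::/16 --jump RETURN` rule built from it will be rejected when the network is started. The link-local scope multicast range that corresponds to the 224.0.0.0/24 exemption on the IPv4 side is ff02::/16; change the constant to that and update the matching `--destination ffx2::/16` line in nat-ipv6-masquerade-linux.args. The networkxml2firewall test only compares the generated argv with the .args file, so it cannot catch a malformed literal; a check that each constant parses with virSocketAddrParse would have.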
@@ -769,7 +776,8 @@ networkAddIPSpecificFirewallRules(virFirewallPtr fw, */ =20 if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) return networkAddMasqueradingFirewallRules(fw, def, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) return networkAddRoutingFirewallRules(fw, def, ipdef); @@ -786,7 +794,8 @@ networkRemoveIPSpecificFirewallRules(virFirewallPtr fw, virNetworkIPDefPtr ipdef) { if (def->forward.type =3D=3D VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 =3D=3D VIR_TRISTATE_BOOL_YES) return networkRemoveMasqueradingFirewallRules(fw, def, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) return networkRemoveRoutingFirewallRules(fw, def, ipdef); diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b= /tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args new file mode 100644 index 0000000000..4ba4c3da30 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args 
@@ -0,0 +1,228 @@ +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ 
+--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' 
\ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p udp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p tcp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +ip6tables \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +--destination ffx2::/16 \ +--jump RETURN +iptables \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade.xml b/tests/= networkxml2firewalldata/nat-ipv6-masquerade.xml new file mode 100644 index 0000000000..03bcc8c67d --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade.xml @@ -0,0 +1,17 @@ + + default + + + + + + + + + + + + + + + diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 0ad5e2303b..697bfd7e03 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c 
@@ -173,6 +173,7 @@ mymain(void) DO_TEST("nat-many-ips"); DO_TEST("nat-no-dhcp"); DO_TEST("nat-ipv6"); + DO_TEST("nat-ipv6-masquerade"); DO_TEST("route-default"); =20 return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; --=20 2.26.2
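The rule sequence this series makes libvirt emit, modelled as an added Python example. This is not libvirt code and not from the patch author; it mirrors the MASQUERADE and RETURN commands listed in nat-ipv6-masquerade-linux.args above, using the two networks from that test (192.168.122.0/24 and 2001:db8:ca2:2::/64) as constructed input, and adds the one check the firewall test does not perform: every address literal handed to ip6tables has to parse. The names `literal_is_valid`, `masquerade_rules` and `is_exempt` are my own.

```python
"""Model of the per-address masquerade rule set built in patch 3.

Added illustration for this thread, not libvirt code. It reproduces the
argv sequence shown in nat-ipv6-masquerade-linux.args and validates the
address literals that patch 3 hard-codes.
"""
import ipaddress

# Constants as they appear in bridge_driver_linux.c after patch 3, plus a
# corrected IPv6 value: 'ffx2::/16' is RFC 4291 placeholder notation (the
# 'x' stands for the flags nibble) and is not parseable; ff02::/16 is the
# link-local scope multicast range that matches the IPv4 224.0.0.0/24 case.
LOCAL_MULTICAST_V4 = "224.0.0.0/24"
LOCAL_BROADCAST_V4 = "255.255.255.255/32"
LOCAL_MULTICAST_V6_PATCH = "ffx2::/16"
LOCAL_MULTICAST_V6 = "ff02::/16"
NAT_PORT_RANGE = (1024, 65535)   # the --to-ports range used in the .args file


def literal_is_valid(cidr: str) -> bool:
    """True if ip(6)tables would accept cidr as a --source/--destination."""
    try:
        ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return True


def masquerade_rules(network: str, nat_ipv6: bool = False,
                     v6_multicast: str = LOCAL_MULTICAST_V6) -> list[list[str]]:
    """Return the argv lists issued for one <ip> address, in issue order.

    Every rule uses --insert, so the RETURN exemptions issued last sit
    ahead of the MASQUERADE rules in LIBVIRT_PRT and are matched first.
    An IPv6 address without <nat ipv6='yes'/> gets no NAT rules at all,
    which is the pre-series plain-forwarding behaviour the patch keeps.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 6 and not nat_ipv6:
        return []

    tool = "iptables" if net.version == 4 else "ip6tables"
    base = [tool, "--table", "nat", "--insert", "LIBVIRT_PRT",
            "--source", str(net)]
    lo, hi = NAT_PORT_RANGE
    rules = [base + ["!", "--destination", str(net), "--jump", "MASQUERADE"]]
    for proto in ("udp", "tcp"):
        rules.append(base + ["-p", proto, "!", "--destination", str(net),
                             "--jump", "MASQUERADE",
                             "--to-ports", f"{lo}-{hi}"])

    # Exemptions: broadcast exists only in IPv4; local multicast in both.
    exempt = [LOCAL_BROADCAST_V4] if net.version == 4 else []
    exempt.append(LOCAL_MULTICAST_V4 if net.version == 4 else v6_multicast)
    for dst in exempt:
        if not literal_is_valid(dst):
            raise ValueError(f"{tool} would reject --destination {dst!r}")
        rules.append(base + ["--destination", dst, "--jump", "RETURN"])
    return rules


def is_exempt(rules: list[list[str]], dst: str) -> bool:
    """Would traffic to dst skip MASQUERADE under this rule set?

    Only the RETURN exemptions are consulted; the '!' negation on the
    MASQUERADE rules is what leaves intra-network traffic untouched.
    """
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule[-1] != "RETURN":
            continue
        target = ipaddress.ip_network(rule[rule.index("--destination") + 1])
        if addr in target:          # False on a family mismatch
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the two networks from nat-ipv6-masquerade.xml.
    for rule in masquerade_rules("192.168.122.0/24"):
        print(" ".join(rule))
    for rule in masquerade_rules("2001:db8:ca2:2::/64", nat_ipv6=True):
        print(" ".join(rule))
    try:
        masquerade_rules("2001:db8:ca2:2::/64", nat_ipv6=True,
                         v6_multicast=LOCAL_MULTICAST_V6_PATCH)
    except ValueError as err:
        print("patch literal rejected:", err)
```

Running the script prints the five IPv4 and four IPv6 commands in the same order as the .args file, and the final call shows why the `ffx2::/16` constant cannot survive contact with ip6tables: the model rejects it at the same point the real tool would, which is exactly what the argv-comparison test cannot do.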