It can still have only one useful value ("iptables"), but once a 2nd
value is supported, it will be selectable by setting
"firewall_backend=nftables" in /etc/libvirt/network.conf.
If firewall_backend isn't set in network.conf, then libvirt will check
to see if the iptables binary is present on the system and set
firewallBackend to iptables; if not, it will be left as "unset", which
(once multiple backends are available) will trigger an appropriate
error message the first time we attempt to add a rule.
Signed-off-by: Laine Stump <laine@redhat.com>
---
src/network/bridge_driver.c | 22 +++++++------
src/network/bridge_driver_conf.c | 40 ++++++++++++++++++++++++
src/network/bridge_driver_conf.h | 3 ++
src/network/bridge_driver_linux.c | 12 ++++---
src/network/bridge_driver_nop.c | 6 ++--
src/network/bridge_driver_platform.h | 6 ++--
src/network/libvirtd_network.aug | 5 ++-
src/network/network.conf | 8 +++++
src/network/test_libvirtd_network.aug.in | 3 ++
tests/networkxml2firewalltest.c | 2 +-
10 files changed, 87 insertions(+), 20 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 9eb543a0a3..fb353e449a 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1684,6 +1684,7 @@ static int
networkReloadFirewallRulesHelper(virNetworkObj *obj,
void *opaque G_GNUC_UNUSED)
{
+ g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(networkGetDriver());
VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
virNetworkDef *def = virNetworkObjGetDef(obj);
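Review bot: The driver config is looked up once per network inside networkReloadFirewallRulesHelper (the added `g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(networkGetDriver());`) while the helper's `opaque` parameter is still marked G_GNUC_UNUSED. Fetching cfg once in the caller and handing it in through `opaque` would take a single reference for the whole iteration and, presumably, also guarantee that every network reloaded in one pass sees the same backend value even if the config object is replaced mid-iteration. The helper's body continues outside the hunk.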
@@ -1697,8 +1698,8 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj,
* network type, forward='open', doesn't need this because it
* has no iptables rules.
*/
- networkRemoveFirewallRules(def);
- ignore_value(networkAddFirewallRules(def));
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
+ ignore_value(networkAddFirewallRules(def, cfg->firewallBackend));
break;
case VIR_NETWORK_FORWARD_OPEN:
@@ -1949,7 +1950,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
/* Add "once per network" rules */
if (def->forward.type != VIR_NETWORK_FORWARD_OPEN &&
- networkAddFirewallRules(def) < 0)
+ networkAddFirewallRules(def, cfg->firewallBackend) < 0)
goto error;
firewalRulesAdded = true;
@@ -2036,7 +2037,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
if (firewalRulesAdded &&
def->forward.type != VIR_NETWORK_FORWARD_OPEN)
- networkRemoveFirewallRules(def);
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
virNetworkObjUnrefMacMap(obj);
@@ -2048,7 +2049,8 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
static int
-networkShutdownNetworkVirtual(virNetworkObj *obj)
+networkShutdownNetworkVirtual(virNetworkObj *obj,
+ virNetworkDriverConfig *cfg)
{
virNetworkDef *def = virNetworkObjGetDef(obj);
pid_t dnsmasqPid;
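Review bot: networkShutdownNetworkVirtual now takes a full `virNetworkDriverConfig *cfg` but, as far as this series shows (next hunk), only reads `cfg->firewallBackend` from it, while networkAddFirewallRules and networkRemoveFirewallRules in the same series take `virFirewallBackend firewallBackend` directly. Taking the backend value here too would keep the three signatures parallel and make the function's actual dependency explicit; if the whole config is intentionally passed for future use, a one-line comment on the parameter saying so would prevent the next reader from narrowing it. The function body continues outside the hunk.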
@@ -2074,7 +2076,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj)
ignore_value(virNetDevSetOnline(def->bridge, false));
if (def->forward.type != VIR_NETWORK_FORWARD_OPEN)
- networkRemoveFirewallRules(def);
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
ignore_value(virNetDevBridgeDelete(def->bridge));
@@ -2378,7 +2380,7 @@ networkShutdownNetwork(virNetworkDriverState *driver,
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
case VIR_NETWORK_FORWARD_OPEN:
- ret = networkShutdownNetworkVirtual(obj);
+ ret = networkShutdownNetworkVirtual(obj, cfg);
break;
case VIR_NETWORK_FORWARD_BRIDGE:
@@ -3241,7 +3243,7 @@ networkUpdate(virNetworkPtr net,
* old rules (and remember to load new ones after the
* update).
*/
- networkRemoveFirewallRules(def);
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
needFirewallRefresh = true;
break;
default:
@@ -3269,14 +3271,14 @@ networkUpdate(virNetworkPtr net,
parentIndex, xml,
network_driver->xmlopt, flags) < 0) {
if (needFirewallRefresh)
- ignore_value(networkAddFirewallRules(def));
+ ignore_value(networkAddFirewallRules(def, cfg->firewallBackend));
goto cleanup;
}
/* @def is replaced */
def = virNetworkObjGetDef(obj);
- if (needFirewallRefresh && networkAddFirewallRules(def) < 0)
+ if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallBackend) < 0)
goto cleanup;
if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) {
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index a2edafa837..9769ee06b5 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -25,6 +25,7 @@
#include "datatypes.h"
#include "virlog.h"
#include "virerror.h"
+#include "virfile.h"
#include "virutil.h"
#include "bridge_driver_conf.h"
@@ -62,6 +63,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
const char *filename)
{
g_autoptr(virConf) conf = NULL;
+ g_autofree char *firewallBackendStr = NULL;
/* if file doesn't exist or is unreadable, ignore the "error" */
if (access(filename, R_OK) == -1)
@@ -73,6 +75,44 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
/* use virConfGetValue*(conf, ...) functions to read any settings into cfg */
+ if (virConfGetValueString(conf, "firewall_backend", &firewallBackendStr) < 0)
+ return -1;
+
+ if (firewallBackendStr) {
+ int backend = virFirewallBackendTypeFromString(firewallBackendStr);
+
+ if (backend < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unknown value for 'firewall_backend' in network.conf: '%1$s'"),
+ firewallBackendStr);
+ return -1;
+ }
+
+ cfg->firewallBackend = backend;
+ VIR_INFO("using firewall_backend setting from network.conf: '%s'",
+ virFirewallBackendTypeToString(cfg->firewallBackend));
+
+ } else {
+
+ /* no .conf setting, so see what this host supports by looking
+ * for binaries used by the backends, and set accordingly.
+ */
+ g_autofree char *iptablesInPath = NULL;
+
+ /* virFindFileInPath() uses g_find_program_in_path(),
+ * which allows absolute paths, and verifies that
+ * the file is executable.
+ */
+ if ((iptablesInPath = virFindFileInPath(IPTABLES)))
+ cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES;
+
+ if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET)
+ VIR_INFO("firewall_backend not set, and no usable backend auto-detected");
+ else
+ VIR_INFO("using auto-detected firewall_backend: '%s'",
+ virFirewallBackendTypeToString(cfg->firewallBackend));
+ }
+
return 0;
}
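Review bot: The `G_GNUC_UNUSED` on the `cfg` parameter of virNetworkLoadDriverConfig (visible only in the hunk header, the signature itself is outside the hunk) is now stale, since the new code writes `cfg->firewallBackend`; it should be dropped so the attribute does not hide a future regression where cfg is genuinely no longer used, i.e. `virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg,`. Second, the `backend < 0` check only rejects strings unknown to virFirewallBackendTypeFromString(); if that enum's string table also maps the VIR_FIREWALL_BACKEND_UNSET value, a user could configure that literal and the driver would log "using firewall_backend setting" for a backend that the auto-detect branch treats as "no usable backend" — `if (backend < 0 || backend == VIR_FIREWALL_BACKEND_UNSET)` would close that gap (confirm against the enum's string list). Finally, the auto-detect branch relies on `cfg->firewallBackend` already holding VIR_FIREWALL_BACKEND_UNSET on entry, which is not established in this hunk; an explicit `cfg->firewallBackend = VIR_FIREWALL_BACKEND_UNSET;` at the top of the else branch would make that independent of how cfg was allocated, and `iptablesInPath` is only ever tested, so a bool or a direct `if (virFindFileInPath(IPTABLES))` with its own free would read cleaner.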
diff --git a/src/network/bridge_driver_conf.h b/src/network/bridge_driver_conf.h
index 426c16198d..8f221f391e 100644
--- a/src/network/bridge_driver_conf.h
+++ b/src/network/bridge_driver_conf.h
@@ -26,6 +26,7 @@
#include "virdnsmasq.h"
#include "virnetworkobj.h"
#include "object_event.h"
+#include "virfirewall.h"
typedef struct _virNetworkDriverConfig virNetworkDriverConfig;
struct _virNetworkDriverConfig {
@@ -37,6 +38,8 @@ struct _virNetworkDriverConfig {
char *stateDir;
char *pidDir;
char *dnsmasqStateDir;
+
+ virFirewallBackend firewallBackend;
};
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virNetworkDriverConfig, virObjectUnref);
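Review bot: The new `firewallBackend` member is added without a comment, unlike its purpose would suggest for a field that several call sites now read. A short note such as `/* backend used for virtual-network firewall rules; left at VIR_FIREWALL_BACKEND_UNSET when network.conf has no setting and no backend was auto-detected */` would tell readers of the header what the UNSET state means without having to open bridge_driver_conf.c.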
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index c6aab9b236..ff2f87054d 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -802,11 +802,13 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw,
/* Add all rules for all ip addresses (and general rules) on a network */
-int networkAddFirewallRules(virNetworkDef *def)
+int
+networkAddFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend)
{
size_t i;
virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
+ g_autoptr(virFirewall) fw = virFirewallNew(firewallBackend);
if (virOnce(&createdOnce, networkSetupPrivateChains) < 0)
return -1;
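Review bot: networkAddFirewallRules passes `firewallBackend` straight into virFirewallNew() with no check for VIR_FIREWALL_BACKEND_UNSET, which is the value bridge_driver_conf.c leaves in the config when network.conf has no setting and no iptables binary is found. What virFirewallNew() does with UNSET is not visible in this patch and the commit message defers the "appropriate error message" to a later change, so an explicit guard at the top of the function that reports an error and returns -1 when `firewallBackend == VIR_FIREWALL_BACKEND_UNSET` would give operators a clear diagnosis now rather than whatever the lower layer produces. The same applies to networkRemoveFirewallRules in the next hunk, where a transaction started with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS would presumably make an UNSET backend fail silently. Both function bodies continue outside their hunks.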
@@ -928,11 +930,13 @@ int networkAddFirewallRules(virNetworkDef *def)
}
/* Remove all rules for all ip addresses (and general rules) on a network */
-void networkRemoveFirewallRules(virNetworkDef *def)
+void
+networkRemoveFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend)
{
size_t i;
virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
+ g_autoptr(virFirewall) fw = virFirewallNew(firewallBackend);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
networkRemoveChecksumFirewallRules(fw, def);
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
index 6eee6043e6..7d9a061e50 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -36,11 +36,13 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
return 0;
}
-int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED)
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend G_GNUC_UNUSED)
{
return 0;
}
-void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED)
+void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend G_GNUC_UNUSED)
{
}
diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h
index b720d343be..7443c3129f 100644
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -32,6 +32,8 @@ void networkPostReloadFirewallRules(bool startup);
int networkCheckRouteCollision(virNetworkDef *def);
-int networkAddFirewallRules(virNetworkDef *def);
+int networkAddFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend);
-void networkRemoveFirewallRules(virNetworkDef *def);
+void networkRemoveFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend);
diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_network.aug
index ae153d96a1..5d6d72dd92 100644
--- a/src/network/libvirtd_network.aug
+++ b/src/network/libvirtd_network.aug
@@ -22,11 +22,14 @@ module Libvirtd_network =
let int_entry (kw:string) = [ key kw . value_sep . int_val ]
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
+ let firewall_backend_entry = str_entry "firewall_backend"
+
(* Each entry in the config is one of the following *)
+ let entry = firewall_backend_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
- let record = indent . eol
+ let record = indent . entry . eol
let lns = ( record | comment | empty ) *
diff --git a/src/network/network.conf b/src/network/network.conf
index 5c84003f6d..74c79e4cc6 100644
--- a/src/network/network.conf
+++ b/src/network/network.conf
@@ -1,3 +1,11 @@
# Master configuration file for the network driver.
# All settings described here are optional - if omitted, sensible
# defaults are used.
+
+# firewall_backend:
+#
+# determines which subsystem to use to setup firewall packet
+# filtering rules for virtual networks. Currently the only supported
+# selection is "iptables".
+#
+#firewall_backend = "iptables"
diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_libvirtd_network.aug.in
index ffdca520ce..3aa7b4cc22 100644
--- a/src/network/test_libvirtd_network.aug.in
+++ b/src/network/test_libvirtd_network.aug.in
@@ -1,2 +1,5 @@
module Test_libvirtd_network =
@CONFIG@
+
+ test Libvirtd_network.lns get conf =
+{ "firewall_backend" = "iptables" }
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index cb66a26294..3a9f409e2a 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -98,7 +98,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
return -1;
- if (networkAddFirewallRules(def) < 0)
+ if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0)
return -1;
actual = actualargv = virBufferContentAndReset(&buf);
--
2.39.2