[libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip&nftables

Laine Stump posted 28 patches 1 year, 4 months ago
There is a newer version of this series
[libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip&nftables
Posted by Laine Stump 1 year, 4 months ago
These top-level functions contain no iptables-specific code, except
that each one calls a lower-level internal function that *is*
iptables-specific. In preparation for supporting either iptables or
nftables, rename these functions from iptablesXXX to virNetfilterXXX.

Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/libvirt_private.syms          |  48 +++---
 src/network/bridge_driver_linux.c | 124 +++++++-------
 src/util/viriptables.c            | 260 +++++++++++++++---------------
 src/util/viriptables.h            |  96 +++++------
 4 files changed, 264 insertions(+), 264 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 73cccf38a1..9f3868bbac 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2547,33 +2547,33 @@ virInitctlSetRunLevel;
 
 
 # util/viriptables.h
-iptablesAddDontMasquerade;
-iptablesAddForwardAllowCross;
-iptablesAddForwardAllowIn;
-iptablesAddForwardAllowOut;
-iptablesAddForwardAllowRelatedIn;
-iptablesAddForwardMasquerade;
-iptablesAddForwardRejectIn;
-iptablesAddForwardRejectOut;
 iptablesAddOutputFixUdpChecksum;
-iptablesAddTcpInput;
-iptablesAddTcpOutput;
-iptablesAddUdpInput;
-iptablesAddUdpOutput;
-iptablesRemoveDontMasquerade;
-iptablesRemoveForwardAllowCross;
-iptablesRemoveForwardAllowIn;
-iptablesRemoveForwardAllowOut;
-iptablesRemoveForwardAllowRelatedIn;
-iptablesRemoveForwardMasquerade;
-iptablesRemoveForwardRejectIn;
-iptablesRemoveForwardRejectOut;
 iptablesRemoveOutputFixUdpChecksum;
-iptablesRemoveTcpInput;
-iptablesRemoveTcpOutput;
-iptablesRemoveUdpInput;
-iptablesRemoveUdpOutput;
 iptablesSetupPrivateChains;
+virNetfilterAddDontMasquerade;
+virNetfilterAddForwardAllowCross;
+virNetfilterAddForwardAllowIn;
+virNetfilterAddForwardAllowOut;
+virNetfilterAddForwardAllowRelatedIn;
+virNetfilterAddForwardMasquerade;
+virNetfilterAddForwardRejectIn;
+virNetfilterAddForwardRejectOut;
+virNetfilterAddTcpInput;
+virNetfilterAddTcpOutput;
+virNetfilterAddUdpInput;
+virNetfilterAddUdpOutput;
+virNetfilterRemoveDontMasquerade;
+virNetfilterRemoveForwardAllowCross;
+virNetfilterRemoveForwardAllowIn;
+virNetfilterRemoveForwardAllowOut;
+virNetfilterRemoveForwardAllowRelatedIn;
+virNetfilterRemoveForwardMasquerade;
+virNetfilterRemoveForwardRejectIn;
+virNetfilterRemoveForwardRejectOut;
+virNetfilterRemoveTcpInput;
+virNetfilterRemoveTcpOutput;
+virNetfilterRemoveUdpInput;
+virNetfilterRemoveUdpOutput;
 
 
 # util/viriscsi.h
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 1ef5b9d917..da7d78a40a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -322,7 +322,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
     }
 
     /* allow forwarding packets from the bridge interface */
-    if (iptablesAddForwardAllowOut(fw,
+    if (virNetfilterAddForwardAllowOut(fw,
                                    &ipdef->address,
                                    prefix,
                                    def->bridge,
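Review bot: The continuation arguments under `if (virNetfilterAddForwardAllowOut(fw,` are still indented for the old, shorter name, so `&ipdef->address,`, `prefix,` and `def->bridge,` no longer line up with `fw`. The viriptables.c hunks in this same patch re-align their parameter lists after the rename, so the call sites should get the same treatment, shifting each continuation line right by four columns. The same misalignment is visible in every multi-line call renamed in the later hunks of this file (the masquerade, DontMasquerade, AllowRelatedIn, AllowIn and AllowOut add/remove calls). This is whitespace only, but these are the firewall rule call sites and ragged argument lists make later review of them harder. The enclosing function starts and ends outside this hunk.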
@@ -332,7 +332,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
     /* allow forwarding packets to the bridge interface if they are
      * part of an existing connection
      */
-    if (iptablesAddForwardAllowRelatedIn(fw,
+    if (virNetfilterAddForwardAllowRelatedIn(fw,
                                          &ipdef->address,
                                          prefix,
                                          def->bridge,
@@ -372,7 +372,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
      */
 
     /* First the generic masquerade rule for other protocols */
-    if (iptablesAddForwardMasquerade(fw,
+    if (virNetfilterAddForwardMasquerade(fw,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -382,7 +382,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
         return -1;
 
     /* UDP with a source port restriction */
-    if (iptablesAddForwardMasquerade(fw,
+    if (virNetfilterAddForwardMasquerade(fw,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -392,7 +392,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
         return -1;
 
     /* TCP with a source port restriction */
-    if (iptablesAddForwardMasquerade(fw,
+    if (virNetfilterAddForwardMasquerade(fw,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -403,7 +403,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
 
     /* exempt local network broadcast address as destination */
     if (isIPv4 &&
-        iptablesAddDontMasquerade(fw,
+        virNetfilterAddDontMasquerade(fw,
                                   &ipdef->address,
                                   prefix,
                                   forwardIf,
@@ -411,7 +411,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
         return -1;
 
     /* exempt local multicast range as destination */
-    if (iptablesAddDontMasquerade(fw,
+    if (virNetfilterAddDontMasquerade(fw,
                                   &ipdef->address,
                                   prefix,
                                   forwardIf,
@@ -434,7 +434,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
     if (prefix < 0)
         return 0;
 
-    if (iptablesRemoveDontMasquerade(fw,
+    if (virNetfilterRemoveDontMasquerade(fw,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -443,14 +443,14 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
         return -1;
 
     if (isIPv4 &&
-        iptablesRemoveDontMasquerade(fw,
+        virNetfilterRemoveDontMasquerade(fw,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
                                      networkLocalBroadcast) < 0)
         return -1;
 
-    if (iptablesRemoveForwardMasquerade(fw,
+    if (virNetfilterRemoveForwardMasquerade(fw,
                                         &ipdef->address,
                                         prefix,
                                         forwardIf,
@@ -459,7 +459,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
                                         "tcp") < 0)
         return -1;
 
-    if (iptablesRemoveForwardMasquerade(fw,
+    if (virNetfilterRemoveForwardMasquerade(fw,
                                         &ipdef->address,
                                         prefix,
                                         forwardIf,
@@ -468,7 +468,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
                                         "udp") < 0)
         return -1;
 
-    if (iptablesRemoveForwardMasquerade(fw,
+    if (virNetfilterRemoveForwardMasquerade(fw,
                                         &ipdef->address,
                                         prefix,
                                         forwardIf,
@@ -477,14 +477,14 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
                                         NULL) < 0)
         return -1;
 
-    if (iptablesRemoveForwardAllowRelatedIn(fw,
+    if (virNetfilterRemoveForwardAllowRelatedIn(fw,
                                             &ipdef->address,
                                             prefix,
                                             def->bridge,
                                             forwardIf) < 0)
         return -1;
 
-    if (iptablesRemoveForwardAllowOut(fw,
+    if (virNetfilterRemoveForwardAllowOut(fw,
                                       &ipdef->address,
                                       prefix,
                                       def->bridge,
@@ -511,7 +511,7 @@ networkAddRoutingFirewallRules(virFirewall *fw,
     }
 
     /* allow routing packets from the bridge interface */
-    if (iptablesAddForwardAllowOut(fw,
+    if (virNetfilterAddForwardAllowOut(fw,
                                    &ipdef->address,
                                    prefix,
                                    def->bridge,
@@ -519,7 +519,7 @@ networkAddRoutingFirewallRules(virFirewall *fw,
         return -1;
 
     /* allow routing packets to the bridge interface */
-    if (iptablesAddForwardAllowIn(fw,
+    if (virNetfilterAddForwardAllowIn(fw,
                                   &ipdef->address,
                                   prefix,
                                   def->bridge,
@@ -541,14 +541,14 @@ networkRemoveRoutingFirewallRules(virFirewall *fw,
     if (prefix < 0)
         return 0;
 
-    if (iptablesRemoveForwardAllowIn(fw,
+    if (virNetfilterRemoveForwardAllowIn(fw,
                                      &ipdef->address,
                                      prefix,
                                      def->bridge,
                                      forwardIf) < 0)
         return -1;
 
-    if (iptablesRemoveForwardAllowOut(fw,
+    if (virNetfilterRemoveForwardAllowOut(fw,
                                       &ipdef->address,
                                       prefix,
                                       def->bridge,
@@ -576,29 +576,29 @@ networkAddGeneralIPv4FirewallRules(virFirewall *fw,
     }
 
     /* allow DHCP requests through to dnsmasq & back out */
-    iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
-    iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
-    iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
-    iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+    virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+    virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+    virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+    virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
 
     /* allow DNS requests through to dnsmasq & back out */
-    iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-    iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-    iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-    iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
 
     /* allow TFTP requests through to dnsmasq if necessary & back out */
     if (ipv4def && ipv4def->tftproot) {
-        iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
-        iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+        virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+        virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
     }
 
     /* Catch all rules to block forwarding to/from bridges */
-    iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
-    iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+    virNetfilterAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+    virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
 
     /* Allow traffic between guests on the same bridge */
-    iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+    virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
 }
 
 static void
@@ -615,24 +615,24 @@ networkRemoveGeneralIPv4FirewallRules(virFirewall *fw,
             break;
     }
 
-    iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
-    iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
-    iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+    virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+    virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+    virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
 
     if (ipv4def && ipv4def->tftproot) {
-        iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
-        iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+        virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+        virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
     }
 
-    iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-    iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-    iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-    iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+    virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
 
-    iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
-    iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
-    iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
-    iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+    virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+    virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+    virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+    virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
 }
 
 
@@ -651,21 +651,21 @@ networkAddGeneralIPv6FirewallRules(virFirewall *fw,
     }
 
     /* Catch all rules to block forwarding to/from bridges */
-    iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
-    iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+    virNetfilterAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+    virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
 
     /* Allow traffic between guests on the same bridge */
-    iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+    virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
 
     if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
         /* allow DNS over IPv6 & back out */
-        iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
-        iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
-        iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
-        iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
         /* allow DHCPv6 & back out */
-        iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
-        iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
+        virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+        virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
     }
 }
 
@@ -679,20 +679,20 @@ networkRemoveGeneralIPv6FirewallRules(virFirewall *fw,
     }
 
     if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
-        iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
-        iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
-        iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
-        iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
-        iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
-        iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
+        virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+        virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+        virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
     }
 
     /* the following rules are there if no IPv6 address has been defined
      * but def->ipv6nogw == true
      */
-    iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
-    iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
-    iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+    virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+    virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+    virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
 }
 
 
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 018021bc1b..8db5bb3e4b 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -198,7 +198,7 @@ iptablesOutput(virFirewall *fw,
 }
 
 /**
- * iptablesAddTcpInput:
+ * virNetfilterAddTcpInput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the TCP port to add
@@ -207,16 +207,16 @@ iptablesOutput(virFirewall *fw,
  * the given @iface interface for TCP packets
  */
 void
-iptablesAddTcpInput(virFirewall *fw,
-                    virFirewallLayer layer,
-                    const char *iface,
-                    int port)
+virNetfilterAddTcpInput(virFirewall *fw,
+                        virFirewallLayer layer,
+                        const char *iface,
+                        int port)
 {
     iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
 }
 
 /**
- * iptablesRemoveTcpInput:
+ * virNetfilterRemoveTcpInput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the TCP port to remove
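Review bot: The doc header being renamed to `virNetfilterRemoveTcpInput:` still documents `@ctx: pointer to the IP table context`, but the signatures in this file take `virFirewall *fw` and `virFirewallLayer layer`, as the `virNetfilterAddTcpInput` definition in this hunk shows, and have no `ctx` parameter. Since the rename already touches each header, replace the stale entry with `* @fw: the virFirewall object to modify` and `* @layer: the firewall layer (IPv4 or IPv6)`, so the comment matches what will become the backend-neutral front end. The same stale `@ctx` line appears in every other header renamed in the following hunks of viriptables.c. The comment block shown here continues into the next hunk.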
@@ -225,16 +225,16 @@ iptablesAddTcpInput(virFirewall *fw,
  * @port on the given @iface interface for TCP packets
  */
 void
-iptablesRemoveTcpInput(virFirewall *fw,
-                       virFirewallLayer layer,
-                       const char *iface,
-                       int port)
+virNetfilterRemoveTcpInput(virFirewall *fw,
+                           virFirewallLayer layer,
+                           const char *iface,
+                           int port)
 {
     iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
 }
 
 /**
- * iptablesAddUdpInput:
+ * virNetfilterAddUdpInput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the UDP port to add
@@ -243,16 +243,16 @@ iptablesRemoveTcpInput(virFirewall *fw,
  * the given @iface interface for UDP packets
  */
 void
-iptablesAddUdpInput(virFirewall *fw,
-                    virFirewallLayer layer,
-                    const char *iface,
-                    int port)
+virNetfilterAddUdpInput(virFirewall *fw,
+                        virFirewallLayer layer,
+                        const char *iface,
+                        int port)
 {
     iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
 }
 
 /**
- * iptablesRemoveUdpInput:
+ * virNetfilterRemoveUdpInput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the UDP port to remove
@@ -261,16 +261,16 @@ iptablesAddUdpInput(virFirewall *fw,
  * @port on the given @iface interface for UDP packets
  */
 void
-iptablesRemoveUdpInput(virFirewall *fw,
-                       virFirewallLayer layer,
-                       const char *iface,
-                       int port)
+virNetfilterRemoveUdpInput(virFirewall *fw,
+                           virFirewallLayer layer,
+                           const char *iface,
+                           int port)
 {
     iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
 }
 
 /**
- * iptablesAddTcpOutput:
+ * virNetfilterAddTcpOutput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the TCP port to add
@@ -279,16 +279,16 @@ iptablesRemoveUdpInput(virFirewall *fw,
  * the given @iface interface for TCP packets
  */
 void
-iptablesAddTcpOutput(virFirewall *fw,
-                     virFirewallLayer layer,
-                     const char *iface,
-                     int port)
+virNetfilterAddTcpOutput(virFirewall *fw,
+                         virFirewallLayer layer,
+                         const char *iface,
+                         int port)
 {
     iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
 }
 
 /**
- * iptablesRemoveTcpOutput:
+ * virNetfilterRemoveTcpOutput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the UDP port to remove
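Review bot: The header renamed to `virNetfilterRemoveTcpOutput:` describes `@port` as `the UDP port to remove`, which looks like a copy-paste from the UDP variant. The function passes `1` as the last argument to `iptablesOutput()`, like the other Tcp helpers, and the rest of the comment refers to TCP packets. Change the line to `* @port: the TCP port to remove` while the header is being edited. The comment block continues beyond the end of this hunk.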
@@ -297,16 +297,16 @@ iptablesAddTcpOutput(virFirewall *fw,
  * @port from the given @iface interface for TCP packets
  */
 void
-iptablesRemoveTcpOutput(virFirewall *fw,
-                        virFirewallLayer layer,
-                        const char *iface,
-                        int port)
+virNetfilterRemoveTcpOutput(virFirewall *fw,
+                            virFirewallLayer layer,
+                            const char *iface,
+                            int port)
 {
     iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
 }
 
 /**
- * iptablesAddUdpOutput:
+ * virNetfilterAddUdpOutput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the UDP port to add
@@ -315,16 +315,16 @@ iptablesRemoveTcpOutput(virFirewall *fw,
  * the given @iface interface for UDP packets
  */
 void
-iptablesAddUdpOutput(virFirewall *fw,
-                     virFirewallLayer layer,
-                     const char *iface,
-                     int port)
+virNetfilterAddUdpOutput(virFirewall *fw,
+                         virFirewallLayer layer,
+                         const char *iface,
+                         int port)
 {
     iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
 }
 
 /**
- * iptablesRemoveUdpOutput:
+ * virNetfilterRemoveUdpOutput:
  * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the UDP port to remove
@@ -333,10 +333,10 @@ iptablesAddUdpOutput(virFirewall *fw,
  * @port from the given @iface interface for UDP packets
  */
 void
-iptablesRemoveUdpOutput(virFirewall *fw,
-                        virFirewallLayer layer,
-                        const char *iface,
-                        int port)
+virNetfilterRemoveUdpOutput(virFirewall *fw,
+                            virFirewallLayer layer,
+                            const char *iface,
+                            int port)
 {
     iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
 }
@@ -384,7 +384,7 @@ iptablesForwardAllowOut(virFirewall *fw,
 }
 
 /**
- * iptablesAddForwardAllowOut:
+ * virNetfilterAddForwardAllowOut:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the source interface name
@@ -397,18 +397,18 @@ iptablesForwardAllowOut(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardAllowOut(virFirewall *fw,
-                           virSocketAddr *netaddr,
-                           unsigned int prefix,
-                           const char *iface,
-                           const char *physdev)
+virNetfilterAddForwardAllowOut(virFirewall *fw,
+                               virSocketAddr *netaddr,
+                               unsigned int prefix,
+                               const char *iface,
+                               const char *physdev)
 {
     return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
                                    VIR_NETFILTER_INSERT);
 }
 
 /**
- * iptablesRemoveForwardAllowOut:
+ * virNetfilterRemoveForwardAllowOut:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the source interface name
@@ -421,11 +421,11 @@ iptablesAddForwardAllowOut(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardAllowOut(virFirewall *fw,
-                              virSocketAddr *netaddr,
-                              unsigned int prefix,
-                              const char *iface,
-                              const char *physdev)
+virNetfilterRemoveForwardAllowOut(virFirewall *fw,
+                                  virSocketAddr *netaddr,
+                                  unsigned int prefix,
+                                  const char *iface,
+                                  const char *physdev)
 {
     return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
                                    VIR_NETFILTER_DELETE);
@@ -478,7 +478,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
 }
 
 /**
- * iptablesAddForwardAllowRelatedIn:
+ * virNetfilterAddForwardAllowRelatedIn:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
@@ -491,18 +491,18 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardAllowRelatedIn(virFirewall *fw,
-                                 virSocketAddr *netaddr,
-                                 unsigned int prefix,
-                                 const char *iface,
-                                 const char *physdev)
+virNetfilterAddForwardAllowRelatedIn(virFirewall *fw,
+                                     virSocketAddr *netaddr,
+                                     unsigned int prefix,
+                                     const char *iface,
+                                     const char *physdev)
 {
     return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
                                          VIR_NETFILTER_INSERT);
 }
 
 /**
- * iptablesRemoveForwardAllowRelatedIn:
+ * virNetfilterRemoveForwardAllowRelatedIn:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
@@ -515,11 +515,11 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
-                                    virSocketAddr *netaddr,
-                                    unsigned int prefix,
-                                    const char *iface,
-                                    const char *physdev)
+virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw,
+                                        virSocketAddr *netaddr,
+                                        unsigned int prefix,
+                                        const char *iface,
+                                        const char *physdev)
 {
     return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
                                          VIR_NETFILTER_DELETE);
@@ -565,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw,
 }
 
 /**
- * iptablesAddForwardAllowIn:
+ * virNetfilterAddForwardAllowIn:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
@@ -578,18 +578,18 @@ iptablesForwardAllowIn(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardAllowIn(virFirewall *fw,
-                          virSocketAddr *netaddr,
-                          unsigned int prefix,
-                          const char *iface,
-                          const char *physdev)
+virNetfilterAddForwardAllowIn(virFirewall *fw,
+                              virSocketAddr *netaddr,
+                              unsigned int prefix,
+                              const char *iface,
+                              const char *physdev)
 {
     return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
                                   VIR_NETFILTER_INSERT);
 }
 
 /**
- * iptablesRemoveForwardAllowIn:
+ * virNetfilterRemoveForwardAllowIn:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
@@ -602,11 +602,11 @@ iptablesAddForwardAllowIn(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardAllowIn(virFirewall *fw,
-                             virSocketAddr *netaddr,
-                             unsigned int prefix,
-                             const char *iface,
-                             const char *physdev)
+virNetfilterRemoveForwardAllowIn(virFirewall *fw,
+                                 virSocketAddr *netaddr,
+                                 unsigned int prefix,
+                                 const char *iface,
+                                 const char *physdev)
 {
     return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
                                   VIR_NETFILTER_DELETE);
@@ -629,7 +629,7 @@ iptablesForwardAllowCross(virFirewall *fw,
 }
 
 /**
- * iptablesAddForwardAllowCross:
+ * virNetfilterAddForwardAllowCross:
  * @ctx: pointer to the IP table context
  * @iface: the input/output interface name
  *
@@ -640,15 +640,15 @@ iptablesForwardAllowCross(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 void
-iptablesAddForwardAllowCross(virFirewall *fw,
-                             virFirewallLayer layer,
-                             const char *iface)
+virNetfilterAddForwardAllowCross(virFirewall *fw,
+                                 virFirewallLayer layer,
+                                 const char *iface)
 {
     iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT);
 }
 
 /**
- * iptablesRemoveForwardAllowCross:
+ * virNetfilterRemoveForwardAllowCross:
  * @ctx: pointer to the IP table context
  * @iface: the input/output interface name
  *
@@ -659,9 +659,9 @@ iptablesAddForwardAllowCross(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 void
-iptablesRemoveForwardAllowCross(virFirewall *fw,
-                                virFirewallLayer layer,
-                                const char *iface)
+virNetfilterRemoveForwardAllowCross(virFirewall *fw,
+                                    virFirewallLayer layer,
+                                    const char *iface)
 {
     iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE);
 }
@@ -682,7 +682,7 @@ iptablesForwardRejectOut(virFirewall *fw,
 }
 
 /**
- * iptablesAddForwardRejectOut:
+ * virNetfilterAddForwardRejectOut:
  * @ctx: pointer to the IP table context
  * @iface: the output interface name
  *
@@ -692,15 +692,15 @@ iptablesForwardRejectOut(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 void
-iptablesAddForwardRejectOut(virFirewall *fw,
-                            virFirewallLayer layer,
-                            const char *iface)
+virNetfilterAddForwardRejectOut(virFirewall *fw,
+                                virFirewallLayer layer,
+                                const char *iface)
 {
     iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT);
 }
 
 /**
- * iptablesRemoveForwardRejectOut:
+ * virNetfilterRemoveForwardRejectOut:
  * @ctx: pointer to the IP table context
  * @iface: the output interface name
  *
@@ -710,9 +710,9 @@ iptablesAddForwardRejectOut(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 void
-iptablesRemoveForwardRejectOut(virFirewall *fw,
-                               virFirewallLayer layer,
-                               const char *iface)
+virNetfilterRemoveForwardRejectOut(virFirewall *fw,
+                                   virFirewallLayer layer,
+                                   const char *iface)
 {
     iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE);
 }
@@ -734,7 +734,7 @@ iptablesForwardRejectIn(virFirewall *fw,
 }
 
 /**
- * iptablesAddForwardRejectIn:
+ * virNetfilterAddForwardRejectIn:
  * @ctx: pointer to the IP table context
  * @iface: the input interface name
  *
@@ -744,15 +744,15 @@ iptablesForwardRejectIn(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 void
-iptablesAddForwardRejectIn(virFirewall *fw,
-                           virFirewallLayer layer,
-                           const char *iface)
+virNetfilterAddForwardRejectIn(virFirewall *fw,
+                               virFirewallLayer layer,
+                               const char *iface)
 {
     iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT);
 }
 
 /**
- * iptablesRemoveForwardRejectIn:
+ * virNetfilterRemoveForwardRejectIn:
  * @ctx: pointer to the IP table context
  * @iface: the input interface name
  *
@@ -762,9 +762,9 @@ iptablesAddForwardRejectIn(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 void
-iptablesRemoveForwardRejectIn(virFirewall *fw,
-                              virFirewallLayer layer,
-                              const char *iface)
+virNetfilterRemoveForwardRejectIn(virFirewall *fw,
+                                  virFirewallLayer layer,
+                                  const char *iface)
 {
     iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE);
 }
@@ -869,7 +869,7 @@ iptablesForwardMasquerade(virFirewall *fw,
 }
 
 /**
- * iptablesAddForwardMasquerade:
+ * virNetfilterAddForwardMasquerade:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @physdev: the physical input device or NULL
@@ -882,13 +882,13 @@ iptablesForwardMasquerade(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardMasquerade(virFirewall *fw,
-                             virSocketAddr *netaddr,
-                             unsigned int prefix,
-                             const char *physdev,
-                             virSocketAddrRange *addr,
-                             virPortRange *port,
-                             const char *protocol)
+virNetfilterAddForwardMasquerade(virFirewall *fw,
+                                 virSocketAddr *netaddr,
+                                 unsigned int prefix,
+                                 const char *physdev,
+                                 virSocketAddrRange *addr,
+                                 virPortRange *port,
+                                 const char *protocol)
 {
     return iptablesForwardMasquerade(fw, netaddr, prefix,
                                      physdev, addr, port, protocol,
@@ -896,7 +896,7 @@ iptablesAddForwardMasquerade(virFirewall *fw,
 }
 
 /**
- * iptablesRemoveForwardMasquerade:
+ * virNetfilterRemoveForwardMasquerade:
  * @ctx: pointer to the IP table context
  * @network: the source network name
  * @physdev: the physical input device or NULL
@@ -909,13 +909,13 @@ iptablesAddForwardMasquerade(virFirewall *fw,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardMasquerade(virFirewall *fw,
-                                virSocketAddr *netaddr,
-                                unsigned int prefix,
-                                const char *physdev,
-                                virSocketAddrRange *addr,
-                                virPortRange *port,
-                                const char *protocol)
+virNetfilterRemoveForwardMasquerade(virFirewall *fw,
+                                    virSocketAddr *netaddr,
+                                    unsigned int prefix,
+                                    const char *physdev,
+                                    virSocketAddrRange *addr,
+                                    virPortRange *port,
+                                    const char *protocol)
 {
     return iptablesForwardMasquerade(fw, netaddr, prefix,
                                      physdev, addr, port, protocol,
@@ -965,7 +965,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
 }
 
 /**
- * iptablesAddDontMasquerade:
+ * virNetfilterAddDontMasquerade:
  * @netaddr: the source network name
  * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr
  * @physdev: the physical output device or NULL
@@ -973,24 +973,24 @@ iptablesForwardDontMasquerade(virFirewall *fw,
  *
  * Add rules to the IP table context to avoid masquerading from
  * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format
- * directly consumable by iptables, it must not depend on user input or
+ * directly consumable by iptables/nftables, it must not depend on user input or
  * configuration.
  *
  * Returns 0 in case of success or an error code otherwise.
  */
 int
-iptablesAddDontMasquerade(virFirewall *fw,
-                          virSocketAddr *netaddr,
-                          unsigned int prefix,
-                          const char *physdev,
-                          const char *destaddr)
+virNetfilterAddDontMasquerade(virFirewall *fw,
+                              virSocketAddr *netaddr,
+                              unsigned int prefix,
+                              const char *physdev,
+                              const char *destaddr)
 {
     return iptablesForwardDontMasquerade(fw, netaddr, prefix,
                                          physdev, destaddr, VIR_NETFILTER_INSERT);
 }
 
 /**
- * iptablesRemoveDontMasquerade:
+ * virNetfilterRemoveDontMasquerade:
  * @netaddr: the source network name
  * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr
  * @physdev: the physical output device or NULL
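Review bot: The reworded @destaddr sentence above virNetfilterAddDontMasquerade now promises a format "directly consumable by iptables/nftables", yet the body in this hunk still hands destaddr to iptablesForwardDontMasquerade, and the two tools are not guaranteed to accept the same address syntax. The only guard against a malformed or hostile string reaching the rule, as far as this hunk shows, is the caller contract that destaddr never depends on user input or configuration. The comment should therefore state the requirement precisely, for example `@destaddr must be a fixed address/prefix literal chosen by the caller and valid for every supported backend; it is presumably not validated here`. The same wording is used in the virNetfilterRemoveDontMasquerade comment in the following hunk, whose function body continues past the end of that hunk.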
@@ -998,17 +998,17 @@ iptablesAddDontMasquerade(virFirewall *fw,
  *
  * Remove rules from the IP table context that prevent masquerading from
  * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format
- * directly consumable by iptables, it must not depend on user input or
+ * directly consumable by iptables/nftables, it must not depend on user input or
  * configuration.
  *
  * Returns 0 in case of success or an error code otherwise.
  */
 int
-iptablesRemoveDontMasquerade(virFirewall *fw,
-                             virSocketAddr *netaddr,
-                             unsigned int prefix,
-                             const char *physdev,
-                             const char *destaddr)
+virNetfilterRemoveDontMasquerade(virFirewall *fw,
+                                 virSocketAddr *netaddr,
+                                 unsigned int prefix,
+                                 const char *physdev,
+                                 const char *destaddr)
 {
     return iptablesForwardDontMasquerade(fw, netaddr, prefix,
                                          physdev, destaddr,
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index bb13f3292d..610c4dccde 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -25,101 +25,101 @@
 
 int              iptablesSetupPrivateChains      (virFirewallLayer layer);
 
-void             iptablesAddTcpInput             (virFirewall *fw,
+void             virNetfilterAddTcpInput         (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
-void             iptablesRemoveTcpInput          (virFirewall *fw,
+void             virNetfilterRemoveTcpInput      (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
 
-void             iptablesAddUdpInput             (virFirewall *fw,
+void             virNetfilterAddUdpInput         (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
-void             iptablesRemoveUdpInput          (virFirewall *fw,
+void             virNetfilterRemoveUdpInput      (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
 
-void             iptablesAddTcpOutput            (virFirewall *fw,
+void             virNetfilterAddTcpOutput        (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
-void             iptablesRemoveTcpOutput         (virFirewall *fw,
+void             virNetfilterRemoveTcpOutput     (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
-void             iptablesAddUdpOutput            (virFirewall *fw,
+void             virNetfilterAddUdpOutput        (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
-void             iptablesRemoveUdpOutput         (virFirewall *fw,
+void             virNetfilterRemoveUdpOutput     (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
                                                   int port);
 
-int              iptablesAddForwardAllowOut      (virFirewall *fw,
+int              virNetfilterAddForwardAllowOut  (virFirewall *fw,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *iface,
                                                   const char *physdev)
     G_GNUC_WARN_UNUSED_RESULT;
-int              iptablesRemoveForwardAllowOut   (virFirewall *fw,
-                                                  virSocketAddr *netaddr,
-                                                  unsigned int prefix,
-                                                  const char *iface,
-                                                  const char *physdev)
+int              virNetfilterRemoveForwardAllowOut(virFirewall *fw,
+                                                   virSocketAddr *netaddr,
+                                                   unsigned int prefix,
+                                                   const char *iface,
+                                                   const char *physdev)
     G_GNUC_WARN_UNUSED_RESULT;
-int              iptablesAddForwardAllowRelatedIn(virFirewall *fw,
-                                                  virSocketAddr *netaddr,
-                                                  unsigned int prefix,
-                                                  const char *iface,
-                                                  const char *physdev)
+int              virNetfilterAddForwardAllowRelatedIn(virFirewall *fw,
+                                                      virSocketAddr *netaddr,
+                                                      unsigned int prefix,
+                                                      const char *iface,
+                                                      const char *physdev)
     G_GNUC_WARN_UNUSED_RESULT;
-int              iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
-                                                     virSocketAddr *netaddr,
-                                                     unsigned int prefix,
-                                                     const char *iface,
-                                                     const char *physdev)
+int              virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw,
+                                                         virSocketAddr *netaddr,
+                                                         unsigned int prefix,
+                                                         const char *iface,
+                                                         const char *physdev)
     G_GNUC_WARN_UNUSED_RESULT;
 
-int              iptablesAddForwardAllowIn       (virFirewall *fw,
+int              virNetfilterAddForwardAllowIn   (virFirewall *fw,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *iface,
                                                   const char *physdev)
     G_GNUC_WARN_UNUSED_RESULT;
-int              iptablesRemoveForwardAllowIn    (virFirewall *fw,
+int              virNetfilterRemoveForwardAllowIn(virFirewall *fw,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *iface,
                                                   const char *physdev)
     G_GNUC_WARN_UNUSED_RESULT;
 
-void             iptablesAddForwardAllowCross    (virFirewall *fw,
-                                                  virFirewallLayer layer,
-                                                  const char *iface);
-void             iptablesRemoveForwardAllowCross (virFirewall *fw,
+void             virNetfilterAddForwardAllowCross(virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface);
+void             virNetfilterRemoveForwardAllowCross(virFirewall *fw,
+                                                     virFirewallLayer layer,
+                                                     const char *iface);
 
-void             iptablesAddForwardRejectOut     (virFirewall *fw,
-                                                  virFirewallLayer layer,
-                                                  const char *iface);
-void             iptablesRemoveForwardRejectOut  (virFirewall *fw,
+void             virNetfilterAddForwardRejectOut (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface);
+void             virNetfilterRemoveForwardRejectOut(virFirewall *fw,
+                                                    virFirewallLayer layer,
+                                                    const char *iface);
 
-void             iptablesAddForwardRejectIn      (virFirewall *fw,
+void             virNetfilterAddForwardRejectIn  (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface);
-void             iptablesRemoveForwardRejectIn   (virFirewall *fw,
-                                                  virFirewallLayer layery,
-                                                  const char *iface);
+void             virNetfilterRemoveForwardRejectIn(virFirewall *fw,
+                                                   virFirewallLayer layery,
+                                                   const char *iface);
 
-int              iptablesAddForwardMasquerade    (virFirewall *fw,
+int              virNetfilterAddForwardMasquerade(virFirewall *fw,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *physdev,
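Review bot: The prototype of virNetfilterRemoveForwardRejectIn still names its second parameter `layery`, a typo carried over from the old iptablesRemoveForwardRejectIn declaration. Because that line is rewritten in this hunk, it can become `virFirewallLayer layer,` to match the definition in viriptables.c and the neighbouring prototypes. Parameter names in a prototype do not affect the compiled result, so this is purely a readability fix.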
@@ -127,21 +127,21 @@ int              iptablesAddForwardMasquerade    (virFirewall *fw,
                                                   virPortRange *port,
                                                   const char *protocol)
     G_GNUC_WARN_UNUSED_RESULT;
-int              iptablesRemoveForwardMasquerade (virFirewall *fw,
-                                                  virSocketAddr *netaddr,
-                                                  unsigned int prefix,
-                                                  const char *physdev,
-                                                  virSocketAddrRange *addr,
-                                                  virPortRange *port,
-                                                  const char *protocol)
+int              virNetfilterRemoveForwardMasquerade(virFirewall *fw,
+                                                     virSocketAddr *netaddr,
+                                                     unsigned int prefix,
+                                                     const char *physdev,
+                                                     virSocketAddrRange *addr,
+                                                     virPortRange *port,
+                                                     const char *protocol)
     G_GNUC_WARN_UNUSED_RESULT;
-int              iptablesAddDontMasquerade       (virFirewall *fw,
+int              virNetfilterAddDontMasquerade   (virFirewall *fw,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *physdev,
                                                   const char *destaddr)
     G_GNUC_WARN_UNUSED_RESULT;
-int              iptablesRemoveDontMasquerade    (virFirewall *fw,
+int              virNetfilterRemoveDontMasquerade(virFirewall *fw,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *physdev,
-- 
2.39.2
Re: [libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip&nftables
Posted by Daniel P. Berrangé 1 year, 4 months ago
On Sun, Apr 30, 2023 at 11:19:19PM -0400, Laine Stump wrote:
> These toplevel functions have no iptables-specific code, except that
> they each call a lower-level internal function that *is* iptables
> specific. As a preparation to supporting use of either iptables or
> nftables, rename these functions from iptablesXXX to virNetfilterXXX.

Anyone have any thoughts on virNetfilterXXX vs virNetFilterXXX ?
I would probably have gone for the latter, but it's pretty minor
so not too fussed about it.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip&nftables
Posted by Laine Stump 1 year, 4 months ago
On 5/3/23 11:54 AM, Daniel P. Berrangé wrote:
> On Sun, Apr 30, 2023 at 11:19:19PM -0400, Laine Stump wrote:
>> These toplevel functions have no iptables-specific code, except that
>> they each call a lower-level internal function that *is* iptables
>> specific. As a preparation to supporting use of either iptables or
>> nftables, rename these functions from iptablesXXX to virNetfilterXXX.
> 
> Anyone have any thoughts on virNetfilterXXX vs virNetFilterXXX ?
> I would probably have gone for the latter, but its pretty minor
> so not too fussed about it.

Either way is okay with me. "netfilter" is a single word that is usually 
lower case, which is why I made it "virNetfilter" (first letter of a 
word in the middle of the identifier has to be capitalized to follow 
"camelCase"). But of course if you're thinking of it as the generic term 
"net filter" rather than the specific "netfilter", then "virNetFilter" 
is better.

Re: [libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip&nftables
Posted by Daniel P. Berrangé 1 year, 4 months ago
On Sun, Apr 30, 2023 at 11:19:19PM -0400, Laine Stump wrote:
> These toplevel functions have no iptables-specific code, except that
> they each call a lower-level internal function that *is* iptables
> specific. As a preparation to supporting use of either iptables or
> nftables, rename these functions from iptablesXXX to virNetfilterXXX.
> 
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  src/libvirt_private.syms          |  48 +++---
>  src/network/bridge_driver_linux.c | 124 +++++++-------
>  src/util/viriptables.c            | 260 +++++++++++++++---------------
>  src/util/viriptables.h            |  96 +++++------
>  4 files changed, 264 insertions(+), 264 deletions(-)
> 
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 73cccf38a1..9f3868bbac 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -2547,33 +2547,33 @@ virInitctlSetRunLevel;

> diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> index 1ef5b9d917..da7d78a40a 100644
> --- a/src/network/bridge_driver_linux.c
> +++ b/src/network/bridge_driver_linux.c
> @@ -322,7 +322,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
>      }
>  
>      /* allow forwarding packets from the bridge interface */
> -    if (iptablesAddForwardAllowOut(fw,
> +    if (virNetfilterAddForwardAllowOut(fw,
>                                     &ipdef->address,
>                                     prefix,
>                                     def->bridge,

nit-pick - the arguments all need their indentation adjusting
for this rename.


> diff --git a/src/util/viriptables.h b/src/util/viriptables.h
> index bb13f3292d..610c4dccde 100644
> --- a/src/util/viriptables.h
> +++ b/src/util/viriptables.h
> @@ -25,101 +25,101 @@
>  
>  int              iptablesSetupPrivateChains      (virFirewallLayer layer);
>  
> -void             iptablesAddTcpInput             (virFirewall *fw,
> +void             virNetfilterAddTcpInput         (virFirewall *fw,
>                                                    virFirewallLayer layer,
>                                                    const char *iface,
>                                                    int port);

I'd be inclined to remove the excessive whitespace between the
function name and the parameter list while making this change.
This file is a long standing outlier in our codebase and we
might as well take this opportunity to fix that.

With the whitespace points addressed:

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|