[libvirt PATCH 07/28] util: #define the names used for private packet filter chains

[libvirt PATCH 07/28] util: #define the names used for private packet filter chains
Posted by Laine Stump 1 year, 6 months ago
This is done so that we can be sure we're using the same chain name
for iptables and nftables. Not strictly necessary, but it will make
documentation and troubleshooting simpler.

Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/util/viriptables.c  | 44 ++++++++++++++++++++---------------------
 src/util/virnetfilter.h |  7 +++++++
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index dc2a4335bf..a0c35887c5 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -120,14 +120,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
 {
     g_autoptr(virFirewall) fw = virFirewallNew();
     iptablesGlobalChain filter_chains[] = {
-        {"INPUT", "LIBVIRT_INP"},
-        {"OUTPUT", "LIBVIRT_OUT"},
-        {"FORWARD", "LIBVIRT_FWO"},
-        {"FORWARD", "LIBVIRT_FWI"},
-        {"FORWARD", "LIBVIRT_FWX"},
+        {"INPUT", VIR_NETFILTER_INPUT_CHAIN},
+        {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN},
+        {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN},
+        {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN},
+        {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN},
     };
     iptablesGlobalChain natmangle_chains[] = {
-        {"POSTROUTING",  "LIBVIRT_PRT"},
+        {"POSTROUTING",  VIR_NETFILTER_NAT_POSTROUTE_CHAIN},
     };
     bool changed = false;
     iptablesGlobalChainData data[] = {
@@ -175,7 +175,7 @@ iptablesInput(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_INP",
+                       VIR_NETFILTER_INPUT_CHAIN,
                        "--in-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -196,7 +196,7 @@ iptablesOutput(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_OUT",
+                       VIR_NETFILTER_OUTPUT_CHAIN,
                        "--out-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -227,7 +227,7 @@ iptablesForwardAllowOut(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWO",
+                           VIR_NETFILTER_FWD_OUT_CHAIN,
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--out-interface", physdev,
@@ -237,7 +237,7 @@ iptablesForwardAllowOut(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWO",
+                           VIR_NETFILTER_FWD_OUT_CHAIN,
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--jump", "ACCEPT",
@@ -269,7 +269,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -281,7 +281,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--match", "conntrack",
@@ -314,7 +314,7 @@ iptablesForwardAllowIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -324,7 +324,7 @@ iptablesForwardAllowIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--jump", "ACCEPT",
@@ -342,7 +342,7 @@ iptablesForwardAllowCross(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_FWX",
+                       VIR_NETFILTER_FWD_X_CHAIN,
                        "--in-interface", iface,
                        "--out-interface", iface,
                        "--jump", "ACCEPT",
@@ -359,7 +359,7 @@ iptablesForwardRejectOut(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_FWO",
+                       VIR_NETFILTER_FWD_OUT_CHAIN,
                        "--in-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -375,7 +375,7 @@ iptablesForwardRejectIn(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_FWI",
+                       VIR_NETFILTER_FWD_IN_CHAIN,
                        "--out-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -421,7 +421,7 @@ iptablesForwardMasquerade(virFirewall *fw,
         rule = virFirewallAddRule(fw, layer,
                                   "--table", "nat",
                                   virIptablesActionTypeToString(action),
-                                  "LIBVIRT_PRT",
+                                  VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                                   "--source", networkstr,
                                   "-p", protocol,
                                   "!", "--destination", networkstr,
@@ -430,7 +430,7 @@ iptablesForwardMasquerade(virFirewall *fw,
         rule = virFirewallAddRule(fw, layer,
                                   "--table", "nat",
                                   virIptablesActionTypeToString(action),
-                                  "LIBVIRT_PRT",
+                                  VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                                   "--source", networkstr,
                                   "!", "--destination", networkstr,
                                   NULL);
@@ -503,7 +503,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "nat",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_PRT",
+                           VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                            "--out-interface", physdev,
                            "--source", networkstr,
                            "--destination", destaddr,
@@ -513,7 +513,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "nat",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_PRT",
+                           VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                            "--source", networkstr,
                            "--destination", destaddr,
                            "--jump", "RETURN",
@@ -534,7 +534,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
     virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                        "--table", "mangle",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_PRT",
+                       VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                        "--out-interface", iface,
                        "--protocol", "udp",
                        "--destination-port", portstr,
diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h
index c8b91f16eb..b515512ad7 100644
--- a/src/util/virnetfilter.h
+++ b/src/util/virnetfilter.h
@@ -23,6 +23,13 @@
 #include "virsocketaddr.h"
 #include "virfirewall.h"
 
+#define VIR_NETFILTER_INPUT_CHAIN "LIBVIRT_INP"
+#define VIR_NETFILTER_OUTPUT_CHAIN "LIBVIRT_OUT"
+#define VIR_NETFILTER_FWD_IN_CHAIN "LIBVIRT_FWI"
+#define VIR_NETFILTER_FWD_OUT_CHAIN "LIBVIRT_FWO"
+#define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX"
+#define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+
 void             virNetfilterAddTcpInput         (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
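Review bot: The six new `#define`s carry no comment saying what they name or why they live in virnetfilter.h rather than viriptables.c, so a reader of the header sees only opaque strings. I'd add a comment above `VIR_NETFILTER_INPUT_CHAIN` stating that these are the names of libvirt's private chains, which the `filter_chains`/`natmangle_chains` tables in `iptablesSetupPrivateChains` pair with the built-in INPUT/OUTPUT/FORWARD/POSTROUTING chains (presumably as the parent chain that jumps into them), and that the nftables backend is meant to reuse the same names, so changing a value here changes what administrators see when listing the ruleset while troubleshooting. `VIR_NETFILTER_NAT_POSTROUTE_CHAIN` is also a slight misnomer: the same chain name is installed via `natmangle_chains` and used with `--table mangle` in the `iptablesOutputFixUdpChecksum` hunk, so either drop `NAT` from the macro name or document it, e.g. `/* POSTROUTING chain name shared by the nat and mangle tables */`. The macros are string literals, so the chain names never come from untrusted input; the point is purely documentation and naming.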
-- 
2.39.2
Re: [libvirt PATCH 07/28] util: #define the names used for private packet filter chains
Posted by Daniel P. Berrangé 1 year, 6 months ago
On Sun, Apr 30, 2023 at 11:19:22PM -0400, Laine Stump wrote:
> This is done so that we can be sure we're using the same chain name
> for iptables and nftables. Not strictly necessary, but it will make
> documentation and troubleshooting simpler.
> 
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  src/util/viriptables.c  | 44 ++++++++++++++++++++---------------------
>  src/util/virnetfilter.h |  7 +++++++
>  2 files changed, 29 insertions(+), 22 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|