:p
atchew
Login
This patch series enables libvirt to use nftables rules rather than iptables *when setting up virtual networks* (it does *not* add nftables support to the nwfilter driver). It accomplishes this by abstracting several iptables functions (from viriptables.[ch] called by the virtual network driver into a rudimentary "virNetfilter API" (in virnetfilter.[ch], having the virtual network driver call the virNetFilter API rather than calling the existing iptables functions directly, and then finally adding an equivalent virNftables backend that can be used instead of iptables (selected manually via a network.conf setting, or automatically if iptables isn't found on the host). A first look at the result may have you thinking that it's filled with a lot of bad decisions. While I would agree with that in many cases, I think that overall they are the "least bad" decisions, or at least "bad within acceptable limits / no worse than something else", and point out that it's been done in a way that minimizes (actually eliminates) the need for immediate changes to nwfilter (the other consumer of iptables, which *also* needs to be updated to use native nftables), and makes it much easier to change our mind about the details in the future. When I first started on this (long, protracted, repeatedly interrupted for extended periods - many of these patches are > a year old) task, I considered doing an all-at-once complete replacement of iptables with nftables, since all the Linux distros we support have had nftables for several years, and I'm pretty sure nobody has it disabled (not even sure if it's possible to disable nftables while still enabling iptables, since they both use xtables in the kernel). But due to libvirt's use of "-t mangle -j CHECKSUM --checksum-fill" (see commit fd5b15ff all the way back in July 2010 for details) which has no equivalent in nftables rules (and we don't *want* it to!!), and the desire to be able to easily switch back to iptables in case of an unforeseen regression, we decided that both iptables and nftables need to be supported (for now), with the default (for now) remaining as iptables. Just allowing for dual backends complicated matters, since it means that we have to have a config file, a setting, detection of which backends are available, and of course some sort of concept of an abstracted frontend that can use either backend based on the config setting (and/or auto-detection). Combining that with the fact that it would just be "too big" of a project to switch over nwfilter's iptables usage at the same time means that we have to keep around a lot of existing code for compatibility's sake rather than just wiping it all away and starting over. So, what I've ended up with is: 1) a network.conf file (didn't exist before) with a single setting "firewall_backend". If unset, the network driver tries to use iptables on the backend, and if that's missing, then tries to use nftables. 2) a new (internal-only, so transient!) virNetFilterXXX API that is used by the network driver in place of the iptablesXXX API, and calls either iptablesXXX or: 3) a virNftablesXXX API that exactly replicates the filtering rules of the existing iptablesXXX API (except in the custom "libvirt" base table rather than the system "filter" and "nat" tables). This means that: 4) when the nftables backend is used, the rules added are *exactly the same* (functionally speaking) as we currently add for iptables (except they are in the "libvirt" table). We had spent some time in IRC discussing different ways of using new functionality available in nftables to make a more efficient/performant implemention of the desired filtering, and there are some really great possibilities that need to be explored, but in the end there were too many details up in the air, and I decided that it would be more "accomplishable" (coined a new word there!) to first replicate existing behavior with nftables, but do it inside a framework that makes it easy to modify the details in the future (in particular making it painless to switch back and forth between builds with differing filter models at runtime) - this way we'll be able to separate the infrastructure work from the details of the rules (which we can then more easily work on and experiment with). (This implies that the main objective right now is "get rid of iptables dependencies", not "make the filtering faster and more efficient"). Notable features of this patchset: * allows switching between iptables/nftables backends without rebooting or restarting networks/guests. Because the commands required to remove a network's filter rules are now saved in the network status XML, each time libvirtd (or virtnetworkd) is restarted, it will execute exactly the commands needed to remove the filter rules that had been added by the previous libvirtd/virtnetworkd (rather than just making a guess, as we've always done up until now), and then add new rules using the current backend+binary's set of rules (while also saving the info needed for future removal of these new rules back into the network's status XML). * firewall_backend can be explicitly set in (new) /etc/libvirt/network.conf, but if it's not explicitly set, libvirt will default to the iptables backend if the iptables binary is found, and otherwise fall back to nftables as long as the nft binary is found; otherwise the first attempt to start a network will fail with an appropriate error. Things that seem ugly / that I would like to clean up / that I think are just fine as they are: * virFirewall does *not* provide a backend-agnostic interface [this is fine] * We need to maintain a backward-compatible API for virFirewall so that we don't have to touch nwfilter code. Trying to make its API backend-agnostic would require individually considering/changing every nwfilter use of virFirewall. * instead virFirewall objects are just a way to build a collection of commands to execute to build a firewall, then execute them while collecting info for and building a collection of commands that will tear down that firewall in the future. Do I want to "fix" this in the future by making virFirewall a higher level interface that accepts tokens describing the type of rule to add (rather than backend-specific arguments to a backend-specific command)? No. I think I like the way virFirewall works (as described in that previous bullet-point), instead I'm thinking that it is just slightly mis-named - I've lately been thinking of it as a "virNetFilterCmdList". Similarly, the virFirewallRules that it has a list of aren't really "rules", they are better described as commands or actions, so maybe they should be renamed to virNetfilterCmd or virNetfilterAction. But that is just cosmetic, so I didn't want to get into it in these patches (especially in case someone disagrees, or has a better idea for naming). * Speaking of renaming - I should probably rename all the "iptablesXXX" functions to "virIptablesXXX" to be consistent with so much of our other code. I lost the ambition to deal with it right now though, so I'm leaving that for later cleanup (or I could do it now if it really makes someone's day :-). * I could have chosen a higher place in the callchain to make the virNetfilter abstraction, e.g. at the level of "networkAddXXXFirewallRules()" rather than at the lower level of iptablesXXX(). That is actually probably what will happen in the future (since it will be necessary in order for an nftables-based firewall to be significantly different in structure from an iptables-based firewall). But that's the beauty of an API being private - we can freely add/remove things as needed. the important thing is that we now have the basic structure there. For now, the split is just above the existing iptablesXXX API (util/viriptables.[ch], which seems like a "narrow" enough place. Most iptablesXXX functions are written in terms of just 10 *other* iptablesXXX functions that add iptables-specific commands - I've just moved those functions into virnetfilter.[ch] (appropriately renamed), and changed them to call the 10 virNetfilterXXX functions that will in-turn call those 10 iptablesXXX (or equivalent virNftablesXXX) functions. * Some people may dislike that the 10 virNetfilterXXX functions are each written with a switch statement that has cases to directly call each backend, rather than each backend driver having a table of pointers to API functions, with the virNetfilter API function calling backends[fwBackend]->XXX() (ie the pattern for so many drivers in libvirt). But for just 2 backends, that really seemed like overkill and unnecessary obfuscation. * As implemented here, I am storing a "<fwRemoval>" element in the network status XML - it contains a serialized virFirewall object that directly contains the commands necessary to remove the firewall. I could instead just store "<firewall>", which would include all the commands that were used to *create* the firewall in addition to the commands needed to remove the firewall. The way it's done currently takes up less space; switching to storing the full firewall *might* be more informative to somebody, but on the other hand would make the network status XML *very* long. If anybody has an opinion about this, now is the time to bring it up - do you think it's worth having a separate list of all the commands that were used to create a network's firewall (keeping in mind that there is no public API to access it)? Or is it enough to just store what's needed to remove the firewall? * Several months ago Eric Garver posted patches for a pure firewalld backend, and I requested that they not be pushed because I wanted that to be integrated with my nftables backend support. Due to the fact that the firewalld backend is almost entirely implemented by putting the bridge into a new firewalld "zone", with no individual rules added, that won't happen as just another backend driver file in parallel to iptables and nftables; it will instead work by checking firewall_backend at a higher level in the network driver, thus avoiding the calls to virNetfilterXXX() entirely. I have locally merged Eric's patches over the top of these patches, and there are surprisingly few conflicts, but since his patches didn't account for a user-settable config (but instead just always used the firewalld backend if firewalld was active), some of the patches are going to require a bit of rework, which I'll take care of after getting these patches in. Laine Stump (28): util: add -w/--concurrent when applying the rule rather than when building it util: new virFirewallRuleGet*() APIs util: determine ignoreErrors value when creating rule, not when applying util: rename iptables helpers that will become the frontend for ip&nftables util: move backend-agnostic virNetfilter*() functions to their own file util: make netfilter action a proper typedefed (virFirewall) enum util: #define the names used for private packet filter chains util: move/rename virFirewallApplyRuleDirect to virIptablesApplyFirewallRule util/network: reintroduce virFirewallBackend, but different network: add (empty) network.conf file to distribution files network: allow setting firewallBackend from network.conf network: do not add DHCP checksum mangle rule unless using iptables network: call backend agnostic function to init private filter chains util: setup functions in virnetfilter which will call appropriate backend build: add nft to the list of binaries we attempt to locate util: add nftables backend to virnetfilter API used by network driver tests: test cases for nftables backend util: new functions to support adding individual rollback rules util: check for 0 args when applying iptables rule util: implement rollback rule autosave for iptables backend util: implement rollback rule autosave for nftables backend network: turn on auto-rollback for the rules added for virtual networks util: new function virFirewallNewFromRollback() util: new functions virFirewallParseXML() and virFirewallFormat() conf: add a virFirewall object to virNetworkObj network: use previously saved list of firewall rules when removing network: save network status when firewall rules are reloaded network: improve log message when reloading virtual network firewall rules libvirt.spec.in | 5 + meson.build | 1 + po/POTFILES | 2 + src/conf/virnetworkobj.c | 40 + src/conf/virnetworkobj.h | 11 + src/libvirt_private.syms | 68 +- src/network/bridge_driver.c | 40 +- src/network/bridge_driver_conf.c | 44 + src/network/bridge_driver_conf.h | 3 + src/network/bridge_driver_linux.c | 241 +++-- src/network/bridge_driver_nop.c | 6 +- src/network/bridge_driver_platform.h | 6 +- src/network/libvirtd_network.aug | 39 + src/network/meson.build | 11 + src/network/network.conf | 24 + src/network/test_libvirtd_network.aug.in | 5 + src/nwfilter/nwfilter_ebiptables_driver.c | 16 +- src/util/meson.build | 2 + src/util/virebtables.c | 4 +- src/util/virfirewall.c | 490 ++++++++-- src/util/virfirewall.h | 51 +- src/util/viriptables.c | 762 ++++----------- src/util/viriptables.h | 222 ++--- src/util/virnetfilter.c | 892 ++++++++++++++++++ src/util/virnetfilter.h | 159 ++++ src/util/virnftables.c | 698 ++++++++++++++ src/util/virnftables.h | 118 +++ .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 +++++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 248 +++++ ...pv6-linux.args => nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 384 ++++++++ ...rgs => nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 456 +++++++++ ...linux.args => nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 472 +++++++++ ...-linux.args => nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 384 ++++++++ ...ftp-linux.args => nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 274 ++++++ ...inux.args => route-default-linux.iptables} | 0 .../route-default-linux.nftables | 162 ++++ tests/networkxml2firewalltest.c | 56 +- tests/virfirewalltest.c | 20 +- 45 files changed, 5718 insertions(+), 954 deletions(-) create mode 100644 src/network/libvirtd_network.aug create mode 100644 src/network/network.conf create mode 100644 src/network/test_libvirtd_network.aug.in create mode 100644 src/util/virnetfilter.c create mode 100644 src/util/virnetfilter.h create mode 100644 src/util/virnftables.c create mode 100644 src/util/virnftables.h rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables -- 2.39.2
We will already need a separate function for virFirewallApplyRule for iptables vs. nftables, but the only reason for needing a separate function for virFirewallAddRule* is that iptables/ebtables need to have an extra arg added for locking (to prevent multiple iptables commands from running at the same time). We can just as well add in the -w/--concurrent during virFirewallApplyRule, so move the arg-add to ApplyRule to keep AddRule simple. Signed-off-by: Laine Stump <laine@redhat.com> --- src/util/virfirewall.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFullV(virFirewall *firewall, rule->queryOpaque = opaque; rule->ignoreErrors = ignoreErrors; - switch (rule->layer) { - case VIR_FIREWALL_LAYER_ETHERNET: - ADD_ARG(rule, "--concurrent"); - break; - case VIR_FIREWALL_LAYER_IPV4: - ADD_ARG(rule, "-w"); - break; - case VIR_FIREWALL_LAYER_IPV6: - ADD_ARG(rule, "-w"); - break; - case VIR_FIREWALL_LAYER_LAST: - break; - } - while ((str = va_arg(args, char *)) != NULL) ADD_ARG(rule, str); @@ -XXX,XX +XXX,XX @@ virFirewallApplyRuleDirect(virFirewallRule *rule, cmd = virCommandNewArgList(bin, NULL); + /* lock to assure nobody else is messing with the tables while we are */ + switch (rule->layer) { + case VIR_FIREWALL_LAYER_ETHERNET: + virCommandAddArg(cmd, "--concurrent"); + break; + case VIR_FIREWALL_LAYER_IPV4: + case VIR_FIREWALL_LAYER_IPV6: + virCommandAddArg(cmd, "-w"); + break; + case VIR_FIREWALL_LAYER_LAST: + break; + } + for (i = 0; i < rule->argsLen; i++) virCommandAddArg(cmd, rule->args[i]); -- 2.39.2
We will need access to these attributes of the object from outside virfirewall.c. Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 3 +++ src/util/virfirewall.c | 30 ++++++++++++++++++++++++++++++ src/util/virfirewall.h | 10 ++++++++++ 3 files changed, 43 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFirewallRuleAddArg; virFirewallRuleAddArgFormat; virFirewallRuleAddArgList; virFirewallRuleAddArgSet; +virFirewallRuleGetArg; virFirewallRuleGetArgCount; +virFirewallRuleGetIgnoreErrors; +virFirewallRuleGetLayer; virFirewallRuleToString; virFirewallStartRollback; virFirewallStartTransaction; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ size_t virFirewallRuleGetArgCount(virFirewallRule *rule) } +const char * +virFirewallRuleGetArg(virFirewallRule *rule, + int index) +{ + if (!rule || rule->argsLen <= index) + return NULL; + return rule->args[index]; +} + + +virFirewallLayer +virFirewallRuleGetLayer(virFirewallRule *rule) +{ + if (!rule) + return VIR_FIREWALL_LAYER_LAST; + + return rule->layer; +} + + +bool +virFirewallRuleGetIgnoreErrors(virFirewallRule *rule) +{ + if (!rule) + return false; + + return rule->ignoreErrors; +} + + /** * virFirewallStartTransaction: * @firewall: the firewall ruleset diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ void virFirewallRuleAddArgList(virFirewall *firewall, size_t virFirewallRuleGetArgCount(virFirewallRule *rule); +const char * +virFirewallRuleGetArg(virFirewallRule *rule, + int index); + +virFirewallLayer +virFirewallRuleGetLayer(virFirewallRule *rule); + +bool +virFirewallRuleGetIgnoreErrors(virFirewallRule *rule); + char *virFirewallRuleToString(const char *cmd, virFirewallRule *rule); -- 2.39.2
We know at the time a virFirewallRule is created (with virFirewallAddRule*()) whether or not we will later want to ignore errors encountered when attempting to apply that rule - if ignoreErrors is set in the AddRule or if the group has already had VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS set, then we ignore the errors. Rather than setting the rule->ignoreErrors rule only according to the arg sent to virFirewallAddRuleFull(), and then later (at ApplyRule-time) combining that with the group transactionFlags setting (and passing it all the way down the call chain), just combine the two flags right away and store this final value in rule->ignoreErrors when the rule is created (thus avoiding the need to look at anything other than rule->ignoreErrors at the time the rule is applied). And since we now have an API for retrieving the setting of ignoreErrors from a rule, just grab that with the API down in vir*ApplyRule() rather than cluttering up the argument list on the entire call chain. Signed-off-by: Laine Stump <laine@redhat.com> --- src/util/virfirewall.c | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFullV(virFirewall *firewall, rule->layer = layer; rule->queryCB = cb; rule->queryOpaque = opaque; - rule->ignoreErrors = ignoreErrors; while ((str = va_arg(args, char *)) != NULL) ADD_ARG(rule, str); if (group->addingRollback) { + rule->ignoreErrors = true; /* always ignore errors when rolling back */ VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); } else { + /* when not rolling back, ignore errors if this group (transaction) + * was started with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS *or* + * if this specific rule was created with ignoreErrors == true + */ + rule->ignoreErrors = ignoreErrors + || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); } @@ -XXX,XX +XXX,XX @@ virFirewallRuleToString(const char *cmd, static int virFirewallApplyRuleDirect(virFirewallRule *rule, - bool ignoreErrors, char **output) { size_t i; @@ -XXX,XX +XXX,XX @@ virFirewallApplyRuleDirect(virFirewallRule *rule, return -1; if (status != 0) { - if (ignoreErrors) { + if (virFirewallRuleGetIgnoreErrors(rule)) { VIR_DEBUG("Ignoring error running command"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, @@ -XXX,XX +XXX,XX @@ virFirewallApplyRuleDirect(virFirewallRule *rule, static int virFirewallApplyRule(virFirewall *firewall, - virFirewallRule *rule, - bool ignoreErrors) + virFirewallRule *rule) { g_autofree char *output = NULL; g_auto(GStrv) lines = NULL; - if (rule->ignoreErrors) - ignoreErrors = rule->ignoreErrors; - - if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) + if (virFirewallApplyRuleDirect(rule, &output) < 0) return -1; if (rule->queryCB && output) { @@ -XXX,XX +XXX,XX @@ virFirewallApplyGroup(virFirewall *firewall, size_t idx) { virFirewallGroup *group = firewall->groups[idx]; - bool ignoreErrors = (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + size_t i; VIR_INFO("Starting transaction for firewall=%p group=%p flags=0x%x", @@ -XXX,XX +XXX,XX @@ virFirewallApplyGroup(virFirewall *firewall, firewall->currentGroup = idx; group->addingRollback = false; for (i = 0; i < group->naction; i++) { - if (virFirewallApplyRule(firewall, - group->action[i], - ignoreErrors) < 0) + if (virFirewallApplyRule(firewall, group->action[i]) < 0) return -1; } return 0; @@ -XXX,XX +XXX,XX @@ virFirewallRollbackGroup(virFirewall *firewall, VIR_INFO("Starting rollback for group %p", group); firewall->currentGroup = idx; group->addingRollback = true; - for (i = 0; i < group->nrollback; i++) { - ignore_value(virFirewallApplyRule(firewall, - group->rollback[i], - true)); - } + for (i = 0; i < group->nrollback; i++) + ignore_value(virFirewallApplyRule(firewall, group->rollback[i])); } -- 2.39.2
These toplevel functions have no iptables-specific code, except that they each call a lower-level internal function that *is* iptables specific. As a preparation to supporting use of either iptables or nftables, rename these functions from iptablesXXX to virNetfilterXXX. Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 48 +++--- src/network/bridge_driver_linux.c | 124 +++++++------- src/util/viriptables.c | 260 +++++++++++++++--------------- src/util/viriptables.h | 96 +++++------ 4 files changed, 264 insertions(+), 264 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virInitctlSetRunLevel; # util/viriptables.h -iptablesAddDontMasquerade; -iptablesAddForwardAllowCross; -iptablesAddForwardAllowIn; -iptablesAddForwardAllowOut; -iptablesAddForwardAllowRelatedIn; -iptablesAddForwardMasquerade; -iptablesAddForwardRejectIn; -iptablesAddForwardRejectOut; iptablesAddOutputFixUdpChecksum; -iptablesAddTcpInput; -iptablesAddTcpOutput; -iptablesAddUdpInput; -iptablesAddUdpOutput; -iptablesRemoveDontMasquerade; -iptablesRemoveForwardAllowCross; -iptablesRemoveForwardAllowIn; -iptablesRemoveForwardAllowOut; -iptablesRemoveForwardAllowRelatedIn; -iptablesRemoveForwardMasquerade; -iptablesRemoveForwardRejectIn; -iptablesRemoveForwardRejectOut; iptablesRemoveOutputFixUdpChecksum; -iptablesRemoveTcpInput; -iptablesRemoveTcpOutput; -iptablesRemoveUdpInput; -iptablesRemoveUdpOutput; iptablesSetupPrivateChains; +virNetfilterAddDontMasquerade; +virNetfilterAddForwardAllowCross; +virNetfilterAddForwardAllowIn; +virNetfilterAddForwardAllowOut; +virNetfilterAddForwardAllowRelatedIn; +virNetfilterAddForwardMasquerade; +virNetfilterAddForwardRejectIn; +virNetfilterAddForwardRejectOut; +virNetfilterAddTcpInput; +virNetfilterAddTcpOutput; +virNetfilterAddUdpInput; +virNetfilterAddUdpOutput; +virNetfilterRemoveDontMasquerade; +virNetfilterRemoveForwardAllowCross; +virNetfilterRemoveForwardAllowIn; +virNetfilterRemoveForwardAllowOut; +virNetfilterRemoveForwardAllowRelatedIn; +virNetfilterRemoveForwardMasquerade; +virNetfilterRemoveForwardRejectIn; +virNetfilterRemoveForwardRejectOut; +virNetfilterRemoveTcpInput; +virNetfilterRemoveTcpOutput; +virNetfilterRemoveUdpInput; +virNetfilterRemoveUdpOutput; # util/viriscsi.h diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ networkAddMasqueradingFirewallRules(virFirewall *fw, } /* allow forwarding packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, + if (virNetfilterAddForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, @@ -XXX,XX +XXX,XX @@ networkAddMasqueradingFirewallRules(virFirewall *fw, /* allow forwarding packets to the bridge interface if they are * part of an existing connection */ - if (iptablesAddForwardAllowRelatedIn(fw, + if (virNetfilterAddForwardAllowRelatedIn(fw, &ipdef->address, prefix, def->bridge, @@ -XXX,XX +XXX,XX @@ networkAddMasqueradingFirewallRules(virFirewall *fw, */ /* First the generic masquerade rule for other protocols */ - if (iptablesAddForwardMasquerade(fw, + if (virNetfilterAddForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkAddMasqueradingFirewallRules(virFirewall *fw, return -1; /* UDP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, + if (virNetfilterAddForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkAddMasqueradingFirewallRules(virFirewall *fw, return -1; /* TCP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, + if (virNetfilterAddForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkAddMasqueradingFirewallRules(virFirewall *fw, /* exempt local network broadcast address as destination */ if (isIPv4 && - iptablesAddDontMasquerade(fw, + virNetfilterAddDontMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkAddMasqueradingFirewallRules(virFirewall *fw, return -1; /* exempt local multicast range as destination */ - if (iptablesAddDontMasquerade(fw, + if (virNetfilterAddDontMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, if (prefix < 0) return 0; - if (iptablesRemoveDontMasquerade(fw, + if (virNetfilterRemoveDontMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, return -1; if (isIPv4 && - iptablesRemoveDontMasquerade(fw, + virNetfilterRemoveDontMasquerade(fw, &ipdef->address, prefix, forwardIf, networkLocalBroadcast) < 0) return -1; - if (iptablesRemoveForwardMasquerade(fw, + if (virNetfilterRemoveForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, "tcp") < 0) return -1; - if (iptablesRemoveForwardMasquerade(fw, + if (virNetfilterRemoveForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, "udp") < 0) return -1; - if (iptablesRemoveForwardMasquerade(fw, + if (virNetfilterRemoveForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -XXX,XX +XXX,XX @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, NULL) < 0) return -1; - if (iptablesRemoveForwardAllowRelatedIn(fw, + if (virNetfilterRemoveForwardAllowRelatedIn(fw, &ipdef->address, prefix, def->bridge, forwardIf) < 0) return -1; - if (iptablesRemoveForwardAllowOut(fw, + if (virNetfilterRemoveForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, @@ -XXX,XX +XXX,XX @@ networkAddRoutingFirewallRules(virFirewall *fw, } /* allow routing packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, + if (virNetfilterAddForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, @@ -XXX,XX +XXX,XX @@ networkAddRoutingFirewallRules(virFirewall *fw, return -1; /* allow routing packets to the bridge interface */ - if (iptablesAddForwardAllowIn(fw, + if (virNetfilterAddForwardAllowIn(fw, &ipdef->address, prefix, def->bridge, @@ -XXX,XX +XXX,XX @@ networkRemoveRoutingFirewallRules(virFirewall *fw, if (prefix < 0) return 0; - if (iptablesRemoveForwardAllowIn(fw, + if (virNetfilterRemoveForwardAllowIn(fw, &ipdef->address, prefix, def->bridge, forwardIf) < 0) return -1; - if (iptablesRemoveForwardAllowOut(fw, + if (virNetfilterRemoveForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, @@ -XXX,XX +XXX,XX @@ networkAddGeneralIPv4FirewallRules(virFirewall *fw, } /* allow DHCP requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); /* allow DNS requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); /* allow TFTP requests through to dnsmasq if necessary & back out */ if (ipv4def && ipv4def->tftproot) { - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); } /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); } static void @@ -XXX,XX +XXX,XX @@ networkRemoveGeneralIPv4FirewallRules(virFirewall *fw, break; } - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); } - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); } @@ -XXX,XX +XXX,XX @@ networkAddGeneralIPv6FirewallRules(virFirewall *fw, } /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { /* allow DNS over IPv6 & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); /* allow DHCPv6 & back out */ - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); } } @@ -XXX,XX +XXX,XX @@ networkRemoveGeneralIPv6FirewallRules(virFirewall *fw, } if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); } /* the following rules are there if no IPv6 address has been defined * but def->ipv6nogw == true */ - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); } diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, } /** - * iptablesAddTcpInput: + * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to add @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, * the given @iface interface for TCP packets */ void -iptablesAddTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } /** - * iptablesRemoveTcpInput: + * virNetfilterRemoveTcpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to remove @@ -XXX,XX +XXX,XX @@ iptablesAddTcpInput(virFirewall *fw, * @port on the given @iface interface for TCP packets */ void -iptablesRemoveTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } /** - * iptablesAddUdpInput: + * virNetfilterAddUdpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to add @@ -XXX,XX +XXX,XX @@ iptablesRemoveTcpInput(virFirewall *fw, * the given @iface interface for UDP packets */ void -iptablesAddUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } /** - * iptablesRemoveUdpInput: + * virNetfilterRemoveUdpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to remove @@ -XXX,XX +XXX,XX @@ iptablesAddUdpInput(virFirewall *fw, * @port on the given @iface interface for UDP packets */ void -iptablesRemoveUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } /** - * iptablesAddTcpOutput: + * virNetfilterAddTcpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to add @@ -XXX,XX +XXX,XX @@ iptablesRemoveUdpInput(virFirewall *fw, * the given @iface interface for TCP packets */ void -iptablesAddTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } /** - * iptablesRemoveTcpOutput: + * virNetfilterRemoveTcpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to remove @@ -XXX,XX +XXX,XX @@ iptablesAddTcpOutput(virFirewall *fw, * @port from the given @iface interface for TCP packets */ void -iptablesRemoveTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } /** - * iptablesAddUdpOutput: + * virNetfilterAddUdpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to add @@ -XXX,XX +XXX,XX @@ iptablesRemoveTcpOutput(virFirewall *fw, * the given @iface interface for UDP packets */ void -iptablesAddUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } /** - * iptablesRemoveUdpOutput: + * virNetfilterRemoveUdpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to remove @@ -XXX,XX +XXX,XX @@ iptablesAddUdpOutput(virFirewall *fw, * @port from the given @iface interface for UDP packets */ void -iptablesRemoveUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, } /** - * iptablesAddForwardAllowOut: + * virNetfilterAddForwardAllowOut: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the source interface name @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterAddForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_INSERT); } /** - * iptablesRemoveForwardAllowOut: + * virNetfilterRemoveForwardAllowOut: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the source interface name @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_DELETE); @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, } /** - * iptablesAddForwardAllowRelatedIn: + * virNetfilterAddForwardAllowRelatedIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_INSERT); } /** - * iptablesRemoveForwardAllowRelatedIn: + * virNetfilterRemoveForwardAllowRelatedIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_DELETE); @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, } /** - * iptablesAddForwardAllowIn: + * virNetfilterAddForwardAllowIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterAddForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_INSERT); } /** - * iptablesRemoveForwardAllowIn: + * virNetfilterRemoveForwardAllowIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterRemoveForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_DELETE); @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowCross(virFirewall *fw, } /** - * iptablesAddForwardAllowCross: + * virNetfilterAddForwardAllowCross: * @ctx: pointer to the IP table context * @iface: the input/output interface name * @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowCross(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesAddForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); } /** - * iptablesRemoveForwardAllowCross: + * virNetfilterRemoveForwardAllowCross: * @ctx: pointer to the IP table context * @iface: the input/output interface name * @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowCross(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesRemoveForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); } @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectOut(virFirewall *fw, } /** - * iptablesAddForwardRejectOut: + * virNetfilterAddForwardRejectOut: * @ctx: pointer to the IP table context * @iface: the output interface name * @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesAddForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterAddForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); } /** - * iptablesRemoveForwardRejectOut: + * virNetfilterRemoveForwardRejectOut: * @ctx: pointer to the IP table context * @iface: the output interface name * @@ -XXX,XX +XXX,XX @@ iptablesAddForwardRejectOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesRemoveForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); } @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectIn(virFirewall *fw, } /** - * iptablesAddForwardRejectIn: + * virNetfilterAddForwardRejectIn: * @ctx: pointer to the IP table context * @iface: the input interface name * @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesAddForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterAddForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); } /** - * iptablesRemoveForwardRejectIn: + * virNetfilterRemoveForwardRejectIn: * @ctx: pointer to the IP table context * @iface: the input interface name * @@ -XXX,XX +XXX,XX @@ iptablesAddForwardRejectIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesRemoveForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); } @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, } /** - * iptablesAddForwardMasquerade: + * virNetfilterAddForwardMasquerade: * @ctx: pointer to the IP table context * @network: the source network name * @physdev: the physical input device or NULL @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) +virNetfilterAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardMasquerade(virFirewall *fw, } /** - * iptablesRemoveForwardMasquerade: + * virNetfilterRemoveForwardMasquerade: * @ctx: pointer to the IP table context * @network: the source network name * @physdev: the physical input device or NULL @@ -XXX,XX +XXX,XX @@ iptablesAddForwardMasquerade(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) +virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, } /** - * iptablesAddDontMasquerade: + * virNetfilterAddDontMasquerade: * @netaddr: the source network name * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr * @physdev: the physical output device or NULL @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, * * Add rules to the IP table context to avoid masquerading from * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables, it must not depend on user input or + * directly consumable by iptables/nftables, it must not depend on user input or * configuration. * * Returns 0 in case of success or an error code otherwise. */ int -iptablesAddDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) +virNetfilterAddDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, VIR_NETFILTER_INSERT); } /** - * iptablesRemoveDontMasquerade: + * virNetfilterRemoveDontMasquerade: * @netaddr: the source network name * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr * @physdev: the physical output device or NULL @@ -XXX,XX +XXX,XX @@ iptablesAddDontMasquerade(virFirewall *fw, * * Remove rules from the IP table context that prevent masquerading from * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables, it must not depend on user input or + * directly consumable by iptables/nftables, it must not depend on user input or * configuration. * * Returns 0 in case of success or an error code otherwise. */ int -iptablesRemoveDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) +virNetfilterRemoveDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -XXX,XX +XXX,XX @@ int iptablesSetupPrivateChains (virFirewallLayer layer); -void iptablesAddTcpInput (virFirewall *fw, +void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveTcpInput (virFirewall *fw, +void virNetfilterRemoveTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesAddUdpInput (virFirewall *fw, +void virNetfilterAddUdpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveUdpInput (virFirewall *fw, +void virNetfilterRemoveUdpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesAddTcpOutput (virFirewall *fw, +void virNetfilterAddTcpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveTcpOutput (virFirewall *fw, +void virNetfilterRemoveTcpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesAddUdpOutput (virFirewall *fw, +void virNetfilterAddUdpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveUdpOutput (virFirewall *fw, +void virNetfilterRemoveUdpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -int iptablesAddForwardAllowOut (virFirewall *fw, +int virNetfilterAddForwardAllowOut (virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +int virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +int virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +int virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddForwardAllowIn (virFirewall *fw, +int virNetfilterAddForwardAllowIn (virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowIn (virFirewall *fw, +int virNetfilterRemoveForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -void iptablesAddForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardAllowCross (virFirewall *fw, +void virNetfilterAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface); +void virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface); -void iptablesAddForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectOut (virFirewall *fw, +void virNetfilterAddForwardRejectOut (virFirewall *fw, virFirewallLayer layer, const char *iface); +void virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface); -void iptablesAddForwardRejectIn (virFirewall *fw, +void virNetfilterAddForwardRejectIn (virFirewall *fw, virFirewallLayer layer, const char *iface); -void iptablesRemoveForwardRejectIn (virFirewall *fw, - virFirewallLayer layery, - const char *iface); +void virNetfilterRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layery, + const char *iface); -int iptablesAddForwardMasquerade (virFirewall *fw, +int virNetfilterAddForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -XXX,XX +XXX,XX @@ int iptablesAddForwardMasquerade (virFirewall *fw, virPortRange *port, const char *protocol) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) +int virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddDontMasquerade (virFirewall *fw, +int virNetfilterAddDontMasquerade (virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, const char *destaddr) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveDontMasquerade (virFirewall *fw, +int virNetfilterRemoveDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, -- 2.39.2
These function are all moved into virnetfilter.[ch]. The only functions from viriptables.[ch] that are still called from the consumer (network bridge driver) are iptablesSetupPrivateChains() (which creates the private chains that all iptables rules will be added to), and iptablesAddOutputFixUdpChecksum() and iptablesRemoveOutputFixUdpChecksum() (which add/remove rules to fix improper checksum of DHCP packets, which is something not supported by nftables) Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 51 +-- src/network/bridge_driver_linux.c | 1 + src/util/meson.build | 1 + src/util/viriptables.c | 522 +-------------------------- src/util/viriptables.h | 212 +++++------ src/util/virnetfilter.c | 570 ++++++++++++++++++++++++++++++ src/util/virnetfilter.h | 151 ++++++++ 7 files changed, 849 insertions(+), 659 deletions(-) create mode 100644 src/util/virnetfilter.c create mode 100644 src/util/virnetfilter.h diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virInitctlSetRunLevel; iptablesAddOutputFixUdpChecksum; iptablesRemoveOutputFixUdpChecksum; iptablesSetupPrivateChains; -virNetfilterAddDontMasquerade; -virNetfilterAddForwardAllowCross; -virNetfilterAddForwardAllowIn; -virNetfilterAddForwardAllowOut; -virNetfilterAddForwardAllowRelatedIn; -virNetfilterAddForwardMasquerade; -virNetfilterAddForwardRejectIn; -virNetfilterAddForwardRejectOut; -virNetfilterAddTcpInput; -virNetfilterAddTcpOutput; -virNetfilterAddUdpInput; -virNetfilterAddUdpOutput; -virNetfilterRemoveDontMasquerade; -virNetfilterRemoveForwardAllowCross; -virNetfilterRemoveForwardAllowIn; -virNetfilterRemoveForwardAllowOut; -virNetfilterRemoveForwardAllowRelatedIn; -virNetfilterRemoveForwardMasquerade; -virNetfilterRemoveForwardRejectIn; -virNetfilterRemoveForwardRejectOut; -virNetfilterRemoveTcpInput; -virNetfilterRemoveTcpOutput; -virNetfilterRemoveUdpInput; -virNetfilterRemoveUdpOutput; # util/viriscsi.h @@ -XXX,XX +XXX,XX @@ virNetDevVPortProfileOpTypeFromString; virNetDevVPortProfileOpTypeToString; +# util/virnetfilter.h +virNetfilterAddDontMasquerade; +virNetfilterAddForwardAllowCross; +virNetfilterAddForwardAllowIn; +virNetfilterAddForwardAllowOut; +virNetfilterAddForwardAllowRelatedIn; +virNetfilterAddForwardMasquerade; +virNetfilterAddForwardRejectIn; +virNetfilterAddForwardRejectOut; +virNetfilterAddTcpInput; +virNetfilterAddTcpOutput; +virNetfilterAddUdpInput; +virNetfilterAddUdpOutput; +virNetfilterRemoveDontMasquerade; +virNetfilterRemoveForwardAllowCross; +virNetfilterRemoveForwardAllowIn; +virNetfilterRemoveForwardAllowOut; +virNetfilterRemoveForwardAllowRelatedIn; +virNetfilterRemoveForwardMasquerade; +virNetfilterRemoveForwardRejectIn; +virNetfilterRemoveForwardRejectOut; +virNetfilterRemoveTcpInput; +virNetfilterRemoveTcpOutput; +virNetfilterRemoveUdpInput; +virNetfilterRemoveUdpOutput; + + # util/virnetlink.h virNetlinkCommand; virNetlinkDelLink; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ #include <config.h> #include "virfile.h" +#include "virnetfilter.h" #include "viriptables.h" #include "virstring.h" #include "virlog.h" diff --git a/src/util/meson.build b/src/util/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/util/meson.build +++ b/src/util/meson.build @@ -XXX,XX +XXX,XX @@ util_sources = [ 'virnetdevveth.c', 'virnetdevvlan.c', 'virnetdevvportprofile.c', + 'virnetfilter.c', 'virnetlink.c', 'virnodesuspend.c', 'virnuma.c', diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ #include <sys/stat.h> #include "internal.h" +#include "virnetfilter.h" #include "viriptables.h" #include "virfirewalld.h" #include "virerror.h" @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE -enum { - VIR_NETFILTER_INSERT = 0, - VIR_NETFILTER_DELETE -}; - typedef struct { const char *parent; const char *child; @@ -XXX,XX +XXX,XX @@ iptablesSetupPrivateChains(virFirewallLayer layer) } -static void +void iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesInput(virFirewall *fw, NULL); } -static void +void iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, NULL); } -/** - * virNetfilterAddTcpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to add - * - * Add an input to the IP table allowing access to the given @port on - * the given @iface interface for TCP packets - */ -void -virNetfilterAddTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); -} - -/** - * virNetfilterRemoveTcpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to remove - * - * Removes an input from the IP table, hence forbidding access to the given - * @port on the given @iface interface for TCP packets - */ -void -virNetfilterRemoveTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); -} - -/** - * virNetfilterAddUdpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to add - * - * Add an input to the IP table allowing access to the given @port on - * the given @iface interface for UDP packets - */ -void -virNetfilterAddUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); -} - -/** - * virNetfilterRemoveUdpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an input from the IP table, hence forbidding access to the given - * @port on the given @iface interface for UDP packets - */ -void -virNetfilterRemoveUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); -} - -/** - * virNetfilterAddTcpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to add - * - * Add an output to the IP table allowing access to the given @port from - * the given @iface interface for TCP packets - */ -void -virNetfilterAddTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); -} - -/** - * virNetfilterRemoveTcpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an output from the IP table, hence forbidding access to the given - * @port from the given @iface interface for TCP packets - */ -void -virNetfilterRemoveTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); -} - -/** - * virNetfilterAddUdpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to add - * - * Add an output to the IP table allowing access to the given @port from - * the given @iface interface for UDP packets - */ -void -virNetfilterAddUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); -} - -/** - * virNetfilterRemoveUdpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an output from the IP table, hence forbidding access to the given - * @port from the given @iface interface for UDP packets - */ -void -virNetfilterRemoveUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); -} - /* Allow all traffic coming from the bridge, with a valid network address * to proceed to WAN */ -static int +int iptablesForwardAllowOut(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, return 0; } -/** - * virNetfilterAddForwardAllowOut: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the source interface name - * @physdev: the physical output device - * - * Add a rule to the IP table context to allow the traffic for the - * network @network via interface @iface to be forwarded to - * @physdev device. This allow the outbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardAllowOut: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the source interface name - * @physdev: the physical output device - * - * Remove a rule from the IP table context hence forbidding forwarding - * of the traffic for the network @network via interface @iface - * to the @physdev device output. This stops the outbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} - /* Allow all traffic destined to the bridge, with a valid network address * and associated with an existing connection */ -static int +int iptablesForwardAllowRelatedIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, return 0; } -/** - * virNetfilterAddForwardAllowRelatedIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Add rules to the IP table context to allow the traffic for the - * network @network on @physdev device to be forwarded to - * interface @iface, if it is part of an existing connection. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardAllowRelatedIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Remove rules from the IP table context hence forbidding the traffic for - * network @network on @physdev device to be forwarded to - * interface @iface, if it is part of an existing connection. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} /* Allow all traffic destined to the bridge, with a valid network address */ -static int +int iptablesForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, return 0; } -/** - * virNetfilterAddForwardAllowIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Add rules to the IP table context to allow the traffic for the - * network @network on @physdev device to be forwarded to - * interface @iface. This allow the inbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} -/** - * virNetfilterRemoveForwardAllowIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Remove rules from the IP table context hence forbidding the traffic for - * network @network on @physdev device to be forwarded to - * interface @iface. This stops the inbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} - -static void +void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowCross(virFirewall *fw, NULL); } -/** - * virNetfilterAddForwardAllowCross: - * @ctx: pointer to the IP table context - * @iface: the input/output interface name - * - * Add rules to the IP table context to allow traffic to cross that - * interface. It allows all traffic between guests on the same bridge - * represented by that interface. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterAddForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); -} -/** - * virNetfilterRemoveForwardAllowCross: - * @ctx: pointer to the IP table context - * @iface: the input/output interface name - * - * Remove rules to the IP table context to block traffic to cross that - * interface. It forbids traffic between guests on the same bridge - * represented by that interface. - * - * Returns 0 in case of success or an error code otherwise - */ void -virNetfilterRemoveForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); -} - -static void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectOut(virFirewall *fw, NULL); } -/** - * virNetfilterAddForwardRejectOut: - * @ctx: pointer to the IP table context - * @iface: the output interface name - * - * Add rules to the IP table context to forbid all traffic to that - * interface. It forbids forwarding from the bridge to that interface. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterAddForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); -} -/** - * virNetfilterRemoveForwardRejectOut: - * @ctx: pointer to the IP table context - * @iface: the output interface name - * - * Remove rules from the IP table context forbidding all traffic to that - * interface. It reallow forwarding from the bridge to that interface. - * - * Returns 0 in case of success or an error code otherwise - */ void -virNetfilterRemoveForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); -} - - -static void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectIn(virFirewall *fw, NULL); } -/** - * virNetfilterAddForwardRejectIn: - * @ctx: pointer to the IP table context - * @iface: the input interface name - * - * Add rules to the IP table context to forbid all traffic from that - * interface. It forbids forwarding from that interface to the bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterAddForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardRejectIn: - * @ctx: pointer to the IP table context - * @iface: the input interface name - * - * Remove rules from the IP table context forbidding all traffic from that - * interface. It allows forwarding from that interface to the bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterRemoveForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); -} - /* Masquerade all traffic coming from the network associated * with the bridge */ -static int +int iptablesForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, return 0; } -/** - * virNetfilterAddForwardMasquerade: - * @ctx: pointer to the IP table context - * @network: the source network name - * @physdev: the physical input device or NULL - * @protocol: the network protocol or NULL - * - * Add rules to the IP table context to allow masquerading - * network @network on @physdev. This allow the bridge to - * masquerade for that network (on @physdev). - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) -{ - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardMasquerade: - * @ctx: pointer to the IP table context - * @network: the source network name - * @physdev: the physical input device or NULL - * @protocol: the network protocol or NULL - * - * Remove rules from the IP table context to stop masquerading - * network @network on @physdev. This stops the bridge from - * masquerading for that network (on @physdev). - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) -{ - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_NETFILTER_DELETE); -} - /* Don't masquerade traffic coming from the network associated with the bridge * if said traffic targets @destaddr. */ -static int +int iptablesForwardDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, return 0; } -/** - * virNetfilterAddDontMasquerade: - * @netaddr: the source network name - * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr - * @physdev: the physical output device or NULL - * @destaddr: the destination network not to masquerade for - * - * Add rules to the IP table context to avoid masquerading from - * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables/nftables, it must not depend on user input or - * configuration. - * - * Returns 0 in case of success or an error code otherwise. - */ -int -virNetfilterAddDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) -{ - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveDontMasquerade: - * @netaddr: the source network name - * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr - * @physdev: the physical output device or NULL - * @destaddr: the destination network not to masquerade for - * - * Remove rules from the IP table context that prevent masquerading from - * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables/nftables, it must not depend on user input or - * configuration. - * - * Returns 0 in case of success or an error code otherwise. - */ -int -virNetfilterRemoveDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) -{ - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_NETFILTER_DELETE); -} - static void iptablesOutputFixUdpChecksum(virFirewall *fw, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -XXX,XX +XXX,XX @@ #include "virsocketaddr.h" #include "virfirewall.h" +/* These functions are (currently) called directly from the consumer + * (e.g. the network driver), and only when the iptables backend is + * selected. (Possibly/probably functions should be added to the + * netfilter*() API that will call them instead, but that first + * requires untangling all the special cases for setting up private + * chains that are necessitated by firewalld reloads). + */ int iptablesSetupPrivateChains (virFirewallLayer layer); -void virNetfilterAddTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void virNetfilterAddUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void virNetfilterAddTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterAddUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -int virNetfilterAddForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -int virNetfilterAddForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -void virNetfilterAddForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void virNetfilterRemoveForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void virNetfilterAddForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void virNetfilterRemoveForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void virNetfilterAddForwardRejectIn (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void virNetfilterRemoveForwardRejectIn(virFirewall *fw, - virFirewallLayer layery, - const char *iface); - -int virNetfilterAddForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterAddDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; void iptablesAddOutputFixUdpChecksum (virFirewall *fw, const char *iface, int port); void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw, const char *iface, int port); + +/* These functions are only called from virnetfilter.c. Each can be + * called with an action of VIR_NETFILTER_INSERT or + * VIR_NETFILTER_DELETE, to add or remove the described rule(s) in the + * appropriate chain. + */ + +void +iptablesInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int action, + int tcp); + +void +iptablesOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int action, + int tcp); + +int +iptablesForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action); + +int +iptablesForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action); + +int +iptablesForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action); + + +void +iptablesForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action); + +void +iptablesForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action); + +void +iptablesForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action); + +int +iptablesForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + int action); + +int +iptablesForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + int action); diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/util/virnetfilter.c @@ -XXX,XX +XXX,XX @@ +/* + * virnetfilter.c: backend-agnostic packet filter helper APIs + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#include <config.h> + +#include <stdarg.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include "internal.h" +#include "virnetfilter.h" +#include "viriptables.h" +#include "vircommand.h" +#include "viralloc.h" +#include "virerror.h" +#include "virfile.h" +#include "virlog.h" +#include "virthread.h" +#include "virstring.h" +#include "virutil.h" +#include "virhash.h" + +VIR_LOG_INIT("util.netfilter"); + +#define VIR_FROM_THIS VIR_FROM_NONE + + +/** + * virNetfilterAddTcpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to add + * + * Add an input to the IP table allowing access to the given @port on + * the given @iface interface for TCP packets + */ +void +virNetfilterAddTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); +} + + +/** + * virNetfilterRemoveTcpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to remove + * + * Removes an input from the IP table, hence forbidding access to the given + * @port on the given @iface interface for TCP packets + */ +void +virNetfilterRemoveTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); +} + + +/** + * virNetfilterAddUdpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to add + * + * Add an input to the IP table allowing access to the given @port on + * the given @iface interface for UDP packets + */ +void +virNetfilterAddUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); +} + + +/** + * virNetfilterRemoveUdpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an input from the IP table, hence forbidding access to the given + * @port on the given @iface interface for UDP packets + */ +void +virNetfilterRemoveUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); +} + + +/** + * virNetfilterAddTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to add + * + * Add an output to the IP table allowing access to the given @port from + * the given @iface interface for TCP packets + */ +void +virNetfilterAddTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); +} + + +/** + * virNetfilterRemoveTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an output from the IP table, hence forbidding access to the given + * @port from the given @iface interface for TCP packets + */ +void +virNetfilterRemoveTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); +} + + +/** + * virNetfilterAddUdpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to add + * + * Add an output to the IP table allowing access to the given @port from + * the given @iface interface for UDP packets + */ +void +virNetfilterAddUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); +} + + +/** + * virNetfilterRemoveUdpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an output from the IP table, hence forbidding access to the given + * @port from the given @iface interface for UDP packets + */ +void +virNetfilterRemoveUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); +} + + +/** + * virNetfilterAddForwardAllowOut: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the source interface name + * @physdev: the physical output device + * + * Add a rule to the IP table context to allow the traffic for the + * network @network via interface @iface to be forwarded to + * @physdev device. This allow the outbound traffic on a bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowOut: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the source interface name + * @physdev: the physical output device + * + * Remove a rule from the IP table context hence forbidding forwarding + * of the traffic for the network @network via interface @iface + * to the @physdev device output. This stops the outbound traffic on a bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardAllowRelatedIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Add rules to the IP table context to allow the traffic for the + * network @network on @physdev device to be forwarded to + * interface @iface, if it is part of an existing connection. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowRelatedIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Remove rules from the IP table context hence forbidding the traffic for + * network @network on @physdev device to be forwarded to + * interface @iface, if it is part of an existing connection. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardAllowIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Add rules to the IP table context to allow the traffic for the + * network @network on @physdev device to be forwarded to + * interface @iface. This allow the inbound traffic on a bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Remove rules from the IP table context hence forbidding the traffic for + * network @network on @physdev device to be forwarded to + * interface @iface. This stops the inbound traffic on a bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardAllowCross: + * @ctx: pointer to the IP table context + * @iface: the input/output interface name + * + * Add rules to the IP table context to allow traffic to cross that + * interface. It allows all traffic between guests on the same bridge + * represented by that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowCross: + * @ctx: pointer to the IP table context + * @iface: the input/output interface name + * + * Remove rules to the IP table context to block traffic to cross that + * interface. It forbids traffic between guests on the same bridge + * represented by that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardRejectOut: + * @ctx: pointer to the IP table context + * @iface: the output interface name + * + * Add rules to the IP table context to forbid all traffic to that + * interface. It forbids forwarding from the bridge to that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterAddForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); +} + +/** + * virNetfilterRemoveForwardRejectOut: + * @ctx: pointer to the IP table context + * @iface: the output interface name + * + * Remove rules from the IP table context forbidding all traffic to that + * interface. It reallow forwarding from the bridge to that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardRejectIn: + * @ctx: pointer to the IP table context + * @iface: the input interface name + * + * Add rules to the IP table context to forbid all traffic from that + * interface. It forbids forwarding from that interface to the bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterAddForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardRejectIn: + * @ctx: pointer to the IP table context + * @iface: the input interface name + * + * Remove rules from the IP table context forbidding all traffic from that + * interface. It allows forwarding from that interface to the bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardMasquerade: + * @ctx: pointer to the IP table context + * @network: the source network name + * @physdev: the physical input device or NULL + * @protocol: the network protocol or NULL + * + * Add rules to the IP table context to allow masquerading + * network @network on @physdev. This allow the bridge to + * masquerade for that network (on @physdev). + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + return iptablesForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardMasquerade: + * @ctx: pointer to the IP table context + * @network: the source network name + * @physdev: the physical input device or NULL + * @protocol: the network protocol or NULL + * + * Remove rules from the IP table context to stop masquerading + * network @network on @physdev. This stops the bridge from + * masquerading for that network (on @physdev). + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + return iptablesForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddDontMasquerade: + * @netaddr: the source network name + * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr + * @physdev: the physical output device or NULL + * @destaddr: the destination network not to masquerade for + * + * Add rules to the IP table context to avoid masquerading from + * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format + * directly consumable by iptables/nftables, it must not depend on user input or + * configuration. + * + * Returns 0 in case of success or an error code otherwise. + */ +int +virNetfilterAddDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveDontMasquerade: + * @netaddr: the source network name + * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr + * @physdev: the physical output device or NULL + * @destaddr: the destination network not to masquerade for + * + * Remove rules from the IP table context that prevent masquerading from + * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format + * directly consumable by iptables/nftables, it must not depend on user input or + * configuration. + * + * Returns 0 in case of success or an error code otherwise. + */ +int +virNetfilterRemoveDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_NETFILTER_DELETE); +} diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/util/virnetfilter.h @@ -XXX,XX +XXX,XX @@ +/* + * virnetfilter.h: backend-agnostic packet filter helper APIs + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "virsocketaddr.h" +#include "virfirewall.h" + +enum { + VIR_NETFILTER_INSERT = 0, + VIR_NETFILTER_DELETE +}; + +void virNetfilterAddTcpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveTcpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterAddUdpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveUdpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); + +void virNetfilterAddTcpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveTcpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterAddUdpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveUdpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); + +int virNetfilterAddForwardAllowOut (virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; + +int virNetfilterAddForwardAllowIn (virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; + +void virNetfilterAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface); +void virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface); + +void virNetfilterAddForwardRejectOut (virFirewall *fw, + virFirewallLayer layer, + const char *iface); +void virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface); + +void virNetfilterAddForwardRejectIn (virFirewall *fw, + virFirewallLayer layer, + const char *iface); +void virNetfilterRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layery, + const char *iface); + +int virNetfilterAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterAddDontMasquerade (virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) + G_GNUC_WARN_UNUSED_RESULT; -- 2.39.2
and take advantage of this to replace all the ternary operators when calling virFirewallAddRule() with virIptablesActionTypeToString(). (NB: the VIR_ENUM declaration uses "virIptablesAction" rather than "virFirewallAction" because the string it produces is specific to the iptables backend. A separate VIR_ENUM for "virNftablesAction", producing slightly different strings, will be added later for the nftables backend.) Signed-off-by: Laine Stump <laine@redhat.com> --- src/util/virfirewall.h | 8 +++++ src/util/viriptables.c | 69 ++++++++++++++++++++++++----------------- src/util/viriptables.h | 21 +++++++------ src/util/virnetfilter.c | 49 +++++++++++++++-------------- src/util/virnetfilter.h | 5 --- 5 files changed, 84 insertions(+), 68 deletions(-) diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ typedef enum { VIR_FIREWALL_LAYER_LAST, } virFirewallLayer; +typedef enum { + VIR_FIREWALL_ACTION_INSERT, + VIR_FIREWALL_ACTION_APPEND, + VIR_FIREWALL_ACTION_DELETE, + + VIR_FIREWALL_ACTION_LAST +} virFirewallAction; + virFirewall *virFirewallNew(void); void virFirewallFree(virFirewall *firewall); diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ #include "virerror.h" #include "virlog.h" #include "virhash.h" +#include "virenum.h" VIR_LOG_INIT("util.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE + +VIR_ENUM_DECL(virIptablesAction); +VIR_ENUM_IMPL(virIptablesAction, + VIR_FIREWALL_ACTION_LAST, + "--insert", + "--append", + "--delete", +); + + typedef struct { const char *parent; const char *child; @@ -XXX,XX +XXX,XX @@ iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp) { g_autofree char *portstr = g_strdup_printf("%d", port); virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_INP", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp) { g_autofree char *portstr = g_strdup_printf("%d", port); virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_OUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + virFirewallAction action) { g_autofree char *networkstr = NULL; virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + virFirewallAction action) { virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + virFirewallAction action) { virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + virFirewallAction action) { virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWX", "--in-interface", iface, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + virFirewallAction action) { virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWO", "--in-interface", iface, "--jump", "REJECT", @@ -XXX,XX +XXX,XX @@ void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + virFirewallAction action) { virFirewallAddRule(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--out-interface", iface, "--jump", "REJECT", @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, virSocketAddrRange *addr, virPortRange *port, const char *protocol, - int action) + virFirewallAction action) { g_autofree char *networkstr = NULL; g_autofree char *addrStartStr = NULL; @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, if (protocol && protocol[0]) { rule = virFirewallAddRule(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--source", networkstr, "-p", protocol, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, } else { rule = virFirewallAddRule(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--source", networkstr, "!", "--destination", networkstr, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, unsigned int prefix, const char *physdev, const char *destaddr, - int action) + virFirewallAction action) { g_autofree char *networkstr = NULL; virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--out-interface", physdev, "--source", networkstr, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--source", networkstr, "--destination", destaddr, @@ -XXX,XX +XXX,XX @@ static void iptablesOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port, - int action) + virFirewallAction action) { g_autofree char *portstr = g_strdup_printf("%d", port); virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--out-interface", iface, "--protocol", "udp", @@ -XXX,XX +XXX,XX @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_FIREWALL_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_FIREWALL_ACTION_DELETE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -XXX,XX +XXX,XX @@ #include "virsocketaddr.h" #include "virfirewall.h" +#include "virnetfilter.h" /* These functions are (currently) called directly from the consumer * (e.g. the network driver), and only when the iptables backend is @@ -XXX,XX +XXX,XX @@ iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp); void @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp); int @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action); + virFirewallAction action); int iptablesForwardAllowRelatedIn(virFirewall *fw, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action); + virFirewallAction action); int iptablesForwardAllowIn(virFirewall *fw, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action); + virFirewallAction action); void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action); + virFirewallAction action); void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action); + virFirewallAction action); void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action); + virFirewallAction action); int iptablesForwardMasquerade(virFirewall *fw, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, virSocketAddrRange *addr, virPortRange *port, const char *protocol, - int action); + virFirewallAction action); int iptablesForwardDontMasquerade(virFirewall *fw, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, unsigned int prefix, const char *physdev, const char *destaddr, - int action); + virFirewallAction action); diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -XXX,XX +XXX,XX @@ virNetfilterAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, VIR_NETFILTER_INSERT); + physdev, destaddr, + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveDontMasquerade(virFirewall *fw, { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h @@ -XXX,XX +XXX,XX @@ #include "virsocketaddr.h" #include "virfirewall.h" -enum { - VIR_NETFILTER_INSERT = 0, - VIR_NETFILTER_DELETE -}; - void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, -- 2.39.2
This is done so that we can be sure we're using the same chain name for iptables and nftables. Not strictly necessary, but it will make documentation and troubleshooting simpler. Signed-off-by: Laine Stump <laine@redhat.com> --- src/util/viriptables.c | 44 ++++++++++++++++++++--------------------- src/util/virnetfilter.h | 7 +++++++ 2 files changed, 29 insertions(+), 22 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ iptablesSetupPrivateChains(virFirewallLayer layer) { g_autoptr(virFirewall) fw = virFirewallNew(); iptablesGlobalChain filter_chains[] = { - {"INPUT", "LIBVIRT_INP"}, - {"OUTPUT", "LIBVIRT_OUT"}, - {"FORWARD", "LIBVIRT_FWO"}, - {"FORWARD", "LIBVIRT_FWI"}, - {"FORWARD", "LIBVIRT_FWX"}, + {"INPUT", VIR_NETFILTER_INPUT_CHAIN}, + {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN}, }; iptablesGlobalChain natmangle_chains[] = { - {"POSTROUTING", "LIBVIRT_PRT"}, + {"POSTROUTING", VIR_NETFILTER_NAT_POSTROUTE_CHAIN}, }; bool changed = false; iptablesGlobalChainData data[] = { @@ -XXX,XX +XXX,XX @@ iptablesInput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_INP", + VIR_NETFILTER_INPUT_CHAIN, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_OUT", + VIR_NETFILTER_OUTPUT_CHAIN, "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowCross(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWX", + VIR_NETFILTER_FWD_X_CHAIN, "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--in-interface", iface, "--jump", "REJECT", NULL); @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--out-interface", iface, "--jump", "REJECT", NULL); @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, rule = virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, rule = virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -XXX,XX +XXX,XX @@ iptablesOutputFixUdpChecksum(virFirewall *fw, virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h @@ -XXX,XX +XXX,XX @@ #include "virsocketaddr.h" #include "virfirewall.h" +#define VIR_NETFILTER_INPUT_CHAIN "LIBVIRT_INP" +#define VIR_NETFILTER_OUTPUT_CHAIN "LIBVIRT_OUT" +#define VIR_NETFILTER_FWD_IN_CHAIN "LIBVIRT_FWI" +#define VIR_NETFILTER_FWD_OUT_CHAIN "LIBVIRT_FWO" +#define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX" +#define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" + void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, -- 2.39.2
This is the only iptables-specific function in all of virfirewall.c. By moving it to viriptables.c (with appropriate renaming), and calling it indirectly through a similarly named wrapper function in virnetfilter.c, we have made virfirewall.c backend agnostic (the new wrapper function will soon be calling either virIptablesApplyFirewallRule() or (to-be-created) virNftablesApplyFirewallRule() depending on the backend chosen when creating the virFirewall object). Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 72 ++----------------------------------- src/util/viriptables.c | 78 ++++++++++++++++++++++++++++++++++++++++ src/util/viriptables.h | 6 ++++ src/util/virnetfilter.c | 19 ++++++++++ src/util/virnetfilter.h | 3 ++ 6 files changed, 110 insertions(+), 70 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virInitctlSetRunLevel; iptablesAddOutputFixUdpChecksum; iptablesRemoveOutputFixUdpChecksum; iptablesSetupPrivateChains; +virIptablesApplyFirewallRule; # util/viriscsi.h @@ -XXX,XX +XXX,XX @@ virNetfilterAddTcpInput; virNetfilterAddTcpOutput; virNetfilterAddUdpInput; virNetfilterAddUdpOutput; +virNetfilterApplyFirewallRule; virNetfilterRemoveDontMasquerade; virNetfilterRemoveForwardAllowCross; virNetfilterRemoveForwardAllowIn; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ #include "virfirewall.h" #include "virfirewalld.h" +#include "virnetfilter.h" #include "viralloc.h" #include "virerror.h" #include "vircommand.h" @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.firewall"); typedef struct _virFirewallGroup virFirewallGroup; -VIR_ENUM_DECL(virFirewallLayerCommand); -VIR_ENUM_IMPL(virFirewallLayerCommand, - VIR_FIREWALL_LAYER_LAST, - EBTABLES, - IPTABLES, - IP6TABLES, -); - struct _virFirewallRule { virFirewallLayer layer; @@ -XXX,XX +XXX,XX @@ virFirewallRuleToString(const char *cmd, } -static int -virFirewallApplyRuleDirect(virFirewallRule *rule, - char **output) -{ - size_t i; - const char *bin = virFirewallLayerCommandTypeToString(rule->layer); - g_autoptr(virCommand) cmd = NULL; - g_autofree char *cmdStr = NULL; - int status; - g_autofree char *error = NULL; - - if (!bin) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Unknown firewall layer %1$d"), - rule->layer); - return -1; - } - - cmd = virCommandNewArgList(bin, NULL); - - /* lock to assure nobody else is messing with the tables while we are */ - switch (rule->layer) { - case VIR_FIREWALL_LAYER_ETHERNET: - virCommandAddArg(cmd, "--concurrent"); - break; - case VIR_FIREWALL_LAYER_IPV4: - case VIR_FIREWALL_LAYER_IPV6: - virCommandAddArg(cmd, "-w"); - break; - case VIR_FIREWALL_LAYER_LAST: - break; - } - - for (i = 0; i < rule->argsLen; i++) - virCommandAddArg(cmd, rule->args[i]); - - cmdStr = virCommandToString(cmd, false); - VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); - - virCommandSetOutputBuffer(cmd, output); - virCommandSetErrorBuffer(cmd, &error); - - if (virCommandRun(cmd, &status) < 0) - return -1; - - if (status != 0) { - if (virFirewallRuleGetIgnoreErrors(rule)) { - VIR_DEBUG("Ignoring error running command"); - } else { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Failed to apply firewall rules %1$s: %2$s"), - NULLSTR(cmdStr), NULLSTR(error)); - VIR_FREE(*output); - return -1; - } - } - - return 0; -} - - static int virFirewallApplyRule(virFirewall *firewall, virFirewallRule *rule) @@ -XXX,XX +XXX,XX @@ virFirewallApplyRule(virFirewall *firewall, g_autofree char *output = NULL; g_auto(GStrv) lines = NULL; - if (virFirewallApplyRuleDirect(rule, &output) < 0) + if (virNetfilterApplyFirewallRule(firewall, rule, &output) < 0) return -1; if (rule->queryCB && output) { diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ #include "viriptables.h" #include "virfirewalld.h" #include "virerror.h" +#include "viralloc.h" +#include "vircommand.h" #include "virlog.h" #include "virhash.h" #include "virenum.h" @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE +/* iptables backend uses a different program for each layer. This + * gives us a convenient function for converting VIR_FIREWALL_LAYER_* + * enum from a virFirewallRule into a binary name. + */ +VIR_ENUM_DECL(virIptablesLayerCommand); +VIR_ENUM_IMPL(virIptablesLayerCommand, + VIR_FIREWALL_LAYER_LAST, + EBTABLES, + IPTABLES, + IP6TABLES, +); + + VIR_ENUM_DECL(virIptablesAction); VIR_ENUM_IMPL(virIptablesAction, VIR_FIREWALL_ACTION_LAST, @@ -XXX,XX +XXX,XX @@ VIR_ENUM_IMPL(virIptablesAction, ); +int +virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, + virFirewallRule *rule, + char **output) +{ + virFirewallLayer layer = virFirewallRuleGetLayer(rule); + const char *bin = virIptablesLayerCommandTypeToString(layer); + g_autoptr(virCommand) cmd = NULL; + g_autofree char *cmdStr = NULL; + g_autofree char *error = NULL; + size_t i, count; + int status; + + if (!bin) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unknown firewall layer %1$d"), layer); + return -1; + } + + cmd = virCommandNewArgList(bin, NULL); + + /* lock to assure nobody else is messing with the tables while we are */ + switch (layer) { + case VIR_FIREWALL_LAYER_ETHERNET: + virCommandAddArg(cmd, "--concurrent"); + break; + case VIR_FIREWALL_LAYER_IPV4: + case VIR_FIREWALL_LAYER_IPV6: + virCommandAddArg(cmd, "-w"); + break; + case VIR_FIREWALL_LAYER_LAST: + break; + } + + count = virFirewallRuleGetArgCount(rule); + for (i = 0; i < count; i++) + virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); + + cmdStr = virCommandToString(cmd, false); + VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + + virCommandSetOutputBuffer(cmd, output); + virCommandSetErrorBuffer(cmd, &error); + + if (virCommandRun(cmd, &status) < 0) + return -1; + + if (status != 0) { + if (virFirewallRuleGetIgnoreErrors(rule)) { + VIR_DEBUG("Ignoring error running command"); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to apply firewall rules %1$s: %2$s"), + NULLSTR(cmdStr), NULLSTR(error)); + VIR_FREE(*output); + return -1; + } + } + + return 0; +} + + typedef struct { const char *parent; const char *child; diff --git a/src/util/viriptables.h b/src/util/viriptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -XXX,XX +XXX,XX @@ #include "virfirewall.h" #include "virnetfilter.h" +/* virIptablesApplyFirewallRule should be called only from virnetfilter.c */ +int +virIptablesApplyFirewallRule(virFirewall *firewall, + virFirewallRule *rule, + char **output); + /* These functions are (currently) called directly from the consumer * (e.g. the network driver), and only when the iptables backend is * selected. (Possibly/probably functions should be added to the diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.netfilter"); #define VIR_FROM_THIS VIR_FROM_NONE +/** + * virNetfilterApplyFirewallRule: + * @fw: the virFirewall this rule is part of (currently unused) + * @rule: this particular rule + * @ignoreErrors: true if errors should be ignored + * @output: everything that appears on stdout as a result of applying the rule + * + * Applies @rule to the host's network filtering. returns 0 on success + * -1 on failure. + */ +int +virNetfilterApplyFirewallRule(virFirewall *fw, + virFirewallRule *rule, + char **output) +{ + return virIptablesApplyFirewallRule(fw, rule, output); +} + + /** * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h @@ -XXX,XX +XXX,XX @@ #define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX" #define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" +int virNetfilterApplyFirewallRule (virFirewall *fw, + virFirewallRule *rule, + char **output); void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, -- 2.39.2
In the past, virFirewallBackend was a private static in virfirewall.c that was set at daemon init time, and used to globally (i.e. for all drivers in the daemon) determine whether to directly execute iptables commands, or to run them indirectly via the firewalld passthrough API. This was removed in commit d566cc55, since we decided that using the firewalld passthrough API is never appropriate. Now the virFirewallBackend enum is being reintroduced, with a slightly different meaning and usage pattern. It will be used to pick between using nftables commands or iptables commands (in either case directly handled by libvirt, *not* via firewalld). Additionally, rather than being a static known only within virfirewall.c and applying to all firewall commands for all drivers, each virFirewall object will have its own backend setting, which will be set during virFirewallNew() by the driver who wants to add a firewall rule. This will allow the nwfilter and network drivers to each have their own backend setting, even when they coexist in a single unified daemon. At least as important as that, it will also allow an instance of the network driver to remove iptables rules that had been added by a previous instance, and then add nftables rules for the new instance (in the case that an admin, or possibly an update, switches the driver backend from iptables to nftable) Initially, the enum will only have one usable value - VIR_FIREWALL_BACKEND_IPTABLES, and that will be hardcoded into all calls to virFirewallNew(). The other enum value (along with a method of setting it for each driver) will be added later, when it can be used (when the nftables backend is in the code). Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 3 +++ src/network/bridge_driver_linux.c | 4 ++-- src/nwfilter/nwfilter_ebiptables_driver.c | 16 ++++++++-------- src/util/virebtables.c | 4 ++-- src/util/virfirewall.c | 16 +++++++++++++++- src/util/virfirewall.h | 12 +++++++++++- src/util/viriptables.c | 2 +- tests/virfirewalltest.c | 20 ++++++++++---------- 8 files changed, 52 insertions(+), 25 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddRuleFull; virFirewallApply; +virFirewallBackendTypeFromString; +virFirewallBackendTypeToString; virFirewallFree; +virFirewallGetBackend; virFirewallNew; virFirewallRemoveRule; virFirewallRuleAddArg; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ int networkAddFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -XXX,XX +XXX,XX @@ void networkRemoveFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); networkRemoveChecksumFirewallRules(fw, def); diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -XXX,XX +XXX,XX @@ static int ebtablesApplyBasicRules(const char *ifname, const virMacAddr *macaddr) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); char chain[MAX_CHAINNAME_LENGTH]; char chainPrefix = CHAINPREFIX_HOST_IN_TEMP; char macaddr_str[VIR_MAC_STRING_BUFLEN]; @@ -XXX,XX +XXX,XX @@ ebtablesApplyDHCPOnlyRules(const char *ifname, char macaddr_str[VIR_MAC_STRING_BUFLEN]; unsigned int idx = 0; unsigned int num_dhcpsrvrs; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virMacAddrFormat(macaddr, macaddr_str); @@ -XXX,XX +XXX,XX @@ ebtablesApplyDropAllRules(const char *ifname) { char chain_in [MAX_CHAINNAME_LENGTH], chain_out[MAX_CHAINNAME_LENGTH]; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); if (ebiptablesAllTeardown(ifname) < 0) return -1; @@ -XXX,XX +XXX,XX @@ ebtablesRemoveBasicRules(const char *ifname) static int ebtablesCleanAll(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -XXX,XX +XXX,XX @@ ebiptablesApplyNewRules(const char *ifname, size_t nrules) { size_t i, j; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); g_autoptr(GHashTable) chains_in_set = virHashNew(NULL); g_autoptr(GHashTable) chains_out_set = virHashNew(NULL); bool haveEbtables = false; @@ -XXX,XX +XXX,XX @@ ebiptablesTearNewRulesFW(virFirewall *fw, const char *ifname) static int ebiptablesTearNewRules(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -XXX,XX +XXX,XX @@ ebiptablesTearNewRules(const char *ifname) static int ebiptablesTearOldRules(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -XXX,XX +XXX,XX @@ ebiptablesTearOldRules(const char *ifname) static int ebiptablesAllTeardown(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); diff --git a/src/util/virebtables.c b/src/util/virebtables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -XXX,XX +XXX,XX @@ ebtablesContextFree(ebtablesContext *ctx) int ebtablesAddForwardPolicyReject(ebtablesContext *ctx) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, @@ -XXX,XX +XXX,XX @@ ebtablesForwardAllowIn(ebtablesContext *ctx, const char *macaddr, int action) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, 0); virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.firewall"); +VIR_ENUM_IMPL(virFirewallBackend, + VIR_FIREWALL_BACKEND_LAST, + "UNSET", /* not yet set */ + "iptables"); + typedef struct _virFirewallGroup virFirewallGroup; struct _virFirewallRule { @@ -XXX,XX +XXX,XX @@ struct _virFirewall { size_t ngroups; virFirewallGroup **groups; size_t currentGroup; + virFirewallBackend backend; }; static virMutex ruleLock = VIR_MUTEX_INITIALIZER; @@ -XXX,XX +XXX,XX @@ virFirewallGroupNew(void) * * Returns the new firewall ruleset */ -virFirewall *virFirewallNew(void) +virFirewall *virFirewallNew(virFirewallBackend backend) { virFirewall *firewall = g_new0(virFirewall, 1); + firewall->backend = backend; return firewall; } +virFirewallBackend +virFirewallGetBackend(virFirewall *firewall) +{ + return firewall->backend; +} + + static void virFirewallRuleFree(virFirewallRule *rule) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ #pragma once #include "internal.h" +#include "virenum.h" typedef struct _virFirewall virFirewall; @@ -XXX,XX +XXX,XX @@ typedef enum { VIR_FIREWALL_ACTION_LAST } virFirewallAction; -virFirewall *virFirewallNew(void); +typedef enum { + VIR_FIREWALL_BACKEND_UNSET, + VIR_FIREWALL_BACKEND_IPTABLES, + + VIR_FIREWALL_BACKEND_LAST, +} virFirewallBackend; + +VIR_ENUM_DECL(virFirewallBackend); +virFirewall *virFirewallNew(virFirewallBackend backend); void virFirewallFree(virFirewall *firewall); +virFirewallBackend virFirewallGetBackend(virFirewall *firewall); /** * virFirewallAddRule: diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ iptablesPrivateChainCreate(virFirewall *fw, int iptablesSetupPrivateChains(virFirewallLayer layer) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); iptablesGlobalChain filter_chains[] = { {"INPUT", VIR_NETFILTER_INPUT_CHAIN}, {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN}, diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -XXX,XX +XXX,XX @@ static int testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallManyRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallQuery(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" -- 2.39.2
Signed-off-by: Laine Stump <laine@redhat.com> --- libvirt.spec.in | 3 ++ src/network/libvirtd_network.aug | 36 ++++++++++++++++++++++++ src/network/meson.build | 11 ++++++++ src/network/network.conf | 3 ++ src/network/test_libvirtd_network.aug.in | 2 ++ 5 files changed, 55 insertions(+) create mode 100644 src/network/libvirtd_network.aug create mode 100644 src/network/network.conf create mode 100644 src/network/test_libvirtd_network.aug.in diff --git a/libvirt.spec.in b/libvirt.spec.in index XXXXXXX..XXXXXXX 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -XXX,XX +XXX,XX @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf %{_datadir}/augeas/lenses/virtnetworkd.aug %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug +%config(noreplace) %{_sysconfdir}/libvirt/network.conf +%{_datadir}/augeas/lenses/libvirtd_network.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug %{_unitdir}/virtnetworkd.service %{_unitdir}/virtnetworkd.socket %{_unitdir}/virtnetworkd-ro.socket diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_network.aug new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/libvirtd_network.aug @@ -XXX,XX +XXX,XX @@ +(* /etc/libvirt/network.conf *) + +module Libvirtd_network = + autoload xfm + + let eol = del /[ \t]*\n/ "\n" + let value_sep = del /[ \t]*=[ \t]*/ " = " + let indent = del /[ \t]*/ "" + + let array_sep = del /,[ \t\n]*/ ", " + let array_start = del /\[[ \t\n]*/ "[ " + let array_end = del /\]/ "]" + + let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\"" + let bool_val = store /0|1/ + let int_val = store /[0-9]+/ + let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ "" + let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end + + let str_entry (kw:string) = [ key kw . value_sep . str_val ] + let bool_entry (kw:string) = [ key kw . value_sep . bool_val ] + let int_entry (kw:string) = [ key kw . value_sep . int_val ] + let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ] + + (* Each entry in the config is one of the following *) + let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] + let empty = [ label "#empty" . eol ] + + let record = indent . eol + + let lns = ( record | comment | empty ) * + + let filter = incl "/etc/libvirt/network.conf" + . Util.stdexcl + + let xfm = transform lns filter diff --git a/src/network/meson.build b/src/network/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -XXX,XX +XXX,XX @@ if conf.has('WITH_NETWORK') ], } + virt_conf_files += files('network.conf') + virt_aug_files += files('libvirtd_network.aug') + virt_test_aug_files += { + 'name': 'test_libvirtd_network.aug', + 'aug': files('test_libvirtd_network.aug.in'), + 'conf': files('network.conf'), + 'test_name': 'libvirtd_network', + 'test_srcdir': meson.current_source_dir(), + 'test_builddir': meson.current_build_dir(), + } + virt_daemon_confs += { 'name': 'virtnetworkd', } diff --git a/src/network/network.conf b/src/network/network.conf new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/network.conf @@ -XXX,XX +XXX,XX @@ +# Master configuration file for the network driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_libvirtd_network.aug.in new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/test_libvirtd_network.aug.in @@ -XXX,XX +XXX,XX @@ +module Test_libvirtd_network = + @CONFIG@ -- 2.39.2
It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=nftables" in /etc/libvirt/network.conf. If firewall_backend isn't set in network.conf, then libvirt will check to see if the iptables binary is present on the system and set firewallBackend to iptables; if not, it will be left as "unset", which (once multiple backends are available) will trigger an appropriate error message the first time we attempt to add a rule. Signed-off-by: Laine Stump <laine@redhat.com> --- src/network/bridge_driver.c | 22 +++++++------ src/network/bridge_driver_conf.c | 40 ++++++++++++++++++++++++ src/network/bridge_driver_conf.h | 3 ++ src/network/bridge_driver_linux.c | 12 ++++--- src/network/bridge_driver_nop.c | 6 ++-- src/network/bridge_driver_platform.h | 6 ++-- src/network/libvirtd_network.aug | 5 ++- src/network/network.conf | 8 +++++ src/network/test_libvirtd_network.aug.in | 3 ++ tests/networkxml2firewalltest.c | 2 +- 10 files changed, 87 insertions(+), 20 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -XXX,XX +XXX,XX @@ static int networkReloadFirewallRulesHelper(virNetworkObj *obj, void *opaque G_GNUC_UNUSED) { + g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(networkGetDriver()); VIR_LOCK_GUARD lock = virObjectLockGuard(obj); virNetworkDef *def = virNetworkObjGetDef(obj); @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward='open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def); - ignore_value(networkAddFirewallRules(def)); + networkRemoveFirewallRules(def, cfg->firewallBackend); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); break; case VIR_NETWORK_FORWARD_OPEN: @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, /* Add "once per network" rules */ if (def->forward.type != VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def) < 0) + networkAddFirewallRules(def, cfg->firewallBackend) < 0) goto error; firewalRulesAdded = true; @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, if (firewalRulesAdded && def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); virNetworkObjUnrefMacMap(obj); @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, static int -networkShutdownNetworkVirtual(virNetworkObj *obj) +networkShutdownNetworkVirtual(virNetworkObj *obj, + virNetworkDriverConfig *cfg) { virNetworkDef *def = virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -XXX,XX +XXX,XX @@ networkShutdownNetworkVirtual(virNetworkObj *obj) ignore_value(virNetDevSetOnline(def->bridge, false)); if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); ignore_value(virNetDevBridgeDelete(def->bridge)); @@ -XXX,XX +XXX,XX @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret = networkShutdownNetworkVirtual(obj); + ret = networkShutdownNetworkVirtual(obj, cfg); break; case VIR_NETWORK_FORWARD_BRIDGE: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); needFirewallRefresh = true; break; default: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, parentIndex, xml, network_driver->xmlopt, flags) < 0) { if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def)); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); goto cleanup; } /* @def is replaced */ def = virNetworkObjGetDef(obj); - if (needFirewallRefresh && networkAddFirewallRules(def) < 0) + if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallBackend) < 0) goto cleanup; if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -XXX,XX +XXX,XX @@ #include "datatypes.h" #include "virlog.h" #include "virerror.h" +#include "virfile.h" #include "virutil.h" #include "bridge_driver_conf.h" @@ -XXX,XX +XXX,XX @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, const char *filename) { g_autoptr(virConf) conf = NULL; + g_autofree char *firewallBackendStr = NULL; /* if file doesn't exist or is unreadable, ignore the "error" */ if (access(filename, R_OK) == -1) @@ -XXX,XX +XXX,XX @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */ + if (virConfGetValueString(conf, "firewall_backend", &firewallBackendStr) < 0) + return -1; + + if (firewallBackendStr) { + int backend = virFirewallBackendTypeFromString(firewallBackendStr); + + if (backend < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown value for 'firewall_backend' in network.conf: '%1$s'"), + firewallBackendStr); + return -1; + } + + cfg->firewallBackend = backend; + VIR_INFO("using firewall_backend setting from network.conf: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + + } else { + + /* no .conf setting, so see what this host supports by looking + * for binaries used by the backends, and set accordingly. + */ + g_autofree char *iptablesInPath = NULL; + + /* virFindFileInPath() uses g_find_program_in_path(), + * which allows absolute paths, and verifies that + * the file is executable. + */ + if ((iptablesInPath = virFindFileInPath(IPTABLES))) + cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES; + + if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET) + VIR_INFO("firewall_backend not set, and no usable backend auto-detected"); + else + VIR_INFO("using auto-detected firewall_backend: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + } + return 0; } diff --git a/src/network/bridge_driver_conf.h b/src/network/bridge_driver_conf.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_conf.h +++ b/src/network/bridge_driver_conf.h @@ -XXX,XX +XXX,XX @@ #include "virdnsmasq.h" #include "virnetworkobj.h" #include "object_event.h" +#include "virfirewall.h" typedef struct _virNetworkDriverConfig virNetworkDriverConfig; struct _virNetworkDriverConfig { @@ -XXX,XX +XXX,XX @@ struct _virNetworkDriverConfig { char *stateDir; char *pidDir; char *dnsmasqStateDir; + + virFirewallBackend firewallBackend; }; G_DEFINE_AUTOPTR_CLEANUP_FUNC(virNetworkDriverConfig, virObjectUnref); diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw, /* Add all rules for all ip addresses (and general rules) on a network */ -int networkAddFirewallRules(virNetworkDef *def) +int +networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); + g_autoptr(virFirewall) fw = virFirewallNew(firewallBackend); if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -XXX,XX +XXX,XX @@ int networkAddFirewallRules(virNetworkDef *def) } /* Remove all rules for all ip addresses (and general rules) on a network */ -void networkRemoveFirewallRules(virNetworkDef *def) +void +networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); + g_autoptr(virFirewall) fw = virFirewallNew(firewallBackend); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); networkRemoveChecksumFirewallRules(fw, def); diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED) return 0; } -int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_UNUSED) { return 0; } -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_UNUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -XXX,XX +XXX,XX @@ void networkPostReloadFirewallRules(bool startup); int networkCheckRouteCollision(virNetworkDef *def); -int networkAddFirewallRules(virNetworkDef *def); +int networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); -void networkRemoveFirewallRules(virNetworkDef *def); +void networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_network.aug index XXXXXXX..XXXXXXX 100644 --- a/src/network/libvirtd_network.aug +++ b/src/network/libvirtd_network.aug @@ -XXX,XX +XXX,XX @@ module Libvirtd_network = let int_entry (kw:string) = [ key kw . value_sep . int_val ] let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ] + let firewall_backend_entry = str_entry "firewall_backend" + (* Each entry in the config is one of the following *) + let entry = firewall_backend_entry let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] let empty = [ label "#empty" . eol ] - let record = indent . eol + let record = indent . entry . eol let lns = ( record | comment | empty ) * diff --git a/src/network/network.conf b/src/network/network.conf index XXXXXXX..XXXXXXX 100644 --- a/src/network/network.conf +++ b/src/network/network.conf @@ -XXX,XX +XXX,XX @@ # Master configuration file for the network driver. # All settings described here are optional - if omitted, sensible # defaults are used. + +# firewall_backend: +# +# determines which subsystem to use to setup firewall packet +# filtering rules for virtual networks. Currently the only supported +# selection is "iptables". +# +#firewall_backend = "iptables" diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_libvirtd_network.aug.in index XXXXXXX..XXXXXXX 100644 --- a/src/network/test_libvirtd_network.aug.in +++ b/src/network/test_libvirtd_network.aug.in @@ -XXX,XX +XXX,XX @@ module Test_libvirtd_network = @CONFIG@ + + test Libvirtd_network.lns get conf = +{ "firewall_backend" = "iptables" } diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) return -1; - if (networkAddFirewallRules(def) < 0) + if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) return -1; actual = actualargv = virBufferContentAndReset(&buf); -- 2.39.2
Long long ago (commit fd5b15ff in July 2010), we determined that the combination of virtio-net + vhost packet handling (i.e. handling packets in the kernel rather than userspace) + very old guest OSes (e.g. RHEL5, but not even RHEL6) would result in the checksum of dhcp packets being unset, which would cause the packet to be dropped, and the guest would never acquire an IP address. The fix for this was for iptables to create a new rule that would fixup packet checksums for certain packets, and for libvirt to add one of these rules to the iptables "mangle" table. This was considered a horrid hack even at the time, and when nftables was created, the functionality wasn't replicated there. So when we add rules using nftables, there is no way to add such a rule, and your options are thus: 1) stop using outdated, out of support guest OSes 2) Don't use vhost=on for the guest virtio interface, ie. add <driver name='qemu'/> to the <interface> definition. 3) continue having libvirt use iptables for its rules (I'm not certain, but I think even this may fail depending on which iptables compatability packages are being used). All of this is to explain why we simply ignore calls to add a "checksum fixup" rule when the firewall backend isn't iptables. I could have plumbed this function all the way through virNetfilter* -> virNftables* and then done an empty return from there, but figured since it is a hack I'd rather keep it as localized as possible, and just cut it off right at the top of the call chain in the network driver. P.S. This specific behavior is really the only concrete reason for keeping around an iptables backend, rather than just replacing it with nftables. Signed-off-by: Laine Stump <laine@redhat.com> --- src/network/bridge_driver_linux.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ networkAddChecksumFirewallRules(virFirewall *fw, size_t i; virNetworkIPDef *ipv4def; + /* these rules are only supported by the iptables + * backend. nftables doesn't have equivalent functionality, + * because it was always seen as an ugly hack. Fortunately this + * hack was only ever needed for *very* old guest OSes (RHEL5 era) + * using virtio network device with vhost enabled. + */ + if (virFirewallGetBackend(fw) != VIR_FIREWALL_BACKEND_IPTABLES) + return; + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ /* We support dhcp config on 1 IPv4 interface only. */ for (i = 0; @@ -XXX,XX +XXX,XX @@ networkRemoveChecksumFirewallRules(virFirewall *fw, size_t i; virNetworkIPDef *ipv4def; + /* iptables backend only */ + if (virFirewallGetBackend(fw) != VIR_FIREWALL_BACKEND_IPTABLES) + return; + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ /* We support dhcp config on 1 IPv4 interface only. */ for (i = 0; -- 2.39.2
Instead of calling iptableSetupPrivateChains(), the network driver now calls virNetfilterSetupPrivateChains() (which right now always calls the iptables version of the function, but in the future might instead call the nftables version). virNetFilterSetupPrivateChains() needs an argument to know which backend to call, and that means that networkSetupPrivateChains() has to take an argument (we can't rely on getting the setting from the driver config, because the unit tests don't initialize the network driver). But networkSetupPrivateChains() was being called with virOnce(), and virOnce() doesn't support calling functions that require an argument (it's based on pthread_once(), which accepts no arguments, so it's not something we can easily fix in our implementation of virOnce()). So instead this patch changes things to handle the "do it once" functionality by adding a static lock, and putting all of networkSetupPrivateChains() (including the setting of "chainInitDone") inside a lock guard - now the places that used to call it via virOnce(), just call it directly instead. (If it turns out to be significant, we could optimize this by checking for chainInitDone outside the lock guard, returning immediately if it's already set, and then moving the setting of chainInitDone up to the top of the guarded section.) Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 30 +++++++++++++++--------------- src/util/viriptables.h | 7 ++++--- src/util/virnetfilter.c | 16 ++++++++++++++++ src/util/virnetfilter.h | 3 +++ 5 files changed, 39 insertions(+), 18 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveTcpInput; virNetfilterRemoveTcpOutput; virNetfilterRemoveUdpInput; virNetfilterRemoveUdpOutput; +virNetfilterSetupPrivateChains; # util/virnetlink.h diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.bridge_driver_linux"); #define PROC_NET_ROUTE "/proc/net/route" -static virOnceControl createdOnce; +static virMutex chainInitLock = VIR_MUTEX_INITIALIZER; static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */ static virErrorPtr errInitV4; static virErrorPtr errInitV6; -/* Usually only called via virOnce, but can also be called directly in - * response to firewalld reload (if chainInitDone == true) - */ -static void networkSetupPrivateChains(void) +static void networkSetupPrivateChains(virFirewallBackend backend, bool force) { + VIR_LOCK_GUARD lock = virLockGuardLock(&chainInitLock); int rc; + if (chainInitDone && !force) + return; + VIR_DEBUG("Setting up global firewall chains"); g_clear_pointer(&errInitV4, virFreeError); g_clear_pointer(&errInitV6, virFreeError); - rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4); + rc = virNetfilterSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV4); if (rc < 0) { VIR_DEBUG("Failed to create global IPv4 chains: %s", virGetLastErrorMessage()); @@ -XXX,XX +XXX,XX @@ static void networkSetupPrivateChains(void) VIR_DEBUG("Global IPv4 chains already exist"); } - rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); + rc = virNetfilterSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV6); if (rc < 0) { VIR_DEBUG("Failed to create global IPv6 chains: %s", virGetLastErrorMessage()); @@ -XXX,XX +XXX,XX @@ networkPreReloadFirewallRules(virNetworkDriverState *driver, bool startup G_GNUC_UNUSED, bool force) { + g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(driver); /* * If there are any running networks, we need to * create the global rules upfront. This allows us @@ -XXX,XX +XXX,XX @@ networkPreReloadFirewallRules(virNetworkDriverState *driver, */ if (chainInitDone && force) { /* The Private chains have already been initialized once - * during this run of libvirtd, so 1) we can't do it again via - * virOnce(), and 2) we need to re-add the private chains even + * during this run of libvirtd (known because chainInitDone == true) + * so we need to re-add the private chains even * if there are currently no running networks, because the * next time a network is started, libvirt will expect that - * the chains have already been added. So we call directly - * instead of via virOnce(). + * the chains have already been added. So we force the init. */ - networkSetupPrivateChains(); + networkSetupPrivateChains(cfg->firewallBackend, true); } else { if (!networkHasRunningNetworksWithFW(driver)) { @@ -XXX,XX +XXX,XX @@ networkPreReloadFirewallRules(virNetworkDriverState *driver, return; } - ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); + networkSetupPrivateChains(cfg->firewallBackend, false); } } @@ -XXX,XX +XXX,XX @@ networkAddFirewallRules(virNetworkDef *def, virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw = virFirewallNew(firewallBackend); - if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) - return -1; + networkSetupPrivateChains(firewallBackend, false); if (errInitV4 && (virNetworkDefGetIPByIndex(def, AF_INET, 0) || diff --git a/src/util/viriptables.h b/src/util/viriptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -XXX,XX +XXX,XX @@ virIptablesApplyFirewallRule(virFirewall *firewall, * requires untangling all the special cases for setting up private * chains that are necessitated by firewalld reloads). */ -int iptablesSetupPrivateChains (virFirewallLayer layer); - void iptablesAddOutputFixUdpChecksum (virFirewall *fw, const char *iface, int port); @@ -XXX,XX +XXX,XX @@ void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw, const char *iface, int port); -/* These functions are only called from virnetfilter.c. Each can be +/* These functions are only called from virnetfilter.c. Most can be * called with an action of VIR_NETFILTER_INSERT or * VIR_NETFILTER_DELETE, to add or remove the described rule(s) in the * appropriate chain. */ +int +iptablesSetupPrivateChains(virFirewallLayer layer); + void iptablesInput(virFirewall *fw, virFirewallLayer layer, diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -XXX,XX +XXX,XX @@ virNetfilterApplyFirewallRule(virFirewall *fw, } +/** + * virNetFilterSetupPrivateChains: + * @layer: VIR_NETFILTER_LAYER_IPV(4|6) + * + * Check if the private tables/chains needed for libvirt virtual + * networks exist in the systems filters, and add them if they're not + * already there. + * + */ +int +virNetfilterSetupPrivateChains(virFirewallBackend backend G_GNUC_UNUSED, + virFirewallLayer layer) +{ + return iptablesSetupPrivateChains(layer); +} + /** * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h @@ -XXX,XX +XXX,XX @@ int virNetfilterApplyFirewallRule (virFirewall *fw, virFirewallRule *rule, char **output); + +int virNetfilterSetupPrivateChains (virFirewallBackend backend, + virFirewallLayer layer); void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, -- 2.39.2
Many of the functions in virnetfilter.c are nearly identical to one or more other functions (e.g. they just call the same iptables function, but with INSERT|DELETE action). Rather than adding a switch(backend) into all 24 of these functions, make small wrappers for the 10 iptables* functions that those 24 call, and put switch(backend) in *those* functions. This is more work now, but will make shorter work of adding in nftables backend support. (To be truthful, I've gotten this far basically ignoring the details of the plethora of functions in the viriptables.c API, just faithfully tooling it around while keeping the callers unchanged (aside from the function renaming back at the beginning of the series). I'm now thinking maybe the original API should be simplified, and the callers (i.e. the network driver) modified to use that simplified API instead. But I've gotten this far so I might as well demonstrate working patches and ask for opinions rather than throwing away multiple patches and dealing with associated local merge/rebase conflicts due to changing patches early in the series for possibly no reason.) Signed-off-by: Laine Stump <laine@redhat.com> --- po/POTFILES | 1 + src/util/virfirewall.c | 14 +- src/util/virnetfilter.c | 320 +++++++++++++++++++++++++++++++++++----- 3 files changed, 293 insertions(+), 42 deletions(-) diff --git a/po/POTFILES b/po/POTFILES index XXXXXXX..XXXXXXX 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -XXX,XX +XXX,XX @@ src/util/virnetdevopenvswitch.c src/util/virnetdevtap.c src/util/virnetdevveth.c src/util/virnetdevvportprofile.c +src/util/virnetfilter.c src/util/virnetlink.c src/util/virnodesuspend.c src/util/virnuma.c diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallGroupNew(void) */ virFirewall *virFirewallNew(virFirewallBackend backend) { - virFirewall *firewall = g_new0(virFirewall, 1); + virFirewall *firewall = NULL; + + /* If we arrive here and backend is _UNSET, then either there is a + * bug in our code, or we couldn't find the necessary binaries for + * a working backend (e.g. no iptables of nft binary). + */ + if (backend == VIR_FIREWALL_BACKEND_UNSET) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewall_backend wasn't set, and no usable setting could be auto-detected")); + return NULL; + } + + firewall = g_new0(virFirewall, 1); firewall->backend = backend; return firewall; diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.netfilter"); #define VIR_FROM_THIS VIR_FROM_NONE +static void +virNetFilterBackendUnsetError(void) +{ + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewall_backend wasn't set, and no usable setting could be auto-detected")); +} + + +/* All functions with a switch checking virFirewallGetBackend(fw) will + * need a case in the switch for each backend. + */ + /** * virNetfilterApplyFirewallRule: * @fw: the virFirewall this rule is part of (currently unused) @@ -XXX,XX +XXX,XX @@ virNetfilterApplyFirewallRule(virFirewall *fw, virFirewallRule *rule, char **output) { - return virIptablesApplyFirewallRule(fw, rule, output); + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return virIptablesApplyFirewallRule(fw, rule, output); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; } @@ -XXX,XX +XXX,XX @@ virNetfilterApplyFirewallRule(virFirewall *fw, * */ int -virNetfilterSetupPrivateChains(virFirewallBackend backend G_GNUC_UNUSED, +virNetfilterSetupPrivateChains(virFirewallBackend backend, virFirewallLayer layer) { - return iptablesSetupPrivateChains(layer); + switch (backend) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesSetupPrivateChains(layer); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static void +virNetfilterInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesInput(fw, layer, iface, port, action, tcp); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesOutput(fw, layer, iface, port, action, tcp); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static int +virNetfilterForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowOut(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static int +virNetfilterForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; } + +static int +virNetfilterForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowIn(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static void +virNetfilterForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardAllowCross(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardRejectOut(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardRejectIn(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static int +virNetfilterForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, + addr, port, protocol, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static int +virNetfilterForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + /** * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context @@ -XXX,XX +XXX,XX @@ virNetfilterAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); + virNetfilterForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); + virNetfilterForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); + virNetfilterForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } + /** * virNetfilterRemoveForwardRejectOut: * @ctx: pointer to the IP table context @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); + virNetfilterForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); + virNetfilterForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); + virNetfilterForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_FIREWALL_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ virNetfilterAddDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_FIREWALL_ACTION_INSERT); } @@ -XXX,XX +XXX,XX @@ virNetfilterRemoveDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_FIREWALL_ACTION_DELETE); } -- 2.39.2
and include it in BuildRequires and Requires of the rpm specfile to make sure it's available when doing official distro builds. Signed-off-by: Laine Stump <laine@redhat.com> --- libvirt.spec.in | 2 ++ meson.build | 1 + 2 files changed, 3 insertions(+) diff --git a/libvirt.spec.in b/libvirt.spec.in index XXXXXXX..XXXXXXX 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -XXX,XX +XXX,XX @@ BuildRequires: libnl3-devel BuildRequires: libselinux-devel BuildRequires: iptables BuildRequires: ebtables +BuildRequires: nftables BuildRequires: module-init-tools BuildRequires: cyrus-sasl-devel BuildRequires: polkit >= 0.112 @@ -XXX,XX +XXX,XX @@ Requires: libvirt-daemon-common = %{version}-%{release} Requires: libvirt-libs = %{version}-%{release} Requires: dnsmasq >= 2.41 Requires: iptables +Requires: nftables %description daemon-driver-network The network driver plugin for the libvirtd daemon, providing diff --git a/meson.build b/meson.build index XXXXXXX..XXXXXXX 100644 --- a/meson.build +++ b/meson.build @@ -XXX,XX +XXX,XX @@ optional_programs = [ 'mdevctl', 'mm-ctl', 'modprobe', + 'nft', 'ovs-vsctl', 'passt', 'pdwtags', -- 2.39.2
Signed-off-by: Laine Stump <laine@redhat.com> --- po/POTFILES | 1 + src/network/bridge_driver_conf.c | 4 + src/network/network.conf | 17 +- src/util/meson.build | 1 + src/util/virfirewall.c | 3 +- src/util/virfirewall.h | 1 + src/util/virnetfilter.c | 48 +++ src/util/virnftables.c | 594 +++++++++++++++++++++++++++++++ src/util/virnftables.h | 118 ++++++ 9 files changed, 784 insertions(+), 3 deletions(-) create mode 100644 src/util/virnftables.c create mode 100644 src/util/virnftables.h diff --git a/po/POTFILES b/po/POTFILES index XXXXXXX..XXXXXXX 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -XXX,XX +XXX,XX @@ src/util/virnetdevveth.c src/util/virnetdevvportprofile.c src/util/virnetfilter.c src/util/virnetlink.c +src/util/virnftables.c src/util/virnodesuspend.c src/util/virnuma.c src/util/virnvme.c diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -XXX,XX +XXX,XX @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, * for binaries used by the backends, and set accordingly. */ g_autofree char *iptablesInPath = NULL; + g_autofree char *nftInPath = NULL; /* virFindFileInPath() uses g_find_program_in_path(), * which allows absolute paths, and verifies that @@ -XXX,XX +XXX,XX @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, */ if ((iptablesInPath = virFindFileInPath(IPTABLES))) cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES; + else if ((nftInPath = virFindFileInPath(NFT))) + cfg->firewallBackend = VIR_FIREWALL_BACKEND_NFTABLES; + if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET) VIR_INFO("firewall_backend not set, and no usable backend auto-detected"); diff --git a/src/network/network.conf b/src/network/network.conf index XXXXXXX..XXXXXXX 100644 --- a/src/network/network.conf +++ b/src/network/network.conf @@ -XXX,XX +XXX,XX @@ # firewall_backend: # # determines which subsystem to use to setup firewall packet -# filtering rules for virtual networks. Currently the only supported -# selection is "iptables". +# filtering rules for virtual networks. +# +# Supported settings: +# +# iptables - use iptables commands to construct the firewall +# nftables - use nft commands to construct the firewall +# +# For backward compatibility, and to reduce surprises, the +# default setting is "iptables". +# +# (NB: switching from one backend to another while there are active +# virtual networks *is* supported. The change will take place the +# next time that libvirtd/virtnetworkd is restarted - all existing +# virtual networks will have their old firewalls removed, and then +# reloaded using the new backend.) # #firewall_backend = "iptables" diff --git a/src/util/meson.build b/src/util/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/util/meson.build +++ b/src/util/meson.build @@ -XXX,XX +XXX,XX @@ util_sources = [ 'virnetdevvportprofile.c', 'virnetfilter.c', 'virnetlink.c', + 'virnftables.c', 'virnodesuspend.c', 'virnuma.c', 'virnvme.c', diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.firewall"); VIR_ENUM_IMPL(virFirewallBackend, VIR_FIREWALL_BACKEND_LAST, "UNSET", /* not yet set */ - "iptables"); + "iptables", + "nftables"); typedef struct _virFirewallGroup virFirewallGroup; diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ typedef enum { typedef enum { VIR_FIREWALL_BACKEND_UNSET, VIR_FIREWALL_BACKEND_IPTABLES, + VIR_FIREWALL_BACKEND_NFTABLES, VIR_FIREWALL_BACKEND_LAST, } virFirewallBackend; diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -XXX,XX +XXX,XX @@ #include "internal.h" #include "virnetfilter.h" #include "viriptables.h" +#include "virnftables.h" #include "vircommand.h" #include "viralloc.h" #include "virerror.h" @@ -XXX,XX +XXX,XX @@ virNetfilterApplyFirewallRule(virFirewall *fw, case VIR_FIREWALL_BACKEND_IPTABLES: return virIptablesApplyFirewallRule(fw, rule, output); + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesApplyFirewallRule(fw, rule, output); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -XXX,XX +XXX,XX @@ virNetfilterSetupPrivateChains(virFirewallBackend backend, case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesSetupPrivateChains(layer); + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesSetupPrivateChains(layer); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -XXX,XX +XXX,XX @@ virNetfilterInput(virFirewall *fw, iptablesInput(fw, layer, iface, port, action, tcp); break; + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesInput(fw, layer, iface, port, action, tcp); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -XXX,XX +XXX,XX @@ virNetfilterOutput(virFirewall *fw, iptablesOutput(fw, layer, iface, port, action, tcp); break; + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesOutput(fw, layer, iface, port, action, tcp); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -XXX,XX +XXX,XX @@ virNetfilterForwardAllowOut(virFirewall *fw, return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, action); + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardAllowOut(fw, netaddr, prefix, + iface, physdev, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -XXX,XX +XXX,XX @@ virNetfilterForwardAllowRelatedIn(virFirewall *fw, return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, action); + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardAllowRelatedIn(fw, netaddr, prefix, + iface, physdev, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -XXX,XX +XXX,XX @@ virNetfilterForwardAllowIn(virFirewall *fw, return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, action); + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardAllowIn(fw, netaddr, prefix, + iface, physdev, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -XXX,XX +XXX,XX @@ virNetfilterForwardAllowCross(virFirewall *fw, iptablesForwardAllowCross(fw, layer, iface, action); break; + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesForwardAllowCross(fw, layer, iface, action); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -XXX,XX +XXX,XX @@ virNetfilterForwardRejectOut(virFirewall *fw, iptablesForwardRejectOut(fw, layer, iface, action); break; + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesForwardRejectOut(fw, layer, iface, action); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -XXX,XX +XXX,XX @@ virNetfilterForwardRejectIn(virFirewall *fw, iptablesForwardRejectIn(fw, layer, iface, action); break; + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesForwardRejectIn(fw, layer, iface, action); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -XXX,XX +XXX,XX @@ virNetfilterForwardMasquerade(virFirewall *fw, return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, action); + + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardMasquerade(fw, netaddr, prefix, physdev, + addr, port, protocol, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -XXX,XX +XXX,XX @@ virNetfilterForwardDontMasquerade(virFirewall *fw, return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, action); + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); diff --git a/src/util/virnftables.c b/src/util/virnftables.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/util/virnftables.c @@ -XXX,XX +XXX,XX @@ +/* + * virnftables.c: helper APIs for managing nftables filter rules + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#include <config.h> + +#include <stdarg.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include "internal.h" +#include "virnetfilter.h" +#include "virnftables.h" +#include "virfirewalld.h" +#include "vircommand.h" +#include "viralloc.h" +#include "virerror.h" +#include "virfile.h" +#include "virlog.h" +#include "virthread.h" +#include "virstring.h" +#include "virutil.h" +#include "virhash.h" + +VIR_LOG_INIT("util.nftables"); + +#define VIR_FROM_THIS VIR_FROM_NONE + +#define VIR_NFTABLES_PRIVATE_TABLE "libvirt" + +/* nftables backend uses the same binary (nft) for all layers, but + * IPv4 and IPv6 have their rules in separate classes of tables, + * either "ip" or "ip6". (there is also an "inet" class of tables that + * would examined for both IPv4 and IPv6 traffic, but since we want + * different rules for each family, we only use the family-specific + * table classes). + */ +VIR_ENUM_DECL(virNftablesLayer); +VIR_ENUM_IMPL(virNftablesLayer, + VIR_FIREWALL_LAYER_LAST, + "", + "ip", + "ip6", +); + + +VIR_ENUM_DECL(virNftablesAction); +VIR_ENUM_IMPL(virNftablesAction, + VIR_FIREWALL_ACTION_LAST, + "insert", + "append", + "delete", +); + + +int +virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, + virFirewallRule *rule, + char **output) +{ + size_t count = virFirewallRuleGetArgCount(rule); + g_autoptr(virCommand) cmd = NULL; + g_autofree char *cmdStr = NULL; + g_autofree char *error = NULL; + size_t i; + int status; + + if (count == 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Can't apply empty firewall command")); + return -1; + } + + cmd = virCommandNew(NFT); + + for (i = 0; i < count; i++) + virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); + + cmdStr = virCommandToString(cmd, false); + VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + + virCommandSetOutputBuffer(cmd, output); + virCommandSetErrorBuffer(cmd, &error); + + if (virCommandRun(cmd, &status) < 0) + return -1; + + if (status != 0) { + if (STREQ_NULLABLE(virFirewallRuleGetArg(rule, 0), "list")) { + /* nft returns error status when the target of a "list" + * command doesn't exist, but we always want to just have + * an empty result, so this is not actually an error. + */ + } else if (virFirewallRuleGetIgnoreErrors(rule)) { + VIR_DEBUG("Ignoring error running command"); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to apply firewall command '%1$s': %2$s"), + NULLSTR(cmdStr), NULLSTR(error)); + VIR_FREE(*output); + return -1; + } + } + + return 0; +} + + +typedef struct { + const char *parent; + const char *child; + const char *extraArgs; +} virNftablesGlobalChain; + +typedef struct { + virFirewallLayer layer; + virNftablesGlobalChain *chains; + size_t nchains; + bool *changed; +} virNftablesGlobalChainData; + + +static int +virNftablesPrivateChainCreate(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + virNftablesGlobalChainData *data = opaque; + g_autoptr(GHashTable) chains = virHashNew(NULL); + g_autoptr(GHashTable) links = virHashNew(NULL); + const char *const *line; + const char *chain = NULL; + size_t i; + bool tableMatch = false; + const char *layerStr = virNftablesLayerTypeToString(layer); + g_autofree char *tableStr = g_strdup_printf("table %s libvirt {", + virNftablesLayerTypeToString(layer)); + line = lines; + while (line && *line) { + const char *pos = *line; + + virSkipSpaces(&pos); + if (STREQ(pos, tableStr)) { + /* "table ip libvirt {" */ + + tableMatch = true; + + } else if (STRPREFIX(pos, "chain ")) { + /* "chain LIBVIRT_OUT {" */ + + chain = pos + 6; + pos = strchr(chain, ' '); + if (pos) { + *(char *)pos = '\0'; + if (virHashUpdateEntry(chains, chain, (void *)0x1) < 0) + return -1; + } + + } else if ((pos = strstr(pos, "jump "))) { + /* "counter packets 20189046 bytes 3473108889 jump LIBVIRT_OUT" */ + + pos += 5; + if (chain) { + if (virHashUpdateEntry(links, pos, (char *)chain) < 0) + return -1; + } + + } + line++; + } + + if (!tableMatch) { + virFirewallAddRule(fw, layer, "add", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + } + + for (i = 0; i < data->nchains; i++) { + if (!(tableMatch && virHashLookup(chains, data->chains[i].child))) { + virFirewallAddRule(fw, layer, "add", "chain", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].child, + data->chains[i].extraArgs, NULL); + *data->changed = true; + } + + if (data->chains[i].parent) { + const char *from = virHashLookup(links, data->chains[i].child); + + if (!from || STRNEQ(from, data->chains[i].parent)) { + virFirewallAddRule(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].parent, "counter", + "jump", data->chains[i].child, NULL); + } + } + } + + return 0; +} + + +int +virNftablesSetupPrivateChains(virFirewallLayer layer) +{ + bool changed = false; + virNftablesGlobalChain chains[] = { + /* chains for filter rules */ + {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }"}, + {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accept; }"}, + {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept; }"}, + {"INPUT", VIR_NETFILTER_INPUT_CHAIN, NULL}, + {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN, NULL}, + {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN, NULL}, + {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN, NULL}, + {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN, NULL}, + + /* chains for NAT rules */ + {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; policy accept; }"}, + {"POSTROUTING", VIR_NETFILTER_NAT_POSTROUTE_CHAIN, NULL}, + }; + virNftablesGlobalChainData data = { layer, chains, G_N_ELEMENTS(chains), &changed }; + + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_NFTABLES); + const char *layerStr = virNftablesLayerTypeToString(layer); + + virFirewallStartTransaction(fw, 0); + + /* the output of "nft list table ip[6] libvirt" will be parsed by + * the callback virNftablesPrivateChainCreate which will add any + * needed commands to add missing chains (or possibly even add the + * "ip[6] libvirt" table itself + */ + virFirewallAddRuleFull(fw, layer, false, + virNftablesPrivateChainCreate, &data, + "list", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + + if (virFirewallApply(fw) < 0) + return -1; + + return changed ? 1 : 0; +} + + +void +virNftablesInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + g_autofree char *portstr = g_strdup_printf("%d", port); + const char *layerStr = virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_INPUT_CHAIN, + "iifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + +void +virNftablesOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + g_autofree char *portstr = g_strdup_printf("%d", port); + const char *layerStr = virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_OUTPUT_CHAIN, + "oifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + + +/* Allow all traffic coming from the bridge, with a valid network address + * to proceed to WAN + */ +int +virNftablesForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + g_autofree char *networkstr = NULL; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = virNftablesLayerTypeToString(layer); + virFirewallRule *rule; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + rule = virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_OUT_CHAIN, + layerStr, "saddr", networkstr, + "iifname", iface, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "oifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, "counter", "accept", NULL); + + return 0; +} + + +/* Allow all traffic destined to the bridge, with a valid network address + * and associated with an existing connection + */ +int +virNftablesForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = virNftablesLayerTypeToString(layer); + g_autofree char *networkstr = NULL; + virFirewallRule *rule; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + rule = virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_IN_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "iifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, "oifname", iface, + layerStr, "daddr", networkstr, + "ct", "state", "related,established", + "counter", "accept", NULL); + return 0; +} + + +/* Allow all traffic destined to the bridge, with a valid network address + */ +int +virNftablesForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = virNftablesLayerTypeToString(layer); + g_autofree char *networkstr = NULL; + virFirewallRule *rule; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + rule = virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_IN_CHAIN, + layerStr, "daddr", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "iifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, "oifname", iface, + "counter", "accept", NULL); + return 0; +} + + +void +virNftablesForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + const char *layerStr = virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_X_CHAIN, + "iifname", iface, + "oifname", iface, + "counter", "accept", + NULL); +} + + +void +virNftablesForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + const char *layerStr = virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_OUT_CHAIN, + "iifname", iface, + "counter", "reject", + NULL); +} + + +void +virNftablesForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + const char *layerStr = virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_IN_CHAIN, + "oifname", iface, + "counter", "reject", + NULL); +} + + +/* Masquerade all traffic coming from the network associated + * with the bridge + */ +int +virNftablesForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + virFirewallAction action) +{ + g_autofree char *networkstr = NULL; + g_autofree char *addrStartStr = NULL; + g_autofree char *addrEndStr = NULL; + g_autofree char *portRangeStr = NULL; + g_autofree char *natRangeStr = NULL; + virFirewallRule *rule; + int af = VIR_SOCKET_ADDR_FAMILY(netaddr); + virFirewallLayer layer = af == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = virNftablesLayerTypeToString(layer); + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { + if (!(addrStartStr = virSocketAddrFormat(&addr->start))) + return -1; + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { + if (!(addrEndStr = virSocketAddrFormat(&addr->end))) + return -1; + } + } + + rule = virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, NULL); + + if (protocol && protocol[0]) { + virFirewallRuleAddArgList(fw, rule, + layerStr, "protocol", protocol, NULL); + } + + virFirewallRuleAddArgList(fw, rule, + layerStr, "saddr", networkstr, + layerStr, "daddr", "!=", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "oifname", physdev, NULL); + + if (protocol && protocol[0]) { + if (port->start == 0 && port->end == 0) { + port->start = 1024; + port->end = 65535; + } + + if (port->start < port->end && port->end < 65536) { + portRangeStr = g_strdup_printf(":%u-%u", port->start, port->end); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid port range '%1$u-%2$u'."), + port->start, port->end); + return -1; + } + } + + /* Use snat if public address is specified */ + if (addrStartStr && addrStartStr[0]) { + if (addrEndStr && addrEndStr[0]) { + natRangeStr = g_strdup_printf("%s-%s%s", addrStartStr, addrEndStr, + portRangeStr ? portRangeStr : ""); + } else { + natRangeStr = g_strdup_printf("%s%s", addrStartStr, + portRangeStr ? portRangeStr : ""); + } + + virFirewallRuleAddArgList(fw, rule, "counter", "snat", "to", natRangeStr, NULL); + } else { + virFirewallRuleAddArgList(fw, rule, "counter", "masquerade", NULL); + + if (portRangeStr && portRangeStr[0]) + virFirewallRuleAddArgList(fw, rule, "to", portRangeStr, NULL); + } + + return 0; +} + + +/* Don't masquerade traffic coming from the network associated with the bridge + * if said traffic targets @destaddr. + */ +int +virNftablesForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + virFirewallAction action) +{ + g_autofree char *networkstr = NULL; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = virNftablesLayerTypeToString(layer); + virFirewallRule *rule; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + rule = virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "oifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, + layerStr, "saddr", networkstr, + layerStr, "daddr", destaddr, + "counter", "return", NULL); + return 0; +} diff --git a/src/util/virnftables.h b/src/util/virnftables.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/util/virnftables.h @@ -XXX,XX +XXX,XX @@ +/* + * virnftables.h: helper APIs for managing nftables packet filters + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "virsocketaddr.h" +#include "virfirewall.h" +#include "virnetfilter.h" + +/* virNftablesApplyFirewallRule should be called only from virnetfilter.c */ + +int +virNftablesApplyFirewallRule(virFirewall *firewall, + virFirewallRule *rule, + char **output); + + +/* All the following functions can either insert or delete the given + * type of filter rule, depending on whether action is + * VIR_NETFILTER_INSERT or VIR_NETFILTER_DELETE. + */ + +int +virNftablesSetupPrivateChains(virFirewallLayer layer); + +void +virNftablesInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp); + +void +virNftablesOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp); + +int +virNftablesForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action); + +int +virNftablesForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action); + +int +virNftablesForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action); + + +void +virNftablesForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action); + +void +virNftablesForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action); + +void +virNftablesForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action); + +int +virNftablesForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + virFirewallAction action); + +int +virNftablesForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + virFirewallAction action); -- 2.39.2
Run all the networkxml2firewall tests twice - once with iptables backend, and once with the nftables backend. The results files for the existing iptables tests were previously named *.args. That has been changed to *.iptables, and the results files for the new nftables tests are named *.nftables. Signed-off-by: Laine Stump <laine@redhat.com> --- .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++++++++++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 248 +++++++++ ...pv6-linux.args => nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 384 ++++++++++++++ ...rgs => nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++ ...linux.args => nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 472 ++++++++++++++++++ ...-linux.args => nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 384 ++++++++++++++ ...ftp-linux.args => nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 274 ++++++++++ ...inux.args => route-default-linux.iptables} | 0 .../route-default-linux.nftables | 162 ++++++ tests/networkxml2firewalltest.c | 47 +- 17 files changed, 2670 insertions(+), 13 deletions(-) rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2firewalldata/base.iptables similarity index 100% rename from tests/networkxml2firewalldata/base.args rename to tests/networkxml2firewalldata/base.iptables diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/base.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +list \ +table \ +ip \ +libvirt +nft \ +add \ +table \ +ip \ +libvirt +nft \ +add \ +chain \ +ip \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT +nft \ +list \ +table \ +ip6 \ +libvirt +nft \ +add \ +table \ +ip6 \ +libvirt +nft \ +add \ +chain \ +ip6 \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip6 \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-default-linux.args rename to tests/networkxml2firewalldata/nat-default-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +protocol \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +protocol \ +tcp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-many-ips-linux.args rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.128.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.150.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.150.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.150.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-tftp-linux.args rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/route-default-linux.args rename to tests/networkxml2firewalldata/route-default-linux.iptables diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +ip \ +daddr \ +192.168.122.0/24 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -XXX,XX +XXX,XX @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline, - const char *baseargs) + const char *baseargs, + virFirewallBackend backend) { g_autofree char *actualargv = NULL; g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER; @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) return -1; - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) + if (networkAddFirewallRules(def, backend) < 0) return -1; actual = actualargv = virBufferContentAndReset(&buf); @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, struct testInfo { const char *name; const char *baseargs; + virFirewallBackend backend; }; @@ -XXX,XX +XXX,XX @@ testCompareXMLToIPTablesHelper(const void *data) xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml", abs_srcdir, info->name); - args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args", - abs_srcdir, info->name, RULESTYPE); + args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s", + abs_srcdir, info->name, RULESTYPE, + virFirewallBackendTypeToString(info->backend)); - result = testCompareXMLToArgvFiles(xml, args, info->baseargs); + result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend); return result; } @@ -XXX,XX +XXX,XX @@ static int mymain(void) { int ret = 0; - g_autofree char *basefile = NULL; - g_autofree char *baseargs = NULL; + g_autofree char *basefileIptables = NULL; + g_autofree char *basefileNftables = NULL; + g_autofree char *baseargsIptables = NULL; + g_autofree char *baseargsNftables = NULL; + const char *baseargs[VIR_FIREWALL_BACKEND_LAST]; -# define DO_TEST(name) \ +# define DO_TEST_FOR_BACKEND(name, backend) \ do { \ struct testInfo info = { \ - name, baseargs, \ + name, baseargs[backend], backend \ }; \ - if (virTestRun("Network XML-2-iptables " name, \ - testCompareXMLToIPTablesHelper, &info) < 0) \ + g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \ + virFirewallBackendTypeToString(backend), \ + name); \ + if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \ ret = -1; \ } while (0) - basefile = g_strdup_printf("%s/networkxml2firewalldata/base.args", abs_srcdir); +# define DO_TEST(name) \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); + + + basefileIptables = g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir); + if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0) + return EXIT_FAILURE; + + baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables; - if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0) + basefileNftables = g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir); + if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0) return EXIT_FAILURE; + baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables; + + DO_TEST("nat-default"); DO_TEST("nat-tftp"); DO_TEST("nat-many-ips"); -- 2.39.2
In the past virFirewall required all rollback rules for a group (those commands necessary to "undo" any rules that had been added in that group in case of a later failure) to be manually added by switching into "rollback mode" and then re-calling the inverse of the exact virFirewallAddRule*() APIs that had been called to add the original rules (ie. for each --insert command, for rollback we would need to add a rule with all arguments identical except that "--insert" would be replaced by "--delete"). Because nftables can't search for rules to remove by comparing all the arguments (it instead expects *only* a handle that was issued when the rule was originally added), we want for the backends' vir*ApplyRule() functions to be able to automatically add a single rollback rule to the virFirewall object while applying its existing rules (this automatically added rule would then be able to include the handle returned by "nft add rule"). In order to make this happen, we need to be able to 1) learn whether the user of the virFirewall API desires this behavior (handled by a new transaction flag called VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK that can be retrieved with the new virFirewallTransactionGetFlags() API), and 2) add a new rule to the current group's rollback rule list (with the new virFirewallAddRollbackRule()). We will actually use these in the backends in an upcoming patch. Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 53 ++++++++++++++++++++++++++++++++++++---- src/util/virfirewall.h | 10 ++++++++ 3 files changed, 60 insertions(+), 5 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFileCacheSetPriv; # util/virfirewall.h +virFirewallAddRollbackRule; virFirewallAddRuleFull; virFirewallApply; virFirewallBackendTypeFromString; @@ -XXX,XX +XXX,XX @@ virFirewallRuleGetLayer; virFirewallRuleToString; virFirewallStartRollback; virFirewallStartTransaction; +virFirewallTransactionGetFlags; # util/virfirewalld.h diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ static virFirewallRule * virFirewallAddRuleFullV(virFirewall *firewall, virFirewallLayer layer, bool ignoreErrors, + bool isRollback, virFirewallQueryCallback cb, void *opaque, va_list args) @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFullV(virFirewall *firewall, } group = firewall->groups[firewall->currentGroup]; - rule = g_new0(virFirewallRule, 1); rule->layer = layer; - rule->queryCB = cb; - rule->queryOpaque = opaque; while ((str = va_arg(args, char *)) != NULL) ADD_ARG(rule, str); - if (group->addingRollback) { + if (isRollback || group->addingRollback) { rule->ignoreErrors = true; /* always ignore errors when rolling back */ + rule->queryCB = NULL; /* rollback rules can't have a callback */ + rule->queryOpaque = NULL; VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); } else { /* when not rolling back, ignore errors if this group (transaction) @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFullV(virFirewall *firewall, */ rule->ignoreErrors = ignoreErrors || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + rule->queryCB = cb; + rule->queryOpaque = opaque; VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); } @@ -XXX,XX +XXX,XX @@ virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, virFirewallRule *rule; va_list args; va_start(args, opaque); - rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args); + rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, false, cb, opaque, args); + va_end(args); + return rule; +} + + +/** + * virFirewallAddRollbackRule: + * @firewall: firewall ruleset to add to + * @layer: the firewall layer to change + * @...: NULL terminated list of strings for the rule + * + * Add a rule to the current firewall group "rollback" + * ruleset. Rollback rules always ignore errors and don't support any + * callbacks. + * + * Returns the new rule + */ +virFirewallRule * +virFirewallAddRollbackRule(virFirewall *firewall, + virFirewallLayer layer, + ...) +{ + virFirewallRule *rule; + va_list args; + va_start(args, layer); + rule = virFirewallAddRuleFullV(firewall, layer, true, true, NULL, NULL, args); va_end(args); return rule; } @@ -XXX,XX +XXX,XX @@ void virFirewallStartTransaction(virFirewall *firewall, firewall->currentGroup = firewall->ngroups - 1; } + +/** + * virFirewallTransactionGetFlags: + * @firewall: the firewall to look at + * + * Returns the virFirewallTransactionFlags for the currently active + * group (transaction) in @firewall. + */ +virFirewallTransactionFlags +virFirewallTransactionGetFlags(virFirewall *firewall) +{ + return firewall->groups[firewall->currentGroup]->actionFlags; +} + + /** * virFirewallBeginRollback: * @firewall: the firewall ruleset diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, ...) G_GNUC_NULL_TERMINATED; +virFirewallRule *virFirewallAddRollbackRule(virFirewall *firewall, + virFirewallLayer layer, + ...) + G_GNUC_NULL_TERMINATED; + void virFirewallRemoveRule(virFirewall *firewall, virFirewallRule *rule); @@ -XXX,XX +XXX,XX @@ typedef enum { /* Ignore all errors when applying rules, so no * rollback block will be required */ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS = (1 << 0), + /* Set to auto-add a rollback rule for each rule that is applied */ + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK = (1 << 1), } virFirewallTransactionFlags; void virFirewallStartTransaction(virFirewall *firewall, unsigned int flags); +virFirewallTransactionFlags +virFirewallTransactionGetFlags(virFirewall *firewall); + typedef enum { /* Execute previous rollback block before this * one, to chain cleanup */ -- 2.39.2
In normal practice a firewall rule should never have 0 args by the time it gets to the Apply stage, but at some time while debugging auto-rollback exactly that happened (due to a bug that was since squashed), and having a check for it helped debugging, so let's permanently check for it (the nftables version of ApplyRule already has this check). Signed-off-by: Laine Stump <laine@redhat.com> --- src/util/viriptables.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, { virFirewallLayer layer = virFirewallRuleGetLayer(rule); const char *bin = virIptablesLayerCommandTypeToString(layer); + size_t count = virFirewallRuleGetArgCount(rule); g_autoptr(virCommand) cmd = NULL; g_autofree char *cmdStr = NULL; g_autofree char *error = NULL; - size_t i, count; + size_t i; int status; if (!bin) { @@ -XXX,XX +XXX,XX @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, return -1; } + if (count == 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Can't apply empty firewall rule")); + return -1; + } + cmd = virCommandNewArgList(bin, NULL); /* lock to assure nobody else is messing with the tables while we are */ @@ -XXX,XX +XXX,XX @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, break; } - count = virFirewallRuleGetArgCount(rule); for (i = 0; i < count; i++) virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); -- 2.39.2
This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump <laine@redhat.com> --- src/util/viriptables.c | 49 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -XXX,XX +XXX,XX @@ VIR_ENUM_IMPL(virIptablesAction, "--delete", ); +#define VIR_ARG_IS_INSERT(arg) \ + (STREQ(arg, "--insert") || STREQ(arg, "-I") \ + || STREQ(arg, "--append") || STREQ(arg, "-A")) int -virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, +virIptablesApplyFirewallRule(virFirewall *firewall, virFirewallRule *rule, char **output) { virFirewallLayer layer = virFirewallRuleGetLayer(rule); const char *bin = virIptablesLayerCommandTypeToString(layer); size_t count = virFirewallRuleGetArgCount(rule); + bool checkRollback = (virFirewallTransactionGetFlags(firewall) + & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); + bool needRollback = false; g_autoptr(virCommand) cmd = NULL; g_autofree char *cmdStr = NULL; g_autofree char *error = NULL; @@ -XXX,XX +XXX,XX @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, break; } - for (i = 0; i < count; i++) - virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); + for (i = 0; i < count; i++) { + const char *arg = virFirewallRuleGetArg(rule, i); + + /* the -I/-A arg could be at any position in the list */ + if (checkRollback && VIR_ARG_IS_INSERT(arg)) + needRollback = true; + + virCommandAddArg(cmd, arg); + } cmdStr = virCommandToString(cmd, false); VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); @@ -XXX,XX +XXX,XX @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, return -1; if (status != 0) { + /* the command failed, decide whether or not to report it */ if (virFirewallRuleGetIgnoreErrors(rule)) { VIR_DEBUG("Ignoring error running command"); + return 0; } else { virReportError(VIR_ERR_INTERNAL_ERROR, _("Failed to apply firewall rules %1$s: %2$s"), @@ -XXX,XX +XXX,XX @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, } } + /* the command was successful, see if we need to add a + * rollback rule + */ + + if (needRollback) { + virFirewallRule *rollback + = virFirewallAddRollbackRule(firewall, layer, NULL); + g_autofree char *rollbackStr = NULL; + + for (i = 0; i < count; i++) { + const char *arg = virFirewallRuleGetArg(rule, i); + + /* iptables --delete wants the entire commandline that + * was used for --insert but with s/insert/delete/ + */ + if (VIR_ARG_IS_INSERT(arg)) { + virFirewallRuleAddArg(firewall, rollback, "--delete"); + } else { + virFirewallRuleAddArg(firewall, rollback, arg); + } + } + + rollbackStr + = virFirewallRuleToString(virIptablesLayerCommandTypeToString(layer), + rollback); + VIR_DEBUG("Recording Rollback rule '%s'", NULLSTR(rollbackStr)); + } + return 0; } -- 2.39.2
Determining the correct rollback rule for nftables is more complicated than iptables - nftables give each new table/chain/rule a handle, and the nft delete command to delete the object must contain that handle (rather than just replicating the entire original commandline as is done for iptables). The handle is obtained by adding an extra "-ae" option to the original nft commandline, and then parsing stdout of the command looking for "# handle n" (where "n" is a decimal integer). This code isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump <laine@redhat.com> --- src/util/virnftables.c | 106 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 105 insertions(+), 1 deletion(-) diff --git a/src/util/virnftables.c b/src/util/virnftables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virnftables.c +++ b/src/util/virnftables.c @@ -XXX,XX +XXX,XX @@ VIR_ENUM_IMPL(virNftablesAction, ); +#define VIR_ARG_IS_INSERT(arg) \ + (STREQ(arg, "insert") || STREQ(arg, "add") || STREQ(arg, "create")) + int virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, virFirewallRule *rule, char **output) { size_t count = virFirewallRuleGetArgCount(rule); + bool needRollback = false; + size_t cmdIdx = 0; + const char *objectType = NULL; g_autoptr(virCommand) cmd = NULL; g_autofree char *cmdStr = NULL; g_autofree char *error = NULL; @@ -XXX,XX +XXX,XX @@ virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, cmd = virCommandNew(NFT); + if ((virFirewallTransactionGetFlags(firewall) + & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) + && count > 1) { + /* skip any leading options to get to command verb */ + for (i = 0; i < count - 1; i++) { + if (virFirewallRuleGetArg(rule, i)[0] != '-') + break; + } + + if (i + 1 < count + && VIR_ARG_IS_INSERT(virFirewallRuleGetArg(rule, i))) { + + cmdIdx = i; + objectType = virFirewallRuleGetArg(rule, i + 1); + + /* we currently only handle auto-rollback for rules, + * chains, and tables, and those all can be "rolled + * back" by a delete command using the handle that is + * returned when "-ae" is added to the add/insert + * command. + */ + if (STREQ_NULLABLE(objectType, "rule") + || STREQ_NULLABLE(objectType, "chain") + || STREQ_NULLABLE(objectType, "table")) { + + needRollback = true; + /* this option to nft instructs it to add the + * "handle" of the created object to stdout + */ + virCommandAddArg(cmd, "-ae"); + } + } + } + for (i = 0; i < count; i++) virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); cmdStr = virCommandToString(cmd, false); - VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + VIR_INFO("Applying '%s'", NULLSTR(cmdStr)); virCommandSetOutputBuffer(cmd, output); virCommandSetErrorBuffer(cmd, &error); @@ -XXX,XX +XXX,XX @@ virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, VIR_FREE(*output); return -1; } + + /* there was an error, so we won't be building any rollback rule, + * but the error should be ignored, so we return success + */ + return 0; } + if (needRollback) { + virFirewallRule *rollback + = virFirewallAddRollbackRule(firewall, + virFirewallRuleGetLayer(rule), NULL); + const char *handleStart = NULL; + size_t handleLen = 0; + g_autofree char *handleStr = NULL; + g_autofree char *rollbackStr = NULL; + + /* Search for "# handle n" in stdout of the nft add command - + * that is the handle of the table/rule/chain that will later + * need to be deleted. + */ + + if ((handleStart = strstr(*output, "# handle "))) { + handleStart += 9; /* move past "# handle " */ + handleLen = strspn(handleStart, "0123456789"); + } + + if (!handleLen) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("couldn't register rollback command - command '%1$s' had no valid handle in output ('%2$s')"), + NULLSTR(cmdStr), NULLSTR(*output)); + return -1; + } + + handleStr = g_strdup_printf("%.*s", (int)handleLen, handleStart); + + /* The rollback rule is created from the original rule like this: + * + * 1) skip any leading options + * 2) replace add/insert with delete + * 3) keep the type of item being added (rule/chain/table) + * 4) keep the class (ip/ip6/inet) + * 5) for chain/rule, keep the table name + * 6) for rule, keep the chain name + * 7) add "handle n" where "n" is parsed from the + * stdout of the nft command + */ + virFirewallRuleAddArgList(firewall, rollback, "delete", objectType, + virFirewallRuleGetArg(rule, cmdIdx + 2), /* ip/ip6/inet */ + NULL); + + if (STREQ_NULLABLE(objectType, "rule") + || STREQ_NULLABLE(objectType, "chain")) { + /* include table name in command */ + virFirewallRuleAddArg(firewall, rollback, + virFirewallRuleGetArg(rule, cmdIdx + 3)); + } + if (STREQ_NULLABLE(objectType, "rule")) { + /* include chain name in command */ + virFirewallRuleAddArg(firewall, rollback, + virFirewallRuleGetArg(rule, cmdIdx + 4)); + } + virFirewallRuleAddArgList(firewall, rollback, "handle", handleStr, NULL); + + rollbackStr = virFirewallRuleToString(NFT, rollback); + VIR_DEBUG("Recording Rollback command '%s'", NULLSTR(rollbackStr)); + } return 0; } -- 2.39.2
So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed. Note that the test case data changed because enabling auto-rollback will cause the nftables backend to add "-ae" to each commandline in order to retrieve the handle for the newly created table/chain/rule. (in our simplistic unit-test world, the handle is always "5309"). Signed-off-by: Laine Stump <laine@redhat.com> --- src/network/bridge_driver_linux.c | 15 +---- .../nat-default-linux.nftables | 36 +++++----- .../nat-ipv6-linux.nftables | 58 ++++++++-------- .../nat-ipv6-masquerade-linux.nftables | 66 +++++++++---------- .../nat-many-ips-linux.nftables | 64 +++++++++--------- .../nat-no-dhcp-linux.nftables | 58 ++++++++-------- .../nat-tftp-linux.nftables | 40 +++++------ .../route-default-linux.nftables | 26 ++++---- tests/networkxml2firewalltest.c | 9 ++- 9 files changed, 185 insertions(+), 187 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ networkAddFirewallRules(virNetworkDef *def, } } - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); networkAddGeneralFirewallRules(fw, def); @@ -XXX,XX +XXX,XX @@ networkAddFirewallRules(virNetworkDef *def, return -1; } - virFirewallStartRollback(fw, 0); - - for (i = 0; - (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - networkRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS + | VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK)); networkAddChecksumFirewallRules(fw, def); return virFirewallApply(fw); diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -XXX,XX +XXX,XX @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -XXX,XX +XXX,XX @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, void *opaque G_GNUC_UNUSED) { *status = 0; - *output = g_strdup(""); + /* if arg[1] is -ae then this is an nft command, + * and the caller requested to get the handle + * of the newly added object in stdout + */ + if (STREQ_NULLABLE(args[1], "-ae")) + *output = g_strdup("# handle 5309"); + else + *output = g_strdup(""); *error = g_strdup(""); } -- 2.39.2
virFirewallNewFromRollback() creates a new virFirewall object that contains a copy of the "rollback" rules from an existing virFirewall object, but in reverse order. The intent is that this virFirewall be saved and used later to remove the firewall rules that were added for a network. Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 59 ++++++++++++++++++++++++++++++++++++++++ src/util/virfirewall.h | 1 + 3 files changed, 61 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFirewallBackendTypeToString; virFirewallFree; virFirewallGetBackend; virFirewallNew; +virFirewallNewFromRollback; virFirewallRemoveRule; virFirewallRuleAddArg; virFirewallRuleAddArgFormat; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallApply(virFirewall *firewall) return 0; } + + +/** + * virFirewallNewFromRollback: + + * @original: the original virFirewall object containing the rollback + * of interest + * @fwRemoval: a firewall object that, when applied, will remove @original + * + * Copy the rollback rules from the current virFirewall object as a + * new virFirewall. This virFirewall can then be saved to apply later + * and counteract everything done by the original. + * + * Returns 0 on success, -1 on error + */ +int +virFirewallNewFromRollback(virFirewall *original, + virFirewall **fwRemoval) +{ + size_t g; + g_autoptr(virFirewall) firewall = NULL; + + if (original->err) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("error in original firewall object")); + return -1; + } + + firewall = virFirewallNew(original->backend); + + /* add the rollback commands in reverse order of actions/groups of + * what was applied in the original firewall. + */ + for (g = original->ngroups; g > 0; g--) { + size_t r; + virFirewallGroup *group = original->groups[g - 1]; + + if (group->nrollback == 0) + continue; + + virFirewallStartTransaction(firewall, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + + for (r = group->nrollback; r > 0; r--) { + size_t i; + virFirewallRule *origRule = group->rollback[r - 1]; + virFirewallRule *rule = virFirewallAddRule(firewall, origRule->layer, NULL); + + for (i = 0; i < origRule->argsLen; i++) + ADD_ARG(rule, origRule->args[i]); + } + } + + if (firewall->ngroups == 0) + VIR_DEBUG("original firewall object is empty"); + else + *fwRemoval = g_steal_pointer(&firewall); + + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ typedef enum { VIR_ENUM_DECL(virFirewallBackend); virFirewall *virFirewallNew(virFirewallBackend backend); +int virFirewallNewFromRollback(virFirewall *original, virFirewall **fwRemoval); void virFirewallFree(virFirewall *firewall); virFirewallBackend virFirewallGetBackend(virFirewall *firewall); -- 2.39.2
These functions convert a virFirewall object to/from XML so that it can be serialized to disk (in a virNetworkObj's status file) and restored later (e.g. after libvirtd/virtnetworkd is restarted). Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 2 + src/util/virfirewall.c | 220 +++++++++++++++++++++++++++++++++++++++ src/util/virfirewall.h | 9 ++ 3 files changed, 231 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFull; virFirewallApply; virFirewallBackendTypeFromString; virFirewallBackendTypeToString; +virFirewallFormat; virFirewallFree; virFirewallGetBackend; virFirewallNew; virFirewallNewFromRollback; +virFirewallParseXML; virFirewallRemoveRule; virFirewallRuleAddArg; virFirewallRuleAddArgFormat; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ VIR_ENUM_IMPL(virFirewallBackend, "iptables", "nftables"); +VIR_ENUM_DECL(virFirewallLayer); +VIR_ENUM_IMPL(virFirewallLayer, + VIR_FIREWALL_LAYER_LAST, + "ethernet", + "ipv4", + "ipv6", +); + typedef struct _virFirewallGroup virFirewallGroup; struct _virFirewallRule { @@ -XXX,XX +XXX,XX @@ virFirewallNewFromRollback(virFirewall *original, return 0; } + + +/* virFirewallGetFlagsFromNode: + * @node: the xmlNode to check for an ignoreErrors attribute + * + * A short helper to get the setting of the ignorErrors attribute from + * an xmlNode. Returns -1 on error (with error reported), or the + * VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS bit set/reset according to + * the value of the attribute. + */ +static int +virFirewallGetFlagsFromNode(xmlNodePtr node) +{ + virTristateBool ignoreErrors; + + if (virXMLPropTristateBool(node, "ignoreErrors", VIR_XML_PROP_NONE, &ignoreErrors) < 0) + return -1; + + if (ignoreErrors == VIR_TRISTATE_BOOL_YES) + return VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS; + return 0; +} + + +/** + * virFirewallParseXML: + * @firewall: pointer to virFirewall* to fill in with new virFirewall object + * + * Construct a new virFirewall object according to the XML in + * xmlNodePtr. Return 0 (and new object) on success, or -1 (with + * error reported) on error. + * + * Example of <firewall> element XML: + * + * <firewall backend='iptables|nftables'> + * <group ignoreErrors='yes|no'> + * <action layer='ethernet|ipv4|ipv6' ignoreErrors='yes|no'> + * <args> + * <item>arg1</item> + * <item>arg2</item> + * ... + * </args> + * </action> + * <action ...> + * ... + </action> + * ... + * </group> + * ... + * </firewall> + */ +int +virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt) +{ + g_autoptr(virFirewall) newfw = NULL; + virFirewallBackend backend; + g_autofree xmlNodePtr *groupNodes = NULL; + ssize_t ngroups; + size_t g; + VIR_XPATH_NODE_AUTORESTORE(ctxt); + + ctxt->node = node; + + ngroups = virXPathNodeSet("./group", ctxt, &groupNodes); + if (ngroups < 0) + return -1; + if (ngroups == 0) + return 0; + + if (virXMLPropEnum(node, "backend", virFirewallBackendTypeFromString, + VIR_XML_PROP_REQUIRED, &backend) < 0) { + return -1; + } + + newfw = virFirewallNew(backend); + + for (g = 0; g < ngroups; g++) { + int flags = 0; + g_autofree xmlNodePtr *actionNodes = NULL; + ssize_t nactions; + size_t a; + + ctxt->node = groupNodes[g]; + nactions = virXPathNodeSet("./action", ctxt, &actionNodes); + if (nactions < 0) + return -1; + if (nactions == 0) + continue; + + if ((flags = virFirewallGetFlagsFromNode(groupNodes[g])) < 0) + return -1; + + virFirewallStartTransaction(newfw, flags); + + for (a = 0; a < nactions; a++) { + g_autofree xmlNodePtr *argsNodes = NULL; + ssize_t nargs; + size_t i; + virFirewallLayer layer; + virFirewallRule *action; + bool ignoreErrors; + + ctxt->node = actionNodes[a]; + + if (!(ctxt->node = virXPathNode("./args", ctxt))) + continue; + + if ((flags = virFirewallGetFlagsFromNode(actionNodes[a])) < 0) + return -1; + + ignoreErrors = flags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS; + + if (virXMLPropEnum(actionNodes[a], "layer", + virFirewallLayerTypeFromString, + VIR_XML_PROP_REQUIRED, &layer) < 0) { + return -1; + } + + nargs = virXPathNodeSet("./item", ctxt, &argsNodes); + if (nargs < 0) + return -1; + if (nargs == 0) + continue; + + action = virFirewallAddRuleFull(newfw, layer, ignoreErrors, + NULL, NULL, NULL); + for (i = 0; i < nargs; i++) { + + char *arg = virXMLNodeContentString(argsNodes[i]); + if (!arg) + return -1; + + virFirewallRuleAddArg(newfw, action, arg); + } + } + } + + *firewall = g_steal_pointer(&newfw); + return 0; +} + + +/** + * virFirewallFormat: + * @buf: output buffer + * @firewall: the virFirewall object to format as XML + * + * Format virFirewall object @firewall into @buf as XML. + * Returns 0 on success, -1 on failure. + * + */ +int +virFirewallFormat(virBuffer *buf, + virFirewall *firewall) +{ + size_t g; + + if (firewall->ngroups == 0) + return 0; + + virBufferAsprintf(buf, "<firewall backend='%s'>\n", + virFirewallBackendTypeToString(virFirewallGetBackend(firewall))); + virBufferAdjustIndent(buf, 2); + for (g = 0; g < firewall->ngroups; g++) { + virFirewallGroup *group = firewall->groups[g]; + bool groupIgnoreErrors = (group->actionFlags + & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + size_t a; + + virBufferAddLit(buf, "<group"); + if (groupIgnoreErrors) + virBufferAddLit(buf, " ignoreErrors='yes'"); + virBufferAddLit(buf, ">\n"); + virBufferAdjustIndent(buf, 2); + + for (a = 0; a < group->naction; a++) { + virFirewallRule *action = group->action[a]; + size_t i; + + virBufferAsprintf(buf, "<action layer='%s'", + virFirewallLayerTypeToString(virFirewallRuleGetLayer(action))); + /* if the entire group has ignoreErrors='yes', then it's + * redundant to have it for an action of the group + */ + if (virFirewallRuleGetIgnoreErrors(action) + && !groupIgnoreErrors) + virBufferAddLit(buf, " ignoreErrors='yes'"); + virBufferAddLit(buf, ">\n"); + + virBufferAdjustIndent(buf, 2); + virBufferAddLit(buf, "<args>\n"); + virBufferAdjustIndent(buf, 2); + for (i = 0; i < virFirewallRuleGetArgCount(action); i++) { + virBufferEscapeString(buf, "<item>%s</item>\n", + virFirewallRuleGetArg(action, i)); + } + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "</args>\n"); + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "</action>\n"); + } + + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "</group>\n"); + } + + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "</firewall>\n"); + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ #include "internal.h" #include "virenum.h" +#include "virbuffer.h" +#include "virxml.h" typedef struct _virFirewall virFirewall; @@ -XXX,XX +XXX,XX @@ void virFirewallStartRollback(virFirewall *firewall, int virFirewallApply(virFirewall *firewall); +int virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt); + +int virFirewallFormat(virBuffer *buf, + virFirewall *firewall); + G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); -- 2.39.2
This virFirewall object will store the list of actions required to remove the firewall that was added for the currently active instance of the network, so it has been named "fwRemoval". There are no uses of the fwRemoval object in the virNetworkObj yet, but everything is in place to add it to the XML when formatted, parse it from the XML when reading network status, and freeing the virFirewall object with the virNetworkObj is freed. Signed-off-by: Laine Stump <laine@redhat.com> --- src/conf/virnetworkobj.c | 39 +++++++++++++++++++++++++++++++++++++++ src/conf/virnetworkobj.h | 11 +++++++++++ src/libvirt_private.syms | 3 +++ 3 files changed, 53 insertions(+) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index XXXXXXX..XXXXXXX 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -XXX,XX +XXX,XX @@ struct _virNetworkObj { unsigned int taint; + /* fwRemoval contains all commands needed to remove the firewall + * that was added for this network. + */ + virFirewall *fwRemoval; + /* Immutable pointer, self locking APIs */ virMacMap *macmap; @@ -XXX,XX +XXX,XX @@ virNetworkObjSetFloorSum(virNetworkObj *obj, } +virFirewall ** +virNetworkObjGetFwRemovalPtr(virNetworkObj *obj) +{ + return &obj->fwRemoval; +} + + +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj) +{ + return obj->fwRemoval; +} + + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval) +{ + obj->fwRemoval = fwRemoval; +} + + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap) @@ -XXX,XX +XXX,XX @@ virNetworkObjDispose(void *opaque) virNetworkDefFree(obj->newDef); virBitmapFree(obj->classIdMap); virObjectUnref(obj->macmap); + virFirewallFree(obj->fwRemoval); } @@ -XXX,XX +XXX,XX @@ virNetworkObjFormat(virNetworkObj *obj, if (virNetworkDefFormatBuf(&buf, obj->def, xmlopt, flags) < 0) return NULL; + if (obj->fwRemoval && virFirewallFormat(&buf, obj->fwRemoval) < 0) + return NULL; + virBufferAdjustIndent(&buf, -2); virBufferAddLit(&buf, "</networkstatus>"); @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *configFile = NULL; g_autoptr(virNetworkDef) def = NULL; virNetworkObj *obj = NULL; + g_autoptr(virFirewall) fwRemoval = NULL; g_autoptr(xmlDoc) xml = NULL; xmlNodePtr node = NULL; g_autoptr(xmlXPathContext) ctxt = NULL; @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *classIdStr = NULL; g_autofree char *floor_sum = NULL; g_autofree xmlNodePtr *nodes = NULL; + xmlNodePtr fwNode; ctxt->node = node; if ((classIdStr = virXPathString("string(./class_id[1]/@bitmap)", @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, taint |= (1 << flag); } } + if ((fwNode = virXPathNode("./firewall", ctxt)) + && virFirewallParseXML(&fwRemoval, fwNode, ctxt) < 0) { + return NULL; + } } /* create the object */ @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, def = NULL; + virNetworkObjSetFwRemoval(obj, g_steal_pointer(&fwRemoval)); + /* assign status data stored in the network object */ if (classIdMap) { virBitmapFree(obj->classIdMap); diff --git a/src/conf/virnetworkobj.h b/src/conf/virnetworkobj.h index XXXXXXX..XXXXXXX 100644 --- a/src/conf/virnetworkobj.h +++ b/src/conf/virnetworkobj.h @@ -XXX,XX +XXX,XX @@ #include "network_conf.h" #include "virnetworkportdef.h" +#include "virfirewall.h" typedef struct _virNetworkObj virNetworkObj; @@ -XXX,XX +XXX,XX @@ void virNetworkObjSetFloorSum(virNetworkObj *obj, unsigned long long floor_sum); +virFirewall ** +virNetworkObjGetFwRemovalPtr(virNetworkObj *obj); + +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj); + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval); + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap); diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virNetworkObjGetClassIdMap; virNetworkObjGetDef; virNetworkObjGetDnsmasqPid; virNetworkObjGetFloorSum; +virNetworkObjGetFwRemoval; +virNetworkObjGetFwRemovalPtr; virNetworkObjGetMacMap; virNetworkObjGetNewDef; virNetworkObjGetPersistentDef; @@ -XXX,XX +XXX,XX @@ virNetworkObjSetDef; virNetworkObjSetDefTransient; virNetworkObjSetDnsmasqPid; virNetworkObjSetFloorSum; +virNetworkObjSetFwRemoval; virNetworkObjSetMacMap; virNetworkObjTaint; virNetworkObjUnrefMacMap; -- 2.39.2
When destroying a network, the network driver has always assumed that it knew what firewall rules had been added as the network was started. This was usually correct, but if the exact rules used for a network were ever changed from one build/version of libvirt to another, then we would end up attempting to remove rules that hadn't been added, and could possibly *not* remove rules that had been added. The solution to this to not make such brash assumptions about the past, but instead to save (in the network status object at network start time) a list of all the rules needed to remove the rules that were added for the network, and then use that saved list during network destroy to remove exactly what was previous added. As a result of doing this, not only can we change the details of the rules we add for networks from one build/release of libvirt to another and painlessly upgrade, but the user can also switch from one firewall backend to another by simply changing the setting in network.conf and restarting libvirtd/virtnetworkd. Signed-off-by: Laine Stump <laine@redhat.com> --- src/network/bridge_driver.c | 34 +++++++++++------ src/network/bridge_driver_linux.c | 56 +++++++++++++++++++++------- src/network/bridge_driver_nop.c | 4 +- src/network/bridge_driver_platform.h | 4 +- tests/networkxml2firewalltest.c | 2 +- 5 files changed, 70 insertions(+), 30 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward='open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def, cfg->firewallBackend); - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); + networkRemoveFirewallRules(obj); + ignore_value(networkAddFirewallRules(def, + virNetworkObjGetFwRemovalPtr(obj), + cfg->firewallBackend)); break; case VIR_NETWORK_FORWARD_OPEN: @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, /* Add "once per network" rules */ if (def->forward.type != VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def, cfg->firewallBackend) < 0) + networkAddFirewallRules(def, + virNetworkObjGetFwRemovalPtr(obj), + cfg->firewallBackend) < 0) { goto error; + } firewalRulesAdded = true; @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, if (firewalRulesAdded && def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); virNetworkObjUnrefMacMap(obj); @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, static int -networkShutdownNetworkVirtual(virNetworkObj *obj, - virNetworkDriverConfig *cfg) +networkShutdownNetworkVirtual(virNetworkObj *obj) { virNetworkDef *def = virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -XXX,XX +XXX,XX @@ networkShutdownNetworkVirtual(virNetworkObj *obj, ignore_value(virNetDevSetOnline(def->bridge, false)); if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); ignore_value(virNetDevBridgeDelete(def->bridge)); @@ -XXX,XX +XXX,XX @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret = networkShutdownNetworkVirtual(obj, cfg); + ret = networkShutdownNetworkVirtual(obj); break; case VIR_NETWORK_FORWARD_BRIDGE: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); needFirewallRefresh = true; break; default: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, if (virNetworkObjUpdate(obj, command, section, parentIndex, xml, network_driver->xmlopt, flags) < 0) { - if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); + if (needFirewallRefresh) { + ignore_value(networkAddFirewallRules(def, + virNetworkObjGetFwRemovalPtr(obj), + cfg->firewallBackend)); + } goto cleanup; } /* @def is replaced */ def = virNetworkObjGetDef(obj); - if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallBackend) < 0) + if (needFirewallRefresh && networkAddFirewallRules(def, + virNetworkObjGetFwRemovalPtr(obj), + cfg->firewallBackend) < 0) { goto cleanup; + } if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { /* save updated persistent config to disk */ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw, /* Add all rules for all ip addresses (and general rules) on a network */ int networkAddFirewallRules(virNetworkDef *def, + virFirewall **fwRemoval, virFirewallBackend firewallBackend) { size_t i; @@ -XXX,XX +XXX,XX @@ networkAddFirewallRules(virNetworkDef *def, | VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK)); networkAddChecksumFirewallRules(fw, def); - return virFirewallApply(fw); + if (virFirewallApply(fw) < 0) + return -1; + + if (fwRemoval) { + /* caller wants us to create a virFirewall object that can be + * applied to undo everything that was just done by + * virFirewallApply() + */ + if (virFirewallNewFromRollback(fw, fwRemoval) < 0) + return -1; + } + + return 0; } /* Remove all rules for all ip addresses (and general rules) on a network */ void -networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend) +networkRemoveFirewallRules(virNetworkObj *obj) { size_t i; + virNetworkDef *def = virNetworkObjGetDef(obj); virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(firewallBackend); + g_autoptr(virFirewall) fw = NULL; + + if ((fw = virNetworkObjGetFwRemoval(obj))) { + /* exact list of removal rules was saved + * when the firewall rules were originally added + */ + VIR_DEBUG("Removing exact firewall rules previously saved"); + virNetworkObjSetFwRemoval(obj, NULL); - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); - networkRemoveChecksumFirewallRules(fw, def); + } else { + /* The firewall rules were added by an older libvirt that + * didn't automatically save removal rules, so we guess + * at what rules were added (NB: any libvirt old enough + * to require this only supported the iptables backend) + */ + VIR_DEBUG("Removing a guess at what firewall rules were previously saved"); + fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + networkRemoveChecksumFirewallRules(fw, def); - for (i = 0; - (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return; + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + + for (i = 0; + (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) + return; + } + networkRemoveGeneralFirewallRules(fw, def); } - networkRemoveGeneralFirewallRules(fw, def); virFirewallApply(fw); } diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED) } int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewall **fwRemoval G_GNUC_UNUSED, virFirewallBackend firewallBackend G_GNUC_UNUSED) { return 0; } -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_UNUSED) +void networkRemoveFirewallRules(virNetworkObj *obj G_GNUC_UNUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -XXX,XX +XXX,XX @@ void networkPostReloadFirewallRules(bool startup); int networkCheckRouteCollision(virNetworkDef *def); int networkAddFirewallRules(virNetworkDef *def, + virFirewall **fwRemoval, virFirewallBackend firewallBackend); -void networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend); +void networkRemoveFirewallRules(virNetworkObj *obj); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) return -1; - if (networkAddFirewallRules(def, backend) < 0) + if (networkAddFirewallRules(def, NULL, backend) < 0) return -1; actual = actualargv = virBufferContentAndReset(&buf); -- 2.39.2
Signed-off-by: Laine Stump <laine@redhat.com> --- src/conf/virnetworkobj.c | 1 + src/network/bridge_driver.c | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index XXXXXXX..XXXXXXX 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -XXX,XX +XXX,XX @@ virNetworkObjSaveStatus(const char *statusDir, int flags = 0; g_autofree char *xml = NULL; + VIR_DEBUG("Writing network status to disk"); if (!(xml = virNetworkObjFormat(obj, xmlopt, flags))) return -1; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(networkGetDriver()); VIR_LOCK_GUARD lock = virObjectLockGuard(obj); virNetworkDef *def = virNetworkObjGetDef(obj); + bool saveStatus = false; if (virNetworkObjIsActive(obj)) { switch ((virNetworkForwardType) def->forward.type) { @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, ignore_value(networkAddFirewallRules(def, virNetworkObjGetFwRemovalPtr(obj), cfg->firewallBackend)); + saveStatus = true; break; case VIR_NETWORK_FORWARD_OPEN: @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, } } + if (saveStatus) { + ignore_value(virNetworkObjSaveStatus(cfg->stateDir, obj, + network_driver->xmlopt)); + } + return 0; } @@ -XXX,XX +XXX,XX @@ networkStartNetwork(virNetworkDriverState *driver, /* Persist the live configuration now that anything autogenerated * is setup. */ - VIR_DEBUG("Writing network status to disk"); if (virNetworkObjSaveStatus(cfg->stateDir, obj, network_driver->xmlopt) < 0) goto cleanup; -- 2.39.2
It's not always iptables rules that are being reloaded, could be nftables. Also the message previously didn't clarify that this is only reloading the rules for active virtual networks (and not for nwfilter, for example). Signed-off-by: Laine Stump <laine@redhat.com> --- src/network/bridge_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRules(virNetworkDriverState *driver, bool startup, bool force) { - VIR_INFO("Reloading iptables rules"); + VIR_INFO("Reloading firewall rules for active virtual networks"); /* Ideally we'd not even register the driver when unprivilegd * but until we untangle the virt driver that's not viable */ if (!driver->privileged) -- 2.39.2
V4: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN/#HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN V3: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HOCDIMI3SHS6UFFZJUAXUE6VLXE6SVHV/ V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/ This patch series enables libvirt to use nftables rules rather than iptables *when setting up virtual networks* (it does *not* add nftables support to the nwfilter driver). Changes from V4: * changed the way that default firewall backends are specified in meson_options.txt/on the meson commandline - instead of using a #defined constant string, there are now one of these for each backend that should be tried when none is specified: #define FIREWALL_BACKEND_DEFAULT_n VIR_FIREWALL_BACKEND_xyzzy The "n" will be 1-[number of backends], and the code will try each in ascending order to see if it is usable. * properly handle the case where network.conf doesn't exist (from Patch 12/30 in V3) * In RPM specfile, Require: nftables for Fedora >= 41 /RHEL >= 10, while continuining to Require: iptables for anything else (specifically older RHEL/Fedora) * use VIR_NFTABLES_FORWARD_CHAIN instead of hardcoded "forward" in array of chains needed for the nftable backend. The patches that haven't yet gotten an R-B (and/or were changed enough from V3 to warrant removing the R-B): 12 - network: support setting firewallBackend from network.conf 17 - util: add name attribute to virFirewall (so that the element in the status XML is appropriately identifiable) 18 - util: new function virFirewallNewFromRollback() 19 - util: new functions virFirewallParseXML() and virFirewallFormat() 24 - network: add an nftables backend for network driver's firewall construction 26: network: prefer the nftables backend over iptables (I didn't remove the R-B for patch 27 ("require nftables rather than iptables for newer RHEl/Fedora") for example, because the change is very small, and was exactly copy-pasted from Daniel's suggestion). Changes from V3: * Fixed a bug (newly added in V3) that resulted in the firewall name attribute not being added to the XML. * renamed the table to "libvirt_network" * renamed the chains to be more descriptive, and lower case rather than all caps. * eliminated all the guest->host and host->guest rules since they are redundant in nftables. Laine Stump (30): util/network: move viriptables.[ch] from util to network directory network: move all functions manipulating iptables rules into network_iptables.c network: make all iptables functions used only in network_iptables.c static util: #define the names used for private packet filter chains util: change name of virFirewallRule to virFirewallCmd util: rename virNetFilterAction to iptablesAction, and add VIR_ENUM_DECL/IMPL util: check for 0 args when applying iptables rule util: add -w/--concurrent when applying a FirewallCmd rather than when building it util: determine ignoreErrors value when creating virFirewallCmd, not when applying util/network: new virFirewallBackend enum network: add (empty) network.conf file to distribution files network: support setting firewallBackend from network.conf network: framework to call backend-specific function to init private filter chains util: new functions to support adding individual firewall rollback commands util: implement rollback rule autocreation for iptables commands network: turn on auto-rollback for the rules added for virtual networks util: add name attribute to virFirewall util: new function virFirewallNewFromRollback() util: new functions virFirewallParseXML() and virFirewallFormat() conf: add a virFirewall object to virNetworkObj network: use previously saved list of firewall removal commands network: save network status when firewall rules are reloaded meson: stop looking for iptables/ip6tables/ebtables at build time network: add an nftables backend for network driver's firewall construction tests: test cases for nftables backend network: prefer the nftables backend over iptables spec: require nftables rather than iptables for newer RHEL/Fedora network: name the nftables table "libvirt_network" rather than "libvirt" network: rename chains used by network driver nftables backend network: eliminate pointless host input/output rules from nftables backend libvirt.spec.in | 9 +- meson.build | 12 +- meson_options.txt | 2 + po/POTFILES | 3 +- src/conf/virnetworkobj.c | 41 + src/conf/virnetworkobj.h | 8 + src/libvirt_private.syms | 58 +- src/network/bridge_driver.c | 39 +- src/network/bridge_driver_conf.c | 86 +- src/network/bridge_driver_conf.h | 3 + src/network/bridge_driver_linux.c | 630 +------ src/network/bridge_driver_nop.c | 6 +- src/network/bridge_driver_platform.h | 6 +- src/network/libvirtd_network.aug | 39 + src/network/meson.build | 36 + src/network/network.conf.in | 28 + src/network/network_iptables.c | 1677 +++++++++++++++++ src/network/network_iptables.h | 30 + src/network/network_nftables.c | 968 ++++++++++ src/network/network_nftables.h | 28 + src/network/test_libvirtd_network.aug.in | 5 + src/nwfilter/nwfilter_ebiptables_driver.c | 1004 +++++----- src/util/meson.build | 1 - src/util/virebtables.c | 36 +- src/util/virfirewall.c | 820 ++++++-- src/util/virfirewall.h | 87 +- src/util/viriptables.c | 1072 ----------- src/util/viriptables.h | 155 -- .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 +++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 144 ++ ...pv6-linux.args => nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 202 ++ ...rgs => nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 274 +++ ...linux.args => nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 368 ++++ ...-linux.args => nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 202 ++ ...ftp-linux.args => nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 144 ++ ...inux.args => route-default-linux.iptables} | 0 .../route-default-linux.nftables | 58 + tests/networkxml2firewalltest.c | 56 +- tests/virfirewalltest.c | 424 ++--- 46 files changed, 6258 insertions(+), 2759 deletions(-) create mode 100644 src/network/libvirtd_network.aug create mode 100644 src/network/network.conf.in create mode 100644 src/network/network_iptables.c create mode 100644 src/network/network_iptables.h create mode 100644 src/network/network_nftables.c create mode 100644 src/network/network_nftables.h create mode 100644 src/network/test_libvirtd_network.aug.in delete mode 100644 src/util/viriptables.c delete mode 100644 src/util/viriptables.h rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables -- 2.45.0
These functions are only ever used by the network driver, and are so specific to the network driver's usage of iptables that they likely won't ever be used elsewhere. The files are renamed to network_iptables.[ch] to be more in line with driver-specific file naming conventions. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- po/POTFILES | 2 +- src/libvirt_private.syms | 31 ------------------- src/network/bridge_driver_linux.c | 2 +- src/network/meson.build | 1 + .../network_iptables.c} | 6 ++-- .../network_iptables.h} | 2 +- src/util/meson.build | 1 - 7 files changed, 7 insertions(+), 38 deletions(-) rename src/{util/viriptables.c => network/network_iptables.c} (99%) rename src/{util/viriptables.h => network/network_iptables.h} (99%) diff --git a/po/POTFILES b/po/POTFILES index XXXXXXX..XXXXXXX 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -XXX,XX +XXX,XX @@ src/network/bridge_driver.c src/network/bridge_driver_conf.c src/network/bridge_driver_linux.c src/network/leaseshelper.c +src/network/network_iptables.c src/node_device/node_device_driver.c src/node_device/node_device_udev.c src/nwfilter/nwfilter_dhcpsnoop.c @@ -XXX,XX +XXX,XX @@ src/util/virhostmem.c src/util/virhostuptime.c src/util/viridentity.c src/util/virinitctl.c -src/util/viriptables.c src/util/viriscsi.c src/util/virjson.c src/util/virlease.c diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virIdentitySetX509DName; virInitctlFifos; virInitctlSetRunLevel; - -# util/viriptables.h -iptablesAddDontMasquerade; -iptablesAddForwardAllowCross; -iptablesAddForwardAllowIn; -iptablesAddForwardAllowOut; -iptablesAddForwardAllowRelatedIn; -iptablesAddForwardMasquerade; -iptablesAddForwardRejectIn; -iptablesAddForwardRejectOut; -iptablesAddOutputFixUdpChecksum; -iptablesAddTcpInput; -iptablesAddTcpOutput; -iptablesAddUdpInput; -iptablesAddUdpOutput; -iptablesRemoveDontMasquerade; -iptablesRemoveForwardAllowCross; -iptablesRemoveForwardAllowIn; -iptablesRemoveForwardAllowOut; -iptablesRemoveForwardAllowRelatedIn; -iptablesRemoveForwardMasquerade; -iptablesRemoveForwardRejectIn; -iptablesRemoveForwardRejectOut; -iptablesRemoveOutputFixUdpChecksum; -iptablesRemoveTcpInput; -iptablesRemoveTcpOutput; -iptablesRemoveUdpInput; -iptablesRemoveUdpOutput; -iptablesSetupPrivateChains; - - # util/viriscsi.h virISCSIConnectionLogin; virISCSIConnectionLogout; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ #include <config.h> #include "virfile.h" -#include "viriptables.h" #include "virstring.h" #include "virlog.h" #include "virfirewall.h" #include "virfirewalld.h" +#include "network_iptables.h" #define VIR_FROM_THIS VIR_FROM_NONE diff --git a/src/network/meson.build b/src/network/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -XXX,XX +XXX,XX @@ network_driver_sources = [ 'bridge_driver.c', 'bridge_driver_conf.c', 'bridge_driver_platform.c', + 'network_iptables.c', ] driver_source_files += files(network_driver_sources) diff --git a/src/util/viriptables.c b/src/network/network_iptables.c similarity index 99% rename from src/util/viriptables.c rename to src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ /* - * viriptables.c: helper APIs for managing iptables + * network_iptables.c: helper APIs for managing iptables in network driver * * Copyright (C) 2007-2014 Red Hat, Inc. * @@ -XXX,XX +XXX,XX @@ #include <sys/stat.h> #include "internal.h" -#include "viriptables.h" #include "virfirewalld.h" #include "virerror.h" #include "virlog.h" #include "virhash.h" +#include "network_iptables.h" -VIR_LOG_INIT("util.iptables"); +VIR_LOG_INIT("network.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE diff --git a/src/util/viriptables.h b/src/network/network_iptables.h similarity index 99% rename from src/util/viriptables.h rename to src/network/network_iptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/viriptables.h +++ b/src/network/network_iptables.h @@ -XXX,XX +XXX,XX @@ /* - * viriptables.h: helper APIs for managing iptables + * network_iptables.h: helper APIs for managing iptables in network driver * * Copyright (C) 2007, 2008 Red Hat, Inc. * diff --git a/src/util/meson.build b/src/util/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/util/meson.build +++ b/src/util/meson.build @@ -XXX,XX +XXX,XX @@ util_sources = [ 'virhostuptime.c', 'viridentity.c', 'virinitctl.c', - 'viriptables.c', 'viriscsi.c', 'virjson.c', 'virkeycode.c', -- 2.45.0
Although initially we will add exactly the same rules for the nftables backend, the two may (hopefully) soon diverge as we take advantage of nftables features that weren't available in iptables. When we do that, there will need to be a different version of these functions (currently in bridge_driver_linux.c) for each backend: networkAddFirewallRules() networkRemoveFirewallRules() networkSetupPrivateChains() Although it will mean duplicating some amount of code (with just the function names changed) for the nftables backend, this patch moves all of the rule-related code in the above three functions into iptables*() functions in network_iptables.c, and changes the functions in bridge_driver_linux.c to call the iptables*() functions. When we make a different backend, it will only need to make equivalents of those 3 functions publicly available to the upper layer. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/bridge_driver_linux.c | 556 +---------------------------- src/network/network_iptables.c | 562 +++++++++++++++++++++++++++++- src/network/network_iptables.h | 7 +- 3 files changed, 574 insertions(+), 551 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def) return 0; } -static const char networkLocalMulticastIPv4[] = "224.0.0.0/24"; -static const char networkLocalMulticastIPv6[] = "ff02::/16"; -static const char networkLocalBroadcast[] = "255.255.255.255/32"; -static int -networkAddMasqueradingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix = virNetworkIPDefPrefix(ipdef); - const char *forwardIf = virNetworkDefForwardIf(def, 0); - bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); - - if (prefix < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Invalid prefix or netmask for '%1$s'"), - def->bridge); - return -1; - } - - /* allow forwarding packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - /* allow forwarding packets to the bridge interface if they are - * part of an existing connection - */ - if (iptablesAddForwardAllowRelatedIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - /* - * Enable masquerading. - * - * We need to end up with 5 rules in the table in this order - * - * 1. do not masquerade packets targeting 224.0.0.0/24 - * 2. do not masquerade packets targeting 255.255.255.255/32 - * 3. masquerade protocol=tcp with sport mapping restriction - * 4. masquerade protocol=udp with sport mapping restriction - * 5. generic, masquerade any protocol - * - * 224.0.0.0/24 is the local network multicast range. Packets are not - * forwarded outside. - * - * 255.255.255.255/32 is the broadcast address of any local network. Again, - * such packets are never forwarded, but strict DHCP clients don't accept - * DHCP replies with changed source ports. - * - * The sport mappings are required, because default IPtables - * MASQUERADE maintain port numbers unchanged where possible. - * - * NFS can be configured to only "trust" port numbers < 1023. - * - * Guests using NAT thus need to be prevented from having port - * numbers < 1023, otherwise they can bypass the NFS "security" - * check on the source port number. - * - * Since we use '--insert' to add rules to the header of the - * chain, we actually need to add them in the reverse of the - * order just mentioned ! - */ - - /* First the generic masquerade rule for other protocols */ - if (iptablesAddForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - NULL) < 0) - return -1; - - /* UDP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "udp") < 0) - return -1; - - /* TCP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "tcp") < 0) - return -1; - - /* exempt local network broadcast address as destination */ - if (isIPv4 && - iptablesAddDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - networkLocalBroadcast) < 0) - return -1; - - /* exempt local multicast range as destination */ - if (iptablesAddDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - isIPv4 ? networkLocalMulticastIPv4 : - networkLocalMulticastIPv6) < 0) - return -1; - - return 0; -} - -static int -networkRemoveMasqueradingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix = virNetworkIPDefPrefix(ipdef); - const char *forwardIf = virNetworkDefForwardIf(def, 0); - bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); - - if (prefix < 0) - return 0; - - if (iptablesRemoveDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - isIPv4 ? networkLocalMulticastIPv4 : - networkLocalMulticastIPv6) < 0) - return -1; - - if (isIPv4 && - iptablesRemoveDontMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - networkLocalBroadcast) < 0) - return -1; - - if (iptablesRemoveForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "tcp") < 0) - return -1; - - if (iptablesRemoveForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - "udp") < 0) - return -1; - - if (iptablesRemoveForwardMasquerade(fw, - &ipdef->address, - prefix, - forwardIf, - &def->forward.addr, - &def->forward.port, - NULL) < 0) - return -1; - - if (iptablesRemoveForwardAllowRelatedIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - if (iptablesRemoveForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - return 0; -} - - -static int -networkAddRoutingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix = virNetworkIPDefPrefix(ipdef); - const char *forwardIf = virNetworkDefForwardIf(def, 0); - - if (prefix < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Invalid prefix or netmask for '%1$s'"), - def->bridge); - return -1; - } - - /* allow routing packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - /* allow routing packets to the bridge interface */ - if (iptablesAddForwardAllowIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - return 0; -} - - -static int -networkRemoveRoutingFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - int prefix = virNetworkIPDefPrefix(ipdef); - const char *forwardIf = virNetworkDefForwardIf(def, 0); - - if (prefix < 0) - return 0; - - if (iptablesRemoveForwardAllowIn(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - if (iptablesRemoveForwardAllowOut(fw, - &ipdef->address, - prefix, - def->bridge, - forwardIf) < 0) - return -1; - - return 0; -} - - -static void -networkAddGeneralIPv4FirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - /* First look for first IPv4 address that has dhcp or tftpboot defined. */ - /* We support dhcp config on 1 IPv4 interface only. */ - for (i = 0; - (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) - break; - } - - /* allow DHCP requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - - /* allow DNS requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - - /* allow TFTP requests through to dnsmasq if necessary & back out */ - if (ipv4def && ipv4def->tftproot) { - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - } - - /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - - /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); -} - -static void -networkRemoveGeneralIPv4FirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - for (i = 0; - (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) - break; - } - - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - - if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - } - - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); -} - - -/* Add all once/network rules required for IPv6. - * If no IPv6 addresses are defined and <network ipv6='yes'> is - * specified, then allow IPv6 communications between virtual systems. - * If any IPv6 addresses are defined, then add the rules for regular operation. - */ -static void -networkAddGeneralIPv6FirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && - !def->ipv6nogw) { - return; - } - - /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - - /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - - if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { - /* allow DNS over IPv6 & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - /* allow DHCPv6 & back out */ - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); - } -} - -static void -networkRemoveGeneralIPv6FirewallRules(virFirewall *fw, - virNetworkDef *def) +int +networkAddFirewallRules(virNetworkDef *def) { - if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && - !def->ipv6nogw) { - return; - } - - if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - } - - /* the following rules are there if no IPv6 address has been defined - * but def->ipv6nogw == true - */ - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); -} - - -static void -networkAddGeneralFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - networkAddGeneralIPv4FirewallRules(fw, def); - networkAddGeneralIPv6FirewallRules(fw, def); -} - - -static void -networkRemoveGeneralFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - networkRemoveGeneralIPv4FirewallRules(fw, def); - networkRemoveGeneralIPv6FirewallRules(fw, def); -} - -static void -networkAddChecksumFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - /* First look for first IPv4 address that has dhcp or tftpboot defined. */ - /* We support dhcp config on 1 IPv4 interface only. */ - for (i = 0; - (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts) - break; - } - - /* If we are doing local DHCP service on this network, attempt to - * add a rule that will fixup the checksum of DHCP response - * packets back to the guests (but report failure without - * aborting, since not all iptables implementations support it). - */ - if (ipv4def) - iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68); -} - - -static void -networkRemoveChecksumFirewallRules(virFirewall *fw, - virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipv4def; - - /* First look for first IPv4 address that has dhcp or tftpboot defined. */ - /* We support dhcp config on 1 IPv4 interface only. */ - for (i = 0; - (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); - i++) { - if (ipv4def->nranges || ipv4def->nhosts) - break; - } - - if (ipv4def) - iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68); -} - - -static int -networkAddIPSpecificFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - /* NB: in the case of IPv6, routing rules are added when the - * forward mode is NAT. This is because IPv6 has no NAT. - */ - - if (def->forward.type == VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || - def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES) - return networkAddMasqueradingFirewallRules(fw, def, ipdef); - else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - return networkAddRoutingFirewallRules(fw, def, ipdef); - } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { - return networkAddRoutingFirewallRules(fw, def, ipdef); - } - return 0; -} - - -static int -networkRemoveIPSpecificFirewallRules(virFirewall *fw, - virNetworkDef *def, - virNetworkIPDef *ipdef) -{ - if (def->forward.type == VIR_NETWORK_FORWARD_NAT) { - if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || - def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES) - return networkRemoveMasqueradingFirewallRules(fw, def, ipdef); - else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - return networkRemoveRoutingFirewallRules(fw, def, ipdef); - } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { - return networkRemoveRoutingFirewallRules(fw, def, ipdef); - } - return 0; -} - - -/* Add all rules for all ip addresses (and general rules) on a network */ -int networkAddFirewallRules(virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); - if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -XXX,XX +XXX,XX @@ int networkAddFirewallRules(virNetworkDef *def) } } - virFirewallStartTransaction(fw, 0); - - networkAddGeneralFirewallRules(fw, def); - - for (i = 0; - (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkAddIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - - virFirewallStartRollback(fw, 0); - - for (i = 0; - (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - networkRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); - networkAddChecksumFirewallRules(fw, def); - - return virFirewallApply(fw); + return iptablesAddFirewallRules(def); } -/* Remove all rules for all ip addresses (and general rules) on a network */ -void networkRemoveFirewallRules(virNetworkDef *def) -{ - size_t i; - virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); - networkRemoveChecksumFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); - for (i = 0; - (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return; - } - networkRemoveGeneralFirewallRules(fw, def); - - virFirewallApply(fw); +void +networkRemoveFirewallRules(virNetworkDef *def) +{ + iptablesRemoveFirewallRules(def); } diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ /* - * network_iptables.c: helper APIs for managing iptables in network driver + * network_iptables.c: iptables-based firewall implementation for + * virtual networks. * * Copyright (C) 2007-2014 Red Hat, Inc. * @@ -XXX,XX +XXX,XX @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, { iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); } + + +static const char networkLocalMulticastIPv4[] = "224.0.0.0/24"; +static const char networkLocalMulticastIPv6[] = "ff02::/16"; +static const char networkLocalBroadcast[] = "255.255.255.255/32"; + +static int +iptablesAddMasqueradingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix = virNetworkIPDefPrefix(ipdef); + const char *forwardIf = virNetworkDefForwardIf(def, 0); + bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow forwarding packets from the bridge interface */ + if (iptablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow forwarding packets to the bridge interface if they are + * part of an existing connection + */ + if (iptablesAddForwardAllowRelatedIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* + * Enable masquerading. + * + * We need to end up with 5 rules in the table in this order + * + * 1. do not masquerade packets targeting 224.0.0.0/24 + * 2. do not masquerade packets targeting 255.255.255.255/32 + * 3. masquerade protocol=tcp with sport mapping restriction + * 4. masquerade protocol=udp with sport mapping restriction + * 5. generic, masquerade any protocol + * + * 224.0.0.0/24 is the local network multicast range. Packets are not + * forwarded outside. + * + * 255.255.255.255/32 is the broadcast address of any local network. Again, + * such packets are never forwarded, but strict DHCP clients don't accept + * DHCP replies with changed source ports. + * + * The sport mappings are required, because default IPtables + * MASQUERADE maintain port numbers unchanged where possible. + * + * NFS can be configured to only "trust" port numbers < 1023. + * + * Guests using NAT thus need to be prevented from having port + * numbers < 1023, otherwise they can bypass the NFS "security" + * check on the source port number. + * + * Since we use '--insert' to add rules to the header of the + * chain, we actually need to add them in the reverse of the + * order just mentioned ! + */ + + /* First the generic masquerade rule for other protocols */ + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + NULL) < 0) + return -1; + + /* UDP with a source port restriction */ + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "udp") < 0) + return -1; + + /* TCP with a source port restriction */ + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "tcp") < 0) + return -1; + + /* exempt local network broadcast address as destination */ + if (isIPv4 && + iptablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalBroadcast) < 0) + return -1; + + /* exempt local multicast range as destination */ + if (iptablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) + return -1; + + return 0; +} + +static int +iptablesRemoveMasqueradingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix = virNetworkIPDefPrefix(ipdef); + const char *forwardIf = virNetworkDefForwardIf(def, 0); + bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); + + if (prefix < 0) + return 0; + + if (iptablesRemoveDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) + return -1; + + if (isIPv4 && + iptablesRemoveDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalBroadcast) < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "tcp") < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "udp") < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + NULL) < 0) + return -1; + + if (iptablesRemoveForwardAllowRelatedIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + if (iptablesRemoveForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static int +iptablesAddRoutingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix = virNetworkIPDefPrefix(ipdef); + const char *forwardIf = virNetworkDefForwardIf(def, 0); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow routing packets from the bridge interface */ + if (iptablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow routing packets to the bridge interface */ + if (iptablesAddForwardAllowIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static int +iptablesRemoveRoutingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix = virNetworkIPDefPrefix(ipdef); + const char *forwardIf = virNetworkDefForwardIf(def, 0); + + if (prefix < 0) + return 0; + + if (iptablesRemoveForwardAllowIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + if (iptablesRemoveForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static void +iptablesAddGeneralIPv4FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i = 0; + (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) + break; + } + + /* allow DHCP requests through to dnsmasq & back out */ + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + + /* allow DNS requests through to dnsmasq & back out */ + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + + /* allow TFTP requests through to dnsmasq if necessary & back out */ + if (ipv4def && ipv4def->tftproot) { + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + } + + /* Catch all rules to block forwarding to/from bridges */ + iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + + /* Allow traffic between guests on the same bridge */ + iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); +} + +static void +iptablesRemoveGeneralIPv4FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + for (i = 0; + (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) + break; + } + + iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + + if (ipv4def && ipv4def->tftproot) { + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + } + + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); +} + + +/* Add all once/network rules required for IPv6. + * If no IPv6 addresses are defined and <network ipv6='yes'> is + * specified, then allow IPv6 communications between virtual systems. + * If any IPv6 addresses are defined, then add the rules for regular operation. + */ +static void +iptablesAddGeneralIPv6FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && + !def->ipv6nogw) { + return; + } + + /* Catch all rules to block forwarding to/from bridges */ + iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + /* Allow traffic between guests on the same bridge */ + iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { + /* allow DNS over IPv6 & back out */ + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + /* allow DHCPv6 & back out */ + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); + } +} + +static void +iptablesRemoveGeneralIPv6FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && + !def->ipv6nogw) { + return; + } + + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + } + + /* the following rules are there if no IPv6 address has been defined + * but def->ipv6nogw == true + */ + iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); +} + + +static void +iptablesAddGeneralFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + iptablesAddGeneralIPv4FirewallRules(fw, def); + iptablesAddGeneralIPv6FirewallRules(fw, def); +} + + +static void +iptablesRemoveGeneralFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + iptablesRemoveGeneralIPv4FirewallRules(fw, def); + iptablesRemoveGeneralIPv6FirewallRules(fw, def); +} + +static void +iptablesAddChecksumFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i = 0; + (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts) + break; + } + + /* If we are doing local DHCP service on this network, attempt to + * add a rule that will fixup the checksum of DHCP response + * packets back to the guests (but report failure without + * aborting, since not all iptables implementations support it). + */ + if (ipv4def) + iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68); +} + + +static void +iptablesRemoveChecksumFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i = 0; + (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts) + break; + } + + if (ipv4def) + iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68); +} + + +static int +iptablesAddIPSpecificFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + /* NB: in the case of IPv6, routing rules are added when the + * forward mode is NAT. This is because IPv6 has no NAT. + */ + + if (def->forward.type == VIR_NETWORK_FORWARD_NAT) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES) + return iptablesAddMasqueradingFirewallRules(fw, def, ipdef); + else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) + return iptablesAddRoutingFirewallRules(fw, def, ipdef); + } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { + return iptablesAddRoutingFirewallRules(fw, def, ipdef); + } + return 0; +} + + +static int +iptablesRemoveIPSpecificFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + if (def->forward.type == VIR_NETWORK_FORWARD_NAT) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES) + return iptablesRemoveMasqueradingFirewallRules(fw, def, ipdef); + else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) + return iptablesRemoveRoutingFirewallRules(fw, def, ipdef); + } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { + return iptablesRemoveRoutingFirewallRules(fw, def, ipdef); + } + return 0; +} + + +/* Add all rules for all ip addresses (and general rules) on a network */ +int +iptablesAddFirewallRules(virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipdef; + g_autoptr(virFirewall) fw = virFirewallNew(); + + virFirewallStartTransaction(fw, 0); + + iptablesAddGeneralFirewallRules(fw, def); + + for (i = 0; + (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (iptablesAddIPSpecificFirewallRules(fw, def, ipdef) < 0) + return -1; + } + + virFirewallStartRollback(fw, 0); + + for (i = 0; + (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) + return -1; + } + iptablesRemoveGeneralFirewallRules(fw, def); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + iptablesAddChecksumFirewallRules(fw, def); + + return virFirewallApply(fw); +} + +/* Remove all rules for all ip addresses (and general rules) on a network */ +void +iptablesRemoveFirewallRules(virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipdef; + g_autoptr(virFirewall) fw = virFirewallNew(); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + iptablesRemoveChecksumFirewallRules(fw, def); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + + for (i = 0; + (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) + return; + } + iptablesRemoveGeneralFirewallRules(fw, def); + + virFirewallApply(fw); +} diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.h +++ b/src/network/network_iptables.h @@ -XXX,XX +XXX,XX @@ #include "virsocketaddr.h" #include "virfirewall.h" +#include "network_conf.h" -int iptablesSetupPrivateChains (virFirewallLayer layer); +int iptablesAddFirewallRules(virNetworkDef *def); + +void iptablesRemoveFirewallRules(virNetworkDef *def); + +int iptablesSetupPrivateChains(virFirewallLayer layer); void iptablesAddTcpInput (virFirewall *fw, virFirewallLayer layer, -- 2.45.0
Now that the toplevel iptables functions have been moved out of the linux bridge driver into network_iptables.c, all of the utility functions are used only within that same file, so simplify it. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_iptables.c | 52 ++++++------- src/network/network_iptables.h | 130 --------------------------------- 2 files changed, 26 insertions(+), 156 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, * Add an input to the IP table allowing access to the given @port on * the given @iface interface for TCP packets */ -void +static void iptablesAddTcpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesAddTcpInput(virFirewall *fw, * Removes an input from the IP table, hence forbidding access to the given * @port on the given @iface interface for TCP packets */ -void +static void iptablesRemoveTcpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesRemoveTcpInput(virFirewall *fw, * Add an input to the IP table allowing access to the given @port on * the given @iface interface for UDP packets */ -void +static void iptablesAddUdpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesAddUdpInput(virFirewall *fw, * Removes an input from the IP table, hence forbidding access to the given * @port on the given @iface interface for UDP packets */ -void +static void iptablesRemoveUdpInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesRemoveUdpInput(virFirewall *fw, * Add an output to the IP table allowing access to the given @port from * the given @iface interface for TCP packets */ -void +static void iptablesAddTcpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesAddTcpOutput(virFirewall *fw, * Removes an output from the IP table, hence forbidding access to the given * @port from the given @iface interface for TCP packets */ -void +static void iptablesRemoveTcpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesRemoveTcpOutput(virFirewall *fw, * Add an output to the IP table allowing access to the given @port from * the given @iface interface for UDP packets */ -void +static void iptablesAddUdpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesAddUdpOutput(virFirewall *fw, * Removes an output from the IP table, hence forbidding access to the given * @port from the given @iface interface for UDP packets */ -void +static void iptablesRemoveUdpOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardAllowOut(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardAllowOut(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardAllowRelatedIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowCross(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowCross(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -XXX,XX +XXX,XX @@ iptablesAddForwardRejectOut(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -XXX,XX +XXX,XX @@ iptablesAddForwardRejectIn(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -void +static void iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesAddForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise */ -int +static int iptablesRemoveForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise. */ -int +static int iptablesAddDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesAddDontMasquerade(virFirewall *fw, * * Returns 0 in case of success or an error code otherwise. */ -int +static int iptablesRemoveDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, @@ -XXX,XX +XXX,XX @@ iptablesOutputFixUdpChecksum(virFirewall *fw, * the given @iface interface for TCP packets. * */ -void +static void iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) @@ -XXX,XX +XXX,XX @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, * Removes the checksum fixup rule that was previous added with * iptablesAddOutputFixUdpChecksum. */ -void +static void iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.h +++ b/src/network/network_iptables.h @@ -XXX,XX +XXX,XX @@ #pragma once -#include "virsocketaddr.h" #include "virfirewall.h" #include "network_conf.h" @@ -XXX,XX +XXX,XX @@ int iptablesAddFirewallRules(virNetworkDef *def); void iptablesRemoveFirewallRules(virNetworkDef *def); int iptablesSetupPrivateChains(virFirewallLayer layer); - -void iptablesAddTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void iptablesAddUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void iptablesAddTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesAddUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -int iptablesAddForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -int iptablesAddForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -void iptablesAddForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void iptablesAddForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void iptablesAddForwardRejectIn (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectIn (virFirewall *fw, - virFirewallLayer layery, - const char *iface); - -int iptablesAddForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -void iptablesAddOutputFixUdpChecksum (virFirewall *fw, - const char *iface, - int port); -void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw, - const char *iface, - int port); -- 2.45.0
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_iptables.c | 51 +++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE +#define VIR_IPTABLES_INPUT_CHAIN "LIBVIRT_INP" +#define VIR_IPTABLES_OUTPUT_CHAIN "LIBVIRT_OUT" +#define VIR_IPTABLES_FWD_IN_CHAIN "LIBVIRT_FWI" +#define VIR_IPTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO" +#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX" +#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" + enum { VIR_NETFILTER_INSERT = 0, VIR_NETFILTER_DELETE @@ -XXX,XX +XXX,XX @@ iptablesSetupPrivateChains(virFirewallLayer layer) { g_autoptr(virFirewall) fw = virFirewallNew(); iptablesGlobalChain filter_chains[] = { - {"INPUT", "LIBVIRT_INP"}, - {"OUTPUT", "LIBVIRT_OUT"}, - {"FORWARD", "LIBVIRT_FWO"}, - {"FORWARD", "LIBVIRT_FWI"}, - {"FORWARD", "LIBVIRT_FWX"}, + {"INPUT", VIR_IPTABLES_INPUT_CHAIN}, + {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN}, + {"FORWARD", VIR_IPTABLES_FWD_OUT_CHAIN}, + {"FORWARD", VIR_IPTABLES_FWD_IN_CHAIN}, + {"FORWARD", VIR_IPTABLES_FWD_X_CHAIN}, }; iptablesGlobalChain natmangle_chains[] = { - {"POSTROUTING", "LIBVIRT_PRT"}, + {"POSTROUTING", VIR_IPTABLES_NAT_POSTROUTE_CHAIN}, }; bool changed = false; iptablesGlobalChainData data[] = { @@ -XXX,XX +XXX,XX @@ iptablesInput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_INP", + VIR_IPTABLES_INPUT_CHAIN, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_OUT", + VIR_IPTABLES_OUTPUT_CHAIN, "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWO", + VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWO", + VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowCross(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWX", + VIR_IPTABLES_FWD_X_CHAIN, "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWO", + VIR_IPTABLES_FWD_OUT_CHAIN, "--in-interface", iface, "--jump", "REJECT", NULL); @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", + VIR_IPTABLES_FWD_IN_CHAIN, "--out-interface", iface, "--jump", "REJECT", NULL); @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, rule = virFirewallAddRule(fw, layer, "--table", "nat", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, rule = virFirewallAddRule(fw, layer, "--table", "nat", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -XXX,XX +XXX,XX @@ iptablesOutputFixUdpChecksum(virFirewall *fw, virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, -- 2.45.0
These objects aren't rules, they are commands that are executed that may create a firewall rule, delete a firewall rule, or simply list the existing firewall rules. It's confusing for the objects to be called "Rule" (especially in the case of the function virFirewallRemoveRule(), which doesn't remove a rule from the firewall, it takes one of the objects out of the list of commands to execute! In order to remove a rule from the host's firewall, you have to Add a "rule" (now "cmd" aka command) to the list that will, when applied/run, remove a rule from the host firewall.) Changing the name to virFirewallCmd makes it all much less confusing. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt_private.syms | 16 +- src/network/network_iptables.c | 286 +++---- src/nwfilter/nwfilter_ebiptables_driver.c | 988 +++++++++++----------- src/util/virebtables.c | 32 +- src/util/virfirewall.c | 223 +++-- src/util/virfirewall.h | 54 +- tests/virfirewalltest.c | 404 ++++----- 7 files changed, 1000 insertions(+), 1003 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFileCacheSetPriv; # util/virfirewall.h -virFirewallAddRuleFull; +virFirewallAddCmdFull; virFirewallApply; +virFirewallCmdAddArg; +virFirewallCmdAddArgFormat; +virFirewallCmdAddArgList; +virFirewallCmdAddArgSet; +virFirewallCmdGetArgCount; +virFirewallCmdToString; virFirewallFree; virFirewallNew; -virFirewallRemoveRule; -virFirewallRuleAddArg; -virFirewallRuleAddArgFormat; -virFirewallRuleAddArgList; -virFirewallRuleAddArgSet; -virFirewallRuleGetArgCount; -virFirewallRuleToString; +virFirewallRemoveCmd; virFirewallStartRollback; virFirewallStartTransaction; diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ iptablesPrivateChainCreate(virFirewall *fw, for (i = 0; i < data->nchains; i++) { const char *from; if (!virHashLookup(chains, data->chains[i].child)) { - virFirewallAddRule(fw, layer, - "--table", data->table, - "--new-chain", data->chains[i].child, NULL); + virFirewallAddCmd(fw, layer, + "--table", data->table, + "--new-chain", data->chains[i].child, NULL); *data->changed = true; } from = virHashLookup(links, data->chains[i].child); if (!from || STRNEQ(from, data->chains[i].parent)) - virFirewallAddRule(fw, layer, - "--table", data->table, - "--insert", data->chains[i].parent, - "--jump", data->chains[i].child, NULL); + virFirewallAddCmd(fw, layer, + "--table", data->table, + "--insert", data->chains[i].parent, + "--jump", data->chains[i].child, NULL); } return 0; @@ -XXX,XX +XXX,XX @@ iptablesSetupPrivateChains(virFirewallLayer layer) virFirewallStartTransaction(fw, 0); for (i = 0; i < G_N_ELEMENTS(data); i++) - virFirewallAddRuleFull(fw, data[i].layer, - false, iptablesPrivateChainCreate, - &(data[i]), "--table", data[i].table, - "--list-rules", NULL); + virFirewallAddCmdFull(fw, data[i].layer, + false, iptablesPrivateChainCreate, + &(data[i]), "--table", data[i].table, + "--list-rules", NULL); if (virFirewallApply(fw) < 0) return -1; @@ -XXX,XX +XXX,XX @@ iptablesInput(virFirewall *fw, { g_autofree char *portstr = g_strdup_printf("%d", port); - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_INPUT_CHAIN, - "--in-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_INPUT_CHAIN, + "--in-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } static void @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, { g_autofree char *portstr = g_strdup_printf("%d", port); - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_OUTPUT_CHAIN, - "--out-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_OUTPUT_CHAIN, + "--out-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } /** @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, return -1; if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--source", networkstr, - "--in-interface", iface, - "--out-interface", physdev, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--source", networkstr, + "--in-interface", iface, + "--out-interface", physdev, + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--source", networkstr, - "--in-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--source", networkstr, + "--in-interface", iface, + "--jump", "ACCEPT", + NULL); return 0; } @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, return -1; if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); return 0; } @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, return -1; if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); return 0; } @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowCross(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_X_CHAIN, - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_X_CHAIN, + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); } /** @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectOut(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--in-interface", iface, - "--jump", "REJECT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--in-interface", iface, + "--jump", "REJECT", + NULL); } /** @@ -XXX,XX +XXX,XX @@ iptablesForwardRejectIn(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--out-interface", iface, - "--jump", "REJECT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--out-interface", iface, + "--jump", "REJECT", + NULL); } /** @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, g_autofree char *addrEndStr = NULL; g_autofree char *portRangeStr = NULL; g_autofree char *natRangeStr = NULL; - virFirewallRule *rule; + virFirewallCmd *fwCmd; int af = VIR_SOCKET_ADDR_FAMILY(netaddr); virFirewallLayer layer = af == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, } if (protocol && protocol[0]) { - rule = virFirewallAddRule(fw, layer, + fwCmd = virFirewallAddCmd(fw, layer, "--table", "nat", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", VIR_IPTABLES_NAT_POSTROUTE_CHAIN, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, "!", "--destination", networkstr, NULL); } else { - rule = virFirewallAddRule(fw, layer, + fwCmd = virFirewallAddCmd(fw, layer, "--table", "nat", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", VIR_IPTABLES_NAT_POSTROUTE_CHAIN, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, } if (physdev && physdev[0]) - virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NULL); if (protocol && protocol[0]) { if (port->start == 0 && port->end == 0) { @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, portRangeStr ? portRangeStr : ""); } - virFirewallRuleAddArgList(fw, rule, - "--jump", "SNAT", - "--to-source", natRangeStr, NULL); + virFirewallCmdAddArgList(fw, fwCmd, + "--jump", "SNAT", + "--to-source", natRangeStr, NULL); } else { - virFirewallRuleAddArgList(fw, rule, - "--jump", "MASQUERADE", NULL); + virFirewallCmdAddArgList(fw, fwCmd, + "--jump", "MASQUERADE", NULL); if (portRangeStr && portRangeStr[0]) - virFirewallRuleAddArgList(fw, rule, - "--to-ports", &portRangeStr[1], NULL); + virFirewallCmdAddArgList(fw, fwCmd, + "--to-ports", &portRangeStr[1], NULL); } return 0; @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, return -1; if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--out-interface", physdev, - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "nat", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--out-interface", physdev, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "nat", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); return 0; } @@ -XXX,XX +XXX,XX @@ iptablesOutputFixUdpChecksum(virFirewall *fw, { g_autofree char *portstr = g_strdup_printf("%d", port); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "--table", "mangle", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--out-interface", iface, - "--protocol", "udp", - "--destination-port", portstr, - "--jump", "CHECKSUM", "--checksum-fill", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "mangle", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--out-interface", iface, + "--protocol", "udp", + "--destination-port", portstr, + "--jump", "CHECKSUM", "--checksum-fill", + NULL); } /** diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -XXX,XX +XXX,XX @@ printDataTypeAsHex(virNWFilterVarCombIter *vars, static int ebtablesHandleEthHdr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ethHdrDataDef *ethHdr, bool reverse) @@ -XXX,XX +XXX,XX @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataSrcMACAddr) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - reverse ? "-d" : "-s", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + reverse ? "-d" : "-s", + NULL); if (ENTRY_WANT_NEG_SIGN(ðHdr->dataSrcMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACMask)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataSrcMACMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", macaddr, macmask); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", macaddr, macmask); } else { - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, macaddr); } } @@ -XXX,XX +XXX,XX @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataDstMACAddr) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - reverse ? "-s" : "-d", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + reverse ? "-s" : "-d", + NULL); if (ENTRY_WANT_NEG_SIGN(ðHdr->dataDstMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(ðHdr->dataDstMACMask)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataDstMACMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", macaddr, macmask); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", macaddr, macmask); } else { - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, macaddr); } } @@ -XXX,XX +XXX,XX @@ static void iptablesCreateBaseChainsFW(virFirewall *fw, virFirewallLayer layer) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_OUT_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", HOST_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_IN_POST_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", HOST_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); } @@ -XXX,XX +XXX,XX @@ iptablesCreateTmpRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRule(fw, layer, - "-N", chain, NULL); + virFirewallAddCmd(fw, layer, + "-N", chain, NULL); } @@ -XXX,XX +XXX,XX @@ _iptablesRemoveRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-F", chain, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-X", chain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-F", chain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-X", chain, NULL); } @@ -XXX,XX +XXX,XX @@ iptablesLinkTmpRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); if (incoming) - virFirewallAddRule(fw, layer, - "-A", basechain, - MATCH_PHYSDEV_IN_FW, - ifname, - "-g", chain, NULL); + virFirewallAddCmd(fw, layer, + "-A", basechain, + MATCH_PHYSDEV_IN_FW, + ifname, + "-g", chain, NULL); else - virFirewallAddRule(fw, layer, - "-A", basechain, - MATCH_PHYSDEV_OUT_FW, - ifname, - "-g", chain, NULL); + virFirewallAddCmd(fw, layer, + "-A", basechain, + MATCH_PHYSDEV_OUT_FW, + ifname, + "-g", chain, NULL); } @@ -XXX,XX +XXX,XX @@ iptablesSetupVirtInPostFW(virFirewall *fw G_GNUC_UNUSED, virFirewallLayer layer G_GNUC_UNUSED, const char *ifname G_GNUC_UNUSED) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, layer, - "-A", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, layer, + "-A", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); } @@ -XXX,XX +XXX,XX @@ iptablesClearVirtInPostFW(virFirewall *fw, virFirewallLayer layer, const char *ifname) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); } @@ -XXX,XX +XXX,XX @@ _iptablesUnlinkRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); if (incoming) - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_IN_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_IN_FW, ifname, + "-g", chain, + NULL); else - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_OUT_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_OUT_FW, ifname, + "-g", chain, + NULL); /* * Previous versions of libvirt may have created a rule @@ -XXX,XX +XXX,XX @@ _iptablesUnlinkRootChainFW(virFirewall *fw, * as well. */ if (!incoming) - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_OUT_OLD_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_OUT_OLD_FW, ifname, + "-g", chain, + NULL); } @@ -XXX,XX +XXX,XX @@ iptablesRenameTmpRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRule(fw, layer, - "-E", tmpchain, chain, NULL); + virFirewallAddCmd(fw, layer, + "-E", tmpchain, chain, NULL); } @@ -XXX,XX +XXX,XX @@ iptablesRenameTmpRootChainsFW(virFirewall *fw, static int iptablesHandleSrcMacAddr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, nwItemDesc *srcMacAddr, bool directionIn, @@ -XXX,XX +XXX,XX @@ iptablesHandleSrcMacAddr(virFirewall *fw, srcMacAddr) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-m", "mac", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "mac", + NULL); if (ENTRY_WANT_NEG_SIGN(srcMacAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--mac-source", - macaddr, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--mac-source", + macaddr, + NULL); } return 0; @@ -XXX,XX +XXX,XX @@ iptablesHandleSrcMacAddr(virFirewall *fw, static int iptablesHandleIPHdr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ipHdrDataDef *ipHdr, bool directionIn, @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, return -1; if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, src); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, src); if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) { @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPFrom) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-m", "iprange", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "iprange", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, srcrange); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, srcrange); if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) { @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPTo) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s-%s", ipaddr, ipaddralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, return -1; if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dst); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dst); if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPFrom) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-m", "iprange", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "iprange", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dstrange); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dstrange); if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPTo) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s-%s", ipaddr, ipaddralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDSCP) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-m", "dscp", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "dscp", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--dscp", number, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--dscp", number, + NULL); } if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) { @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdr(virFirewall *fw, static int iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ipHdrDataDef *ipHdr, bool directionIn) @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, &ipHdr->dataIPSet) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-m", "set", - "--match-set", str, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "set", + "--match-set", str, + NULL); if (printDataTypeDirection(vars, str, sizeof(str), &ipHdr->dataIPSetFlags, directionIn) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, str); + virFirewallCmdAddArg(fw, fwrule, str); } if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) { @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, /* place connlimit after potential -m state --state ... since this is the most useful order */ - virFirewallRuleAddArgList(fw, fwrule, - "-m", "connlimit", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "connlimit", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--connlimit-above", number, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--connlimit-above", number, + NULL); } } if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) { /* keep comments behind everything else -- they are packet eval. no-ops */ - virFirewallRuleAddArgList(fw, fwrule, - "-m", "comment", - "--comment", ipHdr->dataComment.u.string, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "comment", + "--comment", ipHdr->dataComment.u.string, + NULL); } return 0; @@ -XXX,XX +XXX,XX @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, static int iptablesHandlePortData(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, portDataDef *portData, bool directionIn) @@ -XXX,XX +XXX,XX @@ iptablesHandlePortData(virFirewall *fw, return -1; if (ENTRY_WANT_NEG_SIGN(&portData->dataSrcPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, sport); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, sport); if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ iptablesHandlePortData(virFirewall *fw, &portData->dataSrcPortEnd) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", portstr, portstralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", portstr, portstralt); } else { - virFirewallRuleAddArg(fw, fwrule, portstr); + virFirewallCmdAddArg(fw, fwrule, portstr); } } @@ -XXX,XX +XXX,XX @@ iptablesHandlePortData(virFirewall *fw, return -1; if (ENTRY_WANT_NEG_SIGN(&portData->dataDstPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dport); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dport); if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ iptablesHandlePortData(virFirewall *fw, &portData->dataDstPortEnd) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", portstr, portstralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", portstr, portstralt); } else { - virFirewallRuleAddArg(fw, fwrule, portstr); + virFirewallCmdAddArg(fw, fwrule, portstr); } } @@ -XXX,XX +XXX,XX @@ iptablesHandlePortData(virFirewall *fw, static void iptablesEnforceDirection(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, bool directionIn, virNWFilterRuleDef *rule) { if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT) - virFirewallRuleAddArgList(fw, fwrule, - "-m", "conntrack", - "--ctdir", - (directionIn ? - "Reply" : - "Original"), - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "conntrack", + "--ctdir", + (directionIn ? + "Reply" : + "Original"), + NULL); } @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, bool skipRule = false; bool skipMatch = false; bool hasICMPType = false; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; size_t fwruleargs; PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, switch ((int)rule->prtclType) { case VIR_NWFILTER_RULE_PROTOCOL_TCP: case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "tcp", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "tcp", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, g_autofree char *mask = NULL; g_autofree char *flags = NULL; if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, "--tcp-flags"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "--tcp-flags"); if (!(mask = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask))) return -1; - virFirewallRuleAddArg(fw, fwrule, mask); + virFirewallCmdAddArg(fw, fwrule, mask); if (!(flags = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags))) return -1; - virFirewallRuleAddArg(fw, fwrule, flags); + virFirewallCmdAddArg(fw, fwrule, flags); } if (iptablesHandlePortData(fw, fwrule, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, return -1; if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--tcp-option", number, NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--tcp-option", number, NULL); } break; case VIR_NWFILTER_RULE_PROTOCOL_UDP: case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "udp", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "udp", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "udplite", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "udplite", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, case VIR_NWFILTER_RULE_PROTOCOL_ESP: case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "esp", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "esp", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, case VIR_NWFILTER_RULE_PROTOCOL_AH: case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "ah", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "ah", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, case VIR_NWFILTER_RULE_PROTOCOL_SCTP: case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "sctp", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "sctp", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + NULL); if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP) - virFirewallRuleAddArgList(fw, fwrule, - "-p", "icmp", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "icmp", NULL); else - virFirewallRuleAddArgList(fw, fwrule, - "-p", "icmpv6", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "icmpv6", NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, hasICMPType = true; if (maySkipICMP) { - virFirewallRemoveRule(fw, fwrule); + virFirewallRemoveCmd(fw, fwrule); return 0; } @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, return -1; if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, parm); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, parm); if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, &rule->p.icmpHdrFilter.dataICMPCode) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } break; case VIR_NWFILTER_RULE_PROTOCOL_IGMP: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "igmp", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "igmp", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, case VIR_NWFILTER_RULE_PROTOCOL_ALL: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: - fwrule = virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "all", - NULL); + fwrule = virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "all", + NULL); - fwruleargs = virFirewallRuleGetArgCount(fwrule); + fwruleargs = virFirewallCmdGetArgCount(fwrule); if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, } if ((srcMacSkipped && - fwruleargs == virFirewallRuleGetArgCount(fwrule)) || + fwruleargs == virFirewallCmdGetArgCount(fwrule)) || skipRule) { - virFirewallRemoveRule(fw, fwrule); + virFirewallRemoveCmd(fw, fwrule); return 0; } @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, } if (match && !skipMatch) { - virFirewallRuleAddArgList(fw, fwrule, - "-m", "conntrack", - "--ctstate", match, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "conntrack", + "--ctstate", match, + NULL); } if (defMatch && match != NULL && !skipMatch && !hasICMPType) @@ -XXX,XX +XXX,XX @@ _iptablesCreateRuleInstance(virFirewall *fw, directionIn) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-j", target, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", target, NULL); return 0; } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, char chain[MAX_CHAINNAME_LENGTH]; const char *target; bool hasMask = false; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; if (STREQ(chainSuffix, virNWFilterChainSuffixTypeToString( @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, field, sizeof(field), \ &rule->p.STRUCT.ITEM) < 0) \ return -1; \ - virFirewallRuleAddArg(fw, fwrule, CLI); \ + virFirewallCmdAddArg(fw, fwrule, CLI); \ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \ - virFirewallRuleAddArg(fw, fwrule, "!"); \ - virFirewallRuleAddArg(fw, fwrule, field); \ + virFirewallCmdAddArg(fw, fwrule, "!"); \ + virFirewallCmdAddArg(fw, fwrule, field); \ } #define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \ @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, field, sizeof(field), \ &rule->p.STRUCT.ITEM) < 0) \ return -1; \ - virFirewallRuleAddArg(fw, fwrule, CLI); \ + virFirewallCmdAddArg(fw, fwrule, CLI); \ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \ - virFirewallRuleAddArg(fw, fwrule, "!"); \ + virFirewallCmdAddArg(fw, fwrule, "!"); \ if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \ if (printDataType(vars, \ fieldalt, sizeof(fieldalt), \ &rule->p.STRUCT.ITEM_HI) < 0) \ return -1; \ - virFirewallRuleAddArgFormat(fw, fwrule, \ - "%s%s%s", field, SEP, fieldalt); \ + virFirewallCmdAddArgFormat(fw, fwrule, \ + "%s%s%s", field, SEP, fieldalt); \ } else { \ - virFirewallRuleAddArg(fw, fwrule, field); \ + virFirewallCmdAddArg(fw, fwrule, field); \ } \ } #define INST_ITEM_RANGE(S, I, I_HI, C) \ @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, switch ((int)rule->prtclType) { case VIR_NWFILTER_RULE_PROTOCOL_MAC: - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", - "-A", chain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", + "-A", chain, NULL); if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.ethHdrFilter.dataProtocolID) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArg(fw, fwrule, "-p"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } break; case VIR_NWFILTER_RULE_PROTOCOL_VLAN: - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-p", "0x8100", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "0x8100", NULL); INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id") INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap") @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, return -1; } - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-d", NWFILTER_MAC_BGA, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-d", NWFILTER_MAC_BGA, NULL); INST_ITEM(stpHdrFilter, dataType, "--stp-type") INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags") @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, case VIR_NWFILTER_RULE_PROTOCOL_ARP: case VIR_NWFILTER_RULE_PROTOCOL_RARP: - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "-p"); - virFirewallRuleAddArgFormat(fw, fwrule, "0x%x", - (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP) - ? l3_protocols[L3_PROTO_ARP_IDX].attr - : l3_protocols[L3_PROTO_RARP_IDX].attr); + virFirewallCmdAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArgFormat(fw, fwrule, "0x%x", + (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP) + ? l3_protocols[L3_PROTO_ARP_IDX].attr + : l3_protocols[L3_PROTO_RARP_IDX].attr); if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) { if (printDataType(vars, number, sizeof(number), &rule->p.arpHdrFilter.dataHWType) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-htype"); + virFirewallCmdAddArg(fw, fwrule, "--arp-htype"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.arpHdrFilter.dataOpcode) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-opcode"); + virFirewallCmdAddArg(fw, fwrule, "--arp-opcode"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.arpHdrFilter.dataProtocolType) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-ptype"); + virFirewallCmdAddArg(fw, fwrule, "--arp-ptype"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, hasMask = true; } - virFirewallRuleAddArg(fw, fwrule, + virFirewallCmdAddArg(fw, fwrule, reverse ? "--arp-ip-dst" : "--arp-ip-src"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, hasMask ? ipmask : "32"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask : "32"); } if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, hasMask = true; } - virFirewallRuleAddArg(fw, fwrule, + virFirewallCmdAddArg(fw, fwrule, reverse ? "--arp-ip-src" : "--arp-ip-dst"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, hasMask ? ipmask : "32"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask : "32"); } if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--arp-mac-dst" : "--arp-mac-src"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--arp-mac-dst" : "--arp-mac-src"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, macaddr); } if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.arpHdrFilter.dataARPDstMACAddr) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--arp-mac-src" : "--arp-mac-dst"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--arp-mac-src" : "--arp-mac-dst"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, macaddr); } if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) && rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) { if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, "--arp-gratuitous"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "--arp-gratuitous"); } break; case VIR_NWFILTER_RULE_PROTOCOL_IP: - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-p", "ipv4", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "ipv4", NULL); if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-destination" : "--ip-source"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-destination" : "--ip-source"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-source" : "--ip-destination"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-source" : "--ip-destination"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipHdrFilter.ipHdr.dataDstIPMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataProtocolID) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--ip-protocol"); + virFirewallCmdAddArg(fw, fwrule, "--ip-protocol"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtocolID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortStart)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataSrcPortStart) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-destination-port" : "--ip-source-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-destination-port" : "--ip-source-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEnd)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataSrcPortEnd) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataDstPortStart) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-source-port" : "--ip-destination-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-source-port" : "--ip-destination-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEnd)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataDstPortEnd) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataDSCP) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--ip-tos"); + virFirewallCmdAddArg(fw, fwrule, "--ip-tos"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } break; case VIR_NWFILTER_RULE_PROTOCOL_IPV6: - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; - virFirewallRuleAddArgList(fw, fwrule, - "-p", "ipv6", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "ipv6", NULL); if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-destination" : "--ip6-source"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-destination" : "--ip6-source"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipv6addr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipv6addr); + virFirewallCmdAddArg(fw, fwrule, ipv6addr); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-source" : "--ip6-destination"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-source" : "--ip6-destination"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipv6addr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipv6addr); + virFirewallCmdAddArg(fw, fwrule, ipv6addr); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataProtocolID) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--ip6-protocol"); + virFirewallCmdAddArg(fw, fwrule, "--ip6-protocol"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart)) { @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataSrcPortStart) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-destination-port" : "--ip6-source-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-destination-port" : "--ip6-source-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataSrcPortEnd) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataDstPortStart) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-source-port" : "--ip6-destination-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-source-port" : "--ip6-destination-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDstPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPortEnd)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataDstPortEnd) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER; g_autofree char *r = NULL; - virFirewallRuleAddArg(fw, fwrule, - "--ip6-icmp-type"); + virFirewallCmdAddArg(fw, fwrule, + "--ip6-icmp-type"); if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) { if (printDataType(vars, @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, virBufferStrcat(&buf, numberalt, NULL); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); r = virBufferContentAndReset(&buf); - virFirewallRuleAddArg(fw, fwrule, r); + virFirewallCmdAddArg(fw, fwrule, r); } break; case VIR_NWFILTER_RULE_PROTOCOL_NONE: - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); break; default: @@ -XXX,XX +XXX,XX @@ ebtablesCreateRuleInstance(virFirewall *fw, target = virNWFilterJumpTargetTypeToString(rule->action); } - virFirewallRuleAddArgList(fw, fwrule, - "-j", target, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", target, NULL); #undef INST_ITEM_RANGE #undef INST_ITEM_MASK @@ -XXX,XX +XXX,XX @@ ebtablesCreateTmpRootChainFW(virFirewall *fw, PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-N", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-N", chain, NULL); } @@ -XXX,XX +XXX,XX @@ ebtablesLinkTmpRootChainFW(virFirewall *fw, PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", - incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, - incoming ? "-i" : "-o", - ifname, "-j", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", + incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, + incoming ? "-i" : "-o", + ifname, "-j", chain, NULL); } @@ -XXX,XX +XXX,XX @@ _ebtablesRemoveRootChainFW(virFirewall *fw, PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-F", chain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-X", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-F", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-X", chain, NULL); } @@ -XXX,XX +XXX,XX @@ _ebtablesUnlinkRootChainFW(virFirewall *fw, PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-D", - incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, - incoming ? "-i" : "-o", - ifname, "-j", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-D", + incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, + incoming ? "-i" : "-o", + ifname, "-j", chain, NULL); } @@ -XXX,XX +XXX,XX @@ ebtablesCreateTmpSubChainFW(virFirewall *fw, char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_OUT_TEMP; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); PRINT_CHAIN(chain, chainPrefix, ifname, (filtername) ? filtername : l3_protocols[protoidx].val); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-F", chain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-X", chain, NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-N", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-F", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-X", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-N", chain, NULL); - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", rootchain, NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", rootchain, NULL); switch ((int)protoidx) { case L2_PROTO_MAC_IDX: break; case L2_PROTO_STP_IDX: - virFirewallRuleAddArgList(fw, fwrule, - "-d", NWFILTER_MAC_BGA, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-d", NWFILTER_MAC_BGA, NULL); break; default: - virFirewallRuleAddArg(fw, fwrule, "-p"); - virFirewallRuleAddArgFormat(fw, fwrule, - "0x%04x", - l3_protocols[protoidx].attr); + virFirewallCmdAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArgFormat(fw, fwrule, + "0x%04x", + l3_protocols[protoidx].attr); break; } - virFirewallRuleAddArgList(fw, fwrule, - "-j", chain, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", chain, NULL); } @@ -XXX,XX +XXX,XX @@ ebtablesRemoveSubChainsQuery(virFirewall *fw, if (tmp[0] == chainprefixes[j] && tmp[1] == '-') { VIR_DEBUG("Processing chain '%s'", tmp); - virFirewallAddRuleFull(fw, layer, - false, ebtablesRemoveSubChainsQuery, - (void *)chainprefixes, - "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-F", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-X", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + false, ebtablesRemoveSubChainsQuery, + (void *)chainprefixes, + "-t", "nat", "-L", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-F", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-X", tmp, NULL); } } } @@ -XXX,XX +XXX,XX @@ _ebtablesRemoveSubChainsFW(virFirewall *fw, for (i = 0; chainprefixes[i] != 0; i++) { PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - false, ebtablesRemoveSubChainsQuery, - (void *)chainprefixes, - "-t", "nat", "-L", rootchain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, ebtablesRemoveSubChainsQuery, + (void *)chainprefixes, + "-t", "nat", "-L", rootchain, NULL); } } @@ -XXX,XX +XXX,XX @@ ebtablesRenameTmpSubChainFW(virFirewall *fw, PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); } - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-E", tmpchain, chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-E", tmpchain, chain, NULL); } static void @@ -XXX,XX +XXX,XX @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewall *fw, else newchain[0] = CHAINPREFIX_HOST_OUT; VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain); - virFirewallAddRuleFull(fw, layer, - false, ebtablesRenameTmpSubAndRootChainsQuery, - NULL, - "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-F", newchain, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-X", newchain, NULL); - virFirewallAddRule(fw, layer, - "-t", "nat", "-E", tmp, newchain, NULL); + virFirewallAddCmdFull(fw, layer, + false, ebtablesRenameTmpSubAndRootChainsQuery, + NULL, + "-t", "nat", "-L", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-F", newchain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-X", newchain, NULL); + virFirewallAddCmd(fw, layer, + "-t", "nat", "-E", tmp, newchain, NULL); } return 0; @@ -XXX,XX +XXX,XX @@ ebtablesRenameTmpSubAndRootChainsFW(virFirewall *fw, }; for (i = 0; chains[i] != 0; i++) { PRINT_ROOT_CHAIN(rootchain, chains[i], ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - false, ebtablesRenameTmpSubAndRootChainsQuery, - NULL, - "-t", "nat", "-L", rootchain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, ebtablesRenameTmpSubAndRootChainsQuery, + NULL, + "-t", "nat", "-L", rootchain, NULL); } ebtablesRenameTmpRootChainFW(fw, true, ifname); @@ -XXX,XX +XXX,XX @@ ebtablesApplyBasicRules(const char *ifname, ebtablesCreateTmpRootChainFW(fw, true, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-s", "!", macaddr_str, - "-j", "DROP", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-p", "IPv4", - "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-p", "ARP", - "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-s", "!", macaddr_str, + "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-p", "IPv4", + "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-p", "ARP", + "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-j", "DROP", NULL); ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesRenameTmpRootChainFW(fw, true, ifname); @@ -XXX,XX +XXX,XX @@ ebtablesApplyDHCPOnlyRules(const char *ifname, PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-s", macaddr_str, - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-sport", "68", "--ip-dport", "67", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-s", macaddr_str, + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-sport", "68", "--ip-dport", "67", + "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-j", "DROP", NULL); num_dhcpsrvrs = (dhcpsrvrs != NULL) ? virNWFilterVarValueGetCardinality(dhcpsrvrs) @@ -XXX,XX +XXX,XX @@ ebtablesApplyDHCPOnlyRules(const char *ifname, */ for (ctr = 0; ctr < 2; ctr++) { if (dhcpserver) - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff", - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-src", dhcpserver, - "--ip-sport", "67", "--ip-dport", "68", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff", + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-src", dhcpserver, + "--ip-sport", "67", "--ip-dport", "68", + "-j", "ACCEPT", NULL); else - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff", - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-sport", "67", "--ip-dport", "68", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff", + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-sport", "67", "--ip-dport", "68", + "-j", "ACCEPT", NULL); } idx++; @@ -XXX,XX +XXX,XX @@ ebtablesApplyDHCPOnlyRules(const char *ifname, break; } - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-j", "DROP", NULL); ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesLinkTmpRootChainFW(fw, false, ifname); @@ -XXX,XX +XXX,XX @@ ebtablesApplyDropAllRules(const char *ifname) PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-j", "DROP", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-j", "DROP", NULL); ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesLinkTmpRootChainFW(fw, false, ifname); diff --git a/src/util/virebtables.c b/src/util/virebtables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -XXX,XX +XXX,XX @@ ebtablesAddForwardPolicyReject(ebtablesContext *ctx) g_autoptr(virFirewall) fw = virFirewallNew(); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "--new-chain", ctx->chain, - NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "--insert", "FORWARD", - "--jump", ctx->chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "--new-chain", ctx->chain, + NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "--insert", "FORWARD", + "--jump", ctx->chain, NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-P", ctx->chain, "DROP", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-P", ctx->chain, "DROP", + NULL); return virFirewallApply(fw); } @@ -XXX,XX +XXX,XX @@ ebtablesForwardAllowIn(ebtablesContext *ctx, g_autoptr(virFirewall) fw = virFirewallNew(); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - action == ADD ? "--insert" : "--delete", - ctx->chain, - "--in-interface", iface, - "--source", macaddr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + action == ADD ? "--insert" : "--delete", + ctx->chain, + "--in-interface", iface, + "--source", macaddr, + "--jump", "ACCEPT", + NULL); return virFirewallApply(fw); } diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ VIR_ENUM_IMPL(virFirewallLayerCommand, IP6TABLES, ); -struct _virFirewallRule { +struct _virFirewallCmd { virFirewallLayer layer; virFirewallQueryCallback queryCB; @@ -XXX,XX +XXX,XX @@ struct _virFirewallGroup { unsigned int rollbackFlags; size_t naction; - virFirewallRule **action; + virFirewallCmd **action; size_t nrollback; - virFirewallRule **rollback; + virFirewallCmd **rollback; bool addingRollback; }; @@ -XXX,XX +XXX,XX @@ struct _virFirewall { size_t currentGroup; }; -static virMutex ruleLock = VIR_MUTEX_INITIALIZER; +static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER; static virFirewallGroup * virFirewallGroupNew(void) @@ -XXX,XX +XXX,XX @@ virFirewall *virFirewallNew(void) static void -virFirewallRuleFree(virFirewallRule *rule) +virFirewallCmdFree(virFirewallCmd *fwCmd) { size_t i; - if (!rule) + if (!fwCmd) return; - for (i = 0; i < rule->argsLen; i++) - g_free(rule->args[i]); - g_free(rule->args); - g_free(rule); + for (i = 0; i < fwCmd->argsLen; i++) + g_free(fwCmd->args[i]); + g_free(fwCmd->args); + g_free(fwCmd); } @@ -XXX,XX +XXX,XX @@ virFirewallGroupFree(virFirewallGroup *group) return; for (i = 0; i < group->naction; i++) - virFirewallRuleFree(group->action[i]); + virFirewallCmdFree(group->action[i]); g_free(group->action); for (i = 0; i < group->nrollback; i++) - virFirewallRuleFree(group->rollback[i]); + virFirewallCmdFree(group->rollback[i]); g_free(group->rollback); g_free(group); @@ -XXX,XX +XXX,XX @@ void virFirewallFree(virFirewall *firewall) return; \ } while (0) -#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule)\ +#define VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd)\ do { \ - if (!firewall || firewall->err || !rule) \ + if (!firewall || firewall->err || !fwCmd) \ return; \ } while (0) @@ -XXX,XX +XXX,XX @@ void virFirewallFree(virFirewall *firewall) return NULL; \ } while (0) -#define ADD_ARG(rule, str) \ +#define ADD_ARG(fwCmd, str) \ do { \ - VIR_RESIZE_N(rule->args, rule->argsAlloc, rule->argsLen, 1); \ - rule->args[rule->argsLen++] = g_strdup(str); \ + VIR_RESIZE_N(fwCmd->args, fwCmd->argsAlloc, fwCmd->argsLen, 1); \ + fwCmd->args[fwCmd->argsLen++] = g_strdup(str); \ } while (0) -static virFirewallRule * -virFirewallAddRuleFullV(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - va_list args) +static virFirewallCmd * +virFirewallAddCmdFullV(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + va_list args) { virFirewallGroup *group; - virFirewallRule *rule; + virFirewallCmd *fwCmd; char *str; VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall); @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFullV(virFirewall *firewall, group = firewall->groups[firewall->currentGroup]; - rule = g_new0(virFirewallRule, 1); + fwCmd = g_new0(virFirewallCmd, 1); - rule->layer = layer; - rule->queryCB = cb; - rule->queryOpaque = opaque; - rule->ignoreErrors = ignoreErrors; + fwCmd->layer = layer; + fwCmd->queryCB = cb; + fwCmd->queryOpaque = opaque; + fwCmd->ignoreErrors = ignoreErrors; - switch (rule->layer) { + switch (fwCmd->layer) { case VIR_FIREWALL_LAYER_ETHERNET: - ADD_ARG(rule, "--concurrent"); + ADD_ARG(fwCmd, "--concurrent"); break; case VIR_FIREWALL_LAYER_IPV4: - ADD_ARG(rule, "-w"); + ADD_ARG(fwCmd, "-w"); break; case VIR_FIREWALL_LAYER_IPV6: - ADD_ARG(rule, "-w"); + ADD_ARG(fwCmd, "-w"); break; case VIR_FIREWALL_LAYER_LAST: break; } while ((str = va_arg(args, char *)) != NULL) - ADD_ARG(rule, str); + ADD_ARG(fwCmd, str); if (group->addingRollback) { - VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); + VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd); } else { - VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); + VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd); } - return rule; + return fwCmd; } /** - * virFirewallAddRuleFull: + * virFirewallAddCmdFull: * @firewall: firewall ruleset to add to * @layer: the firewall layer to change * @ignoreErrors: true to ignore failure of the command @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFullV(virFirewall *firewall, * Add any type of rule to the firewall ruleset. Any output * generated by the addition will be fed into the query * callback @cb. This callback is permitted to create new - * rules by invoking the virFirewallAddRule method, but + * rules by invoking the virFirewallAddCmd method, but * is not permitted to start new transactions. * * If @ignoreErrors is set to TRUE, then any failure of @@ -XXX,XX +XXX,XX @@ virFirewallAddRuleFullV(virFirewall *firewall, * * Returns the new rule */ -virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - ...) +virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + ...) { - virFirewallRule *rule; + virFirewallCmd *fwCmd; va_list args; va_start(args, opaque); - rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args); + fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, opaque, args); va_end(args); - return rule; + return fwCmd; } /** - * virFirewallRemoveRule: + * virFirewallRemoveCmd: * @firewall: firewall ruleset to remove from * @rule: the rule to remove * * Remove a rule from the current transaction */ -void virFirewallRemoveRule(virFirewall *firewall, - virFirewallRule *rule) +void virFirewallRemoveCmd(virFirewall *firewall, + virFirewallCmd *fwCmd) { size_t i; virFirewallGroup *group; @@ -XXX,XX +XXX,XX @@ void virFirewallRemoveRule(virFirewall *firewall, if (group->addingRollback) { for (i = 0; i < group->nrollback; i++) { - if (group->rollback[i] == rule) { + if (group->rollback[i] == fwCmd) { VIR_DELETE_ELEMENT(group->rollback, i, group->nrollback); - virFirewallRuleFree(rule); + virFirewallCmdFree(fwCmd); break; } } } else { for (i = 0; i < group->naction; i++) { - if (group->action[i] == rule) { + if (group->action[i] == fwCmd) { VIR_DELETE_ELEMENT(group->action, i, group->naction); - virFirewallRuleFree(rule); + virFirewallCmdFree(fwCmd); return; } } @@ -XXX,XX +XXX,XX @@ void virFirewallRemoveRule(virFirewall *firewall, } -void virFirewallRuleAddArg(virFirewall *firewall, - virFirewallRule *rule, - const char *arg) +void virFirewallCmdAddArg(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *arg) { - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); - ADD_ARG(rule, arg); + ADD_ARG(fwCmd, arg); return; } -void virFirewallRuleAddArgFormat(virFirewall *firewall, - virFirewallRule *rule, - const char *fmt, ...) +void virFirewallCmdAddArgFormat(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *fmt, ...) { g_autofree char *arg = NULL; va_list list; - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); va_start(list, fmt); arg = g_strdup_vprintf(fmt, list); va_end(list); - ADD_ARG(rule, arg); + ADD_ARG(fwCmd, arg); return; } -void virFirewallRuleAddArgSet(virFirewall *firewall, - virFirewallRule *rule, - const char *const *args) +void virFirewallCmdAddArgSet(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *const *args) { - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); while (*args) { - ADD_ARG(rule, *args); + ADD_ARG(fwCmd, *args); args++; } @@ -XXX,XX +XXX,XX @@ void virFirewallRuleAddArgSet(virFirewall *firewall, } -void virFirewallRuleAddArgList(virFirewall *firewall, - virFirewallRule *rule, - ...) +void virFirewallCmdAddArgList(virFirewall *firewall, + virFirewallCmd *fwCmd, + ...) { va_list list; const char *str; - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); - va_start(list, rule); + va_start(list, fwCmd); while ((str = va_arg(list, char *)) != NULL) - ADD_ARG(rule, str); + ADD_ARG(fwCmd, str); va_end(list); @@ -XXX,XX +XXX,XX @@ void virFirewallRuleAddArgList(virFirewall *firewall, } -size_t virFirewallRuleGetArgCount(virFirewallRule *rule) +size_t virFirewallCmdGetArgCount(virFirewallCmd *fwCmd) { - if (!rule) + if (!fwCmd) return 0; - return rule->argsLen; + return fwCmd->argsLen; } @@ -XXX,XX +XXX,XX @@ void virFirewallStartRollback(virFirewall *firewall, char * -virFirewallRuleToString(const char *cmd, - virFirewallRule *rule) +virFirewallCmdToString(const char *cmd, + virFirewallCmd *fwCmd) { g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER; size_t i; virBufferAdd(&buf, cmd, -1); - for (i = 0; i < rule->argsLen; i++) { + for (i = 0; i < fwCmd->argsLen; i++) { virBufferAddLit(&buf, " "); - virBufferAdd(&buf, rule->args[i], -1); + virBufferAdd(&buf, fwCmd->args[i], -1); } return virBufferContentAndReset(&buf); @@ -XXX,XX +XXX,XX @@ virFirewallRuleToString(const char *cmd, static int -virFirewallApplyRuleDirect(virFirewallRule *rule, - bool ignoreErrors, - char **output) +virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, + bool ignoreErrors, + char **output) { size_t i; - const char *bin = virFirewallLayerCommandTypeToString(rule->layer); + const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer); g_autoptr(virCommand) cmd = NULL; g_autofree char *cmdStr = NULL; int status; @@ -XXX,XX +XXX,XX @@ virFirewallApplyRuleDirect(virFirewallRule *rule, if (!bin) { virReportError(VIR_ERR_INTERNAL_ERROR, _("Unknown firewall layer %1$d"), - rule->layer); + fwCmd->layer); return -1; } cmd = virCommandNewArgList(bin, NULL); - for (i = 0; i < rule->argsLen; i++) - virCommandAddArg(cmd, rule->args[i]); + for (i = 0; i < fwCmd->argsLen; i++) + virCommandAddArg(cmd, fwCmd->args[i]); cmdStr = virCommandToString(cmd, false); - VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr)); virCommandSetOutputBuffer(cmd, output); virCommandSetErrorBuffer(cmd, &error); @@ -XXX,XX +XXX,XX @@ virFirewallApplyRuleDirect(virFirewallRule *rule, VIR_DEBUG("Ignoring error running command"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, - _("Failed to apply firewall rules %1$s: %2$s"), + _("Failed to run firewall command %1$s: %2$s"), NULLSTR(cmdStr), NULLSTR(error)); VIR_FREE(*output); return -1; @@ -XXX,XX +XXX,XX @@ virFirewallApplyRuleDirect(virFirewallRule *rule, static int -virFirewallApplyRule(virFirewall *firewall, - virFirewallRule *rule, - bool ignoreErrors) +virFirewallApplyCmd(virFirewall *firewall, + virFirewallCmd *fwCmd, + bool ignoreErrors) { g_autofree char *output = NULL; g_auto(GStrv) lines = NULL; - if (rule->ignoreErrors) - ignoreErrors = rule->ignoreErrors; + if (fwCmd->ignoreErrors) + ignoreErrors = fwCmd->ignoreErrors; - if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) + if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0) return -1; - if (rule->queryCB && output) { + if (fwCmd->queryCB && output) { if (!(lines = g_strsplit(output, "\n", -1))) return -1; - VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output); - if (rule->queryCB(firewall, rule->layer, (const char *const *)lines, rule->queryOpaque) < 0) + VIR_DEBUG("Invoking query %p with '%s'", fwCmd->queryCB, output); + if (fwCmd->queryCB(firewall, fwCmd->layer, (const char *const *)lines, fwCmd->queryOpaque) < 0) return -1; if (firewall->err) { virReportSystemError(firewall->err, "%s", - _("Unable to create rule")); + _("Unable to create firewall command")); return -1; } @@ -XXX,XX +XXX,XX @@ virFirewallApplyGroup(virFirewall *firewall, firewall->currentGroup = idx; group->addingRollback = false; for (i = 0; i < group->naction; i++) { - if (virFirewallApplyRule(firewall, - group->action[i], - ignoreErrors) < 0) + if (virFirewallApplyCmd(firewall, + group->action[i], + ignoreErrors) < 0) return -1; } return 0; @@ -XXX,XX +XXX,XX @@ virFirewallRollbackGroup(virFirewall *firewall, VIR_INFO("Starting rollback for group %p", group); firewall->currentGroup = idx; group->addingRollback = true; - for (i = 0; i < group->nrollback; i++) { - ignore_value(virFirewallApplyRule(firewall, - group->rollback[i], - true)); - } + for (i = 0; i < group->nrollback; i++) + ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], true)); } @@ -XXX,XX +XXX,XX @@ int virFirewallApply(virFirewall *firewall) { size_t i, j; - VIR_LOCK_GUARD lock = virLockGuardLock(&ruleLock); + VIR_LOCK_GUARD lock = virLockGuardLock(&fwCmdLock); if (!firewall || firewall->err) { int err = EINVAL; @@ -XXX,XX +XXX,XX @@ virFirewallApply(virFirewall *firewall) if (firewall) err = firewall->err; - virReportSystemError(err, "%s", _("Unable to create rule")); + virReportSystemError(err, "%s", _("Unable to create firewall command")); return -1; } diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ typedef struct _virFirewall virFirewall; -typedef struct _virFirewallRule virFirewallRule; +typedef struct _virFirewallCmd virFirewallCmd; typedef enum { VIR_FIREWALL_LAYER_ETHERNET, @@ -XXX,XX +XXX,XX @@ virFirewall *virFirewallNew(void); void virFirewallFree(virFirewall *firewall); /** - * virFirewallAddRule: + * virFirewallAddCmd: * @firewall: firewall ruleset to add to * @layer: the firewall layer to change * @...: NULL terminated list of strings for the rule @@ -XXX,XX +XXX,XX @@ void virFirewallFree(virFirewall *firewall); * * Returns the new rule */ -#define virFirewallAddRule(firewall, layer, ...) \ - virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_ARGS__) +#define virFirewallAddCmd(firewall, layer, ...) \ + virFirewallAddCmdFull(firewall, layer, false, NULL, NULL, __VA_ARGS__) typedef int (*virFirewallQueryCallback)(virFirewall *firewall, virFirewallLayer layer, const char *const *lines, void *opaque); -virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - ...) +virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + ...) G_GNUC_NULL_TERMINATED; -void virFirewallRemoveRule(virFirewall *firewall, - virFirewallRule *rule); +void virFirewallRemoveCmd(virFirewall *firewall, + virFirewallCmd *rule); -void virFirewallRuleAddArg(virFirewall *firewall, - virFirewallRule *rule, - const char *arg) +void virFirewallCmdAddArg(virFirewall *firewall, + virFirewallCmd *rule, + const char *arg) ATTRIBUTE_NONNULL(3); -void virFirewallRuleAddArgFormat(virFirewall *firewall, - virFirewallRule *rule, - const char *fmt, ...) +void virFirewallCmdAddArgFormat(virFirewall *firewall, + virFirewallCmd *rule, + const char *fmt, ...) ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4); -void virFirewallRuleAddArgSet(virFirewall *firewall, - virFirewallRule *rule, - const char *const *args) +void virFirewallCmdAddArgSet(virFirewall *firewall, + virFirewallCmd *rule, + const char *const *args) ATTRIBUTE_NONNULL(3); -void virFirewallRuleAddArgList(virFirewall *firewall, - virFirewallRule *rule, - ...) +void virFirewallCmdAddArgList(virFirewall *firewall, + virFirewallCmd *rule, + ...) G_GNUC_NULL_TERMINATED; -size_t virFirewallRuleGetArgCount(virFirewallRule *rule); +size_t virFirewallCmdGetArgCount(virFirewallCmd *rule); -char *virFirewallRuleToString(const char *cmd, - virFirewallRule *rule); +char *virFirewallCmdToString(const char *cmd, + virFirewallCmd *rule); typedef enum { /* Ignore all errors when applying rules, so no diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -XXX,XX +XXX,XX @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); if (virFirewallApply(fw) < 0) return -1; @@ -XXX,XX +XXX,XX @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew(); virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source"); - virFirewallRemoveRule(fw, fwrule); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", NULL); + virFirewallCmdAddArg(fw, fwrule, "--source"); + virFirewallRemoveCmd(fw, fwrule); - fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source"); - virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); - virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL); + fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", NULL); + virFirewallCmdAddArg(fw, fwrule, "--source"); + virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); + virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL); if (virFirewallApply(fw) < 0) return -1; @@ -XXX,XX +XXX,XX @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); if (virFirewallApply(fw) < 0) @@ -XXX,XX +XXX,XX @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); if (virFirewallApply(fw) < 0) @@ -XXX,XX +XXX,XX @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - true, NULL, NULL, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + true, NULL, NULL, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); if (virFirewallApply(fw) < 0) @@ -XXX,XX +XXX,XX @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); if (virFirewallApply(fw) == 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -XXX,XX +XXX,XX @@ testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); virFirewallStartRollback(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); if (virFirewallApply(fw) == 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -XXX,XX +XXX,XX @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); virFirewallStartRollback(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); virFirewallStartRollback(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); if (virFirewallApply(fw) == 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -XXX,XX +XXX,XX @@ testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); virFirewallStartRollback(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); virFirewallStartRollback(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); if (virFirewallApply(fw) == 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -XXX,XX +XXX,XX @@ testFirewallQueryCallback(virFirewall *fw, void *opaque G_GNUC_UNUSED) { size_t i; - virFirewallAddRule(fw, layer, - "-A", "INPUT", - "--source", "!192.168.122.129", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, layer, + "-A", "INPUT", + "--source", "!192.168.122.129", + "--jump", "REJECT", NULL); for (i = 0; lines[i] != NULL; i++) { if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) { @@ -XXX,XX +XXX,XX @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); - - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - false, - testFirewallQueryCallback, - NULL, - "-L", NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - false, - testFirewallQueryCallback, - NULL, + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); + + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + false, + testFirewallQueryCallback, + NULL, + "-L", NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + false, + testFirewallQueryCallback, + NULL, "-t", "nat", "-L", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.130", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.130", + "--jump", "REJECT", NULL); virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.128", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.128", + "--jump", "REJECT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); if (virFirewallApply(fw) < 0) return -1; -- 2.45.0
I had originally named these as VIR_NETFILTER_* because I assumed the same enum would eventually be used by our nftables backend as well as iptables. But it turns out that in most cases it's not possible to delete an nftables rule, so we just never used the enum anyway, so this patch is renaming the values to IPTABLES_ACTION_*, and taking advantage of the newly defined (via VIR_ENUM_DECL/IMPL) iptablesActionTypeToString() to replace all the ternary operators used to translate the enum into a string for the iptables commandline with iptablesActionTypeToString(). Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_iptables.c | 126 ++++++++++++++++++--------------- 1 file changed, 69 insertions(+), 57 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ #include "virerror.h" #include "virlog.h" #include "virhash.h" +#include "virenum.h" #include "network_iptables.h" VIR_LOG_INIT("network.iptables"); @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.iptables"); #define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX" #define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" -enum { - VIR_NETFILTER_INSERT = 0, - VIR_NETFILTER_DELETE -}; +typedef enum { + IPTABLES_ACTION_INSERT, + IPTABLES_ACTION_APPEND, + IPTABLES_ACTION_DELETE, + + IPTABLES_ACTION_LAST +} iptablesAction; + +VIR_ENUM_DECL(iptablesAction); +VIR_ENUM_IMPL(iptablesAction, + IPTABLES_ACTION_LAST, + "--insert", + "--append", + "--delete", +); typedef struct { const char *parent; @@ -XXX,XX +XXX,XX @@ iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + iptablesAction action, int tcp) { g_autofree char *portstr = g_strdup_printf("%d", port); virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_INPUT_CHAIN, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -XXX,XX +XXX,XX @@ iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + iptablesAction action, int tcp) { g_autofree char *portstr = g_strdup_printf("%d", port); virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_OUTPUT_CHAIN, "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -XXX,XX +XXX,XX @@ iptablesAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1); } /** @@ -XXX,XX +XXX,XX @@ iptablesAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0); } /** @@ -XXX,XX +XXX,XX @@ iptablesAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1); } /** @@ -XXX,XX +XXX,XX @@ iptablesAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0); } @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + iptablesAction action) { g_autofree char *networkstr = NULL; virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowOut(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + iptablesAction action) { virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowRelatedIn(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } /* Allow all traffic destined to the bridge, with a valid network address @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + iptablesAction action) { virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, @@ -XXX,XX +XXX,XX @@ iptablesForwardAllowIn(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } static void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + iptablesAction action) { virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_X_CHAIN, "--in-interface", iface, "--out-interface", iface, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_DELETE); } static void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + iptablesAction action) { virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_OUT_CHAIN, "--in-interface", iface, "--jump", "REJECT", @@ -XXX,XX +XXX,XX @@ iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ static void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + iptablesAction action) { virFirewallAddCmd(fw, layer, "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_FWD_IN_CHAIN, "--out-interface", iface, "--jump", "REJECT", @@ -XXX,XX +XXX,XX @@ iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, virSocketAddrRange *addr, virPortRange *port, const char *protocol, - int action) + iptablesAction action) { g_autofree char *networkstr = NULL; g_autofree char *addrStartStr = NULL; @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, if (protocol && protocol[0]) { fwCmd = virFirewallAddCmd(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "-p", protocol, @@ -XXX,XX +XXX,XX @@ iptablesForwardMasquerade(virFirewall *fw, } else { fwCmd = virFirewallAddCmd(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "!", "--destination", networkstr, @@ -XXX,XX +XXX,XX @@ iptablesAddForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_INSERT); + IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, unsigned int prefix, const char *physdev, const char *destaddr, - int action) + iptablesAction action) { g_autofree char *networkstr = NULL; virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddCmd(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", physdev, "--source", networkstr, @@ -XXX,XX +XXX,XX @@ iptablesForwardDontMasquerade(virFirewall *fw, else virFirewallAddCmd(fw, layer, "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--source", networkstr, "--destination", destaddr, @@ -XXX,XX +XXX,XX @@ iptablesAddDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, VIR_NETFILTER_INSERT); + physdev, destaddr, IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveDontMasquerade(virFirewall *fw, { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - VIR_NETFILTER_DELETE); + IPTABLES_ACTION_DELETE); } @@ -XXX,XX +XXX,XX @@ static void iptablesOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port, - int action) + iptablesAction action) { g_autofree char *portstr = g_strdup_printf("%d", port); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + iptablesActionTypeToString(action), VIR_IPTABLES_NAT_POSTROUTE_CHAIN, "--out-interface", iface, "--protocol", "udp", @@ -XXX,XX +XXX,XX @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); + iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_INSERT); } /** @@ -XXX,XX +XXX,XX @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); + iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_DELETE); } -- 2.45.0
In normal practice a virFirewallCmd should never have 0 args by the time it gets to the Apply stage, but at some time while debugging one of the other patches in this series, exactly that happened (due to a bug that was since squashed), and having a check for it helped debugging, so let's permanently check for it. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/virfirewall.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmd(virFirewall *firewall, if (fwCmd->ignoreErrors) ignoreErrors = fwCmd->ignoreErrors; + if (fwCmd->argsLen == 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Can't apply empty firewall command")); + return -1; + } + if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0) return -1; -- 2.45.0
We will already need a separate function for virFirewallApplyCmd for iptables vs. nftables, but the only reason for needing a separate function for virFirewallAddCmd* is that iptables/ebtables need to have an extra arg added for locking (to prevent multiple iptables commands from running at the same time). We can just as well add in the -w/--concurrent during virFirewallApplyCmd, so move the arg-add to ApplyCmd to keep AddCmd simple. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/virfirewall.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallAddCmdFullV(virFirewall *firewall, fwCmd->queryOpaque = opaque; fwCmd->ignoreErrors = ignoreErrors; - switch (fwCmd->layer) { - case VIR_FIREWALL_LAYER_ETHERNET: - ADD_ARG(fwCmd, "--concurrent"); - break; - case VIR_FIREWALL_LAYER_IPV4: - ADD_ARG(fwCmd, "-w"); - break; - case VIR_FIREWALL_LAYER_IPV6: - ADD_ARG(fwCmd, "-w"); - break; - case VIR_FIREWALL_LAYER_LAST: - break; - } - while ((str = va_arg(args, char *)) != NULL) ADD_ARG(fwCmd, str); @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, cmd = virCommandNewArgList(bin, NULL); + /* lock to assure nobody else is messing with the tables while we are */ + switch (fwCmd->layer) { + case VIR_FIREWALL_LAYER_ETHERNET: + virCommandAddArg(cmd, "--concurrent"); + break; + case VIR_FIREWALL_LAYER_IPV4: + case VIR_FIREWALL_LAYER_IPV6: + virCommandAddArg(cmd, "-w"); + break; + case VIR_FIREWALL_LAYER_LAST: + break; + } + for (i = 0; i < fwCmd->argsLen; i++) virCommandAddArg(cmd, fwCmd->args[i]); -- 2.45.0
We know at the time a virFirewallCmd is created (with virFirewallAddCmd*()) whether or not we will later want to ignore errors encountered when attempting to apply that command - if ignoreErrors is set in the AddCmd or if the group has already had VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS set, then we ignore the errors. Rather than setting the fwCmd->ignoreErrors only according to the arg sent to virFirewallAddCmdFull(), and then later (at ApplyCmd-time) combining that with the group transactionFlags setting (and passing it all the way down the call chain), just combine the two flags right away and store this final value in fwCmd->ignoreErrors when the virFirewallCmd is created (thus avoiding the need to look at anything other than fwCmd->ignoreErrors at the time the command is applied). Once that is done, we can simply grab ignoreErrors from the object down in virFirewallApply() rather than cluttering up the argument list on the entire call chain. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/virfirewall.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallAddCmdFullV(virFirewall *firewall, fwCmd->layer = layer; fwCmd->queryCB = cb; fwCmd->queryOpaque = opaque; - fwCmd->ignoreErrors = ignoreErrors; while ((str = va_arg(args, char *)) != NULL) ADD_ARG(fwCmd, str); if (group->addingRollback) { + fwCmd->ignoreErrors = true; /* always ignore errors when rolling back */ VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd); } else { + /* when not rolling back, ignore errors if this group (transaction) + * was started with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS *or* + * if this specific rule was created with ignoreErrors == true + */ + fwCmd->ignoreErrors = ignoreErrors || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd); } @@ -XXX,XX +XXX,XX @@ virFirewallCmdToString(const char *cmd, static int virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, - bool ignoreErrors, - char **output) + char **output) { size_t i; const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer); @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, return -1; if (status != 0) { - if (ignoreErrors) { + if (fwCmd->ignoreErrors) { VIR_DEBUG("Ignoring error running command"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, static int virFirewallApplyCmd(virFirewall *firewall, - virFirewallCmd *fwCmd, - bool ignoreErrors) + virFirewallCmd *fwCmd) { g_autofree char *output = NULL; g_auto(GStrv) lines = NULL; - if (fwCmd->ignoreErrors) - ignoreErrors = fwCmd->ignoreErrors; - if (fwCmd->argsLen == 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Can't apply empty firewall command")); return -1; } - if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0) + if (virFirewallApplyCmdDirect(fwCmd, &output) < 0) return -1; if (fwCmd->queryCB && output) { @@ -XXX,XX +XXX,XX @@ virFirewallApplyGroup(virFirewall *firewall, size_t idx) { virFirewallGroup *group = firewall->groups[idx]; - bool ignoreErrors = (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + size_t i; VIR_INFO("Starting transaction for firewall=%p group=%p flags=0x%x", @@ -XXX,XX +XXX,XX @@ virFirewallApplyGroup(virFirewall *firewall, firewall->currentGroup = idx; group->addingRollback = false; for (i = 0; i < group->naction; i++) { - if (virFirewallApplyCmd(firewall, - group->action[i], - ignoreErrors) < 0) + if (virFirewallApplyCmd(firewall, group->action[i]) < 0) return -1; } return 0; @@ -XXX,XX +XXX,XX @@ virFirewallRollbackGroup(virFirewall *firewall, firewall->currentGroup = idx; group->addingRollback = true; for (i = 0; i < group->nrollback; i++) - ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], true)); + ignore_value(virFirewallApplyCmd(firewall, group->rollback[i])); } -- 2.45.0
(This paragraph is for historical reference only, described only to avoid confusion of past use of the name with its new use) In a past life, virFirewallBackend had been a private static in virfirewall.c that was set at daemon init time, and used to globally (i.e. for all drivers in the daemon) determine whether to directly execute iptables commands, or to run them indirectly via the firewalld passthrough API. This was removed in commit d566cc55, since we decided that using the firewalld passthrough API is never appropriate. Now the same enum, virFirewallBackend, is being reintroduced, with a different meaning and usage pattern. It will be used to pick between using nftables commands or iptables commands (in either case directly handled by libvirt, *not* via firewalld). Additionally, rather than being a static known only within virfirewall.c and applying to all firewall commands for all drivers, each virFirewall object will have its own backend setting, which will be set during virFirewallNew() by the driver who wants to add a firewall rule. This will allow the nwfilter and network drivers to each have their own backend setting, even when they coexist in a single unified daemon. At least as important as that, it will also allow an instance of the network driver to remove iptables rules that had been added by a previous instance, and then add nftables rules for the new instance (in the case that an admin, or possibly an update, switches the driver backend from iptables to nftable) Initially, the enum will only have one usable value - VIR_FIREWALL_BACKEND_IPTABLES, and that will be hardcoded into all calls to virFirewallNew(). The other enum value (along with a method of setting it for each driver) will be added later, when it can be used (when the nftables backend is in the code). Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt_private.syms | 3 +++ src/network/network_iptables.c | 6 +++--- src/nwfilter/nwfilter_ebiptables_driver.c | 16 ++++++++-------- src/util/virebtables.c | 4 ++-- src/util/virfirewall.c | 15 ++++++++++++++- src/util/virfirewall.h | 11 ++++++++++- tests/virfirewalltest.c | 20 ++++++++++---------- 7 files changed, 50 insertions(+), 25 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddCmdFull; virFirewallApply; +virFirewallBackendTypeFromString; +virFirewallBackendTypeToString; virFirewallCmdAddArg; virFirewallCmdAddArgFormat; virFirewallCmdAddArgList; @@ -XXX,XX +XXX,XX @@ virFirewallCmdAddArgSet; virFirewallCmdGetArgCount; virFirewallCmdToString; virFirewallFree; +virFirewallGetBackend; virFirewallNew; virFirewallRemoveCmd; virFirewallStartRollback; diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ iptablesPrivateChainCreate(virFirewall *fw, int iptablesSetupPrivateChains(virFirewallLayer layer) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); iptablesGlobalChain filter_chains[] = { {"INPUT", VIR_IPTABLES_INPUT_CHAIN}, {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN}, @@ -XXX,XX +XXX,XX @@ iptablesAddFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, 0); @@ -XXX,XX +XXX,XX @@ iptablesRemoveFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); iptablesRemoveChecksumFirewallRules(fw, def); diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -XXX,XX +XXX,XX @@ static int ebtablesApplyBasicRules(const char *ifname, const virMacAddr *macaddr) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); char chain[MAX_CHAINNAME_LENGTH]; char chainPrefix = CHAINPREFIX_HOST_IN_TEMP; char macaddr_str[VIR_MAC_STRING_BUFLEN]; @@ -XXX,XX +XXX,XX @@ ebtablesApplyDHCPOnlyRules(const char *ifname, char macaddr_str[VIR_MAC_STRING_BUFLEN]; unsigned int idx = 0; unsigned int num_dhcpsrvrs; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virMacAddrFormat(macaddr, macaddr_str); @@ -XXX,XX +XXX,XX @@ ebtablesApplyDropAllRules(const char *ifname) { char chain_in [MAX_CHAINNAME_LENGTH], chain_out[MAX_CHAINNAME_LENGTH]; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); if (ebiptablesAllTeardown(ifname) < 0) return -1; @@ -XXX,XX +XXX,XX @@ ebtablesRemoveBasicRules(const char *ifname) static int ebtablesCleanAll(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -XXX,XX +XXX,XX @@ ebiptablesApplyNewRules(const char *ifname, size_t nrules) { size_t i, j; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); g_autoptr(GHashTable) chains_in_set = virHashNew(NULL); g_autoptr(GHashTable) chains_out_set = virHashNew(NULL); bool haveEbtables = false; @@ -XXX,XX +XXX,XX @@ ebiptablesTearNewRulesFW(virFirewall *fw, const char *ifname) static int ebiptablesTearNewRules(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -XXX,XX +XXX,XX @@ ebiptablesTearNewRules(const char *ifname) static int ebiptablesTearOldRules(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -XXX,XX +XXX,XX @@ ebiptablesTearOldRules(const char *ifname) static int ebiptablesAllTeardown(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); diff --git a/src/util/virebtables.c b/src/util/virebtables.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -XXX,XX +XXX,XX @@ ebtablesContextFree(ebtablesContext *ctx) int ebtablesAddForwardPolicyReject(ebtablesContext *ctx) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, @@ -XXX,XX +XXX,XX @@ ebtablesForwardAllowIn(ebtablesContext *ctx, const char *macaddr, int action) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, 0); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.firewall"); +VIR_ENUM_IMPL(virFirewallBackend, + VIR_FIREWALL_BACKEND_LAST, + "iptables"); + typedef struct _virFirewallGroup virFirewallGroup; VIR_ENUM_DECL(virFirewallLayerCommand); @@ -XXX,XX +XXX,XX @@ struct _virFirewall { size_t ngroups; virFirewallGroup **groups; size_t currentGroup; + virFirewallBackend backend; }; static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER; @@ -XXX,XX +XXX,XX @@ virFirewallGroupNew(void) * * Returns the new firewall ruleset */ -virFirewall *virFirewallNew(void) +virFirewall *virFirewallNew(virFirewallBackend backend) { virFirewall *firewall = g_new0(virFirewall, 1); + firewall->backend = backend; return firewall; } +virFirewallBackend +virFirewallGetBackend(virFirewall *firewall) +{ + return firewall->backend; +} + + static void virFirewallCmdFree(virFirewallCmd *fwCmd) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ #pragma once #include "internal.h" +#include "virenum.h" typedef struct _virFirewall virFirewall; @@ -XXX,XX +XXX,XX @@ typedef enum { VIR_FIREWALL_LAYER_LAST, } virFirewallLayer; -virFirewall *virFirewallNew(void); +typedef enum { + VIR_FIREWALL_BACKEND_IPTABLES, + + VIR_FIREWALL_BACKEND_LAST, +} virFirewallBackend; + +VIR_ENUM_DECL(virFirewallBackend); +virFirewall *virFirewallNew(virFirewallBackend backend); void virFirewallFree(virFirewall *firewall); +virFirewallBackend virFirewallGetBackend(virFirewall *firewall); /** * virFirewallAddCmd: diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -XXX,XX +XXX,XX @@ static int testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallManyRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -XXX,XX +XXX,XX @@ static int testFirewallQuery(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" -- 2.45.0
This file is generated from network.conf.in because it will soon have an item that must be modified according to meson buildtime config. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- libvirt.spec.in | 3 ++ src/network/libvirtd_network.aug | 36 ++++++++++++++++++++++++ src/network/meson.build | 16 +++++++++++ src/network/network.conf.in | 3 ++ src/network/test_libvirtd_network.aug.in | 2 ++ 5 files changed, 60 insertions(+) create mode 100644 src/network/libvirtd_network.aug create mode 100644 src/network/network.conf.in create mode 100644 src/network/test_libvirtd_network.aug.in diff --git a/libvirt.spec.in b/libvirt.spec.in index XXXXXXX..XXXXXXX 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -XXX,XX +XXX,XX @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf %{_datadir}/augeas/lenses/virtnetworkd.aug %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug +%config(noreplace) %{_sysconfdir}/libvirt/network.conf +%{_datadir}/augeas/lenses/libvirtd_network.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug %{_unitdir}/virtnetworkd.service %{_unitdir}/virtnetworkd.socket %{_unitdir}/virtnetworkd-ro.socket diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_network.aug new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/libvirtd_network.aug @@ -XXX,XX +XXX,XX @@ +(* /etc/libvirt/network.conf *) + +module Libvirtd_network = + autoload xfm + + let eol = del /[ \t]*\n/ "\n" + let value_sep = del /[ \t]*=[ \t]*/ " = " + let indent = del /[ \t]*/ "" + + let array_sep = del /,[ \t\n]*/ ", " + let array_start = del /\[[ \t\n]*/ "[ " + let array_end = del /\]/ "]" + + let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\"" + let bool_val = store /0|1/ + let int_val = store /[0-9]+/ + let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ "" + let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end + + let str_entry (kw:string) = [ key kw . value_sep . str_val ] + let bool_entry (kw:string) = [ key kw . value_sep . bool_val ] + let int_entry (kw:string) = [ key kw . value_sep . int_val ] + let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ] + + (* Each entry in the config is one of the following *) + let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] + let empty = [ label "#empty" . eol ] + + let record = indent . eol + + let lns = ( record | comment | empty ) * + + let filter = incl "/etc/libvirt/network.conf" + . Util.stdexcl + + let xfm = transform lns filter diff --git a/src/network/meson.build b/src/network/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -XXX,XX +XXX,XX @@ if conf.has('WITH_NETWORK') ], } + network_conf = configure_file( + input: 'network.conf.in', + output: 'network.conf', + configuration: configmake_conf, + ) + virt_conf_files += network_conf + virt_aug_files += files('libvirtd_network.aug') + virt_test_aug_files += { + 'name': 'test_libvirtd_network.aug', + 'aug': files('test_libvirtd_network.aug.in'), + 'conf': network_conf, + 'test_name': 'libvirtd_network', + 'test_srcdir': meson.current_source_dir(), + 'test_builddir': meson.current_build_dir(), + } + virt_daemon_confs += { 'name': 'virtnetworkd', } diff --git a/src/network/network.conf.in b/src/network/network.conf.in new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/network.conf.in @@ -XXX,XX +XXX,XX @@ +# Master configuration file for the network driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_libvirtd_network.aug.in new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/test_libvirtd_network.aug.in @@ -XXX,XX +XXX,XX @@ +module Test_libvirtd_network = + @CONFIG@ -- 2.45.0
It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=nftables" in /etc/libvirt/network.conf. If firewall_backend isn't set in network.conf, then libvirt will check to see if FIREWALL_BACKEND_DEFAULT_1 is available and, if so, set that. (Since FIREWALL_BACKEND_DEFAULT_1 is currently "iptables", this means checking to see it the iptables binary is present on the system). If the default backend isn't available, that is considered a fatal error (since no networks can be started anyway), so an error is logged and startup of the network driver fails. NB: network.conf is itself created from network.conf.in at build time, and the advertised default setting of firewall_backend (in a commented out line) is set from the meson_options.txt setting "firewall_backend_default_1". This way the conf file will have correct information no matter what ordering is chosen for default backend at build time (as more backends are added, settings will be added for "firewall_backend_default_n", and those will be settable in meson_options.txt and on the meson commandline to change the ordering of the auto-detection when no backend is set in network.conf). virNetworkLoadDriverConfig() may look more complicated than necessary, but as additional backends are added, it will be easier to add checks for those backends (and to re-order the checks based on builders' preferences). Signed-off-by: Laine Stump <laine@redhat.com> --- meson.build | 4 ++ meson_options.txt | 1 + src/network/bridge_driver.c | 22 +++---- src/network/bridge_driver_conf.c | 75 +++++++++++++++++++++--- src/network/bridge_driver_conf.h | 3 + src/network/bridge_driver_linux.c | 6 +- src/network/bridge_driver_nop.c | 6 +- src/network/bridge_driver_platform.h | 6 +- src/network/libvirtd_network.aug | 5 +- src/network/meson.build | 22 ++++++- src/network/network.conf.in | 8 +++ src/network/test_libvirtd_network.aug.in | 3 + tests/networkxml2firewalltest.c | 2 +- 13 files changed, 134 insertions(+), 29 deletions(-) diff --git a/meson.build b/meson.build index XXXXXXX..XXXXXXX 100644 --- a/meson.build +++ b/meson.build @@ -XXX,XX +XXX,XX @@ endif if not get_option('driver_network').disabled() and conf.has('WITH_LIBVIRTD') conf.set('WITH_NETWORK', 1) + firewall_backend_default_1 = get_option('firewall_backend_default_1') + firewall_backend_default_conf = firewall_backend_default_1 + firewall_backend_default_1 = 'VIR_FIREWALL_BACKEND_' + firewall_backend_default_1.to_upper() + conf.set('FIREWALL_BACKEND_DEFAULT_1', firewall_backend_default_1) elif get_option('driver_network').enabled() error('libvirtd must be enabled to build the network driver') endif diff --git a/meson_options.txt b/meson_options.txt index XXXXXXX..XXXXXXX 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -XXX,XX +XXX,XX @@ option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace for st option('firewalld', type: 'feature', value: 'auto', description: 'firewalld support') # dep:firewalld option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone') +option('firewall_backend_default_1', type: 'string', value: 'iptables', description: 'first firewall backend to try when none is specified') option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items are separated by a colon.') diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -XXX,XX +XXX,XX @@ static int networkReloadFirewallRulesHelper(virNetworkObj *obj, void *opaque G_GNUC_UNUSED) { + g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(networkGetDriver()); VIR_LOCK_GUARD lock = virObjectLockGuard(obj); virNetworkDef *def = virNetworkObjGetDef(obj); @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward='open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def); - ignore_value(networkAddFirewallRules(def)); + networkRemoveFirewallRules(def, cfg->firewallBackend); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); break; case VIR_NETWORK_FORWARD_OPEN: @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, /* Add "once per network" rules */ if (def->forward.type != VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def) < 0) + networkAddFirewallRules(def, cfg->firewallBackend) < 0) goto error; firewalRulesAdded = true; @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, if (firewalRulesAdded && def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); virNetworkObjUnrefMacMap(obj); @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, static int -networkShutdownNetworkVirtual(virNetworkObj *obj) +networkShutdownNetworkVirtual(virNetworkObj *obj, + virNetworkDriverConfig *cfg) { virNetworkDef *def = virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -XXX,XX +XXX,XX @@ networkShutdownNetworkVirtual(virNetworkObj *obj) ignore_value(virNetDevSetOnline(def->bridge, false)); if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); ignore_value(virNetDevBridgeDelete(def->bridge)); @@ -XXX,XX +XXX,XX @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret = networkShutdownNetworkVirtual(obj); + ret = networkShutdownNetworkVirtual(obj, cfg); break; case VIR_NETWORK_FORWARD_BRIDGE: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); needFirewallRefresh = true; break; default: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, parentIndex, xml, network_driver->xmlopt, flags) < 0) { if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def)); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); goto cleanup; } /* @def is replaced */ def = virNetworkObjGetDef(obj); - if (needFirewallRefresh && networkAddFirewallRules(def) < 0) + if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallBackend) < 0) goto cleanup; if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -XXX,XX +XXX,XX @@ #include "datatypes.h" #include "virlog.h" #include "virerror.h" +#include "virfile.h" #include "virutil.h" #include "bridge_driver_conf.h" @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.bridge_driver"); - static virClass *virNetworkDriverConfigClass; static void virNetworkDriverConfigDispose(void *obj); @@ -XXX,XX +XXX,XX @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, const char *filename) { g_autoptr(virConf) conf = NULL; + g_autofree char *fwBackendStr = NULL; + bool fwBackendSelected = false; + size_t i; + int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1 }; + G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST); + + if (access(filename, R_OK) == 0) { + + conf = virConfReadFile(filename, 0); + if (!conf) + return -1; + + /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */ + + if (virConfGetValueString(conf, "firewall_backend", &fwBackendStr) < 0) + return -1; + + if (fwBackendStr) { + fwBackends[0] = virFirewallBackendTypeFromString(fwBackendStr); + + if (fwBackends[0] < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("unrecognized 'firewall_backend = '%1$s' set in network driver config file %2$s"), + fwBackendStr, filename); + return -1; + } + VIR_INFO("firewall_backend setting requested from config file %s: '%s'", + virFirewallBackendTypeToString(fwBackends[0]), filename); + } + } - /* if file doesn't exist or is unreadable, ignore the "error" */ - if (access(filename, R_OK) == -1) - return 0; + for (i = 0; i < G_N_ELEMENTS(fwBackends) && !fwBackendSelected; i++) { - conf = virConfReadFile(filename, 0); - if (!conf) - return -1; + switch ((virFirewallBackend)fwBackends[i]) { + case VIR_FIREWALL_BACKEND_IPTABLES: { + g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES); - /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */ + if (iptablesInPath) + fwBackendSelected = true; + break; + } + case VIR_FIREWALL_BACKEND_LAST: + virReportEnumRangeError(virFirewallBackend, fwBackends[i]); + return -1; + } - return 0; + if (fwBackendSelected) { + + cfg->firewallBackend = fwBackends[i]; + + } else if (fwBackendStr) { + + /* explicitly requested backend not found - this is a failure */ + virReportError(VIR_ERR_INTERNAL_ERROR, + _("requested firewall_backend '%1$s' is not available"), + virFirewallBackendTypeToString(fwBackends[i])); + return -1; + } + } + + if (fwBackendSelected) { + VIR_INFO("using firewall_backend: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + return 0; + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("could not find a usable firewall backend")); + return -1; + } } diff --git a/src/network/bridge_driver_conf.h b/src/network/bridge_driver_conf.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_conf.h +++ b/src/network/bridge_driver_conf.h @@ -XXX,XX +XXX,XX @@ #include "virdnsmasq.h" #include "virnetworkobj.h" #include "object_event.h" +#include "virfirewall.h" typedef struct _virNetworkDriverConfig virNetworkDriverConfig; struct _virNetworkDriverConfig { @@ -XXX,XX +XXX,XX @@ struct _virNetworkDriverConfig { char *stateDir; char *pidDir; char *dnsmasqStateDir; + + virFirewallBackend firewallBackend; }; G_DEFINE_AUTOPTR_CLEANUP_FUNC(virNetworkDriverConfig, virObjectUnref); diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def) int -networkAddFirewallRules(virNetworkDef *def) +networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend G_GNUC_UNUSED) { if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -XXX,XX +XXX,XX @@ networkAddFirewallRules(virNetworkDef *def) void -networkRemoveFirewallRules(virNetworkDef *def) +networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend G_GNUC_UNUSED) { iptablesRemoveFirewallRules(def); } diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED) return 0; } -int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_UNUSED) { return 0; } -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_UNUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -XXX,XX +XXX,XX @@ void networkPostReloadFirewallRules(bool startup); int networkCheckRouteCollision(virNetworkDef *def); -int networkAddFirewallRules(virNetworkDef *def); +int networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); -void networkRemoveFirewallRules(virNetworkDef *def); +void networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_network.aug index XXXXXXX..XXXXXXX 100644 --- a/src/network/libvirtd_network.aug +++ b/src/network/libvirtd_network.aug @@ -XXX,XX +XXX,XX @@ module Libvirtd_network = let int_entry (kw:string) = [ key kw . value_sep . int_val ] let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ] + let firewall_backend_entry = str_entry "firewall_backend" + (* Each entry in the config is one of the following *) + let entry = firewall_backend_entry let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] let empty = [ label "#empty" . eol ] - let record = indent . eol + let record = indent . entry . eol let lns = ( record | comment | empty ) * diff --git a/src/network/meson.build b/src/network/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -XXX,XX +XXX,XX @@ if conf.has('WITH_NETWORK') ], } + network_options_conf = configuration_data({ + 'FIREWALL_BACKEND': firewall_backend_default_conf, + }) + network_conf = configure_file( input: 'network.conf.in', output: 'network.conf', - configuration: configmake_conf, + configuration: network_options_conf, ) + + network_options_hack_conf = configuration_data({ + 'FIREWALL_BACKEND': firewall_backend_default_conf, + # This hack is necessary because the output file is going to be + # used as input for another configure_file() call later, which + # will take care of substituting @CONFIG@ with useful data + 'CONFIG': '@CONFIG@', + }) + test_libvirtd_network_aug_tmp = configure_file( + input: 'test_libvirtd_network.aug.in', + output: 'test_libvirtd_network.aug.tmp', + configuration: network_options_hack_conf, + ) + virt_conf_files += network_conf virt_aug_files += files('libvirtd_network.aug') virt_test_aug_files += { 'name': 'test_libvirtd_network.aug', - 'aug': files('test_libvirtd_network.aug.in'), + 'aug': test_libvirtd_network_aug_tmp, 'conf': network_conf, 'test_name': 'libvirtd_network', 'test_srcdir': meson.current_source_dir(), diff --git a/src/network/network.conf.in b/src/network/network.conf.in index XXXXXXX..XXXXXXX 100644 --- a/src/network/network.conf.in +++ b/src/network/network.conf.in @@ -XXX,XX +XXX,XX @@ # Master configuration file for the network driver. # All settings described here are optional - if omitted, sensible # defaults are used. + +# firewall_backend: +# +# determines which subsystem to use to setup firewall packet +# filtering rules for virtual networks. Currently the only supported +# selection is "iptables". +# +#firewall_backend = "@FIREWALL_BACKEND@" diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_libvirtd_network.aug.in index XXXXXXX..XXXXXXX 100644 --- a/src/network/test_libvirtd_network.aug.in +++ b/src/network/test_libvirtd_network.aug.in @@ -XXX,XX +XXX,XX @@ module Test_libvirtd_network = @CONFIG@ + + test Libvirtd_network.lns get conf = +{ "firewall_backend" = "@FIREWALL_BACKEND@" } diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) return -1; - if (networkAddFirewallRules(def) < 0) + if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) return -1; actual = actualargv = virBufferContentAndReset(&buf); -- 2.45.0
Modify networkSetupPrivateChains() in the network driver to accept a firewallBackend argument so it will know which backend to call. (right now it always calls the iptables version of the lower level function, but in the future it could instead call the nftables version based on configuration). But networkSetupPrivateChains() was being called with virOnce(), and virOnce() doesn't support calling functions that require an argument (it's based on pthread_once(), which accepts no arguments, so it's not something we can easily fix in our implementation of virOnce()). To solve this dilemma, this patch eliminates use of virOnce() by adding a static lock, and putting all of networkSetupPrivateChains() (including the setting of "chainInitDone") inside a lock guard - now the places that used to call it via virOnce() can safely call it directly instead (adding in the necessary argument to specify backend). (If it turns out to be significant, we could optimize this by checking for chainInitDone outside the lock guard, returning immediately if it's already set, and then moving the setting of chainInitDone up to the top of the guarded section.) Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/bridge_driver_linux.c | 57 +++++++++++++++++++++---------- 1 file changed, 39 insertions(+), 18 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.bridge_driver_linux"); #define PROC_NET_ROUTE "/proc/net/route" -static virOnceControl createdOnce; +static virMutex chainInitLock = VIR_MUTEX_INITIALIZER; static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */ static virErrorPtr errInitV4; static virErrorPtr errInitV6; -/* Usually only called via virOnce, but can also be called directly in - * response to firewalld reload (if chainInitDone == true) - */ -static void networkSetupPrivateChains(void) + +static int +networkFirewallSetupPrivateChains(virFirewallBackend backend, + virFirewallLayer layer) +{ + switch (backend) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesSetupPrivateChains(layer); + + case VIR_FIREWALL_BACKEND_LAST: + virReportEnumRangeError(virFirewallBackend, backend); + return -1; + } + return 0; +} + + +static void +networkSetupPrivateChains(virFirewallBackend backend, + bool force) { + VIR_LOCK_GUARD lock = virLockGuardLock(&chainInitLock); int rc; + if (chainInitDone && !force) + return; + VIR_DEBUG("Setting up global firewall chains"); g_clear_pointer(&errInitV4, virFreeError); g_clear_pointer(&errInitV6, virFreeError); - rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4); + rc = networkFirewallSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV4); if (rc < 0) { VIR_DEBUG("Failed to create global IPv4 chains: %s", virGetLastErrorMessage()); @@ -XXX,XX +XXX,XX @@ static void networkSetupPrivateChains(void) VIR_DEBUG("Global IPv4 chains already exist"); } - rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); + rc = networkFirewallSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV6); if (rc < 0) { VIR_DEBUG("Failed to create global IPv6 chains: %s", virGetLastErrorMessage()); @@ -XXX,XX +XXX,XX @@ networkPreReloadFirewallRules(virNetworkDriverState *driver, bool startup G_GNUC_UNUSED, bool force) { + g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(driver); /* * If there are any running networks, we need to * create the global rules upfront. This allows us @@ -XXX,XX +XXX,XX @@ networkPreReloadFirewallRules(virNetworkDriverState *driver, */ if (chainInitDone && force) { /* The Private chains have already been initialized once - * during this run of libvirtd, so 1) we can't do it again via - * virOnce(), and 2) we need to re-add the private chains even - * if there are currently no running networks, because the - * next time a network is started, libvirt will expect that - * the chains have already been added. So we call directly - * instead of via virOnce(). + * during this run of libvirtd/virtnetworkd (known because + * chainInitDone == true) so we need to re-add the private + * chains even if there are currently no running networks, + * because the next time a network is started, libvirt will + * expect that the chains have already been added. So we force + * the init. */ - networkSetupPrivateChains(); + networkSetupPrivateChains(cfg->firewallBackend, true); } else { if (!networkHasRunningNetworksWithFW(driver)) { @@ -XXX,XX +XXX,XX @@ networkPreReloadFirewallRules(virNetworkDriverState *driver, return; } - ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); + networkSetupPrivateChains(cfg->firewallBackend, false); } } @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def) int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend G_GNUC_UNUSED) + virFirewallBackend firewallBackend) { - if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) - return -1; + + networkSetupPrivateChains(firewallBackend, false); if (errInitV4 && (virNetworkDefGetIPByIndex(def, AF_INET, 0) || -- 2.45.0
In the past virFirewall required all rollback commands for a group (those commands necessary to "undo" any rules that had been added in that group in case of a later failure) to be manually added by switching into the virFirewall object into "rollback mode" and then re-calling the inverse of the exact virFirewallAddCmd*() APIs that had been called to add the original rules (ie. for each "iptables --insert" command, for rollback we would need to add a command with all arguments identical except that "--insert" would be replaced by "--delete"). Because nftables can't search for rules to remove by comparing all the arguments (it instead expects *only* a handle that is provided via stdout when the rule was originally added), we won't be able to follow the iptables method and manually construct the command to undo any given nft command by just duplicating all the args of the command (except the action). Instead we will need to be able to automatically create a rollback command at the time the rule-adding command is executed (e.g. an "nft delete rule" command that would include the rule handle returned in stdout by an "nft add rule" command). In order to make this happen, we need to be able to 1) learn whether the user of the virFirewall API desires this behavior (handled by a new transaction flag called VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK that can be retrieved with the new virFirewallTransactionGetFlags() API), and 2) add a new command to the current group's rollback command list (with the new virFirewallAddRollbackCmd()). We will actually use this capability in an upcoming patch. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 55 +++++++++++++++++++++++++++++++++++----- src/util/virfirewall.h | 7 +++++ 3 files changed, 57 insertions(+), 6 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddCmdFull; +virFirewallAddRollbackCmd; virFirewallApply; virFirewallBackendTypeFromString; virFirewallBackendTypeToString; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ void virFirewallFree(virFirewall *firewall) fwCmd->args[fwCmd->argsLen++] = g_strdup(str); \ } while (0) + static virFirewallCmd * virFirewallAddCmdFullV(virFirewall *firewall, virFirewallLayer layer, bool ignoreErrors, + bool isRollback, virFirewallQueryCallback cb, void *opaque, va_list args) @@ -XXX,XX +XXX,XX @@ virFirewallAddCmdFullV(virFirewall *firewall, } group = firewall->groups[firewall->currentGroup]; - fwCmd = g_new0(virFirewallCmd, 1); - fwCmd->layer = layer; - fwCmd->queryCB = cb; - fwCmd->queryOpaque = opaque; while ((str = va_arg(args, char *)) != NULL) ADD_ARG(fwCmd, str); - if (group->addingRollback) { + if (isRollback || group->addingRollback) { fwCmd->ignoreErrors = true; /* always ignore errors when rolling back */ + fwCmd->queryCB = NULL; /* rollback commands can't have a callback */ + fwCmd->queryOpaque = NULL; VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd); } else { /* when not rolling back, ignore errors if this group (transaction) @@ -XXX,XX +XXX,XX @@ virFirewallAddCmdFullV(virFirewall *firewall, * if this specific rule was created with ignoreErrors == true */ fwCmd->ignoreErrors = ignoreErrors || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + fwCmd->queryCB = cb; + fwCmd->queryOpaque = opaque; VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd); } @@ -XXX,XX +XXX,XX @@ virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, virFirewallCmd *fwCmd; va_list args; va_start(args, opaque); - fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, opaque, args); + fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, false, cb, opaque, args); + va_end(args); + return fwCmd; +} + + +/** + * virFirewallAddRollbackCmd: + * @firewall: firewall commands to add to + * @layer: the firewall layer to change + * @...: NULL terminated list of strings for the command + * + * Add a command to the current firewall command group "rollback". + * Rollback commands always ignore errors and don't support any + * callbacks. + * + * Returns the new Command + */ +virFirewallCmd * +virFirewallAddRollbackCmd(virFirewall *firewall, + virFirewallLayer layer, + ...) +{ + virFirewallCmd *fwCmd; + va_list args; + va_start(args, layer); + fwCmd = virFirewallAddCmdFullV(firewall, layer, true, true, NULL, NULL, args); va_end(args); return fwCmd; } @@ -XXX,XX +XXX,XX @@ void virFirewallStartTransaction(virFirewall *firewall, firewall->currentGroup = firewall->ngroups - 1; } + +/** + * virFirewallTransactionGetFlags: + * @firewall: the firewall to look at + * + * Returns the virFirewallTransactionFlags for the currently active + * group (transaction) in @firewall. + */ +static virFirewallTransactionFlags G_GNUC_UNUSED +virFirewallTransactionGetFlags(virFirewall *firewall) +{ + return firewall->groups[firewall->currentGroup]->actionFlags; +} + + /** * virFirewallBeginRollback: * @firewall: the firewall ruleset diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, ...) G_GNUC_NULL_TERMINATED; +virFirewallCmd *virFirewallAddRollbackCmd(virFirewall *firewall, + virFirewallLayer layer, + ...) + G_GNUC_NULL_TERMINATED; + void virFirewallRemoveCmd(virFirewall *firewall, virFirewallCmd *rule); @@ -XXX,XX +XXX,XX @@ typedef enum { /* Ignore all errors when applying rules, so no * rollback block will be required */ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS = (1 << 0), + /* Set to auto-add a rollback rule for each rule that is applied */ + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK = (1 << 1), } virFirewallTransactionFlags; void virFirewallStartTransaction(virFirewall *firewall, -- 2.45.0
If the VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK flag is set, each time an iptables command is executed that is adding a rule or chain, a corresponding command that will *delete* the same rule/chain is constructed and added to the list of rollback commands. If we later want to undo the entire firewall, we can just run those commands. This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/virfirewall.c | 55 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ void virFirewallStartTransaction(virFirewall *firewall, * Returns the virFirewallTransactionFlags for the currently active * group (transaction) in @firewall. */ -static virFirewallTransactionFlags G_GNUC_UNUSED +static virFirewallTransactionFlags virFirewallTransactionGetFlags(virFirewall *firewall) { return firewall->groups[firewall->currentGroup]->actionFlags; @@ -XXX,XX +XXX,XX @@ virFirewallCmdToString(const char *cmd, } +#define VIR_IPTABLES_ARG_IS_CREATE(arg) \ + (STREQ(arg, "--insert") || STREQ(arg, "-I") || \ + STREQ(arg, "--append") || STREQ(arg, "-A")) + + static int -virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, - char **output) +virFirewallCmdIptablesApply(virFirewall *firewall, + virFirewallCmd *fwCmd, + char **output) { - size_t i; const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer); + bool checkRollback = (virFirewallTransactionGetFlags(firewall) & + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); + bool needRollback = false; g_autoptr(virCommand) cmd = NULL; g_autofree char *cmdStr = NULL; - int status; g_autofree char *error = NULL; + size_t i; + int status; if (!bin) { virReportError(VIR_ERR_INTERNAL_ERROR, @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, break; } - for (i = 0; i < fwCmd->argsLen; i++) + for (i = 0; i < fwCmd->argsLen; i++) { + /* the -I/-A arg could be at any position in the list */ + if (checkRollback && VIR_IPTABLES_ARG_IS_CREATE(fwCmd->args[i])) + needRollback = true; + virCommandAddArg(cmd, fwCmd->args[i]); + } cmdStr = virCommandToString(cmd, false); VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr)); @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, return -1; if (status != 0) { + /* the command failed, decide whether or not to report it */ if (fwCmd->ignoreErrors) { VIR_DEBUG("Ignoring error running command"); + return 0; } else { virReportError(VIR_ERR_INTERNAL_ERROR, _("Failed to run firewall command %1$s: %2$s"), @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, } } + /* the command was successful, see if we need to add a + * rollback command + */ + + if (needRollback) { + virFirewallCmd *rollback + = virFirewallAddRollbackCmd(firewall, fwCmd->layer, NULL); + g_autofree char *rollbackStr = NULL; + + for (i = 0; i < fwCmd->argsLen; i++) { + /* iptables --delete wants the entire commandline that + * was used for --insert but with s/insert/delete/ + */ + if (VIR_IPTABLES_ARG_IS_CREATE(fwCmd->args[i])) { + virFirewallCmdAddArg(firewall, rollback, "--delete"); + } else { + virFirewallCmdAddArg(firewall, rollback, fwCmd->args[i]); + } + } + + rollbackStr = virFirewallCmdToString(virFirewallLayerCommandTypeToString(fwCmd->layer), + rollback); + VIR_DEBUG("Recording Rollback command '%s'", NULLSTR(rollbackStr)); + } + return 0; } @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmd(virFirewall *firewall, return -1; } - if (virFirewallApplyCmdDirect(fwCmd, &output) < 0) + if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) return -1; if (fwCmd->queryCB && output) { -- 2.45.0
So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_iptables.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ iptablesAddFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); iptablesAddGeneralFirewallRules(fw, def); @@ -XXX,XX +XXX,XX @@ iptablesAddFirewallRules(virNetworkDef *def) return -1; } - virFirewallStartRollback(fw, 0); - - for (i = 0; - (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - iptablesRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS | + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK)); iptablesAddChecksumFirewallRules(fw, def); return virFirewallApply(fw); -- 2.45.0
This will be used to label (via "name='blah'") a firewall when it is formatted to XML and written to the network status. Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 20 +++++++++++++++++++- src/util/virfirewall.h | 2 ++ 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFirewallCmdGetArgCount; virFirewallCmdToString; virFirewallFree; virFirewallGetBackend; +virFirewallGetName; virFirewallNew; virFirewallRemoveCmd; +virFirewallSetName; virFirewallStartRollback; virFirewallStartTransaction; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ struct _virFirewallGroup { struct _virFirewall { int err; + char *name; size_t ngroups; virFirewallGroup **groups; size_t currentGroup; @@ -XXX,XX +XXX,XX @@ virFirewallGetBackend(virFirewall *firewall) } +const char * +virFirewallGetName(virFirewall *firewall) +{ + return firewall->name; +} + + +void +virFirewallSetName(virFirewall *firewall, + const char *name) +{ + g_free(firewall->name); + firewall->name = g_strdup(name); +} + + static void virFirewallCmdFree(virFirewallCmd *fwCmd) { @@ -XXX,XX +XXX,XX @@ void virFirewallFree(virFirewall *firewall) for (i = 0; i < firewall->ngroups; i++) virFirewallGroupFree(firewall->groups[i]); - g_free(firewall->groups); + g_free(firewall->groups); + g_free(firewall->name); g_free(firewall); } diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ VIR_ENUM_DECL(virFirewallBackend); virFirewall *virFirewallNew(virFirewallBackend backend); void virFirewallFree(virFirewall *firewall); virFirewallBackend virFirewallGetBackend(virFirewall *firewall); +const char *virFirewallGetName(virFirewall *firewall); +void virFirewallSetName(virFirewall *firewall, const char *name); /** * virFirewallAddCmd: -- 2.45.0
virFirewallNewFromRollback() creates a new virFirewall object that contains a copy of the "rollback" commands from an existing virFirewall object, but in reverse order. The intent is that this virFirewall be saved and used later to remove the firewall rules that were added for a network. Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 59 ++++++++++++++++++++++++++++++++++++++++ src/util/virfirewall.h | 1 + 3 files changed, 61 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFirewallFree; virFirewallGetBackend; virFirewallGetName; virFirewallNew; +virFirewallNewFromRollback; virFirewallRemoveCmd; virFirewallSetName; virFirewallStartRollback; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ virFirewallApply(virFirewall *firewall) return 0; } + + +/** + * virFirewallNewFromRollback: + + * @original: the original virFirewall object containing the rollback + * of interest + * @fwRemoval: a firewall object that, when applied, will remove @original + * + * Copy the rollback rules from the current virFirewall object as a + * new virFirewall. This virFirewall can then be saved to apply later + * and counteract everything done by the original. + * + * Returns 0 on success, -1 on error + */ +int +virFirewallNewFromRollback(virFirewall *original, + virFirewall **fwRemoval) +{ + size_t g; + g_autoptr(virFirewall) firewall = NULL; + + if (original->err) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("error in original firewall object")); + return -1; + } + + firewall = virFirewallNew(original->backend); + + /* add the rollback commands in reverse order of actions/groups of + * what was applied in the original firewall. + */ + for (g = original->ngroups; g > 0; g--) { + size_t r; + virFirewallGroup *group = original->groups[g - 1]; + + if (group->nrollback == 0) + continue; + + virFirewallStartTransaction(firewall, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + + for (r = group->nrollback; r > 0; r--) { + size_t i; + virFirewallCmd *origCmd = group->rollback[r - 1]; + virFirewallCmd *rbCmd = virFirewallAddCmd(firewall, origCmd->layer, NULL); + + for (i = 0; i < origCmd->argsLen; i++) + ADD_ARG(rbCmd, origCmd->args[i]); + } + } + + if (firewall->ngroups == 0) + VIR_DEBUG("original firewall object is empty"); + else + *fwRemoval = g_steal_pointer(&firewall); + + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ typedef enum { VIR_ENUM_DECL(virFirewallBackend); virFirewall *virFirewallNew(virFirewallBackend backend); +int virFirewallNewFromRollback(virFirewall *original, virFirewall **fwRemoval); void virFirewallFree(virFirewall *firewall); virFirewallBackend virFirewallGetBackend(virFirewall *firewall); const char *virFirewallGetName(virFirewall *firewall); -- 2.45.0
These functions convert a virFirewall object to/from XML so that it can be serialized to disk (in a virNetworkObj's status file) and restored later (e.g. after libvirtd/virtnetworkd is restarted). Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 2 + src/util/virfirewall.c | 219 +++++++++++++++++++++++++++++++++++++++ src/util/virfirewall.h | 9 ++ 3 files changed, 230 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virFirewallCmdAddArgList; virFirewallCmdAddArgSet; virFirewallCmdGetArgCount; virFirewallCmdToString; +virFirewallFormat; virFirewallFree; virFirewallGetBackend; virFirewallGetName; virFirewallNew; virFirewallNewFromRollback; +virFirewallParseXML; virFirewallRemoveCmd; virFirewallSetName; virFirewallStartRollback; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ VIR_ENUM_IMPL(virFirewallBackend, VIR_FIREWALL_BACKEND_LAST, "iptables"); +VIR_ENUM_DECL(virFirewallLayer); +VIR_ENUM_IMPL(virFirewallLayer, + VIR_FIREWALL_LAYER_LAST, + "ethernet", + "ipv4", + "ipv6", +); + typedef struct _virFirewallGroup virFirewallGroup; VIR_ENUM_DECL(virFirewallLayerCommand); @@ -XXX,XX +XXX,XX @@ virFirewallNewFromRollback(virFirewall *original, return 0; } + + +/* virFirewallGetFlagsFromNode: + * @node: the xmlNode to check for an ignoreErrors attribute + * + * A short helper to get the setting of the ignorErrors attribute from + * an xmlNode. Returns -1 on error (with error reported), or the + * VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS bit set/reset according to + * the value of the attribute. + */ +static int +virFirewallGetFlagsFromNode(xmlNodePtr node) +{ + virTristateBool ignoreErrors; + + if (virXMLPropTristateBool(node, "ignoreErrors", VIR_XML_PROP_NONE, &ignoreErrors) < 0) + return -1; + + if (ignoreErrors == VIR_TRISTATE_BOOL_YES) + return VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS; + return 0; +} + + +/** + * virFirewallParseXML: + * @firewall: pointer to virFirewall* to fill in with new virFirewall object + * + * Construct a new virFirewall object according to the XML in + * xmlNodePtr. Return 0 (and new object) on success, or -1 (with + * error reported) on error. + * + * Example of <firewall> element XML: + * + * <firewall backend='iptables|nftables'> + * <group ignoreErrors='yes|no'> + * <action layer='ethernet|ipv4|ipv6' ignoreErrors='yes|no'> + * <args> + * <item>arg1</item> + * <item>arg2</item> + * ... + * </args> + * </action> + * <action ...> + * ... + </action> + * ... + * </group> + * ... + * </firewall> + */ +int +virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt) +{ + g_autoptr(virFirewall) newfw = NULL; + virFirewallBackend backend; + g_autofree xmlNodePtr *groupNodes = NULL; + ssize_t ngroups; + size_t g; + VIR_XPATH_NODE_AUTORESTORE(ctxt); + + ctxt->node = node; + + if (virXMLPropEnum(node, "backend", virFirewallBackendTypeFromString, + VIR_XML_PROP_REQUIRED, &backend) < 0) { + return -1; + } + + newfw = virFirewallNew(backend); + + newfw->name = virXMLPropString(node, "name"); + + ngroups = virXPathNodeSet("./group", ctxt, &groupNodes); + if (ngroups < 0) + return -1; + + for (g = 0; g < ngroups; g++) { + int flags = 0; + g_autofree xmlNodePtr *actionNodes = NULL; + ssize_t nactions; + size_t a; + + ctxt->node = groupNodes[g]; + nactions = virXPathNodeSet("./action", ctxt, &actionNodes); + if (nactions < 0) + return -1; + if (nactions == 0) + continue; + + if ((flags = virFirewallGetFlagsFromNode(groupNodes[g])) < 0) + return -1; + + virFirewallStartTransaction(newfw, flags); + + for (a = 0; a < nactions; a++) { + g_autofree xmlNodePtr *argsNodes = NULL; + ssize_t nargs; + size_t i; + virFirewallLayer layer; + virFirewallCmd *action; + bool ignoreErrors; + + ctxt->node = actionNodes[a]; + + if (!(ctxt->node = virXPathNode("./args", ctxt))) + continue; + + if ((flags = virFirewallGetFlagsFromNode(actionNodes[a])) < 0) + return -1; + + ignoreErrors = flags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS; + + if (virXMLPropEnum(actionNodes[a], "layer", + virFirewallLayerTypeFromString, + VIR_XML_PROP_REQUIRED, &layer) < 0) { + return -1; + } + + nargs = virXPathNodeSet("./item", ctxt, &argsNodes); + if (nargs < 0) + return -1; + if (nargs == 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Invalid firewall command has 0 arguments")); + return -1; + } + + action = virFirewallAddCmdFull(newfw, layer, ignoreErrors, + NULL, NULL, NULL); + for (i = 0; i < nargs; i++) { + + char *arg = virXMLNodeContentString(argsNodes[i]); + if (!arg) + return -1; + + virFirewallCmdAddArg(newfw, action, arg); + } + } + } + + *firewall = g_steal_pointer(&newfw); + return 0; +} + + +/** + * virFirewallFormat: + * @buf: output buffer + * @firewall: the virFirewall object to format as XML + * + * Format virFirewall object @firewall into @buf as XML. + * Returns 0 on success, -1 on failure. + * + */ +int +virFirewallFormat(virBuffer *buf, + virFirewall *firewall) +{ + size_t g; + g_auto(virBuffer) attrBuf = VIR_BUFFER_INITIALIZER; + g_auto(virBuffer) childBuf = VIR_BUFFER_INIT_CHILD(buf); + + virBufferEscapeString(&attrBuf, " name='%s'", firewall->name); + virBufferAsprintf(&attrBuf, " backend='%s'", + virFirewallBackendTypeToString(virFirewallGetBackend(firewall))); + + for (g = 0; g < firewall->ngroups; g++) { + virFirewallGroup *group = firewall->groups[g]; + bool groupIgnoreErrors = (group->actionFlags & + VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + size_t a; + + virBufferAddLit(&childBuf, "<group"); + if (groupIgnoreErrors) + virBufferAddLit(&childBuf, " ignoreErrors='yes'"); + virBufferAddLit(&childBuf, ">\n"); + virBufferAdjustIndent(&childBuf, 2); + + for (a = 0; a < group->naction; a++) { + virFirewallCmd *action = group->action[a]; + size_t i; + + virBufferAsprintf(&childBuf, "<action layer='%s'", + virFirewallLayerTypeToString(action->layer)); + /* if the entire group has ignoreErrors='yes', then it's + * redundant to have it for an action of the group + */ + if (action->ignoreErrors && !groupIgnoreErrors) + virBufferAddLit(&childBuf, " ignoreErrors='yes'"); + virBufferAddLit(&childBuf, ">\n"); + + virBufferAdjustIndent(&childBuf, 2); + virBufferAddLit(&childBuf, "<args>\n"); + virBufferAdjustIndent(&childBuf, 2); + for (i = 0; i < virFirewallCmdGetArgCount(action); i++) + virBufferEscapeString(&childBuf, "<item>%s</item>\n", action->args[i]); + virBufferAdjustIndent(&childBuf, -2); + virBufferAddLit(&childBuf, "</args>\n"); + virBufferAdjustIndent(&childBuf, -2); + virBufferAddLit(&childBuf, "</action>\n"); + } + + virBufferAdjustIndent(&childBuf, -2); + virBufferAddLit(&childBuf, "</group>\n"); + } + + virXMLFormatElement(buf, "firewall", &attrBuf, &childBuf); + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ #include "internal.h" #include "virenum.h" +#include "virbuffer.h" +#include "virxml.h" typedef struct _virFirewall virFirewall; @@ -XXX,XX +XXX,XX @@ void virFirewallStartRollback(virFirewall *firewall, int virFirewallApply(virFirewall *firewall); +int virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt); + +int virFirewallFormat(virBuffer *buf, + virFirewall *firewall); + G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); -- 2.45.0
This virFirewall object will store the list of actions required to remove the firewall that was added for the currently active instance of the network, so it has been named "fwRemoval" (and when parsed into XML, the <firewall> element will have the name "fwRemoval"). There are no uses of the fwRemoval object in the virNetworkObj yet, but everything is in place to add it to the XML when formatted, parse it from the XML when reading network status, and free the virFirewall object when the virNetworkObj is freed. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/conf/virnetworkobj.c | 40 ++++++++++++++++++++++++++++++++++++++++ src/conf/virnetworkobj.h | 8 ++++++++ src/libvirt_private.syms | 2 ++ 3 files changed, 50 insertions(+) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index XXXXXXX..XXXXXXX 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -XXX,XX +XXX,XX @@ struct _virNetworkObj { unsigned int taint; + /* fwRemoval contains all commands needed to remove the firewall + * that was added for this network. + */ + virFirewall *fwRemoval; + /* Immutable pointer, self locking APIs */ virMacMap *macmap; @@ -XXX,XX +XXX,XX @@ virNetworkObjSetFloorSum(virNetworkObj *obj, } +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj) +{ + return obj->fwRemoval; +} + + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval) +{ + obj->fwRemoval = fwRemoval; + /* give it a name so it's identifiable in the XML */ + if (fwRemoval) + virFirewallSetName(fwRemoval, "fwRemoval"); +} + + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap) @@ -XXX,XX +XXX,XX @@ virNetworkObjDispose(void *opaque) virNetworkDefFree(obj->newDef); virBitmapFree(obj->classIdMap); virObjectUnref(obj->macmap); + virFirewallFree(obj->fwRemoval); } @@ -XXX,XX +XXX,XX @@ virNetworkObjFormat(virNetworkObj *obj, if (virNetworkDefFormatBuf(&buf, obj->def, xmlopt, flags) < 0) return NULL; + if (obj->fwRemoval && virFirewallFormat(&buf, obj->fwRemoval) < 0) + return NULL; + virBufferAdjustIndent(&buf, -2); virBufferAddLit(&buf, "</networkstatus>"); @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *configFile = NULL; g_autoptr(virNetworkDef) def = NULL; virNetworkObj *obj = NULL; + g_autoptr(virFirewall) fwRemoval = NULL; g_autoptr(xmlDoc) xml = NULL; xmlNodePtr node = NULL; g_autoptr(xmlXPathContext) ctxt = NULL; @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *classIdStr = NULL; g_autofree char *floor_sum = NULL; g_autofree xmlNodePtr *nodes = NULL; + xmlNodePtr fwNode; ctxt->node = node; if ((classIdStr = virXPathString("string(./class_id[1]/@bitmap)", @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, taint |= (1 << flag); } } + if ((fwNode = virXPathNode("./firewall", ctxt))) { + g_autoptr(virFirewall) fwTmp = NULL; + + if (virFirewallParseXML(&fwTmp, fwNode, ctxt) < 0) + return NULL; + + if (STREQ_NULLABLE(virFirewallGetName(fwTmp), "fwRemoval")) + fwRemoval = g_steal_pointer(&fwTmp); + } } /* create the object */ @@ -XXX,XX +XXX,XX @@ virNetworkLoadState(virNetworkObjList *nets, def = NULL; + virNetworkObjSetFwRemoval(obj, g_steal_pointer(&fwRemoval)); + /* assign status data stored in the network object */ if (classIdMap) { virBitmapFree(obj->classIdMap); diff --git a/src/conf/virnetworkobj.h b/src/conf/virnetworkobj.h index XXXXXXX..XXXXXXX 100644 --- a/src/conf/virnetworkobj.h +++ b/src/conf/virnetworkobj.h @@ -XXX,XX +XXX,XX @@ #include "network_conf.h" #include "virnetworkportdef.h" +#include "virfirewall.h" typedef struct _virNetworkObj virNetworkObj; @@ -XXX,XX +XXX,XX @@ void virNetworkObjSetFloorSum(virNetworkObj *obj, unsigned long long floor_sum); +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj); + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval); + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap); diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index XXXXXXX..XXXXXXX 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -XXX,XX +XXX,XX @@ virNetworkObjGetClassIdMap; virNetworkObjGetDef; virNetworkObjGetDnsmasqPid; virNetworkObjGetFloorSum; +virNetworkObjGetFwRemoval; virNetworkObjGetMacMap; virNetworkObjGetMetadata; virNetworkObjGetNewDef; @@ -XXX,XX +XXX,XX @@ virNetworkObjSetDef; virNetworkObjSetDefTransient; virNetworkObjSetDnsmasqPid; virNetworkObjSetFloorSum; +virNetworkObjSetFwRemoval; virNetworkObjSetMacMap; virNetworkObjSetMetadata; virNetworkObjTaint; -- 2.45.0
When destroying a network, the network driver has always assumed that it knew what firewall rules had been added as the network was started. This was usually correct - I only recall one time in the past that the firewall rules added by libvirt were changed. But if the exact rules used for a network *were* ever changed from one build/version of libvirt to another, then we would end up attempting to remove rules that hadn't been added, and could possibly *not* remove rules that had been added. The solution to this to not make such brash assumptions about the past, but instead to save (in the network status object at network start time) a list of all the rules needed to remove the rules that were added for the network, and then use that saved list during network destroy to remove exactly what was previous added. Beyond making net-destroy more precise, there are other benefits: 1) We can change the details of the rules we add for networks from one build/release of libvirt to another and painlessly upgrade. 2) The user can switch from one firewall backend to another by simply changing the setting in network.conf and restarting libvirtd/virtnetworkd. In both cases, the restarted libvirtd/virtnetworkd will remove all the rules that had been previously added (based on the network status), and then add new rules (saving the new removal commands back into the network status) Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/bridge_driver.c | 35 ++++++++++++++-------- src/network/bridge_driver_linux.c | 26 +++++++++++++---- src/network/bridge_driver_nop.c | 6 ++-- src/network/bridge_driver_platform.h | 6 ++-- src/network/network_iptables.c | 43 +++++++++++++++++++++++++--- src/network/network_iptables.h | 2 +- tests/networkxml2firewalltest.c | 2 +- 7 files changed, 91 insertions(+), 29 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(networkGetDriver()); VIR_LOCK_GUARD lock = virObjectLockGuard(obj); virNetworkDef *def = virNetworkObjGetDef(obj); + virFirewall *fwRemoval = NULL; if (virNetworkObjIsActive(obj)) { switch ((virNetworkForwardType) def->forward.type) { @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward='open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def, cfg->firewallBackend); - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); + networkRemoveFirewallRules(obj); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval)); + virNetworkObjSetFwRemoval(obj, fwRemoval); break; case VIR_NETWORK_FORWARD_OPEN: @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, bool devOnline = false; bool firewalRulesAdded = false; virSocketAddr *dnsServer = NULL; + virFirewall *fwRemoval = NULL; /* Check to see if any network IP collides with an existing route */ if (networkCheckRouteCollision(def) < 0) @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, /* Add "once per network" rules */ if (def->forward.type != VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def, cfg->firewallBackend) < 0) + networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) { goto error; + } + virNetworkObjSetFwRemoval(obj, fwRemoval); firewalRulesAdded = true; for (i = 0; (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); i++) { @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, if (firewalRulesAdded && def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); virNetworkObjUnrefMacMap(obj); @@ -XXX,XX +XXX,XX @@ networkStartNetworkVirtual(virNetworkDriverState *driver, static int -networkShutdownNetworkVirtual(virNetworkObj *obj, - virNetworkDriverConfig *cfg) +networkShutdownNetworkVirtual(virNetworkObj *obj) { virNetworkDef *def = virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -XXX,XX +XXX,XX @@ networkShutdownNetworkVirtual(virNetworkObj *obj, ignore_value(virNetDevSetOnline(def->bridge, false)); if (def->forward.type != VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); ignore_value(virNetDevBridgeDelete(def->bridge)); @@ -XXX,XX +XXX,XX @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret = networkShutdownNetworkVirtual(obj, cfg); + ret = networkShutdownNetworkVirtual(obj); break; case VIR_NETWORK_FORWARD_BRIDGE: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, virNetworkIPDef *ipdef; bool oldDhcpActive = false; bool needFirewallRefresh = false; + virFirewall *fwRemoval = NULL; + virCheckFlags(VIR_NETWORK_UPDATE_AFFECT_LIVE | @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); needFirewallRefresh = true; break; default: @@ -XXX,XX +XXX,XX @@ networkUpdate(virNetworkPtr net, if (virNetworkObjUpdate(obj, command, section, parentIndex, xml, network_driver->xmlopt, flags) < 0) { - if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend)); + if (needFirewallRefresh) { + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval)); + virNetworkObjSetFwRemoval(obj, fwRemoval); + } goto cleanup; } /* @def is replaced */ def = virNetworkObjGetDef(obj); - if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallBackend) < 0) + if (needFirewallRefresh && + networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) { goto cleanup; + } + virNetworkObjSetFwRemoval(obj, fwRemoval); if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { /* save updated persistent config to disk */ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def) int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend) + virFirewallBackend firewallBackend, + virFirewall **fwRemoval) { networkSetupPrivateChains(firewallBackend, false); @@ -XXX,XX +XXX,XX @@ networkAddFirewallRules(virNetworkDef *def, } } - return iptablesAddFirewallRules(def); + return iptablesAddFirewallRules(def, fwRemoval); } void -networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend G_GNUC_UNUSED) +networkRemoveFirewallRules(virNetworkObj *obj) { - iptablesRemoveFirewallRules(def); + virFirewall *fw; + + if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) { + /* No information about firewall rules in the network status, + * so we assume the old iptables-based rules from 10.2.0 and + * earlier. + */ + VIR_DEBUG("No firewall info in network status, assuming old-style iptables"); + iptablesRemoveFirewallRules(virNetworkObjGetDef(obj)); + return; + } + + /* fwRemoval info was stored in the network status, so use that to + * remove the firewall + */ + VIR_DEBUG("Removing firewall rules with commands saved in network status"); + virFirewallApply(fw); } diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -XXX,XX +XXX,XX @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED) } int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_UNUSED) + virFirewallBackend firewallBackend G_GNUC_UNUSED, + virFirewall **fwRemoval G_GNUC_UNUSED) { return 0; } -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_UNUSED) +void networkRemoveFirewallRules(virNetworkObj *obj G_GNUC_UNUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -XXX,XX +XXX,XX @@ void networkPostReloadFirewallRules(bool startup); int networkCheckRouteCollision(virNetworkDef *def); int networkAddFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend); + virFirewallBackend firewallBackend, + virFirewall **fwRemoval); -void networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend); +void networkRemoveFirewallRules(virNetworkObj *obj); diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -XXX,XX +XXX,XX @@ iptablesRemoveIPSpecificFirewallRules(virFirewall *fw, } -/* Add all rules for all ip addresses (and general rules) on a network */ +/* iptablesAddFirewallrules: + * + * @def - the network that needs an iptables firewall added + * @fwRemoval - if this is not NULL, it points to a pointer + * that should be filled in with a virFirewall object containing + * all the commands needed to remove this firewall at a later time. + * + * Add all rules for all ip addresses (and general rules) on a + * network, and optionally return a virFirewall object containing all + * the rules needed to later remove the firewall that has been added. +*/ int -iptablesAddFirewallRules(virNetworkDef *def) +iptablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval) { size_t i; virNetworkIPDef *ipdef; @@ -XXX,XX +XXX,XX @@ iptablesAddFirewallRules(virNetworkDef *def) VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK)); iptablesAddChecksumFirewallRules(fw, def); - return virFirewallApply(fw); + if (virFirewallApply(fw) < 0) + return -1; + + if (fwRemoval) { + /* caller wants us to create a virFirewall object that can be + * applied to undo everything that was just done by * virFirewallApply() + */ + + if (virFirewallNewFromRollback(fw, fwRemoval) < 0) + return -1; + } + + return 0; } -/* Remove all rules for all ip addresses (and general rules) on a network */ +/* iptablesRemoveFirewallRules: + * + * @def - the network that needs its iptables firewall rules removed + * + * Remove all rules for all ip addresses (and general rules) on a + * network that is being shut down. + * + * This function assumes the set of iptables rules that were added by + * all versions of libvirt prior to 10.4.0; any libvirt of that + * release or newer may or may not have this same set of rules, and + * should be using the list of commands saved in NetworkObj::fwRemoval + * (<fwRemoval> element in the network status XML) to remove the + * network's firewall rules. + */ void iptablesRemoveFirewallRules(virNetworkDef *def) { diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_iptables.h +++ b/src/network/network_iptables.h @@ -XXX,XX +XXX,XX @@ #include "virfirewall.h" #include "network_conf.h" -int iptablesAddFirewallRules(virNetworkDef *def); +int iptablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval); void iptablesRemoveFirewallRules(virNetworkDef *def); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) return -1; - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) + if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0) return -1; actual = actualargv = virBufferContentAndReset(&buf); -- 2.45.0
In the case that a new version of libvirt is started that uses different rules to build the network firewall, we need to re-save the status so that when the network is destroyed (or the *next* time libvirt is restarted and wants to remove/re-add the firewall), it will have the proper information to perform the firewall removal. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/conf/virnetworkobj.c | 1 + src/network/bridge_driver.c | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index XXXXXXX..XXXXXXX 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -XXX,XX +XXX,XX @@ virNetworkObjSaveStatus(const char *statusDir, int flags = 0; g_autofree char *xml = NULL; + VIR_DEBUG("Writing network status to disk"); if (!(xml = virNetworkObjFormat(obj, xmlopt, flags))) return -1; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, VIR_LOCK_GUARD lock = virObjectLockGuard(obj); virNetworkDef *def = virNetworkObjGetDef(obj); virFirewall *fwRemoval = NULL; + bool saveStatus = false; if (virNetworkObjIsActive(obj)) { switch ((virNetworkForwardType) def->forward.type) { @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, networkRemoveFirewallRules(obj); ignore_value(networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval)); virNetworkObjSetFwRemoval(obj, fwRemoval); + saveStatus = true; break; case VIR_NETWORK_FORWARD_OPEN: @@ -XXX,XX +XXX,XX @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, } } + if (saveStatus) { + ignore_value(virNetworkObjSaveStatus(cfg->stateDir, obj, + network_driver->xmlopt)); + } + return 0; } @@ -XXX,XX +XXX,XX @@ networkStartNetwork(virNetworkDriverState *driver, /* Persist the live configuration now that anything autogenerated * is setup. */ - VIR_DEBUG("Writing network status to disk"); if (virNetworkObjSaveStatus(cfg->stateDir, obj, network_driver->xmlopt) < 0) goto cleanup; -- 2.45.0
This was the only reason we required the iptables and ebtables packages at build time, and many other external commands already have their binaries found at runtime by looking through $PATH (virCommand automatically does this), so we may as well do it for these commands as well. Since we no longer need iptables or iptables at build time, we can also drop the BuildRequires for them from the rpm specfile. Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575 Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- libvirt.spec.in | 2 -- meson.build | 3 --- src/network/bridge_driver_conf.c | 2 ++ src/util/virfirewall.h | 5 +++++ 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index XXXXXXX..XXXXXXX 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -XXX,XX +XXX,XX @@ BuildRequires: sanlock-devel >= 2.4 BuildRequires: libpcap-devel >= 1.5.0 BuildRequires: libnl3-devel BuildRequires: libselinux-devel -BuildRequires: iptables -BuildRequires: ebtables # For modprobe BuildRequires: kmod BuildRequires: cyrus-sasl-devel diff --git a/meson.build b/meson.build index XXXXXXX..XXXXXXX 100644 --- a/meson.build +++ b/meson.build @@ -XXX,XX +XXX,XX @@ optional_test_programs = [ optional_programs = [ 'dmidecode', - 'ebtables', 'ip', - 'ip6tables', - 'iptables', 'iscsiadm', 'mdevctl', 'mm-ctl', diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -XXX,XX +XXX,XX @@ #include "virerror.h" #include "virfile.h" #include "virutil.h" +#include "virfirewall.h" /* for binary names */ #include "bridge_driver_conf.h" + #define VIR_FROM_THIS VIR_FROM_NETWORK VIR_LOG_INIT("network.bridge_driver"); diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ #include "virbuffer.h" #include "virxml.h" +/* various external programs executed when applying firewalls */ +#define EBTABLES "ebtables" +#define IPTABLES "iptables" +#define IP6TABLES "ip6tables" + typedef struct _virFirewall virFirewall; typedef struct _virFirewallCmd virFirewallCmd; -- 2.45.0
Support using nftables to setup the firewall for each virtual network, rather than iptables. The initial implementation of the nftables backend creates (almost) exactly the same ruleset as the iptables backend, determined by running the following commands on a host that has an active virtual network: iptables-save >iptables.txt iptables-restore-translate -f iptables.txt (and the similar ip6tables-save/ip6tables-restore-translate for an IPv6 network). Correctness of the new backend was checked by comparing the output of: nft list ruleset when the backend is set to iptables and when it is set to nftables. This page was used as a guide: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables The only differences between the rules created by the nftables backed vs. the iptables backend (aside from a few inconsequential changes in display order of some chains/options) are: 1) When we add nftables rules, rather than adding them in the system-created "filter" and "nat" tables, we add them in a private table (ie only we should be using it) created by us called "libvirt" (the system-created "filter" and "nat" tables can't be used because adding any rules to those tables directly with nft will cause failure of any legacy application attempting to use iptables when it tries to list the iptables rules (e.g. "iptables -S"). (NB: in nftables only a single table is required for both nat and filter rules - the chains for each are differentiated by specifying different "hook" locations for the toplevel chain of each) 2) Since the rules that were added to allow tftp/dns/dhcp traffic from the guests to the host are unnecessary in the context of nftables, those rules aren't added. (Longer explanation: In the case of iptables, all rules were in a single table, and it was always assumed that there would be some "catch-all" REJECT rule added by "someone else" in the case that a packet didn't match any specific rules, so libvirt added these specific rules to ensure that, no matter what other rules were added by any other subsystem, the guests would still have functional tftp/dns/dhcp. For nftables though, the rules added by each subsystem are in a separate table, and in order for traffic to be accepted, it must be accepted by *all* tables, so just adding the specific rules to libvirt's table doesn't help anything (as the default for the libvirt table is ACCEPT anyway) and it just isn't practical/possible for libvirt to find *all* other tables and add rules in all of them to make sure the traffic is accepted. libvirt does this for firewalld (it creates a "libvirt" zone that allows tftp/dns/dhcp, and adds all virtual network bridges to that zone), however, so in that case no extra work is required of the sysadmin.) 3) nftables doesn't support the "checksum mangle" rule (or any equivalent functionality) that we have historically added to our iptables rules, so the nftables rules we add have nothing related to checksum mangling. (NB: The result of (3) is that if you a) have a very old guest (RHEL5 era or earlier) and b) that guest is using a virtio-net network device, and c) the virtio-net device is using vhost packet processing (the default) then DHCP on the guest will fail. You can work around this by adding <driver name='qemu'/> to the <interface> XML for the guest). There are certainly much better nftables rulesets that could be used instead of those implemented here, and everything is in place to make future changes to the rules that are used simple and free of surprises (e.g. the rules that are added have coresponding "removal" commands added to the network status so that we will always remove exactly the rules that were previously added rather than trying to remove the rules that "the current build of libvirt would have added" (which will be incorrect the first time we run a libvirt with a newly modified ruleset). For this initial implementation though, I wanted the nftables rules to be as identical to the iptables rules as possible, just to make it easier to verify that everything is working. The backend can be manually chosen using the firewall_backend setting in /etc/libvirt/network.conf. libvirtd/virtnetworkd will read this setting when it starts; if there is no explicit setting, it will check for availability of FIREWALL_BACKEND_DEFAULT_1 and then FIREWALL_BACKEND_DEFAULT_2 (which are set at build time in meson_options.txt or by adding -Dfirewall_backend_default_n=blah to the meson commandline), and use the first backend that is available (ie, that has the necessary programs installed). The standard meson_options.txt is set to check for nftables first, and then iptables. Although it should be very safe to change the default backend from iptables to nftables, that change is left for a later patch, to show how the change in default can be undone if someone really needs to do that. Signed-off-by: Laine Stump <laine@redhat.com> --- meson.build | 5 + meson_options.txt | 1 + po/POTFILES | 1 + src/network/bridge_driver_conf.c | 11 +- src/network/bridge_driver_linux.c | 17 +- src/network/meson.build | 1 + src/network/network.conf.in | 21 +- src/network/network_nftables.c | 940 ++++++++++++++++++++++++++++++ src/network/network_nftables.h | 28 + src/util/virfirewall.c | 167 +++++- src/util/virfirewall.h | 2 + 11 files changed, 1188 insertions(+), 6 deletions(-) create mode 100644 src/network/network_nftables.c create mode 100644 src/network/network_nftables.h diff --git a/meson.build b/meson.build index XXXXXXX..XXXXXXX 100644 --- a/meson.build +++ b/meson.build @@ -XXX,XX +XXX,XX @@ if not get_option('driver_network').disabled() and conf.has('WITH_LIBVIRTD') firewall_backend_default_conf = firewall_backend_default_1 firewall_backend_default_1 = 'VIR_FIREWALL_BACKEND_' + firewall_backend_default_1.to_upper() conf.set('FIREWALL_BACKEND_DEFAULT_1', firewall_backend_default_1) + + firewall_backend_default_2 = get_option('firewall_backend_default_2') + firewall_backend_default_2 = 'VIR_FIREWALL_BACKEND_' + firewall_backend_default_2.to_upper() + conf.set('FIREWALL_BACKEND_DEFAULT_2', firewall_backend_default_2) + elif get_option('driver_network').enabled() error('libvirtd must be enabled to build the network driver') endif diff --git a/meson_options.txt b/meson_options.txt index XXXXXXX..XXXXXXX 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -XXX,XX +XXX,XX @@ option('firewalld', type: 'feature', value: 'auto', description: 'firewalld supp # dep:firewalld option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone') option('firewall_backend_default_1', type: 'string', value: 'iptables', description: 'first firewall backend to try when none is specified') +option('firewall_backend_default_2', type: 'string', value: 'nftables', description: 'second firewall backend to try when none is specified (and first is unavailable)') option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items are separated by a colon.') diff --git a/po/POTFILES b/po/POTFILES index XXXXXXX..XXXXXXX 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -XXX,XX +XXX,XX @@ src/network/bridge_driver_conf.c src/network/bridge_driver_linux.c src/network/leaseshelper.c src/network/network_iptables.c +src/network/network_nftables.c src/node_device/node_device_driver.c src/node_device/node_device_udev.c src/nwfilter/nwfilter_dhcpsnoop.c diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -XXX,XX +XXX,XX @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, g_autofree char *fwBackendStr = NULL; bool fwBackendSelected = false; size_t i; - int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1 }; + int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1, FIREWALL_BACKEND_DEFAULT_2 }; G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST); if (access(filename, R_OK) == 0) { @@ -XXX,XX +XXX,XX @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, fwBackendSelected = true; break; } + + case VIR_FIREWALL_BACKEND_NFTABLES: { + g_autofree char *nftablesInPath = virFindFileInPath(NFT); + + if (nftablesInPath) + fwBackendSelected = true; + break; + } + case VIR_FIREWALL_BACKEND_LAST: virReportEnumRangeError(virFirewallBackend, fwBackends[i]); return -1; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -XXX,XX +XXX,XX @@ #include "virfirewall.h" #include "virfirewalld.h" #include "network_iptables.h" +#include "network_nftables.h" #define VIR_FROM_THIS VIR_FROM_NONE @@ -XXX,XX +XXX,XX @@ networkFirewallSetupPrivateChains(virFirewallBackend backend, case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesSetupPrivateChains(layer); + case VIR_FIREWALL_BACKEND_NFTABLES: + return nftablesSetupPrivateChains(layer); + case VIR_FIREWALL_BACKEND_LAST: virReportEnumRangeError(virFirewallBackend, backend); return -1; @@ -XXX,XX +XXX,XX @@ networkAddFirewallRules(virNetworkDef *def, } } - return iptablesAddFirewallRules(def, fwRemoval); + switch (firewallBackend) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesAddFirewallRules(def, fwRemoval); + + case VIR_FIREWALL_BACKEND_NFTABLES: + return nftablesAddFirewallRules(def, fwRemoval); + + case VIR_FIREWALL_BACKEND_LAST: + virReportEnumRangeError(virFirewallBackend, firewallBackend); + return -1; + } + return 0; } diff --git a/src/network/meson.build b/src/network/meson.build index XXXXXXX..XXXXXXX 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -XXX,XX +XXX,XX @@ network_driver_sources = [ 'bridge_driver_conf.c', 'bridge_driver_platform.c', 'network_iptables.c', + 'network_nftables.c', ] driver_source_files += files(network_driver_sources) diff --git a/src/network/network.conf.in b/src/network/network.conf.in index XXXXXXX..XXXXXXX 100644 --- a/src/network/network.conf.in +++ b/src/network/network.conf.in @@ -XXX,XX +XXX,XX @@ # firewall_backend: # # determines which subsystem to use to setup firewall packet -# filtering rules for virtual networks. Currently the only supported -# selection is "iptables". +# filtering rules for virtual networks. +# +# Supported settings: +# +# iptables - use iptables commands to construct the firewall +# nftables - use nft commands to construct the firewall +# +# If firewall_backend isn't set in this file, libvirt will +# prefer the @FIREWALL_BACKEND@ backend *if the necessary package. +# binary is installed*, otherwise it will look for the package/binary +# needed for the other backend and use that if available. If neither +# is available on the host, then the network driver will fail to +# start, and an error will be logged. +# +# (NB: switching from one backend to another while there are active +# virtual networks *is* supported. The change will take place the +# next time that libvirtd/virtnetworkd is restarted - all existing +# virtual networks will have their old firewalls removed, and then +# reloaded using the new backend.) # #firewall_backend = "@FIREWALL_BACKEND@" diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/network_nftables.c @@ -XXX,XX +XXX,XX @@ +/* + * network_nftables.c: nftables-based firewall implementation for + * virtual networks. + * + * Copyright (C) 2007-2014 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#include <config.h> + +#include <stdarg.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include "internal.h" +#include "virfirewalld.h" +#include "virerror.h" +#include "virlog.h" +#include "virhash.h" +#include "virenum.h" +#include "virstring.h" +#include "network_nftables.h" + +VIR_LOG_INIT("network.nftables"); + +#define VIR_FROM_THIS VIR_FROM_NONE + +#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP" +#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT" +#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI" +#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO" +#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX" +#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" + +/* we must avoid using the standard "filter" table as used by + * iptables, as any subsequent attempts to use iptables commands will + * fail (due to the "filter" table having rules that are unexpected by + * the iptables-compat + */ + +#define VIR_NFTABLES_PRIVATE_TABLE "libvirt" + +/* nftables backend uses the same binary (nft) for all layers, but + * IPv4 and IPv6 have their rules in separate classes of tables, + * either "ip" or "ip6". (there is also an "inet" class of tables that + * would examined for both IPv4 and IPv6 traffic, but since we want + * different rules for each family, we only use the family-specific + * table classes). + */ +VIR_ENUM_DECL(nftablesLayer); +VIR_ENUM_IMPL(nftablesLayer, + VIR_FIREWALL_LAYER_LAST, + "", + "ip", + "ip6", +); + + +typedef struct { + const char *parent; + const char *child; + const char *extraArgs; +} nftablesGlobalChain; + +typedef struct { + virFirewallLayer layer; + nftablesGlobalChain *chains; + size_t nchains; + bool *changed; +} nftablesGlobalChainData; + + +nftablesGlobalChain nftablesChains[] = { + /* chains for filter rules */ + {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }"}, + {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accept; }"}, + {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept; }"}, + {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL}, + {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL}, + {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, + {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL}, + {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL}, + + /* chains for NAT rules */ + {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; policy accept; }"}, + {"POSTROUTING", VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL}, +}; + + +static int +nftablesPrivateChainCreate(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + nftablesGlobalChainData *data = opaque; + g_autoptr(GHashTable) chains = virHashNew(NULL); + g_autoptr(GHashTable) links = virHashNew(NULL); + const char *const *line; + const char *chain = NULL; + size_t i; + bool tableMatch = false; + const char *layerStr = nftablesLayerTypeToString(layer); + g_autofree char *tableStr = g_strdup_printf("table %s %s {", + layerStr, + VIR_NFTABLES_PRIVATE_TABLE); + + line = lines; + while (line && *line) { + const char *pos = *line; + + virSkipSpaces(&pos); + if (STREQ(pos, tableStr)) { + /* "table ip libvirt {" */ + + tableMatch = true; + + } else if (STRPREFIX(pos, "chain ")) { + /* "chain LIBVIRT_OUT {" */ + + chain = pos + 6; + pos = strchr(chain, ' '); + if (pos) { + *(char *)pos = '\0'; + if (virHashUpdateEntry(chains, chain, (void *)0x1) < 0) + return -1; + } + + } else if ((pos = strstr(pos, "jump "))) { + /* "counter packets 20189046 bytes 3473108889 jump LIBVIRT_OUT" */ + + pos += 5; + if (chain) { + if (virHashUpdateEntry(links, pos, (char *)chain) < 0) + return -1; + } + + } + line++; + } + + if (!tableMatch) { + virFirewallAddCmd(fw, layer, "add", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + } + + for (i = 0; i < data->nchains; i++) { + if (!(tableMatch && virHashLookup(chains, data->chains[i].child))) { + virFirewallAddCmd(fw, layer, "add", "chain", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].child, + data->chains[i].extraArgs, NULL); + *data->changed = true; + } + + if (data->chains[i].parent) { + const char *from = virHashLookup(links, data->chains[i].child); + + if (!from || STRNEQ(from, data->chains[i].parent)) { + virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].parent, "counter", + "jump", data->chains[i].child, NULL); + } + } + } + + return 0; +} + + +int +nftablesSetupPrivateChains(virFirewallLayer layer) +{ + bool changed = false; + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_NFTABLES); + const char *layerStr = nftablesLayerTypeToString(layer); + nftablesGlobalChainData data = { layer, nftablesChains, G_N_ELEMENTS(nftablesChains), &changed }; + + virFirewallStartTransaction(fw, 0); + + /* the output of "nft list table ip[6] libvirt" will be parsed by + * the callback nftablesPrivateChainCreate which will add any + * needed commands to add missing chains (or possibly even add the + * "ip[6] libvirt" table itself + */ + virFirewallAddCmdFull(fw, layer, false, + nftablesPrivateChainCreate, &data, + "list", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + + if (virFirewallApply(fw) < 0) + return -1; + + return changed ? 1 : 0; +} + + +static void +nftablesAddInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int tcp) +{ + g_autofree char *portstr = g_strdup_printf("%d", port); + const char *layerStr = nftablesLayerTypeToString(layer); + + virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_INPUT_CHAIN, + "iifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + + +static void +nftablesAddOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int tcp) +{ + g_autofree char *portstr = g_strdup_printf("%d", port); + const char *layerStr = nftablesLayerTypeToString(layer); + + virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_OUTPUT_CHAIN, + "oifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + + +/** + * nftablesAddTcpInput: + * + * Add a rule to @fw that will allow incoming TCP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddInput(fw, layer, iface, port, 1); +} + + +/** + * nftablesAddUdpInput: + * + * Add a rule to @fw that will allow incoming UDP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddInput(fw, layer, iface, port, 0); +} + + +/** + * nftablesAddTcpOutput: + * + * Add a rule to @fw that will allow outbound TCP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddOutput(fw, layer, iface, port, 1); +} + + +/** + * nftablesAddUdpOutput: + * + * Add a rule to @fw that will allow outbound UDP sessions to port + * @port on @iface with protocol @layer. + */ +static void +nftablesAddUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + nftablesAddOutput(fw, layer, iface, port, 0); +} + + +/** + * nftablesAddForwardAllowOut: + * + * Add a rule to @fw that allows all outbound traffic coming from + * @iface (the virtual network's bridge) to be forwarded out @physdev, + * as long as its source address is in @netaddr/@prefix. + */ +static int +nftablesAddForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + g_autofree char *networkstr = NULL; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = nftablesLayerTypeToString(layer); + virFirewallCmd *fwCmd; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_OUT_CHAIN, + layerStr, "saddr", networkstr, + "iifname", iface, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL); + + return 0; +} + +/** + * nftablesAddForwardAllowRelatedIn: + * + * Add a rule to @fw that allows all traffic coming in from @physdev + * and destined to @iface (the virtual network's bridge) that has a + * destination within @netaddr/@prefix and is associated with an + * existing connection. + */ +static int +nftablesAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = nftablesLayerTypeToString(layer); + g_autofree char *networkstr = NULL; + virFirewallCmd *fwCmd; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_IN_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + layerStr, "daddr", networkstr, + "ct", "state", "related,established", + "counter", "accept", NULL); + return 0; +} + + +/** + * nftablesAddForwardAllowIn: + * + * Add a rule to @fw that allows all traffic coming in from @physdev + * and destined to @iface (the virtual network's bridge) that has a + * destination within @netaddr/@prefix. + */ +static int +nftablesAddForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = nftablesLayerTypeToString(layer); + g_autofree char *networkstr = NULL; + virFirewallCmd *fwCmd; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_IN_CHAIN, + layerStr, "daddr", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + "counter", "accept", NULL); + return 0; +} + + +/** + * nftablesAddForwardAllowCross: + * + * Add a rule to @fw to allow traffic to go across @iface (the virtual + * network's bridge) from one port to another. This allows all traffic + * between guests on the same virtual network. + */ +static void +nftablesAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLayerTypeToString(layer), + VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_X_CHAIN, + "iifname", iface, + "oifname", iface, + "counter", "accept", + NULL); +} + + +/** + * nftablesAddForwardRejectOut: + * + * Add a rule to @fw to forbid all outbound traffic through @iface + * (the virtual network's bridge). This is used as a catchall rule to + * reject traffic that hasn't already been explicitly allowed by + * another rule. + */ +static void +nftablesAddForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLayerTypeToString(layer), + VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_OUT_CHAIN, + "iifname", iface, + "counter", "reject", + NULL); +} + + +/** + * nftablesAddForwardRejectIn: + * + * Add a rule to @fw to forbid all inbound traffic through @iface (the + * virtual network's bridge). This is used as a catchall rule to + * reject traffic that hasn't already been explicitly allowed by + * another rule. + */ +static void +nftablesAddForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLayerTypeToString(layer), + VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_IN_CHAIN, + "oifname", iface, + "counter", "reject", + NULL); +} + + +/** + * nftablesAddForwardMasquerade: + * + * Add a rule to @fw that will masquerade outbound traffic from + * @netaddr/@prefix @iface to have the source IP/port from one of the + * range of @addr:@port (or something appropriate for the interface + * used for egress, if no address/port range is given) + */ +static int +nftablesAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + g_autofree char *networkstr = NULL; + g_autofree char *addrStartStr = NULL; + g_autofree char *addrEndStr = NULL; + g_autofree char *portRangeStr = NULL; + g_autofree char *natRangeStr = NULL; + virFirewallCmd *fwCmd; + int af = VIR_SOCKET_ADDR_FAMILY(netaddr); + virFirewallLayer layer = af == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = nftablesLayerTypeToString(layer); + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { + if (!(addrStartStr = virSocketAddrFormat(&addr->start))) + return -1; + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { + if (!(addrEndStr = virSocketAddrFormat(&addr->end))) + return -1; + } + } + + fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); + + if (protocol && protocol[0]) + virFirewallCmdAddArgList(fw, fwCmd, "meta", "l4proto", protocol, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, + layerStr, "saddr", networkstr, + layerStr, "daddr", "!=", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + + if (protocol && protocol[0]) { + if (port->start == 0 && port->end == 0) { + port->start = 1024; + port->end = 65535; + } + + if (port->start < port->end && port->end < 65536) { + portRangeStr = g_strdup_printf(":%u-%u", port->start, port->end); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid port range '%1$u-%2$u'."), + port->start, port->end); + return -1; + } + } + + /* Use snat if public address is specified */ + if (addrStartStr && addrStartStr[0]) { + if (addrEndStr && addrEndStr[0]) { + natRangeStr = g_strdup_printf("%s-%s%s", addrStartStr, addrEndStr, + portRangeStr ? portRangeStr : ""); + } else { + natRangeStr = g_strdup_printf("%s%s", addrStartStr, + portRangeStr ? portRangeStr : ""); + } + + virFirewallCmdAddArgList(fw, fwCmd, "counter", "snat", "to", natRangeStr, NULL); + } else { + virFirewallCmdAddArgList(fw, fwCmd, "counter", "masquerade", NULL); + + if (portRangeStr && portRangeStr[0]) + virFirewallCmdAddArgList(fw, fwCmd, "to", portRangeStr, NULL); + } + + return 0; +} + + +/** + * nftablesAddDontMasquerade: + * + * Add a rule to @fw that prevents masquerading traffic coming from + * the network associated with the bridge if said traffic targets + * @destaddr. + */ +static int +nftablesAddDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + g_autofree char *networkstr = NULL; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr = nftablesLayerTypeToString(layer); + virFirewallCmd *fwCmd; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + + virFirewallCmdAddArgList(fw, fwCmd, + layerStr, "saddr", networkstr, + layerStr, "daddr", destaddr, + "counter", "return", NULL); + return 0; +} + + +static const char networkLocalMulticastIPv4[] = "224.0.0.0/24"; +static const char networkLocalMulticastIPv6[] = "ff02::/16"; +static const char networkLocalBroadcast[] = "255.255.255.255/32"; + + +static int +nftablesAddMasqueradingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix = virNetworkIPDefPrefix(ipdef); + const char *forwardIf = virNetworkDefForwardIf(def, 0); + bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow forwarding packets from the bridge interface */ + if (nftablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow forwarding packets to the bridge interface if they are + * part of an existing connection + */ + if (nftablesAddForwardAllowRelatedIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* + * Enable masquerading. + * + * We need to end up with 5 rules in the table in this order + * + * 1. do not masquerade packets targeting 224.0.0.0/24 + * 2. do not masquerade packets targeting 255.255.255.255/32 + * 3. masquerade protocol=tcp with sport mapping restriction + * 4. masquerade protocol=udp with sport mapping restriction + * 5. generic, masquerade any protocol + * + * 224.0.0.0/24 is the local network multicast range. Packets are not + * forwarded outside. + * + * 255.255.255.255/32 is the broadcast address of any local network. Again, + * such packets are never forwarded, but strict DHCP clients don't accept + * DHCP replies with changed source ports. + * + * The sport mappings are required, because default Nftables + * MASQUERADE maintain port numbers unchanged where possible. + * + * NFS can be configured to only "trust" port numbers < 1023. + * + * Guests using NAT thus need to be prevented from having port + * numbers < 1023, otherwise they can bypass the NFS "security" + * check on the source port number. + * + * Since we use '--insert' to add rules to the header of the + * chain, we actually need to add them in the reverse of the + * order just mentioned ! + */ + + /* First the generic masquerade rule for other protocols */ + if (nftablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + NULL) < 0) + return -1; + + /* UDP with a source port restriction */ + if (nftablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "udp") < 0) + return -1; + + /* TCP with a source port restriction */ + if (nftablesAddForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &def->forward.addr, + &def->forward.port, + "tcp") < 0) + return -1; + + /* exempt local network broadcast address as destination */ + if (isIPv4 && + nftablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalBroadcast) < 0) + return -1; + + /* exempt local multicast range as destination */ + if (nftablesAddDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + isIPv4 ? networkLocalMulticastIPv4 : + networkLocalMulticastIPv6) < 0) + return -1; + + return 0; +} + + +static int +nftablesAddRoutingFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + int prefix = virNetworkIPDefPrefix(ipdef); + const char *forwardIf = virNetworkDefForwardIf(def, 0); + + if (prefix < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid prefix or netmask for '%1$s'"), + def->bridge); + return -1; + } + + /* allow routing packets from the bridge interface */ + if (nftablesAddForwardAllowOut(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + /* allow routing packets to the bridge interface */ + if (nftablesAddForwardAllowIn(fw, + &ipdef->address, + prefix, + def->bridge, + forwardIf) < 0) + return -1; + + return 0; +} + + +static void +nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + size_t i; + virNetworkIPDef *ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i = 0; + (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot) + break; + } + + /* allow DHCP requests through to dnsmasq & back out */ + nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + + /* allow DNS requests through to dnsmasq & back out */ + nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + + /* allow TFTP requests through to dnsmasq if necessary & back out */ + if (ipv4def && ipv4def->tftproot) { + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + } + + /* Catch all rules to block forwarding to/from bridges */ + nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + nftablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + + /* Allow traffic between guests on the same bridge */ + nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); +} + + +/* Add all once/network rules required for IPv6. + * If no IPv6 addresses are defined and <network ipv6='yes'> is + * specified, then allow IPv6 communications between virtual systems. + * If any IPv6 addresses are defined, then add the rules for regular operation. + */ +static void +nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) && + !def->ipv6nogw) { + return; + } + + /* Catch all rules to block forwarding to/from bridges */ + nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + nftablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + /* Allow traffic between guests on the same bridge */ + nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { + /* allow DNS over IPv6 & back out */ + nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + /* allow DHCPv6 & back out */ + nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); + } +} + + +static void +nftablesAddGeneralFirewallRules(virFirewall *fw, + virNetworkDef *def) +{ + nftablesAddGeneralIPv4FirewallRules(fw, def); + nftablesAddGeneralIPv6FirewallRules(fw, def); +} + + +static int +nftablesAddIPSpecificFirewallRules(virFirewall *fw, + virNetworkDef *def, + virNetworkIPDef *ipdef) +{ + /* NB: in the case of IPv6, routing rules are added when the + * forward mode is NAT. This is because IPv6 has no NAT. + */ + + if (def->forward.type == VIR_NETWORK_FORWARD_NAT) { + if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) || + def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES) + return nftablesAddMasqueradingFirewallRules(fw, def, ipdef); + else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) + return nftablesAddRoutingFirewallRules(fw, def, ipdef); + } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { + return nftablesAddRoutingFirewallRules(fw, def, ipdef); + } + return 0; +} + + +/* nftablesAddFirewallrules: + * + * @def - the network that needs an nftables firewall added + * @fwRemoval - if this is not NULL, it points to a pointer + * that should be filled in with a virFirewall object containing + * all the commands needed to remove this firewall at a later time. + * + * Add all rules for all ip addresses (and general rules) on a + * network, and optionally return a virFirewall object containing all + * the rules needed to later remove the firewall that has been added. + */ +int +nftablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval) +{ + size_t i; + virNetworkIPDef *ipdef; + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_NFTABLES); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); + + nftablesAddGeneralFirewallRules(fw, def); + + for (i = 0; + (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (nftablesAddIPSpecificFirewallRules(fw, def, ipdef) < 0) + return -1; + } + + if (virFirewallApply(fw) < 0) + return -1; + + if (fwRemoval) { + /* caller wants us to create a virFirewall object that can be + * applied to undo everything that was just done by * virFirewallApply() + */ + + if (virFirewallNewFromRollback(fw, fwRemoval) < 0) + return -1; + } + + return 0; +} diff --git a/src/network/network_nftables.h b/src/network/network_nftables.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/src/network/network_nftables.h @@ -XXX,XX +XXX,XX @@ +/* + * network_nftables.h: helper APIs for managing nftables in network driver + * + * Copyright (C) 2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "virfirewall.h" +#include "network_conf.h" + +int nftablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval); + +int nftablesSetupPrivateChains(virFirewallLayer layer); diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("util.firewall"); VIR_ENUM_IMPL(virFirewallBackend, VIR_FIREWALL_BACKEND_LAST, - "iptables"); + "iptables", + "nftables"); VIR_ENUM_DECL(virFirewallLayer); VIR_ENUM_IMPL(virFirewallLayer, @@ -XXX,XX +XXX,XX @@ virFirewallCmdIptablesApply(virFirewall *firewall, } +#define VIR_NFTABLES_ARG_IS_CREATE(arg) \ + (STREQ(arg, "insert") || STREQ(arg, "add") || STREQ(arg, "create")) + +static int +virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED, + virFirewallCmd *fwCmd, + char **output) +{ + bool needRollback = false; + size_t cmdIdx = 0; + const char *objectType = NULL; + g_autoptr(virCommand) cmd = NULL; + g_autofree char *cmdStr = NULL; + g_autofree char *error = NULL; + size_t i; + int status; + + cmd = virCommandNew(NFT); + + if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) && + fwCmd->argsLen > 1) { + /* skip any leading options to get to command verb */ + for (i = 0; i < fwCmd->argsLen - 1; i++) { + if (fwCmd->args[i][0] != '-') + break; + } + + if (i + 1 < fwCmd->argsLen && + VIR_NFTABLES_ARG_IS_CREATE(fwCmd->args[i])) { + + cmdIdx = i; + objectType = fwCmd->args[i + 1]; + + /* we currently only handle auto-rollback for rules, + * chains, and tables, and those all can be "rolled + * back" by a delete command using the handle that is + * returned when "-ae" is added to the add/insert + * command. + */ + if (STREQ_NULLABLE(objectType, "rule") || + STREQ_NULLABLE(objectType, "chain") || + STREQ_NULLABLE(objectType, "table")) { + + needRollback = true; + /* this option to nft instructs it to add the + * "handle" of the created object to stdout + */ + virCommandAddArg(cmd, "-ae"); + } + } + } + + for (i = 0; i < fwCmd->argsLen; i++) + virCommandAddArg(cmd, fwCmd->args[i]); + + cmdStr = virCommandToString(cmd, false); + VIR_INFO("Applying '%s'", NULLSTR(cmdStr)); + + virCommandSetOutputBuffer(cmd, output); + virCommandSetErrorBuffer(cmd, &error); + + if (virCommandRun(cmd, &status) < 0) + return -1; + + if (status != 0) { + if (STREQ_NULLABLE(fwCmd->args[0], "list")) { + /* nft returns error status when the target of a "list" + * command doesn't exist, but we always want to just have + * an empty result, so this is not actually an error. + */ + } else if (fwCmd->ignoreErrors) { + VIR_DEBUG("Ignoring error running command"); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to apply firewall command '%1$s': %2$s"), + NULLSTR(cmdStr), NULLSTR(error)); + VIR_FREE(*output); + return -1; + } + + /* there was an error, so we won't be building any rollback command, + * but the error should be ignored, so we return success + */ + return 0; + } + + if (needRollback) { + virFirewallCmd *rollback = virFirewallAddRollbackCmd(firewall, fwCmd->layer, NULL); + const char *handleStart = NULL; + size_t handleLen = 0; + g_autofree char *handleStr = NULL; + g_autofree char *rollbackStr = NULL; + + /* Search for "# handle n" in stdout of the nft add command - + * that is the handle of the table/rule/chain that will later + * need to be deleted. + */ + + if ((handleStart = strstr(*output, "# handle "))) { + handleStart += 9; /* move past "# handle " */ + handleLen = strspn(handleStart, "0123456789"); + } + + if (!handleLen) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("couldn't register rollback command - command '%1$s' had no valid handle in output ('%2$s')"), + NULLSTR(cmdStr), NULLSTR(*output)); + return -1; + } + + handleStr = g_strdup_printf("%.*s", (int)handleLen, handleStart); + + /* The rollback command is created from the original command like this: + * + * 1) skip any leading options + * 2) replace add/insert with delete + * 3) keep the type of item being added (rule/chain/table) + * 4) keep the class (ip/ip6/inet) + * 5) for chain/rule, keep the table name + * 6) for rule, keep the chain name + * 7) add "handle n" where "n" is parsed from the + * stdout of the original nft command + */ + virFirewallCmdAddArgList(firewall, rollback, "delete", objectType, + fwCmd->args[cmdIdx + 2], /* ip/ip6/inet */ + NULL); + + if (STREQ_NULLABLE(objectType, "rule") || + STREQ_NULLABLE(objectType, "chain")) { + /* include table name in command */ + virFirewallCmdAddArg(firewall, rollback, fwCmd->args[cmdIdx + 3]); + } + + if (STREQ_NULLABLE(objectType, "rule")) { + /* include chain name in command */ + virFirewallCmdAddArg(firewall, rollback, fwCmd->args[cmdIdx + 4]); + } + + virFirewallCmdAddArgList(firewall, rollback, "handle", handleStr, NULL); + + rollbackStr = virFirewallCmdToString(NFT, rollback); + VIR_DEBUG("Recording Rollback command '%s'", NULLSTR(rollbackStr)); + } + return 0; +} + + static int virFirewallApplyCmd(virFirewall *firewall, virFirewallCmd *fwCmd) @@ -XXX,XX +XXX,XX @@ virFirewallApplyCmd(virFirewall *firewall, return -1; } - if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) + switch (virFirewallGetBackend(firewall)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0) + return -1; + break; + + case VIR_FIREWALL_BACKEND_NFTABLES: + if (virFirewallCmdNftablesApply(firewall, fwCmd, &output) < 0) + return -1; + break; + + case VIR_FIREWALL_BACKEND_LAST: + default: + virReportEnumRangeError(virFirewallBackend, + virFirewallGetBackend(firewall)); return -1; + } if (fwCmd->queryCB && output) { if (!(lines = g_strsplit(output, "\n", -1))) diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index XXXXXXX..XXXXXXX 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -XXX,XX +XXX,XX @@ #define EBTABLES "ebtables" #define IPTABLES "iptables" #define IP6TABLES "ip6tables" +#define NFT "nft" typedef struct _virFirewall virFirewall; @@ -XXX,XX +XXX,XX @@ typedef enum { typedef enum { VIR_FIREWALL_BACKEND_IPTABLES, + VIR_FIREWALL_BACKEND_NFTABLES, VIR_FIREWALL_BACKEND_LAST, } virFirewallBackend; -- 2.45.0
Run all the networkxml2firewall tests twice - once with iptables backend, and once with the nftables backend. The results files for the existing iptables tests were previously named *.args. That has been changed to *.iptables, and the results files for the new nftables tests are named *.nftables. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++++++++++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 248 +++++++++ ...pv6-linux.args => nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 384 ++++++++++++++ ...rgs => nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++ ...linux.args => nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 472 ++++++++++++++++++ ...-linux.args => nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 384 ++++++++++++++ ...ftp-linux.args => nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 274 ++++++++++ ...inux.args => route-default-linux.iptables} | 0 .../route-default-linux.nftables | 162 ++++++ tests/networkxml2firewalltest.c | 56 ++- 17 files changed, 2678 insertions(+), 14 deletions(-) rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2firewalldata/base.iptables similarity index 100% rename from tests/networkxml2firewalldata/base.args rename to tests/networkxml2firewalldata/base.iptables diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/base.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +list \ +table \ +ip \ +libvirt +nft \ +add \ +table \ +ip \ +libvirt +nft \ +add \ +chain \ +ip \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT +nft \ +list \ +table \ +ip6 \ +libvirt +nft \ +add \ +table \ +ip6 \ +libvirt +nft \ +add \ +chain \ +ip6 \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip6 \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-default-linux.args rename to tests/networkxml2firewalldata/nat-default-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-many-ips-linux.args rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.128.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.150.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.150.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.150.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-tftp-linux.args rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/route-default-linux.args rename to tests/networkxml2firewalldata/route-default-linux.iptables diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -XXX,XX +XXX,XX @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +ip \ +daddr \ +192.168.122.0/24 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -XXX,XX +XXX,XX @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, void *opaque G_GNUC_UNUSED) { *status = 0; - *output = g_strdup(""); + /* if arg[1] is -ae then this is an nft command, + * and the caller requested to get the handle + * of the newly added object in stdout + */ + if (STREQ_NULLABLE(args[1], "-ae")) + *output = g_strdup("# handle 5309"); + else + *output = g_strdup(""); *error = g_strdup(""); } static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline, - const char *baseargs) + const char *baseargs, + virFirewallBackend backend) { g_autofree char *actualargv = NULL; g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER; @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) return -1; - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0) + if (networkAddFirewallRules(def, backend, NULL) < 0) return -1; actual = actualargv = virBufferContentAndReset(&buf); @@ -XXX,XX +XXX,XX @@ static int testCompareXMLToArgvFiles(const char *xml, struct testInfo { const char *name; const char *baseargs; + virFirewallBackend backend; }; @@ -XXX,XX +XXX,XX @@ testCompareXMLToIPTablesHelper(const void *data) xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml", abs_srcdir, info->name); - args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args", - abs_srcdir, info->name, RULESTYPE); + args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s", + abs_srcdir, info->name, RULESTYPE, + virFirewallBackendTypeToString(info->backend)); - result = testCompareXMLToArgvFiles(xml, args, info->baseargs); + result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend); return result; } @@ -XXX,XX +XXX,XX @@ static int mymain(void) { int ret = 0; - g_autofree char *basefile = NULL; - g_autofree char *baseargs = NULL; + g_autofree char *basefileIptables = NULL; + g_autofree char *basefileNftables = NULL; + g_autofree char *baseargsIptables = NULL; + g_autofree char *baseargsNftables = NULL; + const char *baseargs[VIR_FIREWALL_BACKEND_LAST]; -# define DO_TEST(name) \ +# define DO_TEST_FOR_BACKEND(name, backend) \ do { \ struct testInfo info = { \ - name, baseargs, \ + name, baseargs[backend], backend \ }; \ - if (virTestRun("Network XML-2-iptables " name, \ - testCompareXMLToIPTablesHelper, &info) < 0) \ + g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \ + virFirewallBackendTypeToString(backend), \ + name); \ + if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \ ret = -1; \ } while (0) - basefile = g_strdup_printf("%s/networkxml2firewalldata/base.args", abs_srcdir); +# define DO_TEST(name) \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); - if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0) + + basefileIptables = g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir); + if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0) return EXIT_FAILURE; + baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables; + + basefileNftables = g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir); + if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0) + return EXIT_FAILURE; + + baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables; + + DO_TEST("nat-default"); DO_TEST("nat-tftp"); DO_TEST("nat-many-ips"); -- 2.45.0
The patch that added the nftables backend for virtual networks left iptables as the default backend when both nftables and iptables are installed. The only functional difference between the two backends is that the nftables backend doesn't add any rules to fix up the checksum of DHCP packets, which will cause failures on guests with very old OSes (e.g. RHEL5) that have a virtio-net network interface using vhost packet processing (the default), connected to a libvirt virtual network, and configured to acquire the interface IP using DHCP. Since RHEL5 has been out of support for several years already, we might as well start off nftables support right by making it the default. Distros that aren't quite ready to default to nftables (e.g. maybe they're rebasing libvirt within a release and don't want to surprise anyone with an automatic switch from iptables to nftables) can simply run meson with "-Dfirewall_backend=iptables" during their official package build. In the extremely unlikely case that this causes a problem for a user, they can work around the failure by adding "<driver name='qemu'/> to the guest <interface> element. Signed-off-by: Laine Stump <laine@redhat.com> --- meson_options.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meson_options.txt b/meson_options.txt index XXXXXXX..XXXXXXX 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -XXX,XX +XXX,XX @@ option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace for st option('firewalld', type: 'feature', value: 'auto', description: 'firewalld support') # dep:firewalld option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone') -option('firewall_backend_default_1', type: 'string', value: 'iptables', description: 'first firewall backend to try when none is specified') -option('firewall_backend_default_2', type: 'string', value: 'nftables', description: 'second firewall backend to try when none is specified (and first is unavailable)') +option('firewall_backend_default_1', type: 'string', value: 'nftables', description: 'first firewall backend to try when none is specified') +option('firewall_backend_default_2', type: 'string', value: 'iptables', description: 'second firewall backend to try when none is specified (and first is unavailable)') option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items are separated by a colon.') -- 2.45.0
It will still be possible to install iptables and use the iptables backend, but we'll be showing a greater preference for nftables, which is the proper thing to be doing. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- libvirt.spec.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libvirt.spec.in b/libvirt.spec.in index XXXXXXX..XXXXXXX 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -XXX,XX +XXX,XX @@ Summary: Network driver plugin for the libvirtd daemon Requires: libvirt-daemon-common = %{version}-%{release} Requires: libvirt-libs = %{version}-%{release} Requires: dnsmasq >= 2.41 + %if 0%{?rhel} >= 10 || 0%{?fedora} >= 41 +Requires: nftables + %else Requires: iptables + %endif %description daemon-driver-network The network driver plugin for the libvirtd daemon, providing -- 2.45.0
This way when we implement nftables for the nwfilter driver, we can create a separate table called "libvirt_nwfilter" and everything will look all symmetrical and stuff. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_nftables.c | 2 +- .../nat-default-linux.nftables | 36 +++++----- .../nat-ipv6-linux.nftables | 58 ++++++++-------- .../nat-ipv6-masquerade-linux.nftables | 66 +++++++++---------- .../nat-many-ips-linux.nftables | 64 +++++++++--------- .../nat-no-dhcp-linux.nftables | 58 ++++++++-------- .../nat-tftp-linux.nftables | 40 +++++------ .../route-default-linux.nftables | 26 ++++---- 8 files changed, 175 insertions(+), 175 deletions(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.nftables"); * the iptables-compat */ -#define VIR_NFTABLES_PRIVATE_TABLE "libvirt" +#define VIR_NFTABLES_PRIVATE_TABLE "libvirt_network" /* nftables backend uses the same binary (nft) for all layers, but * IPv4 and IPv6 have their rules in separate classes of tables, diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip6 \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ ip6 \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip6 \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip6 \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip6 \ saddr \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip6 \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip6 \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ ip6 \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ meta \ l4proto \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_PRT \ ip \ saddr \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_INP \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_OUT \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ oifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWX \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWO \ ip \ saddr \ @@ -XXX,XX +XXX,XX @@ nft \ -ae insert \ rule \ ip \ -libvirt \ +libvirt_network \ LIBVIRT_FWI \ ip \ daddr \ -- 2.45.0
Because the chains added by the network driver nftables backend will go into a table used only by libvirt, we don't need to have "libvirt" in the chain names. Instead, we can make them more descriptive and less abrasive (by using lower case, and using full words rather than abbreviations). Also (again because nobody else is using the private "libvirt_network" table) we can directly put our rules into the input ("guest_to_host"), output ("host_to_guest"), and postrouting ("guest_nat") chains rather than creating a subordinate chain as done in the iptables backend. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_nftables.c | 30 ++++----- .../nat-default-linux.nftables | 36 +++++----- .../nat-ipv6-linux.nftables | 58 ++++++++-------- .../nat-ipv6-masquerade-linux.nftables | 66 +++++++++---------- .../nat-many-ips-linux.nftables | 64 +++++++++--------- .../nat-no-dhcp-linux.nftables | 58 ++++++++-------- .../nat-tftp-linux.nftables | 40 +++++------ .../route-default-linux.nftables | 26 ++++---- 8 files changed, 188 insertions(+), 190 deletions(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.nftables"); #define VIR_FROM_THIS VIR_FROM_NONE -#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP" -#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT" -#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI" -#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO" -#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX" -#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" +#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" +#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#define VIR_NFTABLES_FORWARD_CHAIN "forward" +#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input" +#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output" +#define VIR_NFTABLES_FWD_X_CHAIN "guest_cross" +#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat" /* we must avoid using the standard "filter" table as used by * iptables, as any subsequent attempts to use iptables commands will @@ -XXX,XX +XXX,XX @@ typedef struct { nftablesGlobalChain nftablesChains[] = { /* chains for filter rules */ - {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }"}, - {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accept; }"}, - {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept; }"}, - {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL}, - {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL}, - {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, - {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL}, - {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL}, + {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy accept; }"}, + {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"}, + {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy accept; }"}, + {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, + {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL}, + {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL}, /* chains for NAT rules */ - {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; policy accept; }"}, - {"POSTROUTING", VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL}, + {NULL, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, "{ type nat hook postrouting priority 100; policy accept; }"}, }; diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip6 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.128.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.128.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.128.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.128.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.150.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.150.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.150.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.150.0/24 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ ip \ daddr \ 192.168.122.0/24 \ -- 2.45.0
The iptables backend (which was used as the model for the nftables backend) used the same "filter" and "nat" tables used by other services on the system (e.g. firewalld or any other host firewall management application), so it was possible that one of those other services would be blocking DNS, DHCP, or TFTP from guests to the host; we added our own rules at the beginning of the chain to allow this traffic no matter if someone else rejected it later. But with nftables, each service uses their own table, and all traffic must be acepted by all tables no matter what - it's not possible for us to just insert a higher priority/earlier rule that will override some reject rule put in by, e.g., firewalld. Instead the firewalld (or other) table must be setup by that service to allow the traffic. That, along with the fact that our table is already "accept by default", makes it possible to eliminate the individual accept rules for DHCP, DNS, and TFTP. And once those rules are eliminated, there is no longer any need for the guest_to_host or host_to_guest tables. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_nftables.c | 36 +++- .../nat-default-linux.nftables | 104 ---------- .../nat-ipv6-linux.nftables | 182 ------------------ .../nat-ipv6-masquerade-linux.nftables | 182 ------------------ .../nat-many-ips-linux.nftables | 104 ---------- .../nat-no-dhcp-linux.nftables | 182 ------------------ .../nat-tftp-linux.nftables | 130 ------------- .../route-default-linux.nftables | 104 ---------- 8 files changed, 33 insertions(+), 991 deletions(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -XXX,XX +XXX,XX @@ VIR_LOG_INIT("network.nftables"); #define VIR_FROM_THIS VIR_FROM_NONE -#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" -#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* The input and output tables aren't currently used */ +# define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" +# define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#endif + #define VIR_NFTABLES_FORWARD_CHAIN "forward" #define VIR_NFTABLES_FWD_IN_CHAIN "guest_input" #define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output" @@ -XXX,XX +XXX,XX @@ typedef struct { nftablesGlobalChain nftablesChains[] = { /* chains for filter rules */ + +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* nothing is being added to these chains now, so they are effective NOPs */ {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy accept; }"}, - {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"}, {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy accept; }"}, +#endif + + {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL}, @@ -XXX,XX +XXX,XX @@ nftablesSetupPrivateChains(virFirewallLayer layer) } +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* currently these functions aren't used, but they remain in the + * source (uncompiled) as examples of adding specific rules to permit + * input/output of packets. in case the need arises in the future + */ static void nftablesAddInput(virFirewall *fw, virFirewallLayer layer, @@ -XXX,XX +XXX,XX @@ nftablesAddUdpOutput(virFirewall *fw, } +#endif + + /** * nftablesAddForwardAllowOut: * @@ -XXX,XX +XXX,XX @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, break; } +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* These rules copied from the iptables backend, have been removed + * from the nftab because they are redundant since we are using our own + * table that is default accept; there are no other users that + * could add a reject rule that we would need to / be able to + * override with these rules + */ + /* allow DHCP requests through to dnsmasq & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); @@ -XXX,XX +XXX,XX @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); } +#endif /* Catch all rules to block forwarding to/from bridges */ nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); @@ -XXX,XX +XXX,XX @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, /* Allow traffic between guests on the same bridge */ nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* see the note above in nftablesAddGeneralIPv4FirewallRules */ + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { /* allow DNS over IPv6 & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); @@ -XXX,XX +XXX,XX @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); } +#endif } diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ @@ -XXX,XX +XXX,XX @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -XXX,XX +XXX,XX @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ -- 2.45.0
iifname/oifname need to lookup the string that contains the name of the interface each time a packet is checked, while iif/oif compare the ifindex of the interface, which is included directly in the packet. Conveniently, the rule is created using the *name* of the interface (which gets converted to ifindex as the rule is added), so no extra work is required other than changing the commandline option. If it was the case that the interface could be deleted and re-added during the life of the rule, we would have to use Xifname (since deleting and re-adding the interface would result in ifindex changing), but for our uses this never happens, so Xif works for us, and undoubtedly improves performance by at least 0.0000001%. Signed-off-by: Laine Stump <laine@redhat.com> --- src/network/network_nftables.c | 28 +++++++++---------- .../nat-default-linux.nftables | 12 ++++---- .../nat-ipv6-linux.nftables | 24 ++++++++-------- .../nat-ipv6-masquerade-linux.nftables | 24 ++++++++-------- .../nat-many-ips-linux.nftables | 20 ++++++------- .../nat-no-dhcp-linux.nftables | 24 ++++++++-------- .../nat-tftp-linux.nftables | 12 ++++---- .../route-default-linux.nftables | 12 ++++---- 8 files changed, 78 insertions(+), 78 deletions(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index XXXXXXX..XXXXXXX 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -XXX,XX +XXX,XX @@ nftablesAddInput(virFirewall *fw, virFirewallAddCmd(fw, layer, "insert", "rule", layerStr, VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_INPUT_CHAIN, - "iifname", iface, + "iif", iface, tcp ? "tcp" : "udp", "dport", portstr, "counter", "accept", @@ -XXX,XX +XXX,XX @@ nftablesAddOutput(virFirewall *fw, virFirewallAddCmd(fw, layer, "insert", "rule", layerStr, VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_OUTPUT_CHAIN, - "oifname", iface, + "oif", iface, tcp ? "tcp" : "udp", "dport", portstr, "counter", "accept", @@ -XXX,XX +XXX,XX @@ nftablesAddForwardAllowOut(virFirewall *fw, layerStr, VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_OUT_CHAIN, layerStr, "saddr", networkstr, - "iifname", iface, NULL); + "iif", iface, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL); @@ -XXX,XX +XXX,XX @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw, VIR_NFTABLES_FWD_IN_CHAIN, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); - virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, layerStr, "daddr", networkstr, "ct", "state", "related,established", "counter", "accept", NULL); @@ -XXX,XX +XXX,XX @@ nftablesAddForwardAllowIn(virFirewall *fw, layerStr, "daddr", networkstr, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); - virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, "counter", "accept", NULL); return 0; } @@ -XXX,XX +XXX,XX @@ nftablesAddForwardAllowCross(virFirewall *fw, nftablesLayerTypeToString(layer), VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_X_CHAIN, - "iifname", iface, - "oifname", iface, + "iif", iface, + "oif", iface, "counter", "accept", NULL); } @@ -XXX,XX +XXX,XX @@ nftablesAddForwardRejectOut(virFirewall *fw, nftablesLayerTypeToString(layer), VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_OUT_CHAIN, - "iifname", iface, + "iif", iface, "counter", "reject", NULL); } @@ -XXX,XX +XXX,XX @@ nftablesAddForwardRejectIn(virFirewall *fw, nftablesLayerTypeToString(layer), VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_IN_CHAIN, - "oifname", iface, + "oif", iface, "counter", "reject", NULL); } @@ -XXX,XX +XXX,XX @@ nftablesAddForwardMasquerade(virFirewall *fw, layerStr, "daddr", "!=", networkstr, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); if (protocol && protocol[0]) { if (port->start == 0 && port->end == 0) { @@ -XXX,XX +XXX,XX @@ nftablesAddDontMasquerade(virFirewall *fw, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); virFirewallCmdAddArgList(fw, fwCmd, layerStr, "saddr", networkstr, diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -XXX,XX +XXX,XX @@ guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ -oifname \ +oif \ virbr0 \ counter \ accept diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -XXX,XX +XXX,XX @@ guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip6 \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.128.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.150.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip6 \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -XXX,XX +XXX,XX @@ guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ -oifname \ +oif \ virbr0 \ counter \ accept diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index XXXXXXX..XXXXXXX 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -XXX,XX +XXX,XX @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -XXX,XX +XXX,XX @@ guest_input \ ip \ daddr \ 192.168.122.0/24 \ -oifname \ +oif \ virbr0 \ counter \ accept -- 2.45.0