From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911277; cv=none; d=zohomail.com; s=zohoarc; b=Ep6MYeVpAfbCl5TvlF55/VibtKsVbUyCH2N37uRdCQWwOghgsLEq7/waLU+tFhdbOTy5GM0SEFwPVyoWwR0CT6GOUicSg0rjBaQ197M83J//XcCmpSL+r5R4hxa+eR4n2HxBHZTBns51ABF+6rE1cPZLeWY+5hnSNee/81gMuV8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911277; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=tEENFPWsO25/EGTDbHMhpXcxzOEwcyE6Jwz9WP85wqc=; b=AChXRuyEUbqGMciuC3leZ2MnhmD8LFeTeVnFb1u4WES14XsRMbefkUdD40aDcS6qbUqQ2QGfXdnmJ3uVAloeO4z4GRDl6NT65Y4ANljCzsdzBfCA2jGrruCJEuEd/0VQUSpsgpUHzYbKM8qL0DO37b44eF9Xxy0s7n3tP0uGL7M= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1682911277623806.9992706437815; Sun, 30 Apr 2023 20:21:17 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-203-jMNoR76XPvq3fA-MNTFj0w-1; Sun, 30 Apr 
2023 23:20:12 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id F40981C02D43; Mon, 1 May 2023 03:20:08 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2C68951E3; Mon, 1 May 2023 03:20:07 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 2DA151946A6A; Mon, 1 May 2023 03:20:06 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 9E32F1946587 for ; Mon, 1 May 2023 03:19:44 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 28D21477F7F; Mon, 1 May 2023 03:19:44 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.105]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0F95040BB04 for ; Mon, 1 May 2023 03:19:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1682911276; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=tEENFPWsO25/EGTDbHMhpXcxzOEwcyE6Jwz9WP85wqc=; b=PyNPrj7WxUbYpWWw36S5FRnnJhL+h95mK45kpI4XAVYMw2Dz8qDt/3hP2xye0YwuMig2Ut Hqco7438zqwNHPYz6mxszV0IxPO63ZwlBFGcoRd6OuwMHaY1niqMRK2iP5UOgCerNN5ip7 HpxlQ0kvYW7bRFkqI1Vm4Q4OuU/wZyo= X-MC-Unique: jMNoR76XPvq3fA-MNTFj0w-1 X-Original-To: 
libvir-list@listman.corp.redhat.com
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 01/28] util: add -w/--concurrent when applying the rule rather than when building it
Date: Sun, 30 Apr 2023 23:19:16 -0400
Message-Id: <20230501031943.288145-2-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: libvir-list-bounces@redhat.com
Sender: "libvir-list"
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1682911278284100009
Content-Type: text/plain; charset="utf-8"; x-default="true"

We will already need a separate function for virFirewallApplyRule for
iptables vs. nftables, but the only reason for needing a separate
function for virFirewallAddRule* is that iptables/ebtables need to have
an extra arg added for locking (to prevent multiple iptables commands
from running at the same time). We can just as well add in the
-w/--concurrent during virFirewallApplyRule, so move the arg-add to
ApplyRule to keep AddRule simple.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/util/virfirewall.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 30e73f603e..e8e74621c8 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -213,20 +213,6 @@ virFirewallAddRuleFullV(virFirewall *firewall, rule->queryOpaque =3D opaque; rule->ignoreErrors =3D ignoreErrors; =20 - switch (rule->layer) { - case VIR_FIREWALL_LAYER_ETHERNET: - ADD_ARG(rule, "--concurrent"); - break; - case VIR_FIREWALL_LAYER_IPV4: - ADD_ARG(rule, "-w"); - break; - case VIR_FIREWALL_LAYER_IPV6: - ADD_ARG(rule, "-w"); - break; - case VIR_FIREWALL_LAYER_LAST: - break; - } - while ((str =3D va_arg(args, char *)) !=3D NULL) ADD_ARG(rule, str); =20 
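Review bot: with this switch gone, rule->args no longer carries -w/--concurrent; the flag is only added to the virCommand in virFirewallApplyRuleDirect, so anything built from the stored args (virFirewallRuleToString(), for instance) will now differ from the command line that actually runs. That is the one observable change in this patch and the commit message does not mention it; a sentence saying the lock flag is deliberately kept out of the rule's own argument list would stop the next reader from treating the mismatch as a bug.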
@@ -499,6 +485,19 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, =20 cmd =3D virCommandNewArgList(bin, NULL); =20 + /* lock to assure nobody else is messing with the tables while we are = */ + switch (rule->layer) { + case VIR_FIREWALL_LAYER_ETHERNET: + virCommandAddArg(cmd, "--concurrent"); + break; + case VIR_FIREWALL_LAYER_IPV4: + case VIR_FIREWALL_LAYER_IPV6: + virCommandAddArg(cmd, "-w"); + break; + case VIR_FIREWALL_LAYER_LAST: + break; + } + for (i =3D 0; i < rule->argsLen; i++) virCommandAddArg(cmd, rule->args[i]); =20 --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911273; cv=none; d=zohomail.com; s=zohoarc; b=LWGi0MQwVvVolzwX2B8Gq5/UvOMgEmSal0B8vybjDH58Jba65iV4BrhY0nn0mUYpsbo0WyYcuAXw5BP41DGD3EsyxaGgdBRQm3qKacVneBDel0d0dvMn9DOqQ9KSAyD5kY0H3eztfDgx9AY7nTx2viKkyfceY3dzLHYMOh489Fs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911273; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=l+y0MnhbFAurCl+q/faz9todVJUF2Ga1WqFKDQYdkC0=; b=Cs7kit+jB3WYe7V/NR7ffhdJvF6vbeTdfrKHyRrAvVO5GetbtvZkWdSsjwAXh18ruoX/i0RsXT90jNIlSJgLv40LR+T95uCjuWFC31IurY/aXWRl4GinyAPp6rpdJWrLzsvRAFj8lg+Qt/9sthljK3jItN2AIWxBluSKTvid6HM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted 
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 02/28] util: new virFirewallRuleGet*() APIs
Date: Sun, 30 Apr 2023 23:19:17 -0400
Message-Id: <20230501031943.288145-3-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

We will need access to these attributes of the object from outside
virfirewall.c.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/libvirt_private.syms |  3 +++
 src/util/virfirewall.c   | 30 ++++++++++++++++++++++++++++++
 src/util/virfirewall.h   | 10 ++++++++++
 3 files changed, 43 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 1247b67a39..73cccf38a1 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2380,7 +2380,10 @@ virFirewallRuleAddArg; virFirewallRuleAddArgFormat; virFirewallRuleAddArgList; virFirewallRuleAddArgSet; +virFirewallRuleGetArg; virFirewallRuleGetArgCount; +virFirewallRuleGetIgnoreErrors; +virFirewallRuleGetLayer; virFirewallRuleToString; virFirewallStartRollback; virFirewallStartTransaction; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index e8e74621c8..15c8db3702 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -388,6 +388,36 @@ size_t virFirewallRuleGetArgCount(virFirewallRule *rul= e) } =20 =20 +const char * +virFirewallRuleGetArg(virFirewallRule *rule, + int index) +{ + if (!rule || rule->argsLen <=3D index) + return NULL; + return rule->args[index]; +} + + +virFirewallLayer +virFirewallRuleGetLayer(virFirewallRule *rule) +{ + if (!rule) + return VIR_FIREWALL_LAYER_LAST; + + return rule->layer; +} + + +bool +virFirewallRuleGetIgnoreErrors(virFirewallRule *rule) +{ + if (!rule) + return false; + + return rule->ignoreErrors; +} + + /** * virFirewallStartTransaction: * @firewall: the firewall ruleset diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 187748b2bf..0f40dae859 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h 
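Review bot: in the virfirewall.c hunk, virFirewallRuleGetArg() takes `int index` but its bounds check `if (!rule || rule->argsLen <= index)` compares it with the size_t argsLen (virFirewallRuleGetArgCount() just above returns size_t), so a negative index is converted to a large unsigned value and only yields NULL by accident of the promotion rules, and it is a signed/unsigned comparison; take `size_t index` in both this definition and the virfirewall.h prototype, as virFirewallRuleGetArgCount() already does. The three new getters also go out through libvirt_private.syms without a doc comment, unlike virFirewallStartTransaction right below them; a line each saying that NULL, VIR_FIREWALL_LAYER_LAST and false are the "no rule" returns would save callers a trip into the source.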
@@ -89,6 +89,16 @@ void virFirewallRuleAddArgList(virFirewall *firewall, =20 size_t virFirewallRuleGetArgCount(virFirewallRule *rule); =20 +const char * +virFirewallRuleGetArg(virFirewallRule *rule, + int index); + +virFirewallLayer +virFirewallRuleGetLayer(virFirewallRule *rule); + +bool +virFirewallRuleGetIgnoreErrors(virFirewallRule *rule); + char *virFirewallRuleToString(const char *cmd, virFirewallRule *rule); =20 --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911284; cv=none; d=zohomail.com; s=zohoarc; b=ZWBiY352aHKYFJV+ejNeeMhtQ6eYqHVkQKiKHdAUce5xzUeGhjMaEaMm/16g/iNUTSyH4sJkNoBJ49SHkS3A5BdHZnrrgZatOGrr51WTFFm3z4QbnI4wD++7Q9NiNvpS2/w0gPeQ5+F2X2dUZD8dEHgJCSPcu7A8feBUWx/a/b0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911284; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=blYS+D/WWzztTB1DWwadIdXqRai/6e0dj0S+mStoVm8=; b=iwargTXublZ5fM1UOSqG8YBbL53k4uJX0v7dzoyLkqB1i9TekyGa2lX8M9g0vS5vmlFs/FBUv/hT6FQQtlHNIJTmJ3ipo/yL2Em39G5xNc4loOXnBOrZLZIzsyG9beaeFPmaDiRWOMGsyZADAojjCi6uddRZNaBbDFYJhNFgPGs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: 
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 03/28] util: determine ignoreErrors value when creating rule, not when applying
Date: Sun, 30 Apr 2023 23:19:18 -0400
Message-Id: <20230501031943.288145-4-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

We know at the time a virFirewallRule is created (with
virFirewallAddRule*()) whether or not we will later want to ignore
errors encountered when attempting to apply that rule - if ignoreErrors
is set in the AddRule or if the group has already had
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS set, then we ignore the errors.

Rather than setting the rule->ignoreErrors rule only according to the
arg sent to virFirewallAddRuleFull(), and then later (at
ApplyRule-time) combining that with the group transactionFlags setting
(and passing it all the way down the call chain), just combine the two
flags right away and store this final value in rule->ignoreErrors when
the rule is created (thus avoiding the need to look at anything other
than rule->ignoreErrors at the time the rule is applied).

And since we now have an API for retrieving the setting of ignoreErrors
from a rule, just grab that with the API down in vir*ApplyRule() rather
than cluttering up the argument list on the entire call chain.
Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/util/virfirewall.c | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 15c8db3702..e3ba8f7846 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -211,14 +211,20 @@ virFirewallAddRuleFullV(virFirewall *firewall, rule->layer =3D layer; rule->queryCB =3D cb; rule->queryOpaque =3D opaque; - rule->ignoreErrors =3D ignoreErrors; =20 while ((str =3D va_arg(args, char *)) !=3D NULL) ADD_ARG(rule, str); =20 if (group->addingRollback) { + rule->ignoreErrors =3D true; /* always ignore errors when rolling = back */ VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); } else { + /* when not rolling back, ignore errors if this group (transaction) + * was started with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS *or* + * if this specific rule was created with ignoreErrors =3D=3D true + */ + rule->ignoreErrors =3D ignoreErrors + || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S); VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); } =20 @@ -496,7 +502,6 @@ virFirewallRuleToString(const char *cmd, =20 static int virFirewallApplyRuleDirect(virFirewallRule *rule, - bool ignoreErrors, char **output) { size_t i; @@ -541,7 +546,7 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, return -1; =20 if (status !=3D 0) { - if (ignoreErrors) { + if (virFirewallRuleGetIgnoreErrors(rule)) { VIR_DEBUG("Ignoring error running command"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, 
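Review bot: in the virFirewallAddRuleFullV hunk, `rule->ignoreErrors = ignoreErrors || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS)` snapshots the group flag at add time, which only matches the old apply-time check as long as a group's actionFlags cannot change after rules have been added to it; that holds while the flags are only set when the transaction is started, but the new comment should say so, because a later helper that sets flags on an existing group would silently leave earlier rules with the stale value. Smaller point on the virFirewallApplyRuleDirect hunk: it now reads the flag through the exported getter virFirewallRuleGetIgnoreErrors(rule) while the same function keeps using rule->args and rule->argsLen directly; inside virfirewall.c either style is fine, but mixing the two in one function looks accidental.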
@@ -558,16 +563,12 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, =20 static int virFirewallApplyRule(virFirewall *firewall, - virFirewallRule *rule, - bool ignoreErrors) + virFirewallRule *rule) { g_autofree char *output =3D NULL; g_auto(GStrv) lines =3D NULL; =20 - if (rule->ignoreErrors) - ignoreErrors =3D rule->ignoreErrors; - - if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) + if (virFirewallApplyRuleDirect(rule, &output) < 0) return -1; =20 if (rule->queryCB && output) { @@ -594,7 +595,7 @@ virFirewallApplyGroup(virFirewall *firewall, size_t idx) { virFirewallGroup *group =3D firewall->groups[idx]; - bool ignoreErrors =3D (group->actionFlags & VIR_FIREWALL_TRANSACTION_I= GNORE_ERRORS); + size_t i; =20 VIR_INFO("Starting transaction for firewall=3D%p group=3D%p flags=3D0x= %x", @@ -602,9 +603,7 @@ virFirewallApplyGroup(virFirewall *firewall, firewall->currentGroup =3D idx; group->addingRollback =3D false; for (i =3D 0; i < group->naction; i++) { - if (virFirewallApplyRule(firewall, - group->action[i], - ignoreErrors) < 0) + if (virFirewallApplyRule(firewall, group->action[i]) < 0) return -1; } return 0; 
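Review bot: in the virFirewallApplyGroup hunk the removed `bool ignoreErrors = (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);` is replaced by an empty `+` line, which leaves a blank line between `virFirewallGroup *group = firewall->groups[idx];` and `size_t i;`; drop the line outright so the two declarations stay together. Otherwise the flag now lives only on the rule, which is what the commit message intends.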
@@ -621,11 +620,8 @@ virFirewallRollbackGroup(virFirewall *firewall, VIR_INFO("Starting rollback for group %p", group); firewall->currentGroup =3D idx; group->addingRollback =3D true; - for (i =3D 0; i < group->nrollback; i++) { - ignore_value(virFirewallApplyRule(firewall, - group->rollback[i], - true)); - } + for (i =3D 0; i < group->nrollback; i++) + ignore_value(virFirewallApplyRule(firewall, group->rollback[i])); } =20 =20 --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911223; cv=none; d=zohomail.com; s=zohoarc; b=M5+u0d7QFR/11sGo5hBY3+2gadi3YRaNPnfmhkskM770ETyJY5XRvD6eXAeqYmoOsfjndRHHlWi6jHd9gDd+VycWqiqVnQe4jm0hL/Cbcz43Y9ZzUT5rXwmnsE3qGIYkiFc1l21Z+vVejsetKbUz8619PHj//bRXDaN36F+1Tlg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911223; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=jSPnq3+8lVAIfI1DN6pU0tDNskYu9nGF9pAY+GCbMHI=; b=k1MiTge03NpSd3aUE153U/L1gIe8n7vHbXJb9erMz3/S/y/8YDe46RRoUzzvjk7+bjxpEKd63bGEajuWzhQ8h2sML5CVvS84sIU0HeTJfsmRVQKQEhJAxWX1AM76rbyfWBc1ZYEeK1T5W5pevmLZvBy78fr0Emp1Orj4G1YPeFg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: 
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip&nftables
Date: Sun, 30 Apr 2023 23:19:19 -0400
Message-Id: <20230501031943.288145-5-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

These toplevel functions have no iptables-specific code, except that
they each call a lower-level internal function that *is* iptables
specific. As a preparation to supporting use of either iptables or
nftables, rename these functions from iptablesXXX to virNetfilterXXX.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/libvirt_private.syms          |  48 +++---
 src/network/bridge_driver_linux.c | 124 +++++++-------
 src/util/viriptables.c            | 260 +++++++++++++++---------------
 src/util/viriptables.h            |  96 +++++------
 4 files changed, 264 insertions(+), 264 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 73cccf38a1..9f3868bbac 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2547,33 +2547,33 @@ virInitctlSetRunLevel; =20 =20 # util/viriptables.h -iptablesAddDontMasquerade; -iptablesAddForwardAllowCross; -iptablesAddForwardAllowIn; -iptablesAddForwardAllowOut; -iptablesAddForwardAllowRelatedIn; -iptablesAddForwardMasquerade; -iptablesAddForwardRejectIn; -iptablesAddForwardRejectOut; iptablesAddOutputFixUdpChecksum; -iptablesAddTcpInput; -iptablesAddTcpOutput; -iptablesAddUdpInput; -iptablesAddUdpOutput; -iptablesRemoveDontMasquerade; -iptablesRemoveForwardAllowCross; -iptablesRemoveForwardAllowIn; -iptablesRemoveForwardAllowOut; -iptablesRemoveForwardAllowRelatedIn; -iptablesRemoveForwardMasquerade; -iptablesRemoveForwardRejectIn; -iptablesRemoveForwardRejectOut; iptablesRemoveOutputFixUdpChecksum; -iptablesRemoveTcpInput; -iptablesRemoveTcpOutput; -iptablesRemoveUdpInput; -iptablesRemoveUdpOutput; iptablesSetupPrivateChains; +virNetfilterAddDontMasquerade; +virNetfilterAddForwardAllowCross; +virNetfilterAddForwardAllowIn; +virNetfilterAddForwardAllowOut; +virNetfilterAddForwardAllowRelatedIn; +virNetfilterAddForwardMasquerade; +virNetfilterAddForwardRejectIn; +virNetfilterAddForwardRejectOut; +virNetfilterAddTcpInput; +virNetfilterAddTcpOutput; +virNetfilterAddUdpInput; +virNetfilterAddUdpOutput; +virNetfilterRemoveDontMasquerade; +virNetfilterRemoveForwardAllowCross; +virNetfilterRemoveForwardAllowIn; +virNetfilterRemoveForwardAllowOut; +virNetfilterRemoveForwardAllowRelatedIn; +virNetfilterRemoveForwardMasquerade; +virNetfilterRemoveForwardRejectIn; +virNetfilterRemoveForwardRejectOut; +virNetfilterRemoveTcpInput; +virNetfilterRemoveTcpOutput; +virNetfilterRemoveUdpInput; +virNetfilterRemoveUdpOutput; =20 =20 # util/viriscsi.h diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 1ef5b9d917..da7d78a40a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
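Review bot: this syms hunk renames every util/viriptables.h entry except iptablesAddOutputFixUdpChecksum, iptablesRemoveOutputFixUdpChecksum and iptablesSetupPrivateChains, but the commit message only says the renamed functions "have no iptables-specific code"; state explicitly why those three keep the iptables prefix (presumably because they are backend-specific and will not get a shared frontend in this series) so the partial rename is not read as an oversight, and so whoever touches them next knows which prefix to use.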
@@ -322,7 +322,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw, } =20 /* allow forwarding packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, + if (virNetfilterAddForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, @@ -332,7 +332,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw, /* allow forwarding packets to the bridge interface if they are * part of an existing connection */ - if (iptablesAddForwardAllowRelatedIn(fw, + if (virNetfilterAddForwardAllowRelatedIn(fw, &ipdef->address, prefix, def->bridge, @@ -372,7 +372,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw, */ =20 /* First the generic masquerade rule for other protocols */ - if (iptablesAddForwardMasquerade(fw, + if (virNetfilterAddForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -382,7 +382,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw, return -1; =20 /* UDP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, + if (virNetfilterAddForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -392,7 +392,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw, return -1; =20 /* TCP with a source port restriction */ - if (iptablesAddForwardMasquerade(fw, + if (virNetfilterAddForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -403,7 +403,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw, =20 /* exempt local network broadcast address as destination */ if (isIPv4 && - iptablesAddDontMasquerade(fw, + virNetfilterAddDontMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -411,7 +411,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw, return -1; =20 /* exempt local multicast range as destination */ - if (iptablesAddDontMasquerade(fw, + if (virNetfilterAddDontMasquerade(fw, &ipdef->address, prefix, forwardIf, 
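Review bot: each of these hunks changes only the line carrying the function name (iptables* to virNetfilter*, four characters longer) and leaves the continuation lines (`&ipdef->address,`, `prefix,`, `def->bridge,`, `forwardIf,`) as unchanged context, so their indentation, which was aligned to the old opening parenthesis, is now off by four columns in every call in this file. Either re-indent the arguments in the same patch or say in the commit message that a follow-up does it; a rename-only patch is the natural place to fix alignment since these calls are being touched anyway.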
@@ -434,7 +434,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, if (prefix < 0) return 0; =20 - if (iptablesRemoveDontMasquerade(fw, + if (virNetfilterRemoveDontMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -443,14 +443,14 @@ networkRemoveMasqueradingFirewallRules(virFirewall *f= w, return -1; =20 if (isIPv4 && - iptablesRemoveDontMasquerade(fw, + virNetfilterRemoveDontMasquerade(fw, &ipdef->address, prefix, forwardIf, networkLocalBroadcast) < 0) return -1; =20 - if (iptablesRemoveForwardMasquerade(fw, + if (virNetfilterRemoveForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -459,7 +459,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, "tcp") < 0) return -1; =20 - if (iptablesRemoveForwardMasquerade(fw, + if (virNetfilterRemoveForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -468,7 +468,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw, "udp") < 0) return -1; =20 - if (iptablesRemoveForwardMasquerade(fw, + if (virNetfilterRemoveForwardMasquerade(fw, &ipdef->address, prefix, forwardIf, @@ -477,14 +477,14 @@ networkRemoveMasqueradingFirewallRules(virFirewall *f= w, NULL) < 0) return -1; =20 - if (iptablesRemoveForwardAllowRelatedIn(fw, + if (virNetfilterRemoveForwardAllowRelatedIn(fw, &ipdef->address, prefix, def->bridge, forwardIf) < 0) return -1; =20 - if (iptablesRemoveForwardAllowOut(fw, + if (virNetfilterRemoveForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, @@ -511,7 +511,7 @@ networkAddRoutingFirewallRules(virFirewall *fw, } =20 /* allow routing packets from the bridge interface */ - if (iptablesAddForwardAllowOut(fw, + if (virNetfilterAddForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, @@ -519,7 +519,7 @@ networkAddRoutingFirewallRules(virFirewall *fw, return -1; =20 /* allow routing packets to the bridge interface */ - if (iptablesAddForwardAllowIn(fw, + if (virNetfilterAddForwardAllowIn(fw, &ipdef->address, prefix, def->bridge, 
@@ -541,14 +541,14 @@ networkRemoveRoutingFirewallRules(virFirewall *fw, if (prefix < 0) return 0; =20 - if (iptablesRemoveForwardAllowIn(fw, + if (virNetfilterRemoveForwardAllowIn(fw, &ipdef->address, prefix, def->bridge, forwardIf) < 0) return -1; =20 - if (iptablesRemoveForwardAllowOut(fw, + if (virNetfilterRemoveForwardAllowOut(fw, &ipdef->address, prefix, def->bridge, 
@@ -576,29 +576,29 @@ networkAddGeneralIPv4FirewallRules(virFirewall *fw, } =20 /* allow DHCP requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); =20 /* allow DNS requests through to dnsmasq & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); =20 /* allow TFTP requests through to dnsmasq if necessary & back out */ if (ipv4def && ipv4def->tftproot) { - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 69); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge,= 69); } =20 /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterAddForwardRejectOut(fw, 
VIR_FIREWALL_LAYER_IPV4, def->brid= ge); + virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridg= e); =20 /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); + virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bri= dge); } =20 static void 
@@ -615,24 +615,24 @@ networkRemoveGeneralIPv4FirewallRules(virFirewall *fw, break; } =20 - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->brid= ge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge= ); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridg= e); + virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->= bridge); + virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->br= idge); + virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->b= ridge); =20 if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 6= 9); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 69); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridg= e, 69); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->brid= ge, 69); } =20 - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 5= 3); + virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 5= 3); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 53); + virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 53); =20 - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 68); + virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 68); + 
virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 6= 7); + virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 6= 7); } =20 =20 @@ -651,21 +651,21 @@ networkAddGeneralIPv6FirewallRules(virFirewall *fw, } =20 /* Catch all rules to block forwarding to/from bridges */ - iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); - iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->brid= ge); + virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridg= e); =20 /* Allow traffic between guests on the same bridge */ - iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); + virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bri= dge); =20 if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { /* allow DNS over IPv6 & back out */ - iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); + virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge,= 53); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge,= 53); /* allow DHCPv6 & back out */ - iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); - iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546= ); + virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 547); + virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge,= 546); } } =20 
@@ -679,20 +679,20 @@ networkRemoveGeneralIPv6FirewallRules(virFirewall *fw, } =20 if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 546); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 47); - iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); - iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); - iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); - iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->brid= ge, 546); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridg= e, 547); + virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->brid= ge, 53); + virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->brid= ge, 53); + virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridg= e, 53); + virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridg= e, 53); } =20 /* the following rules are there if no IPv6 address has been defined * but def->ipv6nogw =3D=3D true */ - iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->brid= ge); - iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge= ); - iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridg= e); + virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->= bridge); + virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->br= idge); + virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->b= ridge); } =20 =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 018021bc1b..8db5bb3e4b 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -198,7 +198,7 @@ iptablesOutput(virFirewall *fw, } =20 /** - * iptablesAddTcpInput: + * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to add @@ -207,16 +207,16 @@ iptablesOutput(virFirewall *fw, * the given @iface interface for TCP packets */ void -iptablesAddTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } =20 /** - * iptablesRemoveTcpInput: + * virNetfilterRemoveTcpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to remove @@ -225,16 +225,16 @@ iptablesAddTcpInput(virFirewall *fw, * @port on the given @iface interface for TCP packets */ void -iptablesRemoveTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } =20 /** - * iptablesAddUdpInput: + * virNetfilterAddUdpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to add @@ -243,16 +243,16 @@ iptablesRemoveTcpInput(virFirewall *fw, * the given @iface interface for UDP packets */ void -iptablesAddUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } =20 /** - * iptablesRemoveUdpInput: + * virNetfilterRemoveUdpInput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to remove 
@@ -261,16 +261,16 @@ iptablesAddUdpInput(virFirewall *fw, * @port on the given @iface interface for UDP packets */ void -iptablesRemoveUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } =20 /** - * iptablesAddTcpOutput: + * virNetfilterAddTcpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to add @@ -279,16 +279,16 @@ iptablesRemoveUdpInput(virFirewall *fw, * the given @iface interface for TCP packets */ void -iptablesAddTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } =20 /** - * iptablesRemoveTcpOutput: + * virNetfilterRemoveTcpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to remove @@ -297,16 +297,16 @@ iptablesAddTcpOutput(virFirewall *fw, * @port from the given @iface interface for TCP packets */ void -iptablesRemoveTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } =20 /** - * iptablesAddUdpOutput: + * virNetfilterAddUdpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to add 
@@ -315,16 +315,16 @@ iptablesRemoveTcpOutput(virFirewall *fw, * the given @iface interface for UDP packets */ void -iptablesAddUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterAddUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } =20 /** - * iptablesRemoveUdpOutput: + * virNetfilterRemoveUdpOutput: * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to remove @@ -333,10 +333,10 @@ iptablesAddUdpOutput(virFirewall *fw, * @port from the given @iface interface for UDP packets */ void -iptablesRemoveUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) +virNetfilterRemoveUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) { iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } @@ -384,7 +384,7 @@ iptablesForwardAllowOut(virFirewall *fw, } =20 /** - * iptablesAddForwardAllowOut: + * virNetfilterAddForwardAllowOut: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the source interface name @@ -397,18 +397,18 @@ iptablesForwardAllowOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterAddForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_INSERT); } =20 /** - * iptablesRemoveForwardAllowOut: + * virNetfilterRemoveForwardAllowOut: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the source interface name 
@@ -421,11 +421,11 @@ iptablesAddForwardAllowOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_DELETE); @@ -478,7 +478,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, } =20 /** - * iptablesAddForwardAllowRelatedIn: + * virNetfilterAddForwardAllowRelatedIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name @@ -491,18 +491,18 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, VIR_NETFILTER_INSERT); } =20 /** - * iptablesRemoveForwardAllowRelatedIn: + * virNetfilterRemoveForwardAllowRelatedIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name 
@@ -515,11 +515,11 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, VIR_NETFILTER_DELETE); @@ -565,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw, } =20 /** - * iptablesAddForwardAllowIn: + * virNetfilterAddForwardAllowIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name @@ -578,18 +578,18 @@ iptablesForwardAllowIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterAddForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_INSERT); } =20 /** - * iptablesRemoveForwardAllowIn: + * virNetfilterRemoveForwardAllowIn: * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name @@ -602,11 +602,11 @@ iptablesAddForwardAllowIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +virNetfilterRemoveForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, VIR_NETFILTER_DELETE); 
@@ -629,7 +629,7 @@ iptablesForwardAllowCross(virFirewall *fw, } =20 /** - * iptablesAddForwardAllowCross: + * virNetfilterAddForwardAllowCross: * @ctx: pointer to the IP table context * @iface: the input/output interface name * @@ -640,15 +640,15 @@ iptablesForwardAllowCross(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesAddForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** - * iptablesRemoveForwardAllowCross: + * virNetfilterRemoveForwardAllowCross: * @ctx: pointer to the IP table context * @iface: the input/output interface name * @@ -659,9 +659,9 @@ iptablesAddForwardAllowCross(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesRemoveForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); } @@ -682,7 +682,7 @@ iptablesForwardRejectOut(virFirewall *fw, } =20 /** - * iptablesAddForwardRejectOut: + * virNetfilterAddForwardRejectOut: * @ctx: pointer to the IP table context * @iface: the output interface name * @@ -692,15 +692,15 @@ iptablesForwardRejectOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesAddForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterAddForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** - * iptablesRemoveForwardRejectOut: + * virNetfilterRemoveForwardRejectOut: * @ctx: pointer to the IP table context * @iface: the output interface name * 
@@ -710,9 +710,9 @@ iptablesAddForwardRejectOut(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesRemoveForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); } @@ -734,7 +734,7 @@ iptablesForwardRejectIn(virFirewall *fw, } =20 /** - * iptablesAddForwardRejectIn: + * virNetfilterAddForwardRejectIn: * @ctx: pointer to the IP table context * @iface: the input interface name * @@ -744,15 +744,15 @@ iptablesForwardRejectIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesAddForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterAddForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** - * iptablesRemoveForwardRejectIn: + * virNetfilterRemoveForwardRejectIn: * @ctx: pointer to the IP table context * @iface: the input interface name * @@ -762,9 +762,9 @@ iptablesAddForwardRejectIn(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ void -iptablesRemoveForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) +virNetfilterRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) { iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); } @@ -869,7 +869,7 @@ iptablesForwardMasquerade(virFirewall *fw, } =20 /** - * iptablesAddForwardMasquerade: + * virNetfilterAddForwardMasquerade: * @ctx: pointer to the IP table context * @network: the source network name * @physdev: the physical input device or NULL 
@@ -882,13 +882,13 @@ iptablesForwardMasquerade(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) +virNetfilterAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, @@ -896,7 +896,7 @@ iptablesAddForwardMasquerade(virFirewall *fw, } =20 /** - * iptablesRemoveForwardMasquerade: + * virNetfilterRemoveForwardMasquerade: * @ctx: pointer to the IP table context * @network: the source network name * @physdev: the physical input device or NULL @@ -909,13 +909,13 @@ iptablesAddForwardMasquerade(virFirewall *fw, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) +virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, @@ -965,7 +965,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, } =20 /** - * iptablesAddDontMasquerade: + * virNetfilterAddDontMasquerade: * @netaddr: the source network name * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr * @physdev: the physical output device or NULL 
@@ -973,24 +973,24 @@ iptablesForwardDontMasquerade(virFirewall *fw, * * Add rules to the IP table context to avoid masquerading from * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables, it must not depend on user input or + * directly consumable by iptables/nftables, it must not depend on user in= put or * configuration. * * Returns 0 in case of success or an error code otherwise. */ int -iptablesAddDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) +virNetfilterAddDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, VIR_NETFILTER_= INSERT); } =20 /** - * iptablesRemoveDontMasquerade: + * virNetfilterRemoveDontMasquerade: * @netaddr: the source network name * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr * @physdev: the physical output device or NULL @@ -998,17 +998,17 @@ iptablesAddDontMasquerade(virFirewall *fw, * * Remove rules from the IP table context that prevent masquerading from * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables, it must not depend on user input or + * directly consumable by iptables/nftables, it must not depend on user in= put or * configuration. * * Returns 0 in case of success or an error code otherwise. */ int -iptablesRemoveDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) +virNetfilterRemoveDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index bb13f3292d..610c4dccde 100644 
--- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -25,101 +25,101 @@ =20 int iptablesSetupPrivateChains (virFirewallLayer layer); =20 -void iptablesAddTcpInput (virFirewall *fw, +void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveTcpInput (virFirewall *fw, +void virNetfilterRemoveTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); =20 -void iptablesAddUdpInput (virFirewall *fw, +void virNetfilterAddUdpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveUdpInput (virFirewall *fw, +void virNetfilterRemoveUdpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); =20 -void iptablesAddTcpOutput (virFirewall *fw, +void virNetfilterAddTcpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveTcpOutput (virFirewall *fw, +void virNetfilterRemoveTcpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesAddUdpOutput (virFirewall *fw, +void virNetfilterAddUdpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); -void iptablesRemoveUdpOutput (virFirewall *fw, +void virNetfilterRemoveUdpOutput (virFirewall *fw, virFirewallLayer layer, const char *iface, int port); =20 -int iptablesAddForwardAllowOut (virFirewall *fw, +int virNetfilterAddForwardAllowOut (virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +int virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) +int 
virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netad= dr, + unsigned int prefix, + const char *iface, + const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netadd= r, - unsigned int prefix, - const char *iface, - const char *physdev) +int virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *ne= taddr, + unsigned int pref= ix, + const char *iface, + const char *physd= ev) G_GNUC_WARN_UNUSED_RESULT; =20 -int iptablesAddForwardAllowIn (virFirewall *fw, +int virNetfilterAddForwardAllowIn (virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowIn (virFirewall *fw, +int virNetfilterRemoveForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) G_GNUC_WARN_UNUSED_RESULT; =20 -void iptablesAddForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardAllowCross (virFirewall *fw, +void virNetfilterAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface); +void virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer laye= r, + const char *iface); =20 -void iptablesAddForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectOut (virFirewall *fw, +void virNetfilterAddForwardRejectOut (virFirewall *fw, virFirewallLayer layer, const char *iface); +void virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface); =20 -void iptablesAddForwardRejectIn (virFirewall *fw, +void virNetfilterAddForwardRejectIn (virFirewall *fw, virFirewallLayer layer, const char *iface); -void iptablesRemoveForwardRejectIn (virFirewall *fw, - virFirewallLayer layery, - const char *iface); +void virNetfilterRemoveForwardRejectIn(virFirewall 
*fw, + virFirewallLayer layery, + const char *iface); =20 -int iptablesAddForwardMasquerade (virFirewall *fw, +int virNetfilterAddForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, 
@@ -127,21 +127,21 @@ int iptablesAddForwardMasquerade (vir= Firewall *fw, virPortRange *port, const char *protocol) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) +int virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netadd= r, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *a= ddr, + virPortRange *port, + const char *protocol) G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddDontMasquerade (virFirewall *fw, +int virNetfilterAddDontMasquerade (virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, const char *destaddr) G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveDontMasquerade (virFirewall *fw, +int virNetfilterRemoveDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911265; cv=none; d=zohomail.com; s=zohoarc; b=Sjls/ReqbeaTQ6eaEADKv7DBSadf+9GaNhoGlHb0RYHI0hIiIfPv7zt3Nut6epF0oeboxvqtRDyPjuIqLjcRfRbaE1+xFwW+rPB0vfvaBFOYuGPKm7kMEuu8ekX6NzGBLaCJSs2HdDrG8nLs3Lt1W7QZkcSUiezpzAmQfw7Ogrs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911265; 
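Review bot: in the src/libvirt_private.syms hunk, iptablesAddOutputFixUdpChecksum, iptablesRemoveOutputFixUdpChecksum and iptablesSetupPrivateChains keep the iptables prefix while every neighbouring symbol becomes virNetfilter*, and the section is still headed `# util/viriptables.h`. If those three are left alone on purpose (they stay iptables-specific, or a later patch in the series handles them), say so in the commit message; otherwise rename them in the same pass so the exported-symbol list does not carry two naming schemes for one header.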
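Review bot: the bridge_driver_linux.c hunks (@@ -322 through @@ -541) change only the `if (virNetfilter...(fw,` line of each call and leave the argument lines (`&ipdef->address,`, `prefix,`, `def->bridge,` ...) as unchanged context, so after the rename those continuation lines are no longer aligned under the opening parenthesis, which is what the rest of this file does. Re-indent the continuation arguments of each renamed call so the patch leaves the file consistently formatted.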
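Review bot: the viriptables.c hunks from @@ -198 to @@ -762 rename the function name inside each doc comment but leave the rest of the comment stale: every block still documents `@ctx: pointer to the IP table context` although the first parameter is `virFirewall *fw`, `@layer` is never documented, and the comments on virNetfilterAddForwardAllowCross, virNetfilterRemoveForwardAllowCross, virNetfilterAddForwardRejectOut, virNetfilterRemoveForwardRejectOut, virNetfilterAddForwardRejectIn and virNetfilterRemoveForwardRejectIn still say `Returns 0 in case of success or an error code otherwise` on functions declared `void`. Since these lines are already being touched, change `@ctx` to `@fw`, add an `@layer` line, and drop the Returns sentence on the void functions so the documentation matches the signatures.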
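Review bot: in the @@ -973,24 +973,24 @@ hunk the rewritten sentence `directly consumable by iptables/nftables, it must not depend on user input or configuration` is a comma splice; `... consumable by iptables/nftables; it must not depend on user input or configuration` reads cleanly, and the identical sentence in the virNetfilterRemoveDontMasquerade comment needs the same fix. That sentence is the only thing stopping a future caller from feeding user-controlled text into a rule, so consider repeating it on the `virNetfilterAddDontMasquerade`/`virNetfilterRemoveDontMasquerade` prototypes in viriptables.h rather than leaving it only in the .c file.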
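Review bot: in the viriptables.h hunk the new prototype for virNetfilterRemoveForwardRejectIn still reads `virFirewallLayer layery,`; the typo is inherited from the removed line, but the `+` line is the place to make it `layer`. The same hunk also ends up mixing two spacing conventions, `virNetfilterAddTcpInput (virFirewall *fw,` with a space before the parenthesis beside `virNetfilterRemoveForwardAllowOut(virFirewall *fw,` without one; pick one style for the whole header while the continuation lines are being realigned.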
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 05/28] util: move backend-agnostic virNetfilter*() functions to their own file
Date: Sun, 30 Apr 2023 23:19:20 -0400
Message-Id: <20230501031943.288145-6-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>

These functions are all moved into virnetfilter.[ch]. The only functions from viriptables.[ch] that are still called from the consumer (network bridge driver) are iptablesSetupPrivateChains() (which creates the private chains that all iptables rules will be added to), and iptablesAddOutputFixUdpChecksum() and iptablesRemoveOutputFixUdpChecksum() (which add/remove rules to fix improper checksum of DHCP packets, which is something not supported by nftables).

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/libvirt_private.syms          |  51 +--
 src/network/bridge_driver_linux.c |   1 +
 src/util/meson.build              |   1 +
 src/util/viriptables.c            | 522 +--------------------------
 src/util/viriptables.h            | 212 +++++------
 src/util/virnetfilter.c           | 570 ++++++++++++++++++++++++++++++
 src/util/virnetfilter.h           | 151 ++++++++
 7 files changed, 849 insertions(+), 659 deletions(-)
 create mode 100644 src/util/virnetfilter.c
 create mode 100644 src/util/virnetfilter.h
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 9f3868bbac..11b84a866a 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2550,30 +2550,6 @@ virInitctlSetRunLevel; iptablesAddOutputFixUdpChecksum; iptablesRemoveOutputFixUdpChecksum; iptablesSetupPrivateChains; -virNetfilterAddDontMasquerade; -virNetfilterAddForwardAllowCross; -virNetfilterAddForwardAllowIn; -virNetfilterAddForwardAllowOut; -virNetfilterAddForwardAllowRelatedIn; -virNetfilterAddForwardMasquerade; -virNetfilterAddForwardRejectIn; -virNetfilterAddForwardRejectOut; -virNetfilterAddTcpInput; -virNetfilterAddTcpOutput; -virNetfilterAddUdpInput; -virNetfilterAddUdpOutput; -virNetfilterRemoveDontMasquerade; -virNetfilterRemoveForwardAllowCross; -virNetfilterRemoveForwardAllowIn; -virNetfilterRemoveForwardAllowOut; -virNetfilterRemoveForwardAllowRelatedIn; -virNetfilterRemoveForwardMasquerade; -virNetfilterRemoveForwardRejectIn; -virNetfilterRemoveForwardRejectOut; -virNetfilterRemoveTcpInput; -virNetfilterRemoveTcpOutput; -virNetfilterRemoveUdpInput; -virNetfilterRemoveUdpOutput; =20 =20 # util/viriscsi.h 
@@ -2960,6 +2936,33 @@ virNetDevVPortProfileOpTypeFromString; virNetDevVPortProfileOpTypeToString; =20 =20 +# util/virnetfilter.h +virNetfilterAddDontMasquerade; +virNetfilterAddForwardAllowCross; +virNetfilterAddForwardAllowIn; +virNetfilterAddForwardAllowOut; +virNetfilterAddForwardAllowRelatedIn; +virNetfilterAddForwardMasquerade; +virNetfilterAddForwardRejectIn; +virNetfilterAddForwardRejectOut; +virNetfilterAddTcpInput; +virNetfilterAddTcpOutput; +virNetfilterAddUdpInput; +virNetfilterAddUdpOutput; +virNetfilterRemoveDontMasquerade; +virNetfilterRemoveForwardAllowCross; +virNetfilterRemoveForwardAllowIn; +virNetfilterRemoveForwardAllowOut; +virNetfilterRemoveForwardAllowRelatedIn; +virNetfilterRemoveForwardMasquerade; +virNetfilterRemoveForwardRejectIn; +virNetfilterRemoveForwardRejectOut; +virNetfilterRemoveTcpInput; +virNetfilterRemoveTcpOutput; +virNetfilterRemoveUdpInput; +virNetfilterRemoveUdpOutput; + + # util/virnetlink.h virNetlinkCommand; virNetlinkDelLink; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index da7d78a40a..e03c17b259 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -22,6 +22,7 @@ #include =20 #include "virfile.h" +#include "virnetfilter.h" #include "viriptables.h" #include "virstring.h" #include "virlog.h" diff --git a/src/util/meson.build b/src/util/meson.build index c2175f1098..aa570ed02a 100644 --- a/src/util/meson.build +++ b/src/util/meson.build @@ -69,6 +69,7 @@ util_sources =3D [ 'virnetdevveth.c', 'virnetdevvlan.c', 'virnetdevvportprofile.c', + 'virnetfilter.c', 'virnetlink.c', 'virnodesuspend.c', 'virnuma.c', diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 8db5bb3e4b..a85f3ea603 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -27,6 +27,7 @@ #include =20 #include "internal.h" +#include "virnetfilter.h" #include "viriptables.h" #include "virfirewalld.h" #include "virerror.h" 
@@ -37,11 +38,6 @@ VIR_LOG_INIT("util.iptables"); =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 -enum { - VIR_NETFILTER_INSERT =3D 0, - VIR_NETFILTER_DELETE -}; - typedef struct { const char *parent; const char *child; @@ -155,7 +151,7 @@ iptablesSetupPrivateChains(virFirewallLayer layer) } =20 =20 -static void +void iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, @@ -176,7 +172,7 @@ iptablesInput(virFirewall *fw, NULL); } =20 -static void +void iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, 
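Review bot: dropping the `VIR_NETFILTER_INSERT` / `VIR_NETFILTER_DELETE` enum from viriptables.c while turning `iptablesInput()`, `iptablesOutput()` and the other `iptables*()` helpers from `static` into exported functions means viriptables.c now depends on the `#include "virnetfilter.h"` added above to supply those two constants, so the enum has to become public in that header. Since the exported helpers receive the value as a bare `int action` (and the protocol selector as `int tcp`), consider giving the enum a typedef name and using it in the prototypes, with `bool` for `tcp`, so a swapped or stray argument is caught by the compiler rather than silently producing a delete where an insert was meant.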
@@ -197,155 +193,11 @@ iptablesOutput(virFirewall *fw, NULL); } =20 -/** - * virNetfilterAddTcpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to add - * - * Add an input to the IP table allowing access to the given @port on - * the given @iface interface for TCP packets - */ -void -virNetfilterAddTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); -} - -/** - * virNetfilterRemoveTcpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to remove - * - * Removes an input from the IP table, hence forbidding access to the given - * @port on the given @iface interface for TCP packets - */ -void -virNetfilterRemoveTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); -} - -/** - * virNetfilterAddUdpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to add - * - * Add an input to the IP table allowing access to the given @port on - * the given @iface interface for UDP packets - */ -void -virNetfilterAddUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); -} - -/** - * virNetfilterRemoveUdpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an input from the IP table, hence forbidding access to the given - * @port on the given @iface interface for UDP packets - */ -void -virNetfilterRemoveUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); -} - -/** - * virNetfilterAddTcpOutput: - * @ctx: pointer to the IP table context - * @iface: the 
interface name - * @port: the TCP port to add - * - * Add an output to the IP table allowing access to the given @port from - * the given @iface interface for TCP packets - */ -void -virNetfilterAddTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); -} - -/** - * virNetfilterRemoveTcpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an output from the IP table, hence forbidding access to the giv= en - * @port from the given @iface interface for TCP packets - */ -void -virNetfilterRemoveTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); -} - -/** - * virNetfilterAddUdpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to add - * - * Add an output to the IP table allowing access to the given @port from - * the given @iface interface for UDP packets - */ -void -virNetfilterAddUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); -} - -/** - * virNetfilterRemoveUdpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an output from the IP table, hence forbidding access to the giv= en - * @port from the given @iface interface for UDP packets - */ -void -virNetfilterRemoveUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); -} - =20 /* Allow all traffic coming from the bridge, with a valid network address * to proceed to WAN */ -static int +int iptablesForwardAllowOut(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, 
@@ -383,59 +235,11 @@ iptablesForwardAllowOut(virFirewall *fw, return 0; } =20 -/** - * virNetfilterAddForwardAllowOut: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the source interface name - * @physdev: the physical output device - * - * Add a rule to the IP table context to allow the traffic for the - * network @network via interface @iface to be forwarded to - * @physdev device. This allow the outbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardAllowOut: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the source interface name - * @physdev: the physical output device - * - * Remove a rule from the IP table context hence forbidding forwarding - * of the traffic for the network @network via interface @iface - * to the @physdev device output. This stops the outbound traffic on a bri= dge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} - =20 /* Allow all traffic destined to the bridge, with a valid network address * and associated with an existing connection */ -static int +int iptablesForwardAllowRelatedIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, 
@@ -477,57 +281,10 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, return 0; } =20 -/** - * virNetfilterAddForwardAllowRelatedIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Add rules to the IP table context to allow the traffic for the - * network @network on @physdev device to be forwarded to - * interface @iface, if it is part of an existing connection. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardAllowRelatedIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Remove rules from the IP table context hence forbidding the traffic for - * network @network on @physdev device to be forwarded to - * interface @iface, if it is part of an existing connection. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_NETFILTER_DELETE); -} =20 /* Allow all traffic destined to the bridge, with a valid network address */ -static int +int iptablesForwardAllowIn(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, 
@@ -564,55 +321,8 @@ iptablesForwardAllowIn(virFirewall *fw, return 0; } =20 -/** - * virNetfilterAddForwardAllowIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Add rules to the IP table context to allow the traffic for the - * network @network on @physdev device to be forwarded to - * interface @iface. This allow the inbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} =20 -/** - * virNetfilterRemoveForwardAllowIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Remove rules from the IP table context hence forbidding the traffic for - * network @network on @physdev device to be forwarded to - * interface @iface. This stops the inbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} - -static void +void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, 
@@ -628,45 +338,8 @@ iptablesForwardAllowCross(virFirewall *fw, NULL); } =20 -/** - * virNetfilterAddForwardAllowCross: - * @ctx: pointer to the IP table context - * @iface: the input/output interface name - * - * Add rules to the IP table context to allow traffic to cross that - * interface. It allows all traffic between guests on the same bridge - * represented by that interface. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterAddForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); -} =20 -/** - * virNetfilterRemoveForwardAllowCross: - * @ctx: pointer to the IP table context - * @iface: the input/output interface name - * - * Remove rules to the IP table context to block traffic to cross that - * interface. It forbids traffic between guests on the same bridge - * represented by that interface. - * - * Returns 0 in case of success or an error code otherwise - */ void -virNetfilterRemoveForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); -} - -static void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, 
@@ -681,44 +354,8 @@ iptablesForwardRejectOut(virFirewall *fw, NULL); } =20 -/** - * virNetfilterAddForwardRejectOut: - * @ctx: pointer to the IP table context - * @iface: the output interface name - * - * Add rules to the IP table context to forbid all traffic to that - * interface. It forbids forwarding from the bridge to that interface. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterAddForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); -} =20 -/** - * virNetfilterRemoveForwardRejectOut: - * @ctx: pointer to the IP table context - * @iface: the output interface name - * - * Remove rules from the IP table context forbidding all traffic to that - * interface. It reallow forwarding from the bridge to that interface. - * - * Returns 0 in case of success or an error code otherwise - */ void -virNetfilterRemoveForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); -} - - -static void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, 
@@ -733,47 +370,11 @@ iptablesForwardRejectIn(virFirewall *fw, NULL); } =20 -/** - * virNetfilterAddForwardRejectIn: - * @ctx: pointer to the IP table context - * @iface: the input interface name - * - * Add rules to the IP table context to forbid all traffic from that - * interface. It forbids forwarding from that interface to the bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterAddForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardRejectIn: - * @ctx: pointer to the IP table context - * @iface: the input interface name - * - * Remove rules from the IP table context forbidding all traffic from that - * interface. It allows forwarding from that interface to the bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -void -virNetfilterRemoveForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); -} - =20 /* Masquerade all traffic coming from the network associated * with the bridge */ -static int +int iptablesForwardMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, 
@@ -868,65 +469,11 @@ iptablesForwardMasquerade(virFirewall *fw, return 0; } =20 -/** - * virNetfilterAddForwardMasquerade: - * @ctx: pointer to the IP table context - * @network: the source network name - * @physdev: the physical input device or NULL - * @protocol: the network protocol or NULL - * - * Add rules to the IP table context to allow masquerading - * network @network on @physdev. This allow the bridge to - * masquerade for that network (on @physdev). - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterAddForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) -{ - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_NETFILTER_INSERT); -} - -/** - * virNetfilterRemoveForwardMasquerade: - * @ctx: pointer to the IP table context - * @network: the source network name - * @physdev: the physical input device or NULL - * @protocol: the network protocol or NULL - * - * Remove rules from the IP table context to stop masquerading - * network @network on @physdev. This stops the bridge from - * masquerading for that network (on @physdev). - * - * Returns 0 in case of success or an error code otherwise - */ -int -virNetfilterRemoveForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) -{ - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_NETFILTER_DELETE); -} - =20 /* Don't masquerade traffic coming from the network associated with the br= idge * if said traffic targets @destaddr. */ -static int +int iptablesForwardDontMasquerade(virFirewall *fw, virSocketAddr *netaddr, unsigned int prefix, 
@@ -964,57 +511,6 @@ iptablesForwardDontMasquerade(virFirewall *fw, return 0; } =20 -/** - * virNetfilterAddDontMasquerade: - * @netaddr: the source network name - * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr - * @physdev: the physical output device or NULL - * @destaddr: the destination network not to masquerade for - * - * Add rules to the IP table context to avoid masquerading from - * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables/nftables, it must not depend on user in= put or - * configuration. - * - * Returns 0 in case of success or an error code otherwise. - */ -int -virNetfilterAddDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) -{ - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, VIR_NETFILTER_= INSERT); -} - -/** - * virNetfilterRemoveDontMasquerade: - * @netaddr: the source network name - * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr - * @physdev: the physical output device or NULL - * @destaddr: the destination network not to masquerade for - * - * Remove rules from the IP table context that prevent masquerading from - * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables/nftables, it must not depend on user in= put or - * configuration. - * - * Returns 0 in case of success or an error code otherwise. - */ -int -virNetfilterRemoveDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) -{ - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_NETFILTER_DELETE); -} - =20 static void iptablesOutputFixUdpChecksum(virFirewall *fw, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 610c4dccde..6ea589121e 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -23,133 +23,101 @@ #include "virsocketaddr.h" #include "virfirewall.h" =20 +/* These functions are (currently) called directly from the consumer + * (e.g. the network driver), and only when the iptables backend is + * selected. (Possibly/probably functions should be added to the + * netfilter*() API that will call them instead, but that first + * requires untangling all the special cases for setting up private + * chains that are necessitated by firewalld reloads). + */ int iptablesSetupPrivateChains (virFirewallLayer layer); =20 -void virNetfilterAddTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void virNetfilterAddUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void virNetfilterAddTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterAddUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void virNetfilterRemoveUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -int virNetfilterAddForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netad= dr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int 
virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *ne= taddr, - unsigned int pref= ix, - const char *iface, - const char *physd= ev) - G_GNUC_WARN_UNUSED_RESULT; - -int virNetfilterAddForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -void virNetfilterAddForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void virNetfilterRemoveForwardAllowCross(virFirewall *fw, - virFirewallLayer laye= r, - const char *iface); - -void virNetfilterAddForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void virNetfilterRemoveForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void virNetfilterAddForwardRejectIn (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void virNetfilterRemoveForwardRejectIn(virFirewall *fw, - virFirewallLayer layery, - const char *iface); - -int virNetfilterAddForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveForwardMasquerade(virFirewall *fw, - virSocketAddr *netadd= r, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *a= ddr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterAddDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -int virNetfilterRemoveDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - 
G_GNUC_WARN_UNUSED_RESULT; void iptablesAddOutputFixUdpChecksum (virFirewall *fw, const char *iface, int port); void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw, const char *iface, int port); + +/* These functions are only called from virnetfilter.c. Each can be + * called with an action of VIR_NETFILTER_INSERT or + * VIR_NETFILTER_DELETE, to add or remove the described rule(s) in the + * appropriate chain. + */ + +void +iptablesInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int action, + int tcp); + +void +iptablesOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int action, + int tcp); + +int +iptablesForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action); + +int +iptablesForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action); + +int +iptablesForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action); + + +void +iptablesForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action); + +void +iptablesForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action); + +void +iptablesForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action); + +int +iptablesForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + int action); + +int +iptablesForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + int action); diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c new file mode 100644 index 0000000000..efe2ca01dc --- /dev/null 
+++ b/src/util/virnetfilter.c 
@@ -0,0 +1,570 @@ +/* + * virnetfilter.c: backend-agnostic packet filter helper APIs + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include +#include +#include +#include +#include + +#include "internal.h" +#include "virnetfilter.h" +#include "viriptables.h" +#include "vircommand.h" +#include "viralloc.h" +#include "virerror.h" +#include "virfile.h" +#include "virlog.h" +#include "virthread.h" +#include "virstring.h" +#include "virutil.h" +#include "virhash.h" + +VIR_LOG_INIT("util.netfilter"); + +#define VIR_FROM_THIS VIR_FROM_NONE + + +/** + * virNetfilterAddTcpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to add + * + * Add an input to the IP table allowing access to the given @port on + * the given @iface interface for TCP packets + */ +void +virNetfilterAddTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); +} + + +/** + * virNetfilterRemoveTcpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to remove + * + * Removes an input from the IP table, hence forbidding access to the given + * @port on the given @iface interface for TCP packets + */ +void +virNetfilterRemoveTcpInput(virFirewall *fw, 
+ virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); +} + + +/** + * virNetfilterAddUdpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to add + * + * Add an input to the IP table allowing access to the given @port on + * the given @iface interface for UDP packets + */ +void +virNetfilterAddUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); +} + + +/** + * virNetfilterRemoveUdpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an input from the IP table, hence forbidding access to the given + * @port on the given @iface interface for UDP packets + */ +void +virNetfilterRemoveUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); +} + + +/** + * virNetfilterAddTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to add + * + * Add an output to the IP table allowing access to the given @port from + * the given @iface interface for TCP packets + */ +void +virNetfilterAddTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); +} + + +/** + * virNetfilterRemoveTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an output from the IP table, hence forbidding access to the giv= en + * @port from the given @iface interface for TCP packets + */ +void +virNetfilterRemoveTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); +} + + +/** + * 
virNetfilterAddUdpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to add + * + * Add an output to the IP table allowing access to the given @port from + * the given @iface interface for UDP packets + */ +void +virNetfilterAddUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); +} + + +/** + * virNetfilterRemoveUdpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an output from the IP table, hence forbidding access to the giv= en + * @port from the given @iface interface for UDP packets + */ +void +virNetfilterRemoveUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); +} + + +/** + * virNetfilterAddForwardAllowOut: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the source interface name + * @physdev: the physical output device + * + * Add a rule to the IP table context to allow the traffic for the + * network @network via interface @iface to be forwarded to + * @physdev device. This allow the outbound traffic on a bridge. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowOut: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the source interface name + * @physdev: the physical output device + * + * Remove a rule from the IP table context hence forbidding forwarding + * of the traffic for the network @network via interface @iface + * to the @physdev device output. This stops the outbound traffic on a bri= dge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardAllowRelatedIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Add rules to the IP table context to allow the traffic for the + * network @network on @physdev device to be forwarded to + * interface @iface, if it is part of an existing connection. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowRelatedIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Remove rules from the IP table context hence forbidding the traffic for + * network @network on @physdev device to be forwarded to + * interface @iface, if it is part of an existing connection. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardAllowIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Add rules to the IP table context to allow the traffic for the + * network @network on @physdev device to be forwarded to + * interface @iface. This allow the inbound traffic on a bridge. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Remove rules from the IP table context hence forbidding the traffic for + * network @network on @physdev device to be forwarded to + * interface @iface. This stops the inbound traffic on a bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardAllowCross: + * @ctx: pointer to the IP table context + * @iface: the input/output interface name + * + * Add rules to the IP table context to allow traffic to cross that + * interface. It allows all traffic between guests on the same bridge + * represented by that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardAllowCross: + * @ctx: pointer to the IP table context + * @iface: the input/output interface name + * + * Remove rules to the IP table context to block traffic to cross that + * interface. It forbids traffic between guests on the same bridge + * represented by that interface. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardRejectOut: + * @ctx: pointer to the IP table context + * @iface: the output interface name + * + * Add rules to the IP table context to forbid all traffic to that + * interface. It forbids forwarding from the bridge to that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterAddForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); +} + +/** + * virNetfilterRemoveForwardRejectOut: + * @ctx: pointer to the IP table context + * @iface: the output interface name + * + * Remove rules from the IP table context forbidding all traffic to that + * interface. It reallow forwarding from the bridge to that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardRejectIn: + * @ctx: pointer to the IP table context + * @iface: the input interface name + * + * Add rules to the IP table context to forbid all traffic from that + * interface. It forbids forwarding from that interface to the bridge. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterAddForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardRejectIn: + * @ctx: pointer to the IP table context + * @iface: the input interface name + * + * Remove rules from the IP table context forbidding all traffic from that + * interface. It allows forwarding from that interface to the bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +void +virNetfilterRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddForwardMasquerade: + * @ctx: pointer to the IP table context + * @network: the source network name + * @physdev: the physical input device or NULL + * @protocol: the network protocol or NULL + * + * Add rules to the IP table context to allow masquerading + * network @network on @physdev. This allow the bridge to + * masquerade for that network (on @physdev). + * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + return iptablesForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_NETFILTER_INSERT); +} + + +/** + * virNetfilterRemoveForwardMasquerade: + * @ctx: pointer to the IP table context + * @network: the source network name + * @physdev: the physical input device or NULL + * @protocol: the network protocol or NULL + * + * Remove rules from the IP table context to stop masquerading + * network @network on @physdev. This stops the bridge from + * masquerading for that network (on @physdev). 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + return iptablesForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_NETFILTER_DELETE); +} + + +/** + * virNetfilterAddDontMasquerade: + * @netaddr: the source network name + * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr + * @physdev: the physical output device or NULL + * @destaddr: the destination network not to masquerade for + * + * Add rules to the IP table context to avoid masquerading from + * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format + * directly consumable by iptables/nftables, it must not depend on user in= put or + * configuration. + * + * Returns 0 in case of success or an error code otherwise. + */ +int +virNetfilterAddDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, VIR_NETFILTER_= INSERT); +} + + +/** + * virNetfilterRemoveDontMasquerade: + * @netaddr: the source network name + * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr + * @physdev: the physical output device or NULL + * @destaddr: the destination network not to masquerade for + * + * Remove rules from the IP table context that prevent masquerading from + * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format + * directly consumable by iptables/nftables, it must not depend on user in= put or + * configuration. + * + * Returns 0 in case of success or an error code otherwise. 
+ */ +int +virNetfilterRemoveDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_NETFILTER_DELETE); +} diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h new file mode 100644 index 0000000000..c75f7eccbd --- /dev/null +++ b/src/util/virnetfilter.h 
@@ -0,0 +1,151 @@ +/* + * virnetfilter.h: backend-agnostic packet filter helper APIs + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#pragma once + +#include "virsocketaddr.h" +#include "virfirewall.h" + +enum { + VIR_NETFILTER_INSERT =3D 0, + VIR_NETFILTER_DELETE +}; + +void virNetfilterAddTcpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveTcpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterAddUdpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveUdpInput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); + +void virNetfilterAddTcpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveTcpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterAddUdpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); +void virNetfilterRemoveUdpOutput (virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port); + +int virNetfilterAddForwardAllowOut (virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int 
virNetfilterRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netad= dr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *ne= taddr, + unsigned int pref= ix, + const char *iface, + const char *physd= ev) + G_GNUC_WARN_UNUSED_RESULT; + +int virNetfilterAddForwardAllowIn (virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + G_GNUC_WARN_UNUSED_RESULT; + +void virNetfilterAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface); +void virNetfilterRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer laye= r, + const char *iface); + +void virNetfilterAddForwardRejectOut (virFirewall *fw, + virFirewallLayer layer, + const char *iface); +void virNetfilterRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface); + +void virNetfilterAddForwardRejectIn (virFirewall *fw, + virFirewallLayer layer, + const char *iface); +void virNetfilterRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layery, + const char *iface); + +int virNetfilterAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netadd= r, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *a= ddr, + virPortRange *port, + const char *protocol) + 
G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterAddDontMasquerade (virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) + G_GNUC_WARN_UNUSED_RESULT; +int virNetfilterRemoveDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) + G_GNUC_WARN_UNUSED_RESULT; -- 2.39.2
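Review bot: the doc comments in the new virnetfilter.c were carried over from the old iptables-context API and no longer describe the signatures under them. Every function documents `@ctx: pointer to the IP table context` while its first parameter is `virFirewall *fw`; `@layer`, `@netaddr` and `@prefix` are never documented (the ForwardAllow*/Masquerade comments still talk about `@network: the source network name`); `virNetfilterRemoveTcpOutput` says `@port: the UDP port to remove` for a TCP rule; and the void functions `virNetfilter{Add,Remove}ForwardAllowCross`, `virNetfilter{Add,Remove}ForwardRejectOut` and `virNetfilter{Add,Remove}ForwardRejectIn` still end with `Returns 0 in case of success or an error code otherwise`. Since this is a new file, fix the comments here rather than carry the drift forward. The include list (vircommand.h, viralloc.h, virfile.h, virthread.h, virstring.h, virutil.h, virhash.h) also looks copied from viriptables.c; a file that only forwards calls needs virnetfilter.h, viriptables.h and the logging header.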
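Review bot: typo in the virnetfilter.h prototype of virNetfilterRemoveForwardRejectIn: the second parameter is spelled `virFirewallLayer layery` while the definition in virnetfilter.c and every neighbouring prototype use `layer`. It compiles, because parameter names in a declaration are not significant, but it should read `virFirewallLayer layer`.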
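Review bot: the comments on virNetfilterAddDontMasquerade and virNetfilterRemoveDontMasquerade state that `@destaddr` must be in a format directly consumable by iptables/nftables and must not depend on user input or configuration, but nothing in the code enforces that: the string is passed straight through to iptablesForwardDontMasquerade and ends up as an argument of the rule. If every caller passes a compile-time constant, say so in the comment; otherwise the check belongs here, at the backend-agnostic layer, rather than in each backend, for example by parsing it with the virsocketaddr helpers, or at minimum rejecting a value that starts with `-` so it cannot be read as an option by the tool being invoked.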
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 06/28] util: make netfilter action a proper typedefed (virFirewall) enum
Date: Sun, 30 Apr 2023 23:19:21 -0400
Message-Id: <20230501031943.288145-7-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

and take advantage of this to replace all the ternary operators when calling virFirewallAddRule() with virIptablesActionTypeToString(). (NB: the VIR_ENUM declaration uses "virIptablesAction" rather than "virFirewallAction" because the string it produces is specific to the iptables backend. A separate VIR_ENUM for "virNftablesAction", producing slightly different strings, will be added later for the nftables backend.)
Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/util/virfirewall.h | 8 +++++ src/util/viriptables.c | 69 ++++++++++++++++++++++++----------------- src/util/viriptables.h | 21 +++++++------ src/util/virnetfilter.c | 49 +++++++++++++++-------------- src/util/virnetfilter.h | 5 --- 5 files changed, 84 insertions(+), 68 deletions(-) diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 0f40dae859..ed0bc8b6f7 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -34,6 +34,14 @@ typedef enum { VIR_FIREWALL_LAYER_LAST, } virFirewallLayer; =20 +typedef enum { + VIR_FIREWALL_ACTION_INSERT, + VIR_FIREWALL_ACTION_APPEND, + VIR_FIREWALL_ACTION_DELETE, + + VIR_FIREWALL_ACTION_LAST +} virFirewallAction; + virFirewall *virFirewallNew(void); =20 void virFirewallFree(virFirewall *firewall); diff --git a/src/util/viriptables.c b/src/util/viriptables.c index a85f3ea603..dc2a4335bf 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -33,11 +33,22 @@ #include "virerror.h" #include "virlog.h" #include "virhash.h" +#include "virenum.h" =20 VIR_LOG_INIT("util.iptables"); =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 + +VIR_ENUM_DECL(virIptablesAction); +VIR_ENUM_IMPL(virIptablesAction, + VIR_FIREWALL_ACTION_LAST, + "--insert", + "--append", + "--delete", +); + + typedef struct { const char *parent; const char *child; @@ -156,14 +167,14 @@ iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp) { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", + virIptablesActionTypeToString(action), "LIBVIRT_INP", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", 
@@ -177,14 +188,14 @@ iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp) { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", + virIptablesActionTypeToString(action), "LIBVIRT_OUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -203,7 +214,7 @@ iptablesForwardAllowOut(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + virFirewallAction action) { g_autofree char *networkstr =3D NULL; virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? @@ -215,7 +226,7 @@ iptablesForwardAllowOut(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -225,7 +236,7 @@ iptablesForwardAllowOut(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -245,7 +256,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + virFirewallAction action) { virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -257,7 +268,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, 
@@ -269,7 +280,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, @@ -290,7 +301,7 @@ iptablesForwardAllowIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action) + virFirewallAction action) { virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -302,7 +313,7 @@ iptablesForwardAllowIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, @@ -312,7 +323,7 @@ iptablesForwardAllowIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, @@ -326,11 +337,11 @@ void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + virFirewallAction action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWX", "--in-interface", iface, "--out-interface", iface, @@ -343,11 +354,11 @@ void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + virFirewallAction action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWO", "--in-interface", iface, "--jump", "REJECT", 
@@ -359,11 +370,11 @@ void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action) + virFirewallAction action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", + virIptablesActionTypeToString(action), "LIBVIRT_FWI", "--out-interface", iface, "--jump", "REJECT", @@ -382,7 +393,7 @@ iptablesForwardMasquerade(virFirewall *fw, virSocketAddrRange *addr, virPortRange *port, const char *protocol, - int action) + virFirewallAction action) { g_autofree char *networkstr =3D NULL; g_autofree char *addrStartStr =3D NULL; @@ -409,7 +420,7 @@ iptablesForwardMasquerade(virFirewall *fw, if (protocol && protocol[0]) { rule =3D virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--source", networkstr, "-p", protocol, @@ -418,7 +429,7 @@ iptablesForwardMasquerade(virFirewall *fw, } else { rule =3D virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--source", networkstr, "!", "--destination", networkstr, @@ -479,7 +490,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, unsigned int prefix, const char *physdev, const char *destaddr, - int action) + virFirewallAction action) { g_autofree char *networkstr =3D NULL; virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? @@ -491,7 +502,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--out-interface", physdev, "--source", networkstr, 
@@ -501,7 +512,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--source", networkstr, "--destination", destaddr, @@ -516,13 +527,13 @@ static void iptablesOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port, - int action) + virFirewallAction action) { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", + virIptablesActionTypeToString(action), "LIBVIRT_PRT", "--out-interface", iface, "--protocol", "udp", @@ -547,7 +558,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_FIREWALL_ACTION_INSE= RT); } =20 /** @@ -564,5 +575,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_FIREWALL_ACTION_DELE= TE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 6ea589121e..17f43a8fa8 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -22,6 +22,7 @@ =20 #include "virsocketaddr.h" #include "virfirewall.h" +#include "virnetfilter.h" =20 /* These functions are (currently) called directly from the consumer * (e.g. the network driver), and only when the iptables backend is @@ -50,7 +51,7 @@ iptablesInput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp); =20 void @@ -58,7 +59,7 @@ iptablesOutput(virFirewall *fw, virFirewallLayer layer, const char *iface, int port, - int action, + virFirewallAction action, int tcp); =20 int 
@@ -67,7 +68,7 @@ iptablesForwardAllowOut(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action); + virFirewallAction action); =20 int iptablesForwardAllowRelatedIn(virFirewall *fw, @@ -75,7 +76,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action); + virFirewallAction action); =20 int iptablesForwardAllowIn(virFirewall *fw, @@ -83,26 +84,26 @@ iptablesForwardAllowIn(virFirewall *fw, unsigned int prefix, const char *iface, const char *physdev, - int action); + virFirewallAction action); =20 =20 void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action); + virFirewallAction action); =20 void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action); + virFirewallAction action); =20 void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface, - int action); + virFirewallAction action); =20 int iptablesForwardMasquerade(virFirewall *fw, @@ -112,7 +113,7 @@ iptablesForwardMasquerade(virFirewall *fw, virSocketAddrRange *addr, virPortRange *port, const char *protocol, - int action); + virFirewallAction action); =20 int iptablesForwardDontMasquerade(virFirewall *fw, @@ -120,4 +121,4 @@ iptablesForwardDontMasquerade(virFirewall *fw, unsigned int prefix, const char *physdev, const char *destaddr, - int action); + virFirewallAction action); diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index efe2ca01dc..10c1a54e26 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -59,7 +59,7 @@ virNetfilterAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); } =20 =20 
@@ -78,7 +78,7 @@ virNetfilterRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); } =20 =20 @@ -97,7 +97,7 @@ virNetfilterAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); } =20 =20 @@ -116,7 +116,7 @@ virNetfilterRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); } =20 =20 @@ -135,7 +135,7 @@ virNetfilterAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); } =20 =20 @@ -154,7 +154,7 @@ virNetfilterRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); } =20 =20 @@ -173,7 +173,7 @@ virNetfilterAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); } =20 =20 @@ -192,7 +192,7 @@ virNetfilterRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); + iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); } =20 =20 @@ -217,7 +217,7 @@ virNetfilterAddForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } =20 =20 
@@ -242,7 +242,7 @@ virNetfilterRemoveForwardAllowOut(virFirewall *fw, const char *physdev) { return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -267,7 +267,7 @@ virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -292,7 +292,7 @@ virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -317,7 +317,7 @@ virNetfilterAddForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -342,7 +342,7 @@ virNetfilterRemoveForwardAllowIn(virFirewall *fw, const char *physdev) { return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -362,7 +362,7 @@ virNetfilterAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT= ); } =20 =20 @@ -382,7 +382,7 @@ virNetfilterRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE= ); } =20 =20 @@ -401,7 +401,7 @@ virNetfilterAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } =20 /** 
@@ -419,7 +419,7 @@ virNetfilterRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -438,7 +438,7 @@ virNetfilterAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); + iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -457,7 +457,7 @@ virNetfilterRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); + iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -485,7 +485,7 @@ virNetfilterAddForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_INSERT); + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -513,7 +513,7 @@ virNetfilterRemoveForwardMasquerade(virFirewall *fw, { return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -539,7 +539,8 @@ virNetfilterAddDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, VIR_NETFILTER_= INSERT); + physdev, destaddr, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -566,5 +567,5 @@ virNetfilterRemoveDontMasquerade(virFirewall *fw, { return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - VIR_NETFILTER_DELETE); + VIR_FIREWALL_ACTION_DELETE); } diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index c75f7eccbd..c8b91f16eb 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h 
@@ -23,11 +23,6 @@ #include "virsocketaddr.h" #include "virfirewall.h" =20 -enum { - VIR_NETFILTER_INSERT =3D 0, - VIR_NETFILTER_DELETE -}; - void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911237; cv=none; d=zohomail.com; s=zohoarc; b=jwKetcs10chQT+Q3QeByQ9db+2HifI/NfWNoce43g86s9ND0RosWY20/hh6REZL+3kXiGWl/F91xEljKWdQRLyXIdAJd0Y+LggUOByyDzsH7zvjgnTzNXfO3utguckKZW9iRNyL51s42QK4kULgCoIV48nx6DlxKlX2d1ylc+o8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911237; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=WIOaaylsseqypYUtaD8ON+dTNVsAv0YZZnkFcA5GcXQ=; b=X5TxoB8y+0GKbIK7FOWkPO7WoYSeR1w8BzVOXqxkUJFku70S3G/N1mEwkZSikknxsmiGyOgEpvUUTQHHFRvkjgtgIg1HEP6Mw7sUTDJVzv1/enjxUOHfvdHMHzRHaIXxm5f8vNYjz6fJNmxVGLDTM19j7ngQWQA2PrtdHIxk2Yc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 168291123691154.302125559411934; Sun, 30 Apr 2023 20:20:36 -0700 
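Review bot: in the viriptables.h hunk, the added `#include "virnetfilter.h"` is not needed by anything this patch changes in that header: the `int action` to `virFirewallAction action` prototype changes only need virfirewall.h, which the header already includes on the line above. If the include is preparation for a later patch in the series, say so in the commit message or move it to the patch that uses it, since viriptables.h pulling in virnetfilter.h while virnetfilter.c is the caller of the iptables* functions inverts the layering between the two files.

Review bot: in the viriptables.c hunks, replacing `action == VIR_NETFILTER_INSERT ? "--insert" : "--delete"` with `virIptablesActionTypeToString(action)` changes the failure mode for an out-of-range value. The ternary always produced one of the two strings, whereas a VIR_ENUM TypeToString conversion returns NULL for a value outside the enum, and a NULL in the middle of the NULL-terminated `virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), ...)` argument list ends the list early, so the rule would silently be built as just `--table filter` (or `nat`/`mangle`). The enum parameter type makes this unlikely, but a `virReportEnumRangeError(virFirewallAction, action)` check at the top of these helpers would make a bad value fail loudly instead of producing a truncated rule.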
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 07/28] util: #define the names used for private packet filter chains
Date: Sun, 30 Apr 2023 23:19:22 -0400
Message-Id: <20230501031943.288145-8-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

This is done so that we can be sure we're using the same chain name for iptables and nftables. Not strictly necessary, but it will make documentation and troubleshooting simpler.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/util/viriptables.c | 44 ++++++++++++++++++++---------------------
 src/util/virnetfilter.h | 7 +++++++
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c index dc2a4335bf..a0c35887c5 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c
@@ -120,14 +120,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer) { g_autoptr(virFirewall) fw =3D virFirewallNew(); iptablesGlobalChain filter_chains[] =3D { - {"INPUT", "LIBVIRT_INP"}, - {"OUTPUT", "LIBVIRT_OUT"}, - {"FORWARD", "LIBVIRT_FWO"}, - {"FORWARD", "LIBVIRT_FWI"}, - {"FORWARD", "LIBVIRT_FWX"}, + {"INPUT", VIR_NETFILTER_INPUT_CHAIN}, + {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN}, }; iptablesGlobalChain natmangle_chains[] =3D { - {"POSTROUTING", "LIBVIRT_PRT"}, + {"POSTROUTING", VIR_NETFILTER_NAT_POSTROUTE_CHAIN}, }; bool changed =3D false; iptablesGlobalChainData data[] =3D { @@ -175,7 +175,7 @@ iptablesInput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_INP", + VIR_NETFILTER_INPUT_CHAIN, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -196,7 +196,7 @@ iptablesOutput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_OUT", + VIR_NETFILTER_OUTPUT_CHAIN, "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -227,7 +227,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -237,7 +237,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", 
@@ -269,7 +269,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -281,7 +281,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -314,7 +314,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -324,7 +324,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -342,7 +342,7 @@ iptablesForwardAllowCross(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWX", + VIR_NETFILTER_FWD_X_CHAIN, "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -359,7 +359,7 @@ iptablesForwardRejectOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--in-interface", iface, "--jump", "REJECT", NULL); @@ -375,7 +375,7 @@ iptablesForwardRejectIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--out-interface", iface, "--jump", "REJECT", NULL); 
@@ -421,7 +421,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -430,7 +430,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -503,7 +503,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -513,7 +513,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -534,7 +534,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index c8b91f16eb..b515512ad7 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h 
@@ -23,6 +23,13 @@ #include "virsocketaddr.h" #include "virfirewall.h" =20 +#define VIR_NETFILTER_INPUT_CHAIN "LIBVIRT_INP" +#define VIR_NETFILTER_OUTPUT_CHAIN "LIBVIRT_OUT" +#define VIR_NETFILTER_FWD_IN_CHAIN "LIBVIRT_FWI" +#define VIR_NETFILTER_FWD_OUT_CHAIN "LIBVIRT_FWO" +#define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX" +#define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" + void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911449; cv=none; d=zohomail.com; s=zohoarc; b=UUCo6p9WGm+vgNhwi8GeB7TSFsfNwzNTuVa60ukIs3YAotM3QTV7ux/LpOfOqK2q0f1d2AasQNOwF3ahuHx55QawHmytXxaMw0L8f2KUY6dFbZskoJQxEOCzMXAqSGhcS/mEkdv8gsHUF8bnmcpNgvaeXLBEoeeQ/7pV9WOG4Yc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911449; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Dn6YQe9ROUFCoJENCxxOriVzpFeDVBB4KE0iLk7ZzZA=; b=EpifkAc0PWPvGJSO5T1MjWw36wWT6AEx/rFhgLGJmPMWeuC133/hWjcPEiZuE5I7tiwx1kfDzP0aLrCL1ZtOY/qyAR/oVpzYkwb92wGTdrCiTATdeEqs79BoeV+uuGEca6iDaw3NFz79OWNA+flzrHE+YhlZ0HH0P4DEWbNqIoI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass 
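Review bot: in the virnetfilter.h hunk, the name `VIR_NETFILTER_NAT_POSTROUTE_CHAIN` undersells what "LIBVIRT_PRT" is: the iptablesSetupPrivateChains hunk creates it through `natmangle_chains[]`, i.e. in both the nat and the mangle tables, and the iptablesOutputFixUdpChecksum hunk uses the same macro right after `"--table", "mangle"`. Either drop `NAT_` from the macro name (VIR_NETFILTER_POSTROUTE_CHAIN, for example) or add a comment above the #defines stating that one chain name is created in both tables; otherwise a reader of the mangle rule will assume the wrong chain is being targeted.

Review bot: the six #defines in the virnetfilter.h hunk carry no comment. Since the commit message says they exist so the iptables and nftables backends share names and to make troubleshooting simpler, a one-line comment per chain (which built-in chain it hangs off, and that FWD_X is the same-interface cross-traffic chain) is cheap documentation for whoever is reading `iptables -S` output against this header.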
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 08/28] util: move/rename virFirewallApplyRuleDirect to virIptablesApplyFirewallRule
Date: Sun, 30 Apr 2023 23:19:23 -0400
Message-Id: <20230501031943.288145-9-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

This is the only iptables-specific function in all of virfirewall.c. By moving it to viriptables.c (with appropriate renaming), and calling it indirectly through a similarly named wrapper function in virnetfilter.c, we have made virfirewall.c backend agnostic (the new wrapper function will soon be calling either virIptablesApplyFirewallRule() or (to-be-created) virNftablesApplyFirewallRule() depending on the backend chosen when creating the virFirewall object).
Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 72 ++----------------------------------- src/util/viriptables.c | 78 ++++++++++++++++++++++++++++++++++++++++ src/util/viriptables.h | 6 ++++ src/util/virnetfilter.c | 19 ++++++++++ src/util/virnetfilter.h | 3 ++ 6 files changed, 110 insertions(+), 70 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 11b84a866a..cf68e4c942 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2550,6 +2550,7 @@ virInitctlSetRunLevel; iptablesAddOutputFixUdpChecksum; iptablesRemoveOutputFixUdpChecksum; iptablesSetupPrivateChains; +virIptablesApplyFirewallRule; =20 =20 # util/viriscsi.h @@ -2949,6 +2950,7 @@ virNetfilterAddTcpInput; virNetfilterAddTcpOutput; virNetfilterAddUdpInput; virNetfilterAddUdpOutput; +virNetfilterApplyFirewallRule; virNetfilterRemoveDontMasquerade; virNetfilterRemoveForwardAllowCross; virNetfilterRemoveForwardAllowIn; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index e3ba8f7846..6603fd6341 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -24,6 +24,7 @@ =20 #include "virfirewall.h" #include "virfirewalld.h" +#include "virnetfilter.h" #include "viralloc.h" #include "virerror.h" #include "vircommand.h" @@ -37,14 +38,6 @@ VIR_LOG_INIT("util.firewall"); =20 typedef struct _virFirewallGroup virFirewallGroup; =20 -VIR_ENUM_DECL(virFirewallLayerCommand); -VIR_ENUM_IMPL(virFirewallLayerCommand, - VIR_FIREWALL_LAYER_LAST, - EBTABLES, - IPTABLES, - IP6TABLES, -); - struct _virFirewallRule { virFirewallLayer layer; =20 
@@ -500,67 +493,6 @@ virFirewallRuleToString(const char *cmd, } =20 =20 -static int -virFirewallApplyRuleDirect(virFirewallRule *rule, - char **output) -{ - size_t i; - const char *bin =3D virFirewallLayerCommandTypeToString(rule->layer); - g_autoptr(virCommand) cmd =3D NULL; - g_autofree char *cmdStr =3D NULL; - int status; - g_autofree char *error =3D NULL; - - if (!bin) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Unknown firewall layer %1$d"), - rule->layer); - return -1; - } - - cmd =3D virCommandNewArgList(bin, NULL); - - /* lock to assure nobody else is messing with the tables while we are = */ - switch (rule->layer) { - case VIR_FIREWALL_LAYER_ETHERNET: - virCommandAddArg(cmd, "--concurrent"); - break; - case VIR_FIREWALL_LAYER_IPV4: - case VIR_FIREWALL_LAYER_IPV6: - virCommandAddArg(cmd, "-w"); - break; - case VIR_FIREWALL_LAYER_LAST: - break; - } - - for (i =3D 0; i < rule->argsLen; i++) - virCommandAddArg(cmd, rule->args[i]); - - cmdStr =3D virCommandToString(cmd, false); - VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); - - virCommandSetOutputBuffer(cmd, output); - virCommandSetErrorBuffer(cmd, &error); - - if (virCommandRun(cmd, &status) < 0) - return -1; - - if (status !=3D 0) { - if (virFirewallRuleGetIgnoreErrors(rule)) { - VIR_DEBUG("Ignoring error running command"); - } else { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Failed to apply firewall rules %1$s: %2$s"), - NULLSTR(cmdStr), NULLSTR(error)); - VIR_FREE(*output); - return -1; - } - } - - return 0; -} - - static int virFirewallApplyRule(virFirewall *firewall, virFirewallRule *rule) @@ -568,7 +500,7 @@ virFirewallApplyRule(virFirewall *firewall, g_autofree char *output =3D NULL; g_auto(GStrv) lines =3D NULL; =20 - if (virFirewallApplyRuleDirect(rule, &output) < 0) + if (virNetfilterApplyFirewallRule(firewall, rule, &output) < 0) return -1; =20 if (rule->queryCB && output) { diff --git a/src/util/viriptables.c b/src/util/viriptables.c index a0c35887c5..9c7f7790c4 100644 
--- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -31,6 +31,8 @@ #include "viriptables.h" #include "virfirewalld.h" #include "virerror.h" +#include "viralloc.h" +#include "vircommand.h" #include "virlog.h" #include "virhash.h" #include "virenum.h" @@ -40,6 +42,19 @@ VIR_LOG_INIT("util.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE =20 =20 +/* iptables backend uses a different program for each layer. This + * gives us a convenient function for converting VIR_FIREWALL_LAYER_* + * enum from a virFirewallRule into a binary name. + */ +VIR_ENUM_DECL(virIptablesLayerCommand); +VIR_ENUM_IMPL(virIptablesLayerCommand, + VIR_FIREWALL_LAYER_LAST, + EBTABLES, + IPTABLES, + IP6TABLES, +); + + VIR_ENUM_DECL(virIptablesAction); VIR_ENUM_IMPL(virIptablesAction, VIR_FIREWALL_ACTION_LAST, 
@@ -49,6 +64,69 @@ VIR_ENUM_IMPL(virIptablesAction, ); =20 =20 +int +virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, + virFirewallRule *rule, + char **output) +{ + virFirewallLayer layer =3D virFirewallRuleGetLayer(rule); + const char *bin =3D virIptablesLayerCommandTypeToString(layer); + g_autoptr(virCommand) cmd =3D NULL; + g_autofree char *cmdStr =3D NULL; + g_autofree char *error =3D NULL; + size_t i, count; + int status; + + if (!bin) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unknown firewall layer %1$d"), layer); + return -1; + } + + cmd =3D virCommandNewArgList(bin, NULL); + + /* lock to assure nobody else is messing with the tables while we are = */ + switch (layer) { + case VIR_FIREWALL_LAYER_ETHERNET: + virCommandAddArg(cmd, "--concurrent"); + break; + case VIR_FIREWALL_LAYER_IPV4: + case VIR_FIREWALL_LAYER_IPV6: + virCommandAddArg(cmd, "-w"); + break; + case VIR_FIREWALL_LAYER_LAST: + break; + } + + count =3D virFirewallRuleGetArgCount(rule); + for (i =3D 0; i < count; i++) + virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); + + cmdStr =3D virCommandToString(cmd, false); + VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + + virCommandSetOutputBuffer(cmd, output); + virCommandSetErrorBuffer(cmd, &error); + + if (virCommandRun(cmd, &status) < 0) + return -1; + + if (status !=3D 0) { + if (virFirewallRuleGetIgnoreErrors(rule)) { + VIR_DEBUG("Ignoring error running command"); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to apply firewall rules %1$s: %2$s"), + NULLSTR(cmdStr), NULLSTR(error)); + VIR_FREE(*output); + return -1; + } + } + + return 0; +} + + typedef struct { const char *parent; const char *child; diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 17f43a8fa8..990cb2e25d 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -24,6 +24,12 @@ #include "virfirewall.h" #include "virnetfilter.h" =20 +/* virIptablesApplyFirewallRule should be called only from virnetfilter.c = */ +int +virIptablesApplyFirewallRule(virFirewall *firewall, + virFirewallRule *rule, + char **output); + /* These functions are (currently) called directly from the consumer * (e.g. the network driver), and only when the iptables backend is * selected. (Possibly/probably functions should be added to the diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index 10c1a54e26..ba0f292ea9 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -44,6 +44,25 @@ VIR_LOG_INIT("util.netfilter"); #define VIR_FROM_THIS VIR_FROM_NONE =20 =20 +/** + * virNetfilterApplyFirewallRule: + * @fw: the virFirewall this rule is part of (currently unused) + * @rule: this particular rule + * @ignoreErrors: true if errors should be ignored + * @output: everything that appears on stdout as a result of applying the = rule + * + * Applies @rule to the host's network filtering. returns 0 on success + * -1 on failure. + */ +int +virNetfilterApplyFirewallRule(virFirewall *fw, + virFirewallRule *rule, + char **output) +{ + return virIptablesApplyFirewallRule(fw, rule, output); +} + + /** * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index b515512ad7..eff047cde0 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h 
@@ -30,6 +30,9 @@ #define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX" #define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" =20 +int virNetfilterApplyFirewallRule (virFirewall *fw, + virFirewallRule *rule, + char **output); void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911270; cv=none; d=zohomail.com; s=zohoarc; b=jcKVWaySEdHfj+MVPQOSuNEI3gAaHgi05tqEKLx5Koe1XO0c2p9CkIuYCnIRcWr+UQsbWwV/avWYm92MJFWHmESxGtpjJicLnabjxUGIU9aFmbmnxgU5gdq++MA9u7rnw9QLJCH8ZAx/8PxWZn0EMDsvXH/bTBX2143luVV+TJk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911270; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=dUElZeRLHVfKBO2+GgTYqwJ+jOXTjusoxbjhrLLp8ds=; b=eCjwtDLlMwEGASQnmO2SoQ/N7gOsqFMrZSISwApNNHehGSbWJHD4rQZdzEldw+7968kfFAd0DWNHiJxCYXzqA2/G2zPXuoesMzvKy/JX/v/N3k5gQc4Z+jk+qJV8W5EnemDpKr9eYkdFH7IxZMONdlxSQLFRZAkMSbMB7FsjaYQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com 
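Review bot: the two failure paths in virIptablesApplyFirewallRule (viriptables.c hunk) leave *output in different states: the `status != 0` branch does `VIR_FREE(*output)` before returning -1, but the earlier `if (virCommandRun(cmd, &status) < 0) return -1;` returns without touching *output, which virCommandSetOutputBuffer may already have populated by then. Either free *output on that path as well, or document that a -1 return does not guarantee *output is NULL. Relatedly, when virFirewallRuleGetIgnoreErrors(rule) is set and the command exits non-zero, the function returns 0 with whatever partial stdout the failed command produced still in *output; a comment saying callers that treat *output as a query result must expect this would help.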
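Review bot: the doc comment added to virnetfilter.c for virNetfilterApplyFirewallRule lists an `@ignoreErrors: true if errors should be ignored` parameter that the function does not take (the flag is read from the rule via virFirewallRuleGetIgnoreErrors() in viriptables.c); drop that line so the comment matches the three-argument signature, and tidy "Applies @rule to the host's network filtering. returns 0 on success -1 on failure." to "Returns 0 on success, -1 on failure."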
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 09/28] util/network: reintroduce virFirewallBackend, but different
Date: Sun, 30 Apr 2023 23:19:24 -0400
Message-Id: <20230501031943.288145-10-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>
List-Id: Development discussions about the libvirt library & tools

In the past, virFirewallBackend was a private static in virfirewall.c that was set at daemon init time, and used to globally (i.e. for all drivers in the daemon) determine whether to directly execute iptables commands, or to run them indirectly via the firewalld passthrough API. This was removed in commit d566cc55, since we decided that using the firewalld passthrough API is never appropriate.

Now the virFirewallBackend enum is being reintroduced, with a slightly different meaning and usage pattern. It will be used to pick between using nftables commands or iptables commands (in either case directly handled by libvirt, *not* via firewalld). Additionally, rather than being a static known only within virfirewall.c and applying to all firewall commands for all drivers, each virFirewall object will have its own backend setting, which will be set during virFirewallNew() by the driver who wants to add a firewall rule.
This will allow the nwfilter and network drivers to each have their own backend setting, even when they coexist in a single unified daemon. At least as important as that, it will also allow an instance of the network driver to remove iptables rules that had been added by a previous instance, and then add nftables rules for the new instance (in the case that an admin, or possibly an update, switches the driver backend from iptables to nftable) Initially, the enum will only have one usable value - VIR_FIREWALL_BACKEND_IPTABLES, and that will be hardcoded into all calls to virFirewallNew(). The other enum value (along with a method of setting it for each driver) will be added later, when it can be used (when the nftables backend is in the code). Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 3 +++ src/network/bridge_driver_linux.c | 4 ++-- src/nwfilter/nwfilter_ebiptables_driver.c | 16 ++++++++-------- src/util/virebtables.c | 4 ++-- src/util/virfirewall.c | 16 +++++++++++++++- src/util/virfirewall.h | 12 +++++++++++- src/util/viriptables.c | 2 +- tests/virfirewalltest.c | 20 ++++++++++---------- 8 files changed, 52 insertions(+), 25 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index cf68e4c942..a09e5ae871 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2373,7 +2373,10 @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddRuleFull; virFirewallApply; +virFirewallBackendTypeFromString; +virFirewallBackendTypeToString; virFirewallFree; +virFirewallGetBackend; virFirewallNew; virFirewallRemoveRule; virFirewallRuleAddArg; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index e03c17b259..c6aab9b236 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -806,7 +806,7 @@ int networkAddFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -932,7 +932,7 @@ void networkRemoveFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); networkRemoveChecksumFirewallRules(fw, def); diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 99a74a60e5..9ed23c27a3 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -2815,7 +2815,7 @@ static int ebtablesApplyBasicRules(const char *ifname, const virMacAddr *macaddr) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); char chain[MAX_CHAINNAME_LENGTH]; char chainPrefix =3D CHAINPREFIX_HOST_IN_TEMP; char macaddr_str[VIR_MAC_STRING_BUFLEN]; @@ -2888,7 +2888,7 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, char macaddr_str[VIR_MAC_STRING_BUFLEN]; unsigned int idx =3D 0; unsigned int num_dhcpsrvrs; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virMacAddrFormat(macaddr, macaddr_str); =20 @@ -2990,7 +2990,7 @@ ebtablesApplyDropAllRules(const char *ifname) { char chain_in [MAX_CHAINNAME_LENGTH], chain_out[MAX_CHAINNAME_LENGTH]; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 if (ebiptablesAllTeardown(ifname) < 0) return -1; 
@@ -3037,7 +3037,7 @@ ebtablesRemoveBasicRules(const char *ifname) static int ebtablesCleanAll(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3291,7 +3291,7 @@ ebiptablesApplyNewRules(const char *ifname, size_t nrules) { size_t i, j; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); g_autoptr(GHashTable) chains_in_set =3D virHashNew(NULL); g_autoptr(GHashTable) chains_out_set =3D virHashNew(NULL); bool haveEbtables =3D false; @@ -3513,7 +3513,7 @@ ebiptablesTearNewRulesFW(virFirewall *fw, const char = *ifname) static int ebiptablesTearNewRules(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3525,7 +3525,7 @@ ebiptablesTearNewRules(const char *ifname) static int ebiptablesTearOldRules(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3560,7 +3560,7 @@ ebiptablesTearOldRules(const char *ifname) static int ebiptablesAllTeardown(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 diff --git a/src/util/virebtables.c b/src/util/virebtables.c index a1f5f7cf1e..f242186c52 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c 
@@ -78,7 +78,7 @@ ebtablesContextFree(ebtablesContext *ctx) int ebtablesAddForwardPolicyReject(ebtablesContext *ctx) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, @@ -106,7 +106,7 @@ ebtablesForwardAllowIn(ebtablesContext *ctx, const char *macaddr, int action) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, 0); virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 6603fd6341..e1fda162c4 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -36,6 +36,11 @@ =20 VIR_LOG_INIT("util.firewall"); =20 +VIR_ENUM_IMPL(virFirewallBackend, + VIR_FIREWALL_BACKEND_LAST, + "UNSET", /* not yet set */ + "iptables"); + typedef struct _virFirewallGroup virFirewallGroup; =20 struct _virFirewallRule { @@ -70,6 +75,7 @@ struct _virFirewall { size_t ngroups; virFirewallGroup **groups; size_t currentGroup; + virFirewallBackend backend; }; =20 static virMutex ruleLock =3D VIR_MUTEX_INITIALIZER; @@ -91,14 +97,22 @@ virFirewallGroupNew(void) * * Returns the new firewall ruleset */ -virFirewall *virFirewallNew(void) +virFirewall *virFirewallNew(virFirewallBackend backend) { virFirewall *firewall =3D g_new0(virFirewall, 1); =20 + firewall->backend =3D backend; return firewall; } =20 =20 +virFirewallBackend +virFirewallGetBackend(virFirewall *firewall) +{ + return firewall->backend; +} + + static void virFirewallRuleFree(virFirewallRule *rule) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index ed0bc8b6f7..020dd2bedb 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h 
@@ -21,6 +21,7 @@ #pragma once =20 #include "internal.h" +#include "virenum.h" =20 typedef struct _virFirewall virFirewall; =20 @@ -42,9 +43,18 @@ typedef enum { VIR_FIREWALL_ACTION_LAST } virFirewallAction; =20 -virFirewall *virFirewallNew(void); +typedef enum { + VIR_FIREWALL_BACKEND_UNSET, + VIR_FIREWALL_BACKEND_IPTABLES, + + VIR_FIREWALL_BACKEND_LAST, +} virFirewallBackend; + +VIR_ENUM_DECL(virFirewallBackend); =20 +virFirewall *virFirewallNew(virFirewallBackend backend); void virFirewallFree(virFirewall *firewall); +virFirewallBackend virFirewallGetBackend(virFirewall *firewall); =20 /** * virFirewallAddRule: diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 9c7f7790c4..96b69daf68 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -196,7 +196,7 @@ iptablesPrivateChainCreate(virFirewall *fw, int iptablesSetupPrivateChains(virFirewallLayer layer) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); iptablesGlobalChain filter_chains[] =3D { {"INPUT", VIR_NETFILTER_INPUT_CHAIN}, {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN}, diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index e676a434c8..48300bf242 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -62,7 +62,7 @@ static int testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" 
@@ -102,7 +102,7 @@ static int testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -148,7 +148,7 @@ static int testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -222,7 +222,7 @@ static int testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -275,7 +275,7 @@ static int testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -327,7 +327,7 @@ static int testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" 
@@ -372,7 +372,7 @@ static int testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -437,7 +437,7 @@ static int testFirewallManyRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -505,7 +505,7 @@ static int testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" 
@@ -682,7 +682,7 @@ static int testFirewallQuery(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911266; cv=none; d=zohomail.com; s=zohoarc; b=b1qMtUa7fckOzNy0a7vnyLeW4prlCp7C1Cztpd9X7XC5keuA7B/5Yc9toy3RkE7ILaQGPU28Lt5V+FTpX3jqr0tnAuVqTNCDzizCZqtwHArJRLtzeEar/90Y31+OuCRA44nIN+LXubSEgQAoTh43DuydKdtEbe8KxPdN0ajLFmQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911266; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=mnUgnfy5h+dW+wQJmbueqL1MTvvk+6gkpB19gmAmWyE=; b=jLEusjcMyJJND4OMfwriYPYHpyeIWS0gwYEmjf7fzqCoUkziJi8/E+b0J4y1Lxbqg3zd7uAXeK4dvgCDpVCgS621fvks9gpoGEnSpA0S8LVG+xQRhXsuF2Thhkua0puDjo20yzsGtyfpvaT2k8dki9j8DiC01Q1JI6YEWa0a638= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com 
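Review bot: virFirewallNew() in the virfirewall.c hunk stores whatever backend value it is handed with no validation, so VIR_FIREWALL_BACKEND_UNSET or VIR_FIREWALL_BACKEND_LAST is accepted silently and only shows up later when a rule is applied. Given the commit message's intent that an unset backend should "trigger an appropriate error message the first time we attempt to add a rule", a range check (virReportEnumRangeError on virFirewallBackend) either here or in virFirewallApply would make that error name the bad value instead of failing deeper in the iptables code.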
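Review bot: in the virfirewall.h hunk, VIR_FIREWALL_BACKEND_UNSET is placed first so that a zero-initialized field means "unset"; a one-line comment on the enum saying it must stay at 0 would stop the next person from reordering it when the nftables value is added. The VIR_ENUM_IMPL strings are also mixed case ("UNSET" vs "iptables"); since 11/28 expects lowercase config values such as nftables, a lowercase "unset" would be consistent if the string ever reaches a config file or an error message.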
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 10/28] network: add (empty) network.conf file to distribution files
Date: Sun, 30 Apr 2023 23:19:25 -0400
Message-Id: <20230501031943.288145-11-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>
List-Id: Development discussions about the libvirt library & tools

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 libvirt.spec.in | 3 ++
 src/network/libvirtd_network.aug | 36 ++++++++++++++++++++++++
 src/network/meson.build | 11 ++++++++
 src/network/network.conf | 3 ++
 src/network/test_libvirtd_network.aug.in | 2 ++
 5 files changed, 55 insertions(+)
 create mode 100644 src/network/libvirtd_network.aug
 create mode 100644 src/network/network.conf
 create mode 100644 src/network/test_libvirtd_network.aug.in
diff --git a/libvirt.spec.in b/libvirt.spec.in index dae9c87aa4..ba73efb0b7 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1979,6 +1979,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf %{_datadir}/augeas/lenses/virtnetworkd.aug %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug +%config(noreplace) %{_sysconfdir}/libvirt/network.conf +%{_datadir}/augeas/lenses/libvirtd_network.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug %{_unitdir}/virtnetworkd.service %{_unitdir}/virtnetworkd.socket %{_unitdir}/virtnetworkd-ro.socket diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_networ= k.aug new file mode 100644 index 0000000000..ae153d96a1 --- /dev/null +++ b/src/network/libvirtd_network.aug 
@@ -0,0 +1,36 @@ +(* /etc/libvirt/network.conf *) + +module Libvirtd_network =3D + autoload xfm + + let eol =3D del /[ \t]*\n/ "\n" + let value_sep =3D del /[ \t]*=3D[ \t]*/ " =3D " + let indent =3D del /[ \t]*/ "" + + let array_sep =3D del /,[ \t\n]*/ ", " + let array_start =3D del /\[[ \t\n]*/ "[ " + let array_end =3D del /\]/ "]" + + let str_val =3D del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\"" + let bool_val =3D store /0|1/ + let int_val =3D store /[0-9]+/ + let str_array_element =3D [ seq "el" . str_val ] . del /[ \t\n]*/ "" + let str_array_val =3D counter "el" . array_start . ( str_array_element = . ( array_sep . str_array_element ) * ) ? . array_end + + let str_entry (kw:string) =3D [ key kw . value_sep . str_val ] + let bool_entry (kw:string) =3D [ key kw . value_sep . bool_val ] + let int_entry (kw:string) =3D [ key kw . value_sep . int_val ] + let str_array_entry (kw:string) =3D [ key kw . value_sep . str_array_va= l ] + + (* Each entry in the config is one of the following *) + let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] + let empty =3D [ label "#empty" . eol ] + + let record =3D indent . eol + + let lns =3D ( record | comment | empty ) * + + let filter =3D incl "/etc/libvirt/network.conf" + . Util.stdexcl + + let xfm =3D transform lns filter diff --git a/src/network/meson.build b/src/network/meson.build index 0888d1beac..9a00b5d969 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -48,6 +48,17 @@ if conf.has('WITH_NETWORK') ], } =20 + virt_conf_files +=3D files('network.conf') + virt_aug_files +=3D files('libvirtd_network.aug') + virt_test_aug_files +=3D { + 'name': 'test_libvirtd_network.aug', + 'aug': files('test_libvirtd_network.aug.in'), + 'conf': files('network.conf'), + 'test_name': 'libvirtd_network', + 'test_srcdir': meson.current_source_dir(), + 'test_builddir': meson.current_build_dir(), + } + virt_daemon_confs +=3D { 'name': 'virtnetworkd', } 
diff --git a/src/network/network.conf b/src/network/network.conf new file mode 100644 index 0000000000..5c84003f6d --- /dev/null +++ b/src/network/network.conf @@ -0,0 +1,3 @@ +# Master configuration file for the network driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_li= bvirtd_network.aug.in new file mode 100644 index 0000000000..ffdca520ce --- /dev/null +++ b/src/network/test_libvirtd_network.aug.in 
@@ -0,0 +1,2 @@ +module Test_libvirtd_network =3D + @CONFIG@ --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911220; cv=none; d=zohomail.com; s=zohoarc; b=c0WiG3bvbT+3qtkdNQV/CnFr4mTmhgXVMZI0qiTnKyev7S+7T6HV1j/uGGid+KcQtSi7gSNJyLd27G0dPpyfIktRpJJgiTeMPBpm4seObopmVnPCQF+fjj7//kaLtgQMV4b2dBJuZ9T4DmFPR/uua5rPsfntzOn1P67roWPAW4U= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911220; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=9t5xqsgklcgTd8O5z04Iy0XYtzoYI9Qcd2iTWQ4xAyQ=; b=oEl4wyQrgwl61OSiz+u9l3esK79PNVyP2IoRa8rvgoL/zVHaqDIlmfkkdWtfKVmWUwomfWL/CEug4uTBDFt4d17ZnhZpGX5rlb3ZWUxpw0xvDr5QF/Z4wZSakGLG4CLMasS5BBbbd6IVcGn7KPRlMuUu4Fid7/Ge5zIT3Otm4zw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1682911220305795.3874702489735; Sun, 30 Apr 2023 20:20:20 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, 
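Review bot: in the libvirtd_network.aug hunk, `record = indent . eol` and `empty = [ label "#empty" . eol ]` both accept a whitespace-only line, so `lns = ( record | comment | empty ) *` is an ambiguous union that the Augeas typechecker should flag as soon as the lens is compiled. It goes unnoticed here because test_libvirtd_network.aug.in contains only `@CONFIG@` and no `test Libvirtd_network.lns get conf = ...` statement, so the lens is never exercised by the augeas test target wired up in meson.build. Either leave `record` out until the first real entry exists, or add the `test` line now so the lens is actually checked.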
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 11/28] network: allow setting firewallBackend from network.conf
Date: Sun, 30 Apr 2023 23:19:26 -0400
Message-Id: <20230501031943.288145-12-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>
List-Id: Development discussions about the libvirt library & tools

It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=nftables" in /etc/libvirt/network.conf.

If firewall_backend isn't set in network.conf, then libvirt will check to see if the iptables binary is present on the system and set firewallBackend to iptables; if not, it will be left as "unset", which (once multiple backends are available) will trigger an appropriate error message the first time we attempt to add a rule.
Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/network/bridge_driver.c | 22 +++++++------ src/network/bridge_driver_conf.c | 40 ++++++++++++++++++++++++ src/network/bridge_driver_conf.h | 3 ++ src/network/bridge_driver_linux.c | 12 ++++--- src/network/bridge_driver_nop.c | 6 ++-- src/network/bridge_driver_platform.h | 6 ++-- src/network/libvirtd_network.aug | 5 ++- src/network/network.conf | 8 +++++ src/network/test_libvirtd_network.aug.in | 3 ++ tests/networkxml2firewalltest.c | 2 +- 10 files changed, 87 insertions(+), 20 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 9eb543a0a3..fb353e449a 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1684,6 +1684,7 @@ static int networkReloadFirewallRulesHelper(virNetworkObj *obj, void *opaque G_GNUC_UNUSED) { + g_autoptr(virNetworkDriverConfig) cfg =3D virNetworkDriverGetConfig(ne= tworkGetDriver()); VIR_LOCK_GUARD lock =3D virObjectLockGuard(obj); virNetworkDef *def =3D virNetworkObjGetDef(obj); =20 @@ -1697,8 +1698,8 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward=3D'open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def); - ignore_value(networkAddFirewallRules(def)); + networkRemoveFirewallRules(def, cfg->firewallBackend); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); break; =20 case VIR_NETWORK_FORWARD_OPEN: @@ -1949,7 +1950,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 /* Add "once per network" rules */ if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def) < 0) + networkAddFirewallRules(def, cfg->firewallBackend) < 0) goto error; =20 firewalRulesAdded =3D true; 
@@ -2036,7 +2037,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 if (firewalRulesAdded && def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); =20 virNetworkObjUnrefMacMap(obj); =20 @@ -2048,7 +2049,8 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 =20 static int -networkShutdownNetworkVirtual(virNetworkObj *obj) +networkShutdownNetworkVirtual(virNetworkObj *obj, + virNetworkDriverConfig *cfg) { virNetworkDef *def =3D virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -2074,7 +2076,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) ignore_value(virNetDevSetOnline(def->bridge, false)); =20 if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); =20 @@ -2378,7 +2380,7 @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret =3D networkShutdownNetworkVirtual(obj); + ret =3D networkShutdownNetworkVirtual(obj, cfg); break; =20 case VIR_NETWORK_FORWARD_BRIDGE: @@ -3241,7 +3243,7 @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); needFirewallRefresh =3D true; break; default: 
@@ -3269,14 +3271,14 @@ networkUpdate(virNetworkPtr net, parentIndex, xml, network_driver->xmlopt, flags) < 0) { if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def)); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); goto cleanup; } =20 /* @def is replaced */ def =3D virNetworkObjGetDef(obj); =20 - if (needFirewallRefresh && networkAddFirewallRules(def) < 0) + if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallB= ackend) < 0) goto cleanup; =20 if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index a2edafa837..9769ee06b5 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -25,6 +25,7 @@ #include "datatypes.h" #include "virlog.h" #include "virerror.h" +#include "virfile.h" #include "virutil.h" #include "bridge_driver_conf.h" =20 @@ -62,6 +63,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_= GNUC_UNUSED, const char *filename) { g_autoptr(virConf) conf =3D NULL; + g_autofree char *firewallBackendStr =3D NULL; =20 /* if file doesn't exist or is unreadable, ignore the "error" */ if (access(filename, R_OK) =3D=3D -1) 
@@ -73,6 +75,44 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G= _GNUC_UNUSED, =20 /* use virConfGetValue*(conf, ...) functions to read any settings into= cfg */ =20 + if (virConfGetValueString(conf, "firewall_backend", &firewallBackendSt= r) < 0) + return -1; + + if (firewallBackendStr) { + int backend =3D virFirewallBackendTypeFromString(firewallBackendSt= r); + + if (backend < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown value for 'firewall_backend' in netw= ork.conf: '%1$s'"), + firewallBackendStr); + return -1; + } + + cfg->firewallBackend =3D backend; + VIR_INFO("using firewall_backend setting from network.conf: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + + } else { + + /* no .conf setting, so see what this host supports by looking + * for binaries used by the backends, and set accordingly. + */ + g_autofree char *iptablesInPath =3D NULL; + + /* virFindFileInPath() uses g_find_program_in_path(), + * which allows absolute paths, and verifies that + * the file is executable. + */ + if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) + cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; + + if (cfg->firewallBackend =3D=3D VIR_FIREWALL_BACKEND_UNSET) + VIR_INFO("firewall_backend not set, and no usable backend auto= -detected"); + else + VIR_INFO("using auto-detected firewall_backend: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + } + return 0; } =20 diff --git a/src/network/bridge_driver_conf.h b/src/network/bridge_driver_c= onf.h index 426c16198d..8f221f391e 100644 --- a/src/network/bridge_driver_conf.h +++ b/src/network/bridge_driver_conf.h @@ -26,6 +26,7 @@ #include "virdnsmasq.h" #include "virnetworkobj.h" #include "object_event.h" +#include "virfirewall.h" =20 typedef struct _virNetworkDriverConfig virNetworkDriverConfig; struct _virNetworkDriverConfig { 
@@ -37,6 +38,8 @@ struct _virNetworkDriverConfig { char *stateDir; char *pidDir; char *dnsmasqStateDir; + + virFirewallBackend firewallBackend; }; =20 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virNetworkDriverConfig, virObjectUnref); diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index c6aab9b236..ff2f87054d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -802,11 +802,13 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw, =20 =20 /* Add all rules for all ip addresses (and general rules) on a network */ -int networkAddFirewallRules(virNetworkDef *def) +int +networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); + g_autoptr(virFirewall) fw =3D virFirewallNew(firewallBackend); =20 if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -928,11 +930,13 @@ int networkAddFirewallRules(virNetworkDef *def) } =20 /* Remove all rules for all ip addresses (and general rules) on a network = */ -void networkRemoveFirewallRules(virNetworkDef *def) +void +networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); + g_autoptr(virFirewall) fw =3D virFirewallNew(firewallBackend); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); networkRemoveChecksumFirewallRules(fw, def); diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 6eee6043e6..7d9a061e50 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c 
@@ -36,11 +36,13 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNU= C_UNUSED) return 0; } =20 -int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_UNUS= ED) { return 0; } =20 -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_U= NUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index b720d343be..7443c3129f 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -32,6 +32,8 @@ void networkPostReloadFirewallRules(bool startup); =20 int networkCheckRouteCollision(virNetworkDef *def); =20 -int networkAddFirewallRules(virNetworkDef *def); +int networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); =20 -void networkRemoveFirewallRules(virNetworkDef *def); +void networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_networ= k.aug index ae153d96a1..5d6d72dd92 100644 --- a/src/network/libvirtd_network.aug +++ b/src/network/libvirtd_network.aug @@ -22,11 +22,14 @@ module Libvirtd_network =3D let int_entry (kw:string) =3D [ key kw . value_sep . int_val ] let str_array_entry (kw:string) =3D [ key kw . value_sep . str_array_va= l ] =20 + let firewall_backend_entry =3D str_entry "firewall_backend" + (* Each entry in the config is one of the following *) + let entry =3D firewall_backend_entry let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] let empty =3D [ label "#empty" . eol ] =20 - let record =3D indent . eol + let record =3D indent . entry . eol =20 let lns =3D ( record | comment | empty ) * =20 
diff --git a/src/network/network.conf b/src/network/network.conf index 5c84003f6d..74c79e4cc6 100644 --- a/src/network/network.conf +++ b/src/network/network.conf @@ -1,3 +1,11 @@ # Master configuration file for the network driver. # All settings described here are optional - if omitted, sensible # defaults are used. + +# firewall_backend: +# +# determines which subsystem to use to setup firewall packet +# filtering rules for virtual networks. Currently the only supported +# selection is "iptables". +# +#firewall_backend =3D "iptables" diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_li= bvirtd_network.aug.in index ffdca520ce..3aa7b4cc22 100644 --- a/src/network/test_libvirtd_network.aug.in +++ b/src/network/test_libvirtd_network.aug.in @@ -1,2 +1,5 @@ module Test_libvirtd_network =3D @CONFIG@ + + test Libvirtd_network.lns get conf =3D +{ "firewall_backend" =3D "iptables" } diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index cb66a26294..3a9f409e2a 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c 
@@ -98,7 +98,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def) < 0) + if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); --=20 2.39.2
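Review bot: in the bridge_driver_conf.c hunk, an unrecognised `firewall_backend` string is reported as VIR_ERR_INTERNAL_ERROR, but it is an operator typo in network.conf, not a libvirt bug; VIR_ERR_CONFIG_UNSUPPORTED (or VIR_ERR_CONF_SYNTAX) would classify it correctly and keep INTERNAL_ERROR meaningful for anyone grepping logs. In the auto-detect branch of the same hunk, the "firewall_backend not set, and no usable backend auto-detected" message goes out at VIR_INFO, which is below the default log level, so an admin sees nothing at daemon start and only hits the deferred error on the first rule add that the commit message describes; VIR_WARN there costs nothing and makes the misconfiguration visible where it happens.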
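Review bot: the networkReloadFirewallRulesHelper hunk calls virNetworkDriverGetConfig(networkGetDriver()) once per network object on every firewall reload while the helper's `opaque` parameter is still G_GNUC_UNUSED; the caller could fetch the config once and hand it down through `opaque`, which drops a ref/unref per network and guarantees that every network in one reload pass is processed against the same config object.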
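Review bot: the network.conf hunk says "which subsystem to use to setup firewall packet filtering rules"; the verb is "set up". The comment should also tell operators what happens when the key is omitted (auto-detection based on whether the iptables binary is found, and an unset backend failing on the first rule add), since that is the behaviour this patch introduces and the shipped config file is where people will look for it.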
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 12/28] network: do not add DHCP checksum mangle rule unless using iptables
Date: Sun, 30 Apr 2023 23:19:27 -0400
Message-Id: <20230501031943.288145-13-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Long long ago (commit fd5b15ff in July 2010), we determined that the combination of virtio-net + vhost packet handling (i.e. handling packets in the kernel rather than userspace) + very old guest OSes (e.g. RHEL5, but not even RHEL6) would result in the checksum of dhcp packets being unset, which would cause the packet to be dropped, and the guest would never acquire an IP address.

The fix for this was for iptables to create a new rule that would fixup packet checksums for certain packets, and for libvirt to add one of these rules to the iptables "mangle" table.

This was considered a horrid hack even at the time, and when nftables was created, the functionality wasn't replicated there. So when we add rules using nftables, there is no way to add such a rule, and your options are thus:

1) stop using outdated, out of support guest OSes

2) Don't use vhost=on for the guest virtio interface, ie. add to the definition.
3) continue having libvirt use iptables for its rules (I'm not certain, but I think even this may fail depending on which iptables compatibility packages are being used).

All of this is to explain why we simply ignore calls to add a "checksum fixup" rule when the firewall backend isn't iptables. I could have plumbed this function all the way through virNetfilter* -> virNftables* and then done an empty return from there, but figured since it is a hack I'd rather keep it as localized as possible, and just cut it off right at the top of the call chain in the network driver.

P.S. This specific behavior is really the only concrete reason for keeping around an iptables backend, rather than just replacing it with nftables.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
--- src/network/bridge_driver_linux.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index ff2f87054d..3efb669789 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -721,6 +721,15 @@ networkAddChecksumFirewallRules(virFirewall *fw, size_t i; virNetworkIPDef *ipv4def; =20 + /* these rules are only supported by the iptables + * backend. nftables doesn't have equivalent functionality, + * because it was always seen as an ugly hack. Fortunately this + * hack was only ever needed for *very* old guest OSes (RHEL5 era) + * using virtio network device with vhost enabled. + */ + if (virFirewallGetBackend(fw) !=3D VIR_FIREWALL_BACKEND_IPTABLES) + return; + /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ /* We support dhcp config on 1 IPv4 interface only. */ for (i =3D 0;
@@ -747,6 +756,10 @@ networkRemoveChecksumFirewallRules(virFirewall *fw, size_t i; virNetworkIPDef *ipv4def; =20 + /* iptables backend only */ + if (virFirewallGetBackend(fw) !=3D VIR_FIREWALL_BACKEND_IPTABLES) + return; + /* First look for first IPv4 address that has dhcp or tftpboot defined= . */ /* We support dhcp config on 1 IPv4 interface only. */ for (i =3D 0; --=20 2.39.2
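Review bot: the early return added at the top of networkAddChecksumFirewallRules is silent, so when a network is started on a non-iptables backend nothing records that the DHCP checksum fixup rule was skipped, and an old guest that then never gets a lease is hard to connect back to this code; a VIR_DEBUG (or a VIR_INFO once per network start) saying the rule is being skipped for this backend would make that failure mode diagnosable from the log alone.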
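Review bot: the matching early return in networkRemoveChecksumFirewallRules decides on the backend of the `fw` handed in at removal time, not the backend that added the rule, so if firewall_backend is changed away from iptables and the daemon restarted while a network stays running, the CHECKSUM mangle rule that was added under iptables is no longer removed when that network is destroyed. The removal transaction already runs with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS (see the previous patch), so attempting the iptables removal regardless would be cheap; failing that, document that networks must be destroyed before switching backends.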
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 13/28] network: call backend agnostic function to init private filter chains
Date: Sun, 30 Apr 2023 23:19:28 -0400
Message-Id: <20230501031943.288145-14-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Instead of calling iptableSetupPrivateChains(), the network driver now calls virNetfilterSetupPrivateChains() (which right now always calls the iptables version of the function, but in the future might instead call the nftables version).

virNetFilterSetupPrivateChains() needs an argument to know which backend to call, and that means that networkSetupPrivateChains() has to take an argument (we can't rely on getting the setting from the driver config, because the unit tests don't initialize the network driver). But networkSetupPrivateChains() was being called with virOnce(), and virOnce() doesn't support calling functions that require an argument (it's based on pthread_once(), which accepts no arguments, so it's not something we can easily fix in our implementation of virOnce()).
So instead this patch changes things to handle the "do it once" functionality by adding a static lock, and putting all of networkSetupPrivateChains() (including the setting of "chainInitDone") inside a lock guard; now the places that used to call it via virOnce() just call it directly instead.

(If it turns out to be significant, we could optimize this by checking for chainInitDone outside the lock guard, returning immediately if it's already set, and then moving the setting of chainInitDone up to the top of the guarded section.)

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
--- src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 30 +++++++++++++++--------------- src/util/viriptables.h | 7 ++++--- src/util/virnetfilter.c | 16 ++++++++++++++++ src/util/virnetfilter.h | 3 +++ 5 files changed, 39 insertions(+), 18 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index a09e5ae871..a93143638f 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2966,6 +2966,7 @@ virNetfilterRemoveTcpInput; virNetfilterRemoveTcpOutput; virNetfilterRemoveUdpInput; virNetfilterRemoveUdpOutput; +virNetfilterSetupPrivateChains; =20 =20 # util/virnetlink.h diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 3efb669789..058cfa1d80 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c
@@ -35,25 +35,26 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 -static virOnceControl createdOnce; +static virMutex chainInitLock =3D VIR_MUTEX_INITIALIZER; static bool chainInitDone; /* true iff networkSetupPrivateChains was ever = called */ =20 static virErrorPtr errInitV4; static virErrorPtr errInitV6; =20 -/* Usually only called via virOnce, but can also be called directly in - * response to firewalld reload (if chainInitDone =3D=3D true) - */ -static void networkSetupPrivateChains(void) +static void networkSetupPrivateChains(virFirewallBackend backend, bool for= ce) { + VIR_LOCK_GUARD lock =3D virLockGuardLock(&chainInitLock); int rc; =20 + if (chainInitDone && !force) + return; + VIR_DEBUG("Setting up global firewall chains"); =20 g_clear_pointer(&errInitV4, virFreeError); g_clear_pointer(&errInitV6, virFreeError); =20 - rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4); + rc =3D virNetfilterSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV4= ); if (rc < 0) { VIR_DEBUG("Failed to create global IPv4 chains: %s", virGetLastErrorMessage()); @@ -66,7 +67,7 @@ static void networkSetupPrivateChains(void) VIR_DEBUG("Global IPv4 chains already exist"); } =20 - rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); + rc =3D virNetfilterSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV6= ); if (rc < 0) { VIR_DEBUG("Failed to create global IPv6 chains: %s", virGetLastErrorMessage()); @@ -139,6 +140,7 @@ networkPreReloadFirewallRules(virNetworkDriverState *dr= iver, bool startup G_GNUC_UNUSED, bool force) { + g_autoptr(virNetworkDriverConfig) cfg =3D virNetworkDriverGetConfig(dr= iver); /* * If there are any running networks, we need to * create the global rules upfront. This allows us 
@@ -158,14 +160,13 @@ networkPreReloadFirewallRules(virNetworkDriverState *= driver, */ if (chainInitDone && force) { /* The Private chains have already been initialized once - * during this run of libvirtd, so 1) we can't do it again via - * virOnce(), and 2) we need to re-add the private chains even + * during this run of libvirtd (known because chainInitDone =3D=3D= true) + * so we need to re-add the private chains even * if there are currently no running networks, because the * next time a network is started, libvirt will expect that - * the chains have already been added. So we call directly - * instead of via virOnce(). + * the chains have already been added. So we force the init. */ - networkSetupPrivateChains(); + networkSetupPrivateChains(cfg->firewallBackend, true); =20 } else { if (!networkHasRunningNetworksWithFW(driver)) { @@ -173,7 +174,7 @@ networkPreReloadFirewallRules(virNetworkDriverState *dr= iver, return; } =20 - ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); + networkSetupPrivateChains(cfg->firewallBackend, false); } } =20 @@ -823,8 +824,7 @@ networkAddFirewallRules(virNetworkDef *def, virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(firewallBackend); =20 - if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) - return -1; + networkSetupPrivateChains(firewallBackend, false); =20 if (errInitV4 && (virNetworkDefGetIPByIndex(def, AF_INET, 0) || diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 990cb2e25d..496c6eaf51 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -37,8 +37,6 @@ virIptablesApplyFirewallRule(virFirewall *firewall, * requires untangling all the special cases for setting up private * chains that are necessitated by firewalld reloads). */ -int iptablesSetupPrivateChains (virFirewallLayer layer); - void iptablesAddOutputFixUdpChecksum (virFirewall *fw, const char *iface, int port); 
@@ -46,12 +44,15 @@ void iptablesRemoveOutputFixUdpChecksum (vi= rFirewall *fw, const char *iface, int port); =20 -/* These functions are only called from virnetfilter.c. Each can be +/* These functions are only called from virnetfilter.c. Most can be * called with an action of VIR_NETFILTER_INSERT or * VIR_NETFILTER_DELETE, to add or remove the described rule(s) in the * appropriate chain. */ =20 +int +iptablesSetupPrivateChains(virFirewallLayer layer); + void iptablesInput(virFirewall *fw, virFirewallLayer layer, diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index ba0f292ea9..f0fa0d5cd2 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -63,6 +63,22 @@ virNetfilterApplyFirewallRule(virFirewall *fw, } =20 =20 +/** + * virNetFilterSetupPrivateChains: + * @layer: VIR_NETFILTER_LAYER_IPV(4|6) + * + * Check if the private tables/chains needed for libvirt virtual + * networks exist in the systems filters, and add them if they're not + * already there. + * + */ +int +virNetfilterSetupPrivateChains(virFirewallBackend backend G_GNUC_UNUSED, + virFirewallLayer layer) +{ + return iptablesSetupPrivateChains(layer); +} + /** * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index eff047cde0..70dede3c3f 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h 
@@ -33,6 +33,9 @@ int virNetfilterApplyFirewallRule (virFirewall *fw, virFirewallRule *rule, char **output); + +int virNetfilterSetupPrivateChains (virFirewallBackend backe= nd, + virFirewallLayer layer); void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, --=20 2.39.2
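Review bot: in the networkSetupPrivateChains hunk chainInitLock is now held for the whole of virNetfilterSetupPrivateChains, i.e. while the external iptables commands run, and networkAddFirewallRules reaches it with a network object lock already held (networkReloadFirewallRulesHelper takes VIR_LOCK_GUARD on the object before calling it, per patch 11); that fixes the lock order as object lock first, then chainInitLock, so nothing executed under chainInitLock may lock a network object. A one-line comment at the chainInitLock definition stating that order would guard against a future deadlock. On the optimization floated in the commit message: reading chainInitDone outside the lock guard would be a data race on a plain bool, so if it is ever done it should go through g_atomic_int_get/g_atomic_int_set (or g_once_init_enter), not a bare load.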
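Review bot: the doc comment in the virnetfilter.c hunk does not match the function it documents: it is headed "virNetFilterSetupPrivateChains" while the function is virNetfilterSetupPrivateChains, it describes @layer as VIR_NETFILTER_LAYER_IPV(4|6) while the parameter is a virFirewallLayer and the callers pass VIR_FIREWALL_LAYER_IPV4/IPV6, and the new @backend parameter (deliberately ignored here via G_GNUC_UNUSED) is not documented at all. "systems filters" should read "system's filters", and the return convention that the caller's rc checks rely on should be stated.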
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 14/28] util: setup functions in virnetfilter which will call appropriate backend
Date: Sun, 30 Apr 2023 23:19:29 -0400
Message-Id: <20230501031943.288145-15-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Many of the functions in virnetfilter.c are nearly identical to one or more other functions (e.g. they just call the same iptables function, but with INSERT|DELETE action). Rather than adding a switch(backend) into all 24 of these functions, make small wrappers for the 10 iptables* functions that those 24 call, and put switch(backend) in *those* functions. This is more work now, but will make shorter work of adding in nftables backend support. (To be truthful, I've gotten this far basically ignoring the details of the plethora of functions in the viriptables.c API, just faithfully tooling it around while keeping the callers unchanged (aside from the function renaming back at the beginning of the series). I'm now thinking maybe the original API should be simplified, and the callers (i.e. the network driver) modified to use that simplified API instead.
But I've gotten this far so I might as well demonstrate working patches and ask for opinions rather than throwing away multiple patches and dealing with associated local merge/rebase conflicts due to changing patches early in the series for possibly no reason.) Signed-off-by: Laine Stump Reviewed-by: Ján Tomko Reviewed-by: Michal Privoznik --- po/POTFILES | 1 + src/util/virfirewall.c | 14 +- src/util/virnetfilter.c | 320 +++++++++++++++++++++++++++++++++++----- 3 files changed, 293 insertions(+), 42 deletions(-) diff --git a/po/POTFILES b/po/POTFILES index b122f02818..d20ac36062 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -302,6 +302,7 @@ src/util/virnetdevopenvswitch.c src/util/virnetdevtap.c src/util/virnetdevveth.c src/util/virnetdevvportprofile.c +src/util/virnetfilter.c src/util/virnetlink.c src/util/virnodesuspend.c src/util/virnuma.c diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index e1fda162c4..fa21266fb2 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -99,7 +99,19 @@ virFirewallGroupNew(void) */ virFirewall *virFirewallNew(virFirewallBackend backend) { - virFirewall *firewall =3D g_new0(virFirewall, 1); + virFirewall *firewall =3D NULL; + + /* If we arrive here and backend is _UNSET, then either there is a + * bug in our code, or we couldn't find the necessary binaries for + * a working backend (e.g. no iptables of nft binary). + */ + if (backend =3D=3D VIR_FIREWALL_BACKEND_UNSET) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewall_backend wasn't set, and no usable setti= ng could be auto-detected")); + return NULL; + } + + firewall =3D g_new0(virFirewall, 1); =20 firewall->backend =3D backend; return firewall; diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index f0fa0d5cd2..e6a748e877 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c 
@@ -44,6 +44,18 @@ VIR_LOG_INIT("util.netfilter"); #define VIR_FROM_THIS VIR_FROM_NONE =20 =20 +static void +virNetFilterBackendUnsetError(void) +{ + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewall_backend wasn't set, and no usable setting c= ould be auto-detected")); +} + + +/* All functions with a switch checking virFirewallGetBackend(fw) will + * need a case in the switch for each backend. + */ + /** * virNetfilterApplyFirewallRule: * @fw: the virFirewall this rule is part of (currently unused) @@ -59,7 +71,16 @@ virNetfilterApplyFirewallRule(virFirewall *fw, virFirewallRule *rule, char **output) { - return virIptablesApplyFirewallRule(fw, rule, output); + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return virIptablesApplyFirewallRule(fw, rule, output); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; } =20 =20 
@@ -73,12 +94,228 @@ virNetfilterApplyFirewallRule(virFirewall *fw, * */ int -virNetfilterSetupPrivateChains(virFirewallBackend backend G_GNUC_UNUSED, +virNetfilterSetupPrivateChains(virFirewallBackend backend, virFirewallLayer layer) { - return iptablesSetupPrivateChains(layer); + switch (backend) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesSetupPrivateChains(layer); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static void +virNetfilterInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesInput(fw, layer, iface, port, action, tcp); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesOutput(fw, layer, iface, port, action, tcp); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static int +virNetfilterForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowOut(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static int +virNetfilterForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { 
+ case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; } =20 + +static int +virNetfilterForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowIn(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static void +virNetfilterForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardAllowCross(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardRejectOut(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardRejectIn(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static int +virNetfilterForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + 
virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, + addr, port, protocol, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static int +virNetfilterForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + /** * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context @@ -94,7 +331,7 @@ virNetfilterAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, = 1); } =20 =20 @@ -113,7 +350,7 @@ virNetfilterRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, = 1); } =20 =20 @@ -132,7 +369,7 @@ virNetfilterAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, = 0); } =20 =20 
@@ -151,7 +388,7 @@ virNetfilterRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, = 0); } =20 =20 @@ -170,7 +407,7 @@ virNetfilterAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT,= 1); } =20 =20 @@ -189,7 +426,7 @@ virNetfilterRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE,= 1); } =20 =20 @@ -208,7 +445,7 @@ virNetfilterAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT,= 0); } =20 =20 @@ -227,7 +464,7 @@ virNetfilterRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE,= 0); } =20 =20 @@ -251,8 +488,8 @@ virNetfilterAddForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -276,8 +513,8 @@ virNetfilterRemoveForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 
@@ -301,8 +538,8 @@ virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowRelatedIn(fw, netaddr, prefix, iface, p= hysdev, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -326,8 +563,8 @@ virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowRelatedIn(fw, netaddr, prefix, iface, p= hysdev, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -351,8 +588,8 @@ virNetfilterAddForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -376,8 +613,8 @@ virNetfilterRemoveForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -397,7 +634,7 @@ virNetfilterAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT= ); + virNetfilterForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_IN= SERT); } =20 =20 @@ -417,7 +654,7 @@ virNetfilterRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE= ); + virNetfilterForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DE= LETE); } =20 =20 
@@ -436,9 +673,10 @@ virNetfilterAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); + virNetfilterForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INS= ERT); } =20 + /** * virNetfilterRemoveForwardRejectOut: * @ctx: pointer to the IP table context @@ -454,7 +692,7 @@ virNetfilterRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); + virNetfilterForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DEL= ETE); } =20 =20 @@ -473,7 +711,7 @@ virNetfilterAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); + virNetfilterForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSE= RT); } =20 =20 @@ -492,7 +730,7 @@ virNetfilterRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); + virNetfilterForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELE= TE); } =20 =20 @@ -518,9 +756,9 @@ virNetfilterAddForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -546,9 +784,9 @@ virNetfilterRemoveForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 
@@ -573,9 +811,9 @@ virNetfilterAddDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 
@@ -600,7 +838,7 @@ virNetfilterRemoveDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_FIREWALL_ACTION_DELETE); } --=20 2.39.2
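Review bot: in the virfirewall.c hunk (@@ -99,7 +99,19), the new comment says "no iptables of nft binary" where "or" is meant. The error string `firewall_backend wasn't set, and no usable setting could be auto-detected` is also duplicated verbatim by virNetFilterBackendUnsetError() in virnetfilter.c; keeping a single copy (or one shared helper) avoids the two messages and their translations drifting apart.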
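Review bot: in the virnetfilter.c hunk at @@ -44,6 +44,18, the new helper is named virNetFilterBackendUnsetError (capital F) while every other symbol in this file uses the virNetfilter prefix; suggest virNetfilterBackendUnsetError for consistency, since this name gets copied into every switch as backends are added.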
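Review bot: in the large virnetfilter.c hunk (@@ -73,12 +94,228), the void wrappers virNetfilterInput, virNetfilterOutput, virNetfilterForwardAllowCross, virNetfilterForwardRejectOut and virNetfilterForwardRejectIn simply `break` on VIR_FIREWALL_BACKEND_UNSET/_LAST, whereas the int-returning wrappers call virNetFilterBackendUnsetError() and return -1. ForwardRejectOut/In install the rules that block traffic the virtual network must not forward, so a silent no-op here would let a network come up without them. virFirewallNew() now refuses to build a virFirewall for an unset backend, so the path should be unreachable, and the absence of a `default:` label lets -Wswitch catch a missing enum case at compile time; still, suggest reporting the same error in the void wrappers so the two groups behave alike and an unexpected backend value is logged rather than quietly dropping rules.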
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 15/28] build: add nft to the list of binaries we attempt to locate
Date: Sun, 30 Apr 2023 23:19:30 -0400
Message-Id: <20230501031943.288145-16-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

and include it in BuildRequires and Requires of the rpm specfile to make sure it's available when doing official distro builds.

Signed-off-by: Laine Stump Reviewed-by: Ján Tomko Reviewed-by: Michal Privoznik --- libvirt.spec.in | 2 ++ meson.build | 1 + 2 files changed, 3 insertions(+) diff --git a/libvirt.spec.in b/libvirt.spec.in index ba73efb0b7..7b73b38af8 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in 
@@ -302,6 +302,7 @@ BuildRequires: libnl3-devel BuildRequires: libselinux-devel BuildRequires: iptables BuildRequires: ebtables +BuildRequires: nftables BuildRequires: module-init-tools BuildRequires: cyrus-sasl-devel BuildRequires: polkit >=3D 0.112 @@ -541,6 +542,7 @@ Requires: libvirt-daemon-common =3D %{version}-%{releas= e} Requires: libvirt-libs =3D %{version}-%{release} Requires: dnsmasq >=3D 2.41 Requires: iptables +Requires: nftables =20 %description daemon-driver-network The network driver plugin for the libvirtd daemon, providing diff --git a/meson.build b/meson.build index 9a18767fbb..2d94acc226 100644 --- a/meson.build +++ b/meson.build 
@@ -801,6 +801,7 @@ optional_programs =3D [ 'mdevctl', 'mm-ctl', 'modprobe', + 'nft', 'ovs-vsctl', 'passt', 'pdwtags', --=20 2.39.2
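Review bot: in the libvirt.spec.in hunk (@@ -541,6 +542,7), `Requires: nftables` becomes a hard dependency of daemon-driver-network next to the existing `Requires: iptables`. With both binaries guaranteed present on RPM installs, the iptables-first auto-detection added in the next patch will never select nftables on its own, so the backend only changes when firewall_backend is set explicitly; worth stating that in the commit message, and once the nftables backend is complete consider making one of the two a weak dependency so that minimal hosts need not install both.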
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 16/28] util: add nftables backend to virnetfilter API used by network driver
Date: Sun, 30 Apr 2023 23:19:31 -0400
Message-Id: <20230501031943.288145-17-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Signed-off-by: Laine Stump Reviewed-by: Ján Tomko Reviewed-by: Michal Privoznik --- po/POTFILES | 1 + src/network/bridge_driver_conf.c | 4 + src/network/network.conf | 17 +- src/util/meson.build | 1 + src/util/virfirewall.c | 3 +- src/util/virfirewall.h | 1 + src/util/virnetfilter.c | 48 +++ src/util/virnftables.c | 594 +++++++++++++++++++++++++++++++ src/util/virnftables.h | 118 ++++++ 9 files changed, 784 insertions(+), 3 deletions(-) create mode 100644 src/util/virnftables.c create mode 100644 src/util/virnftables.h diff --git a/po/POTFILES b/po/POTFILES index d20ac36062..4966f71eb3 100644 --- a/po/POTFILES +++ b/po/POTFILES 
@@ -304,6 +304,7 @@ src/util/virnetdevveth.c src/util/virnetdevvportprofile.c src/util/virnetfilter.c src/util/virnetlink.c +src/util/virnftables.c src/util/virnodesuspend.c src/util/virnuma.c src/util/virnvme.c diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index 9769ee06b5..d9f07cf448 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -98,6 +98,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_= GNUC_UNUSED, * for binaries used by the backends, and set accordingly. */ g_autofree char *iptablesInPath =3D NULL; + g_autofree char *nftInPath =3D NULL; =20 /* virFindFileInPath() uses g_find_program_in_path(), * which allows absolute paths, and verifies that @@ -105,6 +106,9 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg = G_GNUC_UNUSED, */ if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; + else if ((nftInPath =3D virFindFileInPath(NFT))) + cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_NFTABLES; + =20 if (cfg->firewallBackend =3D=3D VIR_FIREWALL_BACKEND_UNSET) VIR_INFO("firewall_backend not set, and no usable backend auto= -detected"); diff --git a/src/network/network.conf b/src/network/network.conf index 74c79e4cc6..630c4387a1 100644 --- a/src/network/network.conf +++ b/src/network/network.conf 
@@ -5,7 +5,20 @@ # firewall_backend: # # determines which subsystem to use to setup firewall packet -# filtering rules for virtual networks. Currently the only supported -# selection is "iptables". +# filtering rules for virtual networks. +# +# Supported settings: +# +# iptables - use iptables commands to construct the firewall +# nftables - use nft commands to construct the firewall +# +# For backward compatibility, and to reduce surprises, the +# default setting is "iptables". +# +# (NB: switching from one backend to another while there are active +# virtual networks *is* supported. The change will take place the +# next time that libvirtd/virtnetworkd is restarted - all existing +# virtual networks will have their old firewalls removed, and then +# reloaded using the new backend.) # #firewall_backend =3D "iptables" diff --git a/src/util/meson.build b/src/util/meson.build index aa570ed02a..c0e71760b1 100644 --- a/src/util/meson.build +++ b/src/util/meson.build @@ -71,6 +71,7 @@ util_sources =3D [ 'virnetdevvportprofile.c', 'virnetfilter.c', 'virnetlink.c', + 'virnftables.c', 'virnodesuspend.c', 'virnuma.c', 'virnvme.c', diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index fa21266fb2..17acc2adc3 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -39,7 +39,8 @@ VIR_LOG_INIT("util.firewall"); VIR_ENUM_IMPL(virFirewallBackend, VIR_FIREWALL_BACKEND_LAST, "UNSET", /* not yet set */ - "iptables"); + "iptables", + "nftables"); =20 typedef struct _virFirewallGroup virFirewallGroup; =20 diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 020dd2bedb..4d03dc3b3b 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -46,6 +46,7 @@ typedef enum { typedef enum { VIR_FIREWALL_BACKEND_UNSET, VIR_FIREWALL_BACKEND_IPTABLES, + VIR_FIREWALL_BACKEND_NFTABLES, =20 VIR_FIREWALL_BACKEND_LAST, } virFirewallBackend; diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index e6a748e877..0fc541687e 100644 
--- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c @@ -29,6 +29,7 @@ #include "internal.h" #include "virnetfilter.h" #include "viriptables.h" +#include "virnftables.h" #include "vircommand.h" #include "viralloc.h" #include "virerror.h" @@ -75,6 +76,9 @@ virNetfilterApplyFirewallRule(virFirewall *fw, case VIR_FIREWALL_BACKEND_IPTABLES: return virIptablesApplyFirewallRule(fw, rule, output); =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesApplyFirewallRule(fw, rule, output); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -101,6 +105,9 @@ virNetfilterSetupPrivateChains(virFirewallBackend backe= nd, case VIR_FIREWALL_BACKEND_IPTABLES: return iptablesSetupPrivateChains(layer); =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesSetupPrivateChains(layer); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -123,6 +130,10 @@ virNetfilterInput(virFirewall *fw, iptablesInput(fw, layer, iface, port, action, tcp); break; =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesInput(fw, layer, iface, port, action, tcp); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -143,6 +154,10 @@ virNetfilterOutput(virFirewall *fw, iptablesOutput(fw, layer, iface, port, action, tcp); break; =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesOutput(fw, layer, iface, port, action, tcp); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -163,6 +178,10 @@ virNetfilterForwardAllowOut(virFirewall *fw, return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, action); =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardAllowOut(fw, netaddr, prefix, + iface, physdev, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); 
@@ -185,6 +204,10 @@ virNetfilterForwardAllowRelatedIn(virFirewall *fw, return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, action); =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardAllowRelatedIn(fw, netaddr, prefix, + iface, physdev, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -207,6 +230,10 @@ virNetfilterForwardAllowIn(virFirewall *fw, return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, action); =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardAllowIn(fw, netaddr, prefix, + iface, physdev, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -227,6 +254,10 @@ virNetfilterForwardAllowCross(virFirewall *fw, iptablesForwardAllowCross(fw, layer, iface, action); break; =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesForwardAllowCross(fw, layer, iface, action); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -245,6 +276,10 @@ virNetfilterForwardRejectOut(virFirewall *fw, iptablesForwardRejectOut(fw, layer, iface, action); break; =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesForwardRejectOut(fw, layer, iface, action); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; @@ -263,6 +298,10 @@ virNetfilterForwardRejectIn(virFirewall *fw, iptablesForwardRejectIn(fw, layer, iface, action); break; =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + virNftablesForwardRejectIn(fw, layer, iface, action); + break; + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: break; 
@@ -285,6 +324,11 @@ virNetfilterForwardMasquerade(virFirewall *fw, return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, action); =20 + + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardMasquerade(fw, netaddr, prefix, physdev, + addr, port, protocol, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); @@ -307,6 +351,10 @@ virNetfilterForwardDontMasquerade(virFirewall *fw, return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, action); =20 + case VIR_FIREWALL_BACKEND_NFTABLES: + return virNftablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, action); + case VIR_FIREWALL_BACKEND_UNSET: case VIR_FIREWALL_BACKEND_LAST: virNetFilterBackendUnsetError(); diff --git a/src/util/virnftables.c b/src/util/virnftables.c new file mode 100644 index 0000000000..b43b14bb82 --- /dev/null +++ b/src/util/virnftables.c 
@@ -0,0 +1,594 @@ +/* + * virnftables.c: helper APIs for managing nftables filter rules + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include +#include +#include +#include +#include + +#include "internal.h" +#include "virnetfilter.h" +#include "virnftables.h" +#include "virfirewalld.h" +#include "vircommand.h" +#include "viralloc.h" +#include "virerror.h" +#include "virfile.h" +#include "virlog.h" +#include "virthread.h" +#include "virstring.h" +#include "virutil.h" +#include "virhash.h" + +VIR_LOG_INIT("util.nftables"); + +#define VIR_FROM_THIS VIR_FROM_NONE + +#define VIR_NFTABLES_PRIVATE_TABLE "libvirt" + +/* nftables backend uses the same binary (nft) for all layers, but + * IPv4 and IPv6 have their rules in separate classes of tables, + * either "ip" or "ip6". (there is also an "inet" class of tables that + * would examined for both IPv4 and IPv6 traffic, but since we want + * different rules for each family, we only use the family-specific + * table classes). 
+ */ +VIR_ENUM_DECL(virNftablesLayer); +VIR_ENUM_IMPL(virNftablesLayer, + VIR_FIREWALL_LAYER_LAST, + "", + "ip", + "ip6", +); + + +VIR_ENUM_DECL(virNftablesAction); +VIR_ENUM_IMPL(virNftablesAction, + VIR_FIREWALL_ACTION_LAST, + "insert", + "append", + "delete", +); + + +int +virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, + virFirewallRule *rule, + char **output) +{ + size_t count =3D virFirewallRuleGetArgCount(rule); + g_autoptr(virCommand) cmd =3D NULL; + g_autofree char *cmdStr =3D NULL; + g_autofree char *error =3D NULL; + size_t i; + int status; + + if (count =3D=3D 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Can't apply empty firewall command")); + return -1; + } + + cmd =3D virCommandNew(NFT); + + for (i =3D 0; i < count; i++) + virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); + + cmdStr =3D virCommandToString(cmd, false); + VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + + virCommandSetOutputBuffer(cmd, output); + virCommandSetErrorBuffer(cmd, &error); + + if (virCommandRun(cmd, &status) < 0) + return -1; + + if (status !=3D 0) { + if (STREQ_NULLABLE(virFirewallRuleGetArg(rule, 0), "list")) { + /* nft returns error status when the target of a "list" + * command doesn't exist, but we always want to just have + * an empty result, so this is not actually an error. 
+ */ + } else if (virFirewallRuleGetIgnoreErrors(rule)) { + VIR_DEBUG("Ignoring error running command"); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to apply firewall command '%1$s': %2$= s"), + NULLSTR(cmdStr), NULLSTR(error)); + VIR_FREE(*output); + return -1; + } + } + + return 0; +} + + +typedef struct { + const char *parent; + const char *child; + const char *extraArgs; +} virNftablesGlobalChain; + +typedef struct { + virFirewallLayer layer; + virNftablesGlobalChain *chains; + size_t nchains; + bool *changed; +} virNftablesGlobalChainData; + + +static int +virNftablesPrivateChainCreate(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + virNftablesGlobalChainData *data =3D opaque; + g_autoptr(GHashTable) chains =3D virHashNew(NULL); + g_autoptr(GHashTable) links =3D virHashNew(NULL); + const char *const *line; + const char *chain =3D NULL; + size_t i; + bool tableMatch =3D false; + const char *layerStr =3D virNftablesLayerTypeToString(layer); + g_autofree char *tableStr =3D g_strdup_printf("table %s libvirt {", + virNftablesLayerTypeToStri= ng(layer)); + line =3D lines; + while (line && *line) { + const char *pos =3D *line; + + virSkipSpaces(&pos); + if (STREQ(pos, tableStr)) { + /* "table ip libvirt {" */ + + tableMatch =3D true; + + } else if (STRPREFIX(pos, "chain ")) { + /* "chain LIBVIRT_OUT {" */ + + chain =3D pos + 6; + pos =3D strchr(chain, ' '); + if (pos) { + *(char *)pos =3D '\0'; + if (virHashUpdateEntry(chains, chain, (void *)0x1) < 0) + return -1; + } + + } else if ((pos =3D strstr(pos, "jump "))) { + /* "counter packets 20189046 bytes 3473108889 jump LIBVIRT_OUT= " */ + + pos +=3D 5; + if (chain) { + if (virHashUpdateEntry(links, pos, (char *)chain) < 0) + return -1; + } + + } + line++; + } + + if (!tableMatch) { + virFirewallAddRule(fw, layer, "add", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + } + + for (i =3D 0; i < data->nchains; i++) { + if (!(tableMatch && 
virHashLookup(chains, data->chains[i].child)))= { + virFirewallAddRule(fw, layer, "add", "chain", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].child, + data->chains[i].extraArgs, NULL); + *data->changed =3D true; + } + + if (data->chains[i].parent) { + const char *from =3D virHashLookup(links, data->chains[i].chil= d); + + if (!from || STRNEQ(from, data->chains[i].parent)) { + virFirewallAddRule(fw, layer, "insert", "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + data->chains[i].parent, "counter", + "jump", data->chains[i].child, NULL); + } + } + } + + return 0; +} + + +int +virNftablesSetupPrivateChains(virFirewallLayer layer) +{ + bool changed =3D false; + virNftablesGlobalChain chains[] =3D { + /* chains for filter rules */ + {NULL, "INPUT", "{ type filter hook input priority 0; policy accep= t; }"}, + {NULL, "FORWARD", "{ type filter hook forward priority 0; policy a= ccept; }"}, + {NULL, "OUTPUT", "{ type filter hook output priority 0; policy acc= ept; }"}, + {"INPUT", VIR_NETFILTER_INPUT_CHAIN, NULL}, + {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN, NULL}, + {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN, NULL}, + {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN, NULL}, + {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN, NULL}, + + /* chains for NAT rules */ + {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; p= olicy accept; }"}, + {"POSTROUTING", VIR_NETFILTER_NAT_POSTROUTE_CHAIN, NULL}, + }; + virNftablesGlobalChainData data =3D { layer, chains, G_N_ELEMENTS(cha= ins), &changed }; + + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + const char *layerStr =3D virNftablesLayerTypeToString(layer); + + virFirewallStartTransaction(fw, 0); + + /* the output of "nft list table ip[6] libvirt" will be parsed by + * the callback virNftablesPrivateChainCreate which will add any + * needed commands to add missing chains (or possibly even add the + * "ip[6] libvirt" table itself + */ + virFirewallAddRuleFull(fw, layer, false, + 
virNftablesPrivateChainCreate, &data, + "list", "table", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + + if (virFirewallApply(fw) < 0) + return -1; + + return changed ? 1 : 0; +} + + +void +virNftablesInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + g_autofree char *portstr =3D g_strdup_printf("%d", port); + const char *layerStr =3D virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_INPUT_CHAIN, + "iifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + +void +virNftablesOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + g_autofree char *portstr =3D g_strdup_printf("%d", port); + const char *layerStr =3D virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_OUTPUT_CHAIN, + "oifname", iface, + tcp ? "tcp" : "udp", + "dport", portstr, + "counter", "accept", + NULL); +} + + +/* Allow all traffic coming from the bridge, with a valid network address + * to proceed to WAN + */ +int +virNftablesForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + g_autofree char *networkstr =3D NULL; + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? 
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D virNftablesLayerTypeToString(layer); + virFirewallRule *rule; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + rule =3D virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule= ", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_OUT_CHAIN, + layerStr, "saddr", networkstr, + "iifname", iface, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "oifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, "counter", "accept", NULL); + + return 0; +} + + +/* Allow all traffic destined to the bridge, with a valid network address + * and associated with an existing connection + */ +int +virNftablesForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? 
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D virNftablesLayerTypeToString(layer); + g_autofree char *networkstr =3D NULL; + virFirewallRule *rule; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + rule =3D virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule= ", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_IN_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "iifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, "oifname", iface, + layerStr, "daddr", networkstr, + "ct", "state", "related,established", + "counter", "accept", NULL); + return 0; +} + + +/* Allow all traffic destined to the bridge, with a valid network address + */ +int +virNftablesForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? 
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D virNftablesLayerTypeToString(layer); + g_autofree char *networkstr =3D NULL; + virFirewallRule *rule; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + rule =3D virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule= ", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_IN_CHAIN, + layerStr, "daddr", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "iifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, "oifname", iface, + "counter", "accept", NULL); + return 0; +} + + +void +virNftablesForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + const char *layerStr =3D virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_X_CHAIN, + "iifname", iface, + "oifname", iface, + "counter", "accept", + NULL); +} + + +void +virNftablesForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + const char *layerStr =3D virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_OUT_CHAIN, + "iifname", iface, + "counter", "reject", + NULL); +} + + +void +virNftablesForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + const char *layerStr =3D virNftablesLayerTypeToString(layer); + + virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_FWD_IN_CHAIN, + "oifname", iface, + "counter", "reject", + NULL); +} + + +/* Masquerade all traffic coming from the network associated + * with the 
bridge + */ +int +virNftablesForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + virFirewallAction action) +{ + g_autofree char *networkstr =3D NULL; + g_autofree char *addrStartStr =3D NULL; + g_autofree char *addrEndStr =3D NULL; + g_autofree char *portRangeStr =3D NULL; + g_autofree char *natRangeStr =3D NULL; + virFirewallRule *rule; + int af =3D VIR_SOCKET_ADDR_FAMILY(netaddr); + virFirewallLayer layer =3D af =3D=3D AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D virNftablesLayerTypeToString(layer); + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { + if (!(addrStartStr =3D virSocketAddrFormat(&addr->start))) + return -1; + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { + if (!(addrEndStr =3D virSocketAddrFormat(&addr->end))) + return -1; + } + } + + rule =3D virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule= ", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, NULL); + + if (protocol && protocol[0]) { + virFirewallRuleAddArgList(fw, rule, + layerStr, "protocol", protocol, NULL); + } + + virFirewallRuleAddArgList(fw, rule, + layerStr, "saddr", networkstr, + layerStr, "daddr", "!=3D", networkstr, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "oifname", physdev, NULL); + + if (protocol && protocol[0]) { + if (port->start =3D=3D 0 && port->end =3D=3D 0) { + port->start =3D 1024; + port->end =3D 65535; + } + + if (port->start < port->end && port->end < 65536) { + portRangeStr =3D g_strdup_printf(":%u-%u", port->start, port->= end); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid port range '%1$u-%2$u'."), + port->start, port->end); + return -1; + } + } + + /* Use snat if public address is 
specified */ + if (addrStartStr && addrStartStr[0]) { + if (addrEndStr && addrEndStr[0]) { + natRangeStr =3D g_strdup_printf("%s-%s%s", addrStartStr, addrE= ndStr, + portRangeStr ? portRangeStr : ""= ); + } else { + natRangeStr =3D g_strdup_printf("%s%s", addrStartStr, + portRangeStr ? portRangeStr : ""= ); + } + + virFirewallRuleAddArgList(fw, rule, "counter", "snat", "to", natRa= ngeStr, NULL); + } else { + virFirewallRuleAddArgList(fw, rule, "counter", "masquerade", NULL); + + if (portRangeStr && portRangeStr[0]) + virFirewallRuleAddArgList(fw, rule, "to", portRangeStr, NULL); + } + + return 0; +} + + +/* Don't masquerade traffic coming from the network associated with the br= idge + * if said traffic targets @destaddr. + */ +int +virNftablesForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + virFirewallAction action) +{ + g_autofree char *networkstr =3D NULL; + virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + const char *layerStr =3D virNftablesLayerTypeToString(layer); + virFirewallRule *rule; + + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) + return -1; + + rule =3D virFirewallAddRule(fw, layer, + virNftablesActionTypeToString(action), "rule= ", + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, NULL); + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "oifname", physdev, NULL); + + virFirewallRuleAddArgList(fw, rule, + layerStr, "saddr", networkstr, + layerStr, "daddr", destaddr, + "counter", "return", NULL); + return 0; +} diff --git a/src/util/virnftables.h b/src/util/virnftables.h new file mode 100644 index 0000000000..5ea0f2452f --- /dev/null +++ b/src/util/virnftables.h 
@@ -0,0 +1,118 @@ +/* + * virnftables.h: helper APIs for managing nftables packet filters + * + * Copyright (C) 2023 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#pragma once + +#include "virsocketaddr.h" +#include "virfirewall.h" +#include "virnetfilter.h" + +/* virNftablesApplyFirewallRule should be called only from virnetfilter.c= */ + +int +virNftablesApplyFirewallRule(virFirewall *firewall, + virFirewallRule *rule, + char **output); + + +/* All the following functions can either insert or delete the given + * type of filter rule, depending on whether action is + * VIR_NETFILTER_INSERT or VIR_NETFILTER_DELETE. 
+ */ + +int +virNftablesSetupPrivateChains(virFirewallLayer layer); + +void +virNftablesInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp); + +void +virNftablesOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp); + +int +virNftablesForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action); + +int +virNftablesForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action); + +int +virNftablesForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action); + + +void +virNftablesForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action); + +void +virNftablesForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action); + +void +virNftablesForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action); + +int +virNftablesForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + virFirewallAction action); + +int +virNftablesForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + virFirewallAction action); --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; 
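Review bot: the second hunk in src/network/bridge_driver_conf.c adds an empty `+` line directly after the new `cfg->firewallBackend = VIR_FIREWALL_BACKEND_NFTABLES;` and before the existing blank context line, leaving two consecutive blank lines ahead of `if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET)`; drop the added one. Two related points: `NFT` is used here and in `virCommandNew(NFT)` in virnftables.c but nothing in this patch defines it, so the commit message should say which earlier patch of the series adds the build-time check that sets it; and both assignments in this hunk are unconditional, so if a firewall_backend value is ever read from network.conf before this code runs it will be overwritten by the auto-detection result, which is worth a comment or an explicit `if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET)` guard around the detection.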
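Review bot: the new comment in src/network/network.conf states that the default setting is "iptables", but the auto-detection added to bridge_driver_conf.c in this same patch selects nftables whenever no iptables binary is found, so the effective default is "iptables if installed, otherwise nftables"; say so in the comment, and mention that selecting "nftables" requires the nft binary to be installed, so an admin reading only the conf file is not surprised by a backend switch after removing iptables.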
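Review bot: in the virNetfilterForwardMasquerade hunk of src/util/virnetfilter.c (@@ -285,6 +324,11 @@) the added block begins with an extra empty `+` line immediately after the existing blank context line, so the new `case VIR_FIREWALL_BACKEND_NFTABLES:` is separated from the iptables return by two blank lines while every other NFTABLES case added to this file uses one; drop the extra line for consistency.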
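Review bot: `virNftablesAction` in src/util/virnftables.c maps VIR_FIREWALL_ACTION_* to the strings "insert", "append", "delete", but nft has no `append` command: rules are appended with `nft add rule ...` and prepended with `nft insert rule ...`, so any caller using the append action will produce a command that nft rejects; the middle entry should be "add". Three further points in the same file. First, virNftablesPrivateChainCreate takes `const char *const *lines` yet does `*(char *)pos = '\0';` to terminate the chain name, writing into memory it was handed as const; copy the name with g_strndup (or store the length) instead of mutating the captured command output. Second, `tableStr` is built from the literal "libvirt" in `g_strdup_printf("table %s libvirt {", ...)` while every other use goes through VIR_NFTABLES_PRIVATE_TABLE; use the macro so the listing parser cannot drift from the table the code creates. Third, in virNftablesApplyFirewallRule any non-zero exit of a "list" command is silently treated as an empty listing, including failures unrelated to a missing table (permission or netlink errors, for example), and nft's stderr in `error` is discarded; at least log it with VIR_DEBUG so the subsequent "add table" failure can be diagnosed. Finally, virNftablesForwardMasquerade rewrites the caller's `port->start`/`port->end` in place when both are zero, and the check `port->start < port->end` rejects a single-port range where start == end; consider `<=` and keeping the defaults in local variables rather than modifying the caller's virPortRange.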
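Review bot: the comment in src/util/virnftables.h reading "depending on whether action is VIR_NETFILTER_INSERT or VIR_NETFILTER_DELETE" names constants that appear nowhere in this patch; the parameters are typed virFirewallAction and virnftables.c maps them via VIR_FIREWALL_ACTION_LAST to "insert"/"append"/"delete", so the comment looks copied from the iptables header and should name the virFirewallAction values actually used. It also sits directly above virNftablesSetupPrivateChains, which takes no action parameter at all; move it below that prototype so it covers only the functions it describes.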
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 17/28] tests: test cases for nftables backend
Date: Sun, 30 Apr 2023 23:19:32 -0400
Message-Id: <20230501031943.288145-18-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Run all the networkxml2firewall tests twice - once with the iptables backend, and once with the nftables backend. The results files for the existing iptables tests were previously named *.args. That has been changed to *.iptables, and the results files for the new nftables tests are named *.nftables.
Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
--- .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++++++++++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 248 +++++++++ ...pv6-linux.args => nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 384 ++++++++++++++ ...rgs => nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++ ...linux.args => nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 472 ++++++++++++++++++ ...-linux.args => nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 384 ++++++++++++++ ...ftp-linux.args => nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 274 ++++++++++ ...inux.args => route-default-linux.iptables} | 0 .../route-default-linux.nftables | 162 ++++++ tests/networkxml2firewalltest.c | 47 +- 17 files changed, 2670 insertions(+), 13 deletions(-) rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2firewalldata/base.iptables similarity index 100% rename from tests/networkxml2firewalldata/base.args rename to tests/networkxml2firewalldata/base.iptables diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables new file mode 100644 index 0000000000..4f1f475a85 --- /dev/null +++ b/tests/networkxml2firewalldata/base.nftables
@@ -0,0 +1,256 @@ +nft \ +list \ +table \ +ip \ +libvirt +nft \ +add \ +table \ +ip \ +libvirt +nft \ +add \ +chain \ +ip \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT +nft \ +list \ +table \ +ip6 \ +libvirt +nft \ +add \ +table \ +ip6 \ +libvirt +nft \ +add \ +chain \ +ip6 \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip6 \ 
+libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip6 \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-default-linux.args rename to tests/networkxml2firewalldata/nat-default-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables new file mode 100644 index 0000000000..7e01ceba97 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables 
@@ -0,0 +1,248 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ 
+LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables new file mode 100644 index 0000000000..3a75dfced7 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables 
@@ -0,0 +1,384 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ 
+LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept 
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b= /tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables new file mode 100644 index 0000000000..5959a920ff --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables 
@@ -0,0 +1,456 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ 
+LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip6 \ 
+libvirt \ +LIBVIRT_PRT \ +ip6 \ +protocol \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +protocol \ +tcp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-many-ips-linux.args rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables new file mode 100644 index 0000000000..7cf989e040 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables 
@@ -0,0 +1,472 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ 
+LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.128.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.150.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.150.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ 
+192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables new file mode 100644 index 0000000000..3a75dfced7 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables 
@@ -0,0 +1,384 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ 
+LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept 
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-tftp-linux.args rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables new file mode 100644 index 0000000000..15ac92c46a --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables 
@@ -0,0 +1,274 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ 
+rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/route-default-linux.args rename to tests/networkxml2firewalldata/route-default-linux.iptables diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables new file mode 100644 index 0000000000..f56cc2d0bc --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.nftables 
@@ -0,0 +1,162 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +ip \ +daddr \ +192.168.122.0/24 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 3a9f409e2a..ab1c7b217d 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c 
@@ -85,7 +85,8 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, =20 static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline, - const char *baseargs) + const char *baseargs, + virFirewallBackend backend) { g_autofree char *actualargv =3D NULL; g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; @@ -98,7 +99,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) + if (networkAddFirewallRules(def, backend) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); @@ -119,6 +120,7 @@ static int testCompareXMLToArgvFiles(const char *xml, struct testInfo { const char *name; const char *baseargs; + virFirewallBackend backend; }; =20 =20 @@ -132,10 +134,11 @@ testCompareXMLToIPTablesHelper(const void *data) =20 xml =3D g_strdup_printf("%s/networkxml2firewalldata/%s.xml", abs_srcdir, info->name); - args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args", - abs_srcdir, info->name, RULESTYPE); + args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s", + abs_srcdir, info->name, RULESTYPE, + virFirewallBackendTypeToString(info->backend)); =20 - result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs); + result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs, info->= backend); =20 return result; } 
@@ -145,24 +148,42 @@ static int mymain(void) { int ret =3D 0; - g_autofree char *basefile =3D NULL; - g_autofree char *baseargs =3D NULL; + g_autofree char *basefileIptables =3D NULL; + g_autofree char *basefileNftables =3D NULL; + g_autofree char *baseargsIptables =3D NULL; + g_autofree char *baseargsNftables =3D NULL; + const char *baseargs[VIR_FIREWALL_BACKEND_LAST]; =20 -# define DO_TEST(name) \ +# define DO_TEST_FOR_BACKEND(name, backend) \ do { \ struct testInfo info =3D { \ - name, baseargs, \ + name, baseargs[backend], backend \ }; \ - if (virTestRun("Network XML-2-iptables " name, \ - testCompareXMLToIPTablesHelper, &info) < 0) \ + g_autofree char *label =3D g_strdup_printf("Network XML-2-%s %s", \ + virFirewallBackendTypeToS= tring(backend), \ + name); \ + if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \ ret =3D -1; \ } while (0) =20 - basefile =3D g_strdup_printf("%s/networkxml2firewalldata/base.args", a= bs_srcdir); +# define DO_TEST(name) \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); + + + basefileIptables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= iptables", abs_srcdir); + if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0) + return EXIT_FAILURE; + + baseargs[VIR_FIREWALL_BACKEND_IPTABLES] =3D baseargsIptables; =20 - if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0) + basefileNftables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= nftables", abs_srcdir); + if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0) return EXIT_FAILURE; =20 + baseargs[VIR_FIREWALL_BACKEND_NFTABLES] =3D baseargsNftables; + + DO_TEST("nat-default"); DO_TEST("nat-tftp"); DO_TEST("nat-many-ips"); --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; 
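Review bot: `DO_TEST(name)` in the mymain hunk expands to two statements (`DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES);`) with no `do { ... } while (0)` wrapper, so `DO_TEST("nat-default");` ends in an empty statement and the macro would misbehave inside an unbraced `if`/`else`; wrap it the same way DO_TEST_FOR_BACKEND is. The `const char *baseargs[VIR_FIREWALL_BACKEND_LAST]` array is also left uninitialised and is only fully populated after both virFileReadAll calls succeed; initialising it with `{ NULL }` would make a future backend that is added to the enum but not to mymain fail loudly instead of passing an uninitialised pointer into the test.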
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 18/28] util: new functions to support adding individual rollback rules
Date: Sun, 30 Apr 2023 23:19:33 -0400
Message-Id: <20230501031943.288145-19-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

In the past virFirewall required all rollback rules for a group (those commands necessary to "undo" any rules that had been added in that group in case of a later failure) to be manually added by switching into "rollback mode" and then re-calling the inverse of the exact virFirewallAddRule*() APIs that had been called to add the original rules (i.e. for each --insert command, for rollback we would need to add a rule with all arguments identical except that "--insert" would be replaced by "--delete").

Because nftables can't search for rules to remove by comparing all the arguments (it instead expects *only* a handle that was issued when the rule was originally added), we want for the backends' vir*ApplyRule() functions to be able to automatically add a single rollback rule to the virFirewall object while applying its existing rules (this automatically added rule would then be able to include the handle returned by "nft add rule").
In order to make this happen, we need to be able to 1) learn whether the user of the virFirewall API desires this behavior (handled by a new transaction flag called VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK that can be retrieved with the new virFirewallTransactionGetFlags() API), and 2) add a new rule to the current group's rollback rule list (with the new virFirewallAddRollbackRule()). We will actually use these in the backends in an upcoming patch. Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 53 ++++++++++++++++++++++++++++++++++++---- src/util/virfirewall.h | 10 ++++++++ 3 files changed, 60 insertions(+), 5 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index a93143638f..df84c5520c 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2371,6 +2371,7 @@ virFileCacheSetPriv; =20 =20 # util/virfirewall.h +virFirewallAddRollbackRule; virFirewallAddRuleFull; virFirewallApply; virFirewallBackendTypeFromString; @@ -2390,6 +2391,7 @@ virFirewallRuleGetLayer; virFirewallRuleToString; virFirewallStartRollback; virFirewallStartTransaction; +virFirewallTransactionGetFlags; =20 =20 # util/virfirewalld.h diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 17acc2adc3..c59166b843 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -209,6 +209,7 @@ static virFirewallRule * virFirewallAddRuleFullV(virFirewall *firewall, virFirewallLayer layer, bool ignoreErrors, + bool isRollback, virFirewallQueryCallback cb, void *opaque, va_list args) 
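Review bot: the new `isRollback` parameter of virFirewallAddRuleFullV in the -209 hunk has no comment explaining how it relates to `group->addingRollback` (an explicit per-call request versus the group-wide mode entered by virFirewallStartRollback); a one-line comment on the parameter, or in the function's doc block, would save the next reader from having to trace both paths.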
@@ -225,18 +226,17 @@ virFirewallAddRuleFullV(virFirewall *firewall, } group =3D firewall->groups[firewall->currentGroup]; =20 - rule =3D g_new0(virFirewallRule, 1); =20 rule->layer =3D layer; - rule->queryCB =3D cb; - rule->queryOpaque =3D opaque; =20 while ((str =3D va_arg(args, char *)) !=3D NULL) ADD_ARG(rule, str); =20 - if (group->addingRollback) { + if (isRollback || group->addingRollback) { rule->ignoreErrors =3D true; /* always ignore errors when rolling = back */ + rule->queryCB =3D NULL; /* rollback rules can't have a callback */ + rule->queryOpaque =3D NULL; VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); } else { /* when not rolling back, ignore errors if this group (transaction) @@ -245,6 +245,8 @@ virFirewallAddRuleFullV(virFirewall *firewall, */ rule->ignoreErrors =3D ignoreErrors || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S); + rule->queryCB =3D cb; + rule->queryOpaque =3D opaque; VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); } =20 
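Review bot: in the -225 hunk, when `isRollback || group->addingRollback` holds the caller's `cb`/`opaque` are silently discarded (`rule->queryCB = NULL; rule->queryOpaque = NULL;`). virFirewallAddRollbackRule always passes NULL so that caller is fine, but a caller that uses virFirewallAddRuleFull with a callback while the group is in rollback mode now loses it without any diagnostic; consider reporting an error, or at least a VIR_WARN, when `cb != NULL` on this path rather than dropping it.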
@@ -285,7 +287,33 @@ virFirewallRule *virFirewallAddRuleFull(virFirewall *f= irewall, virFirewallRule *rule; va_list args; va_start(args, opaque); - rule =3D virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, op= aque, args); + rule =3D virFirewallAddRuleFullV(firewall, layer, ignoreErrors, false,= cb, opaque, args); + va_end(args); + return rule; +} + + +/** + * virFirewallAddRollbackRule: + * @firewall: firewall ruleset to add to + * @layer: the firewall layer to change + * @...: NULL terminated list of strings for the rule + * + * Add a rule to the current firewall group "rollback" + * ruleset. Rollback rules always ignore errors and don't support any + * callbacks. + * + * Returns the new rule + */ +virFirewallRule * +virFirewallAddRollbackRule(virFirewall *firewall, + virFirewallLayer layer, + ...) +{ + virFirewallRule *rule; + va_list args; + va_start(args, layer); + rule =3D virFirewallAddRuleFullV(firewall, layer, true, true, NULL, NU= LL, args); va_end(args); return rule; } @@ -472,6 +500,21 @@ void virFirewallStartTransaction(virFirewall *firewall, firewall->currentGroup =3D firewall->ngroups - 1; } =20 + +/** + * virFirewallTransactionGetFlags: + * @firewall: the firewall to look at + * + * Returns the virFirewallTransactionFlags for the currently active + * group (transaction) in @firewall. + */ +virFirewallTransactionFlags +virFirewallTransactionGetFlags(virFirewall *firewall) +{ + return firewall->groups[firewall->currentGroup]->actionFlags; +} + + /** * virFirewallBeginRollback: * @firewall: the firewall ruleset diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 4d03dc3b3b..f81b63567a 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h 
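Review bot: the doc comment on virFirewallAddRollbackRule in the -285 hunk says "Returns the new rule" but does not say whether NULL is possible; it forwards to virFirewallAddRuleFullV, so any failure path that helper has applies here too, and the iptables caller later in this series uses the result in `virFirewallRuleAddArg(firewall, rollback, ...)` without a NULL check. Either document that it cannot fail or state the NULL case so callers know to check.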
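Review bot: virFirewallTransactionGetFlags in the -472 hunk indexes `firewall->groups[firewall->currentGroup]` unconditionally; if it is ever called before virFirewallStartTransaction has created a group (`firewall->ngroups == 0`, in which case `currentGroup` would be `ngroups - 1`) it reads outside the array. The callers in this series invoke it from the ApplyRule path where a group always exists, but a precondition line in the doc comment, or an assertion on `ngroups`, would make that contract explicit.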
@@ -83,6 +83,11 @@ virFirewallRule *virFirewallAddRuleFull(virFirewall *fir= ewall, ...) G_GNUC_NULL_TERMINATED; =20 +virFirewallRule *virFirewallAddRollbackRule(virFirewall *firewall, + virFirewallLayer layer, + ...) + G_GNUC_NULL_TERMINATED; + void virFirewallRemoveRule(virFirewall *firewall, virFirewallRule *rule); =20 
@@ -125,11 +130,16 @@ typedef enum { /* Ignore all errors when applying rules, so no * rollback block will be required */ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS =3D (1 << 0), + /* Set to auto-add a rollback rule for each rule that is applied */ + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK =3D (1 << 1), } virFirewallTransactionFlags; =20 void virFirewallStartTransaction(virFirewall *firewall, unsigned int flags); =20 +virFirewallTransactionFlags +virFirewallTransactionGetFlags(virFirewall *firewall); + typedef enum { /* Execute previous rollback block before this * one, to chain cleanup */ --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911263; cv=none; d=zohomail.com; s=zohoarc; b=MIsIJYxD/P3sazcBdXfjYeaiwL2EDGbn7BQv1l93v7Ok9VYnUg1EJuDl/qQjYqt27VkcnKmZWYcJcdPzb17PVRflA6AIDfyrWCk5VqL/w4b0BEDISq1bdWpgLkU2gnYwvrQnGvnvVEoGyTHBDz5o2/0LHnViCWbmbWLs4K67bwE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911263; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=GhRziREX5AieQZ0UJfu7NQ/YLZXXsyb45PEPoo/84hs=; b=L2NzN4FbzxsnBmhCl+zRXPolKPSK4ONnjwBa5VxKRlyAa33Kx6Bp0TSbRKxwfwGQ0URmojPsi6qAVtQyJuSU/X+nKizbp6Sd2qPQ9JKv24n1BZ9tRZ6SiJpoub3EOjVYRcl7hiTcK6nvQynLpsb9Sqp69ina48kyirBMoMpDUq8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of 
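Review bot: the comment on VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK in the -125 hunk ("Set to auto-add a rollback rule for each rule that is applied") overstates what the backends do: the iptables and nftables implementations later in this series record a rollback only for insert/append (iptables) or insert/add/create of a rule, chain or table (nftables), and only when the command succeeds. Saying "for each insert/add command that is applied successfully" here would stop users of the flag expecting delete or flush commands to be undone.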
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 19/28] util: check for 0 args when applying iptables rule
Date: Sun, 30 Apr 2023 23:19:34 -0400
Message-Id: <20230501031943.288145-20-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

In normal practice a firewall rule should never have 0 args by the time it gets to the Apply stage, but at some time while debugging auto-rollback exactly that happened (due to a bug that was since squashed), and having a check for it helped debugging, so let's permanently check for it (the nftables version of ApplyRule already has this check).
Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/util/viriptables.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 96b69daf68..4e3188e4d1 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -71,10 +71,11 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GN= UC_UNUSED, { virFirewallLayer layer =3D virFirewallRuleGetLayer(rule); const char *bin =3D virIptablesLayerCommandTypeToString(layer); + size_t count =3D virFirewallRuleGetArgCount(rule); g_autoptr(virCommand) cmd =3D NULL; g_autofree char *cmdStr =3D NULL; g_autofree char *error =3D NULL; - size_t i, count; + size_t i; int status; =20 if (!bin) { @@ -83,6 +84,12 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNU= C_UNUSED, return -1; } =20 + if (count =3D=3D 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Can't apply empty firewall rule")); + return -1; + } + cmd =3D virCommandNewArgList(bin, NULL); =20 /* lock to assure nobody else is messing with the tables while we are = */ 
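Review bot: the zero-argument check added in the -83 hunk reports "Can't apply empty firewall rule" with no context; `bin` (the layer's iptables/ip6tables/ebtables command) is already resolved at that point, so including it in the message would make this internal error much easier to trace back to the offending rule when it does fire.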
@@ -98,7 +105,6 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNU= C_UNUSED, break; } =20 - count =3D virFirewallRuleGetArgCount(rule); for (i =3D 0; i < count; i++) virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); =20 --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911455; cv=none; d=zohomail.com; s=zohoarc; b=X/MYwT10nm2bG4WaEyMi3nfK45C0hb2Jba4olMYn9plUT9VRktT5Hrngb6d/7cV7h9/fHDG6WmjBUoIYRK8MGMigeLzTblBg156Rch4HU5/ipP1u9J7D8QhsviqgQNI008U5++dBY6vLc5WDVU93DsxEkLgAwRGOiLcVqON2bTM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911455; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=tlWEN3ije9ggFDQpL7bUMlA81/SCKFTXrVwfTnd15qc=; b=IUXx9xxFNoQdOpk9l9oJrZAxAJIatJXdpworCTrpmaYmtZu3l3+gDD74pusWdec73Pg64HsYTei5M4ALgBuTXJvpDbkgPNyXjs6IwQxqNowFvhhHuK275YjHq7veYMZG21Y0Xp+UbrNBT2pR9YfTdInT+t0cj+JiTMIsQILGhPg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1682911455251869.8234474952138; Sun, 30 Apr 2023 20:24:15 -0700 
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 20/28] util: implement rollback rule autosave for iptables backend
Date: Sun, 30 Apr 2023 23:19:35 -0400
Message-Id: <20230501031943.288145-21-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/util/viriptables.c | 49 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 3 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 4e3188e4d1..b332c036cf 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -63,15 +63,21 @@ VIR_ENUM_IMPL(virIptablesAction, "--delete", ); =20 +#define VIR_ARG_IS_INSERT(arg) \ + (STREQ(arg, "--insert") || STREQ(arg, "-I") \ + || STREQ(arg, "--append") || STREQ(arg, "-A")) =20 int -virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, +virIptablesApplyFirewallRule(virFirewall *firewall, virFirewallRule *rule, char **output) { virFirewallLayer layer =3D virFirewallRuleGetLayer(rule); const char *bin =3D virIptablesLayerCommandTypeToString(layer); size_t count =3D virFirewallRuleGetArgCount(rule); + bool checkRollback =3D (virFirewallTransactionGetFlags(firewall) + & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); + bool needRollback =3D false; g_autoptr(virCommand) cmd =3D NULL; g_autofree char *cmdStr =3D NULL; g_autofree char *error =3D NULL; @@ -105,8 +111,15 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_G= NUC_UNUSED, break; } =20 - for (i =3D 0; i < count; i++) - virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); + for (i =3D 0; i < count; i++) { + const char *arg =3D virFirewallRuleGetArg(rule, i); + + /* the -I/-A arg could be at any position in the list */ + if (checkRollback && VIR_ARG_IS_INSERT(arg)) + needRollback =3D true; + + virCommandAddArg(cmd, arg); + } =20 cmdStr =3D virCommandToString(cmd, false); VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); @@ -118,8 +131,10 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_G= NUC_UNUSED, return -1; =20 if (status !=3D 0) { + /* the command failed, decide whether or not to report it */ if (virFirewallRuleGetIgnoreErrors(rule)) { VIR_DEBUG("Ignoring error running command"); + return 0; } else { virReportError(VIR_ERR_INTERNAL_ERROR, _("Failed to apply firewall rules %1$s: %2$s"), 
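Review bot: VIR_ARG_IS_INSERT in the -63 hunk should parenthesize its argument (`STREQ((arg), "--insert") || ...`) as ordinary macro hygiene, and a macro of the same name with different contents is defined in virnftables.c later in this series; both are file-local, but a backend-specific name such as VIR_IPTABLES_ARG_IS_INSERT would avoid the two being confused when grepping. Dropping G_GNUC_UNUSED from `firewall` in the same hunk is correct now that it is passed to virFirewallTransactionGetFlags.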
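Review bot: the `return 0;` added to the ignore-errors branch in the -118 hunk changes control flow so that a failed-but-ignored command no longer reaches the rollback-recording code that follows; that is the right behaviour (nothing was applied, so nothing needs undoing), but the new comment "the command failed, decide whether or not to report it" does not say that it also skips the rollback. State that explicitly, as the matching comment in the virnftables.c version of this patch does.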
@@ -129,6 +144,34 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_G= NUC_UNUSED, } } =20 + /* the command was successful, see if we need to add a + * rollback rule + */ + + if (needRollback) { + virFirewallRule *rollback + =3D virFirewallAddRollbackRule(firewall, layer, NULL); + g_autofree char *rollbackStr =3D NULL; + + for (i =3D 0; i < count; i++) { + const char *arg =3D virFirewallRuleGetArg(rule, i); + + /* iptables --delete wants the entire commandline that + * was used for --insert but with s/insert/delete/ + */ + if (VIR_ARG_IS_INSERT(arg)) { + virFirewallRuleAddArg(firewall, rollback, "--delete"); + } else { + virFirewallRuleAddArg(firewall, rollback, arg); + } + } + + rollbackStr + =3D virFirewallRuleToString(virIptablesLayerCommandTypeToStrin= g(layer), + rollback); + VIR_DEBUG("Recording Rollback rule '%s'", NULLSTR(rollbackStr)); + } + return 0; } =20 --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911446; cv=none; d=zohomail.com; s=zohoarc; b=TXXzOxTtoa5uAaa+nIRhKgr745uiOK0+bbKyL4GyZkwJkyeV5LOYn+5XytJiJh6gnwTCDiK3I8twFN06K09xBZw048G1voQwQEjQM+42vvh8iZC9hM832SebpNfPByhRbRQBLCxIwo2QjUA64nr5a9L6tBDtGhA1IDX2Ya5tc1s= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911446; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; 
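Review bot: `rollback` from virFirewallAddRollbackRule() is passed to `virFirewallRuleAddArg(firewall, rollback, ...)` in the -129 hunk without a NULL check; either assert it or check it, and make the doc comment on virFirewallAddRollbackRule say which is needed. Separately, the s/insert/delete/ substitution keeps every other argument verbatim, so if any caller ever passes a rule number after the chain name with `--insert` (iptables' `-I chain rulenum rule-spec` form), the generated `--delete chain rulenum ...` would no longer be a pure match-by-specification delete; worth either confirming no libvirt rule uses that form or noting the limitation in the comment.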
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 21/28] util: implement rollback rule autosave for nftables backend
Date: Sun, 30 Apr 2023 23:19:36 -0400
Message-Id: <20230501031943.288145-22-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Determining the correct rollback rule for nftables is more complicated than iptables - nftables gives each new table/chain/rule a handle, and the nft delete command to delete the object must contain that handle (rather than just replicating the entire original commandline as is done for iptables). The handle is obtained by adding an extra "-ae" option to the original nft commandline, and then parsing stdout of the command looking for "# handle n" (where "n" is a decimal integer).

This code isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/util/virnftables.c | 106 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 105 insertions(+), 1 deletion(-)

diff --git a/src/util/virnftables.c b/src/util/virnftables.c
index b43b14bb82..0cc09caaed 100644
--- a/src/util/virnftables.c
+++ b/src/util/virnftables.c
@@ -71,12 +71,18 @@ VIR_ENUM_IMPL(virNftablesAction, ); =20 =20 +#define VIR_ARG_IS_INSERT(arg) \ + (STREQ(arg, "insert") || STREQ(arg, "add") || STREQ(arg, "create")) + int virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED, virFirewallRule *rule, char **output) { size_t count =3D virFirewallRuleGetArgCount(rule); + bool needRollback =3D false; + size_t cmdIdx =3D 0; + const char *objectType =3D NULL; g_autoptr(virCommand) cmd =3D NULL; g_autofree char *cmdStr =3D NULL; g_autofree char *error =3D NULL; @@ -91,11 +97,45 @@ virNftablesApplyFirewallRule(virFirewall *firewall G_GN= UC_UNUSED, =20 cmd =3D virCommandNew(NFT); =20 + if ((virFirewallTransactionGetFlags(firewall) + & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) + && count > 1) { + /* skip any leading options to get to command verb */ + for (i =3D 0; i < count - 1; i++) { + if (virFirewallRuleGetArg(rule, i)[0] !=3D '-') + break; + } + + if (i + 1 < count + && VIR_ARG_IS_INSERT(virFirewallRuleGetArg(rule, i))) { + + cmdIdx =3D i; + objectType =3D virFirewallRuleGetArg(rule, i + 1); + + /* we currently only handle auto-rollback for rules, + * chains, and tables, and those all can be "rolled + * back" by a delete command using the handle that is + * returned when "-ae" is added to the add/insert + * command. + */ + if (STREQ_NULLABLE(objectType, "rule") + || STREQ_NULLABLE(objectType, "chain") + || STREQ_NULLABLE(objectType, "table")) { + + needRollback =3D true; + /* this option to nft instructs it to add the + * "handle" of the created object to stdout + */ + virCommandAddArg(cmd, "-ae"); + } + } + } + for (i =3D 0; i < count; i++) virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i)); =20 cmdStr =3D virCommandToString(cmd, false); - VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + VIR_INFO("Applying '%s'", NULLSTR(cmdStr)); =20 virCommandSetOutputBuffer(cmd, output); virCommandSetErrorBuffer(cmd, &error); 
@@ -118,8 +158,72 @@ virNftablesApplyFirewallRule(virFirewall *firewall G_G= NUC_UNUSED, VIR_FREE(*output); return -1; } + + /* there was an error, so we won't be building any rollback rule, + * but the error should be ignored, so we return success + */ + return 0; } =20 + if (needRollback) { + virFirewallRule *rollback + =3D virFirewallAddRollbackRule(firewall, + virFirewallRuleGetLayer(rule), NU= LL); + const char *handleStart =3D NULL; + size_t handleLen =3D 0; + g_autofree char *handleStr =3D NULL; + g_autofree char *rollbackStr =3D NULL; + + /* Search for "# handle n" in stdout of the nft add command - + * that is the handle of the table/rule/chain that will later + * need to be deleted. + */ + + if ((handleStart =3D strstr(*output, "# handle "))) { + handleStart +=3D 9; /* move past "# handle " */ + handleLen =3D strspn(handleStart, "0123456789"); + } + + if (!handleLen) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("couldn't register rollback command - command= '%1$s' had no valid handle in output ('%2$s')"), + NULLSTR(cmdStr), NULLSTR(*output)); + return -1; + } + + handleStr =3D g_strdup_printf("%.*s", (int)handleLen, handleStart); + + /* The rollback rule is created from the original rule like this: + * + * 1) skip any leading options + * 2) replace add/insert with delete + * 3) keep the type of item being added (rule/chain/table) + * 4) keep the class (ip/ip6/inet) + * 5) for chain/rule, keep the table name + * 6) for rule, keep the chain name + * 7) add "handle n" where "n" is parsed from the + * stdout of the nft command + */ + virFirewallRuleAddArgList(firewall, rollback, "delete", objectType, + virFirewallRuleGetArg(rule, cmdIdx + 2),= /* ip/ip6/inet */ + NULL); + + if (STREQ_NULLABLE(objectType, "rule") + || STREQ_NULLABLE(objectType, "chain")) { + /* include table name in command */ + virFirewallRuleAddArg(firewall, rollback, + virFirewallRuleGetArg(rule, cmdIdx + 3)); + } + if (STREQ_NULLABLE(objectType, "rule")) { + /* include chain name in 
command */ + virFirewallRuleAddArg(firewall, rollback, + virFirewallRuleGetArg(rule, cmdIdx + 4)); + } + virFirewallRuleAddArgList(firewall, rollback, "handle", handleStr,= NULL); + + rollbackStr =3D virFirewallRuleToString(NFT, rollback); + VIR_DEBUG("Recording Rollback command '%s'", NULLSTR(rollbackStr)); + } return 0; } =20 --=20 2.39.2
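Review bot: in the first hunk (@@ -71), VIR_ARG_IS_INSERT evaluates its argument up to three times and its name understates what it matches ("add" and "create" as well as "insert"). Since it is used once in this file, a static inline helper, or at least a comment saying the macro matches every nft verb that creates an object, would avoid surprising a later caller that passes an expression with side effects.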
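Review bot: in the second hunk (@@ -91), an add/insert/create of any object type other than rule, chain or table (set, element, map, flowtable, ...) silently gets no rollback rule even though the caller asked for VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK; a VIR_DEBUG (or an error) on the else path of the objectType test would make an incomplete rollback visible instead of leaving it to be discovered on failure. The option-skipping loop also assumes every leading option is a single argv entry; an nft option that takes a separate value would have that value treated as the verb. That is harmless here (it simply fails the VIR_ARG_IS_INSERT test), but deserves a comment.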
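Review bot: in the third hunk (@@ -118), the rollback construction reads virFirewallRuleGetArg(rule, cmdIdx + 2), + 3 and + 4 without checking that the rule actually has that many arguments; the guard in the earlier hunk only established i + 1 < count, i.e. that the object type exists. For a truncated command such as "add rule ip" the table and chain lookups go past the end of the argument list and whatever virFirewallRuleGetArg returns past the end is fed to virFirewallRuleAddArg. Suggest computing the required count per object type (table: cmdIdx + 3, chain: cmdIdx + 4, rule: cmdIdx + 5) in the earlier hunk and only setting needRollback and adding "-ae" when it is satisfied, so that a malformed rule is rejected before nft runs. Separately, strstr(*output, "# handle ") takes the first marker in stdout, which is right for a single add; a comment recording the one-object-per-command assumption would help whoever later reuses this path for a command that creates several objects.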
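The derivation the commit message describes (parse "# handle n" from nft -ae stdout, then turn the add/insert/create argv into a delete-by-handle command), as an added stand-alone example that is not libvirt's code: function names, the per-object-type bounds check and all sample input are constructed for illustration.

```c
/* Added example, not libvirt code: derive the nft "delete ... handle n"
 * rollback command from an nft add/insert/create argv plus the stdout
 * nft prints when run with "-ae". All sample input below is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the decimal object handle from nft -ae stdout, e.g.
 * "add table ip libvirt # handle 12". Returns -1 if there is no
 * "# handle n" marker or no digits follow it. */
long nft_parse_handle(const char *output)
{
    const char *p;

    if (!output || !(p = strstr(output, "# handle ")))
        return -1;
    p += strlen("# handle ");
    if (!isdigit((unsigned char)*p))
        return -1;
    return strtol(p, NULL, 10);
}

/* Build the rollback argv for an nft add/insert/create command.
 * args: NULL-terminated argv without the leading "nft" (may start with
 *       options such as "-ae", which are skipped like the patch does).
 * out:  receives "delete <type> <family> [table [chain]] handle <n>",
 *       NULL-terminated; handlebuf holds the formatted handle string.
 * Returns the number of entries written, or -1 when the command cannot
 * be reversed this way (other verb, unhandled object type such as set
 * or element, bad handle) or has too few arguments for its object type. */
int nft_build_rollback(const char *const *args, long handle,
                       const char **out, size_t outlen,
                       char *handlebuf, size_t handlebuflen)
{
    size_t i = 0, n = 0, k, need;
    const char *type;

    /* 1) skip leading options to reach the command verb */
    while (args[i] && args[i][0] == '-')
        i++;
    /* 2) only object-creating verbs can be undone by "delete" */
    if (!args[i] || (strcmp(args[i], "add") && strcmp(args[i], "insert")
                     && strcmp(args[i], "create")))
        return -1;
    /* 3) keep the object type and decide how many qualifiers it needs:
     *    table -> family; chain -> family table; rule -> family table chain */
    type = args[i + 1];
    if (!type)
        return -1;
    if (strcmp(type, "rule") == 0)
        need = 3;
    else if (strcmp(type, "chain") == 0)
        need = 2;
    else if (strcmp(type, "table") == 0)
        need = 1;
    else
        return -1;
    /* 4) bounds check before touching args[i + 2 ...]; args is
     *    NULL-terminated, so stop at the first missing qualifier */
    for (k = 0; k < need; k++)
        if (!args[i + 2 + k])
            return -1;
    if (handle < 0 || outlen < need + 5)
        return -1;
    /* 5) emit: delete <type> <qualifiers> handle <n> */
    out[n++] = "delete";
    out[n++] = type;
    for (k = 0; k < need; k++)
        out[n++] = args[i + 2 + k];
    out[n++] = "handle";
    snprintf(handlebuf, handlebuflen, "%ld", handle);
    out[n++] = handlebuf;
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* constructed: the argv the backend would run, and what nft -ae echoes */
    const char *const add_rule[] = { "-ae", "insert", "rule", "ip", "libvirt",
                                     "INPUT", "iifname", "virbr0", "counter",
                                     "accept", NULL };
    const char *nft_stdout =
        "insert rule ip libvirt INPUT iifname \"virbr0\" counter accept"
        " # handle 5309\n";
    const char *rollback[16];
    char handlebuf[32];
    long handle = nft_parse_handle(nft_stdout);
    int n = nft_build_rollback(add_rule, handle, rollback, 16,
                               handlebuf, sizeof(handlebuf));
    int k;

    if (n < 0) {
        fprintf(stderr, "no rollback rule could be derived\n");
        return 1;
    }
    printf("nft");
    for (k = 0; k < n; k++)
        printf(" %s", rollback[k]);
    printf("\n");   /* nft delete rule ip libvirt INPUT handle 5309 */
    return 0;
}
```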
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 22/28] network: turn on auto-rollback for the rules added for virtual networks
Date: Sun, 30 Apr 2023 23:19:37 -0400
Message-Id: <20230501031943.288145-23-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>

So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed.

Note that the test case data changed because enabling auto-rollback will cause the nftables backend to add "-ae" to each commandline in order to retrieve the handle for the newly created table/chain/rule. (In our simplistic unit-test world, the handle is always "5309".)
Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/network/bridge_driver_linux.c | 15 +---- .../nat-default-linux.nftables | 36 +++++----- .../nat-ipv6-linux.nftables | 58 ++++++++-------- .../nat-ipv6-masquerade-linux.nftables | 66 +++++++++---------- .../nat-many-ips-linux.nftables | 64 +++++++++--------- .../nat-no-dhcp-linux.nftables | 58 ++++++++-------- .../nat-tftp-linux.nftables | 40 +++++------ .../route-default-linux.nftables | 26 ++++---- tests/networkxml2firewalltest.c | 9 ++- 9 files changed, 185 insertions(+), 187 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 058cfa1d80..f6bae334aa 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -915,7 +915,7 @@ networkAddFirewallRules(virNetworkDef *def, } } =20 - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK= ); =20 networkAddGeneralFirewallRules(fw, def); =20 @@ -926,17 +926,8 @@ networkAddFirewallRules(virNetworkDef *def, return -1; } =20 - virFirewallStartRollback(fw, 0); - - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - networkRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS + | VIR_FIREWALL_TRANSACTION_AUTO_ROLLB= ACK)); networkAddChecksumFirewallRules(fw, def); =20 return virFirewallApply(fw); diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables index 7e01ceba97..7d3c767cc4 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -164,7 +164,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -179,7 +179,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -199,7 +199,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -219,7 +219,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -233,7 +233,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables index 3a75dfced7..1fcfd8f709 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables 
@@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ 
@@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index 5959a920ff..c0594e8817 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ 
@@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -386,7 +386,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -401,7 +401,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -421,7 +421,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -441,7 +441,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables index 7cf989e040..ac9b3fcfbb 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -164,7 +164,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -179,7 +179,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -199,7 +199,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -219,7 +219,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -233,7 +233,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -247,7 +247,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -260,7 +260,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -276,7 +276,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -291,7 +291,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -311,7 +311,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -331,7 +331,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -345,7 +345,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -359,7 +359,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -372,7 +372,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -388,7 +388,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -403,7 +403,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -423,7 +423,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -443,7 +443,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -457,7 +457,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables index 3a75dfced7..1fcfd8f709 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ 
@@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables index 15ac92c46a..2102aa97bc 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -116,7 +116,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -129,7 +129,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -139,7 +139,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -149,7 +149,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -161,7 +161,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -174,7 +174,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -190,7 +190,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -205,7 +205,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -225,7 +225,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -245,7 +245,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -259,7 +259,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables index f56cc2d0bc..834f6366ae 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index ab1c7b217d..6e9eca0832 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c 
@@ -79,7 +79,14 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, void *opaque G_GNUC_UNUSED) { *status =3D 0; - *output =3D g_strdup(""); + /* if arg[1] is -ae then this is an nft command, + * and the caller requested to get the handle + * of the newly added object in stdout + */ + if (STREQ_NULLABLE(args[1], "-ae")) + *output =3D g_strdup("# handle 5309"); + else + *output =3D g_strdup(""); *error =3D g_strdup(""); } =20 --=20 2.39.2
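Review bot: in the bridge_driver_linux.c hunk at @@ -915, setting VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK on the first transaction means every add/insert of a rule, chain or table made by networkAddGeneralFirewallRules now runs nft with -ae and records a delete rule, but, as the commit message says, nothing keeps those rules beyond virFirewallApply(). A one-line comment at this call noting that the recorded rollback currently serves only failure cleanup would save the next reader from looking for where the rules are stored.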
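Review bot: in the bridge_driver_linux.c hunk at @@ -926, removing the virFirewallStartRollback() block drops the only uses of i and ipdef visible in this hunk; please check that both are still used elsewhere in networkAddFirewallRules, otherwise this produces unused-variable warnings. networkRemoveIPSpecificFirewallRules and networkRemoveGeneralFirewallRules likewise lose their caller here; if network teardown is their only remaining user that is fine, but the commit message should say so. Note also that the checksum transaction now combines VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS with AUTO_ROLLBACK: per the virnftables.c change earlier in this series, a failing command in that transaction returns success and records no rollback rule, which is the right behaviour for a best-effort rule but deserves a sentence in the commit message.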
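Review bot: in the networkxml2firewalltest.c hunk at @@ -79, the comment says arg[1] but the parameter is args; more importantly, the stub only recognises "-ae" when it is the first argument after nft, so any future command that places another option before it gets empty stdout and the new rollback code fails with "no valid handle". Looping over args for an entry equal to "-ae" keeps the dry-run aligned with what the real backend accepts. Consider also returning a distinct handle per invocation (a counter rather than the constant 5309) so that a later test can verify that each rollback rule carries the handle of the object it deletes.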
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 23/28] util: new function virFirewallNewFromRollback()
Date: Sun, 30 Apr 2023 23:19:38 -0400
Message-Id: <20230501031943.288145-24-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>

virFirewallNewFromRollback() creates a new virFirewall object that contains a copy of the "rollback" rules from an existing virFirewall object, but in reverse order. The intent is that this virFirewall be saved and used later to remove the firewall rules that were added for a network.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/libvirt_private.syms | 1 +
 src/util/virfirewall.c | 59 ++++++++++++++++++++++++++++++++++++++++
 src/util/virfirewall.h | 1 +
 3 files changed, 61 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index df84c5520c..7eeed1efd4 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2379,6 +2379,7 @@ virFirewallBackendTypeToString; virFirewallFree; virFirewallGetBackend; virFirewallNew; +virFirewallNewFromRollback; virFirewallRemoveRule; virFirewallRuleAddArg; virFirewallRuleAddArgFormat; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index c59166b843..f598cc9d79 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c 
@@ -680,3 +680,62 @@ virFirewallApply(virFirewall *firewall) =20 return 0; } + + +/** + * virFirewallNewFromRollback: + + * @original: the original virFirewall object containing the rollback + * of interest + * @fwRemoval: a firewall object that, when applied, will remove @original + * + * Copy the rollback rules from the current virFirewall object as a + * new virFirewall. This virFirewall can then be saved to apply later + * and counteract everything done by the original. + * + * Returns 0 on success, -1 on error + */ +int +virFirewallNewFromRollback(virFirewall *original, + virFirewall **fwRemoval) +{ + size_t g; + g_autoptr(virFirewall) firewall =3D NULL; + + if (original->err) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("error in original firewall object")); + return -1; + } + + firewall =3D virFirewallNew(original->backend); + + /* add the rollback commands in reverse order of actions/groups of + * what was applied in the original firewall. + */ + for (g =3D original->ngroups; g > 0; g--) { + size_t r; + virFirewallGroup *group =3D original->groups[g - 1]; + + if (group->nrollback =3D=3D 0) + continue; + + virFirewallStartTransaction(firewall, VIR_FIREWALL_TRANSACTION_IGN= ORE_ERRORS); + + for (r =3D group->nrollback; r > 0; r--) { + size_t i; + virFirewallRule *origRule =3D group->rollback[r - 1]; + virFirewallRule *rule =3D virFirewallAddRule(firewall, origRul= e->layer, NULL); + + for (i =3D 0; i < origRule->argsLen; i++) + ADD_ARG(rule, origRule->args[i]); + } + } + + if (firewall->ngroups =3D=3D 0) + VIR_DEBUG("original firewall object is empty"); + else + *fwRemoval =3D g_steal_pointer(&firewall); + + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index f81b63567a..9017c12b5c 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h 
@@ -54,6 +54,7 @@ typedef enum { VIR_ENUM_DECL(virFirewallBackend); =20 virFirewall *virFirewallNew(virFirewallBackend backend); +int virFirewallNewFromRollback(virFirewall *original, virFirewall **fwRemo= val); void virFirewallFree(virFirewall *firewall); virFirewallBackend virFirewallGetBackend(virFirewall *firewall); =20 --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911220; cv=none; d=zohomail.com; s=zohoarc; b=SyEndlsKS+C4qpp5PsZgn5Rj9EJCuhDBXurkmfq2VNb6CsrQVq4Qa4+AUY2RjX5psf3LKbRD+drmW4ZOCe/0bMTvzeRmrsRpcoOuYjlqZz1t0br8OQfjxm4a2qEZ+eVet/GVzmwdjmfkxYjqpI9iMGZHxZqPZW38kXmVtF1c1IQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911220; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=dUFzO0Tde3CyzNvbK6ieJPO1PSamFlh6Gu2K1Y1jq+Q=; b=lVbbRcenPDKvI/L66WfCgf6Sf6CAHFrN5cEei7itJrd5FRykO+hxbjQLosdyz5uFuUynhsGhwQyhmpXzfX+JBAMRsSGI5e+PtauxFtGIgYE+I07y8mq4hqyYczSei00HEESOcIBxqHatIgtuj3nuTBc7vSQjDDZYyJT6K3vmqto= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by 
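Review bot: in the virFirewallNewFromRollback() hunk, when the original has no rollback rules (`firewall->ngroups == 0`) the function returns 0 without touching `*fwRemoval`, so a caller that did not pre-initialise its pointer to NULL cannot distinguish "nothing to remove" from "removal object created"; either assign `*fwRemoval = NULL` on that path or state in the doc comment that @fwRemoval is left unchanged when the original is empty. In the same comment block, "Copy the rollback rules from the current virFirewall object" should say @original, and the line between `virFirewallNewFromRollback:` and `@original:` is an empty `+` line rather than a ` *` continuation of the comment.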
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 24/28] util: new functions virFirewallParseXML() and virFirewallFormat()
Date: Sun, 30 Apr 2023 23:19:39 -0400
Message-Id: <20230501031943.288145-25-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>

These functions convert a virFirewall object to/from XML so that it can be serialized to disk (in a virNetworkObj's status file) and restored later (e.g. after libvirtd/virtnetworkd is restarted).

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/libvirt_private.syms | 2 +
 src/util/virfirewall.c | 220 +++++++++++++++++++++++++++++++++++++++
 src/util/virfirewall.h | 9 ++
 3 files changed, 231 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 7eeed1efd4..1666da633d 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2376,10 +2376,12 @@ virFirewallAddRuleFull; virFirewallApply; virFirewallBackendTypeFromString; virFirewallBackendTypeToString; +virFirewallFormat; virFirewallFree; virFirewallGetBackend; virFirewallNew; virFirewallNewFromRollback; +virFirewallParseXML; virFirewallRemoveRule; virFirewallRuleAddArg; virFirewallRuleAddArgFormat; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index f598cc9d79..d292ef60c6 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -42,6 +42,14 @@ VIR_ENUM_IMPL(virFirewallBackend, "iptables", "nftables"); =20 +VIR_ENUM_DECL(virFirewallLayer); +VIR_ENUM_IMPL(virFirewallLayer, + VIR_FIREWALL_LAYER_LAST, + "ethernet", + "ipv4", + "ipv6", +); + typedef struct _virFirewallGroup virFirewallGroup; =20 struct _virFirewallRule { 
@@ -739,3 +747,215 @@ virFirewallNewFromRollback(virFirewall *original, =20 return 0; } + + +/* virFirewallGetFlagsFromNode: + * @node: the xmlNode to check for an ignoreErrors attribute + * + * A short helper to get the setting of the ignorErrors attribute from + * an xmlNode. Returns -1 on error (with error reported), or the + * VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS bit set/reset according to + * the value of the attribute. + */ +static int +virFirewallGetFlagsFromNode(xmlNodePtr node) +{ + virTristateBool ignoreErrors; + + if (virXMLPropTristateBool(node, "ignoreErrors", VIR_XML_PROP_NONE, &i= gnoreErrors) < 0) + return -1; + + if (ignoreErrors =3D=3D VIR_TRISTATE_BOOL_YES) + return VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS; + return 0; +} + + +/** + * virFirewallParseXML: + * @firewall: pointer to virFirewall* to fill in with new virFirewall obje= ct + * + * Construct a new virFirewall object according to the XML in + * xmlNodePtr. Return 0 (and new object) on success, or -1 (with + * error reported) on error. + * + * Example of element XML: + * + * + * + * + * + * arg1 + * arg2 + * ... + * + * + * + * ... + + * ... + * + * ... 
+ * + */ +int +virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt) +{ + g_autoptr(virFirewall) newfw =3D NULL; + virFirewallBackend backend; + g_autofree xmlNodePtr *groupNodes =3D NULL; + ssize_t ngroups; + size_t g; + VIR_XPATH_NODE_AUTORESTORE(ctxt); + + ctxt->node =3D node; + + ngroups =3D virXPathNodeSet("./group", ctxt, &groupNodes); + if (ngroups < 0) + return -1; + if (ngroups =3D=3D 0) + return 0; + + if (virXMLPropEnum(node, "backend", virFirewallBackendTypeFromString, + VIR_XML_PROP_REQUIRED, &backend) < 0) { + return -1; + } + + newfw =3D virFirewallNew(backend); + + for (g =3D 0; g < ngroups; g++) { + int flags =3D 0; + g_autofree xmlNodePtr *actionNodes =3D NULL; + ssize_t nactions; + size_t a; + + ctxt->node =3D groupNodes[g]; + nactions =3D virXPathNodeSet("./action", ctxt, &actionNodes); + if (nactions < 0) + return -1; + if (nactions =3D=3D 0) + continue; + + if ((flags =3D virFirewallGetFlagsFromNode(groupNodes[g])) < 0) + return -1; + + virFirewallStartTransaction(newfw, flags); + + for (a =3D 0; a < nactions; a++) { + g_autofree xmlNodePtr *argsNodes =3D NULL; + ssize_t nargs; + size_t i; + virFirewallLayer layer; + virFirewallRule *action; + bool ignoreErrors; + + ctxt->node =3D actionNodes[a]; + + if (!(ctxt->node =3D virXPathNode("./args", ctxt))) + continue; + + if ((flags =3D virFirewallGetFlagsFromNode(actionNodes[a])) < = 0) + return -1; + + ignoreErrors =3D flags & VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S; + + if (virXMLPropEnum(actionNodes[a], "layer", + virFirewallLayerTypeFromString, + VIR_XML_PROP_REQUIRED, &layer) < 0) { + return -1; + } + + nargs =3D virXPathNodeSet("./item", ctxt, &argsNodes); + if (nargs < 0) + return -1; + if (nargs =3D=3D 0) + continue; + + action =3D virFirewallAddRuleFull(newfw, layer, ignoreErrors, + NULL, NULL, NULL); + for (i =3D 0; i < nargs; i++) { + + char *arg =3D virXMLNodeContentString(argsNodes[i]); + if (!arg) + return -1; + + virFirewallRuleAddArg(newfw, 
action, arg); + } + } + } + + *firewall =3D g_steal_pointer(&newfw); + return 0; +} + + +/** + * virFirewallFormat: + * @buf: output buffer + * @firewall: the virFirewall object to format as XML + * + * Format virFirewall object @firewall into @buf as XML. + * Returns 0 on success, -1 on failure. + * + */ +int +virFirewallFormat(virBuffer *buf, + virFirewall *firewall) +{ + size_t g; + + if (firewall->ngroups =3D=3D 0) + return 0; + + virBufferAsprintf(buf, "\n", + virFirewallBackendTypeToString(virFirewallGetBackend= (firewall))); + virBufferAdjustIndent(buf, 2); + for (g =3D 0; g < firewall->ngroups; g++) { + virFirewallGroup *group =3D firewall->groups[g]; + bool groupIgnoreErrors =3D (group->actionFlags + & VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S); + size_t a; + + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, 2); + + for (a =3D 0; a < group->naction; a++) { + virFirewallRule *action =3D group->action[a]; + size_t i; + + virBufferAsprintf(buf, "\n"); + + virBufferAdjustIndent(buf, 2); + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, 2); + for (i =3D 0; i < virFirewallRuleGetArgCount(action); i++) { + virBufferEscapeString(buf, "%s\n", + virFirewallRuleGetArg(action, i)); + } + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + } + + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + } + + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + return 0; +} diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 9017c12b5c..651cf32fed 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -22,6 +22,8 @@ =20 #include "internal.h" #include "virenum.h" +#include "virbuffer.h" +#include "virxml.h" =20 typedef struct _virFirewall virFirewall; =20 
@@ -152,4 +154,11 @@ void virFirewallStartRollback(virFirewall *firewall, =20 int virFirewallApply(virFirewall *firewall); =20 +int virFirewallParseXML(virFirewall **firewall, + xmlNodePtr node, + xmlXPathContextPtr ctxt); + +int virFirewallFormat(virBuffer *buf, + virFirewall *firewall); + G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911280; cv=none; d=zohomail.com; s=zohoarc; b=n08OYtoHAyeWaFdEqtRZZlXee5nq08m96oeyzY4PuObtfW3Aa60naZ74Hc15ojBKnurXkKO43dVVH7vC9KtA28ICjix6dvRuTkrr/lRbG5flYJ/p7bE81cvUCJcVCjMy9LM+oeaVzcF0p99ODeHITb9uyaNRjtYQKa6oX7h0MgU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911280; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=4x/fC+UjegNJOUD7lvtg8z46MH7rs6HSD+FGzJkHQuo=; b=g23p0ajSnDRjQ6tESnWDo2Fi7uv0arkA9v87KcNHxp9R7KJ6bDmBzwraxT/Bp44ZnLtGxFuvV8gU6aXVT++cYmGgBJUr3dy5iqlj5nO1PK6xhpv1alvE6RqQ2bZVh9xGHlxUsn37SK1NBOFLkvheWERCwIOOyPaivVTNy4iTXfM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com 
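Review bot: in the virFirewallParseXML() hunk, `char *arg = virXMLNodeContentString(argsNodes[i])` is never freed; if that helper returns an allocated string (elsewhere in libvirt it is paired with g_autofree) this leaks one string per argument, and declaring it `g_autofree char *arg` fixes it provided virFirewallRuleAddArg() keeps its own copy. Also in this hunk: the function returns 0 without assigning `*firewall` when there are no group children, which the doc comment should state since callers then rely on having pre-set the pointer to NULL; virFirewallFormat() documents "-1 on failure" but has no failure path, so either drop the return value or the sentence; and the virFirewallGetFlagsFromNode() comment misspells "ignoreErrors" as "ignorErrors".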
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 25/28] conf: add a virFirewall object to virNetworkObj
Date: Sun, 30 Apr 2023 23:19:40 -0400
Message-Id: <20230501031943.288145-26-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>

This virFirewall object will store the list of actions required to remove the firewall that was added for the currently active instance of the network, so it has been named "fwRemoval".

There are no uses of the fwRemoval object in the virNetworkObj yet, but everything is in place to add it to the XML when formatted, parse it from the XML when reading network status, and free the virFirewall object when the virNetworkObj is freed.
Signed-off-by: Laine Stump Reviewed-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/conf/virnetworkobj.c | 39 +++++++++++++++++++++++++++++++++++++++ src/conf/virnetworkobj.h | 11 +++++++++++ src/libvirt_private.syms | 3 +++ 3 files changed, 53 insertions(+) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index b8b86da06f..ae26f6fab1 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -55,6 +55,11 @@ struct _virNetworkObj { =20 unsigned int taint; =20 + /* fwRemoval contains all commands needed to remove the firewall + * that was added for this network. + */ + virFirewall *fwRemoval; + /* Immutable pointer, self locking APIs */ virMacMap *macmap; =20 @@ -239,6 +244,28 @@ virNetworkObjSetFloorSum(virNetworkObj *obj, } =20 =20 +virFirewall ** +virNetworkObjGetFwRemovalPtr(virNetworkObj *obj) +{ + return &obj->fwRemoval; +} + + +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj) +{ + return obj->fwRemoval; +} + + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval) +{ + obj->fwRemoval =3D fwRemoval; +} + + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap) @@ -444,6 +471,7 @@ virNetworkObjDispose(void *opaque) virNetworkDefFree(obj->newDef); virBitmapFree(obj->classIdMap); virObjectUnref(obj->macmap); + virFirewallFree(obj->fwRemoval); } =20 =20 @@ -800,6 +828,9 @@ virNetworkObjFormat(virNetworkObj *obj, if (virNetworkDefFormatBuf(&buf, obj->def, xmlopt, flags) < 0) return NULL; =20 + if (obj->fwRemoval && virFirewallFormat(&buf, obj->fwRemoval) < 0) + return NULL; + virBufferAdjustIndent(&buf, -2); virBufferAddLit(&buf, ""); =20 @@ -834,6 +865,7 @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *configFile =3D NULL; g_autoptr(virNetworkDef) def =3D NULL; virNetworkObj *obj =3D NULL; + g_autoptr(virFirewall) fwRemoval =3D NULL; g_autoptr(xmlDoc) xml =3D NULL; xmlNodePtr node =3D NULL; g_autoptr(xmlXPathContext) ctxt =3D NULL; 
@@ -876,6 +908,7 @@ virNetworkLoadState(virNetworkObjList *nets, g_autofree char *classIdStr =3D NULL; g_autofree char *floor_sum =3D NULL; g_autofree xmlNodePtr *nodes =3D NULL; + xmlNodePtr fwNode; =20 ctxt->node =3D node; if ((classIdStr =3D virXPathString("string(./class_id[1]/@bitmap)", @@ -910,6 +943,10 @@ virNetworkLoadState(virNetworkObjList *nets, taint |=3D (1 << flag); } } + if ((fwNode =3D virXPathNode("./firewall", ctxt)) + && virFirewallParseXML(&fwRemoval, fwNode, ctxt) < 0) { + return NULL; + } } =20 /* create the object */ @@ -918,6 +955,8 @@ virNetworkLoadState(virNetworkObjList *nets, =20 def =3D NULL; =20 + virNetworkObjSetFwRemoval(obj, g_steal_pointer(&fwRemoval)); + /* assign status data stored in the network object */ if (classIdMap) { virBitmapFree(obj->classIdMap); diff --git a/src/conf/virnetworkobj.h b/src/conf/virnetworkobj.h index 7d34fa3204..12669b83cf 100644 --- a/src/conf/virnetworkobj.h +++ b/src/conf/virnetworkobj.h @@ -23,6 +23,7 @@ =20 #include "network_conf.h" #include "virnetworkportdef.h" +#include "virfirewall.h" =20 typedef struct _virNetworkObj virNetworkObj; =20 @@ -76,6 +77,16 @@ void virNetworkObjSetFloorSum(virNetworkObj *obj, unsigned long long floor_sum); =20 +virFirewall ** +virNetworkObjGetFwRemovalPtr(virNetworkObj *obj); + +virFirewall * +virNetworkObjGetFwRemoval(virNetworkObj *obj); + +void +virNetworkObjSetFwRemoval(virNetworkObj *obj, + virFirewall *fwRemoval); + void virNetworkObjSetMacMap(virNetworkObj *obj, virMacMap **macmap); diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 1666da633d..fe023d56c3 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1290,6 +1290,8 @@ virNetworkObjGetClassIdMap; virNetworkObjGetDef; virNetworkObjGetDnsmasqPid; virNetworkObjGetFloorSum; +virNetworkObjGetFwRemoval; +virNetworkObjGetFwRemovalPtr; virNetworkObjGetMacMap; virNetworkObjGetNewDef; virNetworkObjGetPersistentDef; 
@@ -1320,6 +1322,7 @@ virNetworkObjSetDef; virNetworkObjSetDefTransient; virNetworkObjSetDnsmasqPid; virNetworkObjSetFloorSum; +virNetworkObjSetFwRemoval; virNetworkObjSetMacMap; virNetworkObjTaint; virNetworkObjUnrefMacMap; --=20 2.39.2 From nobody Fri Mar 29 14:34:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911274; cv=none; d=zohomail.com; s=zohoarc; b=XR81t2guUXMU+Wwm3mhQk12DDge61lh7LgD6hrPJKXuP6vtOKj9YKq4DXL3uquESzSAP4cDaijVxuo7CPxHCxKnU0g+QPB1aoS3+AfYyJmxE5yFWhPaO2G7qxzfn6y5jXDz8JIoehUCj0Oe1mmwz1Q8yfv5GcpI1QfNp5D8oMHk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911274; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Xd/qoIGNhi1YLk02bUjeCV81Az82Feva66j+EQWY0HY=; b=cDXsNsnIvOXrWkhk6OMKvNtjByrxvHJg97tQjtMinW8wrkfqiJly+L1FOisIp4qcRKAHAkaWjJvFT2d3aL95KrtHYkYILhMQvDjALUon34QmYAAm9RdC/jjDf/b4/p6dARTP8XuQYiT4dShC9eW6hcsVyz0UrFZcVs4BtD2qR3s= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1682911274485623.4593548424493; Sun, 30 Apr 2023 20:21:14 -0700 (PDT) 
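Review bot: in the virnetworkobj.c accessor hunk, virNetworkObjSetFwRemoval() overwrites `obj->fwRemoval` without freeing any object already stored there, and virNetworkObjGetFwRemovalPtr() hands out the raw address so callers can do the same while bypassing the setter entirely; either call `virFirewallFree(obj->fwRemoval)` before the assignment or document that the setter takes ownership and must only be used on an empty slot (which holds in the virNetworkLoadState hunk, where the object has just been created and `fwRemoval` is stolen from a g_autoptr only after creation succeeds).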
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 26/28] network: use previously saved list of firewall rules when removing
Date: Sun, 30 Apr 2023 23:19:41 -0400
Message-Id: <20230501031943.288145-27-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>

When destroying a network, the network driver has always assumed that it knew what firewall rules had been added as the network was started. This was usually correct, but if the exact rules used for a network were ever changed from one build/version of libvirt to another, then we would end up attempting to remove rules that hadn't been added, and could possibly *not* remove rules that had been added.

The solution to this is to not make such brash assumptions about the past, but instead to save (in the network status object at network start time) a list of all the rules needed to remove the rules that were added for the network, and then use that saved list during network destroy to remove exactly what was previously added.
As a result of doing this, not only can we change the details of the rules we add for networks from one build/release of libvirt to another and painlessly upgrade, but the user can also switch from one firewall backend to another by simply changing the setting in network.conf and restarting libvirtd/virtnetworkd.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/network/bridge_driver.c | 34 +++++++++++------
 src/network/bridge_driver_linux.c | 56 +++++++++++++++++++++-------
 src/network/bridge_driver_nop.c | 4 +-
 src/network/bridge_driver_platform.h | 4 +-
 tests/networkxml2firewalltest.c | 2 +-
 5 files changed, 70 insertions(+), 30 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index fb353e449a..9f876d7418 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1698,8 +1698,10 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward=3D'open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def, cfg->firewallBackend); - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); + networkRemoveFirewallRules(obj); + ignore_value(networkAddFirewallRules(def, + virNetworkObjGetFwRemoval= Ptr(obj), + cfg->firewallBackend)); break; =20 case VIR_NETWORK_FORWARD_OPEN: @@ -1950,8 +1952,11 @@ networkStartNetworkVirtual(virNetworkDriverState *dr= iver, =20 /* Add "once per network" rules */ if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def, cfg->firewallBackend) < 0) + networkAddFirewallRules(def, + virNetworkObjGetFwRemovalPtr(obj), + cfg->firewallBackend) < 0) { goto error; + } =20 firewalRulesAdded =3D true; =20 
@@ -2037,7 +2042,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 if (firewalRulesAdded && def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); =20 virNetworkObjUnrefMacMap(obj); =20 @@ -2049,8 +2054,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 =20 static int -networkShutdownNetworkVirtual(virNetworkObj *obj, - virNetworkDriverConfig *cfg) +networkShutdownNetworkVirtual(virNetworkObj *obj) { virNetworkDef *def =3D virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -2076,7 +2080,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj, ignore_value(virNetDevSetOnline(def->bridge, false)); =20 if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); =20 @@ -2380,7 +2384,7 @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret =3D networkShutdownNetworkVirtual(obj, cfg); + ret =3D networkShutdownNetworkVirtual(obj); break; =20 case VIR_NETWORK_FORWARD_BRIDGE: @@ -3243,7 +3247,7 @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def, cfg->firewallBackend); + networkRemoveFirewallRules(obj); needFirewallRefresh =3D true; break; default: 
@@ -3270,16 +3274,22 @@ networkUpdate(virNetworkPtr net, if (virNetworkObjUpdate(obj, command, section, parentIndex, xml, network_driver->xmlopt, flags) < 0) { - if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); + if (needFirewallRefresh) { + ignore_value(networkAddFirewallRules(def, + virNetworkObjGetFwRemoval= Ptr(obj), + cfg->firewallBackend)); + } goto cleanup; } =20 /* @def is replaced */ def =3D virNetworkObjGetDef(obj); =20 - if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallB= ackend) < 0) + if (needFirewallRefresh && networkAddFirewallRules(def, + virNetworkObjGetFwR= emovalPtr(obj), + cfg->firewallBacken= d) < 0) { goto cleanup; + } =20 if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { /* save updated persistent config to disk */ diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index f6bae334aa..9adf05c05d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -818,6 +818,7 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw, /* Add all rules for all ip addresses (and general rules) on a network */ int networkAddFirewallRules(virNetworkDef *def, + virFirewall **fwRemoval, virFirewallBackend firewallBackend) { size_t i; 
@@ -930,30 +931,59 @@ networkAddFirewallRules(virNetworkDef *def, | VIR_FIREWALL_TRANSACTION_AUTO_ROLLB= ACK)); networkAddChecksumFirewallRules(fw, def); =20 - return virFirewallApply(fw); + if (virFirewallApply(fw) < 0) + return -1; + + if (fwRemoval) { + /* caller wants us to create a virFirewall object that can be + * applied to undo everything that was just done by + * virFirewallApply() + */ + if (virFirewallNewFromRollback(fw, fwRemoval) < 0) + return -1; + } + + return 0; } =20 /* Remove all rules for all ip addresses (and general rules) on a network = */ void -networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend) +networkRemoveFirewallRules(virNetworkObj *obj) { size_t i; + virNetworkDef *def =3D virNetworkObjGetDef(obj); virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(firewallBackend); + g_autoptr(virFirewall) fw =3D NULL; + + if ((fw =3D virNetworkObjGetFwRemoval(obj))) { + /* exact list of removal rules was saved + * when the firewall rules were originally added + */ + VIR_DEBUG("Removing exact firewall rules previously saved"); + virNetworkObjSetFwRemoval(obj, NULL); =20 - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); - networkRemoveChecksumFirewallRules(fw, def); + } else { + /* The firewall rules were added by an older libvirt that + * didn't automatically save removal rules, so we guess + * at what rules were added (NB: any libvirt old enough + * to require this only supported the iptables backend) + */ + VIR_DEBUG("Removing a guess at what firewall rules were previously= saved"); + fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); =20 - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ER= RORS); + networkRemoveChecksumFirewallRules(fw, def); =20 - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if 
(networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return; + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ER= RORS); + + for (i =3D 0; + (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); + i++) { + if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) + return; + } + networkRemoveGeneralFirewallRules(fw, def); } - networkRemoveGeneralFirewallRules(fw, def); =20 virFirewallApply(fw); } diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 7d9a061e50..e73831ccc6 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -37,12 +37,12 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNU= C_UNUSED) } =20 int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewall **fwRemoval G_GNUC_UNUSED, virFirewallBackend firewallBackend G_GNUC_UNUS= ED) { return 0; } =20 -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, - virFirewallBackend firewallBackend G_GNUC_U= NUSED) +void networkRemoveFirewallRules(virNetworkObj *obj G_GNUC_UNUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index 7443c3129f..81305f7a0d 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -33,7 +33,7 @@ void networkPostReloadFirewallRules(bool startup); int networkCheckRouteCollision(virNetworkDef *def); =20 int networkAddFirewallRules(virNetworkDef *def, + virFirewall **fwRemoval, virFirewallBackend firewallBackend); =20 -void networkRemoveFirewallRules(virNetworkDef *def, - virFirewallBackend firewallBackend); +void networkRemoveFirewallRules(virNetworkObj *obj); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 6e9eca0832..8254fde94e 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c 
@@ -106,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def, backend) < 0) + if (networkAddFirewallRules(def, NULL, backend) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); --=20 2.39.2
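Review bot: in the networkAddFirewallRules hunk of bridge_driver_linux.c, returning -1 when virFirewallNewFromRollback() fails after virFirewallApply() has already succeeded leaves the rules applied but with no removal list; in the networkStartNetworkVirtual hunk the caller then takes `goto error` before `firewalRulesAdded = true`, so the error path never reaches `networkRemoveFirewallRules(obj)` and the applied rules leak. Either undo the applied transaction before returning -1 in that branch, or have the caller mark the rules as possibly present and still call networkRemoveFirewallRules(obj) (the guess fallback would then cover the missing list).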
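Review bot: in the networkRemoveFirewallRules hunk, `fw` is declared `g_autoptr(virFirewall) fw = NULL;` and then takes the object returned by virNetworkObjGetFwRemoval(obj) before `virNetworkObjSetFwRemoval(obj, NULL)` is called; this is only correct if the getter hands over a reference (or the setter does not free the previous object when given NULL), otherwise the object is freed twice. A one-line comment stating that ownership transfers to the local would make that explicit. Also, the fallback message "Removing a guess at what firewall rules were previously saved" should say "previously added": in that branch nothing was ever saved.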
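Review bot: in the networkReloadFirewallRulesHelper hunk, the result of networkAddFirewallRules() is still wrapped in ignore_value(); since `networkRemoveFirewallRules(obj)` has just cleared the saved removal list, a failed re-add leaves the network active with no rules and no record of that, and a later destroy falls through to the iptables guess path. A VIR_WARN naming the network would at least make the failure visible in the log.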
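Review bot: the new `virFirewall **fwRemoval` parameter in the bridge_driver_platform.h hunk has no comment saying it is optional; the Linux implementation only fills it `if (fwRemoval)` and the test passes NULL, so document next to the prototype that NULL means "do not generate a removal list" and that on success the caller owns the returned object.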
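Review bot: the networkxml2firewalltest.c hunk passes NULL for fwRemoval, so the new virFirewallNewFromRollback() path that produces the saved removal list is not exercised by any test; consider passing a pointer and comparing the generated removal rules against an expected file too, since the point of the series is that the removal list matches exactly what was added.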
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 27/28] network: save network status when firewall rules are reloaded
Date: Sun, 30 Apr 2023 23:19:42 -0400
Message-Id: <20230501031943.288145-28-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/conf/virnetworkobj.c | 1 +
 src/network/bridge_driver.c | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index ae26f6fab1..ce39ab5250 100644 --- a/src/conf/virnetworkobj.c +++ b/src/conf/virnetworkobj.c @@ -846,6 +846,7 @@ virNetworkObjSaveStatus(const char *statusDir, int flags =3D 0; g_autofree char *xml =3D NULL; =20 + VIR_DEBUG("Writing network status to disk"); if (!(xml =3D virNetworkObjFormat(obj, xmlopt, flags))) return -1; =20 
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 9f876d7418..1b831f9a36 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1687,6 +1687,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, g_autoptr(virNetworkDriverConfig) cfg =3D virNetworkDriverGetConfig(ne= tworkGetDriver()); VIR_LOCK_GUARD lock =3D virObjectLockGuard(obj); virNetworkDef *def =3D virNetworkObjGetDef(obj); + bool saveStatus =3D false; =20 if (virNetworkObjIsActive(obj)) { switch ((virNetworkForwardType) def->forward.type) { @@ -1702,6 +1703,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, ignore_value(networkAddFirewallRules(def, virNetworkObjGetFwRemoval= Ptr(obj), cfg->firewallBackend)); + saveStatus =3D true; break; =20 case VIR_NETWORK_FORWARD_OPEN: @@ -1719,6 +1721,11 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, } } =20 + if (saveStatus) { + ignore_value(virNetworkObjSaveStatus(cfg->stateDir, obj, + network_driver->xmlopt)); + } + return 0; } =20 
@@ -2336,7 +2343,6 @@ networkStartNetwork(virNetworkDriverState *driver, /* Persist the live configuration now that anything autogenerated * is setup. */ - VIR_DEBUG("Writing network status to disk"); if (virNetworkObjSaveStatus(cfg->stateDir, obj, network_driver->xmlopt) < 0) goto cleanup; --=20 2.39.2
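Review bot: in the networkReloadFirewallRulesHelper hunks, the return value of virNetworkObjSaveStatus() is wrapped in ignore_value(); if the write fails, the status file on disk still holds the removal list that networkRemoveFirewallRules(obj) just consumed, and a daemon restart would replay stale removal rules. A VIR_WARN here would make that visible, and the commit message (currently only trailers) should say why the status must be rewritten on reload: the saved removal list has changed.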
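Review bot: the VIR_DEBUG moved into virNetworkObjSaveStatus() in the virnetworkobj.c hunk now fires for every status write, so including the network name and `statusDir` in the message would make it useful when several networks are reloaded at once.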
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 28/28] network: improve log message when reloading virtual network firewall rules
Date: Sun, 30 Apr 2023 23:19:43 -0400
Message-Id: <20230501031943.288145-29-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

It's not always iptables rules that are being reloaded; it could be nftables. Also, the message previously didn't clarify that this is only reloading the rules for active virtual networks (and not for nwfilter, for example).

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
Reviewed-by: Michal Privoznik
---
 src/network/bridge_driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 1b831f9a36..7783473a0f 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c 
@@ -1735,7 +1735,7 @@ networkReloadFirewallRules(virNetworkDriverState *dri= ver, bool startup, bool force) { - VIR_INFO("Reloading iptables rules"); + VIR_INFO("Reloading firewall rules for active virtual networks"); /* Ideally we'd not even register the driver when unprivilegd * but until we untangle the virt driver that's not viable */ if (!driver->privileged) --=20 2.39.2
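Review bot: the new VIR_INFO text matches what the commit message promises, but the context comment directly below it still reads "unprivilegd"; since this hunk already touches that region, fixing the typo to "unprivileged" in the same change would be cheap.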