From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 11/28] network: allow setting firewallBackend from network.conf
Date: Sun, 30 Apr 2023 23:19:26 -0400
Message-Id: <20230501031943.288145-12-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>

It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=nftables" in /etc/libvirt/network.conf.

If firewall_backend isn't set in network.conf, then libvirt will check to see if the iptables binary is present on the system and set firewallBackend to iptables; if not, it will be left as "unset", which (once multiple backends are available) will trigger an appropriate error message the first time we attempt to add a rule.
Signed-off-by: Laine Stump --- src/network/bridge_driver.c | 22 +++++++------ src/network/bridge_driver_conf.c | 40 ++++++++++++++++++++++++ src/network/bridge_driver_conf.h | 3 ++ src/network/bridge_driver_linux.c | 12 ++++--- src/network/bridge_driver_nop.c | 6 ++-- src/network/bridge_driver_platform.h | 6 ++-- src/network/libvirtd_network.aug | 5 ++- src/network/network.conf | 8 +++++ src/network/test_libvirtd_network.aug.in | 3 ++ tests/networkxml2firewalltest.c | 2 +- 10 files changed, 87 insertions(+), 20 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 9eb543a0a3..fb353e449a 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1684,6 +1684,7 @@ static int networkReloadFirewallRulesHelper(virNetworkObj *obj, void *opaque G_GNUC_UNUSED) { + g_autoptr(virNetworkDriverConfig) cfg =3D virNetworkDriverGetConfig(ne= tworkGetDriver()); VIR_LOCK_GUARD lock =3D virObjectLockGuard(obj); virNetworkDef *def =3D virNetworkObjGetDef(obj); =20 @@ -1697,8 +1698,8 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj, * network type, forward=3D'open', doesn't need this because it * has no iptables rules. */ - networkRemoveFirewallRules(def); - ignore_value(networkAddFirewallRules(def)); + networkRemoveFirewallRules(def, cfg->firewallBackend); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); break; =20 case VIR_NETWORK_FORWARD_OPEN: @@ -1949,7 +1950,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 /* Add "once per network" rules */ if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN && - networkAddFirewallRules(def) < 0) + networkAddFirewallRules(def, cfg->firewallBackend) < 0) goto error; =20 firewalRulesAdded =3D true; 
@@ -2036,7 +2037,7 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 if (firewalRulesAdded && def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); =20 virNetworkObjUnrefMacMap(obj); =20 @@ -2048,7 +2049,8 @@ networkStartNetworkVirtual(virNetworkDriverState *dri= ver, =20 =20 static int -networkShutdownNetworkVirtual(virNetworkObj *obj) +networkShutdownNetworkVirtual(virNetworkObj *obj, + virNetworkDriverConfig *cfg) { virNetworkDef *def =3D virNetworkObjGetDef(obj); pid_t dnsmasqPid; @@ -2074,7 +2076,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj) ignore_value(virNetDevSetOnline(def->bridge, false)); =20 if (def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); =20 ignore_value(virNetDevBridgeDelete(def->bridge)); =20 @@ -2378,7 +2380,7 @@ networkShutdownNetwork(virNetworkDriverState *driver, case VIR_NETWORK_FORWARD_NAT: case VIR_NETWORK_FORWARD_ROUTE: case VIR_NETWORK_FORWARD_OPEN: - ret =3D networkShutdownNetworkVirtual(obj); + ret =3D networkShutdownNetworkVirtual(obj, cfg); break; =20 case VIR_NETWORK_FORWARD_BRIDGE: @@ -3241,7 +3243,7 @@ networkUpdate(virNetworkPtr net, * old rules (and remember to load new ones after the * update). */ - networkRemoveFirewallRules(def); + networkRemoveFirewallRules(def, cfg->firewallBackend); needFirewallRefresh =3D true; break; default: 
@@ -3269,14 +3271,14 @@ networkUpdate(virNetworkPtr net, parentIndex, xml, network_driver->xmlopt, flags) < 0) { if (needFirewallRefresh) - ignore_value(networkAddFirewallRules(def)); + ignore_value(networkAddFirewallRules(def, cfg->firewallBackend= )); goto cleanup; } =20 /* @def is replaced */ def =3D virNetworkObjGetDef(obj); =20 - if (needFirewallRefresh && networkAddFirewallRules(def) < 0) + if (needFirewallRefresh && networkAddFirewallRules(def, cfg->firewallB= ackend) < 0) goto cleanup; =20 if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) { diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index a2edafa837..9769ee06b5 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -25,6 +25,7 @@ #include "datatypes.h" #include "virlog.h" #include "virerror.h" +#include "virfile.h" #include "virutil.h" #include "bridge_driver_conf.h" =20 @@ -62,6 +63,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_= GNUC_UNUSED, const char *filename) { g_autoptr(virConf) conf =3D NULL; + g_autofree char *firewallBackendStr =3D NULL; =20 /* if file doesn't exist or is unreadable, ignore the "error" */ if (access(filename, R_OK) =3D=3D -1) 
@@ -73,6 +75,44 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G= _GNUC_UNUSED, =20 /* use virConfGetValue*(conf, ...) functions to read any settings into= cfg */ =20 + if (virConfGetValueString(conf, "firewall_backend", &firewallBackendSt= r) < 0) + return -1; + + if (firewallBackendStr) { + int backend =3D virFirewallBackendTypeFromString(firewallBackendSt= r); + + if (backend < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown value for 'firewall_backend' in netw= ork.conf: '%1$s'"), + firewallBackendStr); + return -1; + } + + cfg->firewallBackend =3D backend; + VIR_INFO("using firewall_backend setting from network.conf: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + + } else { + + /* no .conf setting, so see what this host supports by looking + * for binaries used by the backends, and set accordingly. + */ + g_autofree char *iptablesInPath =3D NULL; + + /* virFindFileInPath() uses g_find_program_in_path(), + * which allows absolute paths, and verifies that + * the file is executable. + */ + if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) + cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; + + if (cfg->firewallBackend =3D=3D VIR_FIREWALL_BACKEND_UNSET) + VIR_INFO("firewall_backend not set, and no usable backend auto= -detected"); + else + VIR_INFO("using auto-detected firewall_backend: '%s'", + virFirewallBackendTypeToString(cfg->firewallBackend)); + } + return 0; } =20 diff --git a/src/network/bridge_driver_conf.h b/src/network/bridge_driver_c= onf.h index 426c16198d..8f221f391e 100644 --- a/src/network/bridge_driver_conf.h +++ b/src/network/bridge_driver_conf.h @@ -26,6 +26,7 @@ #include "virdnsmasq.h" #include "virnetworkobj.h" #include "object_event.h" +#include "virfirewall.h" =20 typedef struct _virNetworkDriverConfig virNetworkDriverConfig; struct _virNetworkDriverConfig { 
@@ -37,6 +38,8 @@ struct _virNetworkDriverConfig { char *stateDir; char *pidDir; char *dnsmasqStateDir; + + virFirewallBackend firewallBackend; }; =20 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virNetworkDriverConfig, virObjectUnref); diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index c6aab9b236..ff2f87054d 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -802,11 +802,13 @@ networkRemoveIPSpecificFirewallRules(virFirewall *fw, =20 =20 /* Add all rules for all ip addresses (and general rules) on a network */ -int networkAddFirewallRules(virNetworkDef *def) +int +networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); + g_autoptr(virFirewall) fw =3D virFirewallNew(firewallBackend); =20 if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1; @@ -928,11 +930,13 @@ int networkAddFirewallRules(virNetworkDef *def) } =20 /* Remove all rules for all ip addresses (and general rules) on a network = */ -void networkRemoveFirewallRules(virNetworkDef *def) +void +networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); + g_autoptr(virFirewall) fw =3D virFirewallNew(firewallBackend); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); networkRemoveChecksumFirewallRules(fw, def); diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index 6eee6043e6..7d9a061e50 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c 
@@ -36,11 +36,13 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNU= C_UNUSED) return 0; } =20 -int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_UNUS= ED) { return 0; } =20 -void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED) +void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED, + virFirewallBackend firewallBackend G_GNUC_U= NUSED) { } diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index b720d343be..7443c3129f 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -32,6 +32,8 @@ void networkPostReloadFirewallRules(bool startup); =20 int networkCheckRouteCollision(virNetworkDef *def); =20 -int networkAddFirewallRules(virNetworkDef *def); +int networkAddFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); =20 -void networkRemoveFirewallRules(virNetworkDef *def); +void networkRemoveFirewallRules(virNetworkDef *def, + virFirewallBackend firewallBackend); diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_networ= k.aug index ae153d96a1..5d6d72dd92 100644 --- a/src/network/libvirtd_network.aug +++ b/src/network/libvirtd_network.aug @@ -22,11 +22,14 @@ module Libvirtd_network =3D let int_entry (kw:string) =3D [ key kw . value_sep . int_val ] let str_array_entry (kw:string) =3D [ key kw . value_sep . str_array_va= l ] =20 + let firewall_backend_entry =3D str_entry "firewall_backend" + (* Each entry in the config is one of the following *) + let entry =3D firewall_backend_entry let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] let empty =3D [ label "#empty" . eol ] =20 - let record =3D indent . eol + let record =3D indent . entry . eol =20 let lns =3D ( record | comment | empty ) * =20 
diff --git a/src/network/network.conf b/src/network/network.conf index 5c84003f6d..74c79e4cc6 100644 --- a/src/network/network.conf +++ b/src/network/network.conf @@ -1,3 +1,11 @@ # Master configuration file for the network driver. # All settings described here are optional - if omitted, sensible # defaults are used. + +# firewall_backend: +# +# determines which subsystem to use to setup firewall packet +# filtering rules for virtual networks. Currently the only supported +# selection is "iptables". +# +#firewall_backend =3D "iptables" diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_li= bvirtd_network.aug.in index ffdca520ce..3aa7b4cc22 100644 --- a/src/network/test_libvirtd_network.aug.in +++ b/src/network/test_libvirtd_network.aug.in @@ -1,2 +1,5 @@ module Test_libvirtd_network =3D @CONFIG@ + + test Libvirtd_network.lns get conf =3D +{ "firewall_backend" =3D "iptables" } diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index cb66a26294..3a9f409e2a 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -98,7 +98,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def) < 0) + if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); --=20 2.39.2
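Review bot: in the bridge_driver.c hunk for networkReloadFirewallRulesHelper, the config is fetched with `virNetworkDriverGetConfig(networkGetDriver())` inside the per-network helper even though the hunk header shows the helper already receives `void *opaque G_GNUC_UNUSED`. Fetching the config once in the caller that iterates the networks and passing it through `opaque` would avoid a ref/unref per network and guarantee that every network in one reload pass sees the same backend value.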
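Review bot: the @@ -62 hunk of bridge_driver_conf.c shows the function signature as `virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, ...)`, but this patch now writes `cfg->firewallBackend` in that function, so the `G_GNUC_UNUSED` on `cfg` is stale and should be removed in the same change.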
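Review bot: in the @@ -73 hunk of bridge_driver_conf.c, the iptables auto-detection sits after the `access(filename, R_OK) == -1` check shown in the previous hunk, whose comment says a missing or unreadable network.conf is ignored. If that branch returns early, as the comment suggests, then a host with no /etc/libvirt/network.conf at all never runs `virFindFileInPath(IPTABLES)` and `cfg->firewallBackend` stays unset, which contradicts the commit message's "If firewall_backend isn't set in network.conf, then libvirt will check to see if the iptables binary is present". Move the fallback detection out of the file-parsing path (for example, run it after the conf file has been processed, whether or not the file existed) so the default is the same with and without the file. Two smaller points in the same hunk: an unrecognised `firewall_backend` string is a configuration error rather than an internal one, so `VIR_ERR_CONF_SYNTAX` (or `VIR_ERR_CONFIG_UNSUPPORTED`) is a better fit than `VIR_ERR_INTERNAL_ERROR`; and when the value is set explicitly nothing checks that the corresponding binary is actually present, so a host with `firewall_backend = "iptables"` and no iptables binary only learns of the problem when the first rule is added. Checking the binary at load time for an explicitly configured backend would surface the error earlier and more clearly.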
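Review bot: in the bridge_driver_conf.h hunk, the new `virFirewallBackend firewallBackend;` member gets no explicit initial value anywhere in this patch, yet the auto-detection code compares it against `VIR_FIREWALL_BACKEND_UNSET`. That only works if the config object is zero-filled on allocation and `VIR_FIREWALL_BACKEND_UNSET` is the enum's zero value, neither of which the patch shows. Set the field to `VIR_FIREWALL_BACKEND_UNSET` explicitly wherever the config object is allocated so the check does not depend on enum ordering.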
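Review bot: in the bridge_driver_linux.c hunk for networkAddFirewallRules, the `virOnce(&createdOnce, networkSetupPrivateChains)` call that follows the new `virFirewallNew(firewallBackend)` still performs the one-time chain setup without reference to the backend that was passed in, so once a second backend lands the private chains and the per-network rules could be created through different subsystems. A comment or TODO stating that networkSetupPrivateChains must become backend-aware in the follow-up would help. Also, neither networkAddFirewallRules nor networkRemoveFirewallRules rejects `VIR_FIREWALL_BACKEND_UNSET` before calling `virFirewallNew(firewallBackend)`; the commit message says the unset case should produce "an appropriate error message the first time we attempt to add a rule", so if virFirewallNew() does not already report that, an explicit check with a clear message at this entry point is the right place for it.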
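Review bot: the bridge_driver_platform.h hunk adds `virFirewallBackend` to both prototypes but does not add `#include "virfirewall.h"` to that header (the include is only added to bridge_driver_conf.h), so it compiles only through whatever other headers happen to pull in the type. Add the include here so the header stands on its own.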
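Review bot: the network.conf hunk documents only that "iptables" is the sole supported value and says nothing about what happens when the setting is omitted. Since this is the file an administrator will read, add a sentence describing the default the commit message gives (libvirt looks for the iptables binary and selects that backend if found, otherwise the backend is left unset and rule setup fails with an error), e.g. after "selection is "iptables"." add "If unset, libvirt selects iptables when the iptables binary is found on the host."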