From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 14/28] util: setup functions in virnetfilter which will call appropriate backend
Date: Sun, 30 Apr 2023 23:19:29 -0400
Message-Id: <20230501031943.288145-15-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

Many of the functions in virnetfilter.c are nearly identical to one or more other functions (e.g. they just call the same iptables function, but with INSERT|DELETE action). Rather than adding a switch(backend) into all 24 of these functions, make small wrappers for the 10 iptables* functions that those 24 call, and put switch(backend) in *those* functions. This is more work now, but will make shorter work of adding in nftables backend support.

(To be truthful, I've gotten this far basically ignoring the details of the plethora of functions in the viriptables.c API, just faithfully tooling it around while keeping the callers unchanged (aside from the function renaming back at the beginning of the series). I'm now thinking maybe the original API should be simplified, and the callers (i.e. the network driver) modified to use that simplified API instead.
But I've gotten this far so I might as well demonstrate working patches and ask for opinions rather than throwing away multiple patches and dealing with associated local merge/rebase conflicts due to changing patches early in the series for possibly no reason.) Signed-off-by: Laine Stump --- po/POTFILES | 1 + src/util/virfirewall.c | 14 +- src/util/virnetfilter.c | 320 +++++++++++++++++++++++++++++++++++----- 3 files changed, 293 insertions(+), 42 deletions(-) diff --git a/po/POTFILES b/po/POTFILES index b122f02818..d20ac36062 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -302,6 +302,7 @@ src/util/virnetdevopenvswitch.c src/util/virnetdevtap.c src/util/virnetdevveth.c src/util/virnetdevvportprofile.c +src/util/virnetfilter.c src/util/virnetlink.c src/util/virnodesuspend.c src/util/virnuma.c diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index e1fda162c4..fa21266fb2 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -99,7 +99,19 @@ virFirewallGroupNew(void) */ virFirewall *virFirewallNew(virFirewallBackend backend) { - virFirewall *firewall =3D g_new0(virFirewall, 1); + virFirewall *firewall =3D NULL; + + /* If we arrive here and backend is _UNSET, then either there is a + * bug in our code, or we couldn't find the necessary binaries for + * a working backend (e.g. no iptables of nft binary). + */ + if (backend =3D=3D VIR_FIREWALL_BACKEND_UNSET) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewall_backend wasn't set, and no usable setti= ng could be auto-detected")); + return NULL; + } + + firewall =3D g_new0(virFirewall, 1); =20 firewall->backend =3D backend; return firewall; diff --git a/src/util/virnetfilter.c b/src/util/virnetfilter.c index f0fa0d5cd2..e6a748e877 100644 --- a/src/util/virnetfilter.c +++ b/src/util/virnetfilter.c 
@@ -44,6 +44,18 @@ VIR_LOG_INIT("util.netfilter"); #define VIR_FROM_THIS VIR_FROM_NONE =20 =20 +static void +virNetFilterBackendUnsetError(void) +{ + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewall_backend wasn't set, and no usable setting c= ould be auto-detected")); +} + + +/* All functions with a switch checking virFirewallGetBackend(fw) will + * need a case in the switch for each backend. + */ + /** * virNetfilterApplyFirewallRule: * @fw: the virFirewall this rule is part of (currently unused) @@ -59,7 +71,16 @@ virNetfilterApplyFirewallRule(virFirewall *fw, virFirewallRule *rule, char **output) { - return virIptablesApplyFirewallRule(fw, rule, output); + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return virIptablesApplyFirewallRule(fw, rule, output); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; } =20 =20 
@@ -73,12 +94,228 @@ virNetfilterApplyFirewallRule(virFirewall *fw, * */ int -virNetfilterSetupPrivateChains(virFirewallBackend backend G_GNUC_UNUSED, +virNetfilterSetupPrivateChains(virFirewallBackend backend, virFirewallLayer layer) { - return iptablesSetupPrivateChains(layer); + switch (backend) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesSetupPrivateChains(layer); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static void +virNetfilterInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesInput(fw, layer, iface, port, action, tcp); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + virFirewallAction action, + int tcp) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesOutput(fw, layer, iface, port, action, tcp); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static int +virNetfilterForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowOut(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static int +virNetfilterForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { 
+ case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; } =20 + +static int +virNetfilterForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardAllowIn(fw, netaddr, prefix, + iface, physdev, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static void +virNetfilterForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardAllowCross(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardRejectOut(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static void +virNetfilterForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + iptablesForwardRejectIn(fw, layer, iface, action); + break; + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + +static int +virNetfilterForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + 
virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, + addr, port, protocol, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + +static int +virNetfilterForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + virFirewallAction action) +{ + switch (virFirewallGetBackend(fw)) { + case VIR_FIREWALL_BACKEND_IPTABLES: + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, action); + + case VIR_FIREWALL_BACKEND_UNSET: + case VIR_FIREWALL_BACKEND_LAST: + virNetFilterBackendUnsetError(); + return -1; + } + return 0; +} + + /** * virNetfilterAddTcpInput: * @ctx: pointer to the IP table context @@ -94,7 +331,7 @@ virNetfilterAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, = 1); } =20 =20 @@ -113,7 +350,7 @@ virNetfilterRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, = 1); } =20 =20 @@ -132,7 +369,7 @@ virNetfilterAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, = 0); } =20 =20 
@@ -151,7 +388,7 @@ virNetfilterRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); + virNetfilterInput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, = 0); } =20 =20 @@ -170,7 +407,7 @@ virNetfilterAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 1); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT,= 1); } =20 =20 @@ -189,7 +426,7 @@ virNetfilterRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 1); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE,= 1); } =20 =20 @@ -208,7 +445,7 @@ virNetfilterAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT, 0); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_INSERT,= 0); } =20 =20 @@ -227,7 +464,7 @@ virNetfilterRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE, 0); + virNetfilterOutput(fw, layer, iface, port, VIR_FIREWALL_ACTION_DELETE,= 0); } =20 =20 @@ -251,8 +488,8 @@ virNetfilterAddForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -276,8 +513,8 @@ virNetfilterRemoveForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 
@@ -301,8 +538,8 @@ virNetfilterAddForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowRelatedIn(fw, netaddr, prefix, iface, p= hysdev, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -326,8 +563,8 @@ virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowRelatedIn(fw, netaddr, prefix, iface, p= hysdev, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -351,8 +588,8 @@ virNetfilterAddForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -376,8 +613,8 @@ virNetfilterRemoveForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 @@ -397,7 +634,7 @@ virNetfilterAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT= ); + virNetfilterForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_IN= SERT); } =20 =20 @@ -417,7 +654,7 @@ virNetfilterRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE= ); + virNetfilterForwardAllowCross(fw, layer, iface, VIR_FIREWALL_ACTION_DE= LETE); } =20 =20 
@@ -436,9 +673,10 @@ virNetfilterAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); + virNetfilterForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_INS= ERT); } =20 + /** * virNetfilterRemoveForwardRejectOut: * @ctx: pointer to the IP table context @@ -454,7 +692,7 @@ virNetfilterRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); + virNetfilterForwardRejectOut(fw, layer, iface, VIR_FIREWALL_ACTION_DEL= ETE); } =20 =20 @@ -473,7 +711,7 @@ virNetfilterAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSERT); + virNetfilterForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_INSE= RT); } =20 =20 @@ -492,7 +730,7 @@ virNetfilterRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELETE); + virNetfilterForwardRejectIn(fw, layer, iface, VIR_FIREWALL_ACTION_DELE= TE); } =20 =20 @@ -518,9 +756,9 @@ virNetfilterAddForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -546,9 +784,9 @@ virNetfilterRemoveForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_FIREWALL_ACTION_DELETE); } =20 =20 
@@ -573,9 +811,9 @@ virNetfilterAddDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_FIREWALL_ACTION_INSERT); + return virNetfilterForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_FIREWALL_ACTION_INSERT); } =20 =20 @@ -600,7 +838,7 @@ virNetfilterRemoveDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_FIREWALL_ACTION_DELETE); + return virNetfilterForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_FIREWALL_ACTION_DELETE); } --=20 2.39.2
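
Review bot: In the virFirewallNew() hunk (src/util/virfirewall.c), the new guard rejects only VIR_FIREWALL_BACKEND_UNSET, yet every switch added to virnetfilter.c in this patch also treats VIR_FIREWALL_BACKEND_LAST as invalid, so a virFirewall can still be created with a backend that no wrapper will handle. Consider rejecting anything outside the valid range here so the later switches are purely defensive. The function can now return NULL and no hunk in this patch touches a caller, so each caller needs checking for a NULL return before it dereferences the result. Small typo in the new comment: "no iptables of nft binary" should read "or".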
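
Review bot: The helper added near the top of src/util/virnetfilter.c is spelled virNetFilterBackendUnsetError() while every other function in the file uses the virNetfilter prefix; please rename it to match. Its message is a verbatim copy of the string added to virFirewallNew(), so two translatable copies have to be kept in sync; one shared helper would avoid that. It is also called for VIR_FIREWALL_BACKEND_LAST, where "wasn't set" is not an accurate description of the problem.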
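
Review bot: In virNetfilterApplyFirewallRule(), the `return 0;` after the switch reports success for any backend value that matches none of the cases, so the caller would believe a firewall rule was applied when nothing ran. Failing closed is safer: report an error and return -1 there. The same trailing `return 0;` appears in virNetfilterSetupPrivateChains() and in each int-returning wrapper added in the following hunk.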
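
Review bot: In the large hunk that adds the static wrappers, the void ones (virNetfilterInput, virNetfilterOutput, virNetfilterForwardAllowCross, virNetfilterForwardRejectOut, virNetfilterForwardRejectIn) handle `case VIR_FIREWALL_BACKEND_UNSET:` and `case VIR_FIREWALL_BACKEND_LAST:` with a bare `break;`, while the int-returning wrappers call virNetFilterBackendUnsetError() and return -1. With an invalid backend the input, output and reject rules are therefore skipped with no error and no log entry. Either call the error helper in these cases as well, or give the wrappers an int return so the callers can fail the operation.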