From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 07/28] util: #define the names used for private packet filter chains
Date: Sun, 30 Apr 2023 23:19:22 -0400
Message-Id: <20230501031943.288145-8-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

This is done so that we can be sure we're using the same chain name for
iptables and nftables. Not strictly necessary, but it will make
documentation and troubleshooting simpler.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
 src/util/viriptables.c  | 44 ++++++++++++++++++++---------------------
 src/util/virnetfilter.h |  7 +++++++
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index dc2a4335bf..a0c35887c5 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -120,14 +120,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer) { g_autoptr(virFirewall) fw =3D virFirewallNew(); iptablesGlobalChain filter_chains[] =3D { - {"INPUT", "LIBVIRT_INP"}, - {"OUTPUT", "LIBVIRT_OUT"}, - {"FORWARD", "LIBVIRT_FWO"}, - {"FORWARD", "LIBVIRT_FWI"}, - {"FORWARD", "LIBVIRT_FWX"}, + {"INPUT", VIR_NETFILTER_INPUT_CHAIN}, + {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN}, + {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN}, }; iptablesGlobalChain natmangle_chains[] =3D { - {"POSTROUTING", "LIBVIRT_PRT"}, + {"POSTROUTING", VIR_NETFILTER_NAT_POSTROUTE_CHAIN}, }; bool changed =3D false; iptablesGlobalChainData data[] =3D { @@ -175,7 +175,7 @@ iptablesInput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_INP", + VIR_NETFILTER_INPUT_CHAIN, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -196,7 +196,7 @@ iptablesOutput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_OUT", + VIR_NETFILTER_OUTPUT_CHAIN, "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -227,7 +227,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -237,7 +237,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", 
@@ -269,7 +269,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -281,7 +281,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -314,7 +314,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -324,7 +324,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -342,7 +342,7 @@ iptablesForwardAllowCross(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWX", + VIR_NETFILTER_FWD_X_CHAIN, "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -359,7 +359,7 @@ iptablesForwardRejectOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWO", + VIR_NETFILTER_FWD_OUT_CHAIN, "--in-interface", iface, "--jump", "REJECT", NULL); @@ -375,7 +375,7 @@ iptablesForwardRejectIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", virIptablesActionTypeToString(action), - "LIBVIRT_FWI", + VIR_NETFILTER_FWD_IN_CHAIN, "--out-interface", iface, "--jump", "REJECT", NULL); 
@@ -421,7 +421,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -430,7 +430,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -503,7 +503,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -513,7 +513,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -534,7 +534,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", virIptablesActionTypeToString(action), - "LIBVIRT_PRT", + VIR_NETFILTER_NAT_POSTROUTE_CHAIN, "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h index c8b91f16eb..b515512ad7 100644 --- a/src/util/virnetfilter.h +++ b/src/util/virnetfilter.h 
@@ -23,6 +23,13 @@ #include "virsocketaddr.h" #include "virfirewall.h" =20 +#define VIR_NETFILTER_INPUT_CHAIN "LIBVIRT_INP" +#define VIR_NETFILTER_OUTPUT_CHAIN "LIBVIRT_OUT" +#define VIR_NETFILTER_FWD_IN_CHAIN "LIBVIRT_FWI" +#define VIR_NETFILTER_FWD_OUT_CHAIN "LIBVIRT_FWO" +#define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX" +#define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" + void virNetfilterAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, --=20 2.39.2
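Review bot: in the @@ -534,7 +534,7 @@ iptablesOutputFixUdpChecksum hunk the chain is added to the "mangle" table, yet the macro substituted there is VIR_NETFILTER_NAT_POSTROUTE_CHAIN, so the name now misdescribes one of its two uses (the first hunk's natmangle_chains array already shows LIBVIRT_PRT being installed for both tables). Suggest a table-neutral name such as VIR_NETFILTER_POSTROUTE_CHAIN, or at least a comment at the definition stating that the chain is created under both the nat and mangle POSTROUTING hooks, so that someone troubleshooting the mangle table is not misled by the "NAT" in the identifier.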
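Review bot: the six #defines added in the virnetfilter.h hunk (@@ -23,6 +23,13 @@) carry no comment saying which table each chain is created in or which parent chain (INPUT, OUTPUT, FORWARD, POSTROUTING) jumps to it, which is exactly the information the commit message says this change is meant to make easier to document and troubleshoot. Suggest a short comment per macro, e.g. `/* filter table, jumped to from FORWARD; rules for traffic leaving a virtual network */` next to `#define VIR_NETFILTER_FWD_OUT_CHAIN "LIBVIRT_FWO"`, and a note that "X" in VIR_NETFILTER_FWD_X_CHAIN means cross-traffic on the same bridge (its only user in this patch is iptablesForwardAllowCross). Separately, the viriptables.c hunks now reference these macros but none of them adds `#include "virnetfilter.h"`, so please confirm that header is already included there, otherwise this patch does not build on its own.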