On 11/26/2014 10:02 PM, Stefan Berger wrote: > Make use of the ebtables functionality to be able to filter certain > parameters of icmpv6 packets. Extend the XML parser for icmpv6 types, > type ranges, codes, and code ranges. Extend the nwfilter documentation, > schema, and test cases. > > Being able to filter icmpv6 types and codes helps extending the DHCP > snooper for IPv6 and filtering at least some parameters of IPv6's NDP > (Neighbor Discovery Protocol) packets. However, the filtering will not > be as good as the filtering of ARP packets since we cannot check on IP > addresses in the payload of the NDP packets. > > Signed-off-by: Stefan Berger stefanb@xxxxxxxxxxxxxxxxxx > --- > docs/formatnwfilter.html.in | 20 +++++++ > docs/schemas/nwfilter.rng | 26 +++++++++ > src/conf/nwfilter_conf.c | 26 +++++++++ > src/conf/nwfilter_conf.h | 4 ++ > src/nwfilter/nwfilter_ebiptables_driver.c | 80 ++++++++++++++++++++++++++ > tests/nwfilterxml2firewalldata/ipv6-linux.args | 16 ++++++ > tests/nwfilterxml2firewalldata/ipv6.xml | 38 ++++++++++++ > tests/nwfilterxml2xmlin/ipv6-test.xml | 38 ++++++++++++ > tests/nwfilterxml2xmlout/ipv6-test.xml | 12 ++++ > 9 files changed, 260 insertions(+) > > diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in > index 073b852..7c0dd5b 100644 > diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c > index 074d745..0108dbe 100644 > --- a/src/conf/nwfilter_conf.c > +++ b/src/conf/nwfilter_conf.c 
> @@ -1445,6 +1445,26 @@ static const virXMLAttr2Struct ipv6Attributes[] = { > .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX, > .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.portData.dataDstPortEnd), > }, > + { > + .name = "type", > + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, > + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeStart), > + }, > + { > + .name = "typeend", > + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, > + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeEnd), > + }, > + { > + .name = "code", > + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, > + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeStart), > + }, > + { > + .name = "codeend", > + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, > + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeEnd), > + }, > COMMENT_PROP_IPHDR(ipv6HdrFilter), > { > .name = NULL, > @@ -2219,6 +2239,12 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule) > rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr); > COPY_NEG_SIGN(rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask, > rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr); > + COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPTypeend, > + rule->p.icmpHdrFilter.dataICMPType); > + COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPCode, > + rule->p.icmpHdrFilter.dataICMPType); > + COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPCodeend, > + rule->p.icmpHdrFilter.dataICMPType); This doesn't compile for me. > virNWFilterRuleDefFixupIPSet(&rule->p.ipv6HdrFilter.ipHdr); > break; > > diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h > index f81df60..6e68ecc 100644 > --- a/src/conf/nwfilter_conf.h > +++ b/src/conf/nwfilter_conf.h > @@ -265,6 +265,10 @@ struct _ipv6HdrFilterDef { > ethHdrDataDef ethHdr; > ipHdrDataDef ipHdr; > portDataDef portData; > + nwItemDesc dataICMPTypeStart; > + nwItemDesc dataICMPTypeEnd; > + nwItemDesc dataICMPCodeStart; > + nwItemDesc dataICMPCodeEnd; > }; 
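Review bot: The four entries added to ipv6Attributes[] accept `type`, `typeend`, `code` and `codeend` as independent UINT8 values, and nothing in this hunk relates an end value to its start, so `typeend` without `type`, or `codeend` smaller than `code`, passes the parser as far as this table is concerned. The later hunk in nwfilter_ebiptables_driver.c appears to substitute `0` for a missing type start, so if that is the intended contract a short comment above the new entries would make it explicit, e.g. `/* ICMPv6 type/code ranges; a missing range start is defaulted by the driver, start/end ordering is not checked here */`. The ipv6Attributes[] table starts before this hunk.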
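Review bot: The four nwItemDesc members added to struct _ipv6HdrFilterDef carry no comment saying which XML attributes populate them, unlike the neighbouring ethHdr/ipHdr/portData members whose types make that obvious. A one-line comment ahead of them, `/* ICMPv6 'type'/'typeend' and 'code'/'codeend' attributes, see ipv6Attributes[] */`, would tie the header to the parser table that fills them. The struct definition starts before this hunk.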
> > > diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c > index 377b59b..d7a94ee 100644 > --- a/src/nwfilter/nwfilter_ebiptables_driver.c > +++ b/src/nwfilter/nwfilter_ebiptables_driver.c > @@ -1826,6 +1826,7 @@ ebtablesCreateRuleInstance(virFirewallPtr fw, > bool hasMask = false; > virFirewallRulePtr fwrule; > int ret = -1; > + virBuffer buf = VIR_BUFFER_INITIALIZER; > > if (STREQ(chainSuffix, > virNWFilterChainSuffixTypeToString( > @@ -2342,6 +2343,83 @@ ebtablesCreateRuleInstance(virFirewallPtr fw, > virFirewallRuleAddArg(fw, fwrule, number); > } > } > + > + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart) || > + HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd) || > + HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeStart) || > + HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd) ) { > + bool lo = false; > + char *r; > + > + virFirewallRuleAddArg(fw, fwrule, > + "--ip6-icmp-type"); > + > + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) { > + if (printDataType(vars, > + number, sizeof(number), > + &rule->p.ipv6HdrFilter.dataICMPTypeStart) < 0) > + goto cleanup; > + lo = true; > + } else { > + ignore_value(virStrcpyStatic(number, "0")); > + } > + > + virBufferStrcat(&buf, number, ":", NULL); > + > + if HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd) { I'd rather put parentheses around the macros. Otherwise looks good to me. Jan
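Review bot: `buf` is a virBuffer that will own heap memory once the later hunk calls virBufferStrcat() on it, and this function's cleanup path lies outside the hunk, so I cannot see a matching `virBufferFreeAndReset(&buf)` there; every `goto cleanup` taken after the buffer has been written would leak its contents unless the cleanup label frees it. A virBufferCheckError(&buf) before the buffer's contents are handed to virFirewallRuleAddArg() would also catch a failed allocation rather than passing a truncated argument on. Please confirm both are present under `cleanup:`. ebtablesCreateRuleInstance continues outside the hunk.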