Re: [PATCH] nwfilter: Add support for icmpv6 filtering

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/26/2014 10:02 PM, Stefan Berger wrote:
> Make use of the ebtables functionality to be able to filter certain
> parameters of icmpv6 packets. Extend the XML parser for icmpv6 types,
> type ranges, codes, and code ranges. Extend the nwfilter documentation,
> schema, and test cases.
> 
> Being able to filter icmpv6 types and codes helps extending the DHCP
> snooper for IPv6 and filtering at least some parameters of IPv6's NDP
> (Neighbor Discovery Protocol) packets. However, the filtering will not
> be as good as the filtering of ARP packets since we cannot check on IP
> addresses in the payload of the NDP packets.
> 
> Signed-off-by: Stefan Berger stefanb@xxxxxxxxxxxxxxxxxx
> ---
>  docs/formatnwfilter.html.in                    | 20 +++++++
>  docs/schemas/nwfilter.rng                      | 26 +++++++++
>  src/conf/nwfilter_conf.c                       | 26 +++++++++
>  src/conf/nwfilter_conf.h                       |  4 ++
>  src/nwfilter/nwfilter_ebiptables_driver.c      | 80 ++++++++++++++++++++++++++
>  tests/nwfilterxml2firewalldata/ipv6-linux.args | 16 ++++++
>  tests/nwfilterxml2firewalldata/ipv6.xml        | 38 ++++++++++++
>  tests/nwfilterxml2xmlin/ipv6-test.xml          | 38 ++++++++++++
>  tests/nwfilterxml2xmlout/ipv6-test.xml         | 12 ++++
>  9 files changed, 260 insertions(+)
> 
> diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
> index 073b852..7c0dd5b 100644

> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
> index 074d745..0108dbe 100644
> --- a/src/conf/nwfilter_conf.c
> +++ b/src/conf/nwfilter_conf.c
> @@ -1445,6 +1445,26 @@ static const virXMLAttr2Struct ipv6Attributes[] = {
>          .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
>          .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.portData.dataDstPortEnd),
>      },
> +    {
> +        .name = "type",
> +        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeStart),
> +    },
> +    {
> +        .name = "typeend",
> +        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeEnd),
> +    },
> +    {
> +        .name = "code",
> +        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeStart),
> +    },
> +    {
> +        .name = "codeend",
> +        .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
> +        .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeEnd),
> +    },
>      COMMENT_PROP_IPHDR(ipv6HdrFilter),
>      {
>          .name = NULL,
> @@ -2219,6 +2239,12 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule)
>                        rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr);
>          COPY_NEG_SIGN(rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask,
>                        rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr);
> +        COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPTypeend,
> +                      rule->p.icmpHdrFilter.dataICMPType);
> +        COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPCode,
> +                      rule->p.icmpHdrFilter.dataICMPType);
> +        COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPCodeend,
> +                      rule->p.icmpHdrFilter.dataICMPType);

This doesn't compile for me.

>          virNWFilterRuleDefFixupIPSet(&rule->p.ipv6HdrFilter.ipHdr);
>      break;
>  
> diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
> index f81df60..6e68ecc 100644
> --- a/src/conf/nwfilter_conf.h
> +++ b/src/conf/nwfilter_conf.h
> @@ -265,6 +265,10 @@ struct _ipv6HdrFilterDef {
>      ethHdrDataDef  ethHdr;
>      ipHdrDataDef   ipHdr;
>      portDataDef    portData;
> +    nwItemDesc     dataICMPTypeStart;
> +    nwItemDesc     dataICMPTypeEnd;
> +    nwItemDesc     dataICMPCodeStart;
> +    nwItemDesc     dataICMPCodeEnd;
>  };
>  
>  
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
> index 377b59b..d7a94ee 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -1826,6 +1826,7 @@ ebtablesCreateRuleInstance(virFirewallPtr fw,
>      bool hasMask = false;
>      virFirewallRulePtr fwrule;
>      int ret = -1;
> +    virBuffer buf = VIR_BUFFER_INITIALIZER;
>  
>      if (STREQ(chainSuffix,
>                virNWFilterChainSuffixTypeToString(
> @@ -2342,6 +2343,83 @@ ebtablesCreateRuleInstance(virFirewallPtr fw,
>                  virFirewallRuleAddArg(fw, fwrule, number);
>              }
>          }
> +
> +        if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)  ||
> +            HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd) ||
> +            HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeStart) ||
> +            HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd) ) {
> +            bool lo = false;
> +            char *r;
> +
> +            virFirewallRuleAddArg(fw, fwrule,
> +                                  "--ip6-icmp-type");
> +
> +            if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) {
> +                if (printDataType(vars,
> +                                  number, sizeof(number),
> +                                  &rule->p.ipv6HdrFilter.dataICMPTypeStart) < 0)
> +                    goto cleanup;
> +                lo = true;
> +            } else {
> +                ignore_value(virStrcpyStatic(number, "0"));
> +            }
> +
> +            virBufferStrcat(&buf, number, ":", NULL);
> +
> +            if HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd) {

I'd rather put parentheses around the macros.

Otherwise looks good to me.

Jan

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]