Currently all rules are created directly in the INPUT, FORWARD, OUTPUT and POSTROUTING chains. This change prepares for putting the rules into private changes, but does not actually do the switch yet. Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------ 1 file changed, 108 insertions(+), 44 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 4a7ea54b38..b4a4bf9a12 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -50,6 +50,12 @@ enum { REMOVE }; +enum { + VIR_IPTABLES_CHAIN_BUILTIN, + VIR_IPTABLES_CHAIN_PRIVATE, + + VIR_IPTABLES_CHAIN_LAST, +}; typedef struct { @@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void) static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "INPUT", + "INP_libvirt", + }; snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "INPUT", + action == ADD ? "--insert" : "--delete", chainName[chain], "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw, static void iptablesOutput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "OUTPUT", + "OUT_libvirt", + }; snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "OUTPUT", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1); } /** @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1); } /** @@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0); } /** @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, iface, port, REMOVE, 0); + return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0); } /** @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0); } /** @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0); } @@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr, */ static int iptablesForwardAllowOut(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw, VIR_AUTOFREE(char *) networkstr = NULL; virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_out", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); } /** @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); } @@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, */ static int iptablesForwardAllowRelatedIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); } /** @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); } /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw, virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); } /** @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); } static void iptablesForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_cross", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); } /** @@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); } static void iptablesForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_out", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "delete", "FORWARD", + action == ADD ? "--insert" : "delete", chainName[chain], "--in-interface", iface, "--jump", "REJECT", NULL); @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); } /** @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); } static void iptablesForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--jump", "REJECT", NULL); @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); } /** @@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); } @@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, */ static int iptablesForwardMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw, VIR_AUTOFREE(char *) portRangeStr = NULL; VIR_AUTOFREE(char *) natRangeStr = NULL; virFirewallRulePtr rule; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, if (protocol && protocol[0]) { rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, } else { rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, - protocol, ADD); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, addr, port, protocol, ADD); } /** @@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, - protocol, REMOVE); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, addr, port, protocol, REMOVE); } @@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, */ static int iptablesForwardDontMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, int action) { VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, else virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - ADD); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, destaddr, ADD); } /** @@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - REMOVE); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, destaddr, REMOVE); } static void iptablesOutputFixUdpChecksum(virFirewallPtr fw, + int chain, const char *iface, int port, int action) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + }; snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD); } /** @@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE); } -- 2.19.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list