Register the default chains that will be used to hold firewall rules at network startup. Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- src/network/bridge_driver_linux.c | 3 + .../nat-default-linux.args | 72 +++++++++++++++++++ .../nat-ipv6-linux.args | 72 +++++++++++++++++++ .../nat-many-ips-linux.args | 72 +++++++++++++++++++ .../nat-no-dhcp-linux.args | 72 +++++++++++++++++++ .../nat-tftp-linux.args | 72 +++++++++++++++++++ .../route-default-linux.args | 72 +++++++++++++++++++ 7 files changed, 435 insertions(+) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index fb09954b8f..6992653b4a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw = NULL; int ret = -1; + if (iptablesSetupPrivateChains() < 0) + return -1; + fw = virFirewallNew(); virFirewallStartTransaction(fw, 0); diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args index ffdafdff0e..9928da715b 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
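Review bot: The new `iptablesSetupPrivateChains()` call at the top of networkAddFirewallRules runs on every network start and again after every libvirtd restart, and the fixture expectations in this series show it issuing `--new-chain` for each chain before any `--list` probe; unless the helper tolerates an already-existing chain (or is wrapped in a run-once guard such as virOnce), the second network started is likely to fail because `iptables --new-chain` refuses to create a chain that already exists. The ip6tables half is equally unconditional, so on a host without ip6tables or IPv6 netfilter support a failure in that family should not abort IPv4 rule setup; the helper's error policy is not visible from this hunk, so that is worth confirming. A comment at the call site would make the contract explicit: `/* Creates the shared *_libvirt chains; must be idempotent across repeated network starts and daemon restarts */`. The body of networkAddFirewallRules continues outside the hunk.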
@@ -1,5 +1,77 @@
 iptables \
 --table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
 --insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index 22285afa10..440896de18 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
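Review bot: The expected `--list INPUT`, `--list OUTPUT`, `--list FORWARD` and `--list POSTROUTING` invocations carry no `--numeric`, so iptables will attempt reverse-DNS and service-name lookups for every address and port already in those chains while only the presence of a jump is being probed; on a host whose resolver is unreachable at network startup each call can stall for the resolver timeout, and `--list INPUT --numeric` (or `--list-rules`, whose output is also easier to match) avoids that. Separately, `--list FORWARD` is expected three times per address family, which suggests the helper lists the parent chain once per private chain rather than once per parent; listing FORWARD once and checking for all three FWD_libvirt_* jumps would cut the number of separate iptables processes spawned per network start. The same expectations appear in all six fixture files in this patch, so the change belongs in the helper that generates them, with the fixtures regenerated afterwards.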
@@ -1,5 +1,77 @@
 iptables \
 --table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
 --insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index aff9f69664..d80a9551d4 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -1,5 +1,77 @@
 iptables \
 --table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
 --insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index 2a9d79054e..e00c543487 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -1,5 +1,77 @@
 iptables \
 --table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
 --insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
index 1a06f0d0a5..e0cfdcecf5 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -1,5 +1,77 @@
 iptables \
 --table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
 --insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
index 65563ff8b4..5b8209af19 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -1,5 +1,77 @@
 iptables \
 --table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
 --insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
-- 2.19.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list