Re: [PATCH 3/7] util: prepare iptables for putting rules into private chains

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> Currently all rules are created directly in the INPUT, FORWARD,
> OUTPUT and POSTROUTING chains. This change prepares for putting
> the rules into private changes, but does not actually do the
> switch yet.
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>


Reviewed-by: Laine Stump <laine@xxxxxxxxx>


> ---
>  src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------
>  1 file changed, 108 insertions(+), 44 deletions(-)
>
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index 4a7ea54b38..b4a4bf9a12 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -50,6 +50,12 @@ enum {
>      REMOVE
>  };
>  
> +enum {
> +    VIR_IPTABLES_CHAIN_BUILTIN,
> +    VIR_IPTABLES_CHAIN_PRIVATE,
> +
> +    VIR_IPTABLES_CHAIN_LAST,
> +};
>  
>  
>  typedef struct {
> @@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void)
>  static void
>  iptablesInput(virFirewallPtr fw,
>                virFirewallLayer layer,
> +              int chain,
>                const char *iface,
>                int port,
>                int action,
>                int tcp)
>  {
>      char portstr[32];
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "INPUT",
> +        "INP_libvirt",
> +    };
>  
>      snprintf(portstr, sizeof(portstr), "%d", port);
>      portstr[sizeof(portstr) - 1] = '\0';
>  
>      virFirewallAddRule(fw, layer,
>                         "--table", "filter",
> -                       action == ADD ? "--insert" : "--delete", "INPUT",
> +                       action == ADD ? "--insert" : "--delete", chainName[chain],
>                         "--in-interface", iface,
>                         "--protocol", tcp ? "tcp" : "udp",
>                         "--destination-port", portstr,
> @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw,
>  static void
>  iptablesOutput(virFirewallPtr fw,
>                 virFirewallLayer layer,
> +               int chain,
>                 const char *iface,
>                 int port,
>                 int action,
>                 int tcp)
>  {
>      char portstr[32];
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "OUTPUT",
> +        "OUT_libvirt",
> +    };
>  
>      snprintf(portstr, sizeof(portstr), "%d", port);
>      portstr[sizeof(portstr) - 1] = '\0';
>  
>      virFirewallAddRule(fw, layer,
>                         "--table", "filter",
> -                       action == ADD ? "--insert" : "--delete", "OUTPUT",
> +                       action == ADD ? "--insert" : "--delete", chainName[chain],
>                         "--out-interface", iface,
>                         "--protocol", tcp ? "tcp" : "udp",
>                         "--destination-port", portstr,
> @@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
>                      const char *iface,
>                      int port)
>  {
> -    iptablesInput(fw, layer, iface, port, ADD, 1);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
>  }
>  
>  /**
> @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
>                         const char *iface,
>                         int port)
>  {
> -    iptablesInput(fw, layer, iface, port, REMOVE, 1);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
>  }
>  
>  /**
> @@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
>                      const char *iface,
>                      int port)
>  {
> -    iptablesInput(fw, layer, iface, port, ADD, 0);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
>  }
>  
>  /**
> @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
>                         const char *iface,
>                         int port)
>  {
> -    return iptablesInput(fw, layer, iface, port, REMOVE, 0);
> +    return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
>  }
>  
>  /**
> @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
>                       const char *iface,
>                       int port)
>  {
> -    iptablesOutput(fw, layer, iface, port, ADD, 0);
> +    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
>  }
>  
>  /**
> @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
>                          const char *iface,
>                          int port)
>  {
> -    iptablesOutput(fw, layer, iface, port, REMOVE, 0);
> +    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
>  }
>  
>  
> @@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
>   */
>  static int
>  iptablesForwardAllowOut(virFirewallPtr fw,
> +                        int chain,
>                          virSocketAddr *netaddr,
>                          unsigned int prefix,
>                          const char *iface,
> @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw,
>      VIR_AUTOFREE(char *) networkstr = NULL;
>      virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
>          VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "FORWARD",
> +        "FWD_libvirt_out",
> +    };
>  
>      if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
>          return -1;
> @@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
>      if (physdev && physdev[0])
>          virFirewallAddRule(fw, layer,
>                             "--table", "filter",
> -                           action == ADD ? "--insert" : "--delete", "FORWARD",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--source", networkstr,
>                             "--in-interface", iface,
>                             "--out-interface", physdev,
> @@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
>      else
>          virFirewallAddRule(fw, layer,
>                             "--table", "filter",
> -                           action == ADD ? "--insert" : "--delete", "FORWARD",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--source", networkstr,
>                             "--in-interface", iface,
>                             "--jump", "ACCEPT",
> @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
>                             const char *iface,
>                             const char *physdev)
>  {
> -    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
> +    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
>  }
>  
>  /**
> @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
>                                const char *iface,
>                                const char *physdev)
>  {
> -    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
> +    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
>  }
>  
>  
> @@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
>   */
>  static int
>  iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> +                              int chain,
>                                virSocketAddr *netaddr,
>                                unsigned int prefix,
>                                const char *iface,
> @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
>      virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
>          VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
>      VIR_AUTOFREE(char *) networkstr = NULL;
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "FORWARD",
> +        "FWD_libvirt_in",
> +    };
>  
>      if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
>          return -1;
> @@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
>      if (physdev && physdev[0])
>          virFirewallAddRule(fw, layer,
>                             "--table", "filter",
> -                           action == ADD ? "--insert" : "--delete", "FORWARD",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--destination", networkstr,
>                             "--in-interface", physdev,
>                             "--out-interface", iface,
> @@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
>      else
>          virFirewallAddRule(fw, layer,
>                             "--table", "filter",
> -                           action == ADD ? "--insert" : "--delete", "FORWARD",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--destination", networkstr,
>                             "--out-interface", iface,
>                             "--match", "conntrack",
> @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
>                                   const char *iface,
>                                   const char *physdev)
>  {
> -    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
> +    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
>  }
>  
>  /**
> @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
>                                      const char *iface,
>                                      const char *physdev)
>  {
> -    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
> +    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
>  }
>  
>  /* Allow all traffic destined to the bridge, with a valid network address
>   */
>  static int
>  iptablesForwardAllowIn(virFirewallPtr fw,
> +                       int chain,
>                         virSocketAddr *netaddr,
>                         unsigned int prefix,
>                         const char *iface,
> @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw,
>      virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
>          VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
>      VIR_AUTOFREE(char *) networkstr = NULL;
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "FORWARD",
> +        "FWD_libvirt_in",
> +    };
>  
>      if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
>          return -1;
> @@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
>      if (physdev && physdev[0])
>          virFirewallAddRule(fw, layer,
>                             "--table", "filter",
> -                           action == ADD ? "--insert" : "--delete", "FORWARD",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--destination", networkstr,
>                             "--in-interface", physdev,
>                             "--out-interface", iface,
> @@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
>      else
>          virFirewallAddRule(fw, layer,
>                             "--table", "filter",
> -                           action == ADD ? "--insert" : "--delete", "FORWARD",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--destination", networkstr,
>                             "--out-interface", iface,
>                             "--jump", "ACCEPT",
> @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
>                            const char *iface,
>                            const char *physdev)
>  {
> -    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
> +    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
>  }
>  
>  /**
> @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
>                               const char *iface,
>                               const char *physdev)
>  {
> -    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
> +    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
>  }
>  
>  static void
>  iptablesForwardAllowCross(virFirewallPtr fw,
>                            virFirewallLayer layer,
> +                          int chain,
>                            const char *iface,
>                            int action)
>  {
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "FORWARD",
> +        "FWD_libvirt_cross",
> +    };
> +
>      virFirewallAddRule(fw, layer,
>                         "--table", "filter",
> -                       action == ADD ? "--insert" : "--delete", "FORWARD",
> +                       action == ADD ? "--insert" : "--delete", chainName[chain],
>                         "--in-interface", iface,
>                         "--out-interface", iface,
>                         "--jump", "ACCEPT",
> @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
>                               virFirewallLayer layer,
>                               const char *iface)
>  {
> -    iptablesForwardAllowCross(fw, layer, iface, ADD);
> +    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
>  }
>  
>  /**
> @@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
>                                  virFirewallLayer layer,
>                                  const char *iface)
>  {
> -    iptablesForwardAllowCross(fw, layer, iface, REMOVE);
> +    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
>  }
>  
>  static void
>  iptablesForwardRejectOut(virFirewallPtr fw,
>                           virFirewallLayer layer,
> +                         int chain,
>                           const char *iface,
>                           int action)
>  {
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "FORWARD",
> +        "FWD_libvirt_out",
> +    };
> +
>      virFirewallAddRule(fw, layer,
>                         "--table", "filter",
> -                       action == ADD ? "--insert" : "delete", "FORWARD",
> +                       action == ADD ? "--insert" : "delete", chainName[chain],
>                         "--in-interface", iface,
>                         "--jump", "REJECT",
>                         NULL);
> @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
>                              virFirewallLayer layer,
>                              const char *iface)
>  {
> -    iptablesForwardRejectOut(fw, layer, iface, ADD);
> +    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
>  }
>  
>  /**
> @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
>                                 virFirewallLayer layer,
>                                 const char *iface)
>  {
> -    iptablesForwardRejectOut(fw, layer, iface, REMOVE);
> +    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
>  }
>  
>  
>  static void
>  iptablesForwardRejectIn(virFirewallPtr fw,
>                          virFirewallLayer layer,
> +                        int chain,
>                          const char *iface,
>                          int action)
>  {
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "FORWARD",
> +        "FWD_libvirt_in",
> +    };
> +
>      virFirewallAddRule(fw, layer,
>                         "--table", "filter",
> -                       action == ADD ? "--insert" : "--delete", "FORWARD",
> +                       action == ADD ? "--insert" : "--delete", chainName[chain],
>                         "--out-interface", iface,
>                         "--jump", "REJECT",
>                         NULL);
> @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
>                             virFirewallLayer layer,
>                             const char *iface)
>  {
> -    iptablesForwardRejectIn(fw, layer, iface, ADD);
> +    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
>  }
>  
>  /**
> @@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
>                                virFirewallLayer layer,
>                                const char *iface)
>  {
> -    iptablesForwardRejectIn(fw, layer, iface, REMOVE);
> +    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
>  }
>  
>  
> @@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
>   */
>  static int
>  iptablesForwardMasquerade(virFirewallPtr fw,
> +                          int chain,
>                            virSocketAddr *netaddr,
>                            unsigned int prefix,
>                            const char *physdev,
> @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw,
>      VIR_AUTOFREE(char *) portRangeStr = NULL;
>      VIR_AUTOFREE(char *) natRangeStr = NULL;
>      virFirewallRulePtr rule;
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "POSTROUTING",
> +        "PRT_libvirt",
> +    };
>  
>      if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
>          return -1;
> @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
>      if (protocol && protocol[0]) {
>          rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
>                                    "--table", "nat",
> -                                  action == ADD ? "--insert" : "--delete", "POSTROUTING",
> +                                  action == ADD ? "--insert" : "--delete", chainName[chain],
>                                    "--source", networkstr,
>                                    "-p", protocol,
>                                    "!", "--destination", networkstr,
> @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
>      } else {
>          rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
>                                    "--table", "nat",
> -                                  action == ADD ? "--insert" : "--delete", "POSTROUTING",
> +                                  action == ADD ? "--insert" : "--delete", chainName[chain],
>                                    "--source", networkstr,
>                                    "!", "--destination", networkstr,
>                                    NULL);
> @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
>                               virPortRangePtr port,
>                               const char *protocol)
>  {
> -    return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
> -                                     protocol, ADD);
> +    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +                                     physdev, addr, port, protocol, ADD);
>  }
>  
>  /**
> @@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
>                                  virPortRangePtr port,
>                                  const char *protocol)
>  {
> -    return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
> -                                     protocol, REMOVE);
> +    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +                                     physdev, addr, port, protocol, REMOVE);
>  }
>  
>  
> @@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
>   */
>  static int
>  iptablesForwardDontMasquerade(virFirewallPtr fw,
> +                              int chain,
>                                virSocketAddr *netaddr,
>                                unsigned int prefix,
>                                const char *physdev,
> @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
>                                int action)
>  {
>      VIR_AUTOFREE(char *) networkstr = NULL;
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "POSTROUTING",
> +        "PRT_libvirt",
> +    };
>  
>      if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
>          return -1;
> @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
>      if (physdev && physdev[0])
>          virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
>                             "--table", "nat",
> -                           action == ADD ? "--insert" : "--delete", "POSTROUTING",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--out-interface", physdev,
>                             "--source", networkstr,
>                             "--destination", destaddr,
> @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
>      else
>          virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
>                             "--table", "nat",
> -                           action == ADD ? "--insert" : "--delete", "POSTROUTING",
> +                           action == ADD ? "--insert" : "--delete", chainName[chain],
>                             "--source", networkstr,
>                             "--destination", destaddr,
>                             "--jump", "RETURN",
> @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
>                            const char *physdev,
>                            const char *destaddr)
>  {
> -    return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
> -                                         ADD);
> +    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +                                         physdev, destaddr, ADD);
>  }
>  
>  /**
> @@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
>                               const char *physdev,
>                               const char *destaddr)
>  {
> -    return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
> -                                         REMOVE);
> +    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +                                         physdev, destaddr, REMOVE);
>  }
>  
>  
>  static void
>  iptablesOutputFixUdpChecksum(virFirewallPtr fw,
> +                             int chain,
>                               const char *iface,
>                               int port,
>                               int action)
>  {
>      char portstr[32];
> +    static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> +        "POSTROUTING",
> +        "PRT_libvirt",
> +    };
>  
>      snprintf(portstr, sizeof(portstr), "%d", port);
>      portstr[sizeof(portstr) - 1] = '\0';
>  
>      virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
>                         "--table", "mangle",
> -                       action == ADD ? "--insert" : "--delete", "POSTROUTING",
> +                       action == ADD ? "--insert" : "--delete", chainName[chain],
>                         "--out-interface", iface,
>                         "--protocol", "udp",
>                         "--destination-port", portstr,
> @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
>                                  const char *iface,
>                                  int port)
>  {
> -    iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
> +    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
>  }
>  
>  /**
> @@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
>                                     const char *iface,
>                                     int port)
>  {
> -    iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
> +    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
>  }


Attachment: pEpkey.asc
Description: application/pgp-keys

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux