On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> Currently all rules are created directly in the INPUT, FORWARD,
> OUTPUT and POSTROUTING chains. This change prepares for putting
> the rules into private changes, but does not actually do the
> switch yet.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
Reviewed-by: Laine Stump <laine@xxxxxxxxx>
> ---
> src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------
> 1 file changed, 108 insertions(+), 44 deletions(-)
> 
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index 4a7ea54b38..b4a4bf9a12 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -50,6 +50,12 @@ enum {
> REMOVE
> };
> 
> +enum {
> + VIR_IPTABLES_CHAIN_BUILTIN,
> + VIR_IPTABLES_CHAIN_PRIVATE,
> +
> + VIR_IPTABLES_CHAIN_LAST,
> +};
> 
> 
> typedef struct {
> @@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void)
> static void
> iptablesInput(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int port,
> int action,
> int tcp)
> {
> char portstr[32];
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "INPUT",
> + "INP_libvirt",
> + };
> 
> snprintf(portstr, sizeof(portstr), "%d", port);
> portstr[sizeof(portstr) - 1] = '\0';
> 
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "INPUT",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--in-interface", iface,
> "--protocol", tcp ? "tcp" : "udp",
> "--destination-port", portstr,
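Review bot: The new `chain` parameter of iptablesInput is a bare `int` used directly as an index into the two-entry `chainName[VIR_IPTABLES_CHAIN_LAST]` table with no range check, so any value other than the two enumerators reads past the array; the enum introduced in the hunk above has no tag, which is why the parameter cannot carry a more descriptive type. Giving it one, `typedef enum { ... } virIptablesChain;`, and declaring the parameters as `virIptablesChain chain` makes the expected domain visible in every prototype and call site without adding a runtime check. The same `static const char *chainName[]` pairing is then repeated in every function of this patch with only the private name differing; a single table keyed by builtin chain would keep the builtin/private mapping in one place. Every caller in this patch passes VIR_IPTABLES_CHAIN_BUILTIN, so this is hardening rather than a live defect.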
> @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw,
> static void
> iptablesOutput(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int port,
> int action,
> int tcp)
> {
> char portstr[32];
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "OUTPUT",
> + "OUT_libvirt",
> + };
> 
> snprintf(portstr, sizeof(portstr), "%d", port);
> portstr[sizeof(portstr) - 1] = '\0';
> 
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "OUTPUT",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", iface,
> "--protocol", tcp ? "tcp" : "udp",
> "--destination-port", portstr,
> @@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesInput(fw, layer, iface, port, ADD, 1);
> + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
> }
> 
> /**
> @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesInput(fw, layer, iface, port, REMOVE, 1);
> + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
> }
> 
> /**
> @@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesInput(fw, layer, iface, port, ADD, 0);
> + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
> }
> 
> /**
> @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - return iptablesInput(fw, layer, iface, port, REMOVE, 0);
> + return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
> }
> 
> /**
> @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutput(fw, layer, iface, port, ADD, 0);
> + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
> }
> 
> /**
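Review bot: The rewritten call in iptablesRemoveUdpInput keeps a `return` in front of a call to iptablesInput, which the first hunk shows is `static void`; returning a void expression is a C constraint violation that compilers only tolerate as an extension, and the sibling wrappers in this file do not do it. Since the line is being touched anyway, drop the keyword: `iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);`. The wrapper's return type is outside the hunk, so I cannot see whether it is itself declared void.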
> @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutput(fw, layer, iface, port, REMOVE, 0);
> + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
> }
> 
> 
> @@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
> */
> static int
> iptablesForwardAllowOut(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *iface,
> @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw,
> VIR_AUTOFREE(char *) networkstr = NULL;
> virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
> VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_out",
> + };
> 
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "--in-interface", iface,
> "--out-interface", physdev,
> @@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "--in-interface", iface,
> "--jump", "ACCEPT",
> @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
> + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> }
> 
> /**
> @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
> + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> }
> 
> 
> @@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
> */
> static int
> iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *iface,
> @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
> VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
> VIR_AUTOFREE(char *) networkstr = NULL;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_in",
> + };
> 
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--in-interface", physdev,
> "--out-interface", iface,
> @@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--out-interface", iface,
> "--match", "conntrack",
> @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
> + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> }
> 
> /**
> @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
> + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> }
> 
> /* Allow all traffic destined to the bridge, with a valid network address
> */
> static int
> iptablesForwardAllowIn(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *iface,
> @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw,
> virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
> VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
> VIR_AUTOFREE(char *) networkstr = NULL;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_in",
> + };
> 
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--in-interface", physdev,
> "--out-interface", iface,
> @@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--out-interface", iface,
> "--jump", "ACCEPT",
> @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
> + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> }
> 
> /**
> @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
> + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> }
> 
> static void
> iptablesForwardAllowCross(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int action)
> {
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_cross",
> + };
> +
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--in-interface", iface,
> "--out-interface", iface,
> "--jump", "ACCEPT",
> @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardAllowCross(fw, layer, iface, ADD);
> + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> }
> 
> /**
> @@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardAllowCross(fw, layer, iface, REMOVE);
> + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> }
> 
> static void
> iptablesForwardRejectOut(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int action)
> {
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_out",
> + };
> +
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "delete", "FORWARD",
> + action == ADD ? "--insert" : "delete", chainName[chain],
> "--in-interface", iface,
> "--jump", "REJECT",
> NULL);
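Review bot: Once the private chains are switched on, the `--in-interface iface --out-interface iface --jump ACCEPT` rule that iptablesForwardAllowCross writes into `FWD_libvirt_cross` will no longer share a chain with the `--in-interface iface --jump REJECT` rule that iptablesForwardRejectOut writes into `FWD_libvirt_out`; today both are `--insert`ed at the top of FORWARD, so their relative order is whatever the caller's insertion order produces, and bridge-to-bridge traffic presumably relies on the ACCEPT landing first. After the switch that outcome will depend only on the order in which FORWARD jumps to FWD_libvirt_cross, FWD_libvirt_in and FWD_libvirt_out, which is decided in iptablesSetupPrivateChains outside this hunk. I would record that dependency beside the table, e.g. `/* FORWARD must jump here before FWD_libvirt_out, whose REJECT matches the same in-interface */`, so the jump order is not reordered casually later. This commit does not perform the switch, so nothing breaks yet; the function's closing brace is outside the hunk.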
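Review bot: The REMOVE path of iptablesForwardRejectOut still emits `delete` instead of `--delete` (the new line keeps `action == ADD ? "--insert" : "delete", chainName[chain],`), so the generated command is `iptables --table filter delete FWD_libvirt_out --in-interface ... --jump REJECT`, which iptables does not accept, and the REJECT rule is never removed when the network is torn down. The typo is inherited from the removed line, but this hunk rewrites that line, so it is the natural place to fix it: `action == ADD ? "--insert" : "--delete", chainName[chain],`. Every other function in this patch spells it `--delete`, and stale per-interface REJECT rules will otherwise accumulate across network restarts. The function's closing brace is outside the hunk.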
> @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectOut(fw, layer, iface, ADD);
> + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> }
> 
> /**
> @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectOut(fw, layer, iface, REMOVE);
> + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> }
> 
> 
> static void
> iptablesForwardRejectIn(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int action)
> {
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_in",
> + };
> +
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", iface,
> "--jump", "REJECT",
> NULL);
> @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectIn(fw, layer, iface, ADD);
> + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> }
> 
> /**
> @@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectIn(fw, layer, iface, REMOVE);
> + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> }
> 
> 
> @@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
> */
> static int
> iptablesForwardMasquerade(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *physdev,
> @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw,
> VIR_AUTOFREE(char *) portRangeStr = NULL;
> VIR_AUTOFREE(char *) natRangeStr = NULL;
> virFirewallRulePtr rule;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "POSTROUTING",
> + "PRT_libvirt",
> + };
> 
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
> if (protocol && protocol[0]) {
> rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "-p", protocol,
> "!", "--destination", networkstr,
> @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
> } else {
> rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "!", "--destination", networkstr,
> NULL);
> @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
> virPortRangePtr port,
> const char *protocol)
> {
> - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
> - protocol, ADD);
> + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, addr, port, protocol, ADD);
> }
> 
> /**
> @@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
> virPortRangePtr port,
> const char *protocol)
> {
> - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
> - protocol, REMOVE);
> + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, addr, port, protocol, REMOVE);
> }
> 
> 
> @@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
> */
> static int
> iptablesForwardDontMasquerade(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *physdev,
> @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
> int action)
> {
> VIR_AUTOFREE(char *) networkstr = NULL;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "POSTROUTING",
> + "PRT_libvirt",
> + };
> 
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", physdev,
> "--source", networkstr,
> "--destination", destaddr,
> @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "--destination", destaddr,
> "--jump", "RETURN",
> NULL);
> @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
> const char *physdev,
> const char *destaddr)
> {
> - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
> - ADD);
> + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, destaddr, ADD);
> }
> 
> /**
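Review bot: The `--jump RETURN` rules iptablesForwardDontMasquerade emits change meaning once the rule is placed in `PRT_libvirt` instead of `POSTROUTING`: in a builtin chain, RETURN ends traversal with the chain policy, so the excluded destinations can never be masqueraded by any later rule, whereas in a user-defined chain RETURN merely resumes POSTROUTING after the jump, so a MASQUERADE rule placed later in POSTROUTING by the host administrator or another tool will then apply to exactly the traffic this function is meant to exempt. The function's leading comment is in the hunk above but cut short, so I cannot see what it promises; when the private chain is switched in, either document the weaker guarantee beside the table, e.g. `/* RETURN here only exits PRT_libvirt; later POSTROUTING rules still see this traffic */`, or use a terminating target for the private case. All callers in this patch still pass VIR_IPTABLES_CHAIN_BUILTIN, so behaviour is unchanged for now, and the function body continues past the last hunk.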
> @@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
> const char *physdev,
> const char *destaddr)
> {
> - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
> - REMOVE);
> + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, destaddr, REMOVE);
> }
> 
> 
> static void
> iptablesOutputFixUdpChecksum(virFirewallPtr fw,
> + int chain,
> const char *iface,
> int port,
> int action)
> {
> char portstr[32];
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "POSTROUTING",
> + "PRT_libvirt",
> + };
> 
> snprintf(portstr, sizeof(portstr), "%d", port);
> portstr[sizeof(portstr) - 1] = '\0';
> 
> virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "mangle",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", iface,
> "--protocol", "udp",
> "--destination-port", portstr,
> @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
> + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
> }
> 
> /**
> @@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
> + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
> }
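Review bot: The private name iptablesOutputFixUdpChecksum chooses for the `mangle` table, `PRT_libvirt`, is the same string iptablesForwardMasquerade and iptablesForwardDontMasquerade use for the `nat` table. iptables chain names are scoped per table, so this is legal, but it means iptablesSetupPrivateChains (outside this view) must create and hook a PRT_libvirt chain in both nat and mangle, and anyone grepping the ruleset for PRT_libvirt will find two unrelated chains with one name. Either name them apart, e.g. `"PRT_libvirt_mangle"` here, or add `/* distinct from the nat-table PRT_libvirt: chain names are per table */` beside the table so the duplication reads as deliberate. I cannot confirm from this hunk whether the mangle-table chain is actually created, and the function's trailing lines are outside the hunk.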