On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> Register the default chains that will be used to hold firewall
> rules at network startup.
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
> src/network/bridge_driver_linux.c | 3 +
> .../nat-default-linux.args | 72 +++++++++++++++++++
> .../nat-ipv6-linux.args | 72 +++++++++++++++++++
> .../nat-many-ips-linux.args | 72 +++++++++++++++++++
> .../nat-no-dhcp-linux.args | 72 +++++++++++++++++++
> .../nat-tftp-linux.args | 72 +++++++++++++++++++
> .../route-default-linux.args | 72 +++++++++++++++++++
> 7 files changed, 435 insertions(+)
>
> diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> index fb09954b8f..6992653b4a 100644
> --- a/src/network/bridge_driver_linux.c
> +++ b/src/network/bridge_driver_linux.c
> @@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
> virFirewallPtr fw = NULL;
> int ret = -1;
>
> + if (iptablesSetupPrivateChains() < 0)
> + return -1;
> +
So I'm not sure whether to fix the "the chains are re-added unnecessarily" problem by moving this call to somewhere else, or by making ipstablesSetupPrivateChains() more intelligent. Probably the latter. That's going to make the test results a bit hinky though, since only the first network will include the iptables calls to add the new chains.
> fw = virFirewallNew();
>
> virFirewallStartTransaction(fw, 0);
> diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
> index ffdafdff0e..9928da715b 100644
> --- a/tests/networkxml2firewalldata/nat-default-linux.args
> +++ b/tests/networkxml2firewalldata/nat-default-linux.args
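Review bot: The early `return -1;` added after `if (iptablesSetupPrivateChains() < 0)` sidesteps the `int ret = -1;` error-path convention visible in the context lines; nothing has been allocated at that point so it does not leak, but routing it through the function's existing cleanup label (`goto cleanup;`, if that is the label further down — networkAddFirewallRules's body starts and ends outside this hunk) keeps a single exit path should an allocation later be added above the call. A short why-comment would also help a reader who otherwise only sees the new `--new-chain` calls in the test data: `/* Create libvirt's private chains before any per-network rule is added */`. Whether iptablesSetupPrivateChains() reports its own error before returning < 0 cannot be seen here; if it does not, this caller would fail network start without a logged reason.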
> @@ -1,5 +1,77 @@ > iptables \ > --table filter \ > +--new-chain INP_libvirt > +iptables \ > +--table filter \ > +--new-chain OUT_libvirt > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +iptables \ > +--table nat \ > +--new-chain PRT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain INP_libvirt > +ip6tables \ > +--table filter \ > +--new-chain OUT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +ip6tables \ > +--table nat \ > +--new-chain PRT_libvirt > +iptables \ > +--table filter \ > +--list INPUT > +iptables \ > +--table filter \ > +--list OUTPUT > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table nat \ > +--list POSTROUTING > +ip6tables \ > +--table filter \ > +--list INPUT > +ip6tables \ > +--table filter \ > +--list OUTPUT > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table nat \ > +--list POSTROUTING > +iptables \ > +--table filter \ > --insert INPUT \ > --in-interface virbr0 \ > --protocol tcp \ > diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args > index 22285afa10..440896de18 100644 > --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args > +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
> @@ -1,5 +1,77 @@ > iptables \ > --table filter \ > +--new-chain INP_libvirt > +iptables \ > +--table filter \ > +--new-chain OUT_libvirt > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +iptables \ > +--table nat \ > +--new-chain PRT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain INP_libvirt > +ip6tables \ > +--table filter \ > +--new-chain OUT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +ip6tables \ > +--table nat \ > +--new-chain PRT_libvirt > +iptables \ > +--table filter \ > +--list INPUT > +iptables \ > +--table filter \ > +--list OUTPUT > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table nat \ > +--list POSTROUTING > +ip6tables \ > +--table filter \ > +--list INPUT > +ip6tables \ > +--table filter \ > +--list OUTPUT > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table nat \ > +--list POSTROUTING > +iptables \ > +--table filter \ > --insert INPUT \ > --in-interface virbr0 \ > --protocol tcp \ > diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args > index aff9f69664..d80a9551d4 100644 > --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args > +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
> @@ -1,5 +1,77 @@ > iptables \ > --table filter \ > +--new-chain INP_libvirt > +iptables \ > +--table filter \ > +--new-chain OUT_libvirt > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +iptables \ > +--table nat \ > +--new-chain PRT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain INP_libvirt > +ip6tables \ > +--table filter \ > +--new-chain OUT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +ip6tables \ > +--table nat \ > +--new-chain PRT_libvirt > +iptables \ > +--table filter \ > +--list INPUT > +iptables \ > +--table filter \ > +--list OUTPUT > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table nat \ > +--list POSTROUTING > +ip6tables \ > +--table filter \ > +--list INPUT > +ip6tables \ > +--table filter \ > +--list OUTPUT > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table nat \ > +--list POSTROUTING > +iptables \ > +--table filter \ > --insert INPUT \ > --in-interface virbr0 \ > --protocol tcp \ > diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args > index 2a9d79054e..e00c543487 100644 > --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args > +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
> @@ -1,5 +1,77 @@ > iptables \ > --table filter \ > +--new-chain INP_libvirt > +iptables \ > +--table filter \ > +--new-chain OUT_libvirt > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +iptables \ > +--table nat \ > +--new-chain PRT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain INP_libvirt > +ip6tables \ > +--table filter \ > +--new-chain OUT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +ip6tables \ > +--table nat \ > +--new-chain PRT_libvirt > +iptables \ > +--table filter \ > +--list INPUT > +iptables \ > +--table filter \ > +--list OUTPUT > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table nat \ > +--list POSTROUTING > +ip6tables \ > +--table filter \ > +--list INPUT > +ip6tables \ > +--table filter \ > +--list OUTPUT > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table nat \ > +--list POSTROUTING > +iptables \ > +--table filter \ > --insert INPUT \ > --in-interface virbr0 \ > --protocol tcp \ > diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args > index 1a06f0d0a5..e0cfdcecf5 100644 > --- a/tests/networkxml2firewalldata/nat-tftp-linux.args > +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
> @@ -1,5 +1,77 @@ > iptables \ > --table filter \ > +--new-chain INP_libvirt > +iptables \ > +--table filter \ > +--new-chain OUT_libvirt > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +iptables \ > +--table nat \ > +--new-chain PRT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain INP_libvirt > +ip6tables \ > +--table filter \ > +--new-chain OUT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +ip6tables \ > +--table nat \ > +--new-chain PRT_libvirt > +iptables \ > +--table filter \ > +--list INPUT > +iptables \ > +--table filter \ > +--list OUTPUT > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table nat \ > +--list POSTROUTING > +ip6tables \ > +--table filter \ > +--list INPUT > +ip6tables \ > +--table filter \ > +--list OUTPUT > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table nat \ > +--list POSTROUTING > +iptables \ > +--table filter \ > --insert INPUT \ > --in-interface virbr0 \ > --protocol tcp \ > diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args > index 65563ff8b4..5b8209af19 100644 > --- a/tests/networkxml2firewalldata/route-default-linux.args > +++ b/tests/networkxml2firewalldata/route-default-linux.args 
> @@ -1,5 +1,77 @@ > iptables \ > --table filter \ > +--new-chain INP_libvirt > +iptables \ > +--table filter \ > +--new-chain OUT_libvirt > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +iptables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +iptables \ > +--table nat \ > +--new-chain PRT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain INP_libvirt > +ip6tables \ > +--table filter \ > +--new-chain OUT_libvirt > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_out > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_in > +ip6tables \ > +--table filter \ > +--new-chain FWD_libvirt_cross > +ip6tables \ > +--table nat \ > +--new-chain PRT_libvirt > +iptables \ > +--table filter \ > +--list INPUT > +iptables \ > +--table filter \ > +--list OUTPUT > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table filter \ > +--list FORWARD > +iptables \ > +--table nat \ > +--list POSTROUTING > +ip6tables \ > +--table filter \ > +--list INPUT > +ip6tables \ > +--table filter \ > +--list OUTPUT > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table filter \ > +--list FORWARD > +ip6tables \ > +--table nat \ > +--list POSTROUTING > +iptables \ > +--table filter \ > --insert INPUT \ > --in-interface virbr0 \ > --protocol tcp \