Re: [PATCH 5/7] util: switch over to creating rules in private chains

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> All rules are now created in the libvirt private firewall chains. The
> code for deleting rules will try to delete from both the original
> builtin chains and the new private chains in order to cleanup properly
> during upgrades.
>
> This finally fixes a very old bug (from 2008!) related to traffic
> between guests on distinct virtual networks. The intention is that
> networks never allow incoming connections, but the old ordering of rules
> meant that we would mistakenly allow accept traffic from whichever
> network was most recently created.


Yay!! I've verified that traffic is blocked in both directions between
nat and isolated networks, but otherwise allowed.


The only issue I have with this is that, due to not keeping track of
what rules we've added in the past, when we restart and want to refresh
all the rules, we have to attempt deletion of both "the rules we would
add currently for the active networks" as well as "the rules we would
have added in the past (before these changes went in)". That makes for a
slight startup time penalty (and maintenance headache) now, but in the
future it will only get worse - any time we change the exact rules used
for a particular network setup, we'll have to remember what rules we
*used to* add for that type of network, and continue deleting (or
attempting to delete) those rules, in addition to all previous
incarnations of the rules *and* the new incarnation. This will end up
becoming very unwieldy.


I think instead we need to save in the network status a list of the
exact iptables (or firewalld or nftables or whatever it is in the
future) rules we have added, and always delete the exact rules that we
previously added each time we do a refresh. The sooner we do this, the
fewer headaches we'll have.

Aside from that:


Reviewed-by: Laine Stump <laine@xxxxxxxxx>

Tested-by: Laine Stump <laine@xxxxxxxxx>


> With everything going into the FORWARD chain there was interleaving of
> rules for outbound traffic and inbound traffic for each network:
>
>   ACCEPT     all  --  *      virbr2  0.0.0.0/0            192.168.123.0/24     ctstate RELATED,ESTABLISHED
>   ACCEPT     all  --  virbr2 *       192.168.123.0/24     0.0.0.0/0
>   ACCEPT     all  --  virbr2 virbr2  0.0.0.0/0            0.0.0.0/0
>   REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>   REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>   ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
>   ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
>   ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
>   REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>   REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> So the rule allowing outbound traffic from virbr2 would mistakenly
> allow packets from virbr2 to virbr0, before the rule denying input
> to virbr0 gets a chance to run
>
> With the split up forwarding chains, all incoming deny rules are checked
> before any of the outgoing allow rules, as rules are grouped into three
> distinct sets
>
> Cross rules
>
>   ACCEPT     all  --  virbr2 virbr2  0.0.0.0/0            0.0.0.0/0
>   ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
>
> Incoming rules
>
>   ACCEPT     all  --  *      virbr2  0.0.0.0/0            192.168.123.0/24     ctstate RELATED,ESTABLISHED
>   ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
>   REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>   REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> Outgoing rules
>
>   ACCEPT     all  --  virbr2 *       192.168.123.0/24     0.0.0.0/0
>   REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>   ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
>   REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  src/util/viriptables.c                        | 71 +++++++++++++------
>  .../nat-default-linux.args                    | 32 ++++-----
>  .../nat-ipv6-linux.args                       | 48 ++++++-------
>  .../nat-many-ips-linux.args                   | 60 ++++++++--------
>  .../nat-no-dhcp-linux.args                    | 46 ++++++------
>  .../nat-tftp-linux.args                       | 34 ++++-----
>  .../route-default-linux.args                  | 22 +++---
>  7 files changed, 171 insertions(+), 142 deletions(-)
>
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index b4a4bf9a12..ad029e6465 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -209,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
>                      const char *iface,
>                      int port)
>  {
> -    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 1);
>  }
>  
>  /**
> @@ -228,6 +228,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
>                         int port)
>  {
>      iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 1);
>  }
>  
>  /**
> @@ -245,7 +246,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
>                      const char *iface,
>                      int port)
>  {
> -    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
>  }
>  
>  /**
> @@ -263,7 +264,8 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
>                         const char *iface,
>                         int port)
>  {
> -    return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
> +    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
>  }
>  
>  /**
> @@ -281,7 +283,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
>                       const char *iface,
>                       int port)
>  {
> -    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
> +    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
>  }
>  
>  /**
> @@ -300,6 +302,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
>                          int port)
>  {
>      iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
> +    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
>  }
>  
>  
> @@ -398,7 +401,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
>                             const char *iface,
>                             const char *physdev)
>  {
> -    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> +    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
>  }
>  
>  /**
> @@ -421,7 +424,11 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
>                                const char *iface,
>                                const char *physdev)
>  {
> -    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> +    if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
> +        return -1;
> +    if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
> +        return -1;
> +    return 0;
>  }
>  
>  
> @@ -493,7 +500,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
>                                   const char *iface,
>                                   const char *physdev)
>  {
> -    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> +    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
>  }
>  
>  /**
> @@ -516,7 +523,11 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
>                                      const char *iface,
>                                      const char *physdev)
>  {
> -    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> +    if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
> +        return -1;
> +    if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
> +        return -1;
> +    return 0;
>  }
>  
>  /* Allow all traffic destined to the bridge, with a valid network address
> @@ -581,7 +592,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
>                            const char *iface,
>                            const char *physdev)
>  {
> -    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> +    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
>  }
>  
>  /**
> @@ -604,7 +615,11 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
>                               const char *iface,
>                               const char *physdev)
>  {
> -    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> +    if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
> +        return -1;
> +    if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
> +        return -1;
> +    return 0;
>  }
>  
>  static void
> @@ -644,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
>                               virFirewallLayer layer,
>                               const char *iface)
>  {
> -    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> +    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
>  }
>  
>  /**
> @@ -664,6 +679,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
>                                  const char *iface)
>  {
>      iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> +    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
>  }
>  
>  static void
> @@ -680,7 +696,7 @@ iptablesForwardRejectOut(virFirewallPtr fw,
>  
>      virFirewallAddRule(fw, layer,
>                         "--table", "filter",
> -                       action == ADD ? "--insert" : "delete", chainName[chain],
> +                       action == ADD ? "--insert" : "--delete", chainName[chain],
>                         "--in-interface", iface,
>                         "--jump", "REJECT",
>                         NULL);
> @@ -701,7 +717,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
>                              virFirewallLayer layer,
>                              const char *iface)
>  {
> -    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> +    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
>  }
>  
>  /**
> @@ -720,6 +736,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
>                                 const char *iface)
>  {
>      iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> +    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
>  }
>  
>  
> @@ -758,7 +775,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
>                             virFirewallLayer layer,
>                             const char *iface)
>  {
> -    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> +    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
>  }
>  
>  /**
> @@ -777,6 +794,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
>                                const char *iface)
>  {
>      iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> +    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
>  }
>  
>  
> @@ -914,7 +932,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
>                               virPortRangePtr port,
>                               const char *protocol)
>  {
> -    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
>                                       physdev, addr, port, protocol, ADD);
>  }
>  
> @@ -940,8 +958,13 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
>                                  virPortRangePtr port,
>                                  const char *protocol)
>  {
> -    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> -                                     physdev, addr, port, protocol, REMOVE);
> +    if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +                                  physdev, addr, port, protocol, REMOVE) < 0)
> +        return -1;
> +    if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
> +                                  physdev, addr, port, protocol, REMOVE) < 0)
> +        return -1;
> +    return 0;
>  }
>  
>  
> @@ -1016,7 +1039,7 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
>                            const char *physdev,
>                            const char *destaddr)
>  {
> -    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
>                                           physdev, destaddr, ADD);
>  }
>  
> @@ -1041,8 +1064,13 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
>                               const char *physdev,
>                               const char *destaddr)
>  {
> -    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> -                                         physdev, destaddr, REMOVE);
> +    if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> +                                      physdev, destaddr, REMOVE) < 0)
> +        return -1;
> +    if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
> +                                      physdev, destaddr, REMOVE) < 0)
> +        return -1;
> +    return 0;
>  }
>  
>  
> @@ -1088,7 +1116,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
>                                  const char *iface,
>                                  int port)
>  {
> -    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
> +    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD);
>  }
>  
>  /**
> @@ -1106,4 +1134,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
>                                     int port)
>  {
>      iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
> +    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE);
>  }
> diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
> index 9928da715b..69995181ad 100644
> --- a/tests/networkxml2firewalldata/nat-default-linux.args
> +++ b/tests/networkxml2firewalldata/nat-default-linux.args
> @@ -72,64 +72,64 @@ ip6tables \
>  --list POSTROUTING
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert OUTPUT \
> +--insert OUT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.122.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.122.0/24 \
>  --out-interface virbr0 \
>  --match conntrack \
> @@ -137,13 +137,13 @@ iptables \
>  --jump ACCEPT
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 '!' \
>  --destination 192.168.122.0/24 \
>  --jump MASQUERADE
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p udp '!' \
>  --destination 192.168.122.0/24 \
> @@ -151,7 +151,7 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p tcp '!' \
>  --destination 192.168.122.0/24 \
> @@ -159,19 +159,19 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 255.255.255.255/32 \
>  --jump RETURN
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 224.0.0.0/24 \
>  --jump RETURN
>  iptables \
>  --table mangle \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
> diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
> index 440896de18..f93d8face2 100644
> --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
> +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
> @@ -72,101 +72,101 @@ ip6tables \
>  --list POSTROUTING
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert OUTPUT \
> +--insert OUT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 547 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.122.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.122.0/24 \
>  --out-interface virbr0 \
>  --match conntrack \
> @@ -174,13 +174,13 @@ iptables \
>  --jump ACCEPT
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 '!' \
>  --destination 192.168.122.0/24 \
>  --jump MASQUERADE
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p udp '!' \
>  --destination 192.168.122.0/24 \
> @@ -188,7 +188,7 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p tcp '!' \
>  --destination 192.168.122.0/24 \
> @@ -196,31 +196,31 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 255.255.255.255/32 \
>  --jump RETURN
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 224.0.0.0/24 \
>  --jump RETURN
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 2001:db8:ca2:2::/64 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 2001:db8:ca2:2::/64 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table mangle \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
> diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
> index d80a9551d4..faae4b881c 100644
> --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
> +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
> @@ -72,64 +72,64 @@ ip6tables \
>  --list POSTROUTING
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert OUTPUT \
> +--insert OUT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.122.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.122.0/24 \
>  --out-interface virbr0 \
>  --match conntrack \
> @@ -137,13 +137,13 @@ iptables \
>  --jump ACCEPT
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 '!' \
>  --destination 192.168.122.0/24 \
>  --jump MASQUERADE
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p udp '!' \
>  --destination 192.168.122.0/24 \
> @@ -151,7 +151,7 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p tcp '!' \
>  --destination 192.168.122.0/24 \
> @@ -159,25 +159,25 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 255.255.255.255/32 \
>  --jump RETURN
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 224.0.0.0/24 \
>  --jump RETURN
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.128.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.128.0/24 \
>  --out-interface virbr0 \
>  --match conntrack \
> @@ -185,13 +185,13 @@ iptables \
>  --jump ACCEPT
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.128.0/24 '!' \
>  --destination 192.168.128.0/24 \
>  --jump MASQUERADE
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.128.0/24 \
>  -p udp '!' \
>  --destination 192.168.128.0/24 \
> @@ -199,7 +199,7 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.128.0/24 \
>  -p tcp '!' \
>  --destination 192.168.128.0/24 \
> @@ -207,25 +207,25 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.128.0/24 \
>  --destination 255.255.255.255/32 \
>  --jump RETURN
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.128.0/24 \
>  --destination 224.0.0.0/24 \
>  --jump RETURN
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.150.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.150.0/24 \
>  --out-interface virbr0 \
>  --match conntrack \
> @@ -233,13 +233,13 @@ iptables \
>  --jump ACCEPT
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.150.0/24 '!' \
>  --destination 192.168.150.0/24 \
>  --jump MASQUERADE
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.150.0/24 \
>  -p udp '!' \
>  --destination 192.168.150.0/24 \
> @@ -247,7 +247,7 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.150.0/24 \
>  -p tcp '!' \
>  --destination 192.168.150.0/24 \
> @@ -255,19 +255,19 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.150.0/24 \
>  --destination 255.255.255.255/32 \
>  --jump RETURN
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.150.0/24 \
>  --destination 224.0.0.0/24 \
>  --jump RETURN
>  iptables \
>  --table mangle \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
> diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
> index e00c543487..cb0d908506 100644
> --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
> +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
> @@ -72,101 +72,101 @@ ip6tables \
>  --list POSTROUTING
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert OUTPUT \
> +--insert OUT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 547 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.122.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.122.0/24 \
>  --out-interface virbr0 \
>  --match conntrack \
> @@ -174,13 +174,13 @@ iptables \
>  --jump ACCEPT
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 '!' \
>  --destination 192.168.122.0/24 \
>  --jump MASQUERADE
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p udp '!' \
>  --destination 192.168.122.0/24 \
> @@ -188,7 +188,7 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p tcp '!' \
>  --destination 192.168.122.0/24 \
> @@ -196,25 +196,25 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 255.255.255.255/32 \
>  --jump RETURN
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 224.0.0.0/24 \
>  --jump RETURN
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 2001:db8:ca2:2::/64 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  ip6tables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 2001:db8:ca2:2::/64 \
>  --out-interface virbr0 \
>  --jump ACCEPT
> diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
> index e0cfdcecf5..1243bd1c2d 100644
> --- a/tests/networkxml2firewalldata/nat-tftp-linux.args
> +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
> @@ -72,71 +72,71 @@ ip6tables \
>  --list POSTROUTING
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert OUTPUT \
> +--insert OUT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 69 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.122.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.122.0/24 \
>  --out-interface virbr0 \
>  --match conntrack \
> @@ -144,13 +144,13 @@ iptables \
>  --jump ACCEPT
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 '!' \
>  --destination 192.168.122.0/24 \
>  --jump MASQUERADE
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p udp '!' \
>  --destination 192.168.122.0/24 \
> @@ -158,7 +158,7 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  -p tcp '!' \
>  --destination 192.168.122.0/24 \
> @@ -166,19 +166,19 @@ iptables \
>  --to-ports 1024-65535
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 255.255.255.255/32 \
>  --jump RETURN
>  iptables \
>  --table nat \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --source 192.168.122.0/24 \
>  --destination 224.0.0.0/24 \
>  --jump RETURN
>  iptables \
>  --table mangle \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
> diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
> index 5b8209af19..624e589aae 100644
> --- a/tests/networkxml2firewalldata/route-default-linux.args
> +++ b/tests/networkxml2firewalldata/route-default-linux.args
> @@ -72,70 +72,70 @@ ip6tables \
>  --list POSTROUTING
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 67 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert OUTPUT \
> +--insert OUT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol tcp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert INPUT \
> +--insert INP_libvirt \
>  --in-interface virbr0 \
>  --protocol udp \
>  --destination-port 53 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --in-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --out-interface virbr0 \
>  --jump REJECT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_cross \
>  --in-interface virbr0 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_out \
>  --source 192.168.122.0/24 \
>  --in-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table filter \
> ---insert FORWARD \
> +--insert FWD_libvirt_in \
>  --destination 192.168.122.0/24 \
>  --out-interface virbr0 \
>  --jump ACCEPT
>  iptables \
>  --table mangle \
> ---insert POSTROUTING \
> +--insert PRT_libvirt \
>  --out-interface virbr0 \
>  --protocol udp \
>  --destination-port 68 \


Attachment: pEpkey.asc
Description: application/pgp-keys

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux