[libvirt] [PATCH v1 1/2] Add support for so-far missing protocols for iptables filtering


 



This patch adds filtering support for the so-far missing protocols 'ah',
'esp' and 'udplite'.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>

Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -85,6 +85,9 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V
               "icmp",
               "igmp",
               "udp",
+              "udplite",
+              "esp",
+              "ah",
               "sctp",
               "all");
 
@@ -586,6 +589,17 @@ static const struct int_map ipProtoMap[]
     } , {
         .attr = IPPROTO_UDP,
         .val  = "udp",
+#ifdef IPPROTO_UDPLITE
+    } , {
+        .attr = IPPROTO_UDPLITE,
+        .val  = "udplite",
+#endif
+    } , {
+        .attr = IPPROTO_ESP,
+        .val  = "esp",
+    } , {
+        .attr = IPPROTO_AH,
+        .val  = "ah",
     } , {
         .attr = IPPROTO_ICMP,
         .val  = "icmp",
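Review bot: The `#ifdef IPPROTO_UDPLITE` guard makes only the ipProtoMap entry conditional, while the "udplite" name is added unconditionally to the virNWFilterRuleProtocol strings in the first hunk, to the virAttr table and to the iptables driver, so on a build host whose headers lack the macro the protocol would be accepted as a rule element but rejected wherever ipProtoMap resolves a protocol name to a number. Defining the constant once near the map instead of guarding the entry keeps all four tables in step: `#ifndef IPPROTO_UDPLITE`, `# define IPPROTO_UDPLITE 136`, `#endif`, and then an unguarded `.attr = IPPROTO_UDPLITE` entry. The ipProtoMap array itself begins outside the hunk.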
@@ -950,6 +964,26 @@ static const virXMLAttr2Struct udpAttrib
     }
 };
 
+static const virXMLAttr2Struct udpliteAttributes[] = {
+    COMMON_IP_PROPS(udpliteHdrFilter),
+    {
+        .name = NULL,
+    }
+};
+
+static const virXMLAttr2Struct espAttributes[] = {
+    COMMON_IP_PROPS(espHdrFilter),
+    {
+        .name = NULL,
+    }
+};
+
+static const virXMLAttr2Struct ahAttributes[] = {
+    COMMON_IP_PROPS(ahHdrFilter),
+    {
+        .name = NULL,
+    }
+};
 
 static const virXMLAttr2Struct sctpAttributes[] = {
     COMMON_IP_PROPS(sctpHdrFilter),
@@ -1028,6 +1062,18 @@ static const virAttributes virAttr[] = {
         .att = udpAttributes,
         .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDP,
     }, {
+        .id = "udplite",
+        .att = udpliteAttributes,
+        .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+    }, {
+        .id = "esp",
+        .att = espAttributes,
+        .prtclType = VIR_NWFILTER_RULE_PROTOCOL_ESP,
+    }, {
+        .id = "ah",
+        .att = ahAttributes,
+        .prtclType = VIR_NWFILTER_RULE_PROTOCOL_AH,
+    }, {
         .id = "sctp",
         .att = sctpAttributes,
         .prtclType = VIR_NWFILTER_RULE_PROTOCOL_SCTP,
@@ -1496,6 +1542,39 @@ virNWFilterRuleDefFixup(virNWFilterRuleD
                       rule->p.udpHdrFilter.portData.dataSrcPortStart);
     break;
 
+    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPMask,
+                      rule->p.udpliteHdrFilter.ipHdr.dataSrcIPAddr);
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPMask,
+                      rule->p.udpliteHdrFilter.ipHdr.dataDstIPAddr);
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPTo,
+                      rule->p.udpliteHdrFilter.ipHdr.dataSrcIPFrom);
+        COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPTo,
+                      rule->p.udpliteHdrFilter.ipHdr.dataDstIPFrom);
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPMask,
+                      rule->p.espHdrFilter.ipHdr.dataSrcIPAddr);
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPMask,
+                      rule->p.espHdrFilter.ipHdr.dataDstIPAddr);
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPTo,
+                      rule->p.espHdrFilter.ipHdr.dataSrcIPFrom);
+        COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPTo,
+                      rule->p.espHdrFilter.ipHdr.dataDstIPFrom);
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_AH:
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPMask,
+                      rule->p.ahHdrFilter.ipHdr.dataSrcIPAddr);
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPMask,
+                      rule->p.ahHdrFilter.ipHdr.dataDstIPAddr);
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPTo,
+                      rule->p.ahHdrFilter.ipHdr.dataSrcIPFrom);
+        COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPTo,
+                      rule->p.ahHdrFilter.ipHdr.dataDstIPFrom);
+    break;
+
     case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
         COPY_NEG_SIGN(rule->p.sctpHdrFilter.ipHdr.dataSrcIPMask,
                       rule->p.sctpHdrFilter.ipHdr.dataSrcIPAddr);
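Review bot: The three new cases in virNWFilterRuleDefFixup are identical apart from the union member, and each repeats the same four COPY_NEG_SIGN pairs on ipHdr that the existing udp and sctp cases also carry. A helper macro that takes the header-filter member and expands to those four calls (udp and sctp would then add only their portData lines) would leave a single copy of the pattern to keep correct when a new ip-header field is introduced. The switch and the function itself start before and end after this hunk.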
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -241,6 +241,30 @@ struct _sctpHdrFilterDef {
 };
 
 
+typedef struct _espHdrFilterDef  espHdrFilterDef;
+typedef espHdrFilterDef *espHdrFilterDefPtr;
+struct _espHdrFilterDef {
+    nwItemDesc   dataSrcMACAddr;
+    ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _ahHdrFilterDef  ahHdrFilterDef;
+typedef ahHdrFilterDef *ahHdrFilterDefPtr;
+struct _ahHdrFilterDef {
+    nwItemDesc   dataSrcMACAddr;
+    ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _udpliteHdrFilterDef  udpliteHdrFilterDef;
+typedef udpliteHdrFilterDef *udpliteHdrFilterDefPtr;
+struct _udpliteHdrFilterDef {
+    nwItemDesc   dataSrcMACAddr;
+    ipHdrDataDef ipHdr;
+};
+
+
 enum virNWFilterRuleActionType {
     VIR_NWFILTER_RULE_ACTION_DROP = 0,
     VIR_NWFILTER_RULE_ACTION_ACCEPT,
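Review bot: The three new structs have the same two members as each other and, unlike the neighbouring udp and sctp filters, no portData; nothing in the header says whether that is deliberate. A one-line comment above the group such as `/* esp, ah and udplite rules match on source MAC and IP header only; no port data */` would record the intent for the next reader, assuming that is indeed the design choice.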
@@ -273,6 +297,9 @@ enum virNWFilterRuleProtocolType {
     VIR_NWFILTER_RULE_PROTOCOL_ICMP,
     VIR_NWFILTER_RULE_PROTOCOL_IGMP,
     VIR_NWFILTER_RULE_PROTOCOL_UDP,
+    VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+    VIR_NWFILTER_RULE_PROTOCOL_ESP,
+    VIR_NWFILTER_RULE_PROTOCOL_AH,
     VIR_NWFILTER_RULE_PROTOCOL_SCTP,
     VIR_NWFILTER_RULE_PROTOCOL_ALL,
 
@@ -306,6 +333,9 @@ struct _virNWFilterRuleDef {
         tcpHdrFilterDef  tcpHdrFilter;
         icmpHdrFilterDef icmpHdrFilter;
         udpHdrFilterDef  udpHdrFilter;
+        udpliteHdrFilterDef  udpliteHdrFilter;
+        espHdrFilterDef  espHdrFilter;
+        ahHdrFilterDef  ahHdrFilter;
         allHdrFilterDef  allHdrFilter;
         igmpHdrFilterDef igmpHdrFilter;
         sctpHdrFilterDef sctpHdrFilter;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1089,6 +1089,75 @@ _iptablesCreateRuleInstance(virConnectPt
             goto err_exit;
     break;
 
+    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+        virBufferVSprintf(&buf,
+                          CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+                          chain);
+
+        virBufferAddLit(&buf, " -p udplite");
+
+        if (iptablesHandleSrcMacAddr(conn,
+                                     &buf,
+                                     vars,
+                                     &rule->p.udpliteHdrFilter.dataSrcMACAddr,
+                                     directionIn))
+            goto err_exit;
+
+        if (iptablesHandleIpHdr(conn,
+                                &buf,
+                                vars,
+                                &rule->p.udpliteHdrFilter.ipHdr,
+                                directionIn))
+            goto err_exit;
+
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+        virBufferVSprintf(&buf,
+                          CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+                          chain);
+
+        virBufferAddLit(&buf, " -p esp");
+
+        if (iptablesHandleSrcMacAddr(conn,
+                                     &buf,
+                                     vars,
+                                     &rule->p.espHdrFilter.dataSrcMACAddr,
+                                     directionIn))
+            goto err_exit;
+
+        if (iptablesHandleIpHdr(conn,
+                                &buf,
+                                vars,
+                                &rule->p.espHdrFilter.ipHdr,
+                                directionIn))
+            goto err_exit;
+
+    break;
+
+    case VIR_NWFILTER_RULE_PROTOCOL_AH:
+        virBufferVSprintf(&buf,
+                          CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+                          chain);
+
+        virBufferAddLit(&buf, " -p ah");
+
+        if (iptablesHandleSrcMacAddr(conn,
+                                     &buf,
+                                     vars,
+                                     &rule->p.ahHdrFilter.dataSrcMACAddr,
+                                     directionIn))
+            goto err_exit;
+
+        if (iptablesHandleIpHdr(conn,
+                                &buf,
+                                vars,
+                                &rule->p.ahHdrFilter.ipHdr,
+                                directionIn))
+            goto err_exit;
+
+    break;
+
     case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
         virBufferVSprintf(&buf,
                           CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
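Review bot: The udplite, esp and ah cases in _iptablesCreateRuleInstance differ only in the `-p` literal and the union member passed to iptablesHandleSrcMacAddr and iptablesHandleIpHdr; the surrounding tcp, udp and sctp cases appear to follow the same shape. A static helper taking the protocol name plus pointers to the dataSrcMACAddr and ipHdr fields, returning non-zero on the same failures that currently `goto err_exit`, would reduce the six copies to one and make a later change to the command prefix a single edit. The enclosing switch and function both start and end outside the hunk.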
@@ -1836,6 +1905,9 @@ ebiptablesCreateRuleInstance(virConnectP
 
     case VIR_NWFILTER_RULE_PROTOCOL_TCP:
     case VIR_NWFILTER_RULE_PROTOCOL_UDP:
+    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+    case VIR_NWFILTER_RULE_PROTOCOL_AH:
     case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
     case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
     case VIR_NWFILTER_RULE_PROTOCOL_IGMP:

