[libvirt PATCH 07/28] util: #define the names used for private packet filter chains


 



This is done so that we can be sure the iptables and nftables backends
use the same chain names. Not strictly necessary, but it will make
documentation and troubleshooting simpler.

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/util/viriptables.c  | 44 ++++++++++++++++++++---------------------
 src/util/virnetfilter.h |  7 +++++++
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index dc2a4335bf..a0c35887c5 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -120,14 +120,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
 {
     g_autoptr(virFirewall) fw = virFirewallNew();
     iptablesGlobalChain filter_chains[] = {
-        {"INPUT", "LIBVIRT_INP"},
-        {"OUTPUT", "LIBVIRT_OUT"},
-        {"FORWARD", "LIBVIRT_FWO"},
-        {"FORWARD", "LIBVIRT_FWI"},
-        {"FORWARD", "LIBVIRT_FWX"},
+        {"INPUT", VIR_NETFILTER_INPUT_CHAIN},
+        {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN},
+        {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN},
+        {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN},
+        {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN},
     };
     iptablesGlobalChain natmangle_chains[] = {
-        {"POSTROUTING",  "LIBVIRT_PRT"},
+        {"POSTROUTING",  VIR_NETFILTER_NAT_POSTROUTE_CHAIN},
     };
     bool changed = false;
     iptablesGlobalChainData data[] = {
@@ -175,7 +175,7 @@ iptablesInput(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_INP",
+                       VIR_NETFILTER_INPUT_CHAIN,
                        "--in-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -196,7 +196,7 @@ iptablesOutput(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_OUT",
+                       VIR_NETFILTER_OUTPUT_CHAIN,
                        "--out-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -227,7 +227,7 @@ iptablesForwardAllowOut(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWO",
+                           VIR_NETFILTER_FWD_OUT_CHAIN,
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--out-interface", physdev,
@@ -237,7 +237,7 @@ iptablesForwardAllowOut(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWO",
+                           VIR_NETFILTER_FWD_OUT_CHAIN,
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--jump", "ACCEPT",
@@ -269,7 +269,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -281,7 +281,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--match", "conntrack",
@@ -314,7 +314,7 @@ iptablesForwardAllowIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -324,7 +324,7 @@ iptablesForwardAllowIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_FWI",
+                           VIR_NETFILTER_FWD_IN_CHAIN,
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--jump", "ACCEPT",
@@ -342,7 +342,7 @@ iptablesForwardAllowCross(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_FWX",
+                       VIR_NETFILTER_FWD_X_CHAIN,
                        "--in-interface", iface,
                        "--out-interface", iface,
                        "--jump", "ACCEPT",
@@ -359,7 +359,7 @@ iptablesForwardRejectOut(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_FWO",
+                       VIR_NETFILTER_FWD_OUT_CHAIN,
                        "--in-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -375,7 +375,7 @@ iptablesForwardRejectIn(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_FWI",
+                       VIR_NETFILTER_FWD_IN_CHAIN,
                        "--out-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -421,7 +421,7 @@ iptablesForwardMasquerade(virFirewall *fw,
         rule = virFirewallAddRule(fw, layer,
                                   "--table", "nat",
                                   virIptablesActionTypeToString(action),
-                                  "LIBVIRT_PRT",
+                                  VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                                   "--source", networkstr,
                                   "-p", protocol,
                                   "!", "--destination", networkstr,
@@ -430,7 +430,7 @@ iptablesForwardMasquerade(virFirewall *fw,
         rule = virFirewallAddRule(fw, layer,
                                   "--table", "nat",
                                   virIptablesActionTypeToString(action),
-                                  "LIBVIRT_PRT",
+                                  VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                                   "--source", networkstr,
                                   "!", "--destination", networkstr,
                                   NULL);
@@ -503,7 +503,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "nat",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_PRT",
+                           VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                            "--out-interface", physdev,
                            "--source", networkstr,
                            "--destination", destaddr,
@@ -513,7 +513,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "nat",
                            virIptablesActionTypeToString(action),
-                           "LIBVIRT_PRT",
+                           VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                            "--source", networkstr,
                            "--destination", destaddr,
                            "--jump", "RETURN",
@@ -534,7 +534,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
     virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                        "--table", "mangle",
                        virIptablesActionTypeToString(action),
-                       "LIBVIRT_PRT",
+                       VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
                        "--out-interface", iface,
                        "--protocol", "udp",
                        "--destination-port", portstr,
diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h
index c8b91f16eb..b515512ad7 100644
--- a/src/util/virnetfilter.h
+++ b/src/util/virnetfilter.h
@@ -23,6 +23,13 @@
 #include "virsocketaddr.h"
 #include "virfirewall.h"
 
+#define VIR_NETFILTER_INPUT_CHAIN "LIBVIRT_INP"
+#define VIR_NETFILTER_OUTPUT_CHAIN "LIBVIRT_OUT"
+#define VIR_NETFILTER_FWD_IN_CHAIN "LIBVIRT_FWI"
+#define VIR_NETFILTER_FWD_OUT_CHAIN "LIBVIRT_FWO"
+#define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX"
+#define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+
 void             virNetfilterAddTcpInput         (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
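Review bot: The six new #defines in virnetfilter.h carry no comment saying what they are or why they are shared, and the name VIR_NETFILTER_NAT_POSTROUTE_CHAIN is misleading: the same "LIBVIRT_PRT" chain is created by the natmangle_chains table and is used in the "mangle" table by iptablesOutputFixUdpChecksum in the last viriptables.c hunk, not only in "nat". Suggest a block comment above the defines along the lines of `/* Names of the private chains libvirt creates in the host firewall. Shared by the iptables and nftables backends (per the commit message) so rules, documentation and troubleshooting refer to the same chains. LIBVIRT_PRT is attached to POSTROUTING in both the nat and mangle tables. */`. If a rename is acceptable within this series, VIR_NETFILTER_POSTROUTE_CHAIN would avoid the nat-only implication; otherwise the comment alone is enough.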
-- 
2.39.2



