Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/network/network_iptables.c | 51 +++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 8d32d30980..45907dd2da 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -39,6 +39,13 @@ VIR_LOG_INIT("network.iptables");
 #define VIR_FROM_THIS VIR_FROM_NONE
+#define VIR_IPTABLES_INPUT_CHAIN "LIBVIRT_INP"
+#define VIR_IPTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
+#define VIR_IPTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
+#define VIR_IPTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
+#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
+#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+
 enum {
 VIR_NETFILTER_INSERT = 0,
 VIR_NETFILTER_DELETE
@@ -115,14 +122,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
 {
 g_autoptr(virFirewall) fw = virFirewallNew();
 iptablesGlobalChain filter_chains[] = {
- {"INPUT", "LIBVIRT_INP"},
- {"OUTPUT", "LIBVIRT_OUT"},
- {"FORWARD", "LIBVIRT_FWO"},
- {"FORWARD", "LIBVIRT_FWI"},
- {"FORWARD", "LIBVIRT_FWX"},
+ {"INPUT", VIR_IPTABLES_INPUT_CHAIN},
+ {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_OUT_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_IN_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_X_CHAIN},
 };
 iptablesGlobalChain natmangle_chains[] = {
- {"POSTROUTING", "LIBVIRT_PRT"},
+ {"POSTROUTING", VIR_IPTABLES_NAT_POSTROUTE_CHAIN},
 };
 bool changed = false;
 iptablesGlobalChainData data[] = {
@@ -170,7 +177,7 @@ iptablesInput(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_INP",
+ VIR_IPTABLES_INPUT_CHAIN,
 "--in-interface", iface,
 "--protocol", tcp ? "tcp" : "udp",
 "--destination-port", portstr,
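Review bot: The six new `#define`s in the first hunk (line 39) carry no comment saying what they name, so a reader has to find iptablesSetupPrivateChains further down to learn that these are libvirt's own chains and which built-in chain each is paired with. A one-line comment above the group would settle that at the point of definition: `/* Names of the libvirt-private chains; iptablesSetupPrivateChains pairs them with the built-in INPUT/OUTPUT/FORWARD/POSTROUTING chains (see filter_chains / natmangle_chains) */`. Keeping the names in one place also makes it easy to audit that every rule in this file lands in a libvirt-owned chain rather than a built-in one, which is worth stating in that comment if it is in fact the intent.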
@@ -191,7 +198,7 @@ iptablesOutput(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_OUT",
+ VIR_IPTABLES_OUTPUT_CHAIN,
 "--out-interface", iface,
 "--protocol", tcp ? "tcp" : "udp",
 "--destination-port", portstr,
@@ -366,7 +373,7 @@ iptablesForwardAllowOut(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
 "--source", networkstr,
 "--in-interface", iface,
 "--out-interface", physdev,
@@ -376,7 +383,7 @@ iptablesForwardAllowOut(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
 "--source", networkstr,
 "--in-interface", iface,
 "--jump", "ACCEPT",
@@ -456,7 +463,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
 "--destination", networkstr,
 "--in-interface", physdev,
 "--out-interface", iface,
@@ -468,7 +475,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
 "--destination", networkstr,
 "--out-interface", iface,
 "--match", "conntrack",
@@ -548,7 +555,7 @@ iptablesForwardAllowIn(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
 "--destination", networkstr,
 "--in-interface", physdev,
 "--out-interface", iface,
@@ -558,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
 "--destination", networkstr,
 "--out-interface", iface,
 "--jump", "ACCEPT",
@@ -623,7 +630,7 @@ iptablesForwardAllowCross(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWX",
+ VIR_IPTABLES_FWD_X_CHAIN,
 "--in-interface", iface,
 "--out-interface", iface,
 "--jump", "ACCEPT",
@@ -677,7 +684,7 @@ iptablesForwardRejectOut(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
 "--in-interface", iface,
 "--jump", "REJECT",
 NULL);
@@ -729,7 +736,7 @@ iptablesForwardRejectIn(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
 "--out-interface", iface,
 "--jump", "REJECT",
 NULL);
@@ -811,7 +818,7 @@ iptablesForwardMasquerade(virFirewall *fw,
 rule = virFirewallAddRule(fw, layer,
 "--table", "nat",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
 "--source", networkstr,
 "-p", protocol,
 "!", "--destination", networkstr,
@@ -820,7 +827,7 @@ iptablesForwardMasquerade(virFirewall *fw,
 rule = virFirewallAddRule(fw, layer,
 "--table", "nat",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
 "--source", networkstr,
 "!", "--destination", networkstr,
 NULL);
@@ -947,7 +954,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "nat",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
 "--out-interface", physdev,
 "--source", networkstr,
 "--destination", destaddr,
@@ -957,7 +964,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
 virFirewallAddRule(fw, layer,
 "--table", "nat",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
 "--source", networkstr,
 "--destination", destaddr,
 "--jump", "RETURN",
@@ -1029,7 +1036,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
 "--table", "mangle",
 action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
 "--out-interface", iface,
 "--protocol", "udp",
 "--destination-port", portstr,
-- 
2.44.0
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
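Review bot: `VIR_IPTABLES_NAT_POSTROUTE_CHAIN` is a misleading name in the last hunk (line 1029), where the same `LIBVIRT_PRT` chain is addressed with `"--table", "mangle"`, not nat, and the array that registers it at line 115 is already called natmangle_chains, so the chain appears to live in both tables. A table-neutral name such as `VIR_IPTABLES_POSTROUTE_CHAIN` would describe the chain rather than one of its tables; if the name is kept, a comment at the definition such as `/* hooked from POSTROUTING in both the nat and mangle tables */` would stop a reader from taking the mangle use here for a copy-paste error. The bodies of iptablesForwardDontMasquerade and iptablesOutputFixUdpChecksum continue outside these hunks.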