The iptables backend (which was used as the model for the nftables backend) used the same "filter" and "nat" tables used by other services on the system (e.g. firewalld or any other host firewall management application), so it was possible that one of those other services would be blocking DNS, DHCP, or TFTP from guests to the host; we added our own rules at the beginning of the chain to allow this traffic no matter if someone else rejected it later. But with nftables, each service uses its own table, and all traffic must be accepted by all tables no matter what - it's not possible for us to just insert a higher priority/earlier rule that will override some reject rule put in by, e.g., firewalld. Instead the firewalld (or other) table must be set up by that service to allow the traffic. That, along with the fact that our table is already "accept by default", makes it possible to eliminate the individual accept rules for DHCP, DNS, and TFTP. And once those rules are eliminated, there is no longer any need for the guest_to_host or host_to_guest tables. Signed-off-by: Laine Stump <laine@xxxxxxxxxx> --- I've just #ifdef'ed out the code that adds these rules so that it remains there as an example if someone wants to add in some different guest<->host rules in the future. I could instead completely remove all the now-uncompiled code, and just leave a comment referencing the upstream commit ID of the last commit that still contained all of that code. I'm fine either way. src/network/network_nftables.c | 36 +++- .../nat-default-linux.nftables | 104 ---------- .../nat-ipv6-linux.nftables | 182 ------------------ .../nat-ipv6-masquerade-linux.nftables | 182 ------------------ .../nat-many-ips-linux.nftables | 104 ---------- .../nat-no-dhcp-linux.nftables | 182 ------------------ .../nat-tftp-linux.nftables | 130 ------------- .../route-default-linux.nftables | 104 ---------- 8 files changed, 33 insertions(+), 991 deletions(-) 
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index fd0d0f82dc..5bdde822f1 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -40,8 +40,12 @@ VIR_LOG_INIT("network.nftables"); #define VIR_FROM_THIS VIR_FROM_NONE -#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" -#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* The input and output tables aren't currently used */ +# define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" +# define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#endif + #define VIR_NFTABLES_FORWARD_CHAIN "forward" #define VIR_NFTABLES_FWD_IN_CHAIN "guest_input" #define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output" @@ -88,9 +92,14 @@ typedef struct { nftablesGlobalChain nftablesChains[] = { /* chains for filter rules */ + +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* nothing is being added to these chains now, so they are effective NOPs */ {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy accept; }"}, - {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"}, {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy accept; }"}, +#endif + + {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"}, {"forward", VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, {"forward", VIR_NFTABLES_FWD_IN_CHAIN, NULL}, {"forward", VIR_NFTABLES_FWD_X_CHAIN, NULL}, @@ -209,6 +218,11 @@ nftablesSetupPrivateChains(virFirewallLayer layer) } +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* currently these functions aren't used, but they remain in the + * source (uncompiled) as examples of adding specific rules to permit + * input/output of packets. in case the need arises in the future + */ static void nftablesAddInput(virFirewall *fw, virFirewallLayer layer, @@ -315,6 +329,9 @@ nftablesAddUdpOutput(virFirewall *fw, } +#endif + + /** * nftablesAddForwardAllowOut: * 
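Review bot: The comment added in the @@ -40 hunk, `/* The input and output tables aren't currently used */`, describes base chains rather than tables — `guest_to_host` and `host_to_guest` are chains inside the single `libvirt_network` table (their definitions in the @@ -88 hunk read `type filter hook input` / `hook output`), and the commit message's whole argument is that libvirt owns exactly one table; suggest `/* The input and output base chains aren't currently used */`. The `#define`s under that guard are only reachable when `VIR_NFTABLES_INCLUDE_HOST_RULES` is defined, which nothing in this patch does, so a one-line note at the first `#ifdef` stating that the macro is intentionally never defined (the code is kept only as a reference) would save the next reader a grep. In the @@ -88 hunk `effective NOPs` should read `effectively no-ops`, and the comment opened in the @@ -209 hunk ends as a sentence fragment (`... permit input/output of packets. in case the need arises in the future`); a single sentence such as `/* Unused: kept (uncompiled) as an example of adding rules that permit guest<->host input/output, should the need arise. */` would do. nftablesAddInput and nftablesAddUdpOutput both continue outside their hunks.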
@@ -801,6 +818,14 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, break; } +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* These rules copied from the iptables backend, have been removed + * from the nftab because they are redundant since we are using our own + * table that is default accept; there are no other users that + * could add a reject rule that we would need to / be able to + * override with these rules + */ + /* allow DHCP requests through to dnsmasq & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); @@ -818,6 +843,7 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); } +#endif /* Catch all rules to block forwarding to/from bridges */ nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); @@ -849,6 +875,9 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, /* Allow traffic between guests on the same bridge */ nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* see the note above in nftablesAddGeneralIPv4FirewallRules */ + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { /* allow DNS over IPv6 & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); @@ -859,6 +888,7 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546); } +#endif } diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables index 8b6e0ba406..298a83d088 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables 
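Review bot: The comment in the @@ -801 hunk, `there are no other users that could add a reject rule that we would need to / be able to override`, states the opposite of what the commit message explains: another table (firewalld's, for instance) can still reject guest DHCP/DNS/TFTP traffic at the input/output hooks; what libvirt cannot do is override that verdict from its own table, so the exception has to be configured in the other service's table. Suggest rewording it to `/* These accept rules (inherited from the iptables backend) are redundant: our table is policy accept, and a reject issued by another table cannot be overridden from ours, so such exceptions must be configured in that table. */`, and `nftab` in the same comment should read `nftables`. The `see the note above` comment in the @@ -849 hunk could name `VIR_NFTABLES_INCLUDE_HOST_RULES` so a reader sees that both blocks toggle together. nftablesAddGeneralIPv4FirewallRules and nftablesAddGeneralIPv6FirewallRules both start, and the IPv4 one continues, outside these hunks.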
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index 03fb7397cd..615bb4e144 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ 
@@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index 012a3d5d47..27817d8a68 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ 
@@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index 029274ea06..3ab6286d2c 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index 03fb7397cd..615bb4e144 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ 
@@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index dd84468ad6..298a83d088 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables 
@@ -3,136 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index c1cc8f05b1..09a32f0949 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ -- 2.44.0 _______________________________________________ Devel mailing list -- devel@xxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx