
[Libvir] [patch 3/5] iptables: fix iptablesPhysdevForward()



Remove the target interface parameter from iptablesPhysdevForward().

This rule is intended to allow frames to be forwarded across the
bridge from the supplied bridge port. In this context, the --out
parameter would match the outgoing bridge port, which will never
be network->def->forwardDev.

Signed-off-by: Mark McLoughlin <markmc redhat com>

Index: libvirt/qemud/iptables.c
===================================================================
--- libvirt.orig/qemud/iptables.c
+++ libvirt/qemud/iptables.c
@@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *
 static int
 iptablesPhysdevForward(iptablesContext *ctx,
                        const char *iface,
-                       const char *target,
                        int action)
 {
-    if (target && target[0]) {
-        return iptablesAddRemoveRule(ctx->forward_filter,
-                                     action,
-                                     "--match", "physdev",
-                                     "--physdev-in", iface,
-                                     "--out", target,
-                                     "--jump", "ACCEPT",
-                                     NULL);
-    } else {
-        return iptablesAddRemoveRule(ctx->forward_filter,
-                                     action,
-                                     "--match", "physdev",
-                                     "--physdev-in", iface,
-                                     "--jump", "ACCEPT",
-                                     NULL);
-    }
+    return iptablesAddRemoveRule(ctx->forward_filter,
+                                 action,
+                                 "--match", "physdev",
+                                 "--physdev-in", iface,
+                                 "--jump", "ACCEPT",
+                                 NULL);
 }
 
 int
 iptablesAddPhysdevForward(iptablesContext *ctx,
-                          const char *iface,
-                          const char *target)
+                          const char *iface)
 {
-    return iptablesPhysdevForward(ctx, iface, target, ADD);
+    return iptablesPhysdevForward(ctx, iface, ADD);
 }
 
 int
 iptablesRemovePhysdevForward(iptablesContext *ctx,
-                             const char *iface,
-                             const char *target)
+                             const char *iface)
 {
-    return iptablesPhysdevForward(ctx, iface, target, REMOVE);
+    return iptablesPhysdevForward(ctx, iface, REMOVE);
 }
 
 static int
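Review bot: The rewritten rule at `--physdev-in iface --jump ACCEPT` carries no `--physdev-is-bridged`, so in the FORWARD chain it matches any packet that entered on `iface`, including one the host then routes out another interface rather than bridges; if only bridged frames are meant to be accepted, as the commit message says, add `"--physdev-is-bridged",` next to `"--physdev-in", iface,`. This matters more after this patch because qemudAddIptablesRules now installs the rule for non-forwarding networks too, so whether routed traffic can leak from an isolated bridge depends on the host's ip_forward setting, which is not visible here. The old code also refused an empty `target`; the new body passes `iface` straight through, so a NULL or empty name from a caller would yield a malformed iptables invocation, and a guard such as `if (!iface || !iface[0]) return EINVAL;` would keep the errno-style contract the callers already rely on via strerror().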
Index: libvirt/qemud/iptables.h
===================================================================
--- libvirt.orig/qemud/iptables.h
+++ libvirt/qemud/iptables.h
@@ -42,11 +42,9 @@ int              iptablesRemoveUdpInput 
                                                   int port);
 
 int              iptablesAddPhysdevForward       (iptablesContext *ctx,
-                                                  const char *iface,
-                                                  const char *target);
+                                                  const char *iface);
 int              iptablesRemovePhysdevForward    (iptablesContext *ctx,
-                                                  const char *iface,
-                                                  const char *target);
+                                                  const char *iface);
 
 int              iptablesAddInterfaceForward     (iptablesContext *ctx,
                                                   const char *iface,
Index: libvirt/qemud/conf.c
===================================================================
--- libvirt.orig/qemud/conf.c
+++ libvirt/qemud/conf.c
@@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_se
     }
 
     if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
-        if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
+        if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) {
             qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                              "Failed to add iptables rule to allow bridging from '%s' :%s",
                              ifname, strerror(err));
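Review bot: The error text on the unchanged line, `"Failed to add iptables rule to allow bridging from '%s' :%s"`, places the space before the colon and none after, unlike the messages in qemud.c which use `'%s' : %s`; suggest `"Failed to add iptables rule to allow bridging from '%s' : %s"` so log lines from the two files look alike. qemudNetworkIfaceConnect starts and ends outside this hunk.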
@@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_se
 
  no_memory:
     if (net->type == QEMUD_NET_NETWORK && network->def->forward)
-        iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
+        iptablesRemovePhysdevForward(server->iptables, ifname);
     qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
  error:
     if (retval)
Index: libvirt/qemud/qemud.c
===================================================================
--- libvirt.orig/qemud/qemud.c
+++ libvirt/qemud/qemud.c
@@ -1042,8 +1042,7 @@ qemudNetworkIfaceDisconnect(struct qemud
         return;
     }
 
-    if (network->def->forward)
-        iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
+    iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);
 }
 
 int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
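Review bot: Dropping the `network->def->forward` guard here makes qemudNetworkIfaceDisconnect remove a per-tap physdev rule that qemudNetworkIfaceConnect in conf.c (the hunk at line 1128 of this patch) still adds only when `forward` is set, so for an isolated network an `iptables -D` is attempted for a rule that was never inserted. The failure is invisible because this function is void and the return value is discarded, but the two sides should agree: either keep `if (network->def->forward)` in front of this call, or drop the same guard from the add path in conf.c so every tap port gets the rule, which is what qemudAddIptablesRules now does for the bridge device itself. qemudNetworkIfaceDisconnect starts outside this hunk.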
@@ -1242,83 +1241,87 @@ qemudAddIptablesRules(struct qemud_serve
     }
 
     /* allow bridging from the bridge interface itself */
-    if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
+    if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
                          "failed to add iptables rule to allow bridging from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err1;
     }
 
-    /* allow forwarding packets from the bridge interface */
-    if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
+    /* allow DHCP requests through to dnsmasq */
+    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow forwarding from '%s' : %s\n",
+                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err2;
     }
 
-    /* allow forwarding packets to the bridge interface if they are part of an existing connection */
-    if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
+    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow forwarding to '%s' : %s\n",
+                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err3;
     }
 
-    /* enable masquerading */
-    if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
+    /* allow DNS requests through to dnsmasq */
+    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to enable masquerading : %s\n",
-                         strerror(err));
+                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+                         network->bridge, strerror(err));
         goto err4;
     }
 
-    /* allow DHCP requests through to dnsmasq */
-    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
+    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err5;
     }
 
-    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
+    /* The remaining rules are only needed for IP forwarding */
+    if (!network->def->forward)
+        return 1;
+
+    /* allow forwarding packets from the bridge interface */
+    if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+                         "failed to add iptables rule to allow forwarding from '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err6;
     }
 
-    /* allow DNS requests through to dnsmasq */
-    if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
+    /* allow forwarding packets to the bridge interface if they are part of an existing connection */
+    if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+                         "failed to add iptables rule to allow forwarding to '%s' : %s\n",
                          network->bridge, strerror(err));
         goto err7;
     }
 
-    if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
+    /* enable masquerading */
+    if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
         qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-                         "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
-                         network->bridge, strerror(err));
+                         "failed to add iptables rule to enable masquerading : %s\n",
+                         strerror(err));
         goto err8;
     }
 
     return 1;
 
  err8:
-    iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+    iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
  err7:
-    iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+    iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
  err6:
-    iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
  err5:
-    iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
  err4:
-    iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
  err3:
-    iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
  err2:
-    iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
+    iptablesRemovePhysdevForward(server->iptables, network->bridge);
  err1:
     return 0;
 }
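Review bot: The TCP and UDP variants share identical error strings ("failed to add iptables rule to allow DHCP requests from", and likewise for DNS), so a log line cannot tell which of the two rules failed; naming the protocol, e.g. `"failed to add iptables rule to allow UDP DHCP requests from '%s' : %s\n"`, fixes that at no cost. The ports 67 and 53 are repeated across eight add calls, the errN cleanup ladder and qemudRemoveIptablesRules; a file-level `enum { DHCP_SERVER_PORT = 67, DNS_PORT = 53 };` would keep those three places in step. The early `return 1;` for the non-forward case is consistent with the errN ladder, but a comment such as `/* success; only forwarding networks need the rules below */` would help, since the iptables helpers called here use the opposite convention (0 on success, errno otherwise). Separately, DHCP is carried over UDP in practice, so the TCP/67 INPUT rule carried over into this hunk may be opening a port dnsmasq never listens on; worth confirming before keeping it.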
@@ -1327,15 +1330,15 @@ static void
 qemudRemoveIptablesRules(struct qemud_server *server,
                          struct qemud_network *network) {
     if (network->def->forward) {
-        iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
-        iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
-        iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
-        iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
         iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
         iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
         iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
-        iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
     }
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+    iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+    iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+    iptablesRemovePhysdevForward(server->iptables, network->bridge);
 }
 
 static int
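Review bot: Every iptablesRemove* call in this function discards its return value, so a failed `iptables -D` (for instance after the rule set was edited by hand) leaves an ACCEPT rule for the bridge in FORWARD or INPUT with no trace in the log. The helpers return the same errno-style int as their Add counterparts (see iptablesRemovePhysdevForward earlier in this patch), so capturing the result and reporting it through qemudReportError the way the add path does would at least make a stale rule visible to the operator. The reversed teardown order now matches the add order in qemudAddIptablesRules, which is good.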
@@ -1412,8 +1415,7 @@ int qemudStartNetworkDaemon(struct qemud
         goto err_delbr;
     }
 
-    if (network->def->forward &&
-        !qemudAddIptablesRules(server, network))
+    if (!qemudAddIptablesRules(server, network))
         goto err_delbr1;
 
     if (network->def->forward &&
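Review bot: With the `forward` guard removed from the qemudAddIptablesRules call, the matching teardown on the `err_delbr1` error path and in the network stop path must likewise call qemudRemoveIptablesRules unconditionally; neither site is visible in this hunk, so please confirm they were updated. qemudRemoveIptablesRules itself already handles the non-forward case internally after this patch, so the call sites only need the guard dropped. qemudStartNetworkDaemon starts and ends outside this hunk.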

-- 

