
Re: [libvirt] [PATCH 11/13] Update iptables.c to also support ip6tables.



On Mon, Dec 20, 2010 at 03:03:23AM -0500, Laine Stump wrote:
> All of the iptables functions eventually call down to a single
> bottom-level function, and fortunately, ip6tables syntax (for all the
> args that we use) is identical to iptables format (except the
> addresses), so all we need to do is:
> 
> 1) Get an address family down to the lowest level function in each
>    case, either implied through an address, or explicitly when no
>    address is in the parameter list, and
> 
> 2) At the lowest level, just decide whether to call "iptables" or
>    "ip6tables" based on the family.
> 
> The location of the ip6tables binary is determined at build time by
> autoconf. If a particular target system happens to not have ip6tables
> installed, any attempts to run it will generate an error, but that
> won't happen unless someone tries to define an IPv6 address for a
> network. This is identical behavior to IPv4 addresses and iptables.

> @@ -735,6 +765,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
>      if (protocol && protocol[0]) {
>          if (physdev && physdev[0]) {
>              ret = iptablesAddRemoveRule(ctx->nat_postrouting,
> +                                        VIR_SOCKET_FAMILY(netaddr),
>                                          action,
>                                          "--source", networkstr,
>                                          "-p", protocol,
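Review bot: iptablesForwardMasquerade() now threads VIR_SOCKET_FAMILY(netaddr) into this iptablesAddRemoveRule() call (and the three sibling calls below), but nothing rejects AF_INET6 before a nat_postrouting masquerade rule is built; since ip6tables has no masquerade target, check the family once at the top of the function and return an error for AF_INET6 instead of relying on ip6tables to fail at run time.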
> @@ -745,6 +776,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
>                                          NULL);
>          } else {
>              ret = iptablesAddRemoveRule(ctx->nat_postrouting,
> +                                        VIR_SOCKET_FAMILY(netaddr),
>                                          action,
>                                          "--source", networkstr,
>                                          "-p", protocol,
> @@ -756,6 +788,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
>      } else {
>          if (physdev && physdev[0]) {
>              ret = iptablesAddRemoveRule(ctx->nat_postrouting,
> +                                        VIR_SOCKET_FAMILY(netaddr),
>                                          action,
>                                          "--source", networkstr,
>                                          "!", "--destination", networkstr,
> @@ -764,6 +797,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
>                                          NULL);
>          } else {
>              ret = iptablesAddRemoveRule(ctx->nat_postrouting,
> +                                        VIR_SOCKET_FAMILY(netaddr),
>                                          action,
>                                          "--source", networkstr,
>                                          "!", "--destination", networkstr,

Masquerading doesn't exist in IPv6 world, so technically we should be
raising an error for AF_INET6 in these 4 cases as a sanity check.

Daniel
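To make the family dispatch from the commit message and the sanity check raised in this reply concrete, here is an added example (not libvirt's code; `firewallBinaryForFamily()`, `buildMasqueradeArgv()`, the binary paths and the exact argv layout are hypothetical stand-ins). It picks the binary by address family and refuses to build a masquerade rule for AF_INET6:

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for the lowest-level dispatch: map an address
 * family to the firewall binary.  Paths are assumed here; libvirt
 * resolves them at build time via autoconf. */
const char *firewallBinaryForFamily(int family)
{
    switch (family) {
    case AF_INET:  return "/sbin/iptables";
    case AF_INET6: return "/sbin/ip6tables";
    default:       return NULL;
    }
}

/* Build argv for a "-j MASQUERADE" rule in the nat POSTROUTING chain.
 * Hypothetical helper, not libvirt's iptablesAddRemoveRule(); the
 * option order is illustrative.  Returns the number of argv entries
 * (argv[n] is NULL), or -1 with errno set: EAFNOSUPPORT for AF_INET6
 * (ip6tables has no masquerade target, so reject it before running
 * anything), EINVAL for an unknown family, E2BIG if argv is too small. */
int buildMasqueradeArgv(int family, const char *action,
                        const char *networkstr, const char *physdev,
                        const char *protocol, const char **argv, size_t maxargv)
{
    const char *bin = firewallBinaryForFamily(family);
    size_t n = 0;

    if (family == AF_INET6) { errno = EAFNOSUPPORT; return -1; }
    if (!bin)               { errno = EINVAL;       return -1; }

    /* Leave room for the terminating NULL on every push. */
#define PUSH(s) do { if (n + 1 >= maxargv) { errno = E2BIG; return -1; } \
                     argv[n++] = (s); } while (0)
    PUSH(bin);
    PUSH("--table"); PUSH("nat");
    PUSH(action);    PUSH("POSTROUTING");   /* e.g. "--insert" or "--delete" */
    PUSH("--source"); PUSH(networkstr);
    PUSH("!"); PUSH("--destination"); PUSH(networkstr);
    if (protocol && protocol[0]) { PUSH("-p"); PUSH(protocol); }
    if (physdev && physdev[0])   { PUSH("--out-interface"); PUSH(physdev); }
    PUSH("--jump"); PUSH("MASQUERADE");
#undef PUSH
    argv[n] = NULL;
    return (int)n;
}
```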

