[libvirt] [PATCH v4 2/2] net: add support for specifying port range for forward mode nat

Natanael Copa ncopa at alpinelinux.org
Fri Feb 15 23:02:41 UTC 2013


On Fri, 15 Feb 2013 14:03:37 -0500
Laine Stump <laine at laine.org> wrote:

> On 02/11/2013 09:54 AM, Natanael Copa wrote:
> > Let users set the port range to be used for forward mode NAT:
> >
> > ...
> >   <forward mode='nat'>
> >     <nat>
> >       <port start='1024' end='65535'/>
> >     </nat>
> >   </forward>

...

> > diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
> > index 61d086a..5725800 100644
> > --- a/src/conf/network_conf.c
> > +++ b/src/conf/network_conf.c

...

> > @@ -2179,6 +2210,7 @@ virNatDefFormat(virBufferPtr buf,
> >      char *addr_start = NULL;
> >      char *addr_end = NULL;
> >      int ret = -1;
> > +    int longdef;
> 
> "longdef" must be leftover from an earlier version of your patch, as
> it's now unused.

Yes. It is a leftover and should be removed. Sorry about that.

> > diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
> > index 1a598e3..7df2426 100644
> > --- a/src/conf/network_conf.h
> > +++ b/src/conf/network_conf.h
> > @@ -175,8 +175,9 @@ struct _virNetworkForwardDef {
> >      size_t nifs;
> >      virNetworkForwardIfDefPtr ifs;
> >  
> > -    /* adresses for SNAT */
> > +    /* ranges for NAT */
> >      virSocketAddr addr_start, addr_end;
> > +    unsigned int port_start, port_end;
> 
> 
> As with addr_*, since there is a preference for using Caps instead of
> _ between words in variable names, I'm going to head this one off at
> the beginning and change all the port_starts to portStart and
> portEnds to port_end.

Ok. Sounds good.

> 
> 
> >  };
> >  
> >  typedef struct _virPortGroupDef virPortGroupDef;
> > diff --git a/src/network/bridge_driver.c
> > b/src/network/bridge_driver.c index 6d74c1f..5c83085 100644
> > --- a/src/network/bridge_driver.c
> > +++ b/src/network/bridge_driver.c
> > @@ -1589,6 +1589,8 @@ networkAddMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                       &network->def->forward.addr_start,
> >                                       &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +
> > network->def->forward.port_end, NULL) < 0) {
> >          virReportError(VIR_ERR_SYSTEM_ERROR,
> >                         forwardIf ?
> > @@ -1605,6 +1607,8 @@ networkAddMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                       &network->def->forward.addr_start,
> >                                       &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +
> > network->def->forward.port_end, "udp") < 0) {
> >          virReportError(VIR_ERR_SYSTEM_ERROR,
> >                         forwardIf ?
> > @@ -1621,6 +1625,8 @@ networkAddMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                       &network->def->forward.addr_start,
> >                                       &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +
> > network->def->forward.port_end, "tcp") < 0) {
> >          virReportError(VIR_ERR_SYSTEM_ERROR,
> >                         forwardIf ?
> > @@ -1639,6 +1645,8 @@ networkAddMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                      &network->def->forward.addr_start,
> >                                      &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +                                    network->def->forward.port_end,
> >                                      "udp");
> >   masqerr4:
> >      iptablesRemoveForwardMasquerade(driver->iptables,
> > @@ -1647,6 +1655,8 @@ networkAddMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                      &network->def->forward.addr_start,
> >                                      &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +                                    network->def->forward.port_end,
> >                                      NULL);
> >   masqerr3:
> >      iptablesRemoveForwardAllowRelatedIn(driver->iptables,
> > @@ -1679,6 +1689,8 @@ networkRemoveMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                          &network->def->forward.addr_start,
> >                                          &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +
> > network->def->forward.port_end, "tcp");
> >          iptablesRemoveForwardMasquerade(driver->iptables,
> >                                          &ipdef->address,
> > @@ -1686,6 +1698,8 @@ networkRemoveMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                          &network->def->forward.addr_start,
> >                                          &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +
> > network->def->forward.port_end,
> 
> 
> There's so many of these, I'm starting to wonder if it's worth having
> a virPortAddrRange data type (but not wondering enough to actually do
> it myself :-)

I thought of that too. I think I saw some addr range struct in the
code. We could maybe reuse that and add a virPortRange data type. Would
reduce half of the forward args.

> 
> >                                          "udp");
> >          iptablesRemoveForwardMasquerade(driver->iptables,
> >                                          &ipdef->address,
> > @@ -1693,6 +1707,8 @@ networkRemoveMasqueradingIptablesRules(struct
> > network_driver *driver, forwardIf,
> >                                          &network->def->forward.addr_start,
> >                                          &network->def->forward.addr_end,
> > +
> > network->def->forward.port_start,
> > +
> > network->def->forward.port_end, NULL);
> >  
> >          iptablesRemoveForwardAllowRelatedIn(driver->iptables,
> > diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> > index 3f0dcf0..aa48520 100644
> > --- a/src/util/viriptables.c
> > +++ b/src/util/viriptables.c
> > @@ -807,6 +807,8 @@ iptablesForwardMasquerade(iptablesContext *ctx,
> >                            const char *physdev,
> >                            virSocketAddr *addr_start,
> >                            virSocketAddr *addr_end,
> > +                          unsigned int port_start,
> > +                          unsigned int port_end,
> >                            const char *protocol,
> >                            int action)
> >  {
> > @@ -815,6 +817,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
> >      char *addr_start_str = NULL;
> >      char *addr_end_str = NULL;
> >      virCommandPtr cmd = NULL;
> > +    char port_str[sizeof(":65535-65535")] = "";
> 
> Again, port_str (which I'm renaming portRangeStr)

Good.

> should be a char*
> initialized to NULL, and we should call virAsprintf rather than
> snprintf (with all the associated checks for OOM).

So, it can not be on stack?

...
> > @@ -849,19 +852,27 @@ iptablesForwardMasquerade(iptablesContext
> > *ctx, if (physdev && physdev[0])
> >          virCommandAddArgList(cmd, "--out-interface", physdev,
> > NULL); 
> > +    if (protocol && protocol[0]) {
> > +        if (port_start == 0 && port_end == 0) {
> > +            port_start = 1024;
> > +            port_end = 65535;
> > +        }
> > +
> > +        if (port_start < port_end && port_end < 65536)
> > +            snprintf(port_str, sizeof(port_str), ":%d-%d",
> > +                     port_start, port_end);
> 
> 1) port_* are unsigned, so the format string should use %u rather
> than %d
>
> 2) If the conditional *isn't* true, that's an error and should be
> logged.

Ok.
 
> ACK with those nits fixed. I was making them as I went along, and had
> to rebase the patch anyway, so I'll post a new version that you can
> review; if you ACK, I'll push.

I am ok with those changes. If you want I could look at the range
structs on monday.

-nc




More information about the libvir-list mailing list