[libvirt] [PATCH 3/7] util: prepare iptables for putting rules into private chains
Daniel P. Berrangé
berrange at redhat.com
Thu Nov 1 12:52:33 UTC 2018
Currently all rules are created directly in the INPUT, FORWARD,
OUTPUT and POSTROUTING chains. This change prepares for putting
the rules into private changes, but does not actually do the
switch yet.
Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------
1 file changed, 108 insertions(+), 44 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 4a7ea54b38..b4a4bf9a12 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -50,6 +50,12 @@ enum {
REMOVE
};
+enum {
+ VIR_IPTABLES_CHAIN_BUILTIN,
+ VIR_IPTABLES_CHAIN_PRIVATE,
+
+ VIR_IPTABLES_CHAIN_LAST,
+};
typedef struct {
@@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void)
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int port,
int action,
int tcp)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "INPUT",
+ "INP_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "INPUT",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw,
static void
iptablesOutput(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int port,
int action,
int tcp)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "OUTPUT",
+ "OUT_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "OUTPUT",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
}
/**
@@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
}
/**
@@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
}
/**
@@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- return iptablesInput(fw, layer, iface, port, REMOVE, 0);
+ return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
}
/**
@@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
}
/**
@@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
}
@@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
*/
static int
iptablesForwardAllowOut(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw,
VIR_AUTOFREE(char *) networkstr = NULL;
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_out",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
}
@@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
*/
static int
iptablesForwardAllowRelatedIn(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw,
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
}
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_cross",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_out",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete", "FORWARD",
+ action == ADD ? "--insert" : "delete", chainName[chain],
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
@@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
*/
static int
iptablesForwardMasquerade(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw,
VIR_AUTOFREE(char *) portRangeStr = NULL;
VIR_AUTOFREE(char *) natRangeStr = NULL;
virFirewallRulePtr rule;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
} else {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, ADD);
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, ADD);
}
/**
@@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, REMOVE);
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE);
}
@@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
*/
static int
iptablesForwardDontMasquerade(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
int action)
{
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
else
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- ADD);
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, destaddr, ADD);
}
/**
@@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- REMOVE);
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, destaddr, REMOVE);
}
static void
iptablesOutputFixUdpChecksum(virFirewallPtr fw,
+ int chain,
const char *iface,
int port,
int action)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete", chainName[chain],
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
@@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
}
/**
@@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
}
--
2.19.1
More information about the libvir-list
mailing list