The previous commit created new chains to hold the firewall rules. This
commit changes the code that creates rules to place them in the new
private chains instead of the builtin top level chains.
With two networks running, the rules in the filter table now look like this:
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j
ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.1.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j
ACCEPT
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.0.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.1.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
While in the nat table:
-N LIBVIRT_PRT
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.0.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.0.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp -j MASQUERADE --to-ports
1024-65535
-A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports
1024-65535
-A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
-A LIBVIRT_PRT -s 192.168.1.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.1.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports
1024-65535
-A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE --to-ports
1024-65535
-A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
And finally the mangle table:
-N LIBVIRT_PRT
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/network/bridge_driver_linux.c | 20 ++-
src/util/viriptables.c | 123 +++++++++++-------
src/util/viriptables.h | 2 +
.../nat-default-linux.args | 32 ++---
.../nat-ipv6-linux.args | 48 +++----
.../nat-many-ips-linux.args | 60 ++++-----
.../nat-no-dhcp-linux.args | 46 +++----
.../nat-tftp-linux.args | 34 ++---
.../route-default-linux.args | 22 ++--
10 files changed, 222 insertions(+), 166 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index a88856557d..77fc26376d 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2075,6 +2075,7 @@ iptablesRemoveOutputFixUdpChecksum;
iptablesRemoveTcpInput;
iptablesRemoveUdpInput;
iptablesRemoveUdpOutput;
+iptablesSetDeletePrivate;
iptablesSetupPrivateChains;
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 61f77f2735..1e033fa21b 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -34,17 +34,35 @@ VIR_LOG_INIT("network.bridge_driver_linux");
#define PROC_NET_ROUTE "/proc/net/route"
-int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
+int networkPreReloadFirewallRules(bool startup)
{
int ret = iptablesSetupPrivateChains();
if (ret < 0)
return -1;
+
+ /*
+ * If this is initial startup, and we just created the
+ * top level private chains we either
+ *
+ * - upgraded from old libvirt
+ * - freshly booted from clean state
+ *
+ * In the first case we must delete the old rules from
+ * the built-in chains, instead of our new private chains.
+ * In the second case it doesn't matter, since no existing
+ * rules will be present. Thus we can safely just tell it
+ * to always delete from the builin chain
+ */
+ if (startup && ret == 1) {
+ iptablesSetDeletePrivate(false);
+ }
return 0;
}
void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
{
+ iptablesSetDeletePrivate(true);
}
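Review bot: The new comment in networkPreReloadFirewallRules misspells "builtin" as `builin` on its last line, and the branch it explains relies on iptablesSetupPrivateChains() returning exactly 1 only when the chains were created on this call, a contract that is not stated anywhere in the hunk. I would end the comment with `* to always delete from the builtin chains (ret == 1 means` / `* iptablesSetupPrivateChains() created them on this call).` so a later change to that return value is caught by a reader. The flag is process-wide state and is only restored by networkPostReloadFirewallRules; if a reload can fail between the pre and post hooks it would presumably stay false and later network teardowns would delete from the builtin chains where nothing of ours lives, which is worth a sentence here if that path exists.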
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 770dcf04a6..04fcc84705 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -48,6 +48,7 @@ enum {
REMOVE
};
+static int deletePrivate = true;
typedef struct {
const char *parent;
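Review bot: `static int deletePrivate = true;` is declared as int but only ever holds bool values and is passed straight into the new `bool pvt` parameters of every rule helper in this file, so it should be `static bool deletePrivate = true;` to match its use. Since it is mutable file-scope state read by every iptablesRemove* wrapper, a short comment explaining when it is false would help the next reader: `/* Whether the Remove* helpers delete from the LIBVIRT_* chains (true) or from the builtin chains (false, only during the first reload after upgrading from a libvirt that used the builtin chains); see iptablesSetDeletePrivate(). */`.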
@@ -179,9 +180,17 @@ iptablesSetupPrivateChains(void)
}
+void
+iptablesSetDeletePrivate(bool pvt)
+{
+ deletePrivate = pvt;
+}
+
+
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int port,
int action,
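Review bot: iptablesSetDeletePrivate is a new exported function (it is added to libvirt_private.syms and viriptables.h in this commit) but carries no doc comment, unlike the other exported helpers in this file which use `/** ... */` blocks. I would add above it: `/** iptablesSetDeletePrivate: @pvt: true to delete rules from the LIBVIRT_* private chains, false to delete from the builtin INPUT/OUTPUT/FORWARD/POSTROUTING chains. Affects only the iptablesRemove* functions; additions always target the private chains. */`, and mirror the one-line summary on the prototype in viriptables.h. The iptablesInput signature at the end of this hunk belongs to a function whose body continues outside the hunk.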
@@ -194,7 +203,8 @@ iptablesInput(virFirewallPtr fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"INPUT",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_INP" : "INPUT",
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -205,6 +215,7 @@ iptablesInput(virFirewallPtr fw,
static void
iptablesOutput(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int port,
int action,
@@ -217,7 +228,8 @@ iptablesOutput(virFirewallPtr fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"OUTPUT",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_OUT" : "OUTPUT",
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -240,7 +252,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 1);
+ iptablesInput(fw, layer, true, iface, port, ADD, 1);
}
/**
@@ -258,7 +270,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
}
/**
@@ -276,7 +288,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 0);
+ iptablesInput(fw, layer, true, iface, port, ADD, 0);
}
/**
@@ -294,7 +306,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- return iptablesInput(fw, layer, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
}
/**
@@ -312,7 +324,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, true, iface, port, ADD, 0);
}
/**
@@ -330,7 +342,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
}
@@ -370,6 +382,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
*/
static int
iptablesForwardAllowOut(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -386,7 +399,8 @@ iptablesForwardAllowOut(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWO" : "FORWARD",
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -395,7 +409,8 @@ iptablesForwardAllowOut(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWO" : "FORWARD",
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -424,7 +439,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -447,7 +462,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev,
REMOVE);
}
@@ -456,6 +471,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
*/
static int
iptablesForwardAllowRelatedIn(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -472,7 +488,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -483,7 +500,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -514,7 +532,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev,
ADD);
}
/**
@@ -537,13 +555,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface,
physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -560,7 +579,8 @@ iptablesForwardAllowIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -569,7 +589,8 @@ iptablesForwardAllowIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -597,7 +618,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -620,18 +641,20 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev,
REMOVE);
}
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWX" : "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -654,7 +677,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, true, iface, ADD);
}
/**
@@ -673,18 +696,20 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWO" : "FORWARD",
"--in-interface", iface,
"--jump", "REJECT",
NULL);
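Review bot: Besides relocating the rule, this hunk changes the REMOVE argument in iptablesForwardRejectOut from the bare string `"delete"` to `"--delete"`, which is a behaviour fix independent of the private-chain work and is not mentioned in the commit message. With the old string the removal command would presumably have been rejected by iptables, leaving the per-bridge REJECT rule in FORWARD behind after a network was destroyed, so the fix deserves either a sentence in the description or its own preceding commit so it is visible in history and can be backported on its own. The closing brace of iptablesForwardRejectOut lies outside the hunk.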
@@ -705,7 +730,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, true, iface, ADD);
}
/**
@@ -723,19 +748,21 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -756,7 +783,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, true, iface, ADD);
}
/**
@@ -774,7 +801,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
}
@@ -783,6 +810,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
*/
static int
iptablesForwardMasquerade(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -821,7 +849,8 @@ iptablesForwardMasquerade(virFirewallPtr fw,
if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ action == ADD ? "--insert" :
"--delete",
+ pvt ? "LIBVIRT_PRT" :
"POSTROUTING",
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -829,7 +858,8 @@ iptablesForwardMasquerade(virFirewallPtr fw,
} else {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ action == ADD ? "--insert" :
"--delete",
+ pvt ? "LIBVIRT_PRT" :
"POSTROUTING",
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -907,8 +937,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, ADD);
+ return iptablesForwardMasquerade(fw, true, netaddr, prefix,
+ physdev, addr, port, protocol, ADD);
}
/**
@@ -933,8 +963,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, REMOVE);
+ return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE);
}
@@ -943,6 +973,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
*/
static int
iptablesForwardDontMasquerade(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -965,7 +996,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -974,7 +1006,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
else
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -1004,8 +1037,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- ADD);
+ return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
+ physdev, destaddr, ADD);
}
/**
@@ -1029,13 +1062,14 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- REMOVE);
+ return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
+ physdev, destaddr, REMOVE);
}
static void
iptablesOutputFixUdpChecksum(virFirewallPtr fw,
+ bool pvt,
const char *iface,
int port,
int action)
@@ -1047,7 +1081,8 @@ iptablesOutputFixUdpChecksum(virFirewallPtr fw,
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
@@ -1071,7 +1106,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD);
}
/**
@@ -1088,5 +1123,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
}
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index 94304401c5..903f390f89 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -26,6 +26,8 @@
int iptablesSetupPrivateChains (void);
+void iptablesSetDeletePrivate (bool pvt);
+
void iptablesAddTcpInput (virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index ffdafdff0e..c9d523d043 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -1,63 +1,63 @@
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -65,13 +65,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -87,19 +87,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index 22285afa10..a57b9266af 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -1,100 +1,100 @@
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -102,13 +102,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -116,7 +116,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -124,31 +124,31 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index aff9f69664..1bdc43fd6a 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -1,63 +1,63 @@
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -65,13 +65,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -87,25 +87,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -113,13 +113,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
@@ -127,7 +127,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
@@ -135,25 +135,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.150.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.150.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -161,13 +161,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.150.0/24 '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
-p udp '!' \
--destination 192.168.150.0/24 \
@@ -175,7 +175,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
-p tcp '!' \
--destination 192.168.150.0/24 \
@@ -183,19 +183,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.150.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index 2a9d79054e..7d359f3824 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -1,100 +1,100 @@
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -102,13 +102,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
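Review bot: The effective precedence of these rules now depends on where the jump from the builtin POSTROUTING chain into LIBVIRT_PRT is placed, which these expected-args fixtures do not exercise; `--insert` used to put the rule at the top of POSTROUTING itself, and now only puts it at the top of the private chain. If that jump is appended rather than inserted, a pre-existing administrator SNAT/MASQUERADE rule in POSTROUTING (or a REJECT in INPUT/FORWARD for the filter-table equivalents) would be evaluated before libvirt's rules, silently changing behaviour for existing deployments. The same applies to every `--insert LIBVIRT_*` hunk in this chunk, including the nat-tftp-linux.args and route-default-linux.args sections. Consider a fixture that also covers the chain-creation and jump rules, or a note in the commit message stating the intended ordering, so a later change to the jump placement is caught alongside these files.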
@@ -116,7 +116,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -124,25 +124,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index 1a06f0d0a5..b721801b70 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -1,70 +1,70 @@
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 69 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -72,13 +72,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -86,7 +86,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -94,19 +94,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 65563ff8b4..ed3c560f74 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -1,69 +1,69 @@
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--
2.20.1