This patch adds filtering support for the so-far missing protocols 'ah',
'esp' and 'udplite'.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -85,6 +85,9 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V
"icmp",
"igmp",
"udp",
+ "udplite",
+ "esp",
+ "ah",
"sctp",
"all");
@@ -586,6 +589,17 @@ static const struct int_map ipProtoMap[]
} , {
.attr = IPPROTO_UDP,
.val = "udp",
+#ifdef IPPROTO_UDPLITE
+ } , {
+ .attr = IPPROTO_UDPLITE,
+ .val = "udplite",
+#endif
+ } , {
+ .attr = IPPROTO_ESP,
+ .val = "esp",
+ } , {
+ .attr = IPPROTO_AH,
+ .val = "ah",
} , {
.attr = IPPROTO_ICMP,
.val = "icmp",
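Review bot: The `IPPROTO_UDPLITE` entry of `ipProtoMap` is compiled in only under `#ifdef IPPROTO_UDPLITE`, while the same patch adds the "udplite" name unconditionally to the protocol enum and attribute tables, so on a libc whose headers lack the constant the name still parses from XML but has no protocol number in this map. A local fallback keeps the two in step and lets the `#ifdef` around the table entry go: `#ifndef IPPROTO_UDPLITE` / `# define IPPROTO_UDPLITE 136 /* UDP-Lite, RFC 3828 */` / `#endif` next to the file's includes. `ipProtoMap` starts before and ends after this hunk, so I cannot see whether a lookup miss is reported or silently ignored; worth checking that path too.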
@@ -950,6 +964,26 @@ static const virXMLAttr2Struct udpAttrib
}
};
+static const virXMLAttr2Struct udpliteAttributes[] = {
+ COMMON_IP_PROPS(udpliteHdrFilter),
+ {
+ .name = NULL,
+ }
+};
+
+static const virXMLAttr2Struct espAttributes[] = {
+ COMMON_IP_PROPS(espHdrFilter),
+ {
+ .name = NULL,
+ }
+};
+
+static const virXMLAttr2Struct ahAttributes[] = {
+ COMMON_IP_PROPS(ahHdrFilter),
+ {
+ .name = NULL,
+ }
+};
static const virXMLAttr2Struct sctpAttributes[] = {
COMMON_IP_PROPS(sctpHdrFilter),
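Review bot: `udpliteAttributes` exposes only `COMMON_IP_PROPS`, whereas the neighbouring udp filter also carries port data (the `udpHdrFilter.portData` fields this patch fixes up later), and UDP-Lite keeps UDP's source/destination port layout, so rule authors will likely expect the same port attributes here. If leaving ports out is deliberate for a first cut, a comment on the table such as `/* UDP-Lite: matched on src MAC and IP header only; port attributes not yet supported */` would stop the next maintainer from assuming it is an oversight. The same "IP header only" caveat applies to `espAttributes` and `ahAttributes`, which cannot express an SPI.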
@@ -1028,6 +1062,18 @@ static const virAttributes virAttr[] = {
.att = udpAttributes,
.prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDP,
}, {
+ .id = "udplite",
+ .att = udpliteAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+ }, {
+ .id = "esp",
+ .att = espAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_ESP,
+ }, {
+ .id = "ah",
+ .att = ahAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_AH,
+ }, {
.id = "sctp",
.att = sctpAttributes,
.prtclType = VIR_NWFILTER_RULE_PROTOCOL_SCTP,
@@ -1496,6 +1542,39 @@ virNWFilterRuleDefFixup(virNWFilterRuleD
rule->p.udpHdrFilter.portData.dataSrcPortStart);
break;
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.udpliteHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.udpliteHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.udpliteHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.udpliteHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.espHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.espHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.espHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.espHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.ahHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.ahHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.ahHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.ahHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
COPY_NEG_SIGN(rule->p.sctpHdrFilter.ipHdr.dataSrcIPMask,
rule->p.sctpHdrFilter.ipHdr.dataSrcIPAddr);
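Review bot: The three new cases repeat the same four `COPY_NEG_SIGN` pairs on `ipHdr` verbatim, differing only in the union member, and the existing udp/sctp cases carry the same four lines again; a small macro applied to the `ipHdrDataDef` removes the copy-paste and makes a future fifth protocol a one-liner. Suggested shape below; the existing cases could adopt it in a follow-up. `virNWFilterRuleDefFixup` starts before and ends after this hunk.
```c
/* Apply COPY_NEG_SIGN to the four mask/range pairs of an ipHdrDataDef. */
#define COPY_NEG_SIGN_IPHDR(iphdr)                                      \
    do {                                                                \
        COPY_NEG_SIGN((iphdr).dataSrcIPMask, (iphdr).dataSrcIPAddr);    \
        COPY_NEG_SIGN((iphdr).dataDstIPMask, (iphdr).dataDstIPAddr);    \
        COPY_NEG_SIGN((iphdr).dataSrcIPTo,   (iphdr).dataSrcIPFrom);    \
        COPY_NEG_SIGN((iphdr).dataDstIPTo,   (iphdr).dataDstIPFrom);    \
    } while (0)

/* … unchanged: earlier cases of virNWFilterRuleDefFixup … */
    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
        COPY_NEG_SIGN_IPHDR(rule->p.udpliteHdrFilter.ipHdr);
        break;

    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
        COPY_NEG_SIGN_IPHDR(rule->p.espHdrFilter.ipHdr);
        break;

    case VIR_NWFILTER_RULE_PROTOCOL_AH:
        COPY_NEG_SIGN_IPHDR(rule->p.ahHdrFilter.ipHdr);
        break;
/* … unchanged: sctp case onwards … */
```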
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -241,6 +241,30 @@ struct _sctpHdrFilterDef {
};
+typedef struct _espHdrFilterDef espHdrFilterDef;
+typedef espHdrFilterDef *espHdrFilterDefPtr;
+struct _espHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _ahHdrFilterDef ahHdrFilterDef;
+typedef ahHdrFilterDef *ahHdrFilterDefPtr;
+struct _ahHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _udpliteHdrFilterDef udpliteHdrFilterDef;
+typedef udpliteHdrFilterDef *udpliteHdrFilterDefPtr;
+struct _udpliteHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
enum virNWFilterRuleActionType {
VIR_NWFILTER_RULE_ACTION_DROP = 0,
VIR_NWFILTER_RULE_ACTION_ACCEPT,
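Review bot: `_espHdrFilterDef`, `_ahHdrFilterDef` and `_udpliteHdrFilterDef` are added without any comment and are byte-for-byte identical, so a reader cannot tell from the header what an ESP or AH rule is able to match; in particular a rule can pin an IPsec peer by address and source MAC but not by SPI, and a UDP-Lite rule has no port fields unlike `udpHdrFilterDef`. One line above each struct stating that scope, e.g. `/* ESP (IP proto 50): matched on src MAC and IP header fields only; no SPI filtering */` and the AH (proto 51) / UDP-Lite (proto 136) equivalents, would document the contract where the XML schema code reads it.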
@@ -273,6 +297,9 @@ enum virNWFilterRuleProtocolType {
VIR_NWFILTER_RULE_PROTOCOL_ICMP,
VIR_NWFILTER_RULE_PROTOCOL_IGMP,
VIR_NWFILTER_RULE_PROTOCOL_UDP,
+ VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+ VIR_NWFILTER_RULE_PROTOCOL_ESP,
+ VIR_NWFILTER_RULE_PROTOCOL_AH,
VIR_NWFILTER_RULE_PROTOCOL_SCTP,
VIR_NWFILTER_RULE_PROTOCOL_ALL,
@@ -306,6 +333,9 @@ struct _virNWFilterRuleDef {
tcpHdrFilterDef tcpHdrFilter;
icmpHdrFilterDef icmpHdrFilter;
udpHdrFilterDef udpHdrFilter;
+ udpliteHdrFilterDef udpliteHdrFilter;
+ espHdrFilterDef espHdrFilter;
+ ahHdrFilterDef ahHdrFilter;
allHdrFilterDef allHdrFilter;
igmpHdrFilterDef igmpHdrFilter;
sctpHdrFilterDef sctpHdrFilter;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1089,6 +1089,75 @@ _iptablesCreateRuleInstance(virConnectPt
goto err_exit;
break;
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p udplite");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.udpliteHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.udpliteHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p esp");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.espHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.espHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p ah");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.ahHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.ahHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
virBufferVSprintf(&buf,
CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
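Review bot: The udplite, esp and ah cases are the same twenty lines three times over, differing only in the `-p` name and the `rule->p.*HdrFilter` member, which is how the udp case gets a port match that the udplite case silently lacks; a helper parameterised on the protocol name and the union member keeps the three in lock-step. A macro is the least intrusive option since it reuses the function's `conn`, `buf`, `vars`, `chain`, `directionIn` locals and the `err_exit` label without my guessing their types; a `static` helper returning the same `goto err_exit` condition would be the cleaner end state. Note also that `-p udplite` is passed as a name, so rule creation depends on the target's iptables resolving it (its builtin protocol table or `/etc/protocols`); if old hosts matter, emitting the number (`136`) is the safer spelling. `_iptablesCreateRuleInstance` starts before and ends after this hunk.
```c
/* Build an iptables rule for a protocol matched on src MAC and IP header
 * only.  Uses the enclosing function's conn/buf/vars/chain/directionIn and
 * jumps to err_exit on failure, exactly like the hand-written cases did. */
#define IPTABLES_IPHDR_ONLY_RULE(protoName, hdr)                            \
    do {                                                                    \
        virBufferVSprintf(&buf, CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",   \
                          chain);                                           \
        virBufferAddLit(&buf, " -p " protoName);                            \
        if (iptablesHandleSrcMacAddr(conn, &buf, vars,                      \
                                     &rule->p.hdr.dataSrcMACAddr,           \
                                     directionIn))                          \
            goto err_exit;                                                  \
        if (iptablesHandleIpHdr(conn, &buf, vars,                           \
                                &rule->p.hdr.ipHdr, directionIn))           \
            goto err_exit;                                                  \
    } while (0)

/* … unchanged: earlier cases of _iptablesCreateRuleInstance … */
    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
        IPTABLES_IPHDR_ONLY_RULE("udplite", udpliteHdrFilter);
        break;

    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
        IPTABLES_IPHDR_ONLY_RULE("esp", espHdrFilter);
        break;

    case VIR_NWFILTER_RULE_PROTOCOL_AH:
        IPTABLES_IPHDR_ONLY_RULE("ah", ahHdrFilter);
        break;
/* … unchanged: sctp case onwards … */
```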
@@ -1836,6 +1905,9 @@ ebiptablesCreateRuleInstance(virConnectP
case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_UDP:
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_IGMP: