This is done so that we can be sure we're using the same chain name
for iptables and nftables. Not strictly necessary, but it will make
documentation and troubleshooting simpler.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/util/viriptables.c | 44 ++++++++++++++++++++---------------------
src/util/virnetfilter.h | 7 +++++++
2 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index dc2a4335bf..a0c35887c5 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -120,14 +120,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
{
g_autoptr(virFirewall) fw = virFirewallNew();
iptablesGlobalChain filter_chains[] = {
- {"INPUT", "LIBVIRT_INP"},
- {"OUTPUT", "LIBVIRT_OUT"},
- {"FORWARD", "LIBVIRT_FWO"},
- {"FORWARD", "LIBVIRT_FWI"},
- {"FORWARD", "LIBVIRT_FWX"},
+ {"INPUT", VIR_NETFILTER_INPUT_CHAIN},
+ {"OUTPUT", VIR_NETFILTER_OUTPUT_CHAIN},
+ {"FORWARD", VIR_NETFILTER_FWD_OUT_CHAIN},
+ {"FORWARD", VIR_NETFILTER_FWD_IN_CHAIN},
+ {"FORWARD", VIR_NETFILTER_FWD_X_CHAIN},
};
iptablesGlobalChain natmangle_chains[] = {
- {"POSTROUTING", "LIBVIRT_PRT"},
+ {"POSTROUTING", VIR_NETFILTER_NAT_POSTROUTE_CHAIN},
};
bool changed = false;
iptablesGlobalChainData data[] = {
@@ -175,7 +175,7 @@ iptablesInput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_INP",
+ VIR_NETFILTER_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -196,7 +196,7 @@ iptablesOutput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_OUT",
+ VIR_NETFILTER_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -227,7 +227,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWO",
+ VIR_NETFILTER_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -237,7 +237,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWO",
+ VIR_NETFILTER_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -269,7 +269,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWI",
+ VIR_NETFILTER_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -281,7 +281,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWI",
+ VIR_NETFILTER_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -314,7 +314,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWI",
+ VIR_NETFILTER_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -324,7 +324,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWI",
+ VIR_NETFILTER_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -342,7 +342,7 @@ iptablesForwardAllowCross(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWX",
+ VIR_NETFILTER_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -359,7 +359,7 @@ iptablesForwardRejectOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWO",
+ VIR_NETFILTER_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -375,7 +375,7 @@ iptablesForwardRejectIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
virIptablesActionTypeToString(action),
- "LIBVIRT_FWI",
+ VIR_NETFILTER_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -421,7 +421,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
virIptablesActionTypeToString(action),
- "LIBVIRT_PRT",
+ VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -430,7 +430,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
virIptablesActionTypeToString(action),
- "LIBVIRT_PRT",
+ VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -503,7 +503,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
virIptablesActionTypeToString(action),
- "LIBVIRT_PRT",
+ VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -513,7 +513,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
virIptablesActionTypeToString(action),
- "LIBVIRT_PRT",
+ VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -534,7 +534,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
virIptablesActionTypeToString(action),
- "LIBVIRT_PRT",
+ VIR_NETFILTER_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
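Review bot: The macro chosen for this rule, `VIR_NETFILTER_NAT_POSTROUTE_CHAIN`, is used here with `"--table", "mangle"`, so its name now misdescribes one of its two users; the setup hunk's `natmangle_chains[]` shows the same chain name is deliberately installed under POSTROUTING in both the nat and mangle tables. Since the stated aim is clearer documentation and troubleshooting, a table-neutral name such as `VIR_NETFILTER_POSTROUTE_CHAIN`, or a comment on the define noting that `LIBVIRT_PRT` is created in both tables, would avoid a reader assuming the mangle rule landed in the wrong chain. The same macro is also used in the two iptablesForwardMasquerade and two iptablesForwardDontMasquerade hunks, where the nat table matches the name. iptablesOutputFixUdpChecksum's signature and the rest of its body lie outside this hunk.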
diff --git a/src/util/virnetfilter.h b/src/util/virnetfilter.h
index c8b91f16eb..b515512ad7 100644
--- a/src/util/virnetfilter.h
+++ b/src/util/virnetfilter.h
@@ -23,6 +23,13 @@
#include "virsocketaddr.h"
#include "virfirewall.h"
+#define VIR_NETFILTER_INPUT_CHAIN "LIBVIRT_INP"
+#define VIR_NETFILTER_OUTPUT_CHAIN "LIBVIRT_OUT"
+#define VIR_NETFILTER_FWD_IN_CHAIN "LIBVIRT_FWI"
+#define VIR_NETFILTER_FWD_OUT_CHAIN "LIBVIRT_FWO"
+#define VIR_NETFILTER_FWD_X_CHAIN "LIBVIRT_FWX"
+#define VIR_NETFILTER_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+
void virNetfilterAddTcpInput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
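Review bot: The new `#define` block has no comment saying why these names are centralised, which is the point of the change; a reader of the header cannot tell that both the iptables and nftables backends are expected to create chains with exactly these names. A short comment above the first define would carry that intent, for example `/* Names of the chains libvirt creates in the standard INPUT/OUTPUT/FORWARD/POSTROUTING chains. Shared by the iptables and nftables backends so that rules look the same to admins regardless of backend. */`. It may also be worth noting there that `LIBVIRT_PRT` is installed in both the nat and mangle tables, as the viriptables.c setup hunk does with `natmangle_chains[]`.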
--
2.39.2