12:29 p.m.
V4:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HX...
V3:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HO...
V2:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5R...
This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).
Changes from V4:
* changed the way that default firewall backends are specified in
meson_options.txt/on the meson commandline - instead of using a
#defined constant string, there are now one of these for each
backend that should be tried when none is specified:
#define FIREWALL_BACKEND_DEFAULT_n VIR_FIREWALL_BACKEND_xyzzy
The "n" will be 1-[number of backends], and the code will try each
in ascending order to see if it is usable.
* properly handle the case where network.conf doesn't exist (from
Patch 12/30 in V3)
* In RPM specfile, Require: nftables for Fedora >= 41 /RHEL >= 10,
while continuining to Require: iptables for anything else
(specifically older RHEL/Fedora)
* use VIR_NFTABLES_FORWARD_CHAIN instead of hardcoded "forward" in
array of chains needed for the nftable backend.
The patches that haven't yet gotten an R-B (and/or were changed enough
from V3 to warrant removing the R-B):
12 - network: support setting firewallBackend from network.conf
17 - util: add name attribute to virFirewall (so that the
element in the status XML is appropriately identifiable)
18 - util: new function virFirewallNewFromRollback()
19 - util: new functions virFirewallParseXML() and virFirewallFormat()
24 - network: add an nftables backend for network driver's firewall construction
26: network: prefer the nftables backend over iptables
(I didn't remove the R-B for patch 27 ("require nftables rather than
iptables for newer RHEl/Fedora") for example, because the change is
very small, and was exactly copy-pasted from Daniel's suggestion).
Changes from V3:
* Fixed a bug (newly added in V3) that resulted in the firewall name
attribute not being added to the XML.
* renamed the table to "libvirt_network"
* renamed the chains to be more descriptive, and lower case rather
than all caps.
* eliminated all the guest->host and host->guest rules since they are
redundant in nftables.
Laine Stump (30):
util/network: move viriptables.[ch] from util to network directory
network: move all functions manipulating iptables rules into
network_iptables.c
network: make all iptables functions used only in network_iptables.c
static
util: #define the names used for private packet filter chains
util: change name of virFirewallRule to virFirewallCmd
util: rename virNetFilterAction to iptablesAction, and add
VIR_ENUM_DECL/IMPL
util: check for 0 args when applying iptables rule
util: add -w/--concurrent when applying a FirewallCmd rather than when
building it
util: determine ignoreErrors value when creating virFirewallCmd, not
when applying
util/network: new virFirewallBackend enum
network: add (empty) network.conf file to distribution files
network: support setting firewallBackend from network.conf
network: framework to call backend-specific function to init private
filter chains
util: new functions to support adding individual firewall rollback
commands
util: implement rollback rule autocreation for iptables commands
network: turn on auto-rollback for the rules added for virtual
networks
util: add name attribute to virFirewall
util: new function virFirewallNewFromRollback()
util: new functions virFirewallParseXML() and virFirewallFormat()
conf: add a virFirewall object to virNetworkObj
network: use previously saved list of firewall removal commands
network: save network status when firewall rules are reloaded
meson: stop looking for iptables/ip6tables/ebtables at build time
network: add an nftables backend for network driver's firewall
construction
tests: test cases for nftables backend
network: prefer the nftables backend over iptables
spec: require nftables rather than iptables for newer RHEL/Fedora
network: name the nftables table "libvirt_network" rather than
"libvirt"
network: rename chains used by network driver nftables backend
network: eliminate pointless host input/output rules from nftables
backend
libvirt.spec.in | 9 +-
meson.build | 12 +-
meson_options.txt | 2 +
po/POTFILES | 3 +-
src/conf/virnetworkobj.c | 41 +
src/conf/virnetworkobj.h | 8 +
src/libvirt_private.syms | 58 +-
src/network/bridge_driver.c | 39 +-
src/network/bridge_driver_conf.c | 86 +-
src/network/bridge_driver_conf.h | 3 +
src/network/bridge_driver_linux.c | 630 +------
src/network/bridge_driver_nop.c | 6 +-
src/network/bridge_driver_platform.h | 6 +-
src/network/libvirtd_network.aug | 39 +
src/network/meson.build | 36 +
src/network/network.conf.in | 28 +
src/network/network_iptables.c | 1677 +++++++++++++++++
src/network/network_iptables.h | 30 +
src/network/network_nftables.c | 968 ++++++++++
src/network/network_nftables.h | 28 +
src/network/test_libvirtd_network.aug.in | 5 +
src/nwfilter/nwfilter_ebiptables_driver.c | 1004 +++++-----
src/util/meson.build | 1 -
src/util/virebtables.c | 36 +-
src/util/virfirewall.c | 820 ++++++--
src/util/virfirewall.h | 87 +-
src/util/viriptables.c | 1072 -----------
src/util/viriptables.h | 155 --
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 +++
...-linux.args => nat-default-linux.iptables} | 0
.../nat-default-linux.nftables | 144 ++
...pv6-linux.args => nat-ipv6-linux.iptables} | 0
.../nat-ipv6-linux.nftables | 202 ++
...rgs => nat-ipv6-masquerade-linux.iptables} | 0
.../nat-ipv6-masquerade-linux.nftables | 274 +++
...linux.args => nat-many-ips-linux.iptables} | 0
.../nat-many-ips-linux.nftables | 368 ++++
...-linux.args => nat-no-dhcp-linux.iptables} | 0
.../nat-no-dhcp-linux.nftables | 202 ++
...ftp-linux.args => nat-tftp-linux.iptables} | 0
.../nat-tftp-linux.nftables | 144 ++
...inux.args => route-default-linux.iptables} | 0
.../route-default-linux.nftables | 58 +
tests/networkxml2firewalltest.c | 56 +-
tests/virfirewalltest.c | 424 ++---
46 files changed, 6258 insertions(+), 2759 deletions(-)
create mode 100644 src/network/libvirtd_network.aug
create mode 100644 src/network/network.conf.in
create mode 100644 src/network/network_iptables.c
create mode 100644 src/network/network_iptables.h
create mode 100644 src/network/network_nftables.c
create mode 100644 src/network/network_nftables.h
create mode 100644 src/network/test_libvirtd_network.aug.in
delete mode 100644 src/util/viriptables.c
delete mode 100644 src/util/viriptables.h
rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/base.nftables
rename tests/networkxml2firewalldata/{nat-default-linux.args =>
nat-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables}
(100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =>
nat-ipv6-masquerade-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =>
nat-many-ips-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =>
nat-no-dhcp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables}
(100%)
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
rename tests/networkxml2firewalldata/{route-default-linux.args =>
route-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 01/30] util/network: move viriptables.[ch] from util to network directory
These functions are only ever used by the network driver, and are so
specific to the network driver's usage of iptables that they likely
won't ever be used elsewhere. The files are renamed to
network_iptables.[ch] to be more in line with driver-specific file
naming conventions.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
po/POTFILES | 2 +-
src/libvirt_private.syms | 31 -------------------
src/network/bridge_driver_linux.c | 2 +-
src/network/meson.build | 1 +
.../network_iptables.c} | 6 ++--
.../network_iptables.h} | 2 +-
src/util/meson.build | 1 -
7 files changed, 7 insertions(+), 38 deletions(-)
rename src/{util/viriptables.c => network/network_iptables.c} (99%)
rename src/{util/viriptables.h => network/network_iptables.h} (99%)
diff --git a/po/POTFILES b/po/POTFILES
index cec7e4abf4..0542d342d6 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -144,6 +144,7 @@ src/network/bridge_driver.c
src/network/bridge_driver_conf.c
src/network/bridge_driver_linux.c
src/network/leaseshelper.c
+src/network/network_iptables.c
src/node_device/node_device_driver.c
src/node_device/node_device_udev.c
src/nwfilter/nwfilter_dhcpsnoop.c
@@ -288,7 +289,6 @@ src/util/virhostmem.c
src/util/virhostuptime.c
src/util/viridentity.c
src/util/virinitctl.c
-src/util/viriptables.c
src/util/viriscsi.c
src/util/virjson.c
src/util/virlease.c
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 1c8f3f902d..b006b84262 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2576,37 +2576,6 @@ virIdentitySetX509DName;
virInitctlFifos;
virInitctlSetRunLevel;
-
-# util/viriptables.h
-iptablesAddDontMasquerade;
-iptablesAddForwardAllowCross;
-iptablesAddForwardAllowIn;
-iptablesAddForwardAllowOut;
-iptablesAddForwardAllowRelatedIn;
-iptablesAddForwardMasquerade;
-iptablesAddForwardRejectIn;
-iptablesAddForwardRejectOut;
-iptablesAddOutputFixUdpChecksum;
-iptablesAddTcpInput;
-iptablesAddTcpOutput;
-iptablesAddUdpInput;
-iptablesAddUdpOutput;
-iptablesRemoveDontMasquerade;
-iptablesRemoveForwardAllowCross;
-iptablesRemoveForwardAllowIn;
-iptablesRemoveForwardAllowOut;
-iptablesRemoveForwardAllowRelatedIn;
-iptablesRemoveForwardMasquerade;
-iptablesRemoveForwardRejectIn;
-iptablesRemoveForwardRejectOut;
-iptablesRemoveOutputFixUdpChecksum;
-iptablesRemoveTcpInput;
-iptablesRemoveTcpOutput;
-iptablesRemoveUdpInput;
-iptablesRemoveUdpOutput;
-iptablesSetupPrivateChains;
-
-
# util/viriscsi.h
virISCSIConnectionLogin;
virISCSIConnectionLogout;
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index b8893bfed2..fd4bf7b61c 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -22,11 +22,11 @@
#include <config.h>
#include "virfile.h"
-#include "viriptables.h"
#include "virstring.h"
#include "virlog.h"
#include "virfirewall.h"
#include "virfirewalld.h"
+#include "network_iptables.h"
#define VIR_FROM_THIS VIR_FROM_NONE
diff --git a/src/network/meson.build b/src/network/meson.build
index eb171ae779..305e2d52fb 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -2,6 +2,7 @@ network_driver_sources = [
'bridge_driver.c',
'bridge_driver_conf.c',
'bridge_driver_platform.c',
+ 'network_iptables.c',
]
driver_source_files += files(network_driver_sources)
diff --git a/src/util/viriptables.c b/src/network/network_iptables.c
similarity index 99%
rename from src/util/viriptables.c
rename to src/network/network_iptables.c
index 018021bc1b..362c0202a0 100644
--- a/src/util/viriptables.c
+++ b/src/network/network_iptables.c
@@ -1,5 +1,5 @@
/*
- * viriptables.c: helper APIs for managing iptables
+ * network_iptables.c: helper APIs for managing iptables in network driver
*
* Copyright (C) 2007-2014 Red Hat, Inc.
*
@@ -27,13 +27,13 @@
#include <sys/stat.h>
#include "internal.h"
-#include "viriptables.h"
#include "virfirewalld.h"
#include "virerror.h"
#include "virlog.h"
#include "virhash.h"
+#include "network_iptables.h"
-VIR_LOG_INIT("util.iptables");
+VIR_LOG_INIT("network.iptables");
#define VIR_FROM_THIS VIR_FROM_NONE
diff --git a/src/util/viriptables.h b/src/network/network_iptables.h
similarity index 99%
rename from src/util/viriptables.h
rename to src/network/network_iptables.h
index bb13f3292d..bfb6bbe0e7 100644
--- a/src/util/viriptables.h
+++ b/src/network/network_iptables.h
@@ -1,5 +1,5 @@
/*
- * viriptables.h: helper APIs for managing iptables
+ * network_iptables.h: helper APIs for managing iptables in network driver
*
* Copyright (C) 2007, 2008 Red Hat, Inc.
*
diff --git a/src/util/meson.build b/src/util/meson.build
index c2175f1098..896c795150 100644
--- a/src/util/meson.build
+++ b/src/util/meson.build
@@ -46,7 +46,6 @@ util_sources = [
'virhostuptime.c',
'viridentity.c',
'virinitctl.c',
- 'viriptables.c',
'viriscsi.c',
'virjson.c',
'virkeycode.c',
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 02/30] network: move all functions manipulating iptables rules into network_iptables.c
Although initially we will add exactly the same rules for the nftables
backend, the two may (hopefully) soon diverge as we take advantage of
nftables features that weren't available in iptables. When we do that,
there will need to be a different version of these functions (currently in
bridge_driver_linux.c) for each backend:
networkAddFirewallRules()
networkRemoveFirewallRules()
networkSetupPrivateChains()
Although it will mean duplicating some amount of code (with just the
function names changed) for the nftables backend, this patch moves all
of the rule-related code in the above three functions into iptables*()
functions in network_iptables.c, and changes the functions in
bridge_driver_linux.c to call the iptables*() functions. When we make
a different backend, it will only need to make equivalents of those 3
functions publicly available to the upper layer.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/bridge_driver_linux.c | 556 +----------------------------
src/network/network_iptables.c | 562 +++++++++++++++++++++++++++++-
src/network/network_iptables.h | 7 +-
3 files changed, 574 insertions(+), 551 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index fd4bf7b61c..4914d5c903 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -301,512 +301,10 @@ int networkCheckRouteCollision(virNetworkDef *def)
return 0;
}
-static const char networkLocalMulticastIPv4[] = "224.0.0.0/24";
-static const char networkLocalMulticastIPv6[] = "ff02::/16";
-static const char networkLocalBroadcast[] = "255.255.255.255/32";
-static int
-networkAddMasqueradingFirewallRules(virFirewall *fw,
- virNetworkDef *def,
- virNetworkIPDef *ipdef)
-{
- int prefix = virNetworkIPDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(def, 0);
- bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET);
-
- if (prefix < 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Invalid prefix or netmask for '%1$s'"),
- def->bridge);
- return -1;
- }
-
- /* allow forwarding packets from the bridge interface */
- if (iptablesAddForwardAllowOut(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- /* allow forwarding packets to the bridge interface if they are
- * part of an existing connection
- */
- if (iptablesAddForwardAllowRelatedIn(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- /*
- * Enable masquerading.
- *
- * We need to end up with 5 rules in the table in this order
- *
- * 1. do not masquerade packets targeting 224.0.0.0/24
- * 2. do not masquerade packets targeting 255.255.255.255/32
- * 3. masquerade protocol=tcp with sport mapping restriction
- * 4. masquerade protocol=udp with sport mapping restriction
- * 5. generic, masquerade any protocol
- *
- * 224.0.0.0/24 is the local network multicast range. Packets are not
- * forwarded outside.
- *
- * 255.255.255.255/32 is the broadcast address of any local network. Again,
- * such packets are never forwarded, but strict DHCP clients don't accept
- * DHCP replies with changed source ports.
- *
- * The sport mappings are required, because default IPtables
- * MASQUERADE maintain port numbers unchanged where possible.
- *
- * NFS can be configured to only "trust" port numbers < 1023.
- *
- * Guests using NAT thus need to be prevented from having port
- * numbers < 1023, otherwise they can bypass the NFS "security"
- * check on the source port number.
- *
- * Since we use '--insert' to add rules to the header of the
- * chain, we actually need to add them in the reverse of the
- * order just mentioned !
- */
-
- /* First the generic masquerade rule for other protocols */
- if (iptablesAddForwardMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- &def->forward.addr,
- &def->forward.port,
- NULL) < 0)
- return -1;
-
- /* UDP with a source port restriction */
- if (iptablesAddForwardMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- &def->forward.addr,
- &def->forward.port,
- "udp") < 0)
- return -1;
-
- /* TCP with a source port restriction */
- if (iptablesAddForwardMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- &def->forward.addr,
- &def->forward.port,
- "tcp") < 0)
- return -1;
-
- /* exempt local network broadcast address as destination */
- if (isIPv4 &&
- iptablesAddDontMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- networkLocalBroadcast) < 0)
- return -1;
-
- /* exempt local multicast range as destination */
- if (iptablesAddDontMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- isIPv4 ? networkLocalMulticastIPv4 :
- networkLocalMulticastIPv6) < 0)
- return -1;
-
- return 0;
-}
-
-static int
-networkRemoveMasqueradingFirewallRules(virFirewall *fw,
- virNetworkDef *def,
- virNetworkIPDef *ipdef)
-{
- int prefix = virNetworkIPDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(def, 0);
- bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET);
-
- if (prefix < 0)
- return 0;
-
- if (iptablesRemoveDontMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- isIPv4 ? networkLocalMulticastIPv4 :
- networkLocalMulticastIPv6) < 0)
- return -1;
-
- if (isIPv4 &&
- iptablesRemoveDontMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- networkLocalBroadcast) < 0)
- return -1;
-
- if (iptablesRemoveForwardMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- &def->forward.addr,
- &def->forward.port,
- "tcp") < 0)
- return -1;
-
- if (iptablesRemoveForwardMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- &def->forward.addr,
- &def->forward.port,
- "udp") < 0)
- return -1;
-
- if (iptablesRemoveForwardMasquerade(fw,
- &ipdef->address,
- prefix,
- forwardIf,
- &def->forward.addr,
- &def->forward.port,
- NULL) < 0)
- return -1;
-
- if (iptablesRemoveForwardAllowRelatedIn(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- if (iptablesRemoveForwardAllowOut(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- return 0;
-}
-
-
-static int
-networkAddRoutingFirewallRules(virFirewall *fw,
- virNetworkDef *def,
- virNetworkIPDef *ipdef)
-{
- int prefix = virNetworkIPDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(def, 0);
-
- if (prefix < 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Invalid prefix or netmask for '%1$s'"),
- def->bridge);
- return -1;
- }
-
- /* allow routing packets from the bridge interface */
- if (iptablesAddForwardAllowOut(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- /* allow routing packets to the bridge interface */
- if (iptablesAddForwardAllowIn(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- return 0;
-}
-
-
-static int
-networkRemoveRoutingFirewallRules(virFirewall *fw,
- virNetworkDef *def,
- virNetworkIPDef *ipdef)
-{
- int prefix = virNetworkIPDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(def, 0);
-
- if (prefix < 0)
- return 0;
-
- if (iptablesRemoveForwardAllowIn(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- if (iptablesRemoveForwardAllowOut(fw,
- &ipdef->address,
- prefix,
- def->bridge,
- forwardIf) < 0)
- return -1;
-
- return 0;
-}
-
-
-static void
-networkAddGeneralIPv4FirewallRules(virFirewall *fw,
- virNetworkDef *def)
-{
- size_t i;
- virNetworkIPDef *ipv4def;
-
- /* First look for first IPv4 address that has dhcp or tftpboot defined. */
- /* We support dhcp config on 1 IPv4 interface only. */
- for (i = 0;
- (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
- i++) {
- if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
- break;
- }
-
- /* allow DHCP requests through to dnsmasq & back out */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
- iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
-
- /* allow DNS requests through to dnsmasq & back out */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-
- /* allow TFTP requests through to dnsmasq if necessary & back out */
- if (ipv4def && ipv4def->tftproot) {
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
- }
-
- /* Catch all rules to block forwarding to/from bridges */
- iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
- iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
-
- /* Allow traffic between guests on the same bridge */
- iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
-}
-
-static void
-networkRemoveGeneralIPv4FirewallRules(virFirewall *fw,
- virNetworkDef *def)
-{
- size_t i;
- virNetworkIPDef *ipv4def;
-
- for (i = 0;
- (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
- i++) {
- if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
- break;
- }
-
- iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
- iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
- iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
-
- if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
- }
-
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
-
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
- iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
-}
-
-
-/* Add all once/network rules required for IPv6.
- * If no IPv6 addresses are defined and <network ipv6='yes'> is
- * specified, then allow IPv6 communications between virtual systems.
- * If any IPv6 addresses are defined, then add the rules for regular operation.
- */
-static void
-networkAddGeneralIPv6FirewallRules(virFirewall *fw,
- virNetworkDef *def)
-{
- if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) &&
- !def->ipv6nogw) {
- return;
- }
-
- /* Catch all rules to block forwarding to/from bridges */
- iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
- iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
-
- /* Allow traffic between guests on the same bridge */
- iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
-
- if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
- /* allow DNS over IPv6 & back out */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- /* allow DHCPv6 & back out */
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
- }
-}
-
-static void
-networkRemoveGeneralIPv6FirewallRules(virFirewall *fw,
- virNetworkDef *def)
+int
+networkAddFirewallRules(virNetworkDef *def)
{
- if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) &&
- !def->ipv6nogw) {
- return;
- }
-
- if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- }
-
- /* the following rules are there if no IPv6 address has been defined
- * but def->ipv6nogw == true
- */
- iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
- iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
- iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
-}
-
-
-static void
-networkAddGeneralFirewallRules(virFirewall *fw,
- virNetworkDef *def)
-{
- networkAddGeneralIPv4FirewallRules(fw, def);
- networkAddGeneralIPv6FirewallRules(fw, def);
-}
-
-
-static void
-networkRemoveGeneralFirewallRules(virFirewall *fw,
- virNetworkDef *def)
-{
- networkRemoveGeneralIPv4FirewallRules(fw, def);
- networkRemoveGeneralIPv6FirewallRules(fw, def);
-}
-
-static void
-networkAddChecksumFirewallRules(virFirewall *fw,
- virNetworkDef *def)
-{
- size_t i;
- virNetworkIPDef *ipv4def;
-
- /* First look for first IPv4 address that has dhcp or tftpboot defined. */
- /* We support dhcp config on 1 IPv4 interface only. */
- for (i = 0;
- (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
- i++) {
- if (ipv4def->nranges || ipv4def->nhosts)
- break;
- }
-
- /* If we are doing local DHCP service on this network, attempt to
- * add a rule that will fixup the checksum of DHCP response
- * packets back to the guests (but report failure without
- * aborting, since not all iptables implementations support it).
- */
- if (ipv4def)
- iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68);
-}
-
-
-static void
-networkRemoveChecksumFirewallRules(virFirewall *fw,
- virNetworkDef *def)
-{
- size_t i;
- virNetworkIPDef *ipv4def;
-
- /* First look for first IPv4 address that has dhcp or tftpboot defined. */
- /* We support dhcp config on 1 IPv4 interface only. */
- for (i = 0;
- (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
- i++) {
- if (ipv4def->nranges || ipv4def->nhosts)
- break;
- }
-
- if (ipv4def)
- iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68);
-}
-
-
-static int
-networkAddIPSpecificFirewallRules(virFirewall *fw,
- virNetworkDef *def,
- virNetworkIPDef *ipdef)
-{
- /* NB: in the case of IPv6, routing rules are added when the
- * forward mode is NAT. This is because IPv6 has no NAT.
- */
-
- if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
- if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) ||
- def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)
- return networkAddMasqueradingFirewallRules(fw, def, ipdef);
- else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkAddRoutingFirewallRules(fw, def, ipdef);
- } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkAddRoutingFirewallRules(fw, def, ipdef);
- }
- return 0;
-}
-
-
-static int
-networkRemoveIPSpecificFirewallRules(virFirewall *fw,
- virNetworkDef *def,
- virNetworkIPDef *ipdef)
-{
- if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
- if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) ||
- def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)
- return networkRemoveMasqueradingFirewallRules(fw, def, ipdef);
- else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkRemoveRoutingFirewallRules(fw, def, ipdef);
- } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkRemoveRoutingFirewallRules(fw, def, ipdef);
- }
- return 0;
-}
-
-
-/* Add all rules for all ip addresses (and general rules) on a network */
-int networkAddFirewallRules(virNetworkDef *def)
-{
- size_t i;
- virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew();
-
if (virOnce(&createdOnce, networkSetupPrivateChains) < 0)
return -1;
@@ -891,52 +389,12 @@ int networkAddFirewallRules(virNetworkDef *def)
}
}
- virFirewallStartTransaction(fw, 0);
-
- networkAddGeneralFirewallRules(fw, def);
-
- for (i = 0;
- (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
- i++) {
- if (networkAddIPSpecificFirewallRules(fw, def, ipdef) < 0)
- return -1;
- }
-
- virFirewallStartRollback(fw, 0);
-
- for (i = 0;
- (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
- i++) {
- if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
- return -1;
- }
- networkRemoveGeneralFirewallRules(fw, def);
-
- virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- networkAddChecksumFirewallRules(fw, def);
-
- return virFirewallApply(fw);
+ return iptablesAddFirewallRules(def);
}
-/* Remove all rules for all ip addresses (and general rules) on a network */
-void networkRemoveFirewallRules(virNetworkDef *def)
-{
- size_t i;
- virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew();
-
- virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- networkRemoveChecksumFirewallRules(fw, def);
-
- virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- for (i = 0;
- (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
- i++) {
- if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
- return;
- }
- networkRemoveGeneralFirewallRules(fw, def);
-
- virFirewallApply(fw);
+void
+networkRemoveFirewallRules(virNetworkDef *def)
+{
+ iptablesRemoveFirewallRules(def);
}
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 362c0202a0..7338237c21 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -1,5 +1,6 @@
/*
- * network_iptables.c: helper APIs for managing iptables in network driver
+ * network_iptables.c: iptables-based firewall implementation for
+ * virtual networks.
*
* Copyright (C) 2007-2014 Red Hat, Inc.
*
@@ -1070,3 +1071,562 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw,
{
iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE);
}
+
+
+static const char networkLocalMulticastIPv4[] = "224.0.0.0/24";
+static const char networkLocalMulticastIPv6[] = "ff02::/16";
+static const char networkLocalBroadcast[] = "255.255.255.255/32";
+
+static int
+iptablesAddMasqueradingFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ int prefix = virNetworkIPDefPrefix(ipdef);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
+ bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET);
+
+ if (prefix < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid prefix or netmask for '%1$s'"),
+ def->bridge);
+ return -1;
+ }
+
+ /* allow forwarding packets from the bridge interface */
+ if (iptablesAddForwardAllowOut(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ /* allow forwarding packets to the bridge interface if they are
+ * part of an existing connection
+ */
+ if (iptablesAddForwardAllowRelatedIn(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ /*
+ * Enable masquerading.
+ *
+ * We need to end up with 5 rules in the table in this order
+ *
+ * 1. do not masquerade packets targeting 224.0.0.0/24
+ * 2. do not masquerade packets targeting 255.255.255.255/32
+ * 3. masquerade protocol=tcp with sport mapping restriction
+ * 4. masquerade protocol=udp with sport mapping restriction
+ * 5. generic, masquerade any protocol
+ *
+ * 224.0.0.0/24 is the local network multicast range. Packets are not
+ * forwarded outside.
+ *
+ * 255.255.255.255/32 is the broadcast address of any local network. Again,
+ * such packets are never forwarded, but strict DHCP clients don't accept
+ * DHCP replies with changed source ports.
+ *
+ * The sport mappings are required, because default IPtables
+ * MASQUERADE maintain port numbers unchanged where possible.
+ *
+ * NFS can be configured to only "trust" port numbers < 1023.
+ *
+ * Guests using NAT thus need to be prevented from having port
+ * numbers < 1023, otherwise they can bypass the NFS "security"
+ * check on the source port number.
+ *
+ * Since we use '--insert' to add rules to the header of the
+ * chain, we actually need to add them in the reverse of the
+ * order just mentioned !
+ */
+
+ /* First the generic masquerade rule for other protocols */
+ if (iptablesAddForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ NULL) < 0)
+ return -1;
+
+ /* UDP with a source port restriction */
+ if (iptablesAddForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ "udp") < 0)
+ return -1;
+
+ /* TCP with a source port restriction */
+ if (iptablesAddForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ "tcp") < 0)
+ return -1;
+
+ /* exempt local network broadcast address as destination */
+ if (isIPv4 &&
+ iptablesAddDontMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ networkLocalBroadcast) < 0)
+ return -1;
+
+ /* exempt local multicast range as destination */
+ if (iptablesAddDontMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ isIPv4 ? networkLocalMulticastIPv4 :
+ networkLocalMulticastIPv6) < 0)
+ return -1;
+
+ return 0;
+}
+
+static int
+iptablesRemoveMasqueradingFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ int prefix = virNetworkIPDefPrefix(ipdef);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
+ bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET);
+
+ if (prefix < 0)
+ return 0;
+
+ if (iptablesRemoveDontMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ isIPv4 ? networkLocalMulticastIPv4 :
+ networkLocalMulticastIPv6) < 0)
+ return -1;
+
+ if (isIPv4 &&
+ iptablesRemoveDontMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ networkLocalBroadcast) < 0)
+ return -1;
+
+ if (iptablesRemoveForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ "tcp") < 0)
+ return -1;
+
+ if (iptablesRemoveForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ "udp") < 0)
+ return -1;
+
+ if (iptablesRemoveForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ NULL) < 0)
+ return -1;
+
+ if (iptablesRemoveForwardAllowRelatedIn(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ if (iptablesRemoveForwardAllowOut(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static int
+iptablesAddRoutingFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ int prefix = virNetworkIPDefPrefix(ipdef);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
+
+ if (prefix < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid prefix or netmask for '%1$s'"),
+ def->bridge);
+ return -1;
+ }
+
+ /* allow routing packets from the bridge interface */
+ if (iptablesAddForwardAllowOut(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ /* allow routing packets to the bridge interface */
+ if (iptablesAddForwardAllowIn(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static int
+iptablesRemoveRoutingFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ int prefix = virNetworkIPDefPrefix(ipdef);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
+
+ if (prefix < 0)
+ return 0;
+
+ if (iptablesRemoveForwardAllowIn(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ if (iptablesRemoveForwardAllowOut(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static void
+iptablesAddGeneralIPv4FirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ size_t i;
+ virNetworkIPDef *ipv4def;
+
+ /* First look for first IPv4 address that has dhcp or tftpboot defined. */
+ /* We support dhcp config on 1 IPv4 interface only. */
+ for (i = 0;
+ (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
+ i++) {
+ if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
+ break;
+ }
+
+ /* allow DHCP requests through to dnsmasq & back out */
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+
+ /* allow DNS requests through to dnsmasq & back out */
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+
+ /* allow TFTP requests through to dnsmasq if necessary & back out */
+ if (ipv4def && ipv4def->tftproot) {
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ }
+
+ /* Catch all rules to block forwarding to/from bridges */
+ iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+
+ /* Allow traffic between guests on the same bridge */
+ iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+}
+
+static void
+iptablesRemoveGeneralIPv4FirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ size_t i;
+ virNetworkIPDef *ipv4def;
+
+ for (i = 0;
+ (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
+ i++) {
+ if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
+ break;
+ }
+
+ iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+
+ if (ipv4def && ipv4def->tftproot) {
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ }
+
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+}
+
+
+/* Add all once/network rules required for IPv6.
+ * If no IPv6 addresses are defined and <network ipv6='yes'> is
+ * specified, then allow IPv6 communications between virtual systems.
+ * If any IPv6 addresses are defined, then add the rules for regular operation.
+ */
+static void
+iptablesAddGeneralIPv6FirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) &&
+ !def->ipv6nogw) {
+ return;
+ }
+
+ /* Catch all rules to block forwarding to/from bridges */
+ iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+
+ /* Allow traffic between guests on the same bridge */
+ iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+
+ if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
+ /* allow DNS over IPv6 & back out */
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ /* allow DHCPv6 & back out */
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
+ }
+}
+
+static void
+iptablesRemoveGeneralIPv6FirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) &&
+ !def->ipv6nogw) {
+ return;
+ }
+
+ if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ }
+
+ /* the following rules are there if no IPv6 address has been defined
+ * but def->ipv6nogw == true
+ */
+ iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+}
+
+
+static void
+iptablesAddGeneralFirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ iptablesAddGeneralIPv4FirewallRules(fw, def);
+ iptablesAddGeneralIPv6FirewallRules(fw, def);
+}
+
+
+static void
+iptablesRemoveGeneralFirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ iptablesRemoveGeneralIPv4FirewallRules(fw, def);
+ iptablesRemoveGeneralIPv6FirewallRules(fw, def);
+}
+
+static void
+iptablesAddChecksumFirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ size_t i;
+ virNetworkIPDef *ipv4def;
+
+ /* First look for first IPv4 address that has dhcp or tftpboot defined. */
+ /* We support dhcp config on 1 IPv4 interface only. */
+ for (i = 0;
+ (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
+ i++) {
+ if (ipv4def->nranges || ipv4def->nhosts)
+ break;
+ }
+
+ /* If we are doing local DHCP service on this network, attempt to
+ * add a rule that will fixup the checksum of DHCP response
+ * packets back to the guests (but report failure without
+ * aborting, since not all iptables implementations support it).
+ */
+ if (ipv4def)
+ iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68);
+}
+
+
+static void
+iptablesRemoveChecksumFirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ size_t i;
+ virNetworkIPDef *ipv4def;
+
+ /* First look for first IPv4 address that has dhcp or tftpboot defined. */
+ /* We support dhcp config on 1 IPv4 interface only. */
+ for (i = 0;
+ (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
+ i++) {
+ if (ipv4def->nranges || ipv4def->nhosts)
+ break;
+ }
+
+ if (ipv4def)
+ iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68);
+}
+
+
+static int
+iptablesAddIPSpecificFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ /* NB: in the case of IPv6, routing rules are added when the
+ * forward mode is NAT. This is because IPv6 has no NAT.
+ */
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
+ if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) ||
+ def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)
+ return iptablesAddMasqueradingFirewallRules(fw, def, ipdef);
+ else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
+ return iptablesAddRoutingFirewallRules(fw, def, ipdef);
+ } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ return iptablesAddRoutingFirewallRules(fw, def, ipdef);
+ }
+ return 0;
+}
+
+
+static int
+iptablesRemoveIPSpecificFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
+ if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) ||
+ def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)
+ return iptablesRemoveMasqueradingFirewallRules(fw, def, ipdef);
+ else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
+ return iptablesRemoveRoutingFirewallRules(fw, def, ipdef);
+ } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ return iptablesRemoveRoutingFirewallRules(fw, def, ipdef);
+ }
+ return 0;
+}
+
+
+/* Add all rules for all ip addresses (and general rules) on a network */
+int
+iptablesAddFirewallRules(virNetworkDef *def)
+{
+ size_t i;
+ virNetworkIPDef *ipdef;
+ g_autoptr(virFirewall) fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ iptablesAddGeneralFirewallRules(fw, def);
+
+ for (i = 0;
+ (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
+ i++) {
+ if (iptablesAddIPSpecificFirewallRules(fw, def, ipdef) < 0)
+ return -1;
+ }
+
+ virFirewallStartRollback(fw, 0);
+
+ for (i = 0;
+ (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
+ i++) {
+ if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
+ return -1;
+ }
+ iptablesRemoveGeneralFirewallRules(fw, def);
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ iptablesAddChecksumFirewallRules(fw, def);
+
+ return virFirewallApply(fw);
+}
+
+/* Remove all rules for all ip addresses (and general rules) on a network */
+void
+iptablesRemoveFirewallRules(virNetworkDef *def)
+{
+ size_t i;
+ virNetworkIPDef *ipdef;
+ g_autoptr(virFirewall) fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ iptablesRemoveChecksumFirewallRules(fw, def);
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
+ for (i = 0;
+ (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
+ i++) {
+ if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
+ return;
+ }
+ iptablesRemoveGeneralFirewallRules(fw, def);
+
+ virFirewallApply(fw);
+}
diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h
index bfb6bbe0e7..d3f6b48437 100644
--- a/src/network/network_iptables.h
+++ b/src/network/network_iptables.h
@@ -22,8 +22,13 @@
#include "virsocketaddr.h"
#include "virfirewall.h"
+#include "network_conf.h"
-int iptablesSetupPrivateChains (virFirewallLayer layer);
+int iptablesAddFirewallRules(virNetworkDef *def);
+
+void iptablesRemoveFirewallRules(virNetworkDef *def);
+
+int iptablesSetupPrivateChains(virFirewallLayer layer);
void iptablesAddTcpInput (virFirewall *fw,
virFirewallLayer layer,
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 03/30] network: make all iptables functions used only in network_iptables.c static
Now that the toplevel iptables functions have been moved out of the
linux bridge driver into network_iptables.c, all of the utility
functions are used only within that same file, so simplify it.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_iptables.c | 52 ++++++-------
src/network/network_iptables.h | 130 ---------------------------------
2 files changed, 26 insertions(+), 156 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 7338237c21..697ad5d8d6 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -207,7 +207,7 @@ iptablesOutput(virFirewall *fw,
* Add an input to the IP table allowing access to the given @port on
* the given @iface interface for TCP packets
*/
-void
+static void
iptablesAddTcpInput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -225,7 +225,7 @@ iptablesAddTcpInput(virFirewall *fw,
* Removes an input from the IP table, hence forbidding access to the given
* @port on the given @iface interface for TCP packets
*/
-void
+static void
iptablesRemoveTcpInput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -243,7 +243,7 @@ iptablesRemoveTcpInput(virFirewall *fw,
* Add an input to the IP table allowing access to the given @port on
* the given @iface interface for UDP packets
*/
-void
+static void
iptablesAddUdpInput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -261,7 +261,7 @@ iptablesAddUdpInput(virFirewall *fw,
* Removes an input from the IP table, hence forbidding access to the given
* @port on the given @iface interface for UDP packets
*/
-void
+static void
iptablesRemoveUdpInput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -279,7 +279,7 @@ iptablesRemoveUdpInput(virFirewall *fw,
* Add an output to the IP table allowing access to the given @port from
* the given @iface interface for TCP packets
*/
-void
+static void
iptablesAddTcpOutput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -297,7 +297,7 @@ iptablesAddTcpOutput(virFirewall *fw,
* Removes an output from the IP table, hence forbidding access to the given
* @port from the given @iface interface for TCP packets
*/
-void
+static void
iptablesRemoveTcpOutput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -315,7 +315,7 @@ iptablesRemoveTcpOutput(virFirewall *fw,
* Add an output to the IP table allowing access to the given @port from
* the given @iface interface for UDP packets
*/
-void
+static void
iptablesAddUdpOutput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -333,7 +333,7 @@ iptablesAddUdpOutput(virFirewall *fw,
* Removes an output from the IP table, hence forbidding access to the given
* @port from the given @iface interface for UDP packets
*/
-void
+static void
iptablesRemoveUdpOutput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
@@ -397,7 +397,7 @@ iptablesForwardAllowOut(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesAddForwardAllowOut(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -421,7 +421,7 @@ iptablesAddForwardAllowOut(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesRemoveForwardAllowOut(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -491,7 +491,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesAddForwardAllowRelatedIn(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -515,7 +515,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -578,7 +578,7 @@ iptablesForwardAllowIn(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesAddForwardAllowIn(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -602,7 +602,7 @@ iptablesAddForwardAllowIn(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesRemoveForwardAllowIn(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -640,7 +640,7 @@ iptablesForwardAllowCross(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-void
+static void
iptablesAddForwardAllowCross(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
@@ -659,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-void
+static void
iptablesRemoveForwardAllowCross(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
@@ -692,7 +692,7 @@ iptablesForwardRejectOut(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-void
+static void
iptablesAddForwardRejectOut(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
@@ -710,7 +710,7 @@ iptablesAddForwardRejectOut(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-void
+static void
iptablesRemoveForwardRejectOut(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
@@ -744,7 +744,7 @@ iptablesForwardRejectIn(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-void
+static void
iptablesAddForwardRejectIn(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
@@ -762,7 +762,7 @@ iptablesAddForwardRejectIn(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-void
+static void
iptablesRemoveForwardRejectIn(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
@@ -882,7 +882,7 @@ iptablesForwardMasquerade(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesAddForwardMasquerade(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -909,7 +909,7 @@ iptablesAddForwardMasquerade(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
+static int
iptablesRemoveForwardMasquerade(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -979,7 +979,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise.
*/
-int
+static int
iptablesAddDontMasquerade(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -1004,7 +1004,7 @@ iptablesAddDontMasquerade(virFirewall *fw,
*
* Returns 0 in case of success or an error code otherwise.
*/
-int
+static int
iptablesRemoveDontMasquerade(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
@@ -1047,7 +1047,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
* the given @iface interface for TCP packets.
*
*/
-void
+static void
iptablesAddOutputFixUdpChecksum(virFirewall *fw,
const char *iface,
int port)
@@ -1064,7 +1064,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw,
* Removes the checksum fixup rule that was previous added with
* iptablesAddOutputFixUdpChecksum.
*/
-void
+static void
iptablesRemoveOutputFixUdpChecksum(virFirewall *fw,
const char *iface,
int port)
diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h
index d3f6b48437..cdc143f154 100644
--- a/src/network/network_iptables.h
+++ b/src/network/network_iptables.h
@@ -20,7 +20,6 @@
#pragma once
-#include "virsocketaddr.h"
#include "virfirewall.h"
#include "network_conf.h"
@@ -29,132 +28,3 @@ int iptablesAddFirewallRules(virNetworkDef *def);
void iptablesRemoveFirewallRules(virNetworkDef *def);
int iptablesSetupPrivateChains(virFirewallLayer layer);
-
-void iptablesAddTcpInput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-void iptablesRemoveTcpInput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-
-void iptablesAddUdpInput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-void iptablesRemoveUdpInput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-
-void iptablesAddTcpOutput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-void iptablesRemoveTcpOutput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-void iptablesAddUdpOutput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-void iptablesRemoveUdpOutput (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port);
-
-int iptablesAddForwardAllowOut (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
- G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardAllowOut (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
- G_GNUC_WARN_UNUSED_RESULT;
-int iptablesAddForwardAllowRelatedIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
- G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
- G_GNUC_WARN_UNUSED_RESULT;
-
-int iptablesAddForwardAllowIn (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
- G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardAllowIn (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
- G_GNUC_WARN_UNUSED_RESULT;
-
-void iptablesAddForwardAllowCross (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface);
-void iptablesRemoveForwardAllowCross (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface);
-
-void iptablesAddForwardRejectOut (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface);
-void iptablesRemoveForwardRejectOut (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface);
-
-void iptablesAddForwardRejectIn (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface);
-void iptablesRemoveForwardRejectIn (virFirewall *fw,
- virFirewallLayer layery,
- const char *iface);
-
-int iptablesAddForwardMasquerade (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- virSocketAddrRange *addr,
- virPortRange *port,
- const char *protocol)
- G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardMasquerade (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- virSocketAddrRange *addr,
- virPortRange *port,
- const char *protocol)
- G_GNUC_WARN_UNUSED_RESULT;
-int iptablesAddDontMasquerade (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- const char *destaddr)
- G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveDontMasquerade (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- const char *destaddr)
- G_GNUC_WARN_UNUSED_RESULT;
-void iptablesAddOutputFixUdpChecksum (virFirewall *fw,
- const char *iface,
- int port);
-void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw,
- const char *iface,
- int port);
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 04/30] util: #define the names used for private packet filter chains
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_iptables.c | 51 +++++++++++++++++++---------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 697ad5d8d6..ac3e60b79f 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -38,6 +38,13 @@ VIR_LOG_INIT("network.iptables");
#define VIR_FROM_THIS VIR_FROM_NONE
+#define VIR_IPTABLES_INPUT_CHAIN "LIBVIRT_INP"
+#define VIR_IPTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
+#define VIR_IPTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
+#define VIR_IPTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
+#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
+#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+
enum {
VIR_NETFILTER_INSERT = 0,
VIR_NETFILTER_DELETE
@@ -114,14 +121,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
{
g_autoptr(virFirewall) fw = virFirewallNew();
iptablesGlobalChain filter_chains[] = {
- {"INPUT", "LIBVIRT_INP"},
- {"OUTPUT", "LIBVIRT_OUT"},
- {"FORWARD", "LIBVIRT_FWO"},
- {"FORWARD", "LIBVIRT_FWI"},
- {"FORWARD", "LIBVIRT_FWX"},
+ {"INPUT", VIR_IPTABLES_INPUT_CHAIN},
+ {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_OUT_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_IN_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_X_CHAIN},
};
iptablesGlobalChain natmangle_chains[] = {
- {"POSTROUTING", "LIBVIRT_PRT"},
+ {"POSTROUTING", VIR_IPTABLES_NAT_POSTROUTE_CHAIN},
};
bool changed = false;
iptablesGlobalChainData data[] = {
@@ -169,7 +176,7 @@ iptablesInput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_INP",
+ VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -190,7 +197,7 @@ iptablesOutput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_OUT",
+ VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -365,7 +372,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -375,7 +382,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -455,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -467,7 +474,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -547,7 +554,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -557,7 +564,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -622,7 +629,7 @@ iptablesForwardAllowCross(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWX",
+ VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -676,7 +683,7 @@ iptablesForwardRejectOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -728,7 +735,7 @@ iptablesForwardRejectIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -810,7 +817,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -819,7 +826,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -946,7 +953,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -956,7 +963,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -1028,7 +1035,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 05/30] util: change name of virFirewallRule to virFirewallCmd
These objects aren't rules, they are commands that are executed that
may create a firewall rule, delete a firewall rule, or simply list the
existing firewall rules. It's confusing for the objects to be called
"Rule" (especially in the case of the function
virFirewallRemoveRule(), which doesn't remove a rule from the
firewall, it takes one of the objects out of the list of commands to
execute! In order to remove a rule from the host's firewall, you have
to Add a "rule" (now "cmd" aka command) to the list that will, when
applied/run, remove a rule from the host firewall.)
Changing the name to virFirewallCmd makes it all much less confusing.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 16 +-
src/network/network_iptables.c | 286 +++----
src/nwfilter/nwfilter_ebiptables_driver.c | 988 +++++++++++-----------
src/util/virebtables.c | 32 +-
src/util/virfirewall.c | 223 +++--
src/util/virfirewall.h | 54 +-
tests/virfirewalltest.c | 404 ++++-----
7 files changed, 1000 insertions(+), 1003 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index b006b84262..533071d08c 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2404,17 +2404,17 @@ virFileCacheSetPriv;
# util/virfirewall.h
-virFirewallAddRuleFull;
+virFirewallAddCmdFull;
virFirewallApply;
+virFirewallCmdAddArg;
+virFirewallCmdAddArgFormat;
+virFirewallCmdAddArgList;
+virFirewallCmdAddArgSet;
+virFirewallCmdGetArgCount;
+virFirewallCmdToString;
virFirewallFree;
virFirewallNew;
-virFirewallRemoveRule;
-virFirewallRuleAddArg;
-virFirewallRuleAddArgFormat;
-virFirewallRuleAddArgList;
-virFirewallRuleAddArgSet;
-virFirewallRuleGetArgCount;
-virFirewallRuleToString;
+virFirewallRemoveCmd;
virFirewallStartRollback;
virFirewallStartTransaction;
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index ac3e60b79f..5c16683cff 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -98,18 +98,18 @@ iptablesPrivateChainCreate(virFirewall *fw,
for (i = 0; i < data->nchains; i++) {
const char *from;
if (!virHashLookup(chains, data->chains[i].child)) {
- virFirewallAddRule(fw, layer,
- "--table", data->table,
- "--new-chain", data->chains[i].child, NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", data->table,
+ "--new-chain", data->chains[i].child, NULL);
*data->changed = true;
}
from = virHashLookup(links, data->chains[i].child);
if (!from || STRNEQ(from, data->chains[i].parent))
- virFirewallAddRule(fw, layer,
- "--table", data->table,
- "--insert", data->chains[i].parent,
- "--jump", data->chains[i].child, NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", data->table,
+ "--insert", data->chains[i].parent,
+ "--jump", data->chains[i].child, NULL);
}
return 0;
@@ -151,10 +151,10 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
virFirewallStartTransaction(fw, 0);
for (i = 0; i < G_N_ELEMENTS(data); i++)
- virFirewallAddRuleFull(fw, data[i].layer,
- false, iptablesPrivateChainCreate,
- &(data[i]), "--table", data[i].table,
- "--list-rules", NULL);
+ virFirewallAddCmdFull(fw, data[i].layer,
+ false, iptablesPrivateChainCreate,
+ &(data[i]), "--table", data[i].table,
+ "--list-rules", NULL);
if (virFirewallApply(fw) < 0)
return -1;
@@ -173,15 +173,15 @@ iptablesInput(virFirewall *fw,
{
g_autofree char *portstr = g_strdup_printf("%d", port);
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_INPUT_CHAIN,
- "--in-interface", iface,
- "--protocol", tcp ? "tcp" : "udp",
- "--destination-port", portstr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_INPUT_CHAIN,
+ "--in-interface", iface,
+ "--protocol", tcp ? "tcp" : "udp",
+ "--destination-port", portstr,
+ "--jump", "ACCEPT",
+ NULL);
}
static void
@@ -194,15 +194,15 @@ iptablesOutput(virFirewall *fw,
{
g_autofree char *portstr = g_strdup_printf("%d", port);
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_OUTPUT_CHAIN,
- "--out-interface", iface,
- "--protocol", tcp ? "tcp" : "udp",
- "--destination-port", portstr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_OUTPUT_CHAIN,
+ "--out-interface", iface,
+ "--protocol", tcp ? "tcp" : "udp",
+ "--destination-port", portstr,
+ "--jump", "ACCEPT",
+ NULL);
}
/**
@@ -369,24 +369,24 @@ iptablesForwardAllowOut(virFirewall *fw,
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_OUT_CHAIN,
- "--source", networkstr,
- "--in-interface", iface,
- "--out-interface", physdev,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
+ "--source", networkstr,
+ "--in-interface", iface,
+ "--out-interface", physdev,
+ "--jump", "ACCEPT",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_OUT_CHAIN,
- "--source", networkstr,
- "--in-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
+ "--source", networkstr,
+ "--in-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
return 0;
}
@@ -459,28 +459,28 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--in-interface", physdev,
- "--out-interface", iface,
- "--match", "conntrack",
- "--ctstate", "ESTABLISHED,RELATED",
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--in-interface", physdev,
+ "--out-interface", iface,
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
+ "--jump", "ACCEPT",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--out-interface", iface,
- "--match", "conntrack",
- "--ctstate", "ESTABLISHED,RELATED",
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--out-interface", iface,
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
+ "--jump", "ACCEPT",
+ NULL);
return 0;
}
@@ -551,24 +551,24 @@ iptablesForwardAllowIn(virFirewall *fw,
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--in-interface", physdev,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--in-interface", physdev,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
return 0;
}
@@ -626,14 +626,14 @@ iptablesForwardAllowCross(virFirewall *fw,
const char *iface,
int action)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_X_CHAIN,
- "--in-interface", iface,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_X_CHAIN,
+ "--in-interface", iface,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
}
/**
@@ -680,13 +680,13 @@ iptablesForwardRejectOut(virFirewall *fw,
const char *iface,
int action)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_OUT_CHAIN,
- "--in-interface", iface,
- "--jump", "REJECT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
+ "--in-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
@@ -732,13 +732,13 @@ iptablesForwardRejectIn(virFirewall *fw,
const char *iface,
int action)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--out-interface", iface,
- "--jump", "REJECT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--out-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
@@ -796,7 +796,7 @@ iptablesForwardMasquerade(virFirewall *fw,
g_autofree char *addrEndStr = NULL;
g_autofree char *portRangeStr = NULL;
g_autofree char *natRangeStr = NULL;
- virFirewallRule *rule;
+ virFirewallCmd *fwCmd;
int af = VIR_SOCKET_ADDR_FAMILY(netaddr);
virFirewallLayer layer = af == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@@ -814,7 +814,7 @@ iptablesForwardMasquerade(virFirewall *fw,
}
if (protocol && protocol[0]) {
- rule = virFirewallAddRule(fw, layer,
+ fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@@ -823,7 +823,7 @@ iptablesForwardMasquerade(virFirewall *fw,
"!", "--destination", networkstr,
NULL);
} else {
- rule = virFirewallAddRule(fw, layer,
+ fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@@ -833,7 +833,7 @@ iptablesForwardMasquerade(virFirewall *fw,
}
if (physdev && physdev[0])
- virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NULL);
if (protocol && protocol[0]) {
if (port->start == 0 && port->end == 0) {
@@ -861,16 +861,16 @@ iptablesForwardMasquerade(virFirewall *fw,
portRangeStr ? portRangeStr : "");
}
- virFirewallRuleAddArgList(fw, rule,
- "--jump", "SNAT",
- "--to-source", natRangeStr, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd,
+ "--jump", "SNAT",
+ "--to-source", natRangeStr, NULL);
} else {
- virFirewallRuleAddArgList(fw, rule,
- "--jump", "MASQUERADE", NULL);
+ virFirewallCmdAddArgList(fw, fwCmd,
+ "--jump", "MASQUERADE", NULL);
if (portRangeStr && portRangeStr[0])
- virFirewallRuleAddArgList(fw, rule,
- "--to-ports", &portRangeStr[1],
NULL);
+ virFirewallCmdAddArgList(fw, fwCmd,
+ "--to-ports", &portRangeStr[1],
NULL);
}
return 0;
@@ -950,24 +950,24 @@ iptablesForwardDontMasquerade(virFirewall *fw,
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
- "--out-interface", physdev,
- "--source", networkstr,
- "--destination", destaddr,
- "--jump", "RETURN",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "nat",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+ "--out-interface", physdev,
+ "--source", networkstr,
+ "--destination", destaddr,
+ "--jump", "RETURN",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
- "--source", networkstr,
- "--destination", destaddr,
- "--jump", "RETURN",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "nat",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+ "--source", networkstr,
+ "--destination", destaddr,
+ "--jump", "RETURN",
+ NULL);
return 0;
}
@@ -1032,15 +1032,15 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
{
g_autofree char *portstr = g_strdup_printf("%d", port);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "--table", "mangle",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
- "--out-interface", iface,
- "--protocol", "udp",
- "--destination-port", portstr,
- "--jump", "CHECKSUM",
"--checksum-fill",
- NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "--table", "mangle",
+ action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+ "--out-interface", iface,
+ "--protocol", "udp",
+ "--destination-port", portstr,
+ "--jump", "CHECKSUM",
"--checksum-fill",
+ NULL);
}
/**
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 56bddb9097..3ef1bb576e 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -334,7 +334,7 @@ printDataTypeAsHex(virNWFilterVarCombIter *vars,
static int
ebtablesHandleEthHdr(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
ethHdrDataDef *ethHdr,
bool reverse)
@@ -348,11 +348,11 @@ ebtablesHandleEthHdr(virFirewall *fw,
ðHdr->dataSrcMACAddr) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- reverse ? "-d" : "-s",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ reverse ? "-d" : "-s",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(ðHdr->dataSrcMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACMask)) {
if (printDataType(vars,
@@ -360,10 +360,10 @@ ebtablesHandleEthHdr(virFirewall *fw,
ðHdr->dataSrcMACMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", macaddr, macmask);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", macaddr, macmask);
} else {
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
}
@@ -373,11 +373,11 @@ ebtablesHandleEthHdr(virFirewall *fw,
ðHdr->dataDstMACAddr) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- reverse ? "-s" : "-d",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ reverse ? "-s" : "-d",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(ðHdr->dataDstMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(ðHdr->dataDstMACMask)) {
if (printDataType(vars,
@@ -385,10 +385,10 @@ ebtablesHandleEthHdr(virFirewall *fw,
ðHdr->dataDstMACMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", macaddr, macmask);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", macaddr, macmask);
} else {
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
}
@@ -403,38 +403,38 @@ static void
iptablesCreateBaseChainsFW(virFirewall *fw,
virFirewallLayer layer)
{
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", VIRT_IN_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", VIRT_OUT_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", VIRT_IN_POST_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", HOST_IN_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "FORWARD", "-j",
VIRT_IN_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "FORWARD", "-j",
VIRT_OUT_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "FORWARD", "-j",
VIRT_IN_POST_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "INPUT", "-j",
HOST_IN_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "FORWARD", "1",
"-j", VIRT_IN_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "FORWARD", "2",
"-j", VIRT_OUT_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "FORWARD", "3",
"-j", VIRT_IN_POST_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "INPUT", "1", "-j",
HOST_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_OUT_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", HOST_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j",
VIRT_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j",
VIRT_OUT_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j",
VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "INPUT", "-j",
HOST_IN_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "FORWARD", "1", "-j",
VIRT_IN_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "FORWARD", "2", "-j",
VIRT_OUT_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "FORWARD", "3", "-j",
VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "INPUT", "1", "-j",
HOST_IN_CHAIN, NULL);
}
@@ -453,8 +453,8 @@ iptablesCreateTmpRootChainFW(virFirewall *fw,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, layer,
- "-N", chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-N", chain, NULL);
}
@@ -490,12 +490,12 @@ _iptablesRemoveRootChainFW(virFirewall *fw,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-F", chain, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-X", chain, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-F", chain, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-X", chain, NULL);
}
@@ -561,17 +561,17 @@ iptablesLinkTmpRootChainFW(virFirewall *fw,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
if (incoming)
- virFirewallAddRule(fw, layer,
- "-A", basechain,
- MATCH_PHYSDEV_IN_FW,
- ifname,
- "-g", chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", basechain,
+ MATCH_PHYSDEV_IN_FW,
+ ifname,
+ "-g", chain, NULL);
else
- virFirewallAddRule(fw, layer,
- "-A", basechain,
- MATCH_PHYSDEV_OUT_FW,
- ifname,
- "-g", chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", basechain,
+ MATCH_PHYSDEV_OUT_FW,
+ ifname,
+ "-g", chain, NULL);
}
@@ -591,15 +591,15 @@ iptablesSetupVirtInPostFW(virFirewall *fw G_GNUC_UNUSED,
virFirewallLayer layer G_GNUC_UNUSED,
const char *ifname G_GNUC_UNUSED)
{
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", VIRT_IN_POST_CHAIN,
- MATCH_PHYSDEV_IN_FW,
- ifname, "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, layer,
- "-A", VIRT_IN_POST_CHAIN,
- MATCH_PHYSDEV_IN_FW,
- ifname, "-j", "ACCEPT", NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
}
@@ -608,11 +608,11 @@ iptablesClearVirtInPostFW(virFirewall *fw,
virFirewallLayer layer,
const char *ifname)
{
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", VIRT_IN_POST_CHAIN,
- MATCH_PHYSDEV_IN_FW,
- ifname, "-j", "ACCEPT", NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
}
@@ -638,19 +638,19 @@ _iptablesUnlinkRootChainFW(virFirewall *fw,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
if (incoming)
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", basechain,
- MATCH_PHYSDEV_IN_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_IN_FW, ifname,
+ "-g", chain,
+ NULL);
else
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", basechain,
- MATCH_PHYSDEV_OUT_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_FW, ifname,
+ "-g", chain,
+ NULL);
/*
* Previous versions of libvirt may have created a rule
@@ -658,12 +658,12 @@ _iptablesUnlinkRootChainFW(virFirewall *fw,
* as well.
*/
if (!incoming)
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", basechain,
- MATCH_PHYSDEV_OUT_OLD_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_OLD_FW, ifname,
+ "-g", chain,
+ NULL);
}
@@ -735,8 +735,8 @@ iptablesRenameTmpRootChainFW(virFirewall *fw,
PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, layer,
- "-E", tmpchain, chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-E", tmpchain, chain, NULL);
}
@@ -753,7 +753,7 @@ iptablesRenameTmpRootChainsFW(virFirewall *fw,
static int
iptablesHandleSrcMacAddr(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
nwItemDesc *srcMacAddr,
bool directionIn,
@@ -774,15 +774,15 @@ iptablesHandleSrcMacAddr(virFirewall *fw,
srcMacAddr) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "mac",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "mac",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(srcMacAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--mac-source",
- macaddr,
- NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--mac-source",
+ macaddr,
+ NULL);
}
return 0;
@@ -791,7 +791,7 @@ iptablesHandleSrcMacAddr(virFirewall *fw,
static int
iptablesHandleIPHdr(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
ipHdrDataDef *ipHdr,
bool directionIn,
@@ -819,8 +819,8 @@ iptablesHandleIPHdr(virFirewall *fw,
return -1;
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, src);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, src);
if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) {
@@ -829,10 +829,10 @@ iptablesHandleIPHdr(virFirewall *fw,
&ipHdr->dataSrcIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
} else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) {
if (printDataType(vars,
@@ -840,12 +840,12 @@ iptablesHandleIPHdr(virFirewall *fw,
&ipHdr->dataSrcIPFrom) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "iprange",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "iprange",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, srcrange);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, srcrange);
if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) {
@@ -854,10 +854,10 @@ iptablesHandleIPHdr(virFirewall *fw,
&ipHdr->dataSrcIPTo) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s-%s", ipaddr, ipaddralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s-%s", ipaddr, ipaddralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
@@ -868,8 +868,8 @@ iptablesHandleIPHdr(virFirewall *fw,
return -1;
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, dst);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, dst);
if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) {
if (printDataType(vars,
@@ -877,10 +877,10 @@ iptablesHandleIPHdr(virFirewall *fw,
&ipHdr->dataDstIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
} else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) {
if (printDataType(vars,
@@ -888,12 +888,12 @@ iptablesHandleIPHdr(virFirewall *fw,
&ipHdr->dataDstIPFrom) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "iprange",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "iprange",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, dstrange);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, dstrange);
if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) {
if (printDataType(vars,
@@ -901,10 +901,10 @@ iptablesHandleIPHdr(virFirewall *fw,
&ipHdr->dataDstIPTo) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s-%s", ipaddr, ipaddralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s-%s", ipaddr, ipaddralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
@@ -914,14 +914,14 @@ iptablesHandleIPHdr(virFirewall *fw,
&ipHdr->dataDSCP) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "dscp",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "dscp",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--dscp", number,
- NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--dscp", number,
+ NULL);
}
if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
@@ -939,7 +939,7 @@ iptablesHandleIPHdr(virFirewall *fw,
static int
iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
ipHdrDataDef *ipHdr,
bool directionIn)
@@ -955,17 +955,17 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
&ipHdr->dataIPSet) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "set",
- "--match-set", str,
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "set",
+ "--match-set", str,
+ NULL);
if (printDataTypeDirection(vars,
str, sizeof(str),
&ipHdr->dataIPSetFlags, directionIn) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, str);
+ virFirewallCmdAddArg(fw, fwrule, str);
}
if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
@@ -977,24 +977,24 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
/* place connlimit after potential -m state --state ...
since this is the most useful order */
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "connlimit",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "connlimit",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--connlimit-above", number,
- NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--connlimit-above", number,
+ NULL);
}
}
if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
/* keep comments behind everything else -- they are packet eval.
no-ops */
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "comment",
- "--comment", ipHdr->dataComment.u.string,
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "comment",
+ "--comment", ipHdr->dataComment.u.string,
+ NULL);
}
return 0;
@@ -1003,7 +1003,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
static int
iptablesHandlePortData(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
portDataDef *portData,
bool directionIn)
@@ -1024,8 +1024,8 @@ iptablesHandlePortData(virFirewall *fw,
return -1;
if (ENTRY_WANT_NEG_SIGN(&portData->dataSrcPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, sport);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, sport);
if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) {
if (printDataType(vars,
@@ -1033,10 +1033,10 @@ iptablesHandlePortData(virFirewall *fw,
&portData->dataSrcPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", portstr, portstralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", portstr, portstralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, portstr);
+ virFirewallCmdAddArg(fw, fwrule, portstr);
}
}
@@ -1047,8 +1047,8 @@ iptablesHandlePortData(virFirewall *fw,
return -1;
if (ENTRY_WANT_NEG_SIGN(&portData->dataDstPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, dport);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, dport);
if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) {
if (printDataType(vars,
@@ -1056,10 +1056,10 @@ iptablesHandlePortData(virFirewall *fw,
&portData->dataDstPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", portstr, portstralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", portstr, portstralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, portstr);
+ virFirewallCmdAddArg(fw, fwrule, portstr);
}
}
@@ -1069,18 +1069,18 @@ iptablesHandlePortData(virFirewall *fw,
static void
iptablesEnforceDirection(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
bool directionIn,
virNWFilterRuleDef *rule)
{
if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "conntrack",
- "--ctdir",
- (directionIn ?
- "Reply" :
- "Original"),
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "conntrack",
+ "--ctdir",
+ (directionIn ?
+ "Reply" :
+ "Original"),
+ NULL);
}
@@ -1123,7 +1123,7 @@ _iptablesCreateRuleInstance(virFirewall *fw,
bool skipRule = false;
bool skipMatch = false;
bool hasICMPType = false;
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
size_t fwruleargs;
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
@@ -1131,12 +1131,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
switch ((int)rule->prtclType) {
case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "tcp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "tcp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1156,16 +1156,16 @@ _iptablesCreateRuleInstance(virFirewall *fw,
g_autofree char *mask = NULL;
g_autofree char *flags = NULL;
if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, "--tcp-flags");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "--tcp-flags");
if (!(mask =
virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask)))
return -1;
- virFirewallRuleAddArg(fw, fwrule, mask);
+ virFirewallCmdAddArg(fw, fwrule, mask);
if (!(flags =
virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags)))
return -1;
- virFirewallRuleAddArg(fw, fwrule, flags);
+ virFirewallCmdAddArg(fw, fwrule, flags);
}
if (iptablesHandlePortData(fw, fwrule,
@@ -1181,21 +1181,21 @@ _iptablesCreateRuleInstance(virFirewall *fw,
return -1;
if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--tcp-option", number, NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--tcp-option", number, NULL);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_UDP:
case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "udp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "udp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1220,12 +1220,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "udplite",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "udplite",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1245,12 +1245,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
case VIR_NWFILTER_RULE_PROTOCOL_ESP:
case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "esp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "esp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1270,12 +1270,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "ah",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "ah",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1295,12 +1295,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "sctp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "sctp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1325,18 +1325,18 @@ _iptablesCreateRuleInstance(virFirewall *fw,
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ NULL);
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "icmp", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "icmp", NULL);
else
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "icmpv6", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "icmpv6", NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1358,7 +1358,7 @@ _iptablesCreateRuleInstance(virFirewall *fw,
hasICMPType = true;
if (maySkipICMP) {
- virFirewallRemoveRule(fw, fwrule);
+ virFirewallRemoveCmd(fw, fwrule);
return 0;
}
@@ -1373,8 +1373,8 @@ _iptablesCreateRuleInstance(virFirewall *fw,
return -1;
if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, parm);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, parm);
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) {
if (printDataType(vars,
@@ -1382,21 +1382,21 @@ _iptablesCreateRuleInstance(virFirewall *fw,
&rule->p.icmpHdrFilter.dataICMPCode) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "igmp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "igmp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1416,12 +1416,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
case VIR_NWFILTER_RULE_PROTOCOL_ALL:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "all",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "all",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
@@ -1447,9 +1447,9 @@ _iptablesCreateRuleInstance(virFirewall *fw,
}
if ((srcMacSkipped &&
- fwruleargs == virFirewallRuleGetArgCount(fwrule)) ||
+ fwruleargs == virFirewallCmdGetArgCount(fwrule)) ||
skipRule) {
- virFirewallRemoveRule(fw, fwrule);
+ virFirewallRemoveCmd(fw, fwrule);
return 0;
}
@@ -1461,10 +1461,10 @@ _iptablesCreateRuleInstance(virFirewall *fw,
}
if (match && !skipMatch) {
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "conntrack",
- "--ctstate", match,
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "conntrack",
+ "--ctstate", match,
+ NULL);
}
if (defMatch && match != NULL && !skipMatch && !hasICMPType)
@@ -1478,8 +1478,8 @@ _iptablesCreateRuleInstance(virFirewall *fw,
directionIn) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-j", target, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-j", target, NULL);
return 0;
}
@@ -1752,7 +1752,7 @@ ebtablesCreateRuleInstance(virFirewall *fw,
char chain[MAX_CHAINNAME_LENGTH];
const char *target;
bool hasMask = false;
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
if (STREQ(chainSuffix,
virNWFilterChainSuffixTypeToString(
@@ -1768,10 +1768,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
field, sizeof(field), \
&rule->p.STRUCT.ITEM) < 0) \
return -1; \
- virFirewallRuleAddArg(fw, fwrule, CLI); \
+ virFirewallCmdAddArg(fw, fwrule, CLI); \
if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
- virFirewallRuleAddArg(fw, fwrule, "!"); \
- virFirewallRuleAddArg(fw, fwrule, field); \
+ virFirewallCmdAddArg(fw, fwrule, "!"); \
+ virFirewallCmdAddArg(fw, fwrule, field); \
}
#define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \
@@ -1780,18 +1780,18 @@ ebtablesCreateRuleInstance(virFirewall *fw,
field, sizeof(field), \
&rule->p.STRUCT.ITEM) < 0) \
return -1; \
- virFirewallRuleAddArg(fw, fwrule, CLI); \
+ virFirewallCmdAddArg(fw, fwrule, CLI); \
if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
- virFirewallRuleAddArg(fw, fwrule, "!"); \
+ virFirewallCmdAddArg(fw, fwrule, "!"); \
if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \
if (printDataType(vars, \
fieldalt, sizeof(fieldalt), \
&rule->p.STRUCT.ITEM_HI) < 0) \
return -1; \
- virFirewallRuleAddArgFormat(fw, fwrule, \
- "%s%s%s", field, SEP, fieldalt); \
+ virFirewallCmdAddArgFormat(fw, fwrule, \
+ "%s%s%s", field, SEP, fieldalt); \
} else { \
- virFirewallRuleAddArg(fw, fwrule, field); \
+ virFirewallCmdAddArg(fw, fwrule, field); \
} \
}
#define INST_ITEM_RANGE(S, I, I_HI, C) \
@@ -1801,9 +1801,9 @@ ebtablesCreateRuleInstance(virFirewall *fw,
switch ((int)rule->prtclType) {
case VIR_NWFILTER_RULE_PROTOCOL_MAC:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat",
- "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat",
+ "-A", chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
@@ -1816,16 +1816,16 @@ ebtablesCreateRuleInstance(virFirewall *fw,
number, sizeof(number),
&rule->p.ethHdrFilter.dataProtocolID) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "-p");
+ virFirewallCmdAddArg(fw, fwrule, "-p");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
@@ -1833,8 +1833,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "0x8100", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "0x8100", NULL);
INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id")
INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap")
@@ -1852,8 +1852,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
return -1;
}
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
@@ -1861,8 +1861,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-d", NWFILTER_MAC_BGA, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-d", NWFILTER_MAC_BGA, NULL);
INST_ITEM(stpHdrFilter, dataType, "--stp-type")
INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags")
@@ -1888,8 +1888,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
case VIR_NWFILTER_RULE_PROTOCOL_ARP:
case VIR_NWFILTER_RULE_PROTOCOL_RARP:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
@@ -1897,21 +1897,21 @@ ebtablesCreateRuleInstance(virFirewall *fw,
reverse) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "-p");
- virFirewallRuleAddArgFormat(fw, fwrule, "0x%x",
- (rule->prtclType ==
VIR_NWFILTER_RULE_PROTOCOL_ARP)
- ? l3_protocols[L3_PROTO_ARP_IDX].attr
- : l3_protocols[L3_PROTO_RARP_IDX].attr);
+ virFirewallCmdAddArg(fw, fwrule, "-p");
+ virFirewallCmdAddArgFormat(fw, fwrule, "0x%x",
+ (rule->prtclType ==
VIR_NWFILTER_RULE_PROTOCOL_ARP)
+ ? l3_protocols[L3_PROTO_ARP_IDX].attr
+ : l3_protocols[L3_PROTO_RARP_IDX].attr);
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.arpHdrFilter.dataHWType) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--arp-htype");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-htype");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) {
@@ -1919,10 +1919,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
number, sizeof(number),
&rule->p.arpHdrFilter.dataOpcode) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--arp-opcode");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-opcode");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) {
@@ -1930,10 +1930,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
number, sizeof(number),
&rule->p.arpHdrFilter.dataProtocolType) <
0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--arp-ptype");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-ptype");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) {
@@ -1950,12 +1950,12 @@ ebtablesCreateRuleInstance(virFirewall *fw,
hasMask = true;
}
- virFirewallRuleAddArg(fw, fwrule,
+ virFirewallCmdAddArg(fw, fwrule,
reverse ? "--arp-ip-dst" :
"--arp-ip-src");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, hasMask ? ipmask :
"32");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, hasMask ? ipmask :
"32");
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
@@ -1972,12 +1972,12 @@ ebtablesCreateRuleInstance(virFirewall *fw,
hasMask = true;
}
- virFirewallRuleAddArg(fw, fwrule,
+ virFirewallCmdAddArg(fw, fwrule,
reverse ? "--arp-ip-src" :
"--arp-ip-dst");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, hasMask ? ipmask :
"32");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, hasMask ? ipmask :
"32");
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
@@ -1986,11 +1986,11 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--arp-mac-dst" :
"--arp-mac-src");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--arp-mac-dst" :
"--arp-mac-src");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) {
@@ -1999,24 +1999,24 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.arpHdrFilter.dataARPDstMACAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--arp-mac-src" :
"--arp-mac-dst");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--arp-mac-src" :
"--arp-mac-dst");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) &&
rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) {
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, "--arp-gratuitous");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-gratuitous");
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_IP:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
@@ -2024,8 +2024,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "ipv4", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "ipv4", NULL);
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) {
if (printDataType(vars,
@@ -2033,20 +2033,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-destination" :
"--ip-source");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-destination" :
"--ip-source");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask) <
0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
@@ -2057,20 +2057,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-source" :
"--ip-destination");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-source" :
"--ip-destination");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipHdrFilter.ipHdr.dataDstIPMask) <
0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
@@ -2080,10 +2080,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.ipHdr.dataProtocolID) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--ip-protocol");
+ virFirewallCmdAddArg(fw, fwrule, "--ip-protocol");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtocolID))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortStart)) {
@@ -2092,10 +2092,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.portData.dataSrcPortStart) <
0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-destination-port" :
"--ip-source-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-destination-port" :
"--ip-source-port");
if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEnd)) {
if (printDataType(vars,
@@ -2103,10 +2103,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.portData.dataSrcPortEnd)
< 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
@@ -2116,10 +2116,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.portData.dataDstPortStart) <
0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-source-port" :
"--ip-destination-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-source-port" :
"--ip-destination-port");
if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEnd)) {
if (printDataType(vars,
@@ -2127,10 +2127,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.portData.dataDstPortEnd)
< 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
@@ -2140,16 +2140,16 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipHdrFilter.ipHdr.dataDSCP) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--ip-tos");
+ virFirewallCmdAddArg(fw, fwrule, "--ip-tos");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
@@ -2157,8 +2157,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "ipv6", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "ipv6", NULL);
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) {
if (printDataType(vars,
@@ -2166,20 +2166,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-destination" :
"--ip6-source");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-destination" :
"--ip6-source");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask) <
0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipv6addr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipv6addr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipv6addr);
+ virFirewallCmdAddArg(fw, fwrule, ipv6addr);
}
}
@@ -2190,20 +2190,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-source" :
"--ip6-destination");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-source" :
"--ip6-destination");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask) <
0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipv6addr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipv6addr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipv6addr);
+ virFirewallCmdAddArg(fw, fwrule, ipv6addr);
}
}
@@ -2213,10 +2213,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID) <
0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--ip6-protocol");
+ virFirewallCmdAddArg(fw, fwrule, "--ip6-protocol");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart)) {
@@ -2226,10 +2226,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipv6HdrFilter.portData.dataSrcPortStart)
< 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-destination-port" :
"--ip6-source-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-destination-port" :
"--ip6-source-port");
if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)) {
if (printDataType(vars,
@@ -2237,10 +2237,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)
< 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
@@ -2251,10 +2251,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipv6HdrFilter.portData.dataDstPortStart)
< 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-source-port" :
"--ip6-destination-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-source-port" :
"--ip6-destination-port");
if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDstPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPortEnd)) {
if (printDataType(vars,
@@ -2262,10 +2262,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
&rule->p.ipv6HdrFilter.portData.dataDstPortEnd)
< 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
@@ -2277,8 +2277,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
g_autofree char *r = NULL;
- virFirewallRuleAddArg(fw, fwrule,
- "--ip6-icmp-type");
+ virFirewallCmdAddArg(fw, fwrule,
+ "--ip6-icmp-type");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) {
if (printDataType(vars,
@@ -2335,17 +2335,17 @@ ebtablesCreateRuleInstance(virFirewall *fw,
virBufferStrcat(&buf, numberalt, NULL);
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
r = virBufferContentAndReset(&buf);
- virFirewallRuleAddArg(fw, fwrule, r);
+ virFirewallCmdAddArg(fw, fwrule, r);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_NONE:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
break;
default:
@@ -2370,8 +2370,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
target = virNWFilterJumpTargetTypeToString(rule->action);
}
- virFirewallRuleAddArgList(fw, fwrule,
- "-j", target, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-j", target, NULL);
#undef INST_ITEM_RANGE
#undef INST_ITEM_MASK
@@ -2461,8 +2461,8 @@ ebtablesCreateTmpRootChainFW(virFirewall *fw,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-N", chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-N", chain, NULL);
}
@@ -2476,11 +2476,11 @@ ebtablesLinkTmpRootChainFW(virFirewall *fw,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
- incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
- incoming ? "-i" : "-o",
- ifname, "-j", chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
+ incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+ incoming ? "-i" : "-o",
+ ifname, "-j", chain, NULL);
}
@@ -2500,12 +2500,12 @@ _ebtablesRemoveRootChainFW(virFirewall *fw,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-F", chain,
NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-X", chain,
NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-F", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-X", chain, NULL);
}
@@ -2543,12 +2543,12 @@ _ebtablesUnlinkRootChainFW(virFirewall *fw,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-D",
- incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
- incoming ? "-i" : "-o",
- ifname, "-j", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-D",
+ incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+ incoming ? "-i" : "-o",
+ ifname, "-j", chain, NULL);
}
@@ -2577,41 +2577,41 @@ ebtablesCreateTmpSubChainFW(virFirewall *fw,
char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP;
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname,
(filtername) ? filtername : l3_protocols[protoidx].val);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-F", chain,
NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-X", chain,
NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-N", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-F", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-X", chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-N", chain, NULL);
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
rootchain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
rootchain, NULL);
switch ((int)protoidx) {
case L2_PROTO_MAC_IDX:
break;
case L2_PROTO_STP_IDX:
- virFirewallRuleAddArgList(fw, fwrule,
- "-d", NWFILTER_MAC_BGA, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-d", NWFILTER_MAC_BGA, NULL);
break;
default:
- virFirewallRuleAddArg(fw, fwrule, "-p");
- virFirewallRuleAddArgFormat(fw, fwrule,
- "0x%04x",
- l3_protocols[protoidx].attr);
+ virFirewallCmdAddArg(fw, fwrule, "-p");
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "0x%04x",
+ l3_protocols[protoidx].attr);
break;
}
- virFirewallRuleAddArgList(fw, fwrule,
- "-j", chain, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-j", chain, NULL);
}
@@ -2636,16 +2636,16 @@ ebtablesRemoveSubChainsQuery(virFirewall *fw,
if (tmp[0] == chainprefixes[j] &&
tmp[1] == '-') {
VIR_DEBUG("Processing chain '%s'", tmp);
- virFirewallAddRuleFull(fw, layer,
- false, ebtablesRemoveSubChainsQuery,
- (void *)chainprefixes,
- "-t", "nat", "-L",
tmp, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-F",
tmp, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-X",
tmp, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chainprefixes,
+ "-t", "nat", "-L",
tmp, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-F",
tmp, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-X",
tmp, NULL);
}
}
}
@@ -2664,10 +2664,10 @@ _ebtablesRemoveSubChainsFW(virFirewall *fw,
for (i = 0; chainprefixes[i] != 0; i++) {
PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- false, ebtablesRemoveSubChainsQuery,
- (void *)chainprefixes,
- "-t", "nat", "-L",
rootchain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chainprefixes,
+ "-t", "nat", "-L", rootchain,
NULL);
}
}
@@ -2706,8 +2706,8 @@ ebtablesRenameTmpSubChainFW(virFirewall *fw,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
}
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-E", tmpchain, chain,
NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-E", tmpchain, chain,
NULL);
}
static void
@@ -2748,18 +2748,18 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewall *fw,
else
newchain[0] = CHAINPREFIX_HOST_OUT;
VIR_DEBUG("Renaming chain '%s' to '%s'", tmp,
newchain);
- virFirewallAddRuleFull(fw, layer,
- false, ebtablesRenameTmpSubAndRootChainsQuery,
- NULL,
- "-t", "nat", "-L", tmp,
NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-F", newchain,
NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-X", newchain,
NULL);
- virFirewallAddRule(fw, layer,
- "-t", "nat", "-E", tmp,
newchain, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ false, ebtablesRenameTmpSubAndRootChainsQuery,
+ NULL,
+ "-t", "nat", "-L", tmp,
NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-F", newchain,
NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-X", newchain,
NULL);
+ virFirewallAddCmd(fw, layer,
+ "-t", "nat", "-E", tmp, newchain,
NULL);
}
return 0;
@@ -2779,10 +2779,10 @@ ebtablesRenameTmpSubAndRootChainsFW(virFirewall *fw,
};
for (i = 0; chains[i] != 0; i++) {
PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- false, ebtablesRenameTmpSubAndRootChainsQuery,
- NULL,
- "-t", "nat", "-L",
rootchain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRenameTmpSubAndRootChainsQuery,
+ NULL,
+ "-t", "nat", "-L", rootchain,
NULL);
}
ebtablesRenameTmpRootChainFW(fw, true, ifname);
@@ -2835,21 +2835,21 @@ ebtablesApplyBasicRules(const char *ifname,
ebtablesCreateTmpRootChainFW(fw, true, ifname);
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-s", "!", macaddr_str,
- "-j", "DROP", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-p", "IPv4",
- "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-p", "ARP",
- "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-s", "!", macaddr_str,
+ "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-p", "IPv4",
+ "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-p", "ARP",
+ "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-j", "DROP", NULL);
ebtablesLinkTmpRootChainFW(fw, true, ifname);
ebtablesRenameTmpRootChainFW(fw, true, ifname);
@@ -2908,16 +2908,16 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_in,
- "-s", macaddr_str,
- "-p", "ipv4", "--ip-protocol",
"udp",
- "--ip-sport", "68", "--ip-dport",
"67",
- "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-s", macaddr_str,
+ "-p", "ipv4", "--ip-protocol",
"udp",
+ "--ip-sport", "68", "--ip-dport",
"67",
+ "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_in,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-j", "DROP", NULL);
num_dhcpsrvrs = (dhcpsrvrs != NULL)
? virNWFilterVarValueGetCardinality(dhcpsrvrs)
@@ -2936,20 +2936,20 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
*/
for (ctr = 0; ctr < 2; ctr++) {
if (dhcpserver)
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain_out,
- "-d", (ctr == 0) ? macaddr_str :
"ff:ff:ff:ff:ff:ff",
- "-p", "ipv4",
"--ip-protocol", "udp",
- "--ip-src", dhcpserver,
- "--ip-sport", "67",
"--ip-dport", "68",
- "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain_out,
+ "-d", (ctr == 0) ? macaddr_str :
"ff:ff:ff:ff:ff:ff",
+ "-p", "ipv4",
"--ip-protocol", "udp",
+ "--ip-src", dhcpserver,
+ "--ip-sport", "67",
"--ip-dport", "68",
+ "-j", "ACCEPT", NULL);
else
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
chain_out,
- "-d", (ctr == 0) ? macaddr_str :
"ff:ff:ff:ff:ff:ff",
- "-p", "ipv4",
"--ip-protocol", "udp",
- "--ip-sport", "67",
"--ip-dport", "68",
- "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain_out,
+ "-d", (ctr == 0) ? macaddr_str :
"ff:ff:ff:ff:ff:ff",
+ "-p", "ipv4",
"--ip-protocol", "udp",
+ "--ip-sport", "67",
"--ip-dport", "68",
+ "-j", "ACCEPT", NULL);
}
idx++;
@@ -2958,9 +2958,9 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
break;
}
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_out,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-j", "DROP", NULL);
ebtablesLinkTmpRootChainFW(fw, true, ifname);
ebtablesLinkTmpRootChainFW(fw, false, ifname);
@@ -3008,13 +3008,13 @@ ebtablesApplyDropAllRules(const char *ifname)
PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_in,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-j", "DROP", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_out,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-j", "DROP", NULL);
ebtablesLinkTmpRootChainFW(fw, true, ifname);
ebtablesLinkTmpRootChainFW(fw, false, ifname);
diff --git a/src/util/virebtables.c b/src/util/virebtables.c
index a1f5f7cf1e..cabcbb3e81 100644
--- a/src/util/virebtables.c
+++ b/src/util/virebtables.c
@@ -81,17 +81,17 @@ ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
g_autoptr(virFirewall) fw = virFirewallNew();
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "--new-chain", ctx->chain,
- NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "--insert", "FORWARD",
- "--jump", ctx->chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--new-chain", ctx->chain,
+ NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--insert", "FORWARD",
+ "--jump", ctx->chain, NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-P", ctx->chain, "DROP",
- NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-P", ctx->chain, "DROP",
+ NULL);
return virFirewallApply(fw);
}
@@ -109,13 +109,13 @@ ebtablesForwardAllowIn(ebtablesContext *ctx,
g_autoptr(virFirewall) fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- action == ADD ? "--insert" : "--delete",
- ctx->chain,
- "--in-interface", iface,
- "--source", macaddr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ action == ADD ? "--insert" : "--delete",
+ ctx->chain,
+ "--in-interface", iface,
+ "--source", macaddr,
+ "--jump", "ACCEPT",
+ NULL);
return virFirewallApply(fw);
}
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 30e73f603e..902cb8e445 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -45,7 +45,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand,
IP6TABLES,
);
-struct _virFirewallRule {
+struct _virFirewallCmd {
virFirewallLayer layer;
virFirewallQueryCallback queryCB;
@@ -62,10 +62,10 @@ struct _virFirewallGroup {
unsigned int rollbackFlags;
size_t naction;
- virFirewallRule **action;
+ virFirewallCmd **action;
size_t nrollback;
- virFirewallRule **rollback;
+ virFirewallCmd **rollback;
bool addingRollback;
};
@@ -79,7 +79,7 @@ struct _virFirewall {
size_t currentGroup;
};
-static virMutex ruleLock = VIR_MUTEX_INITIALIZER;
+static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER;
static virFirewallGroup *
virFirewallGroupNew(void)
@@ -107,17 +107,17 @@ virFirewall *virFirewallNew(void)
static void
-virFirewallRuleFree(virFirewallRule *rule)
+virFirewallCmdFree(virFirewallCmd *fwCmd)
{
size_t i;
- if (!rule)
+ if (!fwCmd)
return;
- for (i = 0; i < rule->argsLen; i++)
- g_free(rule->args[i]);
- g_free(rule->args);
- g_free(rule);
+ for (i = 0; i < fwCmd->argsLen; i++)
+ g_free(fwCmd->args[i]);
+ g_free(fwCmd->args);
+ g_free(fwCmd);
}
@@ -130,11 +130,11 @@ virFirewallGroupFree(virFirewallGroup *group)
return;
for (i = 0; i < group->naction; i++)
- virFirewallRuleFree(group->action[i]);
+ virFirewallCmdFree(group->action[i]);
g_free(group->action);
for (i = 0; i < group->nrollback; i++)
- virFirewallRuleFree(group->rollback[i]);
+ virFirewallCmdFree(group->rollback[i]);
g_free(group->rollback);
g_free(group);
@@ -167,9 +167,9 @@ void virFirewallFree(virFirewall *firewall)
return; \
} while (0)
-#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule)\
+#define VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd)\
do { \
- if (!firewall || firewall->err || !rule) \
+ if (!firewall || firewall->err || !fwCmd) \
return; \
} while (0)
@@ -179,22 +179,22 @@ void virFirewallFree(virFirewall *firewall)
return NULL; \
} while (0)
-#define ADD_ARG(rule, str) \
+#define ADD_ARG(fwCmd, str) \
do { \
- VIR_RESIZE_N(rule->args, rule->argsAlloc, rule->argsLen, 1); \
- rule->args[rule->argsLen++] = g_strdup(str); \
+ VIR_RESIZE_N(fwCmd->args, fwCmd->argsAlloc, fwCmd->argsLen, 1); \
+ fwCmd->args[fwCmd->argsLen++] = g_strdup(str); \
} while (0)
-static virFirewallRule *
-virFirewallAddRuleFullV(virFirewall *firewall,
- virFirewallLayer layer,
- bool ignoreErrors,
- virFirewallQueryCallback cb,
- void *opaque,
- va_list args)
+static virFirewallCmd *
+virFirewallAddCmdFullV(virFirewall *firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ va_list args)
{
virFirewallGroup *group;
- virFirewallRule *rule;
+ virFirewallCmd *fwCmd;
char *str;
VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
@@ -206,43 +206,43 @@ virFirewallAddRuleFullV(virFirewall *firewall,
group = firewall->groups[firewall->currentGroup];
- rule = g_new0(virFirewallRule, 1);
+ fwCmd = g_new0(virFirewallCmd, 1);
- rule->layer = layer;
- rule->queryCB = cb;
- rule->queryOpaque = opaque;
- rule->ignoreErrors = ignoreErrors;
+ fwCmd->layer = layer;
+ fwCmd->queryCB = cb;
+ fwCmd->queryOpaque = opaque;
+ fwCmd->ignoreErrors = ignoreErrors;
- switch (rule->layer) {
+ switch (fwCmd->layer) {
case VIR_FIREWALL_LAYER_ETHERNET:
- ADD_ARG(rule, "--concurrent");
+ ADD_ARG(fwCmd, "--concurrent");
break;
case VIR_FIREWALL_LAYER_IPV4:
- ADD_ARG(rule, "-w");
+ ADD_ARG(fwCmd, "-w");
break;
case VIR_FIREWALL_LAYER_IPV6:
- ADD_ARG(rule, "-w");
+ ADD_ARG(fwCmd, "-w");
break;
case VIR_FIREWALL_LAYER_LAST:
break;
}
while ((str = va_arg(args, char *)) != NULL)
- ADD_ARG(rule, str);
+ ADD_ARG(fwCmd, str);
if (group->addingRollback) {
- VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule);
+ VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd);
} else {
- VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule);
+ VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd);
}
- return rule;
+ return fwCmd;
}
/**
- * virFirewallAddRuleFull:
+ * virFirewallAddCmdFull:
* @firewall: firewall ruleset to add to
* @layer: the firewall layer to change
* @ignoreErrors: true to ignore failure of the command
@@ -253,7 +253,7 @@ virFirewallAddRuleFullV(virFirewall *firewall,
* Add any type of rule to the firewall ruleset. Any output
* generated by the addition will be fed into the query
* callback @cb. This callback is permitted to create new
- * rules by invoking the virFirewallAddRule method, but
+ * rules by invoking the virFirewallAddCmd method, but
* is not permitted to start new transactions.
*
* If @ignoreErrors is set to TRUE, then any failure of
@@ -263,31 +263,31 @@ virFirewallAddRuleFullV(virFirewall *firewall,
*
* Returns the new rule
*/
-virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall,
- virFirewallLayer layer,
- bool ignoreErrors,
- virFirewallQueryCallback cb,
- void *opaque,
- ...)
+virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ ...)
{
- virFirewallRule *rule;
+ virFirewallCmd *fwCmd;
va_list args;
va_start(args, opaque);
- rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args);
+ fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, opaque, args);
va_end(args);
- return rule;
+ return fwCmd;
}
/**
- * virFirewallRemoveRule:
+ * virFirewallRemoveCmd:
* @firewall: firewall ruleset to remove from
* @rule: the rule to remove
*
* Remove a rule from the current transaction
*/
-void virFirewallRemoveRule(virFirewall *firewall,
- virFirewallRule *rule)
+void virFirewallRemoveCmd(virFirewall *firewall,
+ virFirewallCmd *fwCmd)
{
size_t i;
virFirewallGroup *group;
@@ -306,21 +306,21 @@ void virFirewallRemoveRule(virFirewall *firewall,
if (group->addingRollback) {
for (i = 0; i < group->nrollback; i++) {
- if (group->rollback[i] == rule) {
+ if (group->rollback[i] == fwCmd) {
VIR_DELETE_ELEMENT(group->rollback,
i,
group->nrollback);
- virFirewallRuleFree(rule);
+ virFirewallCmdFree(fwCmd);
break;
}
}
} else {
for (i = 0; i < group->naction; i++) {
- if (group->action[i] == rule) {
+ if (group->action[i] == fwCmd) {
VIR_DELETE_ELEMENT(group->action,
i,
group->naction);
- virFirewallRuleFree(rule);
+ virFirewallCmdFree(fwCmd);
return;
}
}
@@ -328,45 +328,45 @@ void virFirewallRemoveRule(virFirewall *firewall,
}
-void virFirewallRuleAddArg(virFirewall *firewall,
- virFirewallRule *rule,
- const char *arg)
+void virFirewallCmdAddArg(virFirewall *firewall,
+ virFirewallCmd *fwCmd,
+ const char *arg)
{
- VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+ VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
- ADD_ARG(rule, arg);
+ ADD_ARG(fwCmd, arg);
return;
}
-void virFirewallRuleAddArgFormat(virFirewall *firewall,
- virFirewallRule *rule,
- const char *fmt, ...)
+void virFirewallCmdAddArgFormat(virFirewall *firewall,
+ virFirewallCmd *fwCmd,
+ const char *fmt, ...)
{
g_autofree char *arg = NULL;
va_list list;
- VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+ VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
va_start(list, fmt);
arg = g_strdup_vprintf(fmt, list);
va_end(list);
- ADD_ARG(rule, arg);
+ ADD_ARG(fwCmd, arg);
return;
}
-void virFirewallRuleAddArgSet(virFirewall *firewall,
- virFirewallRule *rule,
- const char *const *args)
+void virFirewallCmdAddArgSet(virFirewall *firewall,
+ virFirewallCmd *fwCmd,
+ const char *const *args)
{
- VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+ VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
while (*args) {
- ADD_ARG(rule, *args);
+ ADD_ARG(fwCmd, *args);
args++;
}
@@ -374,19 +374,19 @@ void virFirewallRuleAddArgSet(virFirewall *firewall,
}
-void virFirewallRuleAddArgList(virFirewall *firewall,
- virFirewallRule *rule,
- ...)
+void virFirewallCmdAddArgList(virFirewall *firewall,
+ virFirewallCmd *fwCmd,
+ ...)
{
va_list list;
const char *str;
- VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+ VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
- va_start(list, rule);
+ va_start(list, fwCmd);
while ((str = va_arg(list, char *)) != NULL)
- ADD_ARG(rule, str);
+ ADD_ARG(fwCmd, str);
va_end(list);
@@ -394,11 +394,11 @@ void virFirewallRuleAddArgList(virFirewall *firewall,
}
-size_t virFirewallRuleGetArgCount(virFirewallRule *rule)
+size_t virFirewallCmdGetArgCount(virFirewallCmd *fwCmd)
{
- if (!rule)
+ if (!fwCmd)
return 0;
- return rule->argsLen;
+ return fwCmd->argsLen;
}
@@ -462,16 +462,16 @@ void virFirewallStartRollback(virFirewall *firewall,
char *
-virFirewallRuleToString(const char *cmd,
- virFirewallRule *rule)
+virFirewallCmdToString(const char *cmd,
+ virFirewallCmd *fwCmd)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
size_t i;
virBufferAdd(&buf, cmd, -1);
- for (i = 0; i < rule->argsLen; i++) {
+ for (i = 0; i < fwCmd->argsLen; i++) {
virBufferAddLit(&buf, " ");
- virBufferAdd(&buf, rule->args[i], -1);
+ virBufferAdd(&buf, fwCmd->args[i], -1);
}
return virBufferContentAndReset(&buf);
@@ -479,12 +479,12 @@ virFirewallRuleToString(const char *cmd,
static int
-virFirewallApplyRuleDirect(virFirewallRule *rule,
- bool ignoreErrors,
- char **output)
+virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
+ bool ignoreErrors,
+ char **output)
{
size_t i;
- const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
+ const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer);
g_autoptr(virCommand) cmd = NULL;
g_autofree char *cmdStr = NULL;
int status;
@@ -493,17 +493,17 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
if (!bin) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Unknown firewall layer %1$d"),
- rule->layer);
+ fwCmd->layer);
return -1;
}
cmd = virCommandNewArgList(bin, NULL);
- for (i = 0; i < rule->argsLen; i++)
- virCommandAddArg(cmd, rule->args[i]);
+ for (i = 0; i < fwCmd->argsLen; i++)
+ virCommandAddArg(cmd, fwCmd->args[i]);
cmdStr = virCommandToString(cmd, false);
- VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr));
+ VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr));
virCommandSetOutputBuffer(cmd, output);
virCommandSetErrorBuffer(cmd, &error);
@@ -516,7 +516,7 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
VIR_DEBUG("Ignoring error running command");
} else {
virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Failed to apply firewall rules %1$s: %2$s"),
+ _("Failed to run firewall command %1$s: %2$s"),
NULLSTR(cmdStr), NULLSTR(error));
VIR_FREE(*output);
return -1;
@@ -528,30 +528,30 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
static int
-virFirewallApplyRule(virFirewall *firewall,
- virFirewallRule *rule,
- bool ignoreErrors)
+virFirewallApplyCmd(virFirewall *firewall,
+ virFirewallCmd *fwCmd,
+ bool ignoreErrors)
{
g_autofree char *output = NULL;
g_auto(GStrv) lines = NULL;
- if (rule->ignoreErrors)
- ignoreErrors = rule->ignoreErrors;
+ if (fwCmd->ignoreErrors)
+ ignoreErrors = fwCmd->ignoreErrors;
- if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0)
+ if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0)
return -1;
- if (rule->queryCB && output) {
+ if (fwCmd->queryCB && output) {
if (!(lines = g_strsplit(output, "\n", -1)))
return -1;
- VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB,
output);
- if (rule->queryCB(firewall, rule->layer, (const char *const *)lines,
rule->queryOpaque) < 0)
+ VIR_DEBUG("Invoking query %p with '%s'", fwCmd->queryCB,
output);
+ if (fwCmd->queryCB(firewall, fwCmd->layer, (const char *const *)lines,
fwCmd->queryOpaque) < 0)
return -1;
if (firewall->err) {
virReportSystemError(firewall->err, "%s",
- _("Unable to create rule"));
+ _("Unable to create firewall command"));
return -1;
}
@@ -573,9 +573,9 @@ virFirewallApplyGroup(virFirewall *firewall,
firewall->currentGroup = idx;
group->addingRollback = false;
for (i = 0; i < group->naction; i++) {
- if (virFirewallApplyRule(firewall,
- group->action[i],
- ignoreErrors) < 0)
+ if (virFirewallApplyCmd(firewall,
+ group->action[i],
+ ignoreErrors) < 0)
return -1;
}
return 0;
@@ -592,11 +592,8 @@ virFirewallRollbackGroup(virFirewall *firewall,
VIR_INFO("Starting rollback for group %p", group);
firewall->currentGroup = idx;
group->addingRollback = true;
- for (i = 0; i < group->nrollback; i++) {
- ignore_value(virFirewallApplyRule(firewall,
- group->rollback[i],
- true));
- }
+ for (i = 0; i < group->nrollback; i++)
+ ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], true));
}
@@ -604,7 +601,7 @@ int
virFirewallApply(virFirewall *firewall)
{
size_t i, j;
- VIR_LOCK_GUARD lock = virLockGuardLock(&ruleLock);
+ VIR_LOCK_GUARD lock = virLockGuardLock(&fwCmdLock);
if (!firewall || firewall->err) {
int err = EINVAL;
@@ -612,7 +609,7 @@ virFirewallApply(virFirewall *firewall)
if (firewall)
err = firewall->err;
- virReportSystemError(err, "%s", _("Unable to create rule"));
+ virReportSystemError(err, "%s", _("Unable to create firewall
command"));
return -1;
}
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 187748b2bf..956bf0e2bf 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -24,7 +24,7 @@
typedef struct _virFirewall virFirewall;
-typedef struct _virFirewallRule virFirewallRule;
+typedef struct _virFirewallCmd virFirewallCmd;
typedef enum {
VIR_FIREWALL_LAYER_ETHERNET,
@@ -39,7 +39,7 @@ virFirewall *virFirewallNew(void);
void virFirewallFree(virFirewall *firewall);
/**
- * virFirewallAddRule:
+ * virFirewallAddCmd:
* @firewall: firewall ruleset to add to
* @layer: the firewall layer to change
* @...: NULL terminated list of strings for the rule
@@ -48,49 +48,49 @@ void virFirewallFree(virFirewall *firewall);
*
* Returns the new rule
*/
-#define virFirewallAddRule(firewall, layer, ...) \
- virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
+#define virFirewallAddCmd(firewall, layer, ...) \
+ virFirewallAddCmdFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
typedef int (*virFirewallQueryCallback)(virFirewall *firewall,
virFirewallLayer layer,
const char *const *lines,
void *opaque);
-virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall,
- virFirewallLayer layer,
- bool ignoreErrors,
- virFirewallQueryCallback cb,
- void *opaque,
- ...)
+virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ ...)
G_GNUC_NULL_TERMINATED;
-void virFirewallRemoveRule(virFirewall *firewall,
- virFirewallRule *rule);
+void virFirewallRemoveCmd(virFirewall *firewall,
+ virFirewallCmd *rule);
-void virFirewallRuleAddArg(virFirewall *firewall,
- virFirewallRule *rule,
- const char *arg)
+void virFirewallCmdAddArg(virFirewall *firewall,
+ virFirewallCmd *rule,
+ const char *arg)
ATTRIBUTE_NONNULL(3);
-void virFirewallRuleAddArgFormat(virFirewall *firewall,
- virFirewallRule *rule,
- const char *fmt, ...)
+void virFirewallCmdAddArgFormat(virFirewall *firewall,
+ virFirewallCmd *rule,
+ const char *fmt, ...)
ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4);
-void virFirewallRuleAddArgSet(virFirewall *firewall,
- virFirewallRule *rule,
- const char *const *args)
+void virFirewallCmdAddArgSet(virFirewall *firewall,
+ virFirewallCmd *rule,
+ const char *const *args)
ATTRIBUTE_NONNULL(3);
-void virFirewallRuleAddArgList(virFirewall *firewall,
- virFirewallRule *rule,
- ...)
+void virFirewallCmdAddArgList(virFirewall *firewall,
+ virFirewallCmd *rule,
+ ...)
G_GNUC_NULL_TERMINATED;
-size_t virFirewallRuleGetArgCount(virFirewallRule *rule);
+size_t virFirewallCmdGetArgCount(virFirewallCmd *rule);
-char *virFirewallRuleToString(const char *cmd,
- virFirewallRule *rule);
+char *virFirewallCmdToString(const char *cmd,
+ virFirewallCmd *rule);
typedef enum {
/* Ignore all errors when applying rules, so no
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
index e676a434c8..45bb67cb21 100644
--- a/tests/virfirewalltest.c
+++ b/tests/virfirewalltest.c
@@ -74,15 +74,15 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
@@ -107,28 +107,28 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED)
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump
REJECT\n";
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT", NULL);
- virFirewallRuleAddArg(fw, fwrule, "--source");
- virFirewallRemoveRule(fw, fwrule);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallCmdAddArg(fw, fwrule, "--source");
+ virFirewallRemoveCmd(fw, fwrule);
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT", NULL);
- virFirewallRuleAddArg(fw, fwrule, "--source");
- virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
- virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallCmdAddArg(fw, fwrule, "--source");
+ virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
+ virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
@@ -161,26 +161,26 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--jump", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
@@ -235,26 +235,26 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--jump", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
@@ -288,25 +288,25 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
- true, NULL, NULL,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ true, NULL, NULL,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--jump", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
@@ -338,20 +338,20 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -386,37 +386,37 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -450,41 +450,41 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -522,67 +522,67 @@ testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.127",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.127",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.127",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.127",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -656,10 +656,10 @@ testFirewallQueryCallback(virFirewall *fw,
void *opaque G_GNUC_UNUSED)
{
size_t i;
- virFirewallAddRule(fw, layer,
- "-A", "INPUT",
- "--source", "!192.168.122.129",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", "INPUT",
+ "--source", "!192.168.122.129",
+ "--jump", "REJECT", NULL);
for (i = 0; lines[i] != NULL; i++) {
if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) {
@@ -703,46 +703,46 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.127",
- "--jump", "REJECT", NULL);
-
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
- false,
- testFirewallQueryCallback,
- NULL,
- "-L", NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
- false,
- testFirewallQueryCallback,
- NULL,
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
+ "-L", NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
"-t", "nat", "-L", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.130",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.130",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.128",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.128",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 06/30] util: rename virNetFilterAction to iptablesAction, and add VIR_ENUM_DECL/IMPL
I had originally named these as VIR_NETFILTER_* because I assumed the
same enum would eventually be used by our nftables backend as well as
iptables. But it turns out that in most cases it's not possible to
delete an nftables rule, so we just never used the enum anyway, so
this patch is renaming the values to IPTABLES_ACTION_*, and taking
advantage of the newly defined (via VIR_ENUM_DECL/IMPL)
iptablesActionTypeToString() to replace all the ternary operators used
to translate the enum into a string for the iptables commandline with
iptablesActionTypeToString().
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_iptables.c | 126 ++++++++++++++++++---------------
1 file changed, 69 insertions(+), 57 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 5c16683cff..d7e749adf0 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -32,6 +32,7 @@
#include "virerror.h"
#include "virlog.h"
#include "virhash.h"
+#include "virenum.h"
#include "network_iptables.h"
VIR_LOG_INIT("network.iptables");
@@ -45,10 +46,21 @@ VIR_LOG_INIT("network.iptables");
#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
-enum {
- VIR_NETFILTER_INSERT = 0,
- VIR_NETFILTER_DELETE
-};
+typedef enum {
+ IPTABLES_ACTION_INSERT,
+ IPTABLES_ACTION_APPEND,
+ IPTABLES_ACTION_DELETE,
+
+ IPTABLES_ACTION_LAST
+} iptablesAction;
+
+VIR_ENUM_DECL(iptablesAction);
+VIR_ENUM_IMPL(iptablesAction,
+ IPTABLES_ACTION_LAST,
+ "--insert",
+ "--append",
+ "--delete",
+);
typedef struct {
const char *parent;
@@ -168,14 +180,14 @@ iptablesInput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port,
- int action,
+ iptablesAction action,
int tcp)
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
@@ -189,14 +201,14 @@ iptablesOutput(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port,
- int action,
+ iptablesAction action,
int tcp)
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
@@ -220,7 +232,7 @@ iptablesAddTcpInput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1);
}
/**
@@ -238,7 +250,7 @@ iptablesRemoveTcpInput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1);
}
/**
@@ -256,7 +268,7 @@ iptablesAddUdpInput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0);
}
/**
@@ -274,7 +286,7 @@ iptablesRemoveUdpInput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0);
}
/**
@@ -292,7 +304,7 @@ iptablesAddTcpOutput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1);
}
/**
@@ -310,7 +322,7 @@ iptablesRemoveTcpOutput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1);
}
/**
@@ -328,7 +340,7 @@ iptablesAddUdpOutput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0);
}
/**
@@ -346,7 +358,7 @@ iptablesRemoveUdpOutput(virFirewall *fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0);
}
@@ -359,7 +371,7 @@ iptablesForwardAllowOut(virFirewall *fw,
unsigned int prefix,
const char *iface,
const char *physdev,
- int action)
+ iptablesAction action)
{
g_autofree char *networkstr = NULL;
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
@@ -371,7 +383,7 @@ iptablesForwardAllowOut(virFirewall *fw,
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
@@ -381,7 +393,7 @@ iptablesForwardAllowOut(virFirewall *fw,
else
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
@@ -412,7 +424,7 @@ iptablesAddForwardAllowOut(virFirewall *fw,
const char *physdev)
{
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
@@ -436,7 +448,7 @@ iptablesRemoveForwardAllowOut(virFirewall *fw,
const char *physdev)
{
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
@@ -449,7 +461,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
unsigned int prefix,
const char *iface,
const char *physdev,
- int action)
+ iptablesAction action)
{
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@@ -461,7 +473,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
@@ -473,7 +485,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
else
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
@@ -506,7 +518,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw,
const char *physdev)
{
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
@@ -530,7 +542,7 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
const char *physdev)
{
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
/* Allow all traffic destined to the bridge, with a valid network address
@@ -541,7 +553,7 @@ iptablesForwardAllowIn(virFirewall *fw,
unsigned int prefix,
const char *iface,
const char *physdev,
- int action)
+ iptablesAction action)
{
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@@ -553,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw,
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
@@ -563,7 +575,7 @@ iptablesForwardAllowIn(virFirewall *fw,
else
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
@@ -593,7 +605,7 @@ iptablesAddForwardAllowIn(virFirewall *fw,
const char *physdev)
{
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
@@ -617,18 +629,18 @@ iptablesRemoveForwardAllowIn(virFirewall *fw,
const char *physdev)
{
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
static void
iptablesForwardAllowCross(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
- int action)
+ iptablesAction action)
{
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
@@ -652,7 +664,7 @@ iptablesAddForwardAllowCross(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT);
+ iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_INSERT);
}
/**
@@ -671,18 +683,18 @@ iptablesRemoveForwardAllowCross(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE);
+ iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_DELETE);
}
static void
iptablesForwardRejectOut(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
- int action)
+ iptablesAction action)
{
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
@@ -704,7 +716,7 @@ iptablesAddForwardRejectOut(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT);
+ iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_INSERT);
}
/**
@@ -722,7 +734,7 @@ iptablesRemoveForwardRejectOut(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE);
+ iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_DELETE);
}
@@ -730,11 +742,11 @@ static void
iptablesForwardRejectIn(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
- int action)
+ iptablesAction action)
{
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
@@ -756,7 +768,7 @@ iptablesAddForwardRejectIn(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT);
+ iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_INSERT);
}
/**
@@ -774,7 +786,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE);
+ iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_DELETE);
}
@@ -789,7 +801,7 @@ iptablesForwardMasquerade(virFirewall *fw,
virSocketAddrRange *addr,
virPortRange *port,
const char *protocol,
- int action)
+ iptablesAction action)
{
g_autofree char *networkstr = NULL;
g_autofree char *addrStartStr = NULL;
@@ -816,7 +828,7 @@ iptablesForwardMasquerade(virFirewall *fw,
if (protocol && protocol[0]) {
fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"-p", protocol,
@@ -825,7 +837,7 @@ iptablesForwardMasquerade(virFirewall *fw,
} else {
fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"!", "--destination", networkstr,
@@ -900,7 +912,7 @@ iptablesAddForwardMasquerade(virFirewall *fw,
{
return iptablesForwardMasquerade(fw, netaddr, prefix,
physdev, addr, port, protocol,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
@@ -927,7 +939,7 @@ iptablesRemoveForwardMasquerade(virFirewall *fw,
{
return iptablesForwardMasquerade(fw, netaddr, prefix,
physdev, addr, port, protocol,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
@@ -940,7 +952,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
unsigned int prefix,
const char *physdev,
const char *destaddr,
- int action)
+ iptablesAction action)
{
g_autofree char *networkstr = NULL;
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
@@ -952,7 +964,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
@@ -962,7 +974,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
else
virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
@@ -994,7 +1006,7 @@ iptablesAddDontMasquerade(virFirewall *fw,
const char *destaddr)
{
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
- physdev, destaddr, VIR_NETFILTER_INSERT);
+ physdev, destaddr, IPTABLES_ACTION_INSERT);
}
/**
@@ -1020,7 +1032,7 @@ iptablesRemoveDontMasquerade(virFirewall *fw,
{
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
physdev, destaddr,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
@@ -1028,13 +1040,13 @@ static void
iptablesOutputFixUdpChecksum(virFirewall *fw,
const char *iface,
int port,
- int action)
+ iptablesAction action)
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
@@ -1059,7 +1071,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT);
+ iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_INSERT);
}
/**
@@ -1076,7 +1088,7 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE);
+ iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_DELETE);
}
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 07/30] util: check for 0 args when applying iptables rule
In normal practice a virFirewallCmd should never have 0 args by the
time it gets to the Apply stage, but at some time while debugging one
of the other patches in this series, exactly that happened (due to a
bug that was since squashed), and having a check for it helped
debugging, so let's permanently check for it.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/virfirewall.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 902cb8e445..1897a66070 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -538,6 +538,12 @@ virFirewallApplyCmd(virFirewall *firewall,
if (fwCmd->ignoreErrors)
ignoreErrors = fwCmd->ignoreErrors;
+ if (fwCmd->argsLen == 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Can't apply empty firewall command"));
+ return -1;
+ }
+
if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0)
return -1;
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 08/30] util: add -w/--concurrent when applying a FirewallCmd rather than when building it
We will already need a separate function for virFirewallApplyCmd for
iptables vs. nftables, but the only reason for needing a separate
function for virFirewallAddCmd* is that iptables/ebtables need to have
an extra arg added for locking (to prevent multiple iptables commands
from running at the same time). We can just as well add in the
-w/--concurrent during virFirewallApplyCmd, so move the arg-add to
ApplyCmd to keep AddCmd simple.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/virfirewall.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 1897a66070..a57a79d4ce 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -213,20 +213,6 @@ virFirewallAddCmdFullV(virFirewall *firewall,
fwCmd->queryOpaque = opaque;
fwCmd->ignoreErrors = ignoreErrors;
- switch (fwCmd->layer) {
- case VIR_FIREWALL_LAYER_ETHERNET:
- ADD_ARG(fwCmd, "--concurrent");
- break;
- case VIR_FIREWALL_LAYER_IPV4:
- ADD_ARG(fwCmd, "-w");
- break;
- case VIR_FIREWALL_LAYER_IPV6:
- ADD_ARG(fwCmd, "-w");
- break;
- case VIR_FIREWALL_LAYER_LAST:
- break;
- }
-
while ((str = va_arg(args, char *)) != NULL)
ADD_ARG(fwCmd, str);
@@ -499,6 +485,19 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
cmd = virCommandNewArgList(bin, NULL);
+ /* lock to assure nobody else is messing with the tables while we are */
+ switch (fwCmd->layer) {
+ case VIR_FIREWALL_LAYER_ETHERNET:
+ virCommandAddArg(cmd, "--concurrent");
+ break;
+ case VIR_FIREWALL_LAYER_IPV4:
+ case VIR_FIREWALL_LAYER_IPV6:
+ virCommandAddArg(cmd, "-w");
+ break;
+ case VIR_FIREWALL_LAYER_LAST:
+ break;
+ }
+
for (i = 0; i < fwCmd->argsLen; i++)
virCommandAddArg(cmd, fwCmd->args[i]);
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 09/30] util: determine ignoreErrors value when creating virFirewallCmd, not when applying
We know at the time a virFirewallCmd is created (with
virFirewallAddCmd*()) whether or not we will later want to ignore
errors encountered when attempting to apply that command - if
ignoreErrors is set in the AddCmd or if the group has already had
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS set, then we ignore the errors.
Rather than setting the fwCmd->ignoreErrors only according to the arg
sent to virFirewallAddCmdFull(), and then later (at ApplyCmd-time)
combining that with the group transactionFlags setting (and passing it
all the way down the call chain), just combine the two flags right
away and store this final value in fwCmd->ignoreErrors when the
virFirewallCmd is created (thus avoiding the need to look at anything
other than fwCmd->ignoreErrors at the time the command is applied). Once
that is done, we can simply grab ignoreErrors from the object down in
virFirewallApply() rather than cluttering up the argument list on the
entire call chain.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/virfirewall.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index a57a79d4ce..56d43bfdde 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -211,14 +211,19 @@ virFirewallAddCmdFullV(virFirewall *firewall,
fwCmd->layer = layer;
fwCmd->queryCB = cb;
fwCmd->queryOpaque = opaque;
- fwCmd->ignoreErrors = ignoreErrors;
while ((str = va_arg(args, char *)) != NULL)
ADD_ARG(fwCmd, str);
if (group->addingRollback) {
+ fwCmd->ignoreErrors = true; /* always ignore errors when rolling back */
VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd);
} else {
+ /* when not rolling back, ignore errors if this group (transaction)
+ * was started with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS *or*
+ * if this specific rule was created with ignoreErrors == true
+ */
+ fwCmd->ignoreErrors = ignoreErrors || (group->actionFlags &
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd);
}
@@ -466,8 +471,7 @@ virFirewallCmdToString(const char *cmd,
static int
virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
- bool ignoreErrors,
- char **output)
+ char **output)
{
size_t i;
const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer);
@@ -511,7 +515,7 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
return -1;
if (status != 0) {
- if (ignoreErrors) {
+ if (fwCmd->ignoreErrors) {
VIR_DEBUG("Ignoring error running command");
} else {
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -528,22 +532,18 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
static int
virFirewallApplyCmd(virFirewall *firewall,
- virFirewallCmd *fwCmd,
- bool ignoreErrors)
+ virFirewallCmd *fwCmd)
{
g_autofree char *output = NULL;
g_auto(GStrv) lines = NULL;
- if (fwCmd->ignoreErrors)
- ignoreErrors = fwCmd->ignoreErrors;
-
if (fwCmd->argsLen == 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Can't apply empty firewall command"));
return -1;
}
- if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0)
+ if (virFirewallApplyCmdDirect(fwCmd, &output) < 0)
return -1;
if (fwCmd->queryCB && output) {
@@ -570,7 +570,7 @@ virFirewallApplyGroup(virFirewall *firewall,
size_t idx)
{
virFirewallGroup *group = firewall->groups[idx];
- bool ignoreErrors = (group->actionFlags &
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
size_t i;
VIR_INFO("Starting transaction for firewall=%p group=%p flags=0x%x",
@@ -578,9 +578,7 @@ virFirewallApplyGroup(virFirewall *firewall,
firewall->currentGroup = idx;
group->addingRollback = false;
for (i = 0; i < group->naction; i++) {
- if (virFirewallApplyCmd(firewall,
- group->action[i],
- ignoreErrors) < 0)
+ if (virFirewallApplyCmd(firewall, group->action[i]) < 0)
return -1;
}
return 0;
@@ -598,7 +596,7 @@ virFirewallRollbackGroup(virFirewall *firewall,
firewall->currentGroup = idx;
group->addingRollback = true;
for (i = 0; i < group->nrollback; i++)
- ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], true));
+ ignore_value(virFirewallApplyCmd(firewall, group->rollback[i]));
}
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 10/30] util/network: new virFirewallBackend enum
(This paragraph is for historical reference only, described only to
avoid confusion of past use of the name with its new use) In a past
life, virFirewallBackend had been a private static in virfirewall.c
that was set at daemon init time, and used to globally (i.e. for all
drivers in the daemon) determine whether to directly execute iptables
commands, or to run them indirectly via the firewalld passthrough
API. This was removed in commit d566cc55, since we decided that using
the firewalld passthrough API is never appropriate.
Now the same enum, virFirewallBackend, is being reintroduced, with a
different meaning and usage pattern. It will be used to pick between
using nftables commands or iptables commands (in either case directly
handled by libvirt, *not* via firewalld). Additionally, rather than
being a static known only within virfirewall.c and applying to all
firewall commands for all drivers, each virFirewall object will have
its own backend setting, which will be set during virFirewallNew() by
the driver who wants to add a firewall rule.
This will allow the nwfilter and network drivers to each have their
own backend setting, even when they coexist in a single unified
daemon. At least as important as that, it will also allow an instance
of the network driver to remove iptables rules that had been added by
a previous instance, and then add nftables rules for the new instance
(in the case that an admin, or possibly an update, switches the driver
backend from iptables to nftable)
Initially, the enum will only have one usable value -
VIR_FIREWALL_BACKEND_IPTABLES, and that will be hardcoded into all
calls to virFirewallNew(). The other enum value (along with a method
of setting it for each driver) will be added later, when it can be
used (when the nftables backend is in the code).
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 3 +++
src/network/network_iptables.c | 6 +++---
src/nwfilter/nwfilter_ebiptables_driver.c | 16 ++++++++--------
src/util/virebtables.c | 4 ++--
src/util/virfirewall.c | 15 ++++++++++++++-
src/util/virfirewall.h | 11 ++++++++++-
tests/virfirewalltest.c | 20 ++++++++++----------
7 files changed, 50 insertions(+), 25 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 533071d08c..6cb3003499 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2406,6 +2406,8 @@ virFileCacheSetPriv;
# util/virfirewall.h
virFirewallAddCmdFull;
virFirewallApply;
+virFirewallBackendTypeFromString;
+virFirewallBackendTypeToString;
virFirewallCmdAddArg;
virFirewallCmdAddArgFormat;
virFirewallCmdAddArgList;
@@ -2413,6 +2415,7 @@ virFirewallCmdAddArgSet;
virFirewallCmdGetArgCount;
virFirewallCmdToString;
virFirewallFree;
+virFirewallGetBackend;
virFirewallNew;
virFirewallRemoveCmd;
virFirewallStartRollback;
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index d7e749adf0..db35a4c5a0 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -131,7 +131,7 @@ iptablesPrivateChainCreate(virFirewall *fw,
int
iptablesSetupPrivateChains(virFirewallLayer layer)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
iptablesGlobalChain filter_chains[] = {
{"INPUT", VIR_IPTABLES_INPUT_CHAIN},
{"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN},
@@ -1597,7 +1597,7 @@ iptablesAddFirewallRules(virNetworkDef *def)
{
size_t i;
virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, 0);
@@ -1632,7 +1632,7 @@ iptablesRemoveFirewallRules(virNetworkDef *def)
{
size_t i;
virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
iptablesRemoveChecksumFirewallRules(fw, def);
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 3ef1bb576e..5082b62577 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2820,7 +2820,7 @@ static int
ebtablesApplyBasicRules(const char *ifname,
const virMacAddr *macaddr)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
char chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = CHAINPREFIX_HOST_IN_TEMP;
char macaddr_str[VIR_MAC_STRING_BUFLEN];
@@ -2893,7 +2893,7 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
char macaddr_str[VIR_MAC_STRING_BUFLEN];
unsigned int idx = 0;
unsigned int num_dhcpsrvrs;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virMacAddrFormat(macaddr, macaddr_str);
@@ -2995,7 +2995,7 @@ ebtablesApplyDropAllRules(const char *ifname)
{
char chain_in [MAX_CHAINNAME_LENGTH],
chain_out[MAX_CHAINNAME_LENGTH];
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
if (ebiptablesAllTeardown(ifname) < 0)
return -1;
@@ -3042,7 +3042,7 @@ ebtablesRemoveBasicRules(const char *ifname)
static int
ebtablesCleanAll(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
@@ -3302,7 +3302,7 @@ ebiptablesApplyNewRules(const char *ifname,
size_t nrules)
{
size_t i, j;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
g_autoptr(GHashTable) chains_in_set = virHashNew(NULL);
g_autoptr(GHashTable) chains_out_set = virHashNew(NULL);
bool haveEbtables = false;
@@ -3527,7 +3527,7 @@ ebiptablesTearNewRulesFW(virFirewall *fw, const char *ifname)
static int
ebiptablesTearNewRules(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
@@ -3539,7 +3539,7 @@ ebiptablesTearNewRules(const char *ifname)
static int
ebiptablesTearOldRules(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
@@ -3574,7 +3574,7 @@ ebiptablesTearOldRules(const char *ifname)
static int
ebiptablesAllTeardown(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
diff --git a/src/util/virebtables.c b/src/util/virebtables.c
index cabcbb3e81..8a361a2dbb 100644
--- a/src/util/virebtables.c
+++ b/src/util/virebtables.c
@@ -78,7 +78,7 @@ ebtablesContextFree(ebtablesContext *ctx)
int
ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
@@ -106,7 +106,7 @@ ebtablesForwardAllowIn(ebtablesContext *ctx,
const char *macaddr,
int action)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, 0);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 56d43bfdde..77de34533d 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -35,6 +35,10 @@
VIR_LOG_INIT("util.firewall");
+VIR_ENUM_IMPL(virFirewallBackend,
+ VIR_FIREWALL_BACKEND_LAST,
+ "iptables");
+
typedef struct _virFirewallGroup virFirewallGroup;
VIR_ENUM_DECL(virFirewallLayerCommand);
@@ -77,6 +81,7 @@ struct _virFirewall {
size_t ngroups;
virFirewallGroup **groups;
size_t currentGroup;
+ virFirewallBackend backend;
};
static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER;
@@ -98,14 +103,22 @@ virFirewallGroupNew(void)
*
* Returns the new firewall ruleset
*/
-virFirewall *virFirewallNew(void)
+virFirewall *virFirewallNew(virFirewallBackend backend)
{
virFirewall *firewall = g_new0(virFirewall, 1);
+ firewall->backend = backend;
return firewall;
}
+virFirewallBackend
+virFirewallGetBackend(virFirewall *firewall)
+{
+ return firewall->backend;
+}
+
+
static void
virFirewallCmdFree(virFirewallCmd *fwCmd)
{
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 956bf0e2bf..1ca1cce10a 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -21,6 +21,7 @@
#pragma once
#include "internal.h"
+#include "virenum.h"
typedef struct _virFirewall virFirewall;
@@ -34,9 +35,17 @@ typedef enum {
VIR_FIREWALL_LAYER_LAST,
} virFirewallLayer;
-virFirewall *virFirewallNew(void);
+typedef enum {
+ VIR_FIREWALL_BACKEND_IPTABLES,
+
+ VIR_FIREWALL_BACKEND_LAST,
+} virFirewallBackend;
+
+VIR_ENUM_DECL(virFirewallBackend);
+virFirewall *virFirewallNew(virFirewallBackend backend);
void virFirewallFree(virFirewall *firewall);
+virFirewallBackend virFirewallGetBackend(virFirewall *firewall);
/**
* virFirewallAddCmd:
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
index 45bb67cb21..38726dcc7a 100644
--- a/tests/virfirewalltest.c
+++ b/tests/virfirewalltest.c
@@ -62,7 +62,7 @@ static int
testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -102,7 +102,7 @@ static int
testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -148,7 +148,7 @@ static int
testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -222,7 +222,7 @@ static int
testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -275,7 +275,7 @@ static int
testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -327,7 +327,7 @@ static int
testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -372,7 +372,7 @@ static int
testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -437,7 +437,7 @@ static int
testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -505,7 +505,7 @@ static int
testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
@@ -682,7 +682,7 @@ static int
testFirewallQuery(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 11/30] network: add (empty) network.conf file to distribution files
This file is generated from network.conf.in because it will soon have
an item that must be modified according to meson buildtime config.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 3 ++
src/network/libvirtd_network.aug | 36 ++++++++++++++++++++++++
src/network/meson.build | 16 +++++++++++
src/network/network.conf.in | 3 ++
src/network/test_libvirtd_network.aug.in | 2 ++
5 files changed, 60 insertions(+)
create mode 100644 src/network/libvirtd_network.aug
create mode 100644 src/network/network.conf.in
create mode 100644 src/network/test_libvirtd_network.aug.in
diff --git a/libvirt.spec.in b/libvirt.spec.in
index bea3c827bc..0e8dc000f3 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -2120,6 +2120,9 @@ exit 0
%config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf
%{_datadir}/augeas/lenses/virtnetworkd.aug
%{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug
+%config(noreplace) %{_sysconfdir}/libvirt/network.conf
+%{_datadir}/augeas/lenses/libvirtd_network.aug
+%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug
%{_unitdir}/virtnetworkd.service
%{_unitdir}/virtnetworkd.socket
%{_unitdir}/virtnetworkd-ro.socket
diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_network.aug
new file mode 100644
index 0000000000..ae153d96a1
--- /dev/null
+++ b/src/network/libvirtd_network.aug
@@ -0,0 +1,36 @@
+(* /etc/libvirt/network.conf *)
+
+module Libvirtd_network =
+ autoload xfm
+
+ let eol = del /[ \t]*\n/ "\n"
+ let value_sep = del /[ \t]*=[ \t]*/ " = "
+ let indent = del /[ \t]*/ ""
+
+ let array_sep = del /,[ \t\n]*/ ", "
+ let array_start = del /\[[ \t\n]*/ "[ "
+ let array_end = del /\]/ "]"
+
+ let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/
"\""
+ let bool_val = store /0|1/
+ let int_val = store /[0-9]+/
+ let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/
""
+ let str_array_val = counter "el" . array_start . ( str_array_element . (
array_sep . str_array_element ) * ) ? . array_end
+
+ let str_entry (kw:string) = [ key kw . value_sep . str_val ]
+ let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
+ let int_entry (kw:string) = [ key kw . value_sep . int_val ]
+ let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
+
+ (* Each entry in the config is one of the following *)
+ let comment = [ label "#comment" . del /#[ \t]*/ "# " . store
/([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
+ let empty = [ label "#empty" . eol ]
+
+ let record = indent . eol
+
+ let lns = ( record | comment | empty ) *
+
+ let filter = incl "/etc/libvirt/network.conf"
+ . Util.stdexcl
+
+ let xfm = transform lns filter
diff --git a/src/network/meson.build b/src/network/meson.build
index 305e2d52fb..0336435862 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -49,6 +49,22 @@ if conf.has('WITH_NETWORK')
],
}
+ network_conf = configure_file(
+ input: 'network.conf.in',
+ output: 'network.conf',
+ configuration: configmake_conf,
+ )
+ virt_conf_files += network_conf
+ virt_aug_files += files('libvirtd_network.aug')
+ virt_test_aug_files += {
+ 'name': 'test_libvirtd_network.aug',
+ 'aug': files('test_libvirtd_network.aug.in'),
+ 'conf': network_conf,
+ 'test_name': 'libvirtd_network',
+ 'test_srcdir': meson.current_source_dir(),
+ 'test_builddir': meson.current_build_dir(),
+ }
+
virt_daemon_confs += {
'name': 'virtnetworkd',
}
diff --git a/src/network/network.conf.in b/src/network/network.conf.in
new file mode 100644
index 0000000000..5c84003f6d
--- /dev/null
+++ b/src/network/network.conf.in
@@ -0,0 +1,3 @@
+# Master configuration file for the network driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
diff --git a/src/network/test_libvirtd_network.aug.in
b/src/network/test_libvirtd_network.aug.in
new file mode 100644
index 0000000000..ffdca520ce
--- /dev/null
+++ b/src/network/test_libvirtd_network.aug.in
@@ -0,0 +1,2 @@
+module Test_libvirtd_network =
+ @CONFIG@
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 12/30] network: support setting firewallBackend from network.conf
It still can have only one useful value ("iptables"), but once a 2nd
value is supported, it will be selectable by setting
"firewall_backend=nftables" in /etc/libvirt/network.conf.
If firewall_backend isn't set in network.conf, then libvirt will check
to see if FIREWALL_BACKEND_DEFAULT_1 is available and, if so, set
that. (Since FIREWALL_BACKEND_DEFAULT_1 is currently "iptables", this
means checking to see it the iptables binary is present on the
system). If the default backend isn't available, that is considered a
fatal error (since no networks can be started anyway), so an error is
logged and startup of the network driver fails.
NB: network.conf is itself created from network.conf.in at build time,
and the advertised default setting of firewall_backend (in a commented
out line) is set from the meson_options.txt setting
"firewall_backend_default_1". This way the conf file will have correct
information no matter what ordering is chosen for default backend at
build time (as more backends are added, settings will be added for
"firewall_backend_default_n", and those will be settable in
meson_options.txt and on the meson commandline to change the ordering
of the auto-detection when no backend is set in network.conf).
virNetworkLoadDriverConfig() may look more complicated than necessary,
but as additional backends are added, it will be easier to add checks
for those backends (and to re-order the checks based on builders'
preferences).
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
meson.build | 4 ++
meson_options.txt | 1 +
src/network/bridge_driver.c | 22 +++----
src/network/bridge_driver_conf.c | 75 +++++++++++++++++++++---
src/network/bridge_driver_conf.h | 3 +
src/network/bridge_driver_linux.c | 6 +-
src/network/bridge_driver_nop.c | 6 +-
src/network/bridge_driver_platform.h | 6 +-
src/network/libvirtd_network.aug | 5 +-
src/network/meson.build | 22 ++++++-
src/network/network.conf.in | 8 +++
src/network/test_libvirtd_network.aug.in | 3 +
tests/networkxml2firewalltest.c | 2 +-
13 files changed, 134 insertions(+), 29 deletions(-)
diff --git a/meson.build b/meson.build
index 063233e05e..af3719a734 100644
--- a/meson.build
+++ b/meson.build
@@ -1638,6 +1638,10 @@ endif
if not get_option('driver_network').disabled() and
conf.has('WITH_LIBVIRTD')
conf.set('WITH_NETWORK', 1)
+ firewall_backend_default_1 = get_option('firewall_backend_default_1')
+ firewall_backend_default_conf = firewall_backend_default_1
+ firewall_backend_default_1 = 'VIR_FIREWALL_BACKEND_' +
firewall_backend_default_1.to_upper()
+ conf.set('FIREWALL_BACKEND_DEFAULT_1', firewall_backend_default_1)
elif get_option('driver_network').enabled()
error('libvirtd must be enabled to build the network driver')
endif
diff --git a/meson_options.txt b/meson_options.txt
index 6258e50c91..41342793bc 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -115,6 +115,7 @@ option('dtrace', type: 'feature', value:
'auto', description: 'use dtrace for st
option('firewalld', type: 'feature', value: 'auto', description:
'firewalld support')
# dep:firewalld
option('firewalld_zone', type: 'feature', value: 'auto',
description: 'whether to install firewalld libvirt zone')
+option('firewall_backend_default_1', type: 'string', value:
'iptables', description: 'first firewall backend to try when none is
specified')
option('host_validate', type: 'feature', value: 'auto',
description: 'build virt-host-validate')
option('init_script', type: 'combo', choices: ['systemd',
'openrc', 'check', 'none'], value: 'check', description:
'Style of init script to install')
option('loader_nvram', type: 'string', value: '', description:
'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items
are separated by a colon.')
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index e5f9ecf9e8..82e1052978 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1682,6 +1682,7 @@ static int
networkReloadFirewallRulesHelper(virNetworkObj *obj,
void *opaque G_GNUC_UNUSED)
{
+ g_autoptr(virNetworkDriverConfig) cfg =
virNetworkDriverGetConfig(networkGetDriver());
VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
virNetworkDef *def = virNetworkObjGetDef(obj);
@@ -1695,8 +1696,8 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj,
* network type, forward='open', doesn't need this because it
* has no iptables rules.
*/
- networkRemoveFirewallRules(def);
- ignore_value(networkAddFirewallRules(def));
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
+ ignore_value(networkAddFirewallRules(def, cfg->firewallBackend));
break;
case VIR_NETWORK_FORWARD_OPEN:
@@ -1948,7 +1949,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
/* Add "once per network" rules */
if (def->forward.type != VIR_NETWORK_FORWARD_OPEN &&
- networkAddFirewallRules(def) < 0)
+ networkAddFirewallRules(def, cfg->firewallBackend) < 0)
goto error;
firewalRulesAdded = true;
@@ -2066,7 +2067,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
if (firewalRulesAdded &&
def->forward.type != VIR_NETWORK_FORWARD_OPEN)
- networkRemoveFirewallRules(def);
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
virNetworkObjUnrefMacMap(obj);
@@ -2078,7 +2079,8 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
static int
-networkShutdownNetworkVirtual(virNetworkObj *obj)
+networkShutdownNetworkVirtual(virNetworkObj *obj,
+ virNetworkDriverConfig *cfg)
{
virNetworkDef *def = virNetworkObjGetDef(obj);
pid_t dnsmasqPid;
@@ -2104,7 +2106,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj)
ignore_value(virNetDevSetOnline(def->bridge, false));
if (def->forward.type != VIR_NETWORK_FORWARD_OPEN)
- networkRemoveFirewallRules(def);
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
ignore_value(virNetDevBridgeDelete(def->bridge));
@@ -2408,7 +2410,7 @@ networkShutdownNetwork(virNetworkDriverState *driver,
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
case VIR_NETWORK_FORWARD_OPEN:
- ret = networkShutdownNetworkVirtual(obj);
+ ret = networkShutdownNetworkVirtual(obj, cfg);
break;
case VIR_NETWORK_FORWARD_BRIDGE:
@@ -3259,7 +3261,7 @@ networkUpdate(virNetworkPtr net,
* old rules (and remember to load new ones after the
* update).
*/
- networkRemoveFirewallRules(def);
+ networkRemoveFirewallRules(def, cfg->firewallBackend);
needFirewallRefresh = true;
break;
default:
@@ -3287,14 +3289,14 @@ networkUpdate(virNetworkPtr net,
parentIndex, xml,
network_driver->xmlopt, flags) < 0) {
if (needFirewallRefresh)
- ignore_value(networkAddFirewallRules(def));
+ ignore_value(networkAddFirewallRules(def, cfg->firewallBackend));
goto cleanup;
}
/* @def is replaced */
def = virNetworkObjGetDef(obj);
- if (needFirewallRefresh && networkAddFirewallRules(def) < 0)
+ if (needFirewallRefresh && networkAddFirewallRules(def,
cfg->firewallBackend) < 0)
goto cleanup;
if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) {
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index a2edafa837..06abab516a 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -25,6 +25,7 @@
#include "datatypes.h"
#include "virlog.h"
#include "virerror.h"
+#include "virfile.h"
#include "virutil.h"
#include "bridge_driver_conf.h"
@@ -32,7 +33,6 @@
VIR_LOG_INIT("network.bridge_driver");
-
static virClass *virNetworkDriverConfigClass;
static void virNetworkDriverConfigDispose(void *obj);
@@ -62,18 +62,75 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
const char *filename)
{
g_autoptr(virConf) conf = NULL;
+ g_autofree char *fwBackendStr = NULL;
+ bool fwBackendSelected = false;
+ size_t i;
+ int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1 };
+ G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST);
+
+ if (access(filename, R_OK) == 0) {
+
+ conf = virConfReadFile(filename, 0);
+ if (!conf)
+ return -1;
+
+ /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */
+
+ if (virConfGetValueString(conf, "firewall_backend", &fwBackendStr)
< 0)
+ return -1;
+
+ if (fwBackendStr) {
+ fwBackends[0] = virFirewallBackendTypeFromString(fwBackendStr);
+
+ if (fwBackends[0] < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unrecognized 'firewall_backend =
'%1$s' set in network driver config file %2$s"),
+ fwBackendStr, filename);
+ return -1;
+ }
+ VIR_INFO("firewall_backend setting requested from config file %s:
'%s'",
+ virFirewallBackendTypeToString(fwBackends[0]), filename);
+ }
+ }
- /* if file doesn't exist or is unreadable, ignore the "error" */
- if (access(filename, R_OK) == -1)
- return 0;
+ for (i = 0; i < G_N_ELEMENTS(fwBackends) && !fwBackendSelected; i++) {
- conf = virConfReadFile(filename, 0);
- if (!conf)
- return -1;
+ switch ((virFirewallBackend)fwBackends[i]) {
+ case VIR_FIREWALL_BACKEND_IPTABLES: {
+ g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES);
- /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */
+ if (iptablesInPath)
+ fwBackendSelected = true;
+ break;
+ }
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, fwBackends[i]);
+ return -1;
+ }
- return 0;
+ if (fwBackendSelected) {
+
+ cfg->firewallBackend = fwBackends[i];
+
+ } else if (fwBackendStr) {
+
+ /* explicitly requested backend not found - this is a failure */
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("requested firewall_backend '%1$s' is not
available"),
+ virFirewallBackendTypeToString(fwBackends[i]));
+ return -1;
+ }
+ }
+
+ if (fwBackendSelected) {
+ VIR_INFO("using firewall_backend: '%s'",
+ virFirewallBackendTypeToString(cfg->firewallBackend));
+ return 0;
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("could not find a usable firewall backend"));
+ return -1;
+ }
}
diff --git a/src/network/bridge_driver_conf.h b/src/network/bridge_driver_conf.h
index 426c16198d..8f221f391e 100644
--- a/src/network/bridge_driver_conf.h
+++ b/src/network/bridge_driver_conf.h
@@ -26,6 +26,7 @@
#include "virdnsmasq.h"
#include "virnetworkobj.h"
#include "object_event.h"
+#include "virfirewall.h"
typedef struct _virNetworkDriverConfig virNetworkDriverConfig;
struct _virNetworkDriverConfig {
@@ -37,6 +38,8 @@ struct _virNetworkDriverConfig {
char *stateDir;
char *pidDir;
char *dnsmasqStateDir;
+
+ virFirewallBackend firewallBackend;
};
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virNetworkDriverConfig, virObjectUnref);
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 4914d5c903..c2ef27f251 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -303,7 +303,8 @@ int networkCheckRouteCollision(virNetworkDef *def)
int
-networkAddFirewallRules(virNetworkDef *def)
+networkAddFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend G_GNUC_UNUSED)
{
if (virOnce(&createdOnce, networkSetupPrivateChains) < 0)
return -1;
@@ -394,7 +395,8 @@ networkAddFirewallRules(virNetworkDef *def)
void
-networkRemoveFirewallRules(virNetworkDef *def)
+networkRemoveFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend G_GNUC_UNUSED)
{
iptablesRemoveFirewallRules(def);
}
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
index 6eee6043e6..7d9a061e50 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -36,11 +36,13 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
return 0;
}
-int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED)
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend G_GNUC_UNUSED)
{
return 0;
}
-void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED)
+void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend G_GNUC_UNUSED)
{
}
diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h
index b720d343be..7443c3129f 100644
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -32,6 +32,8 @@ void networkPostReloadFirewallRules(bool startup);
int networkCheckRouteCollision(virNetworkDef *def);
-int networkAddFirewallRules(virNetworkDef *def);
+int networkAddFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend);
-void networkRemoveFirewallRules(virNetworkDef *def);
+void networkRemoveFirewallRules(virNetworkDef *def,
+ virFirewallBackend firewallBackend);
diff --git a/src/network/libvirtd_network.aug b/src/network/libvirtd_network.aug
index ae153d96a1..5d6d72dd92 100644
--- a/src/network/libvirtd_network.aug
+++ b/src/network/libvirtd_network.aug
@@ -22,11 +22,14 @@ module Libvirtd_network =
let int_entry (kw:string) = [ key kw . value_sep . int_val ]
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
+ let firewall_backend_entry = str_entry "firewall_backend"
+
(* Each entry in the config is one of the following *)
+ let entry = firewall_backend_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store
/([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
- let record = indent . eol
+ let record = indent . entry . eol
let lns = ( record | comment | empty ) *
diff --git a/src/network/meson.build b/src/network/meson.build
index 0336435862..c1934d2e68 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -49,16 +49,34 @@ if conf.has('WITH_NETWORK')
],
}
+ network_options_conf = configuration_data({
+ 'FIREWALL_BACKEND': firewall_backend_default_conf,
+ })
+
network_conf = configure_file(
input: 'network.conf.in',
output: 'network.conf',
- configuration: configmake_conf,
+ configuration: network_options_conf,
)
+
+ network_options_hack_conf = configuration_data({
+ 'FIREWALL_BACKEND': firewall_backend_default_conf,
+ # This hack is necessary because the output file is going to be
+ # used as input for another configure_file() call later, which
+ # will take care of substituting @CONFIG@ with useful data
+ 'CONFIG': '@CONFIG@',
+ })
+ test_libvirtd_network_aug_tmp = configure_file(
+ input: 'test_libvirtd_network.aug.in',
+ output: 'test_libvirtd_network.aug.tmp',
+ configuration: network_options_hack_conf,
+ )
+
virt_conf_files += network_conf
virt_aug_files += files('libvirtd_network.aug')
virt_test_aug_files += {
'name': 'test_libvirtd_network.aug',
- 'aug': files('test_libvirtd_network.aug.in'),
+ 'aug': test_libvirtd_network_aug_tmp,
'conf': network_conf,
'test_name': 'libvirtd_network',
'test_srcdir': meson.current_source_dir(),
diff --git a/src/network/network.conf.in b/src/network/network.conf.in
index 5c84003f6d..ec75e125d8 100644
--- a/src/network/network.conf.in
+++ b/src/network/network.conf.in
@@ -1,3 +1,11 @@
# Master configuration file for the network driver.
# All settings described here are optional - if omitted, sensible
# defaults are used.
+
+# firewall_backend:
+#
+# determines which subsystem to use to setup firewall packet
+# filtering rules for virtual networks. Currently the only supported
+# selection is "iptables".
+#
+#firewall_backend = "@FIREWALL_BACKEND@"
diff --git a/src/network/test_libvirtd_network.aug.in
b/src/network/test_libvirtd_network.aug.in
index ffdca520ce..9e29a9192f 100644
--- a/src/network/test_libvirtd_network.aug.in
+++ b/src/network/test_libvirtd_network.aug.in
@@ -1,2 +1,5 @@
module Test_libvirtd_network =
@CONFIG@
+
+ test Libvirtd_network.lns get conf =
+{ "firewall_backend" = "@FIREWALL_BACKEND@" }
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index cb66a26294..3a9f409e2a 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -98,7 +98,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
return -1;
- if (networkAddFirewallRules(def) < 0)
+ if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0)
return -1;
actual = actualargv = virBufferContentAndReset(&buf);
--
2.45.0
5:14 a.m.
New subject: [PATCH v5 12/30] network: support setting firewallBackend from
network.conf
On Fri, May 17, 2024 at 01:29:49PM -0400, Laine Stump wrote:
It still can have only one useful value ("iptables"), but
once a 2nd
value is supported, it will be selectable by setting
"firewall_backend=nftables" in /etc/libvirt/network.conf.
If firewall_backend isn't set in network.conf, then libvirt will check
to see if FIREWALL_BACKEND_DEFAULT_1 is available and, if so, set
that. (Since FIREWALL_BACKEND_DEFAULT_1 is currently "iptables", this
means checking to see it the iptables binary is present on the
system). If the default backend isn't available, that is considered a
fatal error (since no networks can be started anyway), so an error is
logged and startup of the network driver fails.
NB: network.conf is itself created from network.conf.in at build time,
and the advertised default setting of firewall_backend (in a commented
out line) is set from the meson_options.txt setting
"firewall_backend_default_1". This way the conf file will have correct
information no matter what ordering is chosen for default backend at
build time (as more backends are added, settings will be added for
"firewall_backend_default_n", and those will be settable in
meson_options.txt and on the meson commandline to change the ordering
of the auto-detection when no backend is set in network.conf).
virNetworkLoadDriverConfig() may look more complicated than necessary,
but as additional backends are added, it will be easier to add checks
for those backends (and to re-order the checks based on builders'
preferences).
Signed-off-by: Laine Stump <laine(a)redhat.com>
@@ -62,18 +62,75 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig
*cfg G_GNUC_UNUSED,
const char *filename)
{
g_autoptr(virConf) conf = NULL;
+ g_autofree char *fwBackendStr = NULL;
+ bool fwBackendSelected = false;
+ size_t i;
+ int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1 };
+ G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST);
I'd say we shoule remove this assert and use:
size_t nfwBackends = G_N_ELEMENTS(fwBackends));
+
+ if (access(filename, R_OK) == 0) {
+
+ conf = virConfReadFile(filename, 0);
+ if (!conf)
+ return -1;
+
+ /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */
+
+ if (virConfGetValueString(conf, "firewall_backend", &fwBackendStr)
< 0)
+ return -1;
+
+ if (fwBackendStr) {
+ fwBackends[0] = virFirewallBackendTypeFromString(fwBackendStr);
+
+ if (fwBackends[0] < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unrecognized 'firewall_backend =
'%1$s' set in network driver config file %2$s"),
+ fwBackendStr, filename);
+ return -1;
+ }
+ VIR_INFO("firewall_backend setting requested from config file %s:
'%s'",
+ virFirewallBackendTypeToString(fwBackends[0]), filename);
Here set
nfwBackends = 1;
since when a config param is set, we don't want to ever fallback to
the 2nd entry
+ }
+ }
- /* if file doesn't exist or is unreadable, ignore the "error" */
- if (access(filename, R_OK) == -1)
- return 0;
+ for (i = 0; i < G_N_ELEMENTS(fwBackends) && !fwBackendSelected; i++) {
s/G_N_ELEMENTS(...)/nfwBackends/;
- conf = virConfReadFile(filename, 0);
- if (!conf)
- return -1;
+ switch ((virFirewallBackend)fwBackends[i]) {
+ case VIR_FIREWALL_BACKEND_IPTABLES: {
+ g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES);
- /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */
+ if (iptablesInPath)
+ fwBackendSelected = true;
+ break;
+ }
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, fwBackends[i]);
+ return -1;
+ }
- return 0;
+ if (fwBackendSelected) {
+
+ cfg->firewallBackend = fwBackends[i];
+
+ } else if (fwBackendStr) {
+
+ /* explicitly requested backend not found - this is a failure */
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("requested firewall_backend '%1$s' is not
available"),
+ virFirewallBackendTypeToString(fwBackends[i]));
+ return -1;
+ }
+ }
+
+ if (fwBackendSelected) {
+ VIR_INFO("using firewall_backend: '%s'",
+ virFirewallBackendTypeToString(cfg->firewallBackend));
+ return 0;
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("could not find a usable firewall backend"));
+ return -1;
+ }
}
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
11:14 a.m.
New subject: [PATCH v5 12/30] network: support setting firewallBackend from
network.conf
On 5/20/24 6:14 AM, Daniel P. Berrangé wrote:
On Fri, May 17, 2024 at 01:29:49PM -0400, Laine Stump wrote:
> It still can have only one useful value ("iptables"), but once a 2nd
> value is supported, it will be selectable by setting
> "firewall_backend=nftables" in /etc/libvirt/network.conf.
>
> If firewall_backend isn't set in network.conf, then libvirt will check
> to see if FIREWALL_BACKEND_DEFAULT_1 is available and, if so, set
> that. (Since FIREWALL_BACKEND_DEFAULT_1 is currently "iptables", this
> means checking to see it the iptables binary is present on the
> system). If the default backend isn't available, that is considered a
> fatal error (since no networks can be started anyway), so an error is
> logged and startup of the network driver fails.
>
> NB: network.conf is itself created from network.conf.in at build time,
> and the advertised default setting of firewall_backend (in a commented
> out line) is set from the meson_options.txt setting
> "firewall_backend_default_1". This way the conf file will have correct
> information no matter what ordering is chosen for default backend at
> build time (as more backends are added, settings will be added for
> "firewall_backend_default_n", and those will be settable in
> meson_options.txt and on the meson commandline to change the ordering
> of the auto-detection when no backend is set in network.conf).
>
> virNetworkLoadDriverConfig() may look more complicated than necessary,
> but as additional backends are added, it will be easier to add checks
> for those backends (and to re-order the checks based on builders'
> preferences).
>
> Signed-off-by: Laine Stump <laine(a)redhat.com>
> @@ -62,18 +62,75 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
> const char *filename)
> {
> g_autoptr(virConf) conf = NULL;
> + g_autofree char *fwBackendStr = NULL;
> + bool fwBackendSelected = false;
> + size_t i;
> + int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1 };
> + G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST);
I'd say we shoule remove this assert and use:
size_t nfwBackends = G_N_ELEMENTS(fwBackends));
The reason I put in the assert was to make sure there is a compile-time
error if someone adds a new backend and forgets to add an entry in the
above array, or to add a new FIREWALL_BACKEND_n in the meson_options +
an additional item for it in fwBackends (similar to typecasting ints
into enums so the compile will catch it when you add an enum value and
forget to add a case to a switch statement).
> +
> + if (access(filename, R_OK) == 0) {
> +
> + conf = virConfReadFile(filename, 0);
> + if (!conf)
> + return -1;
> +
> + /* use virConfGetValue*(conf, ...) functions to read any settings into cfg
*/
> +
> + if (virConfGetValueString(conf, "firewall_backend",
&fwBackendStr) < 0)
> + return -1;
> +
> + if (fwBackendStr) {
> + fwBackends[0] = virFirewallBackendTypeFromString(fwBackendStr);
> +
> + if (fwBackends[0] < 0) {
> + virReportError(VIR_ERR_INTERNAL_ERROR,
> + _("unrecognized 'firewall_backend =
'%1$s' set in network driver config file %2$s"),
> + fwBackendStr, filename);
> + return -1;
> + }
> + VIR_INFO("firewall_backend setting requested from config file %s:
'%s'",
> + virFirewallBackendTypeToString(fwBackends[0]), filename);
Here set
nfwBackends = 1;
since when a config param is set, we don't want to ever fallback to
the 2nd entry
That is taken care of by [see [*] below], but I'll add this suggestion
anyway to reduce the brain cells required for someone reading through
the code :-) (and also as a backup in case the code at [*] gets changed
in the future).
> + }
> + }
>
> - /* if file doesn't exist or is unreadable, ignore the "error" */
> - if (access(filename, R_OK) == -1)
> - return 0;
> + for (i = 0; i < G_N_ELEMENTS(fwBackends) && !fwBackendSelected; i++)
{
s/G_N_ELEMENTS(...)/nfwBackends/;
>
> - conf = virConfReadFile(filename, 0);
> - if (!conf)
> - return -1;
> + switch ((virFirewallBackend)fwBackends[i]) {
> + case VIR_FIREWALL_BACKEND_IPTABLES: {
> + g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES);
>
> - /* use virConfGetValue*(conf, ...) functions to read any settings into cfg */
> + if (iptablesInPath)
> + fwBackendSelected = true;
> + break;
> + }
> + case VIR_FIREWALL_BACKEND_LAST:
> + virReportEnumRangeError(virFirewallBackend, fwBackends[i]);
> + return -1;
> + }
>
> - return 0;
> + if (fwBackendSelected) {
> +
> + cfg->firewallBackend = fwBackends[i];
> +
[*] The else clause just below this comment makes sure that if a backend
is specified in the config (and thus fwBackendStr is non-null) then
we'll never fall back to one of the alternates, but will instead
immediately log an error and fail. And it has the added advantage (over
just setting nFwBackends = 1) of giving us an easy way to differentiate
the log message of "couldn't find a working backend among all the
possibilities" and "the backend you specifically requested is
unavailable".
> + } else if (fwBackendStr) {
> +
> + /* explicitly requested backend not found - this is a failure */
> + virReportError(VIR_ERR_INTERNAL_ERROR,
> + _("requested firewall_backend '%1$s' is not
available"),
> + virFirewallBackendTypeToString(fwBackends[i]));
> + return -1;
> + }
> + }
> +
> + if (fwBackendSelected) {
> + VIR_INFO("using firewall_backend: '%s'",
> + virFirewallBackendTypeToString(cfg->firewallBackend));
> + return 0;
> + } else {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("could not find a usable firewall backend"));
> + return -1;
> + }
> }
>
With regards,
Daniel
9:36 a.m.
New subject: [PATCH v5 12/30] network: support setting firewallBackend from
network.conf
On Mon, May 20, 2024 at 12:14:26PM -0400, Laine Stump wrote:
On 5/20/24 6:14 AM, Daniel P. Berrangé wrote:
> On Fri, May 17, 2024 at 01:29:49PM -0400, Laine Stump wrote:
> > It still can have only one useful value ("iptables"), but once a 2nd
> > value is supported, it will be selectable by setting
> > "firewall_backend=nftables" in /etc/libvirt/network.conf.
> >
> > If firewall_backend isn't set in network.conf, then libvirt will check
> > to see if FIREWALL_BACKEND_DEFAULT_1 is available and, if so, set
> > that. (Since FIREWALL_BACKEND_DEFAULT_1 is currently "iptables",
this
> > means checking to see it the iptables binary is present on the
> > system). If the default backend isn't available, that is considered a
> > fatal error (since no networks can be started anyway), so an error is
> > logged and startup of the network driver fails.
> >
> > NB: network.conf is itself created from network.conf.in at build time,
> > and the advertised default setting of firewall_backend (in a commented
> > out line) is set from the meson_options.txt setting
> > "firewall_backend_default_1". This way the conf file will have
correct
> > information no matter what ordering is chosen for default backend at
> > build time (as more backends are added, settings will be added for
> > "firewall_backend_default_n", and those will be settable in
> > meson_options.txt and on the meson commandline to change the ordering
> > of the auto-detection when no backend is set in network.conf).
> >
> > virNetworkLoadDriverConfig() may look more complicated than necessary,
> > but as additional backends are added, it will be easier to add checks
> > for those backends (and to re-order the checks based on builders'
> > preferences).
> >
> > Signed-off-by: Laine Stump <laine(a)redhat.com>
>
> > @@ -62,18 +62,75 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
> > const char *filename)
> > {
> > g_autoptr(virConf) conf = NULL;
> > + g_autofree char *fwBackendStr = NULL;
> > + bool fwBackendSelected = false;
> > + size_t i;
> > + int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1 };
> > + G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST);
>
> I'd say we shoule remove this assert and use:
>
> size_t nfwBackends = G_N_ELEMENTS(fwBackends));
The reason I put in the assert was to make sure there is a compile-time
error if someone adds a new backend and forgets to add an entry in the above
array, or to add a new FIREWALL_BACKEND_n in the meson_options + an
additional item for it in fwBackends (similar to typecasting ints into enums
so the compile will catch it when you add an enum value and forget to add a
case to a switch statement).
Ah right, yes.
> > + if (access(filename, R_OK) == 0) {
> > +
> > + conf = virConfReadFile(filename, 0);
> > + if (!conf)
> > + return -1;
> > +
> > + /* use virConfGetValue*(conf, ...) functions to read any settings into
cfg */
> > +
> > + if (virConfGetValueString(conf, "firewall_backend",
&fwBackendStr) < 0)
> > + return -1;
> > +
> > + if (fwBackendStr) {
> > + fwBackends[0] = virFirewallBackendTypeFromString(fwBackendStr);
> > +
> > + if (fwBackends[0] < 0) {
> > + virReportError(VIR_ERR_INTERNAL_ERROR,
> > + _("unrecognized 'firewall_backend =
'%1$s' set in network driver config file %2$s"),
> > + fwBackendStr, filename);
> > + return -1;
> > + }
> > + VIR_INFO("firewall_backend setting requested from config file
%s: '%s'",
> > + virFirewallBackendTypeToString(fwBackends[0]),
filename);
>
> Here set
>
> nfwBackends = 1;
>
> since when a config param is set, we don't want to ever fallback to
> the 2nd entry
That is taken care of by [see [*] below], but I'll add this suggestion
anyway to reduce the brain cells required for someone reading through the
code :-) (and also as a backup in case the code at [*] gets changed in the
future).
Yeah, the current code works, but is a bit confusing to me.
Meanwhile
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
>
> > + }
> > + }
> > - /* if file doesn't exist or is unreadable, ignore the
"error" */
> > - if (access(filename, R_OK) == -1)
> > - return 0;
> > + for (i = 0; i < G_N_ELEMENTS(fwBackends) && !fwBackendSelected;
i++) {
>
> s/G_N_ELEMENTS(...)/nfwBackends/;
>
> > - conf = virConfReadFile(filename, 0);
> > - if (!conf)
> > - return -1;
> > + switch ((virFirewallBackend)fwBackends[i]) {
> > + case VIR_FIREWALL_BACKEND_IPTABLES: {
> > + g_autofree char *iptablesInPath = virFindFileInPath(IPTABLES);
> > - /* use virConfGetValue*(conf, ...) functions to read any settings into cfg
*/
> > + if (iptablesInPath)
> > + fwBackendSelected = true;
> > + break;
> > + }
> > + case VIR_FIREWALL_BACKEND_LAST:
> > + virReportEnumRangeError(virFirewallBackend, fwBackends[i]);
> > + return -1;
> > + }
> > - return 0;
> > + if (fwBackendSelected) {
> > +
> > + cfg->firewallBackend = fwBackends[i];
> > +
[*] The else clause just below this comment makes sure that if a backend is
specified in the config (and thus fwBackendStr is non-null) then we'll never
fall back to one of the alternates, but will instead immediately log an
error and fail. And it has the added advantage (over just setting
nFwBackends = 1) of giving us an easy way to differentiate the log message
of "couldn't find a working backend among all the possibilities" and
"the
backend you specifically requested is unavailable".
> > + } else if (fwBackendStr) {
> > +
> > + /* explicitly requested backend not found - this is a failure */
> > + virReportError(VIR_ERR_INTERNAL_ERROR,
> > + _("requested firewall_backend '%1$s'
is not available"),
> > + virFirewallBackendTypeToString(fwBackends[i]));
> > + return -1;
> > + }
> > + }
> > +
> > + if (fwBackendSelected) {
> > + VIR_INFO("using firewall_backend: '%s'",
> > + virFirewallBackendTypeToString(cfg->firewallBackend));
> > + return 0;
> > + } else {
> > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> > + _("could not find a usable firewall
backend"));
> > + return -1;
> > + }
> > }
>
> With regards,
> Daniel
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
10:08 p.m.
New subject: [PATCH v5 12/30] network: support setting firewallBackend from
network.conf
On 5/22/24 10:36 AM, Daniel P. Berrangé wrote:
On Mon, May 20, 2024 at 12:14:26PM -0400, Laine Stump wrote:
[...]
> That is taken care of by [see [*] below], but I'll add this
suggestion
> anyway to reduce the brain cells required for someone reading through the
> code :-) (and also as a backup in case the code at [*] gets changed in the
> future).
Yeah, the current code works, but is a bit confusing to me.
Meanwhile
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Okay, I'll squash this in before I push (to summarize, I add a variable
for nFwBackends, then set it to 1 if a backend is specified in the
config file, and finally I move the " else if (fwBackendStr)" clause
(the code that's executed if a backend was set in the conf file and it
failed) down below the loop (with the rest of the log messages).
diff --git a/src/network/bridge_driver_conf.c
b/src/network/bridge_driver_conf.c
index a083fa68e6..8f4956dace 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -69,6 +69,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
size_t i;
int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1,
FIREWALL_BACKEND_DEFAULT_2 };
G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) ==
VIR_FIREWALL_BACKEND_LAST);
+ int nFwBackends = G_N_ELEMENTS(fwBackends);
if (access(filename, R_OK) == 0) {
@@ -83,6 +84,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
if (fwBackendStr) {
fwBackends[0] =
virFirewallBackendTypeFromString(fwBackendStr);
+ nFwBackends = 1;
if (fwBackends[0] < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -95,7 +97,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
}
}
- for (i = 0; i < G_N_ELEMENTS(fwBackends) && !fwBackendSelected; i++) {
+ for (i = 0; i < nFwBackends && !fwBackendSelected; i++) {
switch ((virFirewallBackend)fwBackends[i]) {
case VIR_FIREWALL_BACKEND_IPTABLES: {
@@ -119,24 +121,23 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig
*cfg G_GNUC_UNUSED,
return -1;
}
- if (fwBackendSelected) {
-
+ if (fwBackendSelected)
cfg->firewallBackend = fwBackends[i];
-
- } else if (fwBackendStr) {
-
- /* explicitly requested backend not found - this is a
failure */
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("requested firewall_backend '%1$s' is not
available"),
- virFirewallBackendTypeToString(fwBackends[i]));
- return -1;
- }
}
if (fwBackendSelected) {
VIR_INFO("using firewall_backend: '%s'",
virFirewallBackendTypeToString(cfg->firewallBackend));
return 0;
+
+ } else if (fwBackendStr) {
+
+ /* the explicitly requested backend wasn't found - this is a
failure */
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("requested firewall_backend '%1$s' is not
available"),
+ fwBackendStr);
+ return -1;
+
} else {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("could not find a usable firewall backend"));
12:29 p.m.
New subject: [PATCH v5 13/30] network: framework to call backend-specific function to init private filter chains
Modify networkSetupPrivateChains() in the network driver to accept a
firewallBackend argument so it will know which backend to call. (right
now it always calls the iptables version of the lower level function,
but in the future it could instead call the nftables version based on
configuration).
But networkSetupPrivateChains() was being called with virOnce(), and
virOnce() doesn't support calling functions that require an argument
(it's based on pthread_once(), which accepts no arguments, so it's not
something we can easily fix in our implementation of virOnce()). To
solve this dilemma, this patch eliminates use of virOnce() by adding a
static lock, and putting all of networkSetupPrivateChains() (including
the setting of "chainInitDone") inside a lock guard - now the places
that used to call it via virOnce() can safely call it directly
instead (adding in the necessary argument to specify backend).
(If it turns out to be significant, we could optimize this by checking
for chainInitDone outside the lock guard, returning immediately if
it's already set, and then moving the setting of chainInitDone up to
the top of the guarded section.)
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/bridge_driver_linux.c | 57 +++++++++++++++++++++----------
1 file changed, 39 insertions(+), 18 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index c2ef27f251..988362abef 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -34,25 +34,45 @@ VIR_LOG_INIT("network.bridge_driver_linux");
#define PROC_NET_ROUTE "/proc/net/route"
-static virOnceControl createdOnce;
+static virMutex chainInitLock = VIR_MUTEX_INITIALIZER;
static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */
static virErrorPtr errInitV4;
static virErrorPtr errInitV6;
-/* Usually only called via virOnce, but can also be called directly in
- * response to firewalld reload (if chainInitDone == true)
- */
-static void networkSetupPrivateChains(void)
+
+static int
+networkFirewallSetupPrivateChains(virFirewallBackend backend,
+ virFirewallLayer layer)
+{
+ switch (backend) {
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ return iptablesSetupPrivateChains(layer);
+
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, backend);
+ return -1;
+ }
+ return 0;
+}
+
+
+static void
+networkSetupPrivateChains(virFirewallBackend backend,
+ bool force)
{
+ VIR_LOCK_GUARD lock = virLockGuardLock(&chainInitLock);
int rc;
+ if (chainInitDone && !force)
+ return;
+
VIR_DEBUG("Setting up global firewall chains");
g_clear_pointer(&errInitV4, virFreeError);
g_clear_pointer(&errInitV6, virFreeError);
- rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
+ rc = networkFirewallSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV4);
if (rc < 0) {
VIR_DEBUG("Failed to create global IPv4 chains: %s",
virGetLastErrorMessage());
@@ -65,7 +85,7 @@ static void networkSetupPrivateChains(void)
VIR_DEBUG("Global IPv4 chains already exist");
}
- rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
+ rc = networkFirewallSetupPrivateChains(backend, VIR_FIREWALL_LAYER_IPV6);
if (rc < 0) {
VIR_DEBUG("Failed to create global IPv6 chains: %s",
virGetLastErrorMessage());
@@ -138,6 +158,7 @@ networkPreReloadFirewallRules(virNetworkDriverState *driver,
bool startup G_GNUC_UNUSED,
bool force)
{
+ g_autoptr(virNetworkDriverConfig) cfg = virNetworkDriverGetConfig(driver);
/*
* If there are any running networks, we need to
* create the global rules upfront. This allows us
@@ -157,14 +178,14 @@ networkPreReloadFirewallRules(virNetworkDriverState *driver,
*/
if (chainInitDone && force) {
/* The Private chains have already been initialized once
- * during this run of libvirtd, so 1) we can't do it again via
- * virOnce(), and 2) we need to re-add the private chains even
- * if there are currently no running networks, because the
- * next time a network is started, libvirt will expect that
- * the chains have already been added. So we call directly
- * instead of via virOnce().
+ * during this run of libvirtd/virtnetworkd (known because
+ * chainInitDone == true) so we need to re-add the private
+ * chains even if there are currently no running networks,
+ * because the next time a network is started, libvirt will
+ * expect that the chains have already been added. So we force
+ * the init.
*/
- networkSetupPrivateChains();
+ networkSetupPrivateChains(cfg->firewallBackend, true);
} else {
if (!networkHasRunningNetworksWithFW(driver)) {
@@ -172,7 +193,7 @@ networkPreReloadFirewallRules(virNetworkDriverState *driver,
return;
}
- ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
+ networkSetupPrivateChains(cfg->firewallBackend, false);
}
}
@@ -304,10 +325,10 @@ int networkCheckRouteCollision(virNetworkDef *def)
int
networkAddFirewallRules(virNetworkDef *def,
- virFirewallBackend firewallBackend G_GNUC_UNUSED)
+ virFirewallBackend firewallBackend)
{
- if (virOnce(&createdOnce, networkSetupPrivateChains) < 0)
- return -1;
+
+ networkSetupPrivateChains(firewallBackend, false);
if (errInitV4 &&
(virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 14/30] util: new functions to support adding individual firewall rollback commands
In the past virFirewall required all rollback commands for a group
(those commands necessary to "undo" any rules that had been added in
that group in case of a later failure) to be manually added by
switching into the virFirewall object into "rollback mode" and then
re-calling the inverse of the exact virFirewallAddCmd*() APIs that had
been called to add the original rules (ie. for each
"iptables --insert" command, for rollback we would need to add a
command with all arguments identical except that "--insert" would be
replaced by "--delete").
Because nftables can't search for rules to remove by comparing all the
arguments (it instead expects *only* a handle that is provided via
stdout when the rule was originally added), we won't be able to follow
the iptables method and manually construct the command to undo any
given nft command by just duplicating all the args of the command
(except the action). Instead we will need to be able to automatically
create a rollback command at the time the rule-adding command is
executed (e.g. an "nft delete rule" command that would include the
rule handle returned in stdout by an "nft add rule" command).
In order to make this happen, we need to be able to 1) learn whether
the user of the virFirewall API desires this behavior (handled by a new
transaction flag called VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK that
can be retrieved with the new virFirewallTransactionGetFlags() API),
and 2) add a new command to the current group's rollback command list (with
the new virFirewallAddRollbackCmd()).
We will actually use this capability in an upcoming patch.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 55 +++++++++++++++++++++++++++++++++++-----
src/util/virfirewall.h | 7 +++++
3 files changed, 57 insertions(+), 6 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 6cb3003499..893859caba 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2405,6 +2405,7 @@ virFileCacheSetPriv;
# util/virfirewall.h
virFirewallAddCmdFull;
+virFirewallAddRollbackCmd;
virFirewallApply;
virFirewallBackendTypeFromString;
virFirewallBackendTypeToString;
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 77de34533d..9def8999d5 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -198,10 +198,12 @@ void virFirewallFree(virFirewall *firewall)
fwCmd->args[fwCmd->argsLen++] = g_strdup(str); \
} while (0)
+
static virFirewallCmd *
virFirewallAddCmdFullV(virFirewall *firewall,
virFirewallLayer layer,
bool ignoreErrors,
+ bool isRollback,
virFirewallQueryCallback cb,
void *opaque,
va_list args)
@@ -218,18 +220,16 @@ virFirewallAddCmdFullV(virFirewall *firewall,
}
group = firewall->groups[firewall->currentGroup];
-
fwCmd = g_new0(virFirewallCmd, 1);
-
fwCmd->layer = layer;
- fwCmd->queryCB = cb;
- fwCmd->queryOpaque = opaque;
while ((str = va_arg(args, char *)) != NULL)
ADD_ARG(fwCmd, str);
- if (group->addingRollback) {
+ if (isRollback || group->addingRollback) {
fwCmd->ignoreErrors = true; /* always ignore errors when rolling back */
+ fwCmd->queryCB = NULL; /* rollback commands can't have a callback */
+ fwCmd->queryOpaque = NULL;
VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd);
} else {
/* when not rolling back, ignore errors if this group (transaction)
@@ -237,6 +237,8 @@ virFirewallAddCmdFullV(virFirewall *firewall,
* if this specific rule was created with ignoreErrors == true
*/
fwCmd->ignoreErrors = ignoreErrors || (group->actionFlags &
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ fwCmd->queryCB = cb;
+ fwCmd->queryOpaque = opaque;
VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd);
}
@@ -277,7 +279,33 @@ virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
virFirewallCmd *fwCmd;
va_list args;
va_start(args, opaque);
- fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, opaque, args);
+ fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, false, cb, opaque,
args);
+ va_end(args);
+ return fwCmd;
+}
+
+
+/**
+ * virFirewallAddRollbackCmd:
+ * @firewall: firewall commands to add to
+ * @layer: the firewall layer to change
+ * @...: NULL terminated list of strings for the command
+ *
+ * Add a command to the current firewall command group "rollback".
+ * Rollback commands always ignore errors and don't support any
+ * callbacks.
+ *
+ * Returns the new Command
+ */
+virFirewallCmd *
+virFirewallAddRollbackCmd(virFirewall *firewall,
+ virFirewallLayer layer,
+ ...)
+{
+ virFirewallCmd *fwCmd;
+ va_list args;
+ va_start(args, layer);
+ fwCmd = virFirewallAddCmdFullV(firewall, layer, true, true, NULL, NULL, args);
va_end(args);
return fwCmd;
}
@@ -434,6 +462,21 @@ void virFirewallStartTransaction(virFirewall *firewall,
firewall->currentGroup = firewall->ngroups - 1;
}
+
+/**
+ * virFirewallTransactionGetFlags:
+ * @firewall: the firewall to look at
+ *
+ * Returns the virFirewallTransactionFlags for the currently active
+ * group (transaction) in @firewall.
+ */
+static virFirewallTransactionFlags G_GNUC_UNUSED
+virFirewallTransactionGetFlags(virFirewall *firewall)
+{
+ return firewall->groups[firewall->currentGroup]->actionFlags;
+}
+
+
/**
* virFirewallBeginRollback:
* @firewall: the firewall ruleset
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 1ca1cce10a..e6aac365f1 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -73,6 +73,11 @@ virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
...)
G_GNUC_NULL_TERMINATED;
+virFirewallCmd *virFirewallAddRollbackCmd(virFirewall *firewall,
+ virFirewallLayer layer,
+ ...)
+ G_GNUC_NULL_TERMINATED;
+
void virFirewallRemoveCmd(virFirewall *firewall,
virFirewallCmd *rule);
@@ -105,6 +110,8 @@ typedef enum {
/* Ignore all errors when applying rules, so no
* rollback block will be required */
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS = (1 << 0),
+ /* Set to auto-add a rollback rule for each rule that is applied */
+ VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK = (1 << 1),
} virFirewallTransactionFlags;
void virFirewallStartTransaction(virFirewall *firewall,
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 15/30] util: implement rollback rule autocreation for iptables commands
If the VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK flag is set, each time
an iptables command is executed that is adding a rule or chain, a
corresponding command that will *delete* the same rule/chain is
constructed and added to the list of rollback commands. If we later
want to undo the entire firewall, we can just run those commands.
This isn't yet used anywhere, since
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/virfirewall.c | 55 ++++++++++++++++++++++++++++++++++++------
1 file changed, 48 insertions(+), 7 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 9def8999d5..b9b4140ad6 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -470,7 +470,7 @@ void virFirewallStartTransaction(virFirewall *firewall,
* Returns the virFirewallTransactionFlags for the currently active
* group (transaction) in @firewall.
*/
-static virFirewallTransactionFlags G_GNUC_UNUSED
+static virFirewallTransactionFlags
virFirewallTransactionGetFlags(virFirewall *firewall)
{
return firewall->groups[firewall->currentGroup]->actionFlags;
@@ -525,16 +525,25 @@ virFirewallCmdToString(const char *cmd,
}
+#define VIR_IPTABLES_ARG_IS_CREATE(arg) \
+ (STREQ(arg, "--insert") || STREQ(arg, "-I") || \
+ STREQ(arg, "--append") || STREQ(arg, "-A"))
+
+
static int
-virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
- char **output)
+virFirewallCmdIptablesApply(virFirewall *firewall,
+ virFirewallCmd *fwCmd,
+ char **output)
{
- size_t i;
const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer);
+ bool checkRollback = (virFirewallTransactionGetFlags(firewall) &
+ VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
+ bool needRollback = false;
g_autoptr(virCommand) cmd = NULL;
g_autofree char *cmdStr = NULL;
- int status;
g_autofree char *error = NULL;
+ size_t i;
+ int status;
if (!bin) {
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -558,8 +567,13 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
break;
}
- for (i = 0; i < fwCmd->argsLen; i++)
+ for (i = 0; i < fwCmd->argsLen; i++) {
+ /* the -I/-A arg could be at any position in the list */
+ if (checkRollback && VIR_IPTABLES_ARG_IS_CREATE(fwCmd->args[i]))
+ needRollback = true;
+
virCommandAddArg(cmd, fwCmd->args[i]);
+ }
cmdStr = virCommandToString(cmd, false);
VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr));
@@ -571,8 +585,10 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
return -1;
if (status != 0) {
+ /* the command failed, decide whether or not to report it */
if (fwCmd->ignoreErrors) {
VIR_DEBUG("Ignoring error running command");
+ return 0;
} else {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Failed to run firewall command %1$s: %2$s"),
@@ -582,6 +598,31 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
}
}
+ /* the command was successful, see if we need to add a
+ * rollback command
+ */
+
+ if (needRollback) {
+ virFirewallCmd *rollback
+ = virFirewallAddRollbackCmd(firewall, fwCmd->layer, NULL);
+ g_autofree char *rollbackStr = NULL;
+
+ for (i = 0; i < fwCmd->argsLen; i++) {
+ /* iptables --delete wants the entire commandline that
+ * was used for --insert but with s/insert/delete/
+ */
+ if (VIR_IPTABLES_ARG_IS_CREATE(fwCmd->args[i])) {
+ virFirewallCmdAddArg(firewall, rollback, "--delete");
+ } else {
+ virFirewallCmdAddArg(firewall, rollback, fwCmd->args[i]);
+ }
+ }
+
+ rollbackStr =
virFirewallCmdToString(virFirewallLayerCommandTypeToString(fwCmd->layer),
+ rollback);
+ VIR_DEBUG("Recording Rollback command '%s'",
NULLSTR(rollbackStr));
+ }
+
return 0;
}
@@ -599,7 +640,7 @@ virFirewallApplyCmd(virFirewall *firewall,
return -1;
}
- if (virFirewallApplyCmdDirect(fwCmd, &output) < 0)
+ if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0)
return -1;
if (fwCmd->queryCB && output) {
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 16/30] network: turn on auto-rollback for the rules added for virtual networks
So far this will only affect what happens if there is some failure
while applying the firewall rules; the rollback rules aren't yet
persistent beyond that time. More work is needed to remember the
rollback rules while the network is active, and use those rules to
remove the firewall for the network when it is destroyed.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_iptables.c | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index db35a4c5a0..467d43c1e9 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -1599,7 +1599,7 @@ iptablesAddFirewallRules(virNetworkDef *def)
virNetworkIPDef *ipdef;
g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
- virFirewallStartTransaction(fw, 0);
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
iptablesAddGeneralFirewallRules(fw, def);
@@ -1610,17 +1610,8 @@ iptablesAddFirewallRules(virNetworkDef *def)
return -1;
}
- virFirewallStartRollback(fw, 0);
-
- for (i = 0;
- (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
- i++) {
- if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
- return -1;
- }
- iptablesRemoveGeneralFirewallRules(fw, def);
-
- virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS |
+ VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK));
iptablesAddChecksumFirewallRules(fw, def);
return virFirewallApply(fw);
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 17/30] util: add name attribute to virFirewall
This will be used to label (via "name='blah'") a firewall when it is
formatted to XML and written to the network status.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/libvirt_private.syms | 2 ++
src/util/virfirewall.c | 20 +++++++++++++++++++-
src/util/virfirewall.h | 2 ++
3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 893859caba..9897caea21 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2417,8 +2417,10 @@ virFirewallCmdGetArgCount;
virFirewallCmdToString;
virFirewallFree;
virFirewallGetBackend;
+virFirewallGetName;
virFirewallNew;
virFirewallRemoveCmd;
+virFirewallSetName;
virFirewallStartRollback;
virFirewallStartTransaction;
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index b9b4140ad6..fe8c09c0ed 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -78,6 +78,7 @@ struct _virFirewallGroup {
struct _virFirewall {
int err;
+ char *name;
size_t ngroups;
virFirewallGroup **groups;
size_t currentGroup;
@@ -119,6 +120,22 @@ virFirewallGetBackend(virFirewall *firewall)
}
+const char *
+virFirewallGetName(virFirewall *firewall)
+{
+ return firewall->name;
+}
+
+
+void
+virFirewallSetName(virFirewall *firewall,
+ const char *name)
+{
+ g_free(firewall->name);
+ firewall->name = g_strdup(name);
+}
+
+
static void
virFirewallCmdFree(virFirewallCmd *fwCmd)
{
@@ -169,8 +186,9 @@ void virFirewallFree(virFirewall *firewall)
for (i = 0; i < firewall->ngroups; i++)
virFirewallGroupFree(firewall->groups[i]);
- g_free(firewall->groups);
+ g_free(firewall->groups);
+ g_free(firewall->name);
g_free(firewall);
}
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index e6aac365f1..e8ad81056f 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -46,6 +46,8 @@ VIR_ENUM_DECL(virFirewallBackend);
virFirewall *virFirewallNew(virFirewallBackend backend);
void virFirewallFree(virFirewall *firewall);
virFirewallBackend virFirewallGetBackend(virFirewall *firewall);
+const char *virFirewallGetName(virFirewall *firewall);
+void virFirewallSetName(virFirewall *firewall, const char *name);
/**
* virFirewallAddCmd:
--
2.45.0
9:38 a.m.
New subject: [PATCH v5 17/30] util: add name attribute to virFirewall
On Fri, May 17, 2024 at 01:29:54PM -0400, Laine Stump wrote:
This will be used to label (via "name='blah'") a
firewall when it is
formatted to XML and written to the network status.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/libvirt_private.syms | 2 ++
src/util/virfirewall.c | 20 +++++++++++++++++++-
src/util/virfirewall.h | 2 ++
3 files changed, 23 insertions(+), 1 deletion(-)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:29 p.m.
New subject: [PATCH v5 18/30] util: new function virFirewallNewFromRollback()
virFirewallNewFromRollback() creates a new virFirewall object that
contains a copy of the "rollback" commands from an existing
virFirewall object, but in reverse order. The intent is that this
virFirewall be saved and used later to remove the firewall rules that
were added for a network.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 59 ++++++++++++++++++++++++++++++++++++++++
src/util/virfirewall.h | 1 +
3 files changed, 61 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 9897caea21..4e6a113ba1 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2419,6 +2419,7 @@ virFirewallFree;
virFirewallGetBackend;
virFirewallGetName;
virFirewallNew;
+virFirewallNewFromRollback;
virFirewallRemoveCmd;
virFirewallSetName;
virFirewallStartRollback;
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index fe8c09c0ed..2f4f128cd1 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -768,3 +768,62 @@ virFirewallApply(virFirewall *firewall)
return 0;
}
+
+
+/**
+ * virFirewallNewFromRollback:
+
+ * @original: the original virFirewall object containing the rollback
+ * of interest
+ * @fwRemoval: a firewall object that, when applied, will remove @original
+ *
+ * Copy the rollback rules from the current virFirewall object as a
+ * new virFirewall. This virFirewall can then be saved to apply later
+ * and counteract everything done by the original.
+ *
+ * Returns 0 on success, -1 on error
+ */
+int
+virFirewallNewFromRollback(virFirewall *original,
+ virFirewall **fwRemoval)
+{
+ size_t g;
+ g_autoptr(virFirewall) firewall = NULL;
+
+ if (original->err) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("error in original firewall object"));
+ return -1;
+ }
+
+ firewall = virFirewallNew(original->backend);
+
+ /* add the rollback commands in reverse order of actions/groups of
+ * what was applied in the original firewall.
+ */
+ for (g = original->ngroups; g > 0; g--) {
+ size_t r;
+ virFirewallGroup *group = original->groups[g - 1];
+
+ if (group->nrollback == 0)
+ continue;
+
+ virFirewallStartTransaction(firewall, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
+ for (r = group->nrollback; r > 0; r--) {
+ size_t i;
+ virFirewallCmd *origCmd = group->rollback[r - 1];
+ virFirewallCmd *rbCmd = virFirewallAddCmd(firewall, origCmd->layer,
NULL);
+
+ for (i = 0; i < origCmd->argsLen; i++)
+ ADD_ARG(rbCmd, origCmd->args[i]);
+ }
+ }
+
+ if (firewall->ngroups == 0)
+ VIR_DEBUG("original firewall object is empty");
+ else
+ *fwRemoval = g_steal_pointer(&firewall);
+
+ return 0;
+}
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index e8ad81056f..931dfb04cf 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -44,6 +44,7 @@ typedef enum {
VIR_ENUM_DECL(virFirewallBackend);
virFirewall *virFirewallNew(virFirewallBackend backend);
+int virFirewallNewFromRollback(virFirewall *original, virFirewall **fwRemoval);
void virFirewallFree(virFirewall *firewall);
virFirewallBackend virFirewallGetBackend(virFirewall *firewall);
const char *virFirewallGetName(virFirewall *firewall);
--
2.45.0
9:39 a.m.
New subject: [PATCH v5 18/30] util: new function virFirewallNewFromRollback()
On Fri, May 17, 2024 at 01:29:55PM -0400, Laine Stump wrote:
virFirewallNewFromRollback() creates a new virFirewall object that
contains a copy of the "rollback" commands from an existing
virFirewall object, but in reverse order. The intent is that this
virFirewall be saved and used later to remove the firewall rules that
were added for a network.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 59 ++++++++++++++++++++++++++++++++++++++++
src/util/virfirewall.h | 1 +
3 files changed, 61 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:29 p.m.
New subject: [PATCH v5 19/30] util: new functions virFirewallParseXML() and virFirewallFormat()
These functions convert a virFirewall object to/from XML so that it
can be serialized to disk (in a virNetworkObj's status file) and
restored later (e.g. after libvirtd/virtnetworkd is restarted).
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/libvirt_private.syms | 2 +
src/util/virfirewall.c | 219 +++++++++++++++++++++++++++++++++++++++
src/util/virfirewall.h | 9 ++
3 files changed, 230 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 4e6a113ba1..eb328ca04f 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2415,11 +2415,13 @@ virFirewallCmdAddArgList;
virFirewallCmdAddArgSet;
virFirewallCmdGetArgCount;
virFirewallCmdToString;
+virFirewallFormat;
virFirewallFree;
virFirewallGetBackend;
virFirewallGetName;
virFirewallNew;
virFirewallNewFromRollback;
+virFirewallParseXML;
virFirewallRemoveCmd;
virFirewallSetName;
virFirewallStartRollback;
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 2f4f128cd1..649b2289c0 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -39,6 +39,14 @@ VIR_ENUM_IMPL(virFirewallBackend,
VIR_FIREWALL_BACKEND_LAST,
"iptables");
+VIR_ENUM_DECL(virFirewallLayer);
+VIR_ENUM_IMPL(virFirewallLayer,
+ VIR_FIREWALL_LAYER_LAST,
+ "ethernet",
+ "ipv4",
+ "ipv6",
+);
+
typedef struct _virFirewallGroup virFirewallGroup;
VIR_ENUM_DECL(virFirewallLayerCommand);
@@ -827,3 +835,214 @@ virFirewallNewFromRollback(virFirewall *original,
return 0;
}
+
+
+/* virFirewallGetFlagsFromNode:
+ * @node: the xmlNode to check for an ignoreErrors attribute
+ *
+ * A short helper to get the setting of the ignorErrors attribute from
+ * an xmlNode. Returns -1 on error (with error reported), or the
+ * VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS bit set/reset according to
+ * the value of the attribute.
+ */
+static int
+virFirewallGetFlagsFromNode(xmlNodePtr node)
+{
+ virTristateBool ignoreErrors;
+
+ if (virXMLPropTristateBool(node, "ignoreErrors", VIR_XML_PROP_NONE,
&ignoreErrors) < 0)
+ return -1;
+
+ if (ignoreErrors == VIR_TRISTATE_BOOL_YES)
+ return VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS;
+ return 0;
+}
+
+
+/**
+ * virFirewallParseXML:
+ * @firewall: pointer to virFirewall* to fill in with new virFirewall object
+ *
+ * Construct a new virFirewall object according to the XML in
+ * xmlNodePtr. Return 0 (and new object) on success, or -1 (with
+ * error reported) on error.
+ *
+ * Example of <firewall> element XML:
+ *
+ * <firewall backend='iptables|nftables'>
+ * <group ignoreErrors='yes|no'>
+ * <action layer='ethernet|ipv4|ipv6' ignoreErrors='yes|no'>
+ * <args>
+ * <item>arg1</item>
+ * <item>arg2</item>
+ * ...
+ * </args>
+ * </action>
+ * <action ...>
+ * ...
+ </action>
+ * ...
+ * </group>
+ * ...
+ * </firewall>
+ */
+int
+virFirewallParseXML(virFirewall **firewall,
+ xmlNodePtr node,
+ xmlXPathContextPtr ctxt)
+{
+ g_autoptr(virFirewall) newfw = NULL;
+ virFirewallBackend backend;
+ g_autofree xmlNodePtr *groupNodes = NULL;
+ ssize_t ngroups;
+ size_t g;
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+
+ ctxt->node = node;
+
+ if (virXMLPropEnum(node, "backend", virFirewallBackendTypeFromString,
+ VIR_XML_PROP_REQUIRED, &backend) < 0) {
+ return -1;
+ }
+
+ newfw = virFirewallNew(backend);
+
+ newfw->name = virXMLPropString(node, "name");
+
+ ngroups = virXPathNodeSet("./group", ctxt, &groupNodes);
+ if (ngroups < 0)
+ return -1;
+
+ for (g = 0; g < ngroups; g++) {
+ int flags = 0;
+ g_autofree xmlNodePtr *actionNodes = NULL;
+ ssize_t nactions;
+ size_t a;
+
+ ctxt->node = groupNodes[g];
+ nactions = virXPathNodeSet("./action", ctxt, &actionNodes);
+ if (nactions < 0)
+ return -1;
+ if (nactions == 0)
+ continue;
+
+ if ((flags = virFirewallGetFlagsFromNode(groupNodes[g])) < 0)
+ return -1;
+
+ virFirewallStartTransaction(newfw, flags);
+
+ for (a = 0; a < nactions; a++) {
+ g_autofree xmlNodePtr *argsNodes = NULL;
+ ssize_t nargs;
+ size_t i;
+ virFirewallLayer layer;
+ virFirewallCmd *action;
+ bool ignoreErrors;
+
+ ctxt->node = actionNodes[a];
+
+ if (!(ctxt->node = virXPathNode("./args", ctxt)))
+ continue;
+
+ if ((flags = virFirewallGetFlagsFromNode(actionNodes[a])) < 0)
+ return -1;
+
+ ignoreErrors = flags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS;
+
+ if (virXMLPropEnum(actionNodes[a], "layer",
+ virFirewallLayerTypeFromString,
+ VIR_XML_PROP_REQUIRED, &layer) < 0) {
+ return -1;
+ }
+
+ nargs = virXPathNodeSet("./item", ctxt, &argsNodes);
+ if (nargs < 0)
+ return -1;
+ if (nargs == 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Invalid firewall command has 0 arguments"));
+ return -1;
+ }
+
+ action = virFirewallAddCmdFull(newfw, layer, ignoreErrors,
+ NULL, NULL, NULL);
+ for (i = 0; i < nargs; i++) {
+
+ char *arg = virXMLNodeContentString(argsNodes[i]);
+ if (!arg)
+ return -1;
+
+ virFirewallCmdAddArg(newfw, action, arg);
+ }
+ }
+ }
+
+ *firewall = g_steal_pointer(&newfw);
+ return 0;
+}
+
+
+/**
+ * virFirewallFormat:
+ * @buf: output buffer
+ * @firewall: the virFirewall object to format as XML
+ *
+ * Format virFirewall object @firewall into @buf as XML.
+ * Returns 0 on success, -1 on failure.
+ *
+ */
+int
+virFirewallFormat(virBuffer *buf,
+ virFirewall *firewall)
+{
+ size_t g;
+ g_auto(virBuffer) attrBuf = VIR_BUFFER_INITIALIZER;
+ g_auto(virBuffer) childBuf = VIR_BUFFER_INIT_CHILD(buf);
+
+ virBufferEscapeString(&attrBuf, " name='%s'",
firewall->name);
+ virBufferAsprintf(&attrBuf, " backend='%s'",
+ virFirewallBackendTypeToString(virFirewallGetBackend(firewall)));
+
+ for (g = 0; g < firewall->ngroups; g++) {
+ virFirewallGroup *group = firewall->groups[g];
+ bool groupIgnoreErrors = (group->actionFlags &
+ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ size_t a;
+
+ virBufferAddLit(&childBuf, "<group");
+ if (groupIgnoreErrors)
+ virBufferAddLit(&childBuf, " ignoreErrors='yes'");
+ virBufferAddLit(&childBuf, ">\n");
+ virBufferAdjustIndent(&childBuf, 2);
+
+ for (a = 0; a < group->naction; a++) {
+ virFirewallCmd *action = group->action[a];
+ size_t i;
+
+ virBufferAsprintf(&childBuf, "<action layer='%s'",
+ virFirewallLayerTypeToString(action->layer));
+ /* if the entire group has ignoreErrors='yes', then it's
+ * redundant to have it for an action of the group
+ */
+ if (action->ignoreErrors && !groupIgnoreErrors)
+ virBufferAddLit(&childBuf, " ignoreErrors='yes'");
+ virBufferAddLit(&childBuf, ">\n");
+
+ virBufferAdjustIndent(&childBuf, 2);
+ virBufferAddLit(&childBuf, "<args>\n");
+ virBufferAdjustIndent(&childBuf, 2);
+ for (i = 0; i < virFirewallCmdGetArgCount(action); i++)
+ virBufferEscapeString(&childBuf,
"<item>%s</item>\n", action->args[i]);
+ virBufferAdjustIndent(&childBuf, -2);
+ virBufferAddLit(&childBuf, "</args>\n");
+ virBufferAdjustIndent(&childBuf, -2);
+ virBufferAddLit(&childBuf, "</action>\n");
+ }
+
+ virBufferAdjustIndent(&childBuf, -2);
+ virBufferAddLit(&childBuf, "</group>\n");
+ }
+
+ virXMLFormatElement(buf, "firewall", &attrBuf, &childBuf);
+ return 0;
+}
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 931dfb04cf..917745c315 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -22,6 +22,8 @@
#include "internal.h"
#include "virenum.h"
+#include "virbuffer.h"
+#include "virxml.h"
typedef struct _virFirewall virFirewall;
@@ -131,4 +133,11 @@ void virFirewallStartRollback(virFirewall *firewall,
int virFirewallApply(virFirewall *firewall);
+int virFirewallParseXML(virFirewall **firewall,
+ xmlNodePtr node,
+ xmlXPathContextPtr ctxt);
+
+int virFirewallFormat(virBuffer *buf,
+ virFirewall *firewall);
+
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree);
--
2.45.0
9:41 a.m.
New subject: [PATCH v5 19/30] util: new functions virFirewallParseXML() and
virFirewallFormat()
On Fri, May 17, 2024 at 01:29:56PM -0400, Laine Stump wrote:
These functions convert a virFirewall object to/from XML so that it
can be serialized to disk (in a virNetworkObj's status file) and
restored later (e.g. after libvirtd/virtnetworkd is restarted).
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/libvirt_private.syms | 2 +
src/util/virfirewall.c | 219 +++++++++++++++++++++++++++++++++++++++
src/util/virfirewall.h | 9 ++
3 files changed, 230 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:29 p.m.
New subject: [PATCH v5 20/30] conf: add a virFirewall object to virNetworkObj
This virFirewall object will store the list of actions required to
remove the firewall that was added for the currently active instance
of the network, so it has been named "fwRemoval" (and when parsed into
XML, the <firewall> element will have the name "fwRemoval").
There are no uses of the fwRemoval object in the virNetworkObj yet,
but everything is in place to add it to the XML when formatted, parse
it from the XML when reading network status, and free the virFirewall
object when the virNetworkObj is freed.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/conf/virnetworkobj.c | 40 ++++++++++++++++++++++++++++++++++++++++
src/conf/virnetworkobj.h | 8 ++++++++
src/libvirt_private.syms | 2 ++
3 files changed, 50 insertions(+)
diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c
index d5aa121e20..f5db4c5804 100644
--- a/src/conf/virnetworkobj.c
+++ b/src/conf/virnetworkobj.c
@@ -55,6 +55,11 @@ struct _virNetworkObj {
unsigned int taint;
+ /* fwRemoval contains all commands needed to remove the firewall
+ * that was added for this network.
+ */
+ virFirewall *fwRemoval;
+
/* Immutable pointer, self locking APIs */
virMacMap *macmap;
@@ -239,6 +244,24 @@ virNetworkObjSetFloorSum(virNetworkObj *obj,
}
+virFirewall *
+virNetworkObjGetFwRemoval(virNetworkObj *obj)
+{
+ return obj->fwRemoval;
+}
+
+
+void
+virNetworkObjSetFwRemoval(virNetworkObj *obj,
+ virFirewall *fwRemoval)
+{
+ obj->fwRemoval = fwRemoval;
+ /* give it a name so it's identifiable in the XML */
+ if (fwRemoval)
+ virFirewallSetName(fwRemoval, "fwRemoval");
+}
+
+
void
virNetworkObjSetMacMap(virNetworkObj *obj,
virMacMap **macmap)
@@ -444,6 +467,7 @@ virNetworkObjDispose(void *opaque)
virNetworkDefFree(obj->newDef);
virBitmapFree(obj->classIdMap);
virObjectUnref(obj->macmap);
+ virFirewallFree(obj->fwRemoval);
}
@@ -792,6 +816,9 @@ virNetworkObjFormat(virNetworkObj *obj,
if (virNetworkDefFormatBuf(&buf, obj->def, xmlopt, flags) < 0)
return NULL;
+ if (obj->fwRemoval && virFirewallFormat(&buf, obj->fwRemoval) <
0)
+ return NULL;
+
virBufferAdjustIndent(&buf, -2);
virBufferAddLit(&buf, "</networkstatus>");
@@ -826,6 +853,7 @@ virNetworkLoadState(virNetworkObjList *nets,
g_autofree char *configFile = NULL;
g_autoptr(virNetworkDef) def = NULL;
virNetworkObj *obj = NULL;
+ g_autoptr(virFirewall) fwRemoval = NULL;
g_autoptr(xmlDoc) xml = NULL;
xmlNodePtr node = NULL;
g_autoptr(xmlXPathContext) ctxt = NULL;
@@ -868,6 +896,7 @@ virNetworkLoadState(virNetworkObjList *nets,
g_autofree char *classIdStr = NULL;
g_autofree char *floor_sum = NULL;
g_autofree xmlNodePtr *nodes = NULL;
+ xmlNodePtr fwNode;
ctxt->node = node;
if ((classIdStr = virXPathString("string(./class_id[1]/@bitmap)",
@@ -902,6 +931,15 @@ virNetworkLoadState(virNetworkObjList *nets,
taint |= (1 << flag);
}
}
+ if ((fwNode = virXPathNode("./firewall", ctxt))) {
+ g_autoptr(virFirewall) fwTmp = NULL;
+
+ if (virFirewallParseXML(&fwTmp, fwNode, ctxt) < 0)
+ return NULL;
+
+ if (STREQ_NULLABLE(virFirewallGetName(fwTmp), "fwRemoval"))
+ fwRemoval = g_steal_pointer(&fwTmp);
+ }
}
/* create the object */
@@ -910,6 +948,8 @@ virNetworkLoadState(virNetworkObjList *nets,
def = NULL;
+ virNetworkObjSetFwRemoval(obj, g_steal_pointer(&fwRemoval));
+
/* assign status data stored in the network object */
if (classIdMap) {
virBitmapFree(obj->classIdMap);
diff --git a/src/conf/virnetworkobj.h b/src/conf/virnetworkobj.h
index d3847d3422..6ebc6c49f5 100644
--- a/src/conf/virnetworkobj.h
+++ b/src/conf/virnetworkobj.h
@@ -23,6 +23,7 @@
#include "network_conf.h"
#include "virnetworkportdef.h"
+#include "virfirewall.h"
typedef struct _virNetworkObj virNetworkObj;
@@ -76,6 +77,13 @@ void
virNetworkObjSetFloorSum(virNetworkObj *obj,
unsigned long long floor_sum);
+virFirewall *
+virNetworkObjGetFwRemoval(virNetworkObj *obj);
+
+void
+virNetworkObjSetFwRemoval(virNetworkObj *obj,
+ virFirewall *fwRemoval);
+
void
virNetworkObjSetMacMap(virNetworkObj *obj,
virMacMap **macmap);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index eb328ca04f..f0f7aa8654 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1300,6 +1300,7 @@ virNetworkObjGetClassIdMap;
virNetworkObjGetDef;
virNetworkObjGetDnsmasqPid;
virNetworkObjGetFloorSum;
+virNetworkObjGetFwRemoval;
virNetworkObjGetMacMap;
virNetworkObjGetMetadata;
virNetworkObjGetNewDef;
@@ -1331,6 +1332,7 @@ virNetworkObjSetDef;
virNetworkObjSetDefTransient;
virNetworkObjSetDnsmasqPid;
virNetworkObjSetFloorSum;
+virNetworkObjSetFwRemoval;
virNetworkObjSetMacMap;
virNetworkObjSetMetadata;
virNetworkObjTaint;
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 21/30] network: use previously saved list of firewall removal commands
When destroying a network, the network driver has always assumed that
it knew what firewall rules had been added as the network was
started. This was usually correct - I only recall one time in the past
that the firewall rules added by libvirt were changed. But if the
exact rules used for a network *were* ever changed from one
build/version of libvirt to another, then we would end up attempting
to remove rules that hadn't been added, and could possibly *not*
remove rules that had been added.
The solution to this to not make such brash assumptions about the
past, but instead to save (in the network status object at network
start time) a list of all the rules needed to remove the rules that
were added for the network, and then use that saved list during
network destroy to remove exactly what was previous added.
Beyond making net-destroy more precise, there are other benefits:
1) We can change the details of the rules we add for networks from one
build/release of libvirt to another and painlessly upgrade.
2) The user can switch from one firewall backend to another by simply
changing the setting in network.conf and restarting
libvirtd/virtnetworkd.
In both cases, the restarted libvirtd/virtnetworkd will remove all the
rules that had been previously added (based on the network status),
and then add new rules (saving the new removal commands back into the
network status)
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/bridge_driver.c | 35 ++++++++++++++--------
src/network/bridge_driver_linux.c | 26 +++++++++++++----
src/network/bridge_driver_nop.c | 6 ++--
src/network/bridge_driver_platform.h | 6 ++--
src/network/network_iptables.c | 43 +++++++++++++++++++++++++---
src/network/network_iptables.h | 2 +-
tests/networkxml2firewalltest.c | 2 +-
7 files changed, 91 insertions(+), 29 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 82e1052978..1b4c5aedf2 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1685,6 +1685,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj,
g_autoptr(virNetworkDriverConfig) cfg =
virNetworkDriverGetConfig(networkGetDriver());
VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
virNetworkDef *def = virNetworkObjGetDef(obj);
+ virFirewall *fwRemoval = NULL;
if (virNetworkObjIsActive(obj)) {
switch ((virNetworkForwardType) def->forward.type) {
@@ -1696,8 +1697,9 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj,
* network type, forward='open', doesn't need this because it
* has no iptables rules.
*/
- networkRemoveFirewallRules(def, cfg->firewallBackend);
- ignore_value(networkAddFirewallRules(def, cfg->firewallBackend));
+ networkRemoveFirewallRules(obj);
+ ignore_value(networkAddFirewallRules(def, cfg->firewallBackend,
&fwRemoval));
+ virNetworkObjSetFwRemoval(obj, fwRemoval);
break;
case VIR_NETWORK_FORWARD_OPEN:
@@ -1904,6 +1906,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
bool devOnline = false;
bool firewalRulesAdded = false;
virSocketAddr *dnsServer = NULL;
+ virFirewall *fwRemoval = NULL;
/* Check to see if any network IP collides with an existing route */
if (networkCheckRouteCollision(def) < 0)
@@ -1949,9 +1952,11 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
/* Add "once per network" rules */
if (def->forward.type != VIR_NETWORK_FORWARD_OPEN &&
- networkAddFirewallRules(def, cfg->firewallBackend) < 0)
+ networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) {
goto error;
+ }
+ virNetworkObjSetFwRemoval(obj, fwRemoval);
firewalRulesAdded = true;
for (i = 0; (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); i++) {
@@ -2067,7 +2072,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
if (firewalRulesAdded &&
def->forward.type != VIR_NETWORK_FORWARD_OPEN)
- networkRemoveFirewallRules(def, cfg->firewallBackend);
+ networkRemoveFirewallRules(obj);
virNetworkObjUnrefMacMap(obj);
@@ -2079,8 +2084,7 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
static int
-networkShutdownNetworkVirtual(virNetworkObj *obj,
- virNetworkDriverConfig *cfg)
+networkShutdownNetworkVirtual(virNetworkObj *obj)
{
virNetworkDef *def = virNetworkObjGetDef(obj);
pid_t dnsmasqPid;
@@ -2106,7 +2110,7 @@ networkShutdownNetworkVirtual(virNetworkObj *obj,
ignore_value(virNetDevSetOnline(def->bridge, false));
if (def->forward.type != VIR_NETWORK_FORWARD_OPEN)
- networkRemoveFirewallRules(def, cfg->firewallBackend);
+ networkRemoveFirewallRules(obj);
ignore_value(virNetDevBridgeDelete(def->bridge));
@@ -2410,7 +2414,7 @@ networkShutdownNetwork(virNetworkDriverState *driver,
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
case VIR_NETWORK_FORWARD_OPEN:
- ret = networkShutdownNetworkVirtual(obj, cfg);
+ ret = networkShutdownNetworkVirtual(obj);
break;
case VIR_NETWORK_FORWARD_BRIDGE:
@@ -3215,6 +3219,8 @@ networkUpdate(virNetworkPtr net,
virNetworkIPDef *ipdef;
bool oldDhcpActive = false;
bool needFirewallRefresh = false;
+ virFirewall *fwRemoval = NULL;
+
virCheckFlags(VIR_NETWORK_UPDATE_AFFECT_LIVE |
@@ -3261,7 +3267,7 @@ networkUpdate(virNetworkPtr net,
* old rules (and remember to load new ones after the
* update).
*/
- networkRemoveFirewallRules(def, cfg->firewallBackend);
+ networkRemoveFirewallRules(obj);
needFirewallRefresh = true;
break;
default:
@@ -3288,16 +3294,21 @@ networkUpdate(virNetworkPtr net,
if (virNetworkObjUpdate(obj, command, section,
parentIndex, xml,
network_driver->xmlopt, flags) < 0) {
- if (needFirewallRefresh)
- ignore_value(networkAddFirewallRules(def, cfg->firewallBackend));
+ if (needFirewallRefresh) {
+ ignore_value(networkAddFirewallRules(def, cfg->firewallBackend,
&fwRemoval));
+ virNetworkObjSetFwRemoval(obj, fwRemoval);
+ }
goto cleanup;
}
/* @def is replaced */
def = virNetworkObjGetDef(obj);
- if (needFirewallRefresh && networkAddFirewallRules(def,
cfg->firewallBackend) < 0)
+ if (needFirewallRefresh &&
+ networkAddFirewallRules(def, cfg->firewallBackend, &fwRemoval) < 0) {
goto cleanup;
+ }
+ virNetworkObjSetFwRemoval(obj, fwRemoval);
if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) {
/* save updated persistent config to disk */
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 988362abef..b488600989 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -325,7 +325,8 @@ int networkCheckRouteCollision(virNetworkDef *def)
int
networkAddFirewallRules(virNetworkDef *def,
- virFirewallBackend firewallBackend)
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval)
{
networkSetupPrivateChains(firewallBackend, false);
@@ -411,13 +412,28 @@ networkAddFirewallRules(virNetworkDef *def,
}
}
- return iptablesAddFirewallRules(def);
+ return iptablesAddFirewallRules(def, fwRemoval);
}
void
-networkRemoveFirewallRules(virNetworkDef *def,
- virFirewallBackend firewallBackend G_GNUC_UNUSED)
+networkRemoveFirewallRules(virNetworkObj *obj)
{
- iptablesRemoveFirewallRules(def);
+ virFirewall *fw;
+
+ if ((fw = virNetworkObjGetFwRemoval(obj)) == NULL) {
+ /* No information about firewall rules in the network status,
+ * so we assume the old iptables-based rules from 10.2.0 and
+ * earlier.
+ */
+ VIR_DEBUG("No firewall info in network status, assuming old-style
iptables");
+ iptablesRemoveFirewallRules(virNetworkObjGetDef(obj));
+ return;
+ }
+
+ /* fwRemoval info was stored in the network status, so use that to
+ * remove the firewall
+ */
+ VIR_DEBUG("Removing firewall rules with commands saved in network
status");
+ virFirewallApply(fw);
}
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
index 7d9a061e50..537b9234f8 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -37,12 +37,12 @@ int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
}
int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
- virFirewallBackend firewallBackend G_GNUC_UNUSED)
+ virFirewallBackend firewallBackend G_GNUC_UNUSED,
+ virFirewall **fwRemoval G_GNUC_UNUSED)
{
return 0;
}
-void networkRemoveFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
- virFirewallBackend firewallBackend G_GNUC_UNUSED)
+void networkRemoveFirewallRules(virNetworkObj *obj G_GNUC_UNUSED)
{
}
diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h
index 7443c3129f..cd2e3fa7b5 100644
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -33,7 +33,7 @@ void networkPostReloadFirewallRules(bool startup);
int networkCheckRouteCollision(virNetworkDef *def);
int networkAddFirewallRules(virNetworkDef *def,
- virFirewallBackend firewallBackend);
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval);
-void networkRemoveFirewallRules(virNetworkDef *def,
- virFirewallBackend firewallBackend);
+void networkRemoveFirewallRules(virNetworkObj *obj);
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 467d43c1e9..f774176b3d 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -1591,9 +1591,19 @@ iptablesRemoveIPSpecificFirewallRules(virFirewall *fw,
}
-/* Add all rules for all ip addresses (and general rules) on a network */
+/* iptablesAddFirewallrules:
+ *
+ * @def - the network that needs an iptables firewall added
+ * @fwRemoval - if this is not NULL, it points to a pointer
+ * that should be filled in with a virFirewall object containing
+ * all the commands needed to remove this firewall at a later time.
+ *
+ * Add all rules for all ip addresses (and general rules) on a
+ * network, and optionally return a virFirewall object containing all
+ * the rules needed to later remove the firewall that has been added.
+*/
int
-iptablesAddFirewallRules(virNetworkDef *def)
+iptablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval)
{
size_t i;
virNetworkIPDef *ipdef;
@@ -1614,10 +1624,35 @@ iptablesAddFirewallRules(virNetworkDef *def)
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK));
iptablesAddChecksumFirewallRules(fw, def);
- return virFirewallApply(fw);
+ if (virFirewallApply(fw) < 0)
+ return -1;
+
+ if (fwRemoval) {
+ /* caller wants us to create a virFirewall object that can be
+ * applied to undo everything that was just done by * virFirewallApply()
+ */
+
+ if (virFirewallNewFromRollback(fw, fwRemoval) < 0)
+ return -1;
+ }
+
+ return 0;
}
-/* Remove all rules for all ip addresses (and general rules) on a network */
+/* iptablesRemoveFirewallRules:
+ *
+ * @def - the network that needs its iptables firewall rules removed
+ *
+ * Remove all rules for all ip addresses (and general rules) on a
+ * network that is being shut down.
+ *
+ * This function assumes the set of iptables rules that were added by
+ * all versions of libvirt prior to 10.4.0; any libvirt of that
+ * release or newer may or may not have this same set of rules, and
+ * should be using the list of commands saved in NetworkObj::fwRemoval
+ * (<fwRemoval> element in the network status XML) to remove the
+ * network's firewall rules.
+ */
void
iptablesRemoveFirewallRules(virNetworkDef *def)
{
diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h
index cdc143f154..d6ffc15bb0 100644
--- a/src/network/network_iptables.h
+++ b/src/network/network_iptables.h
@@ -23,7 +23,7 @@
#include "virfirewall.h"
#include "network_conf.h"
-int iptablesAddFirewallRules(virNetworkDef *def);
+int iptablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval);
void iptablesRemoveFirewallRules(virNetworkDef *def);
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 3a9f409e2a..082979e5dc 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -98,7 +98,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
return -1;
- if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0)
+ if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0)
return -1;
actual = actualargv = virBufferContentAndReset(&buf);
--
2.45.0
12:29 p.m.
New subject: [PATCH v5 22/30] network: save network status when firewall rules are reloaded
In the case that a new version of libvirt is started that uses
different rules to build the network firewall, we need to re-save the
status so that when the network is destroyed (or the *next* time
libvirt is restarted and wants to remove/re-add the firewall), it will
have the proper information to perform the firewall removal.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/conf/virnetworkobj.c | 1 +
src/network/bridge_driver.c | 8 +++++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c
index f5db4c5804..19305798cb 100644
--- a/src/conf/virnetworkobj.c
+++ b/src/conf/virnetworkobj.c
@@ -834,6 +834,7 @@ virNetworkObjSaveStatus(const char *statusDir,
int flags = 0;
g_autofree char *xml = NULL;
+ VIR_DEBUG("Writing network status to disk");
if (!(xml = virNetworkObjFormat(obj, xmlopt, flags)))
return -1;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 1b4c5aedf2..53a896feb9 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1686,6 +1686,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj,
VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
virNetworkDef *def = virNetworkObjGetDef(obj);
virFirewall *fwRemoval = NULL;
+ bool saveStatus = false;
if (virNetworkObjIsActive(obj)) {
switch ((virNetworkForwardType) def->forward.type) {
@@ -1700,6 +1701,7 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj,
networkRemoveFirewallRules(obj);
ignore_value(networkAddFirewallRules(def, cfg->firewallBackend,
&fwRemoval));
virNetworkObjSetFwRemoval(obj, fwRemoval);
+ saveStatus = true;
break;
case VIR_NETWORK_FORWARD_OPEN:
@@ -1717,6 +1719,11 @@ networkReloadFirewallRulesHelper(virNetworkObj *obj,
}
}
+ if (saveStatus) {
+ ignore_value(virNetworkObjSaveStatus(cfg->stateDir, obj,
+ network_driver->xmlopt));
+ }
+
return 0;
}
@@ -2366,7 +2373,6 @@ networkStartNetwork(virNetworkDriverState *driver,
/* Persist the live configuration now that anything autogenerated
* is setup.
*/
- VIR_DEBUG("Writing network status to disk");
if (virNetworkObjSaveStatus(cfg->stateDir,
obj, network_driver->xmlopt) < 0)
goto cleanup;
--
2.45.0
12:30 p.m.
New subject: [PATCH v5 23/30] meson: stop looking for iptables/ip6tables/ebtables at build time
This was the only reason we required the iptables and ebtables
packages at build time, and many other external commands already have
their binaries found at runtime by looking through $PATH (virCommand
automatically does this), so we may as well do it for these commands
as well.
Since we no longer need iptables or iptables at build time, we can
also drop the BuildRequires for them from the rpm specfile.
Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 2 --
meson.build | 3 ---
src/network/bridge_driver_conf.c | 2 ++
src/util/virfirewall.h | 5 +++++
4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 0e8dc000f3..fce312c8ab 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -356,8 +356,6 @@ BuildRequires: sanlock-devel >= 2.4
BuildRequires: libpcap-devel >= 1.5.0
BuildRequires: libnl3-devel
BuildRequires: libselinux-devel
-BuildRequires: iptables
-BuildRequires: ebtables
# For modprobe
BuildRequires: kmod
BuildRequires: cyrus-sasl-devel
diff --git a/meson.build b/meson.build
index af3719a734..91211d7964 100644
--- a/meson.build
+++ b/meson.build
@@ -838,10 +838,7 @@ optional_test_programs = [
optional_programs = [
'dmidecode',
- 'ebtables',
'ip',
- 'ip6tables',
- 'iptables',
'iscsiadm',
'mdevctl',
'mm-ctl',
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index 06abab516a..d0135fb12a 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -27,8 +27,10 @@
#include "virerror.h"
#include "virfile.h"
#include "virutil.h"
+#include "virfirewall.h" /* for binary names */
#include "bridge_driver_conf.h"
+
#define VIR_FROM_THIS VIR_FROM_NETWORK
VIR_LOG_INIT("network.bridge_driver");
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 917745c315..4ac16f02b3 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -25,6 +25,11 @@
#include "virbuffer.h"
#include "virxml.h"
+/* various external programs executed when applying firewalls */
+#define EBTABLES "ebtables"
+#define IPTABLES "iptables"
+#define IP6TABLES "ip6tables"
+
typedef struct _virFirewall virFirewall;
typedef struct _virFirewallCmd virFirewallCmd;
--
2.45.0
12:30 p.m.
New subject: [PATCH v5 24/30] network: add an nftables backend for network driver's firewall construction
Support using nftables to setup the firewall for each virtual network,
rather than iptables. The initial implementation of the nftables
backend creates (almost) exactly the same ruleset as the iptables
backend, determined by running the following commands on a host that
has an active virtual network:
iptables-save >iptables.txt
iptables-restore-translate -f iptables.txt
(and the similar ip6tables-save/ip6tables-restore-translate for an
IPv6 network). Correctness of the new backend was checked by comparing
the output of:
nft list ruleset
when the backend is set to iptables and when it is set to nftables.
This page was used as a guide:
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to...
The only differences between the rules created by the nftables backed
vs. the iptables backend (aside from a few inconsequential changes in
display order of some chains/options) are:
1) When we add nftables rules, rather than adding them in the
system-created "filter" and "nat" tables, we add them in a private
table (ie only we should be using it) created by us called "libvirt"
(the system-created "filter" and "nat" tables can't be used
because
adding any rules to those tables directly with nft will cause failure
of any legacy application attempting to use iptables when it tries to
list the iptables rules (e.g. "iptables -S").
(NB: in nftables only a single table is required for both nat and
filter rules - the chains for each are differentiated by specifying
different "hook" locations for the toplevel chain of each)
2) Since the rules that were added to allow tftp/dns/dhcp traffic from
the guests to the host are unnecessary in the context of nftables,
those rules aren't added.
(Longer explanation: In the case of iptables, all rules were in a
single table, and it was always assumed that there would be some
"catch-all" REJECT rule added by "someone else" in the case that a
packet didn't match any specific rules, so libvirt added these
specific rules to ensure that, no matter what other rules were added
by any other subsystem, the guests would still have functional
tftp/dns/dhcp. For nftables though, the rules added by each subsystem
are in a separate table, and in order for traffic to be accepted, it
must be accepted by *all* tables, so just adding the specific rules to
libvirt's table doesn't help anything (as the default for the libvirt
table is ACCEPT anyway) and it just isn't practical/possible for
libvirt to find *all* other tables and add rules in all of them to
make sure the traffic is accepted. libvirt does this for firewalld (it
creates a "libvirt" zone that allows tftp/dns/dhcp, and adds all
virtual network bridges to that zone), however, so in that case no
extra work is required of the sysadmin.)
3) nftables doesn't support the "checksum mangle" rule (or any
equivalent functionality) that we have historically added to our
iptables rules, so the nftables rules we add have nothing related to
checksum mangling.
(NB: The result of (3) is that if you a) have a very old guest (RHEL5
era or earlier) and b) that guest is using a virtio-net network
device, and c) the virtio-net device is using vhost packet processing
(the default) then DHCP on the guest will fail. You can work around
this by adding <driver name='qemu'/> to the <interface> XML for the
guest).
There are certainly much better nftables rulesets that could be used
instead of those implemented here, and everything is in place to make
future changes to the rules that are used simple and free of surprises
(e.g. the rules that are added have coresponding "removal" commands
added to the network status so that we will always remove exactly the
rules that were previously added rather than trying to remove the
rules that "the current build of libvirt would have added" (which will
be incorrect the first time we run a libvirt with a newly modified
ruleset). For this initial implementation though, I wanted the
nftables rules to be as identical to the iptables rules as possible,
just to make it easier to verify that everything is working.
The backend can be manually chosen using the firewall_backend setting
in /etc/libvirt/network.conf. libvirtd/virtnetworkd will read this
setting when it starts; if there is no explicit setting, it will check
for availability of FIREWALL_BACKEND_DEFAULT_1 and then
FIREWALL_BACKEND_DEFAULT_2 (which are set at build time in
meson_options.txt or by adding -Dfirewall_backend_default_n=blah to
the meson commandline), and use the first backend that is available
(ie, that has the necessary programs installed). The standard
meson_options.txt is set to check for nftables first, and then
iptables.
Although it should be very safe to change the default backend from
iptables to nftables, that change is left for a later patch, to show
how the change in default can be undone if someone really needs to do
that.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
meson.build | 5 +
meson_options.txt | 1 +
po/POTFILES | 1 +
src/network/bridge_driver_conf.c | 11 +-
src/network/bridge_driver_linux.c | 17 +-
src/network/meson.build | 1 +
src/network/network.conf.in | 21 +-
src/network/network_nftables.c | 940 ++++++++++++++++++++++++++++++
src/network/network_nftables.h | 28 +
src/util/virfirewall.c | 167 +++++-
src/util/virfirewall.h | 2 +
11 files changed, 1188 insertions(+), 6 deletions(-)
create mode 100644 src/network/network_nftables.c
create mode 100644 src/network/network_nftables.h
diff --git a/meson.build b/meson.build
index 91211d7964..f67c3d2724 100644
--- a/meson.build
+++ b/meson.build
@@ -1639,6 +1639,11 @@ if not get_option('driver_network').disabled() and
conf.has('WITH_LIBVIRTD')
firewall_backend_default_conf = firewall_backend_default_1
firewall_backend_default_1 = 'VIR_FIREWALL_BACKEND_' +
firewall_backend_default_1.to_upper()
conf.set('FIREWALL_BACKEND_DEFAULT_1', firewall_backend_default_1)
+
+ firewall_backend_default_2 = get_option('firewall_backend_default_2')
+ firewall_backend_default_2 = 'VIR_FIREWALL_BACKEND_' +
firewall_backend_default_2.to_upper()
+ conf.set('FIREWALL_BACKEND_DEFAULT_2', firewall_backend_default_2)
+
elif get_option('driver_network').enabled()
error('libvirtd must be enabled to build the network driver')
endif
diff --git a/meson_options.txt b/meson_options.txt
index 41342793bc..cd2b9acc79 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -116,6 +116,7 @@ option('firewalld', type: 'feature', value:
'auto', description: 'firewalld supp
# dep:firewalld
option('firewalld_zone', type: 'feature', value: 'auto',
description: 'whether to install firewalld libvirt zone')
option('firewall_backend_default_1', type: 'string', value:
'iptables', description: 'first firewall backend to try when none is
specified')
+option('firewall_backend_default_2', type: 'string', value:
'nftables', description: 'second firewall backend to try when none is
specified (and first is unavailable)')
option('host_validate', type: 'feature', value: 'auto',
description: 'build virt-host-validate')
option('init_script', type: 'combo', choices: ['systemd',
'openrc', 'check', 'none'], value: 'check', description:
'Style of init script to install')
option('loader_nvram', type: 'string', value: '', description:
'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items
are separated by a colon.')
diff --git a/po/POTFILES b/po/POTFILES
index 0542d342d6..4ad7e19e08 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -145,6 +145,7 @@ src/network/bridge_driver_conf.c
src/network/bridge_driver_linux.c
src/network/leaseshelper.c
src/network/network_iptables.c
+src/network/network_nftables.c
src/node_device/node_device_driver.c
src/node_device/node_device_udev.c
src/nwfilter/nwfilter_dhcpsnoop.c
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index d0135fb12a..a083fa68e6 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -67,7 +67,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
g_autofree char *fwBackendStr = NULL;
bool fwBackendSelected = false;
size_t i;
- int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1 };
+ int fwBackends[] = { FIREWALL_BACKEND_DEFAULT_1, FIREWALL_BACKEND_DEFAULT_2 };
G_STATIC_ASSERT(G_N_ELEMENTS(fwBackends) == VIR_FIREWALL_BACKEND_LAST);
if (access(filename, R_OK) == 0) {
@@ -105,6 +105,15 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
fwBackendSelected = true;
break;
}
+
+ case VIR_FIREWALL_BACKEND_NFTABLES: {
+ g_autofree char *nftablesInPath = virFindFileInPath(NFT);
+
+ if (nftablesInPath)
+ fwBackendSelected = true;
+ break;
+ }
+
case VIR_FIREWALL_BACKEND_LAST:
virReportEnumRangeError(virFirewallBackend, fwBackends[i]);
return -1;
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index b488600989..35e6bd1154 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -27,6 +27,7 @@
#include "virfirewall.h"
#include "virfirewalld.h"
#include "network_iptables.h"
+#include "network_nftables.h"
#define VIR_FROM_THIS VIR_FROM_NONE
@@ -49,6 +50,9 @@ networkFirewallSetupPrivateChains(virFirewallBackend backend,
case VIR_FIREWALL_BACKEND_IPTABLES:
return iptablesSetupPrivateChains(layer);
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ return nftablesSetupPrivateChains(layer);
+
case VIR_FIREWALL_BACKEND_LAST:
virReportEnumRangeError(virFirewallBackend, backend);
return -1;
@@ -412,7 +416,18 @@ networkAddFirewallRules(virNetworkDef *def,
}
}
- return iptablesAddFirewallRules(def, fwRemoval);
+ switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ return iptablesAddFirewallRules(def, fwRemoval);
+
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ return nftablesAddFirewallRules(def, fwRemoval);
+
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, firewallBackend);
+ return -1;
+ }
+ return 0;
}
diff --git a/src/network/meson.build b/src/network/meson.build
index c1934d2e68..bf2893accc 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -3,6 +3,7 @@ network_driver_sources = [
'bridge_driver_conf.c',
'bridge_driver_platform.c',
'network_iptables.c',
+ 'network_nftables.c',
]
driver_source_files += files(network_driver_sources)
diff --git a/src/network/network.conf.in b/src/network/network.conf.in
index ec75e125d8..f579f39fcd 100644
--- a/src/network/network.conf.in
+++ b/src/network/network.conf.in
@@ -5,7 +5,24 @@
# firewall_backend:
#
# determines which subsystem to use to setup firewall packet
-# filtering rules for virtual networks. Currently the only supported
-# selection is "iptables".
+# filtering rules for virtual networks.
+#
+# Supported settings:
+#
+# iptables - use iptables commands to construct the firewall
+# nftables - use nft commands to construct the firewall
+#
+# If firewall_backend isn't set in this file, libvirt will
+# prefer the @FIREWALL_BACKEND@ backend *if the necessary package.
+# binary is installed*, otherwise it will look for the package/binary
+# needed for the other backend and use that if available. If neither
+# is available on the host, then the network driver will fail to
+# start, and an error will be logged.
+#
+# (NB: switching from one backend to another while there are active
+# virtual networks *is* supported. The change will take place the
+# next time that libvirtd/virtnetworkd is restarted - all existing
+# virtual networks will have their old firewalls removed, and then
+# reloaded using the new backend.)
#
#firewall_backend = "@FIREWALL_BACKEND@"
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
new file mode 100644
index 0000000000..c8cee98df5
--- /dev/null
+++ b/src/network/network_nftables.c
@@ -0,0 +1,940 @@
+/*
+ * network_nftables.c: nftables-based firewall implementation for
+ * virtual networks.
+ *
+ * Copyright (C) 2007-2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include "internal.h"
+#include "virfirewalld.h"
+#include "virerror.h"
+#include "virlog.h"
+#include "virhash.h"
+#include "virenum.h"
+#include "virstring.h"
+#include "network_nftables.h"
+
+VIR_LOG_INIT("network.nftables");
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP"
+#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
+#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
+#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
+#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
+#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+
+/* we must avoid using the standard "filter" table as used by
+ * iptables, as any subsequent attempts to use iptables commands will
+ * fail (due to the "filter" table having rules that are unexpected by
+ * the iptables-compat
+ */
+
+#define VIR_NFTABLES_PRIVATE_TABLE "libvirt"
+
+/* nftables backend uses the same binary (nft) for all layers, but
+ * IPv4 and IPv6 have their rules in separate classes of tables,
+ * either "ip" or "ip6". (there is also an "inet" class of
tables that
+ * would examined for both IPv4 and IPv6 traffic, but since we want
+ * different rules for each family, we only use the family-specific
+ * table classes).
+ */
+VIR_ENUM_DECL(nftablesLayer);
+VIR_ENUM_IMPL(nftablesLayer,
+ VIR_FIREWALL_LAYER_LAST,
+ "",
+ "ip",
+ "ip6",
+);
+
+
+typedef struct {
+ const char *parent;
+ const char *child;
+ const char *extraArgs;
+} nftablesGlobalChain;
+
+typedef struct {
+ virFirewallLayer layer;
+ nftablesGlobalChain *chains;
+ size_t nchains;
+ bool *changed;
+} nftablesGlobalChainData;
+
+
+nftablesGlobalChain nftablesChains[] = {
+ /* chains for filter rules */
+ {NULL, "INPUT", "{ type filter hook input priority 0; policy accept;
}"},
+ {NULL, "FORWARD", "{ type filter hook forward priority 0; policy
accept; }"},
+ {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept;
}"},
+ {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL},
+ {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL},
+ {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
+ {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
+ {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL},
+
+ /* chains for NAT rules */
+ {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100;
policy accept; }"},
+ {"POSTROUTING", VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL},
+};
+
+
+static int
+nftablesPrivateChainCreate(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *const *lines,
+ void *opaque)
+{
+ nftablesGlobalChainData *data = opaque;
+ g_autoptr(GHashTable) chains = virHashNew(NULL);
+ g_autoptr(GHashTable) links = virHashNew(NULL);
+ const char *const *line;
+ const char *chain = NULL;
+ size_t i;
+ bool tableMatch = false;
+ const char *layerStr = nftablesLayerTypeToString(layer);
+ g_autofree char *tableStr = g_strdup_printf("table %s %s {",
+ layerStr,
+ VIR_NFTABLES_PRIVATE_TABLE);
+
+ line = lines;
+ while (line && *line) {
+ const char *pos = *line;
+
+ virSkipSpaces(&pos);
+ if (STREQ(pos, tableStr)) {
+ /* "table ip libvirt {" */
+
+ tableMatch = true;
+
+ } else if (STRPREFIX(pos, "chain ")) {
+ /* "chain LIBVIRT_OUT {" */
+
+ chain = pos + 6;
+ pos = strchr(chain, ' ');
+ if (pos) {
+ *(char *)pos = '\0';
+ if (virHashUpdateEntry(chains, chain, (void *)0x1) < 0)
+ return -1;
+ }
+
+ } else if ((pos = strstr(pos, "jump "))) {
+ /* "counter packets 20189046 bytes 3473108889 jump LIBVIRT_OUT" */
+
+ pos += 5;
+ if (chain) {
+ if (virHashUpdateEntry(links, pos, (char *)chain) < 0)
+ return -1;
+ }
+
+ }
+ line++;
+ }
+
+ if (!tableMatch) {
+ virFirewallAddCmd(fw, layer, "add", "table",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL);
+ }
+
+ for (i = 0; i < data->nchains; i++) {
+ if (!(tableMatch && virHashLookup(chains, data->chains[i].child))) {
+ virFirewallAddCmd(fw, layer, "add", "chain",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ data->chains[i].child,
+ data->chains[i].extraArgs, NULL);
+ *data->changed = true;
+ }
+
+ if (data->chains[i].parent) {
+ const char *from = virHashLookup(links, data->chains[i].child);
+
+ if (!from || STRNEQ(from, data->chains[i].parent)) {
+ virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ data->chains[i].parent, "counter",
+ "jump", data->chains[i].child, NULL);
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+int
+nftablesSetupPrivateChains(virFirewallLayer layer)
+{
+ bool changed = false;
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_NFTABLES);
+ const char *layerStr = nftablesLayerTypeToString(layer);
+ nftablesGlobalChainData data = { layer, nftablesChains,
G_N_ELEMENTS(nftablesChains), &changed };
+
+ virFirewallStartTransaction(fw, 0);
+
+ /* the output of "nft list table ip[6] libvirt" will be parsed by
+ * the callback nftablesPrivateChainCreate which will add any
+ * needed commands to add missing chains (or possibly even add the
+ * "ip[6] libvirt" table itself
+ */
+ virFirewallAddCmdFull(fw, layer, false,
+ nftablesPrivateChainCreate, &data,
+ "list", "table",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL);
+
+ if (virFirewallApply(fw) < 0)
+ return -1;
+
+ return changed ? 1 : 0;
+}
+
+
+static void
+nftablesAddInput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port,
+ int tcp)
+{
+ g_autofree char *portstr = g_strdup_printf("%d", port);
+ const char *layerStr = nftablesLayerTypeToString(layer);
+
+ virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_INPUT_CHAIN,
+ "iifname", iface,
+ tcp ? "tcp" : "udp",
+ "dport", portstr,
+ "counter", "accept",
+ NULL);
+}
+
+
+static void
+nftablesAddOutput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port,
+ int tcp)
+{
+ g_autofree char *portstr = g_strdup_printf("%d", port);
+ const char *layerStr = nftablesLayerTypeToString(layer);
+
+ virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_OUTPUT_CHAIN,
+ "oifname", iface,
+ tcp ? "tcp" : "udp",
+ "dport", portstr,
+ "counter", "accept",
+ NULL);
+}
+
+
+/**
+ * nftablesAddTcpInput:
+ *
+ * Add a rule to @fw that will allow incoming TCP sessions to port
+ * @port on @iface with protocol @layer.
+ */
+static void
+nftablesAddTcpInput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
+{
+ nftablesAddInput(fw, layer, iface, port, 1);
+}
+
+
+/**
+ * nftablesAddUdpInput:
+ *
+ * Add a rule to @fw that will allow incoming UDP sessions to port
+ * @port on @iface with protocol @layer.
+ */
+static void
+nftablesAddUdpInput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
+{
+ nftablesAddInput(fw, layer, iface, port, 0);
+}
+
+
+/**
+ * nftablesAddTcpOutput:
+ *
+ * Add a rule to @fw that will allow outbound TCP sessions to port
+ * @port on @iface with protocol @layer.
+ */
+static void
+nftablesAddTcpOutput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
+{
+ nftablesAddOutput(fw, layer, iface, port, 1);
+}
+
+
+/**
+ * nftablesAddUdpOutput:
+ *
+ * Add a rule to @fw that will allow outbound UDP sessions to port
+ * @port on @iface with protocol @layer.
+ */
+static void
+nftablesAddUdpOutput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
+{
+ nftablesAddOutput(fw, layer, iface, port, 0);
+}
+
+
+/**
+ * nftablesAddForwardAllowOut:
+ *
+ * Add a rule to @fw that allows all outbound traffic coming from
+ * @iface (the virtual network's bridge) to be forwarded out @physdev,
+ * as long as its source address is in @netaddr/@prefix.
+ */
+static int
+nftablesAddForwardAllowOut(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+{
+ g_autofree char *networkstr = NULL;
+ virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ const char *layerStr = nftablesLayerTypeToString(layer);
+ virFirewallCmd *fwCmd;
+
+ if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true)))
+ return -1;
+
+ fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_OUT_CHAIN,
+ layerStr, "saddr", networkstr,
+ "iifname", iface, NULL);
+
+ if (physdev && physdev[0])
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+
+ virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL);
+
+ return 0;
+}
+
+/**
+ * nftablesAddForwardAllowRelatedIn:
+ *
+ * Add a rule to @fw that allows all traffic coming in from @physdev
+ * and destined to @iface (the virtual network's bridge) that has a
+ * destination within @netaddr/@prefix and is associated with an
+ * existing connection.
+ */
+static int
+nftablesAddForwardAllowRelatedIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+{
+ virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ const char *layerStr = nftablesLayerTypeToString(layer);
+ g_autofree char *networkstr = NULL;
+ virFirewallCmd *fwCmd;
+
+ if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true)))
+ return -1;
+
+ fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_IN_CHAIN, NULL);
+
+ if (physdev && physdev[0])
+ virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+ layerStr, "daddr", networkstr,
+ "ct", "state",
"related,established",
+ "counter", "accept", NULL);
+ return 0;
+}
+
+
+/**
+ * nftablesAddForwardAllowIn:
+ *
+ * Add a rule to @fw that allows all traffic coming in from @physdev
+ * and destined to @iface (the virtual network's bridge) that has a
+ * destination within @netaddr/@prefix.
+ */
+static int
+nftablesAddForwardAllowIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+{
+ virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ const char *layerStr = nftablesLayerTypeToString(layer);
+ g_autofree char *networkstr = NULL;
+ virFirewallCmd *fwCmd;
+
+ if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true)))
+ return -1;
+
+ fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_IN_CHAIN,
+ layerStr, "daddr", networkstr, NULL);
+
+ if (physdev && physdev[0])
+ virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+ "counter", "accept", NULL);
+ return 0;
+}
+
+
+/**
+ * nftablesAddForwardAllowCross:
+ *
+ * Add a rule to @fw to allow traffic to go across @iface (the virtual
+ * network's bridge) from one port to another. This allows all traffic
+ * between guests on the same virtual network.
+ */
+static void
+nftablesAddForwardAllowCross(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
+{
+ virFirewallAddCmd(fw, layer, "insert", "rule",
+ nftablesLayerTypeToString(layer),
+ VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_X_CHAIN,
+ "iifname", iface,
+ "oifname", iface,
+ "counter", "accept",
+ NULL);
+}
+
+
+/**
+ * nftablesAddForwardRejectOut:
+ *
+ * Add a rule to @fw to forbid all outbound traffic through @iface
+ * (the virtual network's bridge). This is used as a catchall rule to
+ * reject traffic that hasn't already been explicitly allowed by
+ * another rule.
+ */
+static void
+nftablesAddForwardRejectOut(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
+{
+ virFirewallAddCmd(fw, layer, "insert", "rule",
+ nftablesLayerTypeToString(layer),
+ VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_OUT_CHAIN,
+ "iifname", iface,
+ "counter", "reject",
+ NULL);
+}
+
+
+/**
+ * nftablesAddForwardRejectIn:
+ *
+ * Add a rule to @fw to forbid all inbound traffic through @iface (the
+ * virtual network's bridge). This is used as a catchall rule to
+ * reject traffic that hasn't already been explicitly allowed by
+ * another rule.
+ */
+static void
+nftablesAddForwardRejectIn(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
+{
+ virFirewallAddCmd(fw, layer, "insert", "rule",
+ nftablesLayerTypeToString(layer),
+ VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_IN_CHAIN,
+ "oifname", iface,
+ "counter", "reject",
+ NULL);
+}
+
+
+/**
+ * nftablesAddForwardMasquerade:
+ *
+ * Add a rule to @fw that will masquerade outbound traffic from
+ * @netaddr/@prefix @iface to have the source IP/port from one of the
+ * range of @addr:@port (or something appropriate for the interface
+ * used for egress, if no address/port range is given)
+ */
+static int
+nftablesAddForwardMasquerade(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ virSocketAddrRange *addr,
+ virPortRange *port,
+ const char *protocol)
+{
+ g_autofree char *networkstr = NULL;
+ g_autofree char *addrStartStr = NULL;
+ g_autofree char *addrEndStr = NULL;
+ g_autofree char *portRangeStr = NULL;
+ g_autofree char *natRangeStr = NULL;
+ virFirewallCmd *fwCmd;
+ int af = VIR_SOCKET_ADDR_FAMILY(netaddr);
+ virFirewallLayer layer = af == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ const char *layerStr = nftablesLayerTypeToString(layer);
+
+ if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true)))
+ return -1;
+
+ if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) {
+ if (!(addrStartStr = virSocketAddrFormat(&addr->start)))
+ return -1;
+ if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) {
+ if (!(addrEndStr = virSocketAddrFormat(&addr->end)))
+ return -1;
+ }
+ }
+
+ fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
+
+ if (protocol && protocol[0])
+ virFirewallCmdAddArgList(fw, fwCmd, "meta", "l4proto",
protocol, NULL);
+
+ virFirewallCmdAddArgList(fw, fwCmd,
+ layerStr, "saddr", networkstr,
+ layerStr, "daddr", "!=", networkstr,
NULL);
+
+ if (physdev && physdev[0])
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+
+ if (protocol && protocol[0]) {
+ if (port->start == 0 && port->end == 0) {
+ port->start = 1024;
+ port->end = 65535;
+ }
+
+ if (port->start < port->end && port->end < 65536) {
+ portRangeStr = g_strdup_printf(":%u-%u", port->start,
port->end);
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid port range '%1$u-%2$u'."),
+ port->start, port->end);
+ return -1;
+ }
+ }
+
+ /* Use snat if public address is specified */
+ if (addrStartStr && addrStartStr[0]) {
+ if (addrEndStr && addrEndStr[0]) {
+ natRangeStr = g_strdup_printf("%s-%s%s", addrStartStr, addrEndStr,
+ portRangeStr ? portRangeStr : "");
+ } else {
+ natRangeStr = g_strdup_printf("%s%s", addrStartStr,
+ portRangeStr ? portRangeStr : "");
+ }
+
+ virFirewallCmdAddArgList(fw, fwCmd, "counter", "snat",
"to", natRangeStr, NULL);
+ } else {
+ virFirewallCmdAddArgList(fw, fwCmd, "counter", "masquerade",
NULL);
+
+ if (portRangeStr && portRangeStr[0])
+ virFirewallCmdAddArgList(fw, fwCmd, "to", portRangeStr, NULL);
+ }
+
+ return 0;
+}
+
+
+/**
+ * nftablesAddDontMasquerade:
+ *
+ * Add a rule to @fw that prevents masquerading traffic coming from
+ * the network associated with the bridge if said traffic targets
+ * @destaddr.
+ */
+static int
+nftablesAddDontMasquerade(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ const char *destaddr)
+{
+ g_autofree char *networkstr = NULL;
+ virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ const char *layerStr = nftablesLayerTypeToString(layer);
+ virFirewallCmd *fwCmd;
+
+ if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true)))
+ return -1;
+
+ fwCmd = virFirewallAddCmd(fw, layer, "insert", "rule",
+ layerStr, VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
+
+ if (physdev && physdev[0])
+ virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+
+ virFirewallCmdAddArgList(fw, fwCmd,
+ layerStr, "saddr", networkstr,
+ layerStr, "daddr", destaddr,
+ "counter", "return", NULL);
+ return 0;
+}
+
+
+static const char networkLocalMulticastIPv4[] = "224.0.0.0/24";
+static const char networkLocalMulticastIPv6[] = "ff02::/16";
+static const char networkLocalBroadcast[] = "255.255.255.255/32";
+
+
+static int
+nftablesAddMasqueradingFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ int prefix = virNetworkIPDefPrefix(ipdef);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
+ bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET);
+
+ if (prefix < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid prefix or netmask for '%1$s'"),
+ def->bridge);
+ return -1;
+ }
+
+ /* allow forwarding packets from the bridge interface */
+ if (nftablesAddForwardAllowOut(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ /* allow forwarding packets to the bridge interface if they are
+ * part of an existing connection
+ */
+ if (nftablesAddForwardAllowRelatedIn(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ /*
+ * Enable masquerading.
+ *
+ * We need to end up with 5 rules in the table in this order
+ *
+ * 1. do not masquerade packets targeting 224.0.0.0/24
+ * 2. do not masquerade packets targeting 255.255.255.255/32
+ * 3. masquerade protocol=tcp with sport mapping restriction
+ * 4. masquerade protocol=udp with sport mapping restriction
+ * 5. generic, masquerade any protocol
+ *
+ * 224.0.0.0/24 is the local network multicast range. Packets are not
+ * forwarded outside.
+ *
+ * 255.255.255.255/32 is the broadcast address of any local network. Again,
+ * such packets are never forwarded, but strict DHCP clients don't accept
+ * DHCP replies with changed source ports.
+ *
+ * The sport mappings are required, because default Nftables
+ * MASQUERADE maintain port numbers unchanged where possible.
+ *
+ * NFS can be configured to only "trust" port numbers < 1023.
+ *
+ * Guests using NAT thus need to be prevented from having port
+ * numbers < 1023, otherwise they can bypass the NFS "security"
+ * check on the source port number.
+ *
+ * Since we use '--insert' to add rules to the header of the
+ * chain, we actually need to add them in the reverse of the
+ * order just mentioned !
+ */
+
+ /* First the generic masquerade rule for other protocols */
+ if (nftablesAddForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ NULL) < 0)
+ return -1;
+
+ /* UDP with a source port restriction */
+ if (nftablesAddForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ "udp") < 0)
+ return -1;
+
+ /* TCP with a source port restriction */
+ if (nftablesAddForwardMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ &def->forward.addr,
+ &def->forward.port,
+ "tcp") < 0)
+ return -1;
+
+ /* exempt local network broadcast address as destination */
+ if (isIPv4 &&
+ nftablesAddDontMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ networkLocalBroadcast) < 0)
+ return -1;
+
+ /* exempt local multicast range as destination */
+ if (nftablesAddDontMasquerade(fw,
+ &ipdef->address,
+ prefix,
+ forwardIf,
+ isIPv4 ? networkLocalMulticastIPv4 :
+ networkLocalMulticastIPv6) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static int
+nftablesAddRoutingFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ int prefix = virNetworkIPDefPrefix(ipdef);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
+
+ if (prefix < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid prefix or netmask for '%1$s'"),
+ def->bridge);
+ return -1;
+ }
+
+ /* allow routing packets from the bridge interface */
+ if (nftablesAddForwardAllowOut(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ /* allow routing packets to the bridge interface */
+ if (nftablesAddForwardAllowIn(fw,
+ &ipdef->address,
+ prefix,
+ def->bridge,
+ forwardIf) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static void
+nftablesAddGeneralIPv4FirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ size_t i;
+ virNetworkIPDef *ipv4def;
+
+ /* First look for first IPv4 address that has dhcp or tftpboot defined. */
+ /* We support dhcp config on 1 IPv4 interface only. */
+ for (i = 0;
+ (ipv4def = virNetworkDefGetIPByIndex(def, AF_INET, i));
+ i++) {
+ if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
+ break;
+ }
+
+ /* allow DHCP requests through to dnsmasq & back out */
+ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+
+ /* allow DNS requests through to dnsmasq & back out */
+ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+
+ /* allow TFTP requests through to dnsmasq if necessary & back out */
+ if (ipv4def && ipv4def->tftproot) {
+ nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ }
+
+ /* Catch all rules to block forwarding to/from bridges */
+ nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ nftablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+
+ /* Allow traffic between guests on the same bridge */
+ nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+}
+
+
+/* Add all once/network rules required for IPv6.
+ * If no IPv6 addresses are defined and <network ipv6='yes'> is
+ * specified, then allow IPv6 communications between virtual systems.
+ * If any IPv6 addresses are defined, then add the rules for regular operation.
+ */
+static void
+nftablesAddGeneralIPv6FirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ if (!virNetworkDefGetIPByIndex(def, AF_INET6, 0) &&
+ !def->ipv6nogw) {
+ return;
+ }
+
+ /* Catch all rules to block forwarding to/from bridges */
+ nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ nftablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+
+ /* Allow traffic between guests on the same bridge */
+ nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+
+ if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
+ /* allow DNS over IPv6 & back out */
+ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ nftablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ /* allow DHCPv6 & back out */
+ nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
+ }
+}
+
+
+static void
+nftablesAddGeneralFirewallRules(virFirewall *fw,
+ virNetworkDef *def)
+{
+ nftablesAddGeneralIPv4FirewallRules(fw, def);
+ nftablesAddGeneralIPv6FirewallRules(fw, def);
+}
+
+
+static int
+nftablesAddIPSpecificFirewallRules(virFirewall *fw,
+ virNetworkDef *def,
+ virNetworkIPDef *ipdef)
+{
+ /* NB: in the case of IPv6, routing rules are added when the
+ * forward mode is NAT. This is because IPv6 has no NAT.
+ */
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
+ if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) ||
+ def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)
+ return nftablesAddMasqueradingFirewallRules(fw, def, ipdef);
+ else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
+ return nftablesAddRoutingFirewallRules(fw, def, ipdef);
+ } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ return nftablesAddRoutingFirewallRules(fw, def, ipdef);
+ }
+ return 0;
+}
+
+
+/* nftablesAddFirewallrules:
+ *
+ * @def - the network that needs an nftables firewall added
+ * @fwRemoval - if this is not NULL, it points to a pointer
+ * that should be filled in with a virFirewall object containing
+ * all the commands needed to remove this firewall at a later time.
+ *
+ * Add all rules for all ip addresses (and general rules) on a
+ * network, and optionally return a virFirewall object containing all
+ * the rules needed to later remove the firewall that has been added.
+ */
+int
+nftablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval)
+{
+ size_t i;
+ virNetworkIPDef *ipdef;
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_NFTABLES);
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
+
+ nftablesAddGeneralFirewallRules(fw, def);
+
+ for (i = 0;
+ (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
+ i++) {
+ if (nftablesAddIPSpecificFirewallRules(fw, def, ipdef) < 0)
+ return -1;
+ }
+
+ if (virFirewallApply(fw) < 0)
+ return -1;
+
+ if (fwRemoval) {
+ /* caller wants us to create a virFirewall object that can be
+ * applied to undo everything that was just done by * virFirewallApply()
+ */
+
+ if (virFirewallNewFromRollback(fw, fwRemoval) < 0)
+ return -1;
+ }
+
+ return 0;
+}
diff --git a/src/network/network_nftables.h b/src/network/network_nftables.h
new file mode 100644
index 0000000000..5abae3a423
--- /dev/null
+++ b/src/network/network_nftables.h
@@ -0,0 +1,28 @@
+/*
+ * network_nftables.h: helper APIs for managing nftables in network driver
+ *
+ * Copyright (C) 2024 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ */
+
+#pragma once
+
+#include "virfirewall.h"
+#include "network_conf.h"
+
+int nftablesAddFirewallRules(virNetworkDef *def, virFirewall **fwRemoval);
+
+int nftablesSetupPrivateChains(virFirewallLayer layer);
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 649b2289c0..2219506b18 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -37,7 +37,8 @@ VIR_LOG_INIT("util.firewall");
VIR_ENUM_IMPL(virFirewallBackend,
VIR_FIREWALL_BACKEND_LAST,
- "iptables");
+ "iptables",
+ "nftables");
VIR_ENUM_DECL(virFirewallLayer);
VIR_ENUM_IMPL(virFirewallLayer,
@@ -653,6 +654,153 @@ virFirewallCmdIptablesApply(virFirewall *firewall,
}
+#define VIR_NFTABLES_ARG_IS_CREATE(arg) \
+ (STREQ(arg, "insert") || STREQ(arg, "add") || STREQ(arg,
"create"))
+
+static int
+virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED,
+ virFirewallCmd *fwCmd,
+ char **output)
+{
+ bool needRollback = false;
+ size_t cmdIdx = 0;
+ const char *objectType = NULL;
+ g_autoptr(virCommand) cmd = NULL;
+ g_autofree char *cmdStr = NULL;
+ g_autofree char *error = NULL;
+ size_t i;
+ int status;
+
+ cmd = virCommandNew(NFT);
+
+ if ((virFirewallTransactionGetFlags(firewall) &
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) &&
+ fwCmd->argsLen > 1) {
+ /* skip any leading options to get to command verb */
+ for (i = 0; i < fwCmd->argsLen - 1; i++) {
+ if (fwCmd->args[i][0] != '-')
+ break;
+ }
+
+ if (i + 1 < fwCmd->argsLen &&
+ VIR_NFTABLES_ARG_IS_CREATE(fwCmd->args[i])) {
+
+ cmdIdx = i;
+ objectType = fwCmd->args[i + 1];
+
+ /* we currently only handle auto-rollback for rules,
+ * chains, and tables, and those all can be "rolled
+ * back" by a delete command using the handle that is
+ * returned when "-ae" is added to the add/insert
+ * command.
+ */
+ if (STREQ_NULLABLE(objectType, "rule") ||
+ STREQ_NULLABLE(objectType, "chain") ||
+ STREQ_NULLABLE(objectType, "table")) {
+
+ needRollback = true;
+ /* this option to nft instructs it to add the
+ * "handle" of the created object to stdout
+ */
+ virCommandAddArg(cmd, "-ae");
+ }
+ }
+ }
+
+ for (i = 0; i < fwCmd->argsLen; i++)
+ virCommandAddArg(cmd, fwCmd->args[i]);
+
+ cmdStr = virCommandToString(cmd, false);
+ VIR_INFO("Applying '%s'", NULLSTR(cmdStr));
+
+ virCommandSetOutputBuffer(cmd, output);
+ virCommandSetErrorBuffer(cmd, &error);
+
+ if (virCommandRun(cmd, &status) < 0)
+ return -1;
+
+ if (status != 0) {
+ if (STREQ_NULLABLE(fwCmd->args[0], "list")) {
+ /* nft returns error status when the target of a "list"
+ * command doesn't exist, but we always want to just have
+ * an empty result, so this is not actually an error.
+ */
+ } else if (fwCmd->ignoreErrors) {
+ VIR_DEBUG("Ignoring error running command");
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to apply firewall command '%1$s':
%2$s"),
+ NULLSTR(cmdStr), NULLSTR(error));
+ VIR_FREE(*output);
+ return -1;
+ }
+
+ /* there was an error, so we won't be building any rollback command,
+ * but the error should be ignored, so we return success
+ */
+ return 0;
+ }
+
+ if (needRollback) {
+ virFirewallCmd *rollback = virFirewallAddRollbackCmd(firewall, fwCmd->layer,
NULL);
+ const char *handleStart = NULL;
+ size_t handleLen = 0;
+ g_autofree char *handleStr = NULL;
+ g_autofree char *rollbackStr = NULL;
+
+ /* Search for "# handle n" in stdout of the nft add command -
+ * that is the handle of the table/rule/chain that will later
+ * need to be deleted.
+ */
+
+ if ((handleStart = strstr(*output, "# handle "))) {
+ handleStart += 9; /* move past "# handle " */
+ handleLen = strspn(handleStart, "0123456789");
+ }
+
+ if (!handleLen) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("couldn't register rollback command - command
'%1$s' had no valid handle in output ('%2$s')"),
+ NULLSTR(cmdStr), NULLSTR(*output));
+ return -1;
+ }
+
+ handleStr = g_strdup_printf("%.*s", (int)handleLen, handleStart);
+
+ /* The rollback command is created from the original command like this:
+ *
+ * 1) skip any leading options
+ * 2) replace add/insert with delete
+ * 3) keep the type of item being added (rule/chain/table)
+ * 4) keep the class (ip/ip6/inet)
+ * 5) for chain/rule, keep the table name
+ * 6) for rule, keep the chain name
+ * 7) add "handle n" where "n" is parsed from the
+ * stdout of the original nft command
+ */
+ virFirewallCmdAddArgList(firewall, rollback, "delete", objectType,
+ fwCmd->args[cmdIdx + 2], /* ip/ip6/inet */
+ NULL);
+
+ if (STREQ_NULLABLE(objectType, "rule") ||
+ STREQ_NULLABLE(objectType, "chain")) {
+ /* include table name in command */
+ virFirewallCmdAddArg(firewall, rollback, fwCmd->args[cmdIdx + 3]);
+ }
+
+ if (STREQ_NULLABLE(objectType, "rule")) {
+ /* include chain name in command */
+ virFirewallCmdAddArg(firewall, rollback, fwCmd->args[cmdIdx + 4]);
+ }
+
+ virFirewallCmdAddArgList(firewall, rollback, "handle", handleStr,
NULL);
+
+ rollbackStr = virFirewallCmdToString(NFT, rollback);
+ VIR_DEBUG("Recording Rollback command '%s'",
NULLSTR(rollbackStr));
+ }
+ return 0;
+}
+
+
static int
virFirewallApplyCmd(virFirewall *firewall,
virFirewallCmd *fwCmd)
@@ -666,8 +814,23 @@ virFirewallApplyCmd(virFirewall *firewall,
return -1;
}
- if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0)
+ switch (virFirewallGetBackend(firewall)) {
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ if (virFirewallCmdIptablesApply(firewall, fwCmd, &output) < 0)
+ return -1;
+ break;
+
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ if (virFirewallCmdNftablesApply(firewall, fwCmd, &output) < 0)
+ return -1;
+ break;
+
+ case VIR_FIREWALL_BACKEND_LAST:
+ default:
+ virReportEnumRangeError(virFirewallBackend,
+ virFirewallGetBackend(firewall));
return -1;
+ }
if (fwCmd->queryCB && output) {
if (!(lines = g_strsplit(output, "\n", -1)))
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 4ac16f02b3..302a6a4e5b 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -29,6 +29,7 @@
#define EBTABLES "ebtables"
#define IPTABLES "iptables"
#define IP6TABLES "ip6tables"
+#define NFT "nft"
typedef struct _virFirewall virFirewall;
@@ -44,6 +45,7 @@ typedef enum {
typedef enum {
VIR_FIREWALL_BACKEND_IPTABLES,
+ VIR_FIREWALL_BACKEND_NFTABLES,
VIR_FIREWALL_BACKEND_LAST,
} virFirewallBackend;
--
2.45.0
2:40 p.m.
New subject: [PATCH v5 24/30] network: add an nftables backend for network
driver's firewall construction
On 5/17/24 1:30 PM, Laine Stump wrote:
+ virFirewallAddCmd(fw, layer, "insert",
"rule",
+ nftablesLayerTypeToString(layer),
+ VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_X_CHAIN,
+ "iifname", iface,
+ "oifname", iface,
+ "counter", "accept",
+ NULL);
I just found out that if we use "iif" and "oif" rather than
"iifname"
and "oifname", the runtime operation will be a direct comparison if the
ifindex (stored with the packet data) rather than a string comparison
with the interface name (which needs to be separately retrieved).
The only potential downside would be in the case that an interface was
deleted and then re-added - it would have a new ifindex, and the ifindex
in the rule is determined when the rule is installed, so the new ifindex
would never match. In our case this would never happen though, since all
the rules for a network are recreating (possibly multiple times just
after the bridge device is created, then deleted when the bridge device
is deleted.
I've tried this, and everything works fine. Should I squash that change
into this patch, or make a separate patch with the change so that this
patch remains (nearly) identical to what is produced by
iptables-restore-translate on the old iptables rules?
9:44 a.m.
New subject: [PATCH v5 24/30] network: add an nftables backend for network
driver's firewall construction
On Tue, May 21, 2024 at 03:40:54PM -0400, Laine Stump wrote:
On 5/17/24 1:30 PM, Laine Stump wrote:
> + virFirewallAddCmd(fw, layer, "insert", "rule",
> + nftablesLayerTypeToString(layer),
> + VIR_NFTABLES_PRIVATE_TABLE,
> + VIR_NFTABLES_FWD_X_CHAIN,
> + "iifname", iface,
> + "oifname", iface,
> + "counter", "accept",
> + NULL);
I just found out that if we use "iif" and "oif" rather than
"iifname" and
"oifname", the runtime operation will be a direct comparison if the ifindex
(stored with the packet data) rather than a string comparison with the
interface name (which needs to be separately retrieved).
Right, that's one of the valuable benefits of NFT avoiding the O(n)
performance degradation we have with ipt
The only potential downside would be in the case that an interface
was
deleted and then re-added - it would have a new ifindex, and the ifindex in
the rule is determined when the rule is installed, so the new ifindex would
never match. In our case this would never happen though, since all the rules
for a network are recreating (possibly multiple times just after the bridge
device is created, then deleted when the bridge device is deleted.
So, you're saying that nft doesn't have something that automatically
purges the rules when an indexed interface is deleted ?
I've tried this, and everything works fine. Should I squash that change into
this patch, or make a separate patch with the change so that this patch
remains (nearly) identical to what is produced by iptables-restore-translate
on the old iptables rules?
Lets just do it as a followup. Since you now record the historical rules,
we should "do the right thing" in upgrades, so we don't need to be perfect
first time out.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
10:38 a.m.
New subject: [PATCH v5 24/30] network: add an nftables backend for network
driver's firewall construction
On 5/22/24 10:44 AM, Daniel P. Berrangé wrote:
On Tue, May 21, 2024 at 03:40:54PM -0400, Laine Stump wrote:
> On 5/17/24 1:30 PM, Laine Stump wrote:
>> + virFirewallAddCmd(fw, layer, "insert", "rule",
>> + nftablesLayerTypeToString(layer),
>> + VIR_NFTABLES_PRIVATE_TABLE,
>> + VIR_NFTABLES_FWD_X_CHAIN,
>> + "iifname", iface,
>> + "oifname", iface,
>> + "counter", "accept",
>> + NULL);
>
> I just found out that if we use "iif" and "oif" rather than
"iifname" and
> "oifname", the runtime operation will be a direct comparison if the
ifindex
> (stored with the packet data) rather than a string comparison with the
> interface name (which needs to be separately retrieved).
Right, that's one of the valuable benefits of NFT avoiding the O(n)
performance degradation we have with ipt
> The only potential downside would be in the case that an interface was
> deleted and then re-added - it would have a new ifindex, and the ifindex in
> the rule is determined when the rule is installed, so the new ifindex would
> never match. In our case this would never happen though, since all the rules
> for a network are recreating (possibly multiple times just after the bridge
> device is created, then deleted when the bridge device is deleted.
So, you're saying that nft doesn't have something that automatically
purges the rules when an indexed interface is deleted ?
I haven't tried that, but according to the article I referenced, the
rules aren't deleted, but if you list a rule that references an ifindex
for an interface that has been deleted, it will show the ifindex itself
rather than the interface name:
https://serverfault.com/questions/985158/what-is-the-difference-between-i...
>
> I've tried this, and everything works fine. Should I squash that change into
> this patch, or make a separate patch with the change so that this patch
> remains (nearly) identical to what is produced by iptables-restore-translate
> on the old iptables rules?
Lets just do it as a followup. Since you now record the historical rules,
we should "do the right thing" in upgrades, so we don't need to be perfect
first time out.
Okay, I'll send the patch as a 31/30 so it's grouped in the same series
in the archives.
9:45 a.m.
New subject: [PATCH v5 24/30] network: add an nftables backend for network
driver's firewall construction
On Fri, May 17, 2024 at 01:30:01PM -0400, Laine Stump wrote:
Support using nftables to setup the firewall for each virtual
network,
rather than iptables. The initial implementation of the nftables
backend creates (almost) exactly the same ruleset as the iptables
backend, determined by running the following commands on a host that
has an active virtual network:
iptables-save >iptables.txt
iptables-restore-translate -f iptables.txt
(and the similar ip6tables-save/ip6tables-restore-translate for an
IPv6 network). Correctness of the new backend was checked by comparing
the output of:
nft list ruleset
when the backend is set to iptables and when it is set to nftables.
This page was used as a guide:
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to...
The only differences between the rules created by the nftables backed
vs. the iptables backend (aside from a few inconsequential changes in
display order of some chains/options) are:
1) When we add nftables rules, rather than adding them in the
system-created "filter" and "nat" tables, we add them in a private
table (ie only we should be using it) created by us called "libvirt"
(the system-created "filter" and "nat" tables can't be used
because
adding any rules to those tables directly with nft will cause failure
of any legacy application attempting to use iptables when it tries to
list the iptables rules (e.g. "iptables -S").
(NB: in nftables only a single table is required for both nat and
filter rules - the chains for each are differentiated by specifying
different "hook" locations for the toplevel chain of each)
2) Since the rules that were added to allow tftp/dns/dhcp traffic from
the guests to the host are unnecessary in the context of nftables,
those rules aren't added.
(Longer explanation: In the case of iptables, all rules were in a
single table, and it was always assumed that there would be some
"catch-all" REJECT rule added by "someone else" in the case that a
packet didn't match any specific rules, so libvirt added these
specific rules to ensure that, no matter what other rules were added
by any other subsystem, the guests would still have functional
tftp/dns/dhcp. For nftables though, the rules added by each subsystem
are in a separate table, and in order for traffic to be accepted, it
must be accepted by *all* tables, so just adding the specific rules to
libvirt's table doesn't help anything (as the default for the libvirt
table is ACCEPT anyway) and it just isn't practical/possible for
libvirt to find *all* other tables and add rules in all of them to
make sure the traffic is accepted. libvirt does this for firewalld (it
creates a "libvirt" zone that allows tftp/dns/dhcp, and adds all
virtual network bridges to that zone), however, so in that case no
extra work is required of the sysadmin.)
3) nftables doesn't support the "checksum mangle" rule (or any
equivalent functionality) that we have historically added to our
iptables rules, so the nftables rules we add have nothing related to
checksum mangling.
(NB: The result of (3) is that if you a) have a very old guest (RHEL5
era or earlier) and b) that guest is using a virtio-net network
device, and c) the virtio-net device is using vhost packet processing
(the default) then DHCP on the guest will fail. You can work around
this by adding <driver name='qemu'/> to the <interface> XML for the
guest).
There are certainly much better nftables rulesets that could be used
instead of those implemented here, and everything is in place to make
future changes to the rules that are used simple and free of surprises
(e.g. the rules that are added have coresponding "removal" commands
added to the network status so that we will always remove exactly the
rules that were previously added rather than trying to remove the
rules that "the current build of libvirt would have added" (which will
be incorrect the first time we run a libvirt with a newly modified
ruleset). For this initial implementation though, I wanted the
nftables rules to be as identical to the iptables rules as possible,
just to make it easier to verify that everything is working.
The backend can be manually chosen using the firewall_backend setting
in /etc/libvirt/network.conf. libvirtd/virtnetworkd will read this
setting when it starts; if there is no explicit setting, it will check
for availability of FIREWALL_BACKEND_DEFAULT_1 and then
FIREWALL_BACKEND_DEFAULT_2 (which are set at build time in
meson_options.txt or by adding -Dfirewall_backend_default_n=blah to
the meson commandline), and use the first backend that is available
(ie, that has the necessary programs installed). The standard
meson_options.txt is set to check for nftables first, and then
iptables.
Although it should be very safe to change the default backend from
iptables to nftables, that change is left for a later patch, to show
how the change in default can be undone if someone really needs to do
that.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
meson.build | 5 +
meson_options.txt | 1 +
po/POTFILES | 1 +
src/network/bridge_driver_conf.c | 11 +-
src/network/bridge_driver_linux.c | 17 +-
src/network/meson.build | 1 +
src/network/network.conf.in | 21 +-
src/network/network_nftables.c | 940 ++++++++++++++++++++++++++++++
src/network/network_nftables.h | 28 +
src/util/virfirewall.c | 167 +++++-
src/util/virfirewall.h | 2 +
11 files changed, 1188 insertions(+), 6 deletions(-)
create mode 100644 src/network/network_nftables.c
create mode 100644 src/network/network_nftables.h
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
And for that matter
Tested-by: Daniel P. Berrangé <berrange(a)redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:30 p.m.
New subject: [PATCH v5 25/30] tests: test cases for nftables backend
Run all the networkxml2firewall tests twice - once with iptables
backend, and once with the nftables backend.
The results files for the existing iptables tests were previously
named *.args. That has been changed to *.iptables, and the results
files for the new nftables tests are named *.nftables.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 ++++++++++
...-linux.args => nat-default-linux.iptables} | 0
.../nat-default-linux.nftables | 248 +++++++++
...pv6-linux.args => nat-ipv6-linux.iptables} | 0
.../nat-ipv6-linux.nftables | 384 ++++++++++++++
...rgs => nat-ipv6-masquerade-linux.iptables} | 0
.../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++
...linux.args => nat-many-ips-linux.iptables} | 0
.../nat-many-ips-linux.nftables | 472 ++++++++++++++++++
...-linux.args => nat-no-dhcp-linux.iptables} | 0
.../nat-no-dhcp-linux.nftables | 384 ++++++++++++++
...ftp-linux.args => nat-tftp-linux.iptables} | 0
.../nat-tftp-linux.nftables | 274 ++++++++++
...inux.args => route-default-linux.iptables} | 0
.../route-default-linux.nftables | 162 ++++++
tests/networkxml2firewalltest.c | 56 ++-
17 files changed, 2678 insertions(+), 14 deletions(-)
rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/base.nftables
rename tests/networkxml2firewalldata/{nat-default-linux.args =>
nat-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables}
(100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =>
nat-ipv6-masquerade-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =>
nat-many-ips-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =>
nat-no-dhcp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables}
(100%)
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
rename tests/networkxml2firewalldata/{route-default-linux.args =>
route-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables
diff --git a/tests/networkxml2firewalldata/base.args
b/tests/networkxml2firewalldata/base.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/base.args
rename to tests/networkxml2firewalldata/base.iptables
diff --git a/tests/networkxml2firewalldata/base.nftables
b/tests/networkxml2firewalldata/base.nftables
new file mode 100644
index 0000000000..4f1f475a85
--- /dev/null
+++ b/tests/networkxml2firewalldata/base.nftables
@@ -0,0 +1,256 @@
+nft \
+list \
+table \
+ip \
+libvirt
+nft \
+add \
+table \
+ip \
+libvirt
+nft \
+add \
+chain \
+ip \
+libvirt \
+INPUT \
+'{ type filter hook input priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+FORWARD \
+'{ type filter hook forward priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+OUTPUT \
+'{ type filter hook output priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_INP
+nft \
+insert \
+rule \
+ip \
+libvirt \
+INPUT \
+counter \
+jump \
+LIBVIRT_INP
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_OUT
+nft \
+insert \
+rule \
+ip \
+libvirt \
+OUTPUT \
+counter \
+jump \
+LIBVIRT_OUT
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWO
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWO
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWI
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWI
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWX
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWX
+nft \
+add \
+chain \
+ip \
+libvirt \
+POSTROUTING \
+'{ type nat hook postrouting priority 100; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_PRT
+nft \
+insert \
+rule \
+ip \
+libvirt \
+POSTROUTING \
+counter \
+jump \
+LIBVIRT_PRT
+nft \
+list \
+table \
+ip6 \
+libvirt
+nft \
+add \
+table \
+ip6 \
+libvirt
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+INPUT \
+'{ type filter hook input priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+FORWARD \
+'{ type filter hook forward priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+OUTPUT \
+'{ type filter hook output priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_INP
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+INPUT \
+counter \
+jump \
+LIBVIRT_INP
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_OUT
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+OUTPUT \
+counter \
+jump \
+LIBVIRT_OUT
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWO
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWO
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWI
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWI
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWX
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWX
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+POSTROUTING \
+'{ type nat hook postrouting priority 100; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_PRT
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+POSTROUTING \
+counter \
+jump \
+LIBVIRT_PRT
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-default-linux.args
rename to tests/networkxml2firewalldata/nat-default-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
new file mode 100644
index 0000000000..2dafe078a1
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -0,0 +1,248 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-ipv6-linux.args
rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
new file mode 100644
index 0000000000..63d4d8e2a5
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -0,0 +1,384 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oifname \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
new file mode 100644
index 0000000000..e6d5dea661
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -0,0 +1,456 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+ff02::/16 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-many-ips-linux.args
rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
new file mode 100644
index 0000000000..e636916c7e
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -0,0 +1,472 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.128.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.150.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.150.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args
rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
new file mode 100644
index 0000000000..63d4d8e2a5
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -0,0 +1,384 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oifname \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/nat-tftp-linux.args
rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
new file mode 100644
index 0000000000..bb0598d011
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -0,0 +1,274 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+69 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+69 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.iptables
similarity index 100%
rename from tests/networkxml2firewalldata/route-default-linux.args
rename to tests/networkxml2firewalldata/route-default-linux.iptables
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
new file mode 100644
index 0000000000..834f6366ae
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -0,0 +1,162 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+ip \
+daddr \
+192.168.122.0/24 \
+oifname \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 082979e5dc..4cabe39d1d 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -79,13 +79,21 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED,
void *opaque G_GNUC_UNUSED)
{
*status = 0;
- *output = g_strdup("");
+ /* if arg[1] is -ae then this is an nft command,
+ * and the caller requested to get the handle
+ * of the newly added object in stdout
+ */
+ if (STREQ_NULLABLE(args[1], "-ae"))
+ *output = g_strdup("# handle 5309");
+ else
+ *output = g_strdup("");
*error = g_strdup("");
}
static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline,
- const char *baseargs)
+ const char *baseargs,
+ virFirewallBackend backend)
{
g_autofree char *actualargv = NULL;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
@@ -98,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
return -1;
- if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0)
+ if (networkAddFirewallRules(def, backend, NULL) < 0)
return -1;
actual = actualargv = virBufferContentAndReset(&buf);
@@ -119,6 +127,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
struct testInfo {
const char *name;
const char *baseargs;
+ virFirewallBackend backend;
};
@@ -132,10 +141,11 @@ testCompareXMLToIPTablesHelper(const void *data)
xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml",
abs_srcdir, info->name);
- args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args",
- abs_srcdir, info->name, RULESTYPE);
+ args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s",
+ abs_srcdir, info->name, RULESTYPE,
+ virFirewallBackendTypeToString(info->backend));
- result = testCompareXMLToArgvFiles(xml, args, info->baseargs);
+ result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend);
return result;
}
@@ -145,24 +155,42 @@ static int
mymain(void)
{
int ret = 0;
- g_autofree char *basefile = NULL;
- g_autofree char *baseargs = NULL;
+ g_autofree char *basefileIptables = NULL;
+ g_autofree char *basefileNftables = NULL;
+ g_autofree char *baseargsIptables = NULL;
+ g_autofree char *baseargsNftables = NULL;
+ const char *baseargs[VIR_FIREWALL_BACKEND_LAST];
-# define DO_TEST(name) \
+# define DO_TEST_FOR_BACKEND(name, backend) \
do { \
struct testInfo info = { \
- name, baseargs, \
+ name, baseargs[backend], backend \
}; \
- if (virTestRun("Network XML-2-iptables " name, \
- testCompareXMLToIPTablesHelper, &info) < 0) \
+ g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \
+ virFirewallBackendTypeToString(backend),
\
+ name); \
+ if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \
ret = -1; \
} while (0)
- basefile = g_strdup_printf("%s/networkxml2firewalldata/base.args",
abs_srcdir);
+# define DO_TEST(name) \
+ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \
+ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES);
- if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0)
+
+ basefileIptables =
g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir);
+ if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0)
return EXIT_FAILURE;
+ baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables;
+
+ basefileNftables =
g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir);
+ if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0)
+ return EXIT_FAILURE;
+
+ baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables;
+
+
DO_TEST("nat-default");
DO_TEST("nat-tftp");
DO_TEST("nat-many-ips");
--
2.45.0
12:30 p.m.
New subject: [PATCH v5 26/30] network: prefer the nftables backend over iptables
The patch that added the nftables backend for virtual networks left
iptables as the default backend when both nftables and iptables are
installed.
The only functional difference between the two backends is that the
nftables backend doesn't add any rules to fix up the checksum of DHCP
packets, which will cause failures on guests with very old OSes
(e.g. RHEL5) that have a virtio-net network interface using vhost
packet processing (the default), connected to a libvirt virtual
network, and configured to acquire the interface IP using DHCP. Since
RHEL5 has been out of support for several years already, we might as
well start off nftables support right by making it the default.
Distros that aren't quite ready to default to nftables (e.g. maybe
they're rebasing libvirt within a release and don't want to surprise
anyone with an automatic switch from iptables to nftables) can simply
run meson with "-Dfirewall_backend=iptables" during their official
package build.
In the extremely unlikely case that this causes a problem for a user,
they can work around the failure by adding "<driver name='qemu'/> to
the guest <interface> element.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
meson_options.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meson_options.txt b/meson_options.txt
index cd2b9acc79..ad354a8668 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -115,8 +115,8 @@ option('dtrace', type: 'feature', value:
'auto', description: 'use dtrace for st
option('firewalld', type: 'feature', value: 'auto', description:
'firewalld support')
# dep:firewalld
option('firewalld_zone', type: 'feature', value: 'auto',
description: 'whether to install firewalld libvirt zone')
-option('firewall_backend_default_1', type: 'string', value:
'iptables', description: 'first firewall backend to try when none is
specified')
-option('firewall_backend_default_2', type: 'string', value:
'nftables', description: 'second firewall backend to try when none is
specified (and first is unavailable)')
+option('firewall_backend_default_1', type: 'string', value:
'nftables', description: 'first firewall backend to try when none is
specified')
+option('firewall_backend_default_2', type: 'string', value:
'iptables', description: 'second firewall backend to try when none is
specified (and first is unavailable)')
option('host_validate', type: 'feature', value: 'auto',
description: 'build virt-host-validate')
option('init_script', type: 'combo', choices: ['systemd',
'openrc', 'check', 'none'], value: 'check', description:
'Style of init script to install')
option('loader_nvram', type: 'string', value: '', description:
'Pass list of pairs of <loader>:<nvram> paths. Both pairs and list items
are separated by a colon.')
--
2.45.0
9:45 a.m.
New subject: [PATCH v5 26/30] network: prefer the nftables backend over
iptables
On Fri, May 17, 2024 at 01:30:03PM -0400, Laine Stump wrote:
The patch that added the nftables backend for virtual networks left
iptables as the default backend when both nftables and iptables are
installed.
The only functional difference between the two backends is that the
nftables backend doesn't add any rules to fix up the checksum of DHCP
packets, which will cause failures on guests with very old OSes
(e.g. RHEL5) that have a virtio-net network interface using vhost
packet processing (the default), connected to a libvirt virtual
network, and configured to acquire the interface IP using DHCP. Since
RHEL5 has been out of support for several years already, we might as
well start off nftables support right by making it the default.
Distros that aren't quite ready to default to nftables (e.g. maybe
they're rebasing libvirt within a release and don't want to surprise
anyone with an automatic switch from iptables to nftables) can simply
run meson with "-Dfirewall_backend=iptables" during their official
package build.
In the extremely unlikely case that this causes a problem for a user,
they can work around the failure by adding "<driver name='qemu'/> to
the guest <interface> element.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
meson_options.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:30 p.m.
New subject: [PATCH v5 27/30] spec: require nftables rather than iptables for newer RHEL/Fedora
It will still be possible to install iptables and use the iptables
backend, but we'll be showing a greater preference for nftables, which
is the proper thing to be doing.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index fce312c8ab..6fb223c74a 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -592,7 +592,11 @@ Summary: Network driver plugin for the libvirtd daemon
Requires: libvirt-daemon-common = %{version}-%{release}
Requires: libvirt-libs = %{version}-%{release}
Requires: dnsmasq >= 2.41
+ %if 0%{?rhel} >= 10 || 0%{?fedora} >= 41
+Requires: nftables
+ %else
Requires: iptables
+ %endif
%description daemon-driver-network
The network driver plugin for the libvirtd daemon, providing
--
2.45.0
12:30 p.m.
New subject: [PATCH v5 28/30] network: name the nftables table "libvirt_network" rather than "libvirt"
This way when we implement nftables for the nwfilter driver, we can
create a separate table called "libvirt_nwfilter" and everything will
look all symmetrical and stuff.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_nftables.c | 2 +-
.../nat-default-linux.nftables | 36 +++++-----
.../nat-ipv6-linux.nftables | 58 ++++++++--------
.../nat-ipv6-masquerade-linux.nftables | 66 +++++++++----------
.../nat-many-ips-linux.nftables | 64 +++++++++---------
.../nat-no-dhcp-linux.nftables | 58 ++++++++--------
.../nat-tftp-linux.nftables | 40 +++++------
.../route-default-linux.nftables | 26 ++++----
8 files changed, 175 insertions(+), 175 deletions(-)
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index c8cee98df5..ec9194a8b8 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -53,7 +53,7 @@ VIR_LOG_INIT("network.nftables");
* the iptables-compat
*/
-#define VIR_NFTABLES_PRIVATE_TABLE "libvirt"
+#define VIR_NFTABLES_PRIVATE_TABLE "libvirt_network"
/* nftables backend uses the same binary (nft) for all layers, but
* IPv4 and IPv6 have their rules in separate classes of tables,
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 2dafe078a1..92b3dd7fc0 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -2,7 +2,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -15,7 +15,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -28,7 +28,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -41,7 +41,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -54,7 +54,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -67,7 +67,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -80,7 +80,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -93,7 +93,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -106,7 +106,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -116,7 +116,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -126,7 +126,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -138,7 +138,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -151,7 +151,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -167,7 +167,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -182,7 +182,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -202,7 +202,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -222,7 +222,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -236,7 +236,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 63d4d8e2a5..f8317415cf 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -2,7 +2,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -15,7 +15,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -28,7 +28,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -41,7 +41,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -54,7 +54,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -67,7 +67,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -80,7 +80,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -93,7 +93,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -106,7 +106,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -116,7 +116,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -126,7 +126,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -138,7 +138,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -148,7 +148,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -158,7 +158,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -170,7 +170,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -183,7 +183,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -196,7 +196,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -209,7 +209,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -222,7 +222,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -235,7 +235,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -248,7 +248,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -261,7 +261,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -277,7 +277,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -292,7 +292,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -312,7 +312,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -332,7 +332,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -346,7 +346,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -360,7 +360,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip6 \
saddr \
@@ -373,7 +373,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
ip6 \
daddr \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index e6d5dea661..a15b38478b 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -2,7 +2,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -15,7 +15,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -28,7 +28,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -41,7 +41,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -54,7 +54,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -67,7 +67,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -80,7 +80,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -93,7 +93,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -106,7 +106,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -116,7 +116,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -126,7 +126,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -138,7 +138,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -148,7 +148,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -158,7 +158,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -170,7 +170,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -183,7 +183,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -196,7 +196,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -209,7 +209,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -222,7 +222,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -235,7 +235,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -248,7 +248,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -261,7 +261,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -277,7 +277,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -292,7 +292,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -312,7 +312,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -332,7 +332,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -346,7 +346,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -360,7 +360,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip6 \
saddr \
@@ -373,7 +373,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -389,7 +389,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip6 \
saddr \
@@ -404,7 +404,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -424,7 +424,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -444,7 +444,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip6 \
saddr \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index e636916c7e..bd88ec9d83 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -2,7 +2,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -15,7 +15,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -28,7 +28,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -41,7 +41,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -54,7 +54,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -67,7 +67,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -80,7 +80,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -93,7 +93,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -106,7 +106,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -116,7 +116,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -126,7 +126,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -138,7 +138,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -151,7 +151,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -167,7 +167,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -182,7 +182,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -202,7 +202,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -222,7 +222,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -236,7 +236,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -250,7 +250,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -263,7 +263,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -279,7 +279,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -294,7 +294,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -314,7 +314,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -334,7 +334,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -348,7 +348,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -362,7 +362,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -375,7 +375,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -391,7 +391,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -406,7 +406,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -426,7 +426,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -446,7 +446,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -460,7 +460,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 63d4d8e2a5..f8317415cf 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -2,7 +2,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -15,7 +15,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -28,7 +28,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -41,7 +41,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -54,7 +54,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -67,7 +67,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -80,7 +80,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -93,7 +93,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -106,7 +106,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -116,7 +116,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -126,7 +126,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -138,7 +138,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -148,7 +148,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -158,7 +158,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -170,7 +170,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -183,7 +183,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -196,7 +196,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -209,7 +209,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -222,7 +222,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -235,7 +235,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -248,7 +248,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -261,7 +261,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -277,7 +277,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -292,7 +292,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -312,7 +312,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -332,7 +332,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -346,7 +346,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -360,7 +360,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip6 \
saddr \
@@ -373,7 +373,7 @@ nft \
-ae insert \
rule \
ip6 \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
ip6 \
daddr \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index bb0598d011..a25935b831 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -2,7 +2,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -15,7 +15,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -28,7 +28,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -41,7 +41,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -54,7 +54,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -67,7 +67,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -80,7 +80,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -93,7 +93,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -106,7 +106,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -119,7 +119,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -132,7 +132,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -142,7 +142,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -152,7 +152,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -164,7 +164,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -177,7 +177,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -193,7 +193,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -208,7 +208,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -228,7 +228,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
meta \
l4proto \
@@ -248,7 +248,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
@@ -262,7 +262,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_PRT \
ip \
saddr \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
index 834f6366ae..2337d50baf 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -2,7 +2,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -15,7 +15,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -28,7 +28,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -41,7 +41,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -54,7 +54,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -67,7 +67,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_INP \
iifname \
virbr0 \
@@ -80,7 +80,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -93,7 +93,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_OUT \
oifname \
virbr0 \
@@ -106,7 +106,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
iifname \
virbr0 \
@@ -116,7 +116,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
oifname \
virbr0 \
@@ -126,7 +126,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWX \
iifname \
virbr0 \
@@ -138,7 +138,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWO \
ip \
saddr \
@@ -151,7 +151,7 @@ nft \
-ae insert \
rule \
ip \
-libvirt \
+libvirt_network \
LIBVIRT_FWI \
ip \
daddr \
--
2.45.0
12:30 p.m.
New subject: [PATCH v5 29/30] network: rename chains used by network driver nftables backend
Because the chains added by the network driver nftables backend will
go into a table used only by libvirt, we don't need to have "libvirt"
in the chain names. Instead, we can make them more descriptive and
less abrasive (by using lower case, and using full words rather than
abbreviations).
Also (again because nobody else is using the private "libvirt_network"
table) we can directly put our rules into the input ("guest_to_host"),
output ("host_to_guest"), and postrouting ("guest_nat") chains rather
than creating a subordinate chain as done in the iptables backend.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_nftables.c | 30 ++++-----
.../nat-default-linux.nftables | 36 +++++-----
.../nat-ipv6-linux.nftables | 58 ++++++++--------
.../nat-ipv6-masquerade-linux.nftables | 66 +++++++++----------
.../nat-many-ips-linux.nftables | 64 +++++++++---------
.../nat-no-dhcp-linux.nftables | 58 ++++++++--------
.../nat-tftp-linux.nftables | 40 +++++------
.../route-default-linux.nftables | 26 ++++----
8 files changed, 188 insertions(+), 190 deletions(-)
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index ec9194a8b8..12a2d4c6ad 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -40,12 +40,13 @@ VIR_LOG_INIT("network.nftables");
#define VIR_FROM_THIS VIR_FROM_NONE
-#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP"
-#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
-#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
-#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
-#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
-#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
+#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
+#define VIR_NFTABLES_FORWARD_CHAIN "forward"
+#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input"
+#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
+#define VIR_NFTABLES_FWD_X_CHAIN "guest_cross"
+#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat"
/* we must avoid using the standard "filter" table as used by
* iptables, as any subsequent attempts to use iptables commands will
@@ -87,18 +88,15 @@ typedef struct {
nftablesGlobalChain nftablesChains[] = {
/* chains for filter rules */
- {NULL, "INPUT", "{ type filter hook input priority 0; policy accept;
}"},
- {NULL, "FORWARD", "{ type filter hook forward priority 0; policy
accept; }"},
- {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept;
}"},
- {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL},
- {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL},
- {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
- {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
- {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL},
+ {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy
accept; }"},
+ {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0;
policy accept; }"},
+ {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy
accept; }"},
+ {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
+ {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL},
+ {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL},
/* chains for NAT rules */
- {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100;
policy accept; }"},
- {"POSTROUTING", VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL},
+ {NULL, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, "{ type nat hook postrouting priority
100; policy accept; }"},
};
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 92b3dd7fc0..8b6e0ba406 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -168,7 +168,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -183,7 +183,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -203,7 +203,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -223,7 +223,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -237,7 +237,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index f8317415cf..03fb7397cd 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -149,7 +149,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -159,7 +159,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -171,7 +171,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -184,7 +184,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -197,7 +197,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -210,7 +210,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -223,7 +223,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -236,7 +236,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -278,7 +278,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -313,7 +313,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -333,7 +333,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index a15b38478b..012a3d5d47 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -149,7 +149,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -159,7 +159,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -171,7 +171,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -184,7 +184,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -197,7 +197,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -210,7 +210,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -223,7 +223,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -236,7 +236,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -278,7 +278,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -313,7 +313,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -333,7 +333,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip6 \
@@ -390,7 +390,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -405,7 +405,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -425,7 +425,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -445,7 +445,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index bd88ec9d83..029274ea06 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -168,7 +168,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -183,7 +183,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -203,7 +203,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -223,7 +223,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -237,7 +237,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -251,7 +251,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.128.0/24 \
@@ -264,7 +264,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -280,7 +280,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.128.0/24 \
@@ -295,7 +295,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -315,7 +315,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -335,7 +335,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.128.0/24 \
@@ -349,7 +349,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.128.0/24 \
@@ -363,7 +363,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.150.0/24 \
@@ -376,7 +376,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -392,7 +392,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.150.0/24 \
@@ -407,7 +407,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -427,7 +427,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -447,7 +447,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.150.0/24 \
@@ -461,7 +461,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.150.0/24 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index f8317415cf..03fb7397cd 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -149,7 +149,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -159,7 +159,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -171,7 +171,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -184,7 +184,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -197,7 +197,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -210,7 +210,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -223,7 +223,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -236,7 +236,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -278,7 +278,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -313,7 +313,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -333,7 +333,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
rule \
ip6 \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index a25935b831..dd84468ad6 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -120,7 +120,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -133,7 +133,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -143,7 +143,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -153,7 +153,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -165,7 +165,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -178,7 +178,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
ip \
@@ -194,7 +194,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -209,7 +209,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
udp \
@@ -229,7 +229,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
meta \
l4proto \
tcp \
@@ -249,7 +249,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
@@ -263,7 +263,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
ip \
saddr \
192.168.122.0/24 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
index 2337d50baf..c1cc8f05b1 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -3,7 +3,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -16,7 +16,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -29,7 +29,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -42,7 +42,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -55,7 +55,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
tcp \
@@ -68,7 +68,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
iifname \
virbr0 \
udp \
@@ -81,7 +81,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
tcp \
@@ -94,7 +94,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
oifname \
virbr0 \
udp \
@@ -107,7 +107,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
iifname \
virbr0 \
counter \
@@ -117,7 +117,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
oifname \
virbr0 \
counter \
@@ -127,7 +127,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
iifname \
virbr0 \
oifname \
@@ -139,7 +139,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWO \
+guest_output \
ip \
saddr \
192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
rule \
ip \
libvirt_network \
-LIBVIRT_FWI \
+guest_input \
ip \
daddr \
192.168.122.0/24 \
--
2.45.0
12:30 p.m.
New subject: [PATCH v5 30/30] network: eliminate pointless host input/output rules from nftables backend
The iptables backend (which was used as the model for the nftables
backend) used the same "filter" and "nat" tables used by other
services on the system (e.g. firewalld or any other host firewall
management application), so it was possible that one of those other
services would be blocking DNS, DHCP, or TFTP from guests to the host;
we added our own rules at the beginning of the chain to allow this
traffic no matter if someone else rejected it later.
But with nftables, each service uses their own table, and all traffic
must be acepted by all tables no matter what - it's not possible for
us to just insert a higher priority/earlier rule that will override
some reject rule put in by, e.g., firewalld. Instead the firewalld (or
other) table must be setup by that service to allow the traffic. That,
along with the fact that our table is already "accept by default",
makes it possible to eliminate the individual accept rules for DHCP,
DNS, and TFTP. And once those rules are eliminated, there is no longer
any need for the guest_to_host or host_to_guest tables.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_nftables.c | 36 +++-
.../nat-default-linux.nftables | 104 ----------
.../nat-ipv6-linux.nftables | 182 ------------------
.../nat-ipv6-masquerade-linux.nftables | 182 ------------------
.../nat-many-ips-linux.nftables | 104 ----------
.../nat-no-dhcp-linux.nftables | 182 ------------------
.../nat-tftp-linux.nftables | 130 -------------
.../route-default-linux.nftables | 104 ----------
8 files changed, 33 insertions(+), 991 deletions(-)
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index 12a2d4c6ad..f3824ece99 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -40,8 +40,12 @@ VIR_LOG_INIT("network.nftables");
#define VIR_FROM_THIS VIR_FROM_NONE
-#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
-#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+/* The input and output tables aren't currently used */
+# define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
+# define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
+#endif
+
#define VIR_NFTABLES_FORWARD_CHAIN "forward"
#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input"
#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
@@ -88,9 +92,14 @@ typedef struct {
nftablesGlobalChain nftablesChains[] = {
/* chains for filter rules */
+
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+ /* nothing is being added to these chains now, so they are effective NOPs */
{NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy
accept; }"},
- {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0;
policy accept; }"},
{NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy
accept; }"},
+#endif
+
+ {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0;
policy accept; }"},
{VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
{VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL},
{VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL},
@@ -209,6 +218,11 @@ nftablesSetupPrivateChains(virFirewallLayer layer)
}
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+/* currently these functions aren't used, but they remain in the
+ * source (uncompiled) as examples of adding specific rules to permit
+ * input/output of packets. in case the need arises in the future
+ */
static void
nftablesAddInput(virFirewall *fw,
virFirewallLayer layer,
@@ -315,6 +329,9 @@ nftablesAddUdpOutput(virFirewall *fw,
}
+#endif
+
+
/**
* nftablesAddForwardAllowOut:
*
@@ -801,6 +818,14 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw,
break;
}
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+ /* These rules copied from the iptables backend, have been removed
+ * from the nftab because they are redundant since we are using our own
+ * table that is default accept; there are no other users that
+ * could add a reject rule that we would need to / be able to
+ * override with these rules
+ */
+
/* allow DHCP requests through to dnsmasq & back out */
nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
@@ -818,6 +843,7 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw,
nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
}
+#endif
/* Catch all rules to block forwarding to/from bridges */
nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
@@ -849,6 +875,9 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw,
/* Allow traffic between guests on the same bridge */
nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+ /* see the note above in nftablesAddGeneralIPv4FirewallRules */
+
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
/* allow DNS over IPv6 & back out */
nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
@@ -859,6 +888,7 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw,
nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
}
+#endif
}
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 8b6e0ba406..298a83d088 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 03fb7397cd..615bb4e144 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
@@ -169,84 +65,6 @@ accept
nft \
-ae insert \
rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-547 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-546 \
-counter \
-accept
-nft \
--ae insert \
-rule \
ip \
libvirt_network \
guest_output \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index 012a3d5d47..27817d8a68 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
@@ -169,84 +65,6 @@ accept
nft \
-ae insert \
rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-547 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-546 \
-counter \
-accept
-nft \
--ae insert \
-rule \
ip \
libvirt_network \
guest_output \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index 029274ea06..3ab6286d2c 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 03fb7397cd..615bb4e144 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
@@ -169,84 +65,6 @@ accept
nft \
-ae insert \
rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-547 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-546 \
-counter \
-accept
-nft \
--ae insert \
-rule \
ip \
libvirt_network \
guest_output \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index dd84468ad6..298a83d088 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -3,136 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-69 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-69 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
index c1cc8f05b1..09a32f0949 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
--
2.45.0
4:39 a.m.
New subject: [PATCH v5 00/30] native support for nftables in virtual network
driver
On Fri, May 17, 2024 at 01:29:37PM -0400, Laine Stump wrote:
V4:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HX...
V3:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HO...
V2:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5R...
This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).
For some reason this series fails to apply, could you post a gitlab
link for the branch.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
10:57 a.m.
New subject: [PATCH v5 00/30] native support for nftables in virtual network
driver
On 5/20/24 5:39 AM, Daniel P. Berrangé wrote:
On Fri, May 17, 2024 at 01:29:37PM -0400, Laine Stump wrote:
> V4:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HX...
> V3:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HO...
> V2:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5R...
>
> This patch series enables libvirt to use nftables rules rather than
> iptables *when setting up virtual networks* (it does *not* add
> nftables support to the nwfilter driver).
For some reason this series fails to apply, could you post a gitlab
link for the branch.
I should have expected that :-/
https://gitlab.com/lainestump/libvirt/tree/nftrereboot-7
which again reminds me that I haven't run CI on the branch since V4!
10:13 p.m.
New subject: [PATCH v5 31/30] network: use iif/oif instead of iifname/oifname in nftables rules
iifname/oifname need to lookup the string that contains the name of
the interface each time a packet is checked, while iif/oif compare the
ifindex of the interface, which is included directly in the
packet. Conveniently, the rule is created using the *name* of the
interface (which gets converted to ifindex as the rule is added), so
no extra work is required other than changing the commandline option.
If it was the case that the interface could be deleted and re-added
during the life of the rule, we would have to use Xifname (since
deleting and re-adding the interface would result in ifindex
changing), but for our uses this never happens, so Xif works for us,
and undoubtedly improves performance by at least 0.0000001%.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/network/network_nftables.c | 28 +++++++++----------
.../nat-default-linux.nftables | 12 ++++----
.../nat-ipv6-linux.nftables | 24 ++++++++--------
.../nat-ipv6-masquerade-linux.nftables | 24 ++++++++--------
.../nat-many-ips-linux.nftables | 20 ++++++-------
.../nat-no-dhcp-linux.nftables | 24 ++++++++--------
.../nat-tftp-linux.nftables | 12 ++++----
.../route-default-linux.nftables | 12 ++++----
8 files changed, 78 insertions(+), 78 deletions(-)
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index f3824ece99..59ab231a06 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -236,7 +236,7 @@ nftablesAddInput(virFirewall *fw,
virFirewallAddCmd(fw, layer, "insert", "rule",
layerStr, VIR_NFTABLES_PRIVATE_TABLE,
VIR_NFTABLES_INPUT_CHAIN,
- "iifname", iface,
+ "iif", iface,
tcp ? "tcp" : "udp",
"dport", portstr,
"counter", "accept",
@@ -257,7 +257,7 @@ nftablesAddOutput(virFirewall *fw,
virFirewallAddCmd(fw, layer, "insert", "rule",
layerStr, VIR_NFTABLES_PRIVATE_TABLE,
VIR_NFTABLES_OUTPUT_CHAIN,
- "oifname", iface,
+ "oif", iface,
tcp ? "tcp" : "udp",
"dport", portstr,
"counter", "accept",
@@ -359,10 +359,10 @@ nftablesAddForwardAllowOut(virFirewall *fw,
layerStr, VIR_NFTABLES_PRIVATE_TABLE,
VIR_NFTABLES_FWD_OUT_CHAIN,
layerStr, "saddr", networkstr,
- "iifname", iface, NULL);
+ "iif", iface, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL);
@@ -398,9 +398,9 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw,
VIR_NFTABLES_FWD_IN_CHAIN, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
- virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+ virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
layerStr, "daddr", networkstr,
"ct", "state",
"related,established",
"counter", "accept", NULL);
@@ -437,9 +437,9 @@ nftablesAddForwardAllowIn(virFirewall *fw,
layerStr, "daddr", networkstr, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
- virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+ virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
"counter", "accept", NULL);
return 0;
}
@@ -461,8 +461,8 @@ nftablesAddForwardAllowCross(virFirewall *fw,
nftablesLayerTypeToString(layer),
VIR_NFTABLES_PRIVATE_TABLE,
VIR_NFTABLES_FWD_X_CHAIN,
- "iifname", iface,
- "oifname", iface,
+ "iif", iface,
+ "oif", iface,
"counter", "accept",
NULL);
}
@@ -485,7 +485,7 @@ nftablesAddForwardRejectOut(virFirewall *fw,
nftablesLayerTypeToString(layer),
VIR_NFTABLES_PRIVATE_TABLE,
VIR_NFTABLES_FWD_OUT_CHAIN,
- "iifname", iface,
+ "iif", iface,
"counter", "reject",
NULL);
}
@@ -508,7 +508,7 @@ nftablesAddForwardRejectIn(virFirewall *fw,
nftablesLayerTypeToString(layer),
VIR_NFTABLES_PRIVATE_TABLE,
VIR_NFTABLES_FWD_IN_CHAIN,
- "oifname", iface,
+ "oif", iface,
"counter", "reject",
NULL);
}
@@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw,
layerStr, "daddr", "!=", networkstr,
NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
if (protocol && protocol[0]) {
if (port->start == 0 && port->end == 0) {
@@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw,
VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
if (physdev && physdev[0])
- virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
virFirewallCmdAddArgList(fw, fwCmd,
layerStr, "saddr", networkstr,
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 298a83d088..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
ip \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -14,7 +14,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -24,9 +24,9 @@ rule \
ip \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -39,7 +39,7 @@ guest_output \
ip \
saddr \
192.168.122.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -49,7 +49,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 615bb4e144..d8a9ba706d 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -4,7 +4,7 @@ rule \
ip \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -14,7 +14,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -24,9 +24,9 @@ rule \
ip \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -36,7 +36,7 @@ rule \
ip6 \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -46,7 +46,7 @@ rule \
ip6 \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -56,9 +56,9 @@ rule \
ip6 \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -71,7 +71,7 @@ guest_output \
ip \
saddr \
192.168.122.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -81,7 +81,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
@@ -183,7 +183,7 @@ guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -196,7 +196,7 @@ guest_input \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
-oifname \
+oif \
virbr0 \
counter \
accept
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index 27817d8a68..a7f09cda59 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -4,7 +4,7 @@ rule \
ip \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -14,7 +14,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -24,9 +24,9 @@ rule \
ip \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -36,7 +36,7 @@ rule \
ip6 \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -46,7 +46,7 @@ rule \
ip6 \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -56,9 +56,9 @@ rule \
ip6 \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -71,7 +71,7 @@ guest_output \
ip \
saddr \
192.168.122.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -81,7 +81,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
@@ -183,7 +183,7 @@ guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -193,7 +193,7 @@ rule \
ip6 \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip6 \
daddr \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index 3ab6286d2c..b826fe6134 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -4,7 +4,7 @@ rule \
ip \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -14,7 +14,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -24,9 +24,9 @@ rule \
ip \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -39,7 +39,7 @@ guest_output \
ip \
saddr \
192.168.122.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -49,7 +49,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
@@ -151,7 +151,7 @@ guest_output \
ip \
saddr \
192.168.128.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -161,7 +161,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
@@ -263,7 +263,7 @@ guest_output \
ip \
saddr \
192.168.150.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -273,7 +273,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 615bb4e144..d8a9ba706d 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -4,7 +4,7 @@ rule \
ip \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -14,7 +14,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -24,9 +24,9 @@ rule \
ip \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -36,7 +36,7 @@ rule \
ip6 \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -46,7 +46,7 @@ rule \
ip6 \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -56,9 +56,9 @@ rule \
ip6 \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -71,7 +71,7 @@ guest_output \
ip \
saddr \
192.168.122.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -81,7 +81,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
@@ -183,7 +183,7 @@ guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -196,7 +196,7 @@ guest_input \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
-oifname \
+oif \
virbr0 \
counter \
accept
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index 298a83d088..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -4,7 +4,7 @@ rule \
ip \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -14,7 +14,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -24,9 +24,9 @@ rule \
ip \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -39,7 +39,7 @@ guest_output \
ip \
saddr \
192.168.122.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -49,7 +49,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
ip \
daddr \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
index 09a32f0949..282c9542a5 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
ip \
libvirt_network \
guest_output \
-iifname \
+iif \
virbr0 \
counter \
reject
@@ -14,7 +14,7 @@ rule \
ip \
libvirt_network \
guest_input \
-oifname \
+oif \
virbr0 \
counter \
reject
@@ -24,9 +24,9 @@ rule \
ip \
libvirt_network \
guest_cross \
-iifname \
+iif \
virbr0 \
-oifname \
+oif \
virbr0 \
counter \
accept
@@ -39,7 +39,7 @@ guest_output \
ip \
saddr \
192.168.122.0/24 \
-iifname \
+iif \
virbr0 \
counter \
accept
@@ -52,7 +52,7 @@ guest_input \
ip \
daddr \
192.168.122.0/24 \
-oifname \
+oif \
virbr0 \
counter \
accept
--
2.45.0
4:56 p.m.
New subject: [PATCH v5 31/30] network: use iif/oif instead of iifname/oifname
in nftables rules
On Wed, May 22, 2024 at 23:13:33 -0400, Laine Stump wrote:
iifname/oifname need to lookup the string that contains the name of
the interface each time a packet is checked, while iif/oif compare the
ifindex of the interface, which is included directly in the
packet. Conveniently, the rule is created using the *name* of the
interface (which gets converted to ifindex as the rule is added), so
no extra work is required other than changing the commandline option.
If it was the case that the interface could be deleted and re-added
during the life of the rule, we would have to use Xifname (since
deleting and re-adding the interface would result in ifindex
changing), but for our uses this never happens, so Xif works for us,
and undoubtedly improves performance by at least 0.0000001%.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/network/network_nftables.c | 28 +++++++++----------
.../nat-default-linux.nftables | 12 ++++----
.../nat-ipv6-linux.nftables | 24 ++++++++--------
.../nat-ipv6-masquerade-linux.nftables | 24 ++++++++--------
.../nat-many-ips-linux.nftables | 20 ++++++-------
.../nat-no-dhcp-linux.nftables | 24 ++++++++--------
.../nat-tftp-linux.nftables | 12 ++++----
.../route-default-linux.nftables | 12 ++++----
8 files changed, 78 insertions(+), 78 deletions(-)
Reviewed-by: Jiri Denemark <jdenemar(a)redhat.com>
179
days inactive
189
days old
46 comments
3 participants
participants (3)
-
Daniel P. Berrangé -
Jiri Denemark -
Laine Stump