Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/network/network_iptables.c | 51 +++++++++++++++++++---------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 8d32d30980..45907dd2da 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -39,6 +39,13 @@ VIR_LOG_INIT("network.iptables");
#define VIR_FROM_THIS VIR_FROM_NONE
+#define VIR_IPTABLES_INPUT_CHAIN "LIBVIRT_INP"
+#define VIR_IPTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
+#define VIR_IPTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
+#define VIR_IPTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
+#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
+#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+
enum {
VIR_NETFILTER_INSERT = 0,
VIR_NETFILTER_DELETE
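Review bot: The six new chain-name macros land without a comment saying which built-in chain each private chain is paired with, so a reader has to jump to iptablesSetupPrivateChains() to learn that INP/OUT/FWI/FWO/FWX are registered against INPUT/OUTPUT/FORWARD in the filter table and PRT against POSTROUTING. A short block comment above the group would carry that, e.g. `/* libvirt's private iptables chains; see iptablesSetupPrivateChains() for the built-in chain each is hooked into (INP/OUT/FWI/FWO/FWX: filter table, PRT: POSTROUTING in the nat and mangle tables). */`. The mangle mention matters because elsewhere in this patch the PRT macro is used on a `"--table", "mangle"` rule as well as on nat rules, which its NAT_ prefix does not suggest.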
@@ -115,14 +122,14 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
{
g_autoptr(virFirewall) fw = virFirewallNew();
iptablesGlobalChain filter_chains[] = {
- {"INPUT", "LIBVIRT_INP"},
- {"OUTPUT", "LIBVIRT_OUT"},
- {"FORWARD", "LIBVIRT_FWO"},
- {"FORWARD", "LIBVIRT_FWI"},
- {"FORWARD", "LIBVIRT_FWX"},
+ {"INPUT", VIR_IPTABLES_INPUT_CHAIN},
+ {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_OUT_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_IN_CHAIN},
+ {"FORWARD", VIR_IPTABLES_FWD_X_CHAIN},
};
iptablesGlobalChain natmangle_chains[] = {
- {"POSTROUTING", "LIBVIRT_PRT"},
+ {"POSTROUTING", VIR_IPTABLES_NAT_POSTROUTE_CHAIN},
};
bool changed = false;
iptablesGlobalChainData data[] = {
@@ -170,7 +177,7 @@ iptablesInput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_INP",
+ VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -191,7 +198,7 @@ iptablesOutput(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_OUT",
+ VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -366,7 +373,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -376,7 +383,7 @@ iptablesForwardAllowOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -456,7 +463,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -468,7 +475,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -548,7 +555,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -558,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -623,7 +630,7 @@ iptablesForwardAllowCross(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWX",
+ VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -677,7 +684,7 @@ iptablesForwardRejectOut(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWO",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -729,7 +736,7 @@ iptablesForwardRejectIn(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_FWI",
+ VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -811,7 +818,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -820,7 +827,7 @@ iptablesForwardMasquerade(virFirewall *fw,
rule = virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -947,7 +954,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -957,7 +964,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -1029,7 +1036,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
action == VIR_NETFILTER_INSERT ? "--insert" :
"--delete",
- "LIBVIRT_PRT",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
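Review bot: VIR_IPTABLES_NAT_POSTROUTE_CHAIN is substituted here on a rule whose table is `"--table", "mangle"` (the line just above the replaced one), so the macro name now asserts "nat" on a rule that is not in the nat table; the old literal "LIBVIRT_PRT" did not carry that mismatch. The natmangle_chains array in iptablesSetupPrivateChains() suggests the same chain is created in both tables, so a name without the table in it, `#define VIR_IPTABLES_POSTROUTE_CHAIN "LIBVIRT_PRT"`, or a comment at the definition noting it is shared by nat and mangle, would stop the next reader from assuming this rule belongs in the nat table. iptablesOutputFixUdpChecksum() begins before this hunk and continues after it.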
--
2.44.0