Monday, 1 May
2023
11:19 a.m.
These toplevel functions have no iptables-specific code, except that
they each call a lower-level internal function that *is* iptables
specific. In preparation for supporting the use of either iptables or
nftables, rename these functions from iptablesXXX to virNetfilterXXX.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/libvirt_private.syms | 48 +++---
src/network/bridge_driver_linux.c | 124 +++++++-------
src/util/viriptables.c | 260 +++++++++++++++---------------
src/util/viriptables.h | 96 +++++------
4 files changed, 264 insertions(+), 264 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 73cccf38a1..9f3868bbac 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2547,33 +2547,33 @@ virInitctlSetRunLevel;
# util/viriptables.h
-iptablesAddDontMasquerade;
-iptablesAddForwardAllowCross;
-iptablesAddForwardAllowIn;
-iptablesAddForwardAllowOut;
-iptablesAddForwardAllowRelatedIn;
-iptablesAddForwardMasquerade;
-iptablesAddForwardRejectIn;
-iptablesAddForwardRejectOut;
iptablesAddOutputFixUdpChecksum;
-iptablesAddTcpInput;
-iptablesAddTcpOutput;
-iptablesAddUdpInput;
-iptablesAddUdpOutput;
-iptablesRemoveDontMasquerade;
-iptablesRemoveForwardAllowCross;
-iptablesRemoveForwardAllowIn;
-iptablesRemoveForwardAllowOut;
-iptablesRemoveForwardAllowRelatedIn;
-iptablesRemoveForwardMasquerade;
-iptablesRemoveForwardRejectIn;
-iptablesRemoveForwardRejectOut;
iptablesRemoveOutputFixUdpChecksum;
-iptablesRemoveTcpInput;
-iptablesRemoveTcpOutput;
-iptablesRemoveUdpInput;
-iptablesRemoveUdpOutput;
iptablesSetupPrivateChains;
+virNetfilterAddDontMasquerade;
+virNetfilterAddForwardAllowCross;
+virNetfilterAddForwardAllowIn;
+virNetfilterAddForwardAllowOut;
+virNetfilterAddForwardAllowRelatedIn;
+virNetfilterAddForwardMasquerade;
+virNetfilterAddForwardRejectIn;
+virNetfilterAddForwardRejectOut;
+virNetfilterAddTcpInput;
+virNetfilterAddTcpOutput;
+virNetfilterAddUdpInput;
+virNetfilterAddUdpOutput;
+virNetfilterRemoveDontMasquerade;
+virNetfilterRemoveForwardAllowCross;
+virNetfilterRemoveForwardAllowIn;
+virNetfilterRemoveForwardAllowOut;
+virNetfilterRemoveForwardAllowRelatedIn;
+virNetfilterRemoveForwardMasquerade;
+virNetfilterRemoveForwardRejectIn;
+virNetfilterRemoveForwardRejectOut;
+virNetfilterRemoveTcpInput;
+virNetfilterRemoveTcpOutput;
+virNetfilterRemoveUdpInput;
+virNetfilterRemoveUdpOutput;
# util/viriscsi.h
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 1ef5b9d917..da7d78a40a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -322,7 +322,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
}
/* allow forwarding packets from the bridge interface */
- if (iptablesAddForwardAllowOut(fw,
+ if (virNetfilterAddForwardAllowOut(fw,
&ipdef->address,
prefix,
def->bridge,
@@ -332,7 +332,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
/* allow forwarding packets to the bridge interface if they are
* part of an existing connection
*/
- if (iptablesAddForwardAllowRelatedIn(fw,
+ if (virNetfilterAddForwardAllowRelatedIn(fw,
&ipdef->address,
prefix,
def->bridge,
@@ -372,7 +372,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
*/
/* First the generic masquerade rule for other protocols */
- if (iptablesAddForwardMasquerade(fw,
+ if (virNetfilterAddForwardMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -382,7 +382,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
return -1;
/* UDP with a source port restriction */
- if (iptablesAddForwardMasquerade(fw,
+ if (virNetfilterAddForwardMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -392,7 +392,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
return -1;
/* TCP with a source port restriction */
- if (iptablesAddForwardMasquerade(fw,
+ if (virNetfilterAddForwardMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -403,7 +403,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
/* exempt local network broadcast address as destination */
if (isIPv4 &&
- iptablesAddDontMasquerade(fw,
+ virNetfilterAddDontMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -411,7 +411,7 @@ networkAddMasqueradingFirewallRules(virFirewall *fw,
return -1;
/* exempt local multicast range as destination */
- if (iptablesAddDontMasquerade(fw,
+ if (virNetfilterAddDontMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -434,7 +434,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
if (prefix < 0)
return 0;
- if (iptablesRemoveDontMasquerade(fw,
+ if (virNetfilterRemoveDontMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -443,14 +443,14 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
return -1;
if (isIPv4 &&
- iptablesRemoveDontMasquerade(fw,
+ virNetfilterRemoveDontMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
networkLocalBroadcast) < 0)
return -1;
- if (iptablesRemoveForwardMasquerade(fw,
+ if (virNetfilterRemoveForwardMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -459,7 +459,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
"tcp") < 0)
return -1;
- if (iptablesRemoveForwardMasquerade(fw,
+ if (virNetfilterRemoveForwardMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -468,7 +468,7 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
"udp") < 0)
return -1;
- if (iptablesRemoveForwardMasquerade(fw,
+ if (virNetfilterRemoveForwardMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -477,14 +477,14 @@ networkRemoveMasqueradingFirewallRules(virFirewall *fw,
NULL) < 0)
return -1;
- if (iptablesRemoveForwardAllowRelatedIn(fw,
+ if (virNetfilterRemoveForwardAllowRelatedIn(fw,
&ipdef->address,
prefix,
def->bridge,
forwardIf) < 0)
return -1;
- if (iptablesRemoveForwardAllowOut(fw,
+ if (virNetfilterRemoveForwardAllowOut(fw,
&ipdef->address,
prefix,
def->bridge,
@@ -511,7 +511,7 @@ networkAddRoutingFirewallRules(virFirewall *fw,
}
/* allow routing packets from the bridge interface */
- if (iptablesAddForwardAllowOut(fw,
+ if (virNetfilterAddForwardAllowOut(fw,
&ipdef->address,
prefix,
def->bridge,
@@ -519,7 +519,7 @@ networkAddRoutingFirewallRules(virFirewall *fw,
return -1;
/* allow routing packets to the bridge interface */
- if (iptablesAddForwardAllowIn(fw,
+ if (virNetfilterAddForwardAllowIn(fw,
&ipdef->address,
prefix,
def->bridge,
@@ -541,14 +541,14 @@ networkRemoveRoutingFirewallRules(virFirewall *fw,
if (prefix < 0)
return 0;
- if (iptablesRemoveForwardAllowIn(fw,
+ if (virNetfilterRemoveForwardAllowIn(fw,
&ipdef->address,
prefix,
def->bridge,
forwardIf) < 0)
return -1;
- if (iptablesRemoveForwardAllowOut(fw,
+ if (virNetfilterRemoveForwardAllowOut(fw,
&ipdef->address,
prefix,
def->bridge,
@@ -576,29 +576,29 @@ networkAddGeneralIPv4FirewallRules(virFirewall *fw,
}
/* allow DHCP requests through to dnsmasq & back out */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
- iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
/* allow DNS requests through to dnsmasq & back out */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
/* allow TFTP requests through to dnsmasq if necessary & back out */
if (ipv4def && ipv4def->tftproot) {
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
}
/* Catch all rules to block forwarding to/from bridges */
- iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
- iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ virNetfilterAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
/* Allow traffic between guests on the same bridge */
- iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
}
static void
@@ -615,24 +615,24 @@ networkRemoveGeneralIPv4FirewallRules(virFirewall *fw,
break;
}
- iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
- iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
- iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
+ virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
}
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
- iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
}
@@ -651,21 +651,21 @@ networkAddGeneralIPv6FirewallRules(virFirewall *fw,
}
/* Catch all rules to block forwarding to/from bridges */
- iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
- iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ virNetfilterAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ virNetfilterAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
/* Allow traffic between guests on the same bridge */
- iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ virNetfilterAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
/* allow DNS over IPv6 & back out */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
/* allow DHCPv6 & back out */
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
+ virNetfilterAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ virNetfilterAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
}
}
@@ -679,20 +679,20 @@ networkRemoveGeneralIPv6FirewallRules(virFirewall *fw,
}
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
+ virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ virNetfilterRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ virNetfilterRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
}
/* the following rules are there if no IPv6 address has been defined
* but def->ipv6nogw == true
*/
- iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
- iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
- iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ virNetfilterRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ virNetfilterRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ virNetfilterRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
}
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 018021bc1b..8db5bb3e4b 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -198,7 +198,7 @@ iptablesOutput(virFirewall *fw,
}
/**
- * iptablesAddTcpInput:
+ * virNetfilterAddTcpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the TCP port to add
@@ -207,16 +207,16 @@ iptablesOutput(virFirewall *fw,
* the given @iface interface for TCP packets
*/
void
-iptablesAddTcpInput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterAddTcpInput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
}
/**
- * iptablesRemoveTcpInput:
+ * virNetfilterRemoveTcpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the TCP port to remove
@@ -225,16 +225,16 @@ iptablesAddTcpInput(virFirewall *fw,
* @port on the given @iface interface for TCP packets
*/
void
-iptablesRemoveTcpInput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterRemoveTcpInput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
}
/**
- * iptablesAddUdpInput:
+ * virNetfilterAddUdpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to add
@@ -243,16 +243,16 @@ iptablesRemoveTcpInput(virFirewall *fw,
* the given @iface interface for UDP packets
*/
void
-iptablesAddUdpInput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterAddUdpInput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
}
/**
- * iptablesRemoveUdpInput:
+ * virNetfilterRemoveUdpInput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to remove
@@ -261,16 +261,16 @@ iptablesAddUdpInput(virFirewall *fw,
* @port on the given @iface interface for UDP packets
*/
void
-iptablesRemoveUdpInput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterRemoveUdpInput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
}
/**
- * iptablesAddTcpOutput:
+ * virNetfilterAddTcpOutput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the TCP port to add
@@ -279,16 +279,16 @@ iptablesRemoveUdpInput(virFirewall *fw,
* the given @iface interface for TCP packets
*/
void
-iptablesAddTcpOutput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterAddTcpOutput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
}
/**
- * iptablesRemoveTcpOutput:
+ * virNetfilterRemoveTcpOutput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to remove
@@ -297,16 +297,16 @@ iptablesAddTcpOutput(virFirewall *fw,
* @port from the given @iface interface for TCP packets
*/
void
-iptablesRemoveTcpOutput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterRemoveTcpOutput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
}
/**
- * iptablesAddUdpOutput:
+ * virNetfilterAddUdpOutput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to add
@@ -315,16 +315,16 @@ iptablesRemoveTcpOutput(virFirewall *fw,
* the given @iface interface for UDP packets
*/
void
-iptablesAddUdpOutput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterAddUdpOutput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
}
/**
- * iptablesRemoveUdpOutput:
+ * virNetfilterRemoveUdpOutput:
* @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to remove
@@ -333,10 +333,10 @@ iptablesAddUdpOutput(virFirewall *fw,
* @port from the given @iface interface for UDP packets
*/
void
-iptablesRemoveUdpOutput(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface,
- int port)
+virNetfilterRemoveUdpOutput(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port)
{
iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
}
@@ -384,7 +384,7 @@ iptablesForwardAllowOut(virFirewall *fw,
}
/**
- * iptablesAddForwardAllowOut:
+ * virNetfilterAddForwardAllowOut:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the source interface name
@@ -397,18 +397,18 @@ iptablesForwardAllowOut(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowOut(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+virNetfilterAddForwardAllowOut(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
{
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
VIR_NETFILTER_INSERT);
}
/**
- * iptablesRemoveForwardAllowOut:
+ * virNetfilterRemoveForwardAllowOut:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the source interface name
@@ -421,11 +421,11 @@ iptablesAddForwardAllowOut(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowOut(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+virNetfilterRemoveForwardAllowOut(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
{
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
VIR_NETFILTER_DELETE);
@@ -478,7 +478,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
}
/**
- * iptablesAddForwardAllowRelatedIn:
+ * virNetfilterAddForwardAllowRelatedIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
@@ -491,18 +491,18 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowRelatedIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+virNetfilterAddForwardAllowRelatedIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
{
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
VIR_NETFILTER_INSERT);
}
/**
- * iptablesRemoveForwardAllowRelatedIn:
+ * virNetfilterRemoveForwardAllowRelatedIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
@@ -515,11 +515,11 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
{
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
VIR_NETFILTER_DELETE);
@@ -565,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw,
}
/**
- * iptablesAddForwardAllowIn:
+ * virNetfilterAddForwardAllowIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
@@ -578,18 +578,18 @@ iptablesForwardAllowIn(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+virNetfilterAddForwardAllowIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
{
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
VIR_NETFILTER_INSERT);
}
/**
- * iptablesRemoveForwardAllowIn:
+ * virNetfilterRemoveForwardAllowIn:
* @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
@@ -602,11 +602,11 @@ iptablesAddForwardAllowIn(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+virNetfilterRemoveForwardAllowIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
{
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
VIR_NETFILTER_DELETE);
@@ -629,7 +629,7 @@ iptablesForwardAllowCross(virFirewall *fw,
}
/**
- * iptablesAddForwardAllowCross:
+ * virNetfilterAddForwardAllowCross:
* @ctx: pointer to the IP table context
* @iface: the input/output interface name
*
@@ -640,15 +640,15 @@ iptablesForwardAllowCross(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
void
-iptablesAddForwardAllowCross(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface)
+virNetfilterAddForwardAllowCross(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
{
iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT);
}
/**
- * iptablesRemoveForwardAllowCross:
+ * virNetfilterRemoveForwardAllowCross:
* @ctx: pointer to the IP table context
* @iface: the input/output interface name
*
@@ -659,9 +659,9 @@ iptablesAddForwardAllowCross(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
void
-iptablesRemoveForwardAllowCross(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface)
+virNetfilterRemoveForwardAllowCross(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
{
iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE);
}
@@ -682,7 +682,7 @@ iptablesForwardRejectOut(virFirewall *fw,
}
/**
- * iptablesAddForwardRejectOut:
+ * virNetfilterAddForwardRejectOut:
* @ctx: pointer to the IP table context
* @iface: the output interface name
*
@@ -692,15 +692,15 @@ iptablesForwardRejectOut(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
void
-iptablesAddForwardRejectOut(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface)
+virNetfilterAddForwardRejectOut(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
{
iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT);
}
/**
- * iptablesRemoveForwardRejectOut:
+ * virNetfilterRemoveForwardRejectOut:
* @ctx: pointer to the IP table context
* @iface: the output interface name
*
@@ -710,9 +710,9 @@ iptablesAddForwardRejectOut(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
void
-iptablesRemoveForwardRejectOut(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface)
+virNetfilterRemoveForwardRejectOut(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
{
iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE);
}
@@ -734,7 +734,7 @@ iptablesForwardRejectIn(virFirewall *fw,
}
/**
- * iptablesAddForwardRejectIn:
+ * virNetfilterAddForwardRejectIn:
* @ctx: pointer to the IP table context
* @iface: the input interface name
*
@@ -744,15 +744,15 @@ iptablesForwardRejectIn(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
void
-iptablesAddForwardRejectIn(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface)
+virNetfilterAddForwardRejectIn(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
{
iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT);
}
/**
- * iptablesRemoveForwardRejectIn:
+ * virNetfilterRemoveForwardRejectIn:
* @ctx: pointer to the IP table context
* @iface: the input interface name
*
@@ -762,9 +762,9 @@ iptablesAddForwardRejectIn(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
void
-iptablesRemoveForwardRejectIn(virFirewall *fw,
- virFirewallLayer layer,
- const char *iface)
+virNetfilterRemoveForwardRejectIn(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface)
{
iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE);
}
@@ -869,7 +869,7 @@ iptablesForwardMasquerade(virFirewall *fw,
}
/**
- * iptablesAddForwardMasquerade:
+ * virNetfilterAddForwardMasquerade:
* @ctx: pointer to the IP table context
* @network: the source network name
* @physdev: the physical input device or NULL
@@ -882,13 +882,13 @@ iptablesForwardMasquerade(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardMasquerade(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- virSocketAddrRange *addr,
- virPortRange *port,
- const char *protocol)
+virNetfilterAddForwardMasquerade(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ virSocketAddrRange *addr,
+ virPortRange *port,
+ const char *protocol)
{
return iptablesForwardMasquerade(fw, netaddr, prefix,
physdev, addr, port, protocol,
@@ -896,7 +896,7 @@ iptablesAddForwardMasquerade(virFirewall *fw,
}
/**
- * iptablesRemoveForwardMasquerade:
+ * virNetfilterRemoveForwardMasquerade:
* @ctx: pointer to the IP table context
* @network: the source network name
* @physdev: the physical input device or NULL
@@ -909,13 +909,13 @@ iptablesAddForwardMasquerade(virFirewall *fw,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardMasquerade(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- virSocketAddrRange *addr,
- virPortRange *port,
- const char *protocol)
+virNetfilterRemoveForwardMasquerade(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ virSocketAddrRange *addr,
+ virPortRange *port,
+ const char *protocol)
{
return iptablesForwardMasquerade(fw, netaddr, prefix,
physdev, addr, port, protocol,
@@ -965,7 +965,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
}
/**
- * iptablesAddDontMasquerade:
+ * virNetfilterAddDontMasquerade:
* @netaddr: the source network name
* @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr
* @physdev: the physical output device or NULL
@@ -973,24 +973,24 @@ iptablesForwardDontMasquerade(virFirewall *fw,
*
* Add rules to the IP table context to avoid masquerading from
* @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format
- * directly consumable by iptables, it must not depend on user input or
+ * directly consumable by iptables/nftables, it must not depend on user input or
* configuration.
*
* Returns 0 in case of success or an error code otherwise.
*/
int
-iptablesAddDontMasquerade(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- const char *destaddr)
+virNetfilterAddDontMasquerade(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ const char *destaddr)
{
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
physdev, destaddr, VIR_NETFILTER_INSERT);
}
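Review bot: The doc block for virNetfilterAddDontMasquerade still has no `@fw` entry even though the hunk rewrites its heading and the iptables/nftables wording, so the renamed function's first parameter stays undescribed; the same gap is in the virNetfilterRemoveDontMasquerade block in the next hunk. Adding `* @fw: the virFirewall the rule is added to` above `@netaddr` (wording to be confirmed against virfirewall.h) would keep the renamed API self-describing. The other doc blocks touched in this file (virNetfilterAddTcpInput onward) describe that same parameter as `@ctx: pointer to the IP table context`, which no longer matches the `fw` parameter, and the void ForwardAllowCross/ForwardReject wrappers still carry a `Returns 0 in case of success` line. The start of this doc comment lies outside the hunk.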
/**
- * iptablesRemoveDontMasquerade:
+ * virNetfilterRemoveDontMasquerade:
* @netaddr: the source network name
* @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr
* @physdev: the physical output device or NULL
@@ -998,17 +998,17 @@ iptablesAddDontMasquerade(virFirewall *fw,
*
* Remove rules from the IP table context that prevent masquerading from
* @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format
- * directly consumable by iptables, it must not depend on user input or
+ * directly consumable by iptables/nftables, it must not depend on user input or
* configuration.
*
* Returns 0 in case of success or an error code otherwise.
*/
int
-iptablesRemoveDontMasquerade(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- const char *destaddr)
+virNetfilterRemoveDontMasquerade(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ const char *destaddr)
{
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
physdev, destaddr,
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index bb13f3292d..610c4dccde 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -25,101 +25,101 @@
int iptablesSetupPrivateChains (virFirewallLayer layer);
-void iptablesAddTcpInput (virFirewall *fw,
+void virNetfilterAddTcpInput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-void iptablesRemoveTcpInput (virFirewall *fw,
+void virNetfilterRemoveTcpInput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-void iptablesAddUdpInput (virFirewall *fw,
+void virNetfilterAddUdpInput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-void iptablesRemoveUdpInput (virFirewall *fw,
+void virNetfilterRemoveUdpInput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-void iptablesAddTcpOutput (virFirewall *fw,
+void virNetfilterAddTcpOutput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-void iptablesRemoveTcpOutput (virFirewall *fw,
+void virNetfilterRemoveTcpOutput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-void iptablesAddUdpOutput (virFirewall *fw,
+void virNetfilterAddUdpOutput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-void iptablesRemoveUdpOutput (virFirewall *fw,
+void virNetfilterRemoveUdpOutput (virFirewall *fw,
virFirewallLayer layer,
const char *iface,
int port);
-int iptablesAddForwardAllowOut (virFirewall *fw,
+int virNetfilterAddForwardAllowOut (virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardAllowOut (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+int virNetfilterRemoveForwardAllowOut(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesAddForwardAllowRelatedIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+int virNetfilterAddForwardAllowRelatedIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev)
+int virNetfilterRemoveForwardAllowRelatedIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesAddForwardAllowIn (virFirewall *fw,
+int virNetfilterAddForwardAllowIn (virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardAllowIn (virFirewall *fw,
+int virNetfilterRemoveForwardAllowIn(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
G_GNUC_WARN_UNUSED_RESULT;
-void iptablesAddForwardAllowCross (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface);
-void iptablesRemoveForwardAllowCross (virFirewall *fw,
+void virNetfilterAddForwardAllowCross(virFirewall *fw,
virFirewallLayer layer,
const char *iface);
+void virNetfilterRemoveForwardAllowCross(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface);
-void iptablesAddForwardRejectOut (virFirewall *fw,
- virFirewallLayer layer,
- const char *iface);
-void iptablesRemoveForwardRejectOut (virFirewall *fw,
+void virNetfilterAddForwardRejectOut (virFirewall *fw,
virFirewallLayer layer,
const char *iface);
+void virNetfilterRemoveForwardRejectOut(virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface);
-void iptablesAddForwardRejectIn (virFirewall *fw,
+void virNetfilterAddForwardRejectIn (virFirewall *fw,
virFirewallLayer layer,
const char *iface);
-void iptablesRemoveForwardRejectIn (virFirewall *fw,
- virFirewallLayer layery,
- const char *iface);
+void virNetfilterRemoveForwardRejectIn(virFirewall *fw,
+ virFirewallLayer layery,
+ const char *iface);
-int iptablesAddForwardMasquerade (virFirewall *fw,
+int virNetfilterAddForwardMasquerade(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
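Review bot: The rewritten prototype of virNetfilterRemoveForwardRejectIn carries over the misspelt parameter name `virFirewallLayer layery,` from the old declaration; since the commit already replaces this line, it is the natural place to change it to `virFirewallLayer layer,` so it matches the sibling declarations in this header (and presumably the definition in viriptables.c — worth confirming). A parameter name in a prototype has no effect on generated code or on the rules that get installed, so this is purely a readability and grep-ability fix, but leaving it means the typo survives the rename that was meant to clean these declarations up.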
@@ -127,21 +127,21 @@ int iptablesAddForwardMasquerade (virFirewall *fw,
virPortRange *port,
const char *protocol)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveForwardMasquerade (virFirewall *fw,
- virSocketAddr *netaddr,
- unsigned int prefix,
- const char *physdev,
- virSocketAddrRange *addr,
- virPortRange *port,
- const char *protocol)
+int virNetfilterRemoveForwardMasquerade(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ virSocketAddrRange *addr,
+ virPortRange *port,
+ const char *protocol)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesAddDontMasquerade (virFirewall *fw,
+int virNetfilterAddDontMasquerade (virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
const char *destaddr)
G_GNUC_WARN_UNUSED_RESULT;
-int iptablesRemoveDontMasquerade (virFirewall *fw,
+int virNetfilterRemoveDontMasquerade(virFirewall *fw,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
--
2.39.2