[libvirt] [PATCH 0/7] Restructure firewall rules for virtual networks into private chains

The virtual networks in NAT mode are supposed to only allow outbound network access for guests. Unfortunately due to ordering of the firewall rules libvirt creates, when you have multiple virtual networks, guests on the more recently created virtual networks can connect to guests on old virtual networks. This was reported way back in 2008 but we always thought the fix would be very complicated to deal with, so we've been putting it off forever. In parallel with this there's also been a long standing desire since 2009 to move our firewall rules out of the builtin chains, to libvirt private chains. This is to make it easier for admins to use hook scripts to setup rules in the builtin chains that take priority over rules libvirt creates. In implementing the changes to use private chains, I suddenly realized that fixing the network to network traffic blocking problem was trivial if I grouped the forwarding rules into three distinct sets. So this series finally fixes an annoying 10 year old bug, and implements a 9 year old RFE. It may take us a while, but we'll get to your bugs eventually ;-) Daniel P. 
Berrangé (7): util: refactor iptables APIs to share more code util: add iptables API for creating base chains util: prepare iptables for putting rules into private chains network: setup default iptables chains util: switch over to creating rules in private chains tests: remove duplicated test case in networkxml2firewalltest tests: fix dry run handling in network firewall test src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 3 + src/util/viriptables.c | 317 ++++++++++++++---- src/util/viriptables.h | 2 + .../nat-default-linux.args | 150 ++++++++- .../nat-ipv6-linux.args | 166 +++++++-- .../nat-many-ips-linux.args | 178 ++++++++-- .../nat-no-dhcp-linux.args | 164 +++++++-- .../nat-tftp-linux.args | 152 ++++++++- .../route-default-linux.args | 140 +++++++- tests/networkxml2firewalltest.c | 17 +- 11 files changed, 1107 insertions(+), 183 deletions(-) -- 2.19.1

Most of the iptables APIs share code for the add/delete paths, but a couple were separated. Merge the remaining APIs to facilitate future changes. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/viriptables.c | 73 ++++++++++++++++++++++++------------------ 1 file changed, 42 insertions(+), 31 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 5dbea8cf57..f379844d28 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); } +static void +iptablesForwardAllowCross(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) +{ + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); +} + /** * iptablesAddForwardAllowCross: * @ctx: pointer to the IP table context @@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + iptablesForwardAllowCross(fw, layer, iface, ADD); } /** @@ -535,13 +544,21 @@ void iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, REMOVE); +} + +static void +iptablesForwardRejectOut(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) { virFirewallAddRule(fw, layer, "--table", "filter", - "--delete", "FORWARD", + action == ADD ? "--insert" : "delete", "FORWARD", "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", + "--jump", "REJECT", NULL); } 
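Review bot: The merged iptablesForwardRejectOut drops the `--` from its delete verb — `action == ADD ? "--insert" : "delete", "FORWARD",` — although the removed iptablesRemoveForwardRejectOut body it replaces passed `"--delete"`, and the other helpers introduced in this patch (iptablesForwardAllowCross, iptablesForwardRejectIn) still do. iptables does not accept `delete FORWARD ...` as a command, so every iptablesRemoveForwardRejectOut call now fails and the `--in-interface <iface> -j REJECT` rule is left behind on network teardown, to be joined by a fresh copy at the next start. The fix is `action == ADD ? "--insert" : "--delete", "FORWARD",`; if the networkxml2firewalltest fixtures only cover the ADD path (the .args names in the cover letter's diffstat suggest so, but that is not visible here), a REMOVE case would have caught this.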
@@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--in-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectOut(fw, layer, iface, ADD); } /** @@ -582,16 +594,25 @@ void iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, REMOVE); +} + + +static void +iptablesForwardRejectIn(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) { virFirewallAddRule(fw, layer, "--table", "filter", - "--delete", "FORWARD", - "--in-interface", iface, + action == ADD ? "--insert" : "--delete", "FORWARD", + "--out-interface", iface, "--jump", "REJECT", NULL); } - /** * iptablesAddForwardRejectIn: * @ctx: pointer to the IP table context @@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--out-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectIn(fw, layer, iface, ADD); } /** @@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--delete", "FORWARD", - "--out-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectIn(fw, layer, iface, REMOVE); } -- 2.19.1

On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Most of the iptables APIs share code for the add/delete paths, but a couple were separated. Merge the remaining APIs to facilitate future changes.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laine Stump <laine@laine.org>

Historically rules were added straight into the base chains. This works but it is inflexible for admins adding extra rules via hook scripts, and it is not clear which rules are libvirt created. There is a further complexity with the FORWARD chain where a specific ordering of rules is needed to ensure traffic is matched correctly. This would require complex interleaving of rules instead of plain appending. By splitting the FORWARD chain into three chains management will be simpler. Thus we create INPUT -> INP_libvirt OUTPUT -> OUT_libvirt FORWARD -> FWD_libvirt_cross FORWARD -> FWD_libvirt_in FORWARD -> FWD_libvirt_out POSTROUTING -> PRT_libvirt Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt_private.syms | 1 + src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++ src/util/viriptables.h | 2 + 3 files changed, 84 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 335210c31d..e42c946de6 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum; iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; +iptablesSetupPrivateChains; # util/viriscsi.h diff --git a/src/util/viriptables.c b/src/util/viriptables.c index f379844d28..4a7ea54b38 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -51,6 +51,87 @@ enum { }; + +typedef struct { + virFirewallLayer layer; + const char *table; + const char *parent; + const char *child; +} iptablesChain; + +static int +iptablesCheckPrivateChain(virFirewallPtr fw, + const char *const *lines, + void *opaque) +{ + iptablesChain *data = opaque; + bool found = false; + + while (lines && *lines && !found) { + if (STRPREFIX(*lines, data->child)) + found = true; + lines++; + } + + if (!found) + virFirewallAddRule(fw, data->layer, + "--table", data->table, + "--insert", data->parent, + "--jump", data->child, NULL); + + return 0; +} + + +int +iptablesSetupPrivateChains(void) +{ + virFirewallPtr fw; + int ret = -1; + iptablesChain chains[] = { + {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT", "INP_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT", "OUT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_out"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_in"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_cross"}, + {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING", "PRT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "INPUT", "INP_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "OUTPUT", "OUT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_out"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_in"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_cross"}, + {VIR_FIREWALL_LAYER_IPV6, "nat", "POSTROUTING", "PRT_libvirt"}, + }; + size_t i; + + fw = virFirewallNew(); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + + for (i = 0; i < ARRAY_CARDINALITY(chains); i++) { + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--new-chain", chains[i].child, NULL); + } + + virFirewallStartTransaction(fw, 0); + + for (i = 0; i < ARRAY_CARDINALITY(chains); i++) { + virFirewallAddRuleFull(fw, chains[i].layer, + false, iptablesCheckPrivateChain, + &chains[i], + "--table", 
chains[i].table, + "--list", chains[i].parent, NULL); + } + + if (virFirewallApply(fw) < 0) + goto cleanup; + + ret = 0; + cleanup: + return ret; +} + static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 9ea25fc096..1db97937a1 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -27,6 +27,8 @@ # include "virsocketaddr.h" # include "virfirewall.h" +int iptablesSetupPrivateChains (void); + void iptablesAddTcpInput (virFirewallPtr fw, virFirewallLayer layer, const char *iface, -- 2.19.1
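Review bot: iptablesCheckPrivateChain verifies only that a `--jump <child>` rule exists somewhere in the parent chain, not where it sits, while the three FORWARD entries in `chains[]` are each added with `--insert` (position 1) whenever their own jump happens to be missing. The cross → in → out order the commit message lists, and that the cover letter relies on to keep guests on one NAT network from reaching another, therefore only comes out right when all three jumps are absent together; if a prior partial run or an admin left FWD_libvirt_in and FWD_libvirt_cross in place but not FWD_libvirt_out, this code re-inserts FWD_libvirt_out at the top, ahead of the REJECT rules that later land in FWD_libvirt_in, and reports success. Treat the FORWARD jumps as a group: when any of the three is missing, delete whichever exist and re-insert all three in order, or have the callback check each jump's position relative to its siblings and return -1 on a mismatch instead of `return 0` unconditionally. A presence check is not an order check, and the order is the security property this series is adding.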

On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Historically rules were added straight into the base chains. This works but it is inflexible for admins adding extra rules via hook scripts, and it is not clear which rules are libvirt created.
There is a further complexity with the FORWARD chain where a specific ordering of rules is needed to ensure traffic is matched correctly. This would require complex interleaving of rules instead of plain appending. By splitting the FORWARD chain into three chains management will be simpler. Thus we create
INPUT -> INP_libvirt OUTPUT -> OUT_libvirt FORWARD -> FWD_libvirt_cross FORWARD -> FWD_libvirt_in FORWARD -> FWD_libvirt_out POSTROUTING -> PRT_libvirt
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt_private.syms | 1 + src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++ src/util/viriptables.h | 2 + 3 files changed, 84 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 335210c31d..e42c946de6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
+iptablesSetupPrivateChains;
# util/viriscsi.h diff --git a/src/util/viriptables.c b/src/util/viriptables.c index f379844d28..4a7ea54b38 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -51,6 +51,87 @@ enum { };
+ +typedef struct { + virFirewallLayer layer; + const char *table; + const char *parent; + const char *child; +} iptablesChain; + +static int +iptablesCheckPrivateChain(virFirewallPtr fw, + const char *const *lines, + void *opaque) +{ + iptablesChain *data = opaque; + bool found = false; + + while (lines && *lines && !found) { + if (STRPREFIX(*lines, data->child)) + found = true; + lines++; + } + + if (!found) + virFirewallAddRule(fw, data->layer, + "--table", data->table, + "--insert", data->parent, + "--jump", data->child, NULL); + + return 0; +} + + +int +iptablesSetupPrivateChains(void) +{ + virFirewallPtr fw; + int ret = -1; + iptablesChain chains[] = { + {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT", "INP_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT", "OUT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_out"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_in"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_cross"}, + {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING", "PRT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "INPUT", "INP_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "OUTPUT", "OUT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_out"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_in"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_cross"}, + {VIR_FIREWALL_LAYER_IPV6, "nat", "POSTROUTING", "PRT_libvirt"}, + }; + size_t i; + + fw = virFirewallNew(); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + + for (i = 0; i < ARRAY_CARDINALITY(chains); i++) { + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--new-chain", chains[i].child, NULL); + } + + virFirewallStartTransaction(fw, 0); + + for (i = 0; i < ARRAY_CARDINALITY(chains); i++) { + virFirewallAddRuleFull(fw, chains[i].layer, + false, iptablesCheckPrivateChain, + &chains[i], + "--table", chains[i].table, + "--list", 
chains[i].parent, NULL);
As we discussed on IRC last week, this *really* needs a "-n" to prevent iptables from doing a DNS lookup on every IP address in every rule. On a test I setup (with 60 networks) it took more than 10 minutes(!) to restart libvirtd after upgrading to the new code. With the old code, a restart after upgrading took 45 seconds. Even after you do that, this still creates some slowdown, and a *lot* of warnings in the logs from firewalld. A couple of ideas: 1) iptablesCheckPrivateChain only needs to be called once for each combination of layer+table+child, but it's being called 3 times for ipv4+filter+FORWARD and for ipv6+filter+FORWARD. Maybe the table could be constructed differently so that there is one entry for each layer+table+child, and each one of those entries has a list of all the private chains needed. 2) The toplevel function is called for every new network, but really only needs to be called a) when libvirtd is started, and b) when firewalld notifies us that it has flushed all of the rules. 3) We only add the rule to jump to the new chain if that rule doesn't exist already, but we still try to create the new chain no matter what, leading to tons of firewalld warnings in the log about attempts to create a new chain with the same name as an existing chain. The existence of the "-j $chain" rule is a fairly reliable indicator that the chain itself exists, though - we could eliminate these warnings (and the extra unnecessary dbus call + iptables exec) if we would add the new chain only in cases where we saw that the jump to the chain didn't exist.
+ } + + if (virFirewallApply(fw) < 0) + goto cleanup; + + ret = 0; + cleanup: + return ret; +} + static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 9ea25fc096..1db97937a1 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -27,6 +27,8 @@ # include "virsocketaddr.h" # include "virfirewall.h"
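Review bot: iptablesSetupPrivateChains allocates a firewall object with `fw = virFirewallNew();` but nothing in the function releases it — the `cleanup:` label just returns `ret` on both the success path and the `virFirewallApply()` failure path, so each call leaks the object together with every queued rule. Add `virFirewallFree(fw);` (the release routine declared next to virFirewallNew in virfirewall.h) under `cleanup:` before `return ret;`; since the thread notes this runs at every network start, the leak is recurring rather than one-off. The function also never checks whether `virFirewallNew()` returned NULL; if it can fail, follow whatever the other callers in this file do (not visible here).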
+int iptablesSetupPrivateChains (void); + void iptablesAddTcpInput (virFirewallPtr fw, virFirewallLayer layer, const char *iface,

On 12/3/18 10:07 AM, Laine Stump wrote:
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Historically rules were added straight into the base chains. This works but it is inflexible for admins adding extra rules via hook scripts, and it is not clear which rules are libvirt created.
There is a further complexity with the FORWARD chain where a specific ordering of rules is needed to ensure traffic is matched correctly. This would require complex interleaving of rules instead of plain appending. By splitting the FORWARD chain into three chains management will be simpler. Thus we create
INPUT -> INP_libvirt OUTPUT -> OUT_libvirt FORWARD -> FWD_libvirt_cross FORWARD -> FWD_libvirt_in FORWARD -> FWD_libvirt_out POSTROUTING -> PRT_libvirt
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt_private.syms | 1 + src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++ src/util/viriptables.h | 2 + 3 files changed, 84 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 335210c31d..e42c946de6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
+iptablesSetupPrivateChains;
# util/viriscsi.h diff --git a/src/util/viriptables.c b/src/util/viriptables.c index f379844d28..4a7ea54b38 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -51,6 +51,87 @@ enum { };
+ +typedef struct { + virFirewallLayer layer; + const char *table; + const char *parent; + const char *child; +} iptablesChain; + +static int +iptablesCheckPrivateChain(virFirewallPtr fw, + const char *const *lines, + void *opaque) +{ + iptablesChain *data = opaque; + bool found = false; + + while (lines && *lines && !found) { + if (STRPREFIX(*lines, data->child)) + found = true; + lines++; + } + + if (!found) + virFirewallAddRule(fw, data->layer, + "--table", data->table, + "--insert", data->parent, + "--jump", data->child, NULL); + + return 0; +} + + +int +iptablesSetupPrivateChains(void) +{ + virFirewallPtr fw; + int ret = -1; + iptablesChain chains[] = { + {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT", "INP_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT", "OUT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_out"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_in"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_cross"}, + {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING", "PRT_libvirt"},
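Review bot: `if (STRPREFIX(*lines, data->child))` in iptablesCheckPrivateChain is a bare prefix comparison against each line of `iptables --list <parent>`, so any target whose name merely starts with the libvirt name — an admin's `FWD_libvirt_in_extra` jump in the same chain, for instance — satisfies the check for `FWD_libvirt_in`, the real jump is never inserted, and every rule later placed in that private chain is silently unreachable. Require a delimiter after the name, e.g. `size_t len = strlen(data->child);` and `if (STRPREFIX(*lines, data->child) && (*lines)[len] == ' ')`, since the target column of `--list` output is blank-padded; comparing against the `-A <parent> -j <child>` lines of `--list-rules` output would be more exact still and prints addresses numerically. The rest of this hunk is quoted elsewhere in the thread and not visible at this point.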
You also need this entry (for the rule that fixes the UDP checksum of dhcp packets): + {VIR_FIREWALL_LAYER_IPV4, "mangle", "POSTROUTING", "PRT_libvirt"}, (that is, unless we think it's okay to do away with that rule. It was originally added because of some strange combination of virtio+vhost+[old OS, e.g. RHEL5] getting dhcp requests with incorrect checksums on the host. See https://bugzilla.redhat.com/show_bug.cgi?id=612588 for more info (although it's difficult since the Bug description is marked as Private :-( )

Currently all rules are created directly in the INPUT, FORWARD, OUTPUT and POSTROUTING chains. This change prepares for putting the rules into private changes, but does not actually do the switch yet. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------ 1 file changed, 108 insertions(+), 44 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 4a7ea54b38..b4a4bf9a12 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -50,6 +50,12 @@ enum { REMOVE }; +enum { + VIR_IPTABLES_CHAIN_BUILTIN, + VIR_IPTABLES_CHAIN_PRIVATE, + + VIR_IPTABLES_CHAIN_LAST, +}; typedef struct { @@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void) static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "INPUT", + "INP_libvirt", + }; snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "INPUT", + action == ADD ? "--insert" : "--delete", chainName[chain], "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw, static void iptablesOutput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "OUTPUT", + "OUT_libvirt", + }; snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "OUTPUT", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, 
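Review bot: `chainName[chain]` in the new iptablesInput and iptablesOutput indexes a two-entry `static const char *` table with a plain `int chain` parameter, so a caller passing anything other than VIR_IPTABLES_CHAIN_BUILTIN or VIR_IPTABLES_CHAIN_PRIVATE reads past the array and hands iptables a garbage chain name. Give the new enum a tag, `typedef enum { ... } virIptablesChainType;`, and make the parameter that type so the compiler can flag mismatched callers; consider also replacing the per-function copies of the table with one `static const char *iptablesChainName(int chain, const char *builtin, const char *priv)` helper so every builtin/private pairing lives in a single place. Both function bodies continue past the end of this hunk.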
@@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1); } /** @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1); } /** @@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0); } /** @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, iface, port, REMOVE, 0); + return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0); } /** @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0); } /** @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0); } @@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr, */ static int iptablesForwardAllowOut(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw, VIR_AUTOFREE(char *) networkstr = NULL; virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_out", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; 
@@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); } /** @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); } @@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, */ static int iptablesForwardAllowRelatedIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; 
@@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); } /** @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); } /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw, virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; 
@@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); } /** @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); } static void iptablesForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_cross", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); } /** 
@@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); } static void iptablesForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_out", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "delete", "FORWARD", + action == ADD ? "--insert" : "delete", chainName[chain], "--in-interface", iface, "--jump", "REJECT", NULL); @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); } /** @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); } static void iptablesForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--jump", "REJECT", NULL); @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); } /** 
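Review bot: The REMOVE branch of iptablesForwardRejectOut still passes the bare word `delete` (`action == ADD ? "--insert" : "delete", chainName[chain],`) where every sibling helper in this file passes `"--delete"`; since this hunk rewrites that exact line it should become `action == ADD ? "--insert" : "--delete", chainName[chain],`. Left as is, the REMOVE path cannot remove the `--in-interface <iface> -j REJECT` rule, and once a later patch in the series moves these rules into FWD_libvirt_out, each network restart will stack another REJECT there while the old one never goes away.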
@@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); } @@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, */ static int iptablesForwardMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw, VIR_AUTOFREE(char *) portRangeStr = NULL; VIR_AUTOFREE(char *) natRangeStr = NULL; virFirewallRulePtr rule; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, if (protocol && protocol[0]) { rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, } else { rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, - protocol, ADD); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, addr, port, protocol, ADD); } /** 
@@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, - protocol, REMOVE); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, addr, port, protocol, REMOVE); } @@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, */ static int iptablesForwardDontMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, int action) { VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + }; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, else virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - ADD); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, destaddr, ADD); } /** 
@@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - REMOVE); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, destaddr, REMOVE); } static void iptablesOutputFixUdpChecksum(virFirewallPtr fw, + int chain, const char *iface, int port, int action) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + }; snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD); } /** @@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE); } -- 2.19.1

On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Currently all rules are created directly in the INPUT, FORWARD, OUTPUT and POSTROUTING chains. This change prepares for putting the rules into private chains, but does not actually do the switch yet.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laine Stump <laine@laine.org>
--- src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------ 1 file changed, 108 insertions(+), 44 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 4a7ea54b38..b4a4bf9a12 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -50,6 +50,12 @@ enum {
 REMOVE
 };
+enum {
+ VIR_IPTABLES_CHAIN_BUILTIN,
+ VIR_IPTABLES_CHAIN_PRIVATE,
+
+ VIR_IPTABLES_CHAIN_LAST,
+};
typedef struct { @@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void) static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "INPUT", + "INP_libvirt", + };
snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "INPUT", + action == ADD ? "--insert" : "--delete", chainName[chain], "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw, static void iptablesOutput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "OUTPUT", + "OUT_libvirt", + };
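Review bot: The chainName table added to iptablesInput is filled positionally into an array sized VIR_IPTABLES_CHAIN_LAST, and the same pattern is repeated in the iptablesOutput, iptablesForwardAllowOut, iptablesForwardAllowRelatedIn, iptablesForwardAllowIn, iptablesForwardAllowCross, iptablesForwardRejectOut, iptablesForwardRejectIn, iptablesForwardMasquerade, iptablesForwardDontMasquerade and iptablesOutputFixUdpChecksum hunks below, with the new `chain` parameter typed as a bare int because the enum introduced at @@ -50 has no tag. If a value is later added to that enum and one of the ten tables is not updated, the missing slot is a NULL pointer, and because virFirewallAddRule takes a NULL-terminated argument list the rule would presumably be emitted with everything from the chain name onward silently dropped instead of failing at build time. Designated initializers make the mapping explicit at each site, e.g. `[VIR_IPTABLES_CHAIN_BUILTIN] = "INPUT",` and `[VIR_IPTABLES_CHAIN_PRIVATE] = "INP_libvirt",`, and giving the enum a tag and using it as the parameter's type would let the compiler flag callers that pass arbitrary ints. iptablesInput's body continues past the end of this hunk.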
snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "OUTPUT", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1); }
/** @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1); }
/** @@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0); }
/** @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, iface, port, REMOVE, 0); + return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0); }
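Review bot: `return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);` in iptablesRemoveUdpInput returns the value of a function declared `static void` in the @@ -135 hunk, which is a constraint violation in C11 (6.8.6.4) whatever the wrapper's own return type is, and it is inconsistent with the neighbouring wrappers, none of which use `return`. The keyword predates this commit, as the removed line shows, but since the line is rewritten here anyway dropping it is free: `iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);`.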
/** @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0); }
/** @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0); }
@@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr, */ static int iptablesForwardAllowOut(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw, VIR_AUTOFREE(char *) networkstr = NULL; virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_out", + };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); }
/** @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); }
@@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, */ static int iptablesForwardAllowRelatedIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); }
/** @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); }
/* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw, virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD); }
/** @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE); }
static void iptablesForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_cross", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); }
/** @@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); }
static void iptablesForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_out", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "delete", "FORWARD", + action == ADD ? "--insert" : "delete", chainName[chain], "--in-interface", iface, "--jump", "REJECT", NULL); @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); }
/** @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); }
static void iptablesForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "FORWARD", + "FWD_libvirt_in", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "--delete", "FORWARD", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--jump", "REJECT", NULL); @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD); }
/** @@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE); }
@@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, */ static int iptablesForwardMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw, VIR_AUTOFREE(char *) portRangeStr = NULL; VIR_AUTOFREE(char *) natRangeStr = NULL; virFirewallRulePtr rule; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, if (protocol && protocol[0]) { rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, } else { rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, - protocol, ADD); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, addr, port, protocol, ADD); }
/** @@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, - protocol, REMOVE); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, addr, port, protocol, REMOVE); }
@@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, */ static int iptablesForwardDontMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, int action) { VIR_AUTOFREE(char *) networkstr = NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, else virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - ADD); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, destaddr, ADD); }
/** @@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, - REMOVE); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, + physdev, destaddr, REMOVE); }
static void iptablesOutputFixUdpChecksum(virFirewallPtr fw, + int chain, const char *iface, int port, int action) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = { + "POSTROUTING", + "PRT_libvirt", + };
snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action == ADD ? "--insert" : "--delete", "POSTROUTING", + action == ADD ? "--insert" : "--delete", chainName[chain], "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD); }
/** @@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE); }

Register the default chains that will be used to hold firewall rules at network startup. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/network/bridge_driver_linux.c | 3 + .../nat-default-linux.args | 72 +++++++++++++++++++ .../nat-ipv6-linux.args | 72 +++++++++++++++++++ .../nat-many-ips-linux.args | 72 +++++++++++++++++++ .../nat-no-dhcp-linux.args | 72 +++++++++++++++++++ .../nat-tftp-linux.args | 72 +++++++++++++++++++ .../route-default-linux.args | 72 +++++++++++++++++++ 7 files changed, 435 insertions(+)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index fb09954b8f..6992653b4a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
 virFirewallPtr fw = NULL;
 int ret = -1;
+ if (iptablesSetupPrivateChains() < 0)
+ return -1;
+
 fw = virFirewallNew();
 virFirewallStartTransaction(fw, 0);
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
index ffdafdff0e..9928da715b 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
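Review bot: iptablesSetupPrivateChains() is called before virFirewallNew() and virFirewallStartTransaction(fw, 0), so its work sits outside the transaction the rest of networkAddFirewallRules builds and is not undone by whatever rollback that transaction provides; if it issues its own iptables commands, which the --new-chain calls in the updated test expectations suggest, a failure later in this function leaves the chains in place while -1 is returned. For chains meant to be shared by every network that is probably the intended lifetime, but nothing in the hunk says so; a comment above the call such as `/* Private chains are shared by all networks and are not removed per-network */` would record it, provided that matches the implementation. networkAddFirewallRules starts and ends outside this hunk, and the same change is quoted again further down the page.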
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args index 22285afa10..440896de18 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args index aff9f69664..d80a9551d4 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args index 2a9d79054e..e00c543487 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args index 1a06f0d0a5..e0cfdcecf5 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args index 65563ff8b4..5b8209af19 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ -- 2.19.1

On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Register the default chains that will be used to hold firewall rules at network startup.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/bridge_driver_linux.c | 3 + .../nat-default-linux.args | 72 +++++++++++++++++++ .../nat-ipv6-linux.args | 72 +++++++++++++++++++ .../nat-many-ips-linux.args | 72 +++++++++++++++++++ .../nat-no-dhcp-linux.args | 72 +++++++++++++++++++ .../nat-tftp-linux.args | 72 +++++++++++++++++++ .../route-default-linux.args | 72 +++++++++++++++++++ 7 files changed, 435 insertions(+)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index fb09954b8f..6992653b4a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
 virFirewallPtr fw = NULL;
 int ret = -1;
+ if (iptablesSetupPrivateChains() < 0)
+ return -1;
+
So I'm not sure whether to fix the "the chains are re-added unnecessarily" problem by moving this call to somewhere else, or by making iptablesSetupPrivateChains() more intelligent. Probably the latter. That's going to make the test results a bit hinky though, since only the first network will include the iptables calls to add the new chains.
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0); diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args index ffdafdff0e..9928da715b 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args index 22285afa10..440896de18 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args index aff9f69664..d80a9551d4 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args index 2a9d79054e..e00c543487 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args index 1a06f0d0a5..e0cfdcecf5 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args index 65563ff8b4..5b8209af19 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \

All rules are now created in the libvirt private firewall chains. The code for deleting rules will try to delete from both the original builtin chains and the new private chains in order to cleanup properly during upgrades. This finally fixes a very old bug (from 2008!) related to traffic between guests on distinct virtual networks. The intention is that networks never allow incoming connections, but the old ordering of rules meant that we would mistakenly allow accept traffic from whichever network was most recently created. With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network: ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate RELATED,ESTABLISHED ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0 ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0 REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable So the rule allowing outbound traffic from virbr2 would mistakenly allow packets from virbr2 to virbr0, before the rule denying input to virbr0 gets a chance to run With the split up forwarding chains, all incoming deny rules are checked before any of the outgoing allow rules, as rules are grouped into three distinct sets Cross rules ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 Incoming rules ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate RELATED,ESTABLISHED ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with 
icmp-port-unreachable REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Outgoing rules ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0 REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/viriptables.c | 71 +++++++++++++------ .../nat-default-linux.args | 32 ++++----- .../nat-ipv6-linux.args | 48 ++++++------- .../nat-many-ips-linux.args | 60 ++++++++-------- .../nat-no-dhcp-linux.args | 46 ++++++------ .../nat-tftp-linux.args | 34 ++++----- .../route-default-linux.args | 22 +++--- 7 files changed, 171 insertions(+), 142 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index b4a4bf9a12..ad029e6465 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -209,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 1); } /** @@ -228,6 +228,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, int port) { iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 1); } /** @@ -245,7 +246,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0); } /** 
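Review bot: The added `iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 1);` in iptablesRemoveTcpInput sits next to the retained VIR_IPTABLES_CHAIN_BUILTIN delete with nothing in the code saying why both are issued; the commit message explains it is upgrade cleanup, but a maintainer reading only the source will see what looks like a leftover and drop one of them. A one-line comment above the pair, `/* Also delete from the builtin chain: rules created before the switch to private chains can survive a daemon upgrade */`, would preserve the intent, and the same applies to every Remove* wrapper in this file down to iptablesRemoveOutputFixUdpChecksum. Once nothing is left in the builtin chains the BUILTIN `--delete` will fail on every teardown; presumably the removal transaction is started with errors ignored, but that is not visible here and is worth confirming so a failing delete does not abort the rest of the teardown. The enclosing function bodies start outside the hunks.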
@@ -263,7 +264,8 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
                        const char *iface,
                        int port)
 {
-    return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+    iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
 }
 
 /**
@@ -281,7 +283,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
                      const char *iface,
                      int port)
 {
-    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
 }
 
 /**
@@ -300,6 +302,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
                         int port)
 {
     iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+    iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
 }
 
 
@@ -398,7 +401,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
                            const char *iface,
                            const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -421,7 +424,11 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
                               const char *iface,
                               const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
+    if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
+        return -1;
+    if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
+        return -1;
+    return 0;
 }
 
 
@@ -493,7 +500,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
                                  const char *iface,
                                  const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -516,7 +523,11 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
                                     const char *iface,
                                     const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
+    if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
+        return -1;
+    if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
+        return -1;
+    return 0;
 }
 
 /* Allow all traffic destined to the bridge, with a valid network address
@@ -581,7 +592,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
                           const char *iface,
                           const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -604,7 +615,11 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
                              const char *iface,
                              const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
+    if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
+        return -1;
+    if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
+        return -1;
+    return 0;
 }
 
 static void
@@ -644,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
                             virFirewallLayer layer,
                             const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
 }
 
 /**
@@ -664,6 +679,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
                                const char *iface)
 {
     iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+    iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
 }
 
 static void
@@ -680,7 +696,7 @@ iptablesForwardRejectOut(virFirewallPtr fw, virFirewallAddRule(fw, layer, "--table", "filter", - action == ADD ? "--insert" : "delete", chainName[chain], + action == ADD ? "--insert" : "--delete", chainName[chain], "--in-interface", iface, "--jump", "REJECT", NULL);
@@ -701,7 +717,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
                             virFirewallLayer layer,
                             const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
 }
 
 /**
@@ -720,6 +736,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
                                const char *iface)
 {
     iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+    iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
 }
 
 
@@ -758,7 +775,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
                            virFirewallLayer layer,
                            const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
 }
 
 /**
@@ -777,6 +794,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
                               const char *iface)
 {
     iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+    iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
 }
 
 
@@ -914,7 +932,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
                              virPortRangePtr port,
                              const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
                                      physdev, addr, port, protocol, ADD);
 }
 
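Review bot: The `"delete"` to `"--delete"` change in iptablesForwardRejectOut is a functional fix buried in a commit whose subject is about which chain rules go into, and the commit message does not mention it. With the old string the REMOVE path would presumably have handed iptables a bare `delete` argument, so the per-interface REJECT rule would never have been removed on teardown and stale reject rules would have accumulated in FORWARD; if the typo was introduced earlier in this series it should be squashed there, otherwise it deserves its own commit or at least a sentence in the message so anyone bisecting stale REJECT rules can find it. iptablesForwardRejectIn builds an equivalent rule and is not shown in this hunk — worth checking it does not carry the same string. The enclosing function starts and ends outside the hunk.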
@@ -940,8 +958,13 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
                                 virPortRangePtr port,
                                 const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
-                                     physdev, addr, port, protocol, REMOVE);
+    if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+                                  physdev, addr, port, protocol, REMOVE) < 0)
+        return -1;
+    if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+                                  physdev, addr, port, protocol, REMOVE) < 0)
+        return -1;
+    return 0;
 }
 
 
@@ -1016,7 +1039,7 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
                           const char *physdev,
                           const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
                                          physdev, destaddr, ADD);
 }
 
@@ -1041,8 +1064,13 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
                              const char *physdev,
                              const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
-                                         physdev, destaddr, REMOVE);
+    if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+                                      physdev, destaddr, REMOVE) < 0)
+        return -1;
+    if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+                                      physdev, destaddr, REMOVE) < 0)
+        return -1;
+    return 0;
 }
 
 
@@ -1088,7 +1116,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
                                 const char *iface,
                                 int port)
 {
-    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
+    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD);
 }
 
 /**
@@ -1106,4 +1134,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
                                    int port)
 {
     iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
+    iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE);
 }
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args index 9928da715b..69995181ad 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -72,64 +72,64 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ 
@@ -137,13 +137,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -151,7 +151,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -159,19 +159,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args index 440896de18..f93d8face2 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -72,101 +72,101 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT 
iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -174,13 +174,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -188,7 +188,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -196,31 +196,31 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args index d80a9551d4..faae4b881c 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -72,64 +72,64 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -137,13 +137,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -151,7 +151,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -159,25 +159,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.128.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.128.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -185,13 +185,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ -p udp '!' \ --destination 192.168.128.0/24 \ @@ -199,7 +199,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ -p tcp '!' \ --destination 192.168.128.0/24 \ 
@@ -207,25 +207,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.150.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.150.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -233,13 +233,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 '!' \ --destination 192.168.150.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ -p udp '!' \ --destination 192.168.150.0/24 \ @@ -247,7 +247,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ -p tcp '!' \ --destination 192.168.150.0/24 \ @@ -255,19 +255,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args index e00c543487..cb0d908506 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -72,101 +72,101 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT 
iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -174,13 +174,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -188,7 +188,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -196,25 +196,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args index e0cfdcecf5..1243bd1c2d 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -72,71 +72,71 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 69 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -144,13 +144,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -158,7 +158,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -166,19 +166,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args index 5b8209af19..624e589aae 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -72,70 +72,70 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ -- 2.19.1

On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
All rules are now created in the libvirt private firewall chains. The code for deleting rules will try to delete from both the original builtin chains and the new private chains in order to cleanup properly during upgrades.
This finally fixes a very old bug (from 2008!) related to traffic between guests on distinct virtual networks. The intention is that networks never allow incoming connections, but the old ordering of rules meant that we would mistakenly accept traffic from whichever network was most recently created.
Yay!! I've verified that traffic is blocked in both directions between nat and isolated networks, but otherwise allowed. The only issue I have with this is that, due to not keeping track of what rules we've added in the past, when we restart and want to refresh all the rules, we have to attempt deletion of both "the rules we would add currently for the active networks" as well as "the rules we would have added in the past (before these changes went in)". That makes for a slight startup time penalty (and maintenance headache) now, but in the future it will only get worse - any time we change the exact rules used for a particular network setup, we'll have to remember what rules we *used to* add for that type of network, and continue deleting (or attempting to delete) those rules, in addition to all previous incarnations of the rules *and* the new incarnation. This will end up becoming very unwieldy. I think instead we need to save in the network status a list of the exact iptables (or firewalld or nftables or whatever it is in the future) rules we have added, and always delete the exact rules that we previously added each time we do a refresh. The sooner we do this, the fewer headaches we'll have. Aside from that: Reviewed-by: Laine Stump <laine@laine.org> Tested-by: Laine Stump <laine@laine.org>
With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network:
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate RELATED,ESTABLISHED ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0 ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0 REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
So the rule allowing outbound traffic from virbr2 would mistakenly allow packets from virbr2 to virbr0, before the rule denying input to virbr0 gets a chance to run
With the split up forwarding chains, all incoming deny rules are checked before any of the outgoing allow rules, as rules are grouped into three distinct sets
Cross rules
ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Incoming rules
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate RELATED,ESTABLISHED ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Outgoing rules
ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0 REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/util/viriptables.c | 71 +++++++++++++------ .../nat-default-linux.args | 32 ++++----- .../nat-ipv6-linux.args | 48 ++++++------- .../nat-many-ips-linux.args | 60 ++++++++-------- .../nat-no-dhcp-linux.args | 46 ++++++------ .../nat-tftp-linux.args | 34 ++++----- .../route-default-linux.args | 22 +++--- 7 files changed, 171 insertions(+), 142 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index b4a4bf9a12..ad029e6465 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -209,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
 const char *iface,
 int port)
 {
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 1);
 }
 /**
@@ -228,6 +228,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
 int port)
 {
 iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 1);
 }
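Review bot: The ADD call on the changed line of iptablesAddTcpInput now inserts only into VIR_IPTABLES_CHAIN_PRIVATE, so the rule silently depends on the INP_libvirt/OUT_libvirt/FWD_libvirt_*/PRT_libvirt chains having been created beforehand, and nothing in this hunk or in the equally changed iptablesAddUdpInput, iptablesAddUdpOutput, iptablesAddForwardAllowOut, iptablesAddForwardAllowRelatedIn, iptablesAddForwardAllowIn, iptablesAddForwardAllowCross, iptablesAddForwardRejectOut, iptablesAddForwardRejectIn, iptablesAddForwardMasquerade, iptablesAddDontMasquerade and iptablesAddOutputFixUdpChecksum hunks checks or documents that precondition. If the base chain setup from the earlier patch in this series runs only at driver start-up, a firewalld reload or an administrator flushing and deleting chains would make every later `--insert` fail, where the builtin chains previously always existed. Please state the requirement in each Add function's doc comment, e.g. `/* Rules go into the libvirt private chains, which must already exist (see the base chain setup in the network driver) */`, and confirm that the firewall reload path recreates the chains before re-adding rules. The parameter list of iptablesAddTcpInput begins before this hunk.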
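Review bot: The retained delete against the builtin INPUT chain in iptablesRemoveTcpInput now looks redundant next to the added private-chain delete, because this libvirt no longer creates rules there; the reason it must stay (cleaning up rules left by a pre-private-chain libvirt after an upgrade) lives only in the commit message, and a later maintainer is likely to drop it. Add a comment above the builtin-chain call, e.g. `/* Legacy: also delete from the builtin chain so rules created before private chains existed are cleaned up after an upgrade */`, here and in the matching iptablesRemoveUdpInput, iptablesRemoveUdpOutput, iptablesRemoveForwardAllowCross, iptablesRemoveForwardRejectOut, iptablesRemoveForwardRejectIn and iptablesRemoveOutputFixUdpChecksum hunks. The parameter list of iptablesRemoveTcpInput begins before this hunk.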
 /**
@@ -245,7 +246,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
 const char *iface,
 int port)
 {
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
 }
 /**
@@ -263,7 +264,8 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
 const char *iface,
 int port)
 {
- return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
 }
 /**
@@ -281,7 +283,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
 const char *iface,
 int port)
 {
- iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
 }
 /**
@@ -300,6 +302,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
 int port)
 {
 iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
 }
@@ -398,7 +401,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
 const char *iface,
 const char *physdev)
 {
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
 }
 /**
@@ -421,7 +424,11 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
 const char *iface,
 const char *physdev)
 {
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
+ return -1;
+ return 0;
 }
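Review bot: In the new body of iptablesRemoveForwardAllowOut a negative return from the builtin-chain delete returns -1 before the private-chain delete is queued, so the rule this libvirt actually created in FWD_libvirt_out can be left in place because the legacy cleanup step failed. If iptablesForwardAllowOut can only fail on address formatting, both calls fail together and this is harmless, but that is not visible from the hunk; attempting both deletes and reporting a combined status keeps the legacy delete best-effort without hiding errors. The same early return is introduced in iptablesRemoveForwardAllowRelatedIn, iptablesRemoveForwardAllowIn, iptablesRemoveForwardMasquerade and iptablesRemoveDontMasquerade. The parameter list of iptablesRemoveForwardAllowOut begins before this hunk.
```c
    int ret = 0;

    /* Legacy chain first: best-effort cleanup of rules created before private chains existed */
    if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
        ret = -1;
    if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
        ret = -1;
    return ret;
```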
@@ -493,7 +500,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
 const char *iface,
 const char *physdev)
 {
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
 }
 /**
@@ -516,7 +523,11 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
 const char *iface,
 const char *physdev)
 {
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
+ return -1;
+ return 0;
 }
 /* Allow all traffic destined to the bridge, with a valid network address
@@ -581,7 +592,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
 const char *iface,
 const char *physdev)
 {
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, ADD);
 }
 /**
@@ -604,7 +615,11 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
 const char *iface,
 const char *physdev)
 {
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface, physdev, REMOVE) < 0)
+ return -1;
+ return 0;
 }
 static void
@@ -644,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
 virFirewallLayer layer,
 const char *iface)
 {
- iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
 }
 /**
@@ -664,6 +679,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
 const char *iface)
 {
 iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
 }
 static void
@@ -680,7 +696,7 @@ iptablesForwardRejectOut(virFirewallPtr fw,
 virFirewallAddRule(fw, layer,
 "--table", "filter",
- action == ADD ? "--insert" : "delete", chainName[chain],
+ action == ADD ? "--insert" : "--delete", chainName[chain],
 "--in-interface", iface,
 "--jump", "REJECT",
 NULL);
@@ -701,7 +717,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
 virFirewallLayer layer,
 const char *iface)
 {
- iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
 }
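Review bot: The `"delete"` to `"--delete"` correction on the changed line of iptablesForwardRejectOut is a real bug fix unrelated to moving rules into private chains, and neither the commit message nor the series cover letter mentions it. Before this line every REMOVE of the forward reject-out rule handed iptables a bare `delete` argument, so if the removal transaction ignores command errors those REJECT rules were presumably never deleted and accumulated in FORWARD across network restarts; that deserves a sentence in the log and ideally its own commit so it can be backported independently. The sibling iptablesForwardRejectIn is not touched in this hunk, so please confirm it already passes `--delete`. The signature of iptablesForwardRejectOut starts before this hunk.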
 /**
@@ -720,6 +736,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
 const char *iface)
 {
 iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
 }
@@ -758,7 +775,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
 virFirewallLayer layer,
 const char *iface)
 {
- iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
 }
 /**
@@ -777,6 +794,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
 const char *iface)
 {
 iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
 }
@@ -914,7 +932,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
 virPortRangePtr port,
 const char *protocol)
 {
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
 physdev, addr, port, protocol, ADD);
 }
@@ -940,8 +958,13 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
 virPortRangePtr port,
 const char *protocol)
 {
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
- physdev, addr, port, protocol, REMOVE);
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ return 0;
 }
@@ -1016,7 +1039,7 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
 const char *physdev,
 const char *destaddr)
 {
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
 physdev, destaddr, ADD);
 }
@@ -1041,8 +1064,13 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
 const char *physdev,
 const char *destaddr)
 {
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
- physdev, destaddr, REMOVE);
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ return 0;
 }
@@ -1088,7 +1116,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
 const char *iface,
 int port)
 {
- iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD);
 }
 /**
@@ -1106,4 +1134,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
 int port)
 {
 iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE);
 }
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
index 9928da715b..69995181ad 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -72,64 +72,64 @@ ip6tables \
 --list POSTROUTING
 iptables \
 --table filter \
---insert INPUT \
+--insert INP_libvirt \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert INP_libvirt \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert INP_libvirt \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert INP_libvirt \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -137,13 +137,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -151,7 +151,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -159,19 +159,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args index 440896de18..f93d8face2 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -72,101 +72,101 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT 
iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -174,13 +174,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -188,7 +188,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -196,31 +196,31 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args index d80a9551d4..faae4b881c 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -72,64 +72,64 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -137,13 +137,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -151,7 +151,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -159,25 +159,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.128.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.128.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -185,13 +185,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ -p udp '!' \ --destination 192.168.128.0/24 \ @@ -199,7 +199,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ -p tcp '!' \ --destination 192.168.128.0/24 \ 
@@ -207,25 +207,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.150.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.150.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -233,13 +233,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 '!' \ --destination 192.168.150.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ -p udp '!' \ --destination 192.168.150.0/24 \ @@ -247,7 +247,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ -p tcp '!' \ --destination 192.168.150.0/24 \ @@ -255,19 +255,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args index e00c543487..cb0d908506 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -72,101 +72,101 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT 
iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -174,13 +174,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -188,7 +188,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -196,25 +196,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args index e0cfdcecf5..1243bd1c2d 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -72,71 +72,71 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 69 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -144,13 +144,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -158,7 +158,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -166,19 +166,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args index 5b8209af19..624e589aae 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -72,70 +72,70 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tests/networkxml2firewalltest.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index 242b645767..505ff0c740 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -154,7 +154,6 @@ mymain(void) DO_TEST("nat-no-dhcp"); DO_TEST("nat-ipv6"); DO_TEST("route-default"); - DO_TEST("route-default"); cleanup: return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; -- 2.19.1

On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laine Stump <laine@laine.org>
--- tests/networkxml2firewalltest.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index 242b645767..505ff0c740 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -154,7 +154,6 @@ mymain(void) DO_TEST("nat-no-dhcp"); DO_TEST("nat-ipv6"); DO_TEST("route-default"); - DO_TEST("route-default");
cleanup: return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;

The networkxml2firewalltest sets virCommand to dry run mode but doesn't provide a callback to fill in stdout/stderr. As a result when the firewall code queries rules it gets a NULL output and so never triggers the callback to process output. We only need to return an empty string to make the firewall code work and thus trigger adding of the libvirt private chains to the builtin chains. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- .../nat-default-linux.args | 48 +++++++++++++++++++ .../nat-ipv6-linux.args | 48 +++++++++++++++++++ .../nat-many-ips-linux.args | 48 +++++++++++++++++++ .../nat-no-dhcp-linux.args | 48 +++++++++++++++++++ .../nat-tftp-linux.args | 48 +++++++++++++++++++ .../route-default-linux.args | 48 +++++++++++++++++++ tests/networkxml2firewalltest.c | 16 ++++++- 7 files changed, 303 insertions(+), 1 deletion(-) diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args index 69995181ad..e7d71817c7 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args index f93d8face2..620ebb8d14 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args index faae4b881c..7c378b8c7e 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args index cb0d908506..afa8c3a0ca 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args index 1243bd1c2d..a45ba545c2 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args index 624e589aae..859a342e7d 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index 505ff0c740..5e3d8906c5 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -44,6 +44,20 @@ static const char *abs_top_srcdir; # error "test case not ported to this platform" # endif +static void +testCommandDryRun(const char *const*args ATTRIBUTE_UNUSED, + const char *const*env ATTRIBUTE_UNUSED, + const char *input ATTRIBUTE_UNUSED, + char **output, + char **error, + int *status, + void *opaque ATTRIBUTE_UNUSED) +{ + *status = 0; + ignore_value(VIR_STRDUP_QUIET(*output, "")); + ignore_value(VIR_STRDUP_QUIET(*error, "")); +} + static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline) { 
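Review bot: testCommandDryRun answers every intercepted command, including the rule-query commands the firewall code issues, with `*status = 0` and an empty stdout, and it is that "nothing present" answer which makes the code emit the jump rules the new .args expectations now contain; the added block carries no comment saying so. A header comment such as `/* Report success and empty output for every command, so rule queries see no existing rules and the chain setup path is exercised. */` would tell the next reader why empty strings are the right stub here. The `ignore_value(VIR_STRDUP_QUIET(...))` calls mean an allocation failure leaves `*output` NULL, which is the state the commit is fixing, so such a failure would presumably show up only as an args mismatch rather than as an allocation error; setting `*status` to a non-zero value when either strdup fails would make the cause visible. testCompareXMLToArgvFiles continues outside the hunk.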
@@ -53,7 +67,7 @@ static int testCompareXMLToArgvFiles(const char *xml, virNetworkDefPtr def = NULL; int ret = -1; - virCommandSetDryRun(&buf, NULL, NULL); + virCommandSetDryRun(&buf, testCommandDryRun, NULL); if (!(def = virNetworkDefParseFile(xml))) goto cleanup; -- 2.19.1

On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
The networkxml2firewalltest sets virCommand to dry run mode but doesn't provide a callback to fill in stdout/stderr. As a result when the firewall code queries rules it gets a NULL output and so never triggers the callback to process output.
We only need to return an empty string to make the firewall code work and thus trigger adding of the libvirt private chains to the builtin chains.
Well, technically it's only adding the jump to the private chains, not the chains themselves (although I mentioned earlier that I think this should change).
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laine Stump <laine@laine.org> but shouldn't this just be squashed in with the patch that originally changed the code to add the chains?
--- .../nat-default-linux.args | 48 +++++++++++++++++++ .../nat-ipv6-linux.args | 48 +++++++++++++++++++ .../nat-many-ips-linux.args | 48 +++++++++++++++++++ .../nat-no-dhcp-linux.args | 48 +++++++++++++++++++ .../nat-tftp-linux.args | 48 +++++++++++++++++++ .../route-default-linux.args | 48 +++++++++++++++++++ tests/networkxml2firewalltest.c | 16 ++++++- 7 files changed, 303 insertions(+), 1 deletion(-)
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args index 69995181ad..e7d71817c7 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args index f93d8face2..620ebb8d14 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args index faae4b881c..7c378b8c7e 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args index cb0d908506..afa8c3a0ca 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args index 1243bd1c2d..a45ba545c2 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args index 624e589aae..859a342e7d 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index 505ff0c740..5e3d8906c5 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -44,6 +44,20 @@ static const char *abs_top_srcdir; # error "test case not ported to this platform" # endif
+static void +testCommandDryRun(const char *const*args ATTRIBUTE_UNUSED, + const char *const*env ATTRIBUTE_UNUSED, + const char *input ATTRIBUTE_UNUSED, + char **output, + char **error, + int *status, + void *opaque ATTRIBUTE_UNUSED) +{ + *status = 0; + ignore_value(VIR_STRDUP_QUIET(*output, "")); + ignore_value(VIR_STRDUP_QUIET(*error, "")); +} + static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline) { @@ -53,7 +67,7 @@ static int testCompareXMLToArgvFiles(const char *xml, virNetworkDefPtr def = NULL; int ret = -1;
- virCommandSetDryRun(&buf, NULL, NULL); + virCommandSetDryRun(&buf, testCommandDryRun, NULL);
if (!(def = virNetworkDefParseFile(xml))) goto cleanup;