7:52 a.m.
The virtual networks in NAT mode are supposed to only allow outbound
network access for guests. Unfortunately due to ordering of the firewall
rules libvirt creates, when you have multiple virtual networks, guests
on the more recently created virtual networks can connect to guests on
old virtual networks.
This was reported way back in 2008 but we always thought the fix would
be very complicated to deal with, so we've been putting it off forever.
In parallel with this there's also been a long standing desire since
2009 to move our firewall rules out of the builtin chains, to libvirt
private chains. This is to make it easier for admins to use hook scripts
to setup rules in the builtin chains that take priority over rules
libvirt creates.
In implementing the changes to use private chains, I suddenly realized
that fixing the network to network traffic blocking problem was trivial
if I grouped the forwarding rules into three distinct sets.
So this series finally fixes an annoying 10 year old bug, and implements
a 9 year old RFE.
It may take us a while, but we'll get to your bugs eventually ;-)
Daniel P. Berrangé (7):
util: refactor iptables APIs to share more code
util: add iptables API for creating base chains
util: prepare iptables for putting rules into private chains
network: setup default iptables chains
util: switch over to creating rules in private chains
tests: remove duplicated test case in networkxml2firewalltest
tests: fix dry run handling in network firewall test
src/libvirt_private.syms | 1 +
src/network/bridge_driver_linux.c | 3 +
src/util/viriptables.c | 317 ++++++++++++++----
src/util/viriptables.h | 2 +
.../nat-default-linux.args | 150 ++++++++-
.../nat-ipv6-linux.args | 166 +++++++--
.../nat-many-ips-linux.args | 178 ++++++++--
.../nat-no-dhcp-linux.args | 164 +++++++--
.../nat-tftp-linux.args | 152 ++++++++-
.../route-default-linux.args | 140 +++++++-
tests/networkxml2firewalltest.c | 17 +-
11 files changed, 1107 insertions(+), 183 deletions(-)
--
2.19.1
7:52 a.m.
New subject: [libvirt] [PATCH 1/7] util: refactor iptables APIs to share more code
Most of the iptables APIs share code for the add/delete paths, but a
couple were separated. Merge the remaining APIs to facilitate future
changes.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/viriptables.c | 73 ++++++++++++++++++++++++------------------
1 file changed, 42 insertions(+), 31 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 5dbea8cf57..f379844d28 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
}
+static void
+iptablesForwardAllowCross(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int action)
+{
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--in-interface", iface,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
+}
+
/**
* iptablesAddForwardAllowCross:
* @ctx: pointer to the IP table context
@@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--insert", "FORWARD",
- "--in-interface", iface,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ iptablesForwardAllowCross(fw, layer, iface, ADD);
}
/**
@@ -535,13 +544,21 @@ void
iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
+{
+ iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+}
+
+static void
+iptablesForwardRejectOut(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- "--delete", "FORWARD",
+ action == ADD ? "--insert" : "delete",
"FORWARD",
"--in-interface", iface,
- "--out-interface", iface,
- "--jump", "ACCEPT",
+ "--jump", "REJECT",
NULL);
}
@@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--insert", "FORWARD",
- "--in-interface", iface,
- "--jump", "REJECT",
- NULL);
+ iptablesForwardRejectOut(fw, layer, iface, ADD);
}
/**
@@ -582,16 +594,25 @@ void
iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
+{
+ iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+}
+
+
+static void
+iptablesForwardRejectIn(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- "--delete", "FORWARD",
- "--in-interface", iface,
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--out-interface", iface,
"--jump", "REJECT",
NULL);
}
-
/**
* iptablesAddForwardRejectIn:
* @ctx: pointer to the IP table context
@@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--insert", "FORWARD",
- "--out-interface", iface,
- "--jump", "REJECT",
- NULL);
+ iptablesForwardRejectIn(fw, layer, iface, ADD);
}
/**
@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--delete", "FORWARD",
- "--out-interface", iface,
- "--jump", "REJECT",
- NULL);
+ iptablesForwardRejectIn(fw, layer, iface, REMOVE);
}
--
2.19.1
8:04 p.m.
New subject: [libvirt] [PATCH 1/7] util: refactor iptables APIs to share more code
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Most of the iptables APIs share code for the add/delete paths, but a
couple were separated. Merge the remaining APIs to facilitate future
changes.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Reviewed-by: Laine Stump <laine(a)laine.org>
7:52 a.m.
New subject: [libvirt] [PATCH 2/7] util: add iptables API for creating base chains
Historically rules were added straight into the base chains. This works
but it is inflexible for admins adding extra rules via hook scripts, and
it is not clear which rules are libvirt created.
There is a further complexity with the FORWARD chain where a specific
ordering of rules is needed to ensure traffic is matched correctly. This
would require complex interleaving of rules instead of plain appending.
By splitting the FORWARD chain into three chains management will be
simpler. Thus we create
INPUT -> INP_libvirt
OUTPUT -> OUT_libvirt
FORWARD -> FWD_libvirt_cross
FORWARD -> FWD_libvirt_in
FORWARD -> FWD_libvirt_out
POSTROUTING -> PRT_libvirt
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++
src/util/viriptables.h | 2 +
3 files changed, 84 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 335210c31d..e42c946de6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum;
iptablesRemoveTcpInput;
iptablesRemoveUdpInput;
iptablesRemoveUdpOutput;
+iptablesSetupPrivateChains;
# util/viriscsi.h
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index f379844d28..4a7ea54b38 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -51,6 +51,87 @@ enum {
};
+
+typedef struct {
+ virFirewallLayer layer;
+ const char *table;
+ const char *parent;
+ const char *child;
+} iptablesChain;
+
+static int
+iptablesCheckPrivateChain(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque)
+{
+ iptablesChain *data = opaque;
+ bool found = false;
+
+ while (lines && *lines && !found) {
+ if (STRPREFIX(*lines, data->child))
+ found = true;
+ lines++;
+ }
+
+ if (!found)
+ virFirewallAddRule(fw, data->layer,
+ "--table", data->table,
+ "--insert", data->parent,
+ "--jump", data->child, NULL);
+
+ return 0;
+}
+
+
+int
+iptablesSetupPrivateChains(void)
+{
+ virFirewallPtr fw;
+ int ret = -1;
+ iptablesChain chains[] = {
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT",
"INP_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT",
"OUT_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_out"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_in"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_cross"},
+ {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING",
"PRT_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "INPUT",
"INP_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "OUTPUT",
"OUT_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD",
"FWD_libvirt_out"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD",
"FWD_libvirt_in"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD",
"FWD_libvirt_cross"},
+ {VIR_FIREWALL_LAYER_IPV6, "nat", "POSTROUTING",
"PRT_libvirt"},
+ };
+ size_t i;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
+ for (i = 0; i < ARRAY_CARDINALITY(chains); i++) {
+ virFirewallAddRule(fw, chains[i].layer,
+ "--table", chains[i].table,
+ "--new-chain", chains[i].child, NULL);
+ }
+
+ virFirewallStartTransaction(fw, 0);
+
+ for (i = 0; i < ARRAY_CARDINALITY(chains); i++) {
+ virFirewallAddRuleFull(fw, chains[i].layer,
+ false, iptablesCheckPrivateChain,
+ &chains[i],
+ "--table", chains[i].table,
+ "--list", chains[i].parent, NULL);
+ }
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index 9ea25fc096..1db97937a1 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -27,6 +27,8 @@
# include "virsocketaddr.h"
# include "virfirewall.h"
+int iptablesSetupPrivateChains (void);
+
void iptablesAddTcpInput (virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
--
2.19.1
9:07 a.m.
New subject: [libvirt] [PATCH 2/7] util: add iptables API for creating base chains
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Historically rules were added straight into the base chains. This
works
but it is inflexible for admins adding extra rules via hook scripts, and
it is not clear which rules are libvirt created.
There is a further complexity with the FORWARD chain where a specific
ordering of rules is needed to ensure traffic is matched correctly. This
would require complex interleaving of rules instead of plain appending.
By splitting the FORWARD chain into three chains management will be
simpler. Thus we create
INPUT -> INP_libvirt
OUTPUT -> OUT_libvirt
FORWARD -> FWD_libvirt_cross
FORWARD -> FWD_libvirt_in
FORWARD -> FWD_libvirt_out
POSTROUTING -> PRT_libvirt
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++
src/util/viriptables.h | 2 +
3 files changed, 84 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 335210c31d..e42c946de6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum;
iptablesRemoveTcpInput;
iptablesRemoveUdpInput;
iptablesRemoveUdpOutput;
+iptablesSetupPrivateChains;
# util/viriscsi.h
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index f379844d28..4a7ea54b38 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -51,6 +51,87 @@ enum {
};
+
+typedef struct {
+ virFirewallLayer layer;
+ const char *table;
+ const char *parent;
+ const char *child;
+} iptablesChain;
+
+static int
+iptablesCheckPrivateChain(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque)
+{
+ iptablesChain *data = opaque;
+ bool found = false;
+
+ while (lines && *lines && !found) {
+ if (STRPREFIX(*lines, data->child))
+ found = true;
+ lines++;
+ }
+
+ if (!found)
+ virFirewallAddRule(fw, data->layer,
+ "--table", data->table,
+ "--insert", data->parent,
+ "--jump", data->child, NULL);
+
+ return 0;
+}
+
+
+int
+iptablesSetupPrivateChains(void)
+{
+ virFirewallPtr fw;
+ int ret = -1;
+ iptablesChain chains[] = {
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT",
"INP_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT",
"OUT_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_out"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_in"},
+ {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_cross"},
+ {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING",
"PRT_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "INPUT",
"INP_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "OUTPUT",
"OUT_libvirt"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD",
"FWD_libvirt_out"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD",
"FWD_libvirt_in"},
+ {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD",
"FWD_libvirt_cross"},
+ {VIR_FIREWALL_LAYER_IPV6, "nat", "POSTROUTING",
"PRT_libvirt"},
+ };
+ size_t i;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
+ for (i = 0; i < ARRAY_CARDINALITY(chains); i++) {
+ virFirewallAddRule(fw, chains[i].layer,
+ "--table", chains[i].table,
+ "--new-chain", chains[i].child, NULL);
+ }
+
+ virFirewallStartTransaction(fw, 0);
+
+ for (i = 0; i < ARRAY_CARDINALITY(chains); i++) {
+ virFirewallAddRuleFull(fw, chains[i].layer,
+ false, iptablesCheckPrivateChain,
+ &chains[i],
+ "--table", chains[i].table,
+ "--list", chains[i].parent, NULL);
As we discussed on IRC last week, this *really* needs a "-n" to prevent
iptables from doing a DNS lookup on every IP address in every rule. On a
test I setup (with 60 networks) it took more than 10 minutes(!) to
restart libvirtd after upgrading to the new code. With the old code, a
restart after upgrading took 45 seconds.
Even after you do that, this still creates some slowdown, and a *lot* of
warnings in the logs from firewalld. A couple of ideas:
1) iptablesCheckPrivateChain only needs to be called once for each
combination of layer+table+child, but it's being called 3 times for
ipv4+filter+FORWARD and for ipv6+filter+FORWARD. Maybe the table could
be constructed differently so that there is one entry for each
layer+table+child, and each one of those entries has a list of all the
private chains needed.
2) The toplevel function is called for every new network, but really
only needs to be called a) when libvirtd is started, and b) when
firewalld notifies us that it has flushed all of the rules.
3) We only add the rule to jump to the new chain if that rule doesn't
exist already, but we still try to create the new chain no matter what,
leading to tons of firewalld warnings in the log about attempts to
create a new chain with the same name as an existing chain. The
existence of the "-j $chain" rule is a fairly reliable indicator that
the chain itself exists, though - we could eliminate these warnings (and
the extra unnecessary dbus call + iptables exec) if we would add the new
chain only in cases where we saw that the jump to the chain didn't exist.
+ }
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index 9ea25fc096..1db97937a1 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -27,6 +27,8 @@
# include "virsocketaddr.h"
# include "virfirewall.h"
+int iptablesSetupPrivateChains (void);
+
void iptablesAddTcpInput (virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
9:51 a.m.
New subject: [libvirt] [PATCH 2/7] util: add iptables API for creating base chains
On 12/3/18 10:07 AM, Laine Stump wrote:
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> Historically rules were added straight into the base chains. This works
> but it is inflexible for admins adding extra rules via hook scripts, and
> it is not clear which rules are libvirt created.
>
> There is a further complexity with the FORWARD chain where a specific
> ordering of rules is needed to ensure traffic is matched correctly. This
> would require complex interleaving of rules instead of plain appending.
> By splitting the FORWARD chain into three chains management will be
> simpler. Thus we create
>
> INPUT -> INP_libvirt
> OUTPUT -> OUT_libvirt
> FORWARD -> FWD_libvirt_cross
> FORWARD -> FWD_libvirt_in
> FORWARD -> FWD_libvirt_out
> POSTROUTING -> PRT_libvirt
>
> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
> ---
> src/libvirt_private.syms | 1 +
> src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++
> src/util/viriptables.h | 2 +
> 3 files changed, 84 insertions(+)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 335210c31d..e42c946de6 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum;
> iptablesRemoveTcpInput;
> iptablesRemoveUdpInput;
> iptablesRemoveUdpOutput;
> +iptablesSetupPrivateChains;
>
>
> # util/viriscsi.h
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index f379844d28..4a7ea54b38 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -51,6 +51,87 @@ enum {
> };
>
>
> +
> +typedef struct {
> + virFirewallLayer layer;
> + const char *table;
> + const char *parent;
> + const char *child;
> +} iptablesChain;
> +
> +static int
> +iptablesCheckPrivateChain(virFirewallPtr fw,
> + const char *const *lines,
> + void *opaque)
> +{
> + iptablesChain *data = opaque;
> + bool found = false;
> +
> + while (lines && *lines && !found) {
> + if (STRPREFIX(*lines, data->child))
> + found = true;
> + lines++;
> + }
> +
> + if (!found)
> + virFirewallAddRule(fw, data->layer,
> + "--table", data->table,
> + "--insert", data->parent,
> + "--jump", data->child, NULL);
> +
> + return 0;
> +}
> +
> +
> +int
> +iptablesSetupPrivateChains(void)
> +{
> + virFirewallPtr fw;
> + int ret = -1;
> + iptablesChain chains[] = {
> + {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT",
"INP_libvirt"},
> + {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT",
"OUT_libvirt"},
> + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_out"},
> + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_in"},
> + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD",
"FWD_libvirt_cross"},
> + {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING",
"PRT_libvirt"},
You also need this entry (for the rule that fixes the UDP checksum of
dhcp packets):
+ {VIR_FIREWALL_LAYER_IPV4, "mangle", "POSTROUTING",
"PRT_libvirt"},
(that is, unless we think it's okay to do away with that rule. It was originally added
because of some strange combination of virtio+vhost+[old OS, e.g. RHEL5] getting dhcp
requests with incorrect checksums on the host. See
https://bugzilla.redhat.com/show_bug.cgi?id=612588 for more info (although it's
difficult since the Bug description is marked as Private :-( )
7:52 a.m.
New subject: [libvirt] [PATCH 3/7] util: prepare iptables for putting rules into private chains
Currently all rules are created directly in the INPUT, FORWARD,
OUTPUT and POSTROUTING chains. This change prepares for putting
the rules into private changes, but does not actually do the
switch yet.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------
1 file changed, 108 insertions(+), 44 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 4a7ea54b38..b4a4bf9a12 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -50,6 +50,12 @@ enum {
REMOVE
};
+enum {
+ VIR_IPTABLES_CHAIN_BUILTIN,
+ VIR_IPTABLES_CHAIN_PRIVATE,
+
+ VIR_IPTABLES_CHAIN_LAST,
+};
typedef struct {
@@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void)
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int port,
int action,
int tcp)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "INPUT",
+ "INP_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"INPUT",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw,
static void
iptablesOutput(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int port,
int action,
int tcp)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "OUTPUT",
+ "OUT_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"OUTPUT",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
}
/**
@@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
}
/**
@@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
}
/**
@@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- return iptablesInput(fw, layer, iface, port, REMOVE, 0);
+ return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
}
/**
@@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
}
/**
@@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
}
@@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
*/
static int
iptablesForwardAllowOut(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw,
VIR_AUTOFREE(char *) networkstr = NULL;
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_out",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
}
@@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
*/
static int
iptablesForwardAllowRelatedIn(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw,
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, ADD);
}
/**
@@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE);
}
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_cross",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_out",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete",
"FORWARD",
+ action == ADD ? "--insert" : "delete",
chainName[chain],
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
@@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
*/
static int
iptablesForwardMasquerade(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw,
VIR_AUTOFREE(char *) portRangeStr = NULL;
VIR_AUTOFREE(char *) natRangeStr = NULL;
virFirewallRulePtr rule;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ action == ADD ? "--insert" :
"--delete", chainName[chain],
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
} else {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ action == ADD ? "--insert" :
"--delete", chainName[chain],
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, ADD);
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, ADD);
}
/**
@@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, REMOVE);
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE);
}
@@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
*/
static int
iptablesForwardDontMasquerade(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
int action)
{
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
else
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- ADD);
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
+ physdev, destaddr, ADD);
}
/**
@@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- REMOVE);
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
+ physdev, destaddr, REMOVE);
}
static void
iptablesOutputFixUdpChecksum(virFirewallPtr fw,
+ int chain,
const char *iface,
int port,
int action)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
@@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
}
/**
@@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
}
--
2.19.1
9:17 a.m.
New subject: [libvirt] [PATCH 3/7] util: prepare iptables for putting rules into private chains
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Currently all rules are created directly in the INPUT, FORWARD,
OUTPUT and POSTROUTING chains. This change prepares for putting
the rules into private changes, but does not actually do the
switch yet.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Reviewed-by: Laine Stump <laine(a)laine.org>
---
src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------
1 file changed, 108 insertions(+), 44 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 4a7ea54b38..b4a4bf9a12 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -50,6 +50,12 @@ enum {
REMOVE
};
+enum {
+ VIR_IPTABLES_CHAIN_BUILTIN,
+ VIR_IPTABLES_CHAIN_PRIVATE,
+
+ VIR_IPTABLES_CHAIN_LAST,
+};
typedef struct {
@@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void)
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int port,
int action,
int tcp)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "INPUT",
+ "INP_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"INPUT",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw,
static void
iptablesOutput(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int port,
int action,
int tcp)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "OUTPUT",
+ "OUT_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"OUTPUT",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
@@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
}
/**
@@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
}
/**
@@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
}
/**
@@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- return iptablesInput(fw, layer, iface, port, REMOVE, 0);
+ return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE,
0);
}
/**
@@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
}
/**
@@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
}
@@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
*/
static int
iptablesForwardAllowOut(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw,
VIR_AUTOFREE(char *) networkstr = NULL;
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_out",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
@@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
@@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
}
@@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
*/
static int
iptablesForwardAllowRelatedIn(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
@@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix, iface, physdev, ADD);
}
/**
@@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
@@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw,
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
@@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
}
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_cross",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
@@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_out",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete",
"FORWARD",
+ action == ADD ? "--insert" : "delete",
chainName[chain],
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
+ int chain,
const char *iface,
int action)
{
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "FORWARD",
+ "FWD_libvirt_in",
+ };
+
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete",
"FORWARD",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", iface,
"--jump", "REJECT",
NULL);
@@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
}
/**
@@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
}
@@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
*/
static int
iptablesForwardMasquerade(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw,
VIR_AUTOFREE(char *) portRangeStr = NULL;
VIR_AUTOFREE(char *) natRangeStr = NULL;
virFirewallRulePtr rule;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ action == ADD ? "--insert" :
"--delete", chainName[chain],
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
@@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
} else {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ action == ADD ? "--insert" :
"--delete", chainName[chain],
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
@@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, ADD);
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, ADD);
}
/**
@@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, REMOVE);
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE);
}
@@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
*/
static int
iptablesForwardDontMasquerade(virFirewallPtr fw,
+ int chain,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
@@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
int action)
{
VIR_AUTOFREE(char *) networkstr = NULL;
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
if (physdev && physdev[0])
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
@@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
else
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
@@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- ADD);
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
+ physdev, destaddr, ADD);
}
/**
@@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- REMOVE);
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
+ physdev, destaddr, REMOVE);
}
static void
iptablesOutputFixUdpChecksum(virFirewallPtr fw,
+ int chain,
const char *iface,
int port,
int action)
{
char portstr[32];
+ static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
+ "POSTROUTING",
+ "PRT_libvirt",
+ };
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
@@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
}
/**
@@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
}
7:52 a.m.
New subject: [libvirt] [PATCH 4/7] network: setup default iptables chains
Register the default chains that will be used to hold firewall
rules at network startup.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/bridge_driver_linux.c | 3 +
.../nat-default-linux.args | 72 +++++++++++++++++++
.../nat-ipv6-linux.args | 72 +++++++++++++++++++
.../nat-many-ips-linux.args | 72 +++++++++++++++++++
.../nat-no-dhcp-linux.args | 72 +++++++++++++++++++
.../nat-tftp-linux.args | 72 +++++++++++++++++++
.../route-default-linux.args | 72 +++++++++++++++++++
7 files changed, 435 insertions(+)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index fb09954b8f..6992653b4a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
virFirewallPtr fw = NULL;
int ret = -1;
+ if (iptablesSetupPrivateChains() < 0)
+ return -1;
+
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index ffdafdff0e..9928da715b 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index 22285afa10..440896de18 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index aff9f69664..d80a9551d4 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index 2a9d79054e..e00c543487 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index 1a06f0d0a5..e0cfdcecf5 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 65563ff8b4..5b8209af19 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--
2.19.1
9:20 a.m.
New subject: [libvirt] [PATCH 4/7] network: setup default iptables chains
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Register the default chains that will be used to hold firewall
rules at network startup.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/bridge_driver_linux.c | 3 +
.../nat-default-linux.args | 72 +++++++++++++++++++
.../nat-ipv6-linux.args | 72 +++++++++++++++++++
.../nat-many-ips-linux.args | 72 +++++++++++++++++++
.../nat-no-dhcp-linux.args | 72 +++++++++++++++++++
.../nat-tftp-linux.args | 72 +++++++++++++++++++
.../route-default-linux.args | 72 +++++++++++++++++++
7 files changed, 435 insertions(+)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index fb09954b8f..6992653b4a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
virFirewallPtr fw = NULL;
int ret = -1;
+ if (iptablesSetupPrivateChains() < 0)
+ return -1;
+
So I'm not sure whether to fix the "the chains are re-added
unnecessarily" problem by moving this call to somewhere else, or by
making ipstablesSetupPrivateChains() more intelligent. Probably the
latter. That's going to make the test results a bit hinky though, since
only the first network will include the iptables calls to add the new
chains.
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index ffdafdff0e..9928da715b 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index 22285afa10..440896de18 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index aff9f69664..d80a9551d4 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index 2a9d79054e..e00c543487 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index 1a06f0d0a5..e0cfdcecf5 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 65563ff8b4..5b8209af19 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -1,5 +1,77 @@
iptables \
--table filter \
+--new-chain INP_libvirt
+iptables \
+--table filter \
+--new-chain OUT_libvirt
+iptables \
+--table filter \
+--new-chain FWD_libvirt_out
+iptables \
+--table filter \
+--new-chain FWD_libvirt_in
+iptables \
+--table filter \
+--new-chain FWD_libvirt_cross
+iptables \
+--table nat \
+--new-chain PRT_libvirt
+ip6tables \
+--table filter \
+--new-chain INP_libvirt
+ip6tables \
+--table filter \
+--new-chain OUT_libvirt
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_out
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_in
+ip6tables \
+--table filter \
+--new-chain FWD_libvirt_cross
+ip6tables \
+--table nat \
+--new-chain PRT_libvirt
+iptables \
+--table filter \
+--list INPUT
+iptables \
+--table filter \
+--list OUTPUT
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table filter \
+--list FORWARD
+iptables \
+--table nat \
+--list POSTROUTING
+ip6tables \
+--table filter \
+--list INPUT
+ip6tables \
+--table filter \
+--list OUTPUT
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table filter \
+--list FORWARD
+ip6tables \
+--table nat \
+--list POSTROUTING
+iptables \
+--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
7:52 a.m.
New subject: [libvirt] [PATCH 5/7] util: switch over to creating rules in private chains
All rules are now created in the libvirt private firewall chains. The
code for deleting rules will try to delete from both the original
builtin chains and the new private chains in order to cleanup properly
during upgrades.
This finally fixes a very old bug (from 2008!) related to traffic
between guests on distinct virtual networks. The intention is that
networks never allow incoming connections, but the old ordering of rules
meant that we would mistakenly allow accept traffic from whichever
network was most recently created.
With everything going into the FORWARD chain there was interleaving of
rules for outbound traffic and inbound traffic for each network:
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0
ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
So the rule allowing outbound traffic from virbr2 would mistakenly
allow packets from virbr2 to virbr0, before the rule denying input
to virbr0 gets a chance to run
With the split up forwarding chains, all incoming deny rules are checked
before any of the outgoing allow rules, as rules are grouped into three
distinct sets
Cross rules
ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Incoming rules
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate
RELATED,ESTABLISHED
REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
Outgoing rules
ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0
REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/viriptables.c | 71 +++++++++++++------
.../nat-default-linux.args | 32 ++++-----
.../nat-ipv6-linux.args | 48 ++++++-------
.../nat-many-ips-linux.args | 60 ++++++++--------
.../nat-no-dhcp-linux.args | 46 ++++++------
.../nat-tftp-linux.args | 34 ++++-----
.../route-default-linux.args | 22 +++---
7 files changed, 171 insertions(+), 142 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index b4a4bf9a12..ad029e6465 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -209,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 1);
}
/**
@@ -228,6 +228,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
int port)
{
iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 1);
}
/**
@@ -245,7 +246,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
}
/**
@@ -263,7 +264,8 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
}
/**
@@ -281,7 +283,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
}
/**
@@ -300,6 +302,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
int port)
{
iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
}
@@ -398,7 +401,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -421,7 +424,11 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -493,7 +500,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -516,7 +523,11 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
/* Allow all traffic destined to the bridge, with a valid network address
@@ -581,7 +592,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, ADD);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface,
physdev, ADD);
}
/**
@@ -604,7 +615,11 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE);
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
static void
@@ -644,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -664,6 +679,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
const char *iface)
{
iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
static void
@@ -680,7 +696,7 @@ iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete",
chainName[chain],
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -701,7 +717,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -720,6 +736,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
const char *iface)
{
iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
@@ -758,7 +775,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -777,6 +794,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
const char *iface)
{
iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
@@ -914,7 +932,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
physdev, addr, port, protocol, ADD);
}
@@ -940,8 +958,13 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
- physdev, addr, port, protocol, REMOVE);
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -1016,7 +1039,7 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr,
prefix,
physdev, destaddr, ADD);
}
@@ -1041,8 +1064,13 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
- physdev, destaddr, REMOVE);
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -1088,7 +1116,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD);
}
/**
@@ -1106,4 +1134,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
int port)
{
iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE);
}
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index 9928da715b..69995181ad 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -72,64 +72,64 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -137,13 +137,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -151,7 +151,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -159,19 +159,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index 440896de18..f93d8face2 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -72,101 +72,101 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -174,13 +174,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -188,7 +188,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -196,31 +196,31 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index d80a9551d4..faae4b881c 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -72,64 +72,64 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -137,13 +137,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -151,7 +151,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -159,25 +159,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -185,13 +185,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
@@ -199,7 +199,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
@@ -207,25 +207,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.150.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.150.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -233,13 +233,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
-p udp '!' \
--destination 192.168.150.0/24 \
@@ -247,7 +247,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
-p tcp '!' \
--destination 192.168.150.0/24 \
@@ -255,19 +255,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index e00c543487..cb0d908506 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -72,101 +72,101 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -174,13 +174,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -188,7 +188,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -196,25 +196,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index e0cfdcecf5..1243bd1c2d 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -72,71 +72,71 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 69 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -144,13 +144,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -158,7 +158,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -166,19 +166,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 5b8209af19..624e589aae 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -72,70 +72,70 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--
2.19.1
10:14 a.m.
New subject: [libvirt] [PATCH 5/7] util: switch over to creating rules in private chains
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
All rules are now created in the libvirt private firewall chains.
The
code for deleting rules will try to delete from both the original
builtin chains and the new private chains in order to cleanup properly
during upgrades.
This finally fixes a very old bug (from 2008!) related to traffic
between guests on distinct virtual networks. The intention is that
networks never allow incoming connections, but the old ordering of rules
meant that we would mistakenly allow accept traffic from whichever
network was most recently created.
Yay!! I've verified that traffic is blocked in both directions between
nat and isolated networks, but otherwise allowed.
The only issue I have with this is that, due to not keeping track of
what rules we've added in the past, when we restart and want to refresh
all the rules, we have to attempt deletion of both "the rules we would
add currently for the active networks" as well as "the rules we would
have added in the past (before these changes went in)". That makes for a
slight startup time penalty (and maintenance headache) now, but in the
future it will only get worse - any time we change the exact rules used
for a particular network setup, we'll have to remember what rules we
*used to* add for that type of network, and continue deleting (or
attempting to delete) those rules, in addition to all previous
incarnations of the rules *and* the new incarnation. This will end up
becoming very unwieldy.
I think instead we need to save in the network status a list of the
exact iptables (or firewalld or nftables or whatever it is in the
future) rules we have added, and always delete the exact rules that we
previously added each time we do a refresh. The sooner we do this, the
fewer headaches we'll have.
Aside from that:
Reviewed-by: Laine Stump <laine(a)laine.org>
Tested-by: Laine Stump <laine(a)laine.org>
With everything going into the FORWARD chain there was interleaving
of
rules for outbound traffic and inbound traffic for each network:
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0
ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
So the rule allowing outbound traffic from virbr2 would mistakenly
allow packets from virbr2 to virbr0, before the rule denying input
to virbr0 gets a chance to run
With the split up forwarding chains, all incoming deny rules are checked
before any of the outgoing allow rules, as rules are grouped into three
distinct sets
Cross rules
ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Incoming rules
ACCEPT all -- * virbr2 0.0.0.0/0 192.168.123.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate
RELATED,ESTABLISHED
REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Outgoing rules
ACCEPT all -- virbr2 * 192.168.123.0/24 0.0.0.0/0
REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/viriptables.c | 71 +++++++++++++------
.../nat-default-linux.args | 32 ++++-----
.../nat-ipv6-linux.args | 48 ++++++-------
.../nat-many-ips-linux.args | 60 ++++++++--------
.../nat-no-dhcp-linux.args | 46 ++++++------
.../nat-tftp-linux.args | 34 ++++-----
.../route-default-linux.args | 22 +++---
7 files changed, 171 insertions(+), 142 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index b4a4bf9a12..ad029e6465 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -209,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 1);
}
/**
@@ -228,6 +228,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
int port)
{
iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 1);
}
/**
@@ -245,7 +246,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
}
/**
@@ -263,7 +264,8 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
const char *iface,
int port)
{
- return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE,
0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
}
/**
@@ -281,7 +283,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD, 0);
}
/**
@@ -300,6 +302,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
int port)
{
iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE, 0);
}
@@ -398,7 +401,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -421,7 +424,11 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -493,7 +500,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr,
prefix, iface, physdev, ADD);
}
/**
@@ -516,7 +523,11 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix, iface, physdev, REMOVE);
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
/* Allow all traffic destined to the bridge, with a valid network address
@@ -581,7 +592,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
iface, physdev, ADD);
}
/**
@@ -604,7 +615,11 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
iface, physdev, REMOVE);
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix, iface,
physdev, REMOVE) < 0)
+ return -1;
+ return 0;
}
static void
@@ -644,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -664,6 +679,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
const char *iface)
{
iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
static void
@@ -680,7 +696,7 @@ iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete",
chainName[chain],
+ action == ADD ? "--insert" : "--delete",
chainName[chain],
"--in-interface", iface,
"--jump", "REJECT",
NULL);
@@ -701,7 +717,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -720,6 +736,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
const char *iface)
{
iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
@@ -758,7 +775,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, ADD);
}
/**
@@ -777,6 +794,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
const char *iface)
{
iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, REMOVE);
}
@@ -914,7 +932,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
physdev, addr, port, protocol, ADD);
}
@@ -940,8 +958,13 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
- physdev, addr, port, protocol, REMOVE);
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -1016,7 +1039,7 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
+ return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr,
prefix,
physdev, destaddr, ADD);
}
@@ -1041,8 +1064,13 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,
prefix,
- physdev, destaddr, REMOVE);
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, prefix,
+ physdev, destaddr, REMOVE) < 0)
+ return -1;
+ return 0;
}
@@ -1088,7 +1116,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD);
}
/**
@@ -1106,4 +1134,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
int port)
{
iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMOVE);
}
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index 9928da715b..69995181ad 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -72,64 +72,64 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -137,13 +137,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -151,7 +151,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -159,19 +159,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index 440896de18..f93d8face2 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -72,101 +72,101 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -174,13 +174,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -188,7 +188,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -196,31 +196,31 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index d80a9551d4..faae4b881c 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -72,64 +72,64 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -137,13 +137,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -151,7 +151,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -159,25 +159,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -185,13 +185,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
@@ -199,7 +199,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
@@ -207,25 +207,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.150.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.150.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -233,13 +233,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
-p udp '!' \
--destination 192.168.150.0/24 \
@@ -247,7 +247,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
-p tcp '!' \
--destination 192.168.150.0/24 \
@@ -255,19 +255,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.150.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index e00c543487..cb0d908506 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -72,101 +72,101 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -174,13 +174,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -188,7 +188,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -196,25 +196,25 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index e0cfdcecf5..1243bd1c2d 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -72,71 +72,71 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 69 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
@@ -144,13 +144,13 @@ iptables \
--jump ACCEPT
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
@@ -158,7 +158,7 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
@@ -166,19 +166,19 @@ iptables \
--to-ports 1024-65535
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
---insert POSTROUTING \
+--insert PRT_libvirt \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 5b8209af19..624e589aae 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -72,70 +72,70 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
--table filter \
---insert OUTPUT \
+--insert OUT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert INPUT \
+--insert INP_libvirt \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_cross \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_out \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
---insert FORWARD \
+--insert FWD_libvirt_in \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
---insert POSTROUTING \
+--insert PRT_libvirt \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
7:52 a.m.
New subject: [libvirt] [PATCH 6/7] tests: remove duplicated test case in networkxml2firewalltest
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tests/networkxml2firewalltest.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 242b645767..505ff0c740 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -154,7 +154,6 @@ mymain(void)
DO_TEST("nat-no-dhcp");
DO_TEST("nat-ipv6");
DO_TEST("route-default");
- DO_TEST("route-default");
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
--
2.19.1
10:14 a.m.
New subject: [libvirt] [PATCH 6/7] tests: remove duplicated test case in networkxml2firewalltest
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Reviewed-by: Laine Stump <laine(a)laine.org>
---
tests/networkxml2firewalltest.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 242b645767..505ff0c740 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -154,7 +154,6 @@ mymain(void)
DO_TEST("nat-no-dhcp");
DO_TEST("nat-ipv6");
DO_TEST("route-default");
- DO_TEST("route-default");
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
7:52 a.m.
New subject: [libvirt] [PATCH 7/7] tests: fix dry run handling in network firewall test
The networkxml2firewalltest sets virCommand to dry run mode but doesn't
provide a callback to fill in stdout/stderr. As a result when the
firewall code queries rules it gets a NULL output and so never triggers
the callback to process output.
We only need to return an empty string to make the firewall code work
and thus trigger adding of the libvirt private chains to the builtin
chains.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
.../nat-default-linux.args | 48 +++++++++++++++++++
.../nat-ipv6-linux.args | 48 +++++++++++++++++++
.../nat-many-ips-linux.args | 48 +++++++++++++++++++
.../nat-no-dhcp-linux.args | 48 +++++++++++++++++++
.../nat-tftp-linux.args | 48 +++++++++++++++++++
.../route-default-linux.args | 48 +++++++++++++++++++
tests/networkxml2firewalltest.c | 16 ++++++-
7 files changed, 303 insertions(+), 1 deletion(-)
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index 69995181ad..e7d71817c7 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index f93d8face2..620ebb8d14 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index faae4b881c..7c378b8c7e 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index cb0d908506..afa8c3a0ca 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index 1243bd1c2d..a45ba545c2 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 624e589aae..859a342e7d 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 505ff0c740..5e3d8906c5 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -44,6 +44,20 @@ static const char *abs_top_srcdir;
# error "test case not ported to this platform"
# endif
+static void
+testCommandDryRun(const char *const*args ATTRIBUTE_UNUSED,
+ const char *const*env ATTRIBUTE_UNUSED,
+ const char *input ATTRIBUTE_UNUSED,
+ char **output,
+ char **error,
+ int *status,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ *status = 0;
+ ignore_value(VIR_STRDUP_QUIET(*output, ""));
+ ignore_value(VIR_STRDUP_QUIET(*error, ""));
+}
+
static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline)
{
@@ -53,7 +67,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
virNetworkDefPtr def = NULL;
int ret = -1;
- virCommandSetDryRun(&buf, NULL, NULL);
+ virCommandSetDryRun(&buf, testCommandDryRun, NULL);
if (!(def = virNetworkDefParseFile(xml)))
goto cleanup;
--
2.19.1
10:18 a.m.
New subject: [libvirt] [PATCH 7/7] tests: fix dry run handling in network firewall test
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
The networkxml2firewalltest sets virCommand to dry run mode but
doesn't
provide a callback to fill in stdout/stderr. As a result when the
firewall code queries rules it gets a NULL output and so never triggers
the callback to process output.
We only need to return an empty string to make the firewall code work
and thus trigger adding of the libvirt private chains to the builtin
chains.
Well, technically it's only adding the jump to the private chains, not
the chains themselves (although I mentioned earlier that I think this
should change).
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Reviewed-by: Laine Stump <laine(a)laine.org>
but shouldn't this just be squashed in with the patch that originally
changed the code to add the chains?
---
.../nat-default-linux.args | 48 +++++++++++++++++++
.../nat-ipv6-linux.args | 48 +++++++++++++++++++
.../nat-many-ips-linux.args | 48 +++++++++++++++++++
.../nat-no-dhcp-linux.args | 48 +++++++++++++++++++
.../nat-tftp-linux.args | 48 +++++++++++++++++++
.../route-default-linux.args | 48 +++++++++++++++++++
tests/networkxml2firewalltest.c | 16 ++++++-
7 files changed, 303 insertions(+), 1 deletion(-)
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
index 69995181ad..e7d71817c7 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index f93d8face2..620ebb8d14 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index faae4b881c..7c378b8c7e 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index cb0d908506..afa8c3a0ca 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
index 1243bd1c2d..a45ba545c2 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
index 624e589aae..859a342e7d 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -72,6 +72,54 @@ ip6tables \
--list POSTROUTING
iptables \
--table filter \
+--insert INPUT \
+--jump INP_libvirt
+iptables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+iptables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+iptables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+ip6tables \
+--table filter \
+--insert INPUT \
+--jump INP_libvirt
+ip6tables \
+--table filter \
+--insert OUTPUT \
+--jump OUT_libvirt
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_out
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_in
+ip6tables \
+--table filter \
+--insert FORWARD \
+--jump FWD_libvirt_cross
+ip6tables \
+--table nat \
+--insert POSTROUTING \
+--jump PRT_libvirt
+iptables \
+--table filter \
--insert INP_libvirt \
--in-interface virbr0 \
--protocol tcp \
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 505ff0c740..5e3d8906c5 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -44,6 +44,20 @@ static const char *abs_top_srcdir;
# error "test case not ported to this platform"
# endif
+static void
+testCommandDryRun(const char *const*args ATTRIBUTE_UNUSED,
+ const char *const*env ATTRIBUTE_UNUSED,
+ const char *input ATTRIBUTE_UNUSED,
+ char **output,
+ char **error,
+ int *status,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ *status = 0;
+ ignore_value(VIR_STRDUP_QUIET(*output, ""));
+ ignore_value(VIR_STRDUP_QUIET(*error, ""));
+}
+
static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline)
{
@@ -53,7 +67,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
virNetworkDefPtr def = NULL;
int ret = -1;
- virCommandSetDryRun(&buf, NULL, NULL);
+ virCommandSetDryRun(&buf, testCommandDryRun, NULL);
if (!(def = virNetworkDefParseFile(xml)))
goto cleanup;
2180
days inactive
2212
days old
15 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Laine Stump