From nobody Fri Apr 26 04:18:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1541077061621826.8317867177044; Thu, 1 Nov 2018 05:57:41 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B35973084217; Thu, 1 Nov 2018 12:57:38 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3C4825D9CD; Thu, 1 Nov 2018 12:57:38 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 6BD4E18005B5; Thu, 1 Nov 2018 12:57:37 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id wA1Cqjl9002046 for ; Thu, 1 Nov 2018 08:52:45 -0400 Received: by smtp.corp.redhat.com (Postfix) id 08D2D5C88D; Thu, 1 Nov 2018 12:52:45 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id B5BC15C207; Thu, 1 Nov 2018 12:52:43 +0000 (UTC) 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Thu, 1 Nov 2018 12:52:31 +0000 Message-Id: <20181101125237.20723-2-berrange@redhat.com> In-Reply-To: <20181101125237.20723-1-berrange@redhat.com> References: <20181101125237.20723-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Laine Stump Subject: [libvirt] [PATCH 1/7] util: refactor iptables APIs to share more code X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Thu, 01 Nov 2018 12:57:40 +0000 (UTC) Most of the iptables APIs share code for the add/delete paths, but a couple were separated. Merge the remaining APIs to facilitate future changes. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/util/viriptables.c | 73 ++++++++++++++++++++++++------------------ 1 file changed, 42 insertions(+), 31 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 5dbea8cf57..f379844d28 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); } =20 +static void +iptablesForwardAllowCross(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) +{ + virFirewallAddRule(fw, layer, + "--table", "filter", + action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); +} + /** * iptablesAddForwardAllowCross: * @ctx: pointer to the IP table context @@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + iptablesForwardAllowCross(fw, layer, iface, ADD); } =20 /** @@ -535,13 +544,21 @@ void iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, REMOVE); +} + +static void +iptablesForwardRejectOut(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) { virFirewallAddRule(fw, layer, "--table", "filter", - "--delete", "FORWARD", + action =3D=3D ADD ? "--insert" : "delete", "FORWARD= ", "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", + "--jump", "REJECT", NULL); } =20 @@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--in-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectOut(fw, layer, iface, ADD); } =20 /** 
@@ -582,16 +594,25 @@ void iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, REMOVE); +} + + +static void +iptablesForwardRejectIn(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) { virFirewallAddRule(fw, layer, "--table", "filter", - "--delete", "FORWARD", - "--in-interface", iface, + action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + "--out-interface", iface, "--jump", "REJECT", NULL); } =20 - /** * iptablesAddForwardRejectIn: * @ctx: pointer to the IP table context @@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--out-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectIn(fw, layer, iface, ADD); } =20 /** 
@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--delete", "FORWARD", - "--out-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectIn(fw, layer, iface, REMOVE); } =20 =20 --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
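Review bot: in the @@ -535,13 +544,21 @@ hunk the new iptablesForwardRejectOut helper selects "delete" rather than "--delete" for the REMOVE path: action == ADD ? "--insert" : "delete", "FORWARD". The body it replaces in iptablesRemoveForwardRejectOut used "--delete", so this is not a pure refactor: iptables does not accept "delete FORWARD" as a command, the removal fails, and the REJECT rule for --in-interface is left behind in FORWARD after the network is torn down. It should read action == ADD ? "--insert" : "--delete", "FORWARD", exactly as the AllowCross and RejectIn helpers in this same patch do.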
From: Daniel P. Berrangé To: libvir-list@redhat.com Date: Thu, 1 Nov 2018 12:52:32 +0000 Message-Id: <20181101125237.20723-3-berrange@redhat.com> In-Reply-To: <20181101125237.20723-1-berrange@redhat.com> References: <20181101125237.20723-1-berrange@redhat.com> Cc: Laine Stump Subject: [libvirt] [PATCH 2/7] util: add iptables API for creating base chains
Historically rules were added straight into the base chains. This works but it is inflexible for admins adding extra rules via hook scripts, and it is not clear which rules are libvirt created. There is a further complexity with the FORWARD chain where a specific ordering of rules is needed to ensure traffic is matched correctly. This would require complex interleaving of rules instead of plain appending. By splitting the FORWARD chain into three chains management will be simpler. Thus we create
INPUT -> INP_libvirt
OUTPUT -> OUT_libvirt
FORWARD -> FWD_libvirt_cross
FORWARD -> FWD_libvirt_in
FORWARD -> FWD_libvirt_out
POSTROUTING -> PRT_libvirt
Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 1 + src/util/viriptables.c | 81 ++++++++++++++++++++++++++++++++++++++++ src/util/viriptables.h | 2 + 3 files changed, 84 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 335210c31d..e42c946de6 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2062,6 +2062,7 @@ iptablesRemoveOutputFixUdpChecksum; iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; +iptablesSetupPrivateChains; =20 =20 # util/viriscsi.h diff --git a/src/util/viriptables.c b/src/util/viriptables.c index f379844d28..4a7ea54b38 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -51,6 +51,87 @@ enum { }; =20 =20 + +typedef struct { + virFirewallLayer layer; + const char *table; + const char *parent; + const char *child; +} iptablesChain; + +static int +iptablesCheckPrivateChain(virFirewallPtr fw, + const char *const *lines, + void *opaque) +{ + iptablesChain *data =3D opaque; + bool found =3D false; + + while (lines && *lines && !found) { + if (STRPREFIX(*lines, data->child)) + found =3D true; + lines++; + } + + if (!found) + virFirewallAddRule(fw, data->layer, + "--table", data->table, + "--insert", data->parent, + "--jump", data->child, NULL); + + return 0; +} + + +int +iptablesSetupPrivateChains(void) +{ + virFirewallPtr fw; + int ret =3D -1; + iptablesChain chains[] =3D { + {VIR_FIREWALL_LAYER_IPV4, "filter", "INPUT", "INP_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "OUTPUT", "OUT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_out"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_in"}, + {VIR_FIREWALL_LAYER_IPV4, "filter", "FORWARD", "FWD_libvirt_cross"= }, + {VIR_FIREWALL_LAYER_IPV4, "nat", "POSTROUTING", "PRT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "INPUT", "INP_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "OUTPUT", "OUT_libvirt"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_out"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_in"}, + {VIR_FIREWALL_LAYER_IPV6, "filter", "FORWARD", "FWD_libvirt_cross"= }, + {VIR_FIREWALL_LAYER_IPV6, "nat", "POSTROUTING", "PRT_libvirt"}, + }; + size_t i; + + fw =3D virFirewallNew(); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + + for (i =3D 0; i < ARRAY_CARDINALITY(chains); i++) { + virFirewallAddRule(fw, chains[i].layer, + "--table", chains[i].table, + "--new-chain", chains[i].child, NULL); + } + + virFirewallStartTransaction(fw, 0); + + for (i =3D 0; i < ARRAY_CARDINALITY(chains); i++) { + virFirewallAddRuleFull(fw, chains[i].layer, + false, iptablesCheckPrivateChain, + 
&chains[i], + "--table", chains[i].table, + "--list", chains[i].parent, NULL); + } + + if (virFirewallApply(fw) < 0) + goto cleanup; + + ret =3D 0; + cleanup: + return ret; +} + static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 9ea25fc096..1db97937a1 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -27,6 +27,8 @@ # include "virsocketaddr.h" # include "virfirewall.h" =20 +int iptablesSetupPrivateChains (void); + void iptablesAddTcpInput (virFirewallPtr fw, virFirewallLayer layer, const char *iface, --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
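Review bot: iptablesSetupPrivateChains in the @@ -51,6 +51,87 @@ hunk of viriptables.c never frees the virFirewall it allocates: fw = virFirewallNew(); is followed by cleanup: return ret; with no virFirewallFree(fw), so every call leaks the whole rule set. Add virFirewallFree(fw); under cleanup:. Three more points on the same hunk. First, iptablesCheckPrivateChain only tests STRPREFIX(*lines, data->child) against the "--list" output, so any existing target whose name merely starts with the libvirt chain name (say an admin chain "INP_libvirt2") satisfies the check and the libvirt jump is silently not inserted; match the whole target token (chain name followed by whitespace) instead. Second, the FORWARD ordering promised in the commit message (cross, then in, then out) only comes out right when all three jumps are absent, because each missing one is "--insert"ed at position 1 in array order (out, in, cross); if only one of them is missing on a later run, it lands at the top regardless, and the "in"/"out" rules can then shadow "cross". Either record the intended position or, when any of the three is missing, delete and re-insert all three. Third, the "--new-chain" transaction ignores errors but the "--list" transaction does not, so on a host whose ip6tables has no nat table the IPv6 POSTROUTING query fails and virFirewallApply() returns -1, which can leave the IPv4 jumps uninstalled as well; is that intended, or should the IPv6 nat entries be tolerant of a missing table?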
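Review bot: the new declaration in the @@ -27,6 +27,8 @@ hunk of viriptables.h has no documentation, and neither does the definition: nothing states that iptablesSetupPrivateChains() must run once, and succeed, before any rule is placed in the *_libvirt chains, that it is safe to re-run against an existing ruleset, or what a -1 return means to the caller (chains possibly created but jumps not inserted, given the two transactions use different error policies). A short "/** ... */" block in the style used above iptablesAddForwardAllowCross would cover that.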
Received: from localhost.localdomain.com (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6EDDE5C88D; Thu, 1 Nov 2018 12:52:47 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Thu, 1 Nov 2018 12:52:33 +0000 Message-Id: <20181101125237.20723-4-berrange@redhat.com> In-Reply-To: <20181101125237.20723-1-berrange@redhat.com> References: <20181101125237.20723-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Laine Stump Subject: [libvirt] [PATCH 3/7] util: prepare iptables for putting rules into private chains X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Thu, 01 Nov 2018 12:57:58 +0000 (UTC) Currently all rules are created directly in the INPUT, FORWARD, OUTPUT and POSTROUTING chains. This change prepares for putting the rules into private changes, but does not actually do the switch yet. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------ 1 file changed, 108 insertions(+), 44 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 4a7ea54b38..b4a4bf9a12 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -50,6 +50,12 @@ enum { REMOVE }; =20 +enum { + VIR_IPTABLES_CHAIN_BUILTIN, + VIR_IPTABLES_CHAIN_PRIVATE, + + VIR_IPTABLES_CHAIN_LAST, +}; =20 =20 typedef struct { 
@@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void) static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "INPUT", + "INP_libvirt", + }; =20 snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] =3D '\0'; =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "INPUT= ", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw, static void iptablesOutput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "OUTPUT", + "OUT_libvirt", + }; =20 snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] =3D '\0'; =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "OUTPU= T", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD,= 1); } =20 /** @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMO= VE, 1); } =20 /** 
@@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD,= 0); } =20 /** @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, iface, port, REMOVE, 0); + return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, por= t, REMOVE, 0); } =20 /** @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD= , 0); } =20 /** @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REM= OVE, 0); } =20 =20 @@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netad= dr, */ static int iptablesForwardAllowOut(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw, VIR_AUTOFREE(char *) networkstr =3D NULL; virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_out", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, 
@@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, AD= D); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr= , prefix, iface, physdev, ADD); } =20 /** @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, RE= MOVE); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr= , prefix, iface, physdev, REMOVE); } =20 =20 @@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, */ static int iptablesForwardAllowRelatedIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr =3D NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_in", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, 
@@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, ADD); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, iface, physdev, ADD); } =20 /** @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, iface, physdev, REMOVE); } =20 /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw, virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr =3D NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_in", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, 
@@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD= ); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,= prefix, iface, physdev, ADD); } =20 /** @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,= prefix, iface, physdev, REMOVE); } =20 static void iptablesForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_cross", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface= , ADD); } =20 /** 
@@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface= , REMOVE); } =20 static void iptablesForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_out", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "delete", "FORWARD= ", + action =3D=3D ADD ? "--insert" : "delete", chainNam= e[chain], "--in-interface", iface, "--jump", "REJECT", NULL); @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface,= ADD); } =20 /** @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface,= REMOVE); } =20 =20 static void iptablesForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_in", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--out-interface", iface, "--jump", "REJECT", NULL); @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, = ADD); } =20 /** 
@@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, = REMOVE); } =20 =20 @@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, */ static int iptablesForwardMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw, VIR_AUTOFREE(char *) portRangeStr =3D NULL; VIR_AUTOFREE(char *) natRangeStr =3D NULL; virFirewallRulePtr rule; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "POSTROUTING", + "PRT_libvirt", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, if (protocol && protocol[0]) { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", chainName[chain], "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, } else { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", chainName[chain], "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, ADD); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netad= dr, prefix, + physdev, addr, port, protocol, ADD); } =20 /** 
@@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, REMOVE); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netad= dr, prefix, + physdev, addr, port, protocol, REMOVE= ); } =20 =20 @@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, */ static int iptablesForwardDontMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, int action) { VIR_AUTOFREE(char *) networkstr =3D NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "POSTROUTING", + "PRT_libvirt", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, else virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - ADD); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, + physdev, destaddr, ADD); } =20 /** 
@@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - REMOVE); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, + physdev, destaddr, REMOVE); } =20 =20 static void iptablesOutputFixUdpChecksum(virFirewallPtr fw, + int chain, const char *iface, int port, int action) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "POSTROUTING", + "PRT_libvirt", + }; =20 snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] =3D '\0'; =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D ADD ? "--insert" : "--delete", "POSTR= OUTING", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, po= rt, ADD); } =20 /** 
@@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, po= rt, REMOVE); } --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 04:18:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1541078010667499.60041673295757; Thu, 1 Nov 2018 06:13:30 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E8C3EC028328; Thu, 1 Nov 2018 13:13:26 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5C95F5D9D6; Thu, 1 Nov 2018 13:13:26 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id C243818005B4; Thu, 1 Nov 2018 13:13:24 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id wA1CqsrE002086 for ; Thu, 1 Nov 2018 08:52:54 -0400 Received: by smtp.corp.redhat.com (Postfix) id 
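Review bot: the `static const char *chainName[VIR_IPTABLES_CHAIN_LAST]` table is pasted verbatim into iptablesForwardMasquerade, iptablesForwardDontMasquerade and iptablesOutputFixUdpChecksum in the hunks above, each indexed by an unchecked `int chain`; one file-scope table (or a small helper mapping the chain enum to its name for a given builtin chain) would keep the copies from drifting as more chains are added, and declaring the parameter with the enum type instead of `int` lets the compiler flag a bad index. The three wrappers here also only ever pass VIR_IPTABLES_CHAIN_BUILTIN, so the "PRT_libvirt" entries are dead until a later patch flips them; a one-line comment saying so would help whoever bisects this series.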
7F21E5C88D; Thu, 1 Nov 2018 12:52:54 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id A78A45C207; Thu, 1 Nov 2018 12:52:52 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Thu, 1 Nov 2018 12:52:34 +0000 Message-Id: <20181101125237.20723-5-berrange@redhat.com> In-Reply-To: <20181101125237.20723-1-berrange@redhat.com> References: <20181101125237.20723-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Laine Stump Subject: [libvirt] [PATCH 4/7] network: setup default iptables chains X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 01 Nov 2018 13:13:29 +0000 (UTC) Register the default chains that will be used to hold firewall rules at network startup. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/network/bridge_driver_linux.c | 3 + .../nat-default-linux.args | 72 +++++++++++++++++++ .../nat-ipv6-linux.args | 72 +++++++++++++++++++ .../nat-many-ips-linux.args | 72 +++++++++++++++++++ .../nat-no-dhcp-linux.args | 72 +++++++++++++++++++ .../nat-tftp-linux.args | 72 +++++++++++++++++++ .../route-default-linux.args | 72 +++++++++++++++++++ 7 files changed, 435 insertions(+) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index fb09954b8f..6992653b4a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 + if (iptablesSetupPrivateChains() < 0) + return -1; + fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, 0); diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index ffdafdff0e..9928da715b 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ 
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index 22285afa10..440896de18 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args @@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index aff9f69664..d80a9551d4 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index 2a9d79054e..e00c543487 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index 1a06f0d0a5..e0cfdcecf5 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index 65563ff8b4..5b8209af19 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 04:18:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com 
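Review bot: iptablesSetupPrivateChains() is now called from networkAddFirewallRules(), i.e. once per network start, and every expected-args file shows a `--new-chain` for all twelve chains on each call; iptables rejects `--new-chain` for a chain that already exists, so the second network to start fails unless those rules are queued with the ignore-errors flag or the chain is probed first, and that should be stated in the bridge_driver_linux.c hunk or in the setup helper. The same data shows `--list` of INPUT, OUTPUT, FORWARD (three times) and POSTROUTING but no `--insert <builtin> --jump <private>` rule hooking the private chains into the builtin ones; without that jump the private chains are never evaluated, so if it is only emitted when the `--list` output lacks it, the test expectations ought to show the jump for the mock's empty listing, or explain why they do not.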
(mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1541077108478129.24203343118688; Thu, 1 Nov 2018 05:58:28 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 137675F787; Thu, 1 Nov 2018 12:58:26 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id AF8C5614FE; Thu, 1 Nov 2018 12:58:25 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 346A1180BAD3; Thu, 1 Nov 2018 12:58:25 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id wA1CquLT002096 for ; Thu, 1 Nov 2018 08:52:56 -0400 Received: by smtp.corp.redhat.com (Postfix) id DD1085C207; Thu, 1 Nov 2018 12:52:56 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id 23B305C88D; Thu, 1 Nov 2018 12:52:54 +0000 (UTC) 
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Thu, 1 Nov 2018 12:52:35 +0000
Message-Id: <20181101125237.20723-6-berrange@redhat.com>
In-Reply-To: <20181101125237.20723-1-berrange@redhat.com>
References: <20181101125237.20723-1-berrange@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-loop: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt] [PATCH 5/7] util: switch over to creating rules in private chains
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Thu, 01 Nov 2018 12:58:27 +0000 (UTC)

All rules are now created in the libvirt private firewall chains. The code for deleting rules will try to delete from both the original builtin chains and the new private chains in order to clean up properly during upgrades.

This finally fixes a very old bug (from 2008!) related to traffic between guests on distinct virtual networks. The intention is that networks never allow incoming connections, but the old ordering of rules meant that we would mistakenly accept traffic from whichever network was most recently created.
With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network:

    ACCEPT  all  --  *       virbr2  0.0.0.0/0         192.168.123.0/24  ctstate RELATED,ESTABLISHED
    ACCEPT  all  --  virbr2  *       192.168.123.0/24  0.0.0.0/0
    ACCEPT  all  --  virbr2  virbr2  0.0.0.0/0         0.0.0.0/0
    REJECT  all  --  *       virbr2  0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
    REJECT  all  --  virbr2  *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
    ACCEPT  all  --  *       virbr0  0.0.0.0/0         192.168.122.0/24  ctstate RELATED,ESTABLISHED
    ACCEPT  all  --  virbr0  *       192.168.122.0/24  0.0.0.0/0
    ACCEPT  all  --  virbr0  virbr0  0.0.0.0/0         0.0.0.0/0
    REJECT  all  --  *       virbr0  0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
    REJECT  all  --  virbr0  *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable

So the rule allowing outbound traffic from virbr2 would mistakenly allow packets from virbr2 to virbr0, before the rule denying input to virbr0 gets a chance to run.

With the split up forwarding chains, all incoming deny rules are checked before any of the outgoing allow rules, as rules are grouped into three distinct sets:

Cross rules

    ACCEPT  all  --  virbr2  virbr2  0.0.0.0/0         0.0.0.0/0
    ACCEPT  all  --  virbr0  virbr0  0.0.0.0/0         0.0.0.0/0

Incoming rules

    ACCEPT  all  --  *       virbr2  0.0.0.0/0         192.168.123.0/24  ctstate RELATED,ESTABLISHED
    ACCEPT  all  --  *       virbr0  0.0.0.0/0         192.168.122.0/24  ctstate RELATED,ESTABLISHED
    REJECT  all  --  *       virbr2  0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
    REJECT  all  --  *       virbr0  0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable

Outgoing rules

    ACCEPT  all  --  virbr2  *       192.168.123.0/24  0.0.0.0/0
    REJECT  all  --  virbr2  *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
    ACCEPT  all  --  virbr0  *       192.168.122.0/24  0.0.0.0/0
    REJECT  all  --  virbr0  *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
Signed-off-by: Daniel P. Berrang=C3=A9 --- src/util/viriptables.c | 71 +++++++++++++------ .../nat-default-linux.args | 32 ++++----- .../nat-ipv6-linux.args | 48 ++++++------- .../nat-many-ips-linux.args | 60 ++++++++-------- .../nat-no-dhcp-linux.args | 46 ++++++------ .../nat-tftp-linux.args | 34 ++++----- .../route-default-linux.args | 22 +++--- 7 files changed, 171 insertions(+), 142 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index b4a4bf9a12..ad029e6465 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -209,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD,= 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD,= 1); } =20 /** @@ -228,6 +228,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, int port) { iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMO= VE, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMO= VE, 1); } =20 /** @@ -245,7 +246,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD,= 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD,= 0); } =20 /** @@ -263,7 +264,8 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, por= t, REMOVE, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMO= VE, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REMO= VE, 0); } =20 /** @@ -281,7 +283,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD= , 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, ADD= , 0); } =20 /** 
@@ -300,6 +302,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, int port) { iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REM= OVE, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, port, REM= OVE, 0); } =20 =20 @@ -398,7 +401,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr= , prefix, iface, physdev, ADD); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr= , prefix, iface, physdev, ADD); } =20 /** @@ -421,7 +424,11 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr= , prefix, iface, physdev, REMOVE); + if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, p= refix, iface, physdev, REMOVE) < 0) + return -1; + if (iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, p= refix, iface, physdev, REMOVE) < 0) + return -1; + return 0; } =20 =20 @@ -493,7 +500,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, n= etaddr, prefix, iface, physdev, ADD); } =20 /** @@ -516,7 +523,11 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, iface, physdev, REMOVE); + if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, neta= ddr, prefix, iface, physdev, REMOVE) < 0) + return -1; + if (iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, neta= ddr, prefix, iface, physdev, REMOVE) < 0) + return -1; + return 0; } =20 /* Allow all traffic destined to the bridge, with a valid network address 
@@ -581,7 +592,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,= prefix, iface, physdev, ADD); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr,= prefix, iface, physdev, ADD); } =20 /** @@ -604,7 +615,11 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,= prefix, iface, physdev, REMOVE); + if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, pr= efix, iface, physdev, REMOVE) < 0) + return -1; + if (iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr, pr= efix, iface, physdev, REMOVE) < 0) + return -1; + return 0; } =20 static void @@ -644,7 +659,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface= , ADD); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface= , ADD); } =20 /** @@ -664,6 +679,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, const char *iface) { iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface= , REMOVE); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface= , REMOVE); } =20 static void @@ -680,7 +696,7 @@ iptablesForwardRejectOut(virFirewallPtr fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "delete", chainNam= e[chain], + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--in-interface", iface, "--jump", "REJECT", NULL); @@ -701,7 +717,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface,= ADD); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface,= ADD); } =20 /** 
@@ -720,6 +736,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, const char *iface) { iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface,= REMOVE); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface,= REMOVE); } =20 =20 @@ -758,7 +775,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, = ADD); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, = ADD); } =20 /** @@ -777,6 +794,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, const char *iface) { iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, = REMOVE); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_PRIVATE, iface, = REMOVE); } =20 =20 @@ -914,7 +932,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netad= dr, prefix, + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netad= dr, prefix, physdev, addr, port, protocol, ADD); } =20 @@ -940,8 +958,13 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netad= dr, prefix, - physdev, addr, port, protocol, REMOVE= ); + if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,= prefix, + physdev, addr, port, protocol, REMOVE) <= 0) + return -1; + if (iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, netaddr,= prefix, + physdev, addr, port, protocol, REMOVE) <= 0) + return -1; + return 0; } =20 =20 
@@ -1016,7 +1039,7 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, n= etaddr, prefix, physdev, destaddr, ADD); } =20 @@ -1041,8 +1064,13 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, - physdev, destaddr, REMOVE); + if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, neta= ddr, prefix, + physdev, destaddr, REMOVE) < 0) + return -1; + if (iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_PRIVATE, neta= ddr, prefix, + physdev, destaddr, REMOVE) < 0) + return -1; + return 0; } =20 =20 @@ -1088,7 +1116,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, po= rt, ADD); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, po= rt, ADD); } =20 /** @@ -1106,4 +1134,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, int port) { iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, po= rt, REMOVE); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_PRIVATE, iface, po= rt, REMOVE); } diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index 9928da715b..69995181ad 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
@@ -72,64 +72,64 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -137,13 +137,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -151,7 +151,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -159,19 +159,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index 440896de18..f93d8face2 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -72,101 +72,101 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT 
iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -174,13 +174,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -188,7 +188,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -196,31 +196,31 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index d80a9551d4..faae4b881c 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -72,64 +72,64 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -137,13 +137,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -151,7 +151,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -159,25 +159,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.128.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.128.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -185,13 +185,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ -p udp '!' \ --destination 192.168.128.0/24 \ @@ -199,7 +199,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ -p tcp '!' \ --destination 192.168.128.0/24 \ 
@@ -207,25 +207,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.128.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.150.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.150.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -233,13 +233,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 '!' \ --destination 192.168.150.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ -p udp '!' \ --destination 192.168.150.0/24 \ @@ -247,7 +247,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ -p tcp '!' \ --destination 192.168.150.0/24 \ @@ -255,19 +255,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.150.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index e00c543487..cb0d908506 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -72,101 +72,101 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT 
iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -174,13 +174,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -188,7 +188,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -196,25 +196,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index e0cfdcecf5..1243bd1c2d 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -72,71 +72,71 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 69 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -144,13 +144,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -158,7 +158,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -166,19 +166,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index 5b8209af19..624e589aae 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -72,70 +72,70 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert OUT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert INP_libvirt \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_cross \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_out \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert FWD_libvirt_in \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert PRT_libvirt \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 04:18:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; 
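Review bot: every rule in these .args expectations is now inserted into INP_libvirt, OUT_libvirt, FWD_libvirt_out/in/cross or PRT_libvirt, but nothing in the updated expected output creates those chains: there is no `--new-chain` anywhere in the six files, and the only chain-related context line is the pre-existing `ip6tables --list POSTROUTING`. If chain creation is deliberately outside what the dry run records, say so in the commit message; otherwise the expected command sequence is incomplete, since a real iptables would reject the first `--insert INP_libvirt` against a chain that does not yet exist.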
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Date: Thu, 1 Nov 2018 12:52:36 +0000
Message-Id: <20181101125237.20723-7-berrange@redhat.com>
In-Reply-To: <20181101125237.20723-1-berrange@redhat.com>
Subject: [libvirt] [PATCH 6/7] tests: remove duplicated test case in networkxml2firewalltest

Signed-off-by: Daniel P. Berrangé
---
 tests/networkxml2firewalltest.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 242b645767..505ff0c740 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -154,7 +154,6 @@ mymain(void) DO_TEST("nat-no-dhcp"); DO_TEST("nat-ipv6"); DO_TEST("route-default"); - DO_TEST("route-default"); =20 cleanup: return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 04:18:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1541078034820286.8445425990901; Thu, 1 Nov 2018 06:13:54 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3F0AF81F0B; Thu, 1 Nov 2018 13:13:52 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 97098600CC; Thu, 1 Nov 2018 13:13:51 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id DB70618005B4; Thu, 1 Nov 2018 13:13:50 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id wA1Cr3GS002121 for ; Thu, 1 Nov 2018 08:53:03 -0400 Received: by smtp.corp.redhat.com (Postfix) id BF46D5F701; Thu, 1 Nov 2018 12:53:03 +0000 (UTC) Received: from 
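Review bot: this patch carries no commit message body, only the Signed-off-by line; a single sentence noting that the second DO_TEST("route-default") in mymain() is an accidental repeat of the line directly above it, not a dropped test case, would save anyone bisecting later from having to work that out from the diff. The hunk itself is fine.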
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Date: Thu, 1 Nov 2018 12:52:37 +0000
Message-Id: <20181101125237.20723-8-berrange@redhat.com>
In-Reply-To: <20181101125237.20723-1-berrange@redhat.com>
Subject: [libvirt] [PATCH 7/7] tests: fix dry run handling in network firewall test

The networkxml2firewalltest sets virCommand to dry run mode but doesn't provide a callback to fill in stdout/stderr. As a result, when the firewall code queries rules it gets a NULL output and so never triggers the callback to process output.

We only need to return an empty string to make the firewall code work and thus trigger adding of the libvirt private chains to the builtin chains.
Signed-off-by: Daniel P. Berrang=C3=A9 --- .../nat-default-linux.args | 48 +++++++++++++++++++ .../nat-ipv6-linux.args | 48 +++++++++++++++++++ .../nat-many-ips-linux.args | 48 +++++++++++++++++++ .../nat-no-dhcp-linux.args | 48 +++++++++++++++++++ .../nat-tftp-linux.args | 48 +++++++++++++++++++ .../route-default-linux.args | 48 +++++++++++++++++++ tests/networkxml2firewalltest.c | 16 ++++++- 7 files changed, 303 insertions(+), 1 deletion(-) diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index 69995181ad..e7d71817c7 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index f93d8face2..620ebb8d14 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index faae4b881c..7c378b8c7e 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index cb0d908506..afa8c3a0ca 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index 1243bd1c2d..a45ba545c2 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index 624e589aae..859a342e7d 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -72,6 +72,54 @@ ip6tables \ --list POSTROUTING iptables \ --table filter \ +--insert INPUT \ +--jump INP_libvirt +iptables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +iptables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +ip6tables \ +--table filter \ +--insert INPUT \ +--jump INP_libvirt +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump OUT_libvirt +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_out +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_in +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump FWD_libvirt_cross +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump PRT_libvirt +iptables \ +--table filter \ --insert INP_libvirt \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 505ff0c740..5e3d8906c5 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -44,6 +44,20 @@ static const char *abs_top_srcdir; # error "test case not ported to this platform" # endif =20 +static void +testCommandDryRun(const char *const*args ATTRIBUTE_UNUSED, + const char *const*env ATTRIBUTE_UNUSED, + const char *input ATTRIBUTE_UNUSED, + char **output, + char **error, + int *status, + void *opaque ATTRIBUTE_UNUSED) +{ + *status =3D 0; + ignore_value(VIR_STRDUP_QUIET(*output, "")); + ignore_value(VIR_STRDUP_QUIET(*error, "")); +} + static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline) { 
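Review bot: testCommandDryRun in the networkxml2firewalltest.c hunk sets `*status = 0` first and then discards the return value of both VIR_STRDUP_QUIET calls, so on allocation failure *output stays NULL while the command is reported as successful, which is exactly the silent path this patch is meant to remove. Propagate the failure instead, e.g. `if (VIR_STRDUP_QUIET(*output, "") < 0 || VIR_STRDUP_QUIET(*error, "") < 0) { *status = -1; return; }` and only then set `*status = 0`. A short comment above the function explaining why an empty string rather than NULL is required would also help, since at present only the commit message says so.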
@@ -53,7 +67,7 @@ static int testCompareXMLToArgvFiles(const char *xml, virNetworkDefPtr def =3D NULL; int ret =3D -1; =20 - virCommandSetDryRun(&buf, NULL, NULL); + virCommandSetDryRun(&buf, testCommandDryRun, NULL); =20 if (!(def =3D virNetworkDefParseFile(xml))) goto cleanup; --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
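Review bot: the 48 lines added to each .args file hook the private chains into the filter and nat tables only, yet the same files (nat-default, nat-ipv6, nat-many-ips, nat-tftp and route-default) still expect `iptables --table mangle --insert PRT_libvirt` for the udp port 68 rule, and no `iptables --table mangle --insert POSTROUTING --jump PRT_libvirt` appears anywhere in the new expectations. Either the firewall code never links the mangle-table PRT_libvirt chain, in which case that rule is unreachable at runtime, or the expected output is incomplete; the two halves of each file currently disagree and one of them needs fixing before this goes in.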