From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Thu, 1 Nov 2018 12:52:33 +0000 Message-Id: <20181101125237.20723-4-berrange@redhat.com> In-Reply-To: <20181101125237.20723-1-berrange@redhat.com> References: <20181101125237.20723-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Laine Stump Subject: [libvirt] [PATCH 3/7] util: prepare iptables for putting rules into private chains X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Thu, 01 Nov 2018 12:57:58 +0000 (UTC) Currently all rules are created directly in the INPUT, FORWARD, OUTPUT and POSTROUTING chains. This change prepares for putting the rules into private changes, but does not actually do the switch yet. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------ 1 file changed, 108 insertions(+), 44 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 4a7ea54b38..b4a4bf9a12 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -50,6 +50,12 @@ enum { REMOVE }; =20 +enum { + VIR_IPTABLES_CHAIN_BUILTIN, + VIR_IPTABLES_CHAIN_PRIVATE, + + VIR_IPTABLES_CHAIN_LAST, +}; =20 =20 typedef struct { 
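Review bot: The new anonymous enum is consumed as a raw `int` index into every `static const char *chainName[VIR_IPTABLES_CHAIN_LAST]` table in this file with no range check, so a caller passing `VIR_IPTABLES_CHAIN_LAST` or any other stray value reads past the table; the enum should say so. I would put above it `/* Selects where a rule is placed: the kernel builtin chain or the libvirt-private one. Used unchecked as an index into per-function chainName[] tables; _LAST is the table size and never a valid argument. */`. As a style point, naming the enum (`typedef enum { ... } virIptablesChain;`) and using it instead of `int` for the new `chain` parameters would also let the compiler catch a caller that slots an unrelated integer into that position, since `action`, `port` and `tcp` are plain ints in the same signatures.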
@@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void) static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "INPUT", + "INP_libvirt", + }; =20 snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] =3D '\0'; =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "INPUT= ", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw, static void iptablesOutput(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int port, int action, int tcp) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "OUTPUT", + "OUT_libvirt", + }; =20 snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] =3D '\0'; =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "OUTPU= T", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD,= 1); } =20 /** @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMO= VE, 1); } =20 /** 
@@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD,= 0); } =20 /** @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, iface, port, REMOVE, 0); + return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, por= t, REMOVE, 0); } =20 /** @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD= , 0); } =20 /** @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REM= OVE, 0); } =20 =20 @@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netad= dr, */ static int iptablesForwardAllowOut(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw, VIR_AUTOFREE(char *) networkstr =3D NULL; virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_out", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, 
@@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, AD= D); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr= , prefix, iface, physdev, ADD); } =20 /** @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, RE= MOVE); + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr= , prefix, iface, physdev, REMOVE); } =20 =20 @@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, */ static int iptablesForwardAllowRelatedIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr =3D NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_in", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, 
@@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, ADD); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, iface, physdev, ADD); } =20 /** @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, iface, physdev, REMOVE); } =20 /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw, virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_AUTOFREE(char *) networkstr =3D NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_in", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, 
@@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD= ); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,= prefix, iface, physdev, ADD); } =20 /** @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr,= prefix, iface, physdev, REMOVE); } =20 static void iptablesForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_cross", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface= , ADD); } =20 /** 
@@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface= , REMOVE); } =20 static void iptablesForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_out", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "delete", "FORWARD= ", + action =3D=3D ADD ? "--insert" : "delete", chainNam= e[chain], "--in-interface", iface, "--jump", "REJECT", NULL); @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface,= ADD); } =20 /** @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface,= REMOVE); } =20 =20 static void iptablesForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, + int chain, const char *iface, int action) { + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "FORWARD", + "FWD_libvirt_in", + }; + virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--out-interface", iface, "--jump", "REJECT", NULL); @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, = ADD); } =20 /** 
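Review bot: In iptablesForwardRejectOut the REMOVE path still emits the bare word `"delete"` rather than `"--delete"` (`action == ADD ? "--insert" : "delete", chainName[chain]`), and the commit carries that over unchanged while rewriting the line. iptables does not accept an undashed `delete`, so removing the per-interface REJECT rule should fail outright, and if the caller runs teardown with errors ignored (I cannot see the caller here) the REJECT rule would simply be left behind after the network goes away. The fix is one token, matching the sibling iptablesForwardRejectIn further down: `action == ADD ? "--insert" : "--delete", chainName[chain],`. The closing brace of iptablesForwardRejectOut lies outside this hunk.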
@@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, = REMOVE); } =20 =20 @@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, */ static int iptablesForwardMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw, VIR_AUTOFREE(char *) portRangeStr =3D NULL; VIR_AUTOFREE(char *) natRangeStr =3D NULL; virFirewallRulePtr rule; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "POSTROUTING", + "PRT_libvirt", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, if (protocol && protocol[0]) { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", chainName[chain], "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw, } else { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", chainName[chain], "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, ADD); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netad= dr, prefix, + physdev, addr, port, protocol, ADD); } =20 /** 
@@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, REMOVE); + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netad= dr, prefix, + physdev, addr, port, protocol, REMOVE= ); } =20 =20 @@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, */ static int iptablesForwardDontMasquerade(virFirewallPtr fw, + int chain, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, int action) { VIR_AUTOFREE(char *) networkstr =3D NULL; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "POSTROUTING", + "PRT_libvirt", + }; =20 if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, else virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", ch= ainName[chain], "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - ADD); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, + physdev, destaddr, ADD); } =20 /** 
@@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - REMOVE); + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, n= etaddr, prefix, + physdev, destaddr, REMOVE); } =20 =20 static void iptablesOutputFixUdpChecksum(virFirewallPtr fw, + int chain, const char *iface, int port, int action) { char portstr[32]; + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] =3D { + "POSTROUTING", + "PRT_libvirt", + }; =20 snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] =3D '\0'; =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D ADD ? "--insert" : "--delete", "POSTR= OUTING", + action =3D=3D ADD ? "--insert" : "--delete", chainN= ame[chain], "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, po= rt, ADD); } =20 /** @@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, po= rt, REMOVE); } --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
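Review bot: iptablesOutputFixUdpChecksum maps VIR_IPTABLES_CHAIN_PRIVATE to `"PRT_libvirt"` in the `mangle` table, the same name the masquerade helpers use in the `nat` table; iptables chains are scoped per table, so the private-chain setup (iptablesSetupPrivateChains, outside this hunk) has to create PRT_libvirt in mangle as well as nat or the CHECKSUM rule will be refused once the switch to private chains is made. A comment on the table would keep that from being overlooked: `/* This PRT_libvirt is in the mangle table, distinct from the nat-table chain of the same name used by the masquerade rules; both must be created. */`.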