From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Thu, 1 Nov 2018 12:52:34 +0000
Message-Id: <20181101125237.20723-5-berrange@redhat.com>
In-Reply-To: <20181101125237.20723-1-berrange@redhat.com>
References: <20181101125237.20723-1-berrange@redhat.com>
Cc: Laine Stump
Subject: [libvirt] [PATCH 4/7] network: setup default iptables chains

Register the default chains that will be used to hold firewall rules at network startup.

Signed-off-by: Daniel P. Berrangé
---
 src/network/bridge_driver_linux.c | 3 +
 .../nat-default-linux.args | 72 +++++++++++++++++++
 .../nat-ipv6-linux.args | 72 +++++++++++++++++++
 .../nat-many-ips-linux.args | 72 +++++++++++++++++++
 .../nat-no-dhcp-linux.args | 72 +++++++++++++++++++
 .../nat-tftp-linux.args | 72 +++++++++++++++++++
 .../route-default-linux.args | 72 +++++++++++++++++++
 7 files changed, 435 insertions(+)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index fb09954b8f..6992653b4a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 + if (iptablesSetupPrivateChains() < 0) + return -1; + fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, 0);
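Review bot: the new call at the top of networkAddFirewallRules() runs on every network start, so iptablesSetupPrivateChains() has to be idempotent: `iptables --new-chain` exits non-zero with "Chain already exists" once the chain is present, and the expected test args in this series show a plain `--new-chain` for each chain on each start. Either the create step in the helper should tolerate that error, or the setup should move to driver initialisation so it runs once per daemon; the commit message should say which. It is also worth confirming that the helper reports its own error, since the early `return -1;` added here reports none.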
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index ffdafdff0e..9928da715b 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index 22285afa10..440896de18 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index aff9f69664..d80a9551d4 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index 2a9d79054e..e00c543487 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index 1a06f0d0a5..e0cfdcecf5 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index 65563ff8b4..5b8209af19 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -1,5 +1,77 @@ iptables \ --table filter \ +--new-chain INP_libvirt +iptables \ +--table filter \ +--new-chain OUT_libvirt +iptables \ +--table filter \ +--new-chain FWD_libvirt_out +iptables \ +--table filter \ +--new-chain FWD_libvirt_in +iptables \ +--table filter \ +--new-chain FWD_libvirt_cross +iptables \ +--table nat \ +--new-chain PRT_libvirt +ip6tables \ +--table filter \ +--new-chain INP_libvirt +ip6tables \ +--table filter \ +--new-chain OUT_libvirt +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_out +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_in +ip6tables \ +--table filter \ +--new-chain FWD_libvirt_cross +ip6tables \ +--table nat \ +--new-chain PRT_libvirt +iptables \ +--table filter \ +--list INPUT +iptables \ +--table filter \ +--list OUTPUT +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table filter \ +--list FORWARD +iptables \ +--table nat \ +--list POSTROUTING +ip6tables \ +--table filter \ +--list INPUT +ip6tables \ +--table filter \ +--list OUTPUT +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table filter \ +--list FORWARD +ip6tables \ +--table nat \ +--list POSTROUTING +iptables \ +--table filter \ --insert INPUT \ --in-interface virbr0 \ --protocol tcp \ --=20 2.19.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
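Review bot: in all six identical test-data hunks the expected sequence creates INP_libvirt, OUT_libvirt, FWD_libvirt_out, FWD_libvirt_in, FWD_libvirt_cross and PRT_libvirt and then lists INPUT, OUTPUT, FORWARD and POSTROUTING, but no rule jumping from those built-in chains into the new chains appears, so as far as this expected output shows the new chains receive no traffic. If the jump insertion is decided from the `--list` output, which the test harness presumably does not return, that should be stated in the commit message or in a comment in the test data. Minor: FORWARD is listed three times in a row (one listing per FWD_libvirt_* chain, presumably); a single `--list FORWARD` is enough to check for all three jump rules. The same 72-line block repeated verbatim in six files also suggests the chain setup is better covered by one dedicated test case than by every nat-*/route-* case.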