This patch adds filtering support for the so-far missing protocols 'ah', 'esp' and 'udplite'.
Signed-off-by: Stefan Berger
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -85,6 +85,9 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V
 "icmp",
 "igmp",
 "udp",
+ "udplite",
+ "esp",
+ "ah",
 "sctp",
 "all");
@@ -586,6 +589,17 @@ static const struct int_map ipProtoMap[]
 } , {
 .attr = IPPROTO_UDP,
 .val = "udp",
+#ifdef IPPROTO_UDPLITE
+ } , {
+ .attr = IPPROTO_UDPLITE,
+ .val = "udplite",
+#endif
+ } , {
+ .attr = IPPROTO_ESP,
+ .val = "esp",
+ } , {
+ .attr = IPPROTO_AH,
+ .val = "ah",
 } , {
 .attr = IPPROTO_ICMP,
 .val = "icmp",
@@ -950,6 +964,26 @@ static const virXMLAttr2Struct udpAttrib
 }
 };
+static const virXMLAttr2Struct udpliteAttributes[] = {
+ COMMON_IP_PROPS(udpliteHdrFilter),
+ {
+ .name = NULL,
+ }
+};
+
+static const virXMLAttr2Struct espAttributes[] = {
+ COMMON_IP_PROPS(espHdrFilter),
+ {
+ .name = NULL,
+ }
+};
+
+static const virXMLAttr2Struct ahAttributes[] = {
+ COMMON_IP_PROPS(ahHdrFilter),
+ {
+ .name = NULL,
+ }
+};
 static const virXMLAttr2Struct sctpAttributes[] = {
 COMMON_IP_PROPS(sctpHdrFilter),
@@ -1028,6 +1062,18 @@ static const virAttributes virAttr[] = {
 .att = udpAttributes,
 .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDP,
 }, {
+ .id = "udplite",
+ .att = udpliteAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+ }, {
+ .id = "esp",
+ .att = espAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_ESP,
+ }, {
+ .id = "ah",
+ .att = ahAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_AH,
+ }, {
 .id = "sctp",
 .att = sctpAttributes,
 .prtclType = VIR_NWFILTER_RULE_PROTOCOL_SCTP,
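Review bot: The `#ifdef IPPROTO_UDPLITE` around the new ipProtoMap entry ties acceptance of "udplite" in that table (presumably the name-to-number lookup used for the ip/ipv6 `protocol` attribute) to the build host's headers, while the "udplite" string added to VIR_ENUM_IMPL in the first hunk, the udpliteAttributes table and the `-p udplite` emitted by the ebiptables driver are all unconditional. On a host whose headers predate UDP-Lite the result is a build that accepts a `<udplite>` element but rejects the same protocol by name, an inconsistency that is hard to diagnose from the parse error alone. A fallback to the IANA-assigned protocol number above the table, `#ifndef IPPROTO_UDPLITE` / `# define IPPROTO_UDPLITE 136` / `#endif`, keeps the two paths in step and lets the conditional inside the initializer go; if the guard is kept instead, a comment on the entry should say which platforms lack the definition.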
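Review bot: udpliteAttributes carries only COMMON_IP_PROPS, whereas the fixup hunk's use of `rule->p.udpHdrFilter.portData.dataSrcPortStart` shows that udp rules also match on ports; UDP-Lite has the same source/destination port fields as UDP, so a `<udplite>` rule cannot be narrowed by port and is necessarily broader than the corresponding `<udp>` rule. If the iptables/ip6tables match for `-p udplite` accepts `--sport`/`--dport` on the targeted versions (worth verifying before relying on it), adding `COMMON_PORT_PROPS(udpliteHdrFilter),` here together with a `portDataDef portData;` member in the new header struct and the matching port handling in the driver would give parity with udp. Otherwise the limitation belongs in the element's documentation so that users do not assume port-level filtering.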
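Review bot: The `udplite`, `esp` and `ah` entries added to virAttr make three new XML element names parseable, but the patch carries no corresponding change to the nwfilter RNG schema or the format documentation; if those are maintained in this tree and not covered by a companion patch, anything that validates nwfilter XML against the schema will reject the new elements, and users have no statement of which attributes they accept (here only the common IP properties, with no port or SPI matching). A short paragraph per element in the docs listing the accepted attributes, plus the matching schema entries, would close that gap.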
@@ -1496,6 +1542,39 @@ virNWFilterRuleDefFixup(virNWFilterRuleD
 rule->p.udpHdrFilter.portData.dataSrcPortStart);
 break;
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.udpliteHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.udpliteHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.udpliteHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.udpliteHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.espHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.espHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.espHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.espHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.ahHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.ahHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.ahHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.ahHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
 case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
 COPY_NEG_SIGN(rule->p.sctpHdrFilter.ipHdr.dataSrcIPMask,
 rule->p.sctpHdrFilter.ipHdr.dataSrcIPAddr);
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
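Review bot: The three new cases in virNWFilterRuleDefFixup are copies of each other and of the surrounding udp/sctp bodies, differing only in the union member name, and the same triplication recurs in the new udplite/esp/ah cases of _iptablesCreateRuleInstance in the driver hunk; a mistake in one of the four COPY_NEG_SIGN pairs would now have to be found and fixed in at least six places. Since each of the new header structs embeds the same ipHdrDataDef, a small macro taking the rule and the member name, placed next to the definition of COPY_NEG_SIGN (outside this hunk), reduces every such case to a single line and keeps the four pairs in one reviewable spot; the driver cases could likewise share a static helper taking the `-p` name and the two `&rule->p.<x>HdrFilter` pointers. virNWFilterRuleDefFixup's body begins and ends outside the hunk.
```c
/* Mirror COPY_NEG_SIGN over the four ipHdr address/range pairs of the
 * named header-filter member of rule->p.  Lives next to COPY_NEG_SIGN. */
#define COPY_NEG_SIGN_IPHDR(rule, hdrFilter)                            \
    do {                                                                \
        COPY_NEG_SIGN((rule)->p.hdrFilter.ipHdr.dataSrcIPMask,          \
                      (rule)->p.hdrFilter.ipHdr.dataSrcIPAddr);         \
        COPY_NEG_SIGN((rule)->p.hdrFilter.ipHdr.dataDstIPMask,          \
                      (rule)->p.hdrFilter.ipHdr.dataDstIPAddr);         \
        COPY_NEG_SIGN((rule)->p.hdrFilter.ipHdr.dataSrcIPTo,            \
                      (rule)->p.hdrFilter.ipHdr.dataSrcIPFrom);         \
        COPY_NEG_SIGN((rule)->p.hdrFilter.ipHdr.dataDstIPTo,            \
                      (rule)->p.hdrFilter.ipHdr.dataDstIPFrom);         \
    } while (0)

    case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
        COPY_NEG_SIGN_IPHDR(rule, udpliteHdrFilter);
        break;

    case VIR_NWFILTER_RULE_PROTOCOL_ESP:
        COPY_NEG_SIGN_IPHDR(rule, espHdrFilter);
        break;

    case VIR_NWFILTER_RULE_PROTOCOL_AH:
        COPY_NEG_SIGN_IPHDR(rule, ahHdrFilter);
        break;
    /* … unchanged: SCTP case and the rest of the switch … */
```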
@@ -241,6 +241,30 @@ struct _sctpHdrFilterDef {
 };
+typedef struct _espHdrFilterDef espHdrFilterDef;
+typedef espHdrFilterDef *espHdrFilterDefPtr;
+struct _espHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _ahHdrFilterDef ahHdrFilterDef;
+typedef ahHdrFilterDef *ahHdrFilterDefPtr;
+struct _ahHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _udpliteHdrFilterDef udpliteHdrFilterDef;
+typedef udpliteHdrFilterDef *udpliteHdrFilterDefPtr;
+struct _udpliteHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
 enum virNWFilterRuleActionType {
 VIR_NWFILTER_RULE_ACTION_DROP = 0,
 VIR_NWFILTER_RULE_ACTION_ACCEPT,
@@ -273,6 +297,9 @@ enum virNWFilterRuleProtocolType {
 VIR_NWFILTER_RULE_PROTOCOL_ICMP,
 VIR_NWFILTER_RULE_PROTOCOL_IGMP,
 VIR_NWFILTER_RULE_PROTOCOL_UDP,
+ VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+ VIR_NWFILTER_RULE_PROTOCOL_ESP,
+ VIR_NWFILTER_RULE_PROTOCOL_AH,
 VIR_NWFILTER_RULE_PROTOCOL_SCTP,
 VIR_NWFILTER_RULE_PROTOCOL_ALL,
@@ -306,6 +333,9 @@ struct _virNWFilterRuleDef {
 tcpHdrFilterDef tcpHdrFilter;
 icmpHdrFilterDef icmpHdrFilter;
 udpHdrFilterDef udpHdrFilter;
+ udpliteHdrFilterDef udpliteHdrFilter;
+ espHdrFilterDef espHdrFilter;
+ ahHdrFilterDef ahHdrFilter;
 allHdrFilterDef allHdrFilter;
 igmpHdrFilterDef igmpHdrFilter;
 sctpHdrFilterDef sctpHdrFilter;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1089,6 +1089,75 @@ _iptablesCreateRuleInstance(virConnectPt
 goto err_exit;
 break;
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p udplite");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.udpliteHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.udpliteHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p esp");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.espHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.espHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p ah");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.ahHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.ahHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
 case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
 virBufferVSprintf(&buf,
 CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
@@ -1836,6 +1905,9 @@ ebiptablesCreateRuleInstance(virConnectP
 case VIR_NWFILTER_RULE_PROTOCOL_TCP:
 case VIR_NWFILTER_RULE_PROTOCOL_UDP:
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
 case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
 case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
 case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
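Review bot: The new esp and ah cases in _iptablesCreateRuleInstance emit a bare `-p esp` / `-p ah` followed only by the source-MAC and IP-header matches, so an accept rule for either protocol admits every IPsec packet between the matched addresses regardless of SPI; iptables offers `-m esp --espspi` and `-m ah --ahspi` (ip6tables has the ah match as well) for per-association filtering. Since the new header structs have no SPI field this is evidently a deliberate scope limit for now, but it should be stated in the documentation of the `<esp>` and `<ah>` elements so that administrators do not assume per-SA granularity, and a one-line comment above the esp case, `/* no SPI match: rules apply to every ESP/AH SA between the addresses */`, would record it for the next reader of this switch. The function's body begins and ends outside the hunk.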