[libvirt] [PATCH 4/7] network: setup default iptables chains

Laine Stump laine at laine.org
Mon Dec 3 15:20:15 UTC 2018


On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> Register the default chains that will be used to hold firewall
> rules at network startup.
>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  src/network/bridge_driver_linux.c             |  3 +
>  .../nat-default-linux.args                    | 72 +++++++++++++++++++
>  .../nat-ipv6-linux.args                       | 72 +++++++++++++++++++
>  .../nat-many-ips-linux.args                   | 72 +++++++++++++++++++
>  .../nat-no-dhcp-linux.args                    | 72 +++++++++++++++++++
>  .../nat-tftp-linux.args                       | 72 +++++++++++++++++++
>  .../route-default-linux.args                  | 72 +++++++++++++++++++
>  7 files changed, 435 insertions(+)
>
> diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> index fb09954b8f..6992653b4a 100644
> --- a/src/network/bridge_driver_linux.c
> +++ b/src/network/bridge_driver_linux.c
> @@ -640,6 +640,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
>      virFirewallPtr fw = NULL;
>      int ret = -1;
>  
> +    if (iptablesSetupPrivateChains() < 0)
> +        return -1;
> +


So I'm not sure whether to fix the "the chains are re-added
unnecessarily" problem by moving this call to somewhere else, or by
making iptablesSetupPrivateChains() more intelligent. Probably the
latter. That's going to make the test results a bit hinky though, since
only the first network will include the iptables calls to add the new
chains.


>      fw = virFirewallNew();
>  
>      virFirewallStartTransaction(fw, 0);
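Review bot: The added early return is the caller's only failure signal, and the hunk does not show whether iptablesSetupPrivateChains() reports an error before returning < 0; if it does not, a failed chain setup surfaces to the user as a bare -1 with nothing in the daemon log to say which chain or table failed. The call also sits before virFirewallStartTransaction(), so a partial failure (some chains created, one not) is presumably outside the rollback the transaction machinery applies to the rules that follow; worth confirming the callee either cleans up or tolerates pre-existing chains on retry. Since the call precedes virFirewallNew(), there is nothing to release on that path and the direct return is fine. A short comment such as `/* the rules below jump into these chains, so they must exist first; callee reports the error */` would make the contract explicit. networkAddFirewallRules() continues outside the hunk.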
> diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
> index ffdafdff0e..9928da715b 100644
> --- a/tests/networkxml2firewalldata/nat-default-linux.args
> +++ b/tests/networkxml2firewalldata/nat-default-linux.args
> @@ -1,5 +1,77 @@
>  iptables \
>  --table filter \
> +--new-chain INP_libvirt
> +iptables \
> +--table filter \
> +--new-chain OUT_libvirt
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +iptables \
> +--table nat \
> +--new-chain PRT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain INP_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain OUT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +ip6tables \
> +--table nat \
> +--new-chain PRT_libvirt
> +iptables \
> +--table filter \
> +--list INPUT
> +iptables \
> +--table filter \
> +--list OUTPUT
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table nat \
> +--list POSTROUTING
> +ip6tables \
> +--table filter \
> +--list INPUT
> +ip6tables \
> +--table filter \
> +--list OUTPUT
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table nat \
> +--list POSTROUTING
> +iptables \
> +--table filter \
>  --insert INPUT \
>  --in-interface virbr0 \
>  --protocol tcp \
> diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
> index 22285afa10..440896de18 100644
> --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
> +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
> @@ -1,5 +1,77 @@
>  iptables \
>  --table filter \
> +--new-chain INP_libvirt
> +iptables \
> +--table filter \
> +--new-chain OUT_libvirt
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +iptables \
> +--table nat \
> +--new-chain PRT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain INP_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain OUT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +ip6tables \
> +--table nat \
> +--new-chain PRT_libvirt
> +iptables \
> +--table filter \
> +--list INPUT
> +iptables \
> +--table filter \
> +--list OUTPUT
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table nat \
> +--list POSTROUTING
> +ip6tables \
> +--table filter \
> +--list INPUT
> +ip6tables \
> +--table filter \
> +--list OUTPUT
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table nat \
> +--list POSTROUTING
> +iptables \
> +--table filter \
>  --insert INPUT \
>  --in-interface virbr0 \
>  --protocol tcp \
> diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
> index aff9f69664..d80a9551d4 100644
> --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
> +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
> @@ -1,5 +1,77 @@
>  iptables \
>  --table filter \
> +--new-chain INP_libvirt
> +iptables \
> +--table filter \
> +--new-chain OUT_libvirt
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +iptables \
> +--table nat \
> +--new-chain PRT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain INP_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain OUT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +ip6tables \
> +--table nat \
> +--new-chain PRT_libvirt
> +iptables \
> +--table filter \
> +--list INPUT
> +iptables \
> +--table filter \
> +--list OUTPUT
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table nat \
> +--list POSTROUTING
> +ip6tables \
> +--table filter \
> +--list INPUT
> +ip6tables \
> +--table filter \
> +--list OUTPUT
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table nat \
> +--list POSTROUTING
> +iptables \
> +--table filter \
>  --insert INPUT \
>  --in-interface virbr0 \
>  --protocol tcp \
> diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
> index 2a9d79054e..e00c543487 100644
> --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
> +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
> @@ -1,5 +1,77 @@
>  iptables \
>  --table filter \
> +--new-chain INP_libvirt
> +iptables \
> +--table filter \
> +--new-chain OUT_libvirt
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +iptables \
> +--table nat \
> +--new-chain PRT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain INP_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain OUT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +ip6tables \
> +--table nat \
> +--new-chain PRT_libvirt
> +iptables \
> +--table filter \
> +--list INPUT
> +iptables \
> +--table filter \
> +--list OUTPUT
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table nat \
> +--list POSTROUTING
> +ip6tables \
> +--table filter \
> +--list INPUT
> +ip6tables \
> +--table filter \
> +--list OUTPUT
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table nat \
> +--list POSTROUTING
> +iptables \
> +--table filter \
>  --insert INPUT \
>  --in-interface virbr0 \
>  --protocol tcp \
> diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
> index 1a06f0d0a5..e0cfdcecf5 100644
> --- a/tests/networkxml2firewalldata/nat-tftp-linux.args
> +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
> @@ -1,5 +1,77 @@
>  iptables \
>  --table filter \
> +--new-chain INP_libvirt
> +iptables \
> +--table filter \
> +--new-chain OUT_libvirt
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +iptables \
> +--table nat \
> +--new-chain PRT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain INP_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain OUT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +ip6tables \
> +--table nat \
> +--new-chain PRT_libvirt
> +iptables \
> +--table filter \
> +--list INPUT
> +iptables \
> +--table filter \
> +--list OUTPUT
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table nat \
> +--list POSTROUTING
> +ip6tables \
> +--table filter \
> +--list INPUT
> +ip6tables \
> +--table filter \
> +--list OUTPUT
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table nat \
> +--list POSTROUTING
> +iptables \
> +--table filter \
>  --insert INPUT \
>  --in-interface virbr0 \
>  --protocol tcp \
> diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
> index 65563ff8b4..5b8209af19 100644
> --- a/tests/networkxml2firewalldata/route-default-linux.args
> +++ b/tests/networkxml2firewalldata/route-default-linux.args
> @@ -1,5 +1,77 @@
>  iptables \
>  --table filter \
> +--new-chain INP_libvirt
> +iptables \
> +--table filter \
> +--new-chain OUT_libvirt
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +iptables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +iptables \
> +--table nat \
> +--new-chain PRT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain INP_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain OUT_libvirt
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_out
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_in
> +ip6tables \
> +--table filter \
> +--new-chain FWD_libvirt_cross
> +ip6tables \
> +--table nat \
> +--new-chain PRT_libvirt
> +iptables \
> +--table filter \
> +--list INPUT
> +iptables \
> +--table filter \
> +--list OUTPUT
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table filter \
> +--list FORWARD
> +iptables \
> +--table nat \
> +--list POSTROUTING
> +ip6tables \
> +--table filter \
> +--list INPUT
> +ip6tables \
> +--table filter \
> +--list OUTPUT
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table filter \
> +--list FORWARD
> +ip6tables \
> +--table nat \
> +--list POSTROUTING
> +iptables \
> +--table filter \
>  --insert INPUT \
>  --in-interface virbr0 \
>  --protocol tcp \



