[libvirt] [PATCH 3/7] util: prepare iptables for putting rules into private chains
Laine Stump
laine at laine.org
Mon Dec 3 15:17:27 UTC 2018
On 11/1/18 8:52 AM, Daniel P. Berrangé wrote:
> Currently all rules are created directly in the INPUT, FORWARD,
> OUTPUT and POSTROUTING chains. This change prepares for putting
> the rules into private chains, but does not actually do the
> switch yet.
>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
Reviewed-by: Laine Stump <laine at laine.org>
> ---
> src/util/viriptables.c | 152 +++++++++++++++++++++++++++++------------
> 1 file changed, 108 insertions(+), 44 deletions(-)
>
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index 4a7ea54b38..b4a4bf9a12 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -50,6 +50,12 @@ enum {
> REMOVE
> };
>
> +enum {
> + VIR_IPTABLES_CHAIN_BUILTIN,
> + VIR_IPTABLES_CHAIN_PRIVATE,
> +
> + VIR_IPTABLES_CHAIN_LAST,
> +};
>
>
> typedef struct {
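Review bot: The new enum is anonymous, so every `chain` parameter added below is a plain `int` that is used unchecked as an index into a two-entry `chainName[VIR_IPTABLES_CHAIN_LAST]` table; a stray value would read past the array. Naming the type, `typedef enum { VIR_IPTABLES_CHAIN_BUILTIN, VIR_IPTABLES_CHAIN_PRIVATE, VIR_IPTABLES_CHAIN_LAST } virIptablesChain;`, and using it for those parameters lets the compiler flag accidental integers at call sites. The enum also has no comment; something like `/* Where a rule is placed: directly in the kernel's built-in chain (INPUT/FORWARD/OUTPUT/POSTROUTING), or in the libvirt-owned chain created by iptablesSetupPrivateChains */` would make the intent of the two selectors clear to readers of later patches in the series. Whether an explicit range check at each use is preferred instead is a project style call.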
> @@ -135,19 +141,24 @@ iptablesSetupPrivateChains(void)
> static void
> iptablesInput(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int port,
> int action,
> int tcp)
> {
> char portstr[32];
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "INPUT",
> + "INP_libvirt",
> + };
>
> snprintf(portstr, sizeof(portstr), "%d", port);
> portstr[sizeof(portstr) - 1] = '\0';
>
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "INPUT",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--in-interface", iface,
> "--protocol", tcp ? "tcp" : "udp",
> "--destination-port", portstr,
> @@ -158,19 +169,24 @@ iptablesInput(virFirewallPtr fw,
> static void
> iptablesOutput(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int port,
> int action,
> int tcp)
> {
> char portstr[32];
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "OUTPUT",
> + "OUT_libvirt",
> + };
>
> snprintf(portstr, sizeof(portstr), "%d", port);
> portstr[sizeof(portstr) - 1] = '\0';
>
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "OUTPUT",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", iface,
> "--protocol", tcp ? "tcp" : "udp",
> "--destination-port", portstr,
> @@ -193,7 +209,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesInput(fw, layer, iface, port, ADD, 1);
> + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 1);
> }
>
> /**
> @@ -211,7 +227,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesInput(fw, layer, iface, port, REMOVE, 1);
> + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 1);
> }
>
> /**
> @@ -229,7 +245,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesInput(fw, layer, iface, port, ADD, 0);
> + iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
> }
>
> /**
> @@ -247,7 +263,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - return iptablesInput(fw, layer, iface, port, REMOVE, 0);
> + return iptablesInput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
> }
>
> /**
> @@ -265,7 +281,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutput(fw, layer, iface, port, ADD, 0);
> + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD, 0);
> }
>
> /**
> @@ -283,7 +299,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutput(fw, layer, iface, port, REMOVE, 0);
> + iptablesOutput(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE, 0);
> }
>
>
> @@ -323,6 +339,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
> */
> static int
> iptablesForwardAllowOut(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *iface,
> @@ -332,6 +349,10 @@ iptablesForwardAllowOut(virFirewallPtr fw,
> VIR_AUTOFREE(char *) networkstr = NULL;
> virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
> VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_out",
> + };
>
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -339,7 +360,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "--in-interface", iface,
> "--out-interface", physdev,
> @@ -348,7 +369,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "--in-interface", iface,
> "--jump", "ACCEPT",
> @@ -377,7 +398,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
> + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> }
>
> /**
> @@ -400,7 +421,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
> + return iptablesForwardAllowOut(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> }
>
>
> @@ -409,6 +430,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
> */
> static int
> iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *iface,
> @@ -418,6 +440,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
> VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
> VIR_AUTOFREE(char *) networkstr = NULL;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_in",
> + };
>
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -425,7 +451,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--in-interface", physdev,
> "--out-interface", iface,
> @@ -436,7 +462,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--out-interface", iface,
> "--match", "conntrack",
> @@ -467,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
> + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> }
>
> /**
> @@ -490,13 +516,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
> + return iptablesForwardAllowRelatedIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> }
>
> /* Allow all traffic destined to the bridge, with a valid network address
> */
> static int
> iptablesForwardAllowIn(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *iface,
> @@ -506,6 +533,10 @@ iptablesForwardAllowIn(virFirewallPtr fw,
> virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
> VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
> VIR_AUTOFREE(char *) networkstr = NULL;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_in",
> + };
>
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -513,7 +544,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--in-interface", physdev,
> "--out-interface", iface,
> @@ -522,7 +553,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--destination", networkstr,
> "--out-interface", iface,
> "--jump", "ACCEPT",
> @@ -550,7 +581,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
> + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, ADD);
> }
>
> /**
> @@ -573,18 +604,24 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
> const char *iface,
> const char *physdev)
> {
> - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
> + return iptablesForwardAllowIn(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix, iface, physdev, REMOVE);
> }
>
> static void
> iptablesForwardAllowCross(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int action)
> {
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_cross",
> + };
> +
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--in-interface", iface,
> "--out-interface", iface,
> "--jump", "ACCEPT",
> @@ -607,7 +644,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardAllowCross(fw, layer, iface, ADD);
> + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> }
>
> /**
> @@ -626,18 +663,24 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardAllowCross(fw, layer, iface, REMOVE);
> + iptablesForwardAllowCross(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> }
>
> static void
> iptablesForwardRejectOut(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int action)
> {
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_out",
> + };
> +
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "delete", "FORWARD",
> + action == ADD ? "--insert" : "delete", chainName[chain],
> "--in-interface", iface,
> "--jump", "REJECT",
> NULL);
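Review bot: The REMOVE path on the rewritten line `action == ADD ? "--insert" : "delete", chainName[chain],` passes `delete` without the leading dashes, unlike the `"--delete"` used by every sibling helper (iptablesForwardRejectIn in the next hunk, for example). The old line had the same text, so this looks like a pre-existing typo the patch carries forward; since the line is touched anyway it should become `action == ADD ? "--insert" : "--delete", chainName[chain],`. If it is a real bug, removing the REJECT rule would presumably fail and leave a stale per-interface rule in the chain after network teardown — worth confirming against the firewall test expectations.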
> @@ -658,7 +701,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectOut(fw, layer, iface, ADD);
> + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> }
>
> /**
> @@ -676,19 +719,25 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectOut(fw, layer, iface, REMOVE);
> + iptablesForwardRejectOut(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> }
>
>
> static void
> iptablesForwardRejectIn(virFirewallPtr fw,
> virFirewallLayer layer,
> + int chain,
> const char *iface,
> int action)
> {
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "FORWARD",
> + "FWD_libvirt_in",
> + };
> +
> virFirewallAddRule(fw, layer,
> "--table", "filter",
> - action == ADD ? "--insert" : "--delete", "FORWARD",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", iface,
> "--jump", "REJECT",
> NULL);
> @@ -709,7 +758,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectIn(fw, layer, iface, ADD);
> + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, ADD);
> }
>
> /**
> @@ -727,7 +776,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
> virFirewallLayer layer,
> const char *iface)
> {
> - iptablesForwardRejectIn(fw, layer, iface, REMOVE);
> + iptablesForwardRejectIn(fw, layer, VIR_IPTABLES_CHAIN_BUILTIN, iface, REMOVE);
> }
>
>
> @@ -736,6 +785,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
> */
> static int
> iptablesForwardMasquerade(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *physdev,
> @@ -750,6 +800,10 @@ iptablesForwardMasquerade(virFirewallPtr fw,
> VIR_AUTOFREE(char *) portRangeStr = NULL;
> VIR_AUTOFREE(char *) natRangeStr = NULL;
> virFirewallRulePtr rule;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "POSTROUTING",
> + "PRT_libvirt",
> + };
>
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -774,7 +828,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
> if (protocol && protocol[0]) {
> rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "-p", protocol,
> "!", "--destination", networkstr,
> @@ -782,7 +836,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
> } else {
> rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "!", "--destination", networkstr,
> NULL);
> @@ -860,8 +914,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
> virPortRangePtr port,
> const char *protocol)
> {
> - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
> - protocol, ADD);
> + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, addr, port, protocol, ADD);
> }
>
> /**
> @@ -886,8 +940,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
> virPortRangePtr port,
> const char *protocol)
> {
> - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
> - protocol, REMOVE);
> + return iptablesForwardMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, addr, port, protocol, REMOVE);
> }
>
>
> @@ -896,6 +950,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
> */
> static int
> iptablesForwardDontMasquerade(virFirewallPtr fw,
> + int chain,
> virSocketAddr *netaddr,
> unsigned int prefix,
> const char *physdev,
> @@ -903,6 +958,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
> int action)
> {
> VIR_AUTOFREE(char *) networkstr = NULL;
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "POSTROUTING",
> + "PRT_libvirt",
> + };
>
> if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
> return -1;
> @@ -918,7 +977,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
> if (physdev && physdev[0])
> virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", physdev,
> "--source", networkstr,
> "--destination", destaddr,
> @@ -927,7 +986,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
> else
> virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "nat",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--source", networkstr,
> "--destination", destaddr,
> "--jump", "RETURN",
> @@ -957,8 +1016,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
> const char *physdev,
> const char *destaddr)
> {
> - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
> - ADD);
> + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, destaddr, ADD);
> }
>
> /**
> @@ -982,25 +1041,30 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
> const char *physdev,
> const char *destaddr)
> {
> - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
> - REMOVE);
> + return iptablesForwardDontMasquerade(fw, VIR_IPTABLES_CHAIN_BUILTIN, netaddr, prefix,
> + physdev, destaddr, REMOVE);
> }
>
>
> static void
> iptablesOutputFixUdpChecksum(virFirewallPtr fw,
> + int chain,
> const char *iface,
> int port,
> int action)
> {
> char portstr[32];
> + static const char *chainName[VIR_IPTABLES_CHAIN_LAST] = {
> + "POSTROUTING",
> + "PRT_libvirt",
> + };
>
> snprintf(portstr, sizeof(portstr), "%d", port);
> portstr[sizeof(portstr) - 1] = '\0';
>
> virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> "--table", "mangle",
> - action == ADD ? "--insert" : "--delete", "POSTROUTING",
> + action == ADD ? "--insert" : "--delete", chainName[chain],
> "--out-interface", iface,
> "--protocol", "udp",
> "--destination-port", portstr,
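Review bot: The private name `PRT_libvirt` is reused here under `--table mangle`, while iptablesForwardMasquerade and iptablesForwardDontMasquerade use the same name under `--table nat`. iptables chain names are scoped per table, so this is legal, but it relies on iptablesSetupPrivateChains creating a PRT_libvirt chain in both tables, which this patch does not show. A short comment on the table, `/* same name as the nat-table chain; chains are per-table, so a separate mangle PRT_libvirt must exist */`, would save the next reader that check.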
> @@ -1024,7 +1088,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
> + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, ADD);
> }
>
> /**
> @@ -1041,5 +1105,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
> const char *iface,
> int port)
> {
> - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
> + iptablesOutputFixUdpChecksum(fw, VIR_IPTABLES_CHAIN_BUILTIN, iface, port, REMOVE);
> }