[libvirt] [PATCH 2/2] util: move firewall rules into per network chains

Daniel P. Berrangé berrange at redhat.com
Fri Dec 7 17:00:48 UTC 2018


The previous commit created chains for each virtual network. This commit
adjusts the code so that rules are now put in these new chains.

With two networks running, the filter table thus looks like

  -N LIBVIRT_FWI
  -N LIBVIRT_FWI_virbr0
  -N LIBVIRT_FWI_virbr1
  -N LIBVIRT_FWO
  -N LIBVIRT_FWO_virbr0
  -N LIBVIRT_FWO_virbr1
  -N LIBVIRT_FWX
  -N LIBVIRT_FWX_virbr0
  -N LIBVIRT_FWX_virbr1
  -N LIBVIRT_INP
  -N LIBVIRT_INP_virbr0
  -N LIBVIRT_INP_virbr1
  -N LIBVIRT_OUT
  -N LIBVIRT_OUT_virbr0
  -N LIBVIRT_OUT_virbr1
  -A INPUT -j LIBVIRT_INP
  -A FORWARD -j LIBVIRT_FWX
  -A FORWARD -j LIBVIRT_FWI
  -A FORWARD -j LIBVIRT_FWO
  -A OUTPUT -j LIBVIRT_OUT
  -A LIBVIRT_FWI -o virbr1 -j LIBVIRT_FWI_virbr1
  -A LIBVIRT_FWI -o virbr0 -j LIBVIRT_FWI_virbr0
  -A LIBVIRT_FWI_virbr0 -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI_virbr0 -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWI_virbr1 -d 192.168.1.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI_virbr1 -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO -i virbr1 -j LIBVIRT_FWO_virbr1
  -A LIBVIRT_FWO -i virbr0 -j LIBVIRT_FWO_virbr0
  -A LIBVIRT_FWO_virbr0 -s 192.168.0.0/24 -i virbr0 -j ACCEPT
  -A LIBVIRT_FWO_virbr0 -i virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO_virbr1 -s 192.168.1.0/24 -i virbr1 -j ACCEPT
  -A LIBVIRT_FWO_virbr1 -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWX -j LIBVIRT_FWX_virbr1
  -A LIBVIRT_FWX -j LIBVIRT_FWX_virbr0
  -A LIBVIRT_FWX_virbr0 -i virbr0 -o virbr0 -j ACCEPT
  -A LIBVIRT_FWX_virbr1 -i virbr1 -o virbr1 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -j LIBVIRT_INP_virbr1
  -A LIBVIRT_INP -i virbr0 -j LIBVIRT_INP_virbr0
  -A LIBVIRT_INP_virbr0 -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP_virbr0 -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP_virbr0 -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP_virbr0 -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_INP_virbr1 -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP_virbr1 -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP_virbr1 -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP_virbr1 -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_OUT -o virbr1 -j LIBVIRT_OUT_virbr1
  -A LIBVIRT_OUT -o virbr0 -j LIBVIRT_OUT_virbr0
  -A LIBVIRT_OUT_virbr0 -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
  -A LIBVIRT_OUT_virbr1 -o virbr1 -p udp -m udp --dport 68 -j ACCEPT

while the nat table has

  -N LIBVIRT_PRT
  -N LIBVIRT_PRT_virbr0
  -N LIBVIRT_PRT_virbr1
  -A POSTROUTING -j LIBVIRT_PRT
  -A LIBVIRT_PRT -j LIBVIRT_PRT_virbr1
  -A LIBVIRT_PRT -j LIBVIRT_PRT_virbr0
  -A LIBVIRT_PRT_virbr0 -s 192.168.0.0/24 -d 224.0.0.0/24 -j RETURN
  -A LIBVIRT_PRT_virbr0 -s 192.168.0.0/24 -d 255.255.255.255/32 -j RETURN
  -A LIBVIRT_PRT_virbr0 -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT_virbr0 -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT_virbr0 -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
  -A LIBVIRT_PRT_virbr1 -s 192.168.1.0/24 -d 224.0.0.0/24 -j RETURN
  -A LIBVIRT_PRT_virbr1 -s 192.168.1.0/24 -d 255.255.255.255/32 -j RETURN
  -A LIBVIRT_PRT_virbr1 -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT_virbr1 -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT_virbr1 -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

and the mangle table has

  -N LIBVIRT_PRT
  -N LIBVIRT_PRT_virbr0
  -N LIBVIRT_PRT_virbr1
  -A POSTROUTING -j LIBVIRT_PRT
  -A LIBVIRT_PRT -j LIBVIRT_PRT_virbr1
  -A LIBVIRT_PRT -j LIBVIRT_PRT_virbr0
  -A LIBVIRT_PRT_virbr0 -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
  -A LIBVIRT_PRT_virbr1 -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 src/libvirt_private.syms                      |   1 -
 src/network/bridge_driver_linux.c             |  25 +++-
 src/util/viriptables.c                        | 124 ++++++++++++------
 src/util/viriptables.h                        |   6 +-
 .../nat-default-linux.args                    |  32 ++---
 .../nat-ipv6-linux.args                       |  48 +++----
 .../nat-many-ips-linux.args                   |  60 ++++-----
 .../nat-no-dhcp-linux.args                    |  46 +++----
 .../nat-tftp-linux.args                       |  34 ++---
 .../route-default-linux.args                  |  22 ++--
 10 files changed, 230 insertions(+), 168 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 8f7f166aef..c5b480cb87 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2071,7 +2071,6 @@ iptablesRemoveOutputFixUdpChecksum;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
-iptablesSetDeletePrivate;
 iptablesSetupLocalChains;
 iptablesSetupPrivateChains;
 iptablesTeardownLocalChains;
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 4777e9efc4..220834d323 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -36,6 +36,8 @@ VIR_LOG_INIT("network.bridge_driver_linux");
 
 #define PROC_NET_ROUTE "/proc/net/route"
 
+static bool deleteLegacyRules;
+
 int networkPreReloadFirewallRules(bool startup)
 {
     int ret = iptablesSetupPrivateChains();
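Review bot: The new file-scope flag `deleteLegacyRules` carries no comment, and its meaning only becomes clear from the `startup && ret == 1` assignment in the next hunk and its test in networkRemoveFirewallRules much further down the patch. I would document it at the definition: `/* Set only for the reload that follows creation of the private chains: makes networkRemoveFirewallRules delete a network's rules from the builtin chains (where an older libvirt put them) instead of tearing down its per-network chains. */`. networkPreReloadFirewallRules continues outside the hunk.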
@@ -55,16 +57,16 @@ int networkPreReloadFirewallRules(bool startup)
      * rules will be present. Thus we can safely just tell it
      * to always delete from the builin chain
      */
-    if (startup && ret == 1) {
-        iptablesSetDeletePrivate(false);
-    }
+    if (startup && ret == 1)
+        deleteLegacyRules = true;
+
     return 0;
 }
 
 
 void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
 {
-    iptablesSetDeletePrivate(true);
+    deleteLegacyRules = false;
 }
 
 
@@ -261,6 +263,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
 
     /* First the generic masquerade rule for other protocols */
     if (iptablesAddForwardMasquerade(fw,
+                                     def->bridge,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -271,6 +274,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
 
     /* UDP with a source port restriction */
     if (iptablesAddForwardMasquerade(fw,
+                                     def->bridge,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -281,6 +285,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
 
     /* TCP with a source port restriction */
     if (iptablesAddForwardMasquerade(fw,
+                                     def->bridge,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -291,6 +296,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
 
     /* exempt local network broadcast address as destination */
     if (iptablesAddDontMasquerade(fw,
+                                  def->bridge,
                                   &ipdef->address,
                                   prefix,
                                   forwardIf,
@@ -299,6 +305,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
 
     /* exempt local multicast range as destination */
     if (iptablesAddDontMasquerade(fw,
+                                  def->bridge,
                                   &ipdef->address,
                                   prefix,
                                   forwardIf,
@@ -320,6 +327,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
         return 0;
 
     if (iptablesRemoveDontMasquerade(fw,
+                                     def->bridge,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -327,6 +335,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
         return -1;
 
     if (iptablesRemoveDontMasquerade(fw,
+                                     def->bridge,
                                      &ipdef->address,
                                      prefix,
                                      forwardIf,
@@ -334,6 +343,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
         return -1;
 
     if (iptablesRemoveForwardMasquerade(fw,
+                                        def->bridge,
                                         &ipdef->address,
                                         prefix,
                                         forwardIf,
@@ -343,6 +353,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
         return -1;
 
     if (iptablesRemoveForwardMasquerade(fw,
+                                        def->bridge,
                                         &ipdef->address,
                                         prefix,
                                         forwardIf,
@@ -352,6 +363,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
         return -1;
 
     if (iptablesRemoveForwardMasquerade(fw,
+                                        def->bridge,
                                         &ipdef->address,
                                         prefix,
                                         forwardIf,
@@ -717,7 +729,10 @@ void networkRemoveFirewallRules(virNetworkDefPtr def)
     virNetworkIPDefPtr ipdef;
     virFirewallPtr fw = NULL;
 
-    iptablesTeardownLocalChains(def->bridge);
+    if (!deleteLegacyRules) {
+        iptablesTeardownLocalChains(def->bridge);
+        goto cleanup;
+    }
 
     fw = virFirewallNew();
 
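Review bot: With `deleteLegacyRules` false the function now returns right after `iptablesTeardownLocalChains` and skips everything below `fw = virFirewallNew()`, so any removal work in the rest of the body that is not covered by flushing and deleting the per-network chains silently stops happening; the body continues outside the hunk, so this needs confirming against the full function. `iptablesTeardownLocalChains` is declared `int` in viriptables.h but its result is discarded here as before; since networkRemoveFirewallRules is `void`, logging the failure, e.g. `if (iptablesTeardownLocalChains(def->bridge) < 0) VIR_WARN("unable to remove firewall chains for %s", def->bridge);`, would at least leave a trace when a network's chains remain behind (unless the callee already reports, which is not visible here). The `goto cleanup` with `fw` still NULL assumes the cleanup label tolerates a NULL firewall object; that label is outside the hunk.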
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 53d0568a84..f7072fd140 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -46,13 +46,13 @@ VIR_LOG_INIT("util.iptables");
 
 #define VIR_FROM_THIS VIR_FROM_NONE
 
+#define CHAIN_NAME_MAX  32 /* Linux XT_TABLE_MAXNAMELEN - includes the NUL */
+
 enum {
     ADD = 0,
     REMOVE
 };
 
-static int deletePrivate = true;
-
 typedef struct {
     const char *parent;
     const char *child;
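Review bot: The comment on `CHAIN_NAME_MAX` cites the Linux table-name limit, but as far as I recall iptables user space rejects chain names of 29 or more characters (its XT_EXTENSION_MAXNAMELEN check), so a 32-byte buffer can hold names iptables will refuse, and the constant's name and comment do not say which limit actually matters. Every chain built in this patch is a 12-character prefix such as `LIBVIRT_INP_` plus the interface name, and kernel interface names are at most 15 characters, so valid bridge names fit either limit; I would state that in the comment so the sizing is understood, e.g. `/* "LIBVIRT_xxx_" + IFNAMSIZ-1 chars + NUL = 28 bytes; iptables rejects chain names of 29+ chars */`.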
@@ -268,13 +268,6 @@ iptablesTeardownLocalChains(const char *iface)
 }
 
 
-void
-iptablesSetDeletePrivate(bool pvt)
-{
-    deletePrivate = pvt;
-}
-
-
 static void
 iptablesInput(virFirewallPtr fw,
               virFirewallLayer layer,
@@ -285,6 +278,10 @@ iptablesInput(virFirewallPtr fw,
               int tcp)
 {
     char portstr[32];
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_INP_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     snprintf(portstr, sizeof(portstr), "%d", port);
     portstr[sizeof(portstr) - 1] = '\0';
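Review bot: The `snprintf` into `chainName` is not checked for truncation, so an interface name long enough to overflow the buffer silently yields a chain name that may differ from the one the previous commit's iptablesSetupLocalChains created, and the rule then fails with an iptables error (or lands in a different chain) rather than a libvirt one. The same unchecked pattern is repeated in the iptablesOutput, iptablesForwardAllowOut, iptablesForwardAllowRelatedIn, iptablesForwardAllowIn, iptablesForwardAllowCross, iptablesForwardRejectOut, iptablesForwardRejectIn, iptablesForwardMasquerade, iptablesForwardDontMasquerade and iptablesOutputFixUdpChecksum hunks. The `chainName[sizeof(chainName) - 1] = '\0';` line is redundant, since snprintf always NUL-terminates when given a non-zero size. I would factor the eleven copies into one static helper that reports instead of truncating; the `void` helpers such as iptablesInput cannot propagate that failure, so their callers need an error path too (iptablesInput's body continues outside the hunk).
```c
/* Build "<prefix>_<iface>" into buf, reporting an error instead of truncating. */
static int
iptablesChainName(char *buf, size_t buflen,
                  const char *prefix, const char *iface)
{
    int n = snprintf(buf, buflen, "%s_%s", prefix, iface);

    if (n < 0 || (size_t)n >= buflen) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Chain name '%s_%s' is too long"), prefix, iface);
        return -1;
    }
    return 0;
}

/* … in iptablesInput, replacing the snprintf pair … */
    if (iptablesChainName(chainName, sizeof(chainName), "LIBVIRT_INP", iface) < 0)
        return;
```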
@@ -292,7 +289,7 @@ iptablesInput(virFirewallPtr fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_INP" : "INPUT",
+                       pvt ? chainName : "INPUT",
                        "--in-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -310,6 +307,10 @@ iptablesOutput(virFirewallPtr fw,
                int tcp)
 {
     char portstr[32];
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_OUT_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     snprintf(portstr, sizeof(portstr), "%d", port);
     portstr[sizeof(portstr) - 1] = '\0';
@@ -317,7 +318,7 @@ iptablesOutput(virFirewallPtr fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_OUT" : "OUTPUT",
+                       pvt ? chainName : "OUTPUT",
                        "--out-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -358,7 +359,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
+    iptablesInput(fw, layer, false, iface, port, REMOVE, 1);
 }
 
 /**
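Review bot: `iptablesRemoveTcpInput` now always passes `false` for pvt, so it deletes only from the builtin INPUT chain and is no longer the inverse of iptablesAddTcpInput, which targets the per-network chain; the doc comment above it (outside the hunk) presumably still presents it as the plain removal counterpart and should say it exists only to clean up rules an older libvirt left in the builtin chains. The same applies to the iptablesRemoveUdpInput, iptablesRemoveUdpOutput, iptablesRemoveForwardAllowOut, iptablesRemoveForwardAllowRelatedIn, iptablesRemoveForwardAllowIn, iptablesRemoveForwardAllowCross, iptablesRemoveForwardRejectOut, iptablesRemoveForwardRejectIn, iptablesRemoveForwardMasquerade, iptablesRemoveDontMasquerade and iptablesRemoveOutputFixUdpChecksum hunks. After this change every Add* wrapper passes `true` with ADD and every Remove* wrapper `false` with REMOVE, so if no other caller of the static helpers remains, the `pvt` parameter is fully determined by `action` and could be dropped in favour of `action == ADD ? chainName : "INPUT"`.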
@@ -394,7 +395,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+    iptablesInput(fw, layer, false, iface, port, REMOVE, 0);
 }
 
 /**
@@ -430,7 +431,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
                         const char *iface,
                         int port)
 {
-    iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+    iptablesOutput(fw, layer, false, iface, port, REMOVE, 0);
 }
 
 
@@ -480,6 +481,10 @@ iptablesForwardAllowOut(virFirewallPtr fw,
     VIR_AUTOFREE(char *) networkstr = NULL;
     virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
         VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_FWO_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
@@ -488,7 +493,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWO" : "FORWARD",
+                           pvt ? chainName : "FORWARD",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--out-interface", physdev,
@@ -498,7 +503,7 @@ iptablesForwardAllowOut(virFirewallPtr fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWO" : "FORWARD",
+                           pvt ? chainName : "FORWARD",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--jump", "ACCEPT",
@@ -550,7 +555,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
                               const char *iface,
                               const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowOut(fw, false, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 
@@ -569,6 +574,10 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
     virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
         VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
     VIR_AUTOFREE(char *) networkstr = NULL;
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_FWI_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
@@ -577,7 +586,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           pvt ? chainName : "FORWARD",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -589,7 +598,7 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           pvt ? chainName : "FORWARD",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--match", "conntrack",
@@ -643,7 +652,7 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
                                     const char *iface,
                                     const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowRelatedIn(fw, false, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 /* Allow all traffic destined to the bridge, with a valid network address
@@ -660,6 +669,10 @@ iptablesForwardAllowIn(virFirewallPtr fw,
     virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
         VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
     VIR_AUTOFREE(char *) networkstr = NULL;
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_FWI_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
@@ -668,7 +681,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           pvt ? chainName : "FORWARD",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -678,7 +691,7 @@ iptablesForwardAllowIn(virFirewallPtr fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           pvt ? chainName : "FORWARD",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--jump", "ACCEPT",
@@ -729,7 +742,7 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
                              const char *iface,
                              const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowIn(fw, false, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 static void
@@ -739,10 +752,15 @@ iptablesForwardAllowCross(virFirewallPtr fw,
                           const char *iface,
                           int action)
 {
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_FWX_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
+
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWX" : "FORWARD",
+                       pvt ? chainName : "FORWARD",
                        "--in-interface", iface,
                        "--out-interface", iface,
                        "--jump", "ACCEPT",
@@ -784,7 +802,7 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
                                 virFirewallLayer layer,
                                 const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardAllowCross(fw, layer, false, iface, REMOVE);
 }
 
 static void
@@ -794,10 +812,15 @@ iptablesForwardRejectOut(virFirewallPtr fw,
                          const char *iface,
                          int action)
 {
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_FWO_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
+
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWO" : "FORWARD",
+                       pvt ? chainName : "FORWARD",
                        "--in-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -836,7 +859,7 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
                                virFirewallLayer layer,
                                const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardRejectOut(fw, layer, false, iface, REMOVE);
 }
 
 
@@ -847,10 +870,15 @@ iptablesForwardRejectIn(virFirewallPtr fw,
                         const char *iface,
                         int action)
 {
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_FWI_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
+
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWI" : "FORWARD",
+                       pvt ? chainName : "FORWARD",
                        "--out-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -889,7 +917,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
                               virFirewallLayer layer,
                               const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardRejectIn(fw, layer, false, iface, REMOVE);
 }
 
 
@@ -899,6 +927,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
 static int
 iptablesForwardMasquerade(virFirewallPtr fw,
                           bool pvt,
+                          const char *iface,
                           virSocketAddr *netaddr,
                           unsigned int prefix,
                           const char *physdev,
@@ -913,6 +942,10 @@ iptablesForwardMasquerade(virFirewallPtr fw,
     VIR_AUTOFREE(char *) portRangeStr = NULL;
     VIR_AUTOFREE(char *) natRangeStr = NULL;
     virFirewallRulePtr rule;
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_PRT_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
@@ -938,7 +971,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
         rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                                   "--table", "nat",
                                   action == ADD ? "--insert" : "--delete",
-                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                                  pvt ? chainName : "POSTROUTING",
                                   "--source", networkstr,
                                   "-p", protocol,
                                   "!", "--destination", networkstr,
@@ -947,7 +980,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
         rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                                   "--table", "nat",
                                   action == ADD ? "--insert" : "--delete",
-                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                                  pvt ? chainName : "POSTROUTING",
                                   "--source", networkstr,
                                   "!", "--destination", networkstr,
                                   NULL);
@@ -1018,6 +1051,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
  */
 int
 iptablesAddForwardMasquerade(virFirewallPtr fw,
+                             const char *iface,
                              virSocketAddr *netaddr,
                              unsigned int prefix,
                              const char *physdev,
@@ -1025,7 +1059,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
                              virPortRangePtr port,
                              const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, true, netaddr, prefix,
+    return iptablesForwardMasquerade(fw, true, iface, netaddr, prefix,
                                      physdev, addr, port, protocol, ADD);
 }
 
@@ -1044,6 +1078,7 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
  */
 int
 iptablesRemoveForwardMasquerade(virFirewallPtr fw,
+                                const char *iface,
                                 virSocketAddr *netaddr,
                                 unsigned int prefix,
                                 const char *physdev,
@@ -1051,7 +1086,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
                                 virPortRangePtr port,
                                 const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
+    return iptablesForwardMasquerade(fw, false, iface, netaddr, prefix,
                                      physdev, addr, port, protocol, REMOVE);
 }
 
@@ -1062,6 +1097,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
 static int
 iptablesForwardDontMasquerade(virFirewallPtr fw,
                               bool pvt,
+                              const char *iface,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *physdev,
@@ -1069,6 +1105,10 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
                               int action)
 {
     VIR_AUTOFREE(char *) networkstr = NULL;
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_PRT_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
@@ -1085,7 +1125,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
         virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                            "--table", "nat",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                           pvt ? chainName : "POSTROUTING",
                            "--out-interface", physdev,
                            "--source", networkstr,
                            "--destination", destaddr,
@@ -1095,7 +1135,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
         virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                            "--table", "nat",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                           pvt ? chainName : "POSTROUTING",
                            "--source", networkstr,
                            "--destination", destaddr,
                            "--jump", "RETURN",
@@ -1120,12 +1160,13 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
  */
 int
 iptablesAddDontMasquerade(virFirewallPtr fw,
+                          const char *iface,
                           virSocketAddr *netaddr,
                           unsigned int prefix,
                           const char *physdev,
                           const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
+    return iptablesForwardDontMasquerade(fw, true, iface, netaddr, prefix,
                                          physdev, destaddr, ADD);
 }
 
@@ -1145,12 +1186,13 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
  */
 int
 iptablesRemoveDontMasquerade(virFirewallPtr fw,
+                             const char *iface,
                              virSocketAddr *netaddr,
                              unsigned int prefix,
                              const char *physdev,
                              const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
+    return iptablesForwardDontMasquerade(fw, false, iface, netaddr, prefix,
                                          physdev, destaddr, REMOVE);
 }
 
@@ -1163,6 +1205,10 @@ iptablesOutputFixUdpChecksum(virFirewallPtr fw,
                              int action)
 {
     char portstr[32];
+    char chainName[CHAIN_NAME_MAX];
+
+    snprintf(chainName, sizeof(chainName), "LIBVIRT_PRT_%s", iface);
+    chainName[sizeof(chainName) - 1] = '\0';
 
     snprintf(portstr, sizeof(portstr), "%d", port);
     portstr[sizeof(portstr) - 1] = '\0';
@@ -1170,7 +1216,7 @@ iptablesOutputFixUdpChecksum(virFirewallPtr fw,
     virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                        "--table", "mangle",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                       pvt ? chainName : "POSTROUTING",
                        "--out-interface", iface,
                        "--protocol", "udp",
                        "--destination-port", portstr,
@@ -1211,5 +1257,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
                                    const char *iface,
                                    int port)
 {
-    iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
+    iptablesOutputFixUdpChecksum(fw, false, iface, port, REMOVE);
 }
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index 8eb884aa9f..0b4e41f692 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -31,8 +31,6 @@ int              iptablesSetupPrivateChains      (void);
 int              iptablesSetupLocalChains        (const char *iface);
 int              iptablesTeardownLocalChains     (const char *iface);
 
-void             iptablesSetDeletePrivate        (bool pvt);
-
 void             iptablesAddTcpInput             (virFirewallPtr fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
@@ -120,6 +118,7 @@ void             iptablesRemoveForwardRejectIn   (virFirewallPtr fw,
                                                   const char *iface);
 
 int              iptablesAddForwardMasquerade    (virFirewallPtr fw,
+                                                  const char *iface,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *physdev,
@@ -128,6 +127,7 @@ int              iptablesAddForwardMasquerade    (virFirewallPtr fw,
                                                   const char *protocol)
     ATTRIBUTE_RETURN_CHECK;
 int              iptablesRemoveForwardMasquerade (virFirewallPtr fw,
+                                                  const char *iface,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *physdev,
@@ -136,12 +136,14 @@ int              iptablesRemoveForwardMasquerade (virFirewallPtr fw,
                                                   const char *protocol)
     ATTRIBUTE_RETURN_CHECK;
 int              iptablesAddDontMasquerade       (virFirewallPtr fw,
+                                                  const char *iface,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *physdev,
                                                   const char *destaddr)
     ATTRIBUTE_RETURN_CHECK;
 int              iptablesRemoveDontMasquerade    (virFirewallPtr fw,
+                                                  const char *iface,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
                                                   const char *physdev,
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
index 8efc415bee..3f6fb06549 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -98,64 +98,64 @@ ip6tables \
 --jump LIBVIRT_PRT_virbr0
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert LIBVIRT_OUT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -163,13 +163,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -177,7 +177,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -185,19 +185,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index a72efecc49..7d4db3ac99 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -98,101 +98,101 @@ ip6tables \
 --jump LIBVIRT_PRT_virbr0
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert LIBVIRT_OUT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 547 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -200,13 +200,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -214,7 +214,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -222,31 +222,31 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 2001:db8:ca2:2::/64 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index 5094d6793b..421b57c0bb 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -98,64 +98,64 @@ ip6tables \
 --jump LIBVIRT_PRT_virbr0
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert LIBVIRT_OUT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -163,13 +163,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -177,7 +177,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -185,25 +185,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.128.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.128.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -211,13 +211,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.128.0/24 '!' \
 --destination 192.168.128.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.128.0/24 \
 -p udp '!' \
 --destination 192.168.128.0/24 \
@@ -225,7 +225,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.128.0/24 \
 -p tcp '!' \
 --destination 192.168.128.0/24 \
@@ -233,25 +233,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.128.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.128.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.150.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.150.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -259,13 +259,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.150.0/24 '!' \
 --destination 192.168.150.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.150.0/24 \
 -p udp '!' \
 --destination 192.168.150.0/24 \
@@ -273,7 +273,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.150.0/24 \
 -p tcp '!' \
 --destination 192.168.150.0/24 \
@@ -281,19 +281,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.150.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.150.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index 3b870a0a02..90e62405d3 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -98,101 +98,101 @@ ip6tables \
 --jump LIBVIRT_PRT_virbr0
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert LIBVIRT_OUT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 547 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -200,13 +200,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -214,7 +214,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -222,25 +222,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 2001:db8:ca2:2::/64 \
 --out-interface virbr0 \
 --jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
index f002f0add9..b83720e6b5 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -98,71 +98,71 @@ ip6tables \
 --jump LIBVIRT_PRT_virbr0
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert LIBVIRT_OUT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 69 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -170,13 +170,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -184,7 +184,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -192,19 +192,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
index 783e803dff..deb639a2b9 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -98,70 +98,70 @@ ip6tables \
 --jump LIBVIRT_PRT_virbr0
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert LIBVIRT_OUT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert LIBVIRT_INP_virbr0 \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert LIBVIRT_FWX_virbr0 \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert LIBVIRT_FWO_virbr0 \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert LIBVIRT_FWI_virbr0 \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert LIBVIRT_PRT_virbr0 \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
-- 
2.19.2



