[libvirt PATCH v2 1/3] util: add support for IPv6 masquerade rules

Laine Stump laine at redhat.com
Tue Jun 9 23:10:03 UTC 2020


(or: "Remove hardcoding to IPv4 in function that creates masquerade 
rules" :-)

On 6/9/20 12:17 PM, Daniel P. Berrangé wrote:
> IPv6 has supported masquerade since Linux 3.9.0 / ip6tables 1.4.18,
> which are Fedora 18 / RHEL-7 vintage and so cover all our supported
> Linux versions.
>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>   src/util/viriptables.c | 33 +++++++++++----------------------
>   1 file changed, 11 insertions(+), 22 deletions(-)
>
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index e6a1ded8d5..8ccce835b2 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -854,29 +854,24 @@ iptablesForwardMasquerade(virFirewallPtr fw,
>       g_autofree char *portRangeStr = NULL;
>       g_autofree char *natRangeStr = NULL;
>       virFirewallRulePtr rule;
> +    int af = VIR_SOCKET_ADDR_FAMILY(netaddr);
> +    virFirewallLayer layer = af == AF_INET ?
> +        VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
>   
>       if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
>           return -1;
>   
> -    if (!VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET)) {
> -        /* Higher level code *should* guaranteee it's impossible to get here. */
> -        virReportError(VIR_ERR_INTERNAL_ERROR,
> -                       _("Attempted to NAT '%s'. NAT is only supported for IPv4."),
> -                       networkstr);
> -        return -1;
> -    }
> -
> -    if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, AF_INET)) {
> +    if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) {
>           if (!(addrStartStr = virSocketAddrFormat(&addr->start)))
>               return -1;
> -        if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, AF_INET)) {
> +        if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) {
>               if (!(addrEndStr = virSocketAddrFormat(&addr->end)))
>                   return -1;
>           }
>       }
>   
>       if (protocol && protocol[0]) {
> -        rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> +        rule = virFirewallAddRule(fw, layer,
>                                     "--table", "nat",
>                                     action == ADD ? "--insert" : "--delete",
>                                     pvt ? "LIBVIRT_PRT" : "POSTROUTING",
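Review bot: The new `layer` initialiser at the top of the hunk folds every non-AF_INET family into VIR_FIREWALL_LAYER_IPV6, and the removed guard that reported VIR_ERR_INTERNAL_ERROR for an unexpected family is not replaced, so a netaddr that is neither AF_INET nor AF_INET6 would now reach virFirewallAddRule with the IPv6 layer instead of failing early (unless iptablesFormatNetwork already rejects it, which is not visible here). The same pattern appears in the iptablesForwardDontMasquerade hunk, where the ternary is computed directly from VIR_SOCKET_ADDR_FAMILY(netaddr). Keeping an explicit check after the networkstr formatting, `if (af != AF_INET && af != AF_INET6)`, that reports an internal error and returns -1 as the removed block did would preserve the old defensive behaviour for both functions while still allowing IPv6; the "higher level code should guarantee" comment can stay with it. The body of iptablesForwardMasquerade begins before and continues after this hunk.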
> @@ -885,7 +880,7 @@ iptablesForwardMasquerade(virFirewallPtr fw,
>                                     "!", "--destination", networkstr,
>                                     NULL);
>       } else {
> -        rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> +        rule = virFirewallAddRule(fw, layer,
>                                     "--table", "nat",
>                                     action == ADD ? "--insert" : "--delete",
>                                     pvt ? "LIBVIRT_PRT" : "POSTROUTING",
> @@ -1004,20 +999,14 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
>                                 int action)
>   {
>       g_autofree char *networkstr = NULL;
> +    virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
> +        VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
>   
>       if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
>           return -1;
>   
> -    if (!VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET)) {
> -        /* Higher level code *should* guaranteee it's impossible to get here. */
> -        virReportError(VIR_ERR_INTERNAL_ERROR,
> -                       _("Attempted to NAT '%s'. NAT is only supported for IPv4."),
> -                       networkstr);
> -        return -1;
> -    }
> -
>       if (physdev && physdev[0])
> -        virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> +        virFirewallAddRule(fw, layer,
>                              "--table", "nat",
>                              action == ADD ? "--insert" : "--delete",
>                              pvt ? "LIBVIRT_PRT" : "POSTROUTING",
> @@ -1027,7 +1016,7 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
>                              "--jump", "RETURN",
>                              NULL);
>       else
> -        virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
> +        virFirewallAddRule(fw, layer,
>                              "--table", "nat",
>                              action == ADD ? "--insert" : "--delete",
>                              pvt ? "LIBVIRT_PRT" : "POSTROUTING",


It's nice that adding capability is done by *removing* code rather than 
adding it!


Reviewed-by: Laine Stump <laine at redhat.com>



