"icmp",
"igmp",
"udp",
+ "udplite",
+ "esp",
+ "ah",
"sctp",
"all");
} , {
.attr = IPPROTO_UDP,
.val = "udp",
+#ifdef IPPROTO_UDPLITE
+ } , {
+ .attr = IPPROTO_UDPLITE,
+ .val = "udplite",
+#endif
+ } , {
+ .attr = IPPROTO_ESP,
+ .val = "esp",
+ } , {
+ .attr = IPPROTO_AH,
+ .val = "ah",
} , {
.attr = IPPROTO_ICMP,
.val = "icmp",
}
};
+static const virXMLAttr2Struct udpliteAttributes[] = {
+ COMMON_IP_PROPS(udpliteHdrFilter),
+ {
+ .name = NULL,
+ }
+};
+
+static const virXMLAttr2Struct espAttributes[] = {
+ COMMON_IP_PROPS(espHdrFilter),
+ {
+ .name = NULL,
+ }
+};
+
+static const virXMLAttr2Struct ahAttributes[] = {
+ COMMON_IP_PROPS(ahHdrFilter),
+ {
+ .name = NULL,
+ }
+};
static const virXMLAttr2Struct sctpAttributes[] = {
COMMON_IP_PROPS(sctpHdrFilter),
.id = "udp",
.att = udpAttributes,
.prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDP,
+ }, {
+ .id = "udplite",
+ .att = udpliteAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+ }, {
+ .id = "esp",
+ .att = espAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_ESP,
+ }, {
+ .id = "ah",
+ .att = ahAttributes,
+ .prtclType = VIR_NWFILTER_RULE_PROTOCOL_AH,
}, {
.id = "sctp",
.att = sctpAttributes,
rule->p.udpHdrFilter.portData.dataSrcPortStart);
break;
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.udpliteHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.udpliteHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.udpliteHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.udpliteHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.udpliteHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.espHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.espHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.espHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.espHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.espHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPMask,
+ rule->p.ahHdrFilter.ipHdr.dataSrcIPAddr);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPMask,
+ rule->p.ahHdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataSrcIPTo,
+ rule->p.ahHdrFilter.ipHdr.dataSrcIPFrom);
+ COPY_NEG_SIGN(rule->p.ahHdrFilter.ipHdr.dataDstIPTo,
+ rule->p.ahHdrFilter.ipHdr.dataDstIPFrom);
+ break;
+
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
COPY_NEG_SIGN(rule->p.sctpHdrFilter.ipHdr.dataSrcIPMask,
rule->p.sctpHdrFilter.ipHdr.dataSrcIPAddr);
};
+typedef struct _espHdrFilterDef espHdrFilterDef;
+typedef espHdrFilterDef *espHdrFilterDefPtr;
+struct _espHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _ahHdrFilterDef ahHdrFilterDef;
+typedef ahHdrFilterDef *ahHdrFilterDefPtr;
+struct _ahHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
+typedef struct _udpliteHdrFilterDef udpliteHdrFilterDef;
+typedef udpliteHdrFilterDef *udpliteHdrFilterDefPtr;
+struct _udpliteHdrFilterDef {
+ nwItemDesc dataSrcMACAddr;
+ ipHdrDataDef ipHdr;
+};
+
+
enum virNWFilterRuleActionType {
VIR_NWFILTER_RULE_ACTION_DROP = 0,
VIR_NWFILTER_RULE_ACTION_ACCEPT,
VIR_NWFILTER_RULE_PROTOCOL_ICMP,
VIR_NWFILTER_RULE_PROTOCOL_IGMP,
VIR_NWFILTER_RULE_PROTOCOL_UDP,
+ VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
+ VIR_NWFILTER_RULE_PROTOCOL_ESP,
+ VIR_NWFILTER_RULE_PROTOCOL_AH,
VIR_NWFILTER_RULE_PROTOCOL_SCTP,
VIR_NWFILTER_RULE_PROTOCOL_ALL,
tcpHdrFilterDef tcpHdrFilter;
icmpHdrFilterDef icmpHdrFilter;
udpHdrFilterDef udpHdrFilter;
+ udpliteHdrFilterDef udpliteHdrFilter;
+ espHdrFilterDef espHdrFilter;
+ ahHdrFilterDef ahHdrFilter;
allHdrFilterDef allHdrFilter;
igmpHdrFilterDef igmpHdrFilter;
sctpHdrFilterDef sctpHdrFilter;
goto err_exit;
break;
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p udplite");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.udpliteHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.udpliteHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p esp");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.espHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.espHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
+ virBufferVSprintf(&buf,
+ CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
+ chain);
+
+ virBufferAddLit(&buf, " -p ah");
+
+ if (iptablesHandleSrcMacAddr(conn,
+ &buf,
+ vars,
+ &rule->p.ahHdrFilter.dataSrcMACAddr,
+ directionIn))
+ goto err_exit;
+
+ if (iptablesHandleIpHdr(conn,
+ &buf,
+ vars,
+ &rule->p.ahHdrFilter.ipHdr,
+ directionIn))
+ goto err_exit;
+
+ break;
+
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
virBufferVSprintf(&buf,
CMD_DEF_PRE IPTABLES_CMD " -%%c %s %%s",
case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_UDP:
+ case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
+ case VIR_NWFILTER_RULE_PROTOCOL_ESP:
+ case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
projects / libvirt.git / commitdiff