virNetworkObjList networks;
- iptablesContext *iptables;
char *networkConfigDir;
char *networkAutostartDir;
char *stateDir;
virNetworkObjPtr network);
static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network);
+ virNetworkObjPtr network);
static int networkStartNetworkExternal(struct network_driver *driver,
virNetworkObjPtr network);
}
}
- if (!(driverState->iptables = iptablesContextNew())) {
- goto out_of_memory;
- }
-
/* if this fails now, it will be retried later with dnsmasqCapsRefresh() */
driverState->dnsmasqCaps = dnsmasqCapsNewFromBinary(DNSMASQ);
VIR_FREE(driverState->dnsmasqStateDir);
VIR_FREE(driverState->radvdStateDir);
- if (driverState->iptables)
- iptablesContextFree(driverState->iptables);
-
virObjectUnref(driverState->dnsmasqCaps);
networkDriverUnlock(driverState);
}
static int
-networkAddMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
}
/* allow forwarding packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
/* allow forwarding packets to the bridge interface if they are
* part of an existing connection
*/
- if (iptablesAddForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
*/
/* First the generic masquerade rule for other protocols */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
}
/* UDP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
}
/* TCP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
return 0;
masqerr5:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
masqerr4:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
masqerr3:
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
masqerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
}
static void
-networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"tcp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
}
static int
-networkAddRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
}
/* allow routing packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
}
/* allow routing packets to the bridge interface */
- if (iptablesAddForwardAllowIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
return 0;
routeerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
}
static void
-networkRemoveRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardAllowIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
* If any IPv6 addresses are defined, then add the rules for regular operation.
*/
static int
-networkAddGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block outbound traffic from '%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block inbound traffic to '%s'"),
network->def->bridge);
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow cross bridge traffic on '%s'"),
network->def->bridge);
return 0;
/* allow DNS over IPv6 */
- if (iptablesAddTcpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err4;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err5;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 547) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DHCP6 requests from '%s'"),
network->def->bridge);
/* unwind in reverse order from the point of failure */
err6:
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
err5:
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
err4:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
err3:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
err2:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
err1:
return -1;
}
static void
-networkRemoveGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
!network->def->ipv6nogw) {
return;
}
if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 547);
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
}
/* the following rules are there if no IPv6 address has been defined
* but network->def->ipv6nogw == true
*/
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
}
static int
-networkAddGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
/* allow DHCP requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
*/
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) &&
- (iptablesAddOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68) < 0)) {
+ (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) {
VIR_WARN("Could not add rule to fixup DHCP response checksums "
"on network '%s'.", network->def->name);
VIR_WARN("May need to update iptables package & kernel to support CHECKSUM rule.");
}
/* allow DNS requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err3;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
/* allow TFTP requests through to dnsmasq if necessary */
if (ipv4def && ipv4def->tftproot &&
- iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 69) < 0) {
+ iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow TFTP requests from '%s'"),
network->def->bridge);
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block outbound traffic from '%s'"),
network->def->bridge);
goto err6;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block inbound traffic to '%s'"),
network->def->bridge);
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow cross bridge traffic on '%s'"),
network->def->bridge);
}
/* add IPv6 general rules, if needed */
- if (networkAddGeneralIp6tablesRules(driver, network) < 0) {
+ if (networkAddGeneralIp6tablesRules(network) < 0) {
goto err9;
}
/* unwind in reverse order from the point of failure */
err9:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
err8:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
err7:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
err6:
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
err5:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
err4:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
err3:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
err2:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
err1:
return -1;
}
static void
-networkRemoveGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
- networkRemoveGeneralIp6tablesRules(driver, network);
+ networkRemoveGeneralIp6tablesRules(network);
for (ii = 0;
(ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, ii));
break;
}
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) {
- iptablesRemoveOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68);
+ iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
}
static int
-networkAddIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
/* NB: in the case of IPv6, routing rules are added when the
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- return networkAddMasqueradingIptablesRules(driver, network, ipdef);
+ return networkAddMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
}
return 0;
}
static void
-networkRemoveIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- networkRemoveMasqueradingIptablesRules(driver, network, ipdef);
+ networkRemoveMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
}
}
/* Add all rules for all ip addresses (and general rules) on a network */
static int
-networkAddIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
virErrorPtr orig_error;
/* Add "once per network" rules */
- if (networkAddGeneralIptablesRules(driver, network) < 0)
+ if (networkAddGeneralIptablesRules(network) < 0)
return -1;
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
/* Add address-specific iptables rules */
- if (networkAddIpSpecificIptablesRules(driver, network, ipdef) < 0) {
+ if (networkAddIpSpecificIptablesRules(network, ipdef) < 0) {
goto err;
}
}
*/
while ((--ii >= 0) &&
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii))) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
/* return the original error */
virSetError(orig_error);
/* Remove all rules for all ip addresses (and general rules) on a network */
static void
-networkRemoveIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
}
static void
/* Only the three L3 network types that are configured by libvirt
* need to have iptables rules reloaded.
*/
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0) {
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0) {
/* failed to add but already logged */
}
}
goto err1;
/* Add "once per network" rules */
- if (networkAddIptablesRules(driver, network) < 0)
+ if (networkAddIptablesRules(network) < 0)
goto err1;
for (ii = 0;
err2:
if (!save_err)
save_err = virSaveLastError();
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
err1:
if (!save_err)
return -1;
}
-static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network)
+static int networkShutdownNetworkVirtual(struct network_driver *driver ATTRIBUTE_UNUSED,
+ virNetworkObjPtr network)
{
virNetDevBandwidthClear(network->def->bridge);
ignore_value(virNetDevSetOnline(network->def->bridge, 0));
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
ignore_value(virNetDevBridgeDelete(network->def->bridge));
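Review bot: networkShutdownNetworkVirtual is the only function in this file whose `driver` parameter survives the change (now marked ATTRIBUTE_UNUSED) while every other helper drops it; the forward declaration near the top of the file keeps it as well. That looks deliberate — sibling helpers such as networkStartNetworkExternal still take `driver` — but nothing in the hunk says so. A one-line comment on the definition would stop the next cleanup from removing it, or from reintroducing a driver dependency because the parameter is there: `/* driver is unused since iptables rules need no context; kept for signature parity with the other networkStart*/Shutdown* helpers */`. The body of networkShutdownNetworkVirtual continues past the end of this hunk.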
network->def->forward.type == VIR_NETWORK_FORWARD_NAT ||
network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {
/* these could affect the iptables rules */
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0)
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0)
goto cleanup;
}
REMOVE
};
-typedef struct
-{
- char *table;
- char *chain;
-} iptRules;
-
-struct _iptablesContext
-{
- iptRules *input_filter;
- iptRules *forward_filter;
- iptRules *nat_postrouting;
- iptRules *mangle_postrouting;
-};
-
-static void
-iptRulesFree(iptRules *rules)
-{
- VIR_FREE(rules->table);
- VIR_FREE(rules->chain);
- VIR_FREE(rules);
-}
-
-static iptRules *
-iptRulesNew(const char *table,
- const char *chain)
-{
- iptRules *rules;
-
- if (VIR_ALLOC(rules) < 0)
- return NULL;
-
- if (VIR_STRDUP(rules->table, table) < 0)
- goto error;
-
- if (VIR_STRDUP(rules->chain, chain) < 0)
- goto error;
-
- return rules;
-
- error:
- iptRulesFree(rules);
- return NULL;
-}
-
static virCommandPtr
-iptablesCommandNew(iptRules *rules, int family, int action)
+iptablesCommandNew(const char *table, const char *chain, int family, int action)
{
virCommandPtr cmd = NULL;
#if HAVE_FIREWALLD
? IP6TABLES_PATH : IPTABLES_PATH);
}
- virCommandAddArgList(cmd, "--table", rules->table,
+ virCommandAddArgList(cmd, "--table", table,
action == ADD ? "--insert" : "--delete",
- rules->chain, NULL);
+ chain, NULL);
return cmd;
}
}
static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int family, int action,
+iptablesAddRemoveRule(const char *table, const char *chain, int family, int action,
const char *arg, ...)
{
va_list args;
virCommandPtr cmd = NULL;
const char *s;
- cmd = iptablesCommandNew(rules, family, action);
+ cmd = iptablesCommandNew(table, chain, family, action);
virCommandAddArg(cmd, arg);
va_start(args, arg);
return iptablesCommandRunAndFree(cmd);
}
-/**
- * iptablesContextNew:
- *
- * Create a new IPtable context
- *
- * Returns a pointer to the new structure or NULL in case of error
- */
-iptablesContext *
-iptablesContextNew(void)
-{
- iptablesContext *ctx;
-
- if (VIR_ALLOC(ctx) < 0)
- return NULL;
-
- if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
- goto error;
-
- if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD")))
- goto error;
-
- if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING")))
- goto error;
-
- if (!(ctx->mangle_postrouting = iptRulesNew("mangle", "POSTROUTING")))
- goto error;
-
- return ctx;
-
- error:
- iptablesContextFree(ctx);
- return NULL;
-}
-
-/**
- * iptablesContextFree:
- * @ctx: pointer to the IP table context
- *
- * Free the resources associated with an IP table context
- */
-void
-iptablesContextFree(iptablesContext *ctx)
-{
- if (ctx->input_filter)
- iptRulesFree(ctx->input_filter);
- if (ctx->forward_filter)
- iptRulesFree(ctx->forward_filter);
- if (ctx->nat_postrouting)
- iptRulesFree(ctx->nat_postrouting);
- if (ctx->mangle_postrouting)
- iptRulesFree(ctx->mangle_postrouting);
- VIR_FREE(ctx);
-}
-
static int
-iptablesInput(iptablesContext *ctx,
- int family,
+iptablesInput(int family,
const char *iface,
int port,
int action,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->input_filter,
+ return iptablesAddRemoveRule("filter", "INPUT",
family,
action,
"--in-interface", iface,
*/
int
-iptablesAddTcpInput(iptablesContext *ctx,
- int family,
+iptablesAddTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 1);
+ return iptablesInput(family, iface, port, ADD, 1);
}
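Review bot: If the Doxygen block above iptablesAddTcpInput still carries an `@ctx: pointer to the IP table context` line, it is now stale: the hunk removes the parameter but shows no change to the comment, and the same applies to every other public `iptablesAdd*`/`iptablesRemove*` function in this file whose signature loses `ctx`. Only the closing `*/` of that comment is inside the hunk, so I cannot see the rest of it; please check and drop the `@ctx` line wherever the parameter went away.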
/**
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveTcpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 1);
+ return iptablesInput(family, iface, port, REMOVE, 1);
}
/**
*/
int
-iptablesAddUdpInput(iptablesContext *ctx,
- int family,
+iptablesAddUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 0);
+ return iptablesInput(family, iface, port, ADD, 0);
}
/**
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveUdpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 0);
+ return iptablesInput(family, iface, port, REMOVE, 0);
}
* to proceed to WAN
*/
static int
-iptablesForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- cmd = iptablesCommandNew(ctx->forward_filter,
+ cmd = iptablesCommandNew("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action);
virCommandAddArgList(cmd,
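Review bot: The table and chain names are now bare string literals repeated at every call site — `"filter", "FORWARD"` here and again in iptablesForwardAllowRelatedIn, iptablesForwardAllowIn, iptablesForwardAllowCross, iptablesForwardRejectOut and iptablesForwardRejectIn below, `"filter", "INPUT"` in iptablesInput, `"nat", "POSTROUTING"` in iptablesForwardMasquerade and `"mangle", "POSTROUTING"` in iptablesOutputFixUdpChecksum. The removed iptRules/iptablesContext code spelled each name exactly once; a typo in one of these literals now compiles cleanly and only surfaces when the iptables binary rejects the command (the callers in bridge_driver.c then report VIR_ERR_SYSTEM_ERROR and unwind), so the single spelling is worth keeping. Hoisting them into file-scope constants does that, e.g. `static const char IPT_TABLE_FILTER[] = "filter";` and `static const char IPT_CHAIN_FORWARD[] = "FORWARD";`, then `cmd = iptablesCommandNew(IPT_TABLE_FILTER, IPT_CHAIN_FORWARD, VIR_SOCKET_ADDR_FAMILY(netaddr), action);`. The body of iptablesForwardAllowOut continues past the end of this hunk.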
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD);
}
/**
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE);
}
* and associated with an existing connection
*/
static int
-iptablesForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD);
}
/**
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
-iptablesForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD);
}
/**
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE);
}
* with a valid network address
*/
static int
-iptablesForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesForwardAllowCross(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesAddForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, ADD);
+ return iptablesForwardAllowCross(family, iface, ADD);
}
/**
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, REMOVE);
+ return iptablesForwardAllowCross(family, iface, REMOVE);
}
* ie the bridge is the in interface
*/
static int
-iptablesForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesForwardRejectOut(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, ADD);
+ return iptablesForwardRejectOut(family, iface, ADD);
}
/**
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectOut(family, iface, REMOVE);
}
* ie the bridge is the out interface
*/
static int
-iptablesForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesForwardRejectIn(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--out-interface", iface,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, ADD);
+ return iptablesForwardRejectIn(family, iface, ADD);
}
/**
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectIn(family, iface, REMOVE);
}
* with the bridge
*/
static int
-iptablesForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
}
}
- cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
+ cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
virCommandAddArgList(cmd, "--source", networkstr, NULL);
if (protocol && protocol[0])
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, ADD);
}
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, REMOVE);
}
static int
-iptablesOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesOutputFixUdpChecksum(const char *iface,
int port,
int action)
{
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->mangle_postrouting,
+ return iptablesAddRemoveRule("mangle", "POSTROUTING",
AF_INET,
action,
"--out-interface", iface,
*/
int
-iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesAddOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, ADD);
+ return iptablesOutputFixUdpChecksum(iface, port, ADD);
}
/**
* return an error, which should be ignored)
*/
int
-iptablesRemoveOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesRemoveOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, REMOVE);
+ return iptablesOutputFixUdpChecksum(iface, port, REMOVE);
}