AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH])
AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary])
+AC_PATH_PROG([IP6TABLES_PATH], [ip6tables], /sbin/ip6tables, [/usr/sbin:$PATH])
+AC_DEFINE_UNQUOTED([IP6TABLES_PATH], "$IP6TABLES_PATH", [path to ip6tables binary])
+
AC_PATH_PROG([EBTABLES_PATH], [ebtables], /sbin/ebtables, [/usr/sbin:$PATH])
AC_DEFINE_UNQUOTED([EBTABLES_PATH], "$EBTABLES_PATH", [path to ebtables binary])
/* allow DHCP requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, network->def->bridge, 67) < 0) {
+ if (iptablesAddTcpInput(driver->iptables, AF_INET,
+ network->def->bridge, 67) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
goto err1;
}
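Review bot: Every iptables call in this and the following hunks of the network driver, including the unwind labels and the teardown that removes the rules, hard-codes `AF_INET`, so after this change the iptables helpers accept AF_INET6 while an IPv6-addressed network still receives no INPUT/FORWARD rules from this driver, as far as these hunks show. That is presumably deliberate staging, but nothing in the code records it, and a reader comparing the two files will look for the missing AF_INET6 path. A one-line comment at the top of the rule-adding function would settle it, e.g. `/* Only IPv4 filter rules are installed here; IPv6 networks need AF_INET6 equivalents */`. The enclosing functions start outside the hunks.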
- if (iptablesAddUdpInput(driver->iptables, network->def->bridge, 67) < 0) {
+ if (iptablesAddUdpInput(driver->iptables, AF_INET,
+ network->def->bridge, 67) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
}
/* allow DNS requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(driver->iptables, AF_INET,
+ network->def->bridge, 53) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err3;
}
- if (iptablesAddUdpInput(driver->iptables, network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(driver->iptables, AF_INET,
+ network->def->bridge, 53) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
/* allow TFTP requests through to dnsmasq if necessary */
if (ipv4def && ipv4def->tftproot &&
- iptablesAddUdpInput(driver->iptables, network->def->bridge, 69) < 0) {
+ iptablesAddUdpInput(driver->iptables, AF_INET,
+ network->def->bridge, 69) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow TFTP requests from '%s'"),
network->def->bridge);
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(driver->iptables, AF_INET,
+ network->def->bridge) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block outbound traffic from '%s'"),
network->def->bridge);
goto err6;
}
- if (iptablesAddForwardRejectIn(driver->iptables, network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(driver->iptables, AF_INET,
+ network->def->bridge) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block inbound traffic to '%s'"),
network->def->bridge);
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(driver->iptables, AF_INET,
+ network->def->bridge) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow cross bridge traffic on '%s'"),
network->def->bridge);
/* unwind in reverse order from the point of failure */
err8:
- iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge);
+ iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
err7:
- iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge);
+ iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
err6:
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69);
+ iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
}
err5:
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
+ iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
err4:
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
+ iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
err3:
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
+ iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
err2:
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
+ iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
err1:
return -1;
}
break;
}
- iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge);
+ iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69);
+ iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
}
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
+ iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) {
iptablesRemoveOutputFixUdpChecksum(driver->iptables,
network->def->bridge, 68);
}
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
+ iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
}
static int
}
static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
+iptablesAddRemoveRule(iptRules *rules, int family, int action,
+ const char *arg, ...)
{
va_list args;
int ret;
virCommandPtr cmd;
const char *s;
- cmd = virCommandNew(IPTABLES_PATH);
+ cmd = virCommandNew((family == AF_INET6)
+ ? IP6TABLES_PATH : IPTABLES_PATH);
+
virCommandAddArgList(cmd, "--table", rules->table,
action == ADD ? "--insert" : "--delete",
rules->chain, arg, NULL);
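Review bot: The binary selection `cmd = virCommandNew((family == AF_INET6) ? IP6TABLES_PATH : IPTABLES_PATH);` treats every family other than AF_INET6 as IPv4, so a caller that hands in an unexpected value (later hunks pass `VIR_SOCKET_FAMILY(netaddr)` straight through) would silently install an IPv4 rule rather than fail. A guard ahead of the call keeps the error where it belongs: `if (family != AF_INET && family != AF_INET6) { iptablesError(VIR_ERR_INTERNAL_ERROR, _("unsupported address family %d"), family); return -1; }`. The new `family` parameter is also undocumented; a comment on the signature such as `/* family: AF_INET selects iptables, AF_INET6 selects ip6tables */` would help. The body of iptablesAddRemoveRule continues outside the hunk.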
static int
iptablesInput(iptablesContext *ctx,
+ int family,
const char *iface,
int port,
int action,
portstr[sizeof(portstr) - 1] = '\0';
return iptablesAddRemoveRule(ctx->input_filter,
+ family,
action,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
int
iptablesAddTcpInput(iptablesContext *ctx,
+ int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, iface, port, ADD, 1);
+ return iptablesInput(ctx, family, iface, port, ADD, 1);
}
/**
*/
int
iptablesRemoveTcpInput(iptablesContext *ctx,
+ int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, iface, port, REMOVE, 1);
+ return iptablesInput(ctx, family, iface, port, REMOVE, 1);
}
/**
int
iptablesAddUdpInput(iptablesContext *ctx,
+ int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, iface, port, ADD, 0);
+ return iptablesInput(ctx, family, iface, port, ADD, 0);
}
/**
*/
int
iptablesRemoveUdpInput(iptablesContext *ctx,
+ int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, iface, port, REMOVE, 0);
+ return iptablesInput(ctx, family, iface, port, REMOVE, 0);
}
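Review bot: The `/** ... */` blocks preceding iptablesAddTcpInput, iptablesRemoveTcpInput, iptablesAddUdpInput and iptablesRemoveUdpInput are elided in this hunk, and none of the visible lines document the new `family` argument. If those blocks enumerate parameters, each should gain a line along the lines of `@family: address family of the rule, AF_INET or AF_INET6`, and the same applies to the ForwardAllowCross/RejectIn/RejectOut wrappers in the later hunks of this file.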
char *netstr;
char *ret;
- if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET)) {
+ if (!(VIR_SOCKET_IS_FAMILY(netaddr, AF_INET) ||
+ VIR_SOCKET_IS_FAMILY(netaddr, AF_INET6))) {
iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("Only IPv4 addresses can be used with iptables"));
+ _("Only IPv4 or IPv6 addresses can be used with iptables"));
return NULL;
}
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--source", networkstr,
"--in-interface", iface,
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--source", networkstr,
"--in-interface", iface,
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--destination", networkstr,
"--in-interface", physdev,
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--destination", networkstr,
"--out-interface", iface,
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--destination", networkstr,
"--in-interface", physdev,
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--destination", networkstr,
"--out-interface", iface,
*/
static int
iptablesForwardAllowCross(iptablesContext *ctx,
+ int family,
const char *iface,
int action)
{
return iptablesAddRemoveRule(ctx->forward_filter,
+ family,
action,
"--in-interface", iface,
"--out-interface", iface,
*/
int
iptablesAddForwardAllowCross(iptablesContext *ctx,
- const char *iface) {
- return iptablesForwardAllowCross(ctx, iface, ADD);
+ int family,
+ const char *iface)
+{
+ return iptablesForwardAllowCross(ctx, family, iface, ADD);
}
/**
*/
int
iptablesRemoveForwardAllowCross(iptablesContext *ctx,
- const char *iface) {
- return iptablesForwardAllowCross(ctx, iface, REMOVE);
+ int family,
+ const char *iface)
+{
+ return iptablesForwardAllowCross(ctx, family, iface, REMOVE);
}
*/
static int
iptablesForwardRejectOut(iptablesContext *ctx,
+ int family,
const char *iface,
int action)
{
return iptablesAddRemoveRule(ctx->forward_filter,
- action,
- "--in-interface", iface,
- "--jump", "REJECT",
- NULL);
+ family,
+ action,
+ "--in-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
*/
int
iptablesAddForwardRejectOut(iptablesContext *ctx,
+ int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, iface, ADD);
+ return iptablesForwardRejectOut(ctx, family, iface, ADD);
}
/**
*/
int
iptablesRemoveForwardRejectOut(iptablesContext *ctx,
+ int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, iface, REMOVE);
+ return iptablesForwardRejectOut(ctx, family, iface, REMOVE);
}
*/
static int
iptablesForwardRejectIn(iptablesContext *ctx,
+ int family,
const char *iface,
int action)
{
return iptablesAddRemoveRule(ctx->forward_filter,
+ family,
action,
"--out-interface", iface,
"--jump", "REJECT",
*/
int
iptablesAddForwardRejectIn(iptablesContext *ctx,
+ int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, iface, ADD);
+ return iptablesForwardRejectIn(ctx, family, iface, ADD);
}
/**
*/
int
iptablesRemoveForwardRejectIn(iptablesContext *ctx,
+ int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, iface, REMOVE);
+ return iptablesForwardRejectIn(ctx, family, iface, REMOVE);
}
if (protocol && protocol[0]) {
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--source", networkstr,
"-p", protocol,
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--source", networkstr,
"-p", protocol,
} else {
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
+ VIR_SOCKET_FAMILY(netaddr),
action,
"--source", networkstr,
"!", "--destination", networkstr,
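Review bot: Passing `VIR_SOCKET_FAMILY(netaddr)` into the nat_postrouting rule means an IPv6 network that reaches this path will run `ip6tables --table nat`, which is not available on kernels without IPv6 NAT support (anything older than 3.7), so the failure would only surface as a command error at rule-insertion time. The start of this function is outside the hunk, so it is not visible whether AF_INET6 is rejected before this point; if it is not, either reject it explicitly with `if (VIR_SOCKET_IS_FAMILY(netaddr, AF_INET6)) { iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("IPv6 NAT is not supported")); return -1; }` or record the dependency in a comment above the call.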
portstr[sizeof(portstr) - 1] = '\0';
return iptablesAddRemoveRule(ctx->mangle_postrouting,
+ AF_INET,
action,
"--out-interface", iface,
"--protocol", "udp",
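Review bot: This mangle_postrouting rule keeps a hard-coded `AF_INET` while every other helper in the file now takes a family argument, and the caller in the network driver (iptablesRemoveOutputFixUdpChecksum with port 68) was likewise left without one. That looks intentional, since the rule is keyed on the DHCPv4 client port, but it deserves a comment so the asymmetry is not mistaken for an omission, e.g. `/* AF_INET on purpose: this checksum-fill rule only matters for DHCPv4 clients (UDP port 68) */`. The enclosing function starts outside the hunk.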
void iptablesContextFree (iptablesContext *ctx);
int iptablesAddTcpInput (iptablesContext *ctx,
+ int family,
const char *iface,
int port);
int iptablesRemoveTcpInput (iptablesContext *ctx,
+ int family,
const char *iface,
int port);
int iptablesAddUdpInput (iptablesContext *ctx,
+ int family,
const char *iface,
int port);
int iptablesRemoveUdpInput (iptablesContext *ctx,
+ int family,
const char *iface,
int port);
const char *physdev);
int iptablesAddForwardAllowCross (iptablesContext *ctx,
+ int family,
const char *iface);
int iptablesRemoveForwardAllowCross (iptablesContext *ctx,
+ int family,
const char *iface);
int iptablesAddForwardRejectOut (iptablesContext *ctx,
+ int family,
const char *iface);
int iptablesRemoveForwardRejectOut (iptablesContext *ctx,
+ int family,
const char *iface);
int iptablesAddForwardRejectIn (iptablesContext *ctx,
+ int family,
const char *iface);
int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
+ int family,
const char *iface);
int iptablesAddForwardMasquerade (iptablesContext *ctx,