#include "virerror.h"
#include "virlog.h"
#include "virhash.h"
+#include "virenum.h"
#include "network_iptables.h"
VIR_LOG_INIT("network.iptables");
#define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
#define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
-enum {
- VIR_NETFILTER_INSERT = 0,
- VIR_NETFILTER_DELETE
-};
+typedef enum {
+ IPTABLES_ACTION_INSERT,
+ IPTABLES_ACTION_APPEND,
+ IPTABLES_ACTION_DELETE,
+
+ IPTABLES_ACTION_LAST
+} iptablesAction;
+
+VIR_ENUM_DECL(iptablesAction);
+VIR_ENUM_IMPL(iptablesAction,
+ IPTABLES_ACTION_LAST,
+ "--insert",
+ "--append",
+ "--delete",
+);
typedef struct {
const char *parent;
virFirewallLayer layer,
const char *iface,
int port,
- int action,
+ iptablesAction action,
int tcp)
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
virFirewallLayer layer,
const char *iface,
int port,
- int action,
+ iptablesAction action,
int tcp)
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1);
}
/**
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1);
}
/**
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0);
}
/**
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
+ iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0);
}
/**
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1);
}
/**
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1);
}
/**
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0);
}
/**
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
+ iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0);
}
unsigned int prefix,
const char *iface,
const char *physdev,
- int action)
+ iptablesAction action)
{
g_autofree char *networkstr = NULL;
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
else
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
const char *physdev)
{
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
const char *physdev)
{
return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
unsigned int prefix,
const char *iface,
const char *physdev,
- int action)
+ iptablesAction action)
{
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
else
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
const char *physdev)
{
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
const char *physdev)
{
return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
/* Allow all traffic destined to the bridge, with a valid network address
unsigned int prefix,
const char *iface,
const char *physdev,
- int action)
+ iptablesAction action)
{
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
else
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
const char *physdev)
{
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
const char *physdev)
{
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
static void
iptablesForwardAllowCross(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
- int action)
+ iptablesAction action)
{
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT);
+ iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_INSERT);
}
/**
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE);
+ iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_DELETE);
}
static void
iptablesForwardRejectOut(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
- int action)
+ iptablesAction action)
{
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT);
+ iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_INSERT);
}
/**
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE);
+ iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_DELETE);
}
iptablesForwardRejectIn(virFirewall *fw,
virFirewallLayer layer,
const char *iface,
- int action)
+ iptablesAction action)
{
virFirewallAddCmd(fw, layer,
"--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT);
+ iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_INSERT);
}
/**
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE);
+ iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_DELETE);
}
virSocketAddrRange *addr,
virPortRange *port,
const char *protocol,
- int action)
+ iptablesAction action)
{
g_autofree char *networkstr = NULL;
g_autofree char *addrStartStr = NULL;
if (protocol && protocol[0]) {
fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"-p", protocol,
} else {
fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"!", "--destination", networkstr,
{
return iptablesForwardMasquerade(fw, netaddr, prefix,
physdev, addr, port, protocol,
- VIR_NETFILTER_INSERT);
+ IPTABLES_ACTION_INSERT);
}
/**
{
return iptablesForwardMasquerade(fw, netaddr, prefix,
physdev, addr, port, protocol,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
unsigned int prefix,
const char *physdev,
const char *destaddr,
- int action)
+ iptablesAction action)
{
g_autofree char *networkstr = NULL;
virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
if (physdev && physdev[0])
virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
else
virFirewallAddCmd(fw, layer,
"--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
const char *destaddr)
{
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
- physdev, destaddr, VIR_NETFILTER_INSERT);
+ physdev, destaddr, IPTABLES_ACTION_INSERT);
}
/**
{
return iptablesForwardDontMasquerade(fw, netaddr, prefix,
physdev, destaddr,
- VIR_NETFILTER_DELETE);
+ IPTABLES_ACTION_DELETE);
}
iptablesOutputFixUdpChecksum(virFirewall *fw,
const char *iface,
int port,
- int action)
+ iptablesAction action)
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ iptablesActionTypeToString(action),
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT);
+ iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_INSERT);
}
/**
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE);
+ iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_DELETE);
}
projects / libvirt.git / commitdiff