#define PROC_NET_ROUTE "/proc/net/route"
-static virErrorPtr errInit;
+static virErrorPtr errInitV4;
+static virErrorPtr errInitV6;
void networkPreReloadFirewallRules(bool startup)
{
+ bool created = false;
int rc;
/* We create global rules upfront as we don't want
* of starting the network though as that makes them
* more likely to be seen by a human
*/
- rc = iptablesSetupPrivateChains();
+ rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
if (rc < 0) {
- errInit = virSaveLastError();
+ errInitV4 = virSaveLastError();
virResetLastError();
}
+ if (rc)
+ created = true;
+
+ rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
+ if (rc < 0) {
+ errInitV6 = virSaveLastError();
+ virResetLastError();
+ }
+ if (rc)
+ created = true;
/*
* If this is initial startup, and we just created the
* rules will be present. Thus we can safely just tell it
* to always delete from the builin chain
*/
- if (startup && rc == 1)
+ if (startup && created)
iptablesSetDeletePrivate(false);
}
virFirewallPtr fw = NULL;
int ret = -1;
- if (errInit) {
- virSetError(errInit);
+ if (errInitV4 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
+ virSetError(errInitV4);
+ return -1;
+ }
+
+ if (errInitV6 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
+ def->ipv6nogw)) {
+ virSetError(errInitV6);
return -1;
}
int
-iptablesSetupPrivateChains(void)
+iptablesSetupPrivateChains(virFirewallLayer layer)
{
virFirewallPtr fw = NULL;
int ret = -1;
};
bool changed = false;
iptablesGlobalChainData data[] = {
- { VIR_FIREWALL_LAYER_IPV4, "filter",
+ { layer, "filter",
filter_chains, ARRAY_CARDINALITY(filter_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV4, "nat",
+ { layer, "nat",
natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV4, "mangle",
- natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV6, "filter",
- filter_chains, ARRAY_CARDINALITY(filter_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV6, "nat",
- natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV6, "mangle",
+ { layer, "mangle",
natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
};
size_t i;
# include "virsocketaddr.h"
# include "virfirewall.h"
-int iptablesSetupPrivateChains (void);
+int iptablesSetupPrivateChains (virFirewallLayer layer);
void iptablesSetDeletePrivate (bool pvt);
projects / libvirt.git / commitdiff