REMOVE
};
+static bool deletePrivate = true;
typedef struct {
const char *parent;
}
+void
+iptablesSetDeletePrivate(bool pvt)
+{
+ deletePrivate = pvt;
+}
+
+
static void
iptablesInput(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int port,
int action,
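Review bot: `deletePrivate` is a file-scope mutable flag that every `iptablesRemove*` wrapper consults while every `iptablesAdd*` wrapper hard-codes `true`, yet neither the variable nor `iptablesSetDeletePrivate` carries a comment saying when it must be set, and nothing synchronizes it. If a removal runs before the caller has decided the value, the `--delete` targets the wrong chain (LIBVIRT_* vs the builtin one), the rule is not found, and an ACCEPT/MASQUERADE rule for a torn-down network stays in place. The intended contract appears to be "rules created by this daemon always go into the private LIBVIRT_* chains; only rules inherited from an older daemon run live in INPUT/OUTPUT/FORWARD/POSTROUTING", which should be stated on the setter, e.g. `/* Set to false only when tearing down rules that a pre-private-chain daemon placed directly in the builtin chains. Must be called before any iptablesRemove* call; not thread-safe. */`. The lines immediately preceding the new `static bool` and the exact placement of the setter are not fully visible in this excerpt.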
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "INPUT",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_INP" : "INPUT",
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
static void
iptablesOutput(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int port,
int action,
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "OUTPUT",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_OUT" : "OUTPUT",
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 1);
+ iptablesInput(fw, layer, true, iface, port, ADD, 1);
}
/**
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
}
/**
const char *iface,
int port)
{
- iptablesInput(fw, layer, iface, port, ADD, 0);
+ iptablesInput(fw, layer, true, iface, port, ADD, 0);
}
/**
const char *iface,
int port)
{
- return iptablesInput(fw, layer, iface, port, REMOVE, 0);
+ iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
}
/**
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, true, iface, port, ADD, 0);
}
/**
const char *iface,
int port)
{
- iptablesOutput(fw, layer, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
}
*/
static int
iptablesForwardAllowOut(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWO" : "FORWARD",
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWO" : "FORWARD",
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD);
}
/**
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
}
*/
static int
iptablesForwardAllowRelatedIn(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev, ADD);
}
/**
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
else
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD);
}
/**
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
}
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWX" : "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, ADD);
+ iptablesForwardAllowCross(fw, layer, true, iface, ADD);
}
/**
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+ iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWO" : "FORWARD",
"--in-interface", iface,
"--jump", "REJECT",
NULL);
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, ADD);
+ iptablesForwardRejectOut(fw, layer, true, iface, ADD);
}
/**
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+ iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
+ bool pvt,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- action == ADD ? "--insert" : "--delete", "FORWARD",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_FWI" : "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
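Review bot: The REJECT rule is now inserted at the head of `LIBVIRT_FWI` rather than `FORWARD`, so whether it still wins over rules an administrator has placed in FORWARD depends entirely on where the jump from FORWARD to LIBVIRT_FWI sits, which this diff does not show; previously `--insert` into FORWARD itself guaranteed the reject came first. The relative order between this REJECT and the ACCEPT rules that `iptablesForwardAllowIn`/`iptablesForwardAllowRelatedIn` insert into the same chain is preserved, since all of them still use `--insert`. A comment at this site would make the dependency explicit, e.g. `/* Precedence over non-libvirt FORWARD rules now depends on the position of the FORWARD -> LIBVIRT_FWI jump rule */`, and the chain-setup code (outside this hunk) should be checked to insert, not append, that jump.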
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, ADD);
+ iptablesForwardRejectIn(fw, layer, true, iface, ADD);
}
/**
virFirewallLayer layer,
const char *iface)
{
- iptablesForwardRejectIn(fw, layer, iface, REMOVE);
+ iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
}
*/
static int
iptablesForwardMasquerade(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
} else {
rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--source", networkstr,
"!", "--destination", networkstr,
NULL);
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, ADD);
+ return iptablesForwardMasquerade(fw, true, netaddr, prefix,
+ physdev, addr, port, protocol, ADD);
}
/**
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
- protocol, REMOVE);
+ return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
+ physdev, addr, port, protocol, REMOVE);
}
*/
static int
iptablesForwardDontMasquerade(virFirewallPtr fw,
+ bool pvt,
virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
if (physdev && physdev[0])
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
else
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "nat",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- ADD);
+ return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
+ physdev, destaddr, ADD);
}
/**
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
- REMOVE);
+ return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
+ physdev, destaddr, REMOVE);
}
static void
iptablesOutputFixUdpChecksum(virFirewallPtr fw,
+ bool pvt,
const char *iface,
int port,
int action)
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
- action == ADD ? "--insert" : "--delete", "POSTROUTING",
+ action == ADD ? "--insert" : "--delete",
+ pvt ? "LIBVIRT_PRT" : "POSTROUTING",
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
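Review bot: `LIBVIRT_PRT` is used here in the mangle table while the masquerade and don't-masquerade sites use the same name in the nat table; iptables chain names are scoped per table, so this only works if the setup code creates a LIBVIRT_PRT chain in both tables, which is not visible in this diff. A one-line comment would keep a future maintainer from "deduplicating" the name or assuming one chain serves both, e.g. `/* LIBVIRT_PRT exists separately in the nat and mangle tables; this is the mangle-table chain */`. As with the other removal wrappers, a `deletePrivate` value of false makes the delete target the builtin POSTROUTING chain, so the CHECKSUM rule is orphaned if the flag is wrong at teardown time.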
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD);
}
/**
const char *iface,
int port)
{
- iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
}