static int
networkAddMasqueradingIptablesRules(struct network_driver *driver,
virNetworkObjPtr network) {
+ int prefix = virNetworkDefPrefix(network->def);
+
+ if (prefix < 0) {
+ networkReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid prefix or netmask for '%s'"),
+ network->def->bridge);
+ goto masqerr1;
+ }
/* allow forwarding packets from the bridge interface */
if (iptablesAddForwardAllowOut(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
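Review bot: The prefix validation at lines 4-11 is repeated verbatim in networkAddRoutingIptablesRules (lines 84-91) and in the removal path (lines 119-126), each wired to its own error label; a small static helper such as `static int networkGetValidPrefix(virNetworkDefPtr def)` that performs the virNetworkDefPrefix() call plus the report and returns the prefix or -1 would keep the three sites in step when the check or message changes. The `goto masqerr1` at line 10 skips every iptablesRemove* call, which is correct only because no rule has been added yet; the body of that label lies below this hunk, so I could not confirm it is just the failure return. A prefix larger than 32 passes this check and reaches the iptables helpers as `unsigned int`, so if the intent is to rely on virSocketAddrMaskByPrefix() to reject it, say so next to the check: `/* out-of-range prefixes are rejected by virSocketAddrMaskByPrefix() */`.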
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
if (iptablesAddForwardAllowRelatedIn(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
/* First the generic masquerade rule for other protocols */
if (iptablesAddForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
NULL) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
/* UDP with a source port restriction */
if (iptablesAddForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
"udp") < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
/* TCP with a source port restriction */
if (iptablesAddForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
"tcp") < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
masqerr5:
iptablesRemoveForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
"udp");
masqerr4:
iptablesRemoveForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
NULL);
masqerr3:
iptablesRemoveForwardAllowRelatedIn(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev);
masqerr2:
iptablesRemoveForwardAllowOut(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev);
masqerr1:
static int
networkAddRoutingIptablesRules(struct network_driver *driver,
virNetworkObjPtr network) {
+ int prefix = virNetworkDefPrefix(network->def);
+
+ if (prefix < 0) {
+ networkReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid prefix or netmask for '%s'"),
+ network->def->bridge);
+ goto routeerr1;
+ }
/* allow routing packets from the bridge interface */
if (iptablesAddForwardAllowOut(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
/* allow routing packets to the bridge interface */
if (iptablesAddForwardAllowIn(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev) < 0) {
networkReportError(VIR_ERR_SYSTEM_ERROR,
routeerr2:
iptablesRemoveForwardAllowOut(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev);
routeerr1:
network->def->bridge, 68);
}
if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
+ int prefix = virNetworkDefPrefix(network->def);
+
+ if (prefix < 0) {
+ networkReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Invalid prefix or netmask for '%s'"),
+ network->def->bridge);
+ goto error;
+ }
+
if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) {
iptablesRemoveForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
"tcp");
iptablesRemoveForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
"udp");
iptablesRemoveForwardMasquerade(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->forwardDev,
NULL);
iptablesRemoveForwardAllowRelatedIn(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev);
} else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)
iptablesRemoveForwardAllowIn(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev);
iptablesRemoveForwardAllowOut(driver->iptables,
&network->def->ipAddress,
- &network->def->netmask,
+ prefix,
network->def->bridge,
network->def->forwardDev);
}
+error:
iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge);
iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge);
iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge);
{
int ret = -1, len;
unsigned int net_dest;
+ virSocketAddr netmask;
char *cur, *buf = NULL;
enum {MAX_ROUTE_SIZE = 1024*64};
- if (!VIR_SOCKET_IS_FAMILY(&network->def->ipAddress, AF_INET) ||
- !VIR_SOCKET_IS_FAMILY(&network->def->netmask, AF_INET)) {
+ if (!VIR_SOCKET_IS_FAMILY(&network->def->ipAddress, AF_INET)) {
/* Only support collision check for IPv4 */
return 0;
}
+ if (virNetworkDefNetmask(network->def, &netmask) < 0) {
+ networkReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to get netmask of '%s'"),
+ network->def->bridge);
+ }
+
net_dest = (network->def->ipAddress.data.inet4.sin_addr.s_addr &
- network->def->netmask.data.inet4.sin_addr.s_addr);
+ netmask.data.inet4.sin_addr.s_addr);
/* Read whole routing table into memory */
if ((len = virFileReadAll(PROC_NET_ROUTE, MAX_ROUTE_SIZE, &buf)) < 0)
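Review bot: When virNetworkDefNetmask() fails at line 183 the error is reported but execution falls through, so line 191 reads `netmask` uninitialized and the comparison at line 197 is made against garbage; a bad netmask would then silently defeat the route-collision check instead of failing loudly. Add `return -1;` after the networkReportError() call in that block — `buf` is still NULL at that point, so no cleanup is needed, mirroring the early `return 0;` on line 181. The head of this function and the route-parsing loop are outside the hunk.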
addr_val &= mask_val;
if ((net_dest == addr_val) &&
- (network->def->netmask.data.inet4.sin_addr.s_addr == mask_val)) {
+ (netmask.data.inet4.sin_addr.s_addr == mask_val)) {
networkReportError(VIR_ERR_INTERNAL_ERROR,
_("Network is already in use by interface %s"),
iface);
goto err_delbr;
}
- if (VIR_SOCKET_HAS_ADDR(&network->def->netmask) &&
- (err = brSetInetNetmask(driver->brctl, network->def->bridge,
- &network->def->netmask))) {
+ virSocketAddr netmask;
+
+ if (virNetworkDefNetmask(network->def, &netmask) < 0) {
+
+ networkReportError(VIR_ERR_INTERNAL_ERROR,
+ _("bridge '%s' has an invalid netmask or IP address"),
+ network->def->bridge);
+ goto err_delbr;
+ }
+
+ if ((err = brSetInetNetmask(driver->brctl, network->def->bridge,
+ &netmask))) {
virReportSystemError(err,
_("cannot set netmask on bridge '%s'"),
network->def->bridge);
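Review bot: The replaced code applied the netmask only when `VIR_SOCKET_HAS_ADDR(&network->def->netmask)` held, whereas the new block at lines 206-217 makes any virNetworkDefNetmask() failure abort bridge setup via `err_delbr`; whether a definition with an address but no explicit netmask or prefix still obtains a default from virNetworkDefNetmask() is not visible here, so please confirm this does not turn a previously accepted configuration into a start failure. The stray blank line at line 209 directly after `if (...) {` should be dropped. A one-line comment would help the next reader, e.g. `/* an IPv4 address without a usable netmask cannot be brought up on the bridge */`. The enclosing function starts and ends outside this hunk.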
static char *iptablesFormatNetwork(virSocketAddr *netaddr,
- virSocketAddr *netmask)
+ unsigned int prefix)
{
virSocketAddr network;
- int prefix;
char *netstr;
char *ret;
- if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET) ||
- !VIR_SOCKET_IS_FAMILY(netmask, AF_INET)) {
+ if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET)) {
iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Only IPv4 addresses can be used with iptables"));
return NULL;
}
network = *netaddr;
- network.data.inet4.sin_addr.s_addr &=
- netmask->data.inet4.sin_addr.s_addr;
-
- prefix = virSocketGetNumNetmaskBits(netmask);
+ if (virSocketAddrMaskByPrefix(&network, prefix) < 0) {
+ iptablesError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Failure to mask address"));
+ return NULL;
+ }
netstr = virSocketFormatAddr(&network);
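Review bot: `prefix` changed from a local `int` (line 226) to an `unsigned int` parameter (line 223), but the code that formats it into the returned string is below this hunk; if it still uses `%d`, switch it to `%u` so the conversion specifier matches the argument type. The new failure message at lines 242-243 carries no context, so an out-of-range prefix is hard to diagnose from the log; including the value, `iptablesError(VIR_ERR_INTERNAL_ERROR, _("Failure to mask address with prefix %u"), prefix);`, would fix that.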
static int
iptablesForwardAllowOut(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev,
int action)
int ret;
char *networkstr;
- if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
if (physdev && physdev[0]) {
int
iptablesAddForwardAllowOut(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, ADD);
+ return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD);
}
/**
int
iptablesRemoveForwardAllowOut(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE);
}
static int
iptablesForwardAllowRelatedIn(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev,
int action)
int ret;
char *networkstr;
- if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
if (physdev && physdev[0]) {
int
iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD);
}
/**
int
iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
static int
iptablesForwardAllowIn(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev,
int action)
int ret;
char *networkstr;
- if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
if (physdev && physdev[0]) {
int
iptablesAddForwardAllowIn(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, ADD);
+ return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD);
}
/**
int
iptablesRemoveForwardAllowIn(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
}
static int
iptablesForwardMasquerade(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *physdev,
const char *protocol,
int action)
int ret;
char *networkstr;
- if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
if (protocol && protocol[0]) {
int
iptablesAddForwardMasquerade(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *physdev,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, ADD);
+ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, ADD);
}
/**
int
iptablesRemoveForwardMasquerade(iptablesContext *ctx,
virSocketAddr *netaddr,
- virSocketAddr *netmask,
+ unsigned int prefix,
const char *physdev,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, REMOVE);
+ return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, REMOVE);
}