goto error;
}
- def->network = def->ipAddress;
- def->network.data.inet4.sin_addr.s_addr &=
- def->netmask.data.inet4.sin_addr.s_addr;
-
if ((ip = virXPathNode("./ip[1]", ctxt)) &&
virNetworkIPParseXML(def, ip) < 0)
goto error;
virSocketAddr ipAddress; /* Bridge IP address */
virSocketAddr netmask;
- virSocketAddr network;
unsigned int nranges; /* Zero or more dhcp ranges */
virNetworkDHCPRangeDefPtr ranges;
int err;
/* allow forwarding packets from the bridge interface */
if ((err = iptablesAddForwardAllowOut(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev))) {
virReportSystemError(err,
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables,
- &network->def->network,
- network->def->bridge,
- network->def->forwardDev))) {
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->bridge,
+ network->def->forwardDev))) {
virReportSystemError(err,
_("failed to add iptables rule to allow forwarding to '%s'"),
network->def->bridge);
/* First the generic masquerade rule for other protocols */
if ((err = iptablesAddForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
NULL))) {
virReportSystemError(err,
/* UDP with a source port restriction */
if ((err = iptablesAddForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
"udp"))) {
virReportSystemError(err,
/* TCP with a source port restriction */
if ((err = iptablesAddForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
"tcp"))) {
virReportSystemError(err,
masqerr5:
iptablesRemoveForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
"udp");
masqerr4:
iptablesRemoveForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
NULL);
masqerr3:
iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &network->def->network,
- network->def->bridge,
- network->def->forwardDev);
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->bridge,
+ network->def->forwardDev);
masqerr2:
iptablesRemoveForwardAllowOut(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev);
masqerr1:
int err;
/* allow routing packets from the bridge interface */
if ((err = iptablesAddForwardAllowOut(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev))) {
virReportSystemError(err,
/* allow routing packets to the bridge interface */
if ((err = iptablesAddForwardAllowIn(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev))) {
virReportSystemError(err,
routeerr2:
iptablesRemoveForwardAllowOut(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev);
routeerr1:
if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) {
iptablesRemoveForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
"tcp");
iptablesRemoveForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
"udp");
iptablesRemoveForwardMasquerade(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->forwardDev,
NULL);
iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev);
} else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)
iptablesRemoveForwardAllowIn(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev);
iptablesRemoveForwardAllowOut(driver->iptables,
- &network->def->network,
+ &network->def->ipAddress,
+ &network->def->netmask,
network->def->bridge,
network->def->forwardDev);
}
#include "virterror_internal.h"
#include "logging.h"
+#define VIR_FROM_THIS VIR_FROM_NONE
#define iptablesError(code, ...) \
- virReportErrorHelper(NULL, VIR_FROM_NONE, code, __FILE__, \
+ virReportErrorHelper(NULL, VIR_FROM_THIS, code, __FILE__, \
__FUNCTION__, __LINE__, __VA_ARGS__)
enum {
}
+static char *iptablesFormatNetwork(virSocketAddr *netaddr,
+ virSocketAddr *netmask)
+{
+ virSocketAddr network;
+ int prefix;
+ char *netstr;
+ char *ret;
+
+ if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET) ||
+ !VIR_SOCKET_IS_FAMILY(netmask, AF_INET)) {
+ iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("Only IPv4 addresses can be used with iptables"));
+ return NULL;
+ }
+
+ network = *netaddr;
+ network.data.inet4.sin_addr.s_addr &=
+ netmask->data.inet4.sin_addr.s_addr;
+
+ prefix = virSocketGetNumNetmaskBits(netmask);
+
+ netstr = virSocketFormatAddr(&network);
+
+ if (!netstr)
+ return NULL;
+
+ if (virAsprintf(&ret, "%s/%d", netstr, prefix) < 0)
+ virReportOOMError();
+
+ VIR_FREE(netstr);
+ return ret;
+}
+
+
/* Allow all traffic coming from the bridge, with a valid network address
* to proceed to WAN
*/
static int
iptablesForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *network,
- const char *iface,
- const char *physdev,
- int action)
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
+ const char *iface,
+ const char *physdev,
+ int action)
{
int ret;
char *networkstr;
- if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
- iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("Only IPv4 addresses can be used with iptables"));
- return -1;
- }
-
- if (!(networkstr = virSocketFormatAddr(network)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
return -1;
if (physdev && physdev[0]) {
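Review bot: In the new iptablesFormatNetwork() the value returned by virSocketGetNumNetmaskBits() goes straight into the "%s/%d" format without a check; if that helper signals a non-contiguous or otherwise unusable netmask with a negative value (its body is outside this hunk, so this is inferred from its int return), the function hands iptables an argument such as `10.0.0.0/-1` instead of failing with a clear configuration error, and the caller only learns about it when the iptables command itself fails. Rejecting a negative prefix right after the virSocketGetNumNetmaskBits() call keeps a malformed netmask from the network XML from ever reaching the iptables invocation, on both the add and remove paths that now share this helper. The helper also lacks a header comment; I would add `/* Format netaddr masked by netmask as "a.b.c.d/prefix" for iptables; returns an allocated string the caller must VIR_FREE, or NULL on error. */`. The unconditional `return ret;` after a failed virAsprintf() is only correct if virAsprintf() nulls its output on failure, as libvirt's wrapper does, which is worth a one-line comment there.
```c
    prefix = virSocketGetNumNetmaskBits(netmask);
    if (prefix < 0) {
        iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
                      _("Netmask is not a valid contiguous prefix"));
        return NULL;
    }
    /* … unchanged: virSocketFormatAddr, virAsprintf, VIR_FREE, return ret … */
```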
*/
int
iptablesAddForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *network,
- const char *iface,
- const char *physdev)
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowOut(ctx, network, iface, physdev, ADD);
+ return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, ADD);
}
/**
*/
int
iptablesRemoveForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *network,
- const char *iface,
- const char *physdev)
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowOut(ctx, network, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, REMOVE);
}
*/
static int
iptablesForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *network,
- const char *iface,
- const char *physdev,
- int action)
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
+ const char *iface,
+ const char *physdev,
+ int action)
{
int ret;
char *networkstr;
- if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
- iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("Only IPv4 addresses can be used with iptables"));
- return -1;
- }
-
- if (!(networkstr = virSocketFormatAddr(network)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
return -1;
if (physdev && physdev[0]) {
*/
int
iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *network,
- const char *iface,
- const char *physdev)
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, ADD);
}
/**
*/
int
iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *network,
- const char *iface,
- const char *physdev)
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
iptablesForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev,
int action)
int ret;
char *networkstr;
- if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
- iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("Only IPv4 addresses can be used with iptables"));
- return -1;
- }
-
- if (!(networkstr = virSocketFormatAddr(network)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
return -1;
if (physdev && physdev[0]) {
*/
int
iptablesAddForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, network, iface, physdev, ADD);
+ return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, ADD);
}
/**
*/
int
iptablesRemoveForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, network, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, REMOVE);
}
*/
static int
iptablesForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *physdev,
const char *protocol,
int action)
int ret;
char *networkstr;
- if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
- iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("Only IPv4 addresses can be used with iptables"));
- return -1;
- }
-
- if (!(networkstr = virSocketFormatAddr(network)))
+ if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
return -1;
if (protocol && protocol[0]) {
*/
int
iptablesAddForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *physdev,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, network, physdev, protocol, ADD);
+ return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, ADD);
}
/**
*/
int
iptablesRemoveForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *physdev,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, network, physdev, protocol, REMOVE);
+ return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, REMOVE);
}
int port);
int iptablesAddForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev);
int iptablesRemoveForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev);
int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev);
int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev);
int iptablesAddForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev);
int iptablesRemoveForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *iface,
const char *physdev);
const char *iface);
int iptablesAddForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *physdev,
const char *protocol);
int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *network,
+ virSocketAddr *netaddr,
+ virSocketAddr *netmask,
const char *physdev,
const char *protocol);
int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,