From: Laine Stump
Date: Sat, 20 Apr 2024 02:19:42 +0000 (-0400)
Subject: util/network: move viriptables.[ch] from util to network directory
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=e1f6d2c20522fc0a9ebc2c3b8860bdc97a0e89fa;p=libvirt.git
util/network: move viriptables.[ch] from util to network directory
These functions are only ever used by the network driver, and are so specific to the network driver's usage of iptables that they likely won't ever be used elsewhere. The files are renamed to network_iptables.[ch] to be more in line with driver-specific file naming conventions.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
diff --git a/po/POTFILES b/po/POTFILES
index cec7e4abf4..0542d342d6 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -144,6 +144,7 @@ src/network/bridge_driver.c
 src/network/bridge_driver_conf.c
 src/network/bridge_driver_linux.c
 src/network/leaseshelper.c
+src/network/network_iptables.c
 src/node_device/node_device_driver.c
 src/node_device/node_device_udev.c
 src/nwfilter/nwfilter_dhcpsnoop.c
@@ -288,7 +289,6 @@ src/util/virhostmem.c
 src/util/virhostuptime.c
 src/util/viridentity.c
 src/util/virinitctl.c
-src/util/viriptables.c
 src/util/viriscsi.c
 src/util/virjson.c
 src/util/virlease.c
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 1c8f3f902d..b006b84262 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2576,37 +2576,6 @@ virIdentitySetX509DName;
 virInitctlFifos;
 virInitctlSetRunLevel;
-
-# util/viriptables.h
-iptablesAddDontMasquerade;
-iptablesAddForwardAllowCross;
-iptablesAddForwardAllowIn;
-iptablesAddForwardAllowOut;
-iptablesAddForwardAllowRelatedIn;
-iptablesAddForwardMasquerade;
-iptablesAddForwardRejectIn;
-iptablesAddForwardRejectOut;
-iptablesAddOutputFixUdpChecksum;
-iptablesAddTcpInput;
-iptablesAddTcpOutput;
-iptablesAddUdpInput;
-iptablesAddUdpOutput;
-iptablesRemoveDontMasquerade;
-iptablesRemoveForwardAllowCross;
-iptablesRemoveForwardAllowIn;
-iptablesRemoveForwardAllowOut;
-iptablesRemoveForwardAllowRelatedIn;
-iptablesRemoveForwardMasquerade;
-iptablesRemoveForwardRejectIn;
-iptablesRemoveForwardRejectOut;
-iptablesRemoveOutputFixUdpChecksum;
-iptablesRemoveTcpInput;
-iptablesRemoveTcpOutput;
-iptablesRemoveUdpInput;
-iptablesRemoveUdpOutput;
-iptablesSetupPrivateChains;
-
-
 # util/viriscsi.h
 virISCSIConnectionLogin;
 virISCSIConnectionLogout;
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index b8893bfed2..fd4bf7b61c 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -22,11 +22,11 @@
 #include
 #include "virfile.h"
-#include "viriptables.h"
 #include "virstring.h"
 #include "virlog.h"
 #include "virfirewall.h"
 #include "virfirewalld.h"
+#include "network_iptables.h"
 #define VIR_FROM_THIS VIR_FROM_NONE
diff --git a/src/network/meson.build b/src/network/meson.build
index eb171ae779..305e2d52fb 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -2,6 +2,7 @@ network_driver_sources = [
 'bridge_driver.c',
 'bridge_driver_conf.c',
 'bridge_driver_platform.c',
+ 'network_iptables.c',
 ]
 driver_source_files += files(network_driver_sources)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
new file mode 100644
index 0000000000..362c0202a0
--- /dev/null
+++ b/src/network/network_iptables.c
@@ -0,0 +1,1072 @@ +/* + * network_iptables.c: helper APIs for managing iptables in network driver + * + * Copyright (C) 2007-2014 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include +#include +#include +#include +#include + +#include "internal.h" +#include "virfirewalld.h" +#include "virerror.h" +#include "virlog.h" +#include "virhash.h" +#include "network_iptables.h" + +VIR_LOG_INIT("network.iptables"); + +#define VIR_FROM_THIS VIR_FROM_NONE + +enum { + VIR_NETFILTER_INSERT = 0, + VIR_NETFILTER_DELETE +}; + +typedef struct { + const char *parent; + const char *child; +} iptablesGlobalChain; + +typedef struct { + virFirewallLayer layer; + const char *table; + iptablesGlobalChain *chains; + size_t nchains; + bool *changed; +} iptablesGlobalChainData; + + +static int +iptablesPrivateChainCreate(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + iptablesGlobalChainData *data = opaque; + g_autoptr(GHashTable) chains = virHashNew(NULL); + g_autoptr(GHashTable) links = virHashNew(NULL); + const char *const *tmp; + size_t i; + + tmp = lines; + while (tmp && *tmp) { + if (STRPREFIX(*tmp, "-N ")) { /* eg "-N LIBVIRT_INP" */ + if (virHashUpdateEntry(chains, *tmp + 3, (void *)0x1) < 0) + return -1; + } else if (STRPREFIX(*tmp, "-A ")) { /* eg "-A INPUT -j LIBVIRT_INP" */ + char *sep = strchr(*tmp + 
3, ' '); + if (sep) { + *sep = '\0'; + if (STRPREFIX(sep + 1, "-j ")) { + if (virHashUpdateEntry(links, sep + 4, + (char *)*tmp + 3) < 0) + return -1; + } + } + } + tmp++; + } + + for (i = 0; i < data->nchains; i++) { + const char *from; + if (!virHashLookup(chains, data->chains[i].child)) { + virFirewallAddRule(fw, layer, + "--table", data->table, + "--new-chain", data->chains[i].child, NULL); + *data->changed = true; + } + + from = virHashLookup(links, data->chains[i].child); + if (!from || STRNEQ(from, data->chains[i].parent)) + virFirewallAddRule(fw, layer, + "--table", data->table, + "--insert", data->chains[i].parent, + "--jump", data->chains[i].child, NULL); + } + + return 0; +} + + +int +iptablesSetupPrivateChains(virFirewallLayer layer) +{ + g_autoptr(virFirewall) fw = virFirewallNew(); + iptablesGlobalChain filter_chains[] = { + {"INPUT", "LIBVIRT_INP"}, + {"OUTPUT", "LIBVIRT_OUT"}, + {"FORWARD", "LIBVIRT_FWO"}, + {"FORWARD", "LIBVIRT_FWI"}, + {"FORWARD", "LIBVIRT_FWX"}, + }; + iptablesGlobalChain natmangle_chains[] = { + {"POSTROUTING", "LIBVIRT_PRT"}, + }; + bool changed = false; + iptablesGlobalChainData data[] = { + { layer, "filter", + filter_chains, G_N_ELEMENTS(filter_chains), &changed }, + { layer, "nat", + natmangle_chains, G_N_ELEMENTS(natmangle_chains), &changed }, + { layer, "mangle", + natmangle_chains, G_N_ELEMENTS(natmangle_chains), &changed }, + }; + size_t i; + + /* When firewalld.service is active, we need to make sure that + * firewalld has been fully started and completed its + * initialization, otherwise it might delete our rules soon after + * we add them! + */ + virFirewallDSynchronize(); + + virFirewallStartTransaction(fw, 0); + + for (i = 0; i < G_N_ELEMENTS(data); i++) + virFirewallAddRuleFull(fw, data[i].layer, + false, iptablesPrivateChainCreate, + &(data[i]), "--table", data[i].table, + "--list-rules", NULL); + + if (virFirewallApply(fw) < 0) + return -1; + + return changed ? 
1 : 0; +} + + +static void +iptablesInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int action, + int tcp) +{ + g_autofree char *portstr = g_strdup_printf("%d", port); + + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_INP", + "--in-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); +} + +static void +iptablesOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port, + int action, + int tcp) +{ + g_autofree char *portstr = g_strdup_printf("%d", port); + + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_OUT", + "--out-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); +} + +/** + * iptablesAddTcpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to add + * + * Add an input to the IP table allowing access to the given @port on + * the given @iface interface for TCP packets + */ +void +iptablesAddTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); +} + +/** + * iptablesRemoveTcpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to remove + * + * Removes an input from the IP table, hence forbidding access to the given + * @port on the given @iface interface for TCP packets + */ +void +iptablesRemoveTcpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); +} + +/** + * iptablesAddUdpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to add + * + * Add an input to the IP 
table allowing access to the given @port on + * the given @iface interface for UDP packets + */ +void +iptablesAddUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); +} + +/** + * iptablesRemoveUdpInput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an input from the IP table, hence forbidding access to the given + * @port on the given @iface interface for UDP packets + */ +void +iptablesRemoveUdpInput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); +} + +/** + * iptablesAddTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to add + * + * Add an output to the IP table allowing access to the given @port from + * the given @iface interface for TCP packets + */ +void +iptablesAddTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); +} + +/** + * iptablesRemoveTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an output from the IP table, hence forbidding access to the given + * @port from the given @iface interface for TCP packets + */ +void +iptablesRemoveTcpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); +} + +/** + * iptablesAddUdpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to add + * + * Add an output to the IP table allowing access to the given @port from + * the given @iface interface for UDP packets + */ +void +iptablesAddUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char 
*iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); +} + +/** + * iptablesRemoveUdpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an output from the IP table, hence forbidding access to the given + * @port from the given @iface interface for UDP packets + */ +void +iptablesRemoveUdpOutput(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); +} + + +/* Allow all traffic coming from the bridge, with a valid network address + * to proceed to WAN + */ +static int +iptablesForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action) +{ + g_autofree char *networkstr = NULL; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + if (physdev && physdev[0]) + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWO", + "--source", networkstr, + "--in-interface", iface, + "--out-interface", physdev, + "--jump", "ACCEPT", + NULL); + else + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWO", + "--source", networkstr, + "--in-interface", iface, + "--jump", "ACCEPT", + NULL); + + return 0; +} + +/** + * iptablesAddForwardAllowOut: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the source interface name + * @physdev: the physical output device + * + * Add a rule to the IP table context to allow the traffic for the + * network @network via interface @iface to be forwarded to + * @physdev device. This allow the outbound traffic on a bridge. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesAddForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveForwardAllowOut: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the source interface name + * @physdev: the physical output device + * + * Remove a rule from the IP table context hence forbidding forwarding + * of the traffic for the network @network via interface @iface + * to the @physdev device output. This stops the outbound traffic on a bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesRemoveForwardAllowOut(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + + +/* Allow all traffic destined to the bridge, with a valid network address + * and associated with an existing connection + */ +static int +iptablesForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action) +{ + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + g_autofree char *networkstr = NULL; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + if (physdev && physdev[0]) + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? 
"--insert" : "--delete", + "LIBVIRT_FWI", + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); + else + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWI", + "--destination", networkstr, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); + + return 0; +} + +/** + * iptablesAddForwardAllowRelatedIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Add rules to the IP table context to allow the traffic for the + * network @network on @physdev device to be forwarded to + * interface @iface, if it is part of an existing connection. + * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesAddForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveForwardAllowRelatedIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Remove rules from the IP table context hence forbidding the traffic for + * network @network on @physdev device to be forwarded to + * interface @iface, if it is part of an existing connection. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + +/* Allow all traffic destined to the bridge, with a valid network address + */ +static int +iptablesForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev, + int action) +{ + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + g_autofree char *networkstr = NULL; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + if (physdev && physdev[0]) + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWI", + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); + else + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWI", + "--destination", networkstr, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); + return 0; +} + +/** + * iptablesAddForwardAllowIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Add rules to the IP table context to allow the traffic for the + * network @network on @physdev device to be forwarded to + * interface @iface. This allow the inbound traffic on a bridge. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesAddForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveForwardAllowIn: + * @ctx: pointer to the IP table context + * @network: the source network name + * @iface: the output interface name + * @physdev: the physical input device or NULL + * + * Remove rules from the IP table context hence forbidding the traffic for + * network @network on @physdev device to be forwarded to + * interface @iface. This stops the inbound traffic on a bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesRemoveForwardAllowIn(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) +{ + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); +} + +static void +iptablesForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action) +{ + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWX", + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); +} + +/** + * iptablesAddForwardAllowCross: + * @ctx: pointer to the IP table context + * @iface: the input/output interface name + * + * Add rules to the IP table context to allow traffic to cross that + * interface. It allows all traffic between guests on the same bridge + * represented by that interface. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +void +iptablesAddForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveForwardAllowCross: + * @ctx: pointer to the IP table context + * @iface: the input/output interface name + * + * Remove rules to the IP table context to block traffic to cross that + * interface. It forbids traffic between guests on the same bridge + * represented by that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +iptablesRemoveForwardAllowCross(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); +} + +static void +iptablesForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action) +{ + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWO", + "--in-interface", iface, + "--jump", "REJECT", + NULL); +} + +/** + * iptablesAddForwardRejectOut: + * @ctx: pointer to the IP table context + * @iface: the output interface name + * + * Add rules to the IP table context to forbid all traffic to that + * interface. It forbids forwarding from the bridge to that interface. + * + * Returns 0 in case of success or an error code otherwise + */ +void +iptablesAddForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveForwardRejectOut: + * @ctx: pointer to the IP table context + * @iface: the output interface name + * + * Remove rules from the IP table context forbidding all traffic to that + * interface. It reallow forwarding from the bridge to that interface. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +void +iptablesRemoveForwardRejectOut(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +static void +iptablesForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface, + int action) +{ + virFirewallAddRule(fw, layer, + "--table", "filter", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_FWI", + "--out-interface", iface, + "--jump", "REJECT", + NULL); +} + +/** + * iptablesAddForwardRejectIn: + * @ctx: pointer to the IP table context + * @iface: the input interface name + * + * Add rules to the IP table context to forbid all traffic from that + * interface. It forbids forwarding from that interface to the bridge. + * + * Returns 0 in case of success or an error code otherwise + */ +void +iptablesAddForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveForwardRejectIn: + * @ctx: pointer to the IP table context + * @iface: the input interface name + * + * Remove rules from the IP table context forbidding all traffic from that + * interface. It allows forwarding from that interface to the bridge. 
+ * + * Returns 0 in case of success or an error code otherwise + */ +void +iptablesRemoveForwardRejectIn(virFirewall *fw, + virFirewallLayer layer, + const char *iface) +{ + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); +} + + +/* Masquerade all traffic coming from the network associated + * with the bridge + */ +static int +iptablesForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol, + int action) +{ + g_autofree char *networkstr = NULL; + g_autofree char *addrStartStr = NULL; + g_autofree char *addrEndStr = NULL; + g_autofree char *portRangeStr = NULL; + g_autofree char *natRangeStr = NULL; + virFirewallRule *rule; + int af = VIR_SOCKET_ADDR_FAMILY(netaddr); + virFirewallLayer layer = af == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { + if (!(addrStartStr = virSocketAddrFormat(&addr->start))) + return -1; + if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { + if (!(addrEndStr = virSocketAddrFormat(&addr->end))) + return -1; + } + } + + if (protocol && protocol[0]) { + rule = virFirewallAddRule(fw, layer, + "--table", "nat", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_PRT", + "--source", networkstr, + "-p", protocol, + "!", "--destination", networkstr, + NULL); + } else { + rule = virFirewallAddRule(fw, layer, + "--table", "nat", + action == VIR_NETFILTER_INSERT ? 
"--insert" : "--delete", + "LIBVIRT_PRT", + "--source", networkstr, + "!", "--destination", networkstr, + NULL); + } + + if (physdev && physdev[0]) + virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL); + + if (protocol && protocol[0]) { + if (port->start == 0 && port->end == 0) { + port->start = 1024; + port->end = 65535; + } + + if (port->start < port->end && port->end < 65536) { + portRangeStr = g_strdup_printf(":%u-%u", port->start, port->end); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Invalid port range '%1$u-%2$u'."), + port->start, port->end); + return -1; + } + } + + /* Use --jump SNAT if public addr is specified */ + if (addrStartStr && addrStartStr[0]) { + if (addrEndStr && addrEndStr[0]) { + natRangeStr = g_strdup_printf("%s-%s%s", addrStartStr, addrEndStr, + portRangeStr ? portRangeStr : ""); + } else { + natRangeStr = g_strdup_printf("%s%s", addrStartStr, + portRangeStr ? portRangeStr : ""); + } + + virFirewallRuleAddArgList(fw, rule, + "--jump", "SNAT", + "--to-source", natRangeStr, NULL); + } else { + virFirewallRuleAddArgList(fw, rule, + "--jump", "MASQUERADE", NULL); + + if (portRangeStr && portRangeStr[0]) + virFirewallRuleAddArgList(fw, rule, + "--to-ports", &portRangeStr[1], NULL); + } + + return 0; +} + +/** + * iptablesAddForwardMasquerade: + * @ctx: pointer to the IP table context + * @network: the source network name + * @physdev: the physical input device or NULL + * @protocol: the network protocol or NULL + * + * Add rules to the IP table context to allow masquerading + * network @network on @physdev. This allow the bridge to + * masquerade for that network (on @physdev). 
+ * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesAddForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + return iptablesForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveForwardMasquerade: + * @ctx: pointer to the IP table context + * @network: the source network name + * @physdev: the physical input device or NULL + * @protocol: the network protocol or NULL + * + * Remove rules from the IP table context to stop masquerading + * network @network on @physdev. This stops the bridge from + * masquerading for that network (on @physdev). + * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesRemoveForwardMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + virSocketAddrRange *addr, + virPortRange *port, + const char *protocol) +{ + return iptablesForwardMasquerade(fw, netaddr, prefix, + physdev, addr, port, protocol, + VIR_NETFILTER_DELETE); +} + + +/* Don't masquerade traffic coming from the network associated with the bridge + * if said traffic targets @destaddr. + */ +static int +iptablesForwardDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr, + int action) +{ + g_autofree char *networkstr = NULL; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; + + if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) + return -1; + + if (physdev && physdev[0]) + virFirewallAddRule(fw, layer, + "--table", "nat", + action == VIR_NETFILTER_INSERT ? 
"--insert" : "--delete", + "LIBVIRT_PRT", + "--out-interface", physdev, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); + else + virFirewallAddRule(fw, layer, + "--table", "nat", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_PRT", + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); + + return 0; +} + +/** + * iptablesAddDontMasquerade: + * @netaddr: the source network name + * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr + * @physdev: the physical output device or NULL + * @destaddr: the destination network not to masquerade for + * + * Add rules to the IP table context to avoid masquerading from + * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format + * directly consumable by iptables, it must not depend on user input or + * configuration. + * + * Returns 0 in case of success or an error code otherwise. + */ +int +iptablesAddDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveDontMasquerade: + * @netaddr: the source network name + * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr + * @physdev: the physical output device or NULL + * @destaddr: the destination network not to masquerade for + * + * Remove rules from the IP table context that prevent masquerading from + * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format + * directly consumable by iptables, it must not depend on user input or + * configuration. + * + * Returns 0 in case of success or an error code otherwise. 
+ */ +int +iptablesRemoveDontMasquerade(virFirewall *fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *physdev, + const char *destaddr) +{ + return iptablesForwardDontMasquerade(fw, netaddr, prefix, + physdev, destaddr, + VIR_NETFILTER_DELETE); +} + + +static void +iptablesOutputFixUdpChecksum(virFirewall *fw, + const char *iface, + int port, + int action) +{ + g_autofree char *portstr = g_strdup_printf("%d", port); + + virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "mangle", + action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", + "LIBVIRT_PRT", + "--out-interface", iface, + "--protocol", "udp", + "--destination-port", portstr, + "--jump", "CHECKSUM", "--checksum-fill", + NULL); +} + +/** + * iptablesAddOutputFixUdpChecksum: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to match + * + * Add a rule to the mangle table's POSTROUTING chain that fixes up the + * checksum of packets with the given destination @port. + * the given @iface interface for TCP packets. + * + */ +void +iptablesAddOutputFixUdpChecksum(virFirewall *fw, + const char *iface, + int port) +{ + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); +} + +/** + * iptablesRemoveOutputFixUdpChecksum: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port of the rule to remove + * + * Removes the checksum fixup rule that was previous added with + * iptablesAddOutputFixUdpChecksum. + */ +void +iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, + const char *iface, + int port) +{ + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); +} diff --git a/src/network/network_iptables.h b/src/network/network_iptables.h new file mode 100644 index 0000000000..bfb6bbe0e7 --- /dev/null +++ b/src/network/network_iptables.h 
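Review bot: iptablesPrivateChainCreate writes through its `const char *const *lines` parameter: `*sep = '\0'` NUL-terminates the caller's line in place (strchr on a const string hands back a non-const pointer, so this compiles silently) and `links` then stores raw pointers into those truncated lines. Whether the strings are genuinely read-only depends on how virFirewallAddRuleFull obtains them, which is not visible here; either way a callback that declares const input should not mutate it, and copying the parent chain name into the table (below) sidesteps the question. iptablesForwardMasquerade likewise writes its 1024–65535 defaults back into the caller's `*port` instead of using locals, and `port->start < port->end` rejects a single-port range such as 5000-5000, which deserves a comment if intended. The `@ctx: pointer to the IP table context` tag on nearly every public function documents a parameter that no longer exists, several void functions (e.g. iptablesAddForwardAllowCross, iptablesAddForwardRejectOut) still say `Returns 0 in case of success or an error code otherwise`, and the iptablesAddOutputFixUdpChecksum comment carries a stray `the given @iface interface for TCP packets.` line. The prototype for iptablesRemoveForwardRejectIn in network_iptables.h spells its second parameter `layery`.
```c
static int
iptablesPrivateChainCreate(virFirewall *fw,
                           virFirewallLayer layer,
                           const char *const *lines,
                           void *opaque)
{
    iptablesGlobalChainData *data = opaque;
    g_autoptr(GHashTable) chains = virHashNew(NULL);
    /* values are heap copies of the parent chain name, released with the table */
    g_autoptr(GHashTable) links = virHashNew(g_free);
    // … unchanged: remaining locals, "-N " branch …
        } else if (STRPREFIX(*tmp, "-A ")) { /* eg "-A INPUT -j LIBVIRT_INP" */
            const char *parent = *tmp + 3;
            const char *sep = strchr(parent, ' ');

            if (sep && STRPREFIX(sep + 1, "-j ")) {
                /* copy the parent name rather than NUL-terminating the
                 * caller's line in place */
                char *parentcopy = g_strndup(parent, sep - parent);

                if (virHashUpdateEntry(links, sep + 4, parentcopy) < 0) {
                    g_free(parentcopy);
                    return -1;
                }
            }
        }
    // … unchanged: loop over data->chains …
```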
@@ -0,0 +1,155 @@
+/*
+ * network_iptables.h: helper APIs for managing iptables in network driver
+ *
+ * Copyright (C) 2007, 2008 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * .
+ */
+
+#pragma once
+
+#include "virsocketaddr.h"
+#include "virfirewall.h"
+
+int iptablesSetupPrivateChains (virFirewallLayer layer);
+
+void iptablesAddTcpInput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+void iptablesRemoveTcpInput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+
+void iptablesAddUdpInput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+void iptablesRemoveUdpInput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+
+void iptablesAddTcpOutput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+void iptablesRemoveTcpOutput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+void iptablesAddUdpOutput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+void iptablesRemoveUdpOutput (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int port);
+
+int iptablesAddForwardAllowOut (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+ G_GNUC_WARN_UNUSED_RESULT;
+int iptablesRemoveForwardAllowOut (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+ G_GNUC_WARN_UNUSED_RESULT;
+int iptablesAddForwardAllowRelatedIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+ G_GNUC_WARN_UNUSED_RESULT;
+int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+ G_GNUC_WARN_UNUSED_RESULT;
+
+int iptablesAddForwardAllowIn (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+ G_GNUC_WARN_UNUSED_RESULT;
+int iptablesRemoveForwardAllowIn (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+ G_GNUC_WARN_UNUSED_RESULT;
+
+void iptablesAddForwardAllowCross (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface);
+void iptablesRemoveForwardAllowCross (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface);
+
+void iptablesAddForwardRejectOut (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface);
+void iptablesRemoveForwardRejectOut (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface);
+
+void iptablesAddForwardRejectIn (virFirewall *fw,
+ virFirewallLayer layer,
+ const char *iface);
+void iptablesRemoveForwardRejectIn (virFirewall *fw,
+ virFirewallLayer layery,
+ const char *iface);
+
+int iptablesAddForwardMasquerade (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ virSocketAddrRange *addr,
+ virPortRange *port,
+ const char *protocol)
+ G_GNUC_WARN_UNUSED_RESULT;
+int iptablesRemoveForwardMasquerade (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ virSocketAddrRange *addr,
+ virPortRange *port,
+ const char *protocol)
+ G_GNUC_WARN_UNUSED_RESULT;
+int iptablesAddDontMasquerade (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ const char *destaddr)
+ G_GNUC_WARN_UNUSED_RESULT;
+int iptablesRemoveDontMasquerade (virFirewall *fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *physdev,
+ const char *destaddr)
+ G_GNUC_WARN_UNUSED_RESULT;
+void iptablesAddOutputFixUdpChecksum (virFirewall *fw,
+ const char *iface,
+ int port);
+void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw,
+ const char *iface,
+ int port);
diff --git a/src/util/meson.build b/src/util/meson.build
index c2175f1098..896c795150 100644
--- a/src/util/meson.build
+++ b/src/util/meson.build
@@ -46,7 +46,6 @@ util_sources = [
 'virhostuptime.c',
 'viridentity.c',
 'virinitctl.c',
- 'viriptables.c',
 'viriscsi.c',
 'virjson.c',
 'virkeycode.c',
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
deleted file mode 100644
index 018021bc1b..0000000000
--- a/src/util/viriptables.c
+++ /dev/null
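Review bot: The prototype for iptablesRemoveForwardRejectIn in this new header names its second parameter `layery`, while every neighbouring prototype and the definition (per the viriptables.c being removed, which the move carries over verbatim) use `layer`; since the file is created fresh here, it is worth correcting to `virFirewallLayer layer,`. A parameter name in a prototype is documentation only, so callers are unaffected, but a header/definition mismatch makes a reader wonder whether the two have diverged. iptablesSetupPrivateChains is also the only int-returning declaration here without G_GNUC_WARN_UNUSED_RESULT, even though the removed implementation returns -1 when virFirewallApply fails and 1/0 otherwise; assuming the moved implementation is unchanged, marking it would stop a caller from silently proceeding when the LIBVIRT_* chains were never set up. The preceding network_iptables.c hunk (which starts outside this view) likewise keeps the stale `@ctx: pointer to the IP table context` lines in doc comments for functions whose first parameter is `fw`, and the dangling fragment `the given @iface interface for TCP packets.` in iptablesAddOutputFixUdpChecksum's comment; both are small cleanups that fit naturally in a move.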
@@ -1,1072 +0,0 @@ -/* - * viriptables.c: helper APIs for managing iptables - * - * Copyright (C) 2007-2014 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library. If not, see - * . - */ - -#include - -#include -#include -#include -#include -#include - -#include "internal.h" -#include "viriptables.h" -#include "virfirewalld.h" -#include "virerror.h" -#include "virlog.h" -#include "virhash.h" - -VIR_LOG_INIT("util.iptables"); - -#define VIR_FROM_THIS VIR_FROM_NONE - -enum { - VIR_NETFILTER_INSERT = 0, - VIR_NETFILTER_DELETE -}; - -typedef struct { - const char *parent; - const char *child; -} iptablesGlobalChain; - -typedef struct { - virFirewallLayer layer; - const char *table; - iptablesGlobalChain *chains; - size_t nchains; - bool *changed; -} iptablesGlobalChainData; - - -static int -iptablesPrivateChainCreate(virFirewall *fw, - virFirewallLayer layer, - const char *const *lines, - void *opaque) -{ - iptablesGlobalChainData *data = opaque; - g_autoptr(GHashTable) chains = virHashNew(NULL); - g_autoptr(GHashTable) links = virHashNew(NULL); - const char *const *tmp; - size_t i; - - tmp = lines; - while (tmp && *tmp) { - if (STRPREFIX(*tmp, "-N ")) { /* eg "-N LIBVIRT_INP" */ - if (virHashUpdateEntry(chains, *tmp + 3, (void *)0x1) < 0) - return -1; - } else if (STRPREFIX(*tmp, "-A ")) { /* eg "-A INPUT -j LIBVIRT_INP" */ - char *sep = strchr(*tmp + 3, ' '); - if (sep) { - *sep = 
'\0'; - if (STRPREFIX(sep + 1, "-j ")) { - if (virHashUpdateEntry(links, sep + 4, - (char *)*tmp + 3) < 0) - return -1; - } - } - } - tmp++; - } - - for (i = 0; i < data->nchains; i++) { - const char *from; - if (!virHashLookup(chains, data->chains[i].child)) { - virFirewallAddRule(fw, layer, - "--table", data->table, - "--new-chain", data->chains[i].child, NULL); - *data->changed = true; - } - - from = virHashLookup(links, data->chains[i].child); - if (!from || STRNEQ(from, data->chains[i].parent)) - virFirewallAddRule(fw, layer, - "--table", data->table, - "--insert", data->chains[i].parent, - "--jump", data->chains[i].child, NULL); - } - - return 0; -} - - -int -iptablesSetupPrivateChains(virFirewallLayer layer) -{ - g_autoptr(virFirewall) fw = virFirewallNew(); - iptablesGlobalChain filter_chains[] = { - {"INPUT", "LIBVIRT_INP"}, - {"OUTPUT", "LIBVIRT_OUT"}, - {"FORWARD", "LIBVIRT_FWO"}, - {"FORWARD", "LIBVIRT_FWI"}, - {"FORWARD", "LIBVIRT_FWX"}, - }; - iptablesGlobalChain natmangle_chains[] = { - {"POSTROUTING", "LIBVIRT_PRT"}, - }; - bool changed = false; - iptablesGlobalChainData data[] = { - { layer, "filter", - filter_chains, G_N_ELEMENTS(filter_chains), &changed }, - { layer, "nat", - natmangle_chains, G_N_ELEMENTS(natmangle_chains), &changed }, - { layer, "mangle", - natmangle_chains, G_N_ELEMENTS(natmangle_chains), &changed }, - }; - size_t i; - - /* When firewalld.service is active, we need to make sure that - * firewalld has been fully started and completed its - * initialization, otherwise it might delete our rules soon after - * we add them! - */ - virFirewallDSynchronize(); - - virFirewallStartTransaction(fw, 0); - - for (i = 0; i < G_N_ELEMENTS(data); i++) - virFirewallAddRuleFull(fw, data[i].layer, - false, iptablesPrivateChainCreate, - &(data[i]), "--table", data[i].table, - "--list-rules", NULL); - - if (virFirewallApply(fw) < 0) - return -1; - - return changed ? 
1 : 0; -} - - -static void -iptablesInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port, - int action, - int tcp) -{ - g_autofree char *portstr = g_strdup_printf("%d", port); - - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_INP", - "--in-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); -} - -static void -iptablesOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port, - int action, - int tcp) -{ - g_autofree char *portstr = g_strdup_printf("%d", port); - - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_OUT", - "--out-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); -} - -/** - * iptablesAddTcpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to add - * - * Add an input to the IP table allowing access to the given @port on - * the given @iface interface for TCP packets - */ -void -iptablesAddTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); -} - -/** - * iptablesRemoveTcpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to remove - * - * Removes an input from the IP table, hence forbidding access to the given - * @port on the given @iface interface for TCP packets - */ -void -iptablesRemoveTcpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); -} - -/** - * iptablesAddUdpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to add - * - * Add an input to the IP 
table allowing access to the given @port on - * the given @iface interface for UDP packets - */ -void -iptablesAddUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); -} - -/** - * iptablesRemoveUdpInput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an input from the IP table, hence forbidding access to the given - * @port on the given @iface interface for UDP packets - */ -void -iptablesRemoveUdpInput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); -} - -/** - * iptablesAddTcpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the TCP port to add - * - * Add an output to the IP table allowing access to the given @port from - * the given @iface interface for TCP packets - */ -void -iptablesAddTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); -} - -/** - * iptablesRemoveTcpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an output from the IP table, hence forbidding access to the given - * @port from the given @iface interface for TCP packets - */ -void -iptablesRemoveTcpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); -} - -/** - * iptablesAddUdpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to add - * - * Add an output to the IP table allowing access to the given @port from - * the given @iface interface for UDP packets - */ -void -iptablesAddUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char 
*iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); -} - -/** - * iptablesRemoveUdpOutput: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to remove - * - * Removes an output from the IP table, hence forbidding access to the given - * @port from the given @iface interface for UDP packets - */ -void -iptablesRemoveUdpOutput(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port) -{ - iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); -} - - -/* Allow all traffic coming from the bridge, with a valid network address - * to proceed to WAN - */ -static int -iptablesForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev, - int action) -{ - g_autofree char *networkstr = NULL; - virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? - VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; - - if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) - return -1; - - if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWO", - "--source", networkstr, - "--in-interface", iface, - "--out-interface", physdev, - "--jump", "ACCEPT", - NULL); - else - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWO", - "--source", networkstr, - "--in-interface", iface, - "--jump", "ACCEPT", - NULL); - - return 0; -} - -/** - * iptablesAddForwardAllowOut: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the source interface name - * @physdev: the physical output device - * - * Add a rule to the IP table context to allow the traffic for the - * network @network via interface @iface to be forwarded to - * @physdev device. This allow the outbound traffic on a bridge. 
- * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesAddForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveForwardAllowOut: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the source interface name - * @physdev: the physical output device - * - * Remove a rule from the IP table context hence forbidding forwarding - * of the traffic for the network @network via interface @iface - * to the @physdev device output. This stops the outbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesRemoveForwardAllowOut(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} - - -/* Allow all traffic destined to the bridge, with a valid network address - * and associated with an existing connection - */ -static int -iptablesForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev, - int action) -{ - virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? - VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; - g_autofree char *networkstr = NULL; - - if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) - return -1; - - if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? 
"--insert" : "--delete", - "LIBVIRT_FWI", - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); - else - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", - "--destination", networkstr, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); - - return 0; -} - -/** - * iptablesAddForwardAllowRelatedIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Add rules to the IP table context to allow the traffic for the - * network @network on @physdev device to be forwarded to - * interface @iface, if it is part of an existing connection. - * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveForwardAllowRelatedIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Remove rules from the IP table context hence forbidding the traffic for - * network @network on @physdev device to be forwarded to - * interface @iface, if it is part of an existing connection. 
- * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} - -/* Allow all traffic destined to the bridge, with a valid network address - */ -static int -iptablesForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev, - int action) -{ - virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? - VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; - g_autofree char *networkstr = NULL; - - if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) - return -1; - - if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); - else - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", - "--destination", networkstr, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); - return 0; -} - -/** - * iptablesAddForwardAllowIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Add rules to the IP table context to allow the traffic for the - * network @network on @physdev device to be forwarded to - * interface @iface. This allow the inbound traffic on a bridge. 
- * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesAddForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveForwardAllowIn: - * @ctx: pointer to the IP table context - * @network: the source network name - * @iface: the output interface name - * @physdev: the physical input device or NULL - * - * Remove rules from the IP table context hence forbidding the traffic for - * network @network on @physdev device to be forwarded to - * interface @iface. This stops the inbound traffic on a bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesRemoveForwardAllowIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) -{ - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, - VIR_NETFILTER_DELETE); -} - -static void -iptablesForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int action) -{ - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWX", - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); -} - -/** - * iptablesAddForwardAllowCross: - * @ctx: pointer to the IP table context - * @iface: the input/output interface name - * - * Add rules to the IP table context to allow traffic to cross that - * interface. It allows all traffic between guests on the same bridge - * represented by that interface. 
- * - * Returns 0 in case of success or an error code otherwise - */ -void -iptablesAddForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveForwardAllowCross: - * @ctx: pointer to the IP table context - * @iface: the input/output interface name - * - * Remove rules to the IP table context to block traffic to cross that - * interface. It forbids traffic between guests on the same bridge - * represented by that interface. - * - * Returns 0 in case of success or an error code otherwise - */ -void -iptablesRemoveForwardAllowCross(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); -} - -static void -iptablesForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int action) -{ - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWO", - "--in-interface", iface, - "--jump", "REJECT", - NULL); -} - -/** - * iptablesAddForwardRejectOut: - * @ctx: pointer to the IP table context - * @iface: the output interface name - * - * Add rules to the IP table context to forbid all traffic to that - * interface. It forbids forwarding from the bridge to that interface. - * - * Returns 0 in case of success or an error code otherwise - */ -void -iptablesAddForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveForwardRejectOut: - * @ctx: pointer to the IP table context - * @iface: the output interface name - * - * Remove rules from the IP table context forbidding all traffic to that - * interface. It reallow forwarding from the bridge to that interface. 
- * - * Returns 0 in case of success or an error code otherwise - */ -void -iptablesRemoveForwardRejectOut(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); -} - - -static void -iptablesForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int action) -{ - virFirewallAddRule(fw, layer, - "--table", "filter", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_FWI", - "--out-interface", iface, - "--jump", "REJECT", - NULL); -} - -/** - * iptablesAddForwardRejectIn: - * @ctx: pointer to the IP table context - * @iface: the input interface name - * - * Add rules to the IP table context to forbid all traffic from that - * interface. It forbids forwarding from that interface to the bridge. - * - * Returns 0 in case of success or an error code otherwise - */ -void -iptablesAddForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveForwardRejectIn: - * @ctx: pointer to the IP table context - * @iface: the input interface name - * - * Remove rules from the IP table context forbidding all traffic from that - * interface. It allows forwarding from that interface to the bridge. 
- * - * Returns 0 in case of success or an error code otherwise - */ -void -iptablesRemoveForwardRejectIn(virFirewall *fw, - virFirewallLayer layer, - const char *iface) -{ - iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); -} - - -/* Masquerade all traffic coming from the network associated - * with the bridge - */ -static int -iptablesForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol, - int action) -{ - g_autofree char *networkstr = NULL; - g_autofree char *addrStartStr = NULL; - g_autofree char *addrEndStr = NULL; - g_autofree char *portRangeStr = NULL; - g_autofree char *natRangeStr = NULL; - virFirewallRule *rule; - int af = VIR_SOCKET_ADDR_FAMILY(netaddr); - virFirewallLayer layer = af == AF_INET ? - VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; - - if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) - return -1; - - if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { - if (!(addrStartStr = virSocketAddrFormat(&addr->start))) - return -1; - if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->end, af)) { - if (!(addrEndStr = virSocketAddrFormat(&addr->end))) - return -1; - } - } - - if (protocol && protocol[0]) { - rule = virFirewallAddRule(fw, layer, - "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", - "--source", networkstr, - "-p", protocol, - "!", "--destination", networkstr, - NULL); - } else { - rule = virFirewallAddRule(fw, layer, - "--table", "nat", - action == VIR_NETFILTER_INSERT ? 
"--insert" : "--delete", - "LIBVIRT_PRT", - "--source", networkstr, - "!", "--destination", networkstr, - NULL); - } - - if (physdev && physdev[0]) - virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL); - - if (protocol && protocol[0]) { - if (port->start == 0 && port->end == 0) { - port->start = 1024; - port->end = 65535; - } - - if (port->start < port->end && port->end < 65536) { - portRangeStr = g_strdup_printf(":%u-%u", port->start, port->end); - } else { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Invalid port range '%1$u-%2$u'."), - port->start, port->end); - return -1; - } - } - - /* Use --jump SNAT if public addr is specified */ - if (addrStartStr && addrStartStr[0]) { - if (addrEndStr && addrEndStr[0]) { - natRangeStr = g_strdup_printf("%s-%s%s", addrStartStr, addrEndStr, - portRangeStr ? portRangeStr : ""); - } else { - natRangeStr = g_strdup_printf("%s%s", addrStartStr, - portRangeStr ? portRangeStr : ""); - } - - virFirewallRuleAddArgList(fw, rule, - "--jump", "SNAT", - "--to-source", natRangeStr, NULL); - } else { - virFirewallRuleAddArgList(fw, rule, - "--jump", "MASQUERADE", NULL); - - if (portRangeStr && portRangeStr[0]) - virFirewallRuleAddArgList(fw, rule, - "--to-ports", &portRangeStr[1], NULL); - } - - return 0; -} - -/** - * iptablesAddForwardMasquerade: - * @ctx: pointer to the IP table context - * @network: the source network name - * @physdev: the physical input device or NULL - * @protocol: the network protocol or NULL - * - * Add rules to the IP table context to allow masquerading - * network @network on @physdev. This allow the bridge to - * masquerade for that network (on @physdev). 
- * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesAddForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) -{ - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveForwardMasquerade: - * @ctx: pointer to the IP table context - * @network: the source network name - * @physdev: the physical input device or NULL - * @protocol: the network protocol or NULL - * - * Remove rules from the IP table context to stop masquerading - * network @network on @physdev. This stops the bridge from - * masquerading for that network (on @physdev). - * - * Returns 0 in case of success or an error code otherwise - */ -int -iptablesRemoveForwardMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) -{ - return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, - VIR_NETFILTER_DELETE); -} - - -/* Don't masquerade traffic coming from the network associated with the bridge - * if said traffic targets @destaddr. - */ -static int -iptablesForwardDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr, - int action) -{ - g_autofree char *networkstr = NULL; - virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? - VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; - - if (!(networkstr = virSocketAddrFormatWithPrefix(netaddr, prefix, true))) - return -1; - - if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "nat", - action == VIR_NETFILTER_INSERT ? 
"--insert" : "--delete", - "LIBVIRT_PRT", - "--out-interface", physdev, - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); - else - virFirewallAddRule(fw, layer, - "--table", "nat", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); - - return 0; -} - -/** - * iptablesAddDontMasquerade: - * @netaddr: the source network name - * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr - * @physdev: the physical output device or NULL - * @destaddr: the destination network not to masquerade for - * - * Add rules to the IP table context to avoid masquerading from - * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables, it must not depend on user input or - * configuration. - * - * Returns 0 in case of success or an error code otherwise. - */ -int -iptablesAddDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) -{ - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveDontMasquerade: - * @netaddr: the source network name - * @prefix: prefix (# of 1 bits) of netmask to apply to @netaddr - * @physdev: the physical output device or NULL - * @destaddr: the destination network not to masquerade for - * - * Remove rules from the IP table context that prevent masquerading from - * @netaddr/@prefix to @destaddr on @physdev. @destaddr must be in a format - * directly consumable by iptables, it must not depend on user input or - * configuration. - * - * Returns 0 in case of success or an error code otherwise. 
- */ -int -iptablesRemoveDontMasquerade(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) -{ - return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, - VIR_NETFILTER_DELETE); -} - - -static void -iptablesOutputFixUdpChecksum(virFirewall *fw, - const char *iface, - int port, - int action) -{ - g_autofree char *portstr = g_strdup_printf("%d", port); - - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "--table", "mangle", - action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", - "LIBVIRT_PRT", - "--out-interface", iface, - "--protocol", "udp", - "--destination-port", portstr, - "--jump", "CHECKSUM", "--checksum-fill", - NULL); -} - -/** - * iptablesAddOutputFixUdpChecksum: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port to match - * - * Add a rule to the mangle table's POSTROUTING chain that fixes up the - * checksum of packets with the given destination @port. - * the given @iface interface for TCP packets. - * - */ -void -iptablesAddOutputFixUdpChecksum(virFirewall *fw, - const char *iface, - int port) -{ - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); -} - -/** - * iptablesRemoveOutputFixUdpChecksum: - * @ctx: pointer to the IP table context - * @iface: the interface name - * @port: the UDP port of the rule to remove - * - * Removes the checksum fixup rule that was previous added with - * iptablesAddOutputFixUdpChecksum. - */ -void -iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, - const char *iface, - int port) -{ - iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); -} diff --git a/src/util/viriptables.h b/src/util/viriptables.h deleted file mode 100644 index bb13f3292d..0000000000 --- a/src/util/viriptables.h +++ /dev/null 
@@ -1,155 +0,0 @@ -/* - * viriptables.h: helper APIs for managing iptables - * - * Copyright (C) 2007, 2008 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library. If not, see - * . - */ - -#pragma once - -#include "virsocketaddr.h" -#include "virfirewall.h" - -int iptablesSetupPrivateChains (virFirewallLayer layer); - -void iptablesAddTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveTcpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void iptablesAddUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveUdpInput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -void iptablesAddTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveTcpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesAddUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); -void iptablesRemoveUdpOutput (virFirewall *fw, - virFirewallLayer layer, - const char *iface, - int port); - -int iptablesAddForwardAllowOut (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowOut (virFirewall *fw, - 
virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -int iptablesAddForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardAllowIn (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev) - G_GNUC_WARN_UNUSED_RESULT; - -void iptablesAddForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardAllowCross (virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void iptablesAddForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectOut (virFirewall *fw, - virFirewallLayer layer, - const char *iface); - -void iptablesAddForwardRejectIn (virFirewall *fw, - virFirewallLayer layer, - const char *iface); -void iptablesRemoveForwardRejectIn (virFirewall *fw, - virFirewallLayer layery, - const char *iface); - -int iptablesAddForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveForwardMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - virSocketAddrRange *addr, - virPortRange *port, - const char *protocol) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesAddDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - 
const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -int iptablesRemoveDontMasquerade (virFirewall *fw, - virSocketAddr *netaddr, - unsigned int prefix, - const char *physdev, - const char *destaddr) - G_GNUC_WARN_UNUSED_RESULT; -void iptablesAddOutputFixUdpChecksum (virFirewall *fw, - const char *iface, - int port); -void iptablesRemoveOutputFixUdpChecksum (virFirewall *fw, - const char *iface, - int port);