From a66fc27d895cface9d41aae0de2dd99bc04ad9b5 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Thu, 6 Mar 2014 17:01:13 +0000 Subject: [PATCH] Convert bridge driver over to use new firewall APIs Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: Daniel P. Berrange --- src/network/bridge_driver_linux.c | 749 +++++++++++++----------------- src/util/viriptables.c | 630 +++++++++++-------------- src/util/viriptables.h | 116 +++-- 3 files changed, 659 insertions(+), 836 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index 3891357a4b..9f4911b06a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -28,6 +28,7 @@ #include "viriptables.h" #include "virstring.h" #include "virlog.h" +#include "virfirewall.h" #define VIR_FROM_THIS VIR_FROM_NONE @@ -134,7 +135,8 @@ static const char networkLocalMulticast[] = "224.0.0.0/24"; static const char networkLocalBroadcast[] = "255.255.255.255/32"; static int -networkAddMasqueradingFirewallRules(virNetworkObjPtr network, +networkAddMasqueradingFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); @@ -144,32 +146,26 @@ networkAddMasqueradingFirewallRules(virNetworkObjPtr network, virReportError(VIR_ERR_INTERNAL_ERROR, _("Invalid prefix or netmask for '%s'"), network->def->bridge); - goto masqerr1; + return -1; } /* allow forwarding packets from the bridge interface */ - if (iptablesAddForwardAllowOut(&ipdef->address, + if (iptablesAddForwardAllowOut(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow forwarding from '%s'"), - network->def->bridge); - goto masqerr1; - } + forwardIf) < 0) + return -1; /* allow forwarding packets to the bridge interface if they are * part of an existing connection */ - if (iptablesAddForwardAllowRelatedIn(&ipdef->address, + if (iptablesAddForwardAllowRelatedIn(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow forwarding to '%s'"), - network->def->bridge); - goto masqerr2; - } + forwardIf) < 0) + return -1; /* * Enable masquerading. @@ -204,176 +200,127 @@ networkAddMasqueradingFirewallRules(virNetworkObjPtr network, */ /* First the generic masquerade rule for other protocols */ - if (iptablesAddForwardMasquerade(&ipdef->address, + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, - NULL) < 0) { - if (forwardIf) - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to enable masquerading to %s"), - forwardIf); - else - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("failed to add iptables rule to enable masquerading")); - goto masqerr3; - } + NULL) < 0) + return -1; /* UDP with a source port restriction */ - if (iptablesAddForwardMasquerade(&ipdef->address, + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, - "udp") < 0) { - if (forwardIf) - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to enable UDP masquerading to %s"), - forwardIf); - else - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("failed to add iptables rule to enable UDP masquerading")); - goto masqerr4; - } + "udp") < 0) + return -1; /* TCP with a source port restriction */ - if (iptablesAddForwardMasquerade(&ipdef->address, + if (iptablesAddForwardMasquerade(fw, + &ipdef->address, prefix, forwardIf, &network->def->forward.addr, &network->def->forward.port, - "tcp") < 0) { - if (forwardIf) - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to enable TCP masquerading to %s"), - forwardIf); - else - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("failed to add iptables rule to enable TCP masquerading")); - goto masqerr5; - } + "tcp") < 0) + return -1; /* exempt local network broadcast address as destination */ - if (iptablesAddDontMasquerade(&ipdef->address, + if (iptablesAddDontMasquerade(fw, + &ipdef->address, prefix, forwardIf, - networkLocalBroadcast) < 0) { - if (forwardIf) - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to prevent local broadcast masquerading on %s"), - forwardIf); - else - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("failed to add iptables rule to prevent local broadcast masquerading")); - goto masqerr6; - } + networkLocalBroadcast) < 0) + return -1; /* exempt local multicast range as destination */ - if (iptablesAddDontMasquerade(&ipdef->address, + if (iptablesAddDontMasquerade(fw, + &ipdef->address, prefix, forwardIf, - networkLocalMulticast) < 0) { - if (forwardIf) - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to prevent local multicast masquerading on %s"), - forwardIf); - else - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("failed to add iptables rule to prevent local multicast masquerading")); - goto masqerr7; - } + networkLocalMulticast) < 0) + return -1; return 0; - - masqerr7: - iptablesRemoveDontMasquerade(&ipdef->address, - prefix, - forwardIf, - networkLocalBroadcast); - masqerr6: - iptablesRemoveForwardMasquerade(&ipdef->address, - prefix, - forwardIf, - &network->def->forward.addr, - &network->def->forward.port, - "tcp"); - masqerr5: - iptablesRemoveForwardMasquerade(&ipdef->address, - prefix, - forwardIf, - &network->def->forward.addr, - &network->def->forward.port, - "udp"); - masqerr4: - iptablesRemoveForwardMasquerade(&ipdef->address, - prefix, - forwardIf, - &network->def->forward.addr, - &network->def->forward.port, - NULL); - masqerr3: - iptablesRemoveForwardAllowRelatedIn(&ipdef->address, - prefix, - network->def->bridge, - forwardIf); - masqerr2: - iptablesRemoveForwardAllowOut(&ipdef->address, - prefix, - network->def->bridge, - forwardIf); - masqerr1: - return -1; } -static void -networkRemoveMasqueradingFirewallRules(virNetworkObjPtr network, +static int +networkRemoveMasqueradingFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); const char *forwardIf = virNetworkDefForwardIf(network->def, 0); - if (prefix >= 0) { - iptablesRemoveDontMasquerade(&ipdef->address, - prefix, - forwardIf, - networkLocalMulticast); - iptablesRemoveDontMasquerade(&ipdef->address, - prefix, - forwardIf, - networkLocalBroadcast); - iptablesRemoveForwardMasquerade(&ipdef->address, - prefix, - forwardIf, - &network->def->forward.addr, - &network->def->forward.port, - "tcp"); - iptablesRemoveForwardMasquerade(&ipdef->address, - prefix, - forwardIf, - &network->def->forward.addr, - &network->def->forward.port, - "udp"); - iptablesRemoveForwardMasquerade(&ipdef->address, - prefix, - forwardIf, - &network->def->forward.addr, - &network->def->forward.port, - NULL); + if (prefix < 0) + return 0; - iptablesRemoveForwardAllowRelatedIn(&ipdef->address, + if (iptablesRemoveDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalMulticast) < 0) + return -1; + + if (iptablesRemoveDontMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + networkLocalBroadcast) < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &network->def->forward.addr, + &network->def->forward.port, + "tcp") < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &network->def->forward.addr, + &network->def->forward.port, + "udp") < 0) + return -1; + + if (iptablesRemoveForwardMasquerade(fw, + &ipdef->address, + prefix, + forwardIf, + &network->def->forward.addr, + &network->def->forward.port, + NULL) < 0) + return -1; + + if (iptablesRemoveForwardAllowRelatedIn(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf); - iptablesRemoveForwardAllowOut(&ipdef->address, + forwardIf) < 0) + return -1; + + if (iptablesRemoveForwardAllowOut(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf); - } + forwardIf) < 0) + return -1; + + return 0; } + static int -networkAddRoutingFirewallRules(virNetworkObjPtr network, +networkAddRoutingFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); @@ -383,168 +330,61 @@ networkAddRoutingFirewallRules(virNetworkObjPtr network, virReportError(VIR_ERR_INTERNAL_ERROR, _("Invalid prefix or netmask for '%s'"), network->def->bridge); - goto routeerr1; + return -1; } /* allow routing packets from the bridge interface */ - if (iptablesAddForwardAllowOut(&ipdef->address, + if (iptablesAddForwardAllowOut(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow routing from '%s'"), - network->def->bridge); - goto routeerr1; - } + forwardIf) < 0) + return -1; /* allow routing packets to the bridge interface */ - if (iptablesAddForwardAllowIn(&ipdef->address, + if (iptablesAddForwardAllowIn(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow routing to '%s'"), - network->def->bridge); - goto routeerr2; - } + forwardIf) < 0) + return -1; return 0; - - routeerr2: - iptablesRemoveForwardAllowOut(&ipdef->address, - prefix, - network->def->bridge, - forwardIf); - routeerr1: - return -1; } -static void -networkRemoveRoutingFirewallRules(virNetworkObjPtr network, +static int +networkRemoveRoutingFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { int prefix = virNetworkIpDefPrefix(ipdef); const char *forwardIf = virNetworkDefForwardIf(network->def, 0); - if (prefix >= 0) { - iptablesRemoveForwardAllowIn(&ipdef->address, + if (prefix < 0) + return 0; + + if (iptablesRemoveForwardAllowIn(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf); + forwardIf) < 0) + return -1; - iptablesRemoveForwardAllowOut(&ipdef->address, + if (iptablesRemoveForwardAllowOut(fw, + &ipdef->address, prefix, network->def->bridge, - forwardIf); - } -} - -/* Add all once/network rules required for IPv6. - * If no IPv6 addresses are defined and is - * specified, then allow IPv6 commuinications between virtual systems. - * If any IPv6 addresses are defined, then add the rules for regular operation. - */ -static int -networkAddGeneralIp6tablesRules(virNetworkObjPtr network) -{ - - if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && - !network->def->ipv6nogw) { - return 0; - } - - /* Catch all rules to block forwarding to/from bridges */ - - if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add ip6tables rule to block outbound traffic from '%s'"), - network->def->bridge); - goto err1; - } - - if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add ip6tables rule to block inbound traffic to '%s'"), - network->def->bridge); - goto err2; - } - - /* Allow traffic between guests on the same bridge */ - if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add ip6tables rule to allow cross bridge traffic on '%s'"), - network->def->bridge); - goto err3; - } - - /* if no IPv6 addresses are defined, we are done. */ - if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) - return 0; - - /* allow DNS over IPv6 */ - if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add ip6tables rule to allow DNS requests from '%s'"), - network->def->bridge); - goto err4; - } - - if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add ip6tables rule to allow DNS requests from '%s'"), - network->def->bridge); - goto err5; - } - - if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add ip6tables rule to allow DHCP6 requests from '%s'"), - network->def->bridge); - goto err6; - } + forwardIf) < 0) + return -1; return 0; - - /* unwind in reverse order from the point of failure */ - err6: - iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53); - err5: - iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53); - err4: - iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge); - err3: - iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge); - err2: - iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge); - err1: - return -1; } + static void -networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network) -{ - if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && - !network->def->ipv6nogw) { - return; - } - if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) { - iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547); - iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53); - iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53); - } - - /* the following rules are there if no IPv6 address has been defined - * but network->def->ipv6nogw == true - */ - iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge); - iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge); - iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge); -} - - -static int -networkAddGeneralFirewallRules(virNetworkObjPtr network) +networkAddGeneralIPv4FirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) { size_t i; virNetworkIpDefPtr ipv4def; @@ -559,130 +399,33 @@ networkAddGeneralFirewallRules(virNetworkObjPtr network) } /* allow DHCP requests through to dnsmasq */ - - if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow DHCP requests from '%s'"), - network->def->bridge); - goto err1; - } - - if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow DHCP requests from '%s'"), - network->def->bridge); - goto err2; - } - - if (iptablesAddUdpOutput(AF_INET, network->def->bridge, 68) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow DHCP replies to '%s'"), - network->def->bridge); - goto err3; - } - - /* If we are doing local DHCP service on this network, attempt to - * add a rule that will fixup the checksum of DHCP response - * packets back to the guests (but report failure without - * aborting, since not all iptables implementations support it). - */ - - if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) && - (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) { - VIR_WARN("Could not add rule to fixup DHCP response checksums " - "on network '%s'.", network->def->name); - VIR_WARN("May need to update iptables package & kernel to support CHECKSUM rule."); - } + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 68); /* allow DNS requests through to dnsmasq */ - if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow DNS requests from '%s'"), - network->def->bridge); - goto err4; - } - - if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow DNS requests from '%s'"), - network->def->bridge); - goto err5; - } + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53); /* allow TFTP requests through to dnsmasq if necessary */ - if (ipv4def && ipv4def->tftproot && - iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow TFTP requests from '%s'"), - network->def->bridge); - goto err6; - } + if (ipv4def && ipv4def->tftproot) + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 69); /* Catch all rules to block forwarding to/from bridges */ - - if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to block outbound traffic from '%s'"), - network->def->bridge); - goto err7; - } - - if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to block inbound traffic to '%s'"), - network->def->bridge); - goto err8; - } + iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge); + iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge); /* Allow traffic between guests on the same bridge */ - if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("failed to add iptables rule to allow cross bridge traffic on '%s'"), - network->def->bridge); - goto err9; - } - - /* add IPv6 general rules, if needed */ - if (networkAddGeneralIp6tablesRules(network) < 0) { - goto err10; - } - - return 0; - - /* unwind in reverse order from the point of failure */ - err10: - iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge); - err9: - iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge); - err8: - iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge); - err7: - if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69); - } - err6: - iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53); - err5: - iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53); - err4: - iptablesRemoveUdpOutput(AF_INET, network->def->bridge, 68); - err3: - iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67); - err2: - iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67); - err1: - return -1; + iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge); } - static void -networkRemoveGeneralFirewallRules(virNetworkObjPtr network) +networkRemoveGeneralIPv4FirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) { size_t i; virNetworkIpDefPtr ipv4def; - networkRemoveGeneralIp6tablesRules(network); - for (i = 0; (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i)); i++) { @@ -690,25 +433,143 @@ networkRemoveGeneralFirewallRules(virNetworkObjPtr network) break; } - iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge); - iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge); - iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge); - if (ipv4def && ipv4def->tftproot) { - iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69); + iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge); + iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge); + iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge); + + if (ipv4def && ipv4def->tftproot) + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 69); + + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53); + + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 68); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67); +} + + +/* Add all once/network rules required for IPv6. + * If no IPv6 addresses are defined and is + * specified, then allow IPv6 commuinications between virtual systems. + * If any IPv6 addresses are defined, then add the rules for regular operation. + */ +static void +networkAddGeneralIPv6FirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) +{ + + if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && + !network->def->ipv6nogw) { + return; } - iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53); - iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53); - if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) { - iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68); + + /* Catch all rules to block forwarding to/from bridges */ + iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge); + iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge); + + /* Allow traffic between guests on the same bridge */ + iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge); + + if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) { + /* allow DNS over IPv6 */ + iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge, 53); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge, 53); + iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge, 547); } - iptablesRemoveUdpOutput(AF_INET, network->def->bridge, 68); - iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67); - iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67); +} + +static void +networkRemoveGeneralIPv6FirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) +{ + if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) && + !network->def->ipv6nogw) { + return; + } + + if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) { + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge, 547); + iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge, 53); + iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge, 53); + } + + /* the following rules are there if no IPv6 address has been defined + * but network->def->ipv6nogw == true + */ + iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge); + iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge); + iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge); +} + + +static void +networkAddGeneralFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) +{ + networkAddGeneralIPv4FirewallRules(fw, network); + networkAddGeneralIPv6FirewallRules(fw, network); +} + + +static void +networkRemoveGeneralFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) +{ + networkRemoveGeneralIPv4FirewallRules(fw, network); + networkRemoveGeneralIPv6FirewallRules(fw, network); +} + +static void +networkAddChecksumFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) +{ + size_t i; + virNetworkIpDefPtr ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i = 0; + (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts) + break; + } + + /* If we are doing local DHCP service on this network, attempt to + * add a rule that will fixup the checksum of DHCP response + * packets back to the guests (but report failure without + * aborting, since not all iptables implementations support it). + */ + if (ipv4def) + iptablesAddOutputFixUdpChecksum(fw, network->def->bridge, 68); +} + + +static void +networkRemoveChecksumFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network) +{ + size_t i; + virNetworkIpDefPtr ipv4def; + + /* First look for first IPv4 address that has dhcp or tftpboot defined. */ + /* We support dhcp config on 1 IPv4 interface only. */ + for (i = 0; + (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i)); + i++) { + if (ipv4def->nranges || ipv4def->nhosts) + break; + } + + if (ipv4def) + iptablesRemoveOutputFixUdpChecksum(fw, network->def->bridge, 68); } static int -networkAddIpSpecificFirewallRules(virNetworkObjPtr network, +networkAddIpSpecificFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { /* NB: in the case of IPv6, routing rules are added when the @@ -717,70 +578,74 @@ networkAddIpSpecificFirewallRules(virNetworkObjPtr network, if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) { if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) - return networkAddMasqueradingFirewallRules(network, ipdef); + return networkAddMasqueradingFirewallRules(fw, network, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - return networkAddRoutingFirewallRules(network, ipdef); + return networkAddRoutingFirewallRules(fw, network, ipdef); } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { - return networkAddRoutingFirewallRules(network, ipdef); + return networkAddRoutingFirewallRules(fw, network, ipdef); } return 0; } -static void -networkRemoveIpSpecificFirewallRules(virNetworkObjPtr network, +static int +networkRemoveIpSpecificFirewallRules(virFirewallPtr fw, + virNetworkObjPtr network, virNetworkIpDefPtr ipdef) { if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) { if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) - networkRemoveMasqueradingFirewallRules(network, ipdef); + return networkRemoveMasqueradingFirewallRules(fw, network, ipdef); else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6)) - networkRemoveRoutingFirewallRules(network, ipdef); + return networkRemoveRoutingFirewallRules(fw, network, ipdef); } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) { - networkRemoveRoutingFirewallRules(network, ipdef); + return networkRemoveRoutingFirewallRules(fw, network, ipdef); } + return 0; } /* Add all rules for all ip addresses (and general rules) on a network */ int networkAddFirewallRules(virNetworkObjPtr network) { - size_t i, j; + size_t i; virNetworkIpDefPtr ipdef; - virErrorPtr orig_error; + virFirewallPtr fw = NULL; + int ret = -1; - /* Add "once per network" rules */ - if (networkAddGeneralFirewallRules(network) < 0) - return -1; + fw = virFirewallNew(); + + virFirewallStartTransaction(fw, 0); + + networkAddGeneralFirewallRules(fw, network); for (i = 0; (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i)); i++) { - /* Add address-specific iptables rules */ - if (networkAddIpSpecificFirewallRules(network, ipdef) < 0) { - goto err; - } + if (networkAddIpSpecificFirewallRules(fw, network, ipdef) < 0) + goto cleanup; } - return 0; - err: - /* store the previous error message before attempting removal of rules */ - orig_error = virSaveLastError(); + virFirewallStartRollback(fw, 0); - /* The final failed call to networkAddIpSpecificFirewallRules will - * have removed any rules it created, but we need to remove those - * added for previous IP addresses. - */ - for (j = 0; j < i; j++) { - if ((ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, j))) - networkRemoveIpSpecificFirewallRules(network, ipdef); + for (i = 0; + (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i)); + i++) { + if (networkRemoveIpSpecificFirewallRules(fw, network, ipdef) < 0) + goto cleanup; } - networkRemoveGeneralFirewallRules(network); + networkRemoveGeneralFirewallRules(fw, network); - /* return the original error */ - virSetError(orig_error); - virFreeError(orig_error); - return -1; + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + networkAddChecksumFirewallRules(fw, network); + + if (virFirewallApply(fw) < 0) + goto cleanup; + + ret = 0; + cleanup: + virFirewallFree(fw); + return ret; } /* Remove all rules for all ip addresses (and general rules) on a network */ @@ -788,11 +653,25 @@ void networkRemoveFirewallRules(virNetworkObjPtr network) { size_t i; virNetworkIpDefPtr ipdef; + virFirewallPtr fw = NULL; + + fw = virFirewallNew(); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + networkRemoveChecksumFirewallRules(fw, network); + + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); for (i = 0; (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i)); i++) { - networkRemoveIpSpecificFirewallRules(network, ipdef); + if (networkRemoveIpSpecificFirewallRules(fw, network, ipdef) < 0) + goto cleanup; } - networkRemoveGeneralFirewallRules(network); + networkRemoveGeneralFirewallRules(fw, network); + + virFirewallApply(fw); + + cleanup: + virFirewallFree(fw); } diff --git a/src/util/viriptables.c b/src/util/viriptables.c index c8c4175ff5..4f3ac9c121 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -54,56 +54,6 @@ VIR_LOG_INIT("util.iptables"); bool iptables_supports_xlock = false; -#if HAVE_FIREWALLD -static char *firewall_cmd_path = NULL; -#endif - -static int -virIpTablesOnceInit(void) -{ - virCommandPtr cmd; - int status; - -#if HAVE_FIREWALLD - firewall_cmd_path = virFindFileInPath("firewall-cmd"); - if (!firewall_cmd_path) { - VIR_INFO("firewall-cmd not found on system. " - "firewalld support disabled for iptables."); - } else { - cmd = virCommandNew(firewall_cmd_path); - - virCommandAddArgList(cmd, "--state", NULL); - /* don't log non-zero status */ - if (virCommandRun(cmd, &status) < 0 || status != 0) { - VIR_INFO("firewall-cmd found but disabled for iptables"); - VIR_FREE(firewall_cmd_path); - firewall_cmd_path = NULL; - } else { - VIR_INFO("using firewalld for iptables commands"); - } - virCommandFree(cmd); - } - - if (firewall_cmd_path) - return 0; - -#endif - - cmd = virCommandNew(IPTABLES_PATH); - virCommandAddArgList(cmd, "-w", "-L", "-n", NULL); - /* don't log non-zero status */ - if (virCommandRun(cmd, &status) < 0 || status != 0) { - VIR_INFO("xtables locking not supported by your iptables"); - } else { - VIR_INFO("using xtables locking for iptables"); - iptables_supports_xlock = true; - } - virCommandFree(cmd); - return 0; -} - -VIR_ONCE_GLOBAL_INIT(virIpTables) - #define VIR_FROM_THIS VIR_FROM_NONE enum { @@ -111,63 +61,10 @@ enum { REMOVE }; -static virCommandPtr -iptablesCommandNew(const char *table, const char *chain, int family, int action) -{ - virCommandPtr cmd = NULL; - virIpTablesInitialize(); -#if HAVE_FIREWALLD - if (firewall_cmd_path) { - cmd = virCommandNew(firewall_cmd_path); - virCommandAddArgList(cmd, "--direct", "--passthrough", - (family == AF_INET6) ? "ipv6" : "ipv4", NULL); - } -#endif - if (cmd == NULL) { - cmd = virCommandNew((family == AF_INET6) - ? IP6TABLES_PATH : IPTABLES_PATH); - - if (iptables_supports_xlock) - virCommandAddArgList(cmd, "-w", NULL); - } - - virCommandAddArgList(cmd, "--table", table, - action == ADD ? "--insert" : "--delete", - chain, NULL); - return cmd; -} - -static int -iptablesCommandRunAndFree(virCommandPtr cmd) -{ - int ret; - ret = virCommandRun(cmd, NULL); - virCommandFree(cmd); - return ret; -} - -static int ATTRIBUTE_SENTINEL -iptablesAddRemoveRule(const char *table, const char *chain, int family, int action, - const char *arg, ...) -{ - va_list args; - virCommandPtr cmd = NULL; - const char *s; - - cmd = iptablesCommandNew(table, chain, family, action); - virCommandAddArg(cmd, arg); - - va_start(args, arg); - while ((s = va_arg(args, const char *))) - virCommandAddArg(cmd, s); - va_end(args); - - return iptablesCommandRunAndFree(cmd); -} - -static int -iptablesInput(int family, +static void +iptablesInput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port, int action, @@ -178,18 +75,19 @@ iptablesInput(int family, snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; - return iptablesAddRemoveRule("filter", "INPUT", - family, - action, - "--in-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "INPUT", + "--in-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } -static int -iptablesOutput(int family, +static void +iptablesOutput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port, int action, @@ -200,14 +98,14 @@ iptablesOutput(int family, snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; - return iptablesAddRemoveRule("filter", "OUTPUT", - family, - action, - "--out-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "OUTPUT", + "--out-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } /** @@ -218,16 +116,14 @@ iptablesOutput(int family, * * Add an input to the IP table allowing access to the given @port on * the given @iface interface for TCP packets - * - * Returns 0 in case of success or an error code in case of error */ - -int -iptablesAddTcpInput(int family, +void +iptablesAddTcpInput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port) { - return iptablesInput(family, iface, port, ADD, 1); + iptablesInput(fw, layer, iface, port, ADD, 1); } /** @@ -238,15 +134,14 @@ iptablesAddTcpInput(int family, * * Removes an input from the IP table, hence forbidding access to the given * @port on the given @iface interface for TCP packets - * - * Returns 0 in case of success or an error code in case of error */ -int -iptablesRemoveTcpInput(int family, +void +iptablesRemoveTcpInput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port) { - return iptablesInput(family, iface, port, REMOVE, 1); + iptablesInput(fw, layer, iface, port, REMOVE, 1); } /** @@ -257,16 +152,14 @@ iptablesRemoveTcpInput(int family, * * Add an input to the IP table allowing access to the given @port on * the given @iface interface for UDP packets - * - * Returns 0 in case of success or an error code in case of error */ - -int -iptablesAddUdpInput(int family, +void +iptablesAddUdpInput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port) { - return iptablesInput(family, iface, port, ADD, 0); + iptablesInput(fw, layer, iface, port, ADD, 0); } /** @@ -277,15 +170,14 @@ iptablesAddUdpInput(int family, * * Removes an input from the IP table, hence forbidding access to the given * @port on the given @iface interface for UDP packets - * - * Returns 0 in case of success or an error code in case of error */ -int -iptablesRemoveUdpInput(int family, +void +iptablesRemoveUdpInput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port) { - return iptablesInput(family, iface, port, REMOVE, 0); + return iptablesInput(fw, layer, iface, port, REMOVE, 0); } /** @@ -296,16 +188,14 @@ iptablesRemoveUdpInput(int family, * * Add an output to the IP table allowing access to the given @port from * the given @iface interface for UDP packets - * - * Returns 0 in case of success or an error code in case of error */ - -int -iptablesAddUdpOutput(int family, +void +iptablesAddUdpOutput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port) { - return iptablesOutput(family, iface, port, ADD, 0); + iptablesOutput(fw, layer, iface, port, ADD, 0); } /** @@ -316,15 +206,14 @@ iptablesAddUdpOutput(int family, * * Removes an output from the IP table, hence forbidding access to the given * @port from the given @iface interface for UDP packets - * - * Returns 0 in case of success or an error code in case of error */ -int -iptablesRemoveUdpOutput(int family, +void +iptablesRemoveUdpOutput(virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port) { - return iptablesOutput(family, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, iface, port, REMOVE, 0); } @@ -364,34 +253,40 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr, * to proceed to WAN */ static int -iptablesForwardAllowOut(virSocketAddr *netaddr, +iptablesForwardAllowOut(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev, int action) { - int ret; char *networkstr; - virCommandPtr cmd = NULL; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; - cmd = iptablesCommandNew("filter", "FORWARD", - VIR_SOCKET_ADDR_FAMILY(netaddr), - action); - virCommandAddArgList(cmd, - "--source", networkstr, - "--in-interface", iface, NULL); - if (physdev && physdev[0]) - virCommandAddArgList(cmd, "--out-interface", physdev, NULL); + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--source", networkstr, + "--in-interface", iface, + "--out-interface", physdev, + "--jump", "ACCEPT", + NULL); + else + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--source", networkstr, + "--in-interface", iface, + "--jump", "ACCEPT", + NULL); - virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL); - - ret = iptablesCommandRunAndFree(cmd); VIR_FREE(networkstr); - return ret; + return 0; } /** @@ -408,12 +303,13 @@ iptablesForwardAllowOut(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowOut(virSocketAddr *netaddr, +iptablesAddForwardAllowOut(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD); } /** @@ -430,12 +326,13 @@ iptablesAddForwardAllowOut(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowOut(virSocketAddr *netaddr, +iptablesRemoveForwardAllowOut(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE); } @@ -443,42 +340,44 @@ iptablesRemoveForwardAllowOut(virSocketAddr *netaddr, * and associated with an existing connection */ static int -iptablesForwardAllowRelatedIn(virSocketAddr *netaddr, +iptablesForwardAllowRelatedIn(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev, int action) { - int ret; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; char *networkstr; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; - if (physdev && physdev[0]) { - ret = iptablesAddRemoveRule("filter", "FORWARD", - VIR_SOCKET_ADDR_FAMILY(netaddr), - action, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); - } else { - ret = iptablesAddRemoveRule("filter", "FORWARD", - VIR_SOCKET_ADDR_FAMILY(netaddr), - action, - "--destination", networkstr, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); - } + if (physdev && physdev[0]) + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); + else + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--destination", networkstr, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); + VIR_FREE(networkstr); - return ret; + return 0; } /** @@ -495,12 +394,13 @@ iptablesForwardAllowRelatedIn(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr, +iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD); } /** @@ -517,49 +417,51 @@ iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr, +iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE); } /* Allow all traffic destined to the bridge, with a valid network address */ static int -iptablesForwardAllowIn(virSocketAddr *netaddr, +iptablesForwardAllowIn(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev, int action) { - int ret; + virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ? + VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; char *networkstr; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; - if (physdev && physdev[0]) { - ret = iptablesAddRemoveRule("filter", "FORWARD", - VIR_SOCKET_ADDR_FAMILY(netaddr), - action, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); - } else { - ret = iptablesAddRemoveRule("filter", "FORWARD", - VIR_SOCKET_ADDR_FAMILY(netaddr), - action, - "--destination", networkstr, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); - } + if (physdev && physdev[0]) + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); + else + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--destination", networkstr, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); VIR_FREE(networkstr); - return ret; + return 0; } /** @@ -576,12 +478,13 @@ iptablesForwardAllowIn(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowIn(virSocketAddr *netaddr, +iptablesAddForwardAllowIn(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD); } /** @@ -598,30 +501,13 @@ iptablesAddForwardAllowIn(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowIn(virSocketAddr *netaddr, +iptablesRemoveForwardAllowIn(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE); -} - - -/* Allow all traffic between guests on the same bridge, - * with a valid network address - */ -static int -iptablesForwardAllowCross(int family, - const char *iface, - int action) -{ - return iptablesAddRemoveRule("filter", "FORWARD", - family, - action, - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); } /** @@ -635,11 +521,18 @@ iptablesForwardAllowCross(int family, * * Returns 0 in case of success or an error code otherwise */ -int -iptablesAddForwardAllowCross(int family, +void +iptablesAddForwardAllowCross(virFirewallPtr fw, + virFirewallLayer layer, const char *iface) { - return iptablesForwardAllowCross(family, iface, ADD); + virFirewallAddRule(fw, layer, + "--table", "filter", + "--insert", "FORWARD", + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); } /** @@ -653,28 +546,18 @@ iptablesAddForwardAllowCross(int family, * * Returns 0 in case of success or an error code otherwise */ -int -iptablesRemoveForwardAllowCross(int family, +void +iptablesRemoveForwardAllowCross(virFirewallPtr fw, + virFirewallLayer layer, const char *iface) { - return iptablesForwardAllowCross(family, iface, REMOVE); -} - - -/* Drop all traffic trying to forward from the bridge. - * ie the bridge is the in interface - */ -static int -iptablesForwardRejectOut(int family, - const char *iface, - int action) -{ - return iptablesAddRemoveRule("filter", "FORWARD", - family, - action, - "--in-interface", iface, - "--jump", "REJECT", - NULL); + virFirewallAddRule(fw, layer, + "--table", "filter", + "--delete", "FORWARD", + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); } /** @@ -687,11 +570,17 @@ iptablesForwardRejectOut(int family, * * Returns 0 in case of success or an error code otherwise */ -int -iptablesAddForwardRejectOut(int family, +void +iptablesAddForwardRejectOut(virFirewallPtr fw, + virFirewallLayer layer, const char *iface) { - return iptablesForwardRejectOut(family, iface, ADD); + virFirewallAddRule(fw, layer, + "--table", "filter", + "--insert", "FORWARD", + "--in-interface", iface, + "--jump", "REJECT", + NULL); } /** @@ -704,32 +593,20 @@ iptablesAddForwardRejectOut(int family, * * Returns 0 in case of success or an error code otherwise */ -int -iptablesRemoveForwardRejectOut(int family, +void +iptablesRemoveForwardRejectOut(virFirewallPtr fw, + virFirewallLayer layer, const char *iface) { - return iptablesForwardRejectOut(family, iface, REMOVE); + virFirewallAddRule(fw, layer, + "--table", "filter", + "--delete", "FORWARD", + "--in-interface", iface, + "--jump", "REJECT", + NULL); } - - -/* Drop all traffic trying to forward to the bridge. - * ie the bridge is the out interface - */ -static int -iptablesForwardRejectIn(int family, - const char *iface, - int action) -{ - return iptablesAddRemoveRule("filter", "FORWARD", - family, - action, - "--out-interface", iface, - "--jump", "REJECT", - NULL); -} - /** * iptablesAddForwardRejectIn: * @ctx: pointer to the IP table context @@ -740,11 +617,17 @@ iptablesForwardRejectIn(int family, * * Returns 0 in case of success or an error code otherwise */ -int -iptablesAddForwardRejectIn(int family, +void +iptablesAddForwardRejectIn(virFirewallPtr fw, + virFirewallLayer layer, const char *iface) { - return iptablesForwardRejectIn(family, iface, ADD); + virFirewallAddRule(fw, layer, + "--table", "filter", + "--insert", "FORWARD", + "--out-interface", iface, + "--jump", "REJECT", + NULL); } /** @@ -757,11 +640,17 @@ iptablesAddForwardRejectIn(int family, * * Returns 0 in case of success or an error code otherwise */ -int -iptablesRemoveForwardRejectIn(int family, +void +iptablesRemoveForwardRejectIn(virFirewallPtr fw, + virFirewallLayer layer, const char *iface) { - return iptablesForwardRejectIn(family, iface, REMOVE); + virFirewallAddRule(fw, layer, + "--table", "filter", + "--delete", "FORWARD", + "--out-interface", iface, + "--jump", "REJECT", + NULL); } @@ -769,7 +658,8 @@ iptablesRemoveForwardRejectIn(int family, * with the bridge */ static int -iptablesForwardMasquerade(virSocketAddr *netaddr, +iptablesForwardMasquerade(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, @@ -783,7 +673,7 @@ iptablesForwardMasquerade(virSocketAddr *netaddr, char *addrEndStr = NULL; char *portRangeStr = NULL; char *natRangeStr = NULL; - virCommandPtr cmd = NULL; + virFirewallRulePtr rule; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -805,16 +695,25 @@ iptablesForwardMasquerade(virSocketAddr *netaddr, } } - cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action); - virCommandAddArgList(cmd, "--source", networkstr, NULL); - - if (protocol && protocol[0]) - virCommandAddArgList(cmd, "-p", protocol, NULL); - - virCommandAddArgList(cmd, "!", "--destination", networkstr, NULL); + if (protocol && protocol[0]) { + rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "nat", + action == ADD ? "--insert" : "--delete", "POSTROUTING", + "--source", networkstr, + "-p", protocol, + "!", "--destination", networkstr, + NULL); + } else { + rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "nat", + action == ADD ? "--insert" : "--delete", "POSTROUTING", + "--source", networkstr, + "!", "--destination", networkstr, + NULL); + } if (physdev && physdev[0]) - virCommandAddArgList(cmd, "--out-interface", physdev, NULL); + virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL); if (protocol && protocol[0]) { if (port->start == 0 && port->end == 0) { @@ -848,18 +747,20 @@ iptablesForwardMasquerade(virSocketAddr *netaddr, if (r < 0) goto cleanup; - virCommandAddArgList(cmd, "--jump", "SNAT", + virFirewallRuleAddArgList(fw, rule, + "--jump", "SNAT", "--to-source", natRangeStr, NULL); - } else { - virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); + } else { + virFirewallRuleAddArgList(fw, rule, + "--jump", "MASQUERADE", NULL); - if (portRangeStr && portRangeStr[0]) - virCommandAddArgList(cmd, "--to-ports", &portRangeStr[1], NULL); - } + if (portRangeStr && portRangeStr[0]) + virFirewallRuleAddArgList(fw, rule, + "--to-ports", &portRangeStr[1], NULL); + } - ret = virCommandRun(cmd, NULL); + ret = 0; cleanup: - virCommandFree(cmd); VIR_FREE(networkstr); VIR_FREE(addrStartStr); VIR_FREE(addrEndStr); @@ -882,14 +783,15 @@ iptablesForwardMasquerade(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardMasquerade(virSocketAddr *netaddr, +iptablesAddForwardMasquerade(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port, + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, ADD); } @@ -907,14 +809,15 @@ iptablesAddForwardMasquerade(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardMasquerade(virSocketAddr *netaddr, +iptablesRemoveForwardMasquerade(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port, + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, REMOVE); } @@ -923,7 +826,8 @@ iptablesRemoveForwardMasquerade(virSocketAddr *netaddr, * if said traffic targets @destaddr. */ static int -iptablesForwardDontMasquerade(virSocketAddr *netaddr, +iptablesForwardDontMasquerade(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, const char *destaddr, @@ -931,7 +835,6 @@ iptablesForwardDontMasquerade(virSocketAddr *netaddr, { int ret = -1; char *networkstr = NULL; - virCommandPtr cmd = NULL; if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; @@ -944,16 +847,26 @@ iptablesForwardDontMasquerade(virSocketAddr *netaddr, goto cleanup; } - cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action); - if (physdev && physdev[0]) - virCommandAddArgList(cmd, "--out-interface", physdev, NULL); + virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "nat", + action == ADD ? "--insert" : "--delete", "POSTROUTING", + "--out-interface", physdev, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); + else + virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "nat", + action == ADD ? "--insert" : "--delete", "POSTROUTING", + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); - virCommandAddArgList(cmd, "--source", networkstr, - "--destination", destaddr, "--jump", "RETURN", NULL); - ret = virCommandRun(cmd, NULL); + ret = 0; cleanup: - virCommandFree(cmd); VIR_FREE(networkstr); return ret; } @@ -973,12 +886,13 @@ iptablesForwardDontMasquerade(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise. */ int -iptablesAddDontMasquerade(virSocketAddr *netaddr, +iptablesAddDontMasquerade(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(netaddr, prefix, physdev, destaddr, + return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, ADD); } @@ -997,18 +911,20 @@ iptablesAddDontMasquerade(virSocketAddr *netaddr, * Returns 0 in case of success or an error code otherwise. */ int -iptablesRemoveDontMasquerade(virSocketAddr *netaddr, +iptablesRemoveDontMasquerade(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(netaddr, prefix, physdev, destaddr, + return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, REMOVE); } -static int -iptablesOutputFixUdpChecksum(const char *iface, +static void +iptablesOutputFixUdpChecksum(virFirewallPtr fw, + const char *iface, int port, int action) { @@ -1017,14 +933,14 @@ iptablesOutputFixUdpChecksum(const char *iface, snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; - return iptablesAddRemoveRule("mangle", "POSTROUTING", - AF_INET, - action, - "--out-interface", iface, - "--protocol", "udp", - "--destination-port", portstr, - "--jump", "CHECKSUM", "--checksum-fill", - NULL); + virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "mangle", + action == ADD ? "--insert" : "--delete", "POSTROUTING", + "--out-interface", iface, + "--protocol", "udp", + "--destination-port", portstr, + "--jump", "CHECKSUM", "--checksum-fill", + NULL); } /** @@ -1037,16 +953,13 @@ iptablesOutputFixUdpChecksum(const char *iface, * checksum of packets with the given destination @port. * the given @iface interface for TCP packets. * - * Returns 0 in case of success or an error code in case of error. - * (NB: if the system's iptables does not support checksum mangling, - * this will return an error, which should be ignored.) */ - -int -iptablesAddOutputFixUdpChecksum(const char *iface, +void +iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, + const char *iface, int port) { - return iptablesOutputFixUdpChecksum(iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, iface, port, ADD); } /** @@ -1057,14 +970,11 @@ iptablesAddOutputFixUdpChecksum(const char *iface, * * Removes the checksum fixup rule that was previous added with * iptablesAddOutputFixUdpChecksum. - * - * Returns 0 in case of success or an error code in case of error - * (again, if iptables doesn't support checksum fixup, this will - * return an error, which should be ignored) */ -int -iptablesRemoveOutputFixUdpChecksum(const char *iface, +void +iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, + const char *iface, int port) { - return iptablesOutputFixUdpChecksum(iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 2f9a2129a1..9ea25fc096 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -21,97 +21,131 @@ * Mark McLoughlin */ -#ifndef __QEMUD_IPTABLES_H__ -# define __QEMUD_IPTABLES_H__ +#ifndef __VIR_IPTABLES_H__ +# define __VIR_IPTABLES_H__ # include "virsocketaddr.h" +# include "virfirewall.h" -int iptablesAddTcpInput (int family, +void iptablesAddTcpInput (virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port); -int iptablesRemoveTcpInput (int family, +void iptablesRemoveTcpInput (virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port); -int iptablesAddUdpInput (int family, +void iptablesAddUdpInput (virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port); -int iptablesRemoveUdpInput (int family, +void iptablesRemoveUdpInput (virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port); -int iptablesAddUdpOutput (int family, +void iptablesAddUdpOutput (virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port); -int iptablesRemoveUdpOutput (int family, +void iptablesRemoveUdpOutput (virFirewallPtr fw, + virFirewallLayer layer, const char *iface, int port); -int iptablesAddForwardAllowOut (virSocketAddr *netaddr, +int iptablesAddForwardAllowOut (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, - const char *physdev); -int iptablesRemoveForwardAllowOut (virSocketAddr *netaddr, + const char *physdev) + ATTRIBUTE_RETURN_CHECK; +int iptablesRemoveForwardAllowOut (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, - const char *physdev); - -int iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr, + const char *physdev) + ATTRIBUTE_RETURN_CHECK; +int iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, - const char *physdev); -int iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr, + const char *physdev) + ATTRIBUTE_RETURN_CHECK; +int iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, + virSocketAddr *netaddr, + unsigned int prefix, + const char *iface, + const char *physdev) + ATTRIBUTE_RETURN_CHECK; + +int iptablesAddForwardAllowIn (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, - const char *physdev); - -int iptablesAddForwardAllowIn (virSocketAddr *netaddr, + const char *physdev) + ATTRIBUTE_RETURN_CHECK; +int iptablesRemoveForwardAllowIn (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *iface, - const char *physdev); -int iptablesRemoveForwardAllowIn (virSocketAddr *netaddr, - unsigned int prefix, - const char *iface, - const char *physdev); + const char *physdev) + ATTRIBUTE_RETURN_CHECK; -int iptablesAddForwardAllowCross (int family, +void iptablesAddForwardAllowCross (virFirewallPtr fw, + virFirewallLayer layer, const char *iface); -int iptablesRemoveForwardAllowCross (int family, +void iptablesRemoveForwardAllowCross (virFirewallPtr fw, + virFirewallLayer layer, const char *iface); -int iptablesAddForwardRejectOut (int family, +void iptablesAddForwardRejectOut (virFirewallPtr fw, + virFirewallLayer layer, const char *iface); -int iptablesRemoveForwardRejectOut (int family, +void iptablesRemoveForwardRejectOut (virFirewallPtr fw, + virFirewallLayer layer, const char *iface); -int iptablesAddForwardRejectIn (int family, +void iptablesAddForwardRejectIn (virFirewallPtr fw, + virFirewallLayer layer, const char *iface); -int iptablesRemoveForwardRejectIn (int family, +void iptablesRemoveForwardRejectIn (virFirewallPtr fw, + virFirewallLayer layery, const char *iface); -int iptablesAddForwardMasquerade (virSocketAddr *netaddr, +int iptablesAddForwardMasquerade (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, - const char *protocol); -int iptablesRemoveForwardMasquerade (virSocketAddr *netaddr, + const char *protocol) + ATTRIBUTE_RETURN_CHECK; +int iptablesRemoveForwardMasquerade (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, virSocketAddrRangePtr addr, virPortRangePtr port, - const char *protocol); -int iptablesAddDontMasquerade (virSocketAddr *netaddr, + const char *protocol) + ATTRIBUTE_RETURN_CHECK; +int iptablesAddDontMasquerade (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, - const char *destaddr); -int iptablesRemoveDontMasquerade (virSocketAddr *netaddr, + const char *destaddr) + ATTRIBUTE_RETURN_CHECK; +int iptablesRemoveDontMasquerade (virFirewallPtr fw, + virSocketAddr *netaddr, unsigned int prefix, const char *physdev, - const char *destaddr); -int iptablesAddOutputFixUdpChecksum (const char *iface, + const char *destaddr) + ATTRIBUTE_RETURN_CHECK; +void iptablesAddOutputFixUdpChecksum (virFirewallPtr fw, + const char *iface, int port); -int iptablesRemoveOutputFixUdpChecksum (const char *iface, +void iptablesRemoveOutputFixUdpChecksum (virFirewallPtr fw, + const char *iface, int port); -#endif /* __QEMUD_IPTABLES_H__ */ +#endif /* __VIR_IPTABLES_H__ */