diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index da27ee7b53..fc53293ead 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2501,7 +2501,6 @@ iptablesRemoveTcpInput; iptablesRemoveTcpOutput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; -iptablesSetDeletePrivate; iptablesSetupPrivateChains; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index d2eab33e5f..1c8be7103a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -37,7 +37,7 @@ VIR_LOG_INIT("network.bridge_driver_linux"); static virOnceControl createdOnce; static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */ -static bool createdChains; /* true iff networkSetupPrivateChains created chains during most recent call */ + static virErrorPtr errInitV4; static virErrorPtr errInitV6; @@ -50,7 +50,6 @@ static void networkSetupPrivateChains(void) VIR_DEBUG("Setting up global firewall chains"); - createdChains = false; virFreeError(errInitV4); errInitV4 = NULL; virFreeError(errInitV6); @@ -63,12 +62,10 @@ static void networkSetupPrivateChains(void) errInitV4 = virSaveLastError(); virResetLastError(); } else { - if (rc) { + if (rc) VIR_DEBUG("Created global IPv4 chains"); - createdChains = true; - } else { + else VIR_DEBUG("Global IPv4 chains already exist"); - } } rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); @@ -78,12 +75,10 @@ static void networkSetupPrivateChains(void) errInitV6 = virSaveLastError(); virResetLastError(); } else { - if (rc) { + if (rc) VIR_DEBUG("Created global IPv6 chains"); - createdChains = true; - } else { + else VIR_DEBUG("Global IPv6 chains already exist"); - } } chainInitDone = true; @@ -145,7 +140,7 @@ networkHasRunningNetworksWithFW(virNetworkDriverState *driver) void networkPreReloadFirewallRules(virNetworkDriverState *driver, - bool startup, + bool startup G_GNUC_UNUSED, bool force) { /* 
@@ -183,31 +178,13 @@ networkPreReloadFirewallRules(virNetworkDriverState *driver, } ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); - - /* - * If this is initial startup, and we just created the - * top level private chains we either - * - * - upgraded from old libvirt - * - freshly booted from clean state - * - * In the first case we must delete the old rules from - * the built-in chains, instead of our new private chains. - * In the second case it doesn't matter, since no existing - * rules will be present. Thus we can safely just tell it - * to always delete from the builin chain - */ - if (startup && createdChains) { - VIR_DEBUG("Requesting cleanup of legacy firewall rules"); - iptablesSetDeletePrivate(false); - } } } void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED) { - iptablesSetDeletePrivate(true); + } diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 721e1eeae7..ac949efba7 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -47,8 +47,6 @@ enum { REMOVE }; -static bool deletePrivate = true; - typedef struct { const char *parent; const char *child; @@ -162,17 +160,9 @@ iptablesSetupPrivateChains(virFirewallLayer layer) } -void -iptablesSetDeletePrivate(bool pvt) -{ - deletePrivate = pvt; -} - - static void iptablesInput(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int port, int action, @@ -186,7 +176,7 @@ iptablesInput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_INP" : "INPUT", + "LIBVIRT_INP", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -197,7 +187,6 @@ iptablesInput(virFirewall *fw, static void iptablesOutput(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int port, int action, 
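Review bot: Removing the `startup && createdChains` branch at the end of networkPreReloadFirewallRules takes away the only path that deleted rules from the built-in INPUT/OUTPUT/FORWARD/POSTROUTING chains, and nothing in the new code documents that this case is now unsupported; every `iptablesRemove*` wrapper in viriptables.c now names a `LIBVIRT_*` chain unconditionally. On a daemon upgraded live from a release that predates the private chains, rules that release placed in the built-in chains (presumably including the ACCEPT and MASQUERADE rules that the remove paths below are meant to undo when a network is destroyed) would therefore persist until the host reboots or the tables are flushed, which is worth stating where the logic used to live. I would add above the `virOnce` call: `/* Rules are only ever added to and removed from the LIBVIRT_* private chains; rules left in the built-in chains by releases that predate those chains are not cleaned up here, so a reboot or flush is needed after upgrading from such a release. */`, adjusted if the commit message already documents the supported upgrade path, which is not visible here. In the same hunk networkPostReloadFirewallRules is left with a blank line as its whole body; if the hook must stay for its callers, `/* Nothing to do: rules live in the LIBVIRT_* chains, see networkSetupPrivateChains. */` in place of the blank line would explain why. networkPreReloadFirewallRules begins before this hunk.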
@@ -211,7 +200,7 @@ iptablesOutput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_OUT" : "OUTPUT", + "LIBVIRT_OUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -234,7 +223,7 @@ iptablesAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, true, iface, port, ADD, 1); + iptablesInput(fw, layer, iface, port, ADD, 1); } /** @@ -252,7 +241,7 @@ iptablesRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1); + iptablesInput(fw, layer, iface, port, REMOVE, 1); } /** @@ -270,7 +259,7 @@ iptablesAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, true, iface, port, ADD, 0); + iptablesInput(fw, layer, iface, port, ADD, 0); } /** @@ -288,7 +277,7 @@ iptablesRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0); + iptablesInput(fw, layer, iface, port, REMOVE, 0); } /** @@ -306,7 +295,7 @@ iptablesAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, true, iface, port, ADD, 1); + iptablesOutput(fw, layer, iface, port, ADD, 1); } /** @@ -324,7 +313,7 @@ iptablesRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 1); + iptablesOutput(fw, layer, iface, port, REMOVE, 1); } /** @@ -342,7 +331,7 @@ iptablesAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, true, iface, port, ADD, 0); + iptablesOutput(fw, layer, iface, port, ADD, 0); } /** @@ -360,7 +349,7 @@ iptablesRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, iface, port, REMOVE, 0); } 
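Review bot: The `/**` documentation blocks that sit between the public `iptablesAdd*`/`iptablesRemove*` wrappers changed in this hunk and the following ones (`@@ -234` through `@@ -360` here, and the matching wrappers in the later hunks) are not part of the diff, so their text should be checked: with the `pvt` argument and the `deletePrivate` flag gone, any sentence in them describing removal "from the built-in chain" or the chain chosen at deletion time is now wrong. The static helpers `iptablesInput`/`iptablesOutput` also lost their only chain-selection logic; a one-line comment on each, e.g. `/* Rules are always placed in the private LIBVIRT_INP chain created by iptablesSetupPrivateChains(). */`, would make the new invariant visible to the next reader. Whether the existing wrapper comments actually mention the built-in chains cannot be confirmed from the hunk context alone.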
@@ -400,7 +389,6 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr, */ static int iptablesForwardAllowOut(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -418,7 +406,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWO" : "FORWARD", + "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -428,7 +416,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWO" : "FORWARD", + "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -457,7 +445,7 @@ iptablesAddForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD); } /** @@ -480,7 +468,7 @@ iptablesRemoveForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE); } @@ -489,7 +477,6 @@ iptablesRemoveForwardAllowOut(virFirewall *fw, */ static int iptablesForwardAllowRelatedIn(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -507,7 +494,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, 
@@ -519,7 +506,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -550,7 +537,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD); } /** @@ -573,14 +560,13 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE); } /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -598,7 +584,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -608,7 +594,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -636,7 +622,7 @@ iptablesAddForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD); } /** 
@@ -659,20 +645,19 @@ iptablesRemoveForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); } static void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWX" : "FORWARD", + "LIBVIRT_FWX", "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -695,7 +680,7 @@ iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, true, iface, ADD); + iptablesForwardAllowCross(fw, layer, iface, ADD); } /** @@ -714,20 +699,19 @@ iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, iface, REMOVE); } static void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWO" : "FORWARD", + "LIBVIRT_FWO", "--in-interface", iface, "--jump", "REJECT", NULL); @@ -748,7 +732,7 @@ iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, true, iface, ADD); + iptablesForwardRejectOut(fw, layer, iface, ADD); } /** 
@@ -766,21 +750,20 @@ iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, iface, REMOVE); } static void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--out-interface", iface, "--jump", "REJECT", NULL); @@ -801,7 +784,7 @@ iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, true, iface, ADD); + iptablesForwardRejectIn(fw, layer, iface, ADD); } /** @@ -819,7 +802,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, iface, REMOVE); } @@ -828,7 +811,6 @@ iptablesRemoveForwardRejectIn(virFirewall *fw, */ static int iptablesForwardMasquerade(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -863,7 +845,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule = virFirewallAddRule(fw, layer, "--table", "nat", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -872,7 +854,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule = virFirewallAddRule(fw, layer, "--table", "nat", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--source", networkstr, "!", "--destination", networkstr, NULL); 
@@ -944,7 +926,7 @@ iptablesAddForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, true, netaddr, prefix, + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, ADD); } @@ -970,7 +952,7 @@ iptablesRemoveForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix, + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, REMOVE); } @@ -980,7 +962,6 @@ iptablesRemoveForwardMasquerade(virFirewall *fw, */ static int iptablesForwardDontMasquerade(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -998,7 +979,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -1008,7 +989,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -1038,7 +1019,7 @@ iptablesAddDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, true, netaddr, prefix, + return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, ADD); } @@ -1063,14 +1044,13 @@ iptablesRemoveDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix, + return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, REMOVE); } static void iptablesOutputFixUdpChecksum(virFirewall *fw, - bool pvt, const char *iface, int port, int action) 
@@ -1083,7 +1063,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", action == ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, @@ -1107,7 +1087,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, iface, port, ADD); } /** @@ -1124,5 +1104,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 41c493d3eb..bb13f3292d 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -25,8 +25,6 @@ int iptablesSetupPrivateChains (virFirewallLayer layer); -void iptablesSetDeletePrivate (bool pvt); - void iptablesAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface,