network: allow tftp port if tftp is defined

add iptables rules to allow TFTP from the virtual network if <tftp>
element is defined in the network definition.

Fedora bz#580215

* src/network/bridge_driver.c: open UDP port 69 for TFTP traffic if
  tftproot is defined

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 0cd0978460e744c9b01d584adc6901d6ce7d93fd..72255c102f9391714d760d90142402fcdcb83bd3 100644 (file)
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -737,6 +737,15 @@ networkAddIptablesRules(struct network_driver *driver,
         goto err4;
     }
 
+    /* allow TFTP requests through to dnsmasq */
+    if (network->def->tftproot &&
+        (err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 69))) {
+        virReportSystemError(err,
+                             _("failed to add iptables rule to allow TFTP requests from '%s'"),
+                             network->def->bridge);
+        goto err4tftp;
+    }
+
 
     /* Catch all rules to block forwarding to/from bridges */
 
@@ -784,6 +793,10 @@ networkAddIptablesRules(struct network_driver *driver,
     iptablesRemoveForwardRejectOut(driver->iptables,
                                    network->def->bridge);
  err5:
+    if (network->def->tftproot) {
+        iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69);
+    }
+ err4tftp:
     iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
  err4:
     iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
@@ -821,6 +834,7 @@ networkRemoveIptablesRules(struct network_driver *driver,
     iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge);
     iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge);
     iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge);
+    iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69);
     iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
     iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
     iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);