#include "configmake.h"
#include "intprops.h"
#include "virstring.h"
+#include "virfirewall.h"
#define VIR_FROM_THIS VIR_FROM_NWFILTER
snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)
#define PHYSDEV_IN "--physdev-in"
-#define PHYSDEV_OUT "--physdev-is-bridged --physdev-out"
-/*
- * Previous versions of libvirt only used --physdev-out.
- * To be able to upgrade with running VMs we need to be able to
- * remove rules generated by those older versions of libvirt.
- */
-#define PHYSDEV_OUT_OLD "--physdev-out"
static const char *m_state_out_str = "-m state --state NEW,ESTABLISHED";
static const char *m_state_in_str = "-m state --state ESTABLISHED";
static const char *m_state_out_str_new = "-m conntrack --ctstate NEW,ESTABLISHED";
static const char *m_state_in_str_new = "-m conntrack --ctstate ESTABLISHED";
-static const char *m_physdev_in_str = "-m physdev " PHYSDEV_IN;
-static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
-static const char *m_physdev_out_old_str = "-m physdev " PHYSDEV_OUT_OLD;
+static const char *m_physdev_in_str = "-m physdev --physdev-in";
+static const char *m_physdev_out_str = "-m physdev --physdev-is-bridged --physdev-out";
+static const char *m_physdev_out_old_str = "-m physdev --physdev-out";
#define MATCH_STATE_OUT m_state_out_str
#define MATCH_STATE_IN m_state_in_str
#define MATCH_PHYSDEV_OUT m_physdev_out_str
#define MATCH_PHYSDEV_OUT_OLD m_physdev_out_old_str
+#define MATCH_PHYSDEV_IN_FW "-m", "physdev", "--physdev-in"
+#define MATCH_PHYSDEV_OUT_FW "-m", "physdev", "--physdev-is-bridged", "--physdev-out"
+#define MATCH_PHYSDEV_OUT_OLD_FW "-m", "physdev", "--physdev-out"
+
#define COMMENT_VARNAME "comment"
static int ebtablesRemoveBasicRules(const char *ifname);
};
+static char chainprefixes_host[3] = {
+ CHAINPREFIX_HOST_IN,
+ CHAINPREFIX_HOST_OUT,
+ 0
+};
+
static int
printVar(virNWFilterVarCombIterPtr vars,
char *buf, int bufsize,
}
+static void
+_iptablesRemoveRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ char prefix,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix[2] = {
+ prefix,
+ };
+
+ if (isTempChain)
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ else
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+
+ PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-F", chain, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-X", chain, NULL);
+}
+
+
static void
iptablesRemoveRootChain(virBufferPtr buf,
char prefix,
}
+static void
+iptablesRemoveRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ char prefix,
+ bool incoming,
+ const char *ifname)
+{
+ _iptablesRemoveRootChainFW(fw, layer, prefix, incoming, ifname, false);
+}
+
+
static void
iptablesRemoveTmpRootChain(virBufferPtr buf,
char prefix,
}
+static void
+iptablesRemoveRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
+{
+ iptablesRemoveRootChainFW(fw, layer, 'F', false, ifname);
+ iptablesRemoveRootChainFW(fw, layer, 'F', true, ifname);
+ iptablesRemoveRootChainFW(fw, layer, 'H', true, ifname);
+}
+
+
static void
iptablesLinkTmpRootChain(virBufferPtr buf,
const char *basechain,
static void
-iptablesClearVirtInPost(virBufferPtr buf,
- const char *ifname)
+iptablesClearVirtInPostFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
{
- const char *match = MATCH_PHYSDEV_IN;
- virBufferAsprintf(buf,
- "$IPT -D " VIRT_IN_POST_CHAIN
- " %s %s -j ACCEPT" CMD_SEPARATOR,
- match, ifname);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
}
static void
}
+static void
+_iptablesUnlinkRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *basechain,
+ char prefix,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix[2] = {
+ prefix,
+ };
+ if (isTempChain)
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ else
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+
+ PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ if (incoming)
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_IN_FW, ifname,
+ "-g", chain,
+ NULL);
+ else
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_FW, ifname,
+ "-g", chain,
+ NULL);
+
+ /*
+ * Previous versions of libvirt may have created a rule
+ * with the --physdev-is-bridged missing. Remove this one
+ * as well.
+ */
+ if (!incoming)
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_OLD_FW, ifname,
+ "-g", chain,
+ NULL);
+}
+
+
static void
iptablesUnlinkRootChain(virBufferPtr buf,
const char *basechain,
basechain, prefix, incoming, ifname, false);
}
+static void
+iptablesUnlinkRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *basechain,
+ char prefix,
+ bool incoming, const char *ifname)
+{
+ _iptablesUnlinkRootChainFW(fw, layer,
+ basechain, prefix, incoming, ifname, false);
+}
+
static void
iptablesUnlinkTmpRootChain(virBufferPtr buf,
}
+static void
+iptablesUnlinkRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
+{
+ iptablesUnlinkRootChainFW(fw, layer, VIRT_OUT_CHAIN, 'F', false, ifname);
+ iptablesUnlinkRootChainFW(fw, layer, VIRT_IN_CHAIN, 'F', true, ifname);
+ iptablesUnlinkRootChainFW(fw, layer, HOST_IN_CHAIN, 'H', true, ifname);
+}
+
+
static void
iptablesUnlinkTmpRootChains(virBufferPtr buf,
const char *ifname)
}
+static void
+_ebtablesRemoveRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix;
+ if (isTempChain)
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ else
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-F", chain, NULL);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-X", chain, NULL);
+}
+
+
static void
ebtablesRemoveRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
}
+static void
+ebtablesRemoveRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname)
+{
+ _ebtablesRemoveRootChainFW(fw, incoming, ifname, false);
+}
+
+
static void
ebtablesRemoveTmpRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
}
+static void
+_ebtablesUnlinkRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix;
+
+ if (isTempChain) {
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ } else {
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+ }
+
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-D",
+ incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+ incoming ? "-i" : "-o",
+ ifname, "-j", chain, NULL);
+}
+
+
static void
ebtablesUnlinkRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
}
+static void
+ebtablesUnlinkRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname)
+{
+ _ebtablesUnlinkRootChainFW(fw, incoming, ifname, false);
+}
+
+
static void
ebtablesUnlinkTmpRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
virBufferAddLit(buf, "rm_chains $chains\n");
}
+
+static int
+ebtablesRemoveSubChainsQuery(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque)
+{
+ size_t i, j;
+ const char *chainprefixes = opaque;
+
+ for (i = 0; lines[i] != NULL; i++) {
+ VIR_DEBUG("Considering '%s'", lines[i]);
+ char *tmp = strstr(lines[i], "-j ");
+ if (!tmp)
+ continue;
+ tmp = tmp + 3;
+ for (j = 0; chainprefixes[j]; j++) {
+ if (tmp[0] == chainprefixes[j] &&
+ tmp[1] == '-') {
+ VIR_DEBUG("Processing chain '%s'", tmp);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chainprefixes,
+ "-t", "nat", "-L", tmp, NULL);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-F", tmp, NULL);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-X", tmp, NULL);
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+static void
+_ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname,
+ const char *chainprefixes)
+{
+ char rootchain[MAX_CHAINNAME_LENGTH];
+ size_t i;
+
+ for (i = 0; chainprefixes[i] != 0; i++) {
+ PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chainprefixes,
+ "-t", "nat", "-L", rootchain, NULL);
+ }
+}
+
static void
ebtablesRemoveSubChains(virBufferPtr buf,
const char *ifname)
_ebtablesRemoveSubChains(buf, ifname, chains);
}
+static void
+ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname)
+{
+ _ebtablesRemoveSubChainsFW(fw, ifname, chainprefixes_host);
+}
+
static void
ebtablesRemoveTmpSubChains(virBufferPtr buf,
const char *ifname)
* Unconditionally remove all possible user defined tables and rules
* that were created for the given interface (ifname).
*
- * Always returns 0.
+ * Returns 0 on success, -1 on OOM
*/
static int
ebiptablesAllTeardown(const char *ifname)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
-
- if (iptables_cmd_path) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesClearVirtInPost(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
- }
+ virFirewallPtr fw = virFirewallNew();
+ int ret = -1;
- if (ip6tables_cmd_path) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesClearVirtInPost(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
- }
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesClearVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesClearVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
- ebtablesUnlinkRootChain(&buf, true, ifname);
- ebtablesUnlinkRootChain(&buf, false, ifname);
+ ebtablesUnlinkRootChainFW(fw, true, ifname);
+ ebtablesUnlinkRootChainFW(fw, false, ifname);
- ebtablesRemoveSubChains(&buf, ifname);
+ ebtablesRemoveSubChainsFW(fw, ifname);
- ebtablesRemoveRootChain(&buf, true, ifname);
- ebtablesRemoveRootChain(&buf, false, ifname);
- }
- ebiptablesExecCLI(&buf, true, NULL);
+ ebtablesRemoveRootChainFW(fw, true, ifname);
+ ebtablesRemoveRootChainFW(fw, false, ifname);
- return 0;
+ virMutexLock(&execCLIMutex);
+ ret = virFirewallApply(fw);
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
+ return ret;
}
--- /dev/null
+/*
+ * nwfilterebiptablestest.c: Test {eb,ip,ip6}tables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#include "testutils.h"
+#include "nwfilter/nwfilter_ebiptables_driver.h"
+#include "virbuffer.h"
+
+#define __VIR_FIREWALL_PRIV_H_ALLOW__
+#include "virfirewallpriv.h"
+
+#define __VIR_COMMAND_PRIV_H_ALLOW__
+#include "vircommandpriv.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+static int
+testNWFilterEBIPTablesAllTeardown(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "iptables -F FO-vnet0\n"
+ "iptables -X FO-vnet0\n"
+ "iptables -F FI-vnet0\n"
+ "iptables -X FI-vnet0\n"
+ "iptables -F HI-vnet0\n"
+ "iptables -X HI-vnet0\n"
+ "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+ "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+ "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+ "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "ip6tables -F FO-vnet0\n"
+ "ip6tables -X FO-vnet0\n"
+ "ip6tables -F FI-vnet0\n"
+ "ip6tables -X FI-vnet0\n"
+ "ip6tables -F HI-vnet0\n"
+ "ip6tables -X HI-vnet0\n"
+ "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+ "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+ "ebtables -t nat -L libvirt-I-vnet0\n"
+ "ebtables -t nat -L libvirt-O-vnet0\n"
+ "ebtables -t nat -F libvirt-I-vnet0\n"
+ "ebtables -t nat -X libvirt-I-vnet0\n"
+ "ebtables -t nat -F libvirt-O-vnet0\n"
+ "ebtables -t nat -X libvirt-O-vnet0\n";
+ char *actual = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.allTeardown("vnet0") < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferContentAndReset(&buf);
+ virtTestClearCommandPath(actual);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ VIR_FREE(actual);
+ return ret;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (virtTestRun("ebiptablesAllTeardown",
+ testNWFilterEBIPTablesAllTeardown,
+ NULL) < 0)
+ ret = -1;
+
+ cleanup:
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
projects / thirdparty / libvirt.git / commitdiff
