From 42d4b85d863cc5876afba50e8dc8a47940257fa0 Mon Sep 17 00:00:00 2001
From: Mark McLoughlin
Date: Fri, 30 Mar 2007 16:23:04 +0000
Subject: [PATCH] Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin
* qemud/iptables.c: Remove the target interface parameter from iptablesPhysdevForward(). This rule is intended to allow frames to be forwarded across the bridge from the supplied bridge port. In this context, the --out parameter would match the outgoing bridge port, which will never be network->def->forwardDev.
---
 ChangeLog | 9 ++++++
 qemud/conf.c | 4 +--
 qemud/iptables.c | 33 +++++++-------------
 qemud/iptables.h | 6 ++--
 qemud/qemud.c | 78 +++++++++++++++++++++++++-----------------------
 5 files changed, 63 insertions(+), 67 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ffeffa9883..d404a94dbe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin
+
+ * qemud/iptables.c: Remove the target interface parameter
+ from iptablesPhysdevForward(). This rule is intended to
+ allow frames to be forwarded across the bridge from the
+ supplied bridge port. In this context, the --out parameter
+ would match the outgoing bridge port, which will never
+ be network->def->forwardDev.
+
 Wed Mar 30 17:17:15 IST 2007 Mark McLoughlin
 * qemud/iptables.c: ensure iptablesContext is zereod out
diff --git a/qemud/conf.c b/qemud/conf.c
index 41ee7a3f9c..fa4e463210 100644
--- a/qemud/conf.c
+++ b/qemud/conf.c
@@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
 }
 if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
- if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
+ if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "Failed to add iptables rule to allow bridging from '%s' :%s",
 ifname, strerror(err));
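Review bot: The per-port physdev rule here is still installed only when `network->def->forward` is set (the unchanged condition on the line above the changed call), yet the matching removal in qemudNetworkIfaceDisconnect (qemud.c hunk at 1050) becomes unconditional in this same commit, and qemudAddIptablesRules now installs the bridge's own physdev rule regardless of forward. If every bridge port is meant to get its ACCEPT rule, this condition and the one guarding the cleanup in the no_memory path (hunk at 1152) should drop the `network->def->forward` test; otherwise disconnect tries to delete a rule that was never added and the failure is silently ignored. The enclosing function qemudNetworkIfaceConnect starts and ends outside the hunk.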
@@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
 no_memory:
 if (net->type == QEMUD_NET_NETWORK && network->def->forward)
- iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
+ iptablesRemovePhysdevForward(server->iptables, ifname);
 qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
 error:
 if (retval)
diff --git a/qemud/iptables.c b/qemud/iptables.c
index ced742753d..cbd2b8f345 100644
--- a/qemud/iptables.c
+++ b/qemud/iptables.c
@@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
 static int
 iptablesPhysdevForward(iptablesContext *ctx,
 const char *iface,
- const char *target,
 int action)
 {
- if (target && target[0]) {
- return iptablesAddRemoveRule(ctx->forward_filter,
- action,
- "--match", "physdev",
- "--physdev-in", iface,
- "--out", target,
- "--jump", "ACCEPT",
- NULL);
- } else {
- return iptablesAddRemoveRule(ctx->forward_filter,
- action,
- "--match", "physdev",
- "--physdev-in", iface,
- "--jump", "ACCEPT",
- NULL);
- }
+ return iptablesAddRemoveRule(ctx->forward_filter,
+ action,
+ "--match", "physdev",
+ "--physdev-in", iface,
+ "--jump", "ACCEPT",
+ NULL);
 }
 int
 iptablesAddPhysdevForward(iptablesContext *ctx,
- const char *iface,
- const char *target)
+ const char *iface)
 {
- return iptablesPhysdevForward(ctx, iface, target, ADD);
+ return iptablesPhysdevForward(ctx, iface, ADD);
 }
 int
 iptablesRemovePhysdevForward(iptablesContext *ctx,
- const char *iface,
- const char *target)
+ const char *iface)
 {
- return iptablesPhysdevForward(ctx, iface, target, REMOVE);
+ return iptablesPhysdevForward(ctx, iface, REMOVE);
 }
 static int
diff --git a/qemud/iptables.h b/qemud/iptables.h
index 395d5b3780..3b5bb910e1 100644
--- a/qemud/iptables.h
+++ b/qemud/iptables.h
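Review bot: iptablesPhysdevForward now ACCEPTs anything entering through bridge port `iface` with no constraint on where it leaves, and the reasoning for dropping the `--out` match lives only in the commit message; the function should carry it, e.g. `/* Accept frames entering via bridge port @iface.  No --out match: the egress side of a bridged frame is another port of the same bridge, never forwardDev. */`. It is worth confirming whether a physdev-in match without a bridged-only qualifier also fires for packets that enter on that port and are then routed out some other host interface; if so, this rule is broader than the InterfaceForward/StateForward rules, which are restricted to forwardDev, and the physdev match's `--physdev-is-bridged` option would narrow it to the bridged case the commit describes. Separately, since iptablesAddRemoveRule takes a NULL-terminated argument list, a NULL `iface` would silently truncate the rule after `--physdev-in`; the visible callers pass ifname or network->bridge, so this presumably cannot happen today, but a guard or a comment stating the precondition would be cheap.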
@@ -42,11 +42,9 @@ int iptablesRemoveUdpInput (iptablesContext *ctx,
 int port);
 int iptablesAddPhysdevForward (iptablesContext *ctx,
- const char *iface,
- const char *target);
+ const char *iface);
 int iptablesRemovePhysdevForward (iptablesContext *ctx,
- const char *iface,
- const char *target);
+ const char *iface);
 int iptablesAddInterfaceForward (iptablesContext *ctx,
 const char *iface,
diff --git a/qemud/qemud.c b/qemud/qemud.c
index 12b112c4c1..fa5f5d840a 100644
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -1050,8 +1050,7 @@ qemudNetworkIfaceDisconnect(struct qemud_server *server,
 return;
 }
- if (network->def->forward)
- iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
+ iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);
 }
 int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
@@ -1248,83 +1247,87 @@ qemudAddIptablesRules(struct qemud_server *server,
 }
 /* allow bridging from the bridge interface itself */
- if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
+ if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "failed to add iptables rule to allow bridging from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err1;
 }
- /* allow forwarding packets from the bridge interface */
- if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
+ /* allow DHCP requests through to dnsmasq */
+ if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow forwarding from '%s' : %s\n",
+ "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err2;
 }
- /* allow forwarding packets to the bridge interface if they are part of an existing connection */
- if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
+ if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow forwarding to '%s' : %s\n",
+ "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err3;
 }
- /* enable masquerading */
- if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
+ /* allow DNS requests through to dnsmasq */
+ if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to enable masquerading : %s\n",
- strerror(err));
+ "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+ network->bridge, strerror(err));
 goto err4;
 }
- /* allow DHCP requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
+ if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+ "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err5;
 }
- if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
+ /* The remaining rules are only needed for IP forwarding */
+ if (!network->def->forward)
+ return 1;
+
+ /* allow forwarding packets from the bridge interface */
+ if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+ "failed to add iptables rule to allow forwarding from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err6;
 }
- /* allow DNS requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
+ /* allow forwarding packets to the bridge interface if they are part of an existing connection */
+ if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+ "failed to add iptables rule to allow forwarding to '%s' : %s\n",
 network->bridge, strerror(err));
 goto err7;
 }
- if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
+ /* enable masquerading */
+ if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
- network->bridge, strerror(err));
+ "failed to add iptables rule to enable masquerading : %s\n",
+ strerror(err));
 goto err8;
 }
 return 1;
 err8:
- iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+ iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
 err7:
- iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+ iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
 err6:
- iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
 err5:
- iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
 err4:
- iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
 err3:
- iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
 err2:
- iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
+ iptablesRemovePhysdevForward(server->iptables, network->bridge);
 err1:
 return 0;
 }
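Review bot: The early `return 1;` inserted after the udp/53 rule gives qemudAddIptablesRules two success exits, and it is only safe because every rule installed above it (physdev, tcp/udp 67, tcp/udp 53) still has its unwind label err2..err5 below while the forwarding-only rules map to err6..err8; the reordered ladder does satisfy that, but nothing in the code states the invariant. A comment at the return would protect the next reorder, e.g. `/* Isolated network: only the always-on rules above are installed; err6..err8 are never reached. */`. The err* labels also discard the return values of the iptablesRemove* calls, so a failed unwind leaves a partial set of ACCEPT rules in place with no report; that predates this commit, but a log line there would make such leftovers visible. qemudAddIptablesRules begins outside the hunk.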
@@ -1333,15 +1336,15 @@ static void
 qemudRemoveIptablesRules(struct qemud_server *server, struct qemud_network *network) {
 if (network->def->forward) {
- iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
- iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
- iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
- iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
 iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
 iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
 iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
- iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
 }
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+ iptablesRemovePhysdevForward(server->iptables, network->bridge);
 }
 static int
@@ -1418,8 +1421,7 @@ int qemudStartNetworkDaemon(struct qemud_server *server,
 goto err_delbr;
 }
- if (network->def->forward &&
- !qemudAddIptablesRules(server, network))
+ if (!qemudAddIptablesRules(server, network))
 goto err_delbr1;
 if (network->def->forward &&
-- 
2.47.2
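Review bot: qemudRemoveIptablesRules ignores the return value of every iptablesRemove* call, so if one deletion fails — the bridge's physdev ACCEPT rule being the one that matters most, since it stays in the FORWARD chain after the network is gone — nothing is reported, whereas the install side reports each failure through qemudReportError; the five unconditional removals added here should at least log a non-zero result. The new removal order is the exact reverse of the install order in qemudAddIptablesRules (masq, state, interface, then udp/tcp 53, udp/tcp 67, physdev), which is correct; a one-line `/* reverse of qemudAddIptablesRules */` above the first call would keep the two functions in step when either is next edited. Keeping the three forwarding-only removals under the `network->def->forward` guard while the rest are unconditional matches the install path.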