Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin <markmc@redhat.com>
* qemud/iptables.c: Remove the target interface parameter from iptablesPhysdevForward(). This rule is intended to allow frames to be forwarded across the bridge from the supplied bridge port. In this context, the --out parameter would match the outgoing bridge port, which will never be network->def->forwardDev.
This commit is contained in:
parent
27c1d7b9fa
commit
42d4b85d86
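--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,3 +1,12 @@
+Wed Mar 30 17:21:08 IST 2007 Mark McLoughlin <markmc@redhat.com>
+
+* qemud/iptables.c: Remove the target interface parameter
+from iptablesPhysdevForward(). This rule is intended to
+allow frames to be forwarded across the bridge from the
+supplied bridge port. In this context, the --out parameter
+would match the outgoing bridge port, which will never
+be network->def->forwardDev.
+
 Wed Mar 30 17:17:15 IST 2007 Mark McLoughlin <markmc@redhat.com>
 
 * qemud/iptables.c: ensure iptablesContext is zereod out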
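--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
 }
 
 if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
-if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
+if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "Failed to add iptables rule to allow bridging from '%s' :%s",
 ifname, strerror(err));
@@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_server *server,
 
 no_memory:
 if (net->type == QEMUD_NET_NETWORK && network->def->forward)
-iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
+iptablesRemovePhysdevForward(server->iptables, ifname);
 qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
 error:
 if (retval)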
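Review bot: The changed call in the -1128 hunk still sits inside `if (net->type == QEMUD_NET_NETWORK && network->def->forward) {`, while the matching removal in qemudNetworkIfaceDisconnect (hunk -1050) drops its forward guard and qemudAddIptablesRules now installs the bridge's own physdev rule before its new `if (!network->def->forward) return 1;` check. Unless keeping the guard here is deliberate, a guest interface on a non-forwarding network never gets its physdev-in ACCEPT rule, and Disconnect then asks iptables to delete a rule that was never inserted; the no_memory cleanup in the -1152 hunk keeps the same guard. If physdev rules are now meant to be unconditional, both sites should read `if (net->type == QEMUD_NET_NETWORK) {`; otherwise the guard should be restored in Disconnect so add and remove stay symmetric. qemudNetworkIfaceConnect begins and ends outside these hunks, so a check above the first context line cannot be ruled out from here.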
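--- a/qemud/iptables.c
+++ b/qemud/iptables.c
@@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
 static int
 iptablesPhysdevForward(iptablesContext *ctx,
 const char *iface,
-const char *target,
 int action)
 {
-if (target && target[0]) {
-return iptablesAddRemoveRule(ctx->forward_filter,
-action,
-"--match", "physdev",
-"--physdev-in", iface,
-"--out", target,
-"--jump", "ACCEPT",
-NULL);
-} else {
-return iptablesAddRemoveRule(ctx->forward_filter,
-action,
-"--match", "physdev",
-"--physdev-in", iface,
-"--jump", "ACCEPT",
-NULL);
-}
+return iptablesAddRemoveRule(ctx->forward_filter,
+action,
+"--match", "physdev",
+"--physdev-in", iface,
+"--jump", "ACCEPT",
+NULL);
 }
 
 int
 iptablesAddPhysdevForward(iptablesContext *ctx,
-const char *iface,
-const char *target)
+const char *iface)
 {
-return iptablesPhysdevForward(ctx, iface, target, ADD);
+return iptablesPhysdevForward(ctx, iface, ADD);
 }
 
 int
 iptablesRemovePhysdevForward(iptablesContext *ctx,
-const char *iface,
-const char *target)
+const char *iface)
 {
-return iptablesPhysdevForward(ctx, iface, target, REMOVE);
+return iptablesPhysdevForward(ctx, iface, REMOVE);
 }
 
 static int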
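Review bot: iptablesPhysdevForward now builds an ACCEPT rule in `ctx->forward_filter` keyed only on `--physdev-in iface`, but nothing in the code records why no egress constraint belongs there; that reasoning lives only in the commit message, and a later maintainer could reintroduce a target parameter. A comment above the function, along the lines of `/* Match only the ingress bridge port: a bridged frame leaves through another bridge port, never forwardDev, so a --physdev-out/--out constraint could never match. */`, would keep the rule's intent next to the rule. Note also that the removed `if (target && target[0])` was the only argument check in this path; `iface` is passed straight into the rule, so callers must guarantee it is a non-empty interface name, which is worth stating in the same comment. The hunk ends at the `static int` of the next function, whose body is outside the view.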
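--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -42,11 +42,9 @@ int iptablesRemoveUdpInput (iptablesContext *ctx,
 int port);
 
 int iptablesAddPhysdevForward (iptablesContext *ctx,
-const char *iface,
-const char *target);
+const char *iface);
 int iptablesRemovePhysdevForward (iptablesContext *ctx,
-const char *iface,
-const char *target);
+const char *iface);
 
 int iptablesAddInterfaceForward (iptablesContext *ctx,
 const char *iface,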
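--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1050,8 +1050,7 @@ qemudNetworkIfaceDisconnect(struct qemud_server *server,
 return;
 }
 
-if (network->def->forward)
-iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
+iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);
 }
 
 int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
@@ -1248,50 +1247,26 @@ qemudAddIptablesRules(struct qemud_server *server,
 }
 
 /* allow bridging from the bridge interface itself */
-if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
+if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "failed to add iptables rule to allow bridging from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err1;
 }
 
-/* allow forwarding packets from the bridge interface */
-if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
-qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-"failed to add iptables rule to allow forwarding from '%s' : %s\n",
-network->bridge, strerror(err));
-goto err2;
-}
-
-/* allow forwarding packets to the bridge interface if they are part of an existing connection */
-if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
-qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-"failed to add iptables rule to allow forwarding to '%s' : %s\n",
-network->bridge, strerror(err));
-goto err3;
-}
-
-/* enable masquerading */
-if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
-qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
-"failed to add iptables rule to enable masquerading : %s\n",
-strerror(err));
-goto err4;
-}
-
 /* allow DHCP requests through to dnsmasq */
 if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
 network->bridge, strerror(err));
-goto err5;
+goto err2;
 }
 
 if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
 network->bridge, strerror(err));
-goto err6;
+goto err3;
 }
 
 /* allow DNS requests through to dnsmasq */
@@ -1299,32 +1274,60 @@ qemudAddIptablesRules(struct qemud_server *server,
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
 network->bridge, strerror(err));
-goto err7;
+goto err4;
 }
 
 if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
 network->bridge, strerror(err));
+goto err5;
+}
+
+/* The remaining rules are only needed for IP forwarding */
+if (!network->def->forward)
+return 1;
+
+/* allow forwarding packets from the bridge interface */
+if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
+qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+"failed to add iptables rule to allow forwarding from '%s' : %s\n",
+network->bridge, strerror(err));
+goto err6;
+}
+
+/* allow forwarding packets to the bridge interface if they are part of an existing connection */
+if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
+qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+"failed to add iptables rule to allow forwarding to '%s' : %s\n",
+network->bridge, strerror(err));
+goto err7;
+}
+
+/* enable masquerading */
+if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
+qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
+"failed to add iptables rule to enable masquerading : %s\n",
+strerror(err));
 goto err8;
 }
 
 return 1;
 
 err8:
-iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
-err7:
-iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
-err6:
-iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
-err5:
-iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
-err4:
 iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
-err3:
+err7:
 iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
+err6:
+iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
+err5:
+iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+err4:
+iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+err3:
+iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
 err2:
-iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
+iptablesRemovePhysdevForward(server->iptables, network->bridge);
 err1:
 return 0;
 }
@@ -1333,15 +1336,15 @@ static void
 qemudRemoveIptablesRules(struct qemud_server *server,
 struct qemud_network *network) {
 if (network->def->forward) {
-iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
-iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
-iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
-iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
 iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
 iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
 iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
-iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
 }
+iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
+iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+iptablesRemovePhysdevForward(server->iptables, network->bridge);
 }
 
 static int
@@ -1418,8 +1421,7 @@ int qemudStartNetworkDaemon(struct qemud_server *server,
 goto err_delbr;
 }
 
-if (network->def->forward &&
-!qemudAddIptablesRules(server, network))
+if (!qemudAddIptablesRules(server, network))
 goto err_delbr1;
 
 if (network->def->forward &&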