NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

network: wire up support for IPv6 NAT rules

Browse Source 
Now that we have support for IPv6 in the iptables helpers, and a new
option in the XML schema, we can wire up support for it in the network
driver.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé
2020-06-08 14:40:15 +01:00
parent 927acaedec
commit 8a4f331e8c
4 changed files with 262 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/network/bridge_driver_linux.c
View File

@@ -334,7 +334,8 @@ int networkCheckRouteCollision(virNetworkDefPtr def)
return ret;
}
static const char networkLocalMulticast[] = "224.0.0.0/24";
static const char networkLocalMulticastIPv4[] = "224.0.0.0/24";
static const char networkLocalMulticastIPv6[] = "ff02::/16";
static const char networkLocalBroadcast[] = "255.255.255.255/32";
static int
@@ -344,6 +345,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
{
int prefix = virNetworkIPDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(def, 0);
bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET);
if (prefix < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -433,7 +435,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
return -1;
/* exempt local network broadcast address as destination */
if (iptablesAddDontMasquerade(fw,
if (isIPv4 &&
iptablesAddDontMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -445,7 +448,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
networkLocalMulticast) < 0)
isIPv4 ? networkLocalMulticastIPv4 :
networkLocalMulticastIPv6) < 0)
return -1;
return 0;
@@ -458,6 +462,7 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
{
int prefix = virNetworkIPDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(def, 0);
bool isIPv4 = VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET);
if (prefix < 0)
return 0;
@@ -466,10 +471,12 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
networkLocalMulticast) < 0)
isIPv4 ? networkLocalMulticastIPv4 :
networkLocalMulticastIPv6) < 0)
return -1;
if (iptablesRemoveDontMasquerade(fw,
if (isIPv4 &&
iptablesRemoveDontMasquerade(fw,
&ipdef->address,
prefix,
forwardIf,
@@ -796,7 +803,8 @@ networkAddIPSpecificFirewallRules(virFirewallPtr fw,
*/
if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) ||
def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)
return networkAddMasqueradingFirewallRules(fw, def, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
return networkAddRoutingFirewallRules(fw, def, ipdef);
@@ -813,7 +821,8 @@ networkRemoveIPSpecificFirewallRules(virFirewallPtr fw,
virNetworkIPDefPtr ipdef)
{
if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET) ||
def->forward.natIPv6 == VIR_TRISTATE_BOOL_YES)
return networkRemoveMasqueradingFirewallRules(fw, def, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
return networkRemoveRoutingFirewallRules(fw, def, ipdef);